Security News (Confirmed) 2012 Week 05

=> Hierarchy Exploit Pack. New crimeware for the cybercriminal gangs. 29/01/2012. «The term « hierarchy » refers to an entity with pyramidal action. Judging by the name of this new Exploit Pack of Russian origin, it seems that the author seeks to find his place within the criminal ecosystem, but everything points to the feeling that behind this is, above all, a beginner who seeks to become more criminal (…).»
Source : malwareint.blogspot.com/2012/01/hierarchy-exploit-pack-new-crimeware.html

=> MIDI hijacks the distribution of malicious code exploiting attention. 29/01/2012. «Currently Hauri (Hauri) the malicious code in the security company in the security bulletin for emergency always up to date with Windows security updates are urging everyone to maintain and operate its article, the actual infection and how to fix them manually look at I will (…).»
Source : bit.ly/xKcBL4
Related posts:
30/01/2012. Source : twitter.com/#!/Xylit0l/statuses/164076899495182336

=> Attackers Moving Zeus Servers to Former Soviet Union TLD. 30/01/2012. «The groups of attackers that employ the Zeus toolkit for their scams and malware campaigns have long used sites in the .ru Russian TLD as homes for their botnet controllers. Security researchers and law enforcement agencies have had a difficult time making headway in getting these domains taken down, but now it seems that some changes in the way that the Russian organization in charge of the .ru domain is enforcing rules for fraudulent domains is forcing attackers to move to a long-forgotten TLD owned by the former Soviet Union (…).»
Source : threatpost.com/en_us/blogs/attackers-moving-zeus-servers-former-soviet-union-tld-013012

=> Doomsday JavaScript Encoder. 31/01/2012. «In my last post I detailed a whole bunch of ways to make encoders better and that I had authored my own to see how difficult it was. Last night I released the encoder with some extra little bells and whistles to make it a bit more interesting (…).»
Source : blog.9bplus.com/doomsday-javascript-encoder
Related posts:
12/01/2012. Obfuscated JavaScript 2.0 – Building an encoder : blog.9bplus.com/malicious-javascript-20-139
31/01/2012. Null Pointer DoS in MSHTML!CMarkup::InitCollections : blog.9bplus.com/null-pointer-in-mshtmlgetall
31/01/2012. Doomsday_encoder : github.com/9b/doomsday_encoder

=> Kelihos/Hlux botnet returns with new techniques. 31/01/2012. «It has been four months since Microsoft and Kaspersky Lab announced the disruption of the Kelihos/Hlux botnet. The sinkholing method that was used has its advantages — it is possible to disable a botnet rather quickly without taking control over the infrastructure. However, as this particular case showed, it is not very effective if the botnet’s masters are still at large. Not long after we disrupted Kelihos/Hlux, we came across new samples that seemed to be very similar to the initial version. After some investigation, we gathered all the differences between the two versions. This is a summary of our findings (…).»
Source : www.securelist.com/en/blog/655/Kelihos_Hlux_botnet_returns_with_new_techniques
Related posts:
30/01/2012. Accused Kelihos malware mastermind protests his innocence : nakedsecurity.sophos.com/2012/01/30/accused-kelihos-botmaster/
31/01/2012. Kelihos Botnet Resurfaces : threatpost.com/en_us/blogs/kelihos-botnet-resurfaces-013112
01/02/2012. « Slain » Kelihos botnet still spams from beyond the grave : arstechnica.com/business/news/2012/02/slain-kelihos-botnet-still-spams-from-beyond-the-grave.ars
02/02/2012. Botnet: Kelihos is resurrected : www.generation-nt.com/botnet-kelihos-microsoft-kaspersky-actualite-1536291.html
03/02/2012. Update on Kelihos Botnet and New Related Malware : blogs.technet.com/b/microsoft_blog/archive/2012/02/03/update-on-kelihos-botnet-and-new-related-malware.aspx

=> TDL4 – Purple Haze (Pihar) Variant – sample and analysis. 01/02/2012. «I recently ran into an interesting piece of malware that was downloaded on a victim’s computer. I thought it was TDL/TDSS or maybe a new version of it, as it had the same components as the TDL4 bootkit with mass-scale PPC (pay-per-click) fraud functionality. TDL had this functionality too, and it is most likely spread by the same Russian-speaking gangs using the Blackhole exploit kit. It did not have the same type of config file that you may find in TDL4 (and at first I could not find it at all). I call it « Purple Haze » thanks to the strings found in the code (…).»
Source : contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html
Related posts:
03/02/2012. TDL4 reloaded: Purple Haze all in my brain : blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain

=> Detecting malware domains by syntax heuristics. 01/02/2012. «Within part of our IP Reputation Engine, we’ve developed an algorithm that can check good detections / false positives with acceptable ratio. Simply put, it’s a Python library attached at the end of the article, along with more stuff. (…).»
Source : labs.alienvault.com/labs/index.php/2012/detecting-malware-domains-by-syntax-heuristics/
Related posts:
01/02/2012. Source : twitter.com/#!/Guillermo/statuses/164785241863630848

=> Don’t trust satellite phones – The GMR-1 and GMR-2 ciphers have been broken. 02/02/2012. «Today, February 2nd 2012, Benedikt Driessen and Ralf Hund gave a very interesting talk at Ruhr Universität Bochum about their work on satellite phone security. In a nutshell, they were able to reverse engineer and to break the secret ciphers used in many satellite phone systems, namely the GMR-1 and the GMR-2 ciphers (…).»
Source : cryptanalysis.eu/blog/2012/02/02/dont-trust-satellite-phones-the-gmr-1-and-gmr-2-ciphers-have-been-broken/
Related posts:
02/02/2012. Don’t Trust Satellite Phones : www.hgi.rub.de/hgi/hgi-seminar/aktuelles/#don-t-trust-satellite-phones
03/02/2012. So who is 350 km away from everyone? … : www.cnis-mag.com/qui-donc-se-trouve-a-350-km-de-tout-le-monde.html

=> Analysis Of Sykipot Smartcard Proxy Variant. 02/02/2012. «This malware not only attempts to capture keystrokes and clipboard data, it also serves as a backdoor to fully remote control the victim’s system, and to access protected resources that require authentication using a smartcard (…).»
Source : eiploader.wordpress.com/2012/02/02/analysis-of-sykipot-smartcard-proxy-variant/
Related posts:
02/02/2012. Source : twitter.com/#!/Guillermo/statuses/165219579629551616

=> Timing Analysis Attacks in Anonymous System. 03/02/2012. «In timing analysis attacks we assume that the attacker has access to a particular set of mixes, i.e. the attacker is a part of the network. By studying the timing of the messages going through the mixes it is possible for the attacker to determine the mixes that form a communication path. If the first and last mixes in the network are owned by the attacker, then it is possible for him to figure out the identities of the sender and the receiver (…).»
Source : resources.infosecinstitute.com/timing-analysis-attacks/
