Confirmed Security News 2012 W11

=> Citadel: the configuration file. 12/03/2012. «We recently took an interest in the latest arrival in the world of banking malware: Citadel. The publication of the Zeus malware's source code made it possible to create new banking malware, and Citadel is one of them (…).»
Source: cert.lexsi.com/weblog/index.php/2012/03/12/426-citadel-le-fichier-de-configuration
Related posts:
12/03/2012. Citadel: configuration file : cert.lexsi.com/weblog/index.php/2012/03/12/427-citadel-configuration-file

=> Manual for ZeuS & SpyEye trojan. 12/03/2012. «Manual for ZeuS & SpyEye trojan (…).»
Source: twitter.com/#!/bartblaze/statuses/179550924333785088

=> Microsoft's Guidance on CVE-2012-0002. 14/03/2012. «First: Microsoft's Remote Desktop Protocol is disabled on Windows by default. So most computers are unaffected by issues highlighted as a result of the month's "Patch Tuesday". However: If you administer RDP enabled workstations — then you probably should read Microsoft's Security Research & Defense post about CVE-2012-0002 (…).» 'Patch Tuesday': this item is pulled out on its own because it got a lot of people talking.
Source: www.f-secure.com/weblog/archives/00002327.html
Related posts:
13/03/2012. CVE-2012-0002: A closer look at MS12-020's critical issue : blogs.technet.com/b/srd/archive/2012/03/13/cve-2012-0002-a-closer-look-at-ms12-020-s-critical-issue.aspx
13/03/2012. MS12-020 BinaryDiff : blog.binaryninjas.org/?p=58
13/03/2012. Microsoft Security Bulletin MS12-020 – Critical : technet.microsoft.com/fr-fr/security/bulletin/ms12-020
13/03/2012. Patch Tuesday March 2012 – Remote Desktop Pre-Auth Ring0 Use-After-Free RCE! : www.securelist.com/en/blog/2354/Patch_Tuesday_March_2012_Remote_Desktop_Pre_Auth_Ring0_Use_After_Free_RCE
14/03/2012. RDP+RCE=Bad News (MS12-020) : blogs.mcafee.com/corporate/cto/rdprcebad-news-ms12-020
15/03/2012. The Race for MS12-020 : blog.spiderlabs.com/2012/03/the-race-for-ms12-020.html
15/03/2012. Hackers Offer Bounty for Windows RDP Exploit : krebsonsecurity.com/2012/03/hackers-offer-bounty-for-windows-rdp-exploit
16/03/2012. MS12-020 RDP Code Leak Mystery Deepens As Microsoft Remains Silent : threatpost.com/en_us/blogs/ms12-020-rdp-code-leak-mystery-deepens-microsoft-remains-silent-031612
16/03/2012. Another MS12-020 DOS PoC smaller than "chinese shit" : twitter.com/#!/2gg/statuses/180586278725750785
16/03/2012. MS12-020 RDP Exploit Found, Researchers Say Code May Have Leaked From Security Vendor : threatpost.com/en_us/blogs/ms12-020-rdp-exploit-found-researchers-say-code-may-have-leaked-security-vendor-031612
16/03/2012. Proof-of-concept RDP vulnerability code discovered. Patch Windows now : nakedsecurity.sophos.com/2012/03/16/rdp-exploit-china/
16/03/2012. Update to this Month's Patch Tuesday Post on MS12-020/CVE-2012-0002 : www.securelist.com/en/blog/208193412/Update_to_this_Month_s_Patch_Tuesday_Post_on_MS12_020_CVE_2012_0002
17/03/2012. Windows RDP flaw – MS12-020 : binsec.blogspot.fr/2012/03/faille-windows-rdp-ms12-020.html
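The F-Secure post turns on one question: is RDP actually enabled on the workstations you administer? The following is an added example, not code from F-Secure, Microsoft or any of the posts above. It is a PowerShell inventory check that reports whether RDP is enabled, whether something is listening on the RDP port, and whether Network Level Authentication is required (NLA is the mitigation Microsoft's bulletin lists, since it forces authentication before the pre-auth code path is reached). It assumes an elevated session and the default RDP-Tcp listener; hosts.txt is a placeholder file of computer names.

```powershell
# Added example: inventory check for the RDP conditions relevant to
# MS12-020 / CVE-2012-0002 on the local Windows host. Not from F-Secure
# or Microsoft. Assumes an elevated PowerShell session and the default
# "RDP-Tcp" WinStation.

function Get-RdpExposure {
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $wsKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 is the Windows default F-Secure refers to
    # (remote connections denied); 0 means RDP is enabled.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections

    # UserAuthentication = 1 means Network Level Authentication is required,
    # so an unauthenticated client never reaches the pre-auth code path.
    # Absent (e.g. on XP) or 0 means it is not required.
    $nla  = (Get-ItemProperty -Path $wsKey -Name UserAuthentication `
                -ErrorAction SilentlyContinue).UserAuthentication

    # Listener port; 3389 unless an administrator changed it.
    $port = (Get-ItemProperty -Path $wsKey -Name PortNumber `
                -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # Is anything listening on that port right now? .NET call, so it works
    # on every PowerShell version of the period without extra modules.
    $listening = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
        Where-Object { $_.Port -eq $port } | Select-Object -First 1

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = ($deny -eq 0)
        NlaRequired    = ($nla -eq 1)
        RdpPort        = $port
        Listening      = [bool]$listening
        # True when an unauthenticated client can reach the RDP listener,
        # i.e. the host needs the patch (or NLA) before anything else.
        PreAuthExposed = ($deny -eq 0) -and ($nla -ne 1) -and [bool]$listening
    }
}

# Local run:
Get-RdpExposure | Format-List

# Fleet run over a placeholder host list (assumes WinRM is enabled):
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-RdpExposure} |
#     Where-Object PreAuthExposed | Format-Table ComputerName, RdpPort, NlaRequired
```

Hosts reporting RdpEnabled = False are the default case the post describes and need nothing beyond the normal patch cycle; hosts with PreAuthExposed = True are the ones to patch or put behind NLA first.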

=> 64-Bit System Driver Infected and Signed After UAC Bypassed. 14/03/2012. «What was just a theory not so long ago is now being used in-the-wild by threats such as Backdoor.Hackersdoor and its newer variant Backdoor.Conpee (…).»
Source: www.symantec.com/connect/blogs/64-bit-system-driver-infected-and-signed-after-uac-bypassed

=> Mediyes – the dropper with a valid signature. 15/03/2012. «In the last few days a malicious program has been discovered with a valid signature. The malware is a 32- or 64-bit dropper that is detected by Kaspersky Lab as Trojan-Dropper.Win32.Mediyes or Trojan-Dropper.Win64.Mediyes respectively (…).»
Source: www.securelist.com/en/blog/682/Mediyes_the_dropper_with_a_valid_signature
Related posts:
15/03/2012. Trojan Dropper Uses Valid Certificate Issued For Swiss Company : threatpost.com/en_us/blogs/swiss-authority-issues-certificates-trojan-dropper-malware-031512

=> It's not the end of the world: DarkComet misses by a mile. 16/03/2012. «This blog post is the fourth installment in our ongoing series of articles exploring the crypto systems commonly found in various DDoS malware families. Previous subjects have included Armageddon, Khan (now believed to be a very close "cousin" of Dirt Jumper version 5), and PonyDOS. Today we'll be diving deep into the details of the DarkComet RAT's crypto (…).»
Source: ddos.arbornetworks.com/2012/03/its-not-the-end-of-the-world-darkcomet-misses-by-a-mile
Related posts:
13/03/2012. Reversing the DarkComet RAT's crypto – 3/13/2012 : ddos.arbornetworks.com/uploads/2012/03/Crypto-DarkComet-Report.pdf
16/03/2012. DarkComet Analysis – Understanding the Trojan used in Syrian Uprising : resources.infosecinstitute.com/darkcomet-analysis-syria/
16/03/2012. DarkComet Analysis – Understanding the Trojan used in Syrian Uprising : quequero.org/DarkCometRAT_Analysis

=> A unique 'fileless' bot attacks news site visitors. 16/03/2012. «In early March, we received a report from an independent researcher on mass infections of computers on a corporate network after users had visited a number of well-known Russian online information resources. The symptoms were the same in each case: the computer sent several network requests to third-party resources, after which, in some cases, several encrypted files appeared on the hard drive (…).»
Source: www.securelist.com/en/blog/687/A_unique_bodiless_bot_attacks_news_site_visitors
