Confirmed Security News 2012 W29

Did a Google search, a ‘ping’ or a ‘trackback’ bring you here? What is this catch-all list of links? Nyah! I am not spam, and I am not a ‘planet’! :D I invite you to read the introductory post of this ‘brief’ (my personal watch) to see what it is about.


=> The Flame: Questions and Answers. 28/05/2012. «Duqu and Stuxnet raised the stakes in the cyber battles being fought in the Middle East – but now we’ve found what might be the most sophisticated cyber weapon yet unleashed. The ‘Flame’ cyber espionage worm came to the attention of our experts at Kaspersky Lab after the UN’s International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East. While searching for that code – nicknamed Wiper – we discovered a new malware codenamed Worm.Win32.Flame (…).»
Source: www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers
Related posts:
28/05/2012. Identification of a New Targeted Cyber-Attack : www.certcc.ir/index.php?name=news&file=article&sid=1894
28/05/2012. Flame malware – more details of targeted cyber attack in Middle East : nakedsecurity.sophos.com/2012/05/28/flame-malware-cyber-attack/
29/05/2012. Cuckoo in Flame : blog.cuckoobox.org/2012/05/29/cuckoo-in-flame/
29/05/2012. Flamer: Highly Sophisticated and Discreet Threat Targets the Middle East : www.symantec.com/connect/blogs/flamer-highly-sophisticated-and-discreet-threat-targets-middle-east
29/05/2012. Flame: Bunny, Frog, Munch and BeetleJuice… : www.securelist.com/en/blog/208193538/Flame_Bunny_Frog_Munch_and_BeetleJuice
30/05/2012. Flamer worm : www.kernelmode.info/forum/viewtopic.php?f=16&t=1675&start=40
30/05/2012. Flame: Component soapr32.ocx : stratsec.blogspot.com.au/2012/05/flame-component-soapr32ocx.html
30/05/2012. Flamer/sKyWIper Malware: Analysis : blog.fireeye.com/research/2012/05/flamerskywiper-analysis.html
30/05/2012. How old is Flame? : labs.alienvault.com/labs/index.php/2012/how-old-is-flame/
31/05/2012. CrySyS Lab sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks [pdf] : www.crysys.hu/skywiper/skywiper.pdf
31/05/2012. Flame: msglu32.ocx, Component That Can Track Location : www.stratsec.blogspot.fr/2012/05/flame-msglu32ocx-component-that-can.html
01/06/2012. W32.Flamer: Spreading Mechanism Tricks and Exploits : www.symantec.com/connect/ko/blogs/w32flamer-spreading-mechanism-tricks-and-exploits
01/06/2012. Flamer aka skywiper : code.google.com/p/malware-lu/wiki/en_malware_flamer
01/06/2012. Defeating Flame String Obfuscation with IDAPython : blog.spiderlabs.com/2012/06/defeating-flame-string-obfuscation-with-idapython.html
01/06/2012. Flamer /SkyWiper Samples : contagiodump.blogspot.fr/2012/06/flamer-skywiper-samples.html
04/06/2012. ‘Gadget’ in the middle: Flame malware spreading vector identified : www.securelist.com/en/blog/208193558/Gadget_in_the_middle_Flame_malware_spreading_vector_identified
04/06/2012. The Roof Is on Fire: Tackling Flame’s C&C Servers : www.securelist.com/en/blog/208193540/The_Roof_Is_on_Fire_Tackling_Flames_C_C_Servers
04/06/2012. Flame, certificates, collisions. Oh my. : blog.cryptographyengineering.com/2012/06/flame-certificates-collisions-oh-my.html
06/06/2012. Flame: Replication via Windows Update MITM proxy server : www.securelist.com/en/blog/208193566/Flame_Replication_via_Windows_Update_MITM_proxy_server
11/06/2012. Back to Stuxnet: the missing link : www.securelist.com/en/blog/208193568/Back_to_Stuxnet_the_missing_link
12/06/2012. Flame USB dot file confirmed : blog.crysys.hu/2012/06/flame-usb-dot-file-confirmed/
12/06/2012. Flamer string decoder : blogs.norman.com/2012/security-research/flamer-string-decoder
18/06/2012. Analysis of Flame WuSetupV.exe URL parameters : blog.crysys.hu/2012/06/analysis-of-flame-wusetupv-exe-url-parameters/
21/06/2012. Analysis of functions used to encode strings in Flame (GDB script) : code.google.com/p/malware-lu/wiki/en_flame_analysis_with_script_gdb
25/06/2012. The Day The Stuxnet Died : www.securelist.com/en/blog/208193609/The_Day_The_Stuxnet_Died
20/07/2012. Flame, Duqu and Stuxnet: in-depth code analysis of mssecmgr.ocx : blog.eset.com/2012/07/20/flame-in-depth-code-analysis-of-mssecmgr-ocx

=> Ransomware ‘Holds Up’ Victims. 30/05/2012. «The current “ransomware” campaign uses a novel approach to extort money from naive Internet users. Malware from cybercriminals infects personal computers by claiming to be a genuine Windows update (…).»
Source: blogs.mcafee.com/mcafee-labs/ransomware-holds-up-victims

=> Duqu’s generic hooking engine. 30/05/2012. «After a boring stage 1, it was hard to get motivated for the second stage. But it was worth it; I thought this sample was a keylogger, as documented on the net, but that is not the case. It is a rather nice generic hooking engine. The hooks are placed on (…).» Malware.lu’s publications
Source: code.google.com/p/malware-lu/wiki/fr_analyse_statique_duqu_stage_2
Related posts:
29/05/2012. Presentation & example of our ASM ripper : code.google.com/p/malware-lu/wiki/en_ripper_metasm
30/05/2012. Generic hooking engine from Duqu : code.google.com/p/malware-lu/wiki/en_static_analysis_duqu_stage_2
30/05/2012. Dionaea auto-submit configuration : code.google.com/p/malware-lu/wiki/en_dionaea_submit
08/07/2012. AutoIT ransomware : code.google.com/p/malware-lu/wiki/en_analyse_autoit_ransomware

=> Is a new Zsone Under Development? #Android. 31/05/2012. «Android malware news: a year after Zsone’s discovery, we’ve come across a new variant. Or at least a sample that causes us to ask, is a new variant under development? This new Zsone uses a native component for its SMS sending routine (…).»
Source: www.f-secure.com/weblog/archives/00002373.html

=> Inside the Attacker’s Toolbox: Botnet Credit Card Validation Scripts. 31/05/2012. «In our previous blog post « Inside the Attacker’s Toolbox: Botnet Web Attack Scripts » we analyzed some botnet scripts that SpiderLabs Research team had captured that are used to conduct massive attack scanning traffic. In this installment, we will take a look at a php script that is used by Botnet owners to validate credit card data that has been illegally obtained (…).»
Source: blog.spiderlabs.com/2012/05/honeypot-alert-inside-the-attackers-toolbox-botnet-credit-card-validation-scripts.html

=> Major shift in strategy for ZeroAccess rootkit malware, as it shifts to user-mode. 06/06/2012. «SophosLabs has been monitoring a new strain of the infamous ZeroAccess rootkit that has been hitting the internet over the last few weeks (…).»
Source: nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/
Related posts:
13/06/2012. ZeroAccess’s Way of Self-Deletion : www.f-secure.com/weblog/archives/00002385.html
22/06/2012. ZeroAccess – new steps in evolution : artemonsecurity.blogspot.fr/2012/06/zeroaccess-new-steps-in-evolution.html
28/06/2012. Malware Analysis: New C&C Protocol for ZeroAccess/Sirefef : www.kindsight.net/en/blog/2012/06/28/malware-analysis-new-cc-protocol-for-zeroaccesssirefef
28/06/2012. ZeroAccess: code injection chronicles : blog.eset.com/2012/06/25/zeroaccess-code-injection-chronicles

=> ‘Bioskits’ Join Ranks of Stealth Malware. 07/06/2012. «We have seen many discussions of the MyBios “Bioskit” discovered at the end of 2011. MyBios was the first malware to successfully infect the Award BIOS and survive the reboot. It was first discovered by a Chinese security company; many other security vendors published detailed analyses after that. We have seen a lot of samples targeting the master boot record (MBR) to survive a reboot and reinfect a system. We found a sample in our collection that infected the MBR. Further investigation showed that the next variant of the malware was a Bioskit. The first variant of the malware was an executable that infected the MBR; the second was a DLL with the Bioskit component. We will discuss the second variant in this blog (…).»
Source: blogs.mcafee.com/mcafee-labs/bioskits-join-ranks-of-stealth-malware

=> MP-DDoser: A rapidly improving DDoS threat. 07/06/2012. «This blog post is the fifth installment in our ongoing series of articles surveying the crypto systems used by different DDoS-capable malware families. Today’s topic is MP-DDoser, also known as “IP-Killer” (…).»
Source: ddos.arbornetworks.com/2012/06/mp-ddoser-a-rapidly-improving-ddos-threat/

=> MBR Malware Analysis. 08/06/2012. «So I’ve read a few articles lately on the return of MBR malware so I figured I would take a look at a sample (…).»
Source: www.sysforensics.org/2012/06/mbr-malware-analysis.html

=> NGR Rootkit. 13/06/2012. «NGR Bot (also known as Dorkbot) was examined to be a user-mode rootkit that could be remotely controlled via Internet-Relay-Chat (IRC) protocol. It was designed with the intention to steal digital identity, perform denial of service, and manipulate the domain name resolution (…).»
Source: resources.infosecinstitute.com/ngr-rootkit/
Related posts:
08/06/2012. NGR Bot Analysis – Virus Bulletin Paper [Download] : secniche.blogspot.fr/2012/06/ngr-bot-analysis-virus-bulletin-paper.html

=> How to infiltrate affiliate programs. 19/06/2012. «Starting into affiliate infiltration is not an easy thing when you have no starting point; I got a lot of help requests regarding this via e-mail. Firstly… where can I find affiliate programs..? (…).» I have not listed all of Xylt0l’s links for the period covered by this brief, but there is some interesting reading there :)
Source: www.xylibox.com/2012/06/how-to-infiltrate-affiliate-programs.html

=> XPAJ: Reversing a Windows x64 Bootkit. 19/06/2012. «The number of bootkits is steadily growing. All kinds of new bootkits are appearing: sophisticated and simple, serving different purposes (such as rootkits or ransomware Trojans). Malware writers are not above analyzing their competitors’ malicious code (…).»
Source: www.securelist.com/en/analysis/204792235/XPAJ_Reversing_a_Windows_x64_Bootkit
Related posts:
19/07/2012. XPAJ. Study of a bootkit under Windows x64 : www.viruslist.com/fr/analysis?pubid=200676288

=> German Trojans 2. 20/06/2012. «In the last article, I discussed in quite some detail how exactly the dropper for Bundestrojaner worked. In my next article what I’d been planning to do was to reverse the DLL and then the driver. There’s a slight change to those plans though (…).»
Source: resources.infosecinstitute.com/german-trojans-2/

=> Some shellcode de-mystified. 21/06/2012. «The shellcode described in this post was obtained from the Eleonore v1.2 exploit kit. High-level details about that kit are mentioned in my April 2012 blog post. This post is a technical view of the actual shellcode and is intended to be instructive to the inquisitive reader. Since this code is relatively old, the main techniques (hashing API lookups, rol decryption, kernel32 address lookup) have been discussed before (…).»
Source: blogs.technet.com/b/mmpc/archive/2012/06/21/some-shellcode-de-mystified.aspx

=> ACAD/Medre.A Technical Analysis. 22/06/2012. «For the story behind the suspected industrial espionage, where ACAD/Medre.A was used, refer to Righard Zwienenberg’s blog post. For technical details from analysing the worm’s source code, read on (…).»
Source: blog.eset.com/2012/06/21/acadmedre-a-technical-analysis-2
Related posts:
21/06/2012. ACAD/Medre.A : www.eset.eu/encyclopaedia/acad-medre-a-worm-alisp-blemfox-trojan-bursted-w-als
22/06/2012. ACAD/Medre.A [pdf] : www.eset.com/fileadmin/Images/US/Docs/Business/white_Papers/ESET_ACAD_Medre_A_whitepaper.pdf
22/06/2012. ACAD/Medre.A – 10000’s of AutoCAD files leaked in suspected industrial espionage : blog.eset.com/?p=13194

=> Win32/Gataka: a banking Trojan ready to take off? 03/07/2012. «We have been following the development of the Win32/Gataka banking Trojan for several months and can now share some details of its operation which includes facilitating fraudulent bank transfers. This first post will highlight some of its key features, while the second will detail several interesting, more technical aspects of this malware (…).»
Source: blog.eset.com/2012/06/28/win32gataka-a-banking-trojan-ready-to-take-off

=> Rovnix bootkit framework updated. 14/07/2012. «We have been tracking the activity of the Rovnix bootkit family since April 2011. Rovnix was the first bootkit family to use VBR (Volume Boot Record) infection (NTFS bootstrap code) for loading unsigned kernel-mode drivers on x64 (64 bit) platforms (…).»
Source: blog.eset.com/2012/07/13/rovnix-bootkit-framework-updated

=> The Madi Campaign – Part I. 17/07/2012. «For almost a year, an ongoing campaign to infiltrate computer systems throughout the Middle East has targeted individuals across Iran, Israel, Afghanistan and others scattered across the globe. Together with our partner, Seculert, we’ve thoroughly investigated this operation and named it the “Madi”, based on certain strings and handles used by the attackers (…).»
Source: www.securelist.com/en/blog/208193677/The_Madi_Campaign_Part_I
Related posts:
17/07/2012. Mahdi – The Cyberwar Savior? : blog.seculert.com/2012/07/mahdi-cyberwar-savior.html
19/07/2012. List of samples available on malware.lu about Mahdi aka Madi : code.google.com/p/malware-lu/wiki/en_malware_mahdi_madi

=> Analysis of Cridex. 18/07/2012. «On the 12th of June the payload delivered by a Blackhole Exploit Kit was Cridex. Cridex is part of the malware family that steals banking information from the victim’s computer. Social media sites are also the target of Cridex. Similar to ZeuS, Cridex is able to inject code into HTML pages on websites contained in the configuration file and capable of monitoring & manipulating cookies. The stolen data is saved into a file and sent back to a C&C server. Additional malware may be downloaded by Cridex (…).»
Source: stopmalvertising.com/rootkits/analysis-of-cridex.html

=> Guntior. 18/07/2012. «Guntior – detailed analysis of the Chinese bootkit (…).»
Source: artemonsecurity.blogspot.fr/2012/07/guntior-detailed-analysis-of-chinese.html

