Analysis & pownage of herpesnet botnet. Introduction. We received a new sample through our submit mechanism. This sample is a botnet HTTP client called HerpesNet. The md5 of the sample is db6779d497cb5e22697106e26eebfaa8. We started the analysis when we found a way to manage the command & control... Tools. Static analysis. We start by opening the binary with IDA. We see directly that the file is not packed. We follow the Win_Main function, and at offset 004071E0h we can see a call to 004070E0h (initThread). The initThread function is in charge of decoding strings, opening a mutex with the name "rffggghooo" and running 3 threads. 004034F5h (thrInstallReg), with the parameter at offset 0041CE88h ("tcerfhygy"), loops indefinitely and sets the regkey 'Software\Microsoft\Windows\CurrentVersion\Run' with the name "rffggghooo" ...
Pictures of people who look pathetic are funny. It's scientific fact at this point. It's also the engine behind People of Wal-Mart, that genius website that allows users to upload ridiculous camera-phone shots of ridiculous people (and other sights) captured while adventuring at ... you guessed it ... Wal-Mart! One of the niftiest features of People of Wal-Mart is the search function, which allows a person to narrow their search by state - meaning through the magic of technology we can gawk, chuckle, point, laugh, guffaw and otherwise carry on at the expense of people caught in compromising positions (because they look stupid) at Wal-Marts right here in Washington. And they probably don't even know it! It's pretty dope. Now, I'm not going to lie. ...
There is a fair amount of chatter in Microsoft forums regarding problems caused by recent Microsoft patches. [1][2][3][4] From what I can gather, users are repeatedly being prompted to reinstall 3 older .NET patches on some OS distributions. It looks like MS12-035 was intended to replace 3 older patches, MS11-044, MS11-078 and MS12-016, and something isn't quite right. You may want to hold off deploying that patch until we know more. Thanks to Dave (ToyMaster) for the heads up and hard work researching the issue. I think he has a blog post pending [5] that will explain the issue in more detail. I'll keep you updated here as I learn more. Do you have any more information for us? Leave me a comment or contact ...
Attackers using a feature that is common to many firewalls, switches and other networking gear could silently hijack Web sessions on mobile and desktop devices, according to a research paper presented by two Ph.D. students from the University of Michigan. The two discovered that so-called TCP initial sequence number (ISN) checking features that are common to many network devices, including firewalls, could allow an attacker to use a lightweight malware client to probe active services using packets with spoofed IP addresses and check which sequence numbers are valid. By inferring valid sequence numbers, then using the network device to verify valid ISNs, the malware can enable an Internet-based attacker to carry out successful TCP hijack attacks - such as spoofing a login page to Facebook, Twitter ...
Google plans today to begin warning Internet users if their computers show telltale signs of being infected with the DNSChanger Trojan. The company estimates that more than 500,000 systems remain infected with the malware, despite a looming deadline that threatens to quarantine the sick computers from the rest of the Internet. Security experts won court approval last year to seize control of the infrastructure that powered the search-hijacking Trojan in a bid to help users clean up infections. But a court-imposed deadline to power down that infrastructure will sever Internet access for PCs that are not rid of the malware before July 9, 2012. The company said the warning (pictured above) will appear only when a user with an infected system visits a Google search ...
May 21, 2012 — CSO — Named late last week to replace Howard Schmidt as the top White House cybersecurity adviser, Michael Daniel is a 17-year veteran of the Office of Management and Budget (OMB) and has been its intelligence branch chief for the past 11 years. But he has stayed largely under the radar, even in the cybersecurity community. Brian Krebs, a well-connected former Washington Post reporter and author of the respected blog KrebsonSecurity, said he did not know Daniel or what his politics are. Krebs is not alone. Several others told CSO they also know nothing about Daniel, but didn't want to be quoted. GovInfoSecurity's Eric Chabrow reported Monday that "some of the most-connected people in Washington's cybersecurity community [have] never heard of ...
The Wikimedia Foundation last week warned that readers who are seeing ads on Wikipedia articles are likely using a Web browser that has been infected with malware. The warning points to an apparent resurgence in adware and spyware that is being delivered via cleverly disguised browser extensions designed to run across multiple Web browsers and operating systems. [Image: An ad served by the IWantThis! browser extension. Source: Wikimedia] In a posting on its blog, Wikimedia noted that although the nonprofit organization is funded by more than a million donors and does not run ads, some users were complaining of seeing ads on Wikipedia entries. “If you’re seeing advertisements for a for-profit industry (see screenshot below for an example) or anything but our fundraiser, then your web browser ...