Monthly Archives: June 2015

Adobe releases next emergency Flash zero-day patch

27 June 2015

Adobe Flash Player is a real source of irritation. New vulnerabilities are continuously made public. In the last three month 64 vulnerabilities were published in the NIST NVD Database, of which 43 with highest severity 10.0.

The latest vulnerability CVE-2015-3113, that potentially allows an attacker to take control of an affected system, is a technically advanced piece of malware. For technical details see the FireEye blog post ‘Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign’.

As usual the attack is started through a phishing email. And, once the attackers got access to the victim’s network, they move laterally through the network in the search of valuable information.

With this we have the first and second line of defense in a prevention strategy: User awareness training to support users in recognizing such attacks, and system isolation to prevent the attackers from moving laterally through the network.

Perhaps it’s time to solve this problem once and for all by uninstalling Flash Player…

Have a good weekend.

TrojanDownloader:Win32/Upatre not detected by 22 of 57 Anti-Malware Programs after 2 days

20 June 2015

In the past days I got lots of emails with suspicious attachments. I carefully analyzed most of them on my test system (VMWare with Windows 8.1 64bit and Microsoft Defender) and identified most of them as good old friends, sent by cyber criminals to steal personal information.

Cyber-attacks follow always the same pattern:

Development of a Cyber Attack

Development of a Cyber Attack

[1] Attract the reader’s attention.

[2] Force the reader to extract and execute the malware disguised as an innocuous pdf or html file.

[3] Make the Trojan persistent in the operating system and wipe out the digital traces as far as possible.

[4] Connect to the Command & Control (C&C) server and download additional software from the C&C server. The C&C server is the cyber attacker’s command center.

[5] Send the users secrets to the C&C server.

In most cases, email providers put such mails directly in the Junk E-mail or Spam folder. Unfortunately a small part of e-mails, with well camouflaged malware attachments or new variants of malware, are directed to the inbox. But this should be no problem at all. Since most of the Trojans are variants of already known malware one would expect that the heuristic scanners of the anti-malware systems should be able detect and sanitize the attachments during download from the email to the file system.

I use Trend Micro MaximumSecurity because the program got a 5 star rating in a comprehensive test last November. I run the program in protection level “Hypersensitive” to get maximum protection, but, to my great surprise, Trend Micro did not detect the malware.

On 18 June I uploaded the payload to virustotal.com to get an overview of the detection rate of 57 anti-malware programs. The malware was first analyzed on virustotal.com on 16 June 2015 at 11:48 a.m.

I received the mail on 16 June 2015 at 1:37 p.m. Microsoft Defender, rated “worst” in the November evaluation, identified the Trojan as Trojan:Win32/Peals.D!plock on 16 June 2015 at 9:45 p.m, 10 hours after the first upload to virustotal.com. This is a very good result!

On 18 June, 29 of 57 scanners were able to detect the malware, Trend Micro MaximumSecurity was not among them. Defender identified the malware as TrojanDownloader:Win32/Upatre, but this change is not relevant.

Defender Report

Defender Report

Yesterday evening I repeated the check on virustotal.com. 35 of 57 anti-malware programs successfully detected the malware. Again, Trend Micro MaximumSecurity was still not among them.

I am really puzzled. I thought, I bought one of the best anti-malware systems, but 6 months later it’s just not capable to detect variants of old Trojans. It’s time to switch back to Defender and to write-off the Trend Micro software. This seems to me an acceptable risk.

By the way, the most effective protection measure here is user training. Never open attachments of nested zip-files. It is very likely that they contain malware which puts your information systems at risk.

And don’t trust Anti-Malware program evaluations in German computer magazines.

Have a good weekend!

Appendix: virustotal.com check results as of 19 June 2015

Antivirus Result Update
ALYac Trojan.GenericKD.2494514 20150619
AVG Generic_s.EUO 20150619
AVware Trojan-Downloader.Win32.Upatre.ic (v) 20150619
Ad-Aware Trojan.GenericKD.2494514 20150619
AhnLab-V3 Trojan/Win32.Upatre 20150619
Arcabit Trojan.Generic.D261032 20150619
Avira TR/Agent.68096.251 20150619
Baidu-International Trojan.Win32.Upatre.bkby 20150619
BitDefender Trojan.GenericKD.2494514 20150619
CAT-QuickHeal TrojanDownloader.Upatre.r3 20150619
Cyren W32/Upatre.AT.gen!Eldorado 20150619
DrWeb Trojan.Upatre.3504 20150619
ESET-NOD32 a variant of Win32/Kryptik.DMJN 20150619
Emsisoft Trojan.GenericKD.2494514 (B) 20150619
F-Prot W32/Upatre.AT.gen!Eldorado 20150619
F-Secure Trojan.GenericKD.2494514 20150619
Fortinet W32/Waski.A!tr 20150619
GData Trojan.GenericKD.2494514 20150619
Ikarus PUA.Bundler 20150619
K7GW Trojan ( 004c5fac1 ) 20150619
Kaspersky Trojan-Downloader.Win32.Upatre.bkby 20150619
Malwarebytes Trojan.Downloader.Upatre 20150619
McAfee Upatre-FACH!9B004AD1DBB5 20150619
McAfee-GW-Edition BehavesLike.Win32.Dropper.km 20150619
MicroWorld-eScan Trojan.GenericKD.2494514 20150619
Microsoft TrojanDownloader:Win32/Upatre 20150619
Panda Trj/Genetic.gen 20150619
Qihoo-360 HEUR/QVM20.1.Malware.Gen 20150619
Rising PE:Trojan.Win32.Generic.18C77685!415725189 20150618
Sophos Troj/Dyreza-FP 20150619
Symantec Downloader.Upatre!gen5 20150619
Tencent Trojan.Win32.Qudamah.Gen.2 20150619
TrendMicro-HouseCall TROJ_GEN.F0D1H0ZFG15 20150619
VIPRE Trojan-Downloader.Win32.Upatre.ic (v) 20150619
nProtect Trojan.GenericKD.2494514 20150619
AegisLab 20150619
Agnitum 20150619
Alibaba 20150619
Antiy-AVL 20150619
Avast 20150619
Bkav 20150619
ByteHero 20150619
CMC 20150618
ClamAV 20150619
Comodo 20150619
Jiangmin 20150618
K7AntiVirus 20150619
Kingsoft 20150619
NANO-Antivirus 20150619
SUPERAntiSpyware 20150619
TheHacker 20150619
TotalDefense 20150619
TrendMicro 20150619
VBA32 20150619
ViRobot 20150619
Zillya 20150619
Zoner 20150619

 

HTTPS encryption for all federal websites requires new endpoint protection concepts

13 June 2015

Starting in 2017, all federal websites that are publicly accessible in the US should have HTTPS encryption as the standard secure communication protocol.

This directive, issued by The White House Office of Management and Budget (OMB), is a real game-changer because it makes it harder for attackers to intercept sensitive communications or to steal personal data that is entered on federal web sites.

I just finished my preparations for my ISO 27001 Information Security Officer exam when I read the announcement in a LIFARS post. ISO 27001 deals with cryptographic controls in Annex 10.1. In the related chapter A.10.1 of ISO 27002 you learn:

When developing a cryptographic policy the following should be considered:

g. the impact of using encrypted information on controls that rely on content inspection (e.g. malware detection).

Encryption means death for all traditional malware protection systems. Traditional malware detection tries to match patterns in a data stream with patterns stored in the pattern database of the anti-malware system. Since the patterns in the data stream are encrypted matches are no longer found. Game-Over!

This has only a minor impact on enterprises. They can use already available technology that breaks the SSL encryption for inspection, but this is too expensive for end-users.

Vendors of endpoint protection systems have to develop new concepts to protect consumers of unknown malware hidden in the encrypted data stream. And federal agencies have to grow their efforts to make sure that data exchanged through their websites does not contain malware.

‘HTTPS everywhere’ is indeed a real game-changer. Hopefully someone in the OMB has thought of the impact on endpoint protection.

Don’t panic… and have a good weekend.

Never mind the Next Big Threat Thing. Fix the Golden Oldies first.

11 June 2015

Yesterday evening I attended the webinar ‘Never mind the Next Big Threat Thing. Fix the Golden Oldies first this evening’, a welcome cool-down after a long day of ISO 27005 risk management training.

I found this really remarkable statement:

“First, we’ll start with a few blocking and tackling fundamentals that you really ought to be doing regardless of whether or not you’re worried about espionage. If you don’t do these, all those super advanced cybertastic APT kryptonite solutions may well be moot.”

Source: Verizon 2014 Data Breach Investigation Report.

Have a good day!

OPM May Have Exposed Security Clearance Data

7 June 2015

When I read David Sanger’s report ‘Hacking Linked to China Exposes Millions of U.S. Workers’ in the New York Times about the Office of Personnel Management (OPM) attack I was shocked on both, the large number of stolen records and the obviously inadequate protection measures and processes.

‘The intrusion came before the personnel office fully put into place a series of new security procedures that restricted remote access for administrators of the network and reviewed all connections to the outside world through the Internet’.

Are basic protection measures like Two Factor Authentication for all employees for access from the internet to federal computer networks really not in place, not even for the NSA:

‘In acting too late, the personnel agency was not alone: The N.S.A. was also beginning to put in place new network precautions after its most delicate information was taken by Edward J. Snowden.’

And why does it take such a long time until an investigation starts? From a LIFARS blog we learn:

‘The possibility of a data breach was first detected back in April, by the Department of Homeland Security. An internal investigation conducted in May, confirmed that the breach had indeed occurred.’

In the New York Times article we find the reason for this delay:

‘Administration officials said they made the breach public only after confirming last month that the data had been compromised and after taking additional steps to insulate other government agencies from the intrusion.’

Again, it seems to me that basic protection measures like proper network segmentation are not in place. In addition to effective communication processes and business continuity management, which could cut the Mean Time To Identify (MTTI) a breach dramatically due to the Ponemon 2015 Cost of Data Breach Study, page 24, figure 24.

Take care!

Bad LaZagne

4 June 2015

The LaZagne Project by Alessandro Zanni is a little utility that displays passwords for 22 Windows and 12 Linux programs. For details please see post The LaZagne Project dumps 22 Different Program Passwords published by ‘cyber arms – computer security’ two weeks ago.

LaZagne is primarily intended for penetration testers to dump passwords once they got access to a system. I use it as a demonstrator to raise awareness for security issues, for example, when it comes to WiFi security.

LaZagne dumps WiFi passwords from all networks you used since the last fresh installation:

|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|

------------------- Wifi passwords -----------------

Password found !!!
password: XXXXXXXXXXXXXXXX
authentication: WPA2PSK
protected: true
ssid: WLAN-0024FE4A9566

Password found !!!
authentication: open
ssid: NH-Hotel-Group

Password found !!!
password: XXXXXXXXXXXXXXXX
authentication: WPA2PSK
protected: true
ssid: WLAN-DA5176

[+] 3 passwords have been found.
For more information launch it again with the -v option

That’s not rocket science. The connection details are stored in files in directory C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces{E3004523-B55C-4A21-BE85-2FEC752E07EB}. Since decryption of the connection passwords is easy, we face a new? vulnerability which makes it easy for attackers to compromise our networks.

With this, I recommend:

  • Never leave your computer unattended, in particular if you are signed in with administrative privileges. LaZagne needs administrative privileges to read the configuration files. I wonder why this is required because the configuration files are readable by everyone…
  • Before disposing your computer securely erase the data on the disk or use a full disk encryption utility. This will prevent attackers from accessing the WiFi configuration files and your network.
  • Configure your Internet router to restrict access to specific computers. That’s really annoying because you have to authorize a new device to your network before someone can start surfing.

Take care!