malware

Superfish 2.0: Dell Windows Systems Pre-Installed TLS Root CA Recently shipped Dell systems have been found to include a special Root CA Certificate and private key, "eDellRoot". All systems apparently use the same key and certificate. Using the "secret" key, anybody could create certificates for any domain, and Dell systems with this eDellRoot certificate would trust it. The key is part of "Dell Foundation Services". To test if your system is affected, see..
Sofacy Recycles Carberp and Metasploit Code 1. Introduction The Sofacy Group (also known as Pawn Storm or APT28) is well known for deploying zero-day exploits in their APT campaigns. For example, two recent zero-days used by the Sofacy Group were exploiting vulnerabilities in Microsoft Office CVE-2015-2424 and Java CVE-2015-2590. If the exploit is successful, it installs a Sofacy downloader component, which is different from what we have se..
Android MediaServer Bug Traps Phones in Endless Reboot We have discovered a new vulnerability that allows attackers to perform denial of service (DoS) attacks on Android's mediaserver program. This causes a device's system to reboot and drain all its battery life. In a more severe case, where a related malicious app is set to auto-start, the device can be trapped in an endless reboot and rendered unusable. The vulnerability, CVE-2015-3823, affects An..
MediaServer Takes Another Hit with Latest Android Vulnerability The "hits" keep on coming for Android's mediaserver component. We have discovered yet another Android mediaserver vulnerability, which can be exploited to perform attacks involving arbitrary code execution. With this new vulnerability, an attacker would be able to run their code with the same permissions that the mediaserver program already has as part of its normal routines. This vulnerability ha..
Exploiting MS15-076 (CVE-2015-2370) A few weeks ago (July 14, 2015), Microsoft had a busy patch Tuesday fixing quite a few privilege escalation vulnerabilities. Among these was a bug in DCOM/RPC which allows for an NTLM authentication challenge to be reflected back to a listening TCP socket. This issue was found by James Forshaw (@tiraniddo) with the Google Security Research team. The details of this bug and potential exploit path..
OS X Zero-days on the Rise: A 2015 Midyear Review and Outlook on Advanced Attack Surfaces 2015 has so far been a very busy year for security researchers. The data leaked from Hacking Team shocked many, thanks to the multiple zero-days that were disclosed, as well as emails discussing the unscrupulous trade in exploits and "tools". Cybercriminals (including exploit kit authors) have been hard at work integrating these newly-discovered flaws into their "products" to victimize more peopl..
Detailed Analysis of the Ongoing Large-Scale, Simultaneous Web Defacement Attacks Exploiting Flash Vulnerabilities This attack is still ongoing, and even as this article is being written, new defaced sites continue to be discovered. This is a breaking report from Trend Micro's Japan Regional TrendLabs (JP RTL), the laboratory responsible for threat analysis in Japan. ■ Characteristics of the widespread web defacement attacks As of July 24, JP RTL has confirmed defacement cases across dozens of domains in connection with this incident. About half of them were Japan-related websites. Reviewing the content of these attacks also reveals the following characteristics: the domestic defaced sites confirmed so far are concentrated on a specific cloud hosting service; most of the defaced websites belong to non-profit organizations (affiliated organizations, etc.); the HTML and SWF files installed without authorization are, in almost all cases, nearly ..
Bartalex malspam pushing Pony/Dyre Introduction Earlier this year, we started seeing reports of macro-based Bartalex malware [1]. Bartalex has been used in Microsoft Office documents sent through malicious spam (malspam). On Tuesday 2015-07-21, we found a sample to examine for today's diary. We used this example of Bartalex to infect a Windows host with Pony malware that downloaded a Dyre banking Trojan [2]. Example of the malspam T..
Searching Through the VirusTotal Database Now that my overview of Sysinternals tools with VirusTotal support is complete (Process Explorer, Autoruns and Sigcheck), let's address a couple of remarks I received (BTW, if I missed a Sysinternals tool, let me know with a comment). 1) Upload of files. Some people are worried that the Sysinternals tools will upload (confidential) files to VirusTotal. That is a valid concern, but for each tool ..
A .BUP File Is An OLE File Yesterday I mentioned that McAfee quarantine files on Windows (.BUP extension) are actually OLE files. I'm going to write a couple of diary entries highlighting some file types that are OLE files, and I'm starting with .BUP files. OLE files can be analyzed with my oledump tool. Here is an example with a .BUP file: As you can see, this quarantine file contains two streams: Details and File_0. Details..