W32.Downadup.C Digs in Deeper

March 7, 2009 – 7:46 AM

Symantec’s ongoing monitoring of Downadup (a.k.a. Conficker) has today resulted in the observation of a completely new variant being pushed out to systems that are already infected with Downadup. After taking into account the hype surrounding some other recent reports of variants of Downadup, Symantec is calling this new variant W32.Downadup.C.

Our analysis of the sample in question is still ongoing and at an early stage, but our initial findings have already revealed some interesting new attributes for this sample. It does not seem to be using any existing or new means to spread the threat to new machines. It is targeting antivirus software and security analysis tools with the aim of disabling them. Any processes found on an infected machine that contain an antivirus or security analysis tool string from the list below are killed:

• wireshark
• unlocker
• tcpview
• sysclean
• scct_
• regmon
• procmon
• procexp
• ms08-06
• mrtstub
• mrt.
• mbsa.
• klwk
• kido
• kb958
• kb890
• hotfix
• gmer
• filemon
• downad
• confick
• avenger
• autoruns

Also, in response to the security industry’s success in cracking the W32.Downadup.B domain-generation algorithm used for communicating with the command & control server, the subsequent registration of those domain names for monitoring purposes, and the resulting publication of findings, the Downadup authors have now moved from a 250-a-day domain-generation algorithm to a new 50,000-a-day domain-generation algorithm. The new algorithm also draws each domain’s suffix from one of 116 possible domain suffixes.
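As an added illustration of why the jump from 250 to 50,000 domains a day matters to the people registering them for monitoring (this is example code written for this page, not Symantec’s, and the generator is a deliberately simple hypothetical scheme, not Conficker’s real algorithm), the block below reproduces a day’s candidate list the way a defender who has reversed the algorithm would, then uses it as a watchlist over a few constructed DNS query log lines. The suffix list, the BIND-style log format, the client addresses and the SHA-256 construction are all assumptions.

```python
# Added example (not Symantec's code and not Conficker's actual algorithm): a toy
# date-seeded domain generator plus the defender-side step of reproducing the
# day's candidate list and matching it against DNS query logs.
import datetime
import hashlib
import re

# Constructed suffix list standing in for the 116 suffixes the post mentions.
SUFFIXES = ["com", "net", "org", "info", "biz", "cc", "ws", "cn"]
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Rates quoted in the post: the old .B algorithm and the new .C algorithm.
OLD_PER_DAY = 250
NEW_PER_DAY = 50_000

DAY = datetime.date(2009, 3, 7)
NEXT_DAY = datetime.date(2009, 3, 8)


def toy_dga(day, count, suffixes=SUFFIXES):
    """Return `count` deterministic domains for `day`.

    Hypothetical scheme: label and suffix are both read out of
    SHA-256(ISO date || counter). Anyone holding the algorithm and the date
    (bot or defender) reproduces exactly the same list.
    """
    seed = day.isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 5            # labels of 8..12 letters
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        suffix = suffixes[digest[31] % len(suffixes)]
        domains.append(f"{label}.{suffix}")
    return domains


# Constructed DNS query log lines in a BIND-style format (an assumption, not
# anything from the post). Two entries are filled with DGA domains at run time.
SAMPLE_LOG = """\
07-Mar-2009 08:01:12.004 client 10.0.0.12#51234: query: www.example.com IN A
07-Mar-2009 08:01:15.221 client 10.0.0.45#40001: query: {d0} IN A
07-Mar-2009 08:01:15.902 client 10.0.0.45#40002: query: {d1} IN A
07-Mar-2009 08:02:03.110 client 10.0.0.12#51240: query: mail.example.org IN MX
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN ")


def build_sample_log(day, count):
    """Embed two of the day's generated domains into the constructed log."""
    doms = toy_dga(day, count)
    return SAMPLE_LOG.format(d0=doms[3], d1=doms[17])


def flag_dga_lookups(log_text, day, count):
    """Map client IP -> list of queried names that appear on `day`'s DGA list.

    This is the defender's side of the arms race the post describes: once the
    algorithm is known, the list for any date can be precomputed and used as a
    watchlist (or for sinkhole registration), at a cost that grows with `count`.
    """
    todays = set(toy_dga(day, count))
    hits = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        if name in todays:
            hits.setdefault(m.group("ip"), []).append(name)
    return hits


if __name__ == "__main__":
    for rate in (OLD_PER_DAY, NEW_PER_DAY):
        print(f"{rate:>6} domains/day -> {rate * 30:>9} registrations to cover one month")
    log = build_sample_log(DAY, NEW_PER_DAY)
    print(flag_dga_lookups(log, DAY, NEW_PER_DAY))
```

Running the script shows the two lookups from 10.0.0.45 flagged against the 50,000-entry list for 7 March 2009 and nothing flagged against the following day’s list. Matching a log against a precomputed list stays cheap at either rate; what the 200-fold increase (and the spread across 116 suffixes) changes is the registration side, since a monitoring party must now pre-register or sinkhole a far larger set per day to keep observing the botnet.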

These early findings may suggest that the Downadup authors are now aiming to increase the longevity of the existing Downadup threat on infected machines. Rather than trying to infect further systems, they appear to be protecting currently infected Downadup machines from antivirus software and remediation. We are not currently seeing an increase in customer infections for this threat, but we are keeping a close eye on it.

Symantec is continuing to work with other industry leaders to mitigate the spread and damage caused by W32.Downadup. The most effective step that organizations and end users can take is to ensure that their computers have up-to-date antivirus software and patches.

Source:
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245#A249

Education vs Experience?

March 6, 2009 – 4:58 PM

How do you transition from being a recent graduate from a Security degree to actually getting into the field to gain real-world experience?  I thought for sure this Bachelor’s in Information Systems Security would be my key and that I would be in high demand for any company.  Now, I am evaluating my options and seeing that I really don’t have too many more than I did 4 years and $97,000 ago.  Here’s the typical interview:

Interviewer: Tell me about yourself.
Me: <insert biography here>
Interviewer: Tell me about firewalls and IDS/IPS systems.
Me: <insert definitions and descriptions here to show complete understanding>
Interviewer: <nods with approval>
Interviewer: What port and protocol does DNS use?
Me: UDP on port 53, typically.
Interviewer: <nods with approval>
Interviewer: Do you know about system/network penetration and prevention methods?
Me: Yes, I’m currently studying for my CEH and hope to obtain that very soon.
Interviewer:  Very good.  <more nodding of course>
Interviewer: How many years of professional security related experience do you have?
Me: Currently, none.  I just graduated and am looking to jump into the field.
Interviewer: Sorry, we require at least 2-3 years of professional experience for this position.
Me: <blank stare>

Nice.  My question to existing security professionals and employers:  How does one obtain this *required* professional experience when companies will not give you the opportunity to get any?

Twitter closes SMS spoofing hole

March 6, 2009 – 8:30 AM

Twitter, the micro-blogging site, has closed an SMS spoofing security hole which, until Wednesday night, left accounts open to being hijacked. The vulnerability was due to an authentication weakness that allowed anyone who knew a user’s mobile number to spoof their messages, provided that the user’s mobile number was set up to post and receive Twitter messages.

The hijack was possible because Twitter determined where to post the messages from the “sender ID” field, the area in all text messages that contains the sender’s mobile telephone number. According to Security Fix, an attacker could use an SMS (short message service) spoofing service, such as my-cool-sms.com or phonytext.com, to mask the phone number for the original text call by replacing the “from” or “sender ID” field with the mobile number of a Twitter user and then sending a message. The message would be immediately posted to that user’s Twitter page.

By using Twitter’s “text commands,” an attacker could have enabled or disabled another user’s phone notifications, and users could have been forced to follow other Twitter users. The vulnerability also let an attacker change a user’s settings so that they would stop receiving notifications from specific users on their list, or make other Twitter users start following their Tweets.
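To make the design flaw concrete, here is an added example (written for this page; it is not Twitter’s code, and the PIN scheme is an illustrative hardening, not a description of how Twitter actually closed the hole). It models a gateway that routes an inbound text purely by the sender-ID header, beside a version in which the sender ID only selects a candidate account and the message body must also carry a per-account PIN. The account, phone number, PIN and the two text commands are constructed.

```python
# Added example (not Twitter's code, and not a description of how Twitter
# actually closed the hole): a minimal SMS-to-post gateway routed purely by the
# sender-ID header, beside a hardened version that requires a per-account PIN
# in the message body. Accounts, numbers and the PIN scheme are constructed.
import hmac
from dataclasses import dataclass, field


@dataclass
class Account:
    handle: str
    phone: str          # number registered for posting by SMS
    device_pin: str     # secret the real owner prepends to commands (assumed scheme)
    timeline: list = field(default_factory=list)
    notifications: bool = True


def apply_command(acct, body):
    """Tiny stand-in for the text commands the post mentions."""
    cmd = body.strip().lower()
    if cmd == "off":
        acct.notifications = False
    elif cmd == "on":
        acct.notifications = True
    elif cmd:
        acct.timeline.append(body.strip())


class InsecureGateway:
    """Routes every inbound SMS by its sender-ID alone: the flaw the post describes."""

    def __init__(self, accounts):
        self.by_phone = {a.phone: a for a in accounts}

    def receive(self, sender_id, body):
        acct = self.by_phone.get(sender_id)
        if acct is None:
            return None
        apply_command(acct, body)      # anyone who forged sender_id gets here
        return acct.handle


class PinGateway(InsecureGateway):
    """Sender-ID only selects a candidate account; the body must carry a valid PIN."""

    def receive(self, sender_id, body):
        acct = self.by_phone.get(sender_id)
        if acct is None:
            return None
        pin, _, command = body.strip().partition(" ")
        # Constant-time compare (as bytes) so a wrong PIN is not distinguishable by timing.
        if not hmac.compare_digest(pin.encode(), acct.device_pin.encode()):
            return None                # forged sender-ID without the PIN is rejected
        apply_command(acct, command)
        return acct.handle


def run_spoof_scenario(gateway_cls):
    """Deliver a message whose sender-ID has been forged to the victim's number."""
    victim = Account("victim", "+15551230000", "4821")
    gw = gateway_cls([victim])
    result = gw.receive(sender_id="+15551230000", body="I never wrote this")
    return result, list(victim.timeline)


def run_legit_scenario():
    """The real owner, who knows the PIN, can still use a text command."""
    victim = Account("victim", "+15551230000", "4821")
    gw = PinGateway([victim])
    result = gw.receive("+15551230000", "4821 off")
    return result, victim.notifications


if __name__ == "__main__":
    print("insecure:", run_spoof_scenario(InsecureGateway))
    print("hardened:", run_spoof_scenario(PinGateway))
    print("owner:   ", run_legit_scenario())
```

The insecure gateway posts the forged message to the victim’s timeline; the PIN gateway returns `None` and leaves the timeline empty, while the owner’s “4821 off” still turns notifications off. The general point is that a header the network does not verify is not an authenticator. A PIN carried in the body counters sender-ID forgery but not interception of the SMS itself, so a production design would also rate-limit commands and confirm sensitive changes out of band.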

Source:
http://www.h-online.com/security/Twitter-closes-SMS-spoofing-hole-Updated–/news/112786

Next Generation War-Dialing Tool On Tap

March 6, 2009 – 7:22 AM

War-dialing is back, and it’s not limited to finding modems anymore. Renowned researcher HD Moore is putting the final touches on his latest project — a telephone auditing tool that also finds PBXes, dial tones, voicemail, faxes, and other phone line connections for security assessment, research, or inventory.

This is not your father’s war-dialer: The so-called WarVOX is free, Linux-based software (no telephony hardware necessary) that uses voice over IP services to place calls. It looks at the audio in a call and is much faster than old-school war-dialing, scanning more than 1,000 phone numbers per hour over a residential broadband connection, and up to 10,000 in eight hours.

Moore says WarVOX is aimed at security auditors and penetration testers looking for a faster and cheaper way to detect phone system vulnerabilities. “Right now, the target audience for WarVOX is anyone who currently uses legacy war-dialing tools and is frustrated by the amount of time and money it takes to perform the audit,” Moore says.

Traditional war-dialing has been on the decline in the broadband age. “Most security service providers that offer penetration tests still perform war-dialing for their clients. However, as a rule war-dialing has been a declining trend as fewer and fewer systems are left connected to modems,” Moore says.

WarVOX, he says, is simple to use and can provide a wealth of security information for organizations looking at their phone-line security posture. PBX voice system lines, for example, can harbor security holes that could put an enterprise at risk. “After playing with WarVOX over the last few weeks, I was surprised at how many lines I have found that expose some sort of security risk,” Moore says. “This includes the administrative interfaces to PBXes, lines that drop you to a fresh dial tone after a dozen rings, internal directories for large companies, and tons of sensitive information.”

Source:
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=215800791&cid=RSSfeed

Tigger Trojan Keeps Security Researchers Hopping

March 5, 2009 – 5:35 AM

It’s malware that actually removes other malware from its victims’ PCs. And so far, nobody is exactly sure how it’s being distributed.

Security experts this week are buzzing about a new Trojan called Tigger.A, also known as Syzor. The data-stealing malware has quietly claimed about 250,000 victims since it was first spotted by security intelligence company iDefense in November, according to a Washington Post report.

Tigger.A allows attackers to gain access to “administrator” privileges on Windows machines, even if the user himself doesn’t have those privileges, according to the report. It takes advantage of a vulnerability (MS08-066) in Windows’ “privilege escalation” feature that Microsoft revealed — and patched — in October.

“Tigger removes a long list of other malicious software titles, including the malware most commonly associated with Antivirus 2009 and other rogue security software titles,” the report says. “iDefense analysts say this is most likely done because the in-your-face, “Hey, your-computer-is-infected-go-buy-our-software!” type alerts generated by such programs just might tip off the victim that something is wrong with his system, and potentially lead to all invaders getting booted from the host PC.”

The Trojan also installs a rootkit on the infected system that loads even when the system is started up in safe mode, iDefense researcher Michael Ligh says in the report. “The scary part is, none of us are really sure how Tigger is even being distributed,” he said. “I look at a lot of info-stealing malware, and this is the first one I’ve seen in a while that goes to the trouble of removing other pieces of malware.”

Tigger’s ability to collect user data also is impressive, IT expert Michael Kassner notes in his blog.

“The Trojan uses a privilege escalation vulnerability which is almost an exact replica of the public exploit on Milw0rm,” the blog observes. “It disables Windows Defender, Windows Firewall, Outpost, Avira, Kaspersky, AVG, and CA products in unique ways such as posting malformed messages to windows owned by the daemon processes, sending special byte codes over named pipes, and using the products’ own API. It installs a rootkit that runs in safe mode [and] disables kernel debuggers.”

Source:
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=215800583&cid=RSSfeed