Posted in SANS on April 17th, 2012 by SANS NewsBites
A new piece of malware that infects Mac OS X computers through a Java vulnerability has been detected.......
Posts Tagged ‘sans’
Posted in SANS on April 17th, 2012 by SANS NewsBites
Apple has released a tool to wipe the Flashback Trojan horse program from infected computers.......
Posted in SANS on April 17th, 2012 by SANS NewsBites
Australia's Defence Signals Directorate has approved the use of Apple's iOS in certain "classified Australian government communications.......
Posted in SANS on April 16th, 2012 by ISC Handler
Thanks to reader Dan for sharing the following information:
McAfee has confirmed that incremental DAT 6682 may trigger message scan failures and a system crash in GroupShield Exchange (MSME), GroupShield Domino, and McAfee Email Gateway 7 (MEG). McAfee recommends that customers do NOT upload DAT 6682.
More information will be available on the McAfee KnowledgeBase (https://mysupport.mcafee.com) in article KB70380 (https://kc.mcafee.com/corporate/index?page=contentid=KB70380). Please check back to this KB article for further updates. (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
McAfee has confirmed that incremental DAT 6682 may trigger message scan failures and a system crash in GroupShield Exchange (MSME), GroupShield Domino, and McAfee Email Gateway 7 (MEG). McAfee recommends that customers do NOT upload DAT 6682.
More information will be available on the McAfee KnowledgeBase (https://mysupport.mcafee.com) in article KB70380 (https://kc.mcafee.com/corporate/index?page=contentid=KB70380). Please check back to this KB article for further updates. (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Special Webcast: Managing Third Party Risk for SMEs – Tuesday June 19, 2012 (9:00 AM EDT)
|
Comments Off
Posted in WebCasts on April 16th, 2012 by SANS Institute - ALL Upcoming Webcasts
Featuring: Jim Herbeck
Please visit http://www.sans.org/webcasts/show.php?webcastid=95239 for complete information and to access this event.
Special Webcast: Managing System-related Risk for SME’s – Tuesday May 15, 2012 (9:00 AM EDT)
|
Comments Off
Posted in WebCasts on April 16th, 2012 by SANS Institute - ALL Upcoming Webcasts
Featuring: Jim Herbeck
Please visit http://www.sans.org/webcasts/show.php?webcastid=95141 for complete information and to access this event.
Special Webcast: Managing Legal, Regulatory, and Compliance risk for SME’s – Tuesday April 17, 2012 (9:00 AM EDT)
|
Comments Off
Posted in WebCasts on April 16th, 2012 by SANS Institute - ALL Upcoming Webcasts
Featuring: Jim Herbeck
Please visit http://www.sans.org/webcasts/show.php?webcastid=95076 for complete information and to access this event.
Posted in SANS on April 16th, 2012 by ISC Handler
Following up on last weeks challenge I'd like to add a new element to the challenge, then review some of the EXCELLENT comments we received from our readers. First lets add a new element to the challenge and see how you can creatively make use of symbolic links on Windows. I'll throw a few things out there to get the ball rolling.
1) Using Infinitely recursive directories to defeat directory searching scripts: As described in this excellent presentation on Offensive Countermeasures by my friends John Strand and Paul Asodoorian, you can create symbolic links to the current working directory to cause directory searches to get stuck in an infinite loop. They begin talking about it at the 25 minute mark in this video ::http://www.youtube.com/watch?v=p0gWAbMjg1U In short you can create symbilic link directories to the current directory and cause anyone searching your hard drive (including malware and antivirus scans) to get caught in an infinite loop.
2) Create links to devices such as boot sector and to alternate data streams:
You can use symbolic links to access items in alternate data streams and items in disk partitions that are normally not easily accessed. For example, if you have a separate boot partition you can use symbolic links to access it and even hide files in It.
http://pauldotcom.com/2010/10/windows-7-symbolic-links-and-h.html
3) Symbolic links to Volume Shadow Copies:
Windows Volume shadows copies automatically maintain backups of the last 5-15 percent of all changes on your computer. It is a bit like Apple's time machine without the fancy GUI or the offline storage. This link shows you how to step back in time and see exactly what was on your systems a few days ago. Oh, You thought you deleted those files? You might want to check this out.
http://computer-forensics.sans.org/blog/2011/06/09/vscs-logparser
Interesting, you can also stage malware in volume shadow copes and then execute the malware directly from the shadow copy.
http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows
So there you go. What can you do with Symbolic links? We still don't have an explanation for the error message or strange behavior noted in the last challenge. What can you tell us about them? POSTACOMMENT or SENDMEANEMAIL! If you missed them here are some of the great comments we got from readers of the last challenge:
Original Comments and challenge are here:https://isc.sans.edu/diary/Challenge+What+can+you+do+with+funky+directory+names+/12958
Readers comments: Add space to filename to bypass Digital signatures on Microsoft policies.
This was a very interesting comment from reader Aaron. It seems that Aaron had some success bypassing digital signature checks. He reports that the process that checks a digital signature may ignore spaces at the end of the file causing windows to check the actual file with a good signature. The result is that malware named svchost.exe (svchost.exe with a space at the end)may appear to be digitally signed to some apps. That's all I'll say about that one.
Reader comments: Creating Extended character directory names with the alt key/numeric keypads.
As you probably know, we can use the ALTkey and the Numeric keypad to type extended ASCIIcharacters. Combine that with the ability to create files and directories with normally prohibited characters and you've got some PRETTYdirectories on your hands. Create smiley fact, hearts, diamonds and other interesting directories on your windows systems.
http://alt-codes.org/laptop/
Reader comments: Still no answer for the strange 8.3 names given to files/directories
We had several excellent comments and emails on the strange 8.3 directory names created when you create a directory or file with a character in its name that is prohibited by the normal file/directory creation process. Normally 8.3 shortnames are only given to files or directories that are longer than 8 characters in length. In this case, the 8.3 names are assigned seemingly at random to these files event though they are not more than 8 characters long.
HEY! I'm teaching SANSSEC560 BOOTCAMP Style in Augusta GA June 11th - 16th. Sign up today! http://www.sans.org/community/event/sec560-augusta-jun-2012
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
1) Using Infinitely recursive directories to defeat directory searching scripts: As described in this excellent presentation on Offensive Countermeasures by my friends John Strand and Paul Asodoorian, you can create symbolic links to the current working directory to cause directory searches to get stuck in an infinite loop. They begin talking about it at the 25 minute mark in this video ::http://www.youtube.com/watch?v=p0gWAbMjg1U In short you can create symbilic link directories to the current directory and cause anyone searching your hard drive (including malware and antivirus scans) to get caught in an infinite loop.
2) Create links to devices such as boot sector and to alternate data streams:
You can use symbolic links to access items in alternate data streams and items in disk partitions that are normally not easily accessed. For example, if you have a separate boot partition you can use symbolic links to access it and even hide files in It.
http://pauldotcom.com/2010/10/windows-7-symbolic-links-and-h.html
3) Symbolic links to Volume Shadow Copies:
Windows Volume shadows copies automatically maintain backups of the last 5-15 percent of all changes on your computer. It is a bit like Apple's time machine without the fancy GUI or the offline storage. This link shows you how to step back in time and see exactly what was on your systems a few days ago. Oh, You thought you deleted those files? You might want to check this out.
http://computer-forensics.sans.org/blog/2011/06/09/vscs-logparser
Interesting, you can also stage malware in volume shadow copes and then execute the malware directly from the shadow copy.
http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows
So there you go. What can you do with Symbolic links? We still don't have an explanation for the error message or strange behavior noted in the last challenge. What can you tell us about them? POSTACOMMENT or SENDMEANEMAIL! If you missed them here are some of the great comments we got from readers of the last challenge:
Original Comments and challenge are here:https://isc.sans.edu/diary/Challenge+What+can+you+do+with+funky+directory+names+/12958
Readers comments: Add space to filename to bypass Digital signatures on Microsoft policies.
This was a very interesting comment from reader Aaron. It seems that Aaron had some success bypassing digital signature checks. He reports that the process that checks a digital signature may ignore spaces at the end of the file causing windows to check the actual file with a good signature. The result is that malware named svchost.exe (svchost.exe with a space at the end)may appear to be digitally signed to some apps. That's all I'll say about that one.
Reader comments: Creating Extended character directory names with the alt key/numeric keypads.
As you probably know, we can use the ALTkey and the Numeric keypad to type extended ASCIIcharacters. Combine that with the ability to create files and directories with normally prohibited characters and you've got some PRETTYdirectories on your hands. Create smiley fact, hearts, diamonds and other interesting directories on your windows systems.
http://alt-codes.org/laptop/
Reader comments: Still no answer for the strange 8.3 names given to files/directories
We had several excellent comments and emails on the strange 8.3 directory names created when you create a directory or file with a character in its name that is prohibited by the normal file/directory creation process. Normally 8.3 shortnames are only given to files or directories that are longer than 8 characters in length. In this case, the 8.3 names are assigned seemingly at random to these files event though they are not more than 8 characters long.
HEY! I'm teaching SANSSEC560 BOOTCAMP Style in Augusta GA June 11th - 16th. Sign up today! http://www.sans.org/community/event/sec560-augusta-jun-2012
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
ISC StormCast for Sunday, April 15th 2012 http://isc.sans.edu/podcastdetail.html?id=2467, (Sun, Apr 15th)
|
Comments Off
Posted in SANS on April 15th, 2012 by ISC Handler
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Posted in SANS on April 14th, 2012 by ISC Handler
Earlier in the week Apple released a Java update which included software to remove the Flashback Trojan from OSXLion machines running Java.
The Flashback Trojan removal tool is now also available for OS X Lion machines not running Java. This Flashback malware removal tool is available through the OSXSoftware Update tool, or from Apple's downloads site at http://www.apple.com/support/downloads/
-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected) (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The Flashback Trojan removal tool is now also available for OS X Lion machines not running Java. This Flashback malware removal tool is available through the OSXSoftware Update tool, or from Apple's downloads site at http://www.apple.com/support/downloads/
-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected) (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Search
Music to c0d3 too:- Strictly Mau5 – 04/04/2011
- Uplifting Trance Vibes – 10/02/2011
- Electro Pop Part Two – 27/12/2010
- Electro Pop Part One – 10/08/2010
- Easter Progressive 06/04/2010
- DeepDivin – 25/03/2010
- Dirty Friday – 05/03/2010
- Sunny Side Up 25/01/2010
- Christmas Messin Around 21/12/2009
- Rolling House Beats – 15/08/2009
- Electro-Fied – 04/08/2008
- Dirty House (16/07/2008)
- Hard House 05/04/2003
- Hard Trance 06/05/2002
- Progressive House Mix 20/10/2001
- Summer House Mix 20/09/2001
- Old School House 14/09/2001
- Euphoric Hard House 16/02/2001
- Stompin Pumpin Hard House 17/12/2000
- Hard House Happiness 02/12/2000