Saturday, December 28, 2013

CPE: McAfee AudioParasitic: Episode 64: MS patch

length: 00:05:36

Only one bulletin
MS PPT bulletin affecting multiple platforms: Mac and Windows
14 vulnerabilities
Including one that has been exploited since April: PPT memory corruption (detected with exploit.PPT.K)
Nine relate to processing older PPT file versions and can lead to bad things, potentially remote code execution
IPS, HIPS and Foundstone cover them all
DAT coverage is still pending for some.


CPE: McAfee AudioParasitic: Episode 63: Torpig

length: 00:27:25

UCSB study on Torpig: taking over the botnet
They took over the botnet and collected a lot of data that confirms all the hype about botnets!!!

McAfee can never take over a botnet

In a 10-day period they collected a huge amount of data, which is beyond FUD

Once compromised, the attacker has FULL CONTROL

1.2 million Windows passwords
70 GB of data

AV companies cannot do this job, for ethical reasons

Top countries: US, IT, DE
China is number 7
Top targeted institutions: PayPal, Poste Italiane, Capital One, E*Trade


CPE: McAfee AudioParasitic: Episode 62: Conficker follow-up

length: 00:13:32

Dave and Jim discuss the 1 April date when something big was supposed to happen, but nothing interesting happened
It turned out there was P2P activity downloading fake AV and something MS08-067-like, to evade scanners.

Fascinating: Conficker, a virus that downloads fake AV and a fake MS08-067

Conficker seems to stay on top of countermeasures:
Fake MS08-067 to evade infection detection, forcing us to change the tool

New deadline: 5 May

Why download Waledac??? Nobody knows yet

Protection: Waledac.gen.b and FakeAlert-SpywareProtect activity associated with W32/Conficker.

People are so busy discussing Conficker that they forget about other big threats such as WinMM, Sality, etc.

It got out of control because not a lot of people were doing what they have to do:
- updating security software
- running scanners.

Gotta run a full scan, do a full reboot and run the scan again

People try to skip the full-scan procedure, but you have to do it.


CPE: McAfee AudioParasitic: Episode 61: Super Tuesday

length: 00:09:19

Big one
8 bulletins
12 vulnerabilities
5 critical

MS09-009: Excel, CVE-2009-0238, live malware active since Feb., exploit-msexcel-R

MS09-010: WordPad/Word 97, CVE-2008-4841, active since Dec.

MS09-011: DirectX MJPEG decompression vulnerability
Whole range of IE

MS09-015: blended threat vulnerability, search functionality.
Initially discovered on Safari (the ability for malware to be downloaded without any user intervention); it turned out to be an OS flaw.


Friday, December 27, 2013

CPE: McAfee AudioParasitic: Episode 60: Conficker special edition

length: 00:06:38
Very special AudioParasitic
Quick list of countermeasures against Conficker:

2009/03/30 DAT 3569 covers all variants of the Conficker worm.
Generic buffer overflow (b0f) protection will cover it as well
HIPS has a specific signature: 3961
IPS: protection using last October's NetBIOS vulnerability signature
Foundstone: did not have complete coverage; however, based on the honeynet, coverage has recently been added to accurately detect infected PCs
Vflash: remedy; the Stinger tool covers only Conficker
Document: finding suspicious files
Not all variants use the MS08-067 exploit.


CPE: McAfee AudioParasitic: Episode 59: Interview with SANS’ Lenny Zeltser, part 2/2

length: 00:26:22
SANS benefits from its diversity
SANS is fine with reporting things that are still in an early phase of investigation: it could be the beginning of something big or it could be nothing...

First-responder type of job, very stressful; gotta make a call

At the end of the day, low false positives are more important than 100% detection.

McAfee was the first to coin the term IPS

Lenny believes in the cloud; at the time it was called Application Service Provider

Biggest problem: people adopt before they design; they didn't consider the security ramifications
Virtualization: people made mistakes
Cloud: people will repeat the same mistakes

Web 2.0: a malware writer's dream

McAfee cloud (Artemis) allows them to gather a huge quantity of data and uses solely behavioral analysis: if the cloud detects something suspicious, it sends the sample to AVERT Labs; AVERT Labs analyzes it and sends the result back to the cloud.
This is very powerful and very interesting.

Allows reacting very quickly by leveraging the cloud.
Also uses DNS security
Very scalable

Samples gathered:
Actual zoo (everything): > 22 million
Unique samples

Closing word: if you don't pay attention you end up protecting against last year's threats.


CPE: McAfee AudioParasitic: Episode 58: Interview with SANS’ Lenny Zeltser, part 1/2

length: 00:25:17

Lenny Zeltser's background: developer, admin, network; all intersect in security
Then got involved in malware because of an interest in malware analysis

Sample sharing: the AV community is a closed world; you get samples if you know somebody
Nowadays closed malware sample sharing is a contradiction

Anybody can gather samples

Things that changed for the better:
- Behavioral signatures
- Companies protect their servers more
Things that got worse:
Biggest challenge: how to protect the client

Endpoint: anything that has data.
And if the data is valuable, it will become a target

Problem with malware naming: high volume & cross-pollination
Another challenge:
- Generic malware identification
- Difficulty for forensics: need specific information
Most AV companies prefer to eradicate malware (make generic detections), but sometimes specific information is needed for legal forensic analysis.

The need for malware writers to go to prison has never been as high as now.

When you bring business acumen to malware, that is not good for the good guys

Social engineering: the easiest way to steal someone's identity is to ask for it (Jim Walter)

COMMON SENSE is the best AV
