Friday, December 13, 2013

CPE: McAfee AudioParasitic: Episode 46: critical, out-of-cycle, Microsoft patch.

length: 00:18:37

Self-executing worms: Sasser (the biggest), Blaster.

Last week: knee-jerk reaction because it is an RPC vulnerability, given the way RPC has been exploited in the past; nowadays there are desktop and perimeter firewalls.

Lots of spyware being dropped.

The PoC was not mature, but it is not simply a buffer-overflow (b0f) PoC; it does something, though it is not at gov/org malware level.
When hackers find something hot, they don't wait too long, as the window of vulnerability will close.

Exploit via the wire: IPS is the best method to detect it.
But a self-executing worm will carry code that needs to spread, so from an AV perspective it should be detectable.
BUT the exploit can be done without any file needing to be written to disk.

SQL Slammer: fileless malware.
HIPS and generic b0f protection are a good way to mitigate.

Payload can be obfuscated, but the exploit cannot; the IPS DCE RPC signature is an old one.
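The point that the payload can be obfuscated but the exploit trigger cannot is easy to show with a small simulation. The following is an added example, not code from the podcast or from McAfee: it uses a constructed toy protocol (a 2-byte length field followed by a body; not DCE RPC), a hypothetical server that copies the body into a fixed 64-byte buffer, and compares a payload-hash signature with a signature that matches the exploit condition itself (a declared length larger than the buffer). The payload bytes, keys and buffer size are all made up for the demonstration.

```python
import hashlib
import struct

# Constructed toy protocol: 2-byte big-endian length, then the body.
# The hypothetical vulnerable server copies the body into a 64-byte buffer
# without checking the length field, so "declared length > 64" is the
# exploit condition an IPS can match regardless of what the body contains.
MAX_BODY = 64


def build_message(body: bytes) -> bytes:
    """Encode a toy-protocol message: length prefix plus body."""
    return struct.pack(">H", len(body)) + body


def xor_obfuscate(payload: bytes, key: int) -> bytes:
    """Simulate payload obfuscation: same payload, different bytes on the wire."""
    return bytes(b ^ key for b in payload)


def payload_hash_signature(msg: bytes, known_hashes: set) -> bool:
    """AV-style detection: match the body against hashes of known samples."""
    return hashlib.sha256(msg[2:]).hexdigest() in known_hashes


def exploit_condition_signature(msg: bytes) -> bool:
    """IPS-style detection: match the protocol-level exploit condition."""
    if len(msg) < 2:
        return False
    (declared,) = struct.unpack(">H", msg[:2])
    return declared > MAX_BODY


def run_demo() -> dict:
    # Constructed 80-byte stand-in for a payload (no real shellcode involved).
    payload = b"PAYLOAD-" * 10
    # Three wire variants of the same payload: key 0x00 is the original,
    # the others are obfuscated copies an attacker might ship instead.
    variants = [xor_obfuscate(payload, k) for k in (0x00, 0x13, 0xA7)]
    # The hash-based detector has only ever seen the first sample.
    known = {hashlib.sha256(variants[0]).hexdigest()}
    msgs = [build_message(v) for v in variants]

    hash_hits = [payload_hash_signature(m, known) for m in msgs]
    cond_hits = [exploit_condition_signature(m) for m in msgs]
    benign = build_message(b"hello")
    return {
        "hash_hits": hash_hits,          # [True, False, False]
        "cond_hits": cond_hits,          # [True, True, True]
        "benign_flagged": exploit_condition_signature(benign),  # False
    }


if __name__ == "__main__":
    print(run_demo())
```

The hash-based signature catches only the sample it already knows, while the condition-based signature fires on every variant and stays quiet on the benign message, which is why a protocol-level IPS signature for the exploit ages better than a signature on payload bytes.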

Not feasible for AV to scan memory all the time.
