Downclimb

2014.11.28

Downclimb: Summit Route’s Weekly Infosec News Recap
2014.11.21 – 2014.11.28: https://SummitRoute.com

Quotes

“It’s funny, the intellectual property of malware authors become the trade secrets of AV companies” @McGrewSecurity

Top stories

less and many other standard Linux tools vulnerable due to too many features

On CentOS, Ubuntu, and other Linux distros, the simple “less” command calls into a large number of third-party libraries, such as ancient and obscure compression utilities and doc converters. These were never written to handle malicious input, and thus could result in RCE. lcamtuf is uncovering many problems in old linux utilities (such as the bugs he found recently in “strings”). It appears many of these old GNU tools will need to be simplified.

http://seclists.org/oss-sec/2014/q4/769

Regin

Symantec released a report on a “newly” discovered advanced malware family named Regin[1]. Although it has not been discussed much in the past, it has been known about since at least 2009, according to F-Secure[3], and AV has been detecting it. It’s targets include telecom operators, government institutions, financial institutions, and individuals involved in advanced cryptographic research, among others. Kaspersky’s write-up is the most interesting read[4].

Some interesting points:

The malware incorporates code from open-source projects, making it difficult to write detections for.
Uses NTFS Extended Attributes to hide large files, which is similar in a lot of ways to old Alternate Data Streams, but more difficult to create and access than simply appending a colon to a filename.
Inserts a Certificate Authority into the system so it’s fake certs will appear trusted on that system.
Contains module for manipulating a GSM Base Station Controller.
Uses P2P for communications so certain hosts only communicate with certain other hosts, making traffic analysis more difficult.
Uses somewhat uncommon algorithms: nrv2 for compression and slightly more common (for malware) RC5 for encryption.

References:

Original paper: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf
Samples, yara sigs, and mention that this has been “detected since 2011”: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3602
https://www.f-secure.com/weblog/archives/00002766.html
https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf

Business

VUPEN moving due to new EU laws: The EU added exploits and trojans to it’s control list of dual use items earlier this month. The result of this has not been to stop those who sell such things, but rather is just forcing them to move. VUPEN, a French offensive security vendor, is moving to Luxembourg and Singapore. It also already has a satellite office in Maryland.

Publications and Conference materials

PoC or GTFO 0x06: A zine that tends to focus on doing weird things with file formats.
BlueHat Fall 2014: Microsoft’s invite only conference.
BSides Winnipeg

a16z is a great podcast from the venture capitalist company Andreessen Horowitz. In this episode they discuss the “End of Ownership”. You’ve probably heard that Generation Y doesn’t care to own cars like previous generations, and this concept of being able to pay to rent or use things, but not own them, is becoming more prevalent. For those of us in security this becomes especially relevant because much of security is based on controlling and monitoring things for it’s entire life cycle which implies ownership. The concept of cloud computing and being able to rent servers from Amazon’s AWS or DigitalOcean has often been considered within the context of security, but there are likely lessons that can be learned from other areas of commerce where renting takes place.

http://a16z.com/2014/11/17/the-end-of-ownership/

Tools

Santa: Unofficial Facebook project Santa provides process white-listing on OSX