RSS feed

Downclimb: Summit Route’s Weekly Infosec News Recap
2015.05.24 – 2015.05.31:


“Worms written in 2001 are more capable of lateral movement than most pentesters” Chris Rolf


“Penetration testing & exploit development has to be < 1% of InfoSec jobs but if you listen to Twitter you’d think everyone was writing 0day.” Marcus Carey


“A doctor can tell his patients don’t eat Twinkies. Likewise we can’t force people to implement cybersecurity. Cyber Twinkies bro.” Marcus Carey


“Security reporters PLEASE get competing views and analysis - else you fall prey to being the PR arm of security vendors.” Robert M. Lee


“In 2013, Bitcoin miners collectively performed ≈ 2^75 SHA-256 hashes in exchange for bitcoin rewards worth ≈ US$257M” Nadim Kobeissi


“Once upon a time people thought the Internet was anonymous because IP addresses don’t include names. Now they think that about Bitcoin.” zooko

Top stories

The Cost of Bad Threat Intelligence

In the world of anti-virus, one of the worst things you can have happen is a False Positive (FP), especially one that causes you to block vital Windows processes (like svchost) from running, causing the system to be bricked. This problem isn’t discussed with regards to Threat Intelligence, usually because the result is just more alerts, but this is still a problem.


Sourceforge has hijacked the GIMP for Windows repo and is distributing adware-riddled binary installers instead

Sourceforge was a popular place to host open-source projects before Github. Unfortunately, in recent times, it has begun adding adware to binaries users download from the site.

  • GIMP developer’s complaint:
  • Sourceforge’s response:

Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities

30% of the docker images in the official repositories use old software that are vulnerable to various attacks (Shellshock, Heartbleed, etc.). Images pushed by users contain more. This article discusses this problem and also provides a tool to scan docker images.


A New UAC Bypass Method that Dridex Uses

Interesting UAC bypass on Windows 7 used by Dridex malware leverages application compatibility files (.sdb files).


An Exploit Kit dedicated to CSRF Pharming

This exploit kit tries to exploit SOHO routers via CSRF to change the DNS settings. It will also try to brute-force the credentials of the router to login and perform this action.


Dissecting Linux/Moose: a Linux Router-based Worm Hungry for Social Networks

This worm infects routers. It’s main focus seems to be social networking fraud, but it will also change the DNS settings on the router and kill and other malware processes on the router.


Blockchain wallet crypto issues

Blockchain is the name of a bitcoin company that, amongst other things, provides a wallet app for Android. Crypto issues stemming from poorly acquired random allowed some bitcoin users to have funds stolen. Specifically:

  • When initializing things for their random they don’t bail on failure.
  • They get a seed from (slightly odd in itself), and do so over HTTP (which could be MiTM’d).
  • was changed to force people to use HTTPS, so the request was always returning a 301 to this app, resulting in the same seed (a redirect message) always being used.

Whether or not you believe bitcoin can compete as a legitimate currency, the flaws in the applications and services that use it are enough of a deterrent for many.

  • Android announcement on the issue (no technical info):
  • User comment (technical info):

Newspaper News


Conference materials and publications


  • Selfie: A Tool to unpack self-modifying code using DynamoRIO.
  • detux: This “Linux Sandbox” site provides some basic dynamic analysis of linux samples on x86, x86-64, ARM, MIPS and MIPSEL cpu architecture. It looks like right now it only shows what IP’s samples connect to. This looks like it could be the start of a Linux version of what is.
  • IdaRef: A plugin for IDA Pro that gives full documentation for assembly instructions for x86-64 and ARM.

Other reads

  • Meet ‘Tox’: Ransomware for the Rest of Us: Ransomware now has an easy to use service for generating your own ransomware.
  • iPrint Client: nipplpt.sys vulernabilities: If you’re interested in looking at driver vulnerabilities on Windows, Google Project Zero just released 6 privilege escalation vulns they found in a single driver.
  • The Empire Strikes Back Apple – how your Mac firmware security is completely broken: EFI attack on Apple Macs.
  • Security Monitoring with Attack Behavior Based Signatures: Shows how to use sysmon to identify malicious behavior.
  • OceanLotus: This is an APT report published by SkyEye Lab of Qihoo 360 (a Chinese security firm) about a threat against the Chinese government. There isn’t much that caught by eye in trying to read Google’s translation, other than this appears to be an Apple OSX malware campaign. The most exciting part though is simply that it’s great to see Chinese security firms pushing out reports similar to the US firms, and funny to see them use the term APT as well, especially with regards to a threat against the Chinese government, since this term was coined as a way of describing threats assumed to be originating from the Chinese government.