Tag antivirus

InfoSec Week 49, 2017

The "Janus" Android vulnerability (CVE-2017-13156) allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. The vulnerability allows attackers to inject malware into legitimate application and avoiding detection.

According to the research by Hanno Böck, Juraj Somorovsky and Craig Young, the Bleichenbacher’s attack on RSA PKCS#1v1.5 encryption still works on almost 3% of the Alexa top million most visited websites. The researchers were even able to sign a message using Facebook’s private TLS key. Vendors like Citrix, F5, Cisco, and multiple SSL implementations are affected.

HP had a keylogger in the Touchpad driver, which was disabled by default, but could be enabled by setting a registry value.

There is a remote root code execution flaw (CVE-2017-15944) in the Palo Alto Networks firewalls.

Researchers from the Group-IB spotted the operations of a Russian-speaking MoneyTaker group that stole as much as $10 million from US and Russian banks.

Recorded Future analyzed costs of various cybercriminal services sold on the dark market.

Internet traffic for organizations such as Google, Apple, Facebook, Microsoft, Twitch were briefly rerouted to Russia.

Microsoft started rolling out an update for Malware Protection Engine to fix a remotely exploitable bug discovered by the British intelligence agency.

Avast open-sources RetDec machine-code decompiler for platform-independent analysis of executable files. It's based on LLVM.

Wireless network sniffer Kismet now supports the DJI DroneID UAV telemetry extensions.

Wazuh - Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.
It supports log management and analysis, integrity monitoring, anomaly detection and compliance monitoring.

Wifiphisher is an automated victim-customized phishing attacks against Wi-Fi clients.

InfoSec Week 45, 2017

Researchers exploited antivirus software quarantine mechanism to gain privileges by manipulating the restore process from the virus quarantine. By abusing NTFS directory junctions, the AV quarantine restore process can be manipulated, so that previously quarantined files can be written to arbitrary file system locations.

Wikileaks released source code of leaked CIA hacking tools and it indicates that the CIA used fake certificates attributed to Kaspersky Labs for signing their malware.

A security researcher has discovered factory application in OnePlus devices. It can be used to gain root privileges, dump photos, collect WiFi & GPS information.

There was a vulnerability in CouchDB caused by a discrepancy between the database’s native JSON parser and the Javascript JSON parser used during document validation. Because CouchDB databases are meant to be exposed directly to the internet, this enabled privilege escalation, and ultimately remote code execution, on a large number of installations.

Researchers from the Princeton university have been studying third-party trackers that record sensitive personal data that users type into websites, and the results are not good.

iPhone X's Face ID facial recognition security mechanism system was circumvented by Vietnam experts using a 3D mask.

Security researcher Maxim Goryachy reports being able to execute unsigned code on computers running the Intel Management Engine through USB.

Deep dive into the Facebook sextorcism scheme using fake young girls profiles by the guys from Marseille.

Long read about how the security breaches by the Shadow Brokers damaged the US National Security Agency.

Analysis of a low cost Chinese GSM listening and location device hidden inside the plug of a standard USB data/charging cable.

Privacy Pass is a browser extension for Chrome and Firefox, which uses privacy-preserving cryptography to allow users to authenticate to the services without compromising their anonymity. It uses blind signature schemes.

InfoSec Week 38, 2017

The ZNIU Android malware is exploiting Linux kernel "Dirty COW" vulnerability to install itself on a device and collect money through the SMS-enabled payment service.

Good introduction blog into the art of binary fuzzing and crash analysis demonstrated by fuzzing famous open-source Mimikatz software.

Security researcher Inti De Ceukelaire has gained access to company team pages by exploiting faulty business logic in popular third-party on-line helpdesks.

Server part of the Wire end-to-end encrypted instant messenger application is now open-source, but there are lots of external dependencies and no documentation yet.

A brief description behind the technology of a private contact discovery used in Signal messenger.

X41 IT Security company has released an in-depth analysis of the three leading enterprise web browsers Google Chrome, Microsoft Edge, and Internet Explorer.

A nice list of a various open-source honeypot projects available on-line.

SigThief - The script that will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file. It's not a valid signature BUT it's enough for some anti-viruses to flag the executable as trustworthy.