InfoSec Week 19, 2017

Posted on 16 May 2017

You have probably heard about the WannaCry/WannaCrypt/WannaWhatever worm spreading ransomware, because of the sensation created by parties profiting from the scare tactics. But also because it is using really good spreading technique - exploiting MS17-010 SMB vulnerability leaked from the NSA.
Some post-mortem analysis of the first version (with the killswich) and TheShadowBrokers blog are listed below. Crypto is working, so no trivial decrypter is probable, except if the keys are published.

Nice analysis of a P2P botnet. The researchers determined the botnet size by injecting fake nodes to the network, as well as using crawling.

Fatboy Ransomware-as-a-Service is using The Economist’s Big Mac Index to calculate the ransom amount.

Tor hidden service operator is analysing bots used to enumerates and attack hidden services.

Google Project Zero post about the process of discovering CVE-2017-7308 vulnerability. Found by fuzzing, with the later exploitation to escalate privileges.

Wikileakes released "AfterMidnight" and "Assassin " malware frameworks designed, two CIA malware frameworks for the Microsoft Windows platform. Those services allow operators to dynamically load and execute malware payloads on a target machine & exfiltrate the data.

A Security researcher Thorsten Schroeder discovered that an audio driver shipped on dozens HP laptops and tablet PCs logs keystrokes. It's actually a badly written application outputting pressed keystrokes to the debug output, so everyone is able to list them using MapViewOfFile function.

malwaresearch - A command line tool to find malware samples on the It's possible to use the various hashes or common name.

Comments !