
Facebook lifts Tor ban, offers encrypted onion access point

Anonymized traffic now A-OK

Facebook has changed its stance on Tor traffic and will now provide users with a way to connect to its social network using the anonymizing service.…

Posted: 31 Oct 2014 | 2:46 pm

CVE-2014-4115 Analysis: Malicious USB Disks Allow For Possible Whole System Control

One of the bulletins in the October 2014 Patch Tuesday cycle was MS14-063, which fixed a vulnerability in the FAT32 disk partition driver that could allow an attacker to gain administrator rights on affected systems using only a USB disk with a specially modified file system. This vulnerability was also designated CVE-2014-4115.

Why is this vulnerability unusual?

We pay close attention to file system drivers because they can be used to attack systems via USB drives. Consider the earlier Stuxnet case: it spread using one vulnerability in Windows shortcuts to easily run code from the Windows shell, and a second vulnerability to gain administrator rights. A vulnerability in a file system driver can perform what would normally be two separate steps in just one.

CVE-2014-4115 is found in the file system driver (FASTFAT.SYS) of Windows Vista, Server 2003, and Server 2008. This driver is responsible for handling fast FAT file systems (like FAT32). The vulnerability can be triggered when handling boot sectors with a specific BIOS Parameter Block (BPB) on FAT32-formatted drives.

FAT32 is still commonly used today in USB flash disks. Because of this, a targeted attack can be carried out using this vulnerability. Suppose that a specially crafted USB disk somehow ends up plugged into the laptop of a senior executive or a PC on that company’s intranet. Those systems can then be controlled by outside actors and potentially used in targeted attacks.

Timely patching by system administrators would have reduced the risk of falling victim to this attack. Enterprise system administrators should also reconsider existing policies on the use of USB media within corporate networks.

What and where is the vulnerability?

As we noted earlier, the vulnerability is found in FASTFAT.SYS. Comparing the vulnerable version and the patched version, there is only one difference: the function FatCommonWrite().

Figure 1. Difference between original and patched FASTFAT.SYS

In the patched version, the second parameter (NumberOfBytes) is multiplied by 0x18 before ExAllocatePoolWithTag is called.

The prototype of ExAllocatePoolWithTag() is as follows:

PVOID ExAllocatePoolWithTag(
    _In_ POOL_TYPE PoolType,
    _In_ SIZE_T    NumberOfBytes,
    _In_ ULONG     Tag
);

The bug itself is very simple. The developer calculated the size of the memory to be allocated incorrectly: he forgot to multiply the number of structures by the size of a single IO_RUN structure. This leads to out-of-bounds heap (pool) writes in the instructions that follow.

The pseudocode around the vulnerability can be described as follows (elided arguments and surrounding code are shown as "..."):

NTSTATUS FatCommonWrite( ... )
{
    ...
    if (TypeOfOpen == VirtualVolumeFile) {
        ULONG   BytesPerFat;
        IO_RUN  StackIoRuns[2];
        PIO_RUN IoRuns;

        BytesPerFat = FatBytesPerFat( &Vcb->Bpb );

        if ((ULONG)Vcb->Bpb.Fats > 2) {
            // Only taken when the volume claims more than two FATs
            IoRuns = FsRtlAllocatePoolWithTag( ...,
                         (ULONG)(Vcb->Bpb.Fats),   // Actual vulnerability: missing * sizeof(IO_RUN)
                         ... );
        } else {
            IoRuns = StackIoRuns;                  // two entries on the stack
        }

        // Each iteration writes one full IO_RUN (0x18 bytes) into IoRuns
        for (Fat = 0; Fat < (ULONG)Vcb->Bpb.Fats; Fat++) {
            IoRuns[Fat].Vbo       = StartingDirtyVbo;
            IoRuns[Fat].Lbo       = Fat * BytesPerFat + StartingDirtyVbo;
            IoRuns[Fat].Offset    = StartingDirtyVbo - StartingVbo;
            IoRuns[Fat].ByteCount = WriteLength;
        }
        ...
    }
    ...
}

Obviously, when Bpb.Fats is 3 or above, the memory that FsRtlAllocatePoolWithTag() allocates for IoRuns is smaller than the expected size. This would typically cause a crash when IoRuns is next accessed, for example when its entries are initialized in the "for" loop. However, attackers can use it to deliberately overwrite kernel objects, setting the stage for arbitrary code execution.

Triggering the vulnerability

Since any FAT32 file write request with the VirtualVolumeFile file type can reach FatCommonWrite, the key question is how to control Vcb->Bpb.Fats so that the vulnerable condition (Vcb->Bpb.Fats > 2) is met.

In the fastfat implementation, a Vcb (Volume Control Block) record corresponds to every volume mounted by the file system. In FatCommonWrite, Vcb is derived from the FileObject, the in-memory representation of the FAT32 volume partition, just before the vulnerable code.

The Vcb trace-back process is shown in detail below:

Figure 2. Vcb trace back

_USBSTOR is the volume label of the FAT32-formatted USB drive we used for testing.

What is Bpb.Fats?

Usually, the MBR (Master Boot Record) is located in cylinder 0, head 0, sector 1, while the Boot Sector of the first partition of a FAT32 volume is located in cylinder 0, head 1, sector 1.

The first important data structure of a FAT volume is called the BPB (BIOS Parameter Block), which is located in the first sector (Boot Sector) of the volume in the Reserved Region.

Figure 3. BPB in disk format

The definition of the BPB structure can be found in the Microsoft Windows Driver Kit as follows:

typedef struct BIOS_PARAMETER_BLOCK {
    USHORT   BytesPerSector;
    UCHAR    SectorsPerCluster;
    USHORT   ReservedSectors;
    UCHAR    Fats;               // Number of FAT tables, default 2
    USHORT   RootEntries;
    USHORT   Sectors;
    UCHAR    Media;
    USHORT   SectorsPerFat;
    USHORT   SectorsPerTrack;
    ULONG32  HiddenSectors;
    ULONG32  LargeSectors;
    ULONG32  LargeSectorsPerFat;
    union {
        USHORT ExtendedFlags;
        struct {
            ULONG ActiveFat:4;
            ULONG Reserved0:3;
            ULONG MirrorDisabled:1;
            ULONG Reserved1:8;
        };
    };
    USHORT   FsVersion;
    ULONG32  RootDirFirstCluster;
    USHORT   FsInfoSector;
    USHORT   BackupBootSector;
} BIOS_PARAMETER_BLOCK;

How to control Bpb.Fats?

Bpb.Fats is stored at a fixed byte offset in the volume's boot sector, so it can be modified directly with a sector read/write tool.

In this test, we used the FAT32 template of a binary editor to locate the BPB (the BPB_FAT32 structure in Figure 4) and its Fats field (NumberOfFats in Figure 4).

Figure 4. The Fats field in the BPB data structure

Proof of Concept leading to a crash

We made a proof of concept by simply modifying the BPB of a FAT32 USB disk: we changed BPB_FAT32.NumberOfFATs to a number greater than 2 using the sector read/write tool.

A crash soon follows after these steps:

  1. Insert this USB disk into any PC with a vulnerable FASTFAT.SYS version.
  2. Perform any write operation on the disk (e.g. copy a file onto it).

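The size arithmetic from the FatCommonWrite pseudocode and the boot-sector field the proof of concept modifies, as an added example that is not code from the original post. It parses a constructed FAT32 boot sector, reads the number of FATs, and compares the bytes the vulnerable code would allocate with the bytes the for-loop writes; the boot-sector byte offsets are the standard FAT on-disk layout (not shown on the page), and IO_RUN_SIZE is the 0x18 multiplier from the patch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 0x18 bytes per IO_RUN: the multiplier the patched FatCommonWrite applies. */
#define IO_RUN_SIZE 0x18u

/* Standard FAT boot-sector offsets (BPB starts at byte 11 of the sector). */
#define OFF_BYTES_PER_SECTOR    11   /* uint16 little-endian */
#define OFF_SECTORS_PER_CLUSTER 13   /* uint8 */
#define OFF_RESERVED_SECTORS    14   /* uint16 little-endian */
#define OFF_NUM_FATS            16   /* uint8: the field fastfat exposes as Bpb.Fats */
#define OFF_BOOT_SIG            510  /* 0x55 0xAA */

typedef struct {
    uint16_t bytes_per_sector;
    uint8_t  sectors_per_cluster;
    uint16_t reserved_sectors;
    uint8_t  fats;
} bpb_summary;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the BPB fields of interest. Returns 0 on success, -1 if the buffer is
 * shorter than one sector or the boot signature is missing. */
int parse_bpb(const uint8_t *sector, size_t len, bpb_summary *out)
{
    if (len < 512 || sector[OFF_BOOT_SIG] != 0x55 || sector[OFF_BOOT_SIG + 1] != 0xAA)
        return -1;
    out->bytes_per_sector    = rd16(sector + OFF_BYTES_PER_SECTOR);
    out->sectors_per_cluster = sector[OFF_SECTORS_PER_CLUSTER];
    out->reserved_sectors    = rd16(sector + OFF_RESERVED_SECTORS);
    out->fats                = sector[OFF_NUM_FATS];
    return 0;
}

/* Bytes the vulnerable FatCommonWrite requests from the pool: Fats, unscaled. */
size_t iorun_alloc_vulnerable(uint8_t fats) { return fats; }

/* Bytes the for-loop actually writes (and the patched code allocates). */
size_t iorun_bytes_needed(uint8_t fats) { return (size_t)fats * IO_RUN_SIZE; }

/* Bytes written past the under-sized pool allocation; 0 when Fats <= 2,
 * because that path uses the two-entry StackIoRuns array instead. */
size_t iorun_overflow_bytes(uint8_t fats)
{
    return fats <= 2 ? 0 : iorun_bytes_needed(fats) - iorun_alloc_vulnerable(fats);
}

/* Defender-side sanity check: a well-formed FAT volume carries 2 FATs (1 is
 * tolerated). Anything else is malformed and, on unpatched Vista/2003/2008,
 * reaches the under-sized allocation. Returns 1 when the sector looks sane. */
int bpb_fats_is_sane(const uint8_t *sector, size_t len)
{
    bpb_summary b;
    if (parse_bpb(sector, len, &b) != 0) return 0;
    return b.fats == 1 || b.fats == 2;
}

/* Constructed 512-byte boot sector (not captured from a real disk):
 * 512 bytes/sector, 8 sectors/cluster, 32 reserved sectors, NumFATs as given. */
void build_sample_sector(uint8_t *sector, uint8_t fats)
{
    memset(sector, 0, 512);
    sector[0] = 0xEB; sector[1] = 0x58; sector[2] = 0x90;   /* jmp short boot code */
    memcpy(sector + 3, "MSWIN4.1", 8);                        /* OEM name */
    sector[OFF_BYTES_PER_SECTOR] = 0x00; sector[OFF_BYTES_PER_SECTOR + 1] = 0x02;
    sector[OFF_SECTORS_PER_CLUSTER] = 8;
    sector[OFF_RESERVED_SECTORS] = 32; sector[OFF_RESERVED_SECTORS + 1] = 0;
    sector[OFF_NUM_FATS] = fats;
    sector[OFF_BOOT_SIG] = 0x55; sector[OFF_BOOT_SIG + 1] = 0xAA;
}

int main(void)
{
    uint8_t sector[512];
    for (uint8_t fats = 2; fats <= 3; fats++) {
        build_sample_sector(sector, fats);
        printf("NumFATs=%u sane=%d vulnerable_alloc=%zu needed=%zu overflow=%zu\n",
               fats, bpb_fats_is_sane(sector, sizeof sector), iorun_alloc_vulnerable(fats),
               iorun_bytes_needed(fats), iorun_overflow_bytes(fats));
    }
    return 0;
}
```

With NumFATs=3 the vulnerable path requests 3 bytes but the loop writes 72, so the same check on a removable volume's boot sector is a cheap way to flag media that would hit the bug on an unpatched host.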

This vulnerability is present in older versions of Windows – Vista, Server 2003, and Server 2008. Newer versions like Windows 7, Windows 8, Server 2008 R2, and Server 2012 are not affected.

The patch for this vulnerability makes the code on the patched platforms essentially identical to the newer versions. We suppose that the vulnerability was introduced by human error during coding or during a code merge. This suggests that more vulnerabilities or bugs could be found by binary comparison of FASTFAT.SYS between Windows 7 and the other platforms.

Exploits for this vulnerability have not yet been seen publicly. However, the appearance of exploits in the wild cannot be ruled out. Incidents like these highlight the need for improved patch management in enterprises, since even vulnerabilities that do not immediately lead to code execution on affected systems can pose risks, as this analysis shows. In addition, network-based solutions like Deep Discovery can help reduce the risks from certain kinds of vulnerabilities.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro


Posted: 31 Oct 2014 | 12:15 pm

Teacher's ex accused of hacking email, sending nude pics to students

The ex-lover of a Pasadena teacher has been arrested and bailed, accused of breaking into his school email account and using it to send out "sexually explicit" photos of said teacher to students and fellow staff.

Posted: 31 Oct 2014 | 9:05 am

Multi-language support: Not your everyday spam

Early this year we encountered a surge in Fareit spam. Fareit is a downloader used to deliver Zeus and Cryptowall.

Lately, we have been noticing yet another downloader being spammed. The spammer behind this downloader seems to have spent more effort on tricking the user into believing that the email is legitimate.

A recent spam was a fake KLM e-ticket, tailored to appear to come from the Sales & Service Center of Air France KLM.

[Image: klm_eticket_ready]

However, this spammer did not only target English speakers. Recently, we also saw quite a number of its spam sent in Polish.

This email, for example, supposedly comes from dotpay.pl, an online payment service based in Poland.

[Image: dotpay_blurred_ready]

This one, meanwhile, impersonates an ISP that is popular in Poland.

[Image: nowy_kontrakt_listopad_ready]

And just when we thought the spammer’s language skills ended there, it gave us a sample of its Finnish-themed spam.

[Image: lomake_ready]

The grammar seems convincing enough, considering that even the subject and attachment names use the correct Finnish terms. Not only that, the sender domain used, “suomi24.fi”, is one of Finland’s most popular websites.

Obviously, spammers are also doing their research when customizing their messages to produce more effective scams. Not only do they use the language of the target country, but they also make use of email or service providers that are popular there.

The payload of these spam messages is a Trojan downloader known as Wauchos.

Here are its recent filenames:

[Image: attachments_ready]

For the two sample attachments, it confirms internet connection by trying to connect to http://www.google.com/webhp.

It makes the following network connections:


And it downloads these additional trojans from the following:

• http://auto*.it/*/jeve.exe
• http://dd*.ru/old.exe

The Wauchos variants we’ve seen in these emails downloaded either Zbot or Cridex, which are both information stealers.

We detect these families as Trojan-Downloader:W32/Wauchos, Trojan-Spy:W32/Zbot, and Trojan:W32/Cridex.

On 31/10/14 At 04:01 PM

Posted: 31 Oct 2014 | 8:07 am

From Russia with love: Sofacy/Sednit/APT28 is in town

Yesterday, another cyber espionage group with Russian roots made it to the New York Times headlines again courtesy of FireEye and a new report they published.

FireEye did a pretty good job on attribution and giving some technical indicators; however, they neglected to reference previous work on this threat actor from companies like PWC, TrendMicro, ESET and others.

We have been tracking this threat actor (Sofacy) for a few years, since it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern European government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia, which indicates that one of the group's objectives is gathering geopolitical intelligence.

The techniques used by this group have evolved over the years.

- Spearphishing

Most of the Spearphishing campaigns launched by this group involve a malicious Word document exploiting one of the following vulnerabilities:

As described by FireEye and others, this group uses different payloads including a downloader and several second-stage backdoors and implants.

We cover these tools using the following rules with USM:

- Web compromises

The group has been seen infecting websites and redirecting visitors to a custom exploit kit that can take advantage of the following vulnerabilities affecting Internet Explorer:

The following rule detects activity related to this exploit kit:

- Phishing campaigns

This actor uses phishing campaigns to redirect victims to Outlook Web Access (OWA) portals designed to impersonate the legitimate OWA site of the victim's company. This technique is used to compromise credentials and access mailboxes and other services within the company.

Inspecting the content of the malicious redirect we can alert on this activity using the following rule:


[1] http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf
[2] http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-the-red-in-sednit/
[3] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf
[4] http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/
[5] http://malware.prevenity.com/2014/08/malware-info.html
[6] http://www.fireeye.com/resources/pdfs/apt28.pdf


Posted: 28 Oct 2014 | 9:30 pm

A false choice: the Ebola virus or malware?

In September we came across mentions of people in Africa suffering from the Ebola virus, and unusual invitations to a conference of the World Health Organisation (WHO), in the subject lines of so-called "Nigerian" emails. The aim of the conmen was, as usual, to swindle money from trusting recipients who entered into conversation with the authors of the letters.

In October it was the turn of the cybercriminals, who used the tumult around the Ebola virus to send letters containing malware. Once again the WHO was indicated as the sender of the letters, which is unsurprising as this is the organisation that deals with various diseases and epidemics on a worldwide level.

In the text of the letters we detected, the evildoers tried to convince recipients that the WHO had prepared a file with general information and security measures that would help protect users and those around them from the deadly virus and other diseases. Furthermore, the recipient was asked to distribute this information to help the WHO.


To mask the real link, a link-shortening service was used, which ultimately redirected users to a popular cloud storage service. There the criminals had stored the malware program Backdoor.Win32.DarkKomet.dtzn disguised as a document from the WHO. This malware is designed to steal personal data. We note that access to the file was blocked quite quickly by the service administrators and, probably for that reason, the evildoers decided to change their letter. The very next day our traps caught a similar communication supposedly from the WHO, only this time the archive with the same malware program was attached to the letter itself.


Cybercriminals rarely miss a chance to use current events and the names of famous organisations to trick the recipients of their spam. And so, having fallen for the convincing header and failed to pay attention for even a moment, users risk compromising their personal data and surrendering control of their computer to criminals. It is worth remembering that modern anti-virus solutions provide protection but it is only the considered actions of users that can keep their personal data safe.

Posted: 23 Oct 2014 | 6:31 am

Cashing in on Cybersecurity

With the recent news of Wall Street banks requesting a meeting with the U.S. Treasury Department and other government officials to discuss cybersecurity concerns, I reached out to one of the leading information security authorities for her take on the cyber threats that banks currently face. Following is an interview I held with CEO and Founder of Pondera International, Kristen Verderame.

What are the key threats banks face today?

Banks face a number of cybersecurity threats today, now more than ever. Threat actors targeting financial services are getting more and more sophisticated. While malware continues to be the biggest reported threat, attackers are more often using attack vectors only once – rendering monitoring for advanced persistent threat groups more and more difficult. The good news is that the financial services industry is way ahead of the curve in terms of preparedness and the ability to counter such threats. In fact, the financial services sector has led all sectors for some time because their business case has required it.

How can the government(s) help? Why should they?

Governments can help by publicizing best practices for industry to follow, as demonstrated in the NIST Cybersecurity Framework issued earlier this year. Though the Framework is not comprehensive and certainly not a panacea for all cybersecurity vulnerabilities, it provides a useful assessment and summary of best practices and will be a good resource for entities that have not taken action previously. Governments can also help by facilitating trustworthy information sharing and supporting bi-directional sharing (i.e., government-to-industry sharing, not just industry-to-government). Often the government, as a neutral party, is in the best position to facilitate such sharing between industry competitors.

How important is a community approach when it comes to cyber defense?

A community approach is widely recognized as critical for effective cyber defense. The sharing of threat information and best practices between entities has proven the most effective means of combating APTs across industry sectors and across geographical boundaries. Collaboration through information sharing has been recognized by the U.S. Congress as a critical tool against cybersecurity threats – both the House and Senate introduced legislation to promote information sharing across government and industry. President Obama included information sharing as a key component of his Executive Order. Outside the U.S., the European Commission is currently considering cybersecurity legislation that not only encourages information sharing, but requires collaboration across Member States in a variety of other ways.

Are there any precedents for this type of collaboration and will it succeed?

Yes on both counts, in my opinion. One example of collaboration that has proven effective is the “Information Sharing and Analysis Centers” (ISACs), which are comprised of critical infrastructure owners in various sectors. The ISACs provide an information-sharing platform for their members and sometimes also provide risk mitigation, incident response and alerts to members. Some of the ISACs have proven more effective than others. The FS-ISAC has consistently served as a model for other ISACs while the energy sector ISAC is not as robust as many would like, in part because the industry regulator is at the table with industry presenting a potential conflict of interest. Though not perfect, the ISACs provide at their core a facilitative framework used by government and industry for collaboration and cooperation.

Posted: 17 Oct 2014 | 7:00 am

Tools Update

No significant updates, just several enhancements and bug fixes to four tools:

– Added new features to Custom PHP Search/Replace
– Added Convert Word (to decimal) feature
– Enhanced Key Search/Replace input checking (see Data Converter changes)
– Improved Beautify Generic routine
– Updated some labels to provide more clarity
– Fixed PHP decoder toggle
– Fixed Base64 by Delimiter option to handle nulls
– Fixed unescape issue by removing ` replacement
– Fixed Character Frequency array function to remove last item
– Fixed Base64 to Text function to properly handle CRLFs

Data Converter
Thanks to Thijs Bosschert for his suggestions. I still need to look into his additional enhancements without slowing things down but for now:
– Split by single char if key value is text
– Split every two chars if key value is hex
– Remove spaces and commas if input value is hex

– Added --ignore-ssl-errors=true option to PhantomJS call

Thanks for your support!

Posted: 5 Oct 2014 | 12:16 pm

ShellShock payload sample Linux.Bashlet

Someone kindly shared their sample of the shellshock malware described by the Malware Must die group - you can read their analysis here:
MMD-0027-2014 - Linux ELF bash 0day (shellshock): The fun has only just begun...


Download. Email me if you need the password

File Information

File: fu4k_2485040231A35B7A465361FAF92A512D
Size: 152
MD5: 2485040231A35B7A465361FAF92A512D


SHA256: e74b2ed6b8b005d6c2eea4c761a2565cde9aab81d5005ed86f45ebf5089add81
File name: trzA114.tmp
Detection ratio: 22 / 55
Analysis date: 2014-10-02 05:12:29 UTC
Antivirus Result Update
Ad-Aware Linux.Backdoor.H 20141002
Avast ELF:Shellshock-A [Expl] 20141002
Avira Linux/Small.152.A 20141002
BitDefender Linux.Backdoor.H 20141002
DrWeb Linux.BackDoor.Shellshock.2 20141002
ESET-NOD32 Linux/Agent.AB 20141002
Emsisoft Linux.Backdoor.H (B) 20141002
F-Secure Linux.Backdoor.H 20141001
Fortinet Linux/Small.CU!tr 20141002
GData Linux.Backdoor.H 20141002
Ikarus Backdoor.Linux.Small 20141002
K7AntiVirus Trojan ( 0001140e1 ) 20141001
K7GW Trojan ( 0001140e1 ) 20141001
Kaspersky Backdoor.Linux.Small.cu 20141001
MicroWorld-eScan Linux.Backdoor.H 20141002
Qihoo-360 Trojan.Generic 20141002
Sophos Linux/Bdoor-BGG 20141002
Symantec Linux.Bashlet 20141002
Tencent Win32.Trojan.Gen.Vdat 20141002
TrendMicro ELF_BASHLET.A 20141002
TrendMicro-HouseCall ELF_BASHLET.A 20141002
nProtect Linux.Backdoor.H 20141001

Posted: 2 Oct 2014 | 5:12 am

A More Realistic Perspective on Cybersecurity from the Director of the NSA

A few days ago Admiral Mike Rogers, director of the NSA and Commander of U.S. Cyber Command, gave a keynote address at the Billington Cybersecurity Summit. His message was strong and clear: CYBER-RESILIENCY. He discussed the impractical reactions that are typical after cyber intrusions today. After an attack, a network may temporarily shut down and operations cease, in government and private sector organizations alike. Both the Admiral and we here at Cyber Engineering Services believe this is an unnecessary and damaging response.

The goal of network security should be to monitor traffic and be ready to fight as quickly as possible in the face of an attack, while keeping the network and productivity online. In his speech the Admiral emphasized something that the experts at Cyber Engineering Services were forced to acknowledge long ago: cyber intrusions will happen no matter what defenses are in place. As fast as the good guys develop technology to stop them, cyber criminals develop new weapons to get into networks.

Accepting this can be a hard pill for companies to swallow, as it is natural to want to put an end to all intrusions and data loss. However, accepting the problem doesn’t change its nature; it allows for the development of more realistic strategies. As the Admiral puts it, “This is not a small problem. It’s not going away. Technology will not catch up. This is foundational to the future. I need your help.” Basically, the director of the NSA is explaining that the government alone is not going to conquer this problem; the private sector needs to step up to the plate and get realistic and proactive.

At Cyber Engineering Services we are very excited to see key individuals in the cybersecurity war spreading accurate and motivating information. Our whole strategy at Cyber Engineering Services is based on a deep understanding of these realities. We have designed a system and a team of experts that is ready to watch, respond, and stem damage at a moment’s notice. We are ready to do our part in the Cyber-Resiliency revolution by helping companies monitor their network traffic and respond in a way that stops the damage while keeping the company running and production as smooth as possible.

If you’d like to read more of the Admiral’s message, see the link below to a summary written by Mike Donohue.

NSA Rodgers Urges Cyber-Resiliency

Posted: 19 Sep 2014 | 2:46 pm