Home   Blog   Twitter   Database  

GitHub to Pythonistas: Let us save you from vulnerable code

Third language added to security scanner

GitHub's added Python to the list of programming languages it can auto-scan for known vulnerabilities.…

Posted: 16 Jul 2018 | 12:30 am

What Drives a Ransomware Criminal? CoinVault Developers Convicted in Dutch Court

How often do we get a chance to learn what goes on in the minds of cybercriminals? Two members of McAfee’s Advanced Threat Research team recently did, as they attended a court case against two cybercriminal brothers.

The brothers, Dennis and Melvin, faced a judge in Rotterdam, in the Netherlands. This case was one of the first in the world in which ransomware developers appeared in court and were convicted for creating and spreading ransomware.

They were responsible for creating the ransomware families CoinVault and BitCryptor. CoinVault, the better known of the two, made its appearance in late 2014. The technically skilled programmers had examined the source code of CryptoLocker, the notorious ransomware family that first struck in 2013. The brothers were not very impressed and agreed that they could do a better job. What might have started out as a fun technical challenge turned into a criminal business.

The CoinVault and BitCryptor campaigns were not as widespread as CTB-Locker, CryptoWall, or Locky ransomware campaigns. Nor did they profit as much from it, but this case is nevertheless uncommon. It is rare that the developers of ransomware are caught, let alone confess their crimes. This case gives us an opportunity to understand what drove them down a path to cybercrime.

The challenge

Why would someone write malicious code and infect thousands of people? The judge asked the brothers the same question. Their response was “Because it was a technical challenge.” “But didn’t you realize you were dealing with people?” the judge responded. Both brothers answered that they did not; they were dealing with computers and never met their victims face to face.

The judge and prosecutor did not accept their explanation. CoinVault had a built-in helpdesk function to directly communicate with their victims, thus registering their pleas. The brothers standard reaction was merciless: “Just pay the money; otherwise we won’t decrypt.” According to the prosecutor, they had plenty of opportunities to see the consequences of their actions but choose to ignore them for money.

At the trial they said they were sorry and tearfully regretted what they had done. But were these mere crocodile tears because they got caught? During CoinVault’s lifespan, several versions of the ransomware were released. Every new version was a reaction to blogs written by security researchers and takedowns performed by law enforcement. Instead of realizing that they were making a mistake and stopping, the brothers saw it as a challenge, a digital game of cat and mouse, and constantly improved their malicious code.

Their continuing to improve the ransomware shows a lack of empathy with their victims. Was there no one in their social surroundings who could straighten their moral compasses and talk sense into them?

The payment

A ransomware criminal must decide the amount of ransom to charge. Generally the more targeted a ransomware attack is, the higher the ransom demand will be. CoinVault’s infections were not targeted at one organization; they charged only US$250. The two brothers explained that they chose that price to be low enough for an average person to pay while still making a good profit. The prosecutor remarked ironically that they were “very noble [to keep] their ransom demand affordable.”

The infection

The two brothers did not directly infect their victims with ransomware; they took a multistep approach. Their distribution method was via newsgroup channels. They hooked a small piece of malicious code to known software or license-key generators before posting the software packages on the newsgroups. Once victims installed the package or ran the key generator, they would become part of a botnet through the software the brothers named Comhost, which can record keystrokes, search for credentials, and steal Bitcoin wallets. Comhost can also upload and execute binaries received from the control server they named Sonar. (We believe Sonar is modified a version of the popular Solar botnet software.)

The Sonar botnet panel.

Once they had accumulated enough bots, they simply pushed CoinVault to all their victims and locked thousands of computers at once. This method made it hard for victims to figure out how they were attacked, because weeks could pass between the initial infection and the encryption. By spreading their ransomware via newsgroups with pirated software, they discouraged victims from going to the police out of fear of prosecution and copyright-violation fines.

The CoinVault lock screen.

The arrest

In April 2015, The National High Tech Crime Unit of the Dutch Police seized the control servers for CoinVault. After the police investigated, the two brothers, aged 18 and 22 at the time, were arrested in Amersfoort, Netherlands, on September 14, 2015. Systems were infected not only in the Netherlands, but also in the United States, Germany, France, and the United Kingdom. Their mistakes? Using flawless Dutch in the ransom notes and one time they did not use a Tor connection to log in into their control server, instead using their home connection.

Flawless Dutch in the ransomware code.

Although they used an obfuscator tool (Confuser) for their code, in some of the samples the full name of one of the authors was present, because they did not clean up the debugging path.

Example:

 c:\Users\**********\Desktop\Coinvault\coinvault-cleaned\obj\Debug\coinvault.pdb

From grabbing keys to No More Ransom

During the investigation the Dutch police obtained all the decryption keys for CoinVault and partnered with the private sector to build a decryption tool for CoinVault ransomware, successfully mitigating a large portion of the damage caused by CoinVault. This effort idea gave birth to No More Ransom, an online portal supported by the public and private sector with the largest repository on the planet of free ransomware decryption tools. No More Ransom now has decryptors for 85 ransomware versions. This global initiative has prevented millions of dollars from falling into the hands of cybercriminals. McAfee is proud to be one of the founding members of No More Ransom.

Nomoreransom.org

The next steps

Extorting people with ransomware is wrong, and perpetrators must be held accountable. It is sad to see two talented young people choose a pathway to cybercrime and waste their skills—skills sorely needed in the cybersecurity sector. We hope they will have learned a lesson as they endure the consequences of their actions. The sentencing will take place in about two weeks. Perhaps after they serve their time, they will find someone willing to give them a second chance.

The post What Drives a Ransomware Criminal? CoinVault Developers Convicted in Dutch Court appeared first on McAfee Blogs.

Posted: 13 Jul 2018 | 3:52 pm

VPNFilter-affected Devices Still Riddled with 19 Vulnerabilities

by Tony Yang and Peter Lee (Consumer Yamato Team)

Our IoT Smart Checker allows users to identify if connected devices (e.g. routers, network attached storage devices, IP cameras, and printers) in a given network are vulnerable to security risks and vulnerabilities, such as those related to Mirai, Reaper, and WannaCry.

IoT Smart Checker gathers data from the Trend Micro™ Home Network Security solution and HouseCall™ for Home Networks scanner. HouseCall for Home Networks is a free tool that features device recognition and vulnerability scanning in users’ networks and connected devices. Home Network Security is a solution plugged into users’ routers that protects connected devices from potential cyberattacks. Currently, IoT Smart Checker supports multiple operating systems, including Linux, Mac, Windows, Android, iOS, and other software development kit (SDK) platforms.

This blog tackles the recently ill-famed VPNFilter malware and if deployed devices are vulnerable to it and other vulnerabilities. VPNFilter is a newly discovered, multi-stage malware (detected by Trend Micro as ELF_VPNFILT.A, ELF_VPNFILT.B, ELF_VPNFILT.C, and ELF_VPNFILT.D) that affects many models of connected devices. Initially reported at the tail end of May to have infected at least 500,000 networking devices across 54 countries, including those from Linksys, MikroTik, Netgear, and TP-Link, to steal website credentials and even render devices unusable, the malware is now seen targeting more devices to deliver exploits and even override reboots. The Federal Bureau of Investigation (FBI) has even released a public service announcement (PSA), warning that it is the work of foreign threat actors looking to compromise networked devices worldwide.

Different brands and models affected by VPNFilter and more

VPNFilter is known to affect over ten brands and 70 models of devices. IoT Smart Checker can identify other publicly known vulnerabilities targeting the devices as listed below:

Manufacturer Model Device Type
Asus RT-AC66U, RT-N10, RT-N10E,
RT-N10U, RT-N56U, and RT-N66U
Routers
D-Link DES-1210-08P
DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, and DSR-1000N
Ethernet switch
Routers
Huawei HG8245 Router
Linksys E1200, E2500, E3000 E3200, E4200, RV082, and WRVS4400N Routers
MikroTik CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011,
RB Groove, RB Omnitik, and STX5
Routers
Netgear DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, and UTM50 Routers
QNAP TS251, TS439 Pro, and other QNAP NAS devices running QTS software NAS devices
TP-Link R600VPN, TL-WR741ND,
and TL-WR841N
Routers
Ubiquiti NSM2 and PBE M5 Wireless access points
ZTE ZXHN H108N Router

Table 1. Some of the known affected devices by VPNFilter

Based on our data from June 1 to July 12, plenty of the devices are still using old firmware versions. In fact, 19 known vulnerabilities, not only taken advantage of by VPNFilter but other malware as well, can still be detected in devices up to this day.

At the time of our scanning, we observed that 34 percent of home networks had at least one device with a known vulnerability. We found that 9 percent of vulnerable devices are potentially affected by VPNFilter.

Device Vulnerabilities Vulnerable Devices/Services
Authentication Bypass Vulnerability CVE-2015-7261 QNAP FTP Service
Reaper Remote Code Execution CVE-2011-4723 D-Link DIR-300
Remote Code Execution CVE-2014-9583 ASUS RT-AC66U, RT-N66U
Reaper OS Command Injection CVE-2013-2678 Linksys E2500
Buffer Overflow Vulnerability
CVE-2013-0229
Vulnerable UPnP Service (e.g. Netgear/TP-Link/D-Link)
Stack Overflow Vulnerability
CVE-2013-0230
Vulnerable UPnP Service (e.g. Netgear/TP-Link/D-Link)
Remote Code Execution CVE-2017-6361 QNAP QTS before 4.2.4 Build 20170313
Router JSONP Info Leak CVE-2017-8877 ASUS RT-AC* and RT-N*
Router Password Disclosure CVE-2017-5521 Netgear R6400, R7000, R8000
Stack Overflow Vulnerability
CVE-2012-5958
Vulnerable UPnP Service (e.g. Netgear/TP-Link/D-Link)
Stack Overflow Vulnerability
CVE-2012-5959
Vulnerable UPnP Service (e.g. Netgear/TP-Link/D-Link)
Reaper Router Remote Code Execution D-Link DIR-300
Router Password Disclosure Netgear WNR2000
Remote Code Execution CVE-2016-6277 Netgear R6400, R7000
Router Session Stealing CVE-2017-6549 ASUS RT-N66U
OS Command Injection CVE-2013-2679 Linksys E4200
Authentication Bypass Vulnerability Netgear WNR1000
Router Password Disclosure Netgear WNR1000
Unauthenticated Router Access Vulnerability TP-Link TL-WR841N

Table 2. 19 vulnerability detections on VPNFilter-affected devices

As expected, the 19 vulnerabilities primarily affect routers. Interestingly, the Authentication Bypass Vulnerability CVE-2015-7261, an FTP (File Transfer Protocol) flaw in the QNAP NAS firmware, mostly affects printers based on our detection. While determining the possible reason behind this, we found that many of the detected printers’ FTP could connect to the network without any authentication. In some cases, this may be the printer’s default configuration, but it still poses a potential security risk if the FTP is set as open on the internet.

Figure 1. A Shodan result of an FTP connection to a printer without authentication

Figure 1. A Shodan result of an FTP connection to a printer without authentication

The other vulnerabilities detected, such as the Buffer Overflow CVE-2013-0229 and Stack Overflow CVE-2013-0230, can allow attackers to cause a denial-of-service (DoS) and execute arbitrary code in systems, respectively. Vulnerable UPnP Services detected, moreover, aren’t exclusively associated with Netgear/TP-Link/D-Link devices, as other brands could also have the same vulnerability. In that case, we can expect more detections.

Protecting devices and networks against VPNFilter malware and other vulnerabilities

The threat of VPNFilter malware is augmented by the fact that other publicly known vulnerabilities were detected in the affected devices. Since not all device manufacturers provide immediate fixes for discovered vulnerabilities and not all users regularly apply patches, users should first secure the way they set up their devices and networks. Trend Micro™ Home Network Security solution can check internet traffic between the router and all connected devices. Our IoT Smart Checker tool has been integrated into the Home Network Security solution and HouseCall™ for Home Networks scanner. Enterprises can also monitor all ports and network protocols for advanced threats and thwart targeted attacks with the Trend Micro™ Deep Discovery™ Inspector network appliance.

Aside from adopting security solutions that can protect networks and connected devices from the vulnerabilities through the identification and assessment of potential risks, we recommend standard security measures, such as:

Users of the Trend Micro Home Network Security solution are also protected from particular vulnerabilities via these rules:

The post VPNFilter-affected Devices Still Riddled with 19 Vulnerabilities appeared first on .

Posted: 13 Jul 2018 | 5:02 am

Sextortion scam knows your password, but don’t fall for it

The scam emails claim to have compromising video of you, and back it up by showing you one of your passwords.

Posted: 13 Jul 2018 | 4:48 am

Coinvault, the court case

Today, after almost 3 years of waiting, it was finally the day of the trial. In the Netherlands, where the whole case took place, the hearings are open to the public. Meaning anyone who is interested can visit. And it was quite busy. Because besides the suspects, their lawyers, the judges and the prosecutor there were also several members of the press, a sketch artist (to make a drawing of the suspects), several members of the Dutch police, a few victims and other people who were interested in the case.

The defence started by calling the public prosecution service “niet ontvankelijk” for one of the defendants, meaning they are not allowed to prosecute the case. As a reason there was given that one of the defendants was underage during some of the actions. However, all three of the judges also do cases concerning underaged defendants and after a quick consultation with each other they decided to continue.

The hearing was resumed with what the two brothers were accused of:

  1. Breaking into computers;
  2. Make other people’s work inaccessible;
  3. Extortion of 1295 people.

For us it was quite interesting to understand how they came up with the number of 1295 people, because when we released our final decryption tool we had at least 14k keys. So most likely much more people were infected. In fact, we think a zero could be added to 1295 to give a more realistic view on the number of victims.

The judge then went on with was basically a summary of the case. What happened, why did they do certain things etc. We as researchers often guess about motives behind actions, but we can never be 100% certain until there is a confession of the criminal. One of such an example is the amount of ransom to pay. During the time this all took place the brothers wanted 1 bitcoin as a ransom, which was worth about 220 euro at the time. We always say that we believe ransomware criminals choose a relatively small amount to make it more attractive to pay. When the judge asked the same question they gave exactly this answer. Always good to see your theories being confirmed 🙂

Some other interesting facts were that the case file was too big to fit in a moving box, they made around 20k euro (10k each), they didn’t stop with making ransomware because of the technical challenges, they accepted the risk of C2 seizure and they didn’t really see the influence their actions had on the victims. One of the judges then asked how this was possible, because they had a helpdesk where victims could e-mail to in case they had problems. All their “helpdesk” replies were that the victims just had to pay. The answers they gave to the judge weren’t very convincing.

The suspects mentioned though they started the helpdesk because their malware had some implementation mistakes (files were encrypted twice for example). A consequence of this is that even today, despite releasing our decryption tool which has all the keys, some victims were not able to recover all of their files. There was even one victim who mentioned that he just deleted all of his files because he didn’t believe a decryption tool would come available.

Another thing that we as Kaspersky Lab kept from the public, is that in our initial blogpost about Coinvault we had a screenshot with one of the suspect’s first name in the pdb path. When we worked with the police on this case they kindly asked us to remove that screenshot (which we did), so that the suspects didn’t realize they made a mistake. During the court case they mentioned that they read the blogpost and saw their name and they were on the edge of stopping their campaign, but ultimately decided not to.

It then continued with claims by victims who paid money to get their files back. One of the victims was interested in Bitcoin and decided to pay the ransom. However, he already had some bitcoins on his computer, which were stolen by the suspects (the software supported this functionality) and now he wanted his bitcoin back :). One other victim had his own company and this took place while he was on vacation. He wanted 5000 euro because the suspects ruined his vacation and with the 5000 euro he could go on vacation again.

Now it was time for the prosecutor: twelve months of jail time will all but three suspended. Effectively this comes down to three months – the time they already did * ⅔ = about two months of jail. The lawyers then requested (since they made a full confession, wanted to help the victims getting their files back, etc) many hours of community service. One of the reasons not request jail time was because: “Bitcryptor is not malware”. But BitCryptor was the follow up of Coinvault, different name for the same software. Nobody really understood the quote, except for the lawyer, since it was obvious malware and made some victims.

In two weeks, on the 26th of July at 13:00 CET we know the outcome.

Lessons learned? Cyber crime doesn’t pay off, and if you become a victim of cyber crime and especially ransomware, keep your files and file a case at the police. And of course visit Safety 101 page to see if there is a tool available to help you get your files back.

Posted: 12 Jul 2018 | 11:00 am

Reflow JavaScript Backdoor

A script was left behind on a compromised machine. This led to the discovery of a Windows backdoor written in JavaScript and the C&C backend scripts. Unfortunately I can’t post too much details because the victim’s organization name is present in the files.

The backdoor script is less than 2KB and the only indication of its presence on a compromised PC is a running process called “wscript.exe”, which is a legitimate Windows program. The main part of the script contains an endless do-loop awaiting commands after passing the query string “reflow” to the C&C else it sleeps for 4 hours.

The callback to the C&C looks like this:

I wanted to find out more so I searched for code snippets in various search engines and VirusTotal but that led me nowhere. I turned to Recorded Future and found exactly what I was looking for. In case you don’t know Recorded Future helps to enrich your raw data with useful contextualized and correlated threat intelligence. What I like best is its ability to find things that search engines can’t because it’s been removed from paste sites or posted to a private forum, as examples.

The results I got show three hits to matching files that were deleted back in December 2017. The cached data and link back to the original source helped me recover a compressed file with the C&C package.

There are four main scripts (3 PHP and 1 JavaScript files) in the package that are copied to a web server. The web server may be attacker-controlled or compromised by some means. The main script, index.php, contains an SVG animation that looks like this when a visitor happens to visit the page.

This script shows that when “reflow” is passed to the page, contents of a malicious JavaScript file (renamed as a PNG file) is sent to the victim PC and eval’d by the backdoor script. The malicious script uses WMI to obtain the system Information then sends that info back as part of its authentication method.

Here you can see the malicious script running an endless loop waiting for commands such as upload, download, and execute.

The “mAuth” function generates short random strings, concatenates them along with the system info and passes that to the C&C in a cookie after Base64-encoding it. These random strings are important as they are used as markers to identify instructions contained between them.

Data is transmitted back to the C&C using AJAX. There’s a function called “FillHeader” that populates the HTTP header.

Again, this is what the HTTP request looks like when the victim PC checks in:

Performing a Base64-decode on the cookie value results in the 2nd line. Repeating the Base64-decode on the string after the second caret reveals the system info.

One of the PHP scripts appears to be a template which is modified with HTML code to make the page look legitimate (e.g. it contain parts of an organization’s actual webpage). The script is renamed and referenced by the index.php script. This script has all the functions responsible for uploading and downloading files as well as creating activity logs. Among the log files are victim’s IP addresses, what files have been uploaded and downloaded, session information, etc.

The “Authentication” function reads in the cookie value from victims and parses out the system info, and defines variables used to create the log filenames. The victim’s username and computer name are MD5-hashed and used as part of the log filenames. When a victim PC connects to the C&C, three files are created on the C&C server:

The last PHP script in their package is used to interact with and send commands to the victim PCs. Note the timezone and interesting login method.

The available commands are quite limited but is more than enough to upload additional, more powerful tools to the victim PC and gain further access into their network. And finally, if the attackers sense they are about to be discovered, they can delete all the important log files with another set of commands built into this script.

I don’t have any attribution information on these scripts but it doesn’t seem to be related to your-typical-crime-gang. It appears that this campaign is still ongoing as other files show updated timestamps.

Posted: 30 Mar 2018 | 1:12 pm

Rootkit Umbreon / Umreon - x86, ARM samples



Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems
Research: Trend Micro


There are two packages
one is 'found in the wild' full and a set of hashes from Trend Micro (all but one file are already in the full package)






Download

Download Email me if you need the password  



File information

Part one (full package)

#File NameHash ValueFile Size (on Disk)Duplicate?
1.umbreon-ascii0B880E0F447CD5B6A8D295EFE40AFA376085 bytes (5.94 KiB)
2autoroot1C5FAEEC3D8C50FAC589CD0ADD0765C7281 bytes (281 bytes)
3CHANGELOGA1502129706BA19667F128B44D19DC3C11 bytes (11 bytes)
4cli.shC846143BDA087783B3DC6C244C2707DC5682 bytes (5.55 KiB)
5hideportsD41D8CD98F00B204E9800998ECF8427E0 bytes ( bytes)Yes, of file promptlog
6install.sh9DE30162E7A8F0279E19C2C30280FFF85634 bytes (5.5 KiB)
7Makefile0F5B1E70ADC867DD3A22CA62644007E5797 bytes (797 bytes)
8portchecker006D162A0D0AA294C85214963A3D3145113 bytes (113 bytes)
9promptlogD41D8CD98F00B204E9800998ECF8427E0 bytes ( bytes)
10readlink.c42FC7D7E2F9147AB3C18B0C4316AD3D81357 bytes (1.33 KiB)
11ReadMe.txtB7172B364BF5FB8B5C30FF528F6C51252244 bytes (2.19 KiB)
12setup694FFF4D2623CA7BB8270F5124493F37332 bytes (332 bytes)
13spytty.sh0AB776FA8A0FBED2EF26C9933C32E97C1011 bytes (1011 bytes)Yes, of file spytty.sh
14umbreon.c91706EF9717176DBB59A0F77FE95241C1007 bytes (1007 bytes)
15access.c7C0A86A27B322E63C3C29121788998B8713 bytes (713 bytes)
16audit.cA2B2812C80C93C9375BFB0D7BFCEFD5B1434 bytes (1.4 KiB)
17chown.cFF9B679C7AB3F57CFBBB852A13A350B22870 bytes (2.8 KiB)
18config.h980DEE60956A916AFC9D2997043D4887967 bytes (967 bytes)
19config.h.dist980DEE60956A916AFC9D2997043D4887967 bytes (967 bytes)Yes, of file config.h
20dirs.c46B20CC7DA2BDB9ECE65E36A4F987ABC3639 bytes (3.55 KiB)
21dlsym.c796DA079CC7E4BD7F6293136604DC07B4088 bytes (3.99 KiB)
22exec.c1935ED453FB83A0A538224AFAAC71B214033 bytes (3.94 KiB)
23getpath.h588603EF387EB617668B00EAFDAEA393183 bytes (183 bytes)
24getprocname.hF5781A9E267ED849FD4D2F5F3DFB8077805 bytes (805 bytes)
25includes.hF4797AE4B2D5B3B252E0456020F58E59629 bytes (629 bytes)
26kill.cC4BD132FC2FFBC84EA5103ABE6DC023D555 bytes (555 bytes)
27links.c898D73E1AC14DE657316F084AADA58A02274 bytes (2.22 KiB)
28local-door.c76FC3E9E2758BAF48E1E9B442DB98BF8501 bytes (501 bytes)
29lpcap.hEA6822B23FE02041BE506ED1A182E5CB1690 bytes (1.65 KiB)
30maps.c9BCD90BEA8D9F9F6270CF2017F9974E21100 bytes (1.07 KiB)
31misc.h1F9FCC5D84633931CDD77B32DB1D50D02728 bytes (2.66 KiB)
32netstat.c00CF3F7E7EA92E7A954282021DD72DC41113 bytes (1.09 KiB)
33open.cF7EE88A523AD2477FF8EC17C9DCD7C028594 bytes (8.39 KiB)
34pam.c7A947FDC0264947B2D293E1F4D69684A2010 bytes (1.96 KiB)
35pam_private.h2C60F925842CEB42FFD639E7C763C7B012480 bytes (12.19 KiB)
36pam_vprompt.c017FB0F736A0BC65431A25E1A9D393FE3826 bytes (3.74 KiB)
37passwd.cA0D183BBE86D05E3782B5B24E2C964132364 bytes (2.31 KiB)
38pcap.cFF911CA192B111BD0D9368AFACA03C461295 bytes (1.26 KiB)
39procstat.c7B14E97649CD767C256D4CD6E4F8D452398 bytes (398 bytes)
40procstatus.c72ED74C03F4FAB0C1B801687BE200F063303 bytes (3.23 KiB)
41readwrite.cC068ED372DEAF8E87D0133EAC0A274A82710 bytes (2.65 KiB)
42rename.cC36BE9C01FEADE2EF4D5EA03BD2B3C05535 bytes (535 bytes)
43setgid.c5C023259F2C244193BDA394E2C0B8313667 bytes (667 bytes)
44sha256.h003D805D919B4EC621B800C6C239BAE0545 bytes (545 bytes)
45socket.c348AEF06AFA259BFC4E943715DB5A00B579 bytes (579 bytes)
46stat.cE510EE1F78BD349E02F47A7EB001B0E37627 bytes (7.45 KiB)
47syslog.c7CD3273E09A6C08451DD598A0F18B5701497 bytes (1.46 KiB)
48umbreon.hF76CAC6D564DEACFC6319FA167375BA54316 bytes (4.21 KiB)
49unhide-funcs.c1A9F62B04319DA84EF71A1B091434C644729 bytes (4.62 KiB)
50cryptpass.py2EA92D6EC59D85474ED7A91C8518E7EC192 bytes (192 bytes)
51environment.sh70F467FE218E128258D7356B7CE328F11086 bytes (1.06 KiB)
52espeon-connect.shA574C885C450FCA048E79AD6937FED2E247 bytes (247 bytes)
53espeon-shell9EEF7E7E3C1BEE2F8591A088244BE0CB2167 bytes (2.12 KiB)
54espeon.c499FF5CF81C2624B0C3B0B7E9C6D980D14899 bytes (14.55 KiB)
55listen.sh69DA525AEA227BE9E4B8D59ACFF4D717209 bytes (209 bytes)
56spytty.sh0AB776FA8A0FBED2EF26C9933C32E97C1011 bytes (1011 bytes)
57ssh-hidden.shAE54F343FE974302F0D31776B72D0987127 bytes (127 bytes)
58unfuck.c457B6E90C7FA42A7C46D464FBF1D68E2384 bytes (384 bytes)
59unhide-self.pyB982597CEB7274617F286CA80864F499986 bytes (986 bytes)
60listen.shF5BD197F34E3D0BD8EA28B182CCE7270233 bytes (233 bytes)

part 2 (those listed in the Trend Micro article)
#File NameHash ValueFile Size (on Disk)
1015a84eb1d18beb310e7aeeceab8b84776078935c45924b3a10aa884a93e28acA47E38464754289C0F4A55ED7BB556489375 bytes (9.16 KiB)
20751cf716ea9bc18e78eb2a82cc9ea0cac73d70a7a74c91740c95312c8a9d53aF9BA2429EAE5471ACDE820102C5B81597512 bytes (7.34 KiB)
30a4d5ffb1407d409a55f1aed5c5286d4f31fe17bc99eabff64aa1498c5482a5f0AB776FA8A0FBED2EF26C9933C32E97C1011 bytes (1011 bytes)
40ce8c09bb6ce433fb8b388c369d7491953cf9bb5426a7bee752150118616d8ffB982597CEB7274617F286CA80864F499986 bytes (986 bytes)
5122417853c1eb1868e429cacc499ef75cfc018b87da87b1f61bff53e9b8e86709EEF7E7E3C1BEE2F8591A088244BE0CB2167 bytes (2.12 KiB)
6409c90ecd56e9abcb9f290063ec7783ecbe125c321af3f8ba5dcbde6e15ac64aB4746BB5E697F23A5842ABCAED36C9146149 bytes (6 KiB)
74fc4b5dab105e03f03ba3ec301bab9e2d37f17a431dee7f2e5a8dfadcca4c234D0D97899131C29B3EC9AE89A6D49A23E65160 bytes (63.63 KiB)
88752d16e32a611763eee97da6528734751153ac1699c4693c84b6e9e4fb08784E7E82D29DFB1FC484ED277C70218781855564 bytes (54.26 KiB)
9991179b6ba7d4aeabdf463118e4a2984276401368f4ab842ad8a5b8b730885222B1863ACDC0068ED5D50590CF792DF057664 bytes (7.48 KiB)
10a378b85f8f41de164832d27ebf7006370c1fb8eda23bb09a3586ed29b5dbdddfA977F68C59040E40A822C384D1CEDEB6176 bytes (176 bytes)
11aa24deb830a2b1aa694e580c5efb24f979d6c5d861b56354a6acb1ad0cf9809bDF320ED7EE6CCF9F979AEFE451877FFC26 bytes (26 bytes)
12acfb014304b6f2cff00c668a9a2a3a9cbb6f24db6d074a8914dd69b43afa452584D552B5D22E40BDA23E6587B1BC532D6852 bytes (6.69 KiB)
13c80d19f6f3372f4cc6e75ae1af54e8727b54b51aaf2794fedd3a1aa463140480087DD79515D37F7ADA78FF5793A42B7B11184 bytes (10.92 KiB)
14e9bce46584acbf59a779d1565687964991d7033d63c06bddabcfc4375c5f1853BBEB18C0C3E038747C78FCAB3E0444E371940 bytes (70.25 KiB)

Posted: 20 Mar 2018 | 6:29 am

Equifax breach could be most costly in corporate history

NEW YORK/TORONTO (Reuters) – Equifax Inc (EFX.N) said it expects costs related to its massive 2017 data breach to surge by $275 million this year, suggesting the incident at the credit reporting bureau could turn out to be the most costly hack in corporate history.

The projection, which was disclosed on a Friday morning earnings conference call, is on top of $164 million in pretax costs posted in the second half of 2017. That brings expected breach-related costs through the end of this year to $439 million, some $125 million of which Equifax said will be covered by insurance.

“It looks like this will be the most expensive data breach in history,” said Larry Ponemon, chairman of Ponemon Institute, a research group that tracks costs of cyber attacks.

Total costs of the breach, which compromised sensitive data of some 247 million consumers, could be“well over $600 million,” after including costs to resolve government investigations into the incident and civil lawsuits against the firm, he said.

The post Equifax breach could be most costly in corporate history appeared first on CyberESI.

Posted: 2 Mar 2018 | 11:37 am

Freedome VPN For Mac OS X

Take a look at this:

F-Secure Freedome Mac OS X

F-Secure Freedome for OS X (freshly installed on a Labs Mac Team MacBook).

Mac_Team_Test_Machines

The beta is now open for everyone to try for 60 days at no cost.

Download or share.

On 24/04/15 At 12:37 PM

Posted: 24 Apr 2015 | 1:37 am