Wednesday, June 27, 2012

McAfee Reveals Details of Global Financial Fraud Ring - Operation High Roller

This fraud empire, dubbed Operation High Roller, has reached banking systems worldwide and comprises at least a dozen groups that use active and passive automated transfer systems to steal high-value transactions from high-balance accounts. The Operation High Roller attacks have impacted thousands across every class of financial institution (credit unions, regional banks and large global banks), using smaller and less detectable automated transactions. (PRWIRE)

Thursday, June 21, 2012

Syrian Activists Targeted with BlackShades Spy Software

Thursday, June 14, 2012

Comsec detects security bug in one of Check Point's main security products

Comsec Consulting has detected a security bug in Check Point's Endpoint Connect.  

‘Endpoint Connect’ unifies the protection of the user end-station under a single security management console. The product can be found in use across all sectors.

According to Moshe Ishai, CEO of Comsec Consulting, "the discovery was of a vulnerability, which could lead (if abused) to gaining control over any workstation the product is installed on. This vulnerability provides the attacker with potential to perform malicious activities, ranging from sniffing for information, to causing actual damage."

Moshe Ishai further added that, "Check Point is considered one of the leading security product companies on the market, offering high quality security solutions. It is possible to discover bugs in any products (software or hardware), and Check Point should be credited, as they immediately took all efforts to offer their customers an immediate fix. Check Point ensured a rapid remediation, which makes the product even more resilient than before."

The bug was discovered by Comsec several weeks ago but was kept confidential and reported only to the product manufacturer. Since then, Check Point has worked vigorously to release an improved version that includes a fix for the risk identified by Comsec.

The affected product versions are E75, E80.20, E80.30 and R73; customers who update their product to the fixed version will not be exposed to the aforementioned vulnerability.

The Hot Fix for the bug can be downloaded from Check Point's website.

Wednesday, June 13, 2012

Actively exploited attack on Internet Explorer

An Internet Explorer issue that is being actively exploited in the wild, discovered by the Google Security team and the Qihoo 360 Antivirus team, received a last-minute critical update on this Patch Thursday.
Sample exploit code exists online, although I haven't tested any yet.

Sunday, June 3, 2012

News Brief: Flame Worm

On Monday, 28.5.12, a new worm, known as Flame and Skywiper, was discovered to be prevalent in the Middle East. This is the first document by Comsec Consulting describing the capabilities of the newly discovered worm, as well as ways to check whether it has infected your environment.

Initial Findings

The worm gathers data from the computer using several methods:

  a. Key logging: recording keystrokes.
  b. Taking screenshots.
  c. Activating the microphone and recording audio.
  d. Gathering information from documents and images on the computer.

The worm spreads itself via several infection vectors:

  1. Using existing exploits (MS10-061 and MS10-041).
  2. Using user credentials to attack other computers.
  3. Spreading through removable media devices (such as USB).
  4. There is also an unverified assumption that the worm uses 0-day exploits.

Identifying the Worm

1. Registry: the worm uses the LSA Authentication Packages mechanism for start-up. As a result, the value mssecmgr is added to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages

2. Files: the worm uses several files, and the existence of any of them may indicate the presence of the worm. The file extension could be either .ocx or .sys:

  • %windir%\system32\mssecmgr.ocx
  • %windir%\system32\advnetcfg.ocx
  • %windir%\system32\ccalc32.sys
  • %windir%\system32\msglu32.ocx
  • %windir%\system32\nteps32.ocx
  • %windir%\system32\boot32drv.sys
  • %windir%\system32\soapr32.ocx

3. Network: the worm communicates with Command and Control servers on the web. At this time there is no published address or domain list. However, if there has been a request to one of the following URL paths, wp-content/rss.php or cgi-bin/counter.cgi, one can conclude that an infection is present. Please note that the absence of this pattern is not evidence that the worm is absent from your network.

  • Use the host indicators described above (registry value, files and URL pattern) to locate infected machines on the network.
  • Update all computers in the network with Microsoft patches, in particular MS10-061 and MS10-046, which close known ways for the worm to spread itself.
  • Should you identify the worm on your network, it is recommended to initiate your organisation's internal procedure to identify, isolate and mitigate the threat, and to assess the damage.
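As an added example (not part of the original brief), the following PowerShell script checks a Windows host for the three indicator classes listed above: the mssecmgr entry in the LSA Authentication Packages value, the dropped files under %windir%\system32, and the two C2 URL paths in a web-proxy log. The proxy-log path is an assumed placeholder, and the script is expected to be run from an elevated prompt.

```powershell
# Added example: check a host for the Flame indicators given in the brief.
# Assumptions: run as administrator; $ProxyLog is a hypothetical path to a
# web-proxy log whose lines contain the requested URL (adjust to your environment).
param(
    [string]$ProxyLog = 'C:\Logs\proxy.log'   # hypothetical placeholder path
)

$findings = @()

# 1. Registry: 'Authentication Packages' is a REG_MULTI_SZ; the worm adds mssecmgr to it.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Authentication Packages').'Authentication Packages'
foreach ($pkg in $packages) {
    if ($pkg -match 'mssecmgr') {
        $findings += "Registry: Authentication Packages contains '$pkg'"
    }
}

# 2. Files: the components named in the brief, checked with both extensions mentioned.
$names = 'mssecmgr', 'advnetcfg', 'ccalc32', 'msglu32', 'nteps32', 'boot32drv', 'soapr32'
foreach ($name in $names) {
    foreach ($ext in 'ocx', 'sys') {
        $path = Join-Path $env:windir "system32\${name}.${ext}"
        if (Test-Path -LiteralPath $path) {
            $findings += "File: $path"
        }
    }
}

# 3. Network: the two C2 URL paths from the brief, searched in the proxy log if present.
if (Test-Path -LiteralPath $ProxyLog) {
    $hits = Select-String -LiteralPath $ProxyLog -Pattern 'wp-content/rss\.php', 'cgi-bin/counter\.cgi'
    foreach ($hit in $hits) {
        $findings += "Proxy log line $($hit.LineNumber): $($hit.Line.Trim())"
    }
}

# Report. As the brief notes, no hits does not prove the host is clean.
if ($findings.Count -eq 0) {
    Write-Output 'No Flame indicators from the brief were found (absence is not proof of a clean host).'
} else {
    Write-Output 'Possible Flame indicators:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```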

Sources: Symantec, CrySys Lab