IE users get new protection against potent form of malware attack

Microsoft developers have fortified Internet Explorer with new protections designed to prevent a type of attack commonly used to surreptitiously install malware on end-user computers.

The "isolated heap for DOM objects" made its debut with last week's Patch Tuesday. Just as airbags lower the chance of critical injuries in automobile accidents, the new IE protection is designed to significantly lessen the damage attackers can do when exploiting so-called use-after-free flaws in the browser code. As the name suggests, use-after-free bugs are the result of code errors that reference computer memory objects after they have already been purged, or freed, from the operating system heap. Attackers can exploit them by refilling the improperly freed space with malicious code that logs passwords, makes computers part of a botnet, or carries out other nefarious behavior.

Use-after-free flaws are among the most commonly exploited, often at great expense to end users. Recent in-the-wild attacks that targeted IE versions 9, 10, and 11 capitalized on a use-after-free bug. The bug class has been at the heart of many other real-world attacks on IE that are too numerous to count. (They have also been known to bring down Google Chrome and Mozilla Firefox.) Wei Chen, an exploit developer with Rapid7's Metasploit vulnerability framework, likens use-after-free exploits to sneaking tainted cookies into an already-opened bag of Oreos.
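The mechanism the article describes, reduced to a model you can run. This is an added example, not Microsoft's code and not the real IE allocator: a tiny slot allocator that reuses freed slots LIFO stands in for the process heap, and a second instance of it stands in for the isolated DOM heap. The object kinds and payloads are constructed for the illustration.

```python
# Model of why an isolated heap blunts use-after-free reuse (added example;
# a simplified allocator, not Microsoft's implementation).
from dataclasses import dataclass, field


@dataclass
class SlotHeap:
    """Fixed-size slot allocator; freed slots are handed out again LIFO,
    which is the reuse behaviour a use-after-free exploit relies on."""
    name: str
    free_slots: list = field(default_factory=list)   # most recently freed last
    next_slot: int = 0
    contents: dict = field(default_factory=dict)     # slot index -> live payload

    def alloc(self, payload):
        """Return an 'address' (heap name, slot); prefer the last freed slot."""
        slot = self.free_slots.pop() if self.free_slots else self._grow()
        self.contents[slot] = payload
        return (self.name, slot)

    def _grow(self):
        slot = self.next_slot
        self.next_slot += 1
        return slot

    def free(self, addr):
        """Release the slot; any reference still holding addr is now dangling."""
        self.contents.pop(addr[1], None)
        self.free_slots.append(addr[1])

    def read(self, addr):
        """Dereference: a dangling reference sees whatever occupies the slot now."""
        return self.contents.get(addr[1])


def simulate(isolated):
    """Model the sequence the article describes: a DOM object is freed while a
    reference to it survives, then a same-size untrusted allocation lands.
    Returns (does the stale reference alias the new allocation?, what it now reads)."""
    general = SlotHeap("process-heap")
    dom_heap = SlotHeap("dom-heap") if isolated else general

    node = dom_heap.alloc({"kind": "dom-object", "vtable": "CElement"})
    stale = node                  # the bug: a reference kept after the free
    dom_heap.free(node)

    # Attacker-influenced content (e.g. a string) of the same size is allocated
    # from the general-purpose heap. Constructed sample data.
    filler = general.alloc({"kind": "string", "data": "untrusted bytes"})

    return stale == filler, dom_heap.read(stale)


if __name__ == "__main__":
    print("shared heap:  ", simulate(False))
    print("isolated heap:", simulate(True))
```

With a single shared heap the stale reference lands on the attacker's string (the "tainted cookie in the open bag"); with DOM objects carved from their own heap, general-purpose allocations can never occupy the freed DOM slot, so the dangling reference reads nothing useful. The bug is still there, which is why the article calls the isolated heap an airbag rather than a fix.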


A Glance Into the Neutrino Botnet

Lately, we have seen a number of communications through our automated framework from the Neutrino botnet. While analyzing this botnet, we found that it has a number of anti-debugging, anti-virtual machine, and sandbox-detection techniques that we have seen before. The botnet looks to be at an early stage, based on factors such as no obfuscation/packer used in the botnet binary, a couple of hardcoded strings, and old anti-analysis techniques. The most interesting part of the botnet is the deliberate “404 Not Found” response from its control server that contains base64-encoded malicious commands. The botnet supports malicious commands such as distributed denial-of-service attacks, keylogger, download and execute, etc. You can learn more about the Neutrino botnet at this site hosted by Kafeine.

The botnet binary we analyzed is written in Visual C++ and uses no packer or obfuscation techniques. The binary immediately calls a function that will check if the binary is being debugged or run under any virtual machine. If the malware finds any of these, it terminates. Here are the checks implemented in the binary:

[Screenshot: anti-debugging, anti-virtual-machine and sandbox checks in the binary]

Once bypassed, the binary creates a mutex under the name n3nmtx, which is hardcoded in the binary. Then the malware performs a series of operations by calling different functions as below:

[Screenshot: the sequence of functions the binary calls]

The binary gathers system information as we see above, retrieves hardcoded control server URLs, and then checks if the control server responds by sending a GET request, shown below:

[Screenshot: GET request used to check that the control server responds]

As shown above, a few things are hardcoded in the malware, and we can easily look into the strings of this binary. The binary creates a directory under %APPDATA% and copies itself into that directory with different system filenames. It next adds a registry entry under Software\Microsoft\Windows\CurrentVersion\Run. The collected system information is then sent to its control server, as we see below:

[Screenshot: control server response carrying the "404 Not Found" page]

The “404 Not Found” response is sent by the server to hide another malicious command, which is hidden inside the comment section of the HTML response. The hidden command, which starts with NCMD, is base64 encoded. When we convert the base64 response, it turns into:

“1400833546611328#keylogger Western#1399621409275851#rate 1#”

The command tells the botnet binary to start a keylogger on the infected system. The keylogger functions retrieve clipboard data and write it to the file _clipbrd.txt in a LOGS directory under %APPDATA%, which the binary creates in the following format:

[Screenshot: _clipbrd.txt written under %APPDATA%\LOGS]

The botnet then informs its control server about the task it executed in the POST request shown below:

[Screenshot: POST request reporting the executed task]

The control server sends additional commands to the infected system, which executes them. The strings in the binary list every command this botnet supports. Here is the list:

[Screenshot: list of commands supported by the bot]

The hardcoded strings and plain communication over the network make this botnet easily detectable. McAfee customers are already protected from this threat.
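A detection-side parser for the control-channel trick described above: a "404 Not Found" page whose HTML comment carries an NCMD-prefixed, base64-encoded command string. This is an added example, not McAfee's tooling. The sample response is constructed from the decoded string quoted above; the article only states that the command sits in an HTML comment, starts with NCMD and is base64, so the exact byte layout around NCMD and the pairing of numeric task ids with the field that follows them are assumptions.

```python
# Parser for the Neutrino-style "404 with hidden NCMD command" response
# (added example; framing of the sample body is assumed, not taken from samples).
import base64
import binascii
import re

# Plaintext recovered in the analysis above; used here only to build the sample.
PAGE_DECODED = "1400833546611328#keylogger Western#1399621409275851#rate 1#"

# Constructed response: the real page layout around the comment is unknown.
SAMPLE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<h1>Not Found</h1>\n"
    "<!-- NCMD" + base64.b64encode(PAGE_DECODED.encode()).decode() + " -->\n"
    "</body></html>\n"
)

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Assumed: NCMD immediately followed (optionally after ':' / whitespace) by base64.
NCMD_RE = re.compile(r"NCMD\s*:?\s*([A-Za-z0-9+/=]+)")


def split_response(raw):
    """Separate the status line from the HTML body of a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    return status_line, body


def extract_ncmd(body):
    """Return decoded NCMD payloads found in HTML comments; skip invalid base64."""
    found = []
    for comment in COMMENT_RE.findall(body):
        for blob in NCMD_RE.findall(comment):
            try:
                raw = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                continue          # not real base64: ordinary comment text
            found.append(raw.decode("utf-8", "replace"))
    return found


def parse_commands(decoded):
    """Split the '#'-delimited payload into (task_id, command) pairs.
    Pairing a numeric id with the next field is an assumption drawn from the
    single decoded sample in the article."""
    fields = [f for f in decoded.split("#") if f]
    pairs, i = [], 0
    while i < len(fields):
        if fields[i].isdigit() and i + 1 < len(fields):
            pairs.append((fields[i], fields[i + 1]))
            i += 2
        else:
            pairs.append((None, fields[i]))
            i += 1
    return pairs


def analyze(raw):
    """Produce one alert record per command hidden in the response."""
    status, body = split_response(raw)
    hits = []
    for decoded in extract_ncmd(body):
        for task_id, command in parse_commands(decoded):
            hits.append({
                "status": status,
                "task_id": task_id,
                "verb": command.split()[0],
                "command": command,
            })
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_RESPONSE):
        print(hit)
```

Running this over the sample yields two records, a "keylogger" task and a "rate" task, each tagged with the status line so a proxy or IDS rule can key on the combination of a 404 status and a base64 blob inside a comment, which a legitimate error page has no reason to carry.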


Poorly anonymized logs reveal NYC cab drivers’ detailed whereabouts

In the latest gaffe to demonstrate the privacy perils of anonymized data, New York City officials have inadvertently revealed the detailed comings and goings of individual taxi drivers over more than 173 million trips.

City officials released the data in response to a public records request and specifically obscured the drivers' hack license numbers and medallion numbers. Rather than including those numbers in plaintext, the 20 gigabyte file contained one-way cryptographic hashes using the MD5 algorithm. Instead of a record showing medallion number 9Y99 or hack number 5296319, for example, those numbers were converted to 71b9c3f3ee5efb81ca05e9b90c91c88f and 98c2b1aeb8d40ff826c6f1580a600853, respectively. Because they're one-way hashes, they can't be mathematically converted back into their original values. Presumably, officials used the hashes to preserve the privacy of individual drivers since the records provide a detailed view of their locations and work performance over an extended period of time.

It turns out there's a significant flaw in the approach. Because both the medallion and hack numbers follow predictable patterns, it was trivial to run every possible value through the same MD5 algorithm and then compare the output to the data contained in the 20GB file. Software developer Vijay Pandurangan did just that, and in less than two hours he had completely de-anonymized all 173 million entries.
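The flaw, and the keyed alternative that would have closed it, carried through in code. This is an added example, not the city's pipeline or Pandurangan's program. The medallion pattern used here (a digit, one of three letters, two digits; 3,000 candidates) is constructed so the enumeration runs instantly; real medallion and hack-number formats are different but, as the article says, equally enumerable. The `article_example_matches` helper recomputes the 9Y99 hash so you can compare it with the value quoted above.

```python
# Unkeyed hash over a small identifier space vs. a keyed pseudonym
# (added example; medallion format is constructed, not NYC's real format).
import hashlib
import hmac
import itertools
import secrets


def md5_hex(value):
    """The transformation the released file used: plain MD5 of the identifier."""
    return hashlib.md5(value.encode()).hexdigest()


def medallion_candidates(letters="XYZ", digits="0123456789"):
    """Enumerate the constructed pattern <digit><letter><digit><digit>."""
    for d1, letter, d2, d3 in itertools.product(digits, letters, digits, digits):
        yield f"{d1}{letter}{d2}{d3}"


def build_lookup(candidates):
    """Map MD5 digest -> plaintext for every candidate: the whole 'attack'
    is one pass over the keyspace, because the hash has no secret."""
    return {md5_hex(c): c for c in candidates}


def deanonymize(hashed_records, table):
    """Recover plaintext for each published hash, or None if not in the table."""
    return [table.get(h) for h in hashed_records]


def pseudonymize(value, key):
    """Keyed alternative: HMAC-SHA256 under a secret the publisher never
    releases. Without the key, enumerating the pattern yields nothing."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def article_example_matches():
    """Does MD5('9Y99') equal the digest quoted in the article?"""
    return md5_hex("9Y99") == "71b9c3f3ee5efb81ca05e9b90c91c88f"


def demo():
    table = build_lookup(medallion_candidates())
    # Constructed 'published' records for two medallions, hashed as the city did.
    published_md5 = [md5_hex("9Y99"), md5_hex("3Z07")]
    # The same records as keyed pseudonyms; the key stays with the publisher.
    key = secrets.token_bytes(32)
    published_keyed = [pseudonymize(m, key) for m in ("9Y99", "3Z07")]
    return {
        "table_size": len(table),
        "recovered": deanonymize(published_md5, table),
        "recovered_keyed": deanonymize(published_keyed, table),
    }


if __name__ == "__main__":
    print(demo())
    print("article 9Y99 hash matches:", article_example_matches())
```

The keyed version still gives each driver a stable pseudonym, so trips can be linked within the dataset, but an outsider cannot rebuild the table; a per-record random token would go further and break linkage entirely, which is the right choice when linkage itself is not needed.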
