SpiderLabs Anterior

20 May 2013

Machine Learning Update 1

It has been almost exactly a month since my last post regarding the new project I am working on, so I figure it is time for an update. First off, I was excited and encouraged with the responses I received via Twitter after my initial posting. One response in particular mentioned the related work that @silviocesare is doing with the SimSeer project as well as a book he co-authored “Software Similarity and Classification”. Both appear to be excellent resources and I plan to check them both out in more detail as time allows.

It seems as if the stars were in alignment because just after I announced the project, a little birdy (@spookerlabs) let me know that a free Machine Learning course from Stanford University was being presented through Coursera . Did I mention that it is free? I signed up for it and we are about four weeks through the 10-week course. I have to say that I am pretty impressed with how the course is laid out and presented. We wasted no time jumping right into the math, but that shouldn’t really be of any surprise to anyone. The course mainly applies Linear Algebra, but an understanding of at least first year Calculus is a definite bonus. For example, here is a slide from the first week of the class covering the application of a Linear Regression Model and the Gradient Descent Algorithm, which would be used to help predict something like house pricing based on known square footage: Formula1

Continue reading "Machine Learning Update 1" »

Posted by Ryan Merritt on 20 May 2013 at 11:16 in Big Data, Malware, Security Research | Permalink | Comments (0)

17 May 2013

SpiderLabs Radio May 17, 2013 w/ Space Rogue

This weeks episode of SpiderLabs Radio hosted by Space Rogue is brought to you by Trustwave's Threat Intelligence Service and covers Topiray, Viral, TFlow, Kayla go to jail, DHS selling 0-days, OSX Malware, SkyNews, Colin was here, OpPetrol, Onity locks still getting owned, java renumbering, Taiwan and Philippines equals Cyberwar!, General Keith at Blackhat and a lot more!

Listen to SpiderLabs radio in iTunes.

Or you can download the MP3 file directly here.

Or listen right from your browser with this embedded player.

Posted by Space Rogue on 17 May 2013 at 16:14 in SpiderLabs Radio | Permalink | Comments (0)

Alina: Following The Shadow Part 1

Last I spoke with you, I went into the details of a family of Point of Sale (POS) malware, named 'Alina'. At the time, I chose to talk about version 4.0, mainly because I felt it gave a good representation of the entire family itself. In the course of my research, I've been able to acquire 12 distinct versions. As you may recall from the last blog post, Alina is versioned in the User-Agent field for all HTTP-based communication. For example, the User-Agent last time around was "Alina v4.0". Knowing this, I plan on talking about the evolution of this malware today, going from version 0.1 up to 5.5. Just for reference, I have the following versions at this time:

0.1, 1.0, 2.0, 2.1, 3.1, 3.2, 3.3, 3.4, 3.5, 4.0, 5.2, 5.3, 5.5

I'm going to break up this post into a few different sections, and talk about how the malware family has evolved over time with respect to various categories. As I started writing this, it became apparent that it wouldn’t fit into one blog post. As such, I’ve split it up into different parts. For this blog post I’m going to focus on the creation timeline, exfiltration, and C&C.

Continue reading "Alina: Following The Shadow Part 1" »

Posted by Josh Grunzweig on 17 May 2013 at 13:01 in Malware | Permalink | Comments (0)

15 May 2013

TrustKeeper Scan Engine Update - May 15, 2013

The latest update to the TrustKeeper Scan Engine is now available. It adds coverage for more than two dozen vulnerabilities, including several recent Ruby on Rails vulnerabilities. It also greatly expands our vulnerability coverage for Moodle CMS, with 20 new vulnerability tests. Additionally, with official support from Microsoft for Windows XP ending in less than a year, we have added an informational notice for detected Windows XP systems, reminding customers that support (and security fixes) will be ending soon.

Continue reading "TrustKeeper Scan Engine Update - May 15, 2013" »

Posted by woodbusy on 15 May 2013 at 16:30 in TrustKeeper Scan Engine | Permalink | Comments (0)

The White "X"

Over the many years I’ve spent training various local, state, federal and law enforcement organizations on forensics methodologies, one story always sticks out in my mind as I prepare for courses. As I get organized for the upcoming Computer Forensics & Incident Response for Investigators course on July 27^th – 30^that BlackHat USA in Las Vegas or hear about another breach in the news, I’m reminded of the following story once again.

A certain engineer retired from his job of 37 years at a very productive factory of a very well-known company. Prior to his departure, he trained three young college graduates with engineering degrees on the ins-and-outs of the factory. Because the retiring engineer did not have a college degree his replacements quickly discounted his admonitions as the ramblings of an "old man".

Continue reading "The White "X"" »

Posted by Chris Pogue on 15 May 2013 at 08:05 in Conferences, DFIR, Incident Response, Training | Permalink | Comments (0)

Analysis of Malicious Document Files Spammed by Cutwail

In our Global Security Report, we highlighted a zero day vulnerability in the Windows Common Controls affecting Microsoft Office (CVE-2012-0158). This was reportedly being used for targeted attacked against NGOs and human rights activist.

Over the past week, the Cutwail botnet has been sending out spam containing malicious documents of the aforementioned vulnerability, CVE-2012-0158. The use of a loaded RTF attachment is a departure from normal for Cutwail, usually it distributes executable attachments or links to exploit kits.

The spam claims to be from Citibank or Bank of America. The spam may use the “Merchant Statement” as a subject line and has an accompanying .DOC file attached.

Spam Campaign Samples

Continue reading "Analysis of Malicious Document Files Spammed by Cutwail" »

Posted by Rodel Mendrez on 15 May 2013 at 08:04 in Global Security Report, Malware, Phishing, Spam | Permalink | Comments (0)

14 May 2013

TWSL2013-002: Multiple XSS Vulnerabilities in The Bug Genie

Trustwave SpiderLabs has published a new security advisory for multiple Cross-Site Scripting (XSS) vulnerabilities in The Bug Genie, an open source issue tracking and project management PHP application. The findings include both reflective and persistent XSS vulnerabilities in input parameters that can be exploited via authenticated POST requests. The Bug Genie team was contacted earlier this year regarding the security issues, and made an attempt to address them in their 3.2.5 release. Due to incomplete fixes in the 3.2.5 version, affected users are advised to upgrade to the latest stable 3.2.6 release.

Continue reading "TWSL2013-002: Multiple XSS Vulnerabilities in The Bug Genie" »

Posted by James Espinosa on 14 May 2013 at 15:38 in Advisories, Application Security | Permalink | Comments (0)

Microsoft Patch Tuesday, May 2013

I keep hoping for an easy relaxing Patch Tuesday of say, only two or three bulletins but so far this year things haven’t been so easy. So far this year we have Patch Tuesdays of seven, ten and seven bulletins, respectfully, and this month we have ten. (hmm, is there a pattern there?) Not only that we have a zero-day vulnerability in Internet Explorer to deal with. I long for months like September 2012 when there were but two bulletins but I should feel lucky that its not December 2010 or April 2011 when we had no less than seventeen bulletins. I’ll take the ten and be happy.

This month there are only two critical patches, both covering remote code execution, both in Internet Explorer. The rest are all rated as Important and can be found in Windows, Lync, Publisher and Word. Bulletin Nine is in Windows Essentials, which is a product we haven’t seen much of here on Patch Tuesday.

Continue reading "Microsoft Patch Tuesday, May 2013" »

Posted by Space Rogue on 14 May 2013 at 12:54 in MAPP | Permalink | Comments (0)

13 May 2013

Securing Continuous Integration Services

Summary

Over the last couple weeks, I’ve had the distinct privilege to share some of my research surrounding continuous integration security. The presentation was dubbed “Attacking Cloud Services w/ Source Code” and was presented at both SOURCE Boston 2013 and THOTCON 0x4, where I discussed a bunch of fun things like:

Why I love Continuous Integration (CI) Services (especially hosted solutions)
My perspectives as an open-source developer (some happy, some sad)
What things could be possible if malicious code was fed to CI services
A project I’m working on, called RottenApple, to help make things better

In this blog post I hope to capture some of the meat of the presentation for those who could not attend and use this opportunity to announce the first public release of RottenApple.

Continue reading "Securing Continuous Integration Services" »

Posted by claudijd on 13 May 2013 at 10:20 in Cloud, Open Source, Tools | Permalink | Comments (0)

10 May 2013

SpiderLabs Radio May 10, 2013 w/ Space Rogue

This weeks episode of SpiderLabs Radio hosted by Space Rogue is brought to you by Trustwave's Threat Intelligence Service and covers IE 0-day hits Labour, Syrian Electronic Army hits E! Online and The Onion, Guccifer returns, $40 Million cyber heist, OpUSA becomes OpDud, BX1 extradited, name.com, John Dvorak. media sites hit, I'm a Slutty Moron, Evernote and China? and a lot more!