As a Security Analyst I spend a significant amount of time working in tools like Burp Suite. On any given project I need to keep track of a large number of requests, responses, and various scan results. Conveniently, I can store all this in a single state file to keep for future referral. I also use a number of external scripts that have important output, but that ends up in a spread of text files that I have to keep track of. With that in mind, and the revamp of the Burp Extender API, I have decided to create an extension to make organization a bit easier.
The Burp Notes Extension adds a tab to the interface where I can create and manage text documents and spreadsheets. From the main tab a user can create new documents, load previously saved data, and save any currently open documents. I've also added the ability to import and export documents so that they can be easily reused for each project. One of the apparent limitations of the API is that it does not provide integration with Burp’s state functionality; all documents within the Notes tab are saved and loaded externally to the state file. I have taken care, however, to make sure that users are prompted to save before anything closes to make sure data isn’t lost. State integration is on the top of my list once that functionality becomes available.
The Trustwave SpiderLabs team frequently responds to e-commerce data breaches. The number of website breaches we are working on continues to rise. There are a handful of reasons for this rise.
There will be ten bulletins released by Microsoft next Tuesday, and one of those should be for the recent Internet Explorer zero-day discovered earlier this week. Bulletin 2 should cover the remote code execution of the IE 8 0day, while Bulletin 1 will also cover RCE in IE 6 through 10. We suspect Bulletin 1 will fix the issue discovered during the PWN2OWN competition at CanSecWest earlier this year.
Bulletins 3, 4, and 10 are in Windows itself, including .NET. They are rated Important and cover Denial of Service, Spoofing, and Elevation of Privilege vulnerabilities.
Bulletins 5, 6, and 7 are all rated Important, and all three result in remote code execution in parts of Microsoft Office: specifically Communicator and Lync, Publisher, and Word, in that order.
Bulletin 9 is also rated Important and results in Information Disclosure in Windows Essentials. Don't confuse it with Security Essentials: Windows Essentials is a free software pack for Windows 7 that includes Mail, Movie Maker, Messenger, and other useful apps that Microsoft gives away.
Over the past few months, a number of malware families targeting Point of Sale (POS) systems have been discussed. First there was Dexter (Seculert / SpiderLabs), then there was its big brother vSkimmer, and more recently there was Dump Memory Grabber / BlackPOS. One of the most interesting threads of commonality between these samples is the command and control (C&C) structure used between them. Utilizing a C&C communication channel for data exfiltration, while previously rare, has become more and more common in POS malware. I'd like to use this blog post to discuss another similar sample that I recently got the chance to look at, named Alina. We've seen Alina on a number of active forensic cases in the past few months, which is how I was originally made aware of this malware family.
Alina is not completely unknown in the reversing community. Xylitol has a nice writeup on a slightly older version, which you can find here. While an excellent read, I'd like to use this opportunity to dig into the mechanics of the malware further. There are a number of versions of the Alina malware family. For this post, I'm going to focus on version 4.0, which looks to have been created on February 7th based on the PE timestamp information. I have some newer versions, but I'm going to hold off talking about those until my next blog post, where I will discuss the evolution of this malware family and the changes made between revisions. So without further ado, let's dig in.
While many workers around the world were celebrating the May 1st events, the US Department of Labor website got hacked and was used to redirect browsers to a third-party site which served a new IE 8 0day exploit, known as CVE-2013-1347. Microsoft already released an advisory about it last Friday.
Apparently, the attackers collected technical statistics on the victims' browser plugins BEFORE serving them with the IE exploit, for example whether plug-ins from their antivirus product, from Fiddler Proxy, or from TamperData are installed. That information is then sent to the aforementioned third-party site.
According to a tweet from one of Metasploit's exploit developers, a module for this CVE will be released soon. Therefore an increase in exploit attempts against this CVE is quite likely.
And now the good news: Trustwave SWG Server (versions 10.1 and higher) blocks this attack out-of-the-box using its generic protection engines, without any further update, thus maintaining its good record of blocking recent 0-day attacks.
The latest update to the TrustKeeper Scan Engine is now available. It adds coverage for more than a dozen vulnerabilities, including several recent vulnerabilities in Cisco and Oracle products. Newly covered vulnerabilities also include recent ones in Microsoft Active Directory (including ADAM and AD LDS as well as the usual AD) and MySQL.