Just last week I faced the job of removing malware from a Windows 7 64-bit HP laptop and getting the computer back to a usable condition. It was only 6 months old, and the owner complained that she could not do anything on the internet because the computer kept shutting itself off. She even talked about being ready to send it back to HP. I asked her if she had antivirus and kept it up to date, and she said she had installed AVG about a week after she brought the laptop home, and that it often updated itself while she was trying to use the computer.

The first thing I did when I received the laptop was simply attempt to go online with each of the browsers. The computer had only 19 GB used out of 750, yet it had about 12 toolbars, and it rebooted 5 minutes after I started trying to browse the web. I immediately installed Malwarebytes and started a scan while I proceeded to remove each of the toolbars, and I installed CCleaner so I would be able to clean the cache, cookies, and temporary files. Malwarebytes found 30 malicious items in the first 5 minutes of the scan.

I started looking at the AVG logs and settings to see why AVG had let this happen to the computer. I thought that maybe AVG was not turned on or had not run a scan in a while. However, I noticed that AVG was set to scan every day at 5 pm, and it had indeed run 20 times in the last month but had not found any malware. I checked the logs and found that the only things AVG had reported were files related to Microsoft .NET Framework 3.0 and 3.5 SP1 (which it labeled as a probable rootkit).
Malwarebytes finished its scan, finding 45 malicious items (7 tracking cookies and 38 malicious trojans and toolbars). Next I ran an AVG scan (just to see if it would find any of these same items before I removed them with Malwarebytes). I updated AVG's signatures, and then AVG scanned the entire system in about 15 minutes and found nothing yet again. At this point I had found an ASCII-to-UTF converter with a Chinese logo and an instance of LogMeIn Rescue hidden in the temporary files folders. I called the woman and asked if she had ever had anyone try to help her by remotely logging in to her computer, and she said no, never. I realized that one of those toolbars she had installed had likely been a trojan, with an Asian hacker on the other end who had been remotely running commands on her computer. I used the netstat utility but did not see any current activity. At this point I had to do some proprietary investigation and forensics in order to prevent this hacker from ever accessing the computer again. I completed this in an hour or two and ran a ComboFix scan.
Okay, I then decided that either this AVG install was corrupted or that AVG is no longer an effective player in the antivirus industry. Well, I did not have time to investigate further, as I needed to have this computer back to new condition by tomorrow. I removed all of the items found by Malwarebytes, then restarted and deleted all the system restore points. I checked each of the browsers (Firefox, IE, and Chrome) for any leftover debris, and I rebooted the system. I next typed "MRT" in the search box, which ran the Microsoft Malicious Software Removal Tool, but it did not find anything. I then ran a portable BitDefender scan on the entire system, as well as an online scan by ESET. The system was coming up clean. I completely removed all remnants of AVG except for the AVG Secure Search bar (because utilizing AVG Secure Search couldn't hurt the owner).
Next, I installed Microsoft Security Essentials and set Malwarebytes' real-time protection to off. MSE's real-time protection will hopefully be good enough to protect the owner in the near future. I ran a full system scan, which came up clean, and used Revo Uninstaller to uninstall any leftover programs that the owner did not need. I then went ahead and tweaked all of the browsers' settings, configured her firewall, and updated her Adobe Reader, Flash Player, and Java (which apparently had come installed on the laptop when she bought it). I used Secunia PSI to notify me of updates available for all installed programs. Then I went online and tried to perform some everyday tasks to verify that the computer was back to a usable condition. Note: I documented all of my work, and I handed over the documentation to the owner when I gave back the computer. In the end, the laptop was back to its out-of-box experience (OOBE), and the owner was very appreciative.
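The point in the story where netstat showed no activity is where a practitioner wants something repeatable rather than a glance at a console. The following Python script is an added example, not the author's code or any vendor's tool: it parses saved `netstat -ano` and `tasklist` output from a Windows host, maps every established connection to the process that owns it, and flags sessions to routable Internet addresses from any process outside a small baseline. The two sample outputs, the PIDs and addresses in them, the image name LMIRescue.exe standing in for a remote-support agent, and the baseline list are all constructed assumptions, not captures from the laptop described above.

```python
"""Network triage over saved `netstat -ano` and `tasklist` output from a
Windows host. Added example for this post, not the author's code; the sample
outputs below are constructed, not captured from the laptop described."""
import ipaddress
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")

# Constructed `netstat -ano` output. Hypothetical PID 3120 stands in for a
# remote-support agent holding an outbound TLS session; 2244 is a browser.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       728
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.23:49201     192.168.1.1:53         TIME_WAIT       0
  TCP    192.168.1.23:49388     203.0.113.45:443       ESTABLISHED     3120
  TCP    192.168.1.23:49402     198.51.100.7:80        ESTABLISHED     2244
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     1560
  UDP    0.0.0.0:5355           *:*                                    1020
"""

# Constructed `tasklist` output, used only for the PID -> image name mapping.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0         48 K
svchost.exe                    728 Services                   0      6,412 K
LMIRescue.exe                 3120 Console                    1     18,220 K
chrome.exe                    2244 Console                    1    102,336 K
AVGIDSAgent.exe               1560 Services                   0     10,004 K
"""

# Ranges that never identify a remote party on the Internet. Listed explicitly
# instead of using ipaddress.is_private, so the RFC 5737 documentation
# addresses used in the constructed sample count as external.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8")]

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S+)\s+(\d+)\s+[\d,]+ K\s*$")

def parse_netstat(text):
    """One Conn per connection line; banner, header and blank lines are skipped.
    UDP rows have no state column, so state is '' for them."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns

def parse_tasklist(text):
    """Return {pid: image_name} from `tasklist` output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs

def split_host_port(addr):
    """'1.2.3.4:443' -> ('1.2.3.4', '443'); '[::1]:135' -> ('::1', '135'); '*:*' -> ('*', '*')."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port

def is_external(host):
    """True only for a literal IP address outside the non-routable ranges above."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:            # '*' and hostnames are not addresses
        return False
    return not any(addr in net for net in NON_ROUTABLE)

def external_connections(conns):
    """ESTABLISHED sessions whose foreign address is routable on the Internet."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and is_external(split_host_port(c.remote)[0])]

KNOWN_OK = frozenset({"chrome.exe", "firefox.exe", "iexplore.exe"})  # constructed baseline

def flag_unknown(conns, procs, known_ok=KNOWN_OK):
    """(pid, image, remote) for each external session owned by a process not in the baseline."""
    flagged = []
    for c in external_connections(conns):
        image = procs.get(c.pid, "<unknown>")
        if image.lower() not in known_ok:
            flagged.append((c.pid, image, c.remote))
    return flagged

if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    procs = parse_tasklist(TASKLIST_SAMPLE)
    for pid, image, remote in flag_unknown(conns, procs):
        print(f"PID {pid} ({image}) -> {remote}")
```

On a real host, capture `netstat -ano > net.txt` and `tasklist > tasks.txt` from an elevated prompt and feed the file contents to the two parsers instead of the samples. The caveat the story itself illustrates: an agent that is idle, or that only polls periodically, shows nothing in a single netstat snapshot, so a clean result here says nothing about persistence. Run keys, scheduled tasks and services still have to be checked before declaring the machine clean.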
Here's the home page for Lawrence Livermore National Laboratory, host of the world's fastest supercomputer, Sequoia.
“Sequoia is expected to be one of the most powerful supercomputers in the world, equivalent to the 6.7 billion people on earth using hand calculators and working together on a calculation 24 hours per day, 365 days a year, for 320 years…to do what Sequoia will do in one hour.”
“Sequoia will be focused on strengthening the foundations of predictive simulation through running very large suites of complex simulations called uncertainty quantification (UQ) studies. In addition, it will be used for weapons science calculations necessary to build more accurate physical models. This work is a cornerstone of NNSA’s Stockpile Stewardship program to ensure the safety, security, and reliability of the U.S. nuclear weapons stockpile today and into the future without underground testing.”
Specs: 1.6 petabytes of memory, 96 racks, 98,304 compute nodes, and 1.6 million cores.
I would love to credit the source, but I'm not sure who wrote this article; I simply quoted parts of it, since I can't really say much about something I haven't looked at personally.
Check out InformationWeek's Dark Reading site for more Black Hat 2012 information (link to be posted here).
Black Hat Releases Complete Event Schedule
Among the news breaking will be 36 tools, 17 0-days, and 49 live on-stage demonstrations
Jun 14, 2012 | 06:12 PM
SAN FRANCISCO, June 14, 2012 /PRNewswire/ — Black Hat, producer of the world’s premier information security events, today announced the official schedule for Black Hat USA 2012, where the smartest and most disruptive cyber security professionals will reveal research and vulnerabilities that threaten national critical infrastructure and identify flaws in popular consumer devices. Among the news breaking will be 36 tools, 17 0-days and 49 live onstage demonstrations during the action packed week of July 21-26 2012 in Las Vegas. For more information and to register, visit Black Hat.
The keynote speakers at Black Hat USA 2012 include Neal Stephenson, one of the world’s foremost historical and science fiction authors, and Shawn Henry, former FBI Executive Assistant Director (EAD) and currently President of CrowdStrike Services. Neal will take the stage for an interactive interview with attendees while Shawn will offer new insights on how a hostile cyber environment has rendered traditional security obsolete in a talk entitled: “Changing the Security Paradigm…Taking Back Your Network and Bringing Pain to The Adversary.”
Black Hat USA 2012 will feature talks that point out key security vulnerabilities in global and national infrastructure, including:
Critical infrastructure and hardware: threats to air traffic control systems (Andrei Costin), and to smart meters and the power grid (Don Weber). Stephen Ridley and Stephen Lawler will address advanced ARM exploitation and share some anecdotal "hardware hacking" experiences. Yann Allain and Julien Moinard will discuss power analysis of embedded systems.

Methods for taking cyber security on the offensive: renowned security researcher Dan Kaminsky will offer a look at "black ops," offering insight on attack techniques that previously may have been considered "wrong and evil." Robert Clark, operational attorney for the U.S. Army Cyber Command, will offer a look at the legal aspects of cyberspace operations.

Apple operating systems and applications: speakers will discuss flaws in the Apple App Store (Justin Engler, Seth Law, Joshua Dubik, and David Vo); vulnerabilities in the operating system kernel that drives iOS and Mac OS X (Stefan Esser); and a workshop on the dark art of iOS application hacking (Jonathan Zdziarski).

Threats and vulnerabilities in the most commonly used Web applications and tools, demonstrating key vulnerabilities at the very core of today's Internet: Shreeraj Shah offers a look at the Top 10 threats, while Sergey Shekyan and Vaagn Toukharian discuss hacking with HTML5's WebSockets; Jeong Wook Oh looks at recent Java exploitation trends and malware; and Ivan Ristic reveals several new vulnerabilities in popular Web application firewalls.
Black Hat will feature nine concurrent tracks every day, mixing workshops, roundtables and cutting edge presentations by top security experts. Deep technical training will take place July 21-24, while the open briefings will run from July 25-26.
Sponsors of this year’s Black Hat include Diamond Sponsors Qualys, Microsoft and Lookingglass Cyber Solutions; Platinum Sponsors Accuvant LABS, Blue Coat Systems, Core Security, Cisco, IBM, Juniper Networks, LogRhythm, RSA, Symantec, Trustwave and Verizon.
About Black Hat
Black Hat provides briefings and training to leading corporations and government agencies around the world. Black Hat differentiates itself by working at many levels within the corporate, government, and underground communities. This unmatched informational reach enables Black Hat attendees to be continuously aware of the newest vulnerabilities, defense mechanisms, and industry trends. Black Hat Briefings and Trainings are held annually in Europe and Las Vegas. Black Hat is produced by UBM TechWeb. More information is available at www.blackhat.com.
According to Robert Lemos of Dark Reading,
"Stopping malware is so yesterday. Eclectic groups of security people have banded together to make life difficult for attackers..." Well, I enjoy studying malware, and I don't have as many years of experience working in cybersecurity yet, so I will continue doing what I enjoy for now: hunting, studying, and destroying viruses and malicious code. Here's Mr. Lemos' story anyway; it's interesting.
Jun 14, 2012 | 06:06 PM
By Robert Lemos, Contributing Writer
Security consultant Dino Dai Zovi hacked Macs and co-authored a book on how to secure them. Tillmann Werner researched ways to detect the Conficker worm on infected networks and advocated an offensive approach to dealing with the threat. Shawn Henry chased cybercriminals during his 23-year career at the FBI. And Dan Guido teaches at NYU Poly and espouses a “Know Your Attacker” philosophy.
All four have left previous positions and joined startups that are creating services and products that focus on ways to make attacks more painful for the attackers. Rather than continue finding vulnerabilities or pointing out ways attackers can infiltrate networks, groups of well-known researchers are increasingly coming together to find better ways to identify and hinder attackers.
As attackers become more skilled at quiet, targeted attacks, traditional defenses are failing to catch them. While some security companies, for example, can search their logs of blocked programs for evidence that their products stopped Flame, it took the antivirus industry at least four years to detect the attack.
The lack of success has frustrated a number of researchers, such as Guido. With Dai Zovi and former VMware researcher Alexander Sotirov, the one-time security consultant and occasional professor created Trail of Bits, a company focused on analyzing attacks and finding the best ways to help its clients defend their networks and data.
Similar reasons drove George Kurtz to start up CrowdStrike with Dmitri Alperovitch, former vice president of threat research at McAfee, and Gregg Marston, formerly of Foundstone, a company Kurtz co-founded in the late '90s. There is still a lot of work to be done, but CrowdStrike is developing the ability to help companies understand who is attacking them and why they are being targeted so that they can marshal their defenses around those actual threats, Kurtz says. Companies are tired of trying to keep up with the large number of threats that may be targeting them.
“There is only so many fingers that they can put into the dike, and they want to know who is in their network and how to get them out of the network,” Kurtz says. “They want to understand what they are ultimately after. By switching from a focus on … malware to moving toward figuring out who is attacking and how they are doing it, you can basically put up better defenses.”
Both companies are investing in creating intelligence on threats to better inform their clients’ defenses. And both companies hope that doing so will help companies drop out of the rat race of trying to keep up with attackers’ ability to change their code. The fact that the firms exist and have attracted a bevy of smart researchers is likely due to the high level of frustration among defenders aimed at the unending success of attackers. Such frustration led Shawn Henry — recently the executive assistant director of the Criminal, Cyber, Response, and Services Branch of the FBI — to head up CrowdStrike’s services branch.
"The problem with existing technologies and threat-mitigation tactics is they are too focused on adversary tools — malware and exploits — and not on who the adversary is and how they operate," Henry stated in written testimony to the U.S. House Subcommittee on Homeland Security in April. "Ultimately, until we focus on the enemy and take the fight to them to raise their cost of attack, we will fail because they will always get through."
Companies have enough information to understand attackers and gain better information on the threats to their business, but lack the tools to turn that data into a strategy for stopping attackers, Guido says.
“In reality, data on attackers is widely available in published security industry reports, but many organizations have trouble interpreting this data and making it actionable,” he says. “The difficulty in achieving this vision will be in making the knowledge and tools to perform this analysis widespread.”