Defcon Preview Video

This is a preview of a forthcoming documentary about Defcon which was filmed at Defcon 20 and is supposed to be free when released. Enjoy the preview; it is cool.

Cleaning Up after Citadel – Department of Justice Ransomware

Citadel Malware Screen

Citadel Malware Ransomware Screen

A client of mine was hit with a variant of the Citadel Ransomware yesterday. He was just surfing the web and looking for a movie to watch when he was hit by the drive-by download. It placed a big old warning message with “Your Computer Has Been Blocked” on the left and “The United States Department of Justice” warning on the right, and a picture of a naked girl in a sexual position near the bottom, while asking for a MoneyPak payment to unlock the computer.
Upon receiving the computer, I rebooted and used a Kaspersky Rescue CD to boot and scan the hard drive. It found the following files… 4 files labeled as “” and 10 files labeled as “Win32.Katusha.n”. The exact filenames don’t matter because they are just a bunch of random letters and numbers. After I deleted these 14 items with Kaspersky, I took out the CD and rebooted.

Upon reboot, the computer came on and about a minute after being on, the warning screen came back on, which I was happy about because I wanted to get a closer look and a picture. Upon looking at the bottom of the screen I noticed there was a small black square that was blurry but changing, and when I moved around I noticed a picture of me there, as the webcam was recording and putting my picture right in the page next to the naked girl porno warning. I covered up the webcam with some tape and started experimenting with the computer to see what I could do. After taking a picture of the screen for documentation purposes, I tried to do a few things and was surprised that it actually let me open up some windows and folders. I immediately noticed that it had created another false partition and a bootsect.bak. I rebooted into safe mode and deleted all the recent temporary files, then used RogueKiller to run a quick scan and removal of about 8 registry keys and a batch file. I was still not out of the woods, but I was in total control of this bad boy at this point.

I downloaded MalwareBytes and let that scan, and it found 15 items, mostly in the ProgramData folder. Check out the pictures for more detailed info. After deleting everything MalwareBytes found I uninstalled Microsoft Security Essentials and installed BitDefender. This is not the first time I have seen Microsoft Security Essentials fail to protect against older known malware. After removing everything to this point and rebooting, the computer seems back to normal; I am still searching through the registry and all folders for any remaining traces. BitDefender and MalwareBytes are both returning completely clean, and it really wasn’t that difficult to remove this, so I am still wary that there may be traces left behind.

Microsoft Security Compliance Manager Gets an Update (V3 Beta Release)

I have been involved in testing all aspects of Microsoft Group Policy for a while, but I really never gave Microsoft’s Security Compliance Manager too much time, until now. I decided that if I was going to really master Group Policy and everything it has to offer, I need to utilize all the different utilities out there that Microsoft offers. I know there are many great third-party tools, but Microsoft has always offered many extra add-ons, and Security Compliance Manager is one of my favorites. First I am going to discuss the old version, SCM v2.5. SCM is basically a package that you can install on your main administration computer which brings along a collection of Microsoft baselines for Windows XP, Vista, 7, Server 2003, and 2008. These baselines are a combination of group policy settings that have been developed by Microsoft to offer a secure and compliant baseline for Windows XP, Windows 7, Internet Explorer 8, Microsoft Exchange 2007 & 2010, Office, etc.

The Security Compliance Manager 2.5 includes all operating systems and applications up to Windows 7 SP1 and Office 2010. You are able to explore the settings put into place in each of the baselines before duplicating them, and then edit each of the settings to better resemble what you need in place for the networks that you are administering. SCM allows you to export the baselines to an Excel Workbook (.xlsm), a GPO Backup, SCAP v1.0 (.cab), SCCM DCM 2007 (.cab), or an SCM (.cab). I have found the easiest one to work with in order to import the settings directly into the Group Policy Management Editor to be the GPO Backup.

Security Compliance Manager (screenshot): here is what the Security Compliance Manager looks like.

I had just installed SCM v2.5 on my laptop when I thought about searching for a new version for Windows 8 and Server 2012. I then found out that in order to get the update you must join a Microsoft Connect Beta Program. So basically all you have to do is sign up and then you can download the SCM v3.0 Beta refresh. Microsoft describes the program like this … “Secure your environment with new product baselines for Windows Server 2012, Windows 8, and Windows Internet Explorer 10. The beta releases of Security Compliance Manager (SCM) 3.0 provide all the same great features for these new baselines, as well as an enhanced setting library for these new Microsoft products. The beta releases include fixes that resolve many previously reported issues in the setting library. The updated setting library also gives you the ability to further customize baselines. SCM 3.0 provides a single location for you to create, manage, analyze, and customize baselines to secure your environment faster and more efficiently.”

Note that there are 2 downloads for the SCM 3.0 Beta: the first, “SCM 3.0 Beta”, is the entire application, and the second, “SCM 3.0 Beta Refresh”, is basically updated baselines only that you can import into the application.

Mark Russinovich demonstration of Stuxnet, Flame, & more.

In between troubleshooting Windows Server 2008 SYSVOL replication errors this week, I remembered wanting to mention Mark Russinovich’s videos on TechNet from when he demonstrated Stuxnet and Flame in virtual machines last year. I think I forgot to post the link, so here it is; it was pretty entertaining. You can watch the video from June 11, 2012 at TechEd here:

I solved a pretty annoying problem today when I finally found the solution to my SYSVOL replication error on a 2008 Server Domain Controller that was being improperly labeled with a \\?\C:\Windows\SysVol\Sysvol\Domainname path.
The solution was simple but took me a while to find. All you have to do is go into ADSIEdit on the 2008 Domain Controller and navigate to the msDFSR-RootPath attribute, then edit the path that has the question mark and delete the first three characters. For the exact steps just check out the link at the end… Here is one of the TechNet articles that helped me get to the bottom of this.

Here is a link to the workaround which enables you to remove the bloody question mark that was causing me grief.
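The manual ADSIEdit fix above can be audited (and optionally applied) from PowerShell. This is an added example, not from the post or from Microsoft; it assumes the ActiveDirectory module (RSAT) is available, that the affected attribute is msDFSR-RootPath on the msDFSR-Subscription objects under each domain controller, and that the bad prefix is the literal string \\?\ shown in the extracted path.

```powershell
# Added example: find SYSVOL DFSR subscription root paths that carry the "\\?\" prefix
# and optionally strip it. Run as a domain admin; use -Fix only after reviewing output.
Import-Module ActiveDirectory

$BadPrefix = '\\?\'   # assumption: the prefix to remove, per the extracted path above

function Get-SysvolRootPathIssue {
    [CmdletBinding()]
    param([switch]$Fix)

    foreach ($dc in Get-ADDomainController -Filter *) {
        # msDFSR-Subscription objects live beneath the DC's computer object
        $subs = Get-ADObject -SearchBase $dc.ComputerObjectDN `
                             -LDAPFilter '(objectClass=msDFSR-Subscription)' `
                             -Properties 'msDFSR-RootPath'
        foreach ($sub in $subs) {
            $path = [string]$sub.'msDFSR-RootPath'
            $hasPrefix = $path.StartsWith($BadPrefix)
            $fixedPath = if ($hasPrefix) { $path.Substring($BadPrefix.Length) } else { $path }

            if ($hasPrefix -and $Fix) {
                # Replace the attribute value in place; DFSR picks it up after AD replication
                Set-ADObject -Identity $sub -Replace @{ 'msDFSR-RootPath' = $fixedPath }
            }

            [pscustomobject]@{
                DomainController = $dc.HostName
                Subscription     = $sub.DistinguishedName
                RootPath         = $path
                HasBadPrefix     = $hasPrefix
                CorrectedPath    = $fixedPath
                Applied          = ($hasPrefix -and $Fix)
            }
        }
    }
}

# Report only (no changes); add -Fix to rewrite offending paths
Get-SysvolRootPathIssue | Format-Table -AutoSize
```

Run without -Fix first so the report can be compared against what ADSIEdit shows before any attribute is rewritten.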

HackInTheBox Security Conference Slides (PDFs)

Here is the Schedule And Presentation Calendar
D1T1 – Barisani and Bianco – Practical Exploitation of Embedded Systems.pdf
D1T1 – Chris Wysopal – Data Mining a Mountain of Vulnerabilities.pdf
D1T1 – Lucas Adamski – Firefox OS and You.pdf
D1T1 – Petko Petkov – History of the JavaScript Security Arsenal.pdf
D1T1 – Philippe Langlois and Emmanuel Gadaix – 6000 Ways and More.pdf
D1T1 – The Pirate Bay – Data is Political – NO SHOW
D1T2 – Don Bailey – Hackers, The Movie – A Retrospective.pdf
D1T2 – Haroon Meer – You and Your Research.pdf
D1T2 – Marc Heuse – IPv6 Insecurity Revolutions.pdf
D1T2 – Mark Dowd & Tarjei Mandt – iOS6 Security.pdf
D1T2 – Meder Kydyraliev – Defibrilating Web Security.pdf
D1T2 – Wes Brown – Supercomputing, Malware and Correlation.pdf
D1T3 – Charlie Miller – Attacking NFC.pdf
D1T3 – F Raynal & G Campana – An Attack Path to Jailbreaking Your Home Router.pdf
D1T3 – John Draper – A Historical Look at the Personal Computer and Phreaking.pdf
D1T3 – Jose Nazario – Tracking Large Scale Botnets.pdf
D1T3 – Paul Sebastian Ziegler – Hacking in the Far East.pdf
D1T3 – The Grugq – OPSEC – Because jail is for wuftpd.pdf
D2T1 – Chris Evans – Element 1337 in the Periodic Table – Pwnium.pdf
D2T1 – Katie Moussouris – How to Get Along with Vendors Without Really Trying.pdf
D2T1 – Ollie Whitehouse – Finding the Weak Link in Binaries.pdf
D2T1 – Paul Vixie – Silo Busting in Information Security – NO SLIDES
D2T1 – Rodrigo Branco – A Scientific Study of Malware Obfuscation
D2T1 – Shreeraj Shah – XSS and CSRF Strike Back Powered by HTML5.pdf
D2T2 – Fyodor Yarochkin and Vladimir – Messing up the Kids Playground.pdf
D2T2 – Jeremiah Grossman – Why Web Security is Fundamentally Broken.pdf
D2T2 – Raoul Chiesa – Information Warfare and Cyberwar.pdf
D2T2 – Saumil Shah – Innovative Approaches to Exploit Delivery.pdf
D2T3 – Emmanuel Gadaix – Something MEGA.pdf
D2T3 – Felix FX Lindner – Hacking Huawei VRP.pdf
D2T3 – Mikko Hypponen – Behind Enemy Lines.pdf
D2T3 – Stefano Zanero – Behaviour-Based Methods for Automated Scalable Malware Analysis.pdf

Thank YOU to Security Monkey’s Chief Monkey for the links…

Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8 and Windows Server 2012.

The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10. Here is the Microsoft Security Advisory Page: However, in Internet Explorer 10, the Windows 8-style UI will only play Flash content from sites listed on the Compatibility View (CV) list; therefore an attacker who created a malicious Flash object would have to compromise a website already listed on the CV list. Microsoft also warns users that “By default, all supported versions of Microsoft Outlook and Windows Live Mail open HTML email messages in the Restricted sites zone.” This means that even if the user does not use Internet Explorer, just opening an email in Outlook or a document in Word that invokes an action to a webpage involving Flash Player could be enough to exploit the user. They go on to publish a registry edit that will prevent ActiveX from automatically invoking Flash:

Prevent Adobe Flash Player from running
You can disable attempts to instantiate Adobe Flash Player in Internet Explorer and other applications that honor the kill bit feature, such as Office 2007 and Office 2010, by setting the kill bit for the control in the registry.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To set the kill bit for the control in the registry, perform the following steps:

Paste the following into a text file and save it with the .reg file extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

Double-click the .reg file to apply it to an individual system.

You can also apply it across domains by using Group Policy. For more information about Group Policy, see the TechNet article, Group Policy collection.
Note You must restart Internet Explorer for your changes to take effect.

Today (October 9th) is Microsoft’s infamous Patch Tuesday, and there are a total of 7 bulletins that are patching about 20 vulnerabilities.
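The same kill bit can be verified and applied from an elevated PowerShell prompt, which is handier than hand-editing .reg files across several machines. This is an added example, not Microsoft’s own script; the CLSID and the 0x400 flag value are taken from the advisory text above, and the Wow6432Node key is assumed to matter only on 64-bit Windows.

```powershell
# Added example: check whether the Flash Player ActiveX kill bit is set, and set it.
# CLSID and flag value are from the Microsoft advisory quoted above.
$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'
$KillBit    = 0x400   # Compatibility Flags bit that blocks the control

# Native hive plus the 32-bit view (Wow6432Node) used by 32-bit IE/Office on 64-bit Windows
$KeyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
)

function Get-FlashKillBitStatus {
    foreach ($key in $KeyPaths) {
        $flags = $null
        if (Test-Path $key) {
            $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            Key        = $key
            Flags      = $flags
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-FlashKillBit {
    foreach ($key in $KeyPaths) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the kill bit in so any other compatibility flags already present survive
        $newFlags = ([int]$existing) -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newFlags -Type DWord
    }
}

Get-FlashKillBitStatus | Format-Table -AutoSize   # before
Set-FlashKillBit
Get-FlashKillBitStatus | Format-Table -AutoSize   # after: KillBitSet should be True
```

As the note above says, Internet Explorer must be restarted before the change takes effect, and the kill bit is no longer needed once the Flash update from Windows Update is installed.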

Once you update, however, you will not need to apply this ActiveX kill bit, so it is only here for those who are not planning on updating their systems right away with Windows Update.