|
Fuzzy Mammal posted: it may be happening

I doubt goog has the balls to revoke Symantec CAs from chome. they'd be shutting off part of the internet for their users and they care more about those ad dollars than security.
|
# ? Jan 31, 2017 01:48 |
|
on the other hand if they could get Microsoft and failfox on board it would be a hell of a thing. so much poo poo would break.
|
# ? Jan 31, 2017 01:49 |
|
Don't they usually pick an issue date to no longer accept certs from the CA instead of a full revoke in situations like this?
|
# ? Jan 31, 2017 01:58 |
|
Shaggar posted: I doubt goog has the balls to revoke Symantec CAs from chome. they'd be shutting off part of the internet for their users and they care more about those ad dollars than security.

they would revoke after a certain date, not retroactively
|
# ? Jan 31, 2017 02:13 |
|
Cocoa Crispies posted: yeah really

Yeah, these are pretty neat. At the time they came out, USB C wasn't really a big thing. I've been hoping for this for USB C though, it will be glorious if it does come.
|
# ? Jan 31, 2017 02:22 |
|
https://twitter.com/Acosta/status/826197552995373057
|
# ? Jan 31, 2017 03:12 |
|
Secretary of Cyber position created and Barron appointed, natch
|
# ? Jan 31, 2017 03:23 |
|
https://assets.documentcloud.org/documents/3424611/Read-the-Trump-administration-s-draft-of-the.pdf who knows if it's real
|
# ? Jan 31, 2017 04:02 |
|
he's banned Club Penguin, the world's premier jihadi communication tool
|
# ? Jan 31, 2017 04:03 |
|
Fuzzy Mammal posted:https://assets.documentcloud.org/documents/3424611/Read-the-Trump-administration-s-draft-of-the.pdf The Cyber Realm
|
# ? Jan 31, 2017 04:20 |
|
AggressivelyStupid posted:The Cyber Realm come and play my lord
|
# ? Jan 31, 2017 04:25 |
|
Fuzzy Mammal posted:https://assets.documentcloud.org/documents/3424611/Read-the-Trump-administration-s-draft-of-the.pdf This doesn't look retarded enough to be real
|
# ? Jan 31, 2017 04:30 |
|
apseudonym posted:This doesn't look retarded enough to be real don't say retarded
|
# ? Jan 31, 2017 04:33 |
|
Subjunctive posted:don't say retarded
|
# ? Jan 31, 2017 04:34 |
|
guy I helped with the eyepyramid analysis finally released his writeup: http://blog.talosintel.com/2017/01/Eye-Pyramid.html

some notes:

quote: The sample is written in .Net and it is heavily obfuscated. Although at first sight we can also extract some interesting strings which are useful for possible ClamAV or Yara signatures. The author paid attention to hide the core functionalities by using either known .Net obfuscators or cryptography to hide crucial information such as URLs, email addresses and credentials.

as I noted before, the obfuscators, for one reason or another, were actually unable to hide a large number of uniquely identifying strings, for example argument or enum names, such as hgrghk, tmpwebshell and THISPROPERRUN. go ahead and google them, they're unique to eyepyramid and will reveal a few more samples (that however don't appear to be downloadable. anyone have access to a yara-searchable repository and wants to give me a hand?). the order for custody against the occhioneros pops up in that search too and it's full of details on the c&c infrastructure and the kind of exfiltrated data... I should really go and reread it more closely, and cross-reference it with what I have

quote: Generally speaking, reversing .Net applications is not a difficult task because it is possible to decompile the binary. There are many tools that do it such as ILSpy, dotPeek, etc. We first tried decompiling the sample with ILSpy but the obfuscation was heavy and all over the place. As a result the ILSpy output was not very useful and we had problems identifying the entry point of the application. The sample cannot be debugged, and it does not run inside virtual machines due to several and sometimes trivial (but effective) anti-debugging and anti-vm checks.

dotpeek works a little better, but barely: it still produces non-compiling output, due to not supporting visual basic, which produces .net code that can't be decompiled to c# - some examples:

the entry point is actually easy to find: just ask dotpeek (or dnspy) to jump to it. sure, you can't grep for "main" because it's been renamed by the obfuscator, but the metadata can't be obfuscated so much that the entry point isn't hardcoded in the executable and easy to look up (or the executable won't run!). for example, in my sample, the entry point is token 600003D, as shown by a simple dumpbin /clrheader:

pre:
    Microsoft (R) COFF/PE Dumper Version 14.00.23918.0
    Copyright (C) Microsoft Corporation.  All rights reserved.

    Dump of file d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c.bin

    File Type: EXECUTABLE IMAGE

      clr Header:

                  48 cb
                2.05 runtime version
               CFF54 [  10DD60] RVA [size] of MetaData Directory
                   1 flags
                       IL Only
             600003D entry point token
              1DDCB4 [    6E02] RVA [size] of Resources Directory
                   0 [       0] RVA [size] of StrongNameSignature Directory
                   0 [       0] RVA [size] of CodeManagerTable Directory
                   0 [       0] RVA [size] of VTableFixups Directory
                   0 [       0] RVA [size] of ExportAddressTableJumps Directory
                   0 [       0] RVA [size] of ManagedNativeHeader Directory

      Summary

            2000 .reloc
           42000 .rsrc
            2000 .sdata
          1E4000 .text

code:

quote: For instance, it creates a registry key named 'default.reg' and it is added to the registry by directly invoking the regedit command.

this is glossing over a couple important points. first, all writes to the registry, both additions and deletions, go through temporary .reg files passed to regedit (yes! .reg files can delete keys and values, other than adding/changing them. it's a little known feature), no idea why. maybe the malware author was lazy

second, the default.reg file is extremely interesting. not only does it seem part of a named component, as its full name is in fact Shutil.default.reg (and there's a few other unobfuscated references to "shutil" scattered about), but it does many, many things of note. I'm extrapolating a little, but it seems to:

here is the whole thing for your reading pleasure: http://pastebin.com/28BdEsvY

something about default.reg rubs me the wrong way. it looks copy pasted from another project, as the list of av software doesn't match the list embedded in the executable, there's a couple of weird comments embedded in it, and there's that component name (Shutil). sadly I don't get any google matches for the weird random alphanumeric strings in comments

quote: The next step is to check and 'fix' the security descriptors of many folders via 'cacls.exe'. Specifically, this code is interested in the Windows Firewall and a long list of possible antivirus software (among them also 'ClamAV for Windows'). To find these programs the malware looks in typical locations such as ProgramFiles, ProgramFiles (x86), etc. You can see from the picture below 'cacls.exe' and part of the security products list:

or more specifically:

quote: As we already said the sample is still obfuscated and it massively adopts cryptography. As reported by other sources, the strings are encrypted with 3DES. Here we report how the key is generated and the overall structure for the encryption phase. The key is an array of 16 booleans at the beginning all set to false. The key is initialized in the steps listed in the table below. The result of every step is a boolean value (true/false).

minus the fancy graphics, I have already given you a thorough (and much more accurate, ha) rundown of this part in my previous Dead Gay Forums Exclusive Report

quote: so much for my scruples

dude redact that poo poo, you're a professional goddamnit

quote: If this is less than 46.5 GB and the operating system is Windows XP, this is not a valid environment

actually hard drives use base 10 units so no, it's 50 GB

quote: Another interesting point is related to the way in which the domains are rotated. This is not a real domain generation algorithm (DGA), because the domains are not generated on the fly. This is simply how the agent gets the required information. This works in the following way:

I didn't get around to it but yes, it does this! another clue that some thought was put into this malware

quote: The exfiltration is done mainly via email and partially via WebDAV and HTTP.

in the sample me and this guy analyzed, this entire part of code is, actually, completely unused and effectively dead so this is all at best an educated guess. I mean the code does do what he says it does, but from this sample alone we have no idea what conditions actually trigger it, and what kind of data is actually exfiltrated.

well, in fact, I have an idea about some of the data: operational logs, for example, are encrypted and sent as s/mime emails; plus, there's a component that screen scrapes the page currently open in IE, makes a list of all form fields, serializes it to xml, compresses it, and e-mails it; maybe more but my time to play with eyepyramid ran out

quote: There are other executables that appear to be executed, such as 'stkr.exe', but the analysis of that malware is beyond the scope of this post. For the reader interested in a further analysis, the sha256 for 'stkr.exe' is: 0af665d7d81871474039f08d96ba067d5a0bd5a95088009ea7344d23a27ca824.

this sample is publicly known and downloadable. I might give it a shot. some time. maybe

well. I looked at the strings dump at least. all of our good old friends like THISPROPERRUN, THISCANDIDATE, tmpwebshell and of course our beloved star, hgrghk are all there having a party. sadly string dumps aren't indexed for searching so I can't use the known keywords to find other samples under https://www.hybrid-analysis.com/

quote: The authors would like to thank the research community for sharing the hashes and 'hackbunny' for the support and information sharing.

quote: Posted by Paul Rascagneres at 2:40 PM

this isn't the guy I helped with the analysis btw, it must be his boss
|
# ? Jan 31, 2017 04:53 |
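The point hackbunny makes about the entry point surviving obfuscation can be checked without any decompiler. The Python below is an added example (not code from the post, the Talos write-up or the EyePyramid sample): it walks the DOS, PE, optional header and section table by hand, finds the CLR runtime header through data directory 14, and reads the entry point token the same way dumpbin /clrheader does. It assumes a standard PE32/PE32+ layout; the `build_sample_image` helper constructs a throwaway image whose only job is to carry the token 0x600003D from the dumpbin output above, so the script runs offline without a real binary.

```python
"""Find the CLR entry point token of a .NET executable by walking the PE headers.

Added example: the entry point token lives in the IMAGE_COR20_HEADER, which an
obfuscator cannot rename away, so it can always be read straight from the file.
"""
import struct
import sys

CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR in the data directory table


def rva_to_offset(sections, rva):
    """Translate an RVA into a file offset using the section table."""
    for _name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%X is not backed by any section" % rva)


def parse_clr_header(data):
    """Return runtime version, flags and entry point token of a managed PE image.

    Raises ValueError for non-PE input or for a native image without a CLR header.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)               # PE32 vs PE32+ directory offset
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIRECTORY_INDEX)
    if clr_rva == 0 or clr_size == 0:
        raise ValueError("no CLR runtime header: not a managed image")
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw_ptr, raw_size))
    clr = rva_to_offset(sections, clr_rva)
    # IMAGE_COR20_HEADER: cb, MajorRuntimeVersion, MinorRuntimeVersion,
    # MetaData (RVA, size), Flags, EntryPointToken
    _cb, major, minor, _md_rva, _md_size, flags, token = struct.unpack_from("<IHHIIII", data, clr)
    return {
        "runtime_version": "%d.%02d" % (major, minor),
        "il_only": bool(flags & 0x1),                          # COMIMAGE_FLAGS_ILONLY
        "native_entry_point": bool(flags & 0x10),              # token field is an RVA when set
        "entry_point_token": token,
        "table": token >> 24,                                  # 0x06 == MethodDef table
        "row": token & 0xFFFFFF,                               # 1-based row in that table
    }


def build_sample_image(entry_token=0x600003D):
    """Constructed minimal PE32 image: one .text section holding a CLR header.

    It only exercises the parser; the token defaults to the one dumpbin printed.
    """
    text_rva, text_raw = 0x2000, 0x200
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                  # Magic + rest of the PE32 optional header
    dirs = [(0, 0)] * 16
    dirs[CLR_DIRECTORY_INDEX] = (text_rva, 72)                    # CLR header sits at the start of .text
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = struct.pack("<8sIIII", b".text", 0x1000, text_rva, 0x200, text_raw) + b"\0" * 16
    headers = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    headers += b"PE\0\0" + coff + opt + section
    clr = struct.pack("<IHHIIII", 72, 2, 5, 0, 0, 1, entry_token) + b"\0" * 48
    return (headers.ljust(text_raw, b"\0") + clr).ljust(text_raw + 0x200, b"\0")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    info = parse_clr_header(data)
    print("runtime %s, IL only: %s" % (info["runtime_version"], info["il_only"]))
    print("entry point token 0x%X (table 0x%02X, row %d)" % (info["entry_point_token"], info["table"], info["row"]))
```

Run it with a file argument to read a real binary, or with none to parse the constructed image. The high byte of the token (0x06) names the MethodDef metadata table and the low 24 bits (0x3D) the 1-based row, which is exactly what dotPeek or dnSpy navigate to when asked for the entry point. If the NATIVE_ENTRYPOINT flag is set the same field holds an RVA rather than a token, so the dictionary reports that flag to avoid misreading the value.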
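The "little known feature" of .reg files deleting keys and values is easy to miss when eyeballing a temporary .reg file that a sample hands to regedit. As an added example (not the thread's, the malware's or Talos's code), the Python below parses a .reg file into add/set/delete operations, handling the deletion syntax (`[-KEY]` removes a key, `"name"=-` removes a value) and hex continuation lines, and flags the two well-known Windows policy values that turning off UAC and "UAC remote restrictions" corresponds to. The sample .reg text is constructed for the demo, not taken from Shutil.default.reg; EnableLUA and LocalAccountTokenFilterPolicy are real policy values, but which ones default.reg actually touches is only what the thread says.

```python
"""Triage a .reg file: list what it adds, changes and deletes, and flag known
UAC-weakening values. Added example; the sample text below is constructed."""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; constructed sample modelled on the behaviour described in the thread
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"LocalAccountTokenFilterPolicy"=dword:00000001

[-HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Antivirus]

[HKEY_CURRENT_USER\Software\Example]
"OldSetting"=-
@="default value"
"Blob"=hex:01,02,\
  03,04
"""

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# (key, value name, data) -> what it means; all three compared case-insensitively
SUSPICIOUS_VALUES = {
    (POLICY_KEY.lower(), "enablelua", "dword:00000000"): "UAC disabled",
    (POLICY_KEY.lower(), "localaccounttokenfilterpolicy", "dword:00000001"):
        "UAC remote restrictions disabled (local admin accounts keep a full token over the network)",
}

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _logical_lines(text):
    """Yield stripped lines, joining hex values continued with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        yield line
    if buf:
        yield buf


def parse_reg(text):
    """Return a list of (op, key, name, value) tuples in file order."""
    ops, key = [], None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            ops.append(("delete_key" if m.group(1) else "add_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("unparsable line: %r" % line)
        name = "(Default)" if m.group(2) else m.group(1)
        value = m.group(3).strip()
        if value == "-":
            ops.append(("delete_value", key, name, None))    # "name"=- removes the value
        else:
            ops.append(("set_value", key, name, value))
    return ops


def review(ops):
    """Return findings worth a human look: every deletion plus known weakening values."""
    findings = []
    for op, key, name, value in ops:
        if op == "delete_key":
            findings.append("deletes key %s" % key)
        elif op == "delete_value":
            findings.append("deletes value %s\\%s" % (key, name))
        elif op == "set_value":
            label = SUSPICIOUS_VALUES.get((key.lower(), name.lower(), value.lower()))
            if label:
                findings.append("%s: %s\\%s=%s" % (label, key, name, value))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        raw = open(sys.argv[1], "rb").read()   # regedit exports UTF-16 with a BOM; fall back to UTF-8
        text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8", "replace")
    else:
        text = SAMPLE_REG
    for finding in review(parse_reg(text)):
        print(finding)
```

Point it at a .reg file pulled from a temp directory and it lists deletions first, since those are the operations a quick read of the file tends to miss; the lookup table is small on purpose and is where an analyst would add the other values the full default.reg touches.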
|
hackbunny best bunny
|
# ? Jan 31, 2017 04:55 |
|
hackbunny posted: so much for my scruples / dude redact that poo poo, you're a professional goddamnit

almost forgot! one of the passwords you can see in that string dump is "caccoletta". it means "little booger". themoreyouknow.gif
|
# ? Jan 31, 2017 05:00 |
|
Subjunctive posted:hackbunny best bunny this. but what happened to your av hackbunny?
|
# ? Jan 31, 2017 05:00 |
|
cheese-cube posted:this. but what happened to your av hackbunny? I was wondering the same thing. Who hates you enough to anime it up like that? Unless it was you, then uh...
|
# ? Jan 31, 2017 05:04 |
|
cheese-cube posted:this. but what happened to your av hackbunny? someone's idea of a joke
|
# ? Jan 31, 2017 05:04 |
|
shame it seems to have been done by a terrible white nationalist 4channer, kinda taints the whole thing
|
# ? Jan 31, 2017 06:51 |
|
vOv posted:http://www.wrdw.com/content/news/Washington-Road-billboard-gets-hacked-shows-curse-words-to-describe-jewelry-412169543.html Security Fuckup Megathread - v13.2 - car go bep bep
|
# ? Jan 31, 2017 06:55 |
|
ate all the Oreos posted:shame it seems to have been done by a terrible white nationalist 4channer, kinda taints the whole thing oh ew
|
# ? Jan 31, 2017 07:00 |
|
vOv posted:http://www.wrdw.com/content/news/Washington-Road-billboard-gets-hacked-shows-curse-words-to-describe-jewelry-412169543.html
|
# ? Jan 31, 2017 07:08 |
|
vOv posted: http://www.wrdw.com/content/news/Washington-Road-billboard-gets-hacked-shows-curse-words-to-describe-jewelry-412169543.html

a redditor posted: Shhhhh... I'm an engineer for a digital billboard company. Billboards are 100% not hackable. It's all just still images / animations / video files loaded into a playlist. So don't spoil the magic for people who want to believe this is real. If any changes were needed to be made, it would be done off site and saved as a flat image file. It would take too much time for the usually cheap rear end PC in the sign to render a Photoshop or .Ai file every time the sign changes.
|
# ? Jan 31, 2017 07:10 |
|
w...hat... Phoenixan posted:says someone called keksec of all things they're the people that hacked it, according to the article
|
# ? Jan 31, 2017 07:12 |
|
I want to believe
|
# ? Jan 31, 2017 07:13 |
|
long-rear end nips Diane posted:I want to believe
|
# ? Jan 31, 2017 07:17 |
|
if they're anything like the ones around here they're straight up windows PCs with VNC directly exposed to the internet. they're also paired with an ip cam directly on the internet, used to verify the displayed image remotely
|
# ? Jan 31, 2017 08:16 |
|
...why would it have to be a Photoshop or AI file? why does the file type mean that nobody can connect to the computer and put up their own image / animation / video file?
|
# ? Jan 31, 2017 08:51 |
|
CommunistPancake posted:...why would it have to be a Photoshop or AI file? why does the file type mean that nobody can connect to the computer and put up their own image / animation / video file? Idk that guy is a digital billboard engineer, better trust him
|
# ? Jan 31, 2017 08:53 |
|
CommunistPancake posted:...why would it have to be a Photoshop or AI file? why does the file type mean that nobody can connect to the computer and put up their own image / animation / video file? He explains later on that there's a hash for each image (or something like that). So the new file won't display because there's no way that someone that has managed to compromise the computer to load the images can replace the hashes.
|
# ? Jan 31, 2017 10:31 |
|
hackbunny posted:
Bonfire Lit fucked around with this message at 11:02 on Jan 31, 2017 |
# ? Jan 31, 2017 11:00 |
|
flosofl posted:He explains later on that there's a hash for each image (or something like that). So the new file won't display because there's no way that someone that has managed to compromise the computer to load the images can replace the hashes.
|
# ? Jan 31, 2017 12:04 |
|
You see, it's unhackable, because the hacker would have to go through a few minutes extra of work to hack it. Nobody's ever wasted a bunch of time to do something pointless and funny on the internet.
|
# ? Jan 31, 2017 13:18 |
|
funniest part of the article is the local TV news insisting that Augusta is a growing wizard capital put that on the sign because that's funny
|
# ? Jan 31, 2017 13:50 |
|
I'm the "vial stuff put up there"
|
# ? Jan 31, 2017 14:20 |
|
Bonfire Lit posted: turns off UAC and "UAC remote restrictions". if you connect to a computer via smb with a local account with admin privs (as opposed to a domain account with local admin privs) windows usually disables the admin group in your token. the second setting turns that off, I don't know where the point is when UAC is already disabled but maybe it's in order to keep access if someone turns UAC back on via the control panel

I don't get the point though! it seems completely unrelated to anything the malware does

btw remember that webdav folder that investigators missed? and the files I downloaded from it? I managed to decrypt two out of four, and they're lists of accounts on gmx.com. nothing new basically, just a copy of data investigators already found elsewhere. I wonder about the other two files... my sample contains no reference to them. I'll try to brute force them, all I need to do is reverse sha1 a couple short, simple strings. why can't I use existing rainbow tables you ask, because the idiot hell fucker who cumpissed this abortion of a malware encodes the strings in utf-16 before hashing them, I answer
|
# ? Jan 31, 2017 14:29 |
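The UTF-16 detail at the end of that post is worth seeing in bytes. The Python below is an added example (not the post's code; the test string is constructed): it hashes the same string under several encodings and shows why a SHA-1 table built over plain ASCII/UTF-8 strings never matches a digest that .NET code computed through `Encoding.Unicode`, which is UTF-16LE. `detect_encoding` is the small analyst check that follows from this: given a string you already know the sample hashes and the digest it stores, it reports which encoding the hashing code used, so you know what to expect before comparing anything else.

```python
"""SHA-1 over different encodings of the same string.

Added example, not code from the post. .NET's Encoding.Unicode is UTF-16LE, so
a program that hashes strings through it feeds the hash NUL-interleaved bytes
for ASCII input, and digests precomputed over UTF-8 strings do not apply.
"""
import hashlib

# utf-8 and latin-1 agree on ASCII, so for ASCII input the first match wins
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be", "latin-1")


def sha1_hex(text, encoding):
    """SHA-1 digest (hex) of `text` after encoding it with `encoding`."""
    return hashlib.sha1(text.encode(encoding)).hexdigest()


def utf16le_bytes(text):
    """The bytes .NET's Encoding.Unicode hands to the hash function."""
    return text.encode("utf-16-le")


def detect_encoding(known_text, digest_hex, encodings=ENCODINGS):
    """Return the encoding under which SHA-1(known_text) equals digest_hex, or None.

    known_text is a string already known to be the hashed input (a value read
    from the sample's own configuration, say); digest_hex is what the sample
    stores for it. The answer tells you how the sample hashes strings.
    """
    digest_hex = digest_hex.lower()
    for enc in encodings:
        if sha1_hex(known_text, enc) == digest_hex:
            return enc
    return None


if __name__ == "__main__":
    word = "example"  # constructed test string
    for enc in ENCODINGS:
        print("%-9s %s" % (enc, sha1_hex(word, enc)))
    print("utf-16-le bytes of 'abc':", utf16le_bytes("abc"))
    sample_digest = sha1_hex(word, "utf-16-le")   # stands in for a digest read out of a sample
    print("encoding used by the hashing code:", detect_encoding(word, sample_digest))
```

The printed table makes the point directly: the UTF-8 and UTF-16LE rows differ for every input, so a digest that fails to match under one encoding is not evidence that the plaintext is unknown, only that the wrong byte sequence was hashed.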