[i]Security firm Tllod (The Last Line of Defense) reports in its blog that some botnet control servers are apparently equipped with functions to mislead and monitor inquisitive researchers, and to complicate their analyses. According to the researchers, such servers present a fake, basic web interface after pretending to accept easily guessed log-in credentials.
For instance, in one case the combination admin/admin was sufficient for an apparently successful log-in. The examined server was even prepared for attempted SQL injection attacks on the password field and pretended to fall for such strings as ' or 1=1--. After a successful log-in, the server recorded all activities. In Tllod’s opinion, this deceptive mechanism could serve the purpose of analysing the methods of potential intruders. Previously, such honeypots were only known to be used by security researchers who wanted to investigate the methods of criminals.
When analysing the source code of a control server set up by criminals, Tllod also noted that the statistics presenting the number of infected PCs (bots) and successful exploits were simply random figures. Such figures are obviously useless – and botnet researchers should be sceptical when examining the statistics presented by the control servers of other botnets. In the past, security researchers often released the internal statistics of hacked control servers.
The examined server’s web interface also pretended to allow users to upload executable files to the bots. However, the files were only stored – probably for subsequent analysis.[/i]
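As an added illustration of the behaviour the report describes (this is example code written for this thread, not the Tllod blog's code and not the examined server's), here is a minimal decoy control-panel login in Python. It "accepts" guessed default credentials and classic SQL tautologies such as ' or 1=1--, records every attempt as a JSON line, serves random dashboard statistics, and quarantines uploaded binaries instead of dispatching them. The credential list, the sample attempts and the 203.0.113.x address are constructed for the example; the injection heuristic is deliberately coarse, as a decoy can afford false positives that a real login cannot.

```python
# Added example: a decoy admin-panel login in the style described in the
# Tllod report. Not code from the report or from any real control server.
import hashlib
import json
import random
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed list of weak credential pairs the decoy pretends to accept.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Tautologies typed into a login field, e.g.  ' or 1=1--  or  admin' OR '1'='1
_TAUTOLOGY = re.compile(
    r"""(?ix)
    ['"]? \s* \b or \b \s*                # optional closing quote, then OR
    (?: \d+ \s* = \s* \d+                 # 1=1
      | '[^']*' \s* = \s* '[^']*'?        # 'a'='a   (final quote may be missing)
      | "[^"]*" \s* = \s* "[^"]*"? )
    """
)
# A quote followed by a SQL comment marker, e.g.  admin'--  (truncates the query).
_QUOTE_COMMENT = re.compile(r"""['"]\s*(?:--|#|/\*)""")


@dataclass
class Attempt:
    ts: str
    remote: str
    username: str
    password: str
    classification: str  # default_credential | sql_injection | other
    accepted: bool


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def classify(username: str, password: str) -> str:
    """Label a login attempt the way the decoy's logger would (coarse heuristic)."""
    for field in (username, password):
        if _TAUTOLOGY.search(field) or _QUOTE_COMMENT.search(field):
            return "sql_injection"
    if (username, password) in DEFAULT_CREDENTIALS:
        return "default_credential"
    return "other"


class DecoyPanel:
    """In-memory stand-in for the fake web interface. A deployed decoy would
    sit behind an HTTP handler and write the log to disk; the policy is the same."""

    def __init__(self, rng=None):
        self.log = []            # JSON-serialisable records of everything a visitor does
        self.quarantine = {}     # sha256 -> uploaded bytes; never forwarded anywhere
        self.rng = rng or random.Random()

    def login(self, remote: str, username: str, password: str) -> bool:
        kind = classify(username, password)
        # Deception policy: let guessed defaults and injection probes "succeed"
        # so the visitor keeps interacting; everything else gets a plain failure.
        accepted = kind in ("default_credential", "sql_injection")
        self.log.append(asdict(Attempt(_now(), remote, username, password, kind, accepted)))
        return accepted

    def statistics(self) -> dict:
        """Bogus dashboard figures: random numbers, so they are evidence of nothing."""
        bots = self.rng.randint(1_000, 50_000)
        return {"bots_total": bots,
                "bots_online": self.rng.randint(0, bots),
                "exploits_ok": self.rng.randint(0, bots)}

    def upload(self, filename: str, data: bytes) -> str:
        """Pretend to push a binary to the bots; in fact only store it for later analysis."""
        digest = hashlib.sha256(data).hexdigest()
        self.quarantine[digest] = data
        self.log.append({"ts": _now(), "event": "upload", "filename": filename,
                         "sha256": digest, "size": len(data)})
        return digest

    def dump_log(self) -> str:
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.log)


if __name__ == "__main__":
    panel = DecoyPanel(random.Random(7))
    # Constructed sample session from a single curious visitor.
    panel.login("203.0.113.5", "admin", "admin")
    panel.login("203.0.113.5", "admin", "' or 1=1--")
    panel.login("203.0.113.5", "alice", "c0rrect-h0rse")
    panel.upload("update.exe", b"MZ\x90\x00constructed-sample")
    print(panel.statistics())
    print(panel.dump_log())
```

The point for a researcher is the mirror image of the point for the decoy's operator: a panel that lets admin/admin or a bare tautology through, and whose counters change on every reload, is behaving exactly like this class, so nothing it displays should be quoted as data about the botnet.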
Inside Adobe Reader Protected Mode - Part 3 – Broker Process, Policies, and Inter-Process Communication
In part three of our technical tour of Adobe Reader X Protected Mode, we’ll examine the broker policies and the inter-process communication (IPC) the sandbox process uses to communicate with it.
[i]Swiss anti-spam activist Roman Hüssy has launched the SpyEye Tracker service. It’s designed to provide an overview of the SpyEye-based botnet control servers currently active around the globe. Hüssy already successfully operates the ZeuS Tracker service, which has tracked the ZeuS online-banking trojan, for quite some time.
Administrators can download a blacklist Hüssy creates from the tracker results and use this blacklist to protect their own networks. A similar service has now become available for SpyEye. Like ZeuS, SpyEye is a trojan toolkit used by criminals to build their own botnets. Trend Micro has released pictures of the control server’s user interface on their blog.
SpyEye has long tried to outmatch ZeuS in the digital underworld. It appears to have been unsuccessful so far, because current tracker statistics suggest that there are 10 times as many control servers for ZeuS as there are for SpyEye. However, this could be about to change, as research by security specialist Brian Krebs suggests that the ZeuS developer, “Slavik”, has passed on all his source code to the SpyEye developer, “Harderman”, and that Slavik has withdrawn from the toolkit’s ongoing development. However, the SpyEye developer said that the ZeuS code was handed over on the condition that Harderman takes over the support for paid toolkits.
Talking to Krebs, Hüssy was sceptical about SpyEye’s ability to usurp ZeuS: “Why should they give up something which works and pay for a new tool?”, asked Hüssy. The developer said that he created the SpyEye Tracker to put SpyEye into the spotlight before it becomes a “big” threat like ZeuS was in the past. Botnet specialist Damballa is currently registering Ukraine as the location with the largest amount of SpyEye activity.[/i]
Inside Adobe Reader Protected Mode - Part 4 – The Challenge of Sandboxing
[i]Hi, Scott Stender from iSEC Partners here. I was invited by the Adobe Secure Software Engineering Team (ASSET) to comment on our analysis of the sandbox through several stages in its development. Of course, numerous individuals — at Adobe, iSEC and Matasano — were involved in its assessment, so please take this as one person’s perspective. Even so, I would be remiss if I didn’t acknowledge the great work of Andreas Junestam, Andrew Becherer, Alex Vidergar, Chris Clark, and Justine Osborne of iSEC Partners, as well as the good folks at Matasano and Adobe who worked closely with us.
Creating a sandbox is perhaps the most difficult security engineering task one can undertake. Some readers will take immediate objection to that statement – documentation is readily available online for using restricted tokens, chroot jails, and other sandbox building materials. While it is indeed simple to place a restricted wrapper around a minimal service or piece of demonstration code, placing large applications, with all of their dependencies, in a sandbox presents an entirely different challenge…[/i]
Article: http://blogs.adobe.com/asset/2010/11/inside-adobe-reader-protected-mode-part-4-the-challenge-of-sandboxing.html
Thanks a lot, Nesivos…!! I updated the link. (But it’s not a video, it’s the link to download EMET…)
XP SP3 is supported…
EMET 2.0 supports the following operating systems and service pack levels:
Client Operating Systems
• Windows XP service pack 3 and above
• Windows Vista service pack 1 and above
• Windows 7 all service packs
Server Operating Systems
• Windows Server 2003 service pack 1 and above
• Windows Server 2008 all service packs
• Windows Server 2008 R2 all service packs
The real problem is that today most hacks are about stealing your identity. I just posted new info (old for some of us keeping up on the PSN forums) about what file structures are being targeted on the PS3 to get viruses (injectable code and redirects) through to what’s known as an Operating Environment. Strangely enough, a few others and I have been trying to get SCEA to deal with this but only get stopped by a very aggressive marketing force. While I won’t risk my own freedom decompiling the PS3 data to find exactly what it is, the fact remains there is an unmonitored line straight into your gaming console: the audio and video chat lines. That’s what they actually mean by ‘Online play is not rated…’ when the only change occurring is the audio/video content you may be subjected to. The game play itself remains unchanged.
The PS3 is more susceptible to these as you cannot block ‘NON FRIEND MESSAGING’ :o . That’s messed up when you consider how many under-age users are on the thing. Look at the fact that the COD series is more ‘unstable’, or hackable, on the PlayStation vs. the Xbox (where they do allow for blocking non-friend messaging… thanks for getting one thing right, MS 8) )
Bottom line is it’s more about the money ;D (I need to use my CC when I buy stuff from their store) than anything, but there also seems to be a group trying to impress younger users with their “extraordinary” abilities in these games. Now, anyone think they will start monitoring these channels for code???
Enjoy… I’m still trying to find out why one PS3 will go to the Trend Micro page and the other just comes up with the page, but instead of any info filling it, says there was an error. Yup, sounds like the redirect type of virus that stops one from going to AntiVir sites on their PCs and Macs.