Skip to main content


Showing posts from March, 2016

Petya Ransomware encrypts the MBR

The Dell Sonicwall Threat Research team has received reports of yet another ransomware called Petya. Over the past year, Ransomware has proven to be an inceasingly lucrative business for cybercriminals and has become very widespread that victims have resorted to paying to get their data back. Petya is no different, but instead of just encrypting files it overwrites the system's master boot record (MBR) effectively locking the victim out and rendering the machine unusable unless payment is made. Infection Cycle:   Upon execution, Petya replaces the boot drive's MBR with a malicious loader which will cause Windows to crash. On reboot, it will display a fake CHKDSK screen.    The victim is then greeted with a flashing skull.    After pressing any key, the instructions on how to pay to get their data back is then displayed.    At this point, the victim is locked out of their machine and renders it useless. Rebooting into safe mode is also not possible. Victims can reformat their

Microsoft Windows Media arbitrary code execution-CVE-2016-0101

Microsoft Windows operating system provides Windows Media for playing audio, video and viewing images. Remote attacker can entice user to open malicious media file which can lead to remote code execution with security context of user. Windows Media uses MPEG2 Transport Stream file format to store media and protocol data. Vulnerable dynamic library is MFDS because of boundary error in it. The function MPEG2_PMT_SECTION::Parse() is used to parse descriptors array in Program Map Table (PMT) in packets of MPEG2-TS file. The function calculates the number of descriptor elements according to the Elementary Info Length field, but function does not validate the Elementary Info Length field properly. Attacker can provide large value to this field which may lead to execution of arbitrary code in user context. Unsuccessful attempts may lead to denial of service. This vulnerability affects the following products: Microsoft Windows 7 Microsoft Windows 8.1 Microsoft Windows RT 8.1 Microsoft Windows

Runouce Trojan with IRC bot spreads via .eml files

A Trojan that spreads via .eml files. The Trojan contains IRC functionality and also has the ability to infect pre-installed system executable files with malicious code: Infection Cycle: The Trojan makes the following DNS queries: On our test system the following files were created: %USERPROFILE%\kuelio.exe %SYSTEM32%\runouce.exe ("runonce" with "n" changed to "u" (patched))   %SYSTEM32%\runonce.exe (patched) The following files were also created: %APPDATA%\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\readme.eml %APPDATA%\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\readme.eml %APPDATA%\Google\Chrome\User Data\Default\Extensions\enacoimjcgeinfnnnpajinjgmkahmfgb\0.65.0_0\readme.eml %APPDATA%\Google\Chrome\User Data\Default\Extensions\enacoimjcgeinfnnnpajinjgmkahmfgb\0.65.0_0\tabs\readme.eml %APPDATA%\Google\Chrome\User Data\Default\Extensions\felcaaldnbdnc

Preventing DROWN Attack

On March 1st 2016, OpenSSL released patches that disable the SSLv2 protocol by default, as well as removing SSLv2 EXPORT ciphers. A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN. The vulnerability is referred by CVE as CVE-2016-0800 . ( ) So, please patch your system to prevent this attack if you are not done yet. Have a good time. (Be knowledgeable, pass it on then)Type your summary here. Type the rest of your post here.