Security Kaizen Magazine, Issue 15

Your Mobile Secure

Vol.4 Issue 15 July-August 2014

www.bluekaizen.org

Interview With CEO of Spyders Inc., A Canadian Company founded by an Egyptian

The Current State of SMTP STARTTLS Deployment

Infecting Android processes for fun and profit


Contents

Interviews

With CEO of Spyders Inc., A Canadian Company founded by an Egyptian  5

With Regional Director of MobileIron for Middle East and Africa  9

Grey Hat

Infecting Android processes for fun and profit  11

New & News

Bluekaizen News  17

The Current State of SMTP STARTTLS Deployment  20

Q2 Statistics Report  23

Reviews

Ransomware (Malware Review)  27

Gulf Information Security Exhibition and Conference (Event Review)  31

Social Engineering (Book Review)  33

Best Practice

Demystifying Mobile Security  37

Issue 15 | Securitykaizen Magazine | 3


Stay tuned for more updates about CSCAMP 2014!

Editor's Note

Bluekaizen Founder

For advertisement in Security Kaizen Magazine and the www.bluekaizen.org website: [email protected] or phone +2 0100 267 5570 / +971 5695 40127

Security Kaizen is issued bi-monthly. Reproduction in whole or in part without written permission is strictly prohibited. All copyrights are preserved to www.bluekaizen.org.

Magazine Team

Chairman & Editor-in-Chief: Moataz Salah

Contributors: Aseem Jakhar, Michael Adkins, Khaled Battah, Mohamed Elhennawy, Nitin Bhatnagar

Website Development: Mariam Samy

Marketing Coordinator: Mahitab Ahmed

Distribution: Mohamed Saeed

Proofreading: Jeff Compton

Design & Printing: Medhat A. Elbaky

Today the rate of threats and malware targeting mobile devices is increasing rapidly. When it comes to malware targeting operating systems, Android comes in second place after Windows. New concepts and expressions are regularly introduced into our dictionary, like BYOD (Bring Your Own Device), MDM (Mobile Device Management) and others. Cities like Dubai have decided to migrate all their e-government activities to mobile devices, which can add risks to confidentiality, integrity and availability. In this issue we will try to cover some of these threats, new expressions and technologies.

This year we celebrate the fifth year of our annual event, Cairo Security Camp. We decided to add a few more activities this year. One is the Information Security Awards Ceremony for the best information security instructor, best security company, best CISO and best security product. Also, celebrating 5 years of knowledge, we decided to dedicate a separate workshop hall, open for free to all attendees during the two days of the event. All you need is to register on www.cairosecuritycamp.com and you will have access to these free workshops. None of the other benefits (lunch and coffee breaks, welcome kit and others) are included.

Recently, we noticed great interest in bug bounty programs in our Bluekaizen community. People are getting prizes from Facebook and having their names mentioned on the walls of fame at Twitter and Google, to name a few. That is why we have decided to invite them to share their success with us. All you need to do is submit your story on www.cairosecuritycamp.com to be part of the Bug Hunters Session during CSCAMP 2014 (hurry, though, because only a limited number will be selected). For the same reason, the CSCAMP team is inviting Chris Evans, who founded and built the Google Chrome security team and also launched the Chromium Vulnerability Reward Program.


Interviews

Interview with Khaled Mansour, President and CEO of Spyders Inc., a Canadian company founded by an Egyptian

Mr. Khaled, can you please introduce yourself to Security Kaizen Magazine readers?

I am the founder, President and CEO of Spyders Inc., one of Canada's Profit 200, Profit 500 and Greater Toronto Area Profit 50 fastest-growing IT managed security services and consulting firms. I have over fifteen years of IT security risk management experience and twenty-seven years of broad, in-depth experience with technical and managerial achievement in telecommunication networks, operations, IT security, outsourcing, process re-engineering and acquisitions. My wealth of experience was gained in key roles with Spyders Inc. as CEO, Cyberklix Inc. as CEO, CGI Group Inc. as Vice President, HP, CIBC, IBM Canada, The Gemini Group and Air Canada.

Under my leadership and stewardship, I have led two successful IT security businesses through multi-year double-digit growth, and I am at the helm of Spyders Inc.'s product division and its flagship product, IntelliGO, an intelligent solution for the mobile enterprise.

I received a B.A.Sc. in Computer and Communication Engineering from the University of Ottawa and a B.Sc. in General Sciences from the University of Toronto, attended management courses at the Ivey School of Business, and am a long-time member of the Ordre Des Ingenieurs Du Quebec.


Send us your achievements and be one of the speakers at CSCamp 2014 #Bug_Hunters

What is Mobile Device Management?

In my view, MDM is the business of being able to provide control, visibility and integration capabilities through a single, intelligent platform to address the challenges associated with mobile device adoption and provide secure access to corporate information.

Can you give us an overview about Spyders: when did it start? What kind of products do you provide?

Spyders is a leading provider of information security and computer networking solutions and services for clients across all industries. The company has been recognized by PROFIT magazine as one of the fastest-growing companies in Canada, and is featured on the 2014 Branham300 list, the definitive listing of Canada's top Information and Communication Technology (ICT) companies. Spyders is the manufacturer of IntelliGO, our flagship product, and we deliver three service offerings in the areas of information security and computer networking. These services include Spyders' assessment and advisory services, solution integration of Gartner-leading technologies, and managed services.

IntelliGO is a mobile device enablement platform that gives organizations the confidence to easily and securely implement BYOD and mobile initiatives. The solution combines two critical aspects of mobile enablement into a single platform: Network Access Control (NAC) and Mobile Device Management (MDM). This makes it easy to provide employees, contractors and guests with quick, secure access to corporate resources through mobile devices.

IntelliGO takes the complexity out of deploying a NAC solution and adds all the key features of an MDM solution in a single user-friendly management portal, to enable the smooth onboarding and off-boarding of devices and full visibility and control over all devices on the network, whether they connect through the corporate wireless, wired or VPN network.

What differentiates your product from other vendors?

Gartner, Forrester and NetworkWorld have all recommended that there must be a strong and cohesive integration between NAC and MDM, two point solutions, in order to properly secure your network and mobile endpoints today. Point solutions are challenging and are a fundamentally flawed approach to security. For example, within the context of MDM:

• MDM systems can only see and manage devices that have already been enrolled in the MDM system. This leaves IT managers blind to unmanaged devices on the network.

• MDM systems typically do not control access to the network; they typically control access to applications (for example, Microsoft Exchange).

• The MDM system is often managed by a different group of people who are not responsible for computer security. This creates an opportunity for policies to be inconsistently applied and translated across the various IT management systems and groups.

IntelliGO was built from the ground up to consolidate network access control and mobile device management in a single appliance, with one unified policy for all devices on the LAN, WLAN and VPN. It brings together simplicity and security to deliver mobile enablement for any organization. IntelliGO is really delivering Network Access Control (NAC) functionality and Mobile Device Management (MDM) functionality in one solution. It is a standards-based platform that makes use of digital certificates to securely authenticate and manage corporate- and user-owned mobile devices across the most popular mobile platforms. Our platform is the foundation for the next generation of mobile device management and mobile security. The other vendors would have to reinvent their platforms to do what we are doing today. Therefore, our one differentiator is our integration of Network Access Control and Mobile Device Management in a single standards-based platform that can integrate into any network environment.

Within this single platform IntelliGO delivers:

1. Holistic Security: securing network, mobile endpoint and communication. IntelliGO's built-in certificate authority and on-demand VPN ensure that only authorized users can access the network and that all communications are encrypted. Our remote device command features go beyond lock, wipe and locate. IntelliGO can capture the webcam, capture the screen, and send messages and audible alerts to mobile devices.

2. Solution Consolidation: single pane of glass, single policy, single administration.

3. Device Coverage: go beyond laptops, smartphones and tablets to authenticate printers, medical devices, gaming consoles etc. We support Chromebooks for EAP-TLS, which most competitors

4. Scalable: scales to support deployments of 1000s of devices through a robust architecture; can be deployed in an HA environment to support DR requirements.

How do you see your future growth?

We have expanded our sales and business development beyond the North American borders and we are now introducing IntelliGO to the MENA markets by establishing a presence in this region. We see the global demand for an intelligent mobile platform exceeding supply, and the initial entrants in the MDM space have to reinvent themselves to meet new and evolving business requirements in the mobility space. We will grow because we have a single-platform solution with the right foundation that offers both NAC and MDM. On this platform we will continue to meet clients' business requirements by adding new features and functions that will enhance the security posture of organizations, without charging clients for new features and functions. Some of these include biometric authentication of users and devices, better application security, enhanced compliance and security policy enforcement capabilities, and better integration with Mobile Application Management solutions.

We think we are on the right roadmap to explosive growth in this space.

Mobile devices are exposed to a lot of threats. What kind of security features does your solution provide?

Not only are mobile devices subject to security risk, but they are becoming a targeted vector to attack and exploit the entire IT infrastructure and applications to which these devices connect. Organizations will always be facing external threats and internal threats, as well as compliance requirements. Mobility and cloud will no doubt increase the risk of attempted attacks and security breaches. What we have done with IntelliGO is recognize that there are three areas that must be addressed to reduce security risks. These are control, visibility and integration.

1. Control includes access control and control of mobile device activities after access to the network. Control features must also recognize the variety of ways a user can connect mobile devices to the network, such as wired, wireless or VPN connections, as well as the diversity of mobile device types, operating systems and their different levels: Windows, Apple iOS, Android, Chromebooks, etc.

2. Visibility: IT needs real-time visibility into all devices and their status on the network, and must have the ability to track historical information and use such information to take the control actions which may be deemed appropriate to protect the enterprise from potential breaches.

3. Integration is being able to extend the services of the mobile enablement platform to the rest of the network elements, so that they work in a coordinated fashion to mitigate risk. This includes integration with Active Directory for authentication, federation of mobile device and user identity into other security solutions such as firewalls and SIEM solutions, or interfacing with app stores to download mobile applications to mobile devices or remove them from mobile devices.

Our solution, IntelliGO, provides all these functions and features, and it is a solution that goes beyond basic MDM features to include the more robust security features that are a must-have if you are looking to reduce the security risk associated with Bring Your Own Device (BYOD) and the adoption of mobile devices.

Interview with Bahaa Hudairi, Regional Director MENA, MobileIron EMEA

Can you please introduce yourself to Security Kaizen Magazine readers?

My name is Bahaa Hudairi. I am the Regional Director of MobileIron for Middle East and Africa. I have been in the IT industry for over 15 years, where I started in a technical role and moved to my current position. I have been working in the region for the past 12 years, focusing on security solutions, and now I am in the very exciting mobility space.

What is Mobile Device Management?

Well, Mobile Device Management, or MDM for short, is the capability of securing and managing smartphones, tablets and in some cases laptops. This includes the ability to check on the health and status of devices and compare them to the corporate policies, and the ability to automatically push email, wireless, VPN and applications to the devices depending on their group subscription in Active Directory. It also means providing control and visibility to organisations over the corporate data. Seeing the huge increase and adoption of smart devices in the corporate environment, and with BYOD becoming a requirement, MDM becomes a necessity for corporates.


Can you give us an overview about MobileIron: when did it start? What kind of products do you provide?

MobileIron was started in 2007, when the iPhone was introduced to the market and our founders saw the opportunity that was there in this space. Since then we have grown our revenue from 0 to 100M and have grown our customers from 0 to around 7000 customers globally. We are now a publicly traded company on the NASDAQ with MOBL as the symbol. Our primary focus is large enterprise customers that require a platform for mobility, not just MDM. So basically we provide MDM, MAM and MCM, or what has now become called EMM (Enterprise Mobility Management). We have been in the Gartner Leaders quadrant for the past four years (since the first introduction of the Quadrant), and the latest MQ places us as the leading visionary company in this space. We have many offices around the world. We started our Middle East HQ in Dubai in 2013 to service our customers in the region. Since then we have added many customers in the region that saw the power and completeness of vision in our solution.

What differentiates your product from other vendors?

Four key points stand out about our offering compared to the market, and these are:

• Experienced and Focused Vendor, Purpose Built for Mobile IT. From the start we wanted to have a complete offering, and this is why we built a platform for mobility, a solution purpose built to handle the complex world of mobility. Also, being a dedicated company focused on mobility allows us to keep up with the ever-changing and challenging space, as you have to keep pace with the OS vendors' continued innovation, and being dedicated to this field allows us to stand out in front of the competition. Many large vendors came into this space, but quickly found out that they can't keep up with continuous changes, and have failed and either stepped out of the space or sought alliances with dedicated vendors such as MobileIron, or acquired solutions to help them compete.

• Comprehensive Solution across Mobile Apps, Content and Devices. MDM is not good enough these days, and this is why Gartner has changed the MQ to become EMM and added the additional components as a requirement. Now, we have always understood this, and this is the reason why we have built our solution to provide those functionalities. We have also been the pioneers and have many patents, such as selective wiping of data, local app store and certificate management, to name a few.

• Strong Partner Ecosystem, Broad Infrastructure Support. After hearing our customers, we realised that providing them with a choice of preferred apps and integrating with their existing security solutions infrastructure is key and is very attractive for our customers, and because of that we led the market in introducing the most elaborate partner ecosystem, where they can integrate their solutions to leverage. Currently there are over 130 apps and solutions integrated with, or apps wrapped using, our security.

• Commitment to Customer Success. All the success that we've had so far has been attributed to providing very strong mentoring and support for our customers, and this will continue to be a main focus for us in the region and globally.

How do you see your future growth?

We see huge opportunity in this field, with the current market conditions where there is a big consumer push towards mobile adoption and businesses wanting to leverage this medium to reach their customers and to utilise the mobility platform to enhance and increase user productivity and efficiency. Currently in the ME there are many initiatives that are driving adoption of the mobile platform, especially in government, education, large enterprises and financial institutions. Mobility touches our lives on a daily basis in everything that we do.

Mobile devices are exposed to a lot of threats. What kind of security features does your solution provide?

We provide many security features that can help protect mobile devices, such as protection of corporate data from either loss or misuse. Also, we secure the communication to and from the mobile devices. We also enforce encryption of data at rest on the devices and periodically check the health of the devices against the corporate policies (blacklisted applications, compromised or jailbroken devices, etc.). We can also encrypt attachments on the fly as they pass through our gateway solution, and provide DLP features such as protecting secure documents against copy/paste/screenshot leakage. But most important of all is that all these security features are invisible to the end user and don't in any way obstruct him from doing his work or bother him. For the end user this will be a tool that allows him to do what was not possible before because it wasn't secured, and this is our key differentiator.

Grey Hat

Infecting Android processes for fun and profit

Aseem Jakhar, Founder, nullcon Security Conference; Director, Research, Payatu Technologies

In this article we will discuss a way to inject code into a process running on Android and make it execute that code within the context of that running process. The motivation for this project started during my adventures with Windows malware. It was very convenient for Windows malware to inject malicious code into other processes such as IE. Being a passionate Linux programmer, I thought of implementing an API similar to the one Windows provides.


Free workshops for the first time in #CSCamp2014 #Tell_your_friends

Indroid

I ported the code base to run on ARM Android and released the project as open source. The project is called Indroid. For the curious ones, if you are interested in playing around with it, the source code can be downloaded from http://bitbucket.org/aseemjakhar/indroid. The Indroid toolkit allows a program to inject ARM shellcode into another process on Android.

How do I play around with Indroid

• Make sure you have only one connected device, either an emulator or an actual phone.
• Make sure the ndk-build directory is in $PATH, as the Makefile calls ndk-build directly without its path, which will obviously be different for each machine depending on where you store the Android NDK.
• The Indroid project has two sample programs:
  ◦ indroid: implements the Indroid injector program.
  ◦ testproc: a test program used as the victim process to test indroid. It only prints some content on the terminal in a loop.
• $ emulator -avd <name>   # Start the emulator called name
• $ adb devices   # Check that adb can see the emulator
• $ git clone https://bitbucket.org/aseemjakhar/indroid.git
• $ cd indroid
• $ make install
• $ adb shell   # Get a shell on the emulator for running indroid
• $ adb shell   # Take another shell on the emulator for running testproc
• On emulator shell 1:
  ◦ # cd /data/local/tmp
  ◦ # ./testproc
  ◦ Note down the PID of testproc.
• On emulator shell 2:
  ◦ # cd /data/local/tmp
  ◦ # ./indroid <PID-of-testproc>
  ◦ Type n for all the detach questions indroid asks on the shell.
  ◦ Once it exits, go to shell 1 and notice the string w00t!!! printed among the other testproc output. This string is not printed by testproc (you can confirm that by looking at the testproc source code); it is printed by the default shellcode used by Indroid, which is injected into testproc and executed as a thread within testproc.

Background

I started a Linux project a few years ago on creating an API, similar to the one Windows provides, that allows a process to create a thread within another process. The API provided by Windows is CreateRemoteThread(). I was able to create a framework called Jugaad which allows a program to inject shellcode into a victim process and execute it in a stealthy manner. It uses the ptrace() functionality, which is the common way to manipulate remote processes; almost all Linux debuggers use it to hook onto a process for debugging. The detailed paper describing the technical details and source code of Jugaad can be found at:

1. Whitepaper: http://null.co.in/2011/07/03/project-jugaad/
2. Source code details: http://null.co.in/2011/07/03/project-jugaad-2/

I wanted to extend this functionality to the other Linux platforms available, and the most interesting one that caught my attention was Android. Android uses Linux as its kernel, with some patches specific to Android. I needed to port my code to Android, and as it turns out Android phones mostly run on ARM-based processors. The Jugaad framework is dependent on the processor (x86), as it injects shellcode and other debugging instructions specific to the processor and also manipulates processor registers. Since the implementation was processor specific, I set out on the journey to learn the ARM architecture and its instruction set.

Technical details

Before we dive into the technical details of Indroid, we will discuss some important functionality which forms the backbone of the implementation.

Windows API

Windows provides the following API for creating a thread within another process:

HANDLE WINAPI CreateRemoteThread(
    __in  HANDLE                 hProcess,
    __in  LPSECURITY_ATTRIBUTES  lpThreadAttributes,
    __in  SIZE_T                 dwStackSize,
    __in  LPTHREAD_START_ROUTINE lpStartAddress,
    __in  LPVOID                 lpParameter,
    __in  DWORD                  dwCreationFlags,
    __out LPDWORD                lpThreadId
);

Some parameters of interest are:

1. hProcess: a handle to the process in which the thread is to be created.
2. dwStackSize: the initial size of the stack for the thread, in bytes.
3. lpStartAddress: a pointer to the application-defined function to be executed by the thread; it is the starting address of the thread in the remote process. Note that the function code must already exist in the remote process's memory before CreateRemoteThread() is called.

Linux ptrace()

Awesomeness unlimited! Indeed, ptrace() is one of the most powerful functions I have seen on Linux. ptrace() is used by all the debuggers for manipulating debuggee processes. The following is the API and the operations that ptrace() performs:

long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);

1. pid: the process identifier of the process being traced.
2. addr and data: the values depend on the type of operation.
3. request: the operation to be performed on the traced process. The following operations can be performed:
   a) PTRACE_ATTACH: attaches to the process specified in pid.
   b) PTRACE_CONT: restarts the stopped child process.
   c) PTRACE_DETACH: restarts the stopped child as for PTRACE_CONT, but first detaches from the process.
   d) PTRACE_PEEKTEXT: reads a word at the location addr in the child's memory.
   e) PTRACE_POKETEXT: copies the word data to location addr in the child's memory.
   f) PTRACE_GETREGS: copies the child's general-purpose registers to location data in the parent.
   g) PTRACE_SETREGS: copies the child's general-purpose registers from location data in the parent.

Running indroid on testproc (PID 1269)

Notice that testproc prints something that it is not supposed to print


The problem

The runtime injection problem can be divided into:

1. Code execution
2. Memory allocation
3. Thread-ification
4. Malicious payload

Code execution

The first problem to solve is code execution within the victim process. We hook onto the victim process using the ptrace() attach functionality, which allows a debugger process to attach to another process. Once attached, we can examine the registers and memory of the process. Interestingly, ptrace() also allows the attaching process to write to the process's memory and register values. Code execution can be achieved by changing the value of the PC register to point to a memory location within the process where our malicious code resides. The PC holds the address of the next instruction to be fetched, so if we change its value the processor will pick up instructions from there instead of following the normal program flow.

Memory allocation

We need a place within the victim process to hold our code, which can then be executed using the above technique. Why do we need space, and for what code? For starters we need to allocate some memory within the process to store our malicious code. We can simply take a backup of a predefined memory location within the process and overwrite it with shellcode that allocates memory within the process. The procedure we follow is:

1. Access a predefined memory location and back up the data from that location. This can be performed using the ptrace() peektext/peekdata functionality to read data.
2. Overwrite that location, using the ptrace() poketext/pokedata functionality (which allows writing to process memory), with a simple shellcode that calls the mmap2() system call to allocate the desired amount of memory with execute permission. Append a breakpoint instruction to the shellcode so that we get control back after it executes. The breakpoint instruction (BKPT) is defined by the ARM processor: it stops the process with a SIGTRAP, which the tracing parent observes through waitpid(). Breakpoint instructions are used by debuggers to set breakpoints in the debugged process. This way our code gets control back when the process executes that instruction.
3. Once we get control back, we read the value of the R0 register using the ptrace() getregs functionality. Why R0? Because the return value, i.e. the address of the memory allocated by mmap2(), is stored in R0. This is the standard system call convention for ARM Linux: the return value of the system call is stored in R0. So now we know where our allocated memory starts within the process.

Thread-ification

This is an important aspect from the execution and stealth perspective, as we want the victim process to execute normally and at the same time want our malicious code to execute independently within the context of the victim process. Linux provides the clone() system call to create a thread within the process, which we will utilise to threadify our malicious code. To perform the desired action we follow these steps:

1. Create a shellcode that contains the clone() system call. For people new to the clone() system call: it returns in two places, in the main thread (the victim process) and in the newly created thread (which will execute our code). If clone() returns in the new thread, we start executing the malicious shellcode and become independent of the parent thread. In the parent thread we execute the breakpoint instruction and give control back to Indroid.
2. Allocate memory within the victim process for our malicious shellcode and the clone() system call shellcode (appended with a BKPT instruction).
3. When we get control back in Indroid, we restore the main process memory we had overwritten originally (to place the mmap2() shellcode) and the registers, and allow it to execute using the ptrace() continue functionality.
4. We finally detach from the victim process.
5. The outcome is that our malicious code executes as a thread within the context of the victim process, and the process also continues to execute from where it stopped when we hooked into it.

Malicious payload

This is what is needed by the program that wants to inject stealthy code into a victim process. All that is required is to write a shellcode that performs certain operations and pass it to the Indroid API. Please note that the shellcode should be thread aware and must not tamper with anything that could harm other threads or the main thread.

Why execute as a thread?

Because I wanted to execute the malicious code within the context of a victim process without the process or the sysadmin knowing that the process has been patched and that malicious code is running independently.


The simple API

int create_remote_thread(pid_t pid, size_t stack_size, unsigned char *tpayload, size_t tpsize);

1. pid: the process identifier of the process being infected.
2. stack_size: the initial size of the stack for the thread, in bytes.
3. tpayload: the shellcode to be injected and executed within the victim process. It is fine if the shellcode contains null bytes.
4. tpsize: the size of the shellcode in bytes.

The extended API

int create_remote_thread_ex(pid_t pid, size_t stack_size, unsigned char *tpayload, size_t tpsize, int thread_flags, int mmap_prot, int mmap_flags, void *bkpaddr);

The details and documentation of the APIs can be found in the jugaad.h header file within the project: <project-dir>/indroid/jni/jugaad.h

About the AuthorAseem Jakhar is the director, research at Payatu Technologies Pvt Ltd, a boutique security testing company and the founder of nullcon security conference. He is also the Founder of null – The open security community, a non-profit organization and largest security community in Asia. He trains budding smartphone hackers on advanced Android and iOS exploitation. He has extensive experience in system programming, security research, consulting and managing security software development projects. He has designed and developed various security software including UTM appliances, messaging/security appliances, anti-spam engine, anti-virus software, multicast packet reflector, Transparent HTTPS proxy with captive portal, bayesian spam filter to name a few. He is an active speaker at security and open source conferences; some of the conferences he has spoken at include AusCERT, BlackHat, Defcon, PHDays, Hack.lu, OSI Days, XCon among others.

Why execute shellcode?There are existing techniques that inject a library into the process memory. However the problem with this approach is that the library name can be seen in the process maps file, which means if someone is analysing known processes, a single glance at the process maps file would tell them that there is a fishy library loaded in the process memory. With shellcode all we do is allocate space within the process and put our shellocde which is executed. The process memory maps will not show anything other than information on memory mapped within the process, which is defficult to comprehend as being malicious.

Android SandboxingYes, Android sandboxing is an issue here due to the limited capabilities (permissions) of the malware that wants to infect other processes. However, there are certain mis-use cases that you can try out if you are still awake and reading the article:

1. adbd daemon on Android phones runs as SHELL user and you can connect to your phone using adb which drops you onto a shell with the same SHELL user privileges. You may want to try infecting adbd and share the results with me.

2. The project should easily compile for standard ARM Linux using the arm compiler toolchain. Embedded devices that run Linux are a good target for playing around as standard Linux does not have the same permission restrictions as put in Android a.k.a Sandboxing.

The Indroid APIIt is a very simple API to use. However, there is a non-script kiddie version with more options available for people who are interested in more control and customization. The API is even more convenient than the windows counterpart as the caller can directly specify the shellcode to be injected as opposed to CreateRemoteThread() where the caller first needs to arrange for the code to be injected into the process before calling CreateRemoteThread(). In most cases you will need to use the extended API for specifying a custom backup address (bkpaddr) as the default backup address hardcoded in the program will not work for every process. The backup address is the memory location in victim process’s that is intially overwritten with the mmap2 shellcode.
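The maps-file argument made in this article (an injected library shows up by name, injected shellcode only as an anonymous mapping) is exactly what a defender can check for. The following is an added example, not code from the article or the Indroid project: it parses /proc/<pid>/maps text and flags executable regions that are either anonymous or backed by a file outside the path prefixes assumed trusted here; the sample maps lines are constructed.

```python
"""Flag executable regions in a Linux /proc/<pid>/maps dump that have no
backing file, or a backing file outside the paths where code normally lives.

Added example, not code from the article or the Indroid project. The set of
trusted path prefixes and the sample maps lines are assumptions made here;
adjust the prefixes to the device image being inspected.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# address range, perms, offset, dev, inode, optional path
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Where file-backed executable code normally comes from on Android 4.x and a
# stock ARM Linux image (assumption; tune per target).
TRUSTED_PREFIXES = (
    "/system/", "/vendor/", "/data/app/", "/data/dalvik-cache/", "/dev/ashmem/",
    "/lib/", "/usr/lib/", "/bin/", "/sbin/", "/usr/bin/",
)


@dataclass
class Finding:
    start: int
    end: int
    perms: str
    path: str
    reason: str


def parse_maps(text: str) -> List[Dict[str, object]]:
    """Parse /proc/<pid>/maps text into region dicts; unparseable lines are skipped."""
    regions: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m is None:
            continue
        r: Dict[str, object] = dict(m.groupdict())
        r["start"], r["end"] = int(m.group("start"), 16), int(m.group("end"), 16)
        r["path"] = m.group("path").strip()
        regions.append(r)
    return regions


def suspicious_regions(maps_text: str) -> List[Finding]:
    """Executable regions an analyst should look at, in maps-file order."""
    findings: List[Finding] = []
    for r in parse_maps(maps_text):
        perms, path = str(r["perms"]), str(r["path"])
        if "x" not in perms:
            continue                      # only executable mappings matter here
        if path == "" or path.startswith("[anon"):
            # No file behind it: this is what mmap2(PROT_EXEC) plus copied-in code
            # looks like. JIT engines also create such regions, so this is a lead,
            # not proof; the region's size and a dump of its bytes decide.
            findings.append(Finding(int(r["start"]), int(r["end"]), perms, path,
                                    "anonymous executable mapping"))
        elif path.startswith("["):
            continue                      # [vectors], [vdso]: kernel-provided
        elif not path.startswith(TRUSTED_PREFIXES):
            # The case the article calls out: an injected library is named here.
            findings.append(Finding(int(r["start"]), int(r["end"]), perms, path,
                                    "executable file outside trusted paths"))
    return findings


# Constructed maps excerpt: libc, one anonymous rwx region, the app's own
# native library, a library loaded from a scratch directory, stack, vectors.
SAMPLE_MAPS = """\
b6f00000-b6f1e000 r-xp 00000000 b3:19 1234       /system/lib/libc.so
b6f1e000-b6f20000 rw-p 0001e000 b3:19 1234       /system/lib/libc.so
b7000000-b7001000 rwxp 00000000 00:00 0
b7100000-b7120000 r-xp 00000000 b3:19 4321       /data/app/com.example.app-1/lib/arm/libnative.so
b7200000-b7210000 r-xp 00000000 b3:19 9999       /data/local/tmp/libinjected.so
bef00000-bef21000 rw-p 00000000 00:00 0          [stack]
ffff0000-ffff1000 r-xp 00000000 00:00 0          [vectors]
"""

if __name__ == "__main__":
    for f in suspicious_regions(SAMPLE_MAPS):
        print(f"{f.start:08x}-{f.end:08x} {f.perms} {f.path or '<anonymous>'}: {f.reason}")
```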


The Current State of SMTP STARTTLS Deployment

Mail Integrity Engineer at Facebook

A lot of sensitive data is sent over email, so we encrypt emails in transit via STARTTLS when available. STARTTLS has been around for 15 years, but we’d heard that it wasn’t widely deployed. To test that perception, we decided to see how many of the notification emails we send are successfully encrypted.

We found that 76% of unique MX hostnames that receive our emails support STARTTLS. As a result, 58% of notification emails are successfully encrypted. Additionally, certificate validation passes for about half of the encrypted email, and the other half is opportunistically encrypted. 74% of hosts that support STARTTLS also provide Perfect Forward Secrecy.

It’s clear to us that STARTTLS has achieved critical mass and there is immediate value in deploying it. We encourage anyone who has not already deployed STARTTLS to at least deploy it for opportunistic encryption. As more systems support email encryption, the value increases for everyone.


Methodology

Facebook sends several billion emails to several million domains every day. This is mostly comprised of notification emails about various activities on Facebook as well as account-related emails such as registration confirmations and password resets. We used a single day’s worth of our notification email logs from our production system for this report, since our goal here is to show a snapshot of current deployments rather than configuration changes over time. These logs contain the kind of data you would expect to find in any email server logs, such as the sender and recipient, where the email came from, and where we are sending it. For the purposes of this report we only concern ourselves with the STARTTLS results, the recipient’s domain, the MX hostname we connected to, and the receiving email server’s IP address.

The majority of email addresses we send to are assumed to be for personal use. Given the large number of addresses and domains we send to, we feel that our data provides a good representative sample of personal and general purpose mailbox providers. Government and corporate email systems are likely underrepresented in this report.

Our system attempts to negotiate TLS encryption with every SMTP server it connects to which advertises the STARTTLS capability. If the negotiation is successful, we encrypt the email and send it on. If we can’t successfully negotiate, then we send the email unencrypted. We log the results in either case, including the negotiated cipher suite and attributes of the certificate presented by the server when we are successful. We then load the logs into Hadoop for further analysis. It’s also worth noting that the performance impact of enabling TLS for outbound connections was negligible.

Data and Observations

The following graphs show the log data aggregated in various ways. For graphs that show STARTTLS results, we show the relative percentages of ‘Strict’, ‘Opportunistic’, ‘Failure’, and ‘None’. These categories are defined as follows:

Strict: A TLS cipher suite was successfully negotiated and the presented certificate passed strict validation. Strict validation means that the certificate was not expired, was signed by a trusted certificate authority, and matched the hostname we connected to. We allow wildcarded certificates.

Opportunistic: A TLS cipher suite was successfully negotiated but the presented certificate did not pass strict validation for one or more reasons.

Failure: The SMTP server advertised STARTTLS, but we could not successfully negotiate a cipher suite. This could be due to a lack of acceptable cipher suites or other configuration issues. As a result, the email was sent unencrypted.

None: The SMTP server did not advertise STARTTLS. The email was sent unencrypted.

Figure 1 - Overall STARTTLS Results

Figure 1 shows the overall results of STARTTLS behavior. From the ‘All Email’ bar on the left we can see that nearly 60% of all emails are sent via an encrypted connection, but only about 30% pass strict validation. 60% is an encouragingly high percentage, but this number is potentially skewed since the bulk of email volume is sent to a small number of large mailbox providers. We need to aggregate the data in a few different ways in order to compensate for this and get a clearer picture of STARTTLS behavior across all email systems. The other three bars in Figure 1 are based on unique counts of the following identifiers:

Domain: The domain portion of the recipient email address.

MX Hostname: The hostname returned by querying the MX record of the domain.

IP Address: The IP address of the receiving SMTP server.

The relationships between these three identifiers vary as inbound email infrastructure is deployed and configured as needed, and operators use different techniques to manage their infrastructure at different scales. For example, 25.76% of unique recipient address domains pass strict validation, while 7.97% of unique MX hostnames pass strict validation and only 6.63% of unique server IP addresses pass strict validation. This is because a single MX hostname can handle traffic for many domains and can have multiple unique IP addresses behind it, a single domain can have multiple MX hostnames, etc.

The ‘Domain’, ‘MX Hostname’, and ‘IP Address’ bars show a higher percentage of encrypted traffic but a lower percentage of strict validations than the ‘All Email’ bar. These results show that STARTTLS support is widely deployed, but that there are also widespread issues with certificates. Also of note, in all cases the number of failures is very small.

Figure 2 - Overall reasons for strict validation failure

Figure 2 shows the top reasons why strict validation fails as a percentage of opportunistically encrypted traffic. Some reasons or combinations of reasons are not listed, such as ‘Expired and Mismatched’. Those have been omitted because they account for less than 1% for each identifier. The failure reasons are as follows:

Self Signed: The presented certificate was signed by the domain itself instead of a certificate authority.

Untrusted CA: The presented certificate was signed by a certificate authority that we consider untrustworthy.

Mismatched: The presented certificate does not match the hostname exactly or via wildcard.

Expired: The presented certificate has passed its expiration date.

Mismatched certificates are the single largest reason why strict certificate validation fails across all identifiers. 99.35% of all opportunistically encrypted emails fail validation simply because the certificate does not match the hostname; the certificates are otherwise acceptable. The next three largest categories include mismatched certificates as part of the reason, but have additional issues.

Figure 3 - Successfully negotiated cipher suites

The strength of supported cipher suites is a common concern, as weak or vulnerable ciphers can be easily defeated. Figure 3 shows the successfully negotiated cipher suites broken down by identifier. The majority of encrypted email is sent with the ECDHE-RSA-RC4-SHA or DHE-RSA-AES256-SHA cipher suite. This is likely due to those being the preferred cipher suites of the major providers. DHE-RSA-AES128-SHA, however, is the preferred cipher suite for the largest percentage of deployments. AES128-SHA is the next most prevalent, which is concerning because it does not provide Perfect Forward Secrecy.

Although the second most prevalent cipher suite does not provide Perfect Forward Secrecy, the majority of preferred cipher suites do, as shown in Figure 4.

Conclusion

STARTTLS encryption is widely supported and has achieved critical mass despite some issues with certificate management. A system deploying STARTTLS support for the first time can expect more than half of its outbound email to be encrypted. Also, the majority of deployments provide Perfect Forward Secrecy. We see two high priority areas for improvement. First, we encourage the industry to work together to develop better tools for preventing mismatched certificates. Second, we encourage everyone to deploy support for opportunistic encryption via STARTTLS.
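To make the four result categories, the failure reasons and the per-identifier aggregation concrete, here is an added example, not Facebook's own tooling: it classifies constructed delivery records the way this article defines Strict, Opportunistic, Failure and None, aggregates them per email and per unique domain, MX hostname or IP address, and computes the share of encrypted mail whose negotiated suite gives Perfect Forward Secrecy. The record layout and the rule for an identifier whose deliveries disagree (its most common result counts) are assumptions.

```python
"""Classify SMTP delivery log records into the STARTTLS result categories
used in this article and aggregate them the way Figure 1 does.

Added example, not Facebook's tooling. The record layout, the sample data and
the tie-break rule for unique identifiers are assumptions made here.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CATEGORIES = ("Strict", "Opportunistic", "Failure", "None")


@dataclass
class Delivery:
    domain: str                  # recipient address domain
    mx_host: str                 # MX hostname we connected to
    ip: str                      # receiving SMTP server address
    advertised: bool             # did the server advertise STARTTLS?
    cipher: Optional[str]        # negotiated suite, None if negotiation failed
    self_signed: bool = False    # certificate attributes logged on success
    untrusted_ca: bool = False
    mismatched: bool = False
    expired: bool = False


def failure_reasons(d: Delivery) -> Tuple[str, ...]:
    """Reasons strict validation failed, using the article's names."""
    flags = (("Self Signed", d.self_signed), ("Untrusted CA", d.untrusted_ca),
             ("Mismatched", d.mismatched), ("Expired", d.expired))
    return tuple(name for name, hit in flags if hit)


def classify(d: Delivery) -> str:
    if not d.advertised:
        return "None"            # STARTTLS never offered: sent in plaintext
    if d.cipher is None:
        return "Failure"         # offered, but no cipher suite agreed: plaintext
    if failure_reasons(d):
        return "Opportunistic"   # encrypted, certificate not validated
    return "Strict"              # encrypted, certificate passed validation


def has_pfs(cipher: str) -> bool:
    """Ephemeral (EC)DH suites give Perfect Forward Secrecy; plain RSA key exchange does not."""
    return cipher.startswith(("ECDHE-", "DHE-"))


def _percentages(counts: Counter) -> Dict[str, float]:
    total = sum(counts.values())
    return {c: (round(100.0 * counts[c] / total, 2) if total else 0.0) for c in CATEGORIES}


def aggregate(deliveries: List[Delivery], key: Optional[str] = None) -> Dict[str, float]:
    """key=None: share of all emails per category. key='domain' | 'mx_host' | 'ip':
    one vote per unique identifier, using the result seen most often for it."""
    if key is None:
        return _percentages(Counter(classify(d) for d in deliveries))
    per_id: Dict[str, Counter] = defaultdict(Counter)
    for d in deliveries:
        per_id[getattr(d, key)][classify(d)] += 1
    return _percentages(Counter(c.most_common(1)[0][0] for c in per_id.values()))


def pfs_rate(deliveries: List[Delivery]) -> float:
    """Share of encrypted emails whose negotiated suite provides PFS."""
    encrypted = [d for d in deliveries if d.cipher is not None]
    if not encrypted:
        return 0.0
    return round(100.0 * sum(has_pfs(d.cipher) for d in encrypted) / len(encrypted), 2)


# Constructed sample: two domains share one MX, one domain is reached twice.
SAMPLE = [
    Delivery("example.com", "mx.example.com", "198.51.100.10", True, "ECDHE-RSA-RC4-SHA"),
    Delivery("example.com", "mx.example.com", "198.51.100.10", True, "ECDHE-RSA-RC4-SHA"),
    Delivery("example.co", "mx.example.com", "198.51.100.10", True, "ECDHE-RSA-RC4-SHA"),
    Delivery("example.org", "mail.example.org", "203.0.113.5", True, "DHE-RSA-AES256-SHA", mismatched=True),
    Delivery("example.net", "mx1.example.net", "203.0.113.20", True, "AES128-SHA", self_signed=True, mismatched=True),
    Delivery("example.edu", "mx.example.edu", "192.0.2.7", True, None),
    Delivery("example.info", "mx.example.info", "192.0.2.30", False, None),
    Delivery("example.info", "mx.example.info", "192.0.2.30", False, None),
]

if __name__ == "__main__":
    for key in (None, "domain", "mx_host", "ip"):
        print(key or "all email", aggregate(SAMPLE, key))
    print("PFS among encrypted:", pfs_rate(SAMPLE))
```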


Egyptian Ministry of Information Website Hacked by Libyan Hackers

A peek under the hood to the recent security breaches

In the last week of April, the official website of the Egyptian Ministry of Information was hacked and defaced by hackers from a group going by the handle of Libyan Cyber Army. The Egyptian ministry website was hacked a few hours ago and left with a deface page displaying the Libyan flag. The reason for targeting the Egyptian Ministry of Information was not mentioned anywhere.


#OpWorldCup: Anonymous Hacks Brazilian Govt, Police, Court, Globo TV and Cemig Telecom

Anonymous has fulfilled its promise of conducting cyber attacks on the government of Brazil during the football World Cup. Anonymous has come up with a massive breach of Brazil’s top-most institutions, in which emails, passwords and personal information have been leaked online. All hacks and breaches were conducted under the banner of #OpMundial2014, #OpWorldCup, #Freebrazil and #OpHackingCup.

#OpPetrol: Anonymous to attack major oil exporting countries on 20th June, 2014

The Anonymous hackers who initiated #OpPetrol in 2013 are back in the news with the same operation, this year on 20th June, 2014. The AnonGhost hacking group has announced that it will target Saudi and Kuwaiti oil companies for their affiliation with Israeli companies. The list of targets also includes the following countries and some major oil exporting companies, according to a paste on Pastebin:
• USA
• CANADA
• ENGLAND
• ISRAEL
• CHINA
• ITALY
• FRANCE
• RUSSIA
• GERMANY
• QATAR (Only Gov)

Fake Heartbleed Removal Tool swipes Users Details found by Symantec

The Heartbleed bug has shocked almost every web-savvy person with a serious vulnerability in OpenSSL. Spammers are now taking advantage of the Heartbleed bug that was found in the OpenSSL library. Symantec recently revealed a Heartbleed spam campaign that scares people about a Heartbleed infection on their PC.


Android ‘SMS Stealer’ Malware Hidden in World Cup Themed Apps

Be careful of any new World Cup themed apps, lest you should be tricked into downloading a malicious app, says a recent report published by Trend Micro. More than 375 spurious apps based on World Cup themes and targeting the Android platform have cropped up in unauthorized third-party app stores.

Hole In WhatsApp For Android Lets Hackers Steal Your Conversations

As part of what is predominantly an Android security issue, a CTO and consultant has discovered a vulnerability in WhatsApp encryption that could allow another app to access and read all of a user’s chat conversations within it. Here’s how it works: WhatsApp for Android stores conversations on the phone’s SD card, which is accessible by many other apps on the phone as long as the user gives those apps the permissions they ask for (many apps ask for full access to the phone). This is an infrastructure issue for Android more than a gaping security flaw on the part of WhatsApp. From there, a malicious app could access the WhatsApp conversation database. Savvy users will note that this is hardly a hack but more of a problem with Android’s data sandboxing system. Bosschert built a companion app to test it out, and used a cute loading screen to distract the user while the database files were being uploaded.


Q2 Statistics Report

Kaspersky Lab, Global Research and Analysis Team

Malware facts and statistics:

Middle East:

In the second quarter of 2014 Kaspersky Lab products neutralized more than 53.1 million cyber-attacks and malware infections on computers and mobile devices of users in the Middle East, which is a more than 50% increase in the number of incidents compared to Q1 (34.9 million). More than 10 million of these were threats coming from the internet, while the rest were local threats. KSN statistics for Q2 show that:
√ Iraq has the highest local threat level, with 51.2% of users in Iraq facing local threats.
√ Qatar has the highest web threat level, with 31.6% of Qatar users facing threats while online.
√ The highest number of incidents was reported from Saudi Arabia, with a total of about 14.3 million incidents.
√ Lebanon has the lowest threat level in the Middle East for both online and local threats.
√ Adware incidents increased during Q2. Amonetize adware recorded 2.5 million infections during Q2.


Africa:

During the second quarter of 2014 Kaspersky Lab products neutralized more than 47.9 million cyber-attacks and malware infections on computers and mobile devices of users in Africa, which is slightly lower than the number of incidents reported during Q1. The biggest share of these incidents is for threats coming from local networks and removable media (removable USB drives, CDs and DVDs). KSN statistics during Q1 show that:
√ Algeria has the highest threat level both locally and on the internet, with more than 53% of Algerian users facing local threats and 35.9% facing threats from the web.
√ South Africa has the lowest local threat level, while Kenya has the lowest online threat level.
√ The most popular malware during Q1 was the Dinihou worm, with about 3.2 million infections. This worm spreads through removable media devices, making use of .LNK files.

Middle East

Country         % of users affected by Online threats   % of users affected by Local threats
Saudi Arabia    30.4%                                   47.4%
Kuwait          24.6%                                   39.0%
Qatar           31.6%                                   44.8%
Lebanon         15.1%                                   33.2%
Turkey          30.4%                                   44.6%
UAE             29.3%                                   44.0%
Iraq            27.7%                                   51.2%
Egypt           25.7%                                   50.5%
Oman            22.7%                                   42.8%

Africa

Country                  % of users affected by Online threats   % of users affected by Local threats
Morocco                  27.9%                                   46.2%
Kenya                    12.4%                                   29.4%
Algeria                  35.9%                                   53.4%
Libyan Arab Jamahiriya   24.1%                                   44.3%
Sudan                    21.4%                                   45.1%
Egypt                    25.7%                                   50.5%
South Africa             17.7%                                   29.4%
Tunisia                  31.8%                                   47.7%
Nigeria                  12.5%                                   32.9%

Book Review

Social Engineering: The Art of Human Hacking

IT Specialist - DashSoft

I was always fond of the idea of being intelligent, getting information or investigating someone to get information. I watched the British TV series “Sherlock” and “The Mentalist” and I admired the idea of observing the environment and people around you to easily get the information you need. I was also stunned by Kevin Mitnick, the father of social engineering, and his achievements. I started by reading and learning about hacking, not hacking PCs and servers but hacking humans. The book Social Engineering: The Art of Human Hacking was just the kick-start to it.

What is Social Engineering?

Social Engineering (SE) is a blend of science, psychology and art. While it is amazing and complex, it is also very simple. It is defined as “Any act that influences a person to take an action that may or may not be in their best interest.”

We have defined it in very broad terms because we feel that social engineering is not always negative, but encompasses how we communicate with our parents, therapists, children, spouses and others.

• Social Engineering: The Art of Human Hacking is a fascinating and engrossing book on an important topic. The author takes the reader on a vast journey through the many aspects of social engineering. Since social engineering is such a people-oriented topic, a large part of the book is dedicated to sociological and psychological topics. This is an important area, as far too many technology books focus on the hardware and software elements, completely ignoring the people element. The social engineer can then use that gap to their advantage.

• Chapter 1 goes through the necessary introduction to the topic, with chapter 2 detailing the various aspects of information gathering. Once I started reading, it was hard to put the book down.

• In chapter 3 on elicitation, the author details the reality of the requirements on how to carefully and cautiously elicit information from the target. Elicitation is not something for the social engineer alone; even the US Department of Homeland Security has a pamphlet (PDF) that it uses to assist agents with elicitation.

• Chapter 4 details the art of pretexting, which is when an attacker creates an invented scenario to use to extract information from the victim.

• Chapter 5 on mind tricks starts getting into the psychological element of social engineering. The author details topics such as micro expressions, modes of thinking, interrogation, neuro-linguistic programming and more.

• Chapter 6 is on influence and the power of persuasion. The author notes that people are trained from a young age in nearly every culture to listen to and respect authority. When the social engineer takes on that role, it becomes a most powerful tool; far more powerful than any script or piece of software.

• The author wisely waits until chapter 7 to discuss software tools used during a social engineering engagement. One of the author’s favorite and most powerful tools is Maltego, which is an open source intelligence and forensics application. While the author concludes that it is the human element that is the most powerful, and that a great tool in the hands of a novice is worthless, the other side is that good tools (of which the author lists many) in the hands of an experienced social engineer are an extremely powerful and often overwhelming combination.

• Every chapter in the book is superb, but chapter 9 – Prevention and Mitigation – stands out. After spending 338 pages on how to use social engineering, chapter 9 details the steps a firm must put in place to ensure they do not become a victim of a social engineering attack. The chapter lists the following six steps that must be executed upon:

1) Learning to identify social engineering attacks
2) Creating a personal security awareness program
3) Creating awareness of the value of the information that is being sought by social engineers
4) Keeping software updated
5) Developing scripts
6) Learning from social engineering audits

• As to awareness, if nothing else, Social Engineering: The Art of Human Hacking demonstrates the importance of ensuring that social engineering is an integral part of an information security awareness program. This can’t be overemphasized, as even the definitive book on security awareness, Managing an Information Security and Privacy Awareness and Training Program, has only about 10 pages on social engineering attacks.

• The Social Engineering Framework is a searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering.

• Social Engineering, in my point of view, is a powerful attack, which gives you access to many attacks, but only to those who can master it …

You can get the book as a PDF online or order it from Amazon for about $20 with shipping to Egypt, or do as I did and rent it from the Blue Kaizen library. So many thanks to the Blue Kaizen Team, I wish you the best of the best.

MALTEGO?

With the continued growth of your organization, the people and hardware deployed to ensure that it remains in working order is essential, yet the threat picture of your “environment” is not always clear or complete. In fact, most often it’s not what we know that is harmful - it’s what we don’t know that causes the most damage. This being stated, how do you develop a clear profile of what the current deployment of your infrastructure resembles? What are the cutting edge tool platforms designed to offer the granularity essential to understand the complexity of your network, both physical and resource based

WHAT DOES MALTEGO DO?

• Maltego is a program that can be used to determine the relationships and real world links between:
» People
» Groups of people (social networks)
» Companies
» Organizations
» Web sites
» Internet infrastructure such as:
> Domains
> DNS names
> Netblocks
> IP addresses
» Phrases
» Affiliations
» Documents and files

• These entities are linked using open source intelligence.

• Maltego is easy and quick to install - it uses Java, so it runs on Windows, Mac and Linux.

• Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate - making it possible to see hidden connections.

• Using the graphical user interface (GUI) you can see relationships easily - even if they are three or four degrees of separation away.

• Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.

http://www.social-engineer.org
http://ctas.paterva.com/view/What_is_Maltego

Event Review

Gulf Information Security Exhibition and Conference, GISEC 2014

On 9th of June, the World Trade Center (the organizer of the famous Gitex technology week in Dubai) hosted its annual conference and exhibition, the Gulf Information Security Exhibition and Conference, GISEC 2014.

The Gulf Information Security Expo and Conference (GISEC) is the Middle East’s largest annual ICT event, attracting top industry professionals including CIOs, CTOs, CSOs and senior management from key industries including finance, energy, telecoms, government sectors and IT.

The event was divided into a 3-day showcase of 100 top brands, free for business professionals, free security sessions and a free (ISC)2 workshop, plus 2 days of keynote addresses, compelling panel discussions and insightful case studies led by global experts.

After inviting Kevin Mitnick in its first edition last year, GISEC invited two keynote speakers: Robert Bigman, former CISO of the CIA, and Mikko Hypponen, Chief Research Officer of F-Secure.

The exhibition this year was full of security companies and security products. A great focus on mobile device management products was noticed in the exhibition area, judging by the number of companies providing such solutions.

Security Kaizen Magazine was one of the main media sponsors for GISEC, as every year. We had the opportunity to distribute hundreds of copies of Security Kaizen Magazine, meet our beloved readers from the whole Middle East and get introduced to new readers. We also had interviews with some security professionals during the event, to be published on Bluekaizen TV, including Access Data, Infoblox, HelpAg and others.

GISEC introduced new IT Security Awards, and the winners for 2014 are:

Best Data Loss Prevention – Winner: Gulf Air
Best Cloud Security Implementation – Winner: UAE General Civil Aviation Authority
Best Information Security Program Implementation – Winner: Roads & Transport Authority (RTA) Dubai
Best Security Information and Event Management – Winner: du
Best Endpoint & Mobile Device Security Implementation – Winner: UAE Ministry of Environment & Water

Malware Review

Ransomware (provided by EG-CERT)

Malware Analyst Engineer, EG-CERT

General information

Created by: Mohamed El-hennawy
Version: 1.0
Date: 26/06/2014
Classification: Public
Department: Malware Analysis and Reverse Engineering Department


1. EXECUTIVE SUMMARY

This is an analysis of a packed executable malware. This sample is identified as ransomware. In-depth behavioral and code analysis was performed on this sample. The malware is a packed executable (packed with UPX). It is a Trojan that encrypts most file types on a system so that they cannot be accessed unless the user enters the correct password.

2. Identification

2.1 Packed File Information

File name: sample1.exe
Type: Trojan
Type of file: Application “Win32 EXE”
File Format: Portable Executable (32 bit)
File Size: 7.0 KB (7168 bytes)
Packers: UPX
MD5: 0b3498fbc9b422fa6c66edb933828fb1
SHA1: 7fdc30175ccc6db2655f39030aef4e74ea23330a
SHA256: c755bafd353061eba835d39f9a0c2c7a9015a9953293ead962a78359f594e0fd


2.2 Packing detection

3. Behavior analysis

3.1 Process Activity:
The malware doesn’t create or kill any processes.

3.2 File Activity:
As the malware encrypts files on the system, it reads and writes almost all files that exist on the system. In addition it creates two files:
C:\Documents and Settings\Administrator\Local Settings\Temp\3mN6As37iqV6y5t.exe
C:\Documents and Settings\Administrator\Desktop\-+- -+-+++-+-+-_ +++-¦.txt

3.3 Registry Activity:
• Sets a new value “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3mN6As37iqV6y5t.exe” in “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” with name “Alcmeter”
• Creates sub key “HKEY_CLASSES_ROOT\.crypt” with value “UVLBIYGQHQZADNF”
• Creates sub key “HKEY_CLASSES_ROOT\UVLBIYGQHQZADNF” with unnamed value “CRYPTED!”
• Creates sub key “HKEY_CLASSES_ROOT\UVLBIYGQHQZADNF\DefaultIcon” with unnamed value “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3mN6As37iqV6y5t.exe,0”
• Creates sub key “HKEY_CLASSES_ROOT\UVLBIYGQHQZADNF\shell\open\command” with unnamed value “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3mN6As37iqV6y5t.exe”

3.4 Network Activity:
The malware doesn’t initiate or receive any network connection.

4. Code analysis

At first the malware prepares the data needed for its operation. It gets this data from a bitmap resource by reading and decoding it, then arranges the data in memory using the RtlMoveMemory API:
• Dword_144c30 » list of targeted extensions
• Dword_143e38 » string “crypt”
• Dword_406db9 » encoding key
• Dword_406dc9 » hash of the password (MD5 hashed five times)
• Dword_406dd9 » random name for the file copied to the Temp folder
• Dword_406de9 » random name for the registry key created under HKEY_CLASSES_ROOT

After preparing the data in memory, the malware starts by copying itself to the “C:\Documents and Settings\Administrator\Local Settings\Temp” directory and sets its metadata to the metadata of the file “explorer.exe”.


Now the malware needs to ensure that it runs at startup and to define how the new file type “.crypt” it creates behaves when double-clicked. To do that, it creates a new value “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3mN6As37iqV6y5t.exe” with name “Alcmeter” in the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” to ensure it runs at startup. It creates the sub key “HKEY_CLASSES_ROOT\.crypt” with unnamed value “UVLBIYGQHQZADNF”, which is the key that holds the program used to open this type of file, and the sub key “HKEY_CLASSES_ROOT\UVLBIYGQHQZADNF” with unnamed value “CRYPTED!”, the sub key “HKEY_CLASSES_ROOT\UVLBIYGQHQZADNF\DefaultIcon” with unnamed value “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3mN6As37iqV6y5t.exe,0”, and the sub key “HKEY_CLASSES_ROOT\UVLBIYGQHQZADNF\shell\open\command” with unnamed value “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3mN6As37iqV6y5t.exe” to define the behavior of the encrypted files.

After finishing the encryption of all files, the malware creates a text file on the desktop with the name “-+- -+-+++-+-+-_ +++-¦.txt”, then searches for another bitmap resource called “pussylicker.bmp” and tries to use its data to write a new file, but it does not actually find this resource. At this point, the malware finishes its destructive action and waits for user action. When a user restarts the system or double-clicks any encrypted file, the copy of the malware in the Temp folder runs. When this copy runs, it asks the user to enter a password, hashes the password with the MD5 algorithm five times and compares the resulting hash with the hash stored at address 0x406dc9. If the password is wrong, a message pops up and the malware returns to the waiting state. If the entered password is right, the malware executes exactly what it executed in the encryption process, with some differences:

• It searches only for files with the extension .crypt
• After key generation, it runs the decryption procedure instead of the encryption procedure

After decrypting all files on the system, the malware deletes the sub key “HKEY_CLASSES_ROOT\.crypt” and then deletes the sample (keeping the Run registry value and the copy in the Temp folder).

5. Removing malware

Step 1: Patch the malware to reverse its action after comparing the password and run it on the system. This step will lead to decryption of all encrypted files and deletion of the malware and the sub key HKEY_CLASSES_ROOT\.crypt when entering any wrong password.

Step 2: Delete the files created by the malware:
C:\Documents and Settings\Administrator\Local Settings\Temp\3mN6As37iqV6y5t.exe
C:\Documents and Settings\Administrator\Desktop\-+- -+-+++-+-+-_ +++-¦.txt
Confirm that the sample file is deleted.

Step 3: Delete the value “Alcmeter” that was added in the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” registry key. Delete the sub key HKEY_CLASSES_ROOT\UVLBIYGQHQZADNF. Confirm that the value in the Run registry key is deleted.

Now the malware prepares everything and becomes ready to start its destructive action. It starts to crawl all files in the system and checks which of them exists in list of targets to encrypt it.

It gets the available partitions on the system then crawls them one by one. When it gets the first file it checks if it is file or directory. If it is directory, malware check if it is the same directory (.), the parent directory, or it is not. In case of same directory or parent directory malware escape it and continues to the next file otherwise it will access the directory and continue crawling. In case it is file, the malware starts comparing its extension with targeted list. If the extension is not existed in the list, the file is escaped and malware continues to the next file, else the procedure of encryption is started. When the file extension exists in the target list then the mal-ware starts the process of encryption.

At first the malware gets the file size and metadata then moves the file pointer 79 bytes then reads the file into memory. After reading the file, the malware gets the first character of file name and uses it with the data in address 0x406595 to generate the encryption key in address 0x406585 then starts the encryption procedure. After encryption, the malware moves the file pointer 79 bytes then writes the encrypted data to the file and sets its metadata to one that it did read before. Finally it renames the file to the same name with the new extension (.crypt) and continues to the next file.

Page 38: Security Kaizen Magazine, Issue 15

Issue 15 | Securitykaizen Magazine | 37

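The registry artifacts and file names listed in the registry activity and removal sections translate directly into a host check. The following Python is an added example and not code from the article: it parses the text of a registry export (a constructed excerpt in the format written by “reg export” is embedded, standing in for a real export from an infected host), flags the “Alcmeter” Run value, the HKEY_CLASSES_ROOT\.crypt association and the UVLBIYGQHQZADNF ProgID keys, and inventories .crypt files and the dropped executable under a directory tree it builds in a temporary folder. The assumption that the first 79 bytes of an encrypted file are left in clear text is an inference from the article’s description of the file pointer being moved 79 bytes before both the read and the write; the example uses it only to report the probable original file type from the retained header.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article's registry activity and removal sections.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Alcmeter"
CRYPT_EXT_KEY = r"HKEY_CLASSES_ROOT\.crypt"
PROGID = "UVLBIYGQHQZADNF"
DROPPED_EXE = "3mN6As37iqV6y5t.exe"
HEADER_BYTES = 79  # bytes the sample skips before reading and writing (inferred untouched)

# Constructed excerpt in "reg export" format; not a real export from an infected host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmeter"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3mN6As37iqV6y5t.exe"

[HKEY_CLASSES_ROOT\.crypt]
@="UVLBIYGQHQZADNF"

[HKEY_CLASSES_ROOT\UVLBIYGQHQZADNF\shell\open\command]
@="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3mN6As37iqV6y5t.exe"
"""

# A few well-known file signatures; used on the retained header of a .crypt file.
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip/office", b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg"}


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; '@' is the unnamed (default) value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip('"')
    return keys


def registry_findings(text):
    """List the article's registry indicators that are present in the export text."""
    keys = parse_reg_export(text)
    findings = []
    run_values = keys.get(RUN_KEY, {})
    if RUN_VALUE_NAME in run_values:
        findings.append(f"Run value {RUN_VALUE_NAME} -> {run_values[RUN_VALUE_NAME]}")
    if keys.get(CRYPT_EXT_KEY, {}).get("@") == PROGID:
        findings.append(f".crypt extension mapped to ProgID {PROGID}")
    progid_prefix = "HKEY_CLASSES_ROOT\\" + PROGID
    for key in keys:
        if key.startswith(progid_prefix):
            findings.append(f"ProgID key present: {key}")
    return findings


def guess_original_type(path):
    """Identify the original format from the retained leading bytes (see assumption above)."""
    with open(path, "rb") as fh:
        head = fh.read(HEADER_BYTES)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def sweep_files(root):
    """Inventory .crypt files and copies of the dropped executable under `root`."""
    encrypted, dropped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() == ".crypt":
                encrypted.append((str(p), guess_original_type(p)))
            elif name == DROPPED_EXE:
                dropped.append(str(p))
    return encrypted, dropped


def build_constructed_tree():
    """Create a throwaway directory that mimics an affected profile (constructed data)."""
    root = tempfile.mkdtemp(prefix="crypt-sweep-")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "report.pdf.crypt").write_bytes(b"%PDF-1.4\n" + b"\x00" * 200)
    (docs / "notes.txt").write_bytes(b"plain text, not touched")
    tmp = Path(root) / "Temp"
    tmp.mkdir()
    (tmp / DROPPED_EXE).write_bytes(b"MZ" + b"\x00" * 64)
    return root


if __name__ == "__main__":
    for finding in registry_findings(SAMPLE_REG_EXPORT):
        print("[registry]", finding)
    enc, drop = sweep_files(build_constructed_tree())
    for path, kind in enc:
        print("[file]", path, "probable original type:", kind)
    for path in drop:
        print("[dropper]", path)
```

On a real host the export text would come from “reg export” of the two hives and the sweep would be pointed at each partition the sample crawled; the findings map one-to-one onto the three removal steps.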
Best Practice

Head- Business Development (EMEA) at SISA

Demystifying Mobile Security

Mobile devices are the essential tools of the modern mobile world. We use them to tackle seemingly limitless tasks such as texting, chatting, shopping online, updating our social networking status, researching, emailing, creating documents, making phone calls, video conferencing, and banking. The list will only grow as smartphone capabilities continue to expand. According to studies of smartphone users and usage, the mobile phone market, which had approx. 4.08 billion users globally in 2012, grew by 6.2% in 2013 to 4.33 billion users. The mobile marketplace is expected to rise by 5.1% to 4.55 billion users in 2014 and by a further 4.7% to 4.77 billion users. Mobile phone users are likely to reach 6.0 billion globally by 2017.

In 2012 around 58.2% of the global population was using smartphones; this share grew to 61.1% in 2013 and is expected to grow further to 63.5% of the global population.

Users now access the internet from their mobile devices, whether through a smartphone or a simpler handset. Mobile devices are attractive because they simplify many of our most essential and mundane tasks: they let us connect and interact with others easily, and they let us carry out many essential business tasks without comparatively bulky laptops. Mobile devices also carry a number of risks and threats.

Emerging Threats to Mobile Phones
1- Malware
2- Phishing
3- Virus/worms/others

The most commonly known threat is malware. Malware is used or created by attackers to disrupt many types of computer operations, collect sensitive user information, or gain access to a private mobile device or computer. It includes Trojan horses, worms, spyware, computer viruses, rootkits, keyloggers and other malicious programs.

Because mobiles are multi-purpose devices, the risk posed by viruses or malware can show itself in surprising ways. Studies of the Geinimi Trojan, a malware embedded in certain apps and games, illustrate this. For a user to contract this Trojan, all they need to do is download an infected application. After the app is installed, the Trojan allows hackers to remotely control the device; these criminals can use the phone to place calls, send and delete text messages, and even locate the device geographically using the phone’s maps application via the GPS (Global Positioning System) functionality built into the device. If the smartphone’s owner had been using the device for mobile banking, the hackers would even be able to access the banking account or record the account information. Once the customer data has been identified or captured, the hacker can send it back to the “mother ship” via a number of mechanisms, including e-mail and/or text messages.

Phishing is the deceitful act of attempting to capture personally identifiable sensitive user information by posing as a trustworthy and/or legitimate source, typically by e-mail. These attacks exploit social engineering tactics. A phishing mail may contain links leading to websites that are infected with malware. Exploiting the victim’s trust, the attackers then attempt to acquire sensitive user information such as account passwords, usernames, credit card data and sensitive corporate information. These attacks are quite appealing to attackers, typically involving spam e-mail or other communications circulated to many people. Be vigilant about unsolicited communications. It is always suggested to type the URL directly into the browser rather than copy and paste it.

We, as mobile device users, tend to think that our mobile devices cannot get infected by any kind of virus. The fact is that we are vulnerable to all types of threats. Some of the most common noteworthy worms, mobile viruses and Trojans are:

• Skulls: The Skulls virus swaps all phone desktop icons with images of a skull and the device becomes unusable.

• ZitMo: ZitMo malware targets users’ online banking information. Once this malware is installed, the malicious software forwards all incoming SMS. Once hackers have this data, they use it to attack your banking accounts.

• DroidKungFu: DroidKungFu is an influential Trojan carried in Android applications that obtains master privileges on your device. This Trojan horse collects data and sends it to a remote server.

• Zeus: A new Trojan horse that steals customer banking information. This malware operates through a technique known as man-in-the-browser keystroke logging. The Trojan is spread mainly through drive-by downloads and phishing schemes.

• SpyEye: SpyEye injects new fields into a web page, a practice termed HTML injection. It demands data from users trying to use their banking websites. Once hackers have this data, they can access your bank accounts.

• Gingermaster: Malware fashioned for Android mobile devices. It spreads through an installed application that carries a hidden set of code running in the background on the device.

Future threats

One of the key areas that has received a lot of consideration is BYOD (“Bring Your Own Device”). Looking to the future, we foresee more advanced malware for mobile devices. In particular, we expect to see the following:

• Malware that takes advantage of your location via the Global Positioning System (GPS).

• Hackers will take data from your device and use it to tailor phishing and social engineering attacks. This is why it is so important to protect your personally identifiable information: it is easy for hackers to encroach upon your privacy and then use your data against you.

• We also forecast more applications that look genuine but are in reality a greenfield for hackers to attack you.

• More use of the Short Message Service (SMS) to deliver infected malware payloads.

• We will also see an abundance of malware that is customized to you.

• As more mobile devices are infected, a greater number of corporate networks will be infected. This will be a huge issue for corporate managers.

Steps you can take to protect yourself

• Always take extra care and install only approved applications available through your vendor’s authorized application store.

• Before using Wi-Fi hotspot functionality, including mobile and portable hotspot devices, make sure WPA2 Wi-Fi encryption is supported and configured with a strong password to thwart unauthorized access to the Wi-Fi network created by the device.

• Use a password/PIN that is hard for others to guess. There is an additional feature you can use, known as two-factor authentication.

• Change your voicemail and phone password frequently.

• Don’t use sensitive personally identifiable information on public Wi-Fi.

• It is very important to sign out of your applications when you are done with work.

• Check your Twitter/Facebook privacy settings.

• Lock down the security settings on your mobile device.

• Install OS updates and security fixes as soon as they are available for download to ensure your mobile device firmware is up to date.

Preventative measures – how to reduce the likelihood that your device will be hacked

iPhone

• Make sure you have a passcode enabled on your iPhone.

• Enable the Erase Data function. Erase Data adds another layer of security to your iPhone: it erases all data after 10 failed passcode attempts, so if someone steals your phone it will wipe itself after 10 unsuccessful attempts at the passcode. To enable this, set Erase Data to ON in the Passcode Lock screen.

• Find My iPhone – if you ever lose or misplace your iPhone or iPad, you can use the Find My iPhone / Find My iPad feature. All you need to do is download the application on your device and access it through iCloud (icloud.com).

• Encrypted Backup – the Encrypt Backup setting is found in iTunes.

Android

• Enable lock screens – you can find this under the Settings | Security settings

• Disable USB debugging – you will find this under the Settings | USB debugging section

• Enable full disk encryption – this is found in the Settings | Security section

• Be sure to use only official application stores

• Screen lock – make sure you have enabled a screen lock on your phone, so that it automatically locks after it is idle for a few minutes

For any device

Make sure that you have the latest OS installed.
