FEBRUARY 2014
Covering the global threat landscape
ISSN 1749-7027

CONTENTS

2 COMMENT
It is time for defenders to go on the offence

3 NEWS
Law minister is former spammer
Cash for hacks

MALWARE ANALYSES
4 Getting one's hands dirty
6 Salted algorithm – part 2
11 Inside W32.Xpaj.B's infection – part 2

19 FEATURE
Needle in a haystack

27 BOOK REVIEW
Don't forget to write

30 SPOTLIGHT
Greetz from academe: Full frontal

31 END NOTES & NEWS

IN THIS ISSUE

A LIFE OF GRIME
Cross-platform execution is one of the promises of Java – but cross-platform infection is probably not what the designers had in mind. Nevertheless, that was clearly in the mind of the author of W32/Java.Grimy, a virus for the Windows platform, which infects Java class files. Peter Ferrie has the details. page 4

LAME DUCK
Sometimes what looks like a genuine MP3 encoder library, and even works as a functional encoder, actually hides malicious code deep amongst a pile of clean code. Gabor Szappanos reveals the lengths to which one piece of malware goes to hide its tracks. page 19

READING CORNER
Industry veteran, prolific writer and educator David Harley reviews two recently published eBooks that aim to provide security guidance for consumers: 'Improve Your Security' by Sorin Mustaca, and 'One Parent to Another' by Tony Anscombe. page 27

COMMENT

'Challenge [defenders] to take a penetration testing or exploit development class.'
Andreas Lindh, ISecure

IT IS TIME FOR DEFENDERS TO GO ON THE OFFENCE

Defence is hard. From a defender's point of view, it only takes one slip-up, one misconfiguration or one unpatched machine for an attacker to gain access and capitalize with potentially disastrous consequences. Not only that, but it is also very difficult to know if or how well your defences are working. Sure, you can measure it to a degree, but only for the events that you and your security products can actually see. For an attacker, it is pretty much the other way around; they usually know if what they are doing is working or not.

One of the major problems for those tasked with defending networks is a lack of knowledge about what they are supposed to be protecting against, on a technical level. A lot of defenders are former network or firewall administrators who are great at TCP/IP and routing, but seriously lacking when it comes to understanding how exploits work or how security products can be bypassed. This, coupled with the way some vendors are marketing their products (basically as self-playing pianos), has in many cases led to investments in and reliance on automated security products instead of competence and personnel development. I believe that this is a dangerous road to travel, as attackers will always be able to subvert security products that are run in out-of-the-box mode.

There are few areas where such a lack of knowledge becomes more painfully visible than in Security Information and Event Management, or SIEM. While, for example, an IPS or anti-virus product will still do some level of good if you do no more than install it on your network and make sure it gets updated occasionally, a SIEM will not do anything except generate a (huge) bill. Although most vendors will include a set of default correlation rules, being welcomed by 12,000 so-called 'security events' the first time you log into the management interface is an overwhelming experience for anyone. The point is, if you don't know what you are looking for, a SIEM is only likely to cause you pain.

So what can be done? Well, for a start, defenders need to be allowed to develop their offensive skill set. Instead of routinely sending security staff to some vendor-supplied or defensive training, challenge them to take a penetration testing or exploit development class. By knowing and understanding offensive techniques, defenders will be able to start thinking like attackers and defend accordingly. If you don't understand what post-exploitation is or how it works, how are you supposed to be able to spot it going on in your network? And how are you going to be able to detect an SQL injection attack on your web application if you don't know anything about attacking web applications?

The challenge here is to make sure that defenders get offensive training that actually reflects current, real-world attacks, and not outdated techniques that are only used by penetration testers.

Another area defenders need to be more proficient in is threat intelligence. Although most vendors have some kind of offering in this area, they seldom offer anything that does not relate directly to their own product(s). While these offerings can certainly be of some use, a more vendor-agnostic approach is needed. The point of threat intelligence is to be able to make informed decisions on defensive prioritizations by studying actual attacks and trends. This is an area in which defenders in general could get more involved by doing their own research and contributing their own conclusions to the security community as a whole. (It should be noted that to be able to do this, a whole different skill set from configuring a firewall is needed.)

To conclude: it is time for defenders to go on the offence. It is time to stop defending based on gut feeling and outdated best practices. It is time to start making informed decisions based on real attacking knowledge and intelligence. After all, a defender who knows nothing about offence is effectively no more than a system administrator who happens to manage a security product.

And there is no reason why defenders cannot be hackers too. I know I am.

Editor: Helen Martin
Technical Editor: Dr Morton Swimmer
Test Team Director: John Hawes
Anti-Spam Test Director: Martijn Grooten
Security Test Engineer: Scott James
Sales Executive: Allison Sketchley
Perl Developer: Tom Gracey
Consulting Editors: Nick FitzGerald, AVG, NZ; Ian Whalley, Google, USA; Dr Richard Ford, Florida Institute of Technology, USA

VIRUS BULLETIN www.virusbtn.com

NEWS

LAW MINISTER IS FORMER SPAMMER

Delhi law minister Somnath Bharti has found himself in a tight corner as revelations connecting him with a spamming outfit in the early 2000s have come to light. Security analyst Conrad Longmore, who writes on Dynamoo's Blog, says he first came across Bharti more than a decade ago when investigating a spamming operation known as TopSites LLC. Somnath Bharti and his company, Magden Solutions, were a partner of TopSites, and Bharti even found his way onto Spamhaus's ROKSO list of known professional spammers.

It seems that at some point after Longmore's original investigations, Bharti took a change in career path and became a lawyer – some time after which he developed an interest in politics, eventually becoming Delhi's law minister.

At the time of his involvement with the spamming operations, the act of spamming was not illegal in India (indeed the country still does not have effective anti-spam legislation), but Bharti was named in a lawsuit filed in California in 2004 against a number of alleged spammers (the suit was settled out of court).

Bharti strongly denies his involvement with the spamming outfit, claiming that the allegations are part of a conspiracy to malign him – but there are several pieces of evidence that indicate that he is evading the truth. Longmore points to Bharti having been listed as CEO of TopSites, his name having appeared in the WHOIS records for the original domain used in the spam (topsites.us), and his name having appeared in the internal databases of clone sites.

Unsurprisingly, the story has found its way into India's mainstream news and media – and it seems that Bharti already has a rather shaky reputation, a Times Now reporter describing the minister as 'erring and blundering' and saying 'his cup of controversies brimmeth over'. While the lack of effective anti-spam legislation in India means that Bharti is unlikely to face legal action, the minister seems likely to be in for a bumpy ride in his political career.

CASH FOR HACKS

Source code hosting website Github has become the latest organization to launch a bug bounty programme, offering between $100 and $5000 for each vulnerability reported.

CALL FOR PAPERS

VB2014 SEATTLE

Virus Bulletin is seeking submissions from those wishing to present papers at VB2014, which will take place 24–26 September 2014 at the Westin Seattle hotel, Seattle, WA, USA.

The conference will include a programme of 30-minute presentations running in two concurrent streams. Unlike in previous years, the two streams will not be distinguished as 'corporate' and 'technical', but instead will be split into themed sessions covering both traditional AV issues and some slightly broader aspects of security:

• Malware & botnets
• Anti-malware tools & methods
• Mobile devices
• Spam & social networks
• Hacking & vulnerabilities
• Network security

Submissions are invited on topics that fall into any of the subject areas listed above. A more detailed list of topics and suggestions can be found at http://www.virusbtn.com/conference/vb2014/call/.

SUBMITTING A PROPOSAL

The deadline for submission of proposals is Friday 7 March 2014. Abstracts should be submitted via our online abstract submission system. You will need to include:

• An abstract of approximately 200 words outlining the proposed paper and including five key points that you intend the paper to cover.
• Full contact details.
• An indication of which stream the paper is intended for.

The abstract submission form can be found at http://www.virusbtn.com/conference/abstracts/.

One presenter per selected paper will be offered a complimentary conference registration, while co-authors will be offered registration at a 50% reduced rate (up to a