Daily summary - Tuesday 10-12-2013

End-of-Shift report

Timeframe: Monday 09-12-2013 18:00 - Tuesday 10-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a

French Government Spoofs Google Certificate

Google revoked digital certificates for some of its domains that had been fraudulently signed by an intermediate certificate authority with links to ANSSI, France's cyber-defense agency.

http://threatpost.com/french-government-spoofs-google-certificate/103128


How We Decoded Some Nasty Multi-Level Encoded Malware

From time to time, we come up with interesting bits of malware that are just calling us to decode and learn more about them. This is one of those cases. Recently, I crossed paths with this little gem: That snippet is encoded malicious content.

http://blog.sucuri.net/2013/12/how-we-decoded-some-nasty-multi-level-encoded-malware.html


Microsoft Security Advisory (2916652): Improperly Issued Digital Certificates Could Allow Spoofing - Version: 1.0

Microsoft is aware of an improperly issued subordinate CA certificate that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The subordinate CA certificate was improperly issued by the Directorate General of the Treasury (DG Trésor), subordinate to the Government of France CA (ANSSI), which is a CA present in the Trusted Root Certification Authorities Store. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.

http://technet.microsoft.com/en-us/security/advisory/2916652


Untouched P2P Communication Infrastructure Keeps ZeroAccess Up and Running

Microsoft's takedown of the ZeroAccess botnet wasn't a complete success. Experts point out that Microsoft targeted only the money-making aspects of the botnet, and that its communication protocol was untouched.

http://threatpost.com/untouched-p2p-communication-infrastructure-keeps-zeroaccess-up-and-running/103133


The Curious Case of the Malicious IIS Module

Recently, we've seen a few instances of a malicious DLL that is installed as an IIS module making its rounds in forensic cases. This module is of particular concern as it is currently undetectable by almost all anti-virus products. The malware is used by attackers to target sensitive information in POST requests, and has mechanisms in place for data exfiltration.

http://blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html


CyanogenMod to have built-in text message encryption system

People are now more concerned about their privacy after discovering the efforts made by governments to spy on their communications. The most practical solution to keep messages, emails and calls secure is to use a cryptographic encryption mechanism. However, as the name of the method suggests, the installation process is complex for most users. To solve this, CyanogenMod will come equipped with a built-in encryption system for text messages.

http://www.muktware.com/2013/12/cyanogenmod-built-text-message-encryption-system/17305


Phantom menace? A guide to APTs - and why most of us have little to fear from these 'cyberweapons'

APTs - or Advanced Persistent Threats - are the most menacing cyber attack there is, some say. Orchestrated by teams of hundreds of experts, they penetrate systems so deeply that they can remain for years, stealing secrets by the terabyte.

http://www.welivesecurity.com/2013/12/09/phantom-menace-a-guide-to-apts-and-why-most-of-us-have-little-to-fear-from-these-cyberweapons/


New security features added to Microsoft accounts

We're excited to announce that over the next couple of days we're rolling out a few new capabilities - based on your ongoing feedback - that give you more visibility and control of your Microsoft account.

http://blogs.technet.com/b/microsoft_blog/archive/2013/12/09/new-security-features-added-to-microsoft-accounts.aspx?Redirected=true


Analysis: Kaspersky Security Bulletin 2013. Overall statistics for 2013

This section of the report forms part of the Kaspersky Security Bulletin 2013 and is based on data obtained and processed using Kaspersky Security Network. KSN integrates cloud-based technologies into personal and corporate products, and is one of Kaspersky Lab's most important innovations.

http://www.securelist.com/en/analysis/204792318/Kaspersky_Security_Bulletin_2013_Overall_statistics_for_2013


November 2013 virus activity review from Doctor Web

December 2, 2013 Virus analysts at the Russian anti-virus company Doctor Web discovered and examined quite a variety of information security threats in November 2013. In particular, a Trojan targeting SAP business software and malware that generates fake search results on Windows machines were added to the Dr.Web virus database at the beginning of the month.

http://news.drweb.com/show/?i=4122&lng=en&c=9


DSA-2812 samba

http://www.debian.org/security/2013/dsa-2812


RSA Security Analytics Core Can Be Accessed By Remote Users

http://www.securitytracker.com/id/1029446


pam_userdb password hashes aren't compared case-sensitively

http://cxsecurity.com/issue/WLB-2013120069


TYPO3-CORE-SA-2013-004: Multiple Vulnerabilities in TYPO3 CMS

http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-004/


McAfee Email Gateway 7.6 multiple vulnerabilities

http://seclists.org/fulldisclosure/2013/Dec/18