ZeusVM: Bits and Pieces

ZeusVM is a relatively new addition to the Zeus family of malware. Like the other Zeus variants, it is a banking trojan (“banker”) that focuses on stealing user credentials from financial institutions. Although recent attention has been on non-Zeus based bankers such as Neverquest and Dyreza, ZeusVM is still a formidable threat. At the time […]

ZeusVM: Bits and Pieces

ZeusVM is a relatively new addition to the Zeus family of malware. Like the other Zeus variants, it is a banking trojan (“banker”) that focuses on stealing user credentials from financial institutions. Although recent attention has been on non-Zeus based bankers such as Neverquest and Dyreza, ZeusVM is still a formidable threat. At the time of this writing, it is actively being developed and has implemented some interesting features such as a custom virtual machine and basic steganography. In addition, due to a recent leak of a builder program, the ability to create new ZeusVM campaigns is now in the hands of many more miscreants.

To foster a better understanding of ZeusVM, the attached paper examines some of the internals of the malware from a reverse engineer’s perspective. While it doesn’t cover every component, the visibility provided can help organizations better detect and protect from this threat.

ZeusVM: Bits and Pieces (PDF)

ZeusVM: Bits and Pieces Appendix 1 (TXT)

Weird bug of the day: Twitter in-app browser can’t visit site

We keep a close eye on tweets that mention CloudFlare because sometimes we get early warning about odd errors that we are not seeing ourselves through our monitoring systems.

Towards the end of August we saw a small number of tweets like this one:

indicating that trying to browse to a CloudFlare customer web site using the Twitter in-app browser was resulting in an error page. Which was very odd because it was clearly only happening occasionally: very occasionally.

Luckily, the person who tweeted that was in the same timezone as me and able to help debug together (thanks James White!); we discovered that the following sequence of events was necessary to reproduce the bug:

  1. Click on a link in a tweet to a web site that is using an https URL and open in the Twitter in-app browser (not mobile Safari). This site may or may not be a CloudFlare customer.

  2. Then click on a link on that page to a site over an http URL. This site must be on CloudFlare.

  3. BOOM

That explained why this happened very rarely, but the question became... why did it happen at all? After some debugging it appeared to happen in Continue reading

Which Path in the WAN are those Business Critical Applications Taking?

“Learning about and avoiding impairments (delay, loss, jitter) along the path that business critical traffic takes.”  That is what I wrote in my previous blog “IWAN’s Intelligent Path Control & Using Your Backup Link.”  But how is that possible to do?

Thinking some type of probe? From where to where? Thinking the WAN edge links? But how do you know the path you send your probes over is the path that your business critical traffic is taking?

Let’s talk about what I mean by this by looking at an example.

which_path2

 

 

 

 

 

 

In the above picture we have 2 sites with 1 host per site, and 1 WAN connection between the two.

  • Branch2 w/ host 10.2.10.101
  • Hub Site w/ host 114.114.114.101
  • WAN connection w/ 21.21.102.3 on the Branch2 side and 21.21.1.2 on the Hub Site side.

Let’s say you check the health of the path between Branch2 and the Hub Site with some type of probe/IP SLA.  You will be doing it from the 2 WAN IP addresses 21.21.102.3 and 21.21.1.2.   Right?  Continue reading

Quick look: World’s largest e-waste dump

e-wasteImage by REUTERS/Tyrone SiuReuters recently took a look at what the town of Guiyu in China, which is commonly known, as one of the world's largest electronic waste dump sites. A particularly polluted place as you might imagine, Guiyu exists to salvage bits of valuable metals such as gold, copper and aluminum mostly from hard drives, mobile phones, computer screens and computers from around the world though sources have changed: China now produces 6.1 million metric tons of e-waste a year second only to the US with 7.2 million tons , according to the Ministry of Industry and Information Technology.To read this article in full or to leave a comment, please click here

$60 device spoofs phantom objects and tricks self-driving cars into stopping

A security researcher used a homemade $60 system to outsmart self-driving car lidar sensors that cost thousands; he was able to trick an autonomous vehicle into slowing down and even launched a denial of service attack on a self-driving car's tracking system so that it came to a complete stop.Lidar, a remote sensing technology, is most commonly known as the circular “eye” mounted on the roof of most self-driving cars; it acts somewhat like radar as the lasers spin around to scan the area and detect objects. Lidar devices come in various sizes and prices. The lidar (Light Detection and Ranging) market is estimated to be a one billion market by 2020; it’s not used exclusively for driverless cars as seen in recent news about autonomous golf carts and surveying drones. Yet Jonathan Petit, a principal scientist at Security Innovation, believes lidar sensors are “the most susceptible technologies” in self-driving vehicles.To read this article in full or to leave a comment, please click here

Want IoT? Here’s How a Major US Utility Collects Power Data from Over 5.5 Million Meters

I serendipitously found this fascinating reply by Richard Farley, your friendly neighborhood meter reader, in a local email list giving a rare first-hand account of how the Advanced Metering Infrastructure works in California. This is real Internet of Things territory. So if it doesn't have a typical post structure that is why. He generously allowed it to be reposted with a few redactions. When you see “A Major US Utility”, please replace it with the most likely California power company.

Old mechanical meters had bearings that over time wore out and caused friction that threw off readings. That friction would cause the analog gauge to spin slower than it should, resulting in lower readings than actual usage -- hence "free power". It's like a clock falling behind over time as the gears wear down.

For A Major US Utility "estimated billing" happens when your meter, for whatever reason, was not able to be read. The algorithms approved by the CPUC and are almost always favorable to the consumer. A Major US Utility hates to have to do estimated billing because they almost always have to underestimate based on the algorithms and CPUC rules. Not 100% sure about this, but if they Continue reading

I passed the CCIE Lab Exam in Routing and Switching v5!

Original content from Roger's CCIE Blog Tracking the journey towards getting the ultimate Cisco Certification. The Routing & Switching Lab Exam
Well the post that I have been dreaming of writing since the start of this blog is actually being written. I passed the CCIE Lab Exam in Routing and Switching v5 in Brussels last week and am now CCIE #50038 It has been a journey and as readers of this […]

Other pages of interest:

Post taken from CCIE Blog

Original post I passed the CCIE Lab Exam in Routing and Switching v5!

Kaspersky Lab pushes emergency patch for critical vulnerability

Kaspersky Lab has released an emergency patch for some of its antivirus products after a security researcher found a critical vulnerability that could allow hackers to compromise computers.The flaw was discovered by vulnerability researcher and Google security engineer Tavis Ormandy, who mentioned it Saturday on Twitter, before sending the bug's details to Kaspersky.Ormandy's Twitter message included a screen shot showing the Windows calculator (calc.exe) running under the Kaspersky antivirus process.It works great against versions 15 and 16, he said.Versions 15 and 16 correspond to Kaspersky's 2015 and 2016 product lines. It's not clear if only Kaspersky Anti-Virus was affected or also the vendor's Internet Security and Total Security products.To read this article in full or to leave a comment, please click here

Kernel bypass

In two previous posts we've discussed how to receive 1M UDP packets per second and how to reduce the round trip time. We did the experiments on Linux and the performance was very good considering it's a general purpose operating system.

Unfortunately the speed of vanilla Linux kernel networking is not sufficient for more specialized workloads. For example, here at CloudFlare, we are constantly dealing with large packet floods. Vanilla Linux can do only about 1M pps. This is not enough in our environment, especially since the network cards are capable of handling a much higher throughput. Modern 10Gbps NIC's can usually process at least 10M pps.

hispeed.jpg CC BY 2.0 image by Tony Webster

It's apparent that the only way to squeeze more packets from our hardware is by working around the Linux kernel networking stack. This is called a "kernel bypass" and in this article we'll dig into various ways of achieving it.

The kernel is insufficient

Let's prepare a small experiment to convince you that working around Linux is indeed necessary. Let's see how many packets can be handled by the kernel under perfect conditions. Passing packets to userspace is costly, so instead let's try to drop Continue reading

How to permanently change qemu’s qcow2 image?

Of course you heard of qemu. Its a hypervisor used by UNetLab and GNS3 to integrate virtual routers like Alcatel-Lucent’s 7750 SR, Junipers vMX and Cisco’s XRv. And it is well-known that those virtual routers come in the form of qemu disk images with an odd [crayon-563410ebce426237947726-i/] extension. But how can we alter those disc images if we need,

Fiat Chrysler voluntarily recalls 7,810 SUVs over software issues

Fiat Chrysler said Friday it is voluntarily recalling 7,810 SUVs due to a software glitch that could make the vehicles vulnerable to remote control.Half of the vehicles, which are 2015 Jeep Renegade SUVs equipped with 6.5-inch touchscreens, are still at dealerships, the carmaker said in a statement.The company downplayed the risk to drivers, saying it was unaware of injuries related to the problem and had received no complaints.It further said "the software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code."To read this article in full or to leave a comment, please click here

Crypto wars: FTC commissioner says to encrypt despite feds pushing for backdoors

Surveillance is so out of control that superheroes like Captain America fight against it; even the Avengers tried to show us the dangers of militarizing the Internet. Sure that might be coming from fictional characters just like the cosplay activism campaign going on Dragon Con this weekend in Atlanta. Yet as Project Secret Identity points out:To read this article in full or to leave a comment, please click here

NOSHUT got twitter!

Hey fellows! I know some of you prefer to track new posts in twitter feed. For those of you I created noshut_ru twitter account where you will find all the updates and some reposts from networking gurus. Follow!
1 3,246 3,247 3,248 3,249 3,250 3,756