Security Research


Over the past few months we have seen a lot of malware activity around the Netcore vulnerability, so we decided to take a closer look at its exploitation. The following screenshot shows attack traffic captured with Wireshark (Figure 1). Figure 2 shows a quick enumeration of the sample. (There are versions of the sample for several architectures; we chose to analyze the MIPS one.) My analysis shows that this sample is a variant of the Gafgyt family, with some changes which I will discuss in detail later in this... [Read More]
by Amir Zali | Jan 20, 2017 | Filed in: Security Research
Another TKEY record-related bug in BIND has been fixed with a patch from the Internet Systems Consortium (ISC), released just after the New Year. The bug lets an attacker take down BIND recursive servers by sending a simple query response containing a TKEY record, causing a denial of service (DoS). The DoS is triggered by an assertion failure in resolver.c when caching a DNS response that carries a TKEY record. In this post we analyze the BIND source code and expose the root cause of the vulnerability. The TKEY record... [Read More]
by Dehui Yin | Jan 18, 2017 | Filed in: Security Research
Fortinet security researcher Kai Lu discovered and reported two critical zero-day vulnerabilities in Adobe Flash Player in November 2016. Adobe assigned them CVE-2017-2926 and CVE-2017-2927 and released a patch for both on January 10, 2017. Here is a brief summary of each. CVE-2017-2926: This is a memory corruption vulnerability in Flash Player’s engine when processing MP4 files. Specifically, it is triggered by an MP4 file with a crafted sample size in the MP4 atom... [Read More]
by Kai Lu | Jan 17, 2017 | Filed in: Security Research
Last month we found a new Android locker malware that launches ransomware, displays a lock screen on the device, and extorts the user into submitting their bank card details to unblock it. The interesting twist in this variant is that it leverages the Google Cloud Messaging (GCM) platform, a push notification service for sending messages to registered clients, as part of its C2 infrastructure. It also uses AES encryption for the communication between the infected device and the C2 server. In this blog we provide a detailed analysis... [Read More]
by Kai Lu | Jan 16, 2017 | Filed in: Security Research
PHP is an open source, general-purpose scripting language used for web development that can also be embedded into HTML. It has over 9 million users and powers many popular tools such as WordPress, Drupal, and Joomla!. This week, a high-severity security update was released to fix a remote code execution vulnerability (CVE-2016-10033) in PHPMailer, an open source PHP library for sending email from PHP websites. The vulnerability is caused by class.phpmailer.php incorrectly processing user-supplied input. As a result, remote... [Read More]
by Zhouyuan Yang | Jan 05, 2017 | Filed in: Security Research
To survive, macro downloaders have to constantly develop new techniques for evading sandbox environments and anti-virus applications. Recently, Fortinet spotted a malicious document macro designed to bypass Microsoft Windows’ UAC and execute Fareit, an information-stealing malware, with high system privileges. Spam: This malicious document is distributed by a spam email. As part of its social engineering strategy, it is presented in the context of someone being interested in a product. Fig. 1: Spam with the malicious... [Read More]
by Joie Salvio and Rommel Joven | Dec 16, 2016 | Filed in: Security Research
WooCommerce is a free eCommerce plugin for WordPress. It has been downloaded over 1 million times, and over 30% of all online stores are now powered by WooCommerce. I recently discovered that WooCommerce is vulnerable to a cross-site scripting (XSS) attack. The vulnerability exists because the WooCommerce tax rates setting incorrectly processes user-supplied data. A remote attacker could trick a WooCommerce administrator into uploading a malicious CSV file that claims to provide required tax rate data for a particular country or region. [Read More]
by Zhouyuan Yang | Dec 16, 2016 | Filed in: Security Research
Introduction: A new unversioned Cerber has surfaced! It appears that the author(s) of Cerber are working hard to make more money during the Christmas season. This latest version has more changes than the previous ones. The version number has been removed from the desktop wallpaper on infected machines, so this new Cerber release no longer carries an apparent version number, which may make tracking the Cerber family harder than before. Another noticeable change is that the modified wallpaper now comes... [Read More]
by Sarah (Qi) Wu, Jacob (Kuan Long) Leong | Dec 09, 2016 | Filed in: Security Research
Oddly, there is no easy way to check the battery level of your Fitbit tracker. You can configure your profile to send you notifications when the battery is low, but that's about all. While researching Bluetooth Low Energy (BLE), however, I noticed that Fitbit trackers do expose the standard Battery Service (0x180F) along with the standard Battery Level characteristic (0x2A19). [Read More]
by Axelle Apvrille | Dec 09, 2016 | Filed in: Security Research
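The Fitbit entry above rests on two Bluetooth SIG assigned numbers: the Battery Service (0x180F) and its Battery Level characteristic (0x2A19). The following is an added example, not code from the Fortinet post, showing how those 16-bit numbers expand to the 128-bit UUIDs a GATT client actually asks for, how the one-byte Battery Level value is decoded (and rejected when malformed), and how the same decoder can be applied to a line captured from BlueZ's gatttool. The optional live read uses the third-party `bleak` library and a device address you supply; that any given tracker really exposes the service is the post's observation, assumed here.

```python
"""Read a BLE device's standard Battery Level over GATT and decode it.

Added example (not from the Fortinet post). Offline-testable parts:
short-UUID expansion, value decoding, gatttool output parsing. The
live read requires the third-party `bleak` package (assumption) and a
device address supplied on the command line.
"""
import asyncio
import sys

# Bluetooth SIG base UUID: a 16-bit assigned number occupies bytes 2-3 of
# 0000XXXX-0000-1000-8000-00805F9B34FB.
BT_BASE_UUID = "0000{:04x}-0000-1000-8000-00805f9b34fb"

BATTERY_SERVICE = 0x180F      # org.bluetooth.service.battery_service
BATTERY_LEVEL_CHAR = 0x2A19   # org.bluetooth.characteristic.battery_level


def expand_uuid(short_uuid: int) -> str:
    """Turn a 16-bit SIG assigned number into the full 128-bit UUID string
    that GATT libraries expect."""
    if not 0 <= short_uuid <= 0xFFFF:
        raise ValueError("16-bit UUIDs only")
    return BT_BASE_UUID.format(short_uuid)


def decode_battery_level(value: bytes) -> int:
    """Battery Level is a single uint8 percentage (0..100). Anything else
    is a malformed or non-conforming response and is rejected rather than
    silently truncated."""
    if len(value) != 1:
        raise ValueError(f"expected 1 byte, got {len(value)}: {value.hex()}")
    level = value[0]
    if level > 100:
        raise ValueError(f"battery level out of range: {level}")
    return level


def parse_gatttool_read(line: str) -> bytes:
    """Parse the 'Characteristic value/descriptor: 5a' line printed by
    BlueZ's gatttool --char-read, so captured tool output can be fed to
    the same decoder."""
    marker = "Characteristic value/descriptor:"
    if marker not in line:
        raise ValueError("not a gatttool char-read line")
    hexbytes = line.split(marker, 1)[1].split()
    return bytes(int(h, 16) for h in hexbytes)


async def read_battery_level(address: str) -> int:
    """Live read over BLE. `address` is the tracker's MAC (Linux) or its
    CoreBluetooth UUID (macOS). Assumes the device exposes the standard
    Battery Service, as the post reports Fitbit trackers do."""
    from bleak import BleakClient  # third-party; imported lazily so the
                                   # offline helpers work without it
    async with BleakClient(address) as client:
        raw = await client.read_gatt_char(expand_uuid(BATTERY_LEVEL_CHAR))
        return decode_battery_level(bytes(raw))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(asyncio.run(read_battery_level(sys.argv[1])), "%")
    else:
        # Constructed sample: what gatttool prints for a 90 % battery.
        sample = "Characteristic value/descriptor: 5a"
        print(decode_battery_level(parse_gatttool_read(sample)), "%")
```

Run without arguments to decode the constructed sample offline; pass the tracker's address to perform the real read. Rejecting values above 100 matters because a device that returns out-of-spec data is either misbehaving or not the device you think it is, and a monitoring script should fail loudly rather than report a plausible-looking number.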
A few days ago, a variant of Mirai hit a German telco, forcing 900,000 customers off the Internet. The FortiGuard team has issued an AV signature for it, named Linux/Mirai.B!worm. Several binaries were found in the wild for different architectures. I'll examine the ARM one here, as that's the architecture I'm most familiar with. A look at the strings in the binary reveals the following: [Read More]
by Axelle Apvrille | Dec 08, 2016 | Filed in: Security Research