“There is no delight in owning anything unshared.”

deSheep in Cybersecurity

Cyberattacks May 2013 – Malware on PRU 13 General Elections (Ubah!!)

As Malaysians get excited about voting day, which is held at least once every five years, a new piece of malware has been discovered: FinFisher (also called FinSpy). FinSpy is a commercially sold spyware package.


A Canada-based interdisciplinary laboratory discovered a sample of the FinFisher (a.k.a. FinSpy) surveillance software in a Microsoft Word document crafted specifically for Malaysia’s 2013 general elections.

The specifically crafted malware has the capability to:

  • hijack the camera and microphone;
  • infiltrate computers to grab screenshots;
  • record chat conversations; and
  • log keystrokes.

Internet-based sources revealed that this attack targets Microsoft Word 2003. It runs a VB macro, and a fake Firefox 14.0 named “WINWORD.exe” is created. The victim’s computer communicates with the FinFisher Command & Control servers as follows:



  • Block the IP(s) and
  • Be wary before clicking on links or opening files received from known/unknown sources.

For reference, see the Macro Security Levels in Office 2003: Macro Security Level

Full details by F-Secure: F-Secure Analysis


Cyberattacks January 2013 [Part II] – Zero-Day Java Exploit Debuts in Crimeware

A new Java zero-day exploits a vulnerability (CVE-2013-0422) in fully patched versions of Java 7.

This zero-day vulnerability affects the latest version, Java 7 Update 10. The vulnerability is already included in most crimeware kits, including:

  • Blackhole
  • Nuclear Pack
  • Cool Exploit Kit
  • Redkit

while Metasploit is expected to release a module soon. The zero-day will be exploited through various attack vectors.



  • Disable Java if it is not required.
  • If critical applications/websites require Java, it is suggested to use a different web browser to access them:
  • Disable the Java plug-in on the web browser intended for normal web surfing.
  • Enable the Java plug-in on another web browser for opening websites which require Java.
  • For example: use Firefox (Java plug-in DISABLED) for normal web surfing and Internet Explorer (Java plug-in ENABLED) for websites which require Java.
  • Always be wary of clicking on links received from known/unknown sources. An attacker would have to convince the user in order to exploit this vulnerability, typically by getting them to click on a malicious URL through email, instant messenger message, social network and many more…

You may also refer to the in-depth security news provided by KrebsOnSecurity:

In-depth KrebsonSecurity on Java Zero Days Exploits

Cyberattacks January 2013 [Part I] – Fraudulent Digital Certificates Could Allow Spoofing

Fake Turkish digital Certificates blocked by Browser vendors – The Hacker News present


A fraudulent digital certificate was found that could be used for active phishing attacks against Google’s web properties. Using the certificate, it is possible to spoof content in a classic phishing scheme or perform a man-in-the-middle attack, according to the Google Chrome Security Team and Microsoft experts. Microsoft immediately started the procedure to update its Certificate Trust List (CTL) in all versions of its operating systems to revoke the certificate. Microsoft has also decided to revoke two other certificates for the same reason; it seems that some attacks using the first certificate have already been detected. The fraudulent digital certificate was mistakenly issued by a Turkish domain registrar.

“Microsoft is aware of active attacks using one fraudulent digital certificate issued by TURKTRUST Inc., which is a CA present in the Trusted Root Certification Authorities Store. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties. To help protect customers from the fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust list (CTL) and is providing an update for all supported releases of Microsoft Windows that removes the trust of certificates that are causing this issue.” It is still unknown who the real targets of the attack are, or what their geographic distribution is. The Microsoft advisory refers to the domain kktcmerkezbankasi.org, a web site that presents itself as the Central Bank of the Turkish Republic of Northern Cyprus (TRNC).

The Google Online Security Blog published a post reporting that on Dec. 24, 2012, its Chrome web browser detected and blocked an unauthorized digital certificate for the “*.google.com” domain. The security repercussions are very serious: any attacker able to sign with a CA’s certificate can issue certificates for any domain.


“Microsoft Security Advisory (2798897) -Fraudulent Digital Certificates Could Allow Spoofing”

Microsoft Security Advisory 2798897 Security TechCenter

Cyberattacks December 2012 – New Internet Explorer Zero-Day

IE zero-day in the wild: this vulnerability is tracked as CVE-2012-4792

Marc Whitten

The zero-day was first disclosed by a US-based network security company on December 28, 2012, during an investigation of the compromise of the Council on Foreign Relations (CFR) website. In the security advisory released on December 29, Microsoft confirmed that Internet Explorer 6, 7 and 8 are vulnerable to this zero-day attack. The company expects to issue a fix within the next few days.

Internet-based sources revealed that this attack targets Internet Explorer configured for English (U.S.), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian. Moreover, it only targets Internet Explorer with Adobe Flash installed. In this attack, Adobe Flash is used to perform a heap spray against Internet Explorer. The consequence of this attack is arbitrary code execution in the context of the user.

Zero Days

Zero Days Exploits Explanation with Graph by Trend Micro 

How do attackers exploit this vulnerability?

Attackers make use of several components in order to successfully exploit IE. These include a malicious HTML file, a malicious .SWF file, and triggering a malicious .EXE as a final payload. When users connect to a compromised website, the malicious HTML file or exploit.html (HTML_EXPDROP.II) serves as the entry point of the attack. It creates multiple instances of the image element (array) in the document, or the current Web page. All of these set the value of src to string “a”. These values are stored in the heap memory. A heap refers to an area of pre-reserved memory that a program can use to store data in some variable amount.

What are other repercussions of unpatched systems?

Exploits generally allow attackers to drop or load malware that downloads other, more menacing malware onto vulnerable or unpatched systems. But even an up-to-date computer can be vulnerable to attacks through zero-day vulnerabilities. Zero-day exploits are more dangerous in nature as they target vulnerabilities that have yet to be resolved by the respective software vendors. Until the software vendor issues a workaround solution, i.e., a fix tool or the actual software update, users are left unprotected and vulnerable to threats.


  1. Upgrade your Internet Explorer to version 9 or later. Microsoft confirmed that Internet Explorer 9 and 10 are not affected.
  2. If you have no choice but to use Internet Explorer version 8 or lower, you can block the attack by disabling JavaScript and Flash.
  3. Install the Enhanced Mitigation Experience Toolkit (EMET) and enable it to protect Internet Explorer: http://support.microsoft.com/kb/2458544
  4. Be wary before clicking on links received from known/unknown sources. An attacker would have to convince the user in order to exploit this vulnerability, typically by getting them to click on a malicious URL through email, instant messenger message, social network, etc.

Cyberattacks November 2012 Part II – Spoofed DNS Service Attack

Spoofed DNS traffic was observed from Black Lotus Communications’ IPs with source port 53. This traffic indicates backscatter from an attack on Black Lotus’s customers. In other words, some of the IP addresses are being spoofed by the attacker for a DNS reflection attack on TCP port 53 (DNS).

Black Lotus

Backscatter is a side effect of a spoofed denial-of-service (DoS) attack: the attacker forges the source address in IP packets sent to the victim, so the victim responds to the forged address, and these response packets are known as backscatter. The backscatter packets from the victim are therefore delivered to whoever really holds the spoofed source address.

Spoofed DNS
A DDoS mitigation service provider needs to validate the real source of the DNS reflection attack by responding to the spoofed packets. This explains the appearance of IP(s) from Black Lotus Communications with source port 53.

Block Black Lotus Communications IP(s):

  • –
  • –

Configure Unicast Reverse Path Forwarding (uRPF) on network routers to prevent IP address spoofing.
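
To make the distinction concrete, here is an added example (not from the original post) that classifies inbound source-port-53 packets as solicited answers, backscatter from the mitigation provider, or other unsolicited responses; the provider range and the packet log are constructed placeholders, since the post’s IP list is not reproduced.

```python
import ipaddress

# Constructed stand-in for the mitigation provider's address range (placeholder:
# the post's real IP list is not reproduced here).
PROVIDER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed packet log: (direction, src_ip, src_port, dst_ip, dst_port, kind).
# direction is "out" for packets our network sent, "in" for packets it received;
# kind is "Q" for a DNS query and "R" for a DNS response.
SAMPLE_LOG = [
    ("out", "10.0.0.5", 41000, "198.51.100.53", 53, "Q"),   # our resolver asks
    ("in", "198.51.100.53", 53, "10.0.0.5", 41000, "R"),    # answer we asked for
    ("in", "192.0.2.10", 53, "10.0.0.5", 33891, "R"),       # never asked: backscatter
    ("in", "192.0.2.11", 53, "10.0.0.7", 33891, "R"),       # never asked: backscatter
    ("in", "203.0.113.9", 53, "10.0.0.5", 1234, "R"),       # unsolicited, unknown origin
]


def from_provider(ip, nets):
    return any(ipaddress.ip_address(ip) in net for net in nets)


def classify(log, provider_nets):
    """Split inbound DNS responses into solicited answers, backscatter from the
    provider's victims, and other unsolicited responses. A response is solicited
    only if we logged a matching outbound query (same server, same client port)."""
    pending = set()
    solicited, backscatter, other = [], [], []
    for direction, src, sport, dst, dport, kind in log:
        if direction == "out" and dport == 53 and kind == "Q":
            pending.add((dst, src, sport))          # server, our client IP, our port
        elif direction == "in" and sport == 53 and kind == "R":
            key = (src, dst, dport)
            if key in pending:
                pending.discard(key)
                solicited.append((src, dst))
            elif from_provider(src, provider_nets):
                backscatter.append((src, dst))
            else:
                other.append((src, dst))
    return solicited, backscatter, other


def spoofed_addresses(backscatter):
    """The destinations of backscatter are the addresses of ours that the
    attacker is forging as the source of its reflection traffic."""
    return {dst for _src, dst in backscatter}
```

The provider’s responses themselves are harmless; the useful finding is the set returned by spoofed_addresses, which shows which of our addresses are being impersonated.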

Cyberattacks November 2012 Part I – #opleak Targets Financial Institutions in Asia

#opleak is an operation originating from the hacker group xl3gi0n, which hacked, defaced and leaked database information of four financial institutions in Asia.


The hacker group is targeting:

  • The Victims: The Asian Banker, Kumari Bank, Midwest Bank and Procredit
  • The Targets: Web servers running on Apache with PHP installed with MySQL
  • The Method : SQL Injection
  • The Tool: Havij – automated SQL injection tool

Good defense references from OWASP:

Primary Defenses:

  • Option #1: Use of Prepared Statements (Parameterized Queries)
  • Option #2: Use of Stored Procedures
  • Option #3: Escaping all User Supplied Input

Additional Defenses:

  • Also Enforce: Least Privilege
  • Also Perform: White List Input Validation


  • Ensure web portals sanitize user input so that the data received is what it should be. Limit the use of SQL queries from applications through the use of stored procedures.
  • Webmasters can configure their web server to block traffic from clients whose HTTP User-Agent header contains ‘Havij’, although this header can be changed by the attacker.
  • Ensure the systems are using an up-to-date version of the software and have all vendor-supplied patches applied, especially systems running Apache, PHP and MySQL.


More details from the OWASP SQL Injection Cheat Sheet
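
The OWASP defenses above, as an added example (not from the post or from OWASP): a login check built by string concatenation, the pattern an automated tool such as Havij probes for, beside the parameterized and white-list-validated version. It uses Python’s built-in sqlite3 with a constructed user table; the names and data are assumptions for the demo.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a portal's database.
    Passwords are kept in clear only to keep the demo short; hash them in practice."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so user input becomes part of the SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


# White list (OWASP "Also Perform"): usernames are letters, digits and underscore only.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def login_safe(conn, username, password):
    """OWASP Option #1: a parameterized query. The driver sends input as data, so a
    quote or comment sequence can never change the query's structure. White-list
    validation is a second layer, not a substitute for the placeholder."""
    if USERNAME_RE.fullmatch(username) is None:
        return False
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    print("vulnerable, bypass:", login_vulnerable(db, "alice", bypass))  # True
    print("safe, bypass:      ", login_safe(db, "alice", bypass))        # False
```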


Cyberattacks October 2012 Part (II) – A very Social Malware (Facebook??)

Although Facebook is not a new attack vector, there is a new kind of malware spreading through Facebook. This malware is protected against both debugging and network traffic analysis. To protect the binary code from reverse engineering, it was obfuscated using a special protector. Network traffic is encrypted (even the DNS queries!) and produced in excess. VirusTotal results for this malware sample:

It spreads through Facebook by writing a short chat message and posting the following message on a wall:

http://xxxxxxxx.com/xxxxxxxx.php?ref=facebook&w=%5Brandom characters]&resource=youtube&w=[name] :* favourite [random characters] 😀

Then, it sends the following Skype message:

youtube favourite [random characters]! http://xxxxxxxx.com/xxxxxxxx.php?ref=facebook&w=%5Brandom characters]&resource=youtube&w=[name]

Finally, it sends an MSN message:

:* http://xxxxxxxx.net/xxxxxxxx.php?ref=facebook&w=%5Brandom characters]&resource=youtube&w=[name] youtube hit [random characters] 😀

If the user clicks on the link, the malware is downloaded to the victim’s computer.

Kindly refer to the following link for a detailed analysis and further explanation (Analysis of a very social malware):