Traditionally, the bad guys’ malware bypasses our signature-based defenses with some form of obfuscation, such as encoding the malware with XOR, base64 or gzip, or using any of the malware packers tracked by Shadowserver. Penetration testers have long relied on Metasploit’s ability to render their payloads undetectable to antivirus programs.
“All warfare is based on deception” – Sun Tzu, The Art of War
My previous post, “Hiding under the Covers”, reviewed the advantages that attackers gain through Reflective Memory Injection (RMI) techniques. As a follow-up, let’s look at methods for detecting injected libraries.
Many years ago I ran the online ‘Security Clinic’ on ITsecurity.com. It offered free advice from a worldwide pool of security experts.
Late one evening I received a telephone call at home. It was the Chief Constable of Strathclyde Police. He was worried that the Clinic was pointing people to L0phtCrack to help recover their forgotten passwords – he thought the advice might benefit hackers.
As far back as a decade ago, attacks consisted of simultaneously launching strikes that exploited multiple vulnerabilities to gain a foothold in a target network, then following up with privilege escalation attacks to make the compromise more worthwhile for the bad guys. For many years we simply referred to these attacks as blended threats. While “Chained Exploits” may be a fairly new term,
This month’s Microsoft Patch Tuesday update has reached an all-time high of 13 bulletins, surpassing the previous high of 12 released in October 2008. IT pros won’t only have to deal with the large number of patches; the update also includes fixes for 34 security issues, with zero-day issues continuing to be the real nail-biters.
The focus for those of us in the data leakage arena has generally been on the “big holes,” especially when it comes to the risk of insider theft: email, removable devices and drives (e.g., USB flash drives, external HDDs) and removable media (e.g., CDs/DVDs). And for good reason. Why? Well, first, as I’ve mentioned before,