InfoSec Weekly Roundtable/Discussion

[blindfuzzy]

Sounds neat man.... My preference would be something around 0300-0900 UTC... Or anytime on the weekends.

We spoke on this in irc but I just want to let everyone know that Sunday will most likely be the day for the weekend. Haven't figured out a time. Ummm this will most likely NOT start this Sunday as I have my kid.

[blindfuzzy]

Next Week's Agenda: Watch and follow along as I exploit the Android Application

Screenshare/conference call will be set up. Everyone will be able to talk and I can talk my way through as I'm doing the app testing.

If you are going to follow along I recommend getting the AppUse vm. I will be using that during the testing and exploitation along with drozer, which is open-source and can be found here: https://github.com/mwrlabs/drozer

Just getting this here on page 2 for everyone to see. Sundays will start next week.

[blindfuzzy]

So, this weeks meeting all but failed. I didn't really get to exploit the app but I did cover AppUse and various other subjects. I've been short on time this week.

What we established from this "live" run:

• We will be using Google Hangouts to run screenshare
• I need to get everything in one spot

I have data all over the place. My fault as I ran out of time to get everything setup. A blog is going to be setup also for videos and chat logs of the weekly meetings. This one just sucked and I want to apologize to everyone that was there for that.

[0E 800]

So, this weeks meeting all but failed. I didn't really get to exploit the app but I did cover AppUse and various other subjects. I've been short on time this week.

What we established from this "live" run:

• We will be using Google Hangouts to run screenshare
• I need to get everything in one spot

I have data all over the place. My fault as I ran out of time to get everything setup. A blog is going to be setup also for videos and chat logs of the weekly meetings. This one just sucked and I want to apologize to everyone that was there for that.

Here is the screen recording, please ignore any hangout messages and the grey boxes covering them. Next meeting i hope to have a dedicated machine for recording so I wont need to spend time editing out shit.

Security Meeting 2 - Appuse.mp4


BTW - sorry about that, was trying to record sound but also not trying to have people at work hear the voice in the box, i kinda screwed myself by reducing the vol. My bad.
VLC - Volume raise 150%


Ez.Sec.Meet Streaming:

Meeting #2 - Appuse
https://www.youtube.com/watch?v=49v06n9bZKs

Meeting #4 - Intro Malware
https://www.youtube.com/watch?v=xjE-ppTojhA

[blindfuzzy]

Thanks OE for being the go to video guy. I appreciate you getting that setup and squared away.

[archfox]

This is awesome, I would join the upcoming meeting

[blindfuzzy]

This is awesome, I would join the upcoming meeting

The more people the better. I like growth. 

[blindfuzzy]

With the holidays up on us I have decided not to have a discussion on any topic this week. Everyone enjoy the holidays!

(If you guys wanna hangout in the channel and talk about things a good topic is the Juniper backdoor)

[blindfuzzy]

Wednesdays @1700 UTC #security

This weeks topic: Threat Intel and a Career Q&A. Hope to see everyone there!

[white-knight]

This weeks topic: Threat Intel and a Career Q&A. Hope to see everyone there!

What day and time ?

[blindfuzzy]

What day and time ?

Wednesdays @1700 UTC

[vanity]

I am currently on nights but I would love to join this weekly meeting. I go to Days in about 5 weeks so I will mark this in my calendar for then and look forward to being apart of the meeting.

-V

[blindfuzzy]

This weeks topic: Malware: Intro

Wednesday @ 1700 UTC in #security

I am currently on nights but I would love to join this weekly meeting. I go to Days in about 5 weeks so I will mark this in my calendar for then and look forward to being apart of the meeting.

-V

See you there!

This has been bumped an hour! #security @ 1800 UTC

[0E 800]

For all those who missed meeting #4 - Intro Malware:

https://www.youtube.com/watch?v=xjE-ppTojhA

[blindfuzzy]

For all those who missed meeting #4 - Intro Malware:

https://www.youtube.com/watch?v=xjE-ppTojhA

Awesome job man! Thank you!

IRC:

<Anorak> ARE WE GONNA START OR WHAT?
<blindfuzzy> sorry i forgot you werent in there lmfao
<blindfuzzy> Macro Malware: Introduced back in the 1990’s, macro malware has been practically extinct until a recent resurgence. Malware authors are revisiting macro malware because of its sheer simplicity not only in coding it, but also in how it is distributed – the most popular way being phishing emails.

<blindfuzzy> Macro malware targets Microsoft Office applications (Word, Excel, etc.). Malicious VBA macros are used to infect anyone who opens the file, mostly with Trojan downloaders. Any application that supports the uploading/downloading of Microsoft Office documents is at risk.

<blindfuzzy>     VBA is Visual Basic for Applications, a macro programming environment of the Microsoft Office Suite. It is the modern version of the BASIC programming language.  It is typically used to set up macros for specific document formats that are commonly used to format text in documents. Essentially a macro is just a shortcut to a task you would otherwise have to do repeatedly.

<blindfuzzy>     Starting in Office 2007, Microsoft Office has VBA macros disabled by default. This is good for security, yet macro malware is still alive and well because malware authors are using social engineering to trick users into enabling macros in malicious documents. Some enterprises also re-enable macros because their document workflows require them to run unimpeded.

<blindfuzzy> The problem lies in how simple it is to code this “macro malware”. It is no longer necessary to learn VBA as there are ready-made VBA malware templates all over the internet, which streamlines the creation of malicious documents. There are hundreds of new malware variants based on these templates since early 2015.

<blindfuzzy> Macro malware decreased in prevalence after Microsoft patched their Office Suite, and began warning users about macros included in the files they received. This functionality was implemented in Office 2007 and has been effective at preventing a significant amount of macro malware. However, a resurgence began in late 2014, when researchers at CYREN observed an outbreak of over 3.02 billion emails containing new macro malware.

<blindfuzzy> Subsequent outbreaks in December consisted of as many as 1.2 billion emails a day. The chart above only shows a small number of the newly formed macro malware in quarter one of 2015, but it gives a picture of recent macro malware growth.

<blindfuzzy> VBA malware is hardly ever self-contained, but instead acts as a “downloader”. The VBA will connect to the internet, specifically to a server that hosts a malicious .EXE, download the malicious executable and run it, all without a single prompt for a user decision.

<blindfuzzy> Now, the attackers have an executable with full malicious capabilities that will keep running in the background not only after you exit the Word document, but potentially even when their victims log out and reboot. This attack vector is becoming increasingly difficult to detect as newer VBA malware code has been seen making calls to lesser known system functions. These calls frequently turn out to be longer time-wasting

<blindfuzzy> loops in an attempt to avoid detection. This is achieved by slowing down the malware execution time making it hard for antivirus to detect it as malicious. Most AV’s have a time period of scanning per file scanned so the AV will usually drop a file if it is taking too long to scan.

<blindfuzzy> Malware authors know that VBA is blocked within Microsoft Office by default, and overcome this obstacle by deploying social engineering tricks. They prepare the content of the documents in such a way that it would lure the recipient into enabling the execution of macros, and thus open the door for infection.

<blindfuzzy> VBA can be implemented that will actually blur out the entire contents of the document until the user enables macros, which in turn will execute the embedded macro virus.

<blindfuzzy> The user is left with no other option but to “enable macros” to view the document. A company that uploads and downloads documents or a user that unknowingly opens a file received from the all too common phishing emails becomes at risk for these types of attacks. More information on obfuscation techniques used by VBA malware authors will be covered in part two of this series.

<oe800> i dont want to redirect your lesson, but are .scr malware vba?
<Anorak> no oe800 but it can be converted and run as vba
<oe800> thnx

<blindfuzzy> In Microsoft Word, these events are tied to starting the Word application (the event could be captured with a macro procedure named AutoExec), exiting Word (AutoExit), opening a document (AutoOpen), closing a document (AutoClose), or creating a new document (AutoNew).

<blindfuzzy> Microsoft Excel has a wider selection of automatic macros, but includes similar functions, such as starting Excel (Auto_Open), exiting Excel (Auto_Close), opening a workbook (Workbook_Open), and closing a workbook (Workbook_Close). The structure of the Trojan’s macro code ensures that the code is executed whenever the document is opened. Even though the code itself is not cross-application, Workbook_Open and Auto_Ope
<blindfuzzy> n could make it work in Excel.

<blindfuzzy> Most VBA malware calls the UrlDownloadToFile Windows API function to download the final payload from a hard-coded URL. The file is then saved either to the %TEMP% folder or the %APPDATA% folder, and executed it using the ShellExecute function. The dropped executable was usually registered for automatic execution during system start-up in one of the registry autorun locations, such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

We talked a lot about SIFT workstation. You need an account with SANS to download it for free. This is the alternative: https://www.dropbox.com/s/qqbt5i6cmupl4fz/SIFT%20Workstation%203%20-%20Virtual%20Machine%20Distro%20Version.zip?dl=0

Unfortunately, I am unable to upload this through ez due to file size restrictions it is 2.36gb zipped.