Threat Level: green Handler on Duty: Renato Marinho

SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Black Hat is coming and with it a good reason to update your "Broadcom-based" devices

Published: 2017-07-21
Last Updated: 2017-07-22 00:19:55 UTC
by Renato Marinho (Version: 1)
0 comment(s)

Black Hat US 2017 is debuting and with it a potential concern to most of us. It turns out that one of the conference presentations, entitled BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM’S WI-FI CHIPSETS [1]will detail how Broadcom BCM43xx Wi-Fi chipsets can be exploited to achieve full code execution on the compromised device without user interaction.

“An attacker within range may be able to execute arbitrary code on the Wi-Fi chip”, says Apple about this vulnerability (CVE-2017–9417) in its latest security bulletin [2]. Google published the patch to fix the vulnerability on Android early this month [3].

Besides Apple, those chipsets are present on most smartphone devices like HTC, LG, Nexus and most Samsumg models as well. Make sure to have this vulnerability fixed in all your devices?—?especially if you are planning to be in Las Vegas next week.

References
[1] https://www.blackhat.com/us-17/briefings.html#broadpwn-remotely-compromising-android-and-ios-via-a-bug-in-broadcoms-wi-fi-chipsets
[2] https://support.apple.com/pt-br/HT207923
[3] https://source.android.com/security/bulletin/2017-07-01

--
Renato Marinho
Morphus Labs | LinkedIn | Twitter

Keywords:
0 comment(s)

Malicious .iso Attachments

Published: 2017-07-21
Last Updated: 2017-07-21 22:23:02 UTC
by Didier Stevens (Version: 1)
0 comment(s)

We've been informed of recent malware campaigns that deliver .iso attachments (.iso files are CD/DVD images). These .iso files contain a malicious executable.

Since Windows 8, Windows will automatically mount .iso files when they are opened. Like this, these .iso files are like .zip files with malware.

Here is an example of an email with .iso attachment:

This email file can be analyzed with emldump:

Part 5 contains the attached .iso file (Quotation-0568.iso), and can be extracted like this:

There are several methods to analyze .iso files, even with Python. Here we will use 7-Zip:

The executable can be extracted like this:

It is indeed a PE file:

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: iso malware
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Bots Searching for Keys & Config Files
Jul 19th 2017
3 days ago by Xme (3 comments)

Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 4 ? Windows Thumbnail Cache, Registry, Prefetch Files, and Link Files artefacts)
Jul 18th 2017
4 days ago by Bojan (0 comments)

SMS Phishing induces victims to photograph its own token card
Jul 17th 2017
5 days ago by Renato (2 comments)

Office maldoc + .lnk
Jul 15th 2017
6 days ago by DidierStevens (0 comments)

View All Diaries →

Latest Discussions

Luxury Sofa for Sale in Dubai | Best Buy Sacs Online | UAE
created Jul 19th 2017
3 days ago by Anonymous (0 replies)

Suspicious URL http://ust-af-com showing up as denied on logs
created Jul 13th 2017
1 week ago by Anonymous (0 replies)

International visitors come in Morocco to discover New Places
created Jul 11th 2017
1 week ago by ericwatson239 (0 replies)

www.sans.org needs IPv6 address
created Jul 10th 2017
1 week ago by Anonymous (0 replies)

Increased traffic hitting TCP Port 10224
created Jun 28th 2017
3 weeks ago by Brad (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
3 weeks ago by Brad (6 comments)

OAUTH phishing against Google Docs ? beware!
May 3rd 2017
2 months ago by Bojan (6 comments)

Massive wave of ransomware ongoing
May 15th 2017
2 months ago by Xme (10 comments)

Checking out the new Petya variant
Jun 27th 2017
3 weeks ago by Brad (6 comments)

Malspam with password-protected Word documents
Mar 21st 2017
4 months ago by Brad (13 comments)