
Posts

Wikileaks Malware Analysis Continued

Yesterday I released a blog post in which I explained that at least one Wikileaks property, wlstorage.net, is distributing a series of malicious programs as part of a torrent file dump related to the Global Intelligence Files retrieved from Stratfor by Jeremy Hammond and several others. I am slowly going through the malicious files in order to better understand what they are attempting to do. The work primarily involves extracting Visual Basic macros and OLE structures from the documents, then disassembling the executables scraped out of each payload document. Even for files using well-documented exploits, as many of these files do, this is slow-going and tedious work, and I invite readers experienced in security research to contact me and offer assistance. One such executable retrieved from the Stratfor files is gifiles-2014\gifiles\attach\151\151784_Command.com. As with the files reviewed yesterday, this was retrieved from the gifiles-2014.tar.gz.torrent file downloade...
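The first step of the triage described above, before any macro can be pulled out or any dropped executable disassembled, is working out whether a document is an OLE2 compound file at all and whether its directory tree contains a VBA project. The block below is an added example written for this page, not the author's tooling and not from any existing library: it parses the compound-file header, FAT and directory of an OLE2 document with the standard library only, and applies a simple heuristic (a storage named `VBA` for legacy .doc/.xls/.ppt, a `vbaProject.bin` member for OOXML) to flag macro-bearing files. The two sample documents it builds are constructed inline for the demonstration; they contain no real macro code, and the parser deliberately refuses FAT chains that loop, since hostile documents do that.

```python
import io
import struct
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE2 / Compound File Binary signature
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
STORAGE, STREAM, ROOT = 1, 2, 5


def _sector(data, sector_size, s):
    """Raw bytes of sector s (sector 0 starts right after the 512-byte header)."""
    chunk = data[(s + 1) * sector_size:(s + 2) * sector_size]
    if len(chunk) != sector_size:
        raise ValueError("truncated file: sector %d missing" % s)
    return chunk


def _chain(fat, start):
    """Follow a FAT chain, refusing to loop on a malformed (or hostile) file."""
    seen, s = set(), start
    while s != ENDOFCHAIN:
        if s in seen or s >= len(fat):
            raise ValueError("bad FAT chain at sector %d" % s)
        seen.add(s)
        yield s
        s = fat[s]


def ole_directory(data):
    """Return [(path, type), ...] for every allocated entry of an OLE2 file.

    Only the 109-entry DIFAT array in the header is read, which covers files
    up to roughly 7 MB at 512-byte sectors; larger files are rejected.
    """
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    if num_fat > 109:
        raise ValueError("DIFAT sectors not supported in this example")
    fat = []
    for s in struct.unpack_from("<%dI" % num_fat, data, 0x4C):
        fat.extend(struct.unpack("<%dI" % (sector_size // 4), _sector(data, sector_size, s)))
    raw = b"".join(_sector(data, sector_size, s) for s in _chain(fat, first_dir))
    entries = []
    for i in range(len(raw) // 128):
        e = raw[i * 128:(i + 1) * 128]
        name_len, etype = struct.unpack_from("<HB", e, 64)
        name = e[:max(min(name_len, 64) - 2, 0)].decode("utf-16-le", "replace")
        entries.append((name, etype) + struct.unpack_from("<3I", e, 68))  # left, right, child
    found, seen = [], set()

    def walk(idx, prefix):  # siblings form a binary tree, children a nested storage
        stack = [idx]
        while stack:
            i = stack.pop()
            if i == NOSTREAM or i >= len(entries) or i in seen or entries[i][1] == 0:
                continue
            seen.add(i)
            name, etype, left, right, child = entries[i]
            found.append((prefix + name, etype))
            stack.extend((left, right))
            if etype == STORAGE:
                walk(child, prefix + name + "/")

    walk(entries[0][4] if entries else NOSTREAM, "/")
    return found


def has_vba_macros(data):
    """Heuristic: does this Office document carry a VBA project?"""
    if data[:8] == OLE_MAGIC:  # legacy .doc/.xls/.ppt: a storage named VBA holds the modules
        return any(p.rsplit("/", 1)[-1] == "VBA" and t == STORAGE for p, t in ole_directory(data))
    if data[:2] == b"PK":  # OOXML: macro-enabled files embed an OLE file as vbaProject.bin
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    return False


def _dir_entry(name, etype, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM):
    raw = (name + "\0").encode("utf-16-le")
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBB3I", e, 64, len(raw), etype, 1, left, right, child)
    struct.pack_into("<I", e, 116, ENDOFCHAIN)  # the sample streams carry no data
    return bytes(e)


def build_sample_doc():
    """Constructed 2 KB .doc: Root -> WordDocument, Macros/VBA/dir (no real content)."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # version 3, 512-byte sectors
    struct.pack_into("<9I", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr[0x4C:0x200] = struct.pack("<109I", 0, *([FREESECT] * 108))  # the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, 2, ENDOFCHAIN, *([FREESECT] * 125))  # directory: sectors 1 -> 2
    entries = [
        _dir_entry("Root Entry", ROOT, child=1),
        _dir_entry("WordDocument", STREAM, right=2),
        _dir_entry("Macros", STORAGE, child=3),
        _dir_entry("VBA", STORAGE, child=4),
        _dir_entry("dir", STREAM),
    ]
    return bytes(hdr) + fat + b"".join(entries).ljust(1024, b"\0")


def build_sample_docm():
    """Constructed macro-enabled OOXML document (a zip holding word/vbaProject.bin)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for path, etype in ole_directory(build_sample_doc()):
        print("%-8s %s" % ("storage" if etype == STORAGE else "stream", path))
    print("doc has VBA:", has_vba_macros(build_sample_doc()))
    print("docm has VBA:", has_vba_macros(build_sample_docm()))
```

Enumerating the directory is only the locating step: the module source itself sits in compressed streams under the `VBA` storage and the `vbaProject.bin` member is itself a nested OLE2 file, so actual macro extraction needs the VBA decompression step on top of this. For real samples a maintained tool such as olevba from oletools does that work; the value of the hand-rolled parser is seeing which header fields and chain walks a hostile document can abuse.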

Wikileaks Global Intelligence File Dump is Loaded With Malicious Software

Click here for the second post on this topic, which includes more detailed technical information. Hector Monsegur, formerly sabu of Lulzsec, has offered his point of view on this post; get his opinion by reading my third post on the topic. In my fourth post on this topic, I explain how the malware is not limited to the Stratfor leak torrent: curated links throughout the Wikileaks.Org website allow users to download individual infected files. This series of posts is beginning to receive coverage from several newspapers around the world. German speakers should check out the story in Neue Zürcher Zeitung / New Zurich Times. For English speakers, I recommend The Register from the UK for an excellent summary of these findings. Beginning on February 27, 2012, the controversial news organization Wikileaks has been publishing a large and growing trove of emails from the private intelligence firm Strategic Forecasting, Inc (more widely known as Stratfor). The leak pu...

Google Networks Have a Weird Malware Policy, Apparently

Applian is a company that makes some fairly widely circulated media software: FLV players, RTMP stream recorders, and the like. They are somehow affiliated with NirSoft. NirSoft makes forensics tools that are often misdiagnosed as malicious software; it's less clear what Applian could be doing to earn the same red flags. But red-flagged they were, by Google's malware team no less. Google's usual practice of flagging what appear to be bad programs in its browser and search engine, while not blocking the downloads, is a sensible way to get the word out without being overly intrusive. However, when the content that Google believes is malicious is hosted on Google's own ASN, it is less clear how appropriate that is. Most system administrators are more comfortable removing malicious software from their networks. A strange choice.

Windows 8.1 Error 80200056 after installing update KB2267602

Recently I noticed some strange behavior while launching an update through Windows 8.1's 'metro' menu. I launched the Computer Settings app to run the update, which was a definitions update for Windows Defender (KB2267602). The Update settings were configured to prompt prior to download and installation. This was the first task launched after waking the computer from a Sleep state. The computer is not a virtual machine. With Windows 8 and 8.1 the first places to look for Update failures are the files C:\Windows\WindowsUpdate.log and C:\Windows\SoftwareDistribution\ReportingEvents.log; for those still unfamiliar with navigating the newer Windowses, you can open a Run prompt by pressing the Windows key and the "R" key at the same time, then paste one of these paths into it to open the file. The relevant entry of the ReportingEvents.log file shows me what Error 80200056 means in the most basic sense: the update failed to download, as opposed to failing to install. {C7C9...