What was that Wiper thing?

In April 2012, several stories were published about a mysterious malware attack shutting down computer systems at businesses throughout Iran. Several articles mentioned that a virus named Wiper was responsible. Yet, no samples were available from these attacks, causing many…

The Current Web-Delivered Java 0day

The Java 0day that we have been monitoring and preventing for the past week has been irresponsibly reported on other blogs, with early links to known sites serving the 0day. In itself, the race to publish on this 0day (which will be assigned CVE-2012-4681, a problem with processing access control within “protection domains”) is irresponsible. Would you encourage folks to walk down a mugger’s dark alley with no protection, or would you work to communicate the muggers’ whereabouts to the right folks and work on lighting the alley or giving better directions? Would you provide that mugger with some new weapons that they haven’t considered? The efforts this time around seem misplaced.

Thoughts from the IDC Security Roadshow in South Africa

I have been giving a few interviews and I was also presenting at the IDC security conference; my presentation is called “The Diary of a Security Geek” and it includes material from a year-long research project I have been running. It basically contains observations made during these conferences and some really interesting facts on how security managers see IT security, how they prioritize, and some interesting false perceptions about IT security and risks.

Shamoon the Wiper – Copycats at Work

Earlier today, we received an interesting collection of samples from colleagues at another anti-malware company. The samples are especially interesting because they contain a module with the following string: C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb. Of course, the ‘wiper’ reference immediately reminds us of the…

The Mystery of the Encrypted Gauss Payload

There are many remaining mysteries in the Gauss and Flame stories. For instance, how do people get infected with the malware? Or, what is the purpose of the uniquely named “Palida Narrow” font that Gauss installs? Perhaps the most interesting mystery is Gauss’ encrypted warhead. Gauss contains a module named “UsbDisk” that features an encrypted payload. The malware tries to decrypt this payload using several strings from the system and, upon success, executes it. Despite our best efforts, we were unable to break the encryption. So today we are presenting all the available information about the payload in the hope that someone can find a solution and unlock its secrets. We are asking anyone interested in cryptology and mathematics to join us in solving the mystery and extracting the hidden payload.