Hello, welcome to the Friday, July 12th, 2019 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from London, England.

While I'm here in London, teaching the Security 503 intrusion detection in-depth class,

and students always ask in this class where they can find more packet captures in order to practice their skills.

One resource I always redirect them to is Pratt Duncan's Diaries on our Internet Storm Center page, and he today published yet another one of his

famous malware walkthroughs. The latest one deals with the Azo Ralt Malware and in this case he was

actually able based on a tweet to discover an open directory on a web server that did contain some of this malware.

In this case, the malware took the form of an ISO file.

Now, he has talked about ISO files before.

There are, of course, nice vehicles in order to deliver malicious files.

In this case an executable is contained inside the ISO that then executed and launches the malware.

As usual Brad makes available the packet capture as well as malware samples, so that's

great for you to practice with and hone your packet analysis skills.

Let me get an update on the Zoom software for Mac OS.

Now there is a patch available for this software now,

and Apple actually collaborated with Zoom in order to also delete this buggy web server

that earlier versions of Zoom installed from Macs. Apple did this using

their antivirus engine that's built into Mac OS by essentially instructing it that this

particular web server is malicious and giving it instructions to remove this web server.

If you're running the updated version of Zoom, you should recognize that it will prompt you before it's being started.

One reason that the older version of Zoom did rely on this somewhat suspect web server was in order to avoid this

prompt. And one of the features added in the latest version of watchOS was the walkie-talkie

...