ISC StormCast for Friday, May 12th 2017
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 12 May 2017
⏱️ 13 minutes
Transcript
| 0:00.0 | Hello, welcome to the Friday, May 12th, 2017 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, |
| 0:08.8 | and I'm recording from San Diego, California. If you're wondering what the RIG exploit kit is about, |
| 0:15.3 | Brad has a little update here. He's observing it installing the Ramnit Trojan lately. Now, it's your typical |
| 0:24.5 | infection in that it starts out by visiting a compromised website that then redirects you to the |
| 0:32.4 | URL that Cisco calls the Seamless campaign, which will then attempt to use the exploit kit in order to install the Ramnit Trojan. |
| 0:42.4 | As usual, Brad does provide full packet captures of an infected system as well as various indicators of compromise. |
| 0:52.9 | His advice is keep your systems patched and you should probably |
| 0:57.2 | be okay. But well, it doesn't always take malware to have problematic software on your system. |
| 1:05.7 | The latest example is software that was found initially on some HP laptops, but apparently does also |
| 1:14.0 | affect a number of other manufacturers. The problem here is an audio driver. Now, this audio |
| 1:21.3 | driver was written by Conexant. Conexant is a company that makes a lot of the audio processing chips that you do find in modern computers, |
| 1:30.6 | and this driver was developed by Conexant for its hardware. But turns out that this driver does a lot more than just process audio signals. |
| 1:40.9 | It also records all keystrokes that a user types into a log file in the clear. |
| 1:48.1 | This log file appears to be available, world readable, on the system. |
| 1:54.0 | Now at this point, there is no evidence that these logs are being exfiltrated to a remote system. |
| 2:01.3 | Whenever the user logs in again into this laptop |
| 2:04.9 | and it's usually laptops where you find these audio drivers, |
| 2:09.5 | the log is overwritten and started with a new log. |
| 2:13.4 | But still, anybody that has access to the system |
| 2:16.4 | has access to the log, which of course does contain usernames and passwords. |
| 2:22.6 | So it could easily be used to escalate privileges, could also be used to pivot to other systems to which the user has access. |
| 2:31.5 | Overall, the scope is really not quite clear yet from what I've seen, |
... |

