🗓️ 21 September 2016
⏱️ 6 minutes
0:00.0 | Hello, welcome to the Thursday, September 22nd, 2016 edition of the SANS Internet Storm Center Stormcast. |
0:08.4 | My name is Johannes Ullrich and today I'm recording from Baltimore, Maryland. |
0:13.2 | Brad has a nice review of recent changes to Locky Crypto ransomware, in particular the switch from executables to DLLs. |
0:23.6 | I guess in part a really surprising issue here is that nothing has changed about the initial |
0:29.6 | downloader, these compressed JavaScript or Windows scripting files, and in part probably |
0:36.6 | because as I pointed out in a diary a couple weeks ago, |
0:41.3 | the antivirus tools really focus on the actual ransomware. So probably by moving from the EXE to the DLL, |
0:50.8 | there is a better chance of actually getting the system encrypted. |
0:56.7 | The initial downloader is all too often not detected, so not a lot of pressure really on the |
1:02.8 | Locky creators here to make any changes to the initial downloader. |
1:07.9 | And just a little reminder to those of you who rely on network-based tools |
1:13.6 | in order to detect the actual malware download, Locky does encrypt that part so you don't see |
1:21.6 | the typical MZ header or things like that that usually identify it as an executable. Now I'm talking about attacks that |
1:30.5 | are using scripts like JavaScript, VB script, and of course a PowerShell that has been an ongoing |
1:37.5 | problem for Windows, and with Windows 10, Microsoft introduced something new, and this is the Antimalware Scan Interface, |
1:49.0 | which in particular is meant to capture things like malicious PowerShell scripts. |
1:55.0 | There's now a Black Hat presentation that has been made public that goes into quite a bit of detail on what this tool |
2:02.8 | actually does, what it prevents, and how it can be bypassed by an attacker. Since it's still |
2:09.7 | signature-based, it can be bypassed by obfuscating the binary or the script in this case. For example, you need to change things like variable |
2:20.2 | names and then signatures may no longer be able to identify the script as malicious. But this article |
2:28.8 | goes well beyond that. So if you are using PowerShell scripts in, for example, pen testing work, you may want to take a look at this |
2:37.6 | presentation because, well, with Windows 10 AMSI is enabled by default, so you may run into it. |
... |
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.