SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Tuesday, August 9th 2016

SANS ISC Handlers

Tech News, News, Technology

🗓️ 8 August 2016

⏱️ 6 minutes

Summary

Daily 5 min infosec news summary. News, patches, vulnerabilities and trends in information security. Finding Files Encrypted By Ransomware; Bypassing Windows Executable Signatures

Transcript

0:00.0

Hello, welcome to the Tuesday, August 9th, 2016 edition of the SANS Internet Storm Center's Stormcast.

0:07.7

My name is Johannes Ullrich, and I'm recording from Jacksonville, Florida.

0:11.5

As part of a diary that Rob wrote today, he published a script that tries to identify files that have been affected by ransomware.

0:23.6

Essentially, what the script does is it looks at the entropy of a file. Encrypted files typically

0:30.6

do distinguish themselves by having a higher entropy than files that are not encrypted. So this particular script will essentially just

0:40.5

sort files by entropy and with that hopefully tell you which files have been encrypted with

0:47.7

ransomware. One use case is that if you have a system that is affected by ransomware, you can then use the script

0:57.0

to essentially isolate the files that are still okay and the files that need to be restored

1:04.5

from backups or where you have to try to decrypt them.

1:09.5

Of course, this script does not identify the actual ransomware

1:13.6

itself. That would be more something that you do with anti-malware or hopefully you can restore

1:21.6

the system from a complete backup and then identify any files that have changed.

1:26.6

And the research group known as the Deep Instinct Research Team came out with a new way to inject

1:34.2

malicious code into signed Windows binaries without invalidating the signature.

1:41.4

The trick is pretty neat in that they're injecting the malicious code into the

1:47.0

space in the binary file where the certificate is held, and that part of the binary is not validated

1:54.0

by the signature. So, as a result, it is possible to inject additional code into the binary, and they also came up with an interesting trick to load that code into the binary once it's launched.

2:10.6

So with this particular bypass technique, digital signatures can be circumvented, and a user may execute a binary that

2:20.3

claims to be nicely and validly signed.

2:23.3

At this point there isn't really much you can do in order to detect or avoid this attack.

2:29.3

I guess ultimately you could check the size of the certificate area and make sure it's not

2:34.6

abnormally large.

...