SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Tuesday, May 8th 2018


SANS ISC Handlers

Tech News, News


🗓️ 8 May 2018

⏱️ 5 minutes


Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Parsing Windows Job Files; SynAck Doppelgänging; Drupal/Coinhive; Russia vs. Telegram

Transcript


0:00.0

Hello, welcome to the Tuesday, May 8th, 2018 edition of the SANS Internet Storm Center's Stormcast.

0:07.2

My name is Johannes Ullrich, and I'm recording from Indianapolis, Indiana.

0:12.3

Attackers always try to get persistence on exploited systems, often by scheduling tasks.

0:20.2

Now, Xavier recently ran into a malware sample that did just that

0:24.6

by creating a job file that was then used in Windows to start a scheduled task. The job files

0:33.0

Windows uses to define these scheduled tasks are written in XML and you can parse them manually,

0:40.3

but that's of course tedious and not much fun.

0:43.4

So Xavier found a Python script written by Jamie Levy that does the boring task for you and

0:51.7

will spit out a summary of what particular job tries to accomplish.

0:57.0

And remember Doppelgänging. This was a vulnerability, really a technique described late last year in December

1:06.0

that allows an attacker to essentially swap files that are loaded from NTFS volumes.

1:13.6

The trick here is that you do load a file into memory after it has been inspected, for example,

1:20.6

by antivirus, but you're actually loading a different file into memory, not the one that was inspected. So with this it's possible

1:29.9

to get malware to run that would otherwise be intercepted by anti-malware solutions.

1:36.3

Well, according to some reports, this technique has now been adopted by the SynAck ransomware

1:43.3

in order to bypass anti-malware. In addition, this version of SynAck

1:47.6

also makes it particularly difficult to reverse engineer it with a number of anti-reversing tricks.

1:55.0

One sort of interesting little side note here is, like most malware, SynAck does delete a number of processes that it considers

2:05.1

either hurting its performance or potentially interfering with it. Well, typically, you can find in

2:11.7

malware a list of all the names that this particular malware tries to kill. In the case of SynAck, it actually doesn't have a list of file names or process names it's trying to kill.

2:25.0

Instead, it just contains a list of hashes of processes that it tries to kill.

2:31.3

So this makes it, of course, more difficult to figure out what this version of

...
