“System Service Descriptor Table (SSDT) patching has been widely used by rootkits and is usually easily detected.  BlackEnergy version 2 has implemented a technique which successfully hides from basic rootkit detection.  Basic rootkit detectors typically only check address ranges, on function pointers, listed in the SSDT.  If the pointers are outside the kernel address range, it implies that the SSDT is hooked.

The following will illustrate a procedural check, used to uncover this technique, using a kernel debugger…”

Read more here:

Rootkit Analysis – Hiding SSDT Hooks

Written by: Nick Jogie

Enter GoogleSharing.

On Tuesday, Moxie Marlinspike released a small lightweight Firefox extension that is aimed to prevent the collection of users search/behavioral data by Google. GoogleSharing works by serving all of your queries through a custom proxy that contains a collection of what Moxie calls “GoogleSharing Identities”.  When enabled, if the Firefox plug-in detects a request sent out to any of Google’s services, it routes you through the proxy, removes any identification information and then replaces that data with one of the random, pooled Google Sharing Identities.  Pretty slick!  Obviously, if you are already logged into any of Google’s many services (Gmail, iGoogle, Groups etc) GoogleSharing won’t help one bit.

While anonymous proxies are nothing new, GoogleSharing introduces a different method of anonymity for a pretty specific threat. With its lean and quick Firefox extension, GoogleSharing is a step in the right direction of trying to regain some sort of privacy back on the net.

Early Tuesday morning, China’s premier internet search engine Baidu, was attacked by the group calling themselves the Iranian Cyber Army. The DoS attack which took place over the night rendered the search giant’s website unavailable throughout most of the morning with one Taiwanese version of the site still recovering. The attack vector used on Baidu seems to be the same ‘internal credentials’ method in which the Iranian Cyber Army used against Twitter just last month.

With this type of DNS attack seeming to be all the rage these days; it didn’t take long for Chinese hackers to slap back with a message of their own. Within hours of Baidu going down, at least two Iranian website have been compromised with more said to be on the way. This isn’t the last we’ll hear of this intercontinental cyber-street-fight…

Stealing the headlines late yesterday though was the news that Google.cn was attacked as part of a large scale sophisticated attack on their infrastructure. According to Tuesday evening’s blog post, the mid-December attack targeted various Gmail accounts of Chinese human rights activists. The attackers however, were not able to gain total access into the email accounts; they only obtained bits of information from the subject line of the emails. As a form of retaliation, Google has since stopped censoring search results in China and threatened to pull out of the country all together.

While the details of this story are slow to unfold, it is looking more and more like a high profile corporate espionage operation organized or maybe even sponsored by Chinese government. A statement from Leslie Harris, president and CEO of the Center for Democracy and Technology seems to echo that fact: “They wouldn’t be taking an action suggesting that they cannot operate in China … if it was not related to the Chinese government,” she said.

Based on recent posts by Adobe and now news that Yahoo may have been targeted as well, a statement issued by the US government is letting China know that they are taking these allegations very seriously. It will be interesting to see what comes of all this as more details are emerging by the minute.

Blog post by:  Sean Hausauer

Latest tools from DC16!

And if Jay Beale is reading this, we want Middler to come out!

Free Mags via Lifehacker!

Weird, I could of sworn I heard someone say free 2600 mags

**By no means do we here at SecuraBit encourage engaging in unlawful activity however there are some free magazines on this site as well that could come in handy.

“The Secretary and Chief of Staff of the Air Force have considered delaying currently planned actions on Air Force Cyber Command to allow ample time for a comprehensive assessment of all AFCYBER requirements and to synchronize the AFCYBER mission with other key Air Force initiatives,” the service said in a statement released Thursday.

Makes you wonder why ample time wasn’t dedicated in the first place for a “comprehensive assessment.”

Read the full article here compliments of Security Focus.

Eleven people in the US city of Boston have been charged with credit card fraud. The US authorities say the suspects stole the data from more than 40 million credit cards.

The hackers obtained the information by installing software in computers and databases of banks and major store chains. They also drove through residential districts with a laptop to hack into personal computers with wireless connections.

Prosecutors speak of the biggest credit card swindle in US history. The suspects, who have US, Estonian, Ukrainian, Belarus and Chinese nationalities, allegedly embezzled tens of millions of dollars.

So while I’m sitting at DEFCON 16 enjoying a “free” bar tab, I wonder if I’ll see it show up my own credit card since I could quite possibly be funding one of these parties and not even know until it’s too late. Oh well, that’s what the fraud department is for right…

Obviously, be careful what you download, but if we can get some traffic their way and get people to upload both malicious and normal traffic captures to them, I think it will end up being an extremely useful resource for anyone who uses packet data for their job, such as writing snort signatures!

Their site is https://www.openpacket.org.  Remember that this isn’t for uploading 10 gigs of traffic you captured off of your neighbor’s wifi, and don’t submit your own traffic that includes your paypal and online banking sessions either.   Make sure you have permission if you’re going to be submitting a capture with information someone other than you generated.