
Posts

Wikileaks Malware Analysis Continued

Yesterday I released a blog post in which I explained that at least one Wikileaks property, wlstorage.net, is distributing a series of malicious programs as part of a torrent file dump related to the Global Intelligence Files retrieved from Stratfor by Jeremy Hammond and several others. I am slowly going through the malicious files in order to better understand what they are attempting to do. The work primarily involves extracting Visual Basic macros and OLE structures from documents, then disassembling the executables that are scraped out of the payload document. Even for files using well-documented exploits, as many of these files are, this is slow-going and tedious work, and I invite readers experienced in security research to contact me about offering assistance. One such executable retrieved from the Stratfor files is gifiles-2014\gifiles\attach\151\151784_Command.com. As with the files reviewed yesterday, this was retrieved from the gifiles-2014.tar.gz.torrent file downloaded fr

Wikileaks Global Intelligence File Dump is Loaded With Malicious Software

Click here for the second post on this topic, which includes more detailed technical information. Hector Monsegur, formerly sabu of Lulzsec, has offered his point of view on this post. Get his opinion by reading my third post on the topic. In my fourth post on this topic, I explain how malware is not limited to the Stratfor leak torrent: curated links throughout the Wikileaks.Org website allow users to download individual infected files. This series of posts is beginning to receive coverage from several newspapers around the world. German speakers should check out the story in Neue Zürcher Zeitung / New Zurich Times. For English speakers, I recommend The Register from the UK for an excellent summary of these findings. Beginning on February 27, 2012, the controversial news organization Wikileaks has been publishing a large and growing trove of emails from the private intelligence firm Strategic Forecasting, Inc (more widely known as Stratfor). The leak publication bega

Google Networks Have a Weird Malware Policy, Apparently

Applian is a company that makes some fairly widely circulated media software: FLV players, RTMP stream recorders, stuff like that. They are somehow affiliated with NirSoft. NirSoft makes forensics tools that are often mis-diagnosed as malicious software; it's less clear what Applian could be doing to get the same red flags. But red-flagged they were, by Google's malware team no less. Google's usual plan of red-flagging what appear to be bad programs through their browser and search engine, while not blocking downloads, is a sensible way to get the word out without being overly intrusive. However, when the content that Google believes is malicious is being hosted on their own ASN, it is less clear how appropriate that is. Most system administrators are more comfortable with removing malicious software from their networks. A strange choice.

Windows 8.1 Error 80200056 after installing update KB2267602

Recently I noticed some strange behavior while launching an update through Windows 8.1's 'metro' menu. I launched the Computer Settings app to run the update, which was a definitions update for Windows Defender (KB2267602). The Update settings were configured to prompt prior to download & installation. This was the first task launched after waking the computer from a Sleep state. The computer is not a virtual machine. With Windows 8 and 8.1 the first places to look for Update failures are the files C:\Windows\WindowsUpdate.log and C:\Windows\SoftwareDistribution\ReportingEvents.log. For those still unfamiliar with navigating the newer Windowses, you can reach a Run prompt to open these files using copy + paste by hitting the Windows key and the "R" key at the same time. The relevant entry of the ReportingEvents.log file shows me what Error 80200056 means in the most basic sense: the update failed to download, as opposed to failing to install. {C7C9

A New URL

Hey all - I have been able to reacquire one of my domains that was so viciously stolen from me by domain squatters some time ago. So, you can now visit the site using www.joshwieder.net. Keep in mind that all links to joshwieder.blogspot.com will continue to work.

Google Maps Javascript API Tutorial is Rubbish

I am working on creating a Google Maps based project. As such, I was using the Google Maps Javascript API Tutorial to activate an API key and create a 'Hello World' style test script. I continuously received one of the following errors:

"Google has disabled use of the Maps API for this application. The provided key is not a valid Google API Key, or it is not authorized for the Google Maps Javascript API v3 on this site. If you are the owner of this application, you can learn about obtaining a valid key here: https://developers.google.com/maps/documentation/javascript/tutorial#api_key"

"Google has disabled use of the Maps API for this application. See the Terms of Service for more information: http://www.google.com/intl/en-US_US/help/terms_maps.html."

Having not used the API to make a single call, the notion that I had somehow violated the Google TOS was particularly infuriating, as was the notion that I had not enabled the Google Maps API, which I had done, as outlined in