Salted Links: 25 November 2013

Conficker, confusing shells, APTs, BYOD, and more!

This time of year, and especially this week, IT is running with skeleton crews. There's vacation time to use, so most of the organization is gone or working remotely. In short, the office is a ghost town.

The ticket system is either DOA, or most of the outstanding, non-essential work is being placed on the backburner. But, here you are, at your desk, reading my blog. Thanks for that.

When I started Salted Hash, I said I would link to interesting bits of information and resources that may be useful in your day-to-day existence in the trenches. So, assuming you're not buried with work, here are a few interesting articles to read. Share some for others in the comment section if you want.

Malicious shells; Established != Active (SpiderLabs)

This one is interesting. While working an investigation, a team from SpiderLabs found a shell whose connection the system reported as established, and therefore apparently active. The catch: the network cable to the machine had been cut more than a month earlier. How is that possible? Netcat. The lesson is in the title. A TCP socket shown as ESTABLISHED only means the kernel has seen neither a FIN nor a RST; if neither side sends anything and keepalives are off, nothing ever tells it that the peer is gone, so the entry sits in the connection table indefinitely. [SOURCE]
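That distinction can be turned into a check. The script below is an added example, not code from the SpiderLabs post or from the Trustwave team: it parses the output of `ss -tanoi` (Linux iproute2; `-o` prints the keepalive timer, `-i` prints per-socket TCP info including `lastsnd`/`lastrcv` in milliseconds) and flags ESTABLISHED sockets that have no keepalive timer and have been silent for longer than a threshold. Those are exactly the connections whose state tells you nothing about whether the other end still exists. The `ss` output embedded in the block is constructed for the example; the socket to `198.51.100.7` is the hypothetical month-old listener.

```python
"""Flag ESTABLISHED TCP sockets whose state is not evidence of a live peer.

Parses `ss -tanoi` output: one socket line per connection, optionally
followed by an indented TCP-info line carrying lastsnd:/lastrcv: (ms).
The sample output below is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. Socket 1: ssh session, keepalive timer armed, busy.
# Socket 2: hypothetical netcat listener, no keepalive, silent for 32 days.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      10.0.0.5:22          10.0.0.9:51234      timer:(keepalive,118min,0)
\t cubic wscale:7,7 rto:204 rtt:1.5/0.75 mss:1448 lastsnd:3000 lastrcv:2500 lastack:2500
ESTAB  0      0      10.0.0.5:4444        198.51.100.7:39017
\t cubic wscale:7,7 rto:204 rtt:40/20 mss:1448 lastsnd:2764800000 lastrcv:2764800000 lastack:2764800000
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
"""

# State, Recv-Q, Send-Q, local, peer, then whatever ss appends (process, timer).
SOCKET_RE = re.compile(
    r"^(?P<state>[A-Z-]+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)(?P<rest>.*)$"
)
KEEPALIVE_RE = re.compile(r"timer:\(keepalive,")
INFO_RE = re.compile(r"\b(lastsnd|lastrcv):(\d+)")


@dataclass
class TcpSocket:
    state: str
    local: str
    peer: str
    keepalive: bool = False          # a keepalive timer is armed on this socket
    lastsnd_ms: Optional[int] = None  # ms since we last sent data
    lastrcv_ms: Optional[int] = None  # ms since we last received data

    def idle_ms(self) -> Optional[int]:
        """Time since the most recent activity in either direction."""
        vals = [v for v in (self.lastsnd_ms, self.lastrcv_ms) if v is not None]
        return min(vals) if vals else None


def parse_ss(text: str) -> List[TcpSocket]:
    """Turn `ss -tanoi` output into TcpSocket records."""
    sockets: List[TcpSocket] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("State"):
            continue  # blank line or column header
        if line[0].isspace():
            # Indented TCP-info line belongs to the socket just parsed.
            if sockets:
                for key, val in INFO_RE.findall(line):
                    setattr(sockets[-1], f"{key}_ms", int(val))
            continue
        m = SOCKET_RE.match(line)
        if m:
            sockets.append(TcpSocket(
                state=m["state"], local=m["local"], peer=m["peer"],
                keepalive=bool(KEEPALIVE_RE.search(m["rest"])),
            ))
    return sockets


def stale_established(sockets: List[TcpSocket],
                      idle_threshold_ms: int = 24 * 3600 * 1000) -> List[TcpSocket]:
    """ESTAB sockets with no keepalive and no traffic for idle_threshold_ms.

    Without a keepalive timer the kernel will never probe the peer, so a
    socket like this stays ESTABLISHED whether or not the peer still exists.
    Sockets without TCP info are left alone rather than guessed at.
    """
    return [
        s for s in sockets
        if s.state == "ESTAB" and not s.keepalive
        and s.idle_ms() is not None and s.idle_ms() >= idle_threshold_ms
    ]


if __name__ == "__main__":
    for s in stale_established(parse_ss(SAMPLE_SS_OUTPUT)):
        days = s.idle_ms() / 86_400_000
        print(f"{s.local} <-> {s.peer}: ESTAB, no keepalive, idle {days:.1f} days")
```

On a live box, replace the constant with `subprocess.run(["ss", "-tanoi"], capture_output=True, text=True).stdout`. The check deliberately treats a socket with an armed keepalive timer as trustworthy: with SO_KEEPALIVE set, the kernel will eventually probe the peer and tear the connection down, which is precisely what never happened to the connection in the SpiderLabs case.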

AutoCAD Malware (TrendLabs)

Trend Micro recently discovered AutoCAD malware which passes itself off as a legitimate AutoCAD component with a *.FAS extension. When they examined the code, it turned out to open the infected system up to attackers targeting older vulnerabilities. If you're an AutoCAD shop, this may be worth looking into. [SOURCE]

Why is MS08-067 still a thing? Conficker is still alive and kicking (TrendLabs)

This is the second post from Trend Micro, but it caught my attention and made me sad. After all the hype and coverage that Conficker gained in the mass media, it's still alive. Worse, not only is it alive, the number of infections has increased over the last four years. Admins, Y U Do Dis?! Why is MS08-067 still a valid attack surface on your network, or worse, at home? [SOURCE]

Unmasking China's 'Quarian' Campaigns (ThreatConnect)

If you follow hacks and malware trends out of China, or believe that APTs represent a single attack from a single source (I know, you don't; I'm kidding), ThreatConnect has a rather informative post about the group behind Quarian. [SOURCE]

Careful with those BYOD policies, you may need a lawyer (CIO)

This last link is from CSO's sister publication, CIO. The story caught my attention because I had never considered the legal side of a policy implementation or change. But it turns out that if your BYOD policies are too strict, you may have broken the law. [SOURCE]

Have a happy Thanksgiving everyone. See you after the holiday.