Lost+Found: Cyber weapons manufacturers, ASLR, PowerShell and the Dalai Lama
Too short for news, too good to lose; Lost+Found is a roundup of useful and interesting security news. In this edition: General Dynamics is looking for exploit authors, picky malware, Microsoft improves ASLR in Windows 8, hooking the CryptProtectData() function, Mac malware targeted at the Dalai Lama, and a support backdoor becomes a real problem.
- If nobody buys submarines, tanks and warplanes any more, new ways of making money have to be found: General Dynamics is looking for security experts with experience in exploit development, targeting, among others, platforms such as Linux, Android, BlackBerry and iOS.
- The Shylock malware is quite picky: it only executes itself on systems with at least 12GB of hard drive space, 256MB of RAM and a running smart card service. It does these checks not because it needs a lot of system resources to run, but to weed out virtual machines – which are often used in virus test labs – from real systems. This way, Shylock tries to evade analysis.
- Microsoft has further improved the scrambling of memory layouts (Address Space Layout Randomisation, ASLR) in Windows 8. How exactly this works is explained by the two security specialists Artem Shishkin and Ilya Smith.
- Developer Adam Driscoll shows how to hook the CryptProtectData() function of the Data Protection API in Windows. The data, which is supposed to be protected, is dumped in clear text into a file.
- F-Secure has discovered new Mac malware called "Dockster" which is apparently targeted at followers of the Dalai Lama. The systems are infected via a vulnerability in older Java versions.
- In a Technical Advisory dealing with the case of a default password found in the Symantec Messaging Gateway in August, Ben Williams points to the Linux kernel Symantec is using: it was released in 2007 and includes a number of privilege escalation holes. This elevates a support backdoor to a remote execution exploit.
(fab)