Saturday, October 15, 2016

MS16-124 Security Update for Windows Registry (3193227) - Decoding Registry SID areas

According to the MS security bulletin Security Update for Windows Registry (3193227), released Oct 11, 2016:

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker can access sensitive registry information. This security update is rated Important for all supported releases of Microsoft Windows. For more information, see the Affected Software and Vulnerability Severity Ratings section.
The security update addresses the vulnerabilities by correcting how the kernel API restricts access to this information.
For more information about the vulnerabilities, see the Vulnerability Information section. For more information about this update, see Microsoft Knowledge Base Article 3193227.


Some security and core-system registry keys are hidden from users; even a member of the Administrators group cannot see these special keys.

Here are some of these hidden registry keys:


The SECURITY registry key stores all the system policy and LSA secrets related information. The SAM registry key has details of user accounts, along with the LM/NTLM password hashes for each user.

There are many ways to view these hidden registry keys. We can use the psexec.exe tool (part of the PsTools package from Sysinternals) to launch regedit.exe as the SYSTEM account, as shown below.

psexec.exe -s -i regedit.exe


RegtoText is a command-line utility that converts a Windows Registry exported file (.reg) into a human-readable text (.txt) file. Hex numbers are converted into ASCII characters when possible. Conversion can be challenging since a registry key can accept any binary format, so heuristic and probabilistic methods are used to decode values to ASCII when possible.

This tool is aimed at forensic (FBI, CIA, antivirus companies), management and educational use: quickly searching and eyeballing the entire registry file for encoded values that are suspicious. Registry keys could hold persistent malware signatures (like Poweliks), back-doors or simply hidden secret messages. Most commonly, keys contain foreign-language encodings that can be spotted more efficiently with human eyes. Furthermore, once the file is decoded using RegtoText, it is searchable as a human-readable text file and can be indexed in any internal forensic exploit search engine/database.
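The kind of decoding described above, as an added example that is not RegtoText's own code: it parses the hex-typed values of a .reg export, rejoins wrapped lines, and turns the bytes into text only when they look like a string. The heuristics (UTF-16LE for types 2 and 7 or when every second byte is NUL, otherwise ASCII, otherwise hex) and the function names are assumptions for illustration, and the sample export is constructed.

```python
import re

# Matches "Name"=hex:.. or "Name"=hex(7):.. (and @ for a key's default value).
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')


def decode_bytes(data: bytes, reg_type: int) -> str:
    """Return readable text if the bytes look like a string, else spaced hex."""
    # REG_EXPAND_SZ (2) and REG_MULTI_SZ (7) are UTF-16LE in v5 exports; also
    # guess UTF-16LE when every second byte is NUL (ASCII-range wide text).
    wide = reg_type in (2, 7) or (
        len(data) >= 4 and len(data) % 2 == 0 and not any(data[1::2]))
    try:
        text = data.decode("utf-16-le" if wide else "ascii")
    except UnicodeDecodeError:
        return data.hex(" ")
    # NUL terminates strings and separates REG_MULTI_SZ entries.
    text = " | ".join(part for part in text.split("\x00") if part)
    if text and all(ch.isprintable() for ch in text):
        return text
    return data.hex(" ")


def decode_reg_text(reg_text: str) -> list:
    """Return (key, value_name, decoded) for each hex-typed value in a .reg export."""
    results, key = [], None
    # regedit wraps long hex values with a trailing backslash; rejoin them first.
    for line in re.sub(r"\\\r?\n\s*", "", reg_text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = VALUE_RE.match(line)
        if m:
            name, rtype, body = m.groups()
            data = bytes(int(b, 16) for b in body.split(",") if b.strip())
            decoded = decode_bytes(data, int(rtype or "3", 16))  # bare hex: is REG_BINARY (3)
            results.append((key, name.strip('"'), decoded))
    return results


# Constructed sample export (not taken from a real system).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor]
"Note"=hex:68,69,64,64,65,6e,20,6d,73,67
"Path"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,\
  61,00,2e,00,6c,00,6f,00,67,00,00,00
"Blob"=hex:de,ad,be,ef,00,01
'''
```

Values that stay as hex after this pass are the ones worth a closer look by hand, since they are neither plain ASCII nor wide-character text.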

Get RegtoText now!

Wednesday, October 12, 2016

Seth Lloyd of MIT talks about Quantum Life

Big Ideas presents the brilliant Seth Lloyd of the Massachusetts Institute for Technology on Quantum Life, how organisms have evolved to make use of quantum effects. I keep on coming back to this older video.

In particular, he explains how photosynthesis uses quantum mechanics, meanwhile inadvertently proving that growing your bio-fuels is just not an efficient option.

Tuesday, October 11, 2016

Odinaff Trojan hitting banks using Microsoft Office macros

Those behind Odinaff are using a variety of techniques to break into the networks of targeted organisations: the most common method of gaining access is tricking employees into opening documents containing malicious macros.

While macros are turned off by default in Microsoft Word, the recipient can opt to enable them -- which they're encouraged to do by a malicious attachment -- at which point the Odinaff Trojan will be installed on their system. One way a user can avoid being infected in this way is simply to keep the default setting, which leaves macros disabled.

Another common technique involves the use of password-protected .RAR archive files, which trick the victim into installing Odinaff. While cybersecurity researchers haven't been able to determine how these malicious documents and links are distributed by cybercriminals, it's believed spear-phishing is the main method of deployment.


Full article