Descendants of the spyware or malware

Life is not easy for malware, since malware detectors are common and popular. Even if the malware circumvents the detector, it is hard to bypass the SOC's monitoring because of the SIEM product. It looks like this limits the space for spyware or malware to hunt your data. The design weakness of malware is that it requires static connectivity to its C&C. I foresee that the descendants of spyware or malware will adopt something similar to smartphone technology that relies on HTTP connections (setting headers in a POST request with Java). Spyware or malware that uses this method is able to connect dynamically to its destination. Such a method helps to fool the defense mechanism. To be honest, sending JSON data from the client side is popular today, so it is hard to judge. Hackers focusing more on application design weaknesses is an ongoing trend in the cyber security world. Should you be interested in related details, please refer to the following URL for reference.

Layer 7 (application layer) – What is the information security key factors?

Sunday (10th Dec 2017) – Crypto currencies won the battle at this moment.

On Sunday (10th Dec 2017), the Chicago Board Options Exchange allowed investors to place their bets on crypto currency commodities. It seems crypto currencies have won the battle at this moment. Perhaps we are now living in a digital world: IoT, BYOD, AI, and enterprise firms keen to do digital transformation. As Charles Dickens said in his famous novel (A Tale of Two Cities), it was the best of times, it was the worst of times. Let's celebrate: the Chicago Board Options Exchange has allowed investors to place their bets on commodities from corn to steel (see below URL – CNN News).

New step for Bitcoin’s wild ride: Futures trading

Believe it or not? Homeland security twin brother!

There is a Chinese saying that your face may look similar to someone else's. This theory also applies to everything. I agree and believe the US government Homeland Security web site is unique. Believe it or not, the naming convention and contents of the web site below look similar to Homeland Security. However, the web site is not protected by the Akamai network, and it does not belong to the US government. To be honest, it makes you confused! URL shown below:

The picture diagram provides the details for your reference.

The Force Awakens – but it is Apache struts vulnerability!

Apache Struts seems to be the instigator of the Equifax data breach incident. An announcement by US Homeland Security this week urges IT staff to stay alert to a newly found Apache Struts vulnerability again (see below URL). My comment on this vulnerability is that it expands the attack space or vector. Why? Are you familiar with REST clients? It creates a new playground for hackers since it allows the attack against the Apache Struts product to be started from a mobile phone. We noticed that Cisco products are also Struts users (see below).

Vulnerability detail (see below):

Cisco products are also Struts users (see below)

Out of memory bounds implication – a never ending story


In the cyber security world we frequently hear the term privilege escalation. IT staff are familiar with buffer overflows causing privilege escalation vulnerabilities in the Windows 2000 operating system. It seems the buffer overflow issue does not only happen in Microsoft products; even if you are using Linux, it will happen. As of today, Apple iPhone and Google Android phones may also encounter this technical issue. But what are the major elements that trigger this cause? They include the software application, operating system drivers, libraries and the programming language!

Out-of-memory-bounds status is similar to a ninja: it can bypass ASLR protection

The above design limitation is an example showing the out-of-memory-bounds concern in the computer world. Yes, this issue covers the whole computer world and is not limited to Microsoft products. But what are the design difficulties for the system designer (OS kernel or software driver)? Basically, the system designer has flexibility in how memory addresses are used in their design. The overall situation changed once malware was born in the computer world. Judging from my study of the Microsoft TechNet blog discussions so far, it has been a tremendously hard job.

We might feel that the Windows 2012 R2 design looks perfect, since it is a mature product that summarizes the technical weaknesses and design limitation experiences of former products (Windows 2008, Windows 2000 and NT). But a technical issue found in 2015 brought this matter to my attention. The issue was that when the system owner merely deleted network interfaces on a server running Windows Server 2012 R2 or Windows Server 2012, random and intermittent crashes occurred on the system.


Symptom occurs on system platform: Windows Server 2012 R2 or Windows Server 2012. Some cluster nodes running Windows Server 2012 R2 or Windows Server 2012 go down because of corruption in NDIS and netcfg.

This case reveals to the computer world that even though memory is under memory protection features (Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP)), kernel and driver designers still have headaches in this matter. The word "perfect" does not appear in the real world; those memory protection facilities are not perfect. Should you be interested in this item, please refer to the below URL for reference.

Hints: Cyber security experts are aware of memory reuse and privilege escalation. The above out-of-memory-bounds informative diagram specifically shows an idea of how a hacker executes malicious program code in user mode instead of kernel mode.

I am a Microsoft OS. I just wonder why I was hacked even though I have a protective system?

My bias pinpoints Microsoft products, so let's jump to the Linux world.

BYOD and IoT devices empower the Linux operating system's achievements in the digital world. It looks like a lot of people share my opinion! They will accept the excuse for this baby (Linux). As far as we know, the best partner of Linux is the C or C++ programming language. There are two kinds of memory accessible to the programmer.

a. User's virtual memory space, in which the application runs.

b. Register memory

From a technical point of view, similar embarrassing situations (memory corruption) have occurred in the Linux operating system.

  • Buffer overflow – writing beyond the allocated length
  • Array index out of bounds: (array index overflow – index too large / underflow – negative index)
  • Using an address before memory is allocated and set. In this scenario the memory location is NULL or random. It is a run-time error that occurs when you try to point at illegal memory space, usually address 0, which is reserved for the OS.
  • Pointer persistence – a function returning a pointer to its stack, which can get overwritten by the calling function (in this case main()):
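As an added example (not code from the original post), the following C helpers show the defensive pattern for each class in the list above: a checked array read that refuses NULL, too-large and negative indexes, a bounded copy that never writes past the allocated length, and a function that fills caller-owned storage instead of returning a pointer to its own stack frame. All function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>
/* Checked array read (hypothetical helper): rejects NULL (an address never set),
 * idx >= len (index overflow) and a negative idx (underflow). 0 = ok, -1 = refused. */
int checked_read(const int *arr, size_t len, long idx, int *out)
{
    if (arr == NULL || out == NULL || idx < 0 || (size_t)idx >= len)
        return -1;
    *out = arr[idx];
    return 0;
}

/* Bounded copy: never writes past dst_len bytes and always NUL-terminates.
 * A source that does not fit is refused instead of silently truncated. */
int bounded_copy(char *dst, size_t dst_len, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_len)               /* room for the terminator is required */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Pointer persistence done right: the result lives in caller-owned storage, so the
 * pointer stays valid after return; a local char[] here would be overwritten by main(). */
char *make_greeting(char *dst, size_t dst_len, const char *name)
{
    if (dst == NULL || dst_len < 4 || bounded_copy(dst + 3, dst_len - 3, name) != 0)
        return NULL;
    memcpy(dst, "hi ", 3);          /* prefix goes in front of the already-checked name */
    return dst;
}

/* Exercises every guard; returns how many of the 6 checks behaved as intended. */
int self_check(void)
{
    int arr[4] = {10, 20, 30, 40}, v = 0, ok = 0;
    char buf[8];
    ok += (checked_read(arr, 4, 3, &v) == 0 && v == 40);
    ok += (checked_read(arr, 4, 4, &v) == -1 && checked_read(arr, 4, -1, &v) == -1);
    ok += (checked_read(NULL, 4, 0, &v) == -1);                          /* pointer never set */
    ok += (bounded_copy(buf, sizeof buf, "1234567") == 0 && bounded_copy(buf, sizeof buf, "12345678") == -1);
    ok += (make_greeting(buf, sizeof buf, "bob") != NULL && strcmp(buf, "hi bob") == 0);
    ok += (make_greeting(buf, sizeof buf, "alexander") == NULL);          /* refused, not overflowed */
    return ok;
}
```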

In fact, for smartphone operating systems, especially Android, the cyber attack hit rate is equivalent to that of common office automation software applications. For more details, please see the below diagram for reference.

To conduct a review of the cyber attack: cyber attacks targeting memory addresses are not a new finding in the mobile phone world. For instance, Huawei mobile phones encountered an Out-of-Bounds Memory Access Vulnerability in the Boot Loaders in April 2017 (CVE-2017-8149). According to the CVE record details, this vulnerability affects an unknown function of the Boot Loader component. The manipulation of a parameter leads to a memory corruption vulnerability (Out-of-Bounds). The vendor comment is that if the vulnerability is successfully exploited, the impact could be an out-of-bounds memory read, leading to continuous system reboot.

My comment regarding this technical issue (out of memory bounds)

The impact of an out-of-bounds memory access all depends on where the access lands in host memory: it could lead to information disclosure, or crash the process and trigger denial of service. It could potentially be leveraged to execute arbitrary code with privilege escalation.

How about programming languages, will it happen in this area?

Yes, it will happen. See what's going on in programming languages now! PHP is a server-side scripting language designed primarily for web development but also used as a general-purpose programming language. But there is no excuse given to the PHP language. Details shown below:

Out-of-bounds memory read via gdImageRotateInterpolated (CVE-2016-1903)

Details: The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a large bgd_color argument to the imagerotate function. A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted image file could cause a PHP application using the imagerotate() function to disclose portions of the server memory or crash the PHP application.


Memory out of bounds looks like it will keep happening in the digital world. It sounds like a tumor in animal and human bodies. The impact of an out-of-bounds memory access all depends on where the access lands in host memory: it could lead to information disclosure, or crash the process and trigger denial of service. It could potentially be leveraged to execute arbitrary code with privilege escalation.

Life is not easy, especially in the IT world. But sometimes it is fun! Wishing you a Merry X'mas and Happy New Year.

How much is your data privacy worth today?

We are all aware that our activities in the cyber world are under surveillance. But are you alert to the fact that even when there is no surveillance and no malware sniffing your data, the loyal data protection guard installed on your workstation and server keeps track of you daily? Perhaps you have a basic understanding of how antivirus vendors make use of your data. It is so called meta data. In the ongoing computer cyber trend, artificial intelligence and Big Data analytics intend to collect that data. But looking across the world, it looks like there are gaps in the data collection policy. For instance, we choose Brand A antivirus this year, but next year we would like to use another brand of antivirus program. As far as I know, the disclaimers of antivirus vendors do not mention in detail how they are going to dispose of the meta data that belongs to you. To be honest, it is hard to erase your workstation's meta data from their repository. Perhaps the vendor told you that no personal information will be collected by this function and that they only keep track of antivirus or malware attack behavior. But if such monitoring is not running 24 hours a day, how would the monitoring and detection functions work well? You may be aware that your loyal antivirus program also keeps track of your activities!

Would you mind someone sharing your CPU power during your site visit?

Sharing your CPU power to do bitcoin mining is not news. It seems the storm has spread to Hong Kong. An unknown program implanted on the web server shares your CPU resources during your site visit. It looks like such a method wreaks havoc! But this threat occurred on a children's products web portal. Why? More than 90% of people feel that hackers will not be interested in this industry. But sharing your CPU power might operate in silent mode, right? Are you a victim of this attack? A simple and easy step to figure out the issue: open your Windows Task Manager, then check your CPU utilization before and after closing the specific web browser tab. You will figure out what is going on. Headline news details are shown below:

Chinese language Newspaper article

Another former discussion subject: Become a witness of the new generation of the financial age. For more details, please refer to the following URL:

Become a witness of new generation of financial age. But be careful of hack.


Nautilus & Neuron

The way a hostile country collects government confidential information and business economic details is not like the 70's, when a group of people so called spies infiltrated the foreign country. The new way reduces the overall injury. The conceptual idea of malware implemented in the computer world is equivalent to the task of a spy. The National Cyber Security Centre urges IT admins around the world to stay alert to the current suspicious network activities conducted by the Turla Group. Having read a few technical articles, the overall comment is that they are supported by a country. The most famous tool (rootkit) "snake" was designed by this group. Since "snake" has been in use for a few years, new tools (Nautilus and Neuron) have been deployed to replace "snake". The new tools primarily focus on two Microsoft products (Exchange and IIS server); however, the targets will be both the client (endpoint) and the server. Reading the technical articles is a burden to IT staff since cyber attacks are so frequent. A quick and dirty way that provides the shortest path for IT staff is the key. What to do, right? Yes, the free of charge scan tool provided by Microsoft below will help you in this regard (refer to the below URL for reference).

China IPv6 implementation road map. Will it be a burden on the current surveillance task?

A tough new cyber security law was put in place in China in June 2017. The United States submitted a document to the WTO Services Council, saying that if China's new rules enter into full force in their current form, as expected by the end of 2018, they could impact cross-border services supplied through a commercial presence abroad. An IPv6 road map was announced by the General Office of the State Council of the PRC on 26th Nov 2017. The road map drives the whole network, applications and computers to prioritize IPv6 connectivity. We know that RFC 4941 defines "privacy extensions for IPv6" autoconfiguration. This standard defines a mechanism where a device generates a random host address and uses that instead of an address derived from the device's MAC address. As a result it is better at avoiding surveillance and tracking. The surveillance program in China is different from other countries, since monitoring network behavior, so called surveillance, is the China government's policy. We will see whether RFC 4941 becomes a burden in the coming future.

What happens next?


I heard that NECURS botnet activity is growing rapidly. Its major goal is to deliver ransomware through email spam or email scams. An announcement broadcast by SANS on 1st Nov 2017 alerted that Necurs botnet malspam pushes Locky using a DDE attack. The Necurs bot relies on MS Word documents with embedded malware to compromise your machine; for instance, a Word document with embedded objects that call PowerShell to compromise your machine. Apart from that, they make use of DDE. The Necurs botnet has a brilliant history, since its design features protect it and let it bypass the current detection mechanisms. Even though DNS protection is a popular defense mechanism today, it is not afraid. Its program design looks like assembly, so it enhances its infection capability. Should you be interested in more details, the attached picture can tell. For more details about the status update, please refer to the below URL for reference.