Alerts

An Example of Evolving Obfuscation, (Tue, Mar 3rd)

Latest Alerts - Tue, 03/03/2015 - 08:42

Since May of 2014, I've been tracking a particular group that uses the Sweet Orange exploit kit to deliver malware. This group also uses obfuscation to make it harder to detect the infection chain of events.

By 2015, this group included more obfuscation within the initial JavaScript. However, the result causes more work to detect the malicious activity.

Either way, the infection chain flows according to the following block diagram:


Previous obfuscation

Below are images from an infection chain from July 2014 [1]. Here we find malicious JavaScript from the compromised website. In this image, I've highlighted two areas:


Recent obfuscation

Below are images from an infection chain by the same actor in February 2015 [2]. Again we find malicious JavaScript from the compromised website. However, in this case, there

First is the function that replaces any non-hexadecimal characters with nothing and replaces various symbols with the percent symbol (%). This time, we have Unicode-based hexadecimal obfuscation and some variables thrown in. This does the same basic function as the previous example. It's now a bit harder to find when you

That URL is now obfuscated with Unicode-based hexadecimal escape sequences. For example, \u0074 represents the ASCII character t (lower case).
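As an added example (not code from the diary, nor from the scripts it analyzes), here is how an analyst can statically undo both layers described above: the \uXXXX escapes, and the routine that strips non-hex characters, turns marker symbols into % and percent-decodes. The marker symbol set and the sample strings are constructed for illustration; in a real sample the symbols have to be read out of that script's own replace() calls.

```javascript
// Added example: static decoders for the two obfuscation layers described in
// the diary. Nothing here evaluates the captured script; text is only transformed.

// Layer 1: a string written as \uXXXX escapes. Resolve each escape to the
// character it stands for (\u0074 -> 't').
function decodeUnicodeEscapes(text) {
  return text.replace(/\\u([0-9a-fA-F]{4})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Escape a single character so it can sit inside a regex character class.
function escapeForCharClass(ch) {
  return ch.replace(/[\\\]^-]/g, "\\$&");
}

// Layer 2: the script drops every character that is not a hex digit, turns its
// marker symbols into '%', then percent-decodes. `markerSymbols` is the set of
// symbols the sample replaces with '%' (constructed here). Returns null when
// the result is not valid percent-encoding, which usually means the marker
// set or the junk characters were misidentified.
function decodeHexMarkerString(obfuscated, markerSymbols) {
  const markers = markerSymbols.map(escapeForCharClass).join("");
  const dropNonHex = new RegExp(`[^0-9a-fA-F${markers}]`, "g");
  const markerToPercent = new RegExp(`[${markers}]`, "g");
  const percentEncoded = obfuscated
    .replace(dropNonHex, "")
    .replace(markerToPercent, "%");
  try {
    return decodeURIComponent(percentEncoded);
  } catch (e) {
    return null; // URIError: odd hex digit count or a wrong marker set
  }
}

// Both layers in the order they appear in the captured script: resolve the
// \uXXXX escapes first, then undo the hex/marker encoding of the result.
function deobfuscate(text, markerSymbols) {
  return decodeHexMarkerString(decodeUnicodeEscapes(text), markerSymbols);
}

// Constructed samples with a benign placeholder URL, not values from the chain.
const SAMPLE_UNICODE = "\\u0068\\u0074\\u0074\\u0070\\u003a\\u002f\\u002f";
const SAMPLE_HEX_MARKER =
  "!68q!74z!74-!70~!3a!2f!2f!65!78!61!6d!70!6c!65!2e!63!6f!6d";
const SAMPLE_MARKERS = ["!"];

console.log(decodeUnicodeEscapes(SAMPLE_UNICODE));                     // http://
console.log(decodeHexMarkerString(SAMPLE_HEX_MARKER, SAMPLE_MARKERS)); // http://example.com
```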

Once again, let

However, the result causes more work for analysts to fully map the chain of events. We can expect continued evolution of these obfuscation techniques by this and other actors.

---

Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://malware-traffic-analysis.net/2014/07/08/index.html
[2] http://malware-traffic-analysis.net/2015/02/09/index2.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Tuesday, March 3rd 2015 http://isc.sans.edu/podcastdetail.html?id=4379, (Tue, Mar 3rd)

Latest Alerts - Mon, 03/02/2015 - 18:24

How Do You Control the Internet of Things Inside Your Network?, (Mon, Mar 2nd)

Latest Alerts - Mon, 03/02/2015 - 09:21

Klaus Vesthammer recently tweeted that "The Internet of Things is just like the regular Internet, just without software patches." We have a flood of announcements about vulnerable devices, and little in terms of patches. At the same time, expect more and more of these devices to be connected to your network, whether you want it or not. Bring Your Own Device should be addressed more inclusively than just covering smartphones and tablets.

If you do have a working inventory system that recognizes and blocks unauthorized devices in real time, then stop reading and count yourself lucky. But for most of us, network maps are filed under fiction, and network access control was that great solution we tried and that failed as it hit real network life. So what else is there to do?

One of the critical aspects is to figure out not just which devices are on your network, but also whether they talk to systems outside of your network. Active scanning will only get you so far. Many devices, to save power, will not connect to the network unless they have something to say. Some also use Bluetooth to connect to smartphones and use them as a gateway. The device will not show up as an entity on your network in this case.

Here are a couple of indicators to look for:

- NTP queries: Some devices have hard-coded NTP servers that do not match your standard network configuration
- DNS queries: DNS knows everything
- HTTP User-Agent and Server headers

I am sure someone will provide pointers for doing this in Bro. For everybody else, some simple log parsing scripts can help. Any other methods you use to find new and dangerous devices on your network?
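Added example (not from the diary): a small Node.js pass over exported flow, resolver and proxy log lines that applies the three indicators above and groups hits per host. The log layouts, the "approved" NTP/DNS servers and zones, the User-Agent allow-list and every record are constructed for the example, not any product's real format.

```javascript
// Added example: hunting for unmanaged (IoT) devices in exported logs using the
// three indicators from the diary: NTP destinations, DNS queries, User-Agent.
// Log layouts, the policy and all records below are constructed for the example.

// What a managed host on this constructed network is expected to use.
const POLICY = {
  ntpServers: new Set(["10.0.0.1"]),             // the internal NTP server
  dnsResolvers: new Set(["10.0.0.2"]),           // the internal resolver
  internalZones: ["corp.example."],              // names managed hosts look up
  knownUserAgentPrefixes: ["Mozilla/", "curl/"], // agents of managed software
};

// Flow records (constructed): ts src dst proto dport
const FLOW_LOG = [
  "2015-03-02T09:01:00Z 10.0.1.20 10.0.0.1 udp 123",
  "2015-03-02T09:01:05Z 10.0.1.77 198.51.100.123 udp 123",
  "2015-03-02T09:01:09Z 10.0.1.77 203.0.113.53 udp 53",
  "2015-03-02T09:01:12Z 10.0.1.20 10.0.0.2 udp 53",
];

// Resolver query log (constructed): ts client qname
const DNS_LOG = [
  "2015-03-02T09:01:12Z 10.0.1.20 intranet.corp.example.",
  "2015-03-02T09:01:13Z 10.0.1.91 fw-update.thermostat-vendor.example.",
];

// Proxy/web log (constructed): ts client "User-Agent"
const HTTP_LOG = [
  '2015-03-02T09:02:00Z 10.0.1.20 "Mozilla/5.0 (Windows NT 6.1)"',
  '2015-03-02T09:02:03Z 10.0.1.91 "ThermoStat/1.0 (fw 2.3.1)"',
];

function parseFlow(line) {
  const [ts, src, dst, proto, dport] = line.trim().split(/\s+/);
  return { ts, src, dst, proto, dport: Number(dport) };
}

function parseDns(line) {
  const [ts, client, qname] = line.trim().split(/\s+/);
  return { ts, client, qname: qname.toLowerCase() };
}

function parseHttp(line) {
  const m = line.match(/^(\S+)\s+(\S+)\s+"(.*)"$/);
  return m ? { ts: m[1], client: m[2], userAgent: m[3] } : null;
}

// Returns Map<host, ["indicator:detail", ...]>. A host that trips several
// indicators is the strongest candidate for an unmanaged device.
function findUnmanagedDevices(logs, policy) {
  const byHost = new Map();
  const flag = (host, indicator, detail) => {
    if (!byHost.has(host)) byHost.set(host, []);
    byHost.get(host).push(`${indicator}:${detail}`);
  };
  for (const f of logs.flow.map(parseFlow)) {
    // Hard-coded NTP servers and resolvers that bypass the site configuration.
    if (f.proto === "udp" && f.dport === 123 && !policy.ntpServers.has(f.dst)) {
      flag(f.src, "ntp", f.dst);
    }
    if (f.proto === "udp" && f.dport === 53 && !policy.dnsResolvers.has(f.dst)) {
      flag(f.src, "dns-resolver", f.dst);
    }
  }
  for (const q of logs.dns.map(parseDns)) {
    // "DNS knows everything": names outside the internal zones point at the
    // vendor infrastructure a device phones home to. On a real network, pair
    // this with another indicator, since browsers also resolve external names.
    if (!policy.internalZones.some((zone) => q.qname.endsWith(zone))) {
      flag(q.client, "dns-query", q.qname);
    }
  }
  for (const h of logs.http.map(parseHttp).filter(Boolean)) {
    if (!policy.knownUserAgentPrefixes.some((p) => h.userAgent.startsWith(p))) {
      flag(h.client, "user-agent", h.userAgent);
    }
  }
  return byHost;
}

const FINDINGS = findUnmanagedDevices(
  { flow: FLOW_LOG, dns: DNS_LOG, http: HTTP_LOG }, POLICY);
for (const [host, hits] of FINDINGS) console.log(host, hits.join(" | "));
```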

---
Johannes B. Ullrich, Ph.D.
STI | Twitter | LinkedIn


ISC StormCast for Monday, March 2nd 2015 http://isc.sans.edu/podcastdetail.html?id=4377, (Mon, Mar 2nd)

Latest Alerts - Sun, 03/01/2015 - 17:57

Advisory: Seagate NAS Remote Code Execution, (Sun, Mar 1st)

Latest Alerts - Sun, 03/01/2015 - 08:14

Beyond Binary is reporting a vulnerability affecting Seagate's Business Storage line of NAS devices and possibly other Seagate NAS products. These are fairly common devices in SOHO and even small enterprise applications.

It appears that a number of OTS components and the custom web application used in the web management interface are out of date and will permit unimpeded access to the administration functions of the device. It is believed that versions of the firmware up to and including 2014.00319 are vulnerable.

It appears to be trivial to exploit these devices, and a Metasploit module and an exploit are publicly available.

It is hoped that if you have one of these devices in your network, you do not have the administration interface accessible on the Internet. If you do, you will want to remove it. You can be sure that the bad guys have started scanning for these devices. At this point no updated firmware is available to resolve this issue.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)


Let's Encrypt!, (Fri, Feb 27th)

Latest Alerts - Fri, 02/27/2015 - 19:34

As I have stated in the past, I am not a fan of all of the incomprehensible warning messages that average users are inundated with, and almost universally fail to understand, and the click-thru culture these dialogs are propagating.

Unfortunately this is not just confined to websites on the Internet. With the increased use of HTTPS for web-based management, this issue is increasingly appearing on corporate networks.

The issue in most cases is caused by what is called a self-signed certificate: essentially, a certificate not backed by a recognized certificate authority. The fact is that recognized certificates are not cheap. For vendors to supply valid certificates for every device they sell would add significant cost to the product and would require the vendor to manage those certificates on all of their machines.

The Internet Security Research Group (ISRG), a public benefit corporation sponsored by the Electronic Frontier Foundation (EFF), Mozilla and other heavy hitters, aims to help reduce this problem and clean up the invalid certificate warning dialogs.

Their project, Let's Encrypt, aims to provide certificates for free, and to automate the deployment and expiry of certificates.

Essentially, a piece of software is installed on the server which will talk to the Let's Encrypt certificate authority. From Let's Encrypt's website:

The Let's Encrypt management software will:

  • Automatically prove to the Lets Encrypt CA that you control the website
  • Obtain a browser-trusted certificate and set it up on your web server
  • Keep track of when your certificate is going to expire, and automatically renew it
  • Help you revoke the certificate if that ever becomes necessary.

While there is still some complexity involved, it should make it a lot easier, and cheaper, for vendors to deploy legitimate certificates into their products. I am interested to see how they will stop bad guys from using their certificates for phishing sites, and what the process will be to report fraudulent use, but I am sure all of that will come.

Currently, it sounds like the Let's Encrypt certificate authority will start issuing certificates in mid-2015.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)


DDOS are way down? Why?, (Fri, Feb 27th)

Latest Alerts - Fri, 02/27/2015 - 12:04

I have been tracking DDoS volume and patterns for a few years. We have seen the attacks move from DNS to NTP, to chargen, then on to SSDP and occasionally QOTD. I think we have a much better understanding of the vulnerabilities which are enabling the successful amplification of these attacks, and of what ISPs can do to reduce the impact of this style of attack.

What I haven't been able to understand is why, since late last year, other than the occasional booter and attacks on Brian Krebs, the incidence and volume of these attacks have dropped off almost completely.

Any ideas?

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)


Leonard Nimoy has passed - please be alert for the rounds of Phishing and malware that will inevitably occur!, (Fri, Feb 27th)

Latest Alerts - Fri, 02/27/2015 - 10:23

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)


Tails 1.3 released - https://tails.boum.org/news/version_1.3/index.en.html, (Fri, Feb 27th)

Latest Alerts - Fri, 02/27/2015 - 05:30

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)


Tor Browser Version 4.0.4 released - https://blog.torproject.org/blog/tor-browser-404-released, (Fri, Feb 27th)

Latest Alerts - Fri, 02/27/2015 - 05:27

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)


ISC StormCast for Friday, February 27th 2015 http://isc.sans.edu/podcastdetail.html?id=4375, (Fri, Feb 27th)

Latest Alerts - Thu, 02/26/2015 - 17:42

New Feature: Subnet Report, (Thu, Feb 26th)

Latest Alerts - Thu, 02/26/2015 - 10:17

We do have a new way to search our data more efficiently by subnets. Right now, the data will cover recent reports to DShield and a few of the external feeds that we include. You can access the new report here: https://isc.sans.edu/subnetquery.html

I am still monitoring the impact the queries have on our overall database performance. For now, you are limited to 3 queries per minute if you are not logged in.

And as a reminder: the data is only as good as the data we receive. Please consider contributing your own data. See https://isc.sans.edu/howto.html for details. We also accept web server error logs (see the 404 project) and Kippo SSH honeypot logs.

In case of high database load, you will be redirected back to the index page (index_cached.html).

---
Johannes B. Ullrich, Ph.D.
STI | Twitter | LinkedIn


ISC StormCast for Thursday, February 26th 2015 http://isc.sans.edu/podcastdetail.html?id=4373, (Thu, Feb 26th)

Latest Alerts - Wed, 02/25/2015 - 19:02

Samba vulnerability - Remote Code Execution - (CVE-2015-0240), (Wed, Feb 25th)

Latest Alerts - Wed, 02/25/2015 - 18:51

The Red Hat security team has released an advisory on a Samba vulnerability affecting Samba versions 3.5.0 through 4.2.0rc4. It can be exploited by a malicious Samba client by sending specially crafted packets to the Samba server. No authentication is required to exploit this flaw. It can result in remotely controlled execution of arbitrary code as root. [1]

A patch [2] has been released by the Samba team to address the vulnerability.


[1] https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/

[2] https://www.samba.org/samba/history/security.html

Chris Mohan --- Internet Storm Center Handler on Duty



ISC StormCast for Wednesday, February 25th 2015 http://isc.sans.edu/podcastdetail.html?id=4371, (Wed, Feb 25th)

Latest Alerts - Tue, 02/24/2015 - 19:28

Copy.com Used to Distribute Crypto Ransomware, (Wed, Feb 25th)

Latest Alerts - Tue, 02/24/2015 - 17:04

Thanks to Marco for sending us a sample of yet another piece of crypto-ransom malware. The file was retrieved after visiting a compromised site (www.my-sda24.com). Interestingly, the malware itself was stored on copy.com.

Copy.com is a cloud-based file sharing service targeting corporate users. It is run by Barracuda, a company also known for its e-mail and web filtering products that protect users from just such malware. To its credit, Barracuda removed the malware within minutes of Marco finding it.

At least right now, detection for this sample is not great. According to VirusTotal, 8 out of 57 virus engines identify the file as malicious [1]. A URL blacklist approach may identify the original site as malicious, but copy.com is unlikely to be blocked. It has become very popular for miscreants to store malicious files on cloud services, in particular if they offer free trial accounts. Not all of them are as fast as Barracuda in removing these files.

[1] https://www.virustotal.com/en/file/1473d1688a73b47d1a08dd591ffc5b5591860e3deb79a47aa35e987b2956adf4/analysis/

---
Johannes B. Ullrich, Ph.D.
STI | Twitter | LinkedIn


11 Ways To Track Your Moves When Using a Web Browser, (Tue, Feb 24th)

Latest Alerts - Tue, 02/24/2015 - 08:41

There are a number of different use cases for tracking users as they use a particular web site. Some of them are more sinister than others. For most web applications, some form of session tracking is required to maintain the user's state. This is typically easily done using well-configured cookies (and is not in the scope of this article). Sessions are meant to be ephemeral and will not persist for long.

On the other hand, some tracking methods do attempt to track the user over a long time, and in particular attempt to make it difficult to evade the tracking. This is sometimes done for advertisement purposes, but can also be done to stop certain attacks like brute forcing or to identify attackers that return to a site. In its worst case, from a privacy perspective, the tracking is done to follow a user across various web sites.

Over the years, browsers and plugins have provided a number of ways to restrict this tracking. Here are some of the more common techniques used for tracking, and how the user can prevent (some of) it:

1 - Cookies

Cookies are meant to maintain state between different requests. A browser will send a cookie with each request once it is set for a particular site. From a privacy point of view, the expiration time and the domain of the cookie are the most important settings. Most browsers will reject cookies set on behalf of a different site, unless the user permits these cookies to be set. A proper session cookie should not use an expiration date, as it should expire as soon as the browser is closed. Most browsers do offer means to review, control and delete cookies. In the past, a Cookie2 header was proposed for session cookies, but this header has been deprecated and browsers stopped supporting it.

https://www.ietf.org/rfc/rfc2965.txt
http://tools.ietf.org/html/rfc6265

2 - Flash Cookies (Local Shared Objects)

Flash has its own persistence mechanism. These Flash cookies are files that can be left on the client. They cannot be set on behalf of other sites (cross-origin), but one SWF script can expose the content of an LSO to other scripts, which can be used to implement cross-origin storage. The best way to prevent Flash cookies from tracking you is to disable Flash. Managing Flash cookies is tricky and typically does require special plugins.

https://helpx.adobe.com/flash-player/kb/disable-local-shared-objects-flash.html

3 - IP Address

The IP address is probably the most basic tracking mechanism of all IP-based communication, but it is not always reliable, as users' IP addresses may change at any time and multiple users often share the same IP address. You can use various VPN products or systems like Tor to prevent your IP address from being used to track you, but this usually comes with a performance hit. Some modern JavaScript extensions (RTC in particular) can be used to retrieve a user's internal IP address, which can be used to resolve ambiguities introduced by NAT. But RTC is not yet implemented in all browsers. IPv6 may provide additional methods to use the IP address to identify users, as you are less likely to run into issues with NAT.

http://ipleak.net

4 - User Agent

The User-Agent string sent by a browser is hardly ever unique by default, but spyware sometimes modifies the User-Agent to add unique values to it. Many browsers allow adjusting the User-Agent, and more recently browsers started to reduce the information in the User-Agent or even made it somewhat dynamic to match the expected content. Non-spyware plugins sometimes modify the User-Agent to indicate support for specific features.

5 - Browser Fingerprinting

A web browser is hardly ever one monolithic piece of software. Instead, web browsers interact with various plugins and extensions the user may have installed. Past work has shown that the combination of plugin versions and configuration options selected by the user tends to be amazingly unique, and this technique has been used to derive unique identifiers. There is not much you can do to prevent this, other than minimizing the number of plugins you install (but that may be an indicator in itself).

https://panopticlick.eff.org

6 - Local Storage

HTML5 offers two new ways to store data on the client: Local Storage and Session Storage. Local Storage is most useful for persistent storage on the client, and with that, user tracking. Access to local storage is limited to the site that sent the data. Some browsers implement debug features that allow the user to review the data stored. Session Storage is limited to a particular window and is removed as soon as the window is closed.

https://html.spec.whatwg.org/multipage/webstorage.html

7 - Cached Content

Browsers cache content based on the expiration headers provided by the server. A web application can include unique content in a page and then use JavaScript to check whether the content is cached or not in order to identify a user. This technique can be implemented using images, fonts or pretty much any content. It is difficult to defend against unless you routinely (e.g. on closing the browser) delete all cached content. Some browsers allow you to not cache any content at all, but this can cause significant performance issues. Recently Google has been seen using fonts to track users, but the technique is not new. Cached JavaScript can easily be used to set unique tracking IDs.

http://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/
http://fontfeed.com/archives/google-webfonts-the-spy-inside/

8 - Canvas Fingerprinting

This is a more recent technique and in essence a special form of browser fingerprinting. HTML5 introduced a Canvas API that allows JavaScript to draw images in your browser. In addition, it is possible to read back the image that was created. As it turns out, font configurations and other parameters are unique enough to result in slightly different images when using identical JavaScript code to draw the image. These differences can be used to derive a browser identifier. There is not much you can do to prevent this from happening. I am not aware of a browser that allows you to disable the canvas feature, and pretty much all reasonably up-to-date browsers support it in some form.

https://securehomes.esat.kuleuven.be/~gacar/persistent/index.html

9 - Carrier Injected Headers

Verizon recently started injecting specific headers into HTTP requests to identify users. As this is done in flight, it only works for HTTP and not HTTPS. Each user is assigned a specific ID, and the ID is injected into all HTTP requests as an X-UIDH header. Verizon offers a for-pay service that a web site can use to retrieve demographic information about the user. But just by itself, the header can be used to track users, as it stays linked to the user for an extended time.

http://webpolicy.org/2014/10/24/how-verizons-advertising-header-works/

10 - Redirects

This is a bit of a variation on the cached content tracking. If a user is redirected using a 301 (Permanent Redirect) code, then the browser will remember the redirect and pull up the target page right away, not visiting the original page first. So for example, if you click on a link to isc.sans.edu, I could redirect you to isc.sans.edu/index.html?id=sometrackingid. Next time you go to isc.sans.edu, your browser will automatically go directly to the second URL. This technique is less reliable than some of the other techniques, as browsers differ in how they cache redirects.

https://www.elie.net/blog/security/tracking-users-that-block-cookies-with-a-http-redirect

11 - Cookie Respawning / Syncing

Some of the methods above have pretty simple countermeasures. In order to make it harder for users to evade tracking, sites often combine different methods and respawn cookies. This technique is sometimes referred to as Evercookie. If the user deletes, for example, the HTTP cookie but not the Flash cookie, the Flash cookie is used to re-create the HTTP cookie on the user's next visit.

https://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab11001.pdf
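Added example (not from the diary): a Node.js audit of captured request and response headers for three of the mechanisms above: cookies that outlive the session or are scoped to a whole domain (item 1), a carrier-injected X-UIDH header (item 9), and a 301 to the same host that appends a query string the request did not have (item 10). The header samples, hostnames and identifiers are constructed; header names are assumed to be lower-cased keys as most capture tools emit them.

```javascript
// Added example: auditing captured HTTP headers for the tracking mechanisms
// in items 1, 9 and 10 of the diary. All header samples are constructed.

const ONE_YEAR_SECONDS = 365 * 24 * 3600;

// Parse one Set-Cookie header into its name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i < 0 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Lifetime in seconds from Max-Age (takes precedence) or Expires; null means
// a session cookie, which is what a pure session identifier should be.
function cookieLifetimeSeconds(cookie, nowMs) {
  const a = cookie.attributes;
  if (a["max-age"] !== undefined) return Number(a["max-age"]);
  if (a["expires"] !== undefined) {
    const t = Date.parse(a["expires"]);
    return Number.isNaN(t) ? null : Math.round((t - nowMs) / 1000);
  }
  return null;
}

// Audit one response. Returns a list of human-readable findings.
function auditResponse(requestUrl, status, headers, nowMs) {
  const findings = [];
  const req = new URL(requestUrl);
  for (const raw of headers["set-cookie"] || []) {
    const cookie = parseSetCookie(raw);
    const life = cookieLifetimeSeconds(cookie, nowMs);
    if (life === null) continue; // session cookie: gone when the browser closes
    const kind = life > ONE_YEAR_SECONDS ? "long-lived" : "persistent";
    findings.push(`${kind} cookie ${cookie.name} (${life}s)`);
    // A Domain attribute wider than the host makes the cookie readable by
    // every sibling host under that domain.
    const domain = cookie.attributes["domain"];
    if (typeof domain === "string" && domain.replace(/^\./, "") !== req.hostname) {
      findings.push(`domain-wide cookie ${cookie.name} (${domain})`);
    }
  }
  // Item 10: a cached 301 to the same host that adds a query string the
  // request did not have is a way to pin an identifier to the browser.
  if (status === 301 && headers["location"]) {
    const loc = new URL(headers["location"], requestUrl);
    if (loc.host === req.host && loc.search && !req.search) {
      findings.push(`301 to same host adds query ${loc.search}`);
    }
  }
  return findings;
}

// Audit one request: X-UIDH can only be injected in flight on plain HTTP.
function auditRequest(requestUrl, headers) {
  if (!headers["x-uidh"]) return [];
  const scheme = new URL(requestUrl).protocol.replace(":", "");
  return [`X-UIDH present over ${scheme}`];
}

// Constructed capture, dated to the diary entry.
const NOW_MS = Date.parse("2015-02-24T08:41:00Z");
const SAMPLE_RESPONSE_FINDINGS = auditResponse("http://www.example.com/", 301, {
  "location": "http://www.example.com/index.html?id=sometrackingid",
  "set-cookie": [
    "sid=abc123; Path=/; HttpOnly",
    "trk=deadbeef; Max-Age=63072000; Domain=.example.com; Path=/",
  ],
}, NOW_MS);
const SAMPLE_REQUEST_FINDINGS = auditRequest("http://www.example.com/",
  { "host": "www.example.com", "x-uidh": "constructed-carrier-id" });
console.log(SAMPLE_RESPONSE_FINDINGS, SAMPLE_REQUEST_FINDINGS);
```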

Any methods I missed? (I am sure there have to be a couple...)

---
Johannes B. Ullrich, Ph.D.
STI | Twitter | LinkedIn


ISC StormCast for Tuesday, February 24th 2015 http://isc.sans.edu/podcastdetail.html?id=4369, (Tue, Feb 24th)

Latest Alerts - Mon, 02/23/2015 - 16:20

Subscribing to the DShield Top 20 on a Palo Alto Networks Firewall, (Mon, Feb 23rd)

Latest Alerts - Mon, 02/23/2015 - 11:29

This question has come up a few times in my recent travels and it seemed like something to post for our readers, hope you find it useful, comments welcome!

Overview

This will walk you through the steps of subscribing to our top 20 block list on a Palo Alto Networks firewall. It will also show you how to make a rule using the external block list. You can create a rule to block both inbound and outbound; however, this walk-through includes only an outbound rule. Any traffic transiting outbound from an internal host to a network on this top 20 list should be considered suspect, prevented, and then investigated.

Our DShield Top 20 List can always be found here:

http://feeds.dshield.org/block.txt

The source for the parsed and Palo Alto Networks formatted version of the DShield block list can be found here:

http://panwdbl.appspot.com/lists/dshieldbl.txt

The full source of external block lists:

http://panwdbl.appspot.com/

It is my understanding that this unofficial source is maintained by a Palo Alto Networks systems engineer, although this is not confirmed.
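Added example (not the diary's code, nor the panwdbl.appspot.com converter): a Node.js routine that turns the tab-delimited block.txt feed into the one-network-per-line text a PAN-OS external block list expects, rejecting any line whose start/end addresses do not match the stated netmask so a malformed entry cannot become a far wider block than intended. It assumes the column layout described in block.txt's own header (start, end, netmask, attacks, name, country, contact); the feed excerpt below is constructed from documentation address ranges.

```javascript
// Added example: validate and convert the DShield block.txt feed into CIDR
// entries for a PAN-OS external block list. Sample feed lines are constructed.

// Constructed excerpt in the block.txt layout:
// start<TAB>end<TAB>netmask<TAB>attacks<TAB>name<TAB>country<TAB>email
const SAMPLE_BLOCK_TXT = [
  "# DShield.org Recommended Block List (constructed excerpt)",
  "Start\tEnd\tNetmask\tAttacks\tName\tCountry\temail",
  "198.51.100.0\t198.51.100.255\t24\t4210\tEXAMPLE-NET-A\tXX\tabuse@example.net",
  "203.0.113.0\t203.0.113.255\t24\t1880\tEXAMPLE-NET-B\tXX\tabuse@example.org",
  "192.0.2.0\t192.0.2.255\t16\t900\tBROKEN-MASK\tXX\tabuse@example.com",
  "not.an.ip\t192.0.2.255\t24\t1\tGARBAGE\tXX\t",
].join("\n");

// Dotted-quad IPv4 to a 32-bit integer, or null if the text is not an address.
function ipv4ToInt(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Returns { cidrs, rejected }: cidrs is the EBL body (one network per line),
// rejected explains every skipped line so the feed can be checked by hand.
function blockTxtToEbl(text) {
  const cidrs = [];
  const rejected = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith("Start\t")) continue;
    const [start, end, maskStr] = line.split("\t");
    const s = ipv4ToInt(start), e = ipv4ToInt(end), mask = Number(maskStr);
    if (s === null || e === null || !Number.isInteger(mask) || mask < 0 || mask > 32) {
      rejected.push(`${line}: unparseable address or mask`);
      continue;
    }
    // The start must sit on the mask boundary and the range must be exactly
    // one network of that size; otherwise the CIDR would not mean what the
    // feed says, and a too-small mask would block far more than listed.
    const size = 2 ** (32 - mask);
    if (s % size !== 0 || e - s + 1 !== size) {
      rejected.push(`${line}: start/end do not match /${mask}`);
      continue;
    }
    cidrs.push(`${start}/${mask}`);
  }
  return { cidrs, rejected };
}

const EBL = blockTxtToEbl(SAMPLE_BLOCK_TXT);
console.log(EBL.cidrs.join("\n"));      // text to serve as the EBL source
console.error(EBL.rejected.join("\n")); // lines an operator should look at
```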

Creating the External Block List Subscription
1. Go to Objects -

2. Click Add

A. Name the External Block List Subscription (e.g. DShield Recommended Block List.)

B. Copy the preformatted subscription from our unofficial formatting app http://panwdbl.appspot.com/lists/dshieldbl.txt and paste into source block.

C. Click Test Source URL
You have just subscribed to an External Block List (EBL). Once an hour this subscription will poll the external block source and automatically update the subscription. This does not actually apply the feed to any rules or policies; in the next section we will create an outbound blocking rule looking for indicators of compromise.

Creating the Outbound Rule Overview

There are several ways to use an EBL. One of the most common is to block/restrict inbound flows, and although this should be done, we will be using a different method for this example. In the Creating the Outbound Rule section we will block and alert on outbound traffic from our L3-Trust to L3-Untrust zone (basically from our trusted internal zone to our untrusted external zone; your naming convention may differ). This will serve as a possible indicator of compromise (IoC).

On the topic of IoC: YOU HAVE BEEN WARNED!!!! Do not miss this step. Also, for troubleshooting reasons, if all your traffic stops after this walk-through, you can disable the rule and troubleshoot your External Block List.

1. Go to Policies - Security
2. Click Add

A. Give the Rule a Name (e.g. EBL DShield Rule)

B. Under the source tab select L3-Trust or your trusted internal zone name.

C. Under the destination tab select L3-Untrust or your untrusted external zone.

D.

E. Under the actions tab change allow to deny. Optionally, you can set logging to an external syslog here as well.

F. Click OK.

G. Highlight the new rule, click move, which can be found at the bottom of the GUI, and select top. We are moving this rule to the top as we want to catch all attempts to reach the EBL outbound before any other rule is triggered.
H. NOTE: if you receive a warning as indicated in the screenshot, check your internet connection, as it indicates that the EBL was not reachable. Also, some EBLs have maximum polling counts and only allow a refresh every so often (e.g. 1 hour). This could have been triggered when you tested the URL connection. These are two reasons why your EBL may not be reachable.

It is also possible to check the EBL on the CLI:
request system external-list refresh name
Section 2 Summary
Congratulations, you have just created a rule using an External Block List (EBL). This walk-through rule is designed to provide an example of blocking outbound connections to known suspicious netblocks.

Screencast of the Above
