Latest Alerts


ISC StormCast for Friday, March 13th 2015 http://isc.sans.edu/podcastdetail.html?id=4395, (Fri, Mar 13th)

Thu, 03/12/2015 - 19:16
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Blind SQL Injection against WordPress SEO by Yoast, (Fri, Mar 13th)

Thu, 03/12/2015 - 16:34

WordPress has released an advisory for the WordPress plugin SEO by Yoast [1]. Versions up to and including 1.7.3.3 can be exploited with a blind SQL injection. According to WordPress, this plugin has more than one million downloads. A description of the SQL injection with proof of concept is available at [3], and the latest update (1.7.4) is available at [2].

[1] https://wordpress.org/plugins/wordpress-seo/
[2] https://downloads.wordpress.org/plugin/wordpress-seo.1.7.4.zip
[3] https://wpvulndb.com/vulnerabilities/7841

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Who got the bad SSL Certificate? Using tshark to analyze the SSL handshake, (Thu, Mar 12th)

Thu, 03/12/2015 - 07:10

Ever wonder if any of your users connect to sites with bad SSL certificates? I ran into this issue recently when debugging some SSL issues, and ended up with this quick tshark and shell script trick to extract the necessary information from a packet capture.

First, you may want to compare the host name your clients connect to, to the host name returned as part of the certificate. While the Host header is encrypted and not accessible, modern SSL libraries use Server Name Indication (SNI) as part of the SSL Client Hello to indicate to the server which site they are trying to connect to. The SNI option is sent in the clear to allow for name virtual hosting with SSL.

To extract the SNI fields, I use:

tshark -r file.pcap -Y "ssl.handshake.type==1" -T fields -e ip.dst -e tcp.srcport -e ssl.handshake.extensions_server_name | sed 's/\t/:/' | sort > /tmp/out

The tshark command extracts all the SSL Client Hello messages (ssl.handshake.type==1) and then pulls out the destination IP, the client's source port (tcp.srcport, which will be the destination port of the server's reply) and the SNI field. The sed command replaces the first tab with a colon, so that each line starts with a single ip:port key, and the output is sorted because join expects sorted input. The result looks like:

173.194.219.108:61879 imap.gmail.com

Your sed command will look a bit different if you are using OS X.

Next, we need to extract the host names advertised by the certificate that the server returns. This is a bit tricky, as a certificate may either use a distinguished name (DN) or a subject alternative name (SAN) if more than one hostname is included in the certificate.

tshark -r file.pcap -Y "ssl.handshake.type==11" -T fields -e ip.src -e tcp.dstport -e x509sat.uTF8String -e x509ce.dNSName | sed 's/\t/:/' | sort > /tmp/in

Just like before, we now filter for certificate messages (type 11) and extract the source IP and the destination port, so we can match up connections with what we extracted above. The output should look like:

173.194.219.109:61898 California,Mountain View,Google Inc,imap.gmail.com imap.gmail.com
173.252.101.48:61897 *.facebook.com *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,fbcdn23dssr3jqnq.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com

Note how it is quite common to include a large list of hostnames.

Next, we need to link the two files. The join command is pretty useful here:

join -1 1 -2 1 -e empty /tmp/in /tmp/out | tr '\t' ' '

This will join the two files, pretty much the way a SQL join would combine two tables, using the first column in each file as the index. The output now looks like:

17.172.208.83:61878 *.icloud.com,icloud.com p02-mailws.icloud.com
17.172.208.8:61881 *.icloud.com,management:idms.group.506364,Apple Inc.,California *.icloud.com p02-ckdatabase.icloud.com
173.252.101.48:61897 *.facebook.com *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,fbcdn23dssr3jqnq.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com
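The join output above still has to be read by a human to spot a session where the SNI name is not covered by the certificate. As an added example (not part of the diary), the following Python script automates that last step: it parses the two tshark extracts in the ip:port<TAB>fields format the commands above write, joins them on the ip:port key, and checks whether the SNI is covered by the certificate's DN or SAN names, including single-label wildcards such as *.facebook.com. Sessions with no Certificate message (a resumed session, or a capture that started mid-handshake) are reported as such rather than silently dropped, which is what join does unless you pass -a. The sample lines are constructed (the first two mirror the diary's output; the 203.0.113.x sessions are invented to show a mismatch and a missing certificate), and all function names are the example's own.

```python
"""Compare the SNI a client asked for with the names in the certificate the
server returned, using the two tshark extracts produced above.
Added example; the sample lines below are constructed, not captured output."""
import re

# Lines in the format the first tshark|sed pipeline writes: "ip:port<TAB>SNI"
SNI_LINES = """\
173.194.219.108:61879\timap.gmail.com
173.252.101.48:61897\twww.facebook.com
203.0.113.10:61900\tintranet.example.com
203.0.113.11:61901\tmail.example.com
"""

# Lines from the second pipeline: "ip:port<TAB>DN strings<TAB>SAN dNSNames"
# (the last two sessions are constructed: a mismatching cert and no cert at all)
CERT_LINES = """\
173.194.219.108:61879\tCalifornia,Mountain View,Google Inc,imap.gmail.com\timap.gmail.com
173.252.101.48:61897\t*.facebook.com\t*.facebook.com,facebook.com,*.fbsbx.com
203.0.113.10:61900\tSome Org,default.local\tdefault.local
"""

# A DN component or SAN entry is treated as a host name if it looks like one
HOST_RE = re.compile(r"^(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_extract(text):
    """Map the ip:port key to the remaining tab-separated fields of each line."""
    rows = {}
    for line in text.splitlines():
        if line.strip():
            key, *fields = line.split("\t")
            rows[key] = fields
    return rows


def cert_names(fields):
    """Collect host-name-like tokens from the DN and SAN fields."""
    names = set()
    for field in fields:
        for token in field.split(","):
            token = token.strip()
            if HOST_RE.match(token):
                names.add(token.lower())
    return names


def hostname_matches(pattern, host):
    """Exact match, or a single-label wildcard such as *.facebook.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".facebook.com"
        label = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label   # exactly one extra label
    return False


def check_sessions(sni_text, cert_text):
    """Join both extracts on ip:port and classify each client hello."""
    sni_rows = parse_extract(sni_text)
    cert_rows = parse_extract(cert_text)
    results = {}
    for key, fields in sni_rows.items():
        sni = fields[0].strip() if fields else ""
        if not sni:
            results[key] = ("no-sni", sni, set())
        elif key not in cert_rows:
            # no Certificate message seen: resumed session or truncated capture
            results[key] = ("no-cert", sni, set())
        else:
            names = cert_names(cert_rows[key])
            ok = any(hostname_matches(n, sni) for n in names)
            results[key] = ("ok" if ok else "mismatch", sni, names)
    return results


if __name__ == "__main__":
    for key, (status, sni, names) in check_sessions(SNI_LINES, CERT_LINES).items():
        if status != "ok":
            print(f"{status:9} {key:24} sni={sni} cert={','.join(sorted(names)) or '-'}")
```

Run against real extracts by reading /tmp/out and /tmp/in into the two strings; only sessions that are not "ok" are printed, so a clean capture prints nothing. The wildcard rule deliberately rejects a.b.facebook.com for *.facebook.com, matching how browsers treat certificate wildcards.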

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


ISC StormCast for Thursday, March 12th 2015 http://isc.sans.edu/podcastdetail.html?id=4393, (Thu, Mar 12th)

Wed, 03/11/2015 - 18:17

Apple iTunes Store is seeing an extended outage - watch https://www.apple.com/support/systemstatus/ for status changes, (Wed, Mar 11th)

Wed, 03/11/2015 - 06:13

=============== Rob VandenBrink Metafore


Syslog Skeet Shooting - Targeting Real Problems in Event Logs, (Wed, Mar 11th)

Wed, 03/11/2015 - 03:56


A common bit of advice that we tend to offer up frequently is "monitor your logs" or "review your logs periodically". However, with daily syslogs - even in a small environment - ranging from 300 MB to 5 GB, that's no easy task. We've discussed parsing logs out using grep and similar tools in the past, but that assumes that nothing drastic ever happens - you're banking on the fact that anything being logged can wait until you have time to check your logs.

And face it - with the volume of real project work that faces us each day, how many of us actually have time to manually review our logs, and get meaningful information out of them that we can take action on?

So, can we automate this task? Since there's a rather large number of for-sale products that do this (google SIEM to see just how many), the answer is a resounding yes. But can you take a simpler approach, and send email alerts on specific things you know you want to watch for? And can you do this on a budget of zero or close to it? The answer to this is also yes.

Before we get to the how though, let's define the what - or at least start that task. What exactly do you want to monitor for? I'll focus on network gear in these examples - routers, switches, firewalls and so on. The list of conditions for alerting is fairly short, and network conditions affect *everything*. Plus I'm a network person most days. You can certainly expand this to include storage arrays, Windows and Linux hosts, Active Directory and so on.

Let

fan
batter
temp

Of course, alarms on any of these need almost immediate action.

Note that I'm looking for "temp", to include both "temp" and "temperature".

Similarly, "batter" covers both "battery" and "batteries".

You'll also get these same keywords cropping up in logs for your SAN and for host hardware if you have proper logging set up for them.

You definitely want to alert on routing or redundancy protocols - for the most part these only kick out a message when things are re-negotiating, which should never happen unless there is a problem:

BGP, EIGRP, OSPF, ISIS (or add your routing protocol here; hopefully RIP isn't in your list). Monitoring for these will in lots of cases catch short outages with WAN providers or ISPs, which traditional polling will often miss.
HSRP, VRRP covers off most interface redundancy issues. If you see an event on either of these, it usually means you've seen a failure.

Another common, common, common thing that you really have to filter on:
duplex
nuff said. I just had a client engage me for 5 days to nail down a high WAN traffic / performance issue. They didn't have a syslog server, but I started by looking at logs in memory (over their objection). And yes, their WAN provider had changed one of their routers from auto/auto to 100/full, of course without telling them. Even in a well managed, controlled environment, you can't control the VOIP contractor who hard-sets their PBX to 100/full without telling anyone else, the ISP that does that to their routers instead of using rate limiting, or the server admin who thinks that setting their NIC to 1000/full is somehow safer than letting it negotiate to that same setting (the way the RFC recommends). And face it, the only things you ever get speed/duplex errors on are the most catastrophic things you could pick to have that error! Once you start looking, you are almost guaranteed to find a number of these in your logs in almost any shop.

Monitoring for vendor-specific text in a syslog message (both Cisco in this case, though the first works for COMWARE as well):
DUPLICATE_IPADDR_DETECT - yes, lots of this too. I had a client stand up a new DHCP server without conflict detection. Ever wonder what happens when you have a busy workstation with the same IP as the local firewall?

ERR-DISABLE or ERR_DISABLE - as you'd expect, this is a switch port that's been disabled due to an error. What kind of error? Often it's a BPDUGUARD trigger, port channel config issues, link-flap, late collisions, an incorrect SFP or GBIC inserted, ARP inspection issues - this port state and syslog message cuts a wide swath.

BPDUGUARD - if you configure a switch port with BPDUGUARD, you're telling it that this is a workstation or server port, so if it sees a BPDU (Bridge Protocol Data Unit) frame, that indicates that there's an unauthorized switch attached to that port (see ERRDISABLE above). A message involving BPDUGUARD will generally also involve a shut down port. In Cisco and Comware, it'll be in an ERRDISABLE state. In Procurve networks though, it'll just be shut down, and if you don't check your logs you might be left wondering why it keeps shutting down.

You'll likely also want to monitor for config changes. If you don't have a formal change control process, it's something you really want to consider. If a router or switch configuration changes outside of a change window - or worse yet, if a config changes and it wasn't you - that's something you want to know about!

Monitor in real time for config changes, look for SYS-5-CONFIG_I
login on-failure log
login on-success log

Then you can filter syslog for SEC_LOGIN-4-LOGIN_FAILED and/or SEC_LOGIN-5-LOGIN_SUCCESS - or more simply, to catch both, watch for SEC_LOGIN.

Really, you're looking for logins outside of approved windows, login failures (worst case, followed by success), or, if you are the only network admin, any login attempts that aren't you!

If you don't have those two lines in your configuration, I'd suggest that you add them, then review the Cisco Hardening Guides at the Center for Internet Security (https://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks.network.cisco). Other vendors will have similar guidance, either on their own sites or at CIS.

You get my point. In a perfect situation, you would take your logs and discard everything you DON'T want to be alerted on, which should leave the real problems, plus new messages that are not problems which you can add to your filter-out list. Back in the day, we had a project where we did exactly this for an AS400 - we discarded known good and known innocuous, and over time we were left with just the bad news messages we wanted to see. However, networks and log messages are so varied as you add new devices, and change so much even from version to version, that this traditional approach might not be so viable anymore. Alerting on specific messages, as well as regular manual log parsing to see what else you might want to add to the list, is a nice, low interaction approach that gets you there (or close to it) in the end. This has worked for lots of customers that I have, until they get a proper SIEM or IPS that is.

So back to the how: how do you configure alerts now that we know what we want to alert on? That will depend on your logging solution. If you use SolarWinds Syslog (which used to be Kiwi), it's built into the GUI. You can trigger on various AND / OR situations; be sure that your searches are case-insensitive. As you can see from the example below, I EXCLUDE the string "URL Accessed".

In Linux, you'd think it would be easier. But as with so many things in Linux, there are dozens of ways to do this - and they're all at least marginally more complicated. It's semi-easy to configure email alerts based on severity, as long as the local system mail is tied to a real email system (which is almost never). To trigger on keywords and support real email though requires some gymnastics. You can use logwatch or logcheck (you'll generally use logcheck with cron); OSSEC also does a good job monitoring logs (amongst other things) and, on configured inputs or conditions, alerting in any of several methods. If you want to do it all with stock tools, you can use named pipes as shown here: http://serverfault.com/questions/32360/how-can-i-make-syslogd-email-certain-log-messages-to-me.

Me, I use swatch (http://sourceforge.net/projects/swatch/) - mostly because it's simple and it works well. Life is too short to complicate a simple process like logging. For an example of using swatch for real, check my very first SANS Gold Paper, all those years ago: http://www.sans.org/reading-room/whitepapers/auditing/vpnscan-extending-audit-compliance-perimeter-1711. I used swatch to trigger policy audits of users VPN-ing in at the time, and I still use swatch for that, along with loads of other things.
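To show what the keyword list above looks like once it is applied by a script rather than a GUI, here is an added Python filter (not from the diary, and not a replacement for swatch or logcheck): it scans syslog lines for the diary's terms with a case-insensitive match anchored at the left word boundary, so "temp" also catches "temperature" and "batter" catches "battery", and it drops any line containing an excluded string such as "URL Accessed" before the watch list is applied, the way the SolarWinds exclusion above does. The log lines, host names and addresses are constructed, and the function names are the example's own; the digest it returns is plain text you can hand to sendmail, a ticketing API or whatever alerting you already have.

```python
"""Keyword alerting over syslog lines, following the list in the diary.
Added example, not the diary's own tooling; log lines are constructed."""
import re
from collections import Counter

# Terms from the diary. Matching is case-insensitive and anchored at a word
# boundary only on the left, so "temp" also catches "temperature" and
# "batter" catches "battery" / "batteries", as the diary intends.
WATCH_TERMS = [
    "fan", "batter", "temp",
    "BGP", "EIGRP", "OSPF", "ISIS", "HSRP", "VRRP",
    "duplex", "DUPLICATE_IPADDR_DETECT", "ERR-DISABLE", "ERR_DISABLE",
    "BPDUGUARD", "SYS-5-CONFIG_I", "SEC_LOGIN",
]
# Lines containing any of these are dropped before the watch list is applied
EXCLUDE_TERMS = ["URL Accessed"]

# Constructed sample lines in Cisco-style syslog format
SAMPLE_LOG = """\
Mar 11 03:50:01 core-sw1 123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)
Mar 11 03:50:09 core-sw1 124: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet1/0/3 (not half duplex), with pbx01 port 1 (half duplex)
Mar 11 03:51:12 edge-rtr1 77: %BGP-5-ADJCHANGE: neighbor 198.51.100.1 Down BGP Notification sent
Mar 11 03:52:30 fw1 9001: URL Accessed: http://www.example.com/index.html by 10.1.2.3
Mar 11 03:53:00 core-sw1 125: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.1.1.99] [localport: 22]
Mar 11 03:54:44 core-sw1 126: %ENVMON-3-FAN_FAILED: Fan 2 failed
Mar 11 03:55:10 fw1 9002: URL Accessed: http://temp.example.net/fan-shop by 10.1.2.4
Mar 11 03:56:00 dist-sw2 300: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
"""


def compile_terms(terms):
    """One compiled, case-insensitive, left-anchored pattern per term."""
    return [(t, re.compile(r"\b" + re.escape(t), re.IGNORECASE)) for t in terms]


WATCH = compile_terms(WATCH_TERMS)
EXCLUDE = compile_terms(EXCLUDE_TERMS)


def scan(log_text):
    """Return [(matched_terms, line), ...] for lines that should alert."""
    alerts = []
    for line in log_text.splitlines():
        if any(p.search(line) for _, p in EXCLUDE):
            continue                       # explicit exclusion wins
        hits = sorted({t for t, p in WATCH if p.search(line)})
        if hits:
            alerts.append((hits, line))
    return alerts


def summarize(alerts):
    """Count how often each watch term fired, for a digest mail subject."""
    return Counter(term for hits, _ in alerts for term in hits)


def format_digest(alerts):
    """Plain-text body suitable for handing to sendmail or a ticketing API."""
    lines = [f"{len(alerts)} syslog alert(s):", ""]
    for hits, line in alerts:
        lines.append(f"[{', '.join(hits)}] {line}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print(format_digest(found))
    print(dict(summarize(found)))
```

On the sample above, the two "URL Accessed" lines are dropped even though the second contains both "temp" and "fan", the link up/down line is ignored, and the remaining five lines are reported with the term that fired. Short terms such as "fan" will still need tuning against your own log volume; that is the "regular manual log parsing" step the diary describes.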

What messages or strings would you add to this (short) list of things to alert on? We're looking mainly for network type alerts on routers, switches, firewalls, load balancers and so on. What situations would your list entry prevent or diagnose? Do you have a simpler or more elegant method of triggering on syslog entries in Linux? Please, use our comment form and let us know how you approach this issue!

===============
Rob VandenBrink
Metafore


ISC StormCast for Wednesday, March 11th 2015 http://isc.sans.edu/podcastdetail.html?id=4391, (Wed, Mar 11th)

Tue, 03/10/2015 - 19:46

Threatglass has pcap files with exploit kit activity, (Tue, Mar 10th)

Tue, 03/10/2015 - 10:13

Threatglass is one way to find up-to-date examples of exploit kit traffic. Not all of it is exploit kit traffic, but all of it represents some sort of malicious activity. Threatglass doesn't explain what type of traffic you're looking at from the pcaps the site provides. Let's look at a page from last week, Thursday, March 5th 2015 [1]. This one is exploit kit activity. In the image below, you'll find a link to the packet capture in the lower right-hand corner.

Download the pcap and open it in Wireshark. Use http.request as the filter, and make sure you're showing the host name in the column display.

For most exploit kits, the pattern of traffic is: Landing page -> Exploit (Java, Flash, Silverlight, IE, etc.) -> Malware payload if the exploit is successful.

Let's look at this example by following a few TCP streams in the pcap.

When the Flash exploit works, a malware payload is sent. Currently, Nuclear Exploit Kit obfuscates the malware payload with an ASCII string. In this case, the binary was XOR-ed with the ASCII string:

The VirusTotal results indicate the malware is a Tofsee variant: https://www.virustotal.com/en/file/7659b2be203a34b7491c7101c0275b9e20e8d801d236817a5285c2e63e0ad0e5/analysis/

If you want a sample of the deobfuscated payload, you can get it from malwr.com at: https://malwr.com/analysis/N2U3NDUwMjQ5MWViNGZkNWFlMTBkMjkxMzExZGQxNTM/

If you have the time, review some of the other entries on Threatglass to figure out which ones are exploit kit activity, and which ones are other activity, like fake Flash installer pop-up windows. This is one of many resources online that aspiring analysts can use to build their skills.
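The obfuscation described above (a binary XOR-ed with a repeating ASCII string) is something an analyst can usually undo without being handed the key, because a PE file has predictable bytes: it starts with "MZ", the reserved fields at offsets 0x28 to 0x3B are normally zero, and a zero byte XOR-ed with the key stream is the key byte itself. The following Python is an added example, not from the diary or from Threatglass: it builds a constructed stand-in for a PE payload, obfuscates it with a constructed key, then recovers the key from the zero run by trying key lengths and keeping the first one whose decode has a valid MZ/PE layout. The function names and the key are this example's own.

```python
"""Recover a repeating XOR key from an obfuscated PE using known-zero bytes.
Added example; the payload, key and key-length search are constructed."""

SAMPLE_KEY = b"SampleKey"   # constructed ASCII key for the demonstration


def build_sample_pe() -> bytes:
    """Constructed stand-in for a PE file: only the DOS header, e_lfanew and
    the "PE\\0\\0" signature are realistic, the rest is filler."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> 0x40
    buf[0x40:0x44] = b"PE\0\0"
    body = b"constructed payload body for the example"
    buf[0x44:0x44 + len(body)] = body
    return bytes(buf)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: MZ at 0, and PE\\0\\0 where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def key_from_zero_run(obfuscated: bytes, key_len: int,
                      start: int = 0x28, length: int = 20) -> bytes:
    """The DOS header bytes 0x28..0x3B (e_res2) are zero in a normal PE, so
    the obfuscated bytes there ARE the key stream. Fold them back onto the
    key positions; 20 consecutive bytes cover every position of a key up to
    20 bytes long."""
    key = bytearray(key_len)
    for pos in range(start, start + length):
        key[pos % key_len] = obfuscated[pos]
    return bytes(key)


def find_key(obfuscated: bytes, max_len: int = 20):
    """Try each key length and keep the first whose decode is PE-shaped."""
    for key_len in range(1, max_len + 1):
        candidate = key_from_zero_run(obfuscated, key_len)
        if looks_like_pe(xor_with_key(obfuscated, candidate)):
            return candidate
    return None


SAMPLE_PE = build_sample_pe()
OBFUSCATED = xor_with_key(SAMPLE_PE, SAMPLE_KEY)


if __name__ == "__main__":
    key = find_key(OBFUSCATED)
    print("recovered key:", key)
    print("decode is a PE:", looks_like_pe(xor_with_key(OBFUSCATED, key)))
```

The zero-run assumption is the limiting factor: a packer that rewrites the DOS header, or a key longer than the zero run, defeats this particular shortcut, and the e_lfanew check is what rejects shorter key lengths that happen to reproduce "MZ" by coincidence. For a real sample, replace OBFUSCATED with the bytes carved from the pcap.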

---

Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://threatglass.com/malicious_urls/geospotrima-com


Microsoft March Patch Tuesday, (Tue, Mar 10th)

Tue, 03/10/2015 - 10:04

Overview of the March 2015 Microsoft patches and their status.

For each bulletin: title (and the bulletins it replaces), affected component, CVEs, KB article, known exploits, Microsoft rating (**) with exploitability index, and ISC rating (*) for clients and servers.

MS15-018  Cumulative Security Update For Internet Explorer (Replaces MS15-009). Note that for IE8 and later, the VBScript vulnerability CVE-2015-0032 is addressed by MS15-019.
  Affected: Internet Explorer
  CVEs: CVE-2015-0032, CVE-2015-0056, CVE-2015-0072, CVE-2015-0099, CVE-2015-0100, CVE-2015-1622, CVE-2015-1623, CVE-2015-1624, CVE-2015-1625, CVE-2015-1626, CVE-2015-1627, CVE-2015-1634
  KB: 3040297
  Known exploits: CVE-2015-1625 has been disclosed in public, but no exploits seen yet.
  Microsoft rating: Critical, Exploitability 1
  ISC rating: clients Critical, servers Critical

MS15-019  Remote Code Execution Vulnerability in VBScript Scripting Engine (Replaces MS14-084)
  Affected: VBScript
  CVEs: CVE-2015-0032
  KB: 3040297
  Known exploits: no known exploits.
  Microsoft rating: Critical, Exploitability 1
  ISC rating: clients Critical, servers Important

MS15-020  Remote Code Execution Via Loading Untrusted DLLs and Windows Text Service Memory Corruption (Replaces MS14-027)
  Affected: Windows Text Services
  CVEs: CVE-2015-0081, CVE-2015-0096
  KB: 3041836
  Known exploits: no known exploits.
  Microsoft rating: Critical, Exploitability 2
  ISC rating: clients Critical, servers Critical

MS15-021  Remote Code Execution Vulnerability in Adobe Font Drivers (Replaces MS13-081)
  Affected: Adobe Font Drivers
  CVEs: CVE-2015-0074, CVE-2015-0087, CVE-2015-0088, CVE-2015-0089, CVE-2015-0090, CVE-2015-0091, CVE-2015-0092, CVE-2015-0093
  KB: 3032323
  Known exploits: no known exploits.
  Microsoft rating: Critical, Exploitability 2
  ISC rating: clients Critical, servers Important

MS15-022  Remote Code Execution Vulnerability in Microsoft Office (Replaces MS13-072, MS14-022, MS14-023, MS14-050, MS14-073, MS15-012)
  Affected: Microsoft Office
  CVEs: CVE-2015-0085, CVE-2015-0086, CVE-2015-0097, CVE-2015-1633, CVE-2015-1636
  KB: 3038999
  Known exploits: no known exploits.
  Microsoft rating: Critical, Exploitability 1
  ISC rating: clients Critical, servers Important

MS15-023  Elevation of Privilege Vulnerability in Kernel Mode Drivers (Replaces MS15-010)
  Affected: Kernel Mode Drivers
  CVEs: CVE-2015-0077, CVE-2015-0078, CVE-2015-0094, CVE-2015-0095
  KB: 3034344
  Known exploits: no known exploits.
  Microsoft rating: Important, Exploitability 2
  ISC rating: clients Important, servers Important

MS15-024  Information Disclosure Vulnerability in PNG Processing (Replaces MS15-016)
  Affected: Windows
  CVEs: CVE-2015-0080
  KB: 3035132
  Known exploits: no known exploits.
  Microsoft rating: Important, Exploitability 3
  ISC rating: clients Important, servers Important

MS15-025  Elevation of Privilege / Impersonation Vulnerability in Windows Kernel (Replaces MS13-031, MS15-010, MS15-015)
  Affected: Windows Kernel
  CVEs: CVE-2015-0073, CVE-2015-0075
  KB: 3038680
  Known exploits: no known exploits.
  Microsoft rating: Important, Exploitability 2
  ISC rating: clients Important, servers Important

MS15-026  Cross Site Scripting Vulnerabilities in Microsoft Exchange Server
  Affected: Microsoft Exchange Server
  CVEs: CVE-2015-1628, CVE-2015-1629, CVE-2015-1630, CVE-2015-1631, CVE-2015-1632
  KB: 3040856
  Known exploits: no known exploits.
  Microsoft rating: Important, Exploitability 2
  ISC rating: clients Important, servers Important

MS15-027  Spoofing Vulnerability in NETLOGON (Replaces MS10-101)
  Affected: Windows
  CVEs: CVE-2015-0005
  KB: 3002657
  Known exploits: no known exploits.
  Microsoft rating: Important, Exploitability 2
  ISC rating: clients Important, servers Important

MS15-028  Access Control List Bypass via Windows Task Scheduler
  Affected: Windows
  CVEs: CVE-2015-0084
  KB: 3030377
  Known exploits: no known exploits.
  Microsoft rating: Important, Exploitability 2
  ISC rating: clients Important, servers Important

MS15-029  Information Disclosure in Windows Photo Decoder
  Affected: Windows Photo Decoder
  CVEs: CVE-2015-0076
  KB: 3035126
  Known exploits: no known exploits.
  Microsoft rating: Important, Exploitability 2
  ISC rating: clients Important, servers Important

MS15-030  Denial of Service Vulnerability in RDP (Replaces MS14-030)
  Affected: Remote Desktop Protocol
  CVEs: CVE-2015-0079
  KB: 3039976
  Known exploits: no known exploits.
  Microsoft rating: Important, Exploitability 3
  ISC rating: clients Important, servers Important

MS15-031  Schannel Patch for FREAK
  Affected: Schannel
  CVEs: CVE-2015-1637
  KB: 3046049
  Known exploits: yes.
  Microsoft rating: Important, Exploitability 1
  ISC rating: clients Important, servers Important

We will update issues on this page for about a week or so as they evolve. We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY.

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become interesting
    • Less Urgent: practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Apple Patches for iOS, OS X and Apple TV, (Tue, Mar 10th)

Tue, 03/10/2015 - 04:46

With yesterday's updates for iOS, OS X and Apple TV, Apple also addressed a number of security vulnerabilities, most notably the FREAK vulnerability. After updating, the affected operating systems no longer support export-grade ciphers. However, Apple browsers continue to support SSLv3 and as a result continue to be vulnerable to POODLE.

Quick summary of the security content of Apple's updates:

Xcode 6.2: This update addresses 4 vulnerabilities in Subversion and 1 in Git.

OS X: 5 vulnerabilities. The most serious of which is likely a code execution vulnerability in Keychain.

Apple TV: 3 vulnerabilities. One of which would allow an attacker to write files to the system if the user mounts a corrupt disk image.

iOS: 6 vulnerabilities. In addition to FREAK and the above mentioned Keychain problem, a vulnerability that allows an attacker with physical access to the device to see the home screen on a locked device is patched.

For details from Apple, see https://support.apple.com/en-us/HT1222

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


ISC StormCast for Tuesday, March 10th 2015 http://isc.sans.edu/podcastdetail.html?id=4389, (Tue, Mar 10th)

Mon, 03/09/2015 - 19:12

The Mystery of a Session Cookie, (Mon, Mar 9th)

Mon, 03/09/2015 - 13:56

An ISC reader sent us a note about a session cookie that has been appearing in web server logs; the cookie contents triggered cross-site scripting alerts from the Web Application Firewall. Across the various HTTP session instances, the cookie contained the same hash: 3e1dd89fdfa706ed2e69a8eccf98cab048d7b661. Other contents of the cookie included references to malicious-looking third-party URLs that contained affiliate IDs.

I came across an HTTP request on my own server from about a month ago, which contained the same hash value. It looked like this:

Cookie: 3e1dd89fdfa706ed2e69a8eccf98cab048d7b661.session={%22id%22:%226fe15833-083e-4364-84ec-e4a5b9f61ad6%22%2C%22evoke%22:%22back%22%2C%22termsType%22:0%2C%22action%22:1%2C%22firstHistory%22:1%2C%22firstUrl%22:%22http://zeltser.com/extracting-swf-from-pdf-using-swf-mastah%22%2C%22firstReferrer%22:%22https://www.google.nl%22%2C%22actionUrl%22:%22https://interyield.jmp9.com/InterYield/rd.do?affiliate%3Dnxldg2subid%3D36x55xadCountIntervalHours%3D10maxAdCountsPerInterval%3D10snoozeMinutes%3D3url%3Dhttp%253A%252F%252Frd-direct.com%252Fctrd%252Fclick%252Fnewjump1.do%253Faffiliate%253D67935%2526subid%253D36x55x%2526terms%253Dzeltser.com%252520extracting%252520malicious%252520flash%252520objects%252520from%252520pdfs%252520using%252520swf%252520mastah%2526ai%253DGBGY6n-oRoaZ5DbR3BvafDuwZZBHn_Zj87Ciuqy_NiyMy4vZ9stpcd-fUa2UQ4DNx6GUMEj6KeGzltSVzUDRpVk07lWGpUkMlyMG9WcqGbazGffYI9a0cQ_J3FAxb2mL-WwfCJMawYXUETMOQe_CEk1s2vaRI8fq4K3Py5tve0uM4UPyCump1wSNSctzDKm_Heo-CfJZ22AHKUGAA9vCWhmxe1tlg4XjKiyKsUF9q5zzg0jCAeKNHyDqhsVo3r-FUjUmxQbTjRD772JxVD6l9h6R91sJQv9o_GcfcHebSu6NpGla5Wh9eEto8cK2LGb79D3XJm_Agq05Hvr0gevAXCxfNltsfRuPnXnSpSHU8x8XkZ-Ss54r7j-BHL_RLNOI-V7hnpAV_gx6J0Fsvdm99Qfm_U7AppaCJQNh-x93VU6nqyjUXFeIdB4o-MlIBv_Y51meo4_pheFWvlX_lmT2mSY-aFmozUo630hQoQF19xIdxV3bya--fu7Eb8js_zLzMsVrh8k7aTe-Qu8zttSsUbg9J4ZpCk3H__4EhaNL5yvIbyyRFJJo5cLoDJjlk4Vtln78qFTTrd0j5YN5IdCUmw%2526version%253D1.2%2526passThruAttr%253DeventHandler%25253Dbackcatchersearchinfo%3Dzeltser.com%2520extracting%2520malicious%2520flash%2520objects%2520from%2520pdfs%2520using%2520swf%2520mastahservetime%3D15origquery%3Dzeltser.com%2520Extracting%2520Malicious%2520Flash%2520Objects%2520from%2520PDFs%2520Using%2520SWF%2520MastahtargetTitle%3Dserveurl%3Dhttp%253A%252F%252Fzeltser.com%252Fextracting-swf-from-pdf-using-swf-mastah%252Fadultsearch%3Dfalsepop%3DoverattributionDisabled%3DfalsesecUntilMidnight%3D61846%22%2C%22time%22:1423666154148%2C%22exited%22:false%2C%22sawExitOverlay%22:false}

References to zeltser.com are normal and non-malicious (the mention of swf-from-pdf-using-swf-mastah is also normal, because that's the web page that received the malicious request). However, notice the inclusion of an unexpected hostname, interyield.jmp9.com, and a mention of adultsearch.

I came across many mentions of the cookie hash value seen above when searching the web, including the following trigger of a SQL injection WAF alert:

Cookie: 3e1dd89fdfa706ed2e69a8eccf98cab048d7b661.session={%22id%22:%229f835ef2-cd7e-43b9-861e-6de9d5113dd6%22%2C%22evoke%22:%22back%22%2C%22termsType%22:0%2C%22action%22:1%2C%22firstHistory%22:1%2C%22firstUrl%22:%22http://www.stoppublicites.fr/?page_id%3D2%22%2C%22firstReferrer%22:%22https://www.google.fr%22%2C%22actionUrl%22:%22https://www.tr553.com/InterYield/rd.do?affiliate%3Drzbkmaxsubid%3D9614_1001_fradCountIntervalHours%3D24maxAdCountsPerInterval%3D12snoozeMinutes%3D2url%3Dhttp%253A%252F%252Fcoreclickhoo.com%252Fctrd%252Fclick%252Fnewjump1.do%253Faffiliate%253D66385%2526subid%253D9614_1001_fr%2526terms%253Dstoppublicites.fr%252520nettoyer%252520son%252520ordinateur%252520stop%252520les%252520publicit%2525C3%2525A9s%252520intempestives%2526ai%253Db5mbQSp35CDIM8MtUy8woqtnjjHFnHB3ffZyrAlbZK9_PMF8spIXolWRiMEY4cAutjyO_Z-a2ptbmfky5jNdYyaxu2fuGRTEb59un12-ny0lAw_qXUhQzSUxJBCzXrgkJd0zYz1reyEsi28kqJHrAgWtVWPqLl7e20nbFGEaOaMP8cyITdxlg8UHWWOovjOInL9RMVxLCn4Q8O_vhgR3PV-1G6VlbN8GywCRSOCdAHHy5Tbrf2ft255bQcJe7X1Wp3dKuiuJhdk2bMcsof2lcGTxuMYmBXRHicP-yNREHlIWCM86s1FwLi06ojqqeiEc9Am73WnkvbKR6vv9sAc8bIfUiE8wTm6673h-ouF0GMfyrhuodcvdL33t_7lMjBGMlg-83EFxqtrD968hqVpKWNVaxP7fbCOUHr4_1oHjQOq0j_S_DrZhrEG953stbKIFAL2z5uhPFs0Y5ByFbRLlSn9YzM7hfxcqmugeCUhUAwiiyNyeNgDXLkAH-X9N5YmFSo03jcQuEPU6_y2upRASxg%2526version%253D1.2%2526passThruAttr%253DeventHandler%25253Dbackcatchersearchinfo%3Dstoppublicites.fr%2520nettoyer%2520son%2520ordinateur%2520stop%2520les%2520publicit%25C3%25A9s%2520intempestivesservetime%3D728origquery%3Dstoppublicites.fr%2520Nettoyer%2520son%2520ordinateur%2520%2520Stop%2520les%2520publicit%25C3%25A9s%2520intempestivestargetTitle%3Dserveurl%3Dhttp%253A%252F%252Fwww.stoppublicites.fr%252F%253Fpage_id%253D2adultsearch%3Dfalsepop%3DoverattributionDisabled%3Dfalse%22%2C%22time%22:1416831764095%2C%22exited%22:false%2C%22sawExitOverlay%22:false}

I noticed mentions of the cookie value 3e1dd89fdfa706ed2e69a8eccf98cab048d7b661 dating back to 2012.

We're probably dealing with some malicious scanning tool that has this value hardcoded into its cookie-generating code, which is designed to exploit XSS and/or SQL injection vulnerabilities with the goal of redirecting victimized sites

-- Lenny

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter. He also writes a security blog.
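Reading a cookie like the two above by eye is slow, and a WAF alert only tells you that something in it looked like an attack. As an added example (not from the diary), the following Python takes a cookie of this shape, URL-decodes the JSON session object once, and then follows the nested url= parameters inside actionUrl to list the redirect chain, which is where the unexpected third-party hosts surface. The cookie below is constructed to mirror the layout of the real one (same marker, same hosts and field names as the first request in the diary), but with the "&" separators restored, since the pasted version above has lost them; the function names are the example's own.

```python
"""Decode a session cookie of the kind described above and pull out the
embedded redirect chain. Added example; the cookie below is constructed to
mirror the layout of the real one (same marker, hosts from the diary)."""
import json
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_COOKIE = (
    "3e1dd89fdfa706ed2e69a8eccf98cab048d7b661.session="
    "{%22id%22:%226fe15833-083e-4364-84ec-e4a5b9f61ad6%22%2C"
    "%22evoke%22:%22back%22%2C"
    "%22firstUrl%22:%22http://zeltser.com/extracting-swf-from-pdf-using-swf-mastah%22%2C"
    "%22firstReferrer%22:%22https://www.google.nl%22%2C"
    "%22actionUrl%22:%22https://interyield.jmp9.com/InterYield/rd.do?"
    "affiliate%3Dnxldg2%26subid%3D36x55x"
    "%26url%3Dhttp%253A%252F%252Frd-direct.com%252Fctrd%252Fclick%252Fnewjump1.do"
    "%253Faffiliate%253D67935%2526terms%253Dzeltser.com%252520extracting%252520malicious%252520flash"
    "%26adultsearch%3Dfalse%26pop%3Dover%22%2C"
    "%22time%22:1423666154148%2C%22exited%22:false}"
)


def decode_session_cookie(cookie_value):
    """Split "<marker>.session=<encoded JSON>" into the marker and a dict."""
    name, encoded = cookie_value.split("=", 1)
    marker = name.split(".")[0]
    return marker, json.loads(unquote(encoded))


def redirect_chain(url, max_depth=10):
    """Follow nested url= parameters and return the host of each hop."""
    hosts, seen = [], set()
    while url and len(hosts) < max_depth:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not host or host in seen:        # malformed or looping chain
            break
        seen.add(host)
        hosts.append(host)
        # parse_qs decodes one layer, exposing the next hop's own query string
        url = parse_qs(parts.query).get("url", [None])[0]
    return hosts


def analyze_cookie(cookie_value):
    """Summarize who set the session, where the user was, and where it sends them."""
    marker, session = decode_session_cookie(cookie_value)
    action_url = session.get("actionUrl", "")
    query = parse_qs(urlsplit(action_url).query)
    return {
        "marker": marker,
        "session": session,
        "first_url_host": urlsplit(session.get("firstUrl", "")).hostname,
        "referrer_host": urlsplit(session.get("firstReferrer", "")).hostname,
        "redirect_chain": redirect_chain(action_url),
        "affiliate_params": {k: v[0] for k, v in query.items()
                             if k in ("affiliate", "subid", "adultsearch", "pop")},
    }


def unexpected_hosts(result):
    """Hosts in the redirect chain that are neither the visited site nor the referrer."""
    known = {result["first_url_host"], result["referrer_host"]}
    return [h for h in result["redirect_chain"] if h not in known]


if __name__ == "__main__":
    summary = analyze_cookie(SAMPLE_COOKIE)
    print("marker:        ", summary["marker"])
    print("visited page:  ", summary["first_url_host"])
    print("redirect chain:", " -> ".join(summary["redirect_chain"]))
    print("unexpected:    ", unexpected_hosts(summary))
    print("affiliate:     ", summary["affiliate_params"])
```

For a WAF or log pipeline, the useful outputs are the marker (the constant 3e1dd89f... value, a cheap signature for this tool), the unexpected hosts, and the affiliate parameters; the decoded JSON itself is what you would store for later correlation, rather than the raw percent-encoded blob.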


ISC StormCast for Monday, March 9th 2015 http://isc.sans.edu/podcastdetail.html?id=4387, (Mon, Mar 9th)

Sun, 03/08/2015 - 19:04

How Malware Generates Mutex Names to Evade Detection, (Mon, Mar 9th)

Sun, 03/08/2015 - 17:05

Malicious software sometimes uses mutex objects to avoid infecting the system more than once, as well as to coordinate communications among its multiple components on the host. Incident responders can look for known mutex names to spot the presence of malware on the system. To evade detection, some malware avoids using a hardcoded name for its mutex, as is the case with the specimen discussed in this note.

Static Mutex Names as Indicators of Compromise

For background details about mutex (a.k.a. mutant) values and their role in incident response, see my earlier article Looking at Mutex Objects for Malware Discovery and Indicators of Compromise. As I described there, when examining a potentially-infected system, we can look for names of mutex objects known to be used by malicious programs. Moreover, in some circumstances, mutex values could be used as markers to immunize the system from infection. Not all malware uses mutex objects, but this is an indicator that's worth looking for.

This approach works well when you've already found malware on some systems and examined it to determine that it uses specific mutex names. You can also obtain mutex name details from threat intelligence feeds, sites such as TotalHash, and the use of automated malware analysis tools. For a long list of mutex names used by various malware samples, take a look at the list published by Hexacorn.

However, malware could name its mutex objects in a less-predictable way, as discussed below.

Mutex Defined by TreasureHunter Malware

Let's take a brief look at a malware sample with the MD5 hash 070e9a317ee53ac3814eb86bc7d5bf49. Its author called this malicious program TreasureHunter, according to a couple of strings that were embedded into the file:

c:\users\admin\documents\visual studio 2012\projects\treasurehunter\release\treasurehunter.pdb
TreasureHunter version 0.1 Alpha

This malicious file was named jucheck.exe and was discovered under the %AppData% folder. We won

You can further investigate TreasureHunter

Running the specimen multiple times results in the same mutex name being used across the experiments. At this point, you might be inclined to use the mutex name 53c044b1f7eb7bc1cbf2bff088c95b30 as an indicator of compromise for TreasureHunter. However, further analysis would show that on other systems this sample names mutex objects differently. For instance, VirusTotal reports the mutex name 3ed1ed60c7d7374bf0dd76fc664b39cd, while VxStream Sandbox reports the name 3ac22cadc45e0558cad697d777f6c3d3. Why such a discrepancy?

How TreasureHunter Generates the Name of Its Mutex

The names of this specimen's mutex object appear to be MD5 hashes, but what value is the specimen hashing? Looking more closely at TreasureHunter with the help of a debugger can shed some light on this functionality.

The OllyDbg screenshot above shows that the specimen stored the name of its mutex in a variable located at the offset 414EA0. You could scroll up in the program

Further, the code computes the MD5 hash of the string RTTDK-XXXXX-P97R3-YYYYYY-8K7PH to derive 53c044b1f7eb7bc1cbf2bff088c95b30, which it ends up using as the mutex name.

Where does the string RTTDK-XXXXX-P97R3-YYYYYY-8K7PH come from? To figure that out, we can drill into function 401F10, which returned this value. That function invokes several API calls to read the system

This is where Windows stores its Product ID. The specimen also looked in several other registry locationswhere Windows sometimes stores this information.

Further in the function, the specimens code transformed the Product IDs into the RTTDK-XXXXX-P97R3-YYYYYY-8K7PH that it later used as the basis for its mutex name using a deterministic algorithm that I had neitherthe patience, nor reason to reverse-engineer. This is why when this specimen ran in automated malware analysissandboxes it used a different mutex value--those products must have had different Windows Product IDs.
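The consequence for defenders is that a mutex name derived from a host-specific value is only a valid indicator on the host it was observed on. The following Python is an added example, not code from the diary or from the TreasureHunter sample: it models the derivation the diary describes (MD5 of a string computed from the Windows Product ID) and contrasts a static mutex IoC list with a per-host derived check. The transformation step is a hypothetical identity stand-in, since the diary states the real routine was not reverse-engineered; the Product ID values are constructed and follow only the general format, and the three reported mutex names are the ones quoted above.

```python
import hashlib

# Mutex names the diary reports for the same TreasureHunter sample in
# three different analysis environments. No single value covers every host.
REPORTED_MUTEXES = {
    "53c044b1f7eb7bc1cbf2bff088c95b30",  # author's debugging VM
    "3ed1ed60c7d7374bf0dd76fc664b39cd",  # VirusTotal
    "3ac22cadc45e0558cad697d777f6c3d3",  # VxStream Sandbox
}


def transform_product_id(product_id: str) -> str:
    """HYPOTHETICAL stand-in for the specimen's transformation step.

    The diary only establishes that the real routine is deterministic and
    fed by the Windows Product ID; it was not reverse-engineered. The
    identity function here keeps the rest of the derivation visible.
    """
    return product_id


def derive_mutex_name(product_id: str) -> str:
    """MD5 of the transformed Product ID as 32 lowercase hex characters,
    the shape of every mutex name reported for this sample."""
    data = transform_product_id(product_id).encode("ascii")
    return hashlib.md5(data).hexdigest()


def looks_like_md5_name(name: str) -> bool:
    """Cheap triage filter: does a mutex name have the MD5-hex shape?"""
    return len(name) == 32 and all(c in "0123456789abcdef" for c in name)


def check_host(observed_mutexes, product_id, static_iocs=REPORTED_MUTEXES):
    """Return (method, mutex) for the first hit.

    'static'  - one of the mutex names reported elsewhere is present.
    'derived' - the name expected for THIS host's Product ID is present.
    (None, None) when neither matches.
    """
    for name in observed_mutexes:
        if name in static_iocs:
            return ("static", name)
    expected = derive_mutex_name(product_id)
    if expected in observed_mutexes:
        return ("derived", expected)
    return (None, None)


if __name__ == "__main__":
    # Constructed Product ID (format only, not taken from any real host).
    # On Windows the value lives under the well-known CurrentVersion\ProductId
    # registry value; reading it is left to the caller.
    pid = "00000-000-0000000-00000"
    # Constructed list of mutexes as an enumeration tool might report them.
    host_mutexes = {"Local\\SomeBenignApp", derive_mutex_name(pid)}
    print("static IoC list alone:", check_host(host_mutexes, pid, static_iocs=set()))
    print("with per-host derivation:", check_host(host_mutexes, pid))
```

Run on a host whose Product ID differs from every sandbox's, the static list returns nothing while the derived check still fires, which is the gap the diary's "non-static mutex" discussion points at.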

The Use of Non-Static Mutex Values in Malicious Software

Malware authors who wish to employ mutex objects need a predictable way of naming those objects, so that multiple instances of malicious code running on the infected host can refer to the same mutex. A typical way to accomplish this has been to hard-code the name of the mutex. The author of TreasureHunter decided to use a more sophisticated approach of deriving the name of the mutex based on the system's Product ID. This helped the specimen evade detection in situations where incident responders or anti-malware tools attempted to use a

-- Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and. He also writes a security blog, where he contemplated using mutex objects and other infection markers for immunizing systems.


What Happened to You, Asprox Botnet?, (Sun, Mar 8th)

Sat, 03/07/2015 - 21:10

Earlier this year, @Techhelplistcom reported that the spam and landing site infrastructure used to spread Asprox malware had switched to porn-related URLs [1]. This started back in mid-January 2015, and I still haven't seen much about it in the open press. Since then, this infrastructure has continued spreading links to pornography or diet-related scams [2] [3].

We're still seeing the malicious emails with the same type of subject lines, but these typically have a zip file attachment with a JavaScript file (.js) inside. The image below contains an example of the malicious spam I've seen with fake toll road debt subject lines. These all have zip attachments containing .js files. This spam is Asprox-like in subject matter, but the malware is different from what we've previously seen with the Asprox botnet. I've asked a few other people about this. From what I can tell, no one yet

What happened to you, Asprox botnet? Are you only spreading spam, now?

The Asprox botnet first emerged in 2007 [4]. This botnet sent a large amount of spam over the years, including malicious spam (malspam) containing malware designed to infect a user's computer, making it part of the Asprox botnet.

This malspam had malicious zip file attachments, or it had links pointing to compromised servers hosting the malware.
Shown above: an Asprox botnet email with a link to the malware.

Sites like techhelplist.com have plenty of examples of Asprox emails [5]. In the absence of anything interesting, I could always find an email from the Asprox botnet and analyze some familiar malware. That's not the case now. This seems to be the end of an era, at least for the malware spam [6].

I've included some images below from the Asprox botnet emails I've collected over the past few months. Consider this an Asprox botnet greatest hits collection. Like many greatest hits compilations, I'm sure people will find their favorites missing from this collection.

---

Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://twitter.com/Techhelplistcom/status/558085217907638272
[2] https://twitter.com/Techhelplistcom/status/562997176729874432
[3] https://twitter.com/Techhelplistcom/status/570428997043032064
[4] http://www.trendmicro.com/media/wp/asprox-reborn-whitepaper-en.pdf
[5] https://techhelplist.com/index.php/component/tags/tag/11-asprox
[6] https://twitter.com/herrcore/status/573329942294884352


Should it be Mandatory to have an Independent Security Audit after a Breach?, (Sat, Mar 7th)

Sat, 03/07/2015 - 14:18

Security breaches seem to be the norm now. Home Depot, Target, Sony and JP Morgan Chase, to name a few, have in the recent past been victims of sophisticated system compromises that ultimately led to sensitive information being leaked into the open. It is difficult to tell how sophisticated each attack was, since we rarely ever see a report on how the attack took place and what could have been done to prevent it (remember the last step of incident response).

One of the latest victims is Anthem Inc., which may have been compromised as early as December 2014 over a period of several weeks. For those who have been victims of this attack, Anthem set up a website to sign up for Identity Theft Repair Credit Monitoring Services.

Coming back to my question, should it be mandatory to have an independent security audit performed against the affected systems after a severe breach? The resulting report would be made available to the victims to help them regain trust that their data is secure and, whenever necessary, is encrypted and protected. What do you think?

[1] https://www.anthem.com/health-insurance/home/overview
[2] https://www.anthemfacts.com
[3] http://www.oas.org/cyber/documents/IRM-5-Malicious-Network-Behaviour.pdf

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Cryptowall, again!, (Fri, Mar 6th)

Fri, 03/06/2015 - 03:23

A new variant of Cryptowall (an advanced version of CryptoLocker) is now using a malicious .chm file attachment to infect systems.

According to net-security.org, Bitdefender Labs has found a spam wave that spreads malicious .chm attachments.

CHM is the compiled version of HTML. It supports technologies such as JavaScript, which can redirect a user to an external link.

Once the content of the .chm archive is accessed, the malicious code downloads from the location http:// *********/putty.exe, saves itself as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process.

======================================

1-https://isc.sans.edu/diary/Traffic+Patterns+For+CryptoWall+3.0/19203

2-https://isc.sans.edu/forums/diary/Pay+attention+to+Cryptowall/18243/

3-http://www.net-security.org/malware_news.php?id=2981&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29


ISC StormCast for Friday, March 6th 2015 http://isc.sans.edu/podcastdetail.html?id=4385, (Fri, Mar 6th)

Thu, 03/05/2015 - 19:35

XML: A New Vector For An Old Trick, (Thu, Mar 5th)

Thu, 03/05/2015 - 10:53

October 2014 saw the beginning of an e-mail campaign spamming malicious Microsoft Office documents: mostly Word documents using the old binary format, but sometimes Excel documents and sometimes the new

The XML file contains an element (w:binData) with a base64 string as content. Its attribute (w:name=editdata.mso) reveals it is an MSO file. Decoding the base64 string, we end up with a binary stream with the header ActiveMime. 50 bytes into the stream (position 0x32), a ZLIB compression object starts. Inflating this object reveals an OLE file (header 0xD0CF11E0) containing the VBA macros.

This OLE file can be analyzed with my oledump tool, which I mentioned in a previous diary entry [1], but I just released a new version [2] that handles XML files directly. And Philippe Lagadec released a new version of his olevba tool yesterday [3].

Both tools are Python programs, giving you the means to analyze malicious Microsoft Office documents in any environment supporting Python, without Microsoft Office applications.

If you filter e-mail attachments that are Microsoft Office documents, you should check what your e-mail filter does with XML files. The XML declaration identifies the XML file as a Word document, and the attribute w:macrosPresent=yes (of element w:wordDocument) indicates the presence of VBA macros. Note that these strings are different for XML Excel documents.
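To make the two paragraphs above concrete (the ActiveMime/ZLIB/OLE unpacking and the mail-filter indicators), here is an added Python example that is not oledump, olevba or any other code from the diary. It builds a small constructed Word 2003 XML document in the described shape, with a synthetic OLE stand-in rather than the real sample (MD5 77739ab6c20e9dfbeffa3e2e6960e156), and then triages it: it checks the mso-application processing instruction that marks the file as a Word document, the w:macrosPresent="yes" attribute on w:wordDocument, and each w:binData part for the ActiveMime header, the zlib stream at offset 0x32 and the OLE magic. The w:docOleData wrapper and the processing-instruction text are taken from the Word 2003 XML format as I know it, not from the diary.

```python
import base64
import re
import zlib

# Signatures from the diary: the decoded w:binData stream starts with
# "ActiveMime", a zlib stream begins 50 bytes (0x32) in, and the inflated
# payload is an OLE compound file (header D0 CF 11 E0 ...) holding the VBA.
ACTIVEMIME_MAGIC = b"ActiveMime"
ZLIB_OFFSET = 0x32
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Mail-filter indicators. The mso-application processing instruction is the
# Word 2003 XML form (assumption from the format, not quoted in the diary);
# Excel XML uses different strings, so this check is Word-specific.
WORD_PROGID = b'<?mso-application progid="Word.Document"?>'
MACROS_PRESENT = re.compile(rb'<w:wordDocument\b[^>]*\bw:macrosPresent="yes"')
BINDATA = re.compile(rb'<w:binData\b[^>]*w:name="([^"]+)"[^>]*>(.*?)</w:binData>', re.S)


def unpack_mso(blob: bytes):
    """Return the inflated OLE bytes from an ActiveMime blob, or None if the
    header, the zlib stream or the OLE magic does not check out."""
    if not blob.startswith(ACTIVEMIME_MAGIC) or len(blob) <= ZLIB_OFFSET:
        return None
    try:
        # decompressobj tolerates trailing bytes after the zlib stream.
        inflated = zlib.decompressobj().decompress(blob[ZLIB_OFFSET:])
    except zlib.error:
        return None
    return inflated if inflated.startswith(OLE_MAGIC) else None


def triage_word_xml(xml_bytes: bytes) -> dict:
    """Collect the indicators a filter would act on for one XML attachment."""
    findings = {
        "is_word_xml": WORD_PROGID in xml_bytes,
        "macros_present": bool(MACROS_PRESENT.search(xml_bytes)),
        "mso_parts": [],
    }
    for m in BINDATA.finditer(xml_bytes):
        name = m.group(1).decode("ascii", "replace")
        blob = base64.b64decode(b"".join(m.group(2).split()))
        findings["mso_parts"].append({
            "name": name,
            "activemime": blob.startswith(ACTIVEMIME_MAGIC),
            "ole": unpack_mso(blob),
        })
    return findings


def should_quarantine(findings: dict) -> bool:
    """Policy: hold Word XML that declares macros or carries an OLE payload."""
    has_ole = any(p["ole"] is not None for p in findings["mso_parts"])
    return findings["is_word_xml"] and (findings["macros_present"] or has_ole)


def build_sample() -> bytes:
    """Constructed document in the shape the diary describes; the OLE part is
    a synthetic stand-in, not a real VBA project."""
    fake_ole = OLE_MAGIC + b"\x00" * 24 + b"constructed stand-in for the VBA project"
    mso = ACTIVEMIME_MAGIC.ljust(ZLIB_OFFSET, b"\x00") + zlib.compress(fake_ole)
    b64 = base64.b64encode(mso)
    return (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            b'<?mso-application progid="Word.Document"?>\n'
            b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"'
            b' w:macrosPresent="yes">\n'
            b'<w:docOleData><w:binData w:name="editdata.mso">' + b64 + b'</w:binData></w:docOleData>\n'
            b'<w:body><w:p><w:r><w:t>Invoice attached.</w:t></w:r></w:p></w:body>\n'
            b'</w:wordDocument>\n')


if __name__ == "__main__":
    result = triage_word_xml(build_sample())
    for part in result["mso_parts"]:
        print(part["name"], "ActiveMime" if part["activemime"] else "-",
              "OLE ok" if part["ole"] else "no OLE")
    print("quarantine:", should_quarantine(result))
```

The regexes are deliberately byte-level so the check works before any XML parser has been asked to trust the attachment; feeding the extracted OLE bytes to oledump or olevba is then the next step, exactly as the diary suggests.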

Until now, we have only seen XML Word documents. Please post a comment if you received another format, like XML Excel documents, if possible with a link to the VirusTotal entry.

The MD5 of the sample discussed in this diary entry is 77739ab6c20e9dfbeffa3e2e6960e156.

1: https://isc.sans.edu/diary/oledump+analysis+of+Rocket+Kitten+-+Guest+Diary+by+Didier+Stevens/19137
2: http://blog.didierstevens.com/programs/oledump-py
3: http://www.decalage.info/python/oletools


Cuckoo Sandbox 1.2 released http://cuckoosandbox.org/2015-03-04-cuckoo-sandbox-12.html, (Thu, Mar 5th)

Thu, 03/05/2015 - 09:01

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)
