
SANS ISC Internet Storm Center



Latest Diaries

ISC StormCast for Tuesday, July 22nd 2014 http://isc.sans.edu/podcastdetail.html?id=4071

Ivan's Order of Magnitude

Published: 2014-07-22
Last Updated: 2014-07-22 01:33:42 UTC
by Daniel Wesemann (Version: 1)
1 comment(s)

ISC reader Frank reports seeing a couple of odd DNS names in his DNS resolver log:

4e6.1a4bf.565697d.f52e1.306.60ae.766e0.mdleztmxhvxc.speakan.in. A=193.169.245.133  TTL=30 NS=193.169.245.133
3a.276965.3e6b39.cdaf104.da.e018.72c1a.mdleztmxhvxc.speakan.in. A=193.169.245.133  TTL=30 NS=193.169.245.133

As so often, the first step in the infection chain was a visit to a benign but unpatched and compromised WordPress website. It redirected to an intermediary, which in turn redirected to the domains above. The subsequent HTTP connection carrying the Java exploit attempt was stopped by the proxy filters in Frank's case, so no harm done.

But looking at public passive DNS records, it is obvious that "something" is going on, and has been for a long while. Domain names of this pattern have been observed since about November 2013 and are associated with the Magnitude Exploit Kit. Snort and Emerging Threats have decent signatures and flag the traffic as "MAGNITUDE EK".

The recently used domain names are all within the Indian TLD ".in". Checking the registration information, they were all registered to the same alleged "Ivan Biloev" from Moscow, and all of them via the same registrar (webiq.in). The registrar has even suspended a handful of the domains because of abuse, but apparently continues to let Ivan happily register new addresses. Maybe a registrar might want to have a chat with a customer whose domains were revoked before letting registrations for additional names go through?

Recent Magnitude mal-domains included, to name only a few: speakan.in, busyneeds.in, chancessay.in, futureroll.in, loadsbreak.in, suchimages.in, touchitems.in, waysheader.in, putsediting.in, regionwhole.in, resultsself.in, unlikesolve.in, advisefailed.in, closesthotel.in, comesexpands.in, installseven.in, deducecontact.in, poundscaptain.in, delayattempted.in, lawuniversitys.in, obviouslyheads.in
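As an added example (not part of the diary, and not a published signature), the following Python script applies the naming shape seen in Frank's two log lines to DNS resolver log entries in the same "<name> A=<ip> TTL=<n> NS=<ip>" format. The pattern it matches (a run of short hex-looking labels, then one long random lowercase label, then a two-word .in domain) is an assumption generalised from those two names, so the label counts are tunable; the sample log, the 198.51.100.7 address and the notonthelist.in domain are constructed for the demonstration, and the known-domain list is just the subset named in this diary. Hits are tagged as either known Magnitude apex domains or pattern-only matches, and the apex domains are grouped by the address they resolved to, which is the pivot one would then run against passive DNS.

```python
import re
from collections import defaultdict

# Subset of the registered domains this diary names as recent Magnitude EK infrastructure.
KNOWN_MAGNITUDE_DOMAINS = {
    "speakan.in", "busyneeds.in", "chancessay.in", "futureroll.in",
    "loadsbreak.in", "suchimages.in", "touchitems.in", "waysheader.in",
}

# Shape of the two names in Frank's log: several short hex labels, then one
# long all-lowercase label, then a two-word .in domain.  ASSUMPTION: this shape
# generalises beyond those two names; tune the counts against your own data.
MAGNITUDE_NAME_RE = re.compile(
    r"^(?:[0-9a-f]{2,8}\.){5,}"      # run of hex-looking labels
    r"[a-z]{10,16}\."                # one long random alpha label
    r"(?P<apex>[a-z]+\.in)\.?$"      # registered domain under .in
)

# Log line format as shown in the diary: "<qname> A=<ip> TTL=<n> NS=<ns>"
LOG_LINE_RE = re.compile(
    r"^(?P<qname>\S+)\s+A=(?P<a>\d{1,3}(?:\.\d{1,3}){3})\s+TTL=(?P<ttl>\d+)\s+NS=(?P<ns>\S+)"
)


def parse_log_line(line):
    """Parse one resolver log line; return None for lines in another format."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    return {"qname": m["qname"].lower(), "a": m["a"], "ttl": int(m["ttl"]), "ns": m["ns"]}


def classify(record):
    """Return (verdict, apex): 'clean', 'known-magnitude' or 'magnitude-pattern'."""
    m = MAGNITUDE_NAME_RE.match(record["qname"])
    if not m:
        return "clean", None
    apex = m["apex"]
    if apex in KNOWN_MAGNITUDE_DOMAINS:
        return "known-magnitude", apex
    return "magnitude-pattern", apex


def scan(lines):
    """Scan log lines; return the hit list and the apex domains seen per A-record IP."""
    hits = []
    by_ip = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        verdict, apex = classify(rec)
        if verdict == "clean":
            continue
        hits.append((rec["qname"], verdict, apex, rec["a"], rec["ttl"]))
        by_ip[rec["a"]].add(apex)
    return hits, dict(by_ip)


# Constructed sample log: Frank's two lines from the diary, one benign lookup,
# and one made-up name that fits the pattern but uses an apex not on the list.
SAMPLE_LOG = """\
4e6.1a4bf.565697d.f52e1.306.60ae.766e0.mdleztmxhvxc.speakan.in. A=193.169.245.133  TTL=30 NS=193.169.245.133
3a.276965.3e6b39.cdaf104.da.e018.72c1a.mdleztmxhvxc.speakan.in. A=193.169.245.133  TTL=30 NS=193.169.245.133
www.example.com. A=93.184.216.34  TTL=3600 NS=a.iana-servers.net
7c.9f1e2.0ab3c4d.e5f6.12.34ab.56cd7.qwertyuiopas.notonthelist.in. A=198.51.100.7  TTL=30 NS=198.51.100.7
"""

if __name__ == "__main__":
    hits, by_ip = scan(SAMPLE_LOG.splitlines())
    for qname, verdict, apex, ip, ttl in hits:
        print(f"{verdict:18} {apex:18} A={ip} TTL={ttl}  {qname}")
    for ip, apexes in by_ip.items():
        print(f"pivot: {ip} -> {sorted(apexes)}")
```

The low TTL (30 seconds) on the hits is worth noting in your own logs as a secondary indicator, since it lets the operator rotate addresses quickly, but it is not part of the match above because benign CDN names use short TTLs too.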

Brad over at malware-traffic-analysis.net has a write-up [1] on a recent sample. If you have current intel on Magnitude EK, the domain name patterns, the exploits pushed in the current set, etc, then please share in the comments below or via our contact form.
 

[1]  http://malware-traffic-analysis.net/2014/07/15/index.html

Keywords: exploitkit malware

OWASP Zed Attack Proxy

Published: 2014-07-21
Last Updated: 2014-07-22 01:25:08 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

Affectionately known as ZAP, the OWASP Zed Attack Proxy is an excellent web application testing tool. It finds its way into the hands of experienced penetration testers, newer security administrators, vulnerability assessors, as well as auditors and the curious. One of the reasons for its popularity is its ease of use and its extensive, granular capability to examine transactions. While some may know ZAP as a fork or successor to the old Paros proxy, it is so much more. Roughly 20% of the code base remains from Paros, meaning that the remainder is new code! ZAP is also one of the most active free open source projects around! There are so many excellent features, for example the automated scanner and the interception proxy. That is just for starters. ZAP is:

• Free, open source
• Involvement is actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Works well with other tools
• Reuses well-regarded components

Did I mention free?

ZAP has many features, some developed in the Google Summer of Code (GSoC) over the years. For penetration testers, ZAP has many new features such as Zest support and ZAP integration, advanced access control testing and user access comparison, advanced fuzzing, SOAP web service scanning, and more.

I gave a talk about ZAP at SANSFire recently, the slides can be found at: https://isc.sans.edu/diaryimages/BustacapinawebappwithOWASPZAPSANSFIRE2014.pdf

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

I will be teaching SANS SEC560 Network Penetration Testing in Albuquerque, NM.

