Last Updated: 2014-07-22 01:33:42 UTC
by Daniel Wesemann (Version: 1)
ISC reader Frank reports seeing a couple odd DNS names in his DNS resolver log
4e6.1a4bf.565697d.f52e1.306.60ae.766e0.mdleztmxhvxc.speakan.in. A=126.96.36.199 TTL=30 NS=188.8.131.52
3a.276965.3e6b39.cdaf104.da.e018.72c1a.mdleztmxhvxc.speakan.in. A=184.108.40.206 TTL=30 NS=220.127.116.11
As so often, the first step in the infection chain had been a visit to a benign, but unpatched and hacked Wordpress website. It redirected to an intermediary, which in turn redirected to the domains above. The subsequent http connection with Java exploit attempt was stopped by the proxy filters in Frank's case, so no harm done.
But looking at public passive DNS records, it is obvious that "something" is going on, and has been for a long while. Domain names of this pattern have been observed since about November 2013, and are associated with the Magnitude Exploit Kit. Snort and Emergingthreats have decent signatures, and flag the traffic as "MAGNITUDE EK".
The recently used domain names are all within the Indian TLD ".in", and checking the registration information, they were all registered by the same alleged "Ivan Biloev" from Moscow, and all of them via the same registrar (webiq.in). They even suspended a handful of the domains because of abuse, but they apparently continue to let Ivan happily register new addresses. Maybe a registrar might want to have a chat with a customer who had domains revoked, before letting registrations for additional names go through??
Recent Magnitude mal-domains included, only to name a few: speakan.in busyneeds.in chancessay.in futureroll.in loadsbreak.in suchimages.in touchitems.in waysheader.in putsediting.in regionwhole.in resultsself.in unlikesolve.in advisefailed.in closesthotel.in comesexpands.in installseven.in deducecontact.in poundscaptain.in delayattempted.in lawuniversitys.in obviouslyheads.in
Brad over at malware-traffic-analysis.net has a write-up  on a recent sample. If you have current intel on Magnitude EK, the domain name patterns, the exploits pushed in the current set, etc, then please share in the comments below or via our contact form.
Last Updated: 2014-07-22 01:25:08 UTC
by Adrien de Beaupre (Version: 1)
Affectionately know as ZAP the OWASP Zed Attack Proxy in an excellent web application testing tool. It finds its way into the hands of experienced penetration testers, newer security administrators, vulnerability assessors, as well as auditors and the curious. One of the reasons for its popularity is the ease of use and the extensive granular capability to examine transactions. While some may know ZAP as a fork or successor to the old Paros proxy,it is so much more. Roughly 20% of the code base remains from Paros, meaning that the remainder is new code! Also, ZAP is one of the most active free open source projects around! There are so many excellent features, for example the automated scanner and the interception proxy. That is just for starters. ZAP is:
•Free, Open source
•Involvement is actively encouraged
•Easy to use
•Easy to install
•Works well with other tools
•Reuses well regarded components.
Did I mention free?
ZAP has many features, some developed in the Google Summer of Code (GSoC) over the years. For penetration testers ZAP has many new features such as Zest support and ZAP integration, Advanced access control testing and user access comparison, Advanced Fuzzing, SOAP web service scanning, and more.
I gave a talk about ZAP at SANSFire recently, the slides can be found at: https://isc.sans.edu/diaryimages/BustacapinawebappwithOWASPZAPSANSFIRE2014.pdf
Adrien de Beaupré
If you have more information or corrections regarding our diary, please share.