(credit: Moyan Brenn)

The Windows 10 November update (version 1511, build 10586) included a handful of new security features to provide protection against some security issues that have kept on popping up in Windows for a number of years. Google yesterday added source code support for these features to the Chrome browser, making Windows 10 the best version of Windows to use with Google's browser.

Over the last few years, Windows has had a number of flaws that relate to its font handling. The TrueType and PostScript fonts that Windows supports are complex things, and for historic reasons, much of the code used to handle these fonts runs in Windows' kernel mode. This makes it attractive to attackers: if a bug exists in this font-handling code, it can be used to obtain kernel-level privileges.

Compounding this, the code is also quite exposed: a Word document, for example, can contain its own embedded fonts, and opening the document means that those embedded fonts will be loaded into the kernel. If the fonts are malicious, constructed to exploit bugs in the font-handling code, this can compromise your system simply by opening a document.

Read 11 remaining paragraphs | Comments



I was discussing malicious spam (malspam) with a fellow security professional earlier this week. He was examining malspam with zip attachments containing .js files. This is something Ive covered previously in ISC diaries [1, 2]. However, the traffic patterns he saw was somewhat different than Ive seen, so I figured its time to revisit this type of malspam.


This particular wave of .js malspam started on Wednesday 2016-02-03, and these emails were reported by My Online Security the same day [3]. " />

I found 13 messages with the following subject lines during the past two days:

  • Problem with the Order, Reference: #117931
  • Problem with the Order, Reference: #469155
  • Problem with Your Order, Reference: #543361
  • Problem with Your Purchase, Reference: #629146
  • Problem with Your Purchase, Reference: #913251
  • Problems with the Purchase, Reference Number #568643
  • Problems with Your Purchase, Reference Number #199837
  • Problems with Your Purchase, Reference Number #797440
  • Problems with Your Purchase, Reference: #113736
  • Troubles with the Order, Reference: #719684
  • Troubles with the Purchase, Reference Number #459991
  • Troubles with the Purchase, Reference Number #529057
  • Troubles with Your Order, Reference: #987848

Attachments names were different for each of the 13 messages:

  • Ali Washington.zip
  • Cary Harris.zip
  • Dino Hayden.zip
  • Garth Porter.zip
  • Hans Fitzgerald.zip
  • Harold Walter.zip
  • Leonel Mcneil.zip
  • Marc Harding.zip
  • Nickolas Baldwin.zip
  • Romeo Wright.zip
  • Stanley Floyd.zip
  • Ted Fields.zip
  • Ward Shea.zip

Each of the attachments were zip files that contained a .js file. " />

The script in these .js files is highly-obfuscated. however, I prefer to execute the .js files and see where the traffic takes us.

Traffic and malware

Each of the scripts tried to download and execute three malware items. " />

script.php_wndz1.jpg - 255.5 KB (261,632 bytes) - File type: Windows EXE

script.php_wndz2.jpg - 159.5 KB (163,328 bytes) - File type: Windows EXE

script.php_wndz3.jpg - 84.5 KB (86,528 bytes) - File type: Windows EXE

Based on the callback traffic reported on the first sample, that file appears to be CryptoWall. I havent had the time to dig into the other two items.

Final words

The malspam and malware samples can be found here. My thanks to Chris, who emailed me about this most recent wave of malspam.

Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic


[1] https://isc.sans.edu/forums/diary/Malicious+spam+continues+to+serve+zip+archives+of+javascript+files/19973/
[2] https://isc.sans.edu/forums/diary/Malicious+spam+with+zip+attachments+containing+js+files/20153/
[3] http://myonlinesecurity.co.uk/congratulations-your-order-has-been-shipped-out-parcel-441467-js-malware/
[4] https://isc.sans.edu/forums/diary/JavaScript+Deobfuscation+Tool/20619/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

If you're a gamer (or anyone else), this is not a screen you want to see. (credit: Bromium Labs)

It's still not clear how, but a disproportionately large number of websites that run on the WordPress content management system are being hacked to deliver crypto ransomware and other malicious software to unwitting end users.

In the past four days, researchers from three separate security firms have reported that a large number of legitimate WordPress sites have been hacked to silently redirect visitors to a series of malicious sites. The attack sites host code from the Nuclear exploit kit that's available for sale in black markets across the Internet. People who visit the WordPress sites using out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer can then find their computers infected with the Teslacrypt ransomware package, which encrypts user files and demands a hefty ransom for the decryption key needed to restore them.

"WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads," Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. "This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit."

Read 6 remaining paragraphs | Comments

WordPress User Meta Manager Plugin [Privilege Escalation]
WordPress User Meta Manager Plugin [Blind SQLI]

Yesterday, while investigating some Facebook click-bait, I came across a fake Flash update that is targeting OS X users. Fake flash updates have been very common to infect OS X. They do not rely on a vulnerability in the operating system. Instead, the user is asked to willingly install them, by making them look like genuine Adobe Flash warnings (and we keep telling users to make sure Flash is up to date, so they are likely going to obey the warning and install the update).

The Installer for the fake Flash update will install various scare ware (I observed a couple different varieties when re-running the installer), and it actually installs an up to date genuine version of Flash as well.

While I wasnt able to capture the exact trigger for the popup advertising the update, I suspect it was injected by one of the many ads on the page:

flash warning popup.

Once the user clicks on the popup, the following page offers the Flash Player update for download:

Antivirus coverage was pretty bad yesterday when I came across this (4 out of 51 on Virustotal). On a brand new OS X 10.11 install, the Installer appears to install a genuine copy of Adobe Flash in addition to Scareware that asks for money after informing you of various system problems.

The installer is signed with a valid Apple developer certificate issued to a Maksim Noskov:

I recorded a small video showing what happens when you install the update on a clean OS X 10.11 system:

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apple iOS v9.1, 9.2 & 9.2.1 - Application Update Loop Pass Code Bypass
[slackware-security] php (SSA:2016-034-04)

Network World

Startup PatternEx Launches AI Platform for Information Security
"The most frustrating thing in InfoSec is that the data to detect malicious behavior often already exists in enterprise infrastructures today," Veeramachaneni said. "The human analysts can detect it, but analysts are difficult to hire and are not ...
PatternEx Launches Company With First Artificial Intelligent Security AnalystDark Reading

all 8 news articles »
AST-2016-003: Remote crash vulnerability when receiving UDPTL FAX data.
AST-2016-002: File descriptor exhaustion in chan_sip
AST-2016-001: BEAST vulnerability in HTTP server
[CERT 777024 / CVE-2016-1524/5]: RCE and file download in Netgear NMS300
Dell SecureWorks iOS Application - MITM SSL Certificate Vulnerability
Internet Storm Center Infocon Status