Over the last two weeks we have seen a massive number of websites hosting a variant of the Angler exploit kit. It infects computers by downloading and executing a variant of TeslaCrypt 3.0, which encrypts files and gives them the .mp3 extension, and which is able to exploit the CWE-592 (authentication bypass) weakness in McAfee products. The computer where the analysis took place had McAfee Host IPS installed without the latest patches and updates.

When the TeslaCrypt executable runs, it tries to replicate itself several times, as shown in the following figure:

McAfee Host IPS blocks every one of these file creation attempts:

Then the McAfee Validation Trust Protection service stops. This is where the malware takes advantage of CWE-592:

A malware executable with a 12-character name is then successfully written to the filesystem:

TeslaCrypt starts the encryption process on all files on the computer:

This TeslaCrypt sample can detect when somebody tries to kill it, tamper with it, investigate it or perform any similar task, and responds by securely deleting as much evidence as it can from the hard drive.
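A quick triage check that follows from the behaviour above: TeslaCrypt 3.0 leaves encrypted files with a .mp3 extension, so a .mp3 file that carries neither an ID3v2 tag nor an MPEG frame sync at offset 0 is worth a closer look. The script below is an added example written for this diary, not code from the malware analysis or from McAfee; the directory tree and the file contents it scans are constructed inline so it runs offline, and the function and file names are mine.

```python
import os
import tempfile

# Constructed sample data (not taken from the infected host): a minimal
# ID3v2 tag, a bare MPEG audio frame header, and a blob that stands in for
# an encrypted document that only borrowed the .mp3 extension.
REAL_ID3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 32
REAL_FRAME = b"\xff\xfb\x90\x00" + b"\x00" * 32
ENCRYPTED = bytes(range(256))  # no ID3 tag, no frame sync


def looks_like_mp3(head: bytes) -> bool:
    """True if the leading bytes carry an ID3v2 tag or an MPEG frame sync."""
    if head[:3] == b"ID3":
        return True
    # MPEG audio frame sync is 11 set bits: 0xFF followed by a byte whose
    # top three bits are set (0xE0 mask).
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0


def find_suspect_mp3(root: str):
    """Walk root and return sorted, slash-separated relative paths of .mp3
    files that do not start like an MP3 file."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".mp3"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(16)
            except OSError:
                # Unreadable file (locked by the malware, permissions): skip,
                # but an analyst would want to log this separately.
                continue
            if not looks_like_mp3(head):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                suspects.append(rel)
    return sorted(suspects)


def build_sample_dir() -> str:
    """Create a temporary tree (constructed test data) with two genuine MP3
    headers, two renamed 'encrypted' documents and one untouched text file."""
    root = tempfile.mkdtemp(prefix="tesla_demo_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        "song.mp3": REAL_ID3,
        "clip.MP3": REAL_FRAME,
        "report.docx.mp3": ENCRYPTED,
        os.path.join("docs", "budget.xlsx.mp3"): ENCRYPTED,
        "notes.txt": b"untouched",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in find_suspect_mp3(build_sample_dir()):
        print("suspect:", hit)
```

Run it against a user profile or a file share to get a first list of candidates; genuinely corrupted audio files will also show up, so confirm hits by looking for the ransom note and for the original extension kept in front of .mp3, as in report.docx.mp3 above.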

Along with this trend, we have also seen many attempts by the LOCKY.A ransomware to infect computers through malicious emails directed at .co domains.

Please keep in mind some countermeasures to avoid infection by Angler EK or ransomware:

  • Implement strong antispam, antimalware and antiphishing procedures.
  • Keep operating systems patched against known vulnerabilities.
  • Install vendor patches as soon as they are distributed, after performing a full test procedure for each patch.
  • Train your users to be careful when opening attachments.
  • Configure antimalware software to automatically scan all email and instant-message attachments.
  • Configure email programs not to open attachments or render graphics automatically.
  • Ensure that the preview pane of your e-mail reader is turned off.
  • Use a browser plug-in like NoScript to block the execution of scripts and iframes.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Two sudden leaps in the number of advertised "hidden services" on Tor have led to rampant speculation about the cause of them. (credit: The Tor Project)

In recent weeks, the number of "hidden services"—usually Web servers and other Internet services accessible by a ".onion" address on the Tor anonymizing network—has risen dramatically. After experiencing an earlier spike in February, the number of hidden services tracked by Tor spiked to 114,000 onion addresses on March 1. They then dropped just as quickly, falling to just below 70,000 hidden services seen by Tor on Thursday—still twice the number that Tor had held steady at for most of 2015.

"We don't know what's causing this," said Kate Krauss, the director of communications and public policy for the Tor Project. "But it's not difficult for even one person—a researcher, for instance—to create a lot of new onion addresses—which is not the same as actual websites or services. In fact, we want the process of creating onion addresses to be as easy as possible to encourage the creation of more onion services. These spikes are typically temporary—and as you see from the chart, this one is already going away."

Still, there has never been this sort of wild gyration in the number of addresses in recent times—or at least as far back as the Tor Project has kept metric data. So what caused the sudden near-tripling of the size of Tor's hidden Web and its rapid contraction? Based on a deeper look at Tor's metrics and discussions with both Tor developers and security experts, the huge spike in the "size" of the hidden Web within Tor was likely caused by a perfect storm of coincidences: major Internet censorship events in at least two countries, the relatively rapid adoption of a new messaging tool, a malware explosion, and ongoing attempts to undermine the privacy of the network.



In the late 1990s, Microsoft Office macros were a favorite vehicle for surreptitiously installing malware on the computers of unsuspecting targets. Microsoft eventually disabled the automated scripts by default, a setting that forced attackers to look for new infection methods. Remotely exploiting security bugs in Internet Explorer, Adobe Flash, and other widely used software soon came into favor.

Over the past two years, Office macros have made a dramatic comeback that has reached almost a fever pitch in the past few months. Booby-trapped Excel macros, for instance, were one of the means by which Ukrainian power authorities were infected in the weeks or months leading up to December's hacker-caused outage that affected 225,000 people. "Locky," a particularly aggressive strain of crypto ransomware that appeared out of nowhere two weeks ago, also relies on Word macros. The return of macro-delivered malware seems to have begun in late 2014 with the advent of a then-new banking trojan called Dridex.

The return of the macro may have been a reaction to security improvements that Adobe, Microsoft, and Oracle have made to their software. Not only were the companies patching dangerous bugs more quickly, but in many cases they fortified their code with defenses that caused exploits to simply crash the application rather than force it to execute malicious code. Streamlined update mechanisms and greater end-user awareness of the importance of installing security patches right away may also have caused code-execution exploits to fall out of favor.


[SYSS-2015-058] Thru Managed File Transfer Portal 9.0.2 - Insecure Direct Object Reference (REVISED)
[SYSS-2015-059] Thru Managed File Transfer Portal 9.0.2 - Insecure Direct Object Reference (REVISED)
[SYSS-2015-060] Thru Managed File Transfer Portal 9.0.2 - Improperly Implemented Security Check for Standard (REVISED)
[SYSS-2015-064] Thru Managed File Transfer Portal 9.0.2 - Insecure Direct Object Reference (REVISED)
[SYSS-2015-053] innovaphone IP222/IP232 - Denial of Service
[security bulletin] HPSBPI03546 rev.1 - HP LaserJet Printers and MFPs, HP OfficeJet Enterprise Printers, Remote Disclosure of Information