Hackin9
Executable installers are vulnerable^WEVIL (case 31): MalwareBytes' installers allow arbitrary (remote) code execution WITH escalation of privilege
 
Executable installers are vulnerable^WEVIL (case 30): clamwin-0.99-setup.exe allows arbitrary (remote) code execution WITH escalation of privilege
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

One of our loyal readers, Gebhard, pointed out a nice post (in German) on how to slow down Locky if you are using a Samba server for file sharing in your environment. The technique takes advantage of fail2ban and some additional Samba logging to keep Locky from encrypting all the files on the share. It is worth a look. [de]: http://heise.de/-3120956 [en]: https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fheise.de%2F-3120956&edit-text=

Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
 


A security research firm announced Sunday its discovery of what is believed to be the world’s first ransomware that specifically goes after OS X machines.

"This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Ryan Olson, of Palo Alto Networks, told Reuters.

In an interview Sunday afternoon, Olson told Ars that he expected more Mac ransomware to proliferate.


 

It appears that a large number of websites, approximately 500, hosted on IP 192.185.225.116 are being used as PayPal phishing landing pages. That IP is registered to websitewelcome.com, but we have been told by customers that the IP is in use by the popular U.S. based web hosting company HostGator.

For example, when the FQDN of a legitimate web page on that IP is appended with:

~pbhanney/goobooker/avatars/user_uploaded/manage/ffe02d0542523d2fca9d479a2b50a948/

The issue has been reported to both HostGator and Paypal, so hopefully they can clean it up soon.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)

 