(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Multiple IBM DB2 Products CVE-2016-0211 Denial of Service Vulnerability
 
Multiple IBM DB2 Products CVE-2014-0919 Information Disclosure Vulnerability
 

I am sure what you really want is more malware ;-). But a few people asked for tricks to collect malware. Malware can be useful for a number of reasons: first of all, you can extract indicators of compromise from malware using various more or less automated methods. In addition, it is a good idea to keep an eye on what your users may be seeing, in particular if they receive e-mail from sources other than your corporate e-mail system.

Sadly, many corporations these days switch to cloud providers for e-mail. But it can still be useful to set up a relay to pre-filter your e-mail before it hits the cloud provider, to get insight into e-mail that your cloud provider's limited logs do not provide.

Personally, I am using postfix, so what I am going to talk about will be postfix specific (and some procmail, which may be used with other mail servers). If you have similar tricks for other mail servers, then please comment.

(1) improved logging

Quite often, a user (or maybe even an AV system) will flag an e-mail as suspect. If this turns out to be a real malicious e-mail (phishing, malware...), then it is nice to be able to quickly look for other e-mails with the same Subject or the same From address. To make this easier, I like to have Postfix log the From, To and Subject headers. You can easily accomplish this with header checks. In postfix, header checks are normally used to filter e-mail with specific headers, but if you flag a header with a WARN action, the header is only logged. I added the following lines to my header_checks file to log the Subject, To, and From:

/^subject:/      WARN
/^to:/           WARN
/^from:/         WARN
/^Subject:/      WARN
/^To:/           WARN
/^From:/         WARN

You then need to add the following line to your main.cf to use these header checks:

header_checks = regexp:/etc/postfix/header_checks

(/etc/postfix/header_checks is the name of the file. Yours may be different)

You will now see lines like this in your maillog:

Sep  6 15:26:50 mail postfix/cleanup[24158]: 39B0D7FFA9: warning:  [email protected] [email protected] proto=ESMTP helo=[39.46.86.81]

Next, a little procmail trick that will get rid of most current malicious e-mail: a simple check to see if any compressed attachments include files with known bad extensions:

:0 B
{
        :0 fbhw
        | /usr/local/bin/mime-zip-trojan.pl
}

mime-zip-trojan.pl is an amazingly simple perl script. You can very easily modify it to extend the extension blacklist. (I can't bring up the site for this script right now, so please trust the Google to find it for you.)

The script doesn't block anything; instead, it just adds a header to the e-mail (X-Zip-Trojan: Yes) that you can then use to filter the e-mail with additional procmail rules.

Finally, you should of course send all e-mail (including e-mail flagged by mime-zip-trojan.pl) through an AV scanner so you don't waste your time analyzing old malware.

One thing you SHOULD NEVER do: send all attachments to Virustotal. Virustotal is a great service, and they offer some tools to automate submissions. But do not send anything beyond a hash unless you are pretty sure it is malicious and absolutely sure it is not confidential. Any files sent to Virustotal are made available to researchers and others.
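To show what the procmail filter step above and the hash-only advice look like together, here is an added example written for this diary, not the mime-zip-trojan.pl script itself or anything from its author. It is a procmail-style filter: it reads a message on stdin, opens every zip attachment in memory, lists the member names against an extension blacklist (my own assumed list; the original script keeps its own), follows zips nested inside zips up to a depth limit, treats an unreadable or encrypted member as a hit rather than waving it through, and writes the message back out with X-Zip-Trojan: Yes added when anything matched. It also adds one X-Attachment-SHA256 header per attachment, so the hash alone, rather than the file, is what gets looked up. The sample message and zip are constructed in the block; the header names beyond X-Zip-Trojan are my invention.

```python
import hashlib
import io
import sys
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blacklist of extensions that have no business arriving inside a zip
# from outside; extend to taste. Matched against lower-cased member names.
BAD_EXTENSIONS = (".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                  ".cmd", ".bat", ".pif", ".com", ".cpl", ".jar", ".lnk", ".ps1")
MAX_DEPTH = 3  # how many zip-in-zip levels to descend


def bad_names_in_zip(data, depth=0):
    """Return member names with a blacklisted extension, descending into nested
    zips up to MAX_DEPTH. Unreadable or encrypted content is reported as a hit
    because the filter cannot vouch for it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]
    hits = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(BAD_EXTENSIONS):
                hits.append(name)
            elif lower.endswith(".zip") and depth < MAX_DEPTH:
                if info.flag_bits & 0x1:  # member is encrypted, cannot inspect
                    hits.append(name + " <encrypted>")
                    continue
                inner = zf.read(info)
                hits.extend(name + "/" + h for h in bad_names_in_zip(inner, depth + 1))
    return hits


def tag_message(raw):
    """Parse a raw RFC 5322 message, inspect its zip attachments and return
    (message_bytes, hits). Adds X-Zip-Trojan: Yes when hits is non-empty and an
    X-Attachment-SHA256 header per attachment for hash-only lookups."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        msg["X-Attachment-SHA256"] = hashlib.sha256(payload).hexdigest() + " " + filename
        ctype = part.get_content_type()
        if filename.lower().endswith(".zip") or ctype in ("application/zip", "application/x-zip-compressed"):
            hits.extend(filename + ":" + h for h in bad_names_in_zip(payload))
    if hits:
        msg["X-Zip-Trojan"] = "Yes"
        msg["X-Zip-Trojan-Members"] = ", ".join(hits)
    return msg.as_bytes(), hits


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (used for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message(zip_bytes):
    """Constructed sample message with a single zip attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "alice@example.org"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    # Behaves like the procmail "fbhw" filter: message in on stdin, tagged message out.
    out, _ = tag_message(sys.stdin.buffer.read())
    sys.stdout.buffer.write(out)
```

Dropping the script in place of mime-zip-trojan.pl in the recipe above gives the same workflow: the filter never rejects, later procmail rules decide what to do with X-Zip-Trojan: Yes, and the SHA256 headers are what you paste into a hash lookup.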

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 
NTP CVE-2016-1551 Remote Security Vulnerability
 
Siemens EN100 Ethernet Module CVE-2016-7112 Authentication Bypass Vulnerability
 
Siemens EN100 Ethernet Module CVE-2016-7113 Denial of Service Vulnerability
 
Siemens EN100 Ethernet Module CVE-2016-7114 Authentication Bypass Vulnerability
 


Another major site breach from four years ago has resurfaced. Today, LeakedSource revealed that it had received a copy of a February 2012 dump of the user database of Rambler.ru, a Russian search, news, and e-mail portal site that closely mirrors the functionality of Yahoo. The dump included usernames, passwords, and ICQ instant messaging accounts for over 98 million users. And while previous breaches uncovered by LeakedSource this year had at least some encryption of passwords, the Rambler.ru database stored user passwords in plain text—meaning that whoever breached the database instantly had access to the e-mail accounts of all of Rambler.ru's users.

The breach is the latest in a series of "mega-breaches" that LeakedSource says it is processing for release. Rambler isn't the only Russian site that has been caught storing unencrypted passwords by hackers. In June, a hacker offered for sale the entire user database of the Russian-language social networking site VK.com (formerly VKontakte) from a breach that took place in late 2012 or early 2013; that database also included unencrypted user passwords, as ZDNet's Zach Whittaker reported.

The Rambler database shows that its users had the same proclivity toward using weak passwords as users of other sites breached during the same period—the most common password, used by 723,039 users, was "asdasd," followed by 437,638 accounts that used "asdasd123." The majority of the top 50 passwords were simple numerical sequences. While that would be expected for "throwaway" passwords for sites with relatively low levels of privacy data (such as Last.fm), Rambler provides e-mail services—so the risk to user privacy of weak passwords was much higher.


 
SSL/TLS Protocol CVE-2016-2183 Information Disclosure Vulnerability
 
Red Hat JBoss BPMS CVE-2016-7033 Multiple HTML Injection Vulnerabilities
 
cURL/libcURL CVE-2016-5420 Certificate Validation Security Bypass Vulnerability
 
ADOdb CVE-2016-4855 Cross Site Scripting Vulnerability
 