(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

ISC reader Eric Volking submitted a very nice sample of some PowerShell based malware. Let's take a look! The malware starts in the traditional way, by launching itself with an autorun registry key. The autorun key contains:

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp HKCU:\Software\Classes\UBZZXDJZAOGD

Upon startup this will launch PowerShell and execute the Base64 (UTF-16LE) encoded script stored in the registry path shown above, in the key XLQWFZRMYEZV. That script, when decoded, contains something that looks like the block of code below. For readability, I've removed a large blob of text from the script and collapsed the two functions that the malware uses to decrypt and extract the payload.

This script decodes a big blob of Base64 encoded data that is stored in the variable $eOIzeGbcRBwsK. It decrypts it with the key stored in variable $DUUZTJAPEMZ and inflates the gzip encoded data. Windows PowerShell ISE makes getting to the decrypted data painless. On my malware analysis VM, I open the script in PowerShell ISE, right-click on line 43 and select Toggle Break Point. Line 43 assigns the decrypted payload to variable $eOIzeGbcRBwsK. I execute the script and the ISE breakpoint dutifully stops on the selected line. My PowerShell prompt changes to [DBG]: PS C:\Users\mark, letting me know I am in the middle of debugging the script. I can use my PowerShell prompt to inspect or change variables. I can also export the contents of that variable to another file. I go to the bottom of the ISE and type $eOIzeGbcRBwsK | out-file -FilePath .\decoded.ps1.

Now I can open up the file decoded.ps1 and see the unencrypted payload. In decoded.ps1 we find a modified version of Invoke-ReflectedPEInjection. The malware authors have obviously used part of the PowerSploit framework in their attack. PowerSploit is a very useful framework to penetration testers and network defenders alike, so it doesn't surprise me that bad actors find value in it also. Invoke-ReflectedPEInjection will load a Windows EXE into memory and launch it without it ever writing to the hard drive. So where does the script get its EXE?

if ([IntPtr]::Size -eq 8) {

The script is checking the size of an IntPtr to determine if the victim is a 32 bit or a 64 bit system. Depending upon the architecture it extracts a 32 bit or 64 bit version of the malware from the registry and launches it using Invoke-ReflectedPEInjection.

By using PowerShell the attackers have been able to put malware that might otherwise be detected on a hard drive into the Windows Registry. (Dear Trolls, Yes, I know the registry is technically on the hard drive.) As network defenders we should familiarize ourselves with these techniques and how to use PowerShell ISE to examine the scripts.
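To turn the manual steps above into something repeatable, here is an added triage helper (my example, not code from the diary or from the malware). It walks the per-user and machine Run keys, flags entries that launch powershell.exe with FromBase64String, fetches the registry blob they reference and decodes it, picking UTF-16LE or ASCII from the bytes rather than assuming one. The function names are my own, and since the diary's command line is cut off before the value name, the "(gp <path>).<value>" shape the helper looks for is an assumption about how the blob is referenced.

```powershell
# Added example (not the diary's code): read-only triage of Base64 autoruns.
# Assumptions: function names, and that the autorun reads its blob as
# "(gp <path>).<valuename>" (inferred, the diary's command line is truncated).

function ConvertFrom-Base64Script {
    param([Parameter(Mandatory)][string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64)
    # A UTF-16LE script (what -EncodedCommand expects) has 0x00 as every second
    # byte of plain ASCII text; an ASCII blob like this sample's has none.
    $nulls = @($bytes | Where-Object { $_ -eq 0 }).Count
    if ($bytes.Length -ge 2 -and $nulls -ge [math]::Floor($bytes.Length * 0.4)) {
        return [Text.Encoding]::Unicode.GetString($bytes)
    }
    return [Text.Encoding]::ASCII.GetString($bytes)
}

function Get-EncodedAutorun {
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $psNoise) { continue }   # provider metadata, not autoruns
            $cmd = [string]$p.Value
            if ($cmd -notmatch 'powershell' -or $cmd -notmatch 'FromBase64String') { continue }
            $decoded = '<referenced blob not found>'
            # Pull the path and value name out of "(gp HKCU:\...\Key).ValueName"
            if ($cmd -match '\(gp\s+([^\s)]+)\)\.(\w+)') {
                $src = Get-ItemProperty -Path $Matches[1] -ErrorAction SilentlyContinue
                if ($src -and $src.($Matches[2])) {
                    $decoded = ConvertFrom-Base64Script ([string]$src.($Matches[2]))
                }
            }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Decoded = $decoded }
        }
    }
}

# Same export step as the diary's out-file, but for every hit at once:
# Get-EncodedAutorun | ForEach-Object { $_.Decoded | Out-File -FilePath ".\decoded_$($_.Name).ps1" }

# Constructed self-check: a UTF-16LE blob round-trips back to the original text.
$sample = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Host "hello"'))
ConvertFrom-Base64Script $sample
```

The decoded text is only the first layer; as the diary shows, the real payload is still encrypted and gzip-compressed inside it, so the breakpoint trick in ISE remains the quickest way to the final stage.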

Thanks for the submission Eric!

Check out SEC573 at one of our upcoming events! https://www.sans.org/course/python-for-pen-testers Already know Python?? Prove it! http://www.giac.org/certification/python-coder-gpyc

Follow me on twitter https://twitter.com/markbaggett

Mark Baggett


Not that kind of crack. (credit: Geoff Parsons)

The custom firmware that the FBI would like Apple to produce in order to unlock the San Bernardino iPhone would be the most straightforward way of accessing the device, allowing the federal agency to rapidly attempt PIN codes until it found the one that unlocked the phone.

But it's probably not the only way to achieve what the FBI wants. There may well be approaches that don't require Apple to build a custom firmware to defeat some of the iPhone's security measures.

The iPhone 5c used by the San Bernardino killers encrypts its data using a key derived from a combination of an ID embedded in the iPhone's processor and the user's PIN. Assuming that a 4-digit PIN is being used, that's a mere 10,000 different combinations to try out. However, the iPhone has two protections against attempts to try every PIN in turn. First, it inserts delays to force you to wait ever longer between PIN attempts (up to one hour at its longest). Second, it has an optional capability to delete its encryption keys after 10 bad PINs, permanently depriving access to any encrypted data.


The Internal Revenue Service has temporarily suspended use of its Identity Protection PIN tool "as part of its ongoing security review," according to a notice issued by the IRS. The IP PIN is supposed to act as an extra layer of security for taxpayers who are at higher risk of becoming the victims of fraud because of personal information leaked in commercial data breaches.

Last year, the IRS shut down an electronic tool for obtaining tax data after a massive fraud operation using stolen Social Security numbers and other data from commercial data breaches managed to extract filing data for hundreds of thousands of taxpayers. This year, the IRS is facing a new wave of fraud, as criminals engage in a phishing campaign to obtain employees' W-2 form data.

On March 1, the IRS issued a warning to human resources departments throughout the US about the wave of phishing attacks—e-mails purportedly from company CEOs directed to payroll or HR employees, usually with text such as:



A lot of attention has been paid lately to the Cryptowall / Ransomware family (as in crime family) of malware. What I get asked a lot by clients is: how can I prepare for / prevent an infection?

Prepare is a good word in this case; it encompasses both prevention and setting up processes for dealing with the infection that will inevitably happen in spite of those preventative processes. Plus, it's the first step in the Preparation / Identification / Containment / Eradication / Restore Service / Lessons Learned Incident Handling process (see SANS SEC 504, or ask anyone with GCIH after their name).

My best advice is - look at how the infection happens, and make this as difficult as possible for the attacker, the same as you would try to prevent any malware. Most malware these days outsources the delivery mechanism - so Cryptowall is typically delivered by an exploit kit. These days, that typically means the Angler, Rig, or maybe Nuclear exploit kits (Angler being the most prevalent at the moment). These kits aren't magic; they generally try to exploit old versions of Java, Flash, Silverlight or take advantage of missing Windows updates. When patches come out, the authors of these kits reverse the patches and bolt the exploits into their kit. We've analyzed several versions of these kits over the last few years, most recently Manuel's post last week.

So to help prevent these kits from working, we need to give them fewer toeholds in your environment - start by uninstalling these add-ons (Java, Flash and Silverlight) across the board.

If you can't uninstall them, be sure that you are patched up, and that as new patches and updates come out you have an AUTOMATED way of keeping them up to date. But seriously, if you can, uninstall them. Maybe you needed Java and Flash 5 years ago; my bet is that you don't need them now. And you likely never needed Silverlight.

Keep your Windows desktops and servers patched up. Patch on Patch Tuesday already!! Patch Tuesday was yesterday - have you patched yet? Have you rebooted your patched servers yet so the patches are actually live? Is there a really good reason why not?

Know what's on your network, and be sure it's all patched as patches and updates are released. If you've got old gear that isn't being updated anymore, it's time to retire and replace those stations.
Know what software is running on each of your workstations, and be sure that's all patched or updated as updates come out.
Hardware, OS and Software inventory is one of the basics - you need to automate this as much as possible, because not everything on the network always comes in through IT. Think TVs, projectors, exercise equipment, thermostats and HVAC systems, door controls, fridges and teapots (yes, teapots) - the list only starts there. Everybody seems to be entitled to bolt things onto your network.
Those appliances on your network aren't immune to malware; they're likely more susceptible because they don't get patched. That 20 Ton press on your shop floor? That IV pump? They're both likely running a 10 year old OS (either XP or a Linux variant). Even if you bought them last week they might be running an OS that old; even in the best case it'll be months or years behind in patches.
Uninstall any software that you don't need. You can't infect what isn't there.
Be sure that folks aren't running as administrator on their workstations, and don't have access to that set of rights.

Is that it, you ask? Nope - Cryptowall almost always comes in via email as SPAM. If you don't have a decent anti-spam solution, it's time to get one! If your firewall has the capability of running attachments in a sandbox (for instance, Palo Alto and Cisco both have this), it's time to crank this feature up.

Block attachments that will execute (exes, msis, scrs, jars, cmd, bat, etc)

Block zip files with passwords

What else should you have in place?
Using Group Policy, force your users to store their data on a network share rather than their local disk (redirect my documents etc).
Be sure that you have control of the ACLs on your server shares. The days of "we trust our users" are long gone - you can't trust your users' malware, so if you don't have a "you have access to what you need and only that" policy, it's time. Those permit-all directories were all created in the 1990s, and it's time to rethink them - Read Only is your friend! There is very little data in your organization that everyone needs read/write access to, but that's what we so often see, and that's what things like Cryptowall take advantage of.

Also using Group Policy, disable Macros in Microsoft Office, and disable VBS while you're at it. You can do this station by station, but the true win for a medium to large organization is using Group Policy to enforce a consistent set of rules across the board. The Australian Cyber Security Centre has a nice document that outlines possible settings, depending on your organization's requirements. Me, I'd say disable all of it. As awesome as document automation is, running someone else's automation to destroy your data is the exact opposite of awesome! If you use automation within your organization, trust your own macros and disable the rest (yes, you can do that and yes, it's easy - stay tuned, I'll write this up in the next week or so).
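The checklist above (uninstall Java/Flash/Silverlight, keep users out of the local Administrators group) and the macro / VBS policy point in this paragraph are all things you can audit from a single workstation before rolling the Group Policy out. Here is an added example (my code, not the diary's) that does a read-only audit of those items. The function names and the Office version number are my assumptions; the registry locations are the standard Office policy keys (VBAWarnings and blockcontentexecutionfrominternet under Software\Policies\Microsoft\Office\<version>\<app>\Security) and the Windows Script Host Settings key.

```powershell
# Added example (not the diary's code): read-only audit of one workstation
# against the prep list. Assumed: function names and Office version 16.0.

function Get-RiskyAddOn {
    # Java, Flash and Silverlight register under the Uninstall keys; read both
    # the native and the WOW6432Node view so a 32-bit JRE on x64 is not missed.
    $paths = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|Flash Player|Silverlight' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Test-UserIsLocalAdmin {
    # Membership of BUILTIN\Administrators (S-1-5-32-544) in the token, which is
    # what matters here, not whether the current process happens to be elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
}

function Get-MacroPolicy {
    param([string]$OfficeVersion = '16.0')   # use 15.0 for Office 2013
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable without notification.
    # blockcontentexecutionfrominternet = 1 blocks macros in files from the Internet zone.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $v = $null
        foreach ($hive in 'HKCU', 'HKLM') {   # policy may live in either hive; take the first found
            $key = "${hive}:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
            if (-not $v) { $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue }
        }
        [pscustomobject]@{
            Setting  = "$app macros"
            Value    = $v.VBAWarnings
            Enforced = ($v.VBAWarnings -in 3, 4) -and ($v.blockcontentexecutionfrominternet -eq 1)
        }
    }
    # Windows Script Host (VBS/JS) stays on unless Enabled is explicitly 0.
    $wsh = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows Script Host\Settings' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Setting = 'Windows Script Host'; Value = $wsh.Enabled; Enforced = ($wsh.Enabled -eq 0) }
}

function Invoke-RansomwarePrepAudit {
    $addOns = @(Get-RiskyAddOn)
    $macros = @(Get-MacroPolicy)
    [pscustomobject]@{
        RiskyAddOnsInstalled = $addOns.Count
        AddOns               = $addOns
        UserIsLocalAdmin     = Test-UserIsLocalAdmin
        MacroPolicyGaps      = @($macros | Where-Object { -not $_.Enforced })
    }
}

Invoke-RansomwarePrepAudit | Format-List
```

Anything listed under MacroPolicyGaps or a non-zero RiskyAddOnsInstalled is a Group Policy or uninstall job, not something to fix by hand on one machine; the point of the audit is to see how far the fleet is from the "disable all of it" setting before you push it.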

Get some semblance of a Security Awareness program going in your workplace. Folks should know NOT to click links or open attachments in email. This won't protect them from malvertising, but it's a great start. It also won't protect you after that second click. Once a user has clicked OK to run malware, each successive click comes easier and with less thought. After the second click it's a foregone conclusion; they're determined to get to the end - if the malware is any good that person (and their workstation) is compromised.

Hopefully, with the list above, you've got a number of layers in your defence-in-depth (yes, I had to say it) strategy. But in the end, the link between the keyboard and the chair really is your last line of defense.

Have an incident response plan. Be sure that nobody is talking about cleaning workstations or servers. The absolute best recovery from any malware infection is nuke from orbit - wipe the drive and re-image from scratch.

BE SURE YOUR BACKUPS ARE UP TO DATE. Be sure that you can recover yesterday's files, last week's files and last month's files. Cryptowall attacks are often delayed, so that they get better coverage to help avoid detection. Know that in the end, you will be compromised, and you will need to do the Incident Response and data recovery thing.

Does this list sound familiar? I'm hoping so - essentially it's the first 14 of the 20 CIS Critical Controls https://www.sans.org/critical-security-controls and https://www.cisecurity.org/critical-controls/.

Is this list complete? I'm guessing not - what important thing am I missing? Please, use our comment form and let us know what you've been doing to stem the tide of malware we're seeing lately.

Rob VandenBrink
