Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
LibVNCServer CVE-2014-6055 Multiple Stack Based Buffer Overflow Vulnerabilities
 
RSyslog and sysklogd CVE-2014-3634 Denial of Service Vulnerability
 
Mediawiki 'OutputPage.php' Cross Site Scripting Vulnerability
 
Xen CVE-2014-7188 Denial of Service Vulnerability
 
[security bulletin] HPSBHF03136 rev.1 - HP TippingPoint NGFW running OpenSSL, Remote Disclosure of Information
 

Hassan submitted this story:

While reviewing our IDS logs, we noticed an alert for IRC botnet traffic coming from multiple servers in a specific VLAN.

Ouch! One thing I keep saying in our IDS class: if your servers all of a sudden start joining IRC channels, then they are either very bored or very compromised. But let's see how it went for Hassan. Hassan had what every analyst wants: pcaps! So he looked at the full packet capture of the traffic:

The traffic wasn't 100% IRC, but it looked suspicious.

Further analysis showed that the traffic originated from servers that were currently in the process of being moved between hosts via vMotion. The content of the memory / disk being transferred

Using volatility we took a vaddump of the memory dump and searched the individual process dumps for the string pattern to identify the infected process.

We found out that this part of the memory belongs to the AV process :). Apparently part of its signatures expanded in the memory during the scan.

Great work Hassan! This one was a good one, and yes, anti-virus patterns will often contain malicious strings and can trigger an IDS if it spots these strings in transit. The signatures as downloaded from the vendor are usually encrypted, compressed or otherwise obfuscated, so your IDS doesn't recognize these patterns on the way in. But once loaded into memory on the host, the signatures are in the clear, and anything that copies that memory across the network (a vMotion migration, in this case) will carry them past the sensor unobfuscated.
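The triage step Hassan describes (run vaddump, then search the per-region dump files for the string the IDS fired on, and read the owning process off the file name) is easy to script. The following is an added example written for this diary, not Hassan's or the ISC's code and not part of Volatility. It assumes a dump file naming layout of `<process>.<pid>.<start>-<end>.dmp`, which is a simplification chosen for the example; adjust `DUMP_NAME` to whatever your Volatility version actually writes. The sample dump files and the `JOIN #` pattern are constructed inline so the script runs offline.

```python
"""Map an IDS-matched byte pattern back to the process whose memory holds it.

Added example, not from the ISC diary: given a directory of per-VAD dump
files (as produced by a Volatility-style `vaddump`), find every file that
contains the pattern and report the owning process, PID and virtual address.
Filename layout <process>.<pid>.<start>-<end>.dmp is an assumption for this
example; the sample dumps below are constructed, not real memory.
"""
import os
import re
import tempfile
from collections import defaultdict

# Assumed layout of vaddump output names (hypothetical for this example).
DUMP_NAME = re.compile(
    r"^(?P<proc>.+?)\.(?P<pid>\d+)\.(?P<start>0x[0-9a-fA-F]+)-(?P<end>0x[0-9a-fA-F]+)\.dmp$"
)


def find_pattern_owners(dump_dir, pattern):
    """Return {(process, pid): [virtual addresses]} for every hit of `pattern`.

    The virtual address is the region start taken from the file name plus the
    byte offset of the match inside that file, so it can be cross-checked
    against the process's own memory map.
    """
    hits = defaultdict(list)
    for name in sorted(os.listdir(dump_dir)):
        m = DUMP_NAME.match(name)
        if not m:
            continue  # not a dump file (e.g. a README), skip it
        with open(os.path.join(dump_dir, name), "rb") as fh:
            data = fh.read()
        region_start = int(m["start"], 16)
        pos = data.find(pattern)
        while pos >= 0:
            hits[(m["proc"], int(m["pid"]))].append(region_start + pos)
            pos = data.find(pattern, pos + 1)
    return dict(hits)


def build_sample_dumps(dump_dir):
    """Write constructed dump files: a clean process region, an AV scanner
    region holding an IRC-style signature string in the clear, and a stray
    non-dump file that the scanner must ignore."""
    filler = bytes(range(256)) * 64  # deterministic filler, never contains "JOIN #"
    with open(os.path.join(dump_dir, "svchost.exe.1204.0x00400000-0x0041ffff.dmp"), "wb") as fh:
        fh.write(filler)
    # The AV engine expanded a signature at offset 4096 of this region.
    signature_blob = b"\x00" * 4096 + b"JOIN #botnet\r\nPRIVMSG" + filler[:1024]
    with open(os.path.join(dump_dir, "avscan.exe.2216.0x02100000-0x0213ffff.dmp"), "wb") as fh:
        fh.write(signature_blob)
    with open(os.path.join(dump_dir, "README.txt"), "wb") as fh:
        fh.write(b"JOIN # appears here too but this is not a dump file\n")


def report(hits):
    """Render the hits as one line per process, mirroring what an analyst
    would paste into a ticket."""
    lines = []
    for (proc, pid), addrs in sorted(hits.items()):
        where = ", ".join(hex(a) for a in addrs)
        lines.append(f"{proc} (pid {pid}): pattern at {where}")
    return "\n".join(lines)


def demo(pattern=b"JOIN #"):
    """Build the constructed dumps in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_dumps(d)
        return find_pattern_owners(d, pattern)


if __name__ == "__main__":
    print(report(demo()))
```

With the constructed data the only owner reported is `avscan.exe`, which is exactly the outcome in the diary: the "IRC" string lives in the AV process's own signature memory, not in an infected service. In a real case, run the same scan for each IDS rule content string that fired, and treat a hit that lands in a process other than the scanner as the one worth pulling into incident response.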

---
Johannes B. Ullrich, Ph.D.

 
LinuxSecurity.com: Several security issues were fixed in Bash.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Exuberant Ctags could be made to consume resources.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: APT could be made to overwrite files.
 
[security bulletin] HPSBMU03110 rev.1 - HP Sprinter, Remote Execution of Code
 
[security bulletin] HPSBMU03127 rev.1 - HP Operations Manager for UNIX, Remote Code Execution
 
[SECURITY] [DSA 3048-1] apt security update
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software
 
[Onapsis Security Advisory 2014-033] SAP Business Warehouse Missing Authorization Check
 
[Onapsis Security Advisory 2014-029] SAP Business Objects Information Disclosure
 
[Onapsis Security Advisory 2014-030] SAP Business Objects Denial of Service via CORBA
 
[Onapsis Security Advisory 2014-031] SAP Business Objects Information Disclosure via CORBA
 
Two XSS in Contact Form DB WordPress plugin
 
Reflected Cross-Site Scripting (XSS) in EWWW Image Optimizer WordPress Plugin
 
[SECURITY] [DSA 3047-1] rsyslog security update
 
Reflected Cross-Site Scripting (XSS) in Google Calendar Events WordPress Plugin
 
IBM WebSphere Application Server CVE-2014-3083 Unspecified Information Disclosure Vulnerability
 

Posted by InfoSec News on Oct 09

http://www.csoonline.com/article/2692415/data-protection/an-inside-look-at-russian-cybercriminals.html

By Antone Gonsalves
CSO
Oct 8, 2014

A detailed look at Russian cybercriminals focused on accessing online
banking accounts reveals an effective hidden system for spreading malware
through compromised websites.

The criminal operation, described in a report released Tuesday by email
security company Proofpoint, has infected 500,000 mostly...
 

Posted by InfoSec News on Oct 09

http://news.techworld.com/security/3575748/symantec-reportedly-in-talks-to-split-into-storage-and-security-units/

By John Ribeiro
Techworld.com
08 October 2014

Taking a cue from Hewlett-Packard and eBay, Symantec is said to be in
talks to carve out the company into two entities.

One of the entities will focus on storage while the other will address the
security business, reported Bloomberg, citing people who asked not to be
identified...
 

Posted by InfoSec News on Oct 09

https://www.techdirt.com/articles/20141004/07211128727/mythical-almost-certainly-made-up-legend-walter-obrien-continues-to-grow.shtml

By Mike Masnick
Techdirt.com
Oct 6th 2014

A few weeks ago, we wrote about "Walter O'Brien," the guy who is supposed
to be the basis of the CBS TV show Scorpion. The problem we had was that
O'Brien made a ton of absolutely fantastical claims and, after doing a
little fact checking, none of...
 

Posted by InfoSec News on Oct 09

http://dealbook.nytimes.com/2014/10/08/cyberattack-on-jpmorgan-raises-alarms-at-white-house-and-on-wall-street/

By MICHAEL CORKERY, JESSICA SILVER-GREENBERG and DAVID E. SANGER
The New York Times
OCTOBER 8, 2014

President Obama and his top national security advisers began receiving
periodic briefings on the huge cyberattack at JPMorgan Chase and other
financial institutions this summer, part of a new effort to keep security
officials as...
 

Posted by InfoSec News on Oct 09

http://www.theweek.co.uk/business/60787/atm-hack-lets-criminals-take-wads-of-cash

The Week
9 OCT 2014

A flaw in cash machine software is letting criminals withdraw money
without using a bank card.

Security firm Kaspersky Labs identified the problem, leading Interpol to
mount a widespread investigation across the USA, India, France, Israel,
Malaysia and China.

ATMs infected with malicious software can be instructed to give out 40
notes at...
 