InfoSec News

Oracle Database 'CTXSYS.CONTEXT' Index Privilege Escalation Vulnerability
Linux Kernel UDF Filesystem Local Buffer Overflow Vulnerability
SpellTower from Zach Gage is an iOS word game whose simple design hides some pretty diabolical challenges. And though the app's controls can be a little too challenging in their own right--particularly if you're playing on an iPhone--it's still a great game for people who love word play.
With Oracle now in a self-imposed "quiet period" prior to its next quarterly earnings release, it's not likely the company will make any major announcements until its OpenWorld conference, which kicks off at the end of September.
Ever been sitting down to dinner with the family and get that phone call saying your computer has a virus and miraculously the person on the other end knows all about it and how to fix it immediately!? This week we cover https://isc.sans.edu/reportfakecall.html where you can send information about the call to help us better understand how common these calls are and what they might hope to achieve.
The form has been available for a few months and calls continue to be reported so please take a moment to look it over in case you ever receive one of these calls. Never do any of the things they ask on a production or personal computer!As soon as there is sufficient data to generate meaningful reports, we'll let ya know so you can see the common threads of these calls.
Previous coverage

Diary by Dr. Ullrich including user comments - http://isc.sans.org/diary/Fake+tech+reps+calling/12874
April 2, 2012 Daily Podcast talking about the calls - https://isc.sans.edu/podcastdetail.html?id=2437
May 1, 2012 Daily Podcast announcing the form - https://isc.sans.edu/podcastdetail.html?id=2503
May 2012 ISCThreat Update webcast


Here's how to get to the form on the ISC website

Hover your mouse over the Data/Reports drop-down menu and select Report Fake Calls
Click Report Fake Tech Support Calls from the https://isc.sans.edu/reports.html#collect section of the Reports page

The form is all optional information you choose to submit about the call. If we make an edit function later you will be able to append/amend your submission if you are logged into the ISC/DShield site when you fill out the form. We will not associate any reporting information with your id or email address. Please do not enter any personal information (like your phone number, or any data like credit card numbers the attacker tried to extract). If you suffered any damage from the attack, you may consider contacting law enforcement.
The form collects general information like caller's gender, non native accent to specific details like URL you might have been asked to visit and their phone number if callerID displayed it. Check out the entire form at https://isc.sans.edu/reportfakecall.html to get an idea of what to ask if you receive one of these cold calls of fill in and please submit if you have details to share.

Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form


Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
NASA programmers and engineers will begin upgrading the Mars Curiosity rover's software Saturday, increasing its ability to move and use its robotic arm.
Google released two new internally authored technologies this week that could help ease the burdens of Web developers. One is a tool for spotting memory leaks in JavaScript code, and the other is a library written in Dart for accessing popular Google APIs (application programming interfaces).
Just how much does Apple dominate competitors in the U.S. tablet market? Documents recently filed in the court battle between the company and Samsung provide sales numbers for the two companies, and offer a startling look at how strong Apple's sales are in its home market compared to its rival.
The U.S. Federal Trade Commission has approved a settlement with Facebook related to charges that the social networking leader deceived consumers regarding the privacy of their data.
Samsung announced it will help develop Sprint's small-cell infrastructure for use in Sprint's 4G LTE network and its 3G network improvements.
IBM has shown interest in acquiring the vital enterprise services business of struggling smartphone maker Research in Motion, according to a Bloomberg report on Friday.
Solaris 10 Patch 137097-01 Symlink Attack Local Privilege Escalation Vulnerability
Two security organizations have released online tools that let Windows users check for possible infections by Gauss, the newly-revealed cyber surveillance malware thought to have been government- built.
Microsoft plans to publish a total of nine security bulletins to close holes in its products; five of the bulletins are rated as critical. Adobe has also confirmed that it will release critical security updates for its Reader and Acrobat products

[PRE-SA-2012-05] Multiple heap-based buffer overflows in LibreOffice / OpenOffice
WordPress Plugin 'Quick Post Widget' 1.9.1 Multiple Cross-site scripting vulnerabilities
Microsoft will use 'Windows 8' or 'Modern' as replacements for the now-discarded 'Metro' label to describe apps and their environment in the upcoming operating system, according to reports yesterday and today.
Tablets are now nearly as popular as desktops and laptops for buying items on the Web, according to data from Web merchandising firm Monetate.
Blizzard Entertainment has confirmed that email addresses and other account information has been copied during unauthorised access to its Battle.net servers. Passwords have most likely not been compromised

Did you get a Better Business Bureau Complaint Today? I did, in fact, I got a couple of them. I thought I'd go through a play by play of how I assess these things (there will be a lot of updates as I go through this in semi-real-time.)
Oh, there will also be very little obfuscation, so be careful with that.
Here's the message itself:
RE: Case# 9060933: Alfonso Palmer
Dear Company:
As you are aware, the Better Business Bureau contacted you regarding the above-named complainant, seeking a response to this complaint. Your position is available online.
The following URL (website address) below will take you directly to this complaint and you will be able to view the response directly on our website:
The complainant has been notified of your response.
The BBB believes that your response adequately addresses the disputed issues and/or has exhibited a good faith effort to resolve the complaint. The complaint will close as Administratively Judged Resolved and our records will be updated.
If you fail to honor your agreement or if the consumer has information that disputes the accuracy of your firm's response, we will notify your office with substantiation to support the consumer's position and the case will be re-opened. Cases will not be re-opened without documentation or good cause.
The BBB appreciates this opportunity to serve you. Dispute Resolution Department.
Let's take a look at the headers:

Return-path: [email protected]
Envelope-to: [email protected]
Delivery-date: Fri, 10 Aug 2012 09:36:10 -0400
Received: from wsip-68-99-56-167.pn.at.cox.net ([]:47037)
by paradise.businessx.com with esmtp (Exim 4.77)
(envelope-from [email protected] Fri, 10 Aug 2012 09:36:07 -0400
Received: from apache by bbb-email.org with local (Exim 4.67)
(envelope-from [email protected])
id EG95SG-22TJQ4-AR
for [email protected] Fri, 10 Aug 2012 07:36:01 -0600
To: [email protected]
Subject: RE: Case# 9060933: Alfonso Palmer
X-PHP-Script: bbb-email.org/sendmail.php for
From: Better Business Bureau [email protected]
X-Sender: Better Business Bureau [email protected]
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0

So a simple spoof, from a likely bot-net in Cox.net, and my cheap spam-trap mailserver doesn't do any SPFor DKIM checking.
Take a look at the URL does the displayed match what's in the code? No, not at all.

pba href=http://ghanabook.com/SKpcrwai/index.htmlhttp://complainy.app.bbb.org/complaint/view/9060933/b/526398212f/a/b
Being lazy, I submit this URL to wepawet (http://wepawet.iseclab.org)
After waiting patiently it reports that the link is benign. ORLY, I think, perhaps it's just pharma-spam then.

Content Type



Comparing this to the other samples, the first URLdiffer, but the apartmentsinorlandonow.com is in common. Perhaps the attackers are smart,and only kick out one answer? Or maybe they know wepawet's IP addresses?
The next step is use my own honeyclient instead of a known, public one. Nothing fancy, just a laptop with ubuntu on it. A couple of wgets, first to the apartmentsinorlandonow.com URL (which has only a document link to the next URL,) and the second to I didn't even disguise the user-agent, it happily dumps more obfuscated javascript at me.
Never underestimate the value of google during analysis. A search for turns up a very helpful report: http://urlquery.net/report.php?id=122828 Looks like an active blackhole exploit kit, and someone was looking at this a little over an hour before I was. We're after that next stage, the link to update_flashplayer.exe.
Let's pull that down with another wget request. So now I've got about 150k of Win32 executable. My new favorite little tool for static analysis is exiftool. I was aware of EXIFdata in image formats, but unaware that many other file formats also have handy metadata. In this particular example, it may be interesting to note that the file's original timestamp is 2012:-8:10 05:42:09-04:00.
I calculate the md5sum from the .exe and see if it's up on virustotal yet. I'm 5 minutes behind the first submission time and a surprising 9 out of 42 vendors detect it already.
Now that we have an executable to play with we can start doing some dynamic analysis. Sticking with my theme of lazy, I send it off to Anubis (http://anubis.iseclab.org/) and ThreatExpert (http://www.threatexpert.com/) and compare the results. I like to send off to multiple solutions since one day Anubis works better than ThreatExpert and the next it's vice versa. Other days, nothing is working and that's when you have to break down and work harder at it. Today, I'm lucky and it runs in ThreatExpert which spits out the following network artifacts:

Looks like it checks-in via an HTTP POST to /forum/view/topic.php at There are further requests for more binaries:


Those are the same file, virustotal hasn't seen it yet, 14/42 hit ratio. This is about as far as using the public tools will get us. Now that I have the installers and droppers, the next step is to put it onto a real system and see what it does when I try to do some online banking...
That's going to run longer than my shift (a lot of pcap and memory capture to go through,) so while that's in the works I wanted to move in another direction. Looking at the infrastructure involved in this attack. First there's the systems doing the spamming. I don't have a lot of insight into that, because Cox isn't very forthcoming on details about the machine that sent the email. We can make an assumption that it's part of a botnet, but as for which one, or how it got compromised, there's just no details to go on.
Then there's the first landing pages. The examples that I have are down now so I messed up there. The next hop in the redirect chain are still up. Looking at my example and the others the Gregory provided below I see that most of them are wordpress sites. There are a lot of vulnerabilities to choose from for getting your code up on someone else's wordpress site. Then, we have the downloader site: That looks like it might be a full-blown exploit kit site on first glance. (Lots of people emailing [email protected] might help with that.) There's the check-in at that needs a little more examination. cikonungunlugu.com appears to be registered for the purpose of distributing malware, while ftp.lastraautosport.com is probably a compromised domain. (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
RT::Authen::ExternalAuth Extension Security Bypass Vulnerability
Ruby on Rails 'authenticate_or_request_with_http_digest' Method Denial Of Service Vulnerability
NSD NULL Pointer Dereference CVE-2012-2978 Remote Denial of Service Vulnerability
Another Solaris 10 Patch Cluster Symlink Attack
How well does Microsoft support (and follow) their mantra "keep your PC updated"?
SUSE has detailed the UEFI Secure Boot implementation it plans to ship in its commercial products and which it will propose for inclusion in openSUSE. The plan is to develop an extension to Fedora's shim bootloader

Tablets are now nearly as popular as desktops and laptops for buying items on the Web, according to data from Web merchandising firm Monetate.
Mailtraq Multiple HTML Injection Vulnerabilities
The number of new IT and business process outsourcing contracts worldwide dropped by 20 percent to 411 in the second quarter from 516 in the same quarter a year ago, with average contract values also sliding, a research firm said.
Samsung shared more details about its next-generation Exynos 5 Dual dual-core mobile processor, saying it will be twice as fast as comparable Exynos chips used in the company's smartphones and tablets.
Local authorities in China said they found no underage workers at a Samsung Electronics manufacturing supplier that a labor watchdog group claims has been employing students under the age of 16.
A former programmer for Goldman Sachs has been charged again with pilfering sensitive source code despite his successful appeal in April of his federal court trial outcome.
Yahoo's new CEO Marissa Mayer is reviewing the company's business strategy, which could lead it to change its plans to return to shareholders after-tax cash proceeds from a deal with Alibaba Group, the company said in a regulatory filing.
Until recently, a banking trojan that shares code elements with the government-funded Flame trojan was active in the Middle East. "Gauss" targeted data such as a user's banking access credentials


Posted by InfoSec News on Aug 10


Israel Hayom
August 9, 2012

"Remember Emad" hacker group claims it has taken control of an Israeli
server - The group published lists of passwords for Facebook pages,
credit card numbers and email addresses belonging to Israelis.

A hacker group, apparently from an Arab country or countries, claimed on
Wednesday that it had breached the Israeli WebGate company's...

Posted by InfoSec News on Aug 10

Cyber Defence Forum 2012
23rd-25th October, Prague

As part of Defence IQ’s Cyber Defence conference series, the new Cyber
Defence Forum is being launched to provide an enhanced opportunity for
interactive debate and discussion on key cyber issues. The event will
run as a series of panel discussions and round tables, ensuring you get
the answers to your questions and have face to face time with experts
and key...

Posted by InfoSec News on Aug 10


By Dan Goodin
Ars Technica
Aug 9, 2012

Researchers have uncovered yet another state-sponsored computer
espionage operation that uses state-of-the-art software to extract a
wealth of sensitive data from thousands of machines located mostly in
the Middle East.

"Gauss," as Kaspersky Lab researchers have dubbed the malware, was
devised by the same...

Posted by InfoSec News on Aug 10


By Gregg Keizer
August 9, 2012

Microsoft today said it will patch at least 14 vulnerabilities next
week, including four in Internet Explorer (IE), making it three months
in a row that the company has plugged holes in its browser.

Of the nine updates set for Aug. 14, five will be labeled "critical,"
the most serious of the...

Posted by InfoSec News on Aug 10


By Steven Musil
August 9, 2012

Game maker Blizzard Entertainment's internal network security has been
breached, the company informed customers today.

While the company behind World of Warcraft and Diablo believes no
sensitive financial information was compromised, it said e-mail
addresses for non-China Battle.net players...
Security researchers have discovered servers around the world that respond to connection requests with a phrase that has previously been noticed in an analysis of spyware

Internet Storm Center Infocon Status