In the new to me department. It looks like this one has been around for more thanthree years.

Today I was doing some banner grabbing looking for a Mirainodethat had gotten away from me, and came across the Telnet banner below. It appears this device is infected with a piece of malware called Reincarna/Linux.Wifatch. It purports to being a memory resident malware that defends the device from more malicious malware.

More information aboutreincarna/Linux.wifatch from Symantec. Symantecs write-up states that the malware provides a backdoor and connects back to a Command and Control server, so maybe not so benevolent after all.


# telnet X.X.X.X
Trying X.X.X.X
Connected to X.X.X.X.
Escape character is ^].

REINCARNA / Linux.Wifatch

Your device has been infected by REINCARNA / Linux.Wifatch.

We have no intent of damaging your device or harm your privacy in any way.

Telnet and other backdoors have been closed to avoid further infection of
this device. Please disable telnet, change root/admin passwords, and/or
update the firmware.

This software can be removed by rebooting your device, but unless you take
steps to secure it, it will be infected again by REINCARNA, or more harmful

This remote disinfection bot is free software. The source code
is currently available at

Team White


-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
DokuWiki CVE-2016-7964 SSRF Security Bypass Vulnerability
MuJS Multiple Security Vulnerabilities
OpenSSL CVE-2016-7053 NULL Pointer Dereference Denial of Service Vulnerability
Computer Associates Unified Infrastructure Management Directory Traversal Vulnerability

As Trump was giving his victory speech, a new wave of spear phishing attacks from Russian hackers was already on its way using his win as click-bait. (credit: Gage Skidmore)

Less than six hours after Donald Trump won the US presidential election, a new spear phishing campaign was launched by a Russia-based group. The group is apparently one of the two organizations connected to the breach at the Democratic National Committee, and it's responsible for nearly a decade of intelligence collection campaigns against military and diplomatic targets.

Security firm Volexity refers to the group as "the Dukes" based on the malware family being utilized. According to a report by Volexity founder Steven Adair, the group is known for a malware family known as "the Dukes"—also referred to as APT29 or "Cozy Bear." The Dukes' primary targets in this latest round of attacks appear to be non-governmental organizations (NGOs) and policy think tanks in the US.

According to Volexity's data, the threat group sent e-mails from purpose-built Gmail accounts and what may be a compromised e-mail account from Harvard University's Faculty of Arts and Science. The phishing e-mails dropped a new variant of backdoor malware dubbed "PowerDuke" by Volexity, and this malware gave attackers remote access to compromised systems. Volexity has been tracking a number of campaigns based on PowerDuke since August, when some "highly targeted" malicious e-mails were sent to individuals at a number of policy research organizations in the US and Europe. The e-mails were disguised as messages from the Center for a New American Security (CNAS), Transparency International, the Council on Foreign Relations, the International Institute for Strategic Studies (IISS), and Eurasia Group. Another wave of similar e-mails targeted universities in October.

Read 4 remaining paragraphs | Comments

OpenSSL CVE-2016-7055 Denial of Service Vulnerability
RealNetworks RealPlayer CVE-2016-9018 Null Pointer Dereference Denial of Service Vulnerability
Brocade NetIron OS CVE-2016-8203 Memory Corruption Vulnerability
F5 BIG-IP LTM Products CVE-2016-5745 Security Bypass Vulnerability
Bitcoin Knots CVE-2016-8889 Local Information Disclosure Vulnerability
Micro Focus Rumba CVE-2016-9176 Multiple Local Stack Buffer Overflow Vulnerabilities
libcsp Multiple Buffer Overflow Vulnerabilities
DokuWiki CVE-2016-7965 Host Address Spoofing Vulnerability
Apache Ranger CVE-2016-6815 Local Privilege Escalation Vulnerability
Foreman CVE-2016-7077 Local Information Disclosure Vulnerability
Python Pillow Multiple Security Vulnerabilities
OpenSSL CVE-2016-7054 Denial of Service Vulnerability
perl-Image-Info CVE-2016-9181 XML External Entity Injection Vulnerability
JasPer CVE-2016-9262 Integer Overflow Vulnerability
Redhat JBoss Enterprise Application Platform CVE-2016-7061 Information Disclosure Vulnerability
CVE-2016-6809 â?? Arbitrary Code Execution Vulnerability in Apache Tikaâ??s MATLAB Parser
Secunia Research: Oracle Outside In "GetTxObj()" Use-After-Free Vulnerability
Secunia Research: Oracle Outside In "VwStreamRead()" Buffer Overflow Vulnerability

Thanks to our reader Mikael for pointing out a new branded vulnerability with domain name, logo and catchy name: BlackNurse. (no jingle though). [1]

The problem pointed out by this announcement is that firewalls can spend significant resources on processing these relatively common ICMPerror messages. Type 3 error messages are used for various Unreachable messages. For example, Type 3 Code 3 is used for port unreachable. For a complete list, see the official IANA list [2] .

The announcement doesnt make any statements as to why these packets take up so much CPU time. In my opinion, this is likely due to the firewall attempting to perform stateful analysis of these packets. ICMP unreachable packets include as payload the first few bytes of the packet that caused the error. A firewall can use this payload to determine if the error is caused by a legit packet that left the network in the past. This analysis can take significant resources.

According to the description of the attack, firewalls will suffer performance issues if hit by a few 10s of MBits of ICMPtraffic, even for firewalls that are supposed to be able to dell with Gigabit networks. The fix is to block or rate limit the traffic.

It is not recommended to block all Type 3 ICMP messages. In particular Type 3 Code 4 (Fragmentation Needed and Dont Fragment was Set) messages are requied for path MTU discovery, which many modern operating systems use. Port unreachable messages (Type 3 Code 3), which were used in most of the tests performed by the group releasing this vulnerability, can usually be blocked but you may see some performance issue if for example a DNS resolver is attempting to connect to a non-existing DNS server, and then delays trying a secondary server because it never receives the port unreachable message.

So what should you do?

  • Dont panic. This is not a big deal. Test your firewall if you can, or check if is on the vulnerable list
  • You are vulnerable if you use a smaller Cisco ASA firewall. Newer/Larger multi-core versions appear to be fine. SonicWall and some Palo Alto firewalls appear to be vulnerable too.
  • iptables based firewalls are not affected
  • Monitor incoming ICMPunreachables. The advisory includes some snort rules to do so, but anything monitoring ICMP should work (netflow?) as no payload inspection is necessary
  • Cisco does not consider this a security issue. There is no CVE.


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
SparkJava Spark CVE-2016-9177 Directory Traversal Vulnerability
Linux Kernel 'crypto/lrw.c' Local Denial of Service Vulnerability
perl-XML-Twig CVE-2016-9180 XML External Entity Injection Vulnerability
IBM BigFix Platform CVE-2016-0296 Local Information Disclosure Vulnerability
Secunia Research: Microsoft Windows OTF Parsing Table Encoding Record Offset Vulnerability

(credit: Neon Tommy)

Yahoo admitted to the world—on a news day dominated by a guy called Trump—that some of its employees were aware that it had suffered a breach shortly after a "state-sponsored actor" hacked into the ailing Web firm's systems in 2014.

In a filing to the US Securities and Exchange Commission on Wednesday, Yahoo said that a panel of independent experts was looking at how much knowledge employees at the company had of the incident shortly after the massive breach had occurred.

Yahoo has previously stated that it only became aware of the hack attack following a "recent investigation." As Ars reported previously, Yahoo confirmed in September that at least half a billion of its user accounts had been breached.

Read 8 remaining paragraphs | Comments

Lynx CVE-2016-9179 URL Redirection Vulnerability
Linux Kernel CVE-2016-8632 Local Heap Overflow Vulnerability
Google Nexus Qualcomm Crypto Engine Driver CVE-2016-6738 Privilege Escalation Vulnerability
Google Nexus Mediaserver CVE-2016-6747 Denial of Service Vulnerability
Google Android Qualcomm Bus Driver CVE-2016-3904 Privilege Escalation Vulnerability
Google Pixel C NVIDIA GPU driver CVE-2016-6746 Information Disclosure Vulnerability

As a quickfollow-up to Didiers post, I wanted to quickly summarize some of the other tools (aside from tcpdump) that can be used to collect full packet captures. I limited myself to open source tools that are meant to run unattended (no GUI) on a remote system and use libpcap. By using libpcap, all these tools are able to use BPF to limit the collected data and they all produce pcap output.

To make it a bit easier to compare, I added an example command line for each tool that will listen on the eth0 interface androtate logs once an hour. I am also excluding ssh traffic to show how BPF syntax can be used to limit capture.

daemonlogger: This comes out of the snort project. One nice option is the -M option that will allow you to log packets and automatically delete old logs if the disk fills up. For example, -M 90 makes sure the disk usage never exceeds 90%. My favorite utility just for that option alone.A typical command line:

daemonlogger -d -n packetfiles  -g pcapgrp -u pcapuser -t 3600 -i eth0 not port 22

snort: Snort itself can be used to log packets to a directory. Snort automatically appends a time stamp to the log file, avoiding overwriting existing files. But snort doesnt have a rotate option, so you need to send a signal to snort ot reload.

snort -l /var/log -i eth0 -b -D not port 22

dumpcap: dumpcapcomes aspart of Wireshark. It can capture packets in monitor mode on wireless interfaces. It has a ringbuffer mode that keeps the last x files. So you have to make sure they dont exceed the available space (not as nice as -M in daemonlogger). It can log in pcapng format and if you do so, you can add a comment to the file. A timestamp is inserted into the filename.

dumpcap -i eth0 -a files:24 -a duration:3600 -P -w packets.pcap

pcapdump: Very simple/basic utility but has the unique feature to be able to sample packets (even randomly). It can also limit packet captures to link/network and transport layer header and strip off all application data (-H option)

pcapdump -i eth0 -w pcapfile.pcap -u pcapuser -g pcapgrp -r 3600 

netsniff-ng: one of the less well known tools, and one I havent played with yet. It claims to be optimized for performance by taking advantage of newer linux kernels. It does not use libpacp, so not strictly speaking in scope for this list.It also comes with a packet generator.

tshark: I just include it here for completeness. I dont consider it a capture utility. Wireshark provides dumpcap for that.

Any other options I forgot about? (open source, non-GUI, libpcap compatible...)

Links to tools:


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Linux Kernel CVE-2015-8963 Use After Free Remote Code Execution Vulnerability
Foreman CVE-2016-8634 HTML Injection Vulnerability
Linux Kernel 'tuners/tuner-xc2028.c' Local Use After Free Memory Corruption Vulnerability
Google Android Kernel ION Subsystem Multiple Remote Privilege Escalation Vulnerabilities
WININET CHttpHeaderParser::ParseStatusLine out-of-bounds read details
Blind SQL Injection Vulnerability in Exponent CMS 2.4.0
MSIE 9-11 MSHTML PROPERTYDESC::HandleStyleComponentProperty OOB read details
OpenStack Heat Template URL CVE-2016-9185 Information Disclosure Vulnerability
Google Android CVE-2016-6754 Remote Code Execution Vulnerability
Google Nexus Qualcomm Bootloader CVE-2016-6729 Privilege Escalation Vulnerability
Linux kernel 'usb/gadget/function/f_fs.c' Use After Free Local Denial of Service Vulnerability
Palo Alto Networks PAN-OS Cross Site Scripting Vulnerability
Palo Alto Networks PAN-OS Denial of Service Vulnerability
Palo Alto Networks PAN-OS Security Bypass Vulnerability
Google Chrome Multiple Security Vulnerabilities
Internet Storm Center Infocon Status