In the battle to keep your personal information private, it's not just hackers you have to worry about but lax security and stupidity.

Security analysts have detected a new strain of malware based heavily on Gameover ZeuS, which infected users' computers and joined them to a massive botnet. That botnet, in turn, was designed specifically to steal banking passwords on Windows machines.

The revival comes just six weeks after American authorities announced a global takedown of the botnet earlier this year. Prosecutors say Gameover ZeuS’ masterminds have stolen more than $100 million as a result.

In a sneaky move similar to its predecessor, the new strain uses a “Domain Generation Algorithm” (DGA), where the infected computer attempts to contact a list of gibberish domain names. In this case, the analysts at the security firm Malcovery determined that it was able to successfully connect to the domain cfs50p1je5ljdfs3p7n17odtuw.biz.


xClassified 'ads.php' SQL Injection Vulnerability
Microsoft's CEO Satya Nadella distributed his Thursday memo beyond the halls of his company to signal to everyone that big changes, likely including staffing cuts, are coming.
Toshiba is not the only company selling a 4K laptop anymore; Lenovo has finally shipped its first 4K laptop, sporting a 5.6-inch screen, after months of delays.
Microsoft plans to enhance its Azure cloud backup and recovery by integrating technology from InMage, a business continuity vendor it just acquired.
Oracle is planning to release 115 security patches for vulnerabilities affecting a wide array of its products, including its flagship database, Java SE, Fusion Middleware and business applications.
The U.S. Federal Communications Commission has voted to spend $2 billion over the next two years on improving Wi-Fi networks at schools and libraries, despite questions from Republican commissioners about the source of those funds.
WordPress Meta Slider Plugin 'admin.php' Cross Site Scripting Vulnerability
WordPress BannerMan Plugin 'bannerman_background' Parameter Cross Site Scripting Vulnerability
FoeCMS Multiple Input Validation Vulnerabilities
The government's military research agency, DARPA, says it has demonstrated a bullet capable of locking onto a moving target from up to a mile away.
Robotic spheres aboard the International Space Station will soon be quite a bit smarter, gaining the ability to fly safely and adroitly around the orbiter.
The solar power industry is expanding quickly, but not when it comes to funding for technology advances.
In a 3,100 word email to Microsoft's 130,000 employees, CEO Satya Nadella said the firm's two-year-old "devices and services" strategy is dead. So what should Microsoft's new focus be?
Corporate employees are taking a surprisingly lax approach towards security issues raised by the business use of personally owned mobile devices.
Samsung depends on Google's Android OS, but needs to find a way to differentiate itself from rivals who also use Android if it's to grow and thrive.
Libav LZO 'av_lzo1x_decode' Function Memory Corruption Vulnerability
LZ4 'lz4.c' Memory Corruption Vulnerability
Cybercriminals are trying to create a new botnet based on what is likely a modification of Gameover Zeus, a sophisticated Trojan program whose command-and-control infrastructure was taken over by law enforcement agencies at the beginning of June.

Update your metasploit instances to take advantage of the new "Reverse HTTP Hop Stager" for meterpreter payloads.  Because any day you can pivot is a good day, and if you can pivot through native web services, that's an awesome day!  Hop adds the ability to use any basic PHP host as a hop point for meterpreter by adding a new reverse_hop_http payload.

Details here ==> https://community.rapid7.com/community/metasploit/blog/2014/07/10/weekly-metasploit-update
Video here ==> http://youtu.be/FktILE206z0

Rob VandenBrink

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
China's state-run TV is telling iPhone owners that the device is a threat to national security because it tracks their movements.
Google's huge entry into robotics leaves little doubt that we'll shortly be up to our armpits in robot alternatives to people. Robots will enter all aspects of our business and personal lives. Machines, vehicles, drones, cameras, sensors, you name it.
X.Org xf86-video-intel Video Driver 'tools/backlight_helper.c' Unspecified Security Vulnerability
PNP4Nagios 'kohana_error_page.php' Cross Site Scripting Vulnerability
PNP4Nagios Multiple Cross Site Scripting Vulnerabilities

One of the major tools we have in our arsenal to control malware is outbound filtering at firewalls and other network "choke points".
Over the years it has become obvious that "enumerating badness" on the internet is next to impossible; it's generally much easier to enumerate "known good" traffic and simply deny the rest as bad, or at least suspect. Often the management response is "we trust our people", but that's not really the point. Maybe you can trust all of your people, but you can't trust the malware they may have, or all the links they might click. And let's be honest, it's likely that you can't trust all of your people to never install a BitTorrent client or other higher-risk program.

So, as they say in the circus - "This Way to the Egress!"

An egress filter is generally put on your firewall, allowing known good traffic and denying everything else outbound (and logging those attempts - you are monitoring your logs, right?). So, how do you go about setting up an egress filter? You can't just list 10 protocols that you know are good and deny the rest - that's a good way to find out which OTHER protocols your business requires, by breaking those business processes. In other words, that's the hard way to do this.

We'll use the approach in the previous story to figure out what exactly we're running through the firewall, so we can then make go/no-go decisions about each one.

We can take a big chunk out of this by:
allowing DNS only from the DNS servers
allowing mail only from the permitted mail servers
allowing browser web traffic (either just from a proxy, or from all permitted workstations, depending on the organization)

So we can list the TCP ports in play with (note the -x on the grep exclusions: a plain "grep -v 80" would also throw away 8080 and anything else containing "80"):
D:\syslog\archive\2014-07-03>type SyslogCatchAll.txt | grep outbound | grep TCP | sed s/\t/" "/g | cut -d " " -f 12 | cut -d "/" -f 2 | grep -vx 80 | grep -vx 443 | grep -vx 25 | sort | uniq -c | sort /R

This gives us the following output: the remaining destination ports with their connection counts, in descending order.

    118 22
     81 1935
     80 8080
     79 993
     68 445
     66 843
     39 5228
     34 53
     28 5223
      4 52223
      3 135
      2 52165
      1 52222
      1 40009

Hmm - that gives us something to work with.  We can use the techniques covered in yesterday's story (https://isc.sans.edu/forums/diary/Finding+the+Clowns+on+the+Syslog+Carousel/18373) to dig deeper into these.
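The same mining step in Python, as an added example rather than the diary's own pipeline: it parses constructed ASA-style "Built outbound connection" lines (not real logs), counts destination ports with the known-good ports excluded by exact match rather than substring, and then does the "dig deeper" step of listing who talks to whom on a given port and which sources are talking to ephemeral destination ports (the high-port-to-high-port giveaway discussed later). The log format, addresses and ports are assumptions made up for the example.

```python
"""Mine firewall syslog for outbound destination ports (added example, not ISC's pipeline)."""
import re
from collections import Counter

# Constructed ASA-style "Built outbound connection" lines; addresses are documentation ranges.
SAMPLE_LOG = """\
Jul 03 2014 09:00:01 fw01 %ASA-6-302013: Built outbound TCP connection 1 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.1.20/51000 (192.168.1.20/51000)
Jul 03 2014 09:00:02 fw01 %ASA-6-302013: Built outbound TCP connection 2 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.1.21/51001 (192.168.1.21/51001)
Jul 03 2014 09:00:03 fw01 %ASA-6-302013: Built outbound TCP connection 3 for outside:203.0.113.6/80 (203.0.113.6/80) to inside:192.168.1.22/51002 (192.168.1.22/51002)
Jul 03 2014 09:00:04 fw01 %ASA-6-302013: Built outbound TCP connection 4 for outside:198.51.100.9/8080 (198.51.100.9/8080) to inside:192.168.1.30/51003 (192.168.1.30/51003)
Jul 03 2014 09:00:05 fw01 %ASA-6-302013: Built outbound TCP connection 5 for outside:198.51.100.9/8080 (198.51.100.9/8080) to inside:192.168.1.30/51004 (192.168.1.30/51004)
Jul 03 2014 09:00:06 fw01 %ASA-6-302013: Built outbound TCP connection 6 for outside:203.0.113.77/22 (203.0.113.77/22) to inside:192.168.1.40/51005 (192.168.1.40/51005)
Jul 03 2014 09:00:07 fw01 %ASA-6-302013: Built outbound TCP connection 7 for outside:203.0.113.77/22 (203.0.113.77/22) to inside:192.168.1.40/51006 (192.168.1.40/51006)
Jul 03 2014 09:00:08 fw01 %ASA-6-302013: Built outbound TCP connection 8 for outside:203.0.113.78/22 (203.0.113.78/22) to inside:192.168.1.50/51007 (192.168.1.50/51007)
Jul 03 2014 09:00:09 fw01 %ASA-6-302015: Built outbound UDP connection 9 for outside:198.51.100.53/53 (198.51.100.53/53) to inside:192.168.1.10/51008 (192.168.1.10/51008)
Jul 03 2014 09:00:10 fw01 %ASA-6-302013: Built outbound TCP connection 10 for outside:198.51.100.200/52165 (198.51.100.200/52165) to inside:192.168.5.10/51413 (192.168.5.10/51413)
"""

# For an outbound connection the "for" side is the destination and the "to" side is the source.
CONN_RE = re.compile(
    r"Built outbound (?P<proto>TCP|UDP) connection \d+ "
    r"for \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \([^)]*\) "
    r"to \w+:(?P<src>[\d.]+)/(?P<sport>\d+)"
)

KNOWN_GOOD = {80, 443, 25}   # the ports the diary strips out before looking at the rest


def parse_connections(text):
    """Return one dict per outbound connection line; lines that don't match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            d["sport"] = int(d["sport"])
            conns.append(d)
    return conns


def count_ports(conns, proto="TCP", exclude=KNOWN_GOOD):
    """Destination ports by connection count, descending (the uniq -c | sort /R step).
    Known-good ports are excluded by exact match, so 8080 survives when 80 is dropped."""
    counts = Counter(c["dport"] for c in conns
                     if c["proto"] == proto and c["dport"] not in exclude)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def flows_for_port(conns, port, proto="TCP"):
    """Who talks to whom on one port: the 'dig deeper' step for each leftover line."""
    return sorted({(c["src"], c["dst"]) for c in conns
                   if c["proto"] == proto and c["dport"] == port})


def ephemeral_destinations(conns, proto="TCP", threshold=49152):
    """Sources connecting to ports in the dynamic range: odd high port to odd high port."""
    return sorted({c["src"] for c in conns
                   if c["proto"] == proto and c["dport"] >= threshold})


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    for port, count in count_ports(conns):
        print(f"{count:>7} {port}")
    print("tcp/22 flows:", flows_for_port(conns, 22))
    print("talking to ephemeral ports:", ephemeral_destinations(conns))
```

Feed it your own export instead of SAMPLE_LOG and adjust CONN_RE to your firewall's message format; the rest of the workflow (count, then pull the flows for each leftover port) is the same regardless of vendor.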

It turns out that the 135 and 445 traffic was drive maps through an inbound VPN session - no problem there.
The tcp/22 was SFTP outbound - two business processes involving a transfer of financial information.
For one, we allowed the outbound traffic from the designated transfer host; for the other, we allowed the outbound traffic to the designated destination. Then we denied tcp/22 from everything else.
The "8080" traffic was an application (not a browser) using an outside proxy server. This could as easily have been malware using a proxy, or someone using an "anonymizer" proxy or a "make it look like I'm in the US" proxy (we get some of that in Canada).

.. and so on.

Of course, you'll have to do the same for UDP, and for the IP protocols that are neither TCP nor UDP.

So you'll have a list (in pseudo english / cisco speak) like:

ip access-list extended ACL_INSIDE_OUTBOUND
permit dns from known dns servers, to the permitted dns forwarders only (we turned root hints off at the servers)
deny dns from anything else, and log the attempt
permit mail from the mail servers
deny mail from anything else, and log the attempt
permit http
permit https
permit tcp/22 from the one transfer client to anything
permit tcp/22 from anyone else to the second transfer server
deny tcp/22 from anything to anything else, and log the attempt
deny ip protocol 41 and log the attempt  (remember from yesterday that this is IPv6 Teredo tunneling)
 and so on
permit ip any any log

The last line is the critical one. With that entry, you can use the log mining techniques we've been discussing to pull out just the entries that trigger that last line - the "permit ip any any log" line. As you whittle down the protocol list, you'll find that list gets shorter each day. At some point, you'll change that last line to a "deny any any log" at the bottom of the list. Be sure that you've gone through a month end, and maybe even a year end, before you make that change (the year end might be stretching it, unless your accounting year happens to line up with this project).
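The pseudo-ACL above and the role of its last line, as an added example that is not ISC's or Cisco's code: it models the ACL as an ordered list with Cisco-style first-match evaluation and an unlogged implicit deny at the end, reports which sample flows fall through to the trailing "permit ip any any log" (that is exactly the set you mine each day), and shows the final step of flipping that line to a deny. The hosts, networks and flows are hypothetical values made up for the example.

```python
"""First-match evaluation of an egress ACL with a logged catch-all (added example)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", an IP protocol number as a string, or "ip" for any
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # destination port; None means any port
    log: bool = False            # whether a hit on this line is logged
    note: str = ""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


ANY = "0.0.0.0/0"

# Hypothetical addresses for the example (documentation / private ranges).
DNS_SERVER, DNS_FORWARDER = "192.168.1.10", "198.51.100.53"
MAIL_SERVER = "192.168.1.25"
TRANSFER_CLIENT, TRANSFER_SERVER = "192.168.1.40", "203.0.113.78"
WORKSTATIONS = "192.168.1.0/24"

# The diary's pseudo-ACL, line for line.
ACL_INSIDE_OUTBOUND = [
    Rule("permit", "udp", DNS_SERVER + "/32", DNS_FORWARDER + "/32", 53, note="DNS: server to forwarder only"),
    Rule("deny", "udp", ANY, ANY, 53, log=True, note="DNS from anything else"),
    Rule("permit", "tcp", MAIL_SERVER + "/32", ANY, 25, note="mail from the mail server"),
    Rule("deny", "tcp", ANY, ANY, 25, log=True, note="mail from anything else"),
    Rule("permit", "tcp", WORKSTATIONS, ANY, 80, note="http"),
    Rule("permit", "tcp", WORKSTATIONS, ANY, 443, note="https"),
    Rule("permit", "tcp", TRANSFER_CLIENT + "/32", ANY, 22, note="transfer client to anywhere"),
    Rule("permit", "tcp", ANY, TRANSFER_SERVER + "/32", 22, note="anyone to the second transfer server"),
    Rule("deny", "tcp", ANY, ANY, 22, log=True, note="all other tcp/22"),
    Rule("deny", "41", ANY, ANY, log=True, note="IP protocol 41 (IPv6 tunnelled over IPv4)"),
    Rule("permit", "ip", ANY, ANY, log=True, note="catch-all while tuning: mine everything that lands here"),
]

IMPLICIT_DENY = Rule("deny", "ip", ANY, ANY, note="implicit deny at the end of the ACL (not logged)")


def matches(rule, flow):
    """One line matches when protocol, destination port (if given) and both addresses match."""
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst))


def evaluate(acl, flow):
    """Return (line number, rule) of the first match; the ACL stops at the first hit."""
    for number, rule in enumerate(acl, start=1):
        if matches(rule, flow):
            return number, rule
    return len(acl) + 1, IMPLICIT_DENY


def catch_all_hits(acl, flows):
    """Flows that fall through to the last line: the list to work through each day."""
    last = len(acl)
    return [f for f in flows if evaluate(acl, f)[0] == last]


def tighten(acl):
    """Flip the trailing permit-and-log into deny-and-log once the catch-all list has gone quiet."""
    return acl[:-1] + [replace(acl[-1], action="deny", note="final deny: enforcement mode")]


# Constructed sample flows (protocol, source, destination, destination port).
SAMPLE_FLOWS = [
    Flow("udp", DNS_SERVER, DNS_FORWARDER, 53),            # line 1, permitted quietly
    Flow("udp", "192.168.1.77", "198.51.100.99", 53),      # line 2, workstation doing its own DNS
    Flow("tcp", TRANSFER_CLIENT, "203.0.113.9", 22),       # line 7
    Flow("tcp", "192.168.1.77", "203.0.113.9", 22),        # line 9, denied and logged
    Flow("tcp", "192.168.1.30", "198.51.100.9", 8080),     # catch-all: the outside proxy
    Flow("41", "192.168.1.77", "203.0.113.41"),            # line 10
    Flow("tcp", "192.168.5.10", "198.51.100.200", 52165),  # catch-all: high port to high port
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        number, rule = evaluate(ACL_INSIDE_OUTBOUND, flow)
        print(f"line {number:>2} {rule.action:<6}{' log' if rule.log else '    '}  {flow}  ({rule.note})")
    print("to investigate:", catch_all_hits(ACL_INSIDE_OUTBOUND, SAMPLE_FLOWS))
```

Because evaluation is first-match, line order matters as much as content: a broad permit placed above a narrow deny silently shadows it, so when you add a new permit for a business process you have found in the catch-all logs, put it above the matching deny, not at the bottom.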

In answer to "we trust our people" - those high port numbers in our initial list turned out to be BitTorrent traffic; the giveaway was that it was from odd high ports to other odd high ports. After digging through the logs a bit more, we identified the IP address that was running the protocol, and thought we'd be dealing with one of those uncomfortable "people problems". Even better though, the source of this traffic turned out to be in the server IP range. After some digging, it turned out to be a QNAP NAS that was used to store laptop images. After cracking the manual, we found this box shared everything out via BitTorrent by default. At that point we were both saying - really? This whole "collaboration / sharing" thing can go too far, and this was in fact too far! Whose idea was it to make these NAS devices "share all my data with the world" devices?

So maybe you can trust your people, but you can't trust them to read the manual! And you can't trust them to always think about security before they plug new gear in.

Egress filters aren't 100% effective, but they are a critical part of your "defense in depth" strategy. For instance, lots of malware (and BitTorrent clients and other apps too) will "hunt" until they find an open outbound port, so you'll often see them using ports like tcp/80, tcp/443 or udp/53. But with a proper egress filter, you'll quite often catch even this "port hunting" behaviour in the logs. If you are able to stand up a proxy server, it's often possible to deny almost all direct communication from the workstations, but really, that's just moving the same problem to the proxy server.

In newer architectures (those NGFWs we're all talking about), you'll find much more effective controls, but the concepts of filtering outbound traffic, and how to implement it, remain very much the same. For instance, at home I've got a time-based ACL that allows my kid to play Minecraft only in certain time windows (what can I say, it was fun to code that up).

If you are doing egress filtering, what have you found in the process of putting them in?  What's the coolest thing you've caught after you've had it in place?   Let us know in our comment form.

If you're not doing egress filtering, why not?

Rob VandenBrink

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The words chosen by Microsoft CEO Satya Nadella for the long mission statement he issued Thursday show the firm's two-year-old "devices and services" strategy is dead.
Google is going to tour Europe with a band of external advisers this fall to discuss a landmark ruling by Europe''on excluded from search engine listings in Europe.
Cisco Unified Communications Manager CVE-2014-3318 Directory Traversal Vulnerability
Cisco Unified Communications Manager CVE-2014-3317 Directory Traversal Vulnerability
Cisco Unified Communications Manager CVE-2014-3316 Arbitrary File Upload Vulnerability
Cisco Unified Communications Manager Dialed Number Analyzer Cross Site Scripting Vulnerability

A Third of Infosec Professionals Don't Bother with Encryption
Infosecurity Magazine
Discussions surrounding data residency, lawful intercept and protecting data from advanced threats have been top of mind for many years, and recent stories shine a spotlight on the risks to data, including theft and extortion. Yet, so many IT security ...

Apple users accessing Gmail on mobile devices could be at risk of having their data intercepted, a mobile security company said Thursday.
Amazon.com has asked the U.S. Federal Aviation Administration permission to test drones outdoors for use in its Prime Air package delivery service.
Samsung Electronics has updated and rebranded its app store, in an apparent bid to cut into Google's revenue from its Play store for apps running on Android devices.
MonkeyParking, an app that lets people bid on public parking spaces, said Thursday it will suspend its service in San Francisco to avoid a potential lawsuit from the city attorney.
IBM plans to spend $3 billion to develop new computer chips and chip architectures. So what's this non-silicon future look like?
AMC's new TV series harks back to the early days of PCs -- but drama, not desktops, takes center stage.
The source code for an impressively small but capable malware program that targets online bank accounts has been leaked, according to CSIS Security Group of Denmark.
A dozen mega corporations are demanding that the U.S. government and the energy industry boost renewable energy supplies and make them easier to buy.
Indian outsourcer Infosys said its revenue and profit grew in the second quarter as the company won some large deals in the period.