(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Botnets continually send out malicious spam (malspam). As mentioned in previous diaries, we see botnet-based malspam delivering Dridex and Dyre malware almost every day [1, 2]. Recently, someone sent us a malicious Word document from what appeared to be Dridex malspam on Tuesday 2015-06-16. (Thanks, Wayne... You know who you are!) Unfortunately, while investigating the malware, I could not generate the full range of infection traffic. Otherwise, the traffic follows the same general patterns we've previously seen with Dridex.

Examples of the malspam

Dridex has been using Microsoft Word documents and Excel spreadsheets designed to infect a computer if macros are enabled, which matches the infection vector used by this malspam. Shown below are two examples of the malspam from Tuesday 2015-06-16. Both examples claim the recipient has made an error in tax forms. This wave of malspam used a Word document for the malicious attachment. As seen before with botnet-based malspam, the emails have different senders, subject lines, attachment names, and message text. Due to these

Examples of the Word documents

The image below shows an example of a Word document sent on 2015-06-16. File names consist of random characters. Random characters are also seen in the Authors and Last saved by

Macros are not enabled in the default installation for Microsoft Office.

Traffic seems typical of the Dridex activity we've seen over the past couple of months. Last month, the follow-up executable was retrieved from a pastebin.com URL over HTTP.

The attempted TCP connections shown below would normally result in SSL traffic, but the servers did not respond. That's probably an issue for this particular sample, or possibly with my environment's connection to the Internet.

  • port 80 - dolphin2000.ir - GET /tmp/89172387.txt
  • port 80 - dolphin2000.ir - GET /tmp/lns.txt
  • - Echo (ping) request
  • www.dropbox.com - GET /s/2djqlpaqdudzlrx/iol.exe?dl=1 (https)
  • port 80 - savepic.su - GET /7230030.png
  • port 80 - savepic.su - GET /images/notfound.png
  • port 2443 - attempted TCP connection
  • port 7443 - attempted TCP connection
  • port 8443 - attempted TCP connection
  • port 2443 - attempted TCP connection
  • port 7443 - attempted TCP connection
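
The following is an added example (not part of the original diary) that turns the traffic list above into a small indicator matcher. The URLs and ports are the ones listed; the proxy-log and flow-log line formats, the IP addresses and the extra "other.txt" / "report.pdf" requests are constructed for the example. The design point a practitioner should take from the list: www.dropbox.com and savepic.su are shared services (savepic.su has shown up in unrelated malspam), so they are matched on the full URL only, while dolphin2000.ir is matched on the host name.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the traffic list in the diary.  Shared services are only
# matched on the full URL; the dedicated host is matched on the name alone.
URL_IOCS = {
    "http://dolphin2000.ir/tmp/89172387.txt",
    "http://dolphin2000.ir/tmp/lns.txt",
    "https://www.dropbox.com/s/2djqlpaqdudzlrx/iol.exe?dl=1",
    "http://savepic.su/7230030.png",
    "http://savepic.su/images/notfound.png",
}
HOST_IOCS = {"dolphin2000.ir"}
# Non-standard ports the sample tried to reach for SSL (no server answered).
PORT_IOCS = {2443, 7443, 8443}

# Constructed line formats for this example (not any real product's log format):
#   proxy:  <timestamp> <src_ip> <method> <url>
#   flow:   <timestamp> <src_ip> <dst_ip> <dst_port> <proto>
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
FLOW_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<proto>\S+)$")


def match_proxy_log(lines):
    """Return (src_ip, url, reason) for every request that matches an indicator."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue
        url = m.group("url")
        host = (urlsplit(url).hostname or "").lower()
        if url in URL_IOCS:
            hits.append((m.group("src"), url, "url"))
        elif host in HOST_IOCS:
            hits.append((m.group("src"), url, "host"))
    return hits


def match_flow_log(lines):
    """Return (src_ip, dst_ip, port) for TCP attempts to the listed odd ports."""
    hits = []
    for line in lines:
        m = FLOW_LINE.match(line)
        if m and m.group("proto") == "tcp" and int(m.group("port")) in PORT_IOCS:
            hits.append((m.group("src"), m.group("dst"), int(m.group("port"))))
    return hits


# Constructed sample logs (documentation/private addresses).  "other.txt" shows a
# host-only hit; "report.pdf" is a benign Dropbox download that must not match.
PROXY_LOG = [
    "2015-06-16T14:02:11Z 10.0.0.25 GET http://dolphin2000.ir/tmp/89172387.txt",
    "2015-06-16T14:02:13Z 10.0.0.25 GET http://dolphin2000.ir/tmp/other.txt",
    "2015-06-16T14:02:20Z 10.0.0.25 GET https://www.dropbox.com/s/2djqlpaqdudzlrx/iol.exe?dl=1",
    "2015-06-16T14:03:00Z 10.0.0.31 GET https://www.dropbox.com/s/abc123/report.pdf",
    "2015-06-16T14:03:05Z 10.0.0.25 GET http://savepic.su/images/notfound.png",
    "2015-06-16T14:03:09Z 10.0.0.40 GET http://www.example.com/",
]
FLOW_LOG = [
    "2015-06-16T14:04:00Z 10.0.0.25 198.51.100.7 2443 tcp",
    "2015-06-16T14:04:01Z 10.0.0.25 198.51.100.7 443 tcp",
    "2015-06-16T14:04:02Z 10.0.0.25 198.51.100.9 8443 udp",
    "2015-06-16T14:04:03Z 10.0.0.25 198.51.100.9 7443 tcp",
]

if __name__ == "__main__":
    for hit in match_proxy_log(PROXY_LOG):
        print("HTTP", hit)
    for hit in match_flow_log(FLOW_LOG):
        print("FLOW", hit)
```

Run over the constructed logs, only host 10.0.0.25 is flagged: four HTTP requests (one of them on the host name alone) and the two TCP attempts to 2443 and 7443; the benign Dropbox download and the UDP flow to 8443 are ignored. As the diary notes, this kind of list goes stale quickly, so treat it as a starting point for a hunt rather than a standing rule.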

Reviewing the traffic in Security Onion using the Emerging Threats and ET PRO signature sets shows a few Snort events, as shown in the image below. There's nothing Dridex-specific in the events, and I've seen savepic.su used before with malspam using Chanitor to send Vawtrak [3, 4]. At first, I wasn't certain this was Dridex, but the VirusTotal


The following artifacts were retrieved from the infected Windows host:

  • C:\Users\username\AppData\Local\Temp\21807.bat
  • C:\Users\username\AppData\Local\Temp\21807.ps1
  • C:\Users\username\AppData\Local\Temp\21807.vbs
  • C:\Users\username\AppData\Local\Temp\8.exe
  • C:\Users\username\AppData\Local\Temp\444.jpg

The file 8.exe is an executable that deletes itself shortly after it is executed.

Final words

Botnet-based malspam is something we see almost every day. A quick Google search on Dridex returns several articles with good insight into this malware. However, traffic from Dridex and other botnets continually evolves. What's current one week could be out-of-date the next.

If you run across any interesting malspam, feel free to use our contact form and send us a copy; we're always interested in the samples.

Traffic and the associated malware for this diary can be found at:

The zip file is protected with the standard password. If you don't know it, email [email protected] and ask.

Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic


[1] https://isc.sans.edu/diary/Recent+Dridex+activity/19687
[2] https://isc.sans.edu/diary/UpatreDyre+the+daily+grind+of+botnetbased+malspam/19657
[3] http://malware-traffic-analysis.net/2015/03/24/index2.html
[4] http://www.rackspace.com/blog/malicious-email-campaign-spreads-vawtrak-malware/


As many as 600 million Samsung phones may be vulnerable to attacks that allow hackers to surreptitiously monitor the camera and microphone, read incoming and outgoing text messages, and install malicious apps, a security researcher said.

The vulnerability is in the update mechanism for a Samsung-customized version of SwiftKey, available on the Samsung Galaxy S6, S5, and several other Galaxy models. When downloading updates, the Samsung devices don't encrypt the executable file, making it possible for attackers in a position to modify upstream traffic, such as those on the same Wi-Fi network, to replace the legitimate file with a malicious payload. The exploit was demonstrated Tuesday at the Black Hat security conference in London by Ryan Welton, a researcher with security firm NowSecure. A video of his exploit is here.


Phones that come pre-installed with the Samsung IME keyboard, as Samsung markets its customized version of SwiftKey, periodically query an authorized server to see if updates are available for the keyboard app or any language packs that accompany it. Attackers in a man-in-the-middle position can impersonate the server and send a response that includes a malicious payload that's injected into a language pack update. Because Samsung phones grant extraordinarily elevated privileges to the updates, the malicious payload is able to bypass protections built into Google's Android operating system that normally limit the access third-party apps have over the device.



Google's "Vulnerability Reward Program" has been incentivizing people to report security bugs to the tech giant for its Web services, apps, extensions, Chrome, and Chrome OS for some time now. Today the company announced that it's extending the cash-for-bugs program to its biggest operating system: Android.

The program doesn't cover any Android device, just new devices that Google is 100% responsible for: current, for sale, Nexus devices. For now, that means the Nexus 6 and Nexus 9. Google says that this "makes Nexus the first major line of mobile devices to offer an ongoing vulnerability rewards program."

Google will pay researchers not only for bug disclosures—it offers additional rewards tiers for test cases submitted with the bug, CTS tests that catch the bug, and AOSP patches that fix the bug. "CTS" is Android's "Compatibility Test Suite," the continually updated battery of tests all devices must pass in order to gain access to the Google Play Store. CTS tests ensure that a device and its software are Android-compatible and free of known vulnerabilities, ensure platform API correctness, and follow Google's mandatory (and minimal) UI practices for readability and consistency.



During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency's computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, "It is not feasible to implement on networks that are too old." She added that the agency is now working to encrypt data within its networks.

But even if the systems had been encrypted, it likely wouldn't have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would "not have helped in this case" because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, "You failed utterly and totally." He referred to OPM's own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM's own IT department. "They were in your office, which is a horrible example to be setting," Chaffetz told Seymour. In total, 65 percent of OPM's data was stored on those uncertified systems.



Citizen Lab recently reported on a CVE-2014-4114 campaign against pro-democracy and pro-Tibetan groups in Hong Kong. That the attacks happened should not surprise anyone, nor that they were sophisticated. The vulnerability itself was patched with MS14-060 and has been used by APT and crime groups for some time. Trend Micro wrote a good write-up of the issue here.

What is interesting is what is, in effect, an anti-virus bypass employed by the actors. This bypass was discussed in this report (disclaimer: from my day job). In short, when the CVE-2014-4114 exploit code was put into a .ppsx file generated by the exploit kit, it triggered AV. When the same file was saved as a .pps file, those same AV engines stopped detecting it. The .ppsx format (PowerPoint slideshow, XML-based) is the more modern format; .pps is the Office 97-2003 binary format built on OLE. Even though the AV engines stopped detecting the malicious document, the exploit code ran without issue.

The first takeaway is, obviously, to patch your systems; it is surprising how many targeted political organizations seem vulnerable to exploits for which patches have been out for months.

The second is that the same malicious code may be represented differently in different file types, and it's important to get coverage of those other formats to ensure complete protection.
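
To make the second takeaway concrete, here is an added example (not from the diary, Citizen Lab or any AV vendor) of a container-aware check. It dispatches on the real container type rather than the extension: OOXML (.ppsx) is a ZIP whose parts are deflated, so the check has to unzip and read the relationship XML; the Office 97-2003 form (.pps) is an OLE compound file whose streams are stored uncompressed, with PowerPoint strings in UTF-16LE, so a raw byte search in both UTF-16 alignments finds the same information. The indicator used here (an OLE object relationship whose external target is a UNC path) is chosen for illustration and is not any vendor's signature; the two sample documents are constructed stand-ins, and the "OLE" sample is only a header plus a string, not a valid compound file.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file: .pps/.ppt/.doc
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML: .ppsx/.pptx/.docx (ZIP container)

# Illustrative indicator (an assumption for this example): a reference to a file
# on a remote UNC share, \\host\share\path.  In OOXML it appears in a .rels part as
#   <Relationship ... Target="\\host\share\x" TargetMode="External"/>
# In the binary .pps form the same path is stored as a UTF-16LE string.
UNC_PATH = re.compile(r"\\\\[\w.-]+(?:\\[\w.-]+)+")
REL_ELEMENT = re.compile(r"<Relationship\b[^>]*>")


def container_type(data: bytes) -> str:
    """Classify by magic bytes, not by file extension."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def scan_ooxml(data: bytes) -> list:
    """Unzip and inspect every relationship part for an external UNC target."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        xml = zf.read(name).decode("utf-8", errors="ignore")
        for elem in REL_ELEMENT.findall(xml):
            m = UNC_PATH.search(elem)
            if 'TargetMode="External"' in elem and m:
                hits.append(f"{name}: {m.group(0)}")
    return hits


def scan_ole(data: bytes) -> list:
    """Compound-file streams are not compressed, so search the raw bytes as
    UTF-16LE text in both possible alignments."""
    hits = []
    for offset in (0, 1):
        text = data[offset:].decode("utf-16-le", errors="ignore")
        hits.extend(UNC_PATH.findall(text))
    return hits


def scan_ooxml_only(data: bytes) -> bool:
    """The coverage gap the diary describes: a check written only for the ZIP/XML
    form sees nothing in the OLE (.pps) form of the same document."""
    return bool(scan_ooxml(data))


def scan_any(data: bytes) -> bool:
    """Container-aware check: apply the format-specific view of the same indicator."""
    kind = container_type(data)
    if kind == "ooxml":
        return bool(scan_ooxml(data))
    if kind == "ole":
        return bool(scan_ole(data))
    return False


def build_samples():
    """Constructed stand-ins for the two forms of one document (not real exploit files)."""
    path = "\\\\192.0.2.10\\share\\payload.bin"
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"'
            f' Target="{path}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    ppsx = buf.getvalue()
    # Minimal OLE-looking blob: header magic, padding, then the path as UTF-16LE.
    pps = OLE_MAGIC + b"\x00" * 504 + path.encode("utf-16-le")
    return ppsx, pps


if __name__ == "__main__":
    for label, sample in zip(("ppsx", "pps"), build_samples()):
        print(label, container_type(sample), "ooxml-only:", scan_ooxml_only(sample),
              "container-aware:", scan_any(sample))
```

For real .pps files, walk the streams with a compound-file parser (for example the olefile package) instead of the raw search shown here; the raw search is enough to show why a signature written against the unzipped XML never fires on the binary form.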

John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity

The National Institute of Standards and Technology (NIST) has updated its technical specifications and guidance for the next generation of smart identity cards used by the federal government's workforce. The new specifications add ...
The Cloud Computing Forum & Workshop VIII will be held July 7-10, 2015, at the National Institute of Standards and Technology (NIST) in Gaithersburg, Md. One of the most influential annual meetings on the topic, particularly for ...
ESA-2015-043: RSA® Validation Manager Security Update for Multiple Vulnerabilities

The St. Louis Cardinals baseball franchise is being investigated by the FBI for allegedly hacking into the network of the Houston Astros in order "to steal closely guarded information about player personnel," The New York Times reported today.

About a year ago, 10 months' worth of Astros' front office communications regarding trade talks and negotiations were leaked online. The Astros notified Major League Baseball (MLB) security and the FBI to determine who stole them.

"Agents soon found that the Astros’ network had been entered from a computer at a home that some Cardinals officials had lived in. The agents then turned their attention to the team’s front office," the Times report said. Besides the trade talks, the stolen information includes "proprietary statistics and scouting reports." Subpoenas for electronic communications have been issued to the Cardinals and MLB.


ESA-2015-106: EMC Unified Infrastructure Manager/Provisioning (UIM/P) Authentication Bypass Vulnerability

Many web application firewalls do block odd user agents. However, decent vulnerability scanners will try to evade these simple protections by emulating the user agent string of commonly used browsers. To figure out if I can distinguish bad from good, I compared some of the logs from our honeypots to logs from a normal web server (isc.sans.edu). Many of the top user agents hitting the honeypot are hardly seen on normal web sites, allowing me to identify possible vulnerability scanners.

First: There are a number of legitimate scripts that poll our data on isc.sans.edu. While Python, for example, is used by many vulnerability scanners, we do have a good number of Python scripts using our APIs. I tried to eliminate some of these requests.

rv:17.247) Gecko/20100101 Firefox/17.247

Yes, the string "User-Agent:" is part of the user agent string. The version of Firefox is also old... (if legit at all; I don't have Firefox 17 around to verify). This user agent string is used by a web site uptime monitoring service. I assume the developer didn't quite understand how to set the user agent, and ended up with the extra "User-Agent:" string.

http://www.majestic12.co.uk/bot.php?+)

I dont see any actual attacks from Majestic, but they are certainly an aggressive bot. As explained on their site, you can download the bot and the goal is to build a distributed network of bot spidering web based content.

Vulnerability Scanners

The following user agent strings are much more common in our honeypot:

rv:37.0) Gecko/20100101 Firefox/37.0

#2 in our honeypot. Sure... there may be some people browsing the internet using Firefox 37 (a recent version) on Ubuntu. But it is certainly not your #2 most common browser. On our real system, this user agent comes in as #220.

Linux x86_64) Presto/2.12.388 Version/12.16

After some obvious bots (e.g. Baidu), we get Opera, a browser that doesn't show up at all in the top 100 user agents used on our ISC website.

So what can you do with this information?

- Some blocking on the web application firewall is probably a good idea for tools like masscan. You may want to allow them if they are used by legitimate pentesters or by vulnerability scans that you run against your own web applications.

- If some of these user agents have legitimate uses but are more often used maliciously, use them to focus your log reviews. See what kind of requests you are more likely to see from odd (usually outdated) user agents. Many tools use a current user agent when they are created, but the user agent is never updated, so they end up with outdated user agent strings that start to stick out as most of your users upgrade.

- Decent web application firewalls will look for other artifacts, like header order, to verify the user agent. We also see user agents like Googlebot abused (see a prior diary about identifying fake Google bots).
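
The comparison the diary describes, as an added example that is not the diary's own code: rank user agents in honeypot and production access logs, flag the ones that sit near the top of the honeypot list but rank low (or never appear) on the real site, and separately catch the "User-Agent: User-Agent: ..." mistake. The log lines are constructed in Apache/nginx combined format; the Firefox 37, Opera 12 and doubled-header strings reuse the fragments shown above, while the leading parts of those strings and the Chrome, Firefox 38 and Safari strings are assumed for the example. The rank thresholds are parameters; the diary's #220 is the kind of number you would tune them against.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format; the user agent is the last quoted field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User agent strings.  The Firefox 37 / Opera 12 tails and the doubled
# "User-Agent:" prefix come from the diary; everything else is assumed.
FIREFOX_37_UBUNTU = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0"
OPERA_12 = "Opera/9.80 (X11; Linux x86_64) Presto/2.12.388 Version/12.16"
MALFORMED = "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.247) Gecko/20100101 Firefox/17.247"
CHROME_43_WIN = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36")
FIREFOX_38_WIN = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"
SAFARI_8_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.6.3 "
                "(KHTML, like Gecko) Version/8.0.6 Safari/600.6.3")


def make_lines(ua_counts):
    """Constructed combined-format log lines from (user_agent, count) pairs."""
    lines = []
    for ua, n in ua_counts:
        for i in range(n):
            lines.append(
                f'203.0.113.{i % 250 + 1} - - [16/Jun/2015:10:{i % 60:02d}:00 +0000] '
                f'"GET /index.html HTTP/1.1" 200 1234 "-" "{ua}"'
            )
    return lines


# Constructed honeypot and production samples with the shape the diary describes:
# an outdated Linux Firefox and Opera dominate the honeypot, current Chrome the site.
HONEYPOT = make_lines([(FIREFOX_37_UBUNTU, 12), (OPERA_12, 7), (CHROME_43_WIN, 5), (MALFORMED, 2)])
PRODUCTION = make_lines([(CHROME_43_WIN, 60), (FIREFOX_38_WIN, 25),
                         (SAFARI_8_MAC, 10), (FIREFOX_37_UBUNTU, 1)])


def user_agents(lines):
    """Count user agents across log lines; lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            counts[m.group("ua")] += 1
    return counts


def ranks(counts):
    """Map each user agent to its 1-based popularity rank."""
    return {ua: i for i, (ua, _) in enumerate(counts.most_common(), start=1)}


def odd_agents(honeypot_lines, production_lines, top_n=5, min_prod_rank=100):
    """Agents in the honeypot top-N that rank below min_prod_rank, or never
    appear, on the real site.  Returned in honeypot rank order."""
    hp_rank = ranks(user_agents(honeypot_lines))
    prod_rank = ranks(user_agents(production_lines))
    return [ua for ua, r in hp_rank.items()
            if r <= top_n and prod_rank.get(ua, float("inf")) > min_prod_rank]


def malformed_user_agent(ua):
    """The header name leaked into the header value ("User-Agent: User-Agent: ...")."""
    return ua.lower().startswith("user-agent:")


if __name__ == "__main__":
    for ua in odd_agents(HONEYPOT, PRODUCTION, top_n=3, min_prod_rank=3):
        print("odd:", ua)
    for ua in user_agents(HONEYPOT):
        if malformed_user_agent(ua):
            print("malformed:", ua)
```

Access logs only record the user agent value, so the header-order check the diary mentions has to be done at the WAF or from a packet capture, not from this kind of log review.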

Johannes B. Ullrich, Ph.D.


LinuxSecurity.com: The system could be made to run programs as an administrator.
LinuxSecurity.com: Security Report Summary
BlackCat CMS v1.1.1 Arbitrary File Download Vulnerability

We Live Security (blog): A beginner's guide to starting in InfoSec
A lot of ink has been spilt about the shortage of people trained in information security – especially about the shortage of women in tech and in this industry in particular. I was recently interviewed by Matthew J. Schwartz for a podcast in which we ...
PR Newswire (press release): InfoSec World 2016 Announces Date and Call for Speakers
