(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Since late November 2015, malicious spam (malspam) distributing TeslaCrypt ransomware has surged in a recent attack offensive [1]. This offensive is on-going. Criminal groups are sending out massive amounts of emails containing attachments with zipped .js files. These zipped .js files--called Nemucod by ESET and some other security vendors [2]--download and install the TeslaCrypt ransomware.

This is no different from other zipped .js file downloaders that I've already posted diaries about [3, 4]. The only difference is the payload.

As the malspam continued, other sources began reporting about it [for example: 5, 6, 7, 8, 9]. Two of my favorite sites for malspam analysis have good information on this campaign: Dynamoo's Blog [references 10 through 18] and TechHelpList.com [references 19 through 28]. Every day or two, these two blogs have reported on these waves of TeslaCrypt malspam.

Reviewing my organization's spam filters, I ... however, I've heard a great deal more about it from other security professionals. Let's review an example from Thursday 2015-12-17.

The email


The extracted .js file is quite obfuscated.
Shown above: Desktop of the Windows host after a TeslaCrypt infection.

Encrypted files are given the suffix .vvv, which indicates this was version 2.2 of TeslaCrypt [1].
Shown above: The infected host checking its IP address.

Shown above: Callback traffic from the infected host.

I read a pcap of the traffic with Snort on a Debian 7 host, using the Snort subscriber ruleset.
Shown above: Alerts from the traffic using the Snort subscriber ruleset.

I also used tcpreplay on a pcap of the infection traffic in Security Onion with the EmergingThreats (ET) Pro ruleset.
Shown above: Alerts from the traffic using the ET Pro ruleset.

Final words

This is a notable trend, but it's not a serious threat. Properly-administered Windows hosts and a decent mail filtering system should protect users from getting infected by the malspam. However, this type of campaign is apparently profitable for the criminals behind it. Why? Somewhere, people's computers are getting infected because of the TeslaCrypt malspam. Otherwise, why would it continue?

Pcap and malware samples used in this diary are available here.

Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic


[1] http://www.symantec.com/connect/blogs/major-teslacrypt-ransomware-offensive-underway
[2] http://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/
[3] https://isc.sans.edu/forums/diary/Malicious+spam+with+zip+attachments+containing+js+files/20153/
[4] https://isc.sans.edu/forums/diary/Malicious+spam+continues+to+serve+zip+archives+of+javascript+files/19973/
[5] https://heimdalsecurity.com/blog/security-alert-teslacrypt-infections-rise-spam-campaign-hits-companies-europe/
[6] http://www.computerworld.com/article/3015454/security/teslacrypt-ransomware-attacks-are-increasing.html
[7] http://www.infosecurity-magazine.com/news/teslacrypt-reappears-with-savvy/
[8] http://www.csoonline.com/article/3015498/security/attacks-using-teslacrypt-ransomware-intensify.html
[9] http://www.computing.co.uk/ctg/news/2439008/teslacrypt-criminals-launch-very-strong-spam-campaign-to-spread-crypto-malware
[10] http://blog.dynamoo.com/2015/12/malware-spam-november-invoice-60132748.html
[11] http://blog.dynamoo.com/2015/12/malware-spam-invoice-from-passion.html
[12] http://blog.dynamoo.com/2015/12/fake-fretter-inc-leads-to-teslacrypt.html
[13] http://blog.dynamoo.com/2015/12/malware-spam-foreman-ltd-last-payment.html
[14] http://blog.dynamoo.com/2015/12/malware-spam-invoice-66626337ba2deb0f.html
[15] http://blog.dynamoo.com/2015/12/malware-spam-your-order-12345678-11.html
[16] http://blog.dynamoo.com/2015/12/malware-spam-reference-number-89044096.html
[17] http://blog.dynamoo.com/2015/12/malware-spam-unpaid-invoice-from.html
[18] http://blog.dynamoo.com/2015/12/malware-spam-required-your-attention.html
[19] https://techhelplist.com/spam-list/996-invoice-from-cimquest-ingear-malware
[20] https://techhelplist.com/spam-list/997-your-order-corresponding-invoice-malware
[21] https://techhelplist.com/spam-list/999-invoice-from-datacorp-inc-malware
[22] https://techhelplist.com/spam-list/1000-reference-number-last-payment-notice-malware
[23] https://techhelplist.com/spam-list/1002-payment-request-ref-nr-2015-malware
[24] https://techhelplist.com/spam-list/1003-invoice-our-finance-department-malware
[25] https://techhelplist.com/spam-list/1005-agri-basics-invoice-and-malware
[26] https://techhelplist.com/spam-list/1007-reference-number-notice-of-unpaid-invoice-malware
[27] https://techhelplist.com/spam-list/1009-unpaid-invoice-from-staples-inc-ref-urgent-notice-malware
[28] https://techhelplist.com/spam-list/1014-required-your-attention-special-prices-malware


An operating system used to manage firewalls sold by Juniper Networks contains unauthorized code that surreptitiously decrypts traffic sent through virtual private networks, officials from the company warned Thursday.

It's not clear how the code got there or how long it has been there. An advisory published by the company said that NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and require immediate patching. Release notes published by Juniper suggest the earliest vulnerable versions date back to at least 2012 and possibly earlier. There's no evidence right now that the backdoor was put in other Juniper OSes or devices.

"During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections," Juniper Chief Information officer Bob Worrall wrote. "Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS."



Oh, look, Flash can open right in Outlook. This is bad. (credit: Haifei Li)

One of a heaping collection of critical bug fixes pushed out by Microsoft on December 8 as part of the company's monthly "Patch Tuesday" was an update to the Microsoft Office suite designed to close a vulnerability that would allow an attacker to sneak past Outlook's security features. While the patch addressed multiple vulnerabilities in the way Office manages objects in memory, the most severe of them allows for remote code execution through a "specially crafted Microsoft Office file," Microsoft reported.

Now more details of just how bad that vulnerability is have been provided by security researcher Haifei Li in a paper entitled "BadWinmail: The 'Enterprise Killer' Attack Vector in Microsoft Outlook." The vulnerability allows a crafted attachment to an e-mail to bypass Outlook's layers of security by exploiting Office's Object Linking and Embedding (OLE) capabilities and Outlook's Transport Neutral Encapsulation Format (TNEF)—the e-mail attachment method associated with Outlook messages' winmail.dat attachments.

The winmail.dat file includes instructions on how to handle attachments embedded within it. "When the value of the 'PidTagAttachMethod' [within winmail.dat] is set to ATTACH_OLE (6)," Haifei wrote, "the 'attachment file' (which is another file contained in the winmail.dat file) will be rendered as an OLE object."



(credit: The Intercept)

A secret catalog of cellphone spying gear has been leaked to The Intercept, reportedly by a person inside the intelligence community who is concerned about the growing militarization of domestic law enforcement.

Among the 53 items are the now-familiar Stingray I/II surveillance boxes. They're billed as the "dragnet surveillance workhorse [that] has been deployed for years by numerous local law enforcement agencies across the United States." It has a range of 200 meters and sells for $134,000. A chief selling point is the "ready-made non-disclosure agreements from the FBI and Harris Corp. [that] will provide a pretext for concealing these features from the public." The listing also touts Harris' "next-generation Hailstorm, a must-have for cracking the 4G LTE network."

Besides manufacturing the Stingray brand of surveillance gear, Harris once employed a spokesman named Marc Raimondi. According to an Intercept article accompanying the leaked catalog, Raimondi is now a Department of Justice spokesman who says the agency's use of stingray equipment is legal.


ESA-2015-148: EMC Isilon OneFS Security Privilege Escalation Vulnerability
Libxml2 'parser.c' Buffer Overflow Vulnerability
libxml2 'parser.c' Out of Bounds Read Multiple Information Disclosure Vulnerabilities

The InfoSec Gender Divide: Practical Advice For Empowering Women
Dark Reading
Along the way, I increased my competencies and certifications in information security and business continuity to establish myself as a senior security and compliance management consultant and as a senior instructor for security training and ...


[oCERT 2015-011] PyAMF input sanitization errors (XXE)

This is a Guest Diary submitted by Pasquale Stirparo.

In my previous diary [https://isc.sans.edu/forums/diary/When+Hunting+BeEF+Yara+rules/20395], we had a look at a phishing attack scenario, where we were using BeEF to abuse the user's browser, steal his credentials and deliver a successful attack that would give remote access. As mentioned, on initial analysis BeEF appeared to be pretty stealthy, and the main artifacts were retrievable only in memory. This is where Yara came in to help. For your information, if you would like to test or check the rules, you can find all the Yara rules mentioned in this diary on my GitHub page [https://github.com/pstirparo/yara_rules].

BeEF has one main JavaScript file that is used to hook the browser, hook.js, and then three files in each module [https://github.com/beefproject/beef/wiki/Module-creation]:

  • config.yaml, the YAML configuration file which describes properties of the module
  • module.rb, integrates the module into the BeEF web interface
  • command.js, the javascript payload which will be executed on the hooked browser

I wrote the following Yara rule, taking strings from the hook.js source, and confirmed that it correctly detects artefacts of hook.js in memory.

In a second step, I used yarGen [https://github.com/Neo23x0/yarGen] to automatically generate two other Yara signatures, one for hook.js and one for command.js, for the Pretty Theft module (see below).

Talking about yarGen, one of its awesome features is that it ships with a huge (literally) string database of common and benign software, generated from the Windows system folder files of Windows 2003, Windows 7 and Windows 2008 R2 Server, typical software like Microsoft Office, 7zip, Firefox, Chrome, etc., and various AV solutions. Of course, such a database can also be enhanced and customized by the user. Pointing yarGen at the target sample (hook.js or command.js in this case), it extracts all ASCII and UNICODE strings from the sample, removing those that also appear in the goodware string database. Then it evaluates and scores every string using fuzzy regular expressions and the Gibberish Detector, which allows yarGen to detect and prefer real language over character chains without meaning. The top 20 strings are integrated into the resulting rule.

The power of Yara is already well known, and its potential when applied to memory is even greater. Here are some takeaways from these tests that I would like to share:

  • When hunting memory with Yara, always give your strings both the wide and ascii modifiers, because you never know how they are represented in memory (see code snippet below).
  • Matching conditions need to be tuned properly. Unlike when using Yara against a binary, where you have the full file content, in memory you may only get remnants of what you are looking for. Making all 20 strings returned by yarGen mandatory might make you miss partial matches. Requiring ~15 matches turned out to be a good trade-off between catching real artefacts and avoiding false positives.
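The two takeaways above, as an added example that is not from the diary, from yarGen or from yara-python: a small Python stand-in for Yara's string matching that shows what the wide modifier catches in a memory dump and how an N-of-M condition tolerates remnants. The candidate strings, the rule name and the memory dump are constructed placeholders, not content of hook.js or command.js.

```python
import random

# Constructed placeholder strings standing in for yarGen's top-scored
# candidates; they are NOT taken from BeEF's hook.js or command.js.
CANDIDATES = [
    "hooked_browser_init", "poll_command_queue", "session_id_cookie",
    "execute_module_js", "report_results_back", "browser_fingerprint",
    "hook_heartbeat_timer", "module_result_encode",
]


def patterns(s, wide):
    """Byte patterns Yara searches for one string: `ascii` is plain one-byte
    text; `wide` adds UTF-16LE, the in-memory form that JavaScript engines
    and many Windows components use for text."""
    pats = [s.encode("ascii")]
    if wide:
        pats.append(s.encode("utf-16-le"))
    return pats


def count_matches(memory, strings, wide=True):
    """Number of distinct candidate strings present in `memory`."""
    return sum(1 for s in strings if any(p in memory for p in patterns(s, wide)))


def rule_matches(memory, strings, required, wide=True):
    """Emulates `condition: <required> of ($s*)`; required == len(strings)
    behaves like `all of them` and misses partial (remnant) matches."""
    return count_matches(memory, strings, wide) >= required


def to_yara_rule(name, strings, required):
    """Render the candidates as Yara syntax with both modifiers set."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{s}" ascii wide')
    lines += ["    condition:", f"        {required} of ($s*)", "}"]
    return "\n".join(lines)


def constructed_memory_dump():
    """Constructed stand-in for a process memory dump: four candidates stored
    as ASCII, three as UTF-16LE, one missing entirely (only remnants survived),
    separated by deterministic filler bytes."""
    rnd = random.Random(1)
    filler = lambda: bytes(rnd.randrange(256) for _ in range(64))
    chunks = [s.encode("ascii") for s in CANDIDATES[:4]]
    chunks += [s.encode("utf-16-le") for s in CANDIDATES[4:7]]
    return b"".join(filler() + c for c in chunks) + filler()
```

With the constructed dump, an ascii-only rule sees 4 of 8 strings, an ascii wide rule sees 7, and `all of them` still fails while `6 of ($s*)` fires.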

To conclude, all three rules mentioned matched on the memory dump of the infected machine, confirming that BeEF and the specific module were used in the attack. Since it is not difficult to obfuscate the BeEF modules, the Yara rules still need some further development to match accurately in such situations as well.

For those using Yara (beginners and more experienced users alike), I would suggest reading How to Write Simple but Sound Yara Rules [https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/] by Florian Roth, author of yarGen, which gives plenty of advice on how to write very effective rules.

Happy Hunting,

[SECURITY] [DSA 3425-1] tryton-server security update
CVE-2015-5348 - Apache Camel medium disclosure vulnerability

Posted by InfoSec News on Dec 17


By Tracy Kitten
Bank Info Security
December 16, 2015

Two leading payments processors that each suffered massive data breaches
are consolidating. Atlanta-based Global Payments Inc. plans to buy its
smaller rival, Princeton, N.J.-based Heartland Payment Systems Inc., for
$4.3 billion.

The deal that is expected to close during the fiscal fourth...

Posted by InfoSec News on Dec 17


By Andrea Peterson
The Washington Post
December 16, 2015

Police in Britain arrested a 21-year-old man Tuesday as part of an
investigation into the massive hack against Hong Kong-based toymaker

VTech sells popular toys for young children, including smartwatches and
tablets. The November breach of several company databases exposed
information about...

Posted by InfoSec News on Dec 17


By Jack Moore
December 15, 2015

Federal agencies face a rapidly approaching deadline to identify
cybersecurity workforce shortages.

Boosting the government’s information security workforce is a key part of
the Obama administration’s long-term strategy for securing federal
networks. It follows a 30-day rapid...

Posted by InfoSec News on Dec 17


By Andrada Fiscutean
December 14, 2015

Cybersecurity researcher Peter Kruse, founder of CSIS Security Group in
Denmark, thought his mother was calling. Her number appeared on his phone,
but when he answered, it wasn't her. Instead, a male voice told him to
stop what he was doing as a computer expert.

"They checked my family...

Posted by InfoSec News on Dec 17


By Dan Goodin
Ars Technica
Dec 16, 2015

When you're a Fortune 500 company that's a favorite target of
sophisticated hackers, it often makes sense to install security appliances
at the outer edges of your network to stop attacks before they get far.
Now, researchers say they have uncovered a vulnerability in such a product

Posted by InfoSec News on Dec 17


The New York Times
DEC. 16, 2015

WASHINGTON -- Defense Secretary Ashton B. Carter relied on a personal
email account to conduct a portion of his government business during his
first months at the Pentagon, according to White House and Defense
Department officials and copies of...

Posted by InfoSec News on Dec 17


By Lucian Constantin
IDG News Service
Dec 16, 2015

There are at least 35,000 publicly accessible and insecure MongoDB
databases on the Internet, and their number appears to be growing.
Combined they expose 684.8 terabytes of data to potential theft.

Matherly originally sounded the alarm about this issue back in...
[SECURITY] [DSA 3337-2] gdk-pixbuf security update
[SECURITY] [DSA 3424-1] subversion security update
[security bulletin] HPSBHF03528 rev.1 - HP Network Products running VCX, Remote Unauthorized Modification
[SECURITY] [DSA 3423-1] cacti security update
[SECURITY] [DSA 3421-1] grub2 security update