One reason you can tell your friends like you: they will share packets with you :). One such friend sent me an interesting packet capture this weekend: an SSH Protocol Mismatch error in response to an SSL Client Hello. That

The difference: the first Client Hello only allowed for TLS 1.2, while the second Client Hello was version tolerant and allowed for TLS 1.0-1.2. Safari, on the other hand, only sent the version-tolerant Client Hello. I wasn't quite able to use openssl to recreate a Client Hello as tight as the one Windows 10 sends, but this was the only significant difference between the two Client Hellos. APNS, SNI and other options didn't seem to matter.

So what is happening here?

My suspicion is that this is not malicious behavior. Instead, the server is running behind a multiplexer like sslh [1]. It profiles incoming requests and then sends them to one of several backend servers. By default, if it doesn't recognize the request, it forwards it to an SSH server. The goal of this tool is to allow someone to run multiple servers on port 443 so they can reach them from behind corporate firewalls that only allow outbound port 443 traffic.

The version of sslh (or similar tool) apparently doesn't support TLS 1.2 yet, and as a result redirects the rather strict Windows 10 requests to SSH, the default option. Windows 10, on the other hand, realizes that TLS 1.2 isn't universally supported yet, and downgrades if the initial Client Hello fails.
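To make the multiplexer explanation concrete, here is an added Python example (not from the diary and not sslh's own code) that builds two constructed ClientHello records, parses their version fields, and shows how a hypothetical demultiplexer probe that only recognizes record versions up to TLS 1.1 sends the TLS 1.2-only hello to its SSH fallback while a probe that knows TLS 1.2 does not. The diary does not give the bytes that differed in the capture, so modelling the strict hello as TLS 1.2 in both version fields and the tolerant one as TLS 1.0 at the record layer is an assumption. The last function is the kind of check a network monitor can apply to flag an SSH banner or "Protocol mismatch" reply on port 443.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01


def build_client_hello(record_version, client_version):
    """Build a minimal, constructed TLS ClientHello record (not captured traffic).

    record_version: the version in the 5-byte record header
    client_version: the version in the ClientHello body
    """
    body = (
        struct.pack("!H", client_version)
        + bytes(32)                    # client random (all zeros, constructed)
        + b"\x00"                      # empty session id
        + b"\x00\x02\xc0\x2f"          # one cipher suite (constructed list)
        + b"\x01\x00"                  # null compression only
    )
    # Handshake header: type (1 byte) + length (3 bytes)
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    # Record header: type (1 byte) + version (2 bytes) + length (2 bytes)
    return bytes([TLS_HANDSHAKE]) + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_client_hello(data):
    """Return (record_version, client_version) from a ClientHello record, or raise ValueError."""
    if len(data) < 11 or data[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    if record_len != len(data) - 5:
        raise ValueError("record length mismatch")
    if data[5] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    handshake_len = int.from_bytes(data[6:9], "big")
    if handshake_len != len(data) - 9:
        raise ValueError("handshake length mismatch")
    client_version = struct.unpack("!H", data[9:11])[0]
    return record_version, client_version


def probe(first_bytes, max_minor):
    """Hypothetical demultiplexer probe modelled on the behaviour the diary describes.

    Recognizes an SSH client banner, or a TLS record whose version is 3.x with x <= max_minor.
    Anything else falls through to the SSH backend, the default for unrecognized traffic.
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if (len(first_bytes) >= 3 and first_bytes[0] == TLS_HANDSHAKE
            and first_bytes[1] == 0x03 and first_bytes[2] <= max_minor):
        return "tls"
    return "ssh"


def probe_legacy(first_bytes):
    """Probe that only knows SSL 3.0 through TLS 1.1 (record versions 3.0 to 3.2)."""
    return probe(first_bytes, 0x02)


def probe_fixed(first_bytes):
    """Probe that also accepts TLS 1.2 and TLS 1.3 record versions (3.3 and 3.4)."""
    return probe(first_bytes, 0x04)


def ssh_on_tls_port(server_reply, port):
    """Monitoring check: True if a server on port 443 answers with an SSH banner or mismatch error."""
    return port == 443 and (server_reply.startswith(b"SSH-") or b"Protocol mismatch" in server_reply)


# Constructed hellos (assumption about the capture; the diary does not give the bytes):
# the strict one uses TLS 1.2 in both version fields, the version-tolerant one
# advertises TLS 1.0 at the record layer and TLS 1.2 in the ClientHello body.
STRICT_HELLO = build_client_hello(0x0303, 0x0303)
TOLERANT_HELLO = build_client_hello(0x0301, 0x0303)

if __name__ == "__main__":
    for name, hello in (("strict", STRICT_HELLO), ("tolerant", TOLERANT_HELLO)):
        rec, cli = parse_client_hello(hello)
        print(f"{name}: record 0x{rec:04x} client 0x{cli:04x} "
              f"legacy->{probe_legacy(hello)} fixed->{probe_fixed(hello)}")
    print("SSH banner on 443 flagged:", ssh_on_tls_port(b"SSH-2.0-OpenSSH_7.3\r\n", 443))
```

The legacy probe routes the strict hello to SSH purely because of the record-layer version byte, which matches the symptom in the capture: the SSH server then answers a TLS client with its protocol mismatch error. Run against a real capture, only the first few bytes of each direction are needed for both the probe and the monitoring check.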

The version of sslh I installed from MacPorts on my system doesn't quite behave like this and seems to understand TLS 1.2. But it may be a later version than the one installed on the server that triggered the odd behavior.

Could it be malicious? Sure. A setup like this could be used to exfiltrate data stealthily over port 443. But like my friend, many networks watch for things like SSH banners on odd ports.

Got any other explanations? Please let me know.


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Libdwarf 'dwarf_util.c' Heap Buffer Overflow Vulnerability
GraphicsMagick CVE-2016-8683 Denial of Service Vulnerability
GraphicsMagick CVE-2016-8682 Stack Based Buffer Overflow Vulnerability

Excerpt of an FBI interview report detailing a Judicial Watch deal with a defense contractor to search for hacked Clinton files.

More records from the Federal Bureau of Investigation's review of Hillary Clinton's e-mail practices have been released through the FBI's Freedom of Information Act site, including interviews with a number of individuals related to the security of the server. One of them was an employee of a defense contractor who claimed he was funded by Judicial Watch to investigate whether Clinton was hacked.

In the interview, the individual, whose name was redacted, claimed that he used the services of Dark Horse Data, a company owned by former Deputy Undersecretary of Defense for Intelligence Reginald Hyde, to search for e-mails associated with Clinton's personal account. The company focuses on "specialized data acquisition for both US and International customers" and has provided database intelligence analysis to the US government.

The credibility of that information, however, is certainly in doubt. Hyde denied that his company was involved in any such task, telling Ars Technica in a phone interview that he "was quite astounded to learn" of the assertion in the FBI documents and saying that it was like "being asked how your day on Mars was. My company was categorically not involved in this."


ImageMagick 'pixel-accessor.h' Heap Buffer Overflow Vulnerability
ASUS RP-AC52 Access Point Multiple Security Vulnerabilities


A website used to fund the campaigns of Republican senators was infected with malware that for more than six months collected donors' personal information, including full names, addresses, and credit card data, a researcher said.

The storefront for the National Republican Senatorial Committee was one of about 5,900 e-commerce platforms recently found to be compromised by malicious skimming software, according to researcher and developer Willem de Groot. He said the NRSC site was infected from March 16 to October 5 by malware that sent donors' credit card data to attacker-controlled domains. One of the addresses—jquery-code[dot]su—is hosted by dataflow[dot]su, a service that provides so-called bulletproof hosting to money launderers, sellers of synthetic drugs and stolen credit card data, and other providers of illicit wares or services.

De Groot said it's not clear how many credit cards were compromised over the six months the site was infected. Based on data from TrafficEstimates, the NRSC site received about 350,000 visits per month. Assuming 1 percent of those visits involved the visitor using a credit card, that would translate to 3,500 transactions per month, or about 21,000 transactions over the time the site was compromised. Assuming a black market value of $4 to $21 per compromised card, the crooks behind the hack may have generated revenue of $600,000.


PHP LibGD CVE-2016-8670 Stack Buffer Overflow Vulnerability
Linux Kernel CVE-2016-6136 Local Information Disclosure Vulnerability
Libdwarf 'dwarf_util.c' Heap Based Buffer Overflow Vulnerability
Motorola Multiple Devices For Android Local Privilege Escalation Vulnerability
[ERPSCAN-16-030] SAP NetWeaver - buffer overflow vulnerability
WordPress tera-charts Plugin 'treemap.php' Cross Site Scripting Vulnerability
WordPress 'tidio-form' Plugin Cross Site Scripting Vulnerability

Saturday I posted my Maldoc VBA Anti-Analysis diary entry: I step through the analysis of a malicious document that tries to detect (automated) analysis environments.

Here is a video of the analysis of this maldoc.

Didier Stevens
Microsoft MVP Consumer Security

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
[SECURITY] [DSA 3693-1] libgd2 security update