HDF5 CVE-2016-4330 Local Heap Overflow Vulnerability
IBM Connections CVE-2016-2953 Man in the Middle Information Disclosure Vulnerability
HDF5 CVE-2016-4332 Local Heap Overflow Vulnerability
HDF5 CVE-2016-4333 Local Heap Buffer Overflow Vulnerability


Almost three million Android phones, many of them used by people in the US, are vulnerable to code-execution attacks that remotely seize full control of the devices, researchers said Thursday.

Until recently, the flaw could have been exploited by anyone who took the time to obtain two Internet domains that remained unregistered despite being hardwired into the firmware that introduced the vulnerability. After discovering the vulnerability, researchers from security ratings firm BitSight Technologies registered the addresses and control them to this day. Even now, the failure of the buggy firmware to encrypt communications sent to a server located in China makes code-execution attacks possible when phones don't use virtual private networking software when connecting to public hotspots and other unsecured networks.

Since BitSight and its subsidiary company Anubis Networks took possession of the two preconfigured domains, more than 2.8 million devices have attempted to connect in search of software that can be executed with unfettered "root" privileges, the researchers said. Had malicious parties obtained the addresses before BitSight did, the actors could have installed keyloggers, bugging software, and other malware that completely bypassed security protections built into the Android operating system. The almost three million devices remain vulnerable to so-called man-in-the-middle attacks because the firmware—which was developed by a Chinese company called Ragentek Group—doesn't encrypt the communications sent and received to phones and doesn't rely on code-signing to authenticate legitimate apps. Based on the IP addresses of the connecting devices, vulnerable phones hail from locations all over the world, with the US being the No. 1 affected country.




KaiXin exploit kit (EK) was first identified in August 2012 by Kahu Security [1], and it received some press from security-related blogs later that year [2, 3, 4]. Within the past year or so, Jack at malwarefor.me and I have posted our analysis of a few KaiXin EK traffic examples [5, 6, 7, 8, 9], and in March 2016 I wrote an ISC diary about this EK [10]. A May 2016 blog from Palo Alto Networks associated some instances of KaiXin EK with a KRBanker trojan that targeted online banking users [11].

Since that time, I've rarely found KaiXin EK. Every once in a while, I'd find some indicators, but I was never able to generate any traffic. Fortunately, someone recently informed me of an active URL, and I retrieved some good examples of KaiXin EK.

Of note, I had to use an older Windows 7 host with Internet Explorer (IE) 8 as the web browser. I was unable to generate any EK traffic from the initial URL if I used Windows 7 with IE 9 or newer.

Today's diary examines these examples of KaiXin EK infection traffic.

The EK infection

I tried a variety of configurations (all using IE 8) in order to get as many exploits as possible. An older Windows host with Java 6 runtime environment update 22 gave me a Java exploit. Newer Windows hosts generated different Flash exploits.

Shown above: Third run for the KaiXin EK infection traffic in Wireshark.

L appears to be a gate.

Shown above: Alerts on the traffic from the first run.

didn't execute properly for any of my infections. During each infection, a VBS file appeared in the user's AppData\Local\Temp directory with a random name of 5 alphabetic characters. An example of the file name and path on a Windows 7 host follows:

  • C:\Users\[username]\AppData\Local\Temp\CZGYO.vbs

I ran the payload through publicly-available sandboxes at malwr.com and hybrid-analysis.com to get the post-infection traffic.

The payload

Today's KaiXin EK payload is an 8,192-byte executable that acts as a file downloader. It appears to download another piece of malware about 2 MB in size. I was unable to identify the follow-up malware based on the HTTP traffic it generated.

Shown above: Alerts for the post-infection traffic on Security Onion using Sguil with Suricata and the Emerging Threats Pro signature set.

Indicators of Compromise (IOCs)

The following are IP addresses, TCP ports, and domain names associated with todays infection:

  • port 12113 - otc.szmshc.com:12113 - KaiXin EK
  • port 10002 - u.ed-vis.com:10002 - KaiXin EK sends payload (file downloader)
  • port 19008 - n.shopzhy.com:19008 - Post-infection traffic from KaiXin EK payload
  • port 80 - conn.guizumall.com - Post-infection traffic from follow-up malware

The following are SHA256 hashes, file names, and descriptions of the EK payload and follow-up malware:

  • SHA256 hash: 21bfb09e9c67c69ff3041b48494b093bce8acb57ee0e9e0fe5da737561064a7b
  • File name: b02q1.exe
  • File description: Payload (a downloader) sent by KaiXin EK (8,192 bytes)
  • SHA256 hash: e4d9c9b5400436204bbd1510f73e6e76cc970b844605f4b1918bac5c2b74b384
  • File name: cj1.exe
  • File description: Follow-up malware retrieved by the KaiXin EK payload (2,095,616 bytes)

Final words

From the beginning, KaiXin EK has been described as a Chinese EK. I've seen it in traffic associated with China, Japan, Korea, and possibly some nations in Southeast Asia. It usually doesn't make the list with other more advanced EKs, and the exploits used in KaiXin EK seem awfully outdated.

However, the actors and campaigns using KaiXin EK remain a threat.

People can protect themselves by following best security practices like keeping their computers up-to-date with the latest version of Windows, web browsers, and browser-associated applications (like Java, Flash, etc.).

Pcaps, malware, and artifacts associated with this diary can be found here.

Brad Duncan
brad [at] malware-traffic-analysis.net


[1] http://www.kahusecurity.com/2012/new-chinese-exploit-pack/
[2] http://eromang.zataz.com/2012/12/05/kaixin-exploit-kit-evolutions/
[3] https://websiteanalystsresource.wordpress.com/2012/08/10/exploring-the-kaixin-exploit-kit/
[4] http://ondailybasis.com/blog/2012/11/01/kaixin-exploit-pack-is-back-part-1/
[5] http://www.malware-traffic-analysis.net/2015/01/03/index.html
[6] http://www.malware-traffic-analysis.net/2015/01/31/index.html
[7] http://malwarefor.me/2015-09-20-kaixin-ek-from-korean-news-website/
[8] http://www.malware-traffic-analysis.net/2016/03/22/index.html
[9] http://www.malware-traffic-analysis.net/2016/05/31/index2.html
[10] https://isc.sans.edu/forums/diary/Recent+example+of+KaiXin+exploit+kit/20827/
[11] http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The BLU R1 HD is one of the devices that was backdoored by a Chinese software provider. (credit: Blue Products)

Security firm Kryptowire has uncovered a backdoor in the firmware installed on low-cost Android phones, including phones from BLU Products sold online through Amazon and Best Buy. The backdoor software, initially discovered on the BLU R1 HD, sent massive amounts of personal data about the phones and their users’ activities back to servers in China that are owned by a firmware update software provider. The data included phone number, location data, the content of text messages, calls made, and applications installed and used.

The company, Shanghai AdUps Technologies, had apparently designed the backdoor to help Chinese phone manufacturers and carriers track the behavior of their customers for advertising purposes. AdUps claims its software runs updates for more than 700 million devices worldwide, including smartphones, tablets, and automobile entertainment systems. The surveillance feature of the software was developed specifically for the Chinese market, the company says, and was unintentionally included in the software for BLU devices.

[Update, November 16 10:00am] While Kryptowire reported that Adups' software was used on Huawei and ZTE handsets in China, a Huawei representative told Ars:



(credit: Justin Tallis/AFP/Getty Images)

The UK's home secretary Amber Rudd has signed an extradition order agreeing that hacking suspect Lauri Love should face trial in the US.

Love's family plan to appeal against the decision. The 31-year-old—who has Asperger's syndrome—faces up to 99 years in prison and fears for his own life, his lawyers have said.

A home office spokesperson told Ars: "On Monday 14 November, the secretary of state, having carefully considered all relevant matters, signed an order for Lauri Love’s extradition to the United States. Mr Love has been charged with various computer hacking offences which included targeting US military and federal government agencies."




AdultFriendFinder has been hacked, revealing the account details of more than 400 million people who would undoubtedly prefer to keep their identities private on the "world's largest sex and swinger community" site.

The hacked database—which appears to be one of the largest ever single data breaches in history—apparently contains account details for numerous adult properties belonging to the California-based Friend Finder Network, and includes customers' e-mail addresses, IP addresses last used to log-in to the site, and passwords.

According to data breach notification site LeakedSource.com, the passwords were either kept in plain text format, or used the largely discredited SHA1 hashing algorithm. It claimed to have cracked 99 percent "of all available passwords" which "are now visible in plaintext."



(credit: Bonnie Natko)

Researchers said they have discovered a simple way lone attackers with limited resources can knock large servers offline when they're protected by certain firewalls made by Cisco Systems and other manufacturers.

The denial-of-service technique requires volumes of as little as 15 megabits, or about 40,000 packets per second, to sever the Internet connection of vulnerable servers. The requirements are in stark contrast to recent attacks targeting domain name service provider Dyn and earlier security site KrebsOnSecurity and French Web host OVH. Those assaults bombarded sites with volumes approaching or exceeding 1 terabit per second. Researchers from Denmark-based TDC Security Operations Center have dubbed the new attack technique BlackNurse.

In a blog post published Wednesday, the researchers wrote:



(credit: Samy Kamkar)

The perils of leaving computers unattended just got worse, thanks to a newly released exploit tool that takes only 30 seconds to install a privacy-invading backdoor, even when the machine is locked with a strong password.

PoisonTap, as the tool has been dubbed, runs freely available software on a $5/£4 Raspberry Pi Zero device. Once the payment card-sized computer is plugged into a computer's USB slot, it intercepts all unencrypted Web traffic, including any authentication cookies used to log in to private accounts. PoisonTap then sends that data to a server under the attacker's control. The hack also installs a backdoor that makes the owner's Web browser and local network remotely controllable by the attacker.

(credit: Samy Kamkar)

PoisonTap is the latest creation of Samy Kamkar, the engineer behind a long line of low-cost hacks, including a password-pilfering keylogger disguised as a USB charger, a key-sized dongle that jimmies open electronically locked cars and garages, and a DIY stalker app that mined Google Streetview. While inspiring for their creativity and elegance, Kamkar's inventions also underscore the security and privacy tradeoffs that arise from an increasingly computerized world. PoisonTap continues this cautionary theme by challenging the practice of password-protecting an unattended computer rather than shutting it off or, a safer bet still, toting it to the restroom or lunch room.


IBM Spectrum Scale and IBM GPFS CVE-2016-2984 Local Command Execution Vulnerability
curl/libcURL CVE-2016-7167 Multiple Integer Overflow Vulnerabilities
CVE-2016-3247 Microsoft Edge CTextExtractor::GetBlockText OOB read details
Reason Core Security v1.2.0.1 - Unquoted Path Privilege Escalation Vulnerability
[ERPSCAN-16-032] SAP Telnet Console - Directory traversal vulnerability
[ERPSCAN-16-031] SAP NetWeaver AS ABAP - directory traversal using READ DATASET

It is well-known that bad guys implement pieces of code to defeat security analysts and researchers. Modern malware has VM evasion techniques to detect as soon as possible if it is being executed in a sandbox environment. The same applies to web services like phishing pages or C&C control panels.

Yesterday, I found a website delivering a malicious PE file. The URL was http://www.[redacted].com/king/prince.exe. This PE file was downloaded and executed by a malicious Office document. Nothing special here, it's a classic attack scenario. Usually, when I receive a URL like this one, I always try to access the upper directory indexes and also some usual filenames / directories (I built and maintain my own dictionary for this purpose). Playing active-defense

The file zz.php is less interesting, it's a simple PHP mailer. The dbl directory contains interesting pages that provide a fake

In this case, attackers made another mistake: the source code of the phishing site was left on the server in the dbl.zip file. Once downloaded and analyzed, it revealed a classic attack trying to lure visitors and collect credentials. Note that the attacker was identified via his gmail.com address present in the scripts. But the most interesting file is called blocker.php, which the phishing pages pull in with:

    include("blocker.php");

Let's have a look at this file. It performs several checks based on the visitor's details (IP and browser).

First of all, it performs a reverse lookup of the visitor's IP address and searches the resulting hostname for a list of blocked words:

    $hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    $blocked_words = array("above", "google", "softlayer", "amazonaws", "cyveillance", "phishtank",
                           "dreamhost", "netpilot", "calyxinstitute", "tor-exit", "paypal");
    foreach ($blocked_words as $word) {
        // Any blocked word found in the PTR name gets a fake 404
        if (substr_count($hostname, $word) > 0) {
            header("HTTP/1.0 404 Not Found");
        }
    }

Next, the visitor's IP address is compared with a list of banned addresses and ranges (the $bannedIP array itself is not shown), first as an exact match and then as an unanchored regular expression:

    if (in_array($_SERVER['REMOTE_ADDR'], $bannedIP)) {
        header('HTTP/1.0 404 Not Found');
    } else {
        foreach ($bannedIP as $ip) {
            // Unanchored pattern with unescaped dots: "1.2.3" also matches "11.2.3.4" or "1.2.34.5"
            if (preg_match('/' . $ip . '/', $_SERVER['REMOTE_ADDR'])) {
                header('HTTP/1.0 404 Not Found');
            }
        }
    }

Here is the list of the more relevant banned networks:

  • Google
  • Digital Ocean
  • Cogent
  • Internet Systems Consortium
  • Amazon
  • Datapipe
  • DoD Network Information Center
  • Omnico

The last check is based on the visitor's User-Agent string:

    // Note: only the final strpos() is compared with !== false; for the other clauses a
    // match at offset 0 evaluates to false, so a User-Agent starting with a marker slips through
    if (strpos($_SERVER['HTTP_USER_AGENT'], 'google') or
        strpos($_SERVER['HTTP_USER_AGENT'], 'msnbot') or
        strpos($_SERVER['HTTP_USER_AGENT'], 'Yahoo! Slurp') or
        strpos($_SERVER['HTTP_USER_AGENT'], 'YahooSeeker') or
        strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') or
        strpos($_SERVER['HTTP_USER_AGENT'], 'bingbot') or
        strpos($_SERVER['HTTP_USER_AGENT'], 'crawler') or
        strpos($_SERVER['HTTP_USER_AGENT'], 'PycURL') or
        strpos($_SERVER['HTTP_USER_AGENT'], 'facebookexternalhit') !== false) {
        header('HTTP/1.0 404 Not Found');
    }

Surprisingly, this last

    Wget/1.13.4 (linux-gnu)
    curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    python-requests/2.9.1
    Python-urllib/2.7
    Java/1.8.0_111
    ...

Many ranges of IP addresses belong to hosting companies. Many researchers use VPS and servers located there, that's why they are banned. In the same way, the interesting targets for the phishing page are residential customers of the bank, connected via the classic big ISPs.

Conclusion: if you are hunting for malicious code / sites, use an anonymous IP address (a residential DSL line or cable is best) and be sure to use the right User-Agents to mimic classic targets.
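As an added example (not from the diary or from the kit), here is a Python self-check that mirrors the three blocker.php tests above, so you can tell in advance whether the reverse-DNS name, IP address and User-Agent of a hunting box would trip a kit like this one. The word and User-Agent lists are copied from the excerpts above; the banned-IP entries and the sample visitors are constructed stand-ins, since the diary does not reproduce the kit's $bannedIP array.

```python
import re

# Word list copied from the blocker.php excerpt above.
BLOCKED_HOSTNAME_WORDS = [
    "above", "google", "softlayer", "amazonaws", "cyveillance", "phishtank",
    "dreamhost", "netpilot", "calyxinstitute", "tor-exit", "paypal",
]
# User-Agent markers copied from the blocker.php excerpt above.
BLOCKED_UA_MARKERS = [
    "google", "msnbot", "Yahoo! Slurp", "YahooSeeker", "Googlebot",
    "bingbot", "crawler", "PycURL", "facebookexternalhit",
]
# Constructed stand-ins for the kit's $bannedIP entries (the diary does not list
# them); the kit keeps them as plain strings and feeds them to preg_match() as-is.
BANNED_IP_PATTERNS = ["203.0.113.7", "192.0.2"]


def hostname_hits(hostname):
    """Check 1: substr_count($hostname, $word) > 0 for each blocked word."""
    return [w for w in BLOCKED_HOSTNAME_WORDS if w in hostname]


def ip_hits(ip, patterns=BANNED_IP_PATTERNS):
    """Check 2: in_array() exact match, then preg_match('/'.$ip.'/') per entry.
    The pattern is unanchored and its dots are unescaped, so "192.0.2" also
    matches 192.0.25.1 or 10.192.0.24, not just addresses in 192.0.2.0/24."""
    hits = [p for p in patterns if p == ip]
    hits += [p for p in patterns if p != ip and re.search(p, ip)]
    return hits


def ua_hits(user_agent):
    """Check 3: the substring test the kit author intended with strpos(). In the
    PHP shown, only the last strpos() is compared with !== false, so a marker at
    offset 0 is missed by the earlier clauses; that quirk is not copied here."""
    return [m for m in BLOCKED_UA_MARKERS if m in user_agent]


def blocker_verdict(hostname, ip, user_agent):
    """Reasons the kit would answer with a fake 404; an empty list means the
    phishing page would be served to this visitor."""
    reasons = [f"hostname contains '{w}'" for w in hostname_hits(hostname)]
    reasons += [f"ip matches banned entry '{p}'" for p in ip_hits(ip)]
    reasons += [f"user-agent contains '{m}'" for m in ua_hits(user_agent)]
    return reasons


if __name__ == "__main__":
    firefox = "Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0"
    # Constructed visitors: a cloud-hosted script, a search-engine bot, an address
    # caught only by the unanchored regex, and the residential browser the page wants.
    samples = [
        ("ec2-198-51-100-44.compute-1.amazonaws.com", "198.51.100.44", "python-requests/2.9.1"),
        ("crawl-203-0-113-9.googlebot.com", "203.0.113.9",
         "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
        ("host.example.net", "192.0.25.1", firefox),
        ("dsl-198-51-100-55.example-isp.net", "198.51.100.55", firefox),
    ]
    for host, ip, ua in samples:
        verdict = blocker_verdict(host, ip, ua)
        print(f"{ip:<15} {'blocked' if verdict else 'served '} {verdict}")
```

To test your own vantage point, pass the PTR name of your egress address (socket.gethostbyaddr() gives the same answer PHP's gethostbyaddr() would) together with the User-Agent your tooling sends.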

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key


Richard Porter --- ISC Handler on Duty



Earlier this week on Monday 2016-11-14, I found an example of malicious spam (malspam) distributing Troldesh ransomware. Troldesh (also called Filecoder or Shade) was initially reported in 2015 [1, 2]. That same year, I documented two examples of Troldesh ransomware delivered through exploit kit campaigns [3, 4]. By July 2016, Microsoft reported a new variant of Troldesh [5], and that seems to be the variant I found on Monday.

This diary takes a closer look at this week's Troldesh infection in my lab environment.

The malspam

The emails I saw from this wave of malspam were disguised as an account change notification from Sberbank of Russia.

Shown above: Google translation of the Russian language text.

The malware

The URL from the email redirected to another URL leading to a file named document.zip. Within that zip archive is an executable file with an .scr file extension.

Shown above: Desktop of an infected Windows host.

Encrypted files all had .da_vinci_code as a file extension.

Shown above: Translation of the feedback form to English.

The traffic

The traffic is similar to what I saw from two Troldesh examples last year [3, 4]. This particular infection generated Tor traffic immediately after the ransomware was sent.

Shown above: Some of the alerts seen from the Snort ruleset.

Indicators of Compromise (IOCs)

The following are IOCs associated with this infection.

Link from the email and redirect URL to download the zip archive:

  • port 80 - www.hizlikiralikforklift.com - GET /wp-content/themes/nanocrea/document.html
  • port 80 - appitel.fr - GET /vcard/Philippe/rw_common/themes/affero/document.zip

Downloaded zip archive - file name: document.zip

  • SHA256 hash: 99d54e5c2e033d7703d9f449662bfcef1cb2ea0933dcfe0ca97e13e83cb9177b

Extracted malware - file name: _xls.scr

  • SHA256 hash: 749ed7d4fc97baa5e1068154fd642b23e9981f273fb18da2e02a8d925d7ca4d8

IP address check by the infected Windows host:

  • whatismyipaddress.com - GET /

Tor traffic using various domains, IP addresses, and TCP ports.

Final words

A copy of the infection traffic, associated email, malware, and artifacts can be found here.

Ultimately, Troldesh is one of the many families of malware we see from malspam on a near-daily basis. It remains profitable enough that criminals will not stop distributing it. We expect to find more samples of Troldesh and similar ransomware in the coming months.

Fortunately, best security practices will help prevent infections like the example in today's diary. A good email filtering system, properly administered Windows hosts, and an educated workforce mean users are much less likely to be infected.

Brad Duncan
brad [at] malware-traffic-analysis.net

[1] http://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/
[2] https://blogs.technet.microsoft.com/mmpc/2015/08/09/emerging-ransomware-troldesh/
[3] http://www.malware-traffic-analysis.net/2015/04/09/index.html
[4] http://www.malware-traffic-analysis.net/2015/09/18/index.html
[5] https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/


VMware published advisory VMSA-2016-0019 today, affecting VMware Workstation Pro / Player and VMware Fusion Pro / Fusion. The issue is located in the drag-and-drop feature, which is affected by an out-of-bounds memory access vulnerability.

We have not yet seen any active exploitation of this CVE. If you see something, please share it with us via our contact form.

More information at http://www.vmware.com/security/advisories/VMSA-2016-0019.html

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
e-mail: msantand at isc dot sans dot org
