There's a new vulnerability in town... The new bug, dubbed LogJam, is a cousin of FREAK. But it's in the basic design of TLS itself, meaning all Web browsers, and some email servers, are vulnerable. [1] According to the article, Internet-security experts crafted a fix for a previously undisclosed bug in security tools used by all modern Web browsers, but deploying the fix could break the Internet for thousands of websites.

Logjam attack can allow an attacker to significantly weaken the encrypted connection between a user and a Web or email server...

We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed...

We're starting to see news coverage from other outlets, and we're sure more analysis will emerge. However, at this time your best source for more information on this bug is weakdh.org.

For now, ensure you have the most recent version of your browser installed, and check for updates frequently. If you're a system administrator, please review the Guide to Deploying Diffie-Hellman for TLS at https://weakdh.org/sysadmin.html

Brad Duncan
ISC Handler and Security Researcher at Rackspace


[1] http://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565
[2] http://www.pcworld.com/article/2924532/new-encryption-flaw-logjam-puts-web-surfers-at-risk.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Yesterday, on 2015-05-19, I attended a meeting of my local chapter of the Information Systems Security Association (ISSA). During the meeting, one of the speakers discussed different levels of incident response by Security Operations Center (SOC) personnel. For non-targeted issues like botnet-based malicious spam (malspam) infecting a Windows host, you probably won't waste valuable time investigating every little detail. In most cases, you'll probably start the process to re-image the infected computer and move on. Other suspicious events await, and they might reveal a more serious, targeted threat.

However, we still collect information about these malspam campaigns. Traffic patterns evolve, and changes should be documented.

Today's example of malspam

Searching through my employer's blocked spam filters, I found the following Upatre/Dyre wave of malspam:

  • Date/Time: 2015-05-19 from 12:00 AM to 5:47 AM CST
  • Number of messages: 20
  • Sender (spoofed): [email protected]
  • Subject: eFax message from unknown

As shown in the above image, these messages were tailored for the recipients. You'll also notice some of the recipient email addresses contain random characters and numbers. Nothing new here. It's just one of the many waves of malspam our filters block every day. I reported a similar wave earlier this month [1]. Let

The attachment is a typical example of Upatre, much like we've seen before. Let's see what this malware does in a controlled environment.

Indicators of compromise (IOC)

I ran the malware on a physical host and generated the following traffic:

  • 2015-05-19 15:16:12 UTC - port 80 - icanhazip.com - GET /
  • 2015-05-19 15:16:13 UTC - port 13410 - SYN packet to server, no response
  • 2015-05-19 15:16:16 UTC - port 443 - two SYN packets to server, no response
  • 2015-05-19 15:16:58 UTC - port 443 - two SYN packets to server, no response
  • 2015-05-19 15:17:40 UTC - port 443 - SSL traffic - approx 510 KB sent from server to infected host
  • 2015-05-19 15:17:56 UTC - port 3478 - UDP STUN traffic to: stun.sipgate.net
  • 2015-05-19 15:17:58 UTC - port 443 - SSL traffic - approx 256 KB sent from server to infected host
  • 2015-05-19 15:18:40 UTC - port 13409 - SYN packet to server, no response

In my last post about Upatre/Dyre, we saw Upatre-style HTTP GET requests to but no HTTP response from the server [1]. That's been the case for quite some time now.
Shown above: Attempted TCP connections to the same IP address now reset (RST) by the server

How can we tell this is Upatre?

As I've mentioned before, icanhazip.com is a service run by one of my fellow Rackspace employees [2]. By itself, it's not malicious. Unfortunately, malware authors use this and similar services to check an infected computer's IP address.

What alerts trigger on this traffic?
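As an added example (not from the original diary), here is a small Python detector for the traffic sequence above, run over constructed flow records rather than the real pcap; the 10.0.0.x hosts, the 198.51.100.x servers and the five-minute window are assumptions.

```python
"""Flag hosts whose flows match the Upatre/Dyre sequence in the diary (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

IP_CHECK_SERVICES = {"icanhazip.com"}   # external-IP lookup the bot makes first
STUN_SERVERS = {"stun.sipgate.net"}     # UDP 3478 STUN seen after the SSL download
COMMON_TCP_PORTS = {80, 443, 8080}      # high ports outside this set count as "odd"
WINDOW = timedelta(minutes=5)           # assumed: indicators must follow the IP check within this

# Constructed flow records, not the diary's pcap: (timestamp UTC, src, proto, dst, dport).
FLOWS = [
    ("2015-05-19 15:16:12", "10.0.0.5", "tcp", "icanhazip.com", 80),
    ("2015-05-19 15:16:13", "10.0.0.5", "tcp", "198.51.100.7", 13410),
    ("2015-05-19 15:17:40", "10.0.0.5", "tcp", "198.51.100.7", 443),
    ("2015-05-19 15:17:56", "10.0.0.5", "udp", "stun.sipgate.net", 3478),
    ("2015-05-19 15:18:40", "10.0.0.5", "tcp", "198.51.100.9", 13409),
    ("2015-05-19 15:20:00", "10.0.0.8", "tcp", "icanhazip.com", 80),        # lone IP check
    ("2015-05-19 16:40:00", "10.0.0.9", "udp", "stun.sipgate.net", 3478),   # VoIP client
]

def classify(proto, dst, dport):
    """Map one flow to the indicator it contributes, or None if it is unremarkable."""
    if dst in IP_CHECK_SERVICES:
        return "ip_check"
    if proto == "udp" and dport == 3478 and dst in STUN_SERVERS:
        return "stun"
    if proto == "tcp" and dport > 1024 and dport not in COMMON_TCP_PORTS:
        return "odd_port"
    return None

def suspicious_hosts(flows):
    """Return {src: sorted indicators} for hosts that show ip_check, stun and odd_port
    within WINDOW of the IP check. A lone IP check or a lone STUN flow is not flagged."""
    by_src = defaultdict(list)
    for ts, src, proto, dst, dport in flows:
        tag = classify(proto, dst, dport)
        if tag:
            by_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), tag))
    hits = {}
    for src, events in by_src.items():
        for t0, tag in events:
            if tag != "ip_check":
                continue
            seen = {tg for t, tg in events if t0 <= t <= t0 + WINDOW}
            if seen >= {"ip_check", "stun", "odd_port"}:
                hits[src] = sorted(seen)
                break
    return hits

if __name__ == "__main__":
    print(suspicious_hosts(FLOWS))   # {'10.0.0.5': ['ip_check', 'odd_port', 'stun']}
```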

Related files on the infected host include:

  • C:\Users\username\AppData\Local\PwTwUwWTWcqBhWG.exe (Dyre)
  • C:\Users\username\AppData\Local\ne9bzef6m8.dll
  • C:\Users\username\AppData\Local\Temp\~TP95D5.tmp (encrypted or otherwise obfuscated)
  • C:\Users\username\AppData\Local\Temp\Jinhoteb.exe (where Upatre copied itself after it was run)

Some Windows registry changes for persistence:

  • Key name: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • Key name: HKEY_USERS\S-1-5-21-52162474-342682794-3533990878-1000\Software\Microsoft\Windows\CurrentVersion\Run
  • Value name: GoogleUpdate
  • Value type: REG_SZ
  • Value data: C:\Users\username\AppData\Local\PwTwUwWTWcqBhWG.exe

A pcap of the infection traffic is available at:

A zip file of the associated Upatre/Dyre malware is available at:

The zip file is password-protected with the standard password. If you don't know it, email [email protected] and ask.

Final words

This was yet another wave of Upatre/Dyre malspam. No real surprises, but it's always interesting to note the small changes from these campaigns.

Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic


[1] https://isc.sans.edu/diary/UpatreDyre+the+daily+grind+of+botnetbased+malspam/19657
[2] https://major.io/icanhazip-com-faq


Yes, there is a security patch for the Apple Watch now. It fixes 13 different vulnerabilities. At least one of the vulnerabilities (CVE-2015-1093) can be used to execute arbitrary code. But not all of the vulnerabilities are cutting edge. We also got an ICMP redirect issue (CVE-2015-1103) and of course SSL issues that are addressed by disabling old ciphers (FREAK vulnerability) and updating the list of trusted CAs.

The Internet of Things certainly gets a lot of attention this year, and I think rightfully so. I consider web gateways/routers a prime example, and just to make that point, here are the top 10 attacks against our web application honeypot:

25700 GET / HTTP/1.1\r\n
10596 GET http
9059 GET /cgi-bin/authLogin.cgi HTTP/1.1\n - QNAP shellshock issue
6771 GET /phpMyAdmin/scripts/setup.php HTTP/1.1\r\n
6638 GET /pma/scripts/setup.php HTTP/1.1\r\n
6511 GET /myadmin/scripts/setup.php HTTP/1.1\r\n
4297 GET /manager/html HTTP/1.1\r\n
3939 GET /manager/html/ HTTP/1.1\r\n
3672 GET /tmUnblock.cgi HTTP/1.1\r\n - Linksys Routers (see Moon Worm)
2820 GET /pony/includes/templates/error.tpl HTTP/1.1\r\n

Two of our top ten URLs are exclusively attacking devices. So make sure you are patched as well as it gets, and try to avoid exposing the admin interface to the public.
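To turn raw honeypot or web server logs into a table like the one above and mark the device-targeting probes, here is an added Python example (not the ISC honeypot's own code); it assumes Apache/nginx combined log format and uses constructed sample lines.

```python
"""Rank request lines in a web log and tag the device-targeting probes (added example)."""
import re
from collections import Counter

# Combined log format; only the quoted request line and the source address matter here.
REQUEST_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \d+')

# Request lines from the diary's top ten that target devices rather than web applications.
DEVICE_PROBES = {
    "GET /cgi-bin/authLogin.cgi HTTP/1.1": "QNAP shellshock",
    "GET /tmUnblock.cgi HTTP/1.1": "Linksys Moon worm",
}

# Constructed sample lines, not the honeypot's real log (documentation-range addresses).
SAMPLE_LOG = """\
203.0.113.4 - - [19/May/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.4 - - [19/May/2015:10:00:02 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 210
198.51.100.9 - - [19/May/2015:10:00:03 +0000] "GET /tmUnblock.cgi HTTP/1.1" 404 210
198.51.100.9 - - [19/May/2015:10:00:04 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 210
203.0.113.4 - - [19/May/2015:10:00:05 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 210
garbage line that does not parse
"""

def request_counts(log_text):
    """Count each distinct request line; lines that do not parse are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def top_requests(log_text, n=10):
    """Return [(count, request_line, tag)] like the diary's table, tag set for
    device-targeting probes and empty otherwise."""
    return [(c, req, DEVICE_PROBES.get(req, ""))
            for req, c in request_counts(log_text).most_common(n)]

def device_probe_sources(log_text):
    """Source addresses that sent any device-targeting probe, for review or blocking."""
    srcs = set()
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and m.group(1) in DEVICE_PROBES:
            srcs.add(line.split()[0])
    return sorted(srcs)
```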

Johannes B. Ullrich, Ph.D.


Thanks to Xavier for bringing this to our attention. It looks like a couple of days ago, a legitimate Microsoft host name, settings-win.data.microsoft.com, started to resolve to a Microsoft IP that is commonly used for blackholes that Microsoft operates:

$ host settings-win.data.microsoft.com
settings-win.data.microsoft.com is an alias for settings.data.glbdns2.microsoft.com.
settings.data.glbdns2.microsoft.com is an alias for blackhole6.glbdns2.microsoft.com.
blackhole6.glbdns2.microsoft.com has address

Connecting to a blackhole IP like this is often an indicator of compromise, and many IDS rule sets alert on it, for example:

[**] [1:2016101:2] ET TROJAN DNS Reply Sinkhole - Microsoft - [**] [Classification: A Network Trojan was detected] [Priority: 1] ...

It is not yet clear what process causes the connection to this IP on port 443, but a number of other users are reporting similar issues. For example, see here:


At this point, I am assuming that this is some kind of configuration error at Microsoft.

Johannes B. Ullrich, Ph.D.
