Information Security News
Theres a new vulnerability in town... The new bug, dubbed LogJam, is a cousin of Freak. But its in the basic design of TLS itself, meaning all Web browsers, and some email servers, are vulnerable.  According to the article, Internet-security experts crafted a fix for a previously undisclosed bug in security tools used by all modern Web browsers. But deploying the fix could break the Internet for thousands of websites.
Logjam attack can allow an attacker to significantly weaken the encrypted connection between a user and a Web or email server...">We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed...
Were starting to see news coverage from other outlets, and were sure more analysis will emerge. However, at this time your best source for more information on this bug is at weakdh.org.
For now, ensure you have the most recent version of your browser installed, and check for updates frequently. If youre a system administrator, please review the Guide to Deploying Diffie-Hellman for TLS at https://weakdh.org/sysadmin.html
ISC Handler and Security Researcher at Rackspace
Yesterday on 2015-05-19, I attended a meeting from my local chapter of the Information Systems Security Association (ISSA). During the meeting, one of the speakers discussed different levels of incident response by Security Operations Center (SOC) personnel. For non-targeted issues like botnet-based malicious spam (malspam) infecting a Windows host, you probably wont waste valuable time investigating every little detail. In most cases, youll probably start the process to re-image the infected computer and move on. Other suspicious events await, and they might reveal a more serious, targeted threat.
However, we still recover information about these malspam campaigns. Traffic patterns evolve, and changes should be documented.
Todays example of malspam
Searching through my employers blocked spam filters, I found the following Upatre/Dyre wave of malspam:
As shown in the above image, these messages were tailored for the recipients. Youll also notice some of the recipient email addresses contain random characters and numbers. Nothing new here. Its just one of the many waves of malspam our filters block every day. I reported a similar wave earlier this month . Let" />
The attachment is a typical example of Upatre, much like weve seen before. Lets see what this malware does in a controlled environment.
Indicators of compromise (IOC)
I ran the malware on a physical host and generated the following traffic:
In my last post about Upatre/Dyre, we saw Upatre-style HTTP GET requests to 126.96.36.199 but no HTTP response from the server . Thats been the case for quite some time now." />
Shown above: Attempted TCP connections to the same IP address now reset (RST) by the server
How can we tell this is Upatre?" />
As Ive mentioned before, icanhazip.com is a service run by one of my fellow Rackspace employees . By itself, its not malicious. Unfortunately, malware authors use this and similar services to check an infected computers IP address.
What alerts trigger on this traffic?" />
Related files on the infected host include:
Some Windows registry changes for persistence:
A pcap of the infection traffic is available at:
A zip file of the associated Upatre/Dyre malware is available at:
The zip file is password-protected with the standard password. If you dont know it, email [email protected] and ask.
This was yet another wave of Upatre/Dyre malspam. No real surprises, but its always interesting to note the small changes from these campaigns.
Yes, there is a security patch for the Apple Watch now. It fixes 13 different vulnerabilities. At least one of the vulnerabilities (CVE-2015-1093) can be used to execute arbitrary code. But not all of the vulnerabilities are cutting edge. We also got an ICMP redirect issue (CVE-2015-1103) and of course SSL issues that are addressed by disabling old ciphers (FREAK vulnerability) and updating the list of trusted CAs.
The Internet of Things certainly does get a lot of attention this year, and I think rightfully so. I consider web gateways/routers a prime example, and just to make that point, here the top 10 attacks against our web application honeypot:
25700 GET / HTTP/1.1\r\n
10596 GET http
9059 ">GET /cgi-bin/authLogin.cgi HTTP/1.1\n - QNAPshellshock issue
6771 GET /phpMyAdmin/scripts/setup.php HTTP/1.1\r\n
6638 GET /pma/scripts/setup.php HTTP/1.1\r\n
6511 GET /myadmin/scripts/setup.php HTTP/1.1\r\n
4297 GET /manager/html HTTP/1.1\r\n
3939 GET /manager/html/ HTTP/1.1\r\n
3672 ">GET /tmUnblock.cgi HTTP/1.1\r\n - Linksys Routers (see Moon Worm)
2820 GET /pony/includes/templates/error.tpl HTTP/1.1\r\n
Two of our top ten URLs are attacking exclusively devices. So better make sure you are patched as well as it gets, and try to avoid exposing the admin interface to the public.
Thanks to Xavier for bringing this to our attention. It looks a couple of days ago, a legitimate Microsoft host name, settings-win.data.microsoft.com started to resolve to a Microsoft IP that is commonly used for blackholes that Microsoft operates:
$ host settings-win.data.microsoft.comsettings-win.data.microsoft.com is an alias for settings.data.glbdns2.microsoft.com.settings.data.glbdns2.microsoft.com is an alias for blackhole6.glbdns2.microsoft.com.blackhole6.glbdns2.microsoft.com has address 188.8.131.52
Connecting to a blackhole IP like this is often an indicator of compromise, and many IDS">[**] [1:2016101:2] ET TROJAN DNS Reply Sinkhole - Microsoft - 184.108.40.206/24 [**] [Classification: A Network Trojan was detected] [Priority: 1] ...
It is not yet clear what process causes the connect to this IP on port 443. But a number of other users are reporting similar issues. For example, see here:
At this point, I am assuming that this is some kind of configuration error at Microsoft.