Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Introduction

In the past few days, we've seen Nuclear and Angler exploit kits (EKs) delivering malware identified as Necurs. It certainly isn't the only payload sent from Nuclear and other EKs, but I hadn't really looked into EK traffic sending Necurs lately.

Documented as early as 2012, Necurs is a type of malware that opens a back door on the infected computer [1]. It may also disable antivirus products as well as download additional malware [1][2].

I saw Necurs as a malware payload from Nuclear and Angler EKs last week [3][4]. In each case, traffic went through a gate on 185.14.30.218 (between the compromised website and the EK landing page).

We ran across Nuclear EK delivering Necurs again on 2015-05-20. In this example, the gate was on 91.121.63.249.

I can however, we can look at the rest of the traffic.

Infection traffic details

Associated domains:

 

As companies continue to beat the Internet of Things drum, promoting a world where every device is smart and anything electronic is network connected, we have some news that shows just what a horrible idea this really is. A security firm has found that a Linux kernel driver called NetUSB contains an amateurish error that can be exploited by hackers to remotely compromise any device running the driver. The driver is commonly found in home routers, and while some offer the ability to disable it, others do not appear to do so.

NetUSB is developed by Taiwanese company KCodes. The purpose of the driver is to allow PCs and Macs to connect to USB devices over a network, so that these devices can be shared just by plugging them into a Wi-Fi router or similar. To do this, a driver is needed at each end; a client driver on the PC or Mac, and a server driver on the router itself.

This router-side driver listens to connections on TCP port 20005, and it's this driver that contains a major security flaw. SEC Consult Vulnerability Lab, which publicised the problem, discovered that the Linux driver contains a simple buffer overflow. As part of the communication between client and server, the client sends the name of the client computer; if this name is longer than 64 bytes, the buffer overflows. The company says that this overflow can be exploited to enable both denial of service (crashing the router), and remote code execution.
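The defect class described above (a client-supplied name copied into a fixed 64-byte buffer without a bound check) next to its length-checked replacement, as an added illustration that is not KCodes' NetUSB code. The wire format (a 4-byte big-endian length followed by the name bytes) and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format (assumption, not the real NetUSB protocol):
 * 4-byte big-endian length, then that many name bytes. The server stores
 * the name in a 64-byte buffer, as in the bug described above. */
#define NAME_BUF 64

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: the client-supplied length is trusted, so a name
 * longer than the buffer writes past the end of `name`. Shown for
 * contrast only; never call it on untrusted input. */
static int read_name_unchecked(const uint8_t *msg, char name[NAME_BUF])
{
    uint32_t n = be32(msg);
    memcpy(name, msg + 4, n);   /* no bound on n: overflow when n > 64 */
    name[n] = '\0';             /* even n == 64 writes one byte too far */
    return (int)n;
}

/* Hardened version: validate the length against both the bytes that
 * actually arrived and the destination buffer before copying.
 * Returns the name length, or -1 if the message is rejected. */
static int read_name_checked(const uint8_t *msg, size_t msg_len,
                             char name[NAME_BUF])
{
    if (msg_len < 4)
        return -1;                       /* truncated header */
    uint32_t n = be32(msg);
    if (n >= NAME_BUF)                   /* leave room for the terminator */
        return -1;
    if (n > msg_len - 4)                 /* length claims more than was sent */
        return -1;
    memcpy(name, msg + 4, n);
    name[n] = '\0';
    return (int)n;
}

/* Builds a constructed test message of n 'A' bytes into buf (>= 4 + n). */
static size_t make_msg(uint8_t *buf, uint32_t n)
{
    buf[0] = (uint8_t)(n >> 24); buf[1] = (uint8_t)(n >> 16);
    buf[2] = (uint8_t)(n >> 8);  buf[3] = (uint8_t)n;
    memset(buf + 4, 'A', n);
    return 4 + n;
}
```

The hardened parser rejects both a name that would not fit the buffer and a length field that claims more bytes than the message actually carries, which is the second check a network-facing driver needs.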


 
OpenSSL '/evp/encode.c' Remote Memory Corruption Vulnerability
 
OpenSSL CVE-2015-0209 Remote Memory Corruption Vulnerability
 
OpenSSL CVE-2015-0288 Denial of Service Vulnerability
 

(ISC)2 Unveils Government Infosec Winners
Infosecurity Magazine
A judging committee of senior information security experts from (ISC)2's U.S. Government Advisory Council (USGAC) and industry assessed individual and team achievements of a select group of nominees and awarded GISLAs in seven distinct categories.

 
Linux Kernel 'btrfs/ctree.c' Local Privilege Escalation Vulnerability
 
[security bulletin] HPSBUX03334 SSRT102000 rev.1 - HP-UX Running OpenSSL, Remote Denial of Service (DoS) and Other Vulnerabilities
 
[security bulletin] HPSBUX03333 SSRT102029 rev.1 - HP-UX Running NTP, Remote Denial of Service (DoS), or Other Vulnerabilities
 
ProFTPD CVE-2015-3306 Information Disclosure Vulnerabilities
 
Stored XSS in WP Photo Album Plus WordPress Plugin
 
Eisbär SCADA (All Versions - iOS, Android & W8) - Persistent UI Vulnerability
 
The community of the future will solve problems using machines linked and coordinated by Internet-style networks. For a glimpse of this exciting future as it arrives, visit the Global Cities Teams Challenge Expo on June 1, 2015, at the ...
 
[SECURITY] [DSA 3265-1] zendframework security update
 
Staff FTP v3.04 Software - DLL Hijacking Vulnerability
 
HiDisk 2.4 iOS - (currentFolderPath) Persistent Vulnerability
 
[SECURITY] [DSA 3263-1] proftpd-dfsg security update
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: fixes CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process. dovecot updated to 2.2.16:
- auth: Don't crash if master user login is attempted without any configured master=yes passdbs
- Parsing UTF-8 text for mails could have caused broken results sometimes if buffering was split in the middle of a UTF-8 character. This affected at least searching messages.
- String sanitization for some logged output wasn't done properly: UTF-8 text could have been truncated wrongly or the truncation may not have happened at all.
- fts-lucene: Lookups from virtual mailbox consisting of over 32 physical mailboxes could have caused crashes.
 
LinuxSecurity.com: Update to new upstream.
 
LinuxSecurity.com: Update to new upstream.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: The system could be made to crash if it received specially crafted network traffic.
 
LinuxSecurity.com: Security Report Summary
 
[security bulletin] HPSBGN03286 rev.1 - HP LoadRunner, Buffer Overflow
 
[SECURITY] [DSA 3264-1] icedove security update
 

Tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services are vulnerable to a new attack that lets eavesdroppers read and modify data passing through encrypted connections, a team of computer scientists has found.

The vulnerability affects an estimated 8.4 percent of the top one million websites and a slightly bigger percentage of mail servers populating the IPv4 address space, the researchers said. The threat stems from a flaw in the transport layer security protocol that websites and mail servers use to establish encrypted connections with end users. The new attack, which its creators have dubbed Logjam, can be exploited against a subset of servers that support the widely used Diffie-Hellman key exchange, which allows two parties that have never met before to negotiate a secret key even though they're communicating over an unsecured, public channel.

The weakness is the result of export restrictions the US government mandated in the 1990s on US developers who wanted their software to be used abroad. The regime was established by the Clinton administration so the FBI and other agencies could break the encryption used by foreign entities. Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties.

