Information Security News
In the past few days, weve seenNuclear and Anglerexploit kits (EKs) deliveringmalware identified as Necurs. It certainly isntthe only payload sentfrom Nuclear and otherEKs, but I hadnt really looked into EK traffic sending Necurs lately.
We ranacross Nuclear EK delivering Necurs again on 2015-05-20. In this example, the gate was on 18.104.22.168.
I can however, we can look at the rest of thetraffic.
Infection traffic details
Preliminary malware analysis
Malware payload delivered by the Nuclear exploit kit (Necurs)
Additional malware found on the infected host (Necurs-related):
Some of the registry keys for persistence:
A pcap of the infection traffic is available at:
A zip file of the associated Upatre/Dyre malware is available at:
The zip file is password-protected with the standard password. If you dont know it, email [email protected] and ask.
by Peter Bright
As companies continue to beat the Internet of Things drum, promoting a world when every device is smart, and anything electronic is network connected, we have some news that shows just what a horrible idea this really is. A security firm has found that a Linux kernel driver called NetUSB contains an amateurish error that can be exploited by hackers to remotely compromise any device running the driver. The driver is commonly found in home routers, and while some offer the ability to disable it, others do not appear to do so.
NetUSB is developed by Taiwanese company KCodes. The purpose of the driver is to allow PCs and Macs to connect to USB devices over a network, so that these devices can be shared just by plugging them into a Wi-Fi router or similar. To do this, a driver is needed at each end; a client driver on the PC or Mac, and a server driver on the router itself.
This router-side driver listens to connections on TCP port 20005, and it's this driver that contains a major security flaw. SEC Consult Vulnerability Lab, which publicised the problem, discovered that the Linux driver contains a simple buffer overflow. As part of the communication between client and server, the client sends the name of the client computer; if this name is longer than 64 bytes, the buffer overflows. The company says that this overflow can be exploited to enable both denial of service (crashing the router), and remote code execution.
(ISC)2 Unveils Government Infosec Winners
A judging committee of senior information security experts from (ISC)2's U.S. Government Advisory Council (USGAC) and industry assessed individual and team achievements of a select group of nominees and awarded GISLAs in seven distinct categories.
Tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services are vulnerable to a new attack that lets eavesdroppers read and modify data passing through encrypted connections, a team of computer scientists has found.
The vulnerability affects an estimated 8.4 percent of the top one million websites and a slightly bigger percentage of mail servers populating the IPv4 address space, the researchers said. The threat stems from a flaw in the transport layer security protocol that websites and mail servers use to establish encrypted connections with end users. The new attack, which its creators have dubbed Logjam, can be exploited against a subset of servers that support the widely used Diffie-Hellman key exchange, which allows two parties that have never met before to negotiate a secret key even though they're communicating over an unsecured, public channel.
The weakness is the result of export restrictions the US government mandated in the 1990s on US developers who wanted their software to be used abroad. The regime was established by the Clinton administration so the FBI and other agencies could break the encryption used by foreign entities. Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties.