Chris Mohan --- Internet Storm Center Handler on Duty
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Hewlett-Packard's first low-power server for hyperscale computing environments, developed under a project it calls Moonshot, will go on sale next quarter, CEO Meg Whitman said on Thursday.
Large desktop workstations often have more than enough screen real-estate: One or two 24-inch monitors afford plenty of room for a mission-critical application, plus several chat or email windows alongside. But if you're a laptop user squeaking by with a single 15-inch monitor (or perhaps something even smaller), a virtual desktop might be the next best thing to an extra monitor. Dexpot (25 Euros, which is $33 on 2/21/12; free for personal use) is a great way to get yourself one. Or five.
Websites affiliated with U.S. broadcaster NBC were hacked for several hours on Thursday, serving up malicious software intended to steal bank account details.
Hewlett-Packard's CEO has dismissed persistent rumors that the company might break itself up in a move that could create more value for shareholders.
Multiple OpenStack Products Information Disclosure and Denial of Service Vulnerabilities
Hewlett-Packard reported a drop in profit for the last quarter as printer and PC sales both declined, but said cost-cutting measures the company announced last year are starting to pay off.
Google has launched fee-based support services for customers of its cloud platform and infrastructure products, like App Engine, Compute Engine, Cloud Storage and Big Query.
Attackers are using fake versions of a recently released report about a Chinese cyberespionage group as bait in new spear-phishing attacks that target Japanese and Chinese users.
Facebook's engineers have many challenges ahead of them as they work to scale up Graph Search, the site's new social search tool. One stumbling block: an over-abundance of data to sift through.
Red Hat CloudForms Multiple Insecure File Permissions and Security Bypass Vulnerabilities
Oracle Database Server CVE-2012-1751 SQL Injection Vulnerability
RDoc CVE-2013-0256 Cross Site Scripting Vulnerability

If you've been keeping up with the world of information security this week, you are probably a bit overwhelmed.

Lots of important patches were released in recent days, as we outlined in the Update Palooza diary, including Java and Adobe Reader and Acrobat updates. We saw instances of SSHD servers compromised and are still unsure of the attack vector. High-profile sites, such as NBC and EDUCAUSE, were breached. There has been lots of talk of targeted attacks, especially after the release of Mandiant's APT report and its subsequent misuse. And this is just a set of items reported here at ISC.

What, if anything, should we be doing now that we weren't doing a week ago? One possible piece of advice is to stay vigilant: be careful what attachments you open and which links you click on. Unfortunately, that is not very practical advice, though one that is hard to resist offering. Perhaps more practical advice is to remind you to pay attention to logs and IDS alerts, spotting incidents and responding to them in a prioritized manner. Also, please take a careful look at the vulnerability posture of systems in your organization. Examine the patches that were recently released. If you've been waiting to push out those updates, especially if they patch client-side applications, now is a good time to focus on that task.

It's a dangerous web out there. But you already knew that, didn't you?

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.
Oracle has laid out in detail how it intends to compete with the likes of Salesforce.com in the highly competitive arena for next-generation marketing software.
Google on Thursday took the wraps off the Chromebook Pixel, a touch-screen-enabled laptop.
Twitter has implemented DMARC, a standard for preventing email spoofing, in order to make it harder for attackers to send phishing emails that appear to come from twitter.com addresses.

There are a lot of discussions at the moment about an SSHD rootkit hitting mainly RPM-based Linux distributions.

Thanks to our reader unSpawn, we received a bunch of samples of the rootkit. The rootkit is actually a trojanized library that links with SSHD and does *a lot* of nasty things to the system.

At this point in time we still do not know what the initial attack vector is; it is unknown how the attackers get the root access on the compromised servers that is needed to replace the legitimate libkeyutils library with a trojanized one. We are, of course, keeping an eye on the development and will post a new diary or update this one if we receive more information about the attack vectors.

The trojanized library is very, very nasty. Upon execution it performs a number of actions, as described below.

The code first deobfuscates the text strings needed for it to work. The original text is only XORed, so this is very easy to retrieve, and the deobfuscated strings have already been posted on a lot of sites.

Once that has been done, the library sets up everything needed for it to work. It resolves symbols for the following functions which are used later: PEM_write_RSAPrivateKey, PEM_write_DSAPrivateKey, MD5_Init, MD5_Update, and MD5_Final. As you can already see, it is definitely messing with the authentication mechanism.

Besides resolving the symbols, the library also hooks the following functions: pam_authenticate, pam_start and crypt, as well as audit_log_user_message and audit_log_acct_message. By hooking these functions, the rootkit can modify the flow of the SSHD. As you can see, this is a user-mode rootkit, as it does not affect the kernel.

The main activity of the rootkit consists of collecting the credentials of authenticated users. Notice that the rootkit can steal username and password pairs as well as RSA and DSA private keys, so no matter which authentication mechanism you use, if the target host is infected it will successfully steal your information. The hooking of the audit_log* functions was done to allow the attacker to stay as low profile as possible: if the attacker uses the hardcoded backdoor password to issue any commands to the rootkit, no logs will be created.

The current version of the rootkit supports three commands: Xver, Xcat and Xbnd. The first command just prints the rootkit; the Xcat commands print the collected information back in the session for the attacker, while the Xbnd command allows the attacker to set up a listener.

Besides this, the rootkit can automatically send collected credentials to the attacker. In order to do this, the rootkit has a DGA (Domain Generation Algorithm) implemented that will create random-looking domain names in the .biz, .info and .net domains (in that order). It will then send a DNS packet containing collected credentials to the target IP address, if it was able to resolve it (meaning the attacker has registered that day's domain). If no domains have been resolved, the DNS packet is sent to the hard-coded IP address, which in all samples we received was

The rootkit itself looks very similar to the Ebury trojan which was detected back in 2011. In fact, I'm pretty sure that a lot of the code has been directly copied; however, the Ebury trojan patched the whole SSHD and required the attacker to change it.

This was easier to detect and prone to being overwritten with patching. The libkeyutils library, which comes as part of the keyutils-libs package, is not changed that often, so the chance of it being overwritten automatically is much lower.

If you run an RPM-based system you can check the integrity of the file with the rpm command:

    # rpm -Vv keyutils-libs-1.2-1.el5
    ........ /lib/libkeyutils-1.2.so
    S.5..... /lib/libkeyutils.so.1
    ........ /usr/share/doc/keyutils-libs-1.2
    ........ d /usr/share/doc/keyutils-libs-1.2/LICENCE.LGPL

This will check a lot of things, the most important being the MD5 checksum, so if you see output like the one above, you have a trojanized library. Proper output should have all (and only) dots. Keep in mind that RPM's verification, of course, depends on the integrity of its database and the kernel itself.
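
To triage that verify output across many packages or hosts, the following added example (not part of the original diary) reads rpm verify output, decodes the attribute flags per file and exits non-zero when a digest mismatch or a missing file is present. The function names are hypothetical; the flag letters are those documented in rpm(8), and the sample input is the output shown above.

```shell
#!/bin/sh
# Added example: triage `rpm -V` / `rpm -Vv` output for modified files.
# Typical use:  rpm -V keyutils-libs | triage_rpm_verify

# Sample input: the verify output shown in the diary.
sample_verify_output() {
cat <<'EOF'
........ /lib/libkeyutils-1.2.so
S.5..... /lib/libkeyutils.so.1
........ /usr/share/doc/keyutils-libs-1.2
........ d /usr/share/doc/keyutils-libs-1.2/LICENCE.LGPL
EOF
}

# Reads rpm verify output on stdin and prints "path<TAB>reason,reason"
# for every file that differs from the RPM database.
# Exit status is 1 if any file has a digest mismatch ("5") or is missing.
triage_rpm_verify() {
  awk '
    BEGIN {
      bad = 0
      why["S"] = "size";    why["M"] = "mode";  why["5"] = "digest"
      why["D"] = "device";  why["L"] = "symlink"
      why["U"] = "owner";   why["G"] = "group"; why["T"] = "mtime"
      why["P"] = "capabilities"
    }
    # A file recorded in the database but absent from disk.
    $1 == "missing" { print $NF "\tmissing"; bad = 1; next }
    # Skip anything whose first field is not an attribute string
    # (for example the echoed command line or rpm warnings).
    $1 !~ /^[.?SM5DLUGTP]+$/ { next }
    # All dots: every test passed, the file matches the database.
    $1 ~ /^\.+$/ { next }
    {
      reasons = ""
      for (i = 1; i <= length($1); i++) {
        c = substr($1, i, 1)
        if (c == ".") continue
        r = (c == "?") ? "unreadable" : why[c]
        reasons = reasons (reasons == "" ? "" : ",") r
      }
      # A changed digest means the file content itself was altered.
      if (index($1, "5")) bad = 1
      print $NF "\t" reasons
    }
    END { exit bad }
  '
}
```

Run it over a whole system with `rpm -Va | triage_rpm_verify`; an empty result only says the files match the RPM database, which must itself be trustworthy.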

We will keep an eye on the development and will update the diary accordingly. If you have samples or more information, especially on what the initial attack vector is, please let us know.

I'd like to thank unSpawn again for supporting the SANS ISC.


Bojan (@bojanz)

ISC BIND 9 DNS64 CVE-2012-5689 Remote Denial of Service Vulnerability
If Apple ever makes some kind of "iWatch" wearable device, how the company positions the device will tell a lot about where it's going.

Arxan to Speak at AGC's 9th Annual West Coast InfoSec and Technology Growth ...
Marketwire (press release)
BETHESDA, MD--(Marketwire - Feb 21, 2013) - Arxan Technologies, the leading provider of software security solutions that protects the global App Economy, announced today its Vice President of Business Development Jukka Alanen, will be a featured ...
Netronome CEO to Speak at America's Growth Capital 9th Annual West Coast ...Fort Mills Times


On the heels of Mandiant's report APT1: Exposing One of China's Cyber Espionage Units, attackers are circulating malicious versions of the PDF document. It's a clever social engineering scheme that can be used for the types of attacks that Mandiant's report described.

Symantec discovered targeted attacks using the report as bait in an attempt to infect those who might be interested in reading it. According to Symantec, the fake report was distributed as an email attachment named Mandiant.pdf and targeted the CVE-2013-0641 vulnerability in Adobe Reader and Acrobat.

Brandon Dixon came across another malicious PDF file that seemed to follow a similar meme and was named Mandiant_APT2_Report.pdf. According to Brandon, the malicious PDF file was distributed in a password-protected PDF file. The file infected the system with malware and displayed to the victim the original Mandiant APT1 report.

These incidents illustrate how quickly and cleverly the attackers can devise social engineering schemes to target victims in specific organizations, sectors or professions. The audience of Mandiant's original report is likely of interest to the types of attackers that the report profiled.

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.
Software patents, facing new scrutiny in the U.S., drive innovation and protect huge investments by developers, representatives of software companies said during a Capitol Hill briefing.
Silent Circle, a startup company that provides encrypted mobile communication services, released a new version of its Silent Text app for iOS that allows users to exchange encrypted files at the push of a button. The files can be set to self-destruct.
Shaw reviews Verizon's Jetpack 4G LTE Mobile Hotspot MiFi 5510L.
Google put out a call for people to test drive its upcoming Glass wearable computers and is getting a lot of ideas for how to use them, as well as a lot of snark.
Thanks to the influx of mainland tourists, Hong Kong's retail industry has experienced unprecedented growth in the past few years. The Hong Kong Census and Statistic Department shows the city's retail sales in the first 11 months of 2012 reached HK$399 billion, a 9.9% growth from the previous year.
Our LinkedIn guide delivers expert advice on the site's features, step-by-step how-to instructions, details on its apps and proper LinkedIn etiquette. Also included: tips and tricks for your job search and company analysis.

We became aware that the NBC[.]com website is redirecting to malicious websites that contain an exploit kit.

At this point it seems like most of the pages contain an iframe that is redirecting to the first stage of the RedKit exploit kit.

Some Twitter users are already pointing out some of these bad pages.

Some of the publicly known bad iframes are:




The Redkit exploit kit will deploy the banking trojan Citadel.

We will update this diary when more info becomes available.


Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure
A patent application filed by Google last year provides a detailed look at some of the metrics the company considers when ranking news stories and deciding how prominently to display them on its Google News page.
Ruby on Rails CVE-2013-0276 Remote Security Bypass Vulnerability
TeamSHATTER Security Advisory: Oracle 11g Stealth Password Cracking Vulnerability (CVE-2012-3137)
TeamSHATTER Security Advisory: SQL Injection in Oracle Alter FBA Table (CVE-2012-1751)
[security bulletin] HPSBMU02836 SSRT101056 rev.1 - HP ArcSight Connector Appliance and ArcSight Logger, Remote Disclosure of Information, Command Injection, Cross-Site Scripting (XSS)
Re: Alt-N MDaemon Email Body HTML/JS Injection Vulnerability
Xen Linux PCI Backend Drivers Local Denial of Service Vulnerability
Ruby on Rails CVE-2013-0277 Remote Code Execution Vulnerability


Ireland to promote infosec expertise at RSA 2013 event
Industry observers said private-sector security spending is also set to increase and Griffith said this will create opportunities for nimble, focused infosec providers. “The role of smaller vendors is becoming very prominent. Some systems integrators ...

Microsoft is wielding the big stick of dramatically higher custom support costs as it pushes enterprises to abandon the 11-year-old Windows XP.
Before Jonathan Trull took over as Chief Information Security Office for the state of Colorado in 2012, he had already been working in the Colorado Office of the State Auditor for a decade. As the Deputy State Auditor, he was responsible for overseeing annual audits of the state's systems.
Forget the ThinkPad, IBM is now all about MobileFirst.
ZoneMinder 'view' Parameter Local File Include Vulnerability
Jenkins Cross-Site Scripting, Security Bypass, and Denial of Service Vulnerabilities
ibacm Denial of Service And Insecure File Permissions Vulnerabilities
LG Electronics launched the Optimus F5 and Optimus F7 smartphones, which will bring LTE to a "mass audience."
With the release of version 7.3 of NetBeans, Oracle has updated the integrated developer environment so Java developers can more easily build rich HTML5-based user interfaces for their mobile and Web applications.
They are probably the biggest cellphone makers most people have never heard of. Despite ranking third and fourth in the global smartphone market in the fourth quarter, mention Huawei and ZTE to many Americans or Europeans and you're likely to be met with a blank stare.
Linux Kernel CVE-2013-0311 Denial Of Service Vulnerability
Linux Kernel CVE-2013-0309 Local Denial of Service Vulnerability
Linux Kernel CVE-2013-0310 NULL Pointer Dereference Denial of Service Vulnerability
Samsung has announced a new service that will make searching for movies and shows easier on TV, smartphones and tablets.
VCE Thursday announced the addition of two low-end models to its Vblock line of pre-configured, cloud computing systems.
Oracle is moving 130 manufacturing jobs from Mexico to Oregon, a company spokeswoman said.
Apache 'mod_negotiation' HTML Injection and HTTP Response Splitting Vulnerability
Apache HTTP Server 'mod_proxy_ajp' Module Denial Of Service Vulnerability
Some major computer makers are pushing Office 365 with their new PCs, but others have stuck with a more traditional bundling tactic of including a factory-installed, single-license trial.
Some companies are going whole-hog with mobile apps, including for some core line-of-business functions.
Wesley McGrew, a research assistant at Mississippi State University, may be among the few people thrilled with the latest grim report into a years-long hacking campaign against dozens of U.S. companies and organizations.
Oracle is moving 130 manufacturing jobs from Mexico to Oregon in the U.S., a company spokeswoman said.
Apache Commons HttpClient CVE-2012-5783 SSL Certificate Validation Security Bypass Vulnerability

Technology analysis: How easy are infosec products to use?
SC Magazine UK
Yet the innate complications of infosec can have negative effects: employees might stop bringing their own devices to work if the kit is made significantly harder to use as a result of security; fed up with attempts to block or restrict their access ...

Gas prices may be rising, federal sequestration looming, and perhaps another meteor will strike. Bad things are happening, but not so much to Software as a Service providers.
Just a week after multiple critical holes were confirmed, new versions of Adobe Reader and Acrobat have become available for the supported Windows, Mac OS X and Linux platforms

Drupal Banckle Chat Module Access Bypass Vulnerability
Drupal Core Image Derivatives Denial of Service Vulnerability
Drupal Ubercart Views and Ubercart Modules 'full name' field HTML Injection Vulnerability
Drupal Menu Reference Module HTML Injection Vulnerability
Forget the ThinkPad, IBM is now all about ThinkMobile.

Posted by InfoSec News on Feb 20


By Bill Gertz
Washington Free Beacon
February 20, 2013

The Obama administration plan to counter massive cyber espionage from China
will not focus on a single country, a White House official said.

The administration is set to release its “Strategy to Mitigate the Theft of
U.S. Trade Secrets” at a press conference of senior officials, including
Attorney General Eric Holder.

“We know that trade...

Posted by InfoSec News on Feb 20


By Bob Brewin
February 20, 2013

Pentagon plans to create an award for drone operators and cyber warriors that
ranks above medals earned in physical battle is drawing fire from combat
veterans, a former high-ranking Defense Department official and an advocacy
group. But a Pentagon spokesman told Nextgov that Defense...

Posted by InfoSec News on Feb 20


By Eric Chabrow
February 20, 2013

A government audit reveals that the Census Bureau does not do a good enough job
protecting the confidentiality of its data - a stinging conclusion, considering
the bureau collects personal information about every individual residing in the
United States.

In the report made public Feb. 20 - entitled Information...

Posted by InfoSec News on Feb 20


By John E Dunn
20 February 2013

Large organisations are struggling to manage trust assets such as encryption
keys and digital certificates in a muddle that could open many to the risk of
cyberattack, a Ponemon survey for security management firm Venafi has

The Cost of Failed Trust report [registration required]...

Posted by InfoSec News on Feb 20



BEIJING, Feb. 20 (Xinhua) -- U.S. cybersecurity firm Mandiant on Monday claimed
in a report that hackers related to the Chinese military attacked some U.S.
websites, once again stirring up the "Chinese hackers threat."

Mandiant put forward as its main evidence a claim that many of the cyber
attacks were launched from IP addresses...