Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Introduction

Earlier this year, we started seeing reports of macro-based Bartalex malware [1]. Bartalex has been used in Microsoft Office documents sent through malicious spam (malspam). On Tuesday 2015-07-21, we found a sample to examine for today's diary. We used this example of Bartalex to infect a Windows host with Pony malware that downloaded a Dyre banking Trojan [2].

Example of the malspam

This malspam sample has ADP as a spoofed sender.

The email headers show this email didn't


The malicious attachment

A sample of the Bartalex Word document is available here. Before opening the Word document on a test host, we reviewed it with OfficeMalScanner. Using OfficeMalScanner's info

OfficeMalScanner generated some text files, and we could examine the macro code. The largest file

There's a bit of obfuscation, but we found some URLs used by the malware.

Opening the Word document will execute the associated macro(s) if they are enabled. Here's what the document looks like when it

Traffic generated by the malware

We opened the Word document on a virtual machine (VM) and enabled macros. Unfortunately, the VM had only one processor core. Why is that unfortunate, you ask? Earlier this year, Dyre began checking if a machine has only one processor core. On a single-core VM, Dyre will terminate itself before doing anything [3], which is what happened on this VM. Below is an image of the traffic filtered in Wireshark.

Doing the same thing on a dual-core host generated additional post-infection traffic. Below is an image of Wireshark from the dual-core host. On this host, post-infection traffic shows patterns associated with Dyre.

We reviewed some of the Dyre post-infection traffic in Wireshark. The image below shows one of the TCP streams using SSL over port 4443. In Wireshark's Analyze menu, use Decode As and select SSL to see the information properly parsed.

Final words

Below are links for two EXE files found on the infected host. The hybrid-analysis pages contain links to download the malware samples:

Bartalex malspam continues to be a concern. In some cases, these attachments may slip through spam filters before anti-virus programs can detect them. Fortunately, post-infection traffic should trigger network alerts. If your organization has adequate network security monitoring, you can detect any users that fall for this malspam.

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://blog.trendmicro.com/trendlabs-security-intelligence/enterprises-hit-by-bartalex-macro-malware-in-recent-spam-outbreak/
[2] http://www.zdnet.com/article/dyre-wolf-attacks-your-corporate-bank-account-door/
[3] http://www.seculert.com/blog/2015/04/new-dyre-version-evades-sandboxes.html

 

According to The New York Times and Bloomberg News, four men in Florida and Israel have been arrested in relation to the 2014 hack against JPMorgan Chase, which resulted in gigabytes of bank data being exfiltrated. The news outlets, citing anonymous sources, did not fully explain how all the suspects were connected.

The United States Attorney in Manhattan announced that the two Florida men were arrested Tuesday, and were formally charged with operating an unlicensed Bitcoin exchange, coin.mx.

However, their criminal complaints make no mention of JPMorgan Chase. The two Israelis were named as Gery Shalon and Ziv Orenstein, and were arrested by authorities there. A fifth man, Joshua Samuel Aaron, an American living in Israel, is reportedly still at large.


 

A security researcher has taken umbrage at Italian malware developer Hacking Team after discovering that his open source exploit tools were included in Android surveillance software sold to governments around the world.

Collin Mulliner, well-known in security circles for exposing vulnerabilities in mobile devices, published a blog post Tuesday that attempts to set the record straight. To wit: his tools—which among other things surreptitiously capture conversations and other sounds within earshot of infected Android phones—were used without permission or notice by Hacking Team. He learned about the use only after the breach of Hacking Team computers, which resulted in a 400-gigabyte leak of confidential company documents, including these e-mails showing company engineers discussing Mulliner's tools.

In Tuesday's post, Mulliner wrote:


 
Oracle MySQL Server CVE-2015-4771 Remote Security Vulnerability
 
Oracle MySQL Server CVE-2015-4757 Remote Security Vulnerability
 
ISC BIND 'isselfsigned()' Function Remote Denial of Service Vulnerability
 

A recently disclosed bug in OpenSSH software used to remotely access Internet-facing computers and servers allows attackers to make thousands of password guesses in a short period of time, a defect that could open systems to password cracking, a security researcher has warned.

Under normal circumstances, OpenSSH will allow just three or six login attempts before closing a connection, the researcher who goes by the moniker KingCope wrote in a blog post published last week. The recently discovered vulnerability, however, allows attackers to perform thousands of authentication requests during an open login window, which by default lasts two minutes. As a result, attackers who cycle through the most commonly used passwords face much better odds of finding the right one, since the vulnerability allows them to try many more candidates than they otherwise would.

KingCope wrote:


 
Mozilla Firefox/Thunderbird CVE-2014-1565 Out of Bounds Memory Corruption Vulnerability
 
WorldCIST'2016 - Brazil: Call for Workshops Proposals - Best Papers published by ISI/SCI Journals
 
Mozilla Firefox/Thunderbird Multiple Security Vulnerabilities
 
Mozilla Firefox Firefox ESR and Thunderbird Multiple Memory Corruption Vulnerabilities
 

A pair of computer security researchers based in St. Louis demonstrated weaknesses in an automobile system with cellular connectivity installed in as many as 471,000 vehicles in the US. Charlie Miller and Chris Valasek highlighted the vulnerability of the system by attacking a Jeep Cherokee equipped with the Uconnect system remotely while Wired's Andy Greenberg was driving it.

Uconnect, a "connected car" system sold in a number of vehicles produced by Fiat Chrysler for the US market, uses the Sprint cellular network to connect to the Internet and allows owners to interact with their vehicle over their smartphone—performing tasks like remote engine start, obtaining the location of the vehicle via GPS, and activating anti-theft features. But vulnerabilities in Uconnect, which Fiat Chrysler has issued a patch for, made it possible for an attacker to scan Sprint's cellular network for Uconnect-equipped vehicles, obtaining their location and vehicle identification information. Miller and Valasek demonstrated that they could then attack the systems within the car via the IP address of the vehicle, allowing them to turn the engine of the car off, turn the brakes on or off, remotely activate the windshield wipers, and take control of the vehicle's information display and entertainment system.

Miller and Valasek also found that they could take remote control of the steering of their test vehicle, the aforementioned Jeep Cherokee—but only while it was in reverse.


 
 
Oracle Java SE CVE-2015-2613 Remote Security Vulnerability
 
Oracle Java SE CVE-2015-4736 Remote Security Vulnerability
 
LinuxSecurity.com: The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.28, 11.6, and 13.1 and Asterisk 1.8, 11, 12, and 13. The available security releases are released as versions 1.8.28.cert-5, 1.8.32.3, 11.6-cert11, 11.17.1, 12.8.2, 13.1-cert2, and 13.3.2. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerability:

* AST-2015-003: TLS Certificate Common name NULL byte exploit. When Asterisk registers to a SIP TLS device and verifies the server, Asterisk will accept signed certificates that match a common name other than the one Asterisk is expecting if the signed certificate has a common name containing a null byte after the portion of the common name that Asterisk expected. This potentially allows for a man in the middle attack.

For more information about the details of this vulnerability, please read security advisory AST-2015-003, which was released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert5
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.3
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert11
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.17.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.8.2
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-13.1-cert2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.3.2

The security advisory is available at:
* http://downloads.asterisk.org/pub/security/AST-2015-003.pdf
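As an added illustration (not Asterisk code), the Python below contrasts a common-name check that behaves like a C string comparison, which stops at the first NUL byte, with a length-aware check that rejects embedded NULs; the expected hostname and the certificate CN byte strings are constructed.

```python
# Constructed certificate subject fields. In a real certificate the CN is a
# length-prefixed ASN.1 string, so it can legally carry a NUL byte even though
# no valid hostname contains one.
EXPECTED_HOST = "sip.example.com"
CN_GOOD = b"sip.example.com"
CN_OTHER = b"sip.example.net"
CN_NUL = b"sip.example.com\x00.example.net"  # CN that names a different host


def cn_matches_truncating(cn: bytes, expected: str) -> bool:
    """Defective check of the kind the advisory describes: the CN is handled as
    a NUL-terminated C string, so only the bytes before the first NUL are
    compared and CN_NUL is accepted as if it were EXPECTED_HOST."""
    return cn.split(b"\x00", 1)[0] == expected.encode()


def cn_matches(cn: bytes, expected: str) -> bool:
    """Hardened check: an embedded NUL is never valid in a hostname, so refuse
    the certificate outright, then compare the full byte string."""
    if b"\x00" in cn:
        return False
    return cn == expected.encode()


def verify_all() -> dict:
    """Run both checks over the constructed CNs to show where they disagree.
    Returns {name: (defective_result, hardened_result)}."""
    samples = [("good", CN_GOOD), ("other", CN_OTHER), ("nul", CN_NUL)]
    return {
        name: (cn_matches_truncating(cn, EXPECTED_HOST), cn_matches(cn, EXPECTED_HOST))
        for name, cn in samples
    }


if __name__ == "__main__":
    for name, (defective, hardened) in verify_all().items():
        print(f"{name:5} defective={defective} hardened={hardened}")
```

Only the "nul" sample separates the two checks: the truncating comparison accepts it, the length-aware one rejects it.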
 
LinuxSecurity.com: security update to oracle CPU july 2015 - http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
 
LinuxSecurity.com:
**Horde_Form 2.0.10**
* [jan] SECURITY: Fixed XSS in form renderer.
**Horde_Icalendar 2.1.1**
* [jan] Fix generated VALARM TRIGGER attributes with empty duration (Ralf Becker).
**Horde_Auth 2.1.10**
* [jan] SECURITY: Don't allow to login to LDAP with an empty password.
**Horde_Core 2.20.6**
* [jan] SECURITY: Don't allow to login with an empty password.
* [jan] Give administrators access to all groups, even with $conf['share']['any_group'] disabled.
 
 
LinuxSecurity.com: Security fix for CVE-2015-3218, CVE-2015-3255, CVE-2015-3256, CVE-2015-4625. Please make sure to reboot or run (systemctl restart polkit.service) after applying this update.
 
LinuxSecurity.com: fix for CVE-2015-4620
 
 
CVE-2015-5379: Axigen XSS vulnerability for html attachments
 
[security bulletin] HPSBMU03380 rev.1 - HP System Management Homepage (SMH) on Linux and Windows, Multiple Vulnerabilities
 

InfoSec pros spend most time, money on self-inflicted problems | CSO Online
CSO Online
According to a new survey of Black Hat attendees released last week, InfoSec professionals are spending the biggest amount of their time and budgets on security problems created within the organization itself. Security vulnerabilities introduced by ...

 

Now that my overview of Sysinternals tools with VirusTotal support is complete (Process Explorer, Autoruns and Sigcheck), let's address a couple of remarks I received (BTW, if I missed a Sysinternals tool, let me know with a comment).

1) Upload of files. Some people are worried that the Sysinternals tools will upload (confidential) files to VirusTotal. That is a valid concern, but for each tool I described, I showed how to enable hash searching first. Configured like this, the Sysinternals tools will only submit hashes to VirusTotal, and not upload files. The Sysinternals tools can upload files, but this has to be done manually (Process Explorer) or configured explicitly (Autoruns and Sigcheck).

2) Internet access. It is obvious that these tools require Internet access to connect to VirusTotal (BTW, if you have a proxy, read the comments for Process Explorer). But that is not always possible or desirable. Several years ago, I needed a tool to search through the VirusTotal database for a list of MD5 hashes. At that time, I found no programs or scripts that searched the VirusTotal database via the API (there were scripts to submit files, but not to search). Thus I wrote my own tool: virustotal-search.py. You need to obtain a VirusTotal API key to use with virustotal-search.py (create a free VirusTotal account and you'll get one). And then you let virustotal-search.py run with a list of search terms (MD5, SHA1 or SHA256 hashes) and it will produce a CSV file with the results. This will take some time, as virustotal-search.py respects VirusTotal's quota for free accounts: 4 requests per minute and a maximum of 4 search terms per request. I won't go into all the features of virustotal-search; if you are interested, visit my virustotal-search page. Here is an example of a CSV file produced by virustotal-search.py:

In an upcoming diary entry, I'll give some pointers to produce lists of hashes (tip: some Sysinternals tools can calculate hashes).
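To make the quota pacing concrete, here is an added Python example (not Didier's virustotal-search.py) that batches hashes four per request, pauses 15 seconds between requests so it stays within 4 requests per minute, and emits CSV; the lookup function and the small hash table it answers from are constructed stand-ins for the VirusTotal API so the code runs offline.

```python
import csv
import io
import time

# Quota the diary quotes for free VirusTotal accounts.
MAX_TERMS_PER_REQUEST = 4
MAX_REQUESTS_PER_MINUTE = 4
PAUSE_SECONDS = 60.0 / MAX_REQUESTS_PER_MINUTE  # 15 s between requests
FIELDS = ["hash", "found", "positives", "total", "scan_date"]

# Constructed stand-in for the VirusTotal database so the demo runs offline;
# the two known hashes are the MD5 of an empty file and of the string "1".
FAKE_DB = {
    "d41d8cd98f00b204e9800998ecf8427e": {"positives": 0, "total": 57, "scan_date": "2015-07-21 10:00:00"},
    "c4ca4238a0b923820dcc509a6f75849b": {"positives": 23, "total": 57, "scan_date": "2015-07-20 08:30:00"},
}

def fake_lookup(batch):
    """Hypothetical API call: one request, reports only for hashes the service knows."""
    return {h: FAKE_DB[h] for h in batch if h in FAKE_DB}

def chunk(terms, size=MAX_TERMS_PER_REQUEST):
    """Group search terms into request-sized batches (4 per request by default)."""
    return [terms[i:i + size] for i in range(0, len(terms), size)]

def search_hashes(terms, lookup, sleep=time.sleep):
    """Issue one request per batch, pausing PAUSE_SECONDS between requests so the
    per-minute quota is never exceeded. Unknown hashes produce a row with
    found=False rather than being silently dropped. Rows keep input order."""
    rows = []
    for n, batch in enumerate(chunk(terms)):
        if n > 0:
            sleep(PAUSE_SECONDS)
        reports = lookup(batch)
        for h in batch:
            r = reports.get(h)
            rows.append({"hash": h, "found": r is not None,
                         "positives": r["positives"] if r else "",
                         "total": r["total"] if r else "",
                         "scan_date": r["scan_date"] if r else ""})
    return rows

def to_csv(rows):
    """Render result rows as CSV text (a real tool would write this to a file)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Calling `to_csv(search_hashes(hashes, fake_lookup))` with five hashes issues two paced requests; swapping `fake_lookup` for a real API client while keeping the default `time.sleep` gives the behaviour the diary describes.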

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

 