(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Antivirus provider Webroot is causing a world of trouble for customers. A signature update just nuked hundreds of benign files needed to run Microsoft Windows, as well as apps that run on top of the operating system.

Social media sites ignited on late Monday afternoon with customers reporting that servers and computers alike stopped working as a result of the mishap. The admin and security pundit who goes by the Twitter handle SwiftOnSecurity told Ars that, at the company he or she worked for, the false positive quarantined "several hundred" files used by Windows Insider Preview. Hundreds of "line of business" apps, such as those that track patient appointments or manage office equipment, suffered the same fate. Webroot was also flagging Facebook as a phishing site.

As this post was going live, Webroot's cloud-based system for issuing commands to clients was unable to revert the quarantined files. Officials have yet to confirm they would be able to revert all the bad determinations.


Cisco Prime Infrastructure CVE-2017-6611 Cross Site Scripting Vulnerability
Shopware CVE-2016-3109 Arbitrary Code Execution Vulnerability
XOOPS CVE-2017-7944 Cross Site Scripting Vulnerability
pcs daemon CVE-2016-0721 Session Fixation Vulnerability
Linux Kernel CVE-2017-8064 Local Denial of Service Vulnerability


BrickerBot, the botnet that permanently incapacitates poorly secured Internet of Things devices before they can be conscripted into Internet-crippling denial-of-service armies, is back with a new squadron of foot soldiers armed with a meaner arsenal of weapons.

Pascal Geenens, the researcher who first documented what he calls the permanent denial-of-service botnet, has dubbed the fiercest new instance BrickerBot.3. It appeared out of nowhere on April 20, exactly one month after BrickerBot.1 first surfaced. Not only did BrickerBot.3 attack at a much faster rate, with 1,295 attacks coming in just 15 hours, it used a modified attack script that added several commands designed to more completely shock and awe its targets. BrickerBot.1, by comparison, fired 1,895 volleys during the four days it was active, and the still-active BrickerBot.2 has spit out close to 12 attacks per day.

"Just like BrickerBot.1, this attack was a short but intense burst," Geenens told Ars. "Shorter than the four days BrickerBot.1 lasted, but even more intense. The attacks from BrickerBot.3 came in on a different honeypot than the one that recorded BrickerBot.1. There is, however, no correlation between the devices used in the previous attack versus the ones in this attack."



[This is a guest post submitted by Remco Verhoef. Got something interesting to share? Please use our contact form to suggest your topic]

Today I got lucky walking around within a phishing site and found some left-over deployment files, containing the complete source code of the site. This gives a unique insight into the inner workings and complexity of the site. I've analyzed many phishing site source codes before, but this one is definitely more sophisticated than usual.

The site is called Scam Paypal v1.10 by its author, Shadow Z118.

I'll walk you through the source code and my findings. The source code consists of 127 files, 6MB in size, with file dates ranging from September 2016 until now. The author is definitely using the Agile development process here.

The `.htaccess` file contains several measures against (automated) analysis by known anti-phishing tools:

  • it rewrites to the actual phishing page
  • deny rules for IP ranges and domains, e.g. google.com, paypal.com, firefox.com, apple.com
  • an environment variable called stealthed
  • rewrite conditions on the referer (Google, PayPal and Firefox)
  • a rewrite on the user agent
  • rewrites to paypal.com when coming from specific IPs
  • sets the environment variable bad_bot for specific user-agents
  • deny rules for all kinds of AV vendors
  • disables Indexes (which wasn't applied to the root, yay!)

There is also a duplicate of this file, called htaccess (without the usual leading dot). I assume this is a mistake.

PhishTank had an issue last week where these kinds of redirects caused safe domains to be incorrectly flagged as phishing.

The `index.php` file contains several more checks for bots:

  • A function named is_bitch identifies various bots. Worth mentioning: curl is included in its list.
  • A user-agent containing google gets a 404 response, so Google will not index the site.
  • Google is identified not only by User-Agent but also by the hostname its IP address resolves to.

This index copies the code from a source/template folder to a random folder per user (/customer_center/customer-IDPP00C followed by a random number). After the copy, the user is redirected to this new location. Not completely sure why this hasn't been done with rewrites.

The `robots.txt` contains disallow-all rules for the folders, to keep robots.txt-respecting bots from indexing them.

The source code contains quite a few evasive measures against automated analysis by AV vendors and bots. The `bots` folder contains more scripts that return 404s based on all kinds of checks:

  • known IP ranges
  • parts of domains (including tor-exit, google and amazonaws)
  • user-agents
  • a list of banned IPs

Every request increments a global hit counter. When the counter exceeds 30, a deny record is created for that specific remote address, user-agent and hostname.

Another script tracks the user-agents and IP addresses of bots, based on a list of words. This builds a database of the user-agents and IP addresses of specific AV vendors.

An `HTTP/1.0 404 Not Found` is returned, sometimes accompanied by the friendly message `HELLOOOOO BITCHES | I FUCKING LOVE YOU HAHAHAHAHAHAHA 3 | TRY BYPASS ME NEXT TIME BB 3.`. Note that it returns HTTP/1.0 even when the request was made with HTTP/1.1.
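To make the layers above concrete, here is a model of the visitor gating the diary describes, written as an added example; it is not the kit's own code. The diary names the mechanisms (the `.htaccess` deny/rewrite rules, the is_bitch() user-agent test in `index.php`, recognising Google by reverse DNS, the hit counter and deny records in the `bots` folder, the HTTP/1.0 404) but not the kit's actual lists, so every keyword list and IP range below is an assumption chosen for illustration (the ranges are TEST-NET addresses). The reverse-DNS hostname is passed in already resolved so that the code runs offline.

```python
"""Model of the phishing kit's visitor gating, as described in the diary.
Added example, not the kit's code; all lists are illustrative assumptions."""
import ipaddress

# Assumed keyword lists. The diary confirms only that curl and google are
# matched on the user-agent and that google, amazonaws and tor-exit are
# matched on the hostname; the remaining words are illustrative.
BAD_UA_WORDS = ("curl", "wget", "python", "bot", "spider", "crawler", "google", "phishtank")
BAD_HOST_WORDS = ("google", "amazonaws", "tor-exit")
BAD_REFERER_WORDS = ("google", "paypal", "firefox")   # the three the diary names
# Constructed TEST-NET ranges standing in for the kit's real IP lists.
BANNED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SEND_TO_PAYPAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]
HIT_LIMIT = 30                                 # from the diary
NOT_FOUND = "HTTP/1.0 404 Not Found"           # sent even to HTTP/1.1 clients


class Gate:
    """One instance holds the per-client hit counts and deny records."""

    def __init__(self):
        self.hits = {}       # (ip, ua, hostname) -> request count
        self.denied = set()  # keys that exceeded HIT_LIMIT

    def decide(self, ip, user_agent, hostname="", referer=""):
        """Return 'serve', '404' or 'redirect:<url>' for one request."""
        addr = ipaddress.ip_address(ip)
        ua, host, ref = user_agent.lower(), hostname.lower(), referer.lower()
        key = (ip, ua, host)

        # bots/: count hits; past HIT_LIMIT the client gets a permanent deny record
        self.hits[key] = self.hits.get(key, 0) + 1
        if self.hits[key] > HIT_LIMIT:
            self.denied.add(key)
        if key in self.denied:
            return "404"
        # .htaccess: some source addresses are rewritten to the real site
        if any(addr in net for net in SEND_TO_PAYPAL_NETS):
            return "redirect:https://www.paypal.com/"
        # .htaccess deny rules and the bots/ banned-IP list
        if any(addr in net for net in BANNED_NETS):
            return "404"
        # index.php is_bitch(): user-agent keyword match (curl included)
        if any(w in ua for w in BAD_UA_WORDS):
            return "404"
        # index.php: Google is also recognised by the resolved hostname
        if any(w in host for w in BAD_HOST_WORDS):
            return "404"
        # .htaccess RewriteCond on the Referer header
        if any(w in ref for w in BAD_REFERER_WORDS):
            return "404"
        return "serve"


def status_line(action, request_version="HTTP/1.1"):
    """Blocked requests get an HTTP/1.0 status line regardless of the
    request's version; other answers echo the request version."""
    if action == "404":
        return NOT_FOUND
    if action.startswith("redirect:"):
        return f"{request_version} 302 Found"
    return f"{request_version} 200 OK"


if __name__ == "__main__":
    gate = Gate()
    firefox = "Mozilla/5.0 (Windows NT 10.0; rv:52.0) Gecko/20100101 Firefox/52.0"
    for args in [("203.0.113.5", "curl/7.52.1"),
                 ("203.0.113.5", firefox, "crawl-66-249-66-1.googlebot.com"),
                 ("203.0.113.5", firefox, "", "https://www.google.com/"),
                 ("198.51.100.7", firefox),
                 ("203.0.113.9", firefox, "host.example.net")]:
        action = gate.decide(*args)
        print(f"{args[0]:14} {args[1][:20]:20} -> {action:34} {status_line(action)}")
```

The order of the checks is the one a request meets on its way in (web server rules first, then `index.php`), and the hit counter runs before everything else because the deny record it creates outlives any later change of user-agent.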

All emails are sent to both [email protected] and [email protected], accompanied by the text `PUT UR FUCKING E-MAIL BRO`. There is also a somewhat obfuscated reference to [email protected], which receives a copy of each email. It looks like the maker of the software wants to keep track of things without the phishers' knowledge. Within the code I find references to `Mr-YcN Z.1.1.8` and `SHADOW Z.1.1.8`.

The code contains the following API calls, for credit card checking and country detection, using the services of api.bincodes.com and ip-api.com; an api_key is included as well:

* https://api.bincodes.com/creditcard-checker.php?api_key=2d974e94811161f1dda14bbf63aa9790cc

* http://ip-api.com/json/

There is a file that detects the visitor's OS and browser family from the user-agent.

A file contains the language entries. Currently, only English is supported.

The lib folder contains all scripts and CSS files.

The actual phishing flow is as follows:

* first the user has to sign in, using her email and password

* next the user is asked to verify the account by entering card number, card type, c_valid, expiry date, CSC, name on card, full name, address, zip code, city, state and country

* then it checks whether the credit card type is Visa, MasterCard or Maestro, and if you are from France, Spain or Norway the next step is skipped

* you are asked to upload your identity photos, with allowed extensions gif, jpeg, jpg and png

* social security number details: date of birth and country-specific social security numbers

* a success page containing a summary of all entered data, redirecting you to PayPal after 5 seconds

Each step the user goes through results in an email to the noted addresses. This email contains all entered information and is distinguishable by a different subject and sender:

* NEW BB XD ? LOGIN INFO FROM : .$_SESSION[_forlogin_]. ? .$_POST[login_email]. ?

* .$_SESSION[_cardholder_]. ? FULLZ : .$_SESSION[_ccglobal_]. ? .$_SESSION[_global_]. ? .$_SESSION[_login_email_]. ?

* .$_SESSION[_cardholder_]. ? VBV FULLZ : .$_SESSION[_ccglobal_]. ? .$_SESSION[_global_]. ? .$_SESSION[_login_email_]. ?

* .$_SESSION[_cardholder_]. ? NEW ID CARD - ENJOY BTC ? .$_SESSION[_global_]. ?

Other things worth noting:

* some of the comments are in French

* the HTML contains a randomization routine for class names

* all user data is saved in PHP sessions for persistence between the steps

* the forms contain validation

* emails are only sent when useful data has been entered, e.g. a password or credit card number

* all pages contain anti-bot measures
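The evasion described earlier in this diary (404s for scanner user-agents and referers, an HTTP/1.0 status line in answer to an HTTP/1.1 request, redirects to paypal.com for certain sources) is also what gives a kit like this away from the outside. Below is a probe-and-diff check an analyst can run, written as an added example; it is not code from the diary or from the kit. It sends the same URL under a browser profile and under the profiles the kit filters on, then reports the three tells. The fetch function is injected so a real HTTP client (one that does not follow redirects) can be plugged in; the fetchers included here are constructed stand-ins so the example runs offline, and the probe profiles and the example URL are assumptions.

```python
"""Probe-and-diff cloaking check. Added example; the fetchers are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    name: str
    user_agent: str
    referer: str = ""


@dataclass(frozen=True)
class Response:
    probe: str
    status_line: str     # e.g. "HTTP/1.1 200 OK", exactly as received
    body: bytes
    location: str = ""   # Location header, if any


FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:52.0) Gecko/20100101 Firefox/52.0"
# Baseline browser plus one profile per filter the diary lists (user-agent, referer).
PROBES = (
    Probe("browser", FIREFOX),
    Probe("curl", "curl/7.52.1"),
    Probe("googlebot", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
    Probe("via-google", FIREFOX, referer="https://www.google.com/"),
)


def fingerprint(r):
    """Status code, body digest and redirect target: what cloaking changes."""
    code = r.status_line.split(" ", 2)[1]
    return code, hashlib.sha256(r.body).hexdigest()[:12], r.location


def analyse(responses, baseline="browser"):
    """Return (cloaked, findings) for one URL's set of probe responses."""
    base = next(r for r in responses if r.probe == baseline)
    findings = []
    for r in responses:
        if r.status_line.startswith("HTTP/1.0"):
            findings.append(f"{r.probe}: HTTP/1.0 status line on an HTTP/1.1 request")
        if "paypal.com" in r.location:
            findings.append(f"{r.probe}: redirected to {r.location}")
        if r.probe != baseline and fingerprint(r) != fingerprint(base):
            findings.append(f"{r.probe}: response differs from {baseline} "
                            f"({fingerprint(r)[0]} vs {fingerprint(base)[0]})")
    cloaked = any("differs from" in f for f in findings)
    return cloaked, findings


def check_url(fetch, url, probes=PROBES):
    """fetch(url, probe) -> Response. Plug in a real client here."""
    return analyse([fetch(url, p) for p in probes])


# Constructed fixture imitating the kit's behaviour as the diary describes it.
PHISH_PAGE = b"<html><form>Log in to your PayPal account</form></html>"

def kit_like_fetch(url, probe):
    ua, ref = probe.user_agent.lower(), probe.referer.lower()
    if "curl" in ua or "google" in ua or "google" in ref:
        return Response(probe.name, "HTTP/1.0 404 Not Found", b"Not Found")
    return Response(probe.name, "HTTP/1.1 200 OK", PHISH_PAGE)

def honest_fetch(url, probe):
    """A site that serves everyone the same page; should raise no findings."""
    return Response(probe.name, "HTTP/1.1 200 OK", b"<html>hello</html>")


if __name__ == "__main__":
    for name, fetch in (("kit-like", kit_like_fetch), ("honest", honest_fetch)):
        cloaked, findings = check_url(fetch, "http://example.test/customer_center/")
        print(name, "-> cloaked" if cloaked else "-> consistent")
        for f in findings:
            print("  ", f)
```

Run against a real URL, the browser profile should be fetched last and from an address the kit has not seen before: the hit counter described above turns a busy analyst into a deny record after 30 requests, and the per-visitor random folder means a second fetch of the same path may legitimately differ.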

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

NTP CVE-2016-7427 Denial of Service Vulnerability
NTP CVE-2015-8158 Denial of Service Vulnerability
Linux Kernel CVE-2017-7979 Local Denial of Service Vulnerability
Apache ActiveMQ CVE-2015-7559 Denial of Service Vulnerability
Novell NetIQ Access Manager CVE-2017-5190 Remote Information Disclosure Vulnerability
Apache CXF CVE-2017-5656 Information Disclosure Vulnerability
Oracle MySQL Server CVE-2017-3458 Remote Security Vulnerability
Oracle Hospitality OPERA 5 Property Services CVE-2017-3568 Local Security Vulnerability
Oracle MySQL Connectors CVE-2017-3589 Local Security Vulnerability
Oracle MySQL Workbench CVE-2017-3469 Remote Security Vulnerability
cURL/libcURL CVE-2017-7468 Remote Security Bypass Vulnerability
libbpg 'image_alloc()' Function Null Pointer Dereference Denial of Service Vulnerability
Atlassian Confluence CVE-2017-7415 Information Disclosure Vulnerability
Oracle Sun ZFS Storage Appliance Kit (AK) CVE-2017-3578 Local Security Vulnerability
Oracle Fusion Middleware CVE-2017-3541 Remote Security Vulnerability
Oracle Automatic Service Request CVE-2017-3620 Local Security Vulnerability
Oracle Solaris CVE-2017-3510 Remote Security Vulnerability
MySQL-GUI-tools CVE-2010-4178 Local Information Disclosure Vulnerability
MySQL-GUI-tools CVE-2010-4177 Local Information Disclosure Vulnerability