InfoSec News

Business Insider

This Is China's Response To The US Navy's Struggling $600 ...

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Thanks to ISC readers Yin, Doug, Lorenzo, Ron, Jan and Placebo for contributing their data to the ongoing analysis of Run, Forest! (JS.Runfore) after our earlier SANS ISC diary last week.
Here's what we have so far:

Run, Forest is pretty fickle. The operators seem to be running an underground web server called Sutra TDS, and are doing a quite decent job of using its features to make analysis hard. Redirection usually happens via two stages of URLs, and only takes place if the correct cookies were set by the prior stage and the correct Referer is provided. The server also appears to geolocate the visitor and respond accordingly, and it blacklists analysts who poke at it too often. If the defenses trigger, the web server responds with "This domain has been suspended for policy violations" or some wording along those lines ... and admittedly, this actually fooled us the first time (as in "Yeeha, someone else already got them"). Turns out that no, it is just one more clever smoke grenade in the bad guys' arsenal.

If you DO get the exploits, it looks like it currently delivers a regular Blackhole Exploit Kit. The most recent exploit we've seen included in the package so far was for CVE-2012-0507, the Java AtomicReferenceArray vulnerability, which affects Java 6 Update 30, Java 7 Update 2 and earlier. Bad enough, because there are still lots of unpatched Java installations out there. The other exploits in the pack seem to be for older CVE-2010-xxxx vulnerabilities, particularly in Adobe Reader. But don't count on it: the way Blackhole is built, it is trivial for the attackers to swap one exploit for another. That they are not using the latest exploits yet simply means that the oldies are still netting the bad guys enough new bots.

If the exploits that we saw were successful, the end result was usually a variant of ZBot, with low detection on Virustotal.

If the machine is well patched and none of the exploits in the pack apply, it looks like the kit does some sort of geolocation and then presents a reasonably language- and design-adjusted variant of Fake AV, in the hope that the user will fall for it and click. So far we have had reports of this behavior from Switzerland and Germany only; if you have a full trace of such an incident, from its starting runforestrun URL all the way through to the Fake AV, we'd appreciate a copy.

If you want to play on your own (be careful!), here's a couple of recent Wepawet analysis results

How do web servers get infected with Run Forest's initial attack vector?
Good question. All we have so far is that existing JavaScript (.js) files apparently were amended with the obfuscated Blackhole redirect code. Symantec's early analysis suggests that Run Forest comes with a file infector that looks for and modifies .js files. The sites from which we received infected files didn't have much in common, and also didn't have (sigh!) any useful logs that would have allowed tracking back to the source of infection. If you have additional details, please share!

How to defend
Don't count on anti-virus. While Symantec was quick to detect and name JS.Runfore one week ago, they are now missing the latest versions, pretty much like every other AV vendor out there.
Here's AV detection for the Blackhole Redirect Script on Virustotal: 4/41

Here's AV detection for the PDF Exploit on Virustotal: 11/42

Here's AV detection for the final EXE (ZBot): 5/42

In a company or university setting, if you can get away with it, block all traffic to, which is the IP that has been used by this scam for their 16-byte initial .ru URLs for the past week now. Obviously, the IP is trivially easy to change for the attackers, but you might get at least some temporary reprieve to allow the AV companies to get their act together, and catch up.
Your best defense, as usual, is to keep all your software fully up to date, and to make sure all your computer users are educated not to click on scams .. especially not on scams that pop up unexpectedly after visiting a completely unrelated web page.
Let me rephrase that: Your best defense is to go off grid completely, and start growing your own potatoes and cabbage in some remote rural corner of Wisconsin or Idaho. But things are not quite that dire yet :).
Verizon Wireless and T-Mobile USA unveiled a high-profile spectrum deal on Monday, but the odd couple also joined together earlier this month on a lesser known proposal for FCC rules on cellular signal boosters.
As Google ramps up for its big I/O conference in San Francisco this week, analysts say the company must continue to prove the value of its Android operating system to developers.
logrotate Gentoo Linux 'var/log/' Symlink Local Privilege Escalation Vulnerability

SYS-CON Media (press release) (blog)

Drama in the Cloud: Coming to a Security Theatre Near You
SYS-CON Media (press release) (blog)
#mobile #infosec #gdi Conflicting messages from various trends are confusing … should you care about the client end-point or not? drama in the cloud On the ...

Microsoft has agreed to acquire Yammer, a maker of cloud-based enterprise social networking (ESN) software, for US$1.2 billion [b] in cash, a deal rumored to be in the works for the past week and a half.
The adoption of cloud computing is rapidly gathering momentum, as more companies use this technology to store data and access applications online. However as cloud computing becomes more mainstream, security concerns are being raised.
The world of data management has become much more challenging in the past two decades, but in terms of NetApp's business, that's a good thing because it gives plenty of room to innovate, says Dave Hitz, executive vice president and founder.
Last week Daniel published the diary Run, Forest! If you are using Snort IDS and running some of the Blackhole signatures from Emerging Threats, you most likely noticed they trigger on Blackhole regularly. Using JSDetox, you can finally view the content of these scripts. All you need is a copy of the script and JSDetox installed on a Linux system (mine is running on Slackware).
Steps to Decode the Obfuscated JavaScript
1- Copy the code into the Code Analysis window and select Analyze.

2- The script will then be formatted in the Code Formatted window.

3- Select Execute, then select Show Code and Send to Analyze to show the script in its actual deobfuscated form.

The final result is quite similar to the Wepawet report in Daniel's diary.

[1] http://www.relentless-coding.com/projects/jsdetox

[2] https://isc.sans.edu/diary.html?storyid=13540

[3] http://wepawet.iseclab.org/view.php?hash=e89cfa2fa6a91f90cfeb125c10c1f0f&t=1340389400&type=js

[4] http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-current_events.rules

[5] http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
RETIRED: Zoph Multiple Remote Security Vulnerabilities
According to this newspaper article (in Dutch), the Belgian government has arrested two Russian and two Polish nationals, all legally in the country, in connection with the theft of 3 million EUR by hacking online banking customers.
The article reminds me a lot of a diary we published in 2007 about a Dutch bank being hacked. In the end they managed to arrest the money mules in that case. It seems they got one step closer to those behind it this time.
It seems customers of 5 large Belgian banks were hit by malware; money was then transferred via mules, who got to keep 5 to 10% of the amount stolen, and then our four friends above collected it.
Now almost all large Belgian banks use solid protection for their online banking: two-factor authentication using offline hardware tokens, separate procedures for authenticating and for authorizing (signing) transactions (well, one of them isn't doing this essential step), awareness campaigns towards their customers, ... And still the malware appears to have pulled off the job.
Luckily money leaves a trail that can be followed and lead to arrests of these, no doubt, mere middlemen. The investigation is said to focus on a criminal organization.
Interesting are the numbers they got:

one bank: 7,500 customers for a total of 1,836,130.52 EUR
second bank: 4,900 customers for 1,496,012 EUR
[no data on the other 3 banks]

That's roughly 245 EUR per victim at the first bank and just over 305 EUR at the second, not a huge amount per case. Still, given enough victims it adds up to significant sums.
If you're using one of these advanced systems for your online banking: always validate the transactions before you authorize them, trust nothing you see on the screen, and check what you sign: the amount has to match up! Don't just match up large amounts or the most significant digits: they're stealing hundreds, not tens of thousands, in one go. Also, with the upcoming holiday season out here, only use computers you can trust to be malware-free for online banking, so avoid cybercafes and other public computers.

Now don't gloat if you're not on one of these systems: you're far more vulnerable.
I have no more details at this point, and with an ongoing investigation we're not going to get all that many details of the malware, or of who's behind it, for sure.

Swa Frantzen -- Section 66
Today's U.S. Supreme Court decision that allows Arizona police to check peoples' immigration status means that H-1B workers in the state should have their visa documents available at all times, immigration attorneys say.
PostgreSQL 'SECURITY DEFINER' and 'SET' Attributes Remote Denial of Service Vulnerability
Microsoft Remote Desktop Protocol Service CVE-2012-0152 Denial of Service Vulnerability
Microsoft has released an Important update to the Windows Update function (Windows Update Agent 7.6.7600.256) because users have been experiencing update issues. Some users see a failed installation with error code 80070057 or 8007041B. Microsoft has provided a Fix it tool that can be downloaded directly for those cases where the update won't apply automatically, along with a Knowledge Base article (see the links below). Have you been experiencing this issue? Please let us know!
[1] http://support.microsoft.com/kb/949104

[2] http://social.technet.microsoft.com/Forums/en-US/w7itproinstall/thread/d046bce8-38dd-4be5-8abb-5486200379a6/

[3] http://isc.sans.edu/diary.html?storyid=13453
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Facebook is testing a mobile-only feature, called Find Friends Nearby, that allows users to connect with new social contacts based on who is nearby and using a browser.
Hewlett-Packard plans to trim its workforce by about 9,000 in the U.S. as part of its long-term plan to reduce 27,000 jobs worldwide by fiscal 2014, a source familiar with the company's plans said.
Oracle tends to keep a tight lid on the specific announcements it will make each year at the OpenWorld conference prior to show time, but a newly released session catalog provides plenty of clues and fodder for speculation as to what's in store at the event, which runs from Sept. 30 to Oct. 4 in San Francisco.
Microsoft is a little more than three weeks away from wrapping up Windows 8, according to leaks of recent builds of the upcoming operating system and claims by a Russian blog.
Two members of the LulzSec hacking group Monday pleaded guilty to attacking and disabling the Websites of several large organizations, including Central Intelligence Agency, Sony, Fox Entertainment Group, the Arizona State Police and Britain's Serious Organized Crime Agency.
RSyslog Function Imfile Module Buffer Overflow Vulnerability
A low-cost Nexus tablet from Google that sports high-end features would raise the stakes for Amazon's Kindle Fire and Barnes & Noble's Nook tablet -- and it might even compete with the iPad, said analysts.
Earlier this month mis-asia.com interviewed two senior executives from global contact centre, unified communications and business process automation solutions provider Interactive Intelligence. Gary Blough, Executive VP, Worldwide Sales and Simon Lee, Regional General Manager for Asia at the US-based company told us about their company's plans for growing their business in the region, its target markets moving forward, and how it intends to respond to global economic trends.
Google is gearing up for its annual developers conference this week, and analysts say it's time for the company to deliver an ecosystem that can compete head to head with Apple.
Microsoft Monday confirmed that it would acquire enterprise social network company Yammer for $1.2 billion in cash. Yammer will be absorbed into the Microsoft Office Division, headed by Kurt DelBene, though Yammer staff will continue to report to the company's current CEO, David Sacks. Yammer claims to have more than 5 million corporate users and to be used by staff at 85 percent of the Fortune 500. Rumors of a Microsoft deal to buy Yammer cropped up earlier this month.
Apple has again warned MobileMe subscribers that it will pull the plug on its sync and storage service at the end of this month.
[SECURITY] [DSA 2499-1] icedove security update
[ MDVSA-2012:088-1 ] mozilla
Microsoft has no plans to build its own smartphones, contrary to a report from an analyst last week.
A long time ago in a mind-set far away, I spent a lunch with friends trying to figure out what we'd do if we could reprogram our cellphones. Our ideas were, in retrospect, lame. Maybe we would change the font on the dialer or come up with a screensaver animation. Wouldn't it be cool if we could get flying toasters running on the screen of our cellphone?
Box announced that its OneCloud enterprise mobile cloud service now supports Android, allowing companies to access Android applications and store and share Android data in Box's public cloud.
Tablet devices designed for use in hospitals and stores could get better graphics through Advanced Micro Devices' latest low-power G-T16R embedded processor, which the company announced on Monday.
Research In Motion reiterated its commitment to turning itself around, even as a report said the company could be planning to split off its BlackBerry smartphone division.
Verizon Wireless will swap spectrum with T-Mobile USA in the AWS (advanced wireless service) band, if Verizon can get regulatory approval to buy the spectrum from a group of cable companies, the companies announced Monday.
System management software vendor Quest said Monday that an unnamed "strategic bidder" had submitted an acquisition offer of approximately $2.3 billion.

Special Training Offer from SANS vLive for IT Professionals ...
MarketWatch (press release)
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, newsletters and it operates the Internet's early ...

Google will launch its own sub-$200 7-in. Nexus tablet this week at its Google I/O conference in San Francisco, according to training documents viewed by Gizmodo Australia.
Printers connected to Windows computers infected with new variants of a malware program called Trojan.Milicenso, will automatically print out pages full of garbled data, according to security researchers from antivirus firm Symantec.
gdk-pixbuf 'read_bitmap_file_data()' Remote Integer Overflow Vulnerability
ICANN has suspended the Digital Archery contest part of its new Generic Top-level Domain program, which was destined to decide which gTLD applications would be handled first. The future of this application process is still to be determined, ICANN said during a news conference in Prague on Monday.
Oracle is planning to build on its acquisitions of companies such as ATG, Fatwire and RightNow with a new product strategy centered around "customer experience management," as co-president Mark Hurd will explain on Monday during an event in New York.
Remarks by Readdle is one more in a growing list of iOS PDF reader and annotation apps. This category interests me in particular because of my lifelong struggle with paper. (I occasionally win a few battles but, after taking a quick scan of my desk, it's apparent that I'm losing the war.)
When reviewing photos using the LCD on the back of my camera, it's fun to keep the navigation button held down and let the camera quickly zip through all the images. Especially since I frequently shoot in burst mode--holding the shutter button to shoot several shots in succession--the effect is like watching a stop-motion animation movie.
Samba 'CAP_DAC_OVERRIDE' File Permissions Security Bypass Vulnerability
Samba Oplock Break Notification Remote Denial of Service Vulnerability
Early adopters say the expense and time spent to revamp a data center's switching gear are well worth it; benefits include killer bandwidth and more flexibility.
Sony and Panasonic said Monday they will team up to create mass production technology for super-high resolution TVs based on OLED technology, in a concerted effort to drive mainstream adoption and revive their struggling television businesses.
Mozilla's new silent updater has not sped up the migration to Firefox 13, according to usage statistics compiled by an Irish metrics company.
Apache HTTP Server 'LD_LIBRARY_PATH' Insecure Library Loading Arbitrary Code Execution Vulnerability
European regulators have urged an Internet standards-setting body to let Microsoft set users' preferences for the "Do Not Track" privacy feature in the upcoming Internet Explorer 10.
Acme thttpd and mini_httpd Terminal Escape Sequence in Logs Command Injection Vulnerability
dhcpcd CVE-2012-2152 Remote Stack Buffer Overflow Vulnerability

InfoSec 2012 - Seeker Security
Daily Maily, Anashim VeMachshevim (People and Computers)
"Developing an application involves many stages, and each of them carries potential information-security vulnerabilities. Therefore, security vulnerabilities in applications must be found during the development stages and not at the end ...

How to Break Into Security, Ptacek Edition
Krebs on Security
But if you watched "Sneakers" and ideated a life spent breaking or defending software, great news: infosec can be more fun in real life, and it's fairly lucrative.
