Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Our reader Travis sent us the following message:

We have had 2 users this morning hit a Forbes page: hxxp://www.forbes.com/sites/jimblasingame/2013/05/07/success-or-achievement/

And then after being referred from there to: hxxp://ml314.com/tag.aspx?2772014

They are setting off our FireEye web appliance. It is advising that this is an "Infection Match"; I am not entirely familiar with their system's determinations, as it is fairly new to us. I called down the source of the link they went to and can submit that as well if you would like it, but I haven't had a chance to look at it yet; I just beautified it and saved it.

I went ahead and downloaded the "ml314.com" URL using wget, and what comes back is heavily obfuscated JavaScript. I am just quoting some excerpts of it below:

(function(a){var g=window.document;var h=[];var e=[];var f=(g.readyState=="complete"||g.readyState=="loaded"||g.readyState=="interactive");var d=null;var j=function(k){try{k.apply(this,e)}catch(l){if(d!==null){d.call(this,l)}}};var c=functi...36);F=p(F,D,B,G,E[1],12,-389564586);G=p(G,F,D,B,E[2],17,606105819);B=p(B,G,F,D,E[3],22,-1044525330);D=p(D,B,G,F,E[4],7,-176418897);F=p(F,D,B,G,E[5],12,1200080426);G=p(G,F,D,B,E[6],17,-1473231341);B=p(B,G,F,D,E[7],22,-45705983);D=p(D,B,G,F,E[8],7,1770035416);F=p(F,D,B,G,E[9],12,-1958414417);G=p(G,F,D,B,E[10],17,-42063);B=p(B,G,F,D,E[11],22,-1990404162);D=p(D,B,G,F,E[12],7,1804603682);F=p(F,D,B,G,E[13],12,-40341101);G=p(G,F,D, ... function f(o){o.preventDefault();o.stopPropagation()}function i(o){if(g){return g}if(o.matches){g=o.matches}if(o.webkitMatchesSelector){g=o.webkitMatchesSelector}if(o.mozMatchesSelector){g=o.mozMatchesSelector}if(o.msMatchesSelector){g=o.msMatchesSelector}if(o.oMat ... try{s=new ActiveXObject("ShockwaveFlash.ShockwaveFlash");p=s.GetVariable("$version").substring(4);p=p.split(",");p=p[0]+"."+p[1]}catch(r){}if(s){q="Flash"}return{name:q,version:

In short: very obfuscated (not just "minimized"), and a lot of keywords that point to detecting plugin versions, something that you would certainly find in your average exploit kit. But overall, it didn't quite "add up". Not having a ton of time, I ran it through a couple of JavaScript de-obfuscators without much luck. The domain "ml314.com" also looked a bit "odd", but let's see when it was registered:

$ whois ml314.com

   Domain Name: ML314.COM
   Name Server: NS.RACKSPACE.COM
   Name Server: NS2.RACKSPACE.COM
   Updated Date: 22-apr-2013
   Creation Date: 22-apr-2013
   Expiration Date: 22-apr-2018

   Admin Organization: Madison Logic
   Admin Street: 257 Park Ave South
   Admin Street: 5th Floor

The domain name isn't new, and it is hosted in what I would call a "decent" neighborhood on the Internet. The owner information doesn't look outright fake, and it actually gives us a bit more information to solve the puzzle. It turns out that "Madison Logic" is in the web advertising / click-through business, so what you are seeing is likely their proprietary JavaScript to track users better.

In the end, I call this a "false positive", but then again, feel free to correct me. This is just one example of how things are not always a simple "black/white" call when it comes to odd JavaScript.
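One check worth making before reaching for a de-obfuscator, added here as an example and not part of the diary: identifier renaming does not touch numeric literals, so well-known constants survive minification. The excerpt above contains the run -389564586, 606105819, -1044525330, -176418897, ... paired with the shift amounts 7, 12, 17 and 22. Those are the MD5 round constants of RFC 1321, T[i] = floor(2^32 * |sin(i)|) for i = 2..14, written as signed 32-bit integers, and the surrounding `p(...)` calls have the shape of the MD5 round function. An MD5 over browser and plugin properties is a standard way for a tracking beacon to build a visitor identifier, which fits the Madison Logic explanation. The script below (my own code, not code from the page or from ml314.com; the regular expression, the threshold and the marker list are my choices) recovers the MD5 constants from a blob of script and also flags the plugin-probing strings seen in the excerpt. The sample input is constructed from the literals quoted above.

```javascript
// Added example, not code from the ISC diary or from ml314.com.
// Triage helper for minified/obfuscated JavaScript: a hash function can be
// recognised by its round constants even after every identifier is renamed.
// MD5 (RFC 1321) uses T[i] = floor(2^32 * |sin(i)|), i = 1..64, which a
// minifier emits as signed 32-bit integers such as -389564586 (T[2]).

// MD5 T table as signed 32-bit values; `| 0` reproduces the minifier's form.
const MD5_T = Array.from({ length: 64 }, (_, i) =>
  Math.floor(Math.abs(Math.sin(i + 1)) * 0x100000000) | 0
);

// Pull out integer literals of five or more digits (decimal or hex).
// A '-' directly in front of the digits is taken as a sign, which is how a
// minifier writes a negative constant (",-389564586"). An expression such as
// "a-389564586" is read the same way; that is a deliberate simplification.
function extractIntLiterals(src) {
  const found = [];
  const re = /(-?)\b(0x[0-9a-fA-F]{5,}|\d{5,})\b/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const v = Number(m[2]);
    found.push((m[1] === '-' ? -v : v) | 0); // normalise to signed 32-bit
  }
  return found;
}

// 1-based indices of the MD5 T entries that occur in the source.
function md5ConstantMatches(src) {
  const lits = new Set(extractIntLiterals(src));
  const hits = [];
  MD5_T.forEach((t, i) => { if (lits.has(t)) hits.push(i + 1); });
  return hits;
}

// Strings typical of browser/plugin fingerprinting. Tracking beacons and
// exploit kits both probe plugin versions, so a hit means "fingerprinting",
// not "malicious"; the verdict is still the analyst's.
const FINGERPRINT_MARKERS = [
  'ShockwaveFlash.ShockwaveFlash',
  'GetVariable("$version")',
  'ActiveXObject',
  'navigator.plugins',
  'navigator.mimeTypes',
  'matchesSelector',
];

function fingerprintMarkers(src) {
  return FINGERPRINT_MARKERS.filter((s) => src.includes(s));
}

function triage(src) {
  const md5 = md5ConstantMatches(src);
  return {
    md5Constants: md5.length,
    likelyMd5: md5.length >= 8, // one or two accidental hits happen, a dozen do not
    fingerprintMarkers: fingerprintMarkers(src),
  };
}

// Constructed sample: the literals and strings quoted from the excerpt above.
const SAMPLE =
  'F=p(F,D,B,G,E[1],12,-389564586);G=p(G,F,D,B,E[2],17,606105819);' +
  'B=p(B,G,F,D,E[3],22,-1044525330);D=p(D,B,G,F,E[4],7,-176418897);' +
  'F=p(F,D,B,G,E[5],12,1200080426);G=p(G,F,D,B,E[6],17,-1473231341);' +
  'B=p(B,G,F,D,E[7],22,-45705983);D=p(D,B,G,F,E[8],7,1770035416);' +
  'F=p(F,D,B,G,E[9],12,-1958414417);G=p(G,F,D,B,E[10],17,-42063);' +
  'B=p(B,G,F,D,E[11],22,-1990404162);D=p(D,B,G,F,E[12],7,1804603682);' +
  'F=p(F,D,B,G,E[13],12,-40341101);' +
  'try{s=new ActiveXObject("ShockwaveFlash.ShockwaveFlash");' +
  'p=s.GetVariable("$version").substring(4)}catch(r){}';

console.log(JSON.stringify(triage(SAMPLE)));
```

Run against the sample, all thirteen constants resolve to T[2] through T[14] and the three Flash-probing strings are flagged. The same table trick works for other primitives (SHA-1's 0x5a827999, SHA-256's cube-root constants, RC4's 256-entry S-box setup), and it is usually faster than general de-obfuscation for deciding whether a script hashes something or merely looks scary.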

---
Johannes B. Ullrich, Ph.D.


On Thursday the Federal Trade Commission (FTC) announced the winners of a robocall-defeating contest that the commission held at DefCon in early August. Three groups of contestants each won $3,133.70, and two runners-up each won $1,337 (for being just that elite). The FTC says it receives 150,000 robocall complaints each month, down from 200,000 per month one year ago.

The contest was called “Zapping Rachel,” for the well-known scam in which a pre-recorded woman's voice tells an unsuspecting phone answerer, “Hi this is Rachel at cardholder services." The FTC separated the contestants into Creator, Attacker, and Detective categories—Creator entrants were asked to build a honeypot to lure robocallers, Detective entrants were given the honeypot data and asked to analyze it, and Attacker entrants were tasked with finding honeypot vulnerabilities. Contestants were given between 24 and 48 hours to submit their entries, depending on the category they entered.

For the Creator category, Jon Olawski, who is a software engineering director for an Internet marketing company by day, won the prize. He built a honeypot that used “an audio captcha filter, call detail analysis, and recording and transcription analysis” to automatically rate whether an incoming call came from a robocaller or not. In an e-mail to Ars, Olawski described his idea as “a 10-point 'strike' system”: if a caller accumulates a certain number of strikes, that calling number is treated as a robocaller and can be placed on a blacklist.


 
IBM PowerVC 'api-paste.ini' Multiple Insecure File Permissions Vulnerabilities
 
Cisco 1800 Series CVE-2014-3347 Denial of Service Vulnerability
 
Re: SaaS Marketing platform Hubspot export vulnerability
 

Within four days of the first public reports of a major flaw in OpenSSL's software for securing communications on the Internet, mass attacks searched for and targeted vulnerable servers.

In a report released this week, IBM found that while the attacks have died down, approximately half of the original 500,000 potentially vulnerable servers remain unpatched, leaving businesses at continuing risk of the Heartbleed flaw. On average, the company currently sees 7,000 daily attacks against its customers, down from a high of 300,000 attacks in a single 24-hour period in April, according to the report based on data from the company's Managed Security Services division.

"Despite the initial rush to patch systems, approximately 50 percent of potentially vulnerable servers have been left unpatched—making Heartbleed an ongoing, critical threat," the report stated.


 
[SECURITY] [DSA 3014-1] squid3 security update
 
JPMorgan Chase was one of at least five US banks hit by a sophisticated attack against its networks that netted the attacker large volumes of bank account data—for an unknown purpose.

The FBI is reportedly investigating whether a sophisticated attack on JPMorgan Chase and at least four other banks was the work of state-sponsored hackers from Russia. The attacks, which were detected earlier this month, netted gigabytes of checking and savings account data, according to a report by The New York Times.

Update: According to one source Ars contacted who claims to be familiar with the investigation at JPMorgan Chase, the attack on the bank stemmed from malware that infected an employee's desktop computer. It was not clear whether the malware was delivered by a web attack or by an email "phishing" attack.

In a statement sent to Ars, John Prisco, CEO of the security firm Triumfant said, "The nature of the JPMorgan breach was a persistent threat with a backdoor that enabled the attacker to enter whenever they wanted." He expressed surprise that the breach went undetected for so long, claiming that it was "fairly easy breach to detect."


 
SEC Consult SA-20140828-0 :: F5 BIG-IP Reflected Cross-Site Scripting
 
Aerohive Hive Manager and Hive OS Multiple Vulnerabilities
 
[SECURITY] [DSA 3013-1] s3ql security update
 
[The ManageOwnage Series, part II]: User credential disclosure in ManageEngine DeviceExpert
 

5 things infosec can learn from adventure games
Help Net Security
Unfortunately, in infosec we don't have a common way of evaluating security controls – there is no such thing as a +3 firewall, for example. However, we can come up with our own factors to evaluate countermeasures so we can objectively compare one ...
