(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

The Register: Australian Cyber Security Centre uses discredited data to quantify infosec threats

The cost of “cyber attacks” in Australia appears to be stabilising and the country has never been subject to an attack at the national scale, but the government's Cyber ForceTM (not its real name) is still pitching the growth of the threat. Along the ...

iT News: Aussie cyber centre warns of growing threat in first report
 

Introduction

In January 2015, the Asprox botnet switched from sending malware attachments to spamming pornography and diet-related scams [1]. Since then, we've noticed an increase in a different type of malicious spam (malspam). This malspam has zip attachments containing JavaScript files (.js), and it uses the same type of subject lines we saw from the Asprox botnet prior to 2015 [1].

We still see malspam using zipped .js attachments. One popular theme with this sort of malspam is fake resumes [2]. A reader sent us an example last week on Friday 2015-07-24 [3]. That example infected a computer with CryptoWall 3.0 when we checked it out in our lab environment.

We saw a different malspam campaign on Monday 2015-07-27 deliver Kovter and Miuref/Boaxxe.

The malspam

As usual, botnet-based malspam comes from a variety of sources, and it uses variations for the subject line. There's no easy way to filter your queries when trying to retrieve this sort of malspam.

I gathered seven of these malspam examples. Details follow:

Date/time: 2015-07-27 08:28 UTC
From: E-ZPass Manager ( [email protected] )
Subject: Indebtedness for driving on toll road #00383521
Attachment name: Invoice_00383521.zip - 1,834 bytes - MD5 hash: 9225b83e28ee6bc7cd45e99e50848bc6
Extracted file: Invoice_00383521.doc.js - 11,387 bytes - MD5 hash: c4754dadf67b40e96ecf50694d90e9eb

Date/time: 2015-07-27 08:45 UTC
From: E-ZPass Support ( [email protected] )
Subject: Payment for driving on toll road, invoice #000460414
Attachment name: E-ZPass_Invoice_000460414.zip - 1,841 bytes - MD5 hash: 509e4f3dd518113e665423d0068f5d7e
Extracted file: E-ZPass_Invoice_000460414.doc.js - 11,709 bytes - MD5 hash: 4750ea90c5c31ab622153025e0537d60

Date/time: 2015-07-27 11:10 UTC
From: E-ZPass Support ( [email protected] )
Subject: Indebtedness for driving on toll road #00000708707
Attachment name: 00000708707.zip - 1,826 bytes - MD5 hash: 25f07fc22952453665a2c1b6deb0b9d8
Extracted file: 00000708707.doc.js - 11,454 bytes - MD5 hash: 1be977c85a8c4fc9ca6b6be0e41510d7

Date/time: 2015-07-27 12:12 UTC
From: County Court ( [email protected] )
Subject: Notice to appear in Court #00336511
Attachment name: Notice_to_Appear_00336511.zip - 1,878 bytes - MD5 hash: 9efe9f44061259a53b32758c77ae8772
Extracted file: Notice_to_Appear_00336511.doc.js - 11,208 bytes - MD5 hash: d84a2d821108301077b681f4a93ecefc

Date/time: 2015-07-27 12:32 UTC
From: FedEx Standard Overnight ( [email protected] )
Subject: Courier was unable to deliver the parcel, ID00888397
Attachment name: 00888397.zip - 1,803 bytes - MD5 hash: 594f788933ab6dc05ffc03f528e11c58
Extracted file: 00888397.doc.js - 11,430 bytes - MD5 hash: 2a90f4866bc98479ab5b0c44c8add551

Date/time: 2015-07-27 12:56 UTC
From: E-ZPass Agent ( [email protected] )
Subject: Indebtedness for driving on toll road #00118934
Attachment name: E-ZPass_Invoice_00118934.zip - 1,883 bytes - MD5 hash: d0642234e722f9d9bcd9486c1c6bbb44
Extracted file: E-ZPass_Invoice_00118934.doc.js - 11,973 bytes - MD5 hash: 6af16117fe73ca903884c3684099c695

Date/time: 2015-07-27 14:39 UTC
From: E-ZPass Agent ( [email protected] )
Subject: Indebted for driving on toll road #0000161034
Attachment name: E-ZPass_0000161034.zip - 1,798 bytes - MD5 hash: c616720fa03b0238459830466657e80c
Extracted file: E-ZPass_0000161034.doc.js - 11,064 bytes - MD5 hash: 38f27b7a6c36762d75ea858134f3d5ea

The attachment

Extract the .js file from the zip archive, and you'll find a highly obfuscated JavaScript.

Tools like jsdetox can deobfuscate the script for you. However, you can easily execute the .js file on a Windows virtual machine to find URLs for the malware.
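Before anyone runs the script, a mail gateway or analyst can triage the attachment purely on its structure: a zip whose member carries a document extension in front of a Windows Script Host extension (the .doc.js pattern in every sample above) is a strong signal. The following added example (not code from the diary) does that check and records the member's MD5 for correlation; the zip content it inspects is a constructed placeholder, not the campaign's script.

```python
import hashlib
import io
import os
import zipfile

# Extensions Windows Script Host executes on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Document extensions the campaign places in front of .js as a decoy.
DECOY_EXTENSIONS = {".doc", ".pdf", ".xls", ".txt"}

def triage_zip_attachment(zip_bytes):
    """Return one finding per member of a zipped attachment: name, size, MD5,
    whether WSH would execute it, and whether it hides behind a decoy extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stem, ext = os.path.splitext(info.filename)
            _, inner_ext = os.path.splitext(stem)   # e.g. ".doc" in "Invoice.doc.js"
            data = zf.read(info)
            is_script = ext.lower() in SCRIPT_EXTENSIONS
            findings.append({
                "name": info.filename,
                "size": len(data),
                "md5": hashlib.md5(data).hexdigest(),
                "is_script": is_script,
                "double_extension": is_script and inner_ext.lower() in DECOY_EXTENSIONS,
            })
    return findings

def is_suspicious(findings):
    """Any executable script inside a mailed zip is worth quarantining for review."""
    return any(f["is_script"] for f in findings)

def build_sample_zip(member_name="Invoice_00383521.doc.js", body=b"// placeholder\n"):
    # Constructed sample: the default member name follows the campaign's naming
    # pattern, but the body is a harmless placeholder, not the diary's obfuscated script.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, body)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_zip_attachment(build_sample_zip()):
        print(finding)
```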

The IP addresses and domains hosting the follow-up malware are:


The traffic

I infected a Windows host in a lab environment with one of the .js files, E-ZPass_0000161034.doc.js (MD5 hash: 38f27b7a6c36762d75ea858134f3d5ea). This provided a full infection chain of traffic. Three EXE files were downloaded by the .js file. We then saw HTTP POST requests associated with Kovter malware. Traffic also triggered an alert for Miuref/Boaxxe. Later in the p

HTTP GET requests for the three EXE files happened first. All were identified as images in the HTTP response headers, but they were clearly executable files.
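That header/body disagreement is itself detectable: compare the declared Content-Type with the magic bytes at the start of the body. The added example below (not from the diary) does so on two constructed responses, a PE stub labelled image/jpeg and a genuine PNG header.

```python
# Magic bytes for the image types the downloads claimed to be, plus the
# Windows PE header they actually carried.
MAGIC = [
    (b"MZ", "application/x-dosexec"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]

def sniff_type(body):
    """Identify the body by its leading bytes rather than by what the server claims."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return "application/octet-stream"

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body

def check_content_type(raw):
    """Flag a response whose Content-Type says image/* while the body is a PE file."""
    _, headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff_type(body)
    return {
        "declared": declared,
        "actual": actual,
        "pe_as_image": declared.startswith("image/") and actual == "application/x-dosexec",
    }

# Constructed responses: a PE stub served as a JPEG, and a real (truncated) PNG.
FAKE_IMAGE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: 1536\r\n\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
)
REAL_IMAGE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
)

if __name__ == "__main__":
    print(check_content_type(FAKE_IMAGE_RESPONSE))
    print(check_content_type(REAL_IMAGE_RESPONSE))
```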

Below is an example of callback traffic from

The malware

Below are examples of EXE files from the infected host:

  • Kovter - C:\Users\username\AppData\Local\Temp\36140203.exe - 508.1 KB ( 520,246 bytes ) - hybrid-analysis link
  • Miuref/Boaxxe - C:\Users\username\AppData\Local\Temp\50728360.exe - 84.0 KB ( 86,016 bytes ) - hybrid-analysis link
  • Third executable - not found on host - 1.5 KB ( 1,536 bytes ) - hybrid-analysis link

A pcap of the 2015-07-27 malspam infection traffic is available at:

A zip file of the associated malware and sanitized malspam examples is available at:

The zip file is password-protected with the standard password. If you don

Final words

Malspam with zipped .js attachments has continued since I first looked into it earlier this year. We're fairly certain this style of malspam will remain an issue. Most spam filters keep these messages from getting to their intended recipients, but filters are never a foolproof method. As botnets continue to send malicious content to the world's inboxes, we should always remain aware of the current threat landscape.

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/forums/diary/What+Happened+to+You+Asprox+Botnet/19435/
[2] https://www.trustwave.com/Resources/SpiderLabs-Blog/Cryptowall-and-phishing-delivered-through-JavaScript-Attachments/
[3] https://malwr.com/analysis/ODRiNDRlNDIxYmM0NDRmZThjYWExZTI1OGY5MDJkOWU/

 

Security researchers have refined a long-theoretical profiling technique into a highly practical attack that poses a threat to Tor users and anyone else who wants to shield their identity online.

The technique collects user keystrokes as an individual enters usernames, passwords, and other data into a website. After a training session that typically takes less than 10 minutes, the website—or any other site connected to the website—can then determine with a high degree of certainty when the same individual is conducting subsequent online sessions. The profiling works by measuring the minute differences in the way each person presses keys on computer keyboards. Since the pauses between keystrokes and the precise length of time each key is pressed are unique for each person, the profiles act as a sort of digital fingerprint that can betray its owner's identity.

The prospect of widely available databases that identify users based on subtle differences in their typing was unsettling enough to researchers Per Thorsheim and Paul Moore that they have created a Chrome browser plugin that's designed to blunt the threat. The plugin caches the input keystrokes and after a brief delay relays them to the website at a pseudo-random rate. Thorsheim, a security expert who organizes the annual PasswordsCon conference, and Moore, an information security consultant at UK-based Urity Group, conceived the plugin after thinking through all the ways the typing profiles could be used to compromise online anonymity.


 

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

LinuxSecurity.com: Bind could be made to crash if it received specially crafted networktraffic.
 
LinuxSecurity.com: Security Report Summary
 
[SECURITY] [DSA 3319-1] bind9 security update
 
LinuxSecurity.com: Updated qemu-kvm packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having Important security [More...]
 
 
LinuxSecurity.com: Several security issues were fixed in QEMU.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
 
LinuxSecurity.com: Updated clutter packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security [More...]
 
LinuxSecurity.com: Several security issues were fixed in the Apache HTTP server.
 

An attack in early 2014 on Anthem, the No. 2 US health insurer, was by most measuring sticks a historic hack, leading to the biggest healthcare data breach ever. New evidence unearthed by researchers from security firm Symantec, however, shows it was business as usual for the hacking group, which over the past three years has carried out more than a dozen similar attacks.

Dubbed Black Vine, the group is well financed enough to have a reliable stream of weaponized exploits for zero-day vulnerabilities in Microsoft's Internet Explorer browser. Since 2012, the gang has brazenly infected websites frequented by executives in the aerospace, energy, military, and technology industries and then used the compromises to siphon blueprints, designs, and other intellectual property from the executives' organizations. The targeting of Anthem appears to reflect more of a secondary interest that was intended to further advance a primary interest in aerospace, energy, and other similar industries rather than to target healthcare information for its own sake.

"If someone just has Vikram's healthcare records, overall there's very little gain," Vikram Thakur, senior security researcher with Symantec, told Ars, as he described the motivations of the Black Vine group hacking Anthem. "But then you get healthcare information about a Vikram working for a government entity or a defense contractor, there is substantial value in that. This is the kind of data that's used in combination with something else to reach an entirely non-healthcare related goal."


 

[Guest Diary: Xavier Mertens] [Integrating VirusTotal within ELK]

Visualisation is key when you need to keep control of what's happening on networks which carry tons of malicious files daily. virustotal.com is a key player in fighting malware on a daily basis. Not only can you submit and search for samples on their website, but they also provide an API to integrate virustotal.com in your software or scripts. A few days ago, Didier Stevens posted some SANS ISC diaries about the integration of VirusTotal into Microsoft Sysinternals tools (here, here and here). The most common API call is to query the database for a hash. If the file was already submitted by someone else and successfully scanned, you'll get back interesting results, the best known being the file score in the form x/y. The goal of my setup is to integrate virustotal.com within my ELK setup. To feed VirusTotal, hashes of interesting files must be computed. I'm getting interesting hashes via my Suricata IDS, which inspects all the Internet traffic passing through my network.

The first step is to configure the MD5 hashes support in Suricata. The steps are described here. Suricata logs are processed by a Logstash forwarder and MD5 hashes are stored and indexed via the field fileinfo.md5:


Note: It is mandatory to configure Suricata properly to extract files from network flows. Otherwise, the MD5 hashes won't be correct. It's like using a snaplen of 0

    filter {
      if ( [event_type] == "fileinfo" and
           [fileinfo][filename] =~ /(?i)\.(doc|pdf|zip|exe|dll|ps1|xls|ppt)/ ) {
        virustotal {
          apikey      => "<YOUR_VIRUSTOTAL_API_KEY>"   # placeholder; the key is not shown on the page
          field       => "[fileinfo][md5]"
          lookup_type => "hash"
          target      => "virustotal"
        }
      }
    }

The filter above will query virustotal.com for the MD5 hash stored in fileinfo.md5 if the event contains file information generated by Suricata and if the filename contains an interesting extension. Of course, you can adapt the filter to your own environment and match only specific file formats using fileinfo.magic, or a minimum file size using fileinfo.size. If the conditions match a file, a query will be performed using the virustotal.com API and the results stored in a new virustotal field:


Now, it's up to you to build your Elasticsearch queries and dashboards to detect suspicious activity in your network. During the implementation, I noticed that too many requests sent in parallel to virustotal.com might freeze my Logstash (mine is 1.5.1). Also, keep an eye on your API key consumption so as not to exceed your request rate or daily/monthly quota.
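The two points above, which events the filter selects and how to keep the resulting lookups within a quota, can be exercised offline. This added example (not the diary's code) applies the same event_type and filename conditions to constructed Suricata EVE JSON lines, drops duplicate hashes so a file seen in many flows costs one lookup, and paces the remaining lookups; the 4-per-minute default is an assumed public-API limit, not a value from the diary.

```python
import json
import re

# Same filename test as the Logstash filter in the diary.
INTERESTING = re.compile(r"(?i)\.(doc|pdf|zip|exe|dll|ps1|xls|ppt)")

def select_hashes(eve_lines, min_size=0):
    """Return the distinct MD5 hashes, in first-seen order, from Suricata EVE JSON
    lines that satisfy the diary's filter: event_type == fileinfo and an interesting
    filename extension. min_size mirrors the optional fileinfo.size condition."""
    hashes = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") != "fileinfo":
            continue
        info = event.get("fileinfo", {})
        if not INTERESTING.search(info.get("filename", "")):
            continue
        if info.get("size", 0) < min_size:
            continue
        md5 = info.get("md5")
        if md5 and md5 not in hashes:   # one lookup per file, not per flow
            hashes.append(md5)
    return hashes

def schedule_lookups(hashes, per_minute=4):
    """Pace lookups so at most per_minute are issued in any 60 s window, instead of
    firing them all at once. Returns (offset_seconds, md5) pairs. The default quota
    is an assumption; substitute the limit attached to your own API key."""
    return [((i // per_minute) * 60, h) for i, h in enumerate(hashes)]

# Constructed sample EVE lines; the md5 values are made-up placeholders, not real IoCs.
SAMPLE_EVE = [
    '{"event_type":"http","http":{"hostname":"example.test"}}',
    '{"event_type":"fileinfo","fileinfo":{"filename":"/dl/update.exe","md5":"aaaa0001","size":520246}}',
    '{"event_type":"fileinfo","fileinfo":{"filename":"/img/logo.jpg","md5":"aaaa0002","size":4096}}',
    '{"event_type":"fileinfo","fileinfo":{"filename":"/dl/update.exe","md5":"aaaa0001","size":520246}}',
    '{"event_type":"fileinfo","fileinfo":{"filename":"/docs/Invoice.doc","md5":"aaaa0003","size":11387}}',
    '{"event_type":"fileinfo","fileinfo":{"filename":"/tiny.dll","md5":"aaaa0004","size":12}}',
]

if __name__ == "__main__":
    for offset, md5 in schedule_lookups(select_hashes(SAMPLE_EVE, min_size=1024)):
        print(f"t+{offset:>3}s  query VirusTotal for {md5}")
```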

 
Joshua J. Drake from Zimperium zLabs has reported a number of vulnerabilities in the Stagefright media playback system deployed in Android operating system devices. These vulnerabilities permit remote code execution when a specially crafted multimedia message (MMS) is sent to an Android device, which can result in the device being compromised and Trojaned, often exposing all data stored on the device. On some devices it appears that the MMS exploit can be executed with no intervention from the user, and in some cases it can be exploited completely invisibly to the user.
It looks like the issue affects all versions of Android 2.2 (Froyo, released 2010) and newer, although there is some speculation that exploit mitigation controls in the Android Jelly Bean OS (version 4.1+) and newer may thwart some exploits, but the usefulness of these controls is unclear at this time. It is also unclear from the information available today if patches are available. Google has released patched code to the smartphone vendors, but it appears most device vendors have not yet released updated firmware to the public at this time.

The CVEs for these vulnerabilities are:

CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829

It should be assumed that almost all Android devices are vulnerable, so please keep an eye out for updated firmware for your device and apply the firmware as soon as available.

Update: Ugo sent a link to a blog post by Greg Bauges which describes some configuration changes that can be made on the Android device to disable the automatic loading of MMS messages. While these changes do not stop the vulnerability from being exploited, they at least make sure the device user is aware the malicious MMS was received and run.

Update: I have been having discussions about the potential of these vulnerabilities for weaponization into a worm. Bruce Schneier has waded in with a similar idea.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

 
Debian OpenJDK CVE-2014-8873 Remote Code Execution Vulnerability
 
Linux Kernel ASLR CVE-2015-1593 Integer Overflow Vulnerability
 
WordPress Swim Team Plugin 'download.php' Arbitrary File Download Vulnerability
 
SEC Consult SA-20150728-0 :: McAfee Application Control Multiple Vulnerabilities
 
Multiple unresolved vulnerabilities in Basware Banking/Maksuliikenne
 
Another Snorby 2.6.2 - Stored Cross-site Scripting Vulnerability
 