
SANS ISC InfoSec Handlers Diary Blog



Mass Infection of IIS/ASP Sites

Published: 2010-06-09
Last Updated: 2010-06-12 13:40:35 UTC
by Deborah Hale (Version: 1)
8 comment(s)

Sucuri.net has released a report about a large number of sites that have been hacked and contain a malware script. A quick Google search today indicates that there are currently 111,000 sites still infected. It appears that this is only impacting websites hosted on Windows servers. The situation is being investigated.

For those who are hosting their websites on Windows IIS/ASP, you may find more information here.

http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html

http://nsmjunkie.blogspot.com/2010/06/anatomy-of-latest-mass-iisasp-infection.html - link removed... it triggers some anti-virus products.

Update: Paul at SophosLabs has released some additional information regarding this exploit and infection. Thanks Paul.

http://www.sophos.com/blogs/sophoslabs/?p=9941

Deb Hale Long Lines, LLC


Adobe POC in the Wild

Published: 2010-06-09
Last Updated: 2010-06-10 21:41:55 UTC
by Deborah Hale (Version: 1)
5 comment(s)

On June 5th, Handler Guy posted a diary about a Security Advisory for Adobe products: http://isc.sans.edu/diary.html?date=2010-06-05

We have received notification that a proof of concept (POC) has been found in malware taken from the wild and is currently being exploited.
For those of you who are Adobe users, please patch before it is too late.

Thanks to our readers who brought this to our attention. 

Update: For more information see US-CERT Technical Cyber Security Alert TA10-159A. http://www.us-cert.gov/cas/techalerts/TA10-159A.html

Thanks to those of you who have pointed out that I made a mistake in the diary. It appears that there is not yet a patch available, only mitigation steps at this time. It looks like the patch will be released for Flash Player soon, and for Reader and Acrobat later in the month.


Deb Hale Long Lines, LLC

It appears that the security update has been released by Adobe. Thanks to Juha-Matti for providing this information.

http://www.adobe.com/support/security/bulletins/apsb10-14.html

Keywords: POC Adobe

Best Practice to Prevent PDF Attacks

Published: 2010-06-09
Last Updated: 2010-06-09 19:51:40 UTC
by Deborah Hale (Version: 1)
4 comment(s)

I subscribe to Search Security at TechTarget and receive newsletters from them on a regular basis. It just so happens that the one I received today had an article about how enterprises can prevent attacks based on malicious PDFs. I just read through the article and found it a very good refresher on best practices for protecting against malware spread through any number of compromised attachments.

It is human nature, I guess, that we open attachments from folks we know and, unfortunately, even from some we don't know. Oftentimes these attachments contain more than we bargained for. Because Adobe software is on every computer in the world (ok - maybe an exaggeration), it is a really big target. And because it is a really big target, there are a number of vulnerabilities associated with one component or another. The article from TechTarget states:

"According to McAfee Inc. Avert Labs, as of Q1 2010, malicious malformed PDF files are now involved with 28% of all malware directly connected to exploits."

Considering the number of different possible attack vectors, this 28% is huge. The article goes through some very common-sense tips for protecting your organization. Although the article focuses on misused PDFs, its advice can be applied to protect against other potential attack vectors as well.

Some may say this is old news and common sense and I won't disagree.  But sometimes the old makes things new again.

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1513908,00.html?track=NL-422&ad=769731&asrc=EM_NLT_11739094&uid=6115703


Deb Hale Long Lines, LLC
