
SANS ISC InfoSec Handlers Diary Blog



Microsoft February Patch Tuesday Advance Notification

Published: 2013-02-08
Last Updated: 2013-02-08 21:59:26 UTC
by Johannes Ullrich (Version: 1)

It looks like next Tuesday will be a busy Patch Tuesday. Expect 11 bulletins fixing 57 vulnerabilities [1]. Most of the bulletins affect Windows, but there is also one for Office, two affecting Internet Explorer and one affecting server software. It is a bit odd to see two bulletins affecting Internet Explorer instead of a single cumulative "roll-up" update. Five of the bulletins are rated critical.

Also note that Microsoft released an update for the Flash Player in Internet Explorer 10 today, in sync with Adobe's update for Flash Player [2].

[1] http://technet.microsoft.com/en-us/security/bulletin/ms13-feb
[2] http://technet.microsoft.com/en-us/security/advisory/2755801


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter


Is it Spam or Is it Malware?

Published: 2013-02-08
Last Updated: 2013-02-08 13:53:27 UTC
by Kevin Shortt (Version: 1)

The Friend

Does anyone have a friend who still regularly sends you junk via email, usually including a link or some pics? We are all IT security professionals here and know the preacher's drill on this topic. Really, we do not like wasting our time on the junk that is sent to us. Delete, Delete, Delete.

BUT, we are also human. We are the weakest link! So, today that one friend sends something over to us. This friend has a great knack for sending 'water cooler' stuff that can warrant a look-see. This friend always plants the seed of curiosity. Today, we check our email and there it is, in our inbox. Our guard is down and the flower of curiosity is opening up. In an instant, we click... <wait>... No. Damn!
The page loads...

[Image: browser shot of the page that loaded]



Now.  We Need To Know


Did we just infect our system?  

We need to know. It is time to act fast. Get to a shell and pull that page down with a command-line fetcher such as wget or curl, which retrieves the raw HTML and script without rendering or executing any of it. It is possible for this page to disappear quickly. This sample was sent in by a reader who acted fast. By the time I got around to verifying some things on this sample, the code pasted below was gone.

There have been many diaries posted about JavaScript obfuscation over the years. The two that rise to the top are from Tom Liston [1] and Daniel Wesemann [2]. If you're interested in diving deeper into this process, I recommend those diaries as required reading.

The Lazy Liston

I deployed a mixture of Tom's method and Daniel's lazy method (see the diaries mentioned above for more information).

I stripped the HTML, reformatted the JavaScript, and added some useful lines for debugging. In the image, my additions are highlighted in red, unnecessary HTML in blue, and the JavaScript code that gets debugged in black.

[Image: the prepared script, color-coded as described above]

I used jsc to help me out with the prepared script above. jsc is the command-line shell for WebKit's JavaScriptCore engine; it runs JavaScript interactively and provides a few helper functions a browser does not, including debug() and readline(). I inserted a debug and a couple of readline statements to assist. The readline allows me to pause the script to view the output. Pressing enter continues it.

Below is a snapshot of the jsc run of script.js. I pasted and circled the obfuscated strings and the decoded pieces. Note that the URL listed matches the browser shot above.

[Image: jsc run of script.js with the obfuscated strings and the decoded pieces circled]

In summary, my diagnosis of the original email and the sample with the clickable link is that it is only a spoofed email intended as spam. I humbly encourage all to offer any feedback to counter my assessment or to add value to it. Many thanks to Lode V. for sending it in!



-Kevin

--
ISC Handler on Duty
