Team CYMRU's Malware Hash Registry
Team Cymru has a new look-up service that launched recently.
The Malware Hash Registry (MHR) service allows you to
query their database of many millions of unique malware samples
for a computed MD5 or SHA-1 hash of a file. If it is malware
they know about, they return the last time they saw
it along with an approximate anti-virus detection percentage.
THERE IS NO COST FOR NON-COMMERCIAL USE OF THIS TOOL. ACCESS IS
PUBLICLY AVAILABLE TO ANYONE.
Upon submission of a malware hash, the output of the command will return
a date the sample was first seen as well as the detection rate they've
seen using up to 30 AV packages. The detection rate is based on the
first time they scanned the sample.
Queries, including reasonable bulk queries, may be made using the
command line only.
The MHR complements an anti-virus (AV) strategy by helping to identify
unknown or suspicious files that Team Cymru has already identified as
malicious. This enables you to take action earlier than you would
otherwise be able to.
Full details including command syntax and procedures can be found at
<http://www.team-cymru.org/Services/MHR/>.
This is one of several new (free) data sets and services they are
currently providing to the community; if you haven't visited their
(recently revamped) site recently please do so for details of the
extensive work they do for the security community as well as further
advice, data and tips to help you make your networks more secure:
<http://www.team-cymru.org/Services>
If you want to use this as an IDS-like tool, Seth Hall from osu.edu
has released this Bro script publicly:
http://github.com/sethhall/bro_scripts/tree/e9bdb2f6afce6c809e3434de33723639d3d43ca3/md5_hash_malware/http-cymru-malware-hash.bro
If you need to know which virus is being detected, you could use a
service like VirusTotal with an MD5 hash lookup. Just go to this URL
http://www.virustotal.com/buscaHash.html and enter the checksum
(MD5, SHA-1 or SHA-256) into the search bar.
VirusTotal.com and cymru.com are not related, so they won't have
all the same hashes, but there should be pretty good cross-service hash matching.
UPDATE
Seth Hall wrote in and advised us that he has put a short wiki up about installing the necessary support for using his changes. http://github.com/sethhall/bro_scripts/wikis/the-malware-hash-registry-and-bro-ids
Internet Explorer 960714 is released
The Microsoft Security Bulletin MS08-078 - Critical
Security Update for Internet Explorer (960714) is available now. We covered this issue in several recent diaries.
http://isc.sans.org/diary.html?storyid=5497
http://isc.sans.org/diary.html?storyid=5479
http://isc.sans.org/diary.html?storyid=5458
http://isc.sans.org/diary.html?storyid=5464
http://isc.sans.org/diary.html?storyid=5503
Here is the link to the advisory.
http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx
As previously noted this is a critical update for IE 5.0.1, IE 6,
IE 6 SP1, IE 7 and IE 8 Beta 2. It is being exploited in the wild. It is being distributed via SQL injection.
So get your patches installed ASAP.
UPDATE
Just in case it wasn't obvious to everyone. ChrisM wrote in and reminded us that:
"The emergency IE patch that came out today (MS08-078), DOES NOT replace the IE security patch that came out earlier this month (MS08-073). Both of these patches have to be installed to make IE "secure"."
Opera 9.6.3 released with security fixes
Is this browser patch day?
We have a patch coming out for IE today.
http://isc.sans.org/diary.html?storyid=5506
Firefox released an upgrade yesterday that addressed several security issues
http://isc.sans.org/diary.html?storyid=5506
Opera has released a new version to address security issues.
http://www.opera.com/docs/changelogs/windows/963/
Opera 9.63 was just released. It addresses the following security issues.
Manipulating text input contents can allow execution of arbitrary code, as reported by Red XIII.
HTML parsing flaw can cause Opera to execute arbitrary code, as reported by Alexios Fakos.
Long hostnames in file: URLs can cause execution of arbitrary code, as reported by Vitaly McLain.
Script injection in feed preview can reveal contents of unrelated news feeds, as reported by David Bloom.
Built-in XSLT templates can allow cross-site scripting, as reported by Robert Swiecki of the Google Security Team.
Fixed an issue that could reveal random data, as reported by Matthew of Hispasec Sistemas.
SVG images embedded using <img> tags can no longer execute Java or plugin content, suggested by Chris Evans.
Firefox 3.0.5 fixes several security issues.
Firefox 3.0.5 has been released with several security fixes.
Fixed in Firefox 3.0.5
MFSA 2008-69 XSS vulnerabilities in SessionStore
MFSA 2008-68 XSS and JavaScript privilege escalation
MFSA 2008-67 Escaped null characters ignored by CSS parser
MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
MFSA 2008-65 Cross-domain data theft via script redirect error message
MFSA 2008-64 XMLHttpRequest 302 response disclosure
MFSA 2008-63 User tracking via XUL persist attribute
MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
Thanks to John and Roseman for bringing this to our attention.