Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

What is your firewall log telling you - responses

Published: 2010-03-05
Last Updated: 2010-03-05 21:10:47 UTC
by Kyle Haugsness (Version: 1)
2 comment(s)

Responses to our earlier diary entries regarding firewall log parsing (story1 and story2) have been trickling in. 

Reader Matthias has some small awk/shell scripts for parsing iptables log files that he shared here: http://sister-shadow.de/hotlink/isc/log-scripts.tar.gz

And reader Christian recommends using Prelude LML (log monitor lackey): http://www.prelude-technologies.com/en/welcome/index.html

Update #1: An anonymous reader also suggests http://www.loganalysis.org/ .

-Kyle Haugsness

Keywords: firewall log
2 comment(s)

False scare email proclaiming North Korea nuclear launch against Japan

Published: 2010-03-05
Last Updated: 2010-03-05 21:08:31 UTC
by Kyle Haugsness (Version: 1)
3 comment(s)

Reader Jim informed us about a scare email tactic that is trying to entice users to open a malicious zip file. The email looks very well done and is supposedly written by the US Department of National Intelligence.  The email basically warns that North Korea has launched a missile at Japan (Okinawa) and that severe destruction has been reported.  At the end of a massive list of US agencies, there is a link to a report.zip file with an executable that doesn't seem to have much virus coverage at the moment.  Only Symantec is identifying it as Suspicious.Insight.  Here is another forum discussing this activity today: http://forums.malwarebytes.org/index.php?showtopic=42360.

It is a shame that Global Thermonuclear War is being used to drop lame viruses.

-Kyle Haugsness

 

3 comment(s)

Javascript obfuscators used in the wild

Published: 2010-03-05
Last Updated: 2010-03-05 16:43:23 UTC
by Kyle Haugsness (Version: 1)
2 comment(s)

I have been doing some research on Javascript obfuscators.  Various handlers have done stories in the past on how to reverse engineer obfuscated javascript that does evil things.  But I would be interested in hearing what kind of obfuscators people have been finding being used in the wild.  Are you able to identify the obfuscator just by looking at it?  What are the hardest off-the-shelf obfuscators to reverse-engineer?  I will collect responses and post them throughout the day (unless you wish the information to remain private).

-Kyle Haugsness

2 comment(s)

Unpatched Opera 10.50 and below code execution vulnerability

Published: 2010-03-05
Last Updated: 2010-03-05 16:03:04 UTC
by Kyle Haugsness (Version: 1)
1 comment(s)

Several mailing lists and readers (Juha-Matti) are reporting publicly available exploits for Opera 10.50 for Windows and below.  There actually seems to be at least two different vulnerabilities, both unpatched at this time.  One of them seems to be a DoS resulting in a browser crash, but the other looks like it will allow full code execution.  The vulnerability finders seem to indicate that these issues are known to exist in previous versions of the Opera also.  These are fairly serious and until Opera patches them, you may be well advised to stop using them for the time being.

http://secunia.com/advisories/38820/

http://www.vupen.com/english/advisories/2010/0529

 

-Kyle Haugsness

Keywords: opera
1 comment(s)
Diary Archives