Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

DHCP requests to 1.1.1.1 and 3.3.3.3?

Published: 2011-01-06
Last Updated: 2011-01-07 18:30:51 UTC
by donald smith (Version: 2)
7 comment(s)

We had one reader write in today stating that they are seeing dhcp requests to 1.1.1.1 and 3.3.3.3.

DHCP packets should be sent to the broadcast address 255.255.255.255.

So if anyone has packets or an explanation for this traffic please write in to let us know your thoughts.

 

UPDATE

When I googled around for dhcp and 1.1.1.1 and 3.3.3.3 I found lots of links to cicso examples for dhcp and dhcp helper.

Several reader's wrote in pointing out those those two IP addresses appear in cisco DHCP examples.

So one current theory is someone was learning about DHCP and used the examples as is without changing the example ip addresses.

Keywords:
7 comment(s)

Fake Game Demo website

Published: 2011-01-06
Last Updated: 2011-01-06 21:10:19 UTC
by donald smith (Version: 1)
2 comment(s)

Lee informed us today that dota2trailer.tk claims to have a video trailer for the new Dota 2 game but instead installs a keylogger to steal credentials from gamers.

The website warns that you need java script enabled so it may have some java exploits.

VirusTotal's url check didn't show any known maliciousness associated with that url.
http://www.virustotal.com/url-scan/report.html?id=c6b23afaa80fb96f096cb9b9e6a25012-1294334566
Firefox Clean site
G-Data Clean site
Google Safebrowsing Clean site
Opera Clean site
ParetoLogic Clean site
Phishtank Clean site


 Looking at the code on the site it does try to use java to download "hxxp://NoS.fileave.com/CamPlug.exe"
CamPlug.exe isn't recognized as malicious by any antivirus vendor at VirusTotal however it is detected as packed/encrypted by two of the vendors as Gen.Variant.MSILKrypt!IK which by itself doesn't make this malware however that has been used in other keyloggers and trojans so I believe it is malicious.


http://www.virustotal.com/file-scan/report.html?id=ecb6e9b3a5c4aa9165a7725d6b28d22dae38c8a72fe10d25eec53de5189c54bf-1294338169

Keywords:
2 comment(s)

Mac OS X v10.6.6 secuirty update

Published: 2011-01-06
Last Updated: 2011-01-06 20:52:56 UTC
by donald smith (Version: 1)
2 comment(s)

Mac OS X v10.6.6 is now available and addresses the following:

PackageKit
CVE-ID: CVE-2010-4013
Available for: Mac OS X v10.6 through v10.6.5,
Mac OS X Server v10.6 through v10.6.5
Impact: A man-in-the-middle attacker may be able to cause an
unexpected application termination or arbitrary code execution
Description: A format string issue exists in PackageKit's handling
of distribution scripts. A man-in-the-middle attacker may be able to
cause an unexpected application termination or arbitrary code
execution when Software Update checks for new updates. This issue is
addressed through improved validation of distribution scripts. This
issue does not affect systems prior to Mac OS X v10.6. Credit to
Aaron Sigel of vtty.com for reporting this issue.

Mac OS X Server v10.6.6 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

Thanks go out Dave who noticed the apple security update information to OS X v10.6 through v10.6.5 which was blank earlier today.

Keywords:
2 comment(s)
OS X 10.6.6 released. Probably some security content but Apple hasn't released details yet.

Flash Local-with-filesystem Sandbox Bypass

Published: 2011-01-06
Last Updated: 2011-01-06 04:52:41 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Flash is designed around the "sandbox" concept to only allow access to specific local files, in particular of course flash cookie files. All other local files are off limits to Flash, to prevent malicious Flash applets from exfiltrating information.

Billy Rios, a researcher with some history when it comes to Flash, was able to show how to not only bypass this restriction and allow flash to access local files.

The local file access is amazingly simple: Adobe does allow access to remote files, via the "getURL" function. As pointed out by Billy, the easiest version of this attack would just use "file://" and point to the local system. However, Adobe blacklists certain protocol handlers, so Billy had to find one that was not blacklisted and would provided the access needed. One he found is the "mhtml" handler, which works on modern Windows systems, and is not blacklisted. The user will not be prompted for permission in this case.

http://xs-sniper.com/blog/2011/01/04/bypassing-flash%E2%80%99s-local-with-filesystem-sandbox/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: adobe flash
2 comment(s)
Diary Archives