
SANS ISC InfoSec Handlers Diary Blog


DHCP requests to and

Published: 2011-01-06
Last Updated: 2011-01-07 18:30:51 UTC
by donald smith (Version: 2)
7 comment(s)

We had one reader write in today stating that they are seeing DHCP requests to and

DHCP packets should be sent to the broadcast address

So if anyone has packets or an explanation for this traffic please write in to let us know your thoughts.



When I googled around for DHCP and and I found lots of links to Cisco examples for DHCP and the DHCP helper (relay) feature.

Several readers wrote in pointing out that those two IP addresses appear in Cisco DHCP configuration examples.

So one current theory is that someone was learning about DHCP and used the examples as-is, without changing the example IP addresses.
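A small detection check in the spirit of this diary, added here as an example and not part of the original post: it reads DHCP log lines and flags client messages sent unicast to any address other than the known DHCP server (a unicast REQUEST to the server that issued the lease is a normal renewal, so that case is allowed). The log line format, the known-server set and the 192.0.2.x / 198.51.100.x addresses are constructed for the example, not the reader's actual addresses.

```python
# Flag DHCP client traffic sent to a unicast destination that is not a known
# DHCP server or relay. Client DISCOVER traffic is expected at 255.255.255.255;
# a unicast REQUEST is legitimate during renewal, when it goes to the server
# that leased the address. Unicast requests to any other address (for example
# addresses copied verbatim from a vendor configuration example) deserve a look.
from collections import namedtuple

BROADCAST = "255.255.255.255"

# Fields a firewall or DHCP log line typically gives us (constructed format).
DhcpEvent = namedtuple("DhcpEvent", "src dst dport msgtype")


def parse_line(line):
    """Parse one constructed log line of the form
    'src=<ip> dst=<ip> dport=<port> type=<DHCPDISCOVER|DHCPREQUEST|...>'."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return DhcpEvent(fields["src"], fields["dst"], int(fields["dport"]), fields["type"])


def flag_unexpected_dhcp(lines, known_servers):
    """Return (src, dst, msgtype) for client messages (dport 67) sent unicast
    to an address outside the known server/relay set."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev.dport != 67:            # only the client -> server direction
            continue
        if ev.dst == BROADCAST:       # normal DISCOVER / REQUEST
            continue
        if ev.dst in known_servers:   # unicast renewal to the real server
            continue
        findings.append((ev.src, ev.dst, ev.msgtype))
    return findings


# Constructed sample lines; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "src=0.0.0.0 dst=255.255.255.255 dport=67 type=DHCPDISCOVER",   # normal
    "src=192.0.2.20 dst=192.0.2.1 dport=67 type=DHCPREQUEST",       # renewal to real server
    "src=192.0.2.20 dst=198.51.100.5 dport=67 type=DHCPREQUEST",    # unicast to unknown host
    "src=192.0.2.1 dst=192.0.2.20 dport=68 type=DHCPACK",           # server reply, ignored
    "src=0.0.0.0 dst=198.51.100.6 dport=67 type=DHCPDISCOVER",      # DISCOVER sent unicast: odd
]
KNOWN_SERVERS = {"192.0.2.1"}

if __name__ == "__main__":
    for src, dst, msgtype in flag_unexpected_dhcp(SAMPLE_LOG, KNOWN_SERVERS):
        print(f"unexpected unicast {msgtype} from {src} to {dst}")
```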


Fake Game Demo website

Published: 2011-01-06
Last Updated: 2011-01-06 21:10:19 UTC
by donald smith (Version: 1)
2 comment(s)

Lee informed us today that claims to have a video trailer for the new Dota 2 game but instead installs a keylogger to steal credentials from gamers.

The website warns that you need JavaScript enabled, so it may have some Java exploits.

VirusTotal's URL check didn't show any known maliciousness associated with that URL:
Firefox: Clean site
G-Data: Clean site
Google Safebrowsing: Clean site
Opera: Clean site
ParetoLogic: Clean site
Phishtank: Clean site

Looking at the code on the site, it does try to use Java to download "hxxp://"
CamPlug.exe isn't recognized as malicious by any antivirus vendor at VirusTotal; however, two of the vendors detect it as packed/encrypted (Gen.Variant.MSILKrypt!IK). That by itself doesn't make it malware, but the same packer has been used in other keyloggers and trojans, so I believe it is malicious.


Mac OS X v10.6.6 security update

Published: 2011-01-06
Last Updated: 2011-01-06 20:52:56 UTC
by donald smith (Version: 1)
2 comment(s)

Mac OS X v10.6.6 is now available and addresses the following:

CVE-ID: CVE-2010-4013
Available for: Mac OS X v10.6 through v10.6.5,
Mac OS X Server v10.6 through v10.6.5
Impact: A man-in-the-middle attacker may be able to cause an
unexpected application termination or arbitrary code execution
Description: A format string issue exists in PackageKit's handling
of distribution scripts. A man-in-the-middle attacker may be able to
cause an unexpected application termination or arbitrary code
execution when Software Update checks for new updates. This issue is
addressed through improved validation of distribution scripts. This
issue does not affect systems prior to Mac OS X v10.6. Credit to
Aaron Sigel of for reporting this issue.

Mac OS X Server v10.6.6 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:

Information will also be posted to the Apple Security Updates
web site:

Thanks go out to Dave, who noticed that the Apple security update information for OS X v10.6 through v10.6.5 was blank earlier today.

OS X 10.6.6 released. Probably some security content but Apple hasn't released details yet.

Flash Local-with-filesystem Sandbox Bypass

Published: 2011-01-06
Last Updated: 2011-01-06 04:52:41 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Flash is designed around the "sandbox" concept to only allow access to specific local files, in particular of course flash cookie files. All other local files are off limits to Flash, to prevent malicious Flash applets from exfiltrating information.

Billy Rios, a researcher with some history when it comes to Flash, was able to show how to bypass this restriction and allow Flash to access local files.

The local file access is amazingly simple: Adobe does allow access to remote files via the "getURL" function. As pointed out by Billy, the easiest version of this attack would just use "file://" and point to the local system. However, Adobe blacklists certain protocol handlers, so Billy had to find one that was not blacklisted and would provide the access needed. One he found is the "mhtml" handler, which works on modern Windows systems and is not blacklisted. The user will not be prompted for permission in this case.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: adobe flash