Safe - Tools, Tactics and Techniques

Published: 2013-05-20
Last Updated: 2013-05-20 23:14:40 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Trend Micro published a report last week on a spear-phishing email campaign whose messages contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158).

This paper identified specific targets:

  • Government ministries
  • Technology companies
  • Media outlets
  • Academic research institutions
  • Nongovernmental organizations

According to the report, "While we have yet to determine the campaign’s total number of victims, it appears that nearly 12,000 unique IP addresses spread over more than 100 countries were connected to two sets of command-and-control (C&C) infrastructures related to Safe.[1]" Another fact of interest is that the author of the malware is probably a professional software developer who reused legitimate source code from an Internet services company. Based on the information collected, they found "One key indicator that can be used to detect this network communication is the user-agent, Fantasia."[1] Additional information is available in the report.
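One way to hunt for the user-agent indicator in web proxy logs, as an added example that is not part of the original diary or the Trend Micro report. It assumes NCSA combined-format log lines with the full URL in the request field and a case-insensitive, whole-field match; the function name and all sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicator quoted in the diary from the Trend Micro report.
INDICATOR_UA = "Fantasia"

# Assumption: NCSA combined log format, quoted fields may contain escaped quotes.
LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# Constructed sample lines (documentation addresses, made-up hosts); not real traffic.
SAMPLE_LOG = r'''
192.0.2.10 - - [20/May/2013:10:01:02 +0000] "GET http://www.example.test/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"
192.0.2.23 - - [20/May/2013:10:03:17 +0000] "POST http://host-a.example.test/ HTTP/1.1" 200 312 "-" "Fantasia"
192.0.2.23 - - [20/May/2013:10:33:18 +0000] "POST http://host-a.example.test/ HTTP/1.1" 200 298 "-" "Fantasia"
192.0.2.41 - - [20/May/2013:11:12:40 +0000] "GET http://media.example.test/a HTTP/1.1" 200 900 "-" "FantasiaPlayer/2.0 (constructed benign UA)"
2001:db8::5 - - [20/May/2013:11:20:00 +0000] "GET http://host-b.example.test/ HTTP/1.1" 404 0 "-" "fantasia"
192.0.2.50 - - [20/May/2013:11:25:00 +0000] "GET http://x.example.test/
'''.strip().splitlines()


def find_indicator(lines, indicator=INDICATOR_UA):
    """Return ({client: [(timestamp, destination_host), ...]}, unparsed_count)."""
    hits = defaultdict(list)
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # truncated or foreign-format line: count it, do not guess
            continue
        # Whole-field comparison: a UA that merely contains the word is not a hit.
        if m.group("ua").strip().lower() != indicator.lower():
            continue
        parts = m.group("request").split()
        url = parts[1] if len(parts) >= 2 else ""
        host = urlsplit(url).hostname or "unknown"
        hits[m.group("client")].append((m.group("ts"), host))
    return dict(hits), unparsed


if __name__ == "__main__":
    found, skipped = find_indicator(SAMPLE_LOG)
    for client, events in sorted(found.items()):
        dests = sorted({host for _, host in events})
        print(f"{client}: {len(events)} request(s) to {', '.join(dests)}")
    print(f"unparsed lines: {skipped}")
```

A non-zero unparsed count means some traffic was not inspected, so a clean result over such a log is not conclusive.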

If you have collected some malware matching this description, we would be interested to get some samples. You can submit them via our contact form.



Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Ubuntu Package available to submit firewall logs to DShield

Published: 2013-05-20
Last Updated: 2013-05-20 20:16:53 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

I put together a simple .deb package to install our DShield iptables client on Ubuntu. The package is our standard perl client to submit iptables logs, but it is pre-configured for Ubuntu 12.04 LTS. It will submit IPv4 as well as IPv6 logs. Please give it a try and let me know if you run into any issues. For details, see

use our contact form for feedback or send it directly to me at jullrich - at - 

The client will install the perl script in /opt/dshield, and all configuration files in /etc/dshield. It will also add an hourly cron job to check /var/log/ufw.log for new logs and mail them to DShield. All parameters can still be further configured via /etc/dshield/dshield.cnf.

To submit logs, we recommend you set up an account. But if you would like to submit anonymous reports, just use "0" as userid.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: dshield ipv6 ubuntu