Safe - Tools, Tactics and Techniques

Published: 2013-05-20
Last Updated: 2013-05-20 23:14:40 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Trend Micro published a report last week on a spear-phishing emails campaign that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158).

This paper identified specific targets:

  • Government ministries
  • Technology companies
  • Media outlets
  • Academic research institutions
  • Nongovernmental organizations

According to the report, "While we have yet to determine the campaign’s total number of victims, it appears that nearly 12,000 unique IP addresses spread over more than 100 countries were connected to two sets of command-and-control (C&C) infrastructures related to Safe.[1]" Another fact of interest is the author of the malware is probably a professional software developer that reused legitimate source code from an Internet services company. Based on the information collected, they found "One key indicator that can be used to detect this network communication is the user-agent, Fantasia."[1] Additional information is available in the report.

If you have collected some malware matching this description, we would be interested to get some samples. You can submit them via our contact form.

[1] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf
[2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

0 comment(s)

Ubuntu Package available to submit firewall logs to DShield

Published: 2013-05-20
Last Updated: 2013-05-20 20:16:53 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

I put together a simple .deb package to install our DShield iptables client on Ubuntu. The package is our standard perl client to submit iptables logs, but it is pre-configured for Ubuntu 12.04 LTS. It will submit IPv4 as well as IPv6 logs. Please give it a try and let me know if you run into any issues. For details, see

http://isc.sans.edu/clients/ubuntu.html

use our contact form for feedback or send it directly to me at jullrich - at - sans.edu 

The client will install the perl script in /opt/dshield, and all configuration files in /etc/dshield. It will also add an hourly cron job to check /var/log/ufw.log for new logs and mail them to DShield. All parameters can still be further configured via /etc/dshield/dshield.cnf.

To submit logs, we recommend you setup an account. But if you would like to submit anonymous reports, just use "0" as userid.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: dshield ipv6 ubuntu
3 comment(s)
ISC StormCast for Monday, May 20th 2013 http://isc.sans.edu/podcastdetail.html?id=3317

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives