Microsoft December Patch Pre-Announcement
Microsoft released its pre-announcement for the upcoming patch Tuesday. The summary indicates 11 bulletins total, 5 are critical all with remote code execution and 6 Important with a mix of remote code execution, security feature bypass and elevation of privileges. The announcement is available here.
[1] http://technet.microsoft.com/en-us/security/bulletin/ms13-dec
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Suspected Active Rovnix Botnet Controller
We have received information about a suspected Rovnix botnet controller currently using at least 2 domains (mashevserv[.]com and ericpotic[.]com) pointing to the same IP address of 37.9.53.126 (AS 44050).
This is the information that we currently have available that should help identify if any hosts in your network is currently contacting this botnet:
- mashevserv[.]com/config.php?version=[value here]&user=[value here]&server=[value here]&id=[value here]&crc=[value here]&aid=[value here] is where the compromised clients send an HTTP GET request to when requesting a configuration file. If the correct values are inputted the server will return an encrypted configuration file.
- mashevserv[.]com/admin appears to be the admin console
- ericpotic[.]com/task.php has similar values appended to it an when the GET request is done it appears to be some sort of check-in to tell the server it is alive.
- Posts to ericpotic[.]com/data.php are use to exfiltrating data. All communications with C&C are unencrypted over TCP 80.
It also appears this malware has very little detection. This is all we currently have. If you can recover samples either on the host or via packets and are willing to share them with us, you can upload them to our contact page.
[1] https://www.robtex.com/dns/mashevserv.com.html#graph
[2] https://www.robtex.com/dns/ericpotic.com.html#graph
[3] https://www.robtex.com/ip/37.9.53.126.html#whois
[4] http://www.xylibox.com/2013/10/reversible-rovnix-passwords.html
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
5 months ago
isc.sans.edu
Dec 3rd 2022
5 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago