Microsoft December Patch Pre-Announcement

Published: 2013-12-07
Last Updated: 2013-12-07 03:16:57 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Microsoft released its pre-announcement for the upcoming patch Tuesday. The summary indicates 11 bulletins total, 5 are critical all with remote code execution and 6 Important with a mix of remote code execution, security feature bypass and elevation of privileges. The announcement is available here.

[1] http://technet.microsoft.com/en-us/security/bulletin/ms13-dec

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

0 comment(s)

Suspected Active Rovnix Botnet Controller

Published: 2013-12-07
Last Updated: 2013-12-07 03:02:54 UTC
by Guy Bruneau (Version: 1)
3 comment(s)

We have received information about a suspected Rovnix botnet controller currently using at least 2 domains (mashevserv[.]com and ericpotic[.]com) pointing to the same IP address of 37.9.53.126 (AS 44050).

This is the information that we currently have available that should help identify if any hosts in your network is currently contacting this botnet:

  • mashevserv[.]com/config.php?version=[value here]&user=[value here]&server=[value here]&id=[value here]&crc=[value here]&aid=[value here] is where the compromised clients send an HTTP GET request to when requesting a configuration file.  If the correct values are inputted the server will return an encrypted configuration file.
  • mashevserv[.]com/admin appears to be the admin console

  • ericpotic[.]com/task.php has similar values appended to it an when the GET request is done it appears to be some sort of check-in to tell the server it is alive.
  • Posts to ericpotic[.]com/data.php are use to exfiltrating data. All communications with C&C are unencrypted over TCP 80.

It also appears this malware has very little detection. This is all we currently have. If you can recover samples either on the host or via packets and are willing to share them with us, you can upload them to our contact page.


[1] https://www.robtex.com/dns/mashevserv.com.html#graph
[2] https://www.robtex.com/dns/ericpotic.com.html#graph
[3] https://www.robtex.com/ip/37.9.53.126.html#whois
[4] http://www.xylibox.com/2013/10/reversible-rovnix-passwords.html

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

3 comment(s)

Comments


Diary Archives