Last Updated: 2012-06-21 22:05:01 UTC
by Russ McRee (Version: 1)
I thought I'd subtitle this diary more humorously as The Twelve Ways of Pwnmas in celebration of June-uary here in the Seattle area, where it really does rain all the time.
I am priviliged to be party to a wide variety of data and telemetry for malfeasance and evil. One source in particular in use at Microsoft is a list of drive-by attack URLs discovered via detection technology utilized by MSRC Engineering.
Please note: all URLS herein mentioned should be considered hostile and dangerous. Should you choose to explore, please do so at your own risk with the appropriate prophylactic measures. I will post domains here but not full exploit URLs; I'm glad to do so by request. I'm also glad to share samples as requested.
Such a story is better told with pictures, in keeping with the depth of my analysis skills, but first some notes of interest:
- Six of twelve samples exhibit signs of exact code reuse (Exploit:JS/AdoStream), and a seventh is a very slight variant (Exploit:JS/Mult.EA). Additional reference reading for the samples detected: Exploit:JS/AdoStream
The details on the domains of nefariousness are as follows:
|Domain||Analysis Links||VT detections (of 42)|
Because infographics are all the rage:
These samples also presented a great opportunity to use an ISC Handler favorite. When you suspect code reuse or matching, Jesse Kornblum's ssdeep is an ideal tool with which to validate your assumption. As seen above, I stated that the malicious JS from six of the twelve URLs was identical. Comparing the sample (Exploit:JS/AdoStream) from Germany against the sample from Brazil proved to be a 97% match.
The Exploit:JS/Mult.EA sample was also noted as a slight variant of Exploit:JS/AdoStream. Using the German sample to compare against the slight variant from Turkey showed a 94% match.
I found it interesting that the very slight difference in JS resulted in four less detections by AV vendors. Here's the VT detection for www.meydanoptik.com sample (Exploit:JS/Mult.EA) versus the VT detection for www.stubllanet.com sample (Exploit:JS/AdoStream).
The diff between the two files as seen below shows only that the www.meydanoptik.com sample sets a cookie while www.stubllanet.com does not.
You get the idea. There are clearly commonalities in vulnerabilities targeted, methods used for exploitation, and even country of origin.
Hopefully you've found this relevant and interesting. Please share any related insight or experience you may have via comments.
Last Updated: 2012-06-21 09:50:11 UTC
by Raul Siles (Version: 2)
A week ago we mentioned a "print bomb" malware specimen doing the rounds, with a gradually improving AV detection ratio. However, we are receiving reports (Thanks Conor!) with variants of what looks like the same malware, with a very reduced AV detection ratio (0/37), so do not relax your defenses.
This new sample, called "xpsp4ress.dll", is stored on C:\Windows\System32 and creates a scheduled task in Windows with what seems to be a random name (e.g. "UUSCPK"), running "C:\WINDOWS\system32\rundll32.exe 'C:\WINDOWS\system32\
Some of the domains that has been identified when the malware phones home (C&C) are:
Look for them in your logs. There is a related write up available from Symantec: http://www.symantec.com/business/support/index?page=content&id=TECH190982.
The beauty of this unexpected malware behavior is that it can easily be detected throughout the organization printers and print servers, although at the expense of wasting precious paper, and trees as a consequence. Let's save the planet! ... and don't forget this is a good opportunity to evaluate the security of your printing architecture (network isolation, access controls, printer management, etc).
Last Updated: 2012-06-21 03:40:30 UTC
by Russ McRee (Version: 1)
Cisco issued three security advisories today, 20 JUN 2012; two are new, one is an update.
- NEW: Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module Denial of Service Vulnerability
Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA) and Cisco Catalyst 6500 Series ASA Services Module (Cisco ASASM) contain a vulnerability that may allow an unauthenticated, remote attacker to cause the reload of the affected device.
- NEW: Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client
The Cisco AnyConnect Secure Mobility Client is affected by the following vulnerabilities:
Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability
Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability
Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop HostScan Downloader Software Downgrade Vulnerability
Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability
- UPDATED: Cisco Application Control Engine Administrator IP Address Overlap Vulnerability
A vulnerability exists in Cisco Application Control Engine (ACE) software. Administrative users may be logged into an unintended context (virtual instance) on the ACE when running in multicontext mode.