CONTENTS::

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 5/16/2013 - 5/21/2013

TOP VULNERABILITY THIS WEEK: Norwegian security vendor Norman released

a detailed technical report this week profiling an active APT group
based out of India, identifying IP addresses, domain names, MD5s, and
other relevant technical information throughout. While the existence of
such a group is not particularly surprising - APT groups exist worldwide

• • the report has been praised by members of the security community for

its thoroughness and the level of detection detail provided. Sourcefire
has observed this group in the wild over the past several months, and
customers are protected through a number of distinct Sourcefire
technologies as discussed below.

NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Norman releases detailed report on Indian-based APT
infrastructure
Description: A research report released this week by Norwegian company
Norman - most famous for tools of theirs such as Norman SandBox -
details the infrastructure used by a group similar to Mandiant’s APT1,
only this time based out of India, not China. The report, which is
quietly garnering praise among the research community, provided hundreds
of domain names, IP addresses, and binary indicators that could be used
to detect malware created by this group - which also appears to be
connected to targeted Mac malware found at the Oslo Freedom Forum last
week (details below). Detection for this group’s C&C infrastructure has
been in place in Sourcefire products since January with SID 25669, and
ClamAV users have been protected by the Trojan.Win32.Selasloot.A
definitions since that time as well.
Reference:
http://blogs.norman.com/2013/security-research/the-hangover-report
Snort SID: 25669
ClamAV: Trojan.Win32.Selasloot.A

Title: Mac spyware found at Oslo freedom forum
Description: During a demonstration of how to secure personal devices
against government monitoring, respected independent researcher Jacob
Appelbaum discovered a brand new piece of targeted Mac malware on an
African activist’s system - one signed with an Apple developer ID, no
less. The discovery is a reminder that targeted attacks abound on Mac
systems, and that users of that platform should be as diligent in their
patching as their PC counterparts. Further research by Norwegian company
Norman indicates that this particular piece of malware can be traced to
a professional organization inside of India, for example (details
above).
Reference:
http://www.f-secure.com/weblog/archives/00002554.html
http://www.virustotal.com/en/file/ 6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/
Snort SID: 26670, 26671
ClamAV: OSX.Trojan.KitM

Title: Adobe releases slew of patches
Description: Adobe released a number of new vulnerabilities during its
last patch cycle this past week. The vulnerabilities ranged from denial
of service through remote code execution. While none were confirmed to
be actively exploited in the wild at the time of publication, users
should still patch immediately, on the assumption that the longer since
the release of the patches, the more likely it becomes that exploits
will emerge, public or private.
Reference:
http://www.adobe.com/support/security/bulletins/apsb13-14.html
http://www.adobe.com/support/security/bulletins/apsb13-15.html
Snort SID: 26651, 26652, 26664, 26665, 26687, 26688, 26694
ClamAV: PDF.Exploit.CVE_2013_2729, Swf.Exploit.CVE_2013_3329

Title: Source code for Java exploit that won Pwn2Own released -
CVE-2013-1491
Description: Researcher Joshua Drake of Accuvant Labs this week released
source code for the Java exploit that won him this year’s Pwn2Own
contest. The vulnerability - which to date has not been exploited in the
wild - is startlingly simple, taking Drake only 68 lines of
well-commented Java to achieve. Users are urged to ensure they run
up-to-date Java installations at all times, and to assume that this
exploit will be weaponized in the near future.
Reference:
http://blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruption
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Snort SID: 26716 26717
ClamAV: Java.Exploit.CVE_2013_1491

USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Writing exploits with the Elderwood Kit, Part 2:
http://blog.trailofbits.com/2013/05/20/writing-exploits-with-the-elderwood-kit-part-2/

The Hangover Report: Unveiling an Indian cyberattack structure:
http://blogs.norman.com/2013/security-research/the-hangover-report

Technique to spoof the content of any Facebook app:
http://thehackernews.com/2013/05/facebook-hacking-technique-to-spoof.html

PenTesterLab.com - exercises to learn Pen Testing:
http://www.darknet.org.uk/2013/05/pentesterlab-com-excercises-to-learn-penetration-testing/

Ragebooter: “Legit” DDoS for hire, or Fed backdoor?
http://krebsonsecurity.com/2013/05/ragebooter-legit-ddos-service-or-fed-backdoor/

Introduction to Windows kernel security research:
http://blog.cmpxchg8b.com/2013/05/introduction-to-windows-kernel-security.html

How I “stole” $14M from a bank - a security tester’s tale:
http://money.cnn.com/2013/05/15/technology/security/bank-heist/index.html?iid=Lead

Exploiting a Go binary:
http://codearcana.com/posts/2013/04/23/exploiting-a-go-binary.html

The wonder of Sirefef plunder:
http://blogs.technet.com/b/mmpc/archive/2013/05/20/the-wonder-of-sirefef-plunder.aspx

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

ID: CVE-2013-3075
Title: Mitsubishi MX Component “ActUWzd.dll” ActiveX Control Heap
Buffer Overflow Vulnerability
Vendor: Mitsubishi Electronic Corporation
Description: Multiple buffer overflows in ActUWzd.dll 1.0.0.1 in
Mitsubishi MX Component 3, as distributed in Citect CitectFacilities
7.10 and CitectScada 7.10r1, allow remote attackers to execute arbitrary
code via a long string, as demonstrated by a long WzTitle property value
to a certain ActiveX control.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2013-1347
Title: Microsoft Internet Explorer 8 Use-After-Free Memory Corruption
Vulnerability
Vendor: Microsoft
Description: Microsoft Internet Explorer 8 does not properly handle
objects in memory, which allows remote attackers to execute arbitrary
code by accessing an object that (1) was not properly allocated or (2)
is deleted, as exploited in the wild in May 2013.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2013-3336
Title: Adobe ColdFusion Information Disclosure Vulnerability (APSB13-13)
Vendor: Adobe
Description: Unspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1,
9.0.2, and 10 allows remote attackers to read arbitrary files via
unknown vectors.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

ID: CVE-2013-2423
Title: Java Applet Reflection Type Confusion Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK
7, allows remote attackers to affect integrity via unknown vectors
related to HotSpot. NOTE: the previous information is from the April
2013 CPU. Oracle has not commented on claims from the original
researcher that this vulnerability allows remote attackers to bypass
permission checks by the MethodHandles method and modify arbitrary
public final fields using reflection and type confusion, as demonstrated
using integer and double fields to disable the security manager.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

ID: CVE-2013-0632
Title: Adobe ColdFusion APSB13-03 Remote Exploit
Vendor: Adobe
Description: Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote
attackers to bypass authentication and possibly execute arbitrary code
via unspecified vectors, as exploited in the wild in January 2013.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2013-1493
Title: Oracle Java SE JVM 2D Subcomponent Remote Code Execution
Vulnerability (Oracle Security Alert for CVE-2013-1493)
Vendor: Oracle
Description: The color management (CMM) functionality in the 2D
component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and
earlier, and 5.0 Update 40 and earlier allows remote attackers to
execute arbitrary code or cause a denial of service (crash) via an image
with crafted raster parameters, which triggers (1) an out-of-bounds read
or (2) memory corruption in the JVM, as exploited in the wild in
February 2013.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

MOST PREVALENT MALWARE FILES 5/16/2013 - 5/21/2013 COMPILED BY SOURCEFIRE

SHA 256: D14B66BD4C4C8F66A6EDF2820FD4162D09B326BEAF6A42014596571E81A1A503
MD5: 68b7f7a26b76805432e3d50009d2ab1f
VirusTotal:
https://www.virustotal.com/file/D14B66BD4C4C8F66A6EDF2820FD4162D09B326BEAF6A42014596571E81A1A503/analysis/

Typical Filename: winhghqv.exe
Claimed Product: winhghqv.exe
Claimed Publisher: winhghqv.exe

SHA 256: E83A61AE6CFED6861AFDFA73CA41B0000BFCFD4FF710B8C0067805024286CD07
MD5: 8bc3498a39fb2d290a8975fd5419eb55
VirusTotal:
https://www.virustotal.com/file/E83A61AE6CFED6861AFDFA73CA41B0000BFCFD4FF710B8C0067805024286CD07/analysis/

Typical Filename: 8bc3498a39fb2d290a8975fd5419eb55
Claimed Product: 8bc3498a39fb2d290a8975fd5419eb55
Claimed Publisher: 8bc3498a39fb2d290a8975fd5419eb55

SHA 256: 6DDD0C3C4CC0A59E91964177139E979EF2D47C6C4645AADAC6A7A99A0DB16D12
MD5: e6daf677556826186b78b03d035be182
VirusTotal:
https://www.virustotal.com/file/6DDD0C3C4CC0A59E91964177139E979EF2D47C6C4645AADAC6A7A99A0DB16D12/analysis/

Typical Filename: e6daf677556826186b78b03d035be182
Claimed Product: e6daf677556826186b78b03d035be182
Claimed Publisher: e6daf677556826186b78b03d035be182

SHA 256: BCA737045DD0E165313B3C53654532B6F0BE5D09A699B17525010F98432A298F
MD5: 5614eb6a8764ce3cb9054af371f03b55
VirusTotal:
https://www.virustotal.com/file/CA737045DD0E165313B3C53654532B6F0BE5D09A699B17525010F98432A298F/analysis/

Typical Filename: jar_cache5360035341921924744.rar
Claimed Product: jar_cache5360035341921924744.rar
Claimed Publisher: jar_cache5360035341921924744.rar

SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal:
https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/

Typical Filename: klplmq.sys
Claimed Product: klplmq.sys
Claimed Publisher: klplmq.sys