CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 7/15/2013 - 7/22/2013

TOP VULNERABILITY THIS WEEK: A trivially exploitable remote code

execution vulnerability was recently announced in the popular Apache
Struts2 framework, and it is being exploited in the wild already with
automated tools. Administrators are urged to patch immediately.

1) In-depth, hands-on technical courses led by top SCADA experts.
Industrial Control Systems Training in Washington DC
http://www.sans.org/info/135977

2) Retina is a web-based console that simplifies and centralizes
vulnerability management and patching. With Retina, decrease time,
effort, and cost of managing security risks.
http://www.sans.org/info/135982

3) Jane Lute former Deputy Secretary of the DHS to keynote Critical
Security Controls Summit! Register today.
http://www.sans.org/info/135987

NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Apache Struts vulnerability being exploited in the wild
(CVE-2013-2251)
Description: A remote code execution vulnerability was announced two
weeks ago in the popular Apache Struts2 framework, and the Sourcefire
VRT has directly observed exploitation in the wild in multiple locations
since the announcement. Attacks appear to be highly automated, and are
thus likely to be widespread in the field. Administrators are urged to
ensure their systems are patched immediately.
Reference:
http://struts.apache.org/release/2.3.x/docs/s2-016.html
Snort SID: 27243 - 27245
ClamAV: N/A

Title: Remote command execution on many SIM cards via binary SMS
Description: German group Security Research labs has pre-announced a
weakness in the cryptographic algorithms used by as many as 1/8 of the
world’s SIM cards, which can be used to spoof over-the-air update
packets, in order to run arbitrary commands and thus deploy malware.
Details are scarce at this time, but the group is slated to present
their research at Black Hat in Las Vegas next week.
Reference:
https://srlabs.de/rooting-sim-cards/
Snort SID: N/A
ClamAV: N/A

Title: “Cookiebomb” attacks discovered in the wild
Description: A new obfuscation technique by the authors of popular
exploit kits such as Blackhole dubbed “Cookiebombing” has been recently
observed in the wild. The concept - which separates the obfuscated code
into a separate file by stuffing it into a cookie instead of directly
into the infected JavaScript - is an interesting new development in the
perpetual arms race between kit authors and security vendors, and may
present complications for certain types of detection devices.
Reference:
http://malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html
Snort SID: 27229
ClamAV: N/A

Title: FBI-themed ransomware hitting Mac OS X users
Description: A recent campaign of malware targeting OS X users with
threat of federal prosecution and a locked computer unless they pay $300
uses an interesting new technique - a popup that takes 150 clicks to
make vanish and the browser’s “restore from crash” feature to guarantee
that even a force-quit of the browser won’t fix the problem. Infected
sites do not actually attempt to drop a binary on the user’s system,
presumably because such a level of complexity is not necessary to get
users to fall for the scam.
Reference:
http://blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/
Snort SID: 27246
ClamAV: N/A

USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Cisco + Sourcefire - Now Bigger, Faster, Stronger:
http://blog.sourcefire.com/Post/2013/07/23/1374581400-cisco--sourcefire--now-bigger-stronger-faster/

Visualizations of world’s biggest data breaches:
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

DHS scales back cybersecurity programs for critical infrastructure:
http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-281988/?mod=wsj_streaming_latest-headlines

Ubuntu forums hacked, 2 million users’ information leaked:
http://ubuntuforums.org/announce.html

‘Hangover’ persists, more Mac malware found:
http://www.darkreading.com/attacks-breaches/hangover-persists-more-mac-malware-found/240158537

How I found CVE-2013-1310 in IE6 and IE7:
http://yuhongbao.blogspot.ca/2013/07/how-i-found-cve-2013-1310.html

Research on Azure web security: process execution and folder browsing:
http://blog.diniscruz.com/2013/07/research-on-azure-website-security.html

Dissecting latest Kelihos peer exchange communication:
http://blog.fortinet.com/Dissect-Latest-Kelihos-Peer-Exchange-Communication/

New commercially available web-based Wordpress/Joomal brute-forcing tool
spotted in the wild:
http://blog.webroot.com/2013/07/17/new-commercially-available-web-based-wordpressjoomla-brute-forcing-tool-spotted-in-the-wild/

California Attorney General releases breach report:
http://www.csoonline.com/article/736530/california-attorney-general-releases-breach-report

Java obfuscation tutorial:
http://www.netspi.com/blog/2013/07/15/java-obfuscation-tutorial-with-zelix-klassmaster/

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

ID: CVE-2013-1017
Title: Apple Quicktime 7 Invalid Atom Length Buffer Overflow
Vendor: Apple
Description: Buffer overflow in Apple QuickTime before 7.7.4 allows
remote attackers to execute arbitrary code or cause a denial of service
(application crash) via crafted dref atoms in a movie file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2011-4166
Title: HP Managed Printing Administration jobAcct Remote Command Execution
Vendor: HP
Description: Directory traversal vulnerability in the
MPAUploader.Uploader.1.UploadFiles method in HP Managed Printing
Administration before 2.6.4 allows remote attackers to create arbitrary
files via crafted form data.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

ID: CVE-2013-3163
Title: Microsoft Internet Explorer CBlockElement Use-after-Free Vulnerability
Vendor: Microsoft
Description: Microsoft Internet Explorer 8 through 10 allows remote
attackers to execute arbitrary code or cause a denial of service (memory
corruption) via a crafted web site, aka “Internet Explorer Memory
Corruption Vulnerability,” a different vulnerability than CVE-2013-3144
and CVE-2013-3151.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-3660
Title: Microsoft Windows “win32k!EPATHOBJ::pprFlattenRec” Privilege
Escalation Vulnerability
Vendor: Microsoft
Description: The EPATHOBJ::pprFlattenRec function in win32k.sys in
Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista
SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8,
Windows Server 2012, and Windows RT does not properly initialize a
pointer for the next object in a certain list, which allows local users
to obtain write access to the PATHRECORD chain, and consequently gain
privileges, by triggering excessive consumption of paged memory and then
making many FlattenPath function calls.
CVSS v2 Base Score: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-2460
Title: Java Applet ProviderSkeleton Insecure Invoke Method
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK
7, allows remote attackers to affect confidentiality, integrity, and
availability via unknown vectors related to Serviceability. NOTE: the
previous information is from the June 2013 CPU. Oracle has not commented
on claims from another vendor that this issue allows remote attackers to
bypass the Java sandbox via vectors related to “insufficient access
checks” in the tracing component.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

MOST PREVALENT MALWARE FILES 7/15/2013 - 7/22/2013 COMPILED BY SOURCEFIRE

SHA 256: B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3
VirusTotal:
https://www.virustotal.com/file/B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96/analysis/

Typical Filename: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Product: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Publisher: 573b6cc513e1b7cd9e35b491eacc38f3

SHA 256: 9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F
MD5: 3ff52cee72b936c56b4fbb9f970ece74
VirusTotal:
https://www.virustotal.com/file/9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F/analysis/

Typical Filename: wintdiyx.exe
Claimed Product: wintdiyx.exe
Claimed Publisher: wintdiyx.exe

SHA 256: 0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3
MD5: b3b9295385f4e74d023181e5a24f4d83
VirusTotal:
https://www.virustotal.com/file/0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3/analysis/

Typical Filename: Keygen.exe
Claimed Product: Keygen.exe
Claimed Publisher: Keygen.exe

SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal:
https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/

Typical Filename: lmlkl.sys
Claimed Product: lmlkl.sys
Claimed Publisher: lmlkl.sys

SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal:
https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/

Typical Filename: File_0_2.ok
Claimed Product: File_0_2.ok
Claimed Publisher: File_0_2.ok