Vol. 12, Num. 31
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 7/25/2012 - 7/31/2012
TOP VULNERABILITY THIS WEEK: Ubisoft, makers of popular video games for
PCs, included a method to run arbitrary code inside of its Uplay DRM
tool. Google researcher Tavis Ormandy this weekend discovered a way to
exploit this via a web page with no authentication necessary. Exploits
are presumed to exist in the wild.
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Ubisoft Uplay DRM Backdoor
Description: Ubisoft S.A., makers of popular games such as Assassin’s
Creed, uses a DRM system called Uplay to combat piracy. Widely respected
Google security engineer Tavis Ormandy discovered this weekend that the
Uplay system is vulnerable to remote command execution via standard API
calls that can be accessed through a web page, with no authentication
required. While Ubisoft has issued an official patch, exploitation is
trivial, and is likely to occur in the wild before users update their
systems.
Reference:
http://seclists.org/fulldisclosure/2012/Jul/375
http://www.slashgear.com/major-security-vulnerability-discovered-in-ubisoft-uplay-drm-30240879/
Snort SID: 23624
ClamAV: PUA.HTML.TROJAN
Title: Obfuscated Iframe Tags Being Used In Malvertising Campaigns
Description: The Sourcefire VRT has recently observed a pair of large
campaigns in the wild, where malicious files are planted via advertising
campaigns and/or SQL injections and then redirect users to Blackhole and
other exploit kits. The first campaign’s hallmark is an HTML iframe tag
with positioning and sizing designed specifically to make it invisible
to any browser on the planet; the second can be identified by the fact
that the iframe tag is placed on the page before the doctype tag, which
is illegal per WC3 specifications.
Reference:
http://urlquery.net/report.php?id=90530
Snort SIDs: 23618, 23620
ClamAV: N/A
Title: RunForestRun Kit Infecting Plesk Panel Services, Improves
Obfuscation Routines
Description: A malicious piece of software known as “RunForestRun” due
to the structure of the URL used to contact command and control servers
post-compromise, has been targeting the Plesk Panel control suite - a
popular management interface for web hosting providers - since June. The
kit was originally easily detectable due to static comment strings and
other obvious indicators, but an update was released last week that uses
a well-known and legitimate encoder routine to hide all malicious code.
Based upon a study of samples in the field, the Sourcefire VRT has found
a way to differentiate encoded RunForestRun files from legitimate
encoded files, and will provide updated detection if the kit changes
further.
Reference:
http://blog.unmaskparasites.com/2012/07/26/runforestrun-now-encrypts-legitimate-js-files/
Snort SID: 23473, 23621
ClamAV: Exploit.JS.Obfuscation
Title: Olympics-Themed Phish Observed in the Wild
Description: As with any high-profile event, phishers are using the 2012
London Olympics to lure unsuspecting users into drop malware onto users
throughout the world. The Sourcefire VRT has observed multiple
campaigns, including one which uses an attached file that exploits
CVE-2010-3333 (a stack overflow in Microsoft Office via RTF files), and
another which uses the currently popular technique of compromised
WordPress sites that lead to Blackhole exploit kits. While this specific
campaign has a limited lifetime, users should be constantly on guard for
any email related to recent news events.
Reference:
http://vrt-blog.snort.org/2012/07/phishing-games.html
Snort SIDs: 21041, 21964, 22095, 22101, 22102, 23171
ClamAV: BC.Exploit.CVE_2010_3333
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
Android takeover with the swipe of a smartphone:
http://www.darkreading.com/mobile-security/167901113/security/vulnerabilities/240004387/android-takeover-with-the-swipe-of-a-smartphone.html
ELF metadata abuse to run arbitrary code before memory protections are loaded:
http://cs.dartmouth.edu/~bx/elf-bf-tools/slides/elf-defcon20.pdf
Email-based malware attacks, July 2012:
http://krebsonsecurity.com/2012/07/email-based-malware-attacks-july-2012/
How malware employs anti-debugging, anti-disassembly, and
anti-virtualization technologies:
https://community.qualys.com/blogs/securitylabs/2012/07/30/how-malware-employs-anti-debugging-anti-disassembly-and-anti-virtualization-technologies
GPS spoofing:
http://erratasec.blogspot.com/2012/07/gps-spoofing.html
Easy local Windows kernel exploitation:
https://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernal_Slides.pdf
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2010-3964
Title: Scrutinizer Default Password Security Bypass Vulnerability
Vendor: Plixer
Description: The MySQL component in Plixer Scrutinizer (aka Dell
SonicWALL Scrutinizer) 9.0.1.19899 and earlier has a default password
of admin for the (1) scrutinizer and (2) scrutremote accounts, which
allows remote attackers to execute arbitrary SQL commands via a TCP
session.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2010-3964
Title: Microsoft Office SharePoint Server 2007 Remote Code Execution
Vendor: Microsoft
Description: Unrestricted file upload vulnerability in the Document
Conversions Launcher Service in Microsoft Office SharePoint Server
2007 SP2, when the Document Conversions Load Balancer Service is
enabled, allows remote attackers to execute arbitrary code via a
crafted SOAP request to TCP port 8082, aka “Malformed Request Code
Execution Vulnerability.”
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: : CVE-2012-2974
Title: SMC SMC8024L2 Switch Web Interface Authentication Bypass
Vendor: SMC Networks
Description: The web interface on the SMC SMC8024L2 switch allows
remote attackers to bypass authentication and obtain administrative
access via a direct request to a .html file under (1) status/, (2)
system/, (3) ports/, (4) trunks/, (5) vlans/, (6) qos/, (7) rstp/, (8)
dot1x/, (9) security/, (10) igmps/, or (11) snmp/.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: : CVE-2012-2957
Title: Symantec Web Gateway 5.0.3.18 LFI Remote ROOT RCE Exploit
Vendor: Symantec
Description: The management console in Symantec Web Gateway 5.0.x
before 5.0.3.18 allows local users to gain privileges by modifying
files, related to a “file inclusion” issue.
CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2012-1723
Title: Oracle Java SE Remote Code Execution Vulnerability / Blackhole
Exploit Kit
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32
and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows
remote attackers to affect confidentiality, integrity, and
availability via unknown vectors related to Hotspot.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
MOST PREVALENT MALWARE FILES 7/25/2012 - 7/31/2012: COMPILED BY SOURCEFIRE
SHA 256: CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B
MD5: 7961a56c11ba303f20f6a59a506693ff
VirusTotal: https://www.virustotal.com/file/CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B/analysis/
Malwr: http://malwr.com/analysis/7961a56c11ba303f20f6a59a506693ff
Typical Filename: C8A787C22000AE378610003396E67500D587FA4E.exe
Claimed Product: My Web Search Bar for Internet Explorer and FireFox
Claimed Publisher: MyWebSearch.com
SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Malwr: http://malwr.com/analysis/25aa9bb549ecc7bb6100f8d179452508
Typical Filename: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Product: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Publisher: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Malwr: http://malwr.com/analysis/3291e1603715c47a23b60a8bf2ca73db
Typical Filename: avz00001.dta
Claimed Product: avz00001.dta
Claimed Publisher: avz00001.dta
SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Malwr: http://malwr.com/analysis/bf31a8d79f704f488e3dbcb6eea3b3e3
Typical Filename: bf31a8d79f704f488e3dbcb6eea3b3e3
Claimed Product: bf31a8d79f704f488e3dbcb6eea3b3e3
Claimed Publisher: bf31a8d79f704f488e3dbcb6eea3b3e3
SHA 256: 0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3
MD5: b3b9295385f4e74d023181e5a24f4d83
VirusTotal: https://www.virustotal.com/file/0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3/analysis/
Malwr: http://malwr.com/analysis/b3b9295385f4e74d023181e5a24f4d83
Typical Filename: Keygen.exe
Claimed Product: Keygen.exe
Claimed Publisher: Keygen.exe
OVERVIEW
CAPABILITIES
PLATFORM APPS
Use Cases
Segments
Resources
Research
Enterprise TruRisk Platform
Free Services