CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 11/1/2012 - 11/8/2012

TOP VULNERABILITY THIS WEEK: Multiple trivially remotely exploitable

vulnerabilities were disclosed this week in Sophos antivirus products,
after researcher Tavis Ormandy had worked with the company to ensure
patches were in place prior to the release. As Ormandy included
proof-of-concept exploits in his disclosure notes, malicious activity
around them is expected to begin immediately. Users of Sophos products
should update their software immediately.

NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Researcher Tavis Ormandy releases multiple exploits for Sophos products
Description: In a scathing writeup that is a follow-on to a more
theoretical release last year, well-known security researcher Tavis
Ormandy released a series of practical attack techniques against common
Sophos antivirus deployments, including integer overflows, cross-site
scripting, heap overflows, denials of service, etc. As Ormandy disclosed
the vulnerabilities to Sophos in October, patches are available for all
but one of the attacks (a denial of service); customers are urged to
update as soon as possible, since with the detailed explanations of how
to exploit provided in Ormandy’s paper, exploits are likely to emerge
in the wild essentially immediately.
Reference:
https://lock.cmpxchg8b.com/sophailv2.pdf
http://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/
Snort SID: 24625, 24626
ClamAV: PDF.Exploit.Agent-3

Title: Anonymous celebrates Guy Fawkes Day with a slew of compromises
Description: Members of the Anonymous collective chose to celebrate Guy
Fawkes day (the historical figure from whom they draw the mask
associated with their logo) this year by defacing a slew of websites
worldwide, as well as dumping large chunks of data on PasteBin that were
part of alleged compromises of major targets such as ImageShack and
Symantec. While these claims are still being validated, the coordinated
activity shows the continuing power of this group to wreak havoc on the
Internet essentially at will, despite defenders’ best efforts to stop
them.
Reference:
http://pastebin.com/raw.php?i=jhLt7s83
http://www.technewsworld.com/story/Many-Hacks-Claimed-Few-Confirmed-on-Anons-Day-of-Mayhem-76555.html
Snort SID: N/A
ClamAV: N/A

Title: New Jersey allows last-minute email voting, invites security disaster
Description: With many of the state’s residents displaced or otherwise
impacted in their ability to vote by last week’s Hurricane Sandy, a
last-minute decision was made by the government of New Jersey to allow
voters to cast ballots by email. Confusion over procedures, which have
resulted in situations where officially-listed email addresses were
bouncing and government officials were using private accounts on
services such as Hotmail, has left a number of major security gaps open.
Not only are there potential issues with voter fraud, the follow-on to
this process will likely include phishing attacks referencing the need
to authenticate a ballot cast via e-mail. Whatever the final outcome,
the experiment will have major implications for distance online voting
in the future, as it will be America’s first major test of such a
system.
Reference:
http://www.state.nj.us/governor/news/news/552012/approved/20121103d.html
http://www.crypto.com/blog/njvoting/
http://www.businessweek.com/news/2012-11-06/security-of-n-dot-j-dot-e-mail-voting-after-storm-is-questioned
Snort SID: N/A
ClamAV: N/A

Title: Coke gets hacked, doesn’t tell anyone
Description: Bloomberg news service announced this week that Coca-Cola
company, which was considering purchasing Chinese-owned juice maker
Huiyuan in 2009, was compromised three days before that deal fell
through, with numerous sensitive files related to the acquisition having
been exfiltrated as a result of the breach. While the breach itself is,
sadly, not particularly newsworthy on its own, Coke’s failure to
disclose the breach - which might have been required under current SEC
guidelines surrounding breach disclosure had those rules been in place
three years ago - is sure to reignite the debate about the disclosure
responsibilities of organizations whose networks are breached.
Reference:
http://www.bloomberg.com/news/2012-11-04/coke-hacked-and-doesn-t-tell.html
Snort SID: N/A
ClamAV: N/A

USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

GDB quick reference:
http://www.stanford.edu/class/cs107/other/gdbrefcard.pdf

Reversing malware protocols with machine learning:
http://blog.hugogascon.com/2012/10/reversing-malware-protocols-with_28.html

Nuclear Exploit Pack goes 2.0:
http://blog.webroot.com/2012/10/31/nuclear-exploit-pack-goes-2-0/

Unencrypted bar codes on airline boarding passes pose threat:
http://www.techrepublic.com/blog/security/unencrypted-bar-codes-on-airline-boarding-passes-pose-threat/8589

Exploiting a MIPS stack overflow:
http://www.devttys0.com/2012/10/exploiting-a-mips-stack-overflow/

Final report on DigiNotar hack shows total compromise of CA servers:
http://threatpost.com/en_us/blogs/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112

iOS security: Objective-C and nil pointers:
http://blog.ioactive.com/2012/11/ios-security-objective-c-and-nil.html

Info disclosure with Apache server-status:
http://urlfind.org/?server-status

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

ID: : CVE-2012-0507
Title: Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30
and earlier, and 5.0 Update 33 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to Concurrency.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: : CVE-2012-4969
Title: Microsoft Internet Explorer 7/8/9 contain a use-after-free vulnerability
Vendor: Microsoft
Description: Microsoft Internet Explorer versions 7, 8, and 9 are
susceptible to a use-after-free vulnerability that may result in remote
code execution.
CVSS v2 Base Score: 9.7 (AV:N/AC:L/Au:N/C:C/I:C/A:P)

ID: : CVE-2012-4681
Title: Java 7 Applet Remote Code Execution
Vendor: Oracle
Description: Oracle Java 7 Update 6, and possibly other versions, allows
remote attackers to execute arbitrary code via a crafted applet, as
exploited in the wild in August 2012 using Gondzz.class and
Gondvv.class.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

ID: : CVE-2012-2019
Title: HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow
Vendor: HP
Description: Unspecified vulnerability in HP Operations Agent before
11.03.12 allows remote attackers to execute arbitrary code via unknown
vectors, aka ZDI-CAN-1325.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: : CVE-2012-4501
Title: Citrix CloudStack and CloudPlatform Default Credentials Design
Error Vulnerability
Vendor: Citrix
Description: Citrix Cloud.com CloudStack, and Apache CloudStack
pre-release, allows remote attackers to make arbitrary API calls by
leveraging the system user account, as demonstrated by API calls to
delete VMs.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

MOST PREVALENT MALWARE FILES DDDD: COMPILED BY SOURCEFIRE

SHA 256: B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3
VirusTotal: https://www.virustotal.com/file/B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96/analysis/

Typical Filename: winhblmdx.exe
Claimed Product: winhblmdx.exe
Claimed Publisher: winhblmdx.exe

SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/

Typical Filename: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Product: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Publisher: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin

SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/

Typical Filename: 01.tmp
Claimed Product: 01.tmp
Claimed Publisher: 01.tmp

SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/

Typical Filename: lmlkl.sys
Claimed Product: lmlkl.sys
Claimed Publisher: lmlkl.sys

SHA 256: D7AFECB4CB054FFC200198369613F77682291BF2FD4F73BC8A6894050B1D92C2
MD5: be3d80a773482af1702eee7574e4eb7c
VirusTotal: https://www.virustotal.com/file/D7AFECB4CB054FFC200198369613F77682291BF2FD4F73BC8A6894050B1D92C2/analysis/

Typical Filename: deployJava[1].js
Claimed Product: deployJava[1].js
Claimed Publisher: deployJava[1].js