Vol. 12, Num. 49
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 11/29/2012 - 12/5/2012
were released against MySQL this weekend, with proof of concept
available for each issue. The bugs, which range from buffer overflows
to user enumeration, are being actively exploited in the wild now, and
no patches are available.
NOTABLE RECENT SECURITY ISSUES
Title: Multiple Remote 0-Day Attacks Against MySQL Databases
Description: A slew of remotely exploitable bugs in MySQL were released
by security researcher KingCope on the Full-Disclosure mailing list over
the weekend, with exploits including buffer overflows, user enumeration
techniques, and denial-of-service attacks. As no patches are currently
available, some of the issues target default configurations, and
exploits are already circulating in the wild, system administrators are
urged to lock down access to their database systems to only authorized
users wherever possible as a mitigation until patches become available.
Reference:
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089025.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089027.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089023.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089022.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089026.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089024.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089020.html
Snort SID: 24897
ClamAV: N/A
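Until patches ship, the first practical step is an inventory of which servers are reachable and what they run. A MySQL or MariaDB server announces its exact version in the first packet of every TCP connection, before any authentication, so a banner grab is enough to map exposure (and is also why anyone who can reach port 3306 already knows what to throw at it). The following is an added example, not code from the newsletter, from Qualys, or from the exploit posts linked above: it parses the protocol v10 handshake, handles the ERR packet a server returns to a host it refuses, and compares the announced version against the versions this issue lists for CVE-2012-5615. The handshake bytes are constructed inline to stand in for a live server; `grab_banner` does the same thing over the network.

```python
import re
import socket
import struct

# Capability bits from the MySQL client/server protocol
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000

# Versions this issue lists as affected by CVE-2012-5615. The entry says
# "and possibly other versions", so an exact match is a confirmed hit and
# anything else is merely "not listed", not "safe".
LISTED_AFFECTED = {
    "mysql": {"5.5.19"},
    "mariadb": {"5.5.28a", "5.3.11", "5.2.13", "5.1.66"},
}


def parse_mysql_greeting(data: bytes) -> dict:
    """Parse the first packet a MySQL/MariaDB server sends: HandshakeV10 or ERR."""
    if len(data) < 5:
        raise ValueError("packet too short")
    length = data[0] | (data[1] << 8) | (data[2] << 16)  # 3-byte LE length, then sequence id
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] == 0xFF:  # ERR packet, e.g. "Host ... is not allowed to connect"
        code = struct.unpack_from("<H", body, 1)[0]
        return {"error": code, "message": body[3:].decode("latin-1", "replace")}
    if body[0] != 10:
        raise ValueError("unsupported protocol version %d" % body[0])
    end = body.index(b"\x00", 1)
    version = body[1:end].decode("ascii", "replace")   # NUL-terminated server version
    pos = end + 1
    conn_id = struct.unpack_from("<I", body, pos)[0]
    pos += 4
    salt = body[pos:pos + 8]                             # auth-plugin-data part 1
    pos += 9                                             # ... followed by one filler byte
    cap_lo = struct.unpack_from("<H", body, pos)[0]
    charset = body[pos + 2]
    status = struct.unpack_from("<H", body, pos + 3)[0]
    cap_hi = struct.unpack_from("<H", body, pos + 5)[0]
    auth_len = body[pos + 7]
    pos += 18                                            # 2+1+2+2+1 bytes of fields plus 10 reserved
    caps = cap_lo | (cap_hi << 16)
    if caps & CLIENT_SECURE_CONNECTION:
        part2 = max(13, auth_len - 8)                    # part 2 of the salt, NUL padded
        salt += body[pos:pos + part2].rstrip(b"\x00")
        pos += part2
    plugin = ""
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = body[pos:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"server_version": version, "connection_id": conn_id, "capabilities": caps,
            "charset": charset, "status": status, "salt": salt, "auth_plugin": plugin}


def classify_version(banner: str) -> dict:
    """Turn '5.5.28a-MariaDB-log' into product + numeric version and check the listed set."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+[a-z]?)", banner)
    if not m:
        return {"product": "unknown", "version": banner, "listed_affected": False}
    product = "mariadb" if "mariadb" in banner.lower() else "mysql"
    short = ".".join(m.groups())
    return {"product": product, "version": short,
            "listed_affected": short in LISTED_AFFECTED[product]}


def grab_banner(host: str, port: int = 3306, timeout: float = 5.0) -> dict:
    """Live version: connect, read the greeting (small enough for one recv), parse it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return parse_mysql_greeting(sock.recv(4096))


def build_sample_greeting(version: str, conn_id: int, salt: bytes) -> bytes:
    """Constructed HandshakeV10 packet (assumed test input, not a real capture)."""
    assert len(salt) == 20
    caps = 0x000FF7FF  # typical 5.5 flag set; includes SECURE_CONNECTION and PLUGIN_AUTH
    body = bytes([10]) + version.encode("ascii") + b"\x00"
    body += struct.pack("<I", conn_id) + salt[:8] + b"\x00"
    body += struct.pack("<HBHH", caps & 0xFFFF, 8, 2, caps >> 16)
    body += bytes([len(salt) + 1]) + b"\x00" * 10
    body += salt[8:] + b"\x00" + b"mysql_native_password\x00"
    return struct.pack("<I", len(body))[:3] + b"\x00" + body


SAMPLE_GREETING = build_sample_greeting("5.5.19-log", 42, b"abcdefghijklmnopqrst")

if __name__ == "__main__":
    info = parse_mysql_greeting(SAMPLE_GREETING)
    print(info["server_version"], classify_version(info["server_version"]))
```

Run `grab_banner` against each database host from a scanner box that sits outside the database subnet: any host that answers with a handshake rather than an ERR packet is reachable by unauthenticated clients and belongs on the lock-down list. Treat `listed_affected: False` as "unknown" rather than "unaffected", since the entries below say "possibly other versions".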
Title: Dump of Syrian Ministry of Foreign Affairs’ Email Reveals Targeted Malware
Description: After Anonymous published a dump of email from the Syrian
Ministry of Foreign Affairs on the site “Par:AnoIA”, researchers noted
that a message sent on December 5, 2011 contained targeted malware,
which entered the system via a PDF exploit using CVE-2010-0188. A
similar attack has been used in targeted campaigns over the course of
the last year, according to Kaspersky.
Reference:
http://vrt-blog.snort.org/2012/12/quarian.html
http://www.securelist.com/en/blog/774/A_Targeted_Attack_Against_The_Syrian_Ministry_of_Foreign_Affairs
http://par-anoia.net/releases.html#mofa
Snort SID: 24858, 24859
ClamAV: Win.Trojan.Quarian
Title: Windows AutoRun Malware Makes A Comeback
Description: Several security vendors have noted recently that malware
known alternately as W32/Autorun or W32/Changeup - which spreads via the
AutoRun feature on Windows when removable media is plugged into a system
- is making a comeback after being largely dormant this year. System
administrators should disable the AutoRun feature wherever feasible, in
addition to deploying AV and IDS signatures as appropriate.
Reference:
http://isc.sans.edu/diary.html?storyid=14584&rss
Snort SID: 17042 - 17044, 19290, 24842 - 24856, 24500
ClamAV: WIN.Trojan.Changeup
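Disabling AutoRun is a registry policy (NoDriveTypeAutoRun = 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, documented in Microsoft KB967715), but responders also need to triage the autorun.inf files these worms leave on removable media and network shares. The following is an added example, not code from the newsletter or the ISC diary it references: a tolerant parser for autorun.inf that flags the directives which actually cause code to run or hijack the double-click action (`open`, `shellexecute`, `shell`, and `shell\<verb>\command`) and extracts the referenced executables. The two sample files are constructed; the junk line in the second mimics the binary padding some variants insert to trip strict INI parsers.

```python
import re

# [autorun] directives that launch a program or redirect the default action
EXEC_KEYS = {"open", "shellexecute", "shell"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
FIRST_TOKEN = re.compile(r'^"([^"]*)"|^(\S+)')


def parse_autorun_inf(text: str) -> dict:
    """INI parse that ignores junk lines and NUL padding: {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().strip("\x00")
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line.endswith("]"):
            current = line[1:-1].strip().lower()     # section names are case-insensitive
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue                                  # garbage between directives
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def triage_autorun(text: str) -> list:
    """Return the (directive, value) pairs in [autorun] that execute something."""
    findings = []
    for key, value in parse_autorun_inf(text).get("autorun", []):
        if key in EXEC_KEYS or SHELL_COMMAND.match(key):
            findings.append((key, value))
    return findings


def referenced_paths(findings: list) -> list:
    """Executables named by the flagged directives (quoted or first whitespace token)."""
    paths = set()
    for key, value in findings:
        if key == "shell":            # value is a verb name (e.g. "open"), not a file
            continue
        m = FIRST_TOKEN.match(value)
        if m:
            paths.add(m.group(1) or m.group(2))
    return sorted(paths)


# Constructed samples: a vendor-style file that only sets an icon, and a worm-style one
BENIGN = "[autorun]\nicon=setup.exe,0\nlabel=Vendor Tools\n"
SUSPICIOUS = (
    "[AutoRun]\r\n"
    "\x01\x02\x03junk bytes inserted to confuse parsers\r\n"
    "open=RECYCLER\\hidden.exe\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "action=Open folder to view files\r\n"   # mimics the Explorer prompt wording
    "shell\\open=Open\r\n"
    "shell\\open\\command=RECYCLER\\hidden.exe -run\r\n"
    "shell=open\r\n"
    "UseAutoPlay=1\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        hits = triage_autorun(sample)
        print(name, hits, referenced_paths(hits))
```

Pull the referenced files from the same volume (they are usually hidden and system-attributed) and hash them against the prevalent-file list at the end of this issue before cleaning the drive; an `action=` line that imitates the normal "Open folder to view files" prompt is a strong hint on its own.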
Title: Exploit Kit Market Continues To Expand
Description: New exploit kits are continuing to emerge in the wild, as
that model of online criminal economics becomes more dominant by the
day. Kits such as Sweet Orange and the Cool Exploit Kit, released within
the last few months, are nowhere near as dominant as established players
like Blackhole or Phoenix, but are equally dangerous, and network
defenders need to be paying attention to them as well as the heavy
hitters of the industry.
Reference:
http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html
http://malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html
Snort SID: 24837 - 24840, 24778 - 24784
ClamAV: N/A
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
Romanian hackers responsible for $30 million Australian credit card theft:
http://www.abc.net.au/news/2012-11-29/afp-uncovers-romanian-card-hacking-scheme/4397954
China Mafia-style hack drives California firm to brink:
http://www.bloomberg.com/news/2012-11-27/china-mafia-style-hack-attack-drives-california-firm-to-brink.html
Syria cut off from the Internet:
http://www.renesys.com/blog/2012/11/syria-off-the-air.shtml
Angry Birds Star Wars SMS sender:
http://www.gfi.com/blog/the-fail-is-strong-with-this-one-angry-birds-star-wars-android-sms-sender/
Forex site targeted: did cybercrooks find the weakest link in online
money management?
http://community.websense.com/blogs/securitylabs/archive/2012/11/28/Forex-website-targeted-_1320_-did-cybercrooks-find-the-weakest-link-in-online-money-management-services_3F00_-.aspx
Brute-force PHP session IDs in 8 minutes using Amazon’s GPU farm:
http://www.slideshare.net/DefconRussia/reutov-yunusov-nagibin-random-numbers-take-ii
Incident response with NTFS INDX buffers:
https://www.mandiant.com/blog/archives/3560
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: Not Available
Title: SSH Tectia Server Remote Authentication Bypass
Vendor: SSH Communications
Description: A remote authentication bypass vulnerability was disclosed
which affects the current Unix/Linux versions of Tectia SSH Server. The
vulnerability exploits a bug in the SSH USERAUTH CHANGE REQUEST
function.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2012-5615
Title: MySQL Remote User Enumeration
Vendor: Oracle
Description: MySQL 5.5.19 and possibly other versions, and MariaDB
5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates
different error messages with different time delays depending on whether
a user name exists, which allows remote attackers to enumerate valid
usernames.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
ID: CVE-2012-3752
Title: Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow
Vendor: Apple
Description: Multiple buffer overflows in Apple QuickTime before 7.7.3
allow remote attackers to execute arbitrary code or cause a denial of
service (application crash) via a crafted style element in a QuickTime
TeXML file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2012-4964
Title: Samsung Printer Firmware Contains A Backdoor Administrator Account
Vendor: Samsung
Description: Samsung printers contain a hardcoded account that could
allow a remote attacker to take control of an affected device.
CVSS v2 Base Score: 9.0 (AV:N/AC:M/Au:N/C:C/I:C/A:P)
ID: CVE-2012-4956
Title: Novell File Reporter Vulnerabilities
Vendor: Novell
Description: Heap-based buffer overflow in NFRAgent.exe in Novell File
Reporter 1.0.2 allows remote attackers to execute arbitrary code via a
large number of VOL elements in an SRS record.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
MOST PREVALENT MALWARE FILES 11/29/2012 - 12/5/2012
SHA256: 1dd140c8d5dd1c32294f31d1784ce3553af63a0d054a0bea9423b1978fcd693f
MD5: 9e180cdfa4869b8dd15b7b06771c5838
VirusTotal: https://www.virustotal.com/file/1DD140C8D5DD1C32294F31D1784CE3553AF63A0D054A0BEA9423B1978FCD693F/analysis/
Typical Filename: -
Claimed Product: -
Claimed Publisher: -
SHA256: 611a1be1c5637480b0b8decc45f959ade2d73aa26a28a0fc70c6de050ed8f5a7
MD5: a273babaefcff8f5fe61992a54e3ef1d
VirusTotal: https://www.virustotal.com/file/611A1BE1C5637480B0B8DECC45F959ADE2D73AA26A28A0FC70C6DE050ED8F5A7/analysis/
Typical Filename: -
Claimed Product: -
Claimed Publisher: -
SHA256: a3a7b80ce839360b3f50206b7381827e6257c851010328ca8043e38ee970afbd
MD5: 4852bc9f12a0d9d4125ca3f91d93647b
VirusTotal: https://www.virustotal.com/file/A3A7B80CE839360B3F50206B7381827E6257C851010328CA8043E38EE970AFBD/analysis/
Typical Filename: GOLAYA-RUSSAKAYA.exe
Claimed Product: -
Claimed Publisher: -
SHA256: b7b28e855b8c6225c605330760ff4dc407efc83f72f1a04e974a72189d0f1d96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3
VirusTotal: https://www.virustotal.com/file/B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96/analysis/
Typical Filename: winkgts.exe
Claimed Product: winkgts.exe
Claimed Publisher: winkgts.exe
SHA256: 04005e3b053e8f8465cf45fddf5856cd6ed67cbcaf908bd5eeaddd76785ca574
MD5: 0265a6d07d7d03e657b694ecee310fa5
VirusTotal: https://www.virustotal.com/file/04005E3B053E8F8465CF45FDDF5856CD6ED67CBCAF908BD5EEADDD76785CA574/analysis/
Typical Filename: -
Claimed Product: -
Claimed Publisher: -
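The hashes above are only useful if they are actually swept against hosts. The following is an added example, not code from the newsletter or from Qualys: a small sweep that hashes every file under a directory tree once (feeding MD5 and SHA256 from the same read, so large files are not read twice), normalises hex case (the lists above mix upper and lower case), skips files it cannot open instead of aborting, and reports which digest matched. The IOC tables are copied from the list above; `demo_scan` builds a constructed temporary tree with one planted match so the sweep can be exercised without real samples.

```python
import hashlib
import os
import tempfile

# Copied from the prevalent-file list above: digest -> typical filename ("-" where none was reported)
IOC_SHA256 = {
    "1dd140c8d5dd1c32294f31d1784ce3553af63a0d054a0bea9423b1978fcd693f": "-",
    "611a1be1c5637480b0b8decc45f959ade2d73aa26a28a0fc70c6de050ed8f5a7": "-",
    "a3a7b80ce839360b3f50206b7381827e6257c851010328ca8043e38ee970afbd": "GOLAYA-RUSSAKAYA.exe",
    "b7b28e855b8c6225c605330760ff4dc407efc83f72f1a04e974a72189d0f1d96": "winkgts.exe",
    "04005e3b053e8f8465cf45fddf5856cd6ed67cbcaf908bd5eeaddd76785ca574": "-",
}
IOC_MD5 = {
    "9e180cdfa4869b8dd15b7b06771c5838": "-",
    "a273babaefcff8f5fe61992a54e3ef1d": "-",
    "4852bc9f12a0d9d4125ca3f91d93647b": "GOLAYA-RUSSAKAYA.exe",
    "573b6cc513e1b7cd9e35b491eacc38f3": "winkgts.exe",
    "0265A6D07D7D03E657B694ECEE310FA5": "-",   # upper case as printed; normalised at scan time
}


def hash_file(path: str, chunk_size: int = 1 << 20) -> tuple:
    """One pass over the file feeding both digests; returns (md5_hex, sha256_hex)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def scan_tree(root: str, sha256_iocs=IOC_SHA256, md5_iocs=IOC_MD5) -> list:
    """Hash every file under root and report matches against either IOC set."""
    sha256_iocs = {k.lower(): v for k, v in sha256_iocs.items()}
    md5_iocs = {k.lower(): v for k, v in md5_iocs.items()}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue  # locked or unreadable: skip it rather than abort the sweep
            if sha256 in sha256_iocs:
                matched_on, label = "sha256", sha256_iocs[sha256]
            elif md5 in md5_iocs:
                matched_on, label = "md5", md5_iocs[md5]
            else:
                continue
            hits.append({"path": path, "md5": md5, "sha256": sha256,
                         "matched_on": matched_on, "typical_filename": label})
    return hits


def demo_scan() -> list:
    """Constructed demo: a temp tree with one planted match and one clean file."""
    sample = b"constructed sample content, not real malware\n"
    sha_iocs = dict(IOC_SHA256)
    sha_iocs[hashlib.sha256(sample).hexdigest()] = "sample.bin"   # planted IOC for the demo
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "sample.bin"), "wb") as fh:
            fh.write(sample)
        with open(os.path.join(root, "clean.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        return [(os.path.basename(h["path"]), h["matched_on"], h["typical_filename"])
                for h in scan_tree(root, sha_iocs, IOC_MD5)]


if __name__ == "__main__":
    print(demo_scan())
```

Treat an MD5-only match as a lead rather than a verdict, since MD5 collisions are practical; the SHA256 is what you should confirm before acting, and it is also the value in the VirusTotal URLs above if you want the vendor detections for a hit.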