Vol. 12, Num. 50
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 12/6/2012 - 12/12/2012
TOP VULNERABILITY THIS WEEK: A theoretical implementation of a
Tor-powered botnet described in a Reddit thread in April was discovered
in the wild by researchers last week. Based on the wildly popular Zeus
malware, this particular threat is designed for maximum evasion
capabilities, and may prompt copycat bots using the widely deployed Tor
anonymity software.
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Tor-powered botnet jumps from a description on Reddit to reality
Description: After a popular Reddit thread in April of 2012 described
how a botnet could be built using the Tor anonymizing proxy system, in
order to reduce the likelihood of discovery and takedown, researchers
with the Metasploit project discovered a modified Zeus binary that used
Tor in a manner almost identical to what was discussed in the thread.
While such an operation has been discussed in theory for years,
including a 2010 Defcon talk on the subject, few, if any such botnets
have been observed in the wild to date. The success of this particular
botnet, however, is likely to spur imitators going forward.
Reference:
https://community.rapid7.com/community/infosec/blog/2012/12/03/skynet-a-tor-powered-botnet-straight-from-reddit
http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/?limit=500
https://www.defcon.org/images/defcon-18/dc-18-presentations/D.Brown/DEFCON-18-Brown-TorCnC.pdf
Snort SID: 9324, 13696 - 13698, 16439 - 16442, 17917, 24169
ClamAV: Trojan.Spy.Zbot, Trojan.Spy.Zeus, Win.Trojan.Agent-20928
Title: ExploitHub site compromised, private exploit database stolen
Description: IDS and Antivirus testing firm NSS Labs, whose ExploitHub
site was set up in 2010 as a marketplace for private exploits used
(ostensibly) in penetration tests and other defense-validating
scenarios, had that project’s server compromised by the more black hat
group 1337day, whose site offers a competing database of exploits. The
compromise is likely to produce turmoil within the industry, public
release of some of the ExploitHub bugs, and/or other related fallout.
Additionally, it serves as a warning that even security vendors should
be vigilant in securing their systems, as no one is immune to attack on
improperly managed servers.
Reference:
http://priv8.1337day.com/exploitHUB.txt
Snort SID: N/A
ClamAV: N/A
Title: Targeted malware using CVE-2012-0158 persists
Description: Multiple researchers have lately discovered new targeted
attacks circulating in the wild that target CVE-2012-0158, an RTF file
format vulnerability which was patched in April of this year. Thanks to
their relatively simple format and the large number of sample exploits
available in the wild, RTFs have been a favorite of targeted attackers
in 2012, with targets ranging from Tibetan protesters to defense
contractors worldwide.
Reference:
http://krebsonsecurity.com/2012/12/chinese-espionage-attacks-against-ruskies/
http://blogs.mcafee.com/mcafee-labs/cve-2012-0158-exploit-in-the-wild
http://blog.fireeye.com/research/2012/12/to-russia-with-apt.html
Snort SID: 21797-21801,21896-21906,21937,20486,23305,24976
ClamAV: Win.Trojan.Agent
Title: Microsoft releases monthly patch update
Description: Microsoft released patches for vulnerabilities in a number
of components this Tuesday. While none are known to have exploits
currently circulating in the wild, several should be straightforward to
exploit, including a new RTF vulnerability that is likely to be used in
targeted attacks going forward. Users should, as usual, patch as soon
as feasible.
Reference:
http://technet.microsoft.com/en-us/security/bulletin/ms12-dec
Snort SID: 24956,24957-24970,24971,24972,24973,24974,24975
ClamAV: Win.Exploit.CVE_2012_1537, RTF.Exploit.CVE_2012_2539,
BC.Exploit.CVE_2012-2556
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
A peek inside a cybercrime-friendly e-shop, part 5:
http://blog.webroot.com/2012/12/10/a-peek-inside-a-boutique-cybercrime-friendly-e-shop-part-five/
SHA1 weakness benefits password crackers:
http://www.h-online.com/security/news/item/SHA1-weakness-benefits-password-crackers-1762353.html
Twitter and SMS spoofing:
http://engineering.twitter.com/2012/12/twitter-and-sms-spoofing.html
A closer look at two big-time botmasters:
http://krebsonsecurity.com/2012/12/a-closer-look-at-two-bigtime-botmasters/
Uncovering the “new” Eurograbber: really 36 million EUR?
http://eternal-todo.com/blog/uncovering-eurograbber-36-million-eur
Nine out of ten hospitals lost personal data in last two years:
http://www.scmagazine.com/nine-out-of-10-hospitals-lost-personal-data-in-last-two-years/article/271795/
Command execution on MS SQL server using Powershell:
http://labofapenetrationtester.blogspot.com/2012/12/command-execution-on-ms-sql-server-using-powershell.html
Hooked on mnemonics worked for me:
http://hooked-on-mnemonics.blogspot.com/2012/12/a-couple-of-days-ago-there-was-blog.html
Anon on the run: How Commander X jumped bail and fled to Canada:
http://arstechnica.com/tech-policy/2012/12/anon-on-the-run-how-commander-x-jumped-bai/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: : CVE-2012-5975
Title: SSH Tectia Authentication Bypass Remote
Vendor: SSH Communications
Description: A remote authentication bypass vulnerability was disclosed
which affects the current Unix/Linux versions of Tectia SSH Server. The
vulnerability exploits a bug in the SSH USERAUTH CHANGE REQUEST
function.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: : CVE-2012-5615
Title: MySQL Remote User Enumeration
Vendor: Oracle
Description: MySQL 5.5.19 and possibly other versions, and MariaDB
5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates
different error messages with different time delays depending on whether
a user name exists, which allows remote attackers to enumerate valid
usernames.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
ID: : CVE-2012-4964
Title: Samsung Printer Firmware Contains A Backdoor Administrator Account
Vendor: Samsung
Description: Samsung printers contain a hardcoded account that could
allow a remote attacker to take control of an affected device.
CVSS v2 Base Score: 9.0 (AV:N/AC:M/Au:N/C:C/I:C/A:P)
ID: : CVE-2012-6066
Title: FreeFTPD /FreeSSHD Remote Authentication Security Bypass Vulnerability
Vendor: freesshd
Description: freeSSHd.exe in freeSSHd through 1.2.6 allows remote
attackers to bypass authentication via a crafted session, as
demonstrated by an OpenSSH client with modified versions of ssh.c and
sshconnect2.c.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: : CVE-2012-5611
Title: Oracle MySQL Server Command Processing Buffer Overflow Vulnerability
Vendor: Oracle
Description: Stack-based buffer overflow in MySQL 5.5.19, 5.1.53, and
possibly other versions, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x
before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows
remote authenticated users to execute arbitrary code via a long argument
to the GRANT FILE command.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
MOST PREVALENT MALWARE FILES 12/6/2012 - 12/12/2012 COMPILED BY SOURCEFIRE
SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Typical Filename: File_0_2.ok
Claimed Product: File_0_2.ok
Claimed Publisher: File_0_2.ok
SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Typical Filename: 3291e1603715c47a23b60a8bf2ca73db
Claimed Product: 3291e1603715c47a23b60a8bf2ca73db
Claimed Publisher: 3291e1603715c47a23b60a8bf2ca73db
SHA 256: 0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3
MD5: b3b9295385f4e74d023181e5a24f4d83
VirusTotal: https://www.virustotal.com/file/0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3/analysis/
Typical Filename: Keygen.exe
Claimed Product: Keygen.exe
Claimed Publisher: Keygen.exe
SHA 256: 01DF66ADC51D4BEA5E28DD4ED4A7F0130546FD1ABE03C6AA40AADD38DDBFDA87
MD5: f869010b28721110d7343f39ec3b6d60
VirusTotal: https://www.virustotal.com/file/01DF66ADC51D4BEA5E28DD4ED4A7F0130546FD1ABE03C6AA40AADD38DDBFDA87/analysis/
Typical Filename: f3PSSavr.scr.vir
Claimed Product: Popular Screensavers
Claimed Publisher: FunWebProducts.com
SHA 256: 409C8907E5074F9040A4F569180E7A3945FE2A8DB8070AD5C3961BBE6DFF34D1
MD5: 4faeae17485c16d6c131d02b0f54d61f
VirusTotal: https://www.virustotal.com/file/409C8907E5074F9040A4F569180E7A3945FE2A8DB8070AD5C3961BBE6DFF34D1/analysis/
Typical Filename: VideoDownloadConvert.exe
Claimed Product: VideoDownloadConvert.exe
Claimed Publisher: VideoDownloadConvert.exe
OVERVIEW
CAPABILITIES
PLATFORM APPS
Use Cases
Segments
Resources
Research
Enterprise TruRisk Platform
Free Services