============================================================
TOP VULNERABILITY THIS WEEK: CVE-2012-2695, SQL injection in Ruby on Rails. Patched in June, this issue impacts such a large number of web applications that extensive exploitation is likely going forward, especially as developers frequently fail to patch the languages in which their programs are written.
============================================================
TRAINING UPDATE
- --Security Impact of IPv6 Summit, Washington, DC July 6, 2012
Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/
- --SANSFIRE 2012, Washington, DC July 6-15, 2012
45 courses. Bonus evening presentations include Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?, Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems, many more.
http://www.sans.org/sansfire-2012/
- --SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012
8 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/
- --SANS Boston 2012, Boston, MA August 6-11, 2012
8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/
- --SANS Virginia Beach 2012, Virginia Beach, VA August 20-31, 2012
10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Bangkok, San Antonio, Melbourne, and Arlington, VA all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
============================================================
#1
Title: Targeted attacks on Macs using new backdoor
Description: A wave of targeted emails was recently detected dropping a Mac-specific backdoor. The malicious binary, which are installed after users fall victim to social engineering techniques, is related to previously observed Mac backdoors which were distributed by way of Java
exploits. As Mac attacks continue to grow in popularity, users are urged to patch frequently and exercise caution in running binaries from untrusted sources.
Reference:
http://www.securelist.com/en/blog/208193616/New_MacOS_X_backdoor_variant_used_in_APT_attacks
http://labs.alienvault.com/labs/index.php/2012/ms-office-exploit-that-targets-macos-x-seen-in-the-wild-delivers-mac-control-rat/
ClamAV: Trojan.MAC.Backdoor
#2
Title: Trojan uses new C&C obfuscation technique
Description: The Polish CERT has observed a new trojan spreading in the
wild via a number of different social media techniques. While not
particularly novel in that regard, this particular piece of malware is
interesting in the way that it contacts its command and control servers.
Instead of using the address provided in a DNS query response, the
malware takes that value and transforms it into a different IP address,
which is then used to contact the C&C. This technique, if it becomes
widespread, has interesting implications for malware detection at the
network level.
Reference: http://www.cert.pl/news/5587/langswitch_lang/en
Snort SID: 23261
ClamAV: Worm.Agent-394
#3
Title: Banking trojan spreading via phishing attacks
Description: The Sourcefire VRT has discovered a new trojan being
dropped on users via a large-scale UPS-themed phishing attack. The
trojan, which attempts to steal credentials for several major financial
institutions, also drops other malicious binaries on the infected
system. Its C&C communications are of particular interest, as its
authors chose to use the hexadecimal string "0xDEADBEEF" - which is
commonly used by attackers and researchers alike as a way to follow user
input through system memory - as a protocol marker of sorts.
Reference: http://vrt-blog.snort.org/2012/07/banking-trojan-spread-via-ups-phish.html
Snort SID: 23262
ClamAV: Trojan.Banker-8376
#4
Title: CVE-2012-2695 Ruby on Rails SQL Injection
Description: The Active Record component of Ruby on Rails does not
properly sanitize certain types of nested input, which allows for SQL
injection into applications using this component even when developers
believe they have sanitized input. Given the widespread use of this
component, attacks in the wild are extremely likely, if not already
occurring.
Reference: https://groups.google.com/forum/?fromgroups#!msg/rubyonrails-security/l4L0TEVAz1k/Vr84sD9B464J
Snort SID: 23213
ClamAV: N/A
============================================================
#5
Blackhole exploit kit gets an upgrade: pseudo-random domains:
http://www.symantec.com/connect/blogs/blackhole-exploit-kit-gets-upgrade-pseudo-random-domains
#6
Google Mail hacking - Gmail Stored XSS:
http://benhayak.blogspot.co.il/2012/06/google-mail-hacking-gmail-stored-xss.html
#7
Cybercriminals launch managed SMS flooding services:
http://blog.webroot.com/2012/07/02/cyberciminals-launch-managed-sms-flooding-services/
#8
BoNeSi - the DDoS Botnet Simulator:
http://code.google.com/p/bonesi/
==========================================================
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2012-0124
Title: HP Data Protector Create New Folder Buffer Overflow
Vendor: HP
Description: Unspecified vulnerability in HP Data Protector Express (aka
DPX) 5.0.00 before build 59287 and 6.0.00 before build 11974 allows
remote attackers to execute arbitrary code or cause a denial of service
via unknown vectors.
CVSS v2 Base Score :10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2011-3478
Title: Symantec PcAnywhere 12.5.0 Login and Password Field Buffer Overflow
Vendor: Symantec
Description: The host-services component in Symantec pcAnywhere 12.5.x
through 12.5.3, and IT Management Suite pcAnywhere Solution 7.0 (aka
12.5.x) and 7.1 (aka 12.6.x), does not properly filter login and
authentication data, which allows remote attackers to execute arbitrary
code via a crafted session on TCP port 5631.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2012-0469
Title: Mozilla Use-after-free vulnerability in the "IDBKeyRange"
Vendor: Mozilla
Description: Use-after-free vulnerability in the
mozilla::dom::indexedDB::IDBKeyRange::cycleCollection::Trace function
in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4,
Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and
SeaMonkey before 2.9 allows remote attackers to execute arbitrary code
via vectors related to crafted IndexedDB data.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2012-1493
Title: F5 BIG-IP SSH Private Key Exposure
Vendor: F5 Networks Inc
Description: Remote exploitation of a configuration error vulnerability
in multiple F5 Networks Inc. products could allow an attacker to gain
escalated "root" privileges.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2012-0677
Title: Apple iTunes 10 Extended M3U Stack Buffer Overflow
Vendor: Apple
Description: Heap-based buffer overflow in Apple iTunes before 10.6.3
allows remote attackers to execute arbitrary code or cause a denial of
service (application crash) via a crafted .m3u playlist.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
=========================================================
SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Malwr: http://malwr.com/analysis/bb74024a1d4e4808562c090980151653
Typical Filename: smona131831195112461260022
Claimed Product: -
Claimed Publisher: -
SHA 256: CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B
MD5: 7961a56c11ba303f20f6a59a506693ff
VirusTotal: https://www.virustotal.com/file/CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B/analysis/
Malwr: http://malwr.com/analysis/7961a56c11ba303f20f6a59a506693ff
Typical Filename: m3SrchMn.exe
Claimed Product: My Web Search Bar
Claimed Publisher: MyWebSearch.com
SHA 256: A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03
MD5: 8ac1e580cf274b3ca98124580e790706
VirusTotal: https://www.virustotal.com/file/A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03/analysis/
Malwr: http://malwr.com/analysis/8ac1e580cf274b3ca98124580e790706
Typical Filename: lpkjnn.sys
Claimed Product: -
Claimed Publisher: -
SHA 256: E2C3896C24FD45DD8092AF10DE84B1A4FAF4FC37A1E9772C56148FE982B44181
MD5: cce8aeb6b86e89280e703608eb252e62
VirusTotal: https://www.virustotal.com/file/E2C3896C24FD45DD8092AF10DE84B1A4FAF4FC37A1E9772C56148FE982B44181/analysis/
Malwr: http://malwr.com/analysis/cce8aeb6b86e89280e703608eb252e62
Typical Filename: M3SKPLAY.EXE
Claimed Product: My Web Search Skin Tools
Claimed Publisher: MyWebSearch.com
SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Malwr: http://malwr.com/analysis/bf31a8d79f704f488e3dbcb6eea3b3e3
Typical Filename: pspprn.sys
Claimed Product: -
Claimed Publisher: -
=============================================================
(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account
