@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
July 26, 2012=============================================================
@RISK: The Consensus Security Vulnerability Alert
Vol. 12, Num. 30
Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.
=============================================================CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 7/17/2012 - 7/24/2012
============================================================TOP VULNERABILITY THIS WEEK: A trivially exploitable remote root vulnerability exists in the Kindle Touch built-in browser. Based on its support for the NPAPI, commands can be injected with root-level privileges with no authentication, simply by visiting a web page. Exploits are presumed to already exist in the wild.
============================================================TRAINING UPDATE
- --SANS San Francisco 2012 San Francisco, CA July 30-August 6, 2012
8 courses. Bonus evening presentations include All Your Hash Are Belong
to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing
and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/
- --SANS Boston 2012 Boston, MA August 6-11, 2012
8 courses. Bonus evening presentations include SIFT Workstation: The Art
of Incident Response; and Everything I Know is Wrong! How to Lead a
Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/
- --SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012
http://www.sans.org/scada-sec-training-2012/
- --SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012
10 courses. Bonus evening presentations include Information Assurance
Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/
- --SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/
- --SANS Crystal City 2012 Arlington, VA September 6-11, 2012
6 courses. Bonus evening presentations include SIFT Workstation: The Art
of Incident Response.
http://www.sans.org/crystal-city-2012/
- --SANS Baltimore 2012 October 15-20, 2012
6 courses. Bonus evening presentations include Infosec Rock Star: How
to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/
- --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012
45 courses. Bonus evening presentations include Evolving Threats; New
Legal Methods for Collecting and Authenticating Cyber Investigation
Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current
Plus San Antonio, Melbourne, Prague, Singapore, Dubai, and Seattle all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
============================================================NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Remote Root Exploit in Kindle Touch
Description: The built-in browser for the Kindle Touch integrates
support for the Netscape Plugin API, a modern cross-browser scripting
language. Unfortunately, it is implemented in such a way that it allows
injection of commands into the browser with root privileges. While the
API is poorly documented, and few public details about exploitation
currently exist in the wild, exploits will be trivial to write and
should be presumed to exist at this point.
Reference: http://vrt-blog.snort.org/2012/07/dont-panic.html
http://www.mobileread.com/forums/showthread.php?t=175368
Snort SID: 23616, 23617
ClamAV: N/A
Title: Arbitrary Remote File Upload in Wordpress Invit0r Plugin
Description: The WordPress Invit0r plugin, which can be used to invite
Yahoo contacts to visit your blog, has an arbitrary remote file include
vulnerability. While it has been pulled from the official Wordpress
plugins site, multiple public exploits exist and are being actively used
in the wild. While this particular plugin is not especially notable, it
highlights the ongoing challenge of securing Wordpress and other CMS
systems, and the dangers created by such sites being exploited and used
to host malware.
Reference: http://packetstormsecurity.org/files/113639/WordPress-Invit0r-0.22-Shell-Upload.html
Snort SID: 23484, 23485
ClamAV: N/A
Title: ZeroAccess Trojan Continues To Spread
Description: The ZeroAccess trojan/rootkit, a particularly nasty piece
of malware that was first discovered in the wild in early 2012, is today
considered by some to be one of the top threats to end-users in the
wild. The Sourcefire VRT has been following this malware recently, and
has new signatures for command-and-control traffic generated by infected
systems. As this malware has been known to cause users to exceed
bandwidth caps and be charged by their ISP directly, users both
corporate and private are encouraged to check their systems for signs
of infection regularly.
Reference: http://threatpost.com/en_us/blogs/report-bandwith-burning-malware-among-biggest-consumer-threats-071912
https://www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/
Snort SID: 23492, 23493
ClamAV: Trojan.ZeroAccess-1 - Trojan.ZeroAccess-693
Title: Use of XML Templates To Embed Malware In PDFs
Description: The Sourcefire VRT has received multiple reports of
malicious PDFs being distributed in the wild that embed their malicious
content inside of an XML tempalte within the PDF. After extensive
testing across thousands of PDF files, both malicious and benign, the
VRT has determined that the number of legitimate uses of this
functionality in the field today is so low that detection of such
documents generically is a useful way to detect new malware variants.
As always, users are highly encouraged to keep their PDF parsing
applications up-to-date at all times.
Reference: http://www.thebaskins.com/main/component/content/article/15-work/58-malicious-pdf-analysis-reverse-code-obfuscation
https://www.virustotal.com/file/ECA91825CA5CF6D8C06815CB471A0968F540878121CB13F971FD45C3EA3EBBAC/analysis/
Snort SID: 23612
ClamAV: Exploit.PDF.Dropped-21, Exploit-JS.10
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
Inside VirusTotal's pants: VirusTotal += Behavioural Information
http://blog.virustotal.com/2012/07/virustotal-behavioural-information.html
DoItQuick: Fast Domains for Dirty Deeds - Krebs on Security
http://krebsonsecurity.com/2012/07/service-secures-domains-for-black-deeds/
New contact-stealing Android malware found in wild:
http://www.zdnet.com/new-contacts-stealing-android-malware-spotted-in-the-wild-7000001296/
Calling all elite security experts: be among the first malware domain taggers:
http://blog.opendns.com/2012/07/19/calling-all-elite-security-experts-apply-to-be-among-the-first-malware-domain-taggers/
How to root the Google Nexus 7:
http://liliputing.com/2012/07/how-to-root-the-google-nexus-7-unlock-the-bootloader-install-custom-recovery.html
Russian hacker battles Apple to keep in-app purchase exploit alive:
http://www.bgr.com/2012/07/18/app-store-hack-in-app-purchases-apple-exploit/
Online dating scam currently circulating in the wild:
http://blog.webroot.com/2012/07/16/online-dating-scam-campaign-currently-circulating-in-the-wild/
Looking at mutex objects for malware discovery and indicators of compromise:
http://computer-forensics.sans.org/blog/2012/07/24/mutex-for-malware-discovery-and-iocs
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2012-2974
Title: SMC SMC8024L2 Switch Web Interface Authentication Bypass
Vendor: SMC Networks
Description: The web interface on the SMC SMC8024L2 switch allows remote
attackers to bypass authentication and obtain administrative access via
a direct request to a .html file under (1) status/, (2) system/, (3)
ports/, (4) trunks/, (5) vlans/, (6) qos/, (7) rstp/, (8) dot1x/, (9)
security/, (10) igmps/, or (11) snmp/.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2012-2957
Title: Symantec Web Gateway 5.0.3.18 LFI Remote ROOT RCE Exploit
Vendor: Symantec
Description: The management console in Symantec Web Gateway 5.0.x before
5.0.3.18 allows local users to gain privileges by modifying files,
related to a "file inclusion" issue.
CVSS v2 Base Score:4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2012-0663
Title: Apple QuickTime TeXML Buffer Overflow Vulnerability
Vendor: Apple
Description: Multiple stack-based buffer overflows in Apple QuickTime
before 7.7.2 on Windows allow remote attackers to execute arbitrary code
or cause a denial of service (application crash) via a crafted TeXML
file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2012-0664
Title: Apple QuickTime Heap Based Buffer Overflow Vulnerability
Vendor: Apple
Description: Heap-based buffer overflow in Apple QuickTime before 7.7.2
on Windows allows remote attackers to execute arbitrary code or cause a
denial of service (application crash) via a crafted text track in a
movie file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2012-1723
Title: Oracle Java SE Remote Code Execution Vulnerability / Blackhole Exploit Kit
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32
and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows
remote attackers to affect confidentiality, integrity, and availability
via unknown vectors related to Hotspot.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
MOST POPULAR MALWARE FILES 7/17/2012 - 7/24/2012:
COMPILED BY SOURCEFIRE
SHA 256: 9A09BCC1402050E371E13056B606BBDE8DF15CD87732B28C8BDDB863B1C65302
MD5: 923c4d13bee966654f4fe4a8945af0ae
VirusTotal: https://www.virustotal.com/file/9A09BCC1402050E371E13056B606BBDE8DF15CD87732B28C8BDDB863B1C65302/analysis/
Malwr: http://malwr.com/analysis/923c4d13bee966654f4fe4a8945af0ae
Typical Filename:
Claimed Product: -
Claimed Publisher: -
SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Malwr: http://malwr.com/analysis/3291e1603715c47a23b60a8bf2ca73db
Typical Filename: 01.tmp
Claimed Product: -
Claimed Publisher: -
SHA 256: 358289754D01E20D564E39D79124AFA9BED4D35B3BC22F4E09210EC75E6461B2
MD5: b94b0c0efb6f33bddd2f16907a3a9cd1
VirusTotal: https://www.virustotal.com/file/358289754D01E20D564E39D79124AFA9BED4D35B3BC22F4E09210EC75E6461B2/analysis/
Malwr: http://malwr.com/analysis/b94b0c0efb6f33bddd2f16907a3a9cd1
Typical Filename: -
Claimed Product: Firefox
Claimed Publisher: Mozilla
SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Malwr: http://malwr.com/analysis/bf31a8d79f704f488e3dbcb6eea3b3e3
Typical Filename: -
Claimed Product: -
Claimed Publisher: -
SHA 256: D1857A4F3F2739FB64257A53D67F82800755ED4F4019DF760E5400DDAC42EFFA
MD5: 6d5483da06cb7b45f205c51d87eb6d1a
VirusTotal: https://www.virustotal.com/file/D1857A4F3F2739FB64257A53D67F82800755ED4F4019DF760E5400DDAC42EFFA/analysis/
Malwr: http://malwr.com/analysis/6d5483da06cb7b45f205c51d87eb6d1a
Typical Filename: -
Claimed Product: -
Claimed Publisher: -
(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account
