@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
August 2, 2012=============================================================
@RISK: The Consensus Security Vulnerability Alert
Vol. 12, Num. 31
Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.
=============================================================CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 7/25/2012 - 7/31/2012
============================================================TOP VULNERABILITY THIS WEEK: Ubisoft, makers of popular video games for PCs, included a method to run arbitrary code inside of its Uplay DRM tool. Google researcher Tavis Ormandy this weekend discovered a way to exploit this via a web page with no authentication necessary. Exploits are presumed to exist in the wild.
******************** Sponsored By SANS ********************Enter to win one of TWO $200 American Express Cards by taking SANS 2nd Survey on Mobility/BYOD Policy and Management.
http://www.sans.org/info/110960
Results released in October.
http://www.sans.org/info/110965
TRAINING UPDATE
- --SANS Boston 2012 Boston, MA August 6-11, 2012
8 courses. Bonus evening presentations include SIFT Workstation: The Art
of Incident Response; and Everything I Know is Wrong! How to Lead a
Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/
- --SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012
http://www.sans.org/scada-sec-training-2012/
- --SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012
10 courses. Bonus evening presentations include Information Assurance
Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/
- --SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/
- --SANS Crystal City 2012 Arlington, VA September 6-11, 2012
6 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.
http://www.sans.org/crystal-city-2012/
- --SANS Baltimore 2012 October 15-20, 2012
6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/
- --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012
45 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation
Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/
- --SANS Seattle 2012 Seattle, WA October 14-19, 2012
6 courses. Bonus evening presentations include What's New in Windows 8
and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/
- --SANS Chicago 2012Chicago, IL October 27-November 5, 2012
10 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus San Antonio, Melbourne, Prague, Singapore, Dubai, and Johannesburg all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
********************** Sponsored Link: *********************1) Webinar presented by Ping Identity: My Name is....SCIM, 8/9/12 at 11:00 AM ET.
Register: http://www.sans.org/info/110970
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Ubisoft Uplay DRM Backdoor
Description: Ubisoft S.A., makers of popular games such as Assassin's
Creed, uses a DRM system called Uplay to combat piracy. Widely respected
Google security engineer Tavis Ormandy discovered this weekend that the
Uplay system is vulnerable to remote command execution via standard API
calls that can be accessed through a web page, with no authentication
required. While Ubisoft has issued an official patch, exploitation is
trivial, and is likely to occur in the wild before users update their
systems.
Reference: http://seclists.org/fulldisclosure/2012/Jul/375
http://www.slashgear.com/major-security-vulnerability-discovered-in-ubisoft-uplay-drm-30240879/
Snort SID: 23624
ClamAV: PUA.HTML.TROJAN
Title: Obfuscated Iframe Tags Being Used In Malvertising Campaigns
Description: The Sourcefire VRT has recently observed a pair of large
campaigns in the wild, where malicious files are planted via advertising
campaigns and/or SQL injections and then redirect users to Blackhole and
other exploit kits. The first campaign's hallmark is an HTML iframe tag
with positioning and sizing designed specifically to make it invisible
to any browser on the planet; the second can be identified by the fact
that the iframe tag is placed on the page before the doctype tag, which
is illegal per WC3 specifications.
Reference: http://urlquery.net/report.php?id=90530
Snort SIDs: 23618, 23620
ClamAV: N/A
Title: RunForestRun Kit Infecting Plesk Panel Services, Improves Obfuscation Routines
Description: A malicious piece of software known as "RunForestRun" due
to the structure of the URL used to contact command and control servers
post-compromise, has been targeting the Plesk Panel control suite - a
popular management interface for web hosting providers - since June. The
kit was originally easily detectable due to static comment strings and
other obvious indicators, but an update was released last week that uses
a well-known and legitimate encoder routine to hide all malicious code.
Based upon a study of samples in the field, the Sourcefire VRT has found
a way to differentiate encoded RunForestRun files from legitimate
encoded files, and will provide updated detection if the kit changes
further.
Reference: http://blog.unmaskparasites.com/2012/07/26/runforestrun-now-encrypts-legitimate-js-files/
Snort SID: 23473, 23621
ClamAV: Exploit.JS.Obfuscation
Title: Olympics-Themed Phish Observed in the Wild
Description: As with any high-profile event, phishers are using the 2012
London Olympics to lure unsuspecting users into drop malware onto users
throughout the world. The Sourcefire VRT has observed multiple
campaigns, including one which uses an attached file that exploits
CVE-2010-3333 (a stack overflow in Microsoft Office via RTF files), and
another which uses the currently popular technique of compromised
WordPress sites that lead to Blackhole exploit kits. While this specific
campaign has a limited lifetime, users should be constantly on guard for
any email related to recent news events.
Reference: http://vrt-blog.snort.org/2012/07/phishing-games.html
Snort SIDs: 21041, 21964, 22095, 22101, 22102, 23171
ClamAV: BC.Exploit.CVE_2010_3333
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
Android takeover with the swipe of a smartphone:
http://www.darkreading.com/mobile-security/167901113/security/vulnerabilities/240004387/android-takeover-with-the-swipe-of-a-smartphone.html
ELF metadata abuse to run arbitrary code before memory protections are loaded:
http://cs.dartmouth.edu/~bx/elf-bf-tools/slides/elf-defcon20.pdf
Email-based malware attacks, July 2012:
http://krebsonsecurity.com/2012/07/email-based-malware-attacks-july-2012/
How malware employs anti-debugging, anti-disassembly, and anti-virtualization technologies:
https://community.qualys.com/blogs/securitylabs/2012/07/30/how-malware-employs-anti-debugging-anti-disassembly-and-anti-virtualization-technologies
GPS spoofing:
http://erratasec.blogspot.com/2012/07/gps-spoofing.html
Easy local Windows kernel exploitation:
https://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernal_Slides.pdf
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2010-3964
Title: Scrutinizer Default Password Security Bypass Vulnerability
Vendor: Plixer
Description: The MySQL component in Plixer Scrutinizer (aka Dell
SonicWALL Scrutinizer) 9.0.1.19899 and earlier has a default password
of admin for the (1) scrutinizer and (2) scrutremote accounts, which
allows remote attackers to execute arbitrary SQL commands via a TCP
session.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2010-3964
Title: Microsoft Office SharePoint Server 2007 Remote Code Execution
Vendor: Microsoft
Description: Unrestricted file upload vulnerability in the Document
Conversions Launcher Service in Microsoft Office SharePoint Server
2007 SP2, when the Document Conversions Load Balancer Service is
enabled, allows remote attackers to execute arbitrary code via a
crafted SOAP request to TCP port 8082, aka "Malformed Request Code
Execution Vulnerability."
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: : CVE-2012-2974
Title: SMC SMC8024L2 Switch Web Interface Authentication Bypass
Vendor: SMC Networks
Description: The web interface on the SMC SMC8024L2 switch allows
remote attackers to bypass authentication and obtain administrative
access via a direct request to a .html file under (1) status/, (2)
system/, (3) ports/, (4) trunks/, (5) vlans/, (6) qos/, (7) rstp/, (8)
dot1x/, (9) security/, (10) igmps/, or (11) snmp/.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: : CVE-2012-2957
Title: Symantec Web Gateway 5.0.3.18 LFI Remote ROOT RCE Exploit
Vendor: Symantec
Description: The management console in Symantec Web Gateway 5.0.x
before 5.0.3.18 allows local users to gain privileges by modifying
files, related to a "file inclusion" issue.
CVSS v2 Base Score:4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2012-1723
Title: Oracle Java SE Remote Code Execution Vulnerability / Blackhole Exploit Kit
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32
and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows
remote attackers to affect confidentiality, integrity, and
availability via unknown vectors related to Hotspot.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
MOST POPULAR MALWARE FILES 7/25/2012 - 7/31/2012:
COMPILED BY SOURCEFIRE
SHA 256: CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B
MD5: 7961a56c11ba303f20f6a59a506693ff
VirusTotal: https://www.virustotal.com/file/CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B/analysis/
Malwr: http://malwr.com/analysis/7961a56c11ba303f20f6a59a506693ff
Typical Filename: C8A787C22000AE378610003396E67500D587FA4E.exe
Claimed Product: My Web Search Bar for Internet Explorer and FireFox
Claimed Publisher: MyWebSearch.com
SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Malwr: http://malwr.com/analysis/25aa9bb549ecc7bb6100f8d179452508
Typical Filename: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Product: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Publisher: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Malwr: http://malwr.com/analysis/3291e1603715c47a23b60a8bf2ca73db
Typical Filename: avz00001.dta
Claimed Product: avz00001.dta
Claimed Publisher: avz00001.dta
SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Malwr: http://malwr.com/analysis/bf31a8d79f704f488e3dbcb6eea3b3e3
Typical Filename: bf31a8d79f704f488e3dbcb6eea3b3e3
Claimed Product: bf31a8d79f704f488e3dbcb6eea3b3e3
Claimed Publisher: bf31a8d79f704f488e3dbcb6eea3b3e3
SHA 256: 0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3
MD5: b3b9295385f4e74d023181e5a24f4d83
VirusTotal: https://www.virustotal.com/file/0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3/analysis/
Malwr: http://malwr.com/analysis/b3b9295385f4e74d023181e5a24f4d83
Typical Filename: Keygen.exe
Claimed Product: Keygen.exe
Claimed Publisher: Keygen.exe
(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account
