@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
December 13, 2012=============================================================
@RISK: The Consensus Security Vulnerability Alert
Vol. 12, Num. 50
Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.
=============================================================CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 12/6/2012 - 12/12/2012
============================================================TOP VULNERABILITY THIS WEEK: A theoretical implementation of a Tor-powered botnet described in a Reddit thread in April was discovered in the wild by researchers last week. Based on the wildly popular Zeus malware, this particular threat is designed for maximum evasion capabilities, and may prompt copycat bots using the widely deployed Tor anonymity software.
============================================================TRAINING UPDATE
- --SANS Security East 2013 New Orleans, LA January 16-23, 2013
11 courses. Bonus evening presentations include The Next Wave - Data
Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your
Friends and Neighbors for Fun. Special Event: NetWars Tournament of
Champions.
http://www.sans.org/event/security-east-2013
- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013
The Summit brings together the program managers, control systems
engineers, IT security professionals and critical infrastructure
protection specialists from asset owning and operating organizations
along with control systems and security vendors who have innovative
solutions for improving security. The Security Summit is an action
conference designed so that every attendee leaves with new tools and
techniques they can put to work immediately when they return to their
office. The Summit is the place to come and interact with top SCADA
experts, key government personnel, researchers and asset owners at the
multiple special networking events.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater
Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013
- --SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentation: Security of National eID
(smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013
- --SANS 2013 Orlando, FL March 8-March 15, 2013
46 courses. Bonus evening presentations include Why Our Defenses Are
Failing Us: One Click Is All It Takes ...; Human Nature and Information
Security: Irrational and Extraneous Factors That Matter; and
Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Anaheim, New Delhi, Brussels, and Johannesburg all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
1) Take the SANS Survey on the Security Practices of SCADA System
Operators and register to win an iPad! http://www.sans.org/info/119195
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Tor-powered botnet jumps from a description on Reddit to reality
Description: After a popular Reddit thread in April of 2012 described
how a botnet could be built using the Tor anonymizing proxy system, in
order to reduce the likelihood of discovery and takedown, researchers
with the Metasploit project discovered a modified Zeus binary that used
Tor in a manner almost identical to what was discussed in the thread.
While such an operation has been discussed in theory for years,
including a 2010 Defcon talk on the subject, few, if any such botnets
have been observed in the wild to date. The success of this particular
botnet, however, is likely to spur imitators going forward.
Reference:
https://community.rapid7.com/community/infosec/blog/2012/12/03/skynet-a-tor-powered-botnet-straight-from-reddit
http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/?limit=500
https://www.defcon.org/images/defcon-18/dc-18-presentations/D.Brown/DEFCON-18-Brown-TorCnC.pdf
Snort SID: 9324, 13696 - 13698, 16439 - 16442, 17917, 24169
ClamAV: Trojan.Spy.Zbot*, Trojan.Spy.Zeus*, Win.Trojan.Agent-20928
Title: ExploitHub site compromised, private exploit database stolen
Description: IDS and Antivirus testing firm NSS Labs, whose ExploitHub
site was set up in 2010 as a marketplace for private exploits used
(ostensibly) in penetration tests and other defense-validating
scenarios, had that project's server compromised by the more black hat
group 1337day, whose site offers a competing database of exploits. The
compromise is likely to produce turmoil within the industry, public
release of some of the ExploitHub bugs, and/or other related fallout.
Additionally, it serves as a warning that even security vendors should
be vigilant in securing their systems, as no one is immune to attack on
improperly managed servers.
Reference: http://priv8.1337day.com/exploitHUB.txt
Snort SID: N/A
ClamAV: N/A
Title: Targeted malware using CVE-2012-0158 persists
Description: Multiple researchers have lately discovered new targeted
attacks circulating in the wild that target CVE-2012-0158, an RTF file
format vulnerability which was patched in April of this year. Thanks to
their relatively simple format and the large number of sample exploits
available in the wild, RTFs have been a favorite of targeted attackers
in 2012, with targets ranging from Tibetan protesters to defense
contractors worldwide.
Reference:
http://krebsonsecurity.com/2012/12/chinese-espionage-attacks-against-ruskies/
http://blogs.mcafee.com/mcafee-labs/cve-2012-0158-exploit-in-the-wild
http://blog.fireeye.com/research/2012/12/to-russia-with-apt.html
Snort SID: 21797-21801,21896-21906,21937,20486,23305,24976
ClamAV: Win.Trojan.Agent
Title: Microsoft releases monthly patch update
Description: Microsoft released patches for vulnerabilities in a number
of components this Tuesday. While none are known to have exploits
currently circulating in the wild, several should be straightforward to
exploit, including a new RTF vulnerability that is likely to be used in
targeted attacks going forward. Users should, as usual, patch as soon
as feasible.
Reference:
http://technet.microsoft.com/en-us/security/bulletin/ms12-dec
Snort SID: 24956,24957-24970,24971,24972,24973,24974,24975
ClamAV: Win.Exploit.CVE_2012_1537, RTF.Exploit.CVE_2012_2539, BC.Exploit.CVE_2012-2556
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
A peek inside a cybercrime-friendly e-shop, part 5:
http://blog.webroot.com/2012/12/10/a-peek-inside-a-boutique-cybercrime-friendly-e-shop-part-five/
SHA1 weakness benefits password crackers:
http://www.h-online.com/security/news/item/SHA1-weakness-benefits-password-crackers-1762353.html
Twitter and SMS spoofing:
http://engineering.twitter.com/2012/12/twitter-and-sms-spoofing.html
A closer look at two big-time botmasters:
http://krebsonsecurity.com/2012/12/a-closer-look-at-two-bigtime-botmasters/
Uncovering the "new" Eurograbber: really 36 million EUR?
http://eternal-todo.com/blog/uncovering-eurograbber-36-million-eur
Nine out of ten hospitals lost personal data in last two years:
http://www.scmagazine.com/nine-out-of-10-hospitals-lost-personal-data-in-last-two-years/article/271795/
Command execution on MS SQL server using Powershell:
http://labofapenetrationtester.blogspot.com/2012/12/command-execution-on-ms-sql-server-using-powershell.html
Hooked on mnemonics worked for me:
http://hooked-on-mnemonics.blogspot.com/2012/12/a-couple-of-days-ago-there-was-blog.html
Anon on the run: How Commander X jumped bail and fled to Canada:
http://arstechnica.com/tech-policy/2012/12/anon-on-the-run-how-commander-x-jumped-bai/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: : CVE-2012-5975
Title: SSH Tectia Authentication Bypass Remote
Vendor: SSH Communications
Description: A remote authentication bypass vulnerability was disclosed
which affects the current Unix/Linux versions of Tectia SSH Server. The
vulnerability exploits a bug in the SSH USERAUTH CHANGE REQUEST
function.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: : CVE-2012-5615
Title: MySQL Remote User Enumeration
Vendor: Oracle
Description: MySQL 5.5.19 and possibly other versions, and MariaDB
5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates
different error messages with different time delays depending on whether
a user name exists, which allows remote attackers to enumerate valid
usernames.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
ID: : CVE-2012-4964
Title: Samsung Printer Firmware Contains A Backdoor Administrator Account
Vendor: Samsung
Description: Samsung printers contain a hardcoded account that could
allow a remote attacker to take control of an affected device.
CVSS v2 Base Score: 9.0 (AV:N/AC:M/Au:N/C:C/I:C/A:P)
ID: : CVE-2012-6066
Title: FreeFTPD /FreeSSHD Remote Authentication Security Bypass Vulnerability
Vendor: freesshd
Description: freeSSHd.exe in freeSSHd through 1.2.6 allows remote
attackers to bypass authentication via a crafted session, as
demonstrated by an OpenSSH client with modified versions of ssh.c and
sshconnect2.c.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: : CVE-2012-5611
Title: Oracle MySQL Server Command Processing Buffer Overflow Vulnerability
Vendor: Oracle
Description: Stack-based buffer overflow in MySQL 5.5.19, 5.1.53, and
possibly other versions, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x
before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows
remote authenticated users to execute arbitrary code via a long argument
to the GRANT FILE command.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
MOST PREVALENT MALWARE FILES 12/6/2012 - 12/12/2012:
COMPILED BY SOURCEFIRE
SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Typical Filename: File_0_2.ok
Claimed Product: File_0_2.ok
Claimed Publisher: File_0_2.ok
SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Typical Filename: 3291e1603715c47a23b60a8bf2ca73db
Claimed Product: 3291e1603715c47a23b60a8bf2ca73db
Claimed Publisher: 3291e1603715c47a23b60a8bf2ca73db
SHA 256: 0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3
MD5: b3b9295385f4e74d023181e5a24f4d83
VirusTotal: https://www.virustotal.com/file/0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3/analysis/
Typical Filename: Keygen.exe
Claimed Product: Keygen.exe
Claimed Publisher: Keygen.exe
SHA 256: 01DF66ADC51D4BEA5E28DD4ED4A7F0130546FD1ABE03C6AA40AADD38DDBFDA87
MD5: f869010b28721110d7343f39ec3b6d60
VirusTotal: https://www.virustotal.com/file/01DF66ADC51D4BEA5E28DD4ED4A7F0130546FD1ABE03C6AA40AADD38DDBFDA87/analysis/
Typical Filename: f3PSSavr.scr.vir
Claimed Product: Popular Screensavers
Claimed Publisher: FunWebProducts.com
SHA 256: 409C8907E5074F9040A4F569180E7A3945FE2A8DB8070AD5C3961BBE6DFF34D1
MD5: 4faeae17485c16d6c131d02b0f54d61f
VirusTotal: https://www.virustotal.com/file/409C8907E5074F9040A4F569180E7A3945FE2A8DB8070AD5C3961BBE6DFF34D1/analysis/
Typical Filename: VideoDownloadConvert.exe
Claimed Product: VideoDownloadConvert.exe
Claimed Publisher: VideoDownloadConvert.exe
(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account
