Newsletters: @RISK

@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

June 21, 2012
=============================================================

@RISK: The Consensus Security Vulnerability Alert

Vol. 12, Num. 25

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

=============================================================

CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 6/6/2012 - 6/12/2012

Top Vulnerability this week: CVE-2012-1875 in Internet Explorer: patched as of June 12, but Microsoft alerted already in the original advisory of targeted attacks against the vulnerability. Since then a Metasploit module has been released that will make the exploit accessible to a much larger attacker base.

=============================================================

TRAINING UPDATE

--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012
Pre-Summit Courses: June 20-25, 2012
Summit: June 26-27, 2012
Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

--SANS Canberra 2012, Canberra, Australia July 2-10, 2012
5 courses. Bonus evening presentations include Penetrating Modern Defenses; and Tales From the Crypt: TrueCrypt Analysis.
http://www.sans.org/canberra-2012/

--Security Impact of IPv6 Summit, Washington, DC July 6, 2012
Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

--SANSFIRE 2012, Washington, DC July 6-15, 2012
44 courses. Bonus evening presentations include Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?, Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems, many more.
http://www.sans.org/sansfire-2012/

--SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012
9 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/

--SANS Boston 2012, Boston, MA August 6-11, 2012
9 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

--Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangkok, San Antonio, Melbourne, and Arlington, VA all in the next 90 days.

For a list of all upcoming events, on-line and live: www.sans.org

=============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Compromised WordPress Blogs Used For Active Phishing Campaigns
Description: WordPress is a popular blogging platform written in PHP. There are numerous security issues in the software, particularly in the myriad of plug-ins available for the system maintained by third-party groups. Several active phishing campaigns have been observed recently using compromised WordPress installations to host exploit kits.
Reference:
http://vrt-blog.snort.org/2012/06/compromised-wordpress-blogs-phishers.html
http://blog.trendmicro.com/compromised-wordpress-sites-drive-users-to-blackhole-exploit-kit
Snort SID: 21941, 23171

Title: CVE-2012-1889 Unpatched Microsoft XML Core Services Vulnerability
Description: A zero-day attack against the Microsoft XML Core Services was released just after this month's Patch Tuesday. Active exploitation has been observed in the wild, including a Metasploit module that was published on Friday, June 15. Users of Microsoft products, including Internet Explorer and Office, are strongly urged to use Microsoft's Fix-It tool to mitigate the vulnerability pending a patch.
Reference:
http://technet.microsoft.com/en-us/security/advisory/2719615
Snort SID: 23142, 23143, 23144, 23145, 231426
ClamAV: Exploit.CVE_2012_1889-1 -> Exploit.CVE_2012_1889-10

Title: AV Bypass For Malicious PDFs Using XDP
Description: A controversy over responsible disclosure has erupted over an antivirus evasion technique demonstrated this past weekend by security researcher Brandon Dixon. The technique uses the XDP specification, which allows PDF files to be wrapped in XML, to bypass file type checking and evade multiple antivirus vendors. Dixon discovered the technique while analyzing a live sample from the field, so exploits using it are clearly in use by malicious actors today.
Reference:
http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp
Snort SID: 23166
ClamAV: PUA.Script.XDPBypass, PUA.Script.XDPBypass-1,
PUA.Script.XDPBypass-2, PUA.Script.XDPBypass-3

Title: Fake Android Security App Is Zeus
Description: An Android application by the name of "Android Security Suite Premium" has been linked to the Zeus malware family by researchers at Kaspersky Labs. The malware includes functionality such as forwarding all SMS messages received by the phone to a C&C server and other information-stealing techniques. As this application was found outside of the official Android market, users are encouraged to install applications only from trusted sources.
Reference:
http://www.securelist.com/en/blog/208193604/Android_Security_Suite_Premium_New_ZitMo
Snort SID: 23173
ClamAV: Android.Zitmo

Title: Nuclear Pack Exploit Kit
Description: An exploit kit from Eastern Europe known as the Nuclear Pack has been observed in active use in the wild recently. This kit was used in a major attack on a Dutch web site in March, and has been detected on other networks that Sourcefire monitors.
Reference:
http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/
Snort SID: 23157

============================================================
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Reliable exploitation of CVE-2012-1889:
http://hi.baidu.com/inking26/blog/item/9c2ab11c4784e5aa86d6b6c1.html

Old tricks, new targets:
http://blog.ioactive.com/2012/06/old-tricks-new-targets.html

"Everybody with an activated Terminal Server could also sign code as Microsoft":
http://trailofbits.files.wordpress.com/2012/06/flame-md5.pdf

Simple Kung Fu grep for finding common web vulnerabilities & backdoor shells:
http://pentestlab.org/simple-kung-fu-grep-for-finding-common-web-vulnerabilities-backdoor-shells/

=========================================================
MOST POPULAR MALWARE FILES 6/6/2012 - 6/12/2012:

(Compiled by Sourcefire)

SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Malwr: http://malwr.com/analysis/bf31a8d79f704f488e3dbcb6eea3b3e3

Typical Filename: pspprn.sys
Claimed Product: -
Claimed Publisher: -

SHA 256: E2C3896C24FD45DD8092AF10DE84B1A4FAF4FC37A1E9772C56148FE982B44181
MD5: cce8aeb6b86e89280e703608eb252e62
VirusTotal: https://www.virustotal.com/file/E2C3896C24FD45DD8092AF10DE84B1A4FAF4FC37A1E9772C56148FE982B44181/analysis/
Malwr: http://malwr.com/analysis/cce8aeb6b86e89280e703608eb252e62

Typical Filename: M3SKPLAY.EXE
Claimed Product: My Web Search Skin Tools
Claimed Publisher: MyWebSearch.com

SHA 256: 66BD42E633A781832314E6FA541287732A2B1F353D5636DDDF470E7D7C054BAD
MD5: a89e7c0a2c689cc38a7fbab355fe9837
VirusTotal: https://www.virustotal.com/file/66BD42E633A781832314E6FA541287732A2B1F353D5636DDDF470E7D7C054BAD/analysis/
Malwr:
http://malwr.com/analysis/a89e7c0a2c689cc38a7fbab355fe9837

Typical Filename: bxumv.exe
Claimed Product: -
Claimed Publisher: -

SHA 256: 0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3
MD5: b3b9295385f4e74d023181e5a24f4d83
VirusTotal: https://www.virustotal.com/file/0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3/analysis/
Malwr: http://malwr.com/analysis/b3b9295385f4e74d023181e5a24f4d83

Typical Filename: KMS.exe
Claimed Product: -
Claimed Publisher: -

SHA 256: A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03
MD5: 8ac1e580cf274b3ca98124580e790706
VirusTotal: https://www.virustotal.com/file/A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03/analysis/
Malwr: http://malwr.com/analysis/8ac1e580cf274b3ca98124580e790706

Typical Filename: lpkjnn.sys
Claimed Product: -
Claimed Publisher: -

=============================================================

(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account