Newsletters: @RISK

@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who hope to stay current with the offensive methods in use.

July 5, 2012
=============================================================

@RISK: The Consensus Security Vulnerability Alert

Vol. 12, Num. 27

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

=============================================================

CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 6/27/2012 - 7/3/2012
============================================================
Platform                                  Number of Updates and Vulnerabilities
----------------------------------------  -------------------------------------
Cross Platform                            4 (#2, #3, #5, #7)
Web Application - Cross Site Scripting    1 (#6)
Web Application - SQL Injection           1 (#4)
Mac OS X                                  1 (#1)
Denial of Service                         1 (#8)
============================================================

TOP VULNERABILITY THIS WEEK: CVE-2012-2695, SQL injection in Ruby on Rails. Patched in June, this issue affects such a large number of web applications that extensive exploitation is likely going forward, especially since developers frequently fail to patch the frameworks and language runtimes their applications are built on.

============================================================

TRAINING UPDATE

--Security Impact of IPv6 Summit, Washington, DC July 6, 2012
Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

--SANSFIRE 2012, Washington, DC July 6-15, 2012
45 courses. Bonus evening presentations include Critical Infrastructure Control Systems Cybersecurity; Why Don't We Consider Our Cars Critical Infrastructure?; Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; and many more.
http://www.sans.org/sansfire-2012/

--SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012
8 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/

--SANS Boston 2012, Boston, MA August 6-11, 2012
8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

--SANS Virginia Beach 2012, Virginia Beach, VA August 20-31, 2012
10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/

--Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangkok, San Antonio, Melbourne, and Arlington, VA all in the next 90 days.

For a list of all upcoming events, on-line and live: www.sans.org

============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

#1
Title: Targeted attacks on Macs using new backdoor
Description: A wave of targeted emails was recently detected dropping a Mac-specific backdoor. The malicious binary, which is installed after users fall for social engineering techniques, is related to previously observed Mac backdoors that were distributed by way of Java exploits. As attacks on Macs continue to grow in popularity, users are urged to patch frequently and to exercise caution when running binaries from untrusted sources.
Reference:
http://www.securelist.com/en/blog/208193616/New_MacOS_X_backdoor_variant_used_in_APT_attacks
http://labs.alienvault.com/labs/index.php/2012/ms-office-exploit-that-targets-macos-x-seen-in-the-wild-delivers-mac-control-rat/
ClamAV: Trojan.MAC.Backdoor

#2
Title: Trojan uses new C&C obfuscation technique
Description: The Polish CERT has observed a new trojan spreading in the wild via a number of different social media techniques. While not particularly novel in that regard, this particular piece of malware is interesting in the way that it contacts its command and control servers. Instead of using the address provided in a DNS query response, the malware takes that value and transforms it into a different IP address, which is then used to contact the C&C. This technique, if it becomes widespread, has interesting implications for malware detection at the network level.
Reference: http://www.cert.pl/news/5587/langswitch_lang/en
Snort SID: 23261
ClamAV: Worm.Agent-394
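The following is an added example, not code from the CERT Polska analysis. It models the evasion described above (the C&C address is derived from the DNS answer rather than used directly) and shows the network-level signal it leaves behind: a connection to a public address that no DNS answer ever carried. The XOR transform, its key, the domain names and every log line are constructed for illustration; the real sample's transform is specific to it and is not reproduced here.

```ruby
# Added example: hypothetical DNS-answer transform plus a DNS-to-flow
# correlation check. Nothing here is taken from the malware sample.
require "time"

XOR_KEY = 0x0D # hypothetical constant standing in for whatever the sample does

# Hypothetical transform: XOR each octet of the resolved address with a key.
# The malware would connect to the result, not to the address DNS returned.
def transform_ip(resolved)
  resolved.split(".").map { |o| (Integer(o) ^ XOR_KEY).to_s }.join(".")
end

# Cheap RFC 1918 check so internal traffic does not drown the result.
def rfc1918?(ip)
  a, b = ip.split(".").first(2).map(&:to_i)
  a == 10 || (a == 172 && (16..31).cover?(b)) || (a == 192 && b == 168)
end

# Constructed logs. DNS entries: [time, qname, answer]; flows: [time, dst_ip, dst_port].
T0 = Time.utc(2012, 7, 3, 10, 0, 0)
DNS_LOG = [
  [T0,      "update.example.net", "203.0.113.10"], # answer the malware later transforms
  [T0 + 60, "www.example.com",    "192.0.2.44"],   # ordinary lookup
]
FLOW_LOG = [
  [T0 + 30,  transform_ip("203.0.113.10"), 80],  # C&C contact: no DNS answer carried this IP
  [T0 + 90,  "192.0.2.44",                 443], # preceded by a matching answer
  [T0 + 120, "10.0.0.5",                   445], # internal, ignored
]

# Flag flows to public destinations that no DNS answer returned within the
# preceding window. Malware that contacts a derived address leaves exactly
# this gap between what was resolved and what was contacted.
def unresolved_destinations(dns_log, flow_log, window: 600)
  flow_log.reject { |_t, dst, _port| rfc1918?(dst) }.select do |t, dst, _port|
    dns_log.none? { |dt, _q, answer| answer == dst && dt <= t && t - dt <= window }
  end
end

if __FILE__ == $PROGRAM_NAME
  unresolved_destinations(DNS_LOG, FLOW_LOG).each do |t, dst, port|
    puts "#{t.iso8601} #{dst}:#{port} has no preceding DNS answer"
  end
end
```

In practice the join produces false positives from hard-coded addresses, cached resolutions older than the window, and hosts that resolve through a resolver you do not log, so the DNS feed must come from the resolver the endpoints actually use and the window should be tuned against a baseline before alerting on the result.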

#3
Title: Banking trojan spreading via phishing attacks
Description: The Sourcefire VRT has discovered a new trojan being dropped on users via a large-scale UPS-themed phishing attack. The trojan, which attempts to steal credentials for several major financial institutions, also drops other malicious binaries on the infected system. Its C&C communications are of particular interest, as its authors chose to use the hexadecimal value 0xDEADBEEF - a marker commonly used by attackers and researchers alike because it is easy to recognize when tracing data through memory - as a protocol marker of sorts.
Reference: http://vrt-blog.snort.org/2012/07/banking-trojan-spread-via-ups-phish.html
Snort SID: 23262
ClamAV: Trojan.Banker-8376

#4
Title: CVE-2012-2695 Ruby on Rails SQL Injection
Description: The Active Record component of Ruby on Rails does not properly handle certain types of nested query parameters (a hash or array arriving where the application expected a scalar), which allows SQL injection into applications that pass request parameters into Active Record query methods, even when developers believe they have sanitized input. Given the widespread use of this component, attacks in the wild are extremely likely, if not already occurring.
Reference: https://groups.google.com/forum/?fromgroups#!msg/rubyonrails-security/l4L0TEVAz1k/Vr84sD9B464J
Snort SID: 23213
ClamAV: N/A
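The following is an added example, not code from Rails or from the advisory, and it does not reproduce the exact Active Record code path that was patched. It is a simplified model of the class of bug: a hash-style query builder lets the *type* of a request parameter decide the shape of the SQL, so a nested parameter the developer never anticipated turns a value into structure. The parameter hashes are constructed to match roughly what Rack-style nested query parsing yields for the query strings in the comments; the table, column and query-builder functions are hypothetical.

```ruby
# Added example: a toy query builder, unsafe and hardened, fed the same
# request parameters. Not Active Record's implementation.
PARAMS_SCALAR = { "name" => "alice" }                   # ?name=alice
PARAMS_ARRAY  = { "name" => ["alice", "bob"] }          # ?name[]=alice&name[]=bob
PARAMS_HASH   = { "name" => { "id = 1 OR 1" => "x" } }  # ?name[id+%3D+1+OR+1]=x

# Stand-in for a value-quoting routine (real adapters quote per database).
def quote_value(v)
  "'" + v.to_s.gsub("'", "''") + "'"
end

# Unsafe shape: value types drive the SQL produced. A Hash is taken as
# {table => {column => value}} and its keys are pasted in as identifiers,
# so attacker-controlled keys land in the query text unquoted. Values are
# quoted correctly throughout; that is not where the problem is.
def where_sql_unsafe(table, conditions)
  clauses = conditions.flat_map do |col, val|
    case val
    when Hash  then val.map { |c, v| "#{col}.#{c} = #{quote_value(v)}" }
    when Array then "#{table}.#{col} IN (#{val.map { |v| quote_value(v) }.join(', ')})"
    else            "#{table}.#{col} = #{quote_value(val)}"
    end
  end
  "SELECT * FROM #{table} WHERE #{clauses.join(' AND ')}"
end

# Hardened shape: identifiers must match an allow-list pattern and values
# must be scalars, so a request can change a value but never the query's
# structure. Casting at the boundary (params[:name].to_s) achieves the
# same for a single parameter and is the usual application-side fix.
IDENT = /\A[a-z_][a-z0-9_]*\z/

def where_sql_safe(table, conditions)
  clauses = conditions.map do |col, val|
    raise ArgumentError, "bad identifier #{col.inspect}" unless col.to_s.match?(IDENT)
    raise ArgumentError, "scalar expected for #{col}, got #{val.class}" if val.is_a?(Hash) || val.is_a?(Array)
    "#{table}.#{col} = #{quote_value(val)}"
  end
  "SELECT * FROM #{table} WHERE #{clauses.join(' AND ')}"
end

if __FILE__ == $PROGRAM_NAME
  [PARAMS_SCALAR, PARAMS_ARRAY, PARAMS_HASH].each do |p|
    puts "unsafe: #{where_sql_unsafe('users', p)}"
    begin
      puts "safe:   #{where_sql_safe('users', p)}"
    rescue ArgumentError => e
      puts "safe:   rejected (#{e.message})"
    end
  end
end
```

The point to check in your own code is where a parameter is assumed to be a string: `params[:name]` can arrive as a string, an array or a hash depending only on the query string, and any query builder that branches on the value's type will faithfully build a different query for each.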

============================================================
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

#5
Blackhole exploit kit gets an upgrade: pseudo-random domains:
http://www.symantec.com/connect/blogs/blackhole-exploit-kit-gets-upgrade-pseudo-random-domains

#6
Google Mail hacking - Gmail Stored XSS:
http://benhayak.blogspot.co.il/2012/06/google-mail-hacking-gmail-stored-xss.html

#7
Cybercriminals launch managed SMS flooding services:
http://blog.webroot.com/2012/07/02/cyberciminals-launch-managed-sms-flooding-services/

#8
BoNeSi - the DDoS Botnet Simulator:
http://code.google.com/p/bonesi/

==========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2012-0124
Title: HP Data Protector Create New Folder Buffer Overflow
Vendor: HP
Description: Unspecified vulnerability in HP Data Protector Express (aka DPX) 5.0.00 before build 59287 and 6.0.00 before build 11974 allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2011-3478
Title: Symantec PcAnywhere 12.5.0 Login and Password Field Buffer Overflow
Vendor: Symantec
Description: The host-services component in Symantec pcAnywhere 12.5.x through 12.5.3, and IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), does not properly filter login and authentication data, which allows remote attackers to execute arbitrary code via a crafted session on TCP port 5631.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2012-0469
Title: Mozilla Use-after-free vulnerability in the "IDBKeyRange"
Vendor: Mozilla
Description: Use-after-free vulnerability in the mozilla::dom::indexedDB::IDBKeyRange::cycleCollection::Trace function in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 allows remote attackers to execute arbitrary code via vectors related to crafted IndexedDB data.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2012-1493
Title: F5 BIG-IP SSH Private Key Exposure
Vendor: F5 Networks Inc
Description: Remote exploitation of a configuration error vulnerability in multiple F5 Networks Inc. products could allow an attacker to gain escalated "root" privileges.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2012-0677
Title: Apple iTunes 10 Extended M3U Stack Buffer Overflow
Vendor: Apple
Description: Heap-based buffer overflow in Apple iTunes before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted .m3u playlist.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

=========================================================
MOST POPULAR MALWARE FILES 6/19/2012 - 6/26/2012:
COMPILED BY SOURCEFIRE

SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Malwr: http://malwr.com/analysis/bb74024a1d4e4808562c090980151653
Typical Filename: smona131831195112461260022
Claimed Product: -
Claimed Publisher: -

SHA 256: CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B
MD5: 7961a56c11ba303f20f6a59a506693ff
VirusTotal: https://www.virustotal.com/file/CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B/analysis/
Malwr: http://malwr.com/analysis/7961a56c11ba303f20f6a59a506693ff
Typical Filename: m3SrchMn.exe
Claimed Product: My Web Search Bar
Claimed Publisher: MyWebSearch.com

SHA 256: A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03
MD5: 8ac1e580cf274b3ca98124580e790706
VirusTotal: https://www.virustotal.com/file/A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03/analysis/
Malwr: http://malwr.com/analysis/8ac1e580cf274b3ca98124580e790706
Typical Filename: lpkjnn.sys
Claimed Product: -
Claimed Publisher: -

SHA 256: E2C3896C24FD45DD8092AF10DE84B1A4FAF4FC37A1E9772C56148FE982B44181
MD5: cce8aeb6b86e89280e703608eb252e62
VirusTotal: https://www.virustotal.com/file/E2C3896C24FD45DD8092AF10DE84B1A4FAF4FC37A1E9772C56148FE982B44181/analysis/
Malwr: http://malwr.com/analysis/cce8aeb6b86e89280e703608eb252e62
Typical Filename: M3SKPLAY.EXE
Claimed Product: My Web Search Skin Tools
Claimed Publisher: MyWebSearch.com

SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Malwr: http://malwr.com/analysis/bf31a8d79f704f488e3dbcb6eea3b3e3
Typical Filename: pspprn.sys
Claimed Product: -
Claimed Publisher: -

=============================================================

(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account