Ending Soon! Online Training Special Offer: Get iPad Pro w/ Smart Keyboard, HP ProBook, or $350 Off through July 24!

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

July 26, 2012

@RISK: The Consensus Security Vulnerability Alert

Vol. 12, Num. 30

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.



MOST POPULAR MALWARE FILES 7/17/2012 - 7/24/2012

TOP VULNERABILITY THIS WEEK: A trivially exploitable remote root vulnerability exists in the Kindle Touch built-in browser. Based on its support for the NPAPI, commands can be injected with root-level privileges with no authentication, simply by visiting a web page. Exploits are presumed to already exist in the wild.



- --SANS San Francisco 2012 San Francisco, CA July 30-August 6, 2012
8 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.

- --SANS Boston 2012 Boston, MA August 6-11, 2012
8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.

- --SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012

- --SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012
10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?

- --SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012

- --SANS Crystal City 2012 Arlington, VA September 6-11, 2012
6 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.

- --SANS Baltimore 2012 October 15-20, 2012
6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.

- --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012
45 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.

- --Looking for training in your own community?

- --Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Melbourne, Prague, Singapore, Dubai, and Seattle all in the next 90 days.

For a list of all upcoming events, on-line and live: www.sans.org


Title: Remote Root Exploit in Kindle Touch
Description: The built-in browser for the Kindle Touch integrates support for the Netscape Plugin API, a modern cross-browser scripting language. Unfortunately, it is implemented in such a way that it allows injection of commands into the browser with root privileges. While the API is poorly documented, and few public details about exploitation currently exist in the wild, exploits will be trivial to write and should be presumed to exist at this point.
Reference: http://vrt-blog.snort.org/2012/07/dont-panic.html
Snort SID: 23616, 23617
ClamAV: N/A

Title: Arbitrary Remote File Upload in Wordpress Invit0r Plugin
Description: The WordPress Invit0r plugin, which can be used to invite Yahoo contacts to visit your blog, has an arbitrary remote file include vulnerability. While it has been pulled from the official Wordpress plugins site, multiple public exploits exist and are being actively used in the wild. While this particular plugin is not especially notable, it highlights the ongoing challenge of securing Wordpress and other CMS systems, and the dangers created by such sites being exploited and used to host malware.
Reference: http://packetstormsecurity.org/files/113639/WordPress-Invit0r-0.22-Shell-Upload.html
Snort SID: 23484, 23485
ClamAV: N/A

Title: ZeroAccess Trojan Continues To Spread
Description: The ZeroAccess trojan/rootkit, a particularly nasty piece of malware that was first discovered in the wild in early 2012, is today considered by some to be one of the top threats to end-users in the wild. The Sourcefire VRT has been following this malware recently, and has new signatures for command-and-control traffic generated by infected systems. As this malware has been known to cause users to exceed bandwidth caps and be charged by their ISP directly, users both corporate and private are encouraged to check their systems for signs of infection regularly.
Reference: http://threatpost.com/en_us/blogs/report-bandwith-burning-malware-among-biggest-consumer-threats-071912
Snort SID: 23492, 23493
ClamAV: Trojan.ZeroAccess-1 - Trojan.ZeroAccess-693

Title: Use of XML Templates To Embed Malware In PDFs
Description: The Sourcefire VRT has received multiple reports of malicious PDFs being distributed in the wild that embed their malicious content inside of an XML tempalte within the PDF. After extensive testing across thousands of PDF files, both malicious and benign, the VRT has determined that the number of legitimate uses of this functionality in the field today is so low that detection of such documents generically is a useful way to detect new malware variants. As always, users are highly encouraged to keep their PDF parsing applications up-to-date at all times.
Reference: http://www.thebaskins.com/main/component/content/article/15-work/58-malicious-pdf-analysis-reverse-code-obfuscation
Snort SID: 23612
ClamAV: Exploit.PDF.Dropped-21, Exploit-JS.10


Inside VirusTotal's pants: VirusTotal += Behavioural Information

DoItQuick: Fast Domains for Dirty Deeds - Krebs on Security

New contact-stealing Android malware found in wild:

Calling all elite security experts: be among the first malware domain taggers:

How to root the Google Nexus 7:

Russian hacker battles Apple to keep in-app purchase exploit alive:

Online dating scam currently circulating in the wild:

Looking at mutex objects for malware discovery and indicators of compromise:


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2012-2974
Title: SMC SMC8024L2 Switch Web Interface Authentication Bypass
Vendor: SMC Networks
Description: The web interface on the SMC SMC8024L2 switch allows remote attackers to bypass authentication and obtain administrative access via a direct request to a .html file under (1) status/, (2) system/, (3) ports/, (4) trunks/, (5) vlans/, (6) qos/, (7) rstp/, (8) dot1x/, (9) security/, (10) igmps/, or (11) snmp/.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2012-2957
Title: Symantec Web Gateway LFI Remote ROOT RCE Exploit
Vendor: Symantec
Description: The management console in Symantec Web Gateway 5.0.x before allows local users to gain privileges by modifying files, related to a "file inclusion" issue.
CVSS v2 Base Score:4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)

ID: CVE-2012-0663
Title: Apple QuickTime TeXML Buffer Overflow Vulnerability
Vendor: Apple
Description: Multiple stack-based buffer overflows in Apple QuickTime before 7.7.2 on Windows allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TeXML file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2012-0664
Title: Apple QuickTime Heap Based Buffer Overflow Vulnerability
Vendor: Apple
Description: Heap-based buffer overflow in Apple QuickTime before 7.7.2 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted text track in a movie file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2012-1723
Title: Oracle Java SE Remote Code Execution Vulnerability / Blackhole Exploit Kit
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

MOST POPULAR MALWARE FILES 7/17/2012 - 7/24/2012:

SHA 256: 9A09BCC1402050E371E13056B606BBDE8DF15CD87732B28C8BDDB863B1C65302
MD5: 923c4d13bee966654f4fe4a8945af0ae
VirusTotal: https://www.virustotal.com/file/9A09BCC1402050E371E13056B606BBDE8DF15CD87732B28C8BDDB863B1C65302/analysis/
Malwr: http://malwr.com/analysis/923c4d13bee966654f4fe4a8945af0ae
Typical Filename:
Claimed Product: -
Claimed Publisher: -

SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Malwr: http://malwr.com/analysis/3291e1603715c47a23b60a8bf2ca73db
Typical Filename: 01.tmp
Claimed Product: -
Claimed Publisher: -

SHA 256: 358289754D01E20D564E39D79124AFA9BED4D35B3BC22F4E09210EC75E6461B2
MD5: b94b0c0efb6f33bddd2f16907a3a9cd1
VirusTotal: https://www.virustotal.com/file/358289754D01E20D564E39D79124AFA9BED4D35B3BC22F4E09210EC75E6461B2/analysis/
Malwr: http://malwr.com/analysis/b94b0c0efb6f33bddd2f16907a3a9cd1
Typical Filename: -
Claimed Product: Firefox
Claimed Publisher: Mozilla

SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Malwr: http://malwr.com/analysis/bf31a8d79f704f488e3dbcb6eea3b3e3
Typical Filename: -
Claimed Product: -
Claimed Publisher: -

SHA 256: D1857A4F3F2739FB64257A53D67F82800755ED4F4019DF760E5400DDAC42EFFA
MD5: 6d5483da06cb7b45f205c51d87eb6d1a
VirusTotal: https://www.virustotal.com/file/D1857A4F3F2739FB64257A53D67F82800755ED4F4019DF760E5400DDAC42EFFA/analysis/
Malwr: http://malwr.com/analysis/6d5483da06cb7b45f205c51d87eb6d1a
Typical Filename: -
Claimed Product: -
Claimed Publisher: -


(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account