6 Days Left to Save $400 on Cyber Threat Intelligence Summit 2017

Newsletters: @RISK


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

August 2, 2012
=============================================================

@RISK: The Consensus Security Vulnerability Alert

Vol. 12, Num. 31

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

=============================================================

CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 7/25/2012 - 7/31/2012
============================================================

TOP VULNERABILITY THIS WEEK: Ubisoft, makers of popular video games for PCs, included a method to run arbitrary code inside of its Uplay DRM tool. Google researcher Tavis Ormandy this weekend discovered a way to exploit this via a web page with no authentication necessary. Exploits are presumed to exist in the wild.

******************** Sponsored By SANS ********************

Enter to win one of TWO $200 American Express Cards by taking SANS 2nd Survey on Mobility/BYOD Policy and Management.
http://www.sans.org/info/110960

Results released in October.
http://www.sans.org/info/110965

============================================================

TRAINING UPDATE

- --SANS Boston 2012 Boston, MA August 6-11, 2012
8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

- --SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012
http://www.sans.org/scada-sec-training-2012/

- --SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012
10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/

- --SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/

- --SANS Crystal City 2012 Arlington, VA September 6-11, 2012
6 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.
http://www.sans.org/crystal-city-2012/

- --SANS Baltimore 2012 October 15-20, 2012
6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

- --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012
45 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

- --SANS Seattle 2012 Seattle, WA October 14-19, 2012
6 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

- --SANS Chicago 2012Chicago, IL October 27-November 5, 2012
10 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Melbourne, Prague, Singapore, Dubai, and Johannesburg all in the next 90 days.

For a list of all upcoming events, on-line and live: www.sans.org

********************** Sponsored Link: *********************

1) Webinar presented by Ping Identity: My Name is....SCIM, 8/9/12 at 11:00 AM ET.
Register: http://www.sans.org/info/110970

============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Ubisoft Uplay DRM Backdoor
Description: Ubisoft S.A., makers of popular games such as Assassin's Creed, uses a DRM system called Uplay to combat piracy. Widely respected Google security engineer Tavis Ormandy discovered this weekend that the Uplay system is vulnerable to remote command execution via standard API calls that can be accessed through a web page, with no authentication required. While Ubisoft has issued an official patch, exploitation is trivial, and is likely to occur in the wild before users update their systems.
Reference: http://seclists.org/fulldisclosure/2012/Jul/375
http://www.slashgear.com/major-security-vulnerability-discovered-in-ubisoft-uplay-drm-30240879/
Snort SID: 23624
ClamAV: PUA.HTML.TROJAN

Title: Obfuscated Iframe Tags Being Used In Malvertising Campaigns
Description: The Sourcefire VRT has recently observed a pair of large campaigns in the wild, where malicious files are planted via advertising campaigns and/or SQL injections and then redirect users to Blackhole and other exploit kits. The first campaign's hallmark is an HTML iframe tag with positioning and sizing designed specifically to make it invisible to any browser on the planet; the second can be identified by the fact that the iframe tag is placed on the page before the doctype tag, which is illegal per WC3 specifications.
Reference: http://urlquery.net/report.php?id=90530
Snort SIDs: 23618, 23620
ClamAV: N/A

Title: RunForestRun Kit Infecting Plesk Panel Services, Improves Obfuscation Routines
Description: A malicious piece of software known as "RunForestRun" due to the structure of the URL used to contact command and control servers post-compromise, has been targeting the Plesk Panel control suite - a popular management interface for web hosting providers - since June. The kit was originally easily detectable due to static comment strings and other obvious indicators, but an update was released last week that uses a well-known and legitimate encoder routine to hide all malicious code. Based upon a study of samples in the field, the Sourcefire VRT has found a way to differentiate encoded RunForestRun files from legitimate encoded files, and will provide updated detection if the kit changes further.
Reference: http://blog.unmaskparasites.com/2012/07/26/runforestrun-now-encrypts-legitimate-js-files/
Snort SID: 23473, 23621
ClamAV: Exploit.JS.Obfuscation

Title: Olympics-Themed Phish Observed in the Wild
Description: As with any high-profile event, phishers are using the 2012 London Olympics to lure unsuspecting users into drop malware onto users throughout the world. The Sourcefire VRT has observed multiple campaigns, including one which uses an attached file that exploits CVE-2010-3333 (a stack overflow in Microsoft Office via RTF files), and another which uses the currently popular technique of compromised WordPress sites that lead to Blackhole exploit kits. While this specific campaign has a limited lifetime, users should be constantly on guard for any email related to recent news events.
Reference: http://vrt-blog.snort.org/2012/07/phishing-games.html
Snort SIDs: 21041, 21964, 22095, 22101, 22102, 23171
ClamAV: BC.Exploit.CVE_2010_3333

============================================================
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Android takeover with the swipe of a smartphone:
http://www.darkreading.com/mobile-security/167901113/security/vulnerabilities/240004387/android-takeover-with-the-swipe-of-a-smartphone.html

ELF metadata abuse to run arbitrary code before memory protections are loaded:
http://cs.dartmouth.edu/~bx/elf-bf-tools/slides/elf-defcon20.pdf

Email-based malware attacks, July 2012:
http://krebsonsecurity.com/2012/07/email-based-malware-attacks-july-2012/

How malware employs anti-debugging, anti-disassembly, and anti-virtualization technologies:
https://community.qualys.com/blogs/securitylabs/2012/07/30/how-malware-employs-anti-debugging-anti-disassembly-and-anti-virtualization-technologies

GPS spoofing:
http://erratasec.blogspot.com/2012/07/gps-spoofing.html

Easy local Windows kernel exploitation:
https://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernal_Slides.pdf

=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2010-3964
Title: Scrutinizer Default Password Security Bypass Vulnerability
Vendor: Plixer
Description: The MySQL component in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) 9.0.1.19899 and earlier has a default password of admin for the (1) scrutinizer and (2) scrutremote accounts, which allows remote attackers to execute arbitrary SQL commands via a TCP session.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

ID: CVE-2010-3964
Title: Microsoft Office SharePoint Server 2007 Remote Code Execution
Vendor: Microsoft
Description: Unrestricted file upload vulnerability in the Document Conversions Launcher Service in Microsoft Office SharePoint Server 2007 SP2, when the Document Conversions Load Balancer Service is enabled, allows remote attackers to execute arbitrary code via a crafted SOAP request to TCP port 8082, aka "Malformed Request Code Execution Vulnerability."
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

ID: : CVE-2012-2974
Title: SMC SMC8024L2 Switch Web Interface Authentication Bypass
Vendor: SMC Networks
Description: The web interface on the SMC SMC8024L2 switch allows remote attackers to bypass authentication and obtain administrative access via a direct request to a .html file under (1) status/, (2) system/, (3) ports/, (4) trunks/, (5) vlans/, (6) qos/, (7) rstp/, (8) dot1x/, (9) security/, (10) igmps/, or (11) snmp/.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: : CVE-2012-2957
Title: Symantec Web Gateway 5.0.3.18 LFI Remote ROOT RCE Exploit
Vendor: Symantec
Description: The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows local users to gain privileges by modifying files, related to a "file inclusion" issue.
CVSS v2 Base Score:4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)

ID: CVE-2012-1723
Title: Oracle Java SE Remote Code Execution Vulnerability / Blackhole Exploit Kit
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

=========================================================
MOST POPULAR MALWARE FILES 7/25/2012 - 7/31/2012:
COMPILED BY SOURCEFIRE

SHA 256: CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B
MD5: 7961a56c11ba303f20f6a59a506693ff
VirusTotal: https://www.virustotal.com/file/CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B/analysis/
Malwr: http://malwr.com/analysis/7961a56c11ba303f20f6a59a506693ff
Typical Filename: C8A787C22000AE378610003396E67500D587FA4E.exe
Claimed Product: My Web Search Bar for Internet Explorer and FireFox
Claimed Publisher: MyWebSearch.com

SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Malwr: http://malwr.com/analysis/25aa9bb549ecc7bb6100f8d179452508
Typical Filename: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Product: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin
Claimed Publisher: smona_df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c.bin

SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Malwr: http://malwr.com/analysis/3291e1603715c47a23b60a8bf2ca73db
Typical Filename: avz00001.dta
Claimed Product: avz00001.dta
Claimed Publisher: avz00001.dta

SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Malwr:
http://malwr.com/analysis/bf31a8d79f704f488e3dbcb6eea3b3e3
Typical Filename: bf31a8d79f704f488e3dbcb6eea3b3e3
Claimed Product: bf31a8d79f704f488e3dbcb6eea3b3e3
Claimed Publisher: bf31a8d79f704f488e3dbcb6eea3b3e3

SHA 256: 0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3
MD5: b3b9295385f4e74d023181e5a24f4d83
VirusTotal:
https://www.virustotal.com/file/0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3/analysis/
Malwr: http://malwr.com/analysis/b3b9295385f4e74d023181e5a24f4d83
Typical Filename: Keygen.exe
Claimed Product: Keygen.exe
Claimed Publisher: Keygen.exe

=============================================================

(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account