Register now for SANS Cyber Defense Initiative 2016 and save $400.

Newsletters: @RISK

@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

December 6, 2012
=============================================================

@RISK: The Consensus Security Vulnerability Alert

Vol. 12, Num. 49

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

=============================================================

CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 11/15/2012 - 11/21/2012
============================================================

TOP VULNERABILITY THIS WEEK: Multiple remotely exploitable 0-day attacks were released against MySQL this weekend, with proof of concept available for each issue. The bugs, which range from buffer overflows to user enumeration, are being actively exploited in the wild now, and no patches are available.

============================================================

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012
27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012
11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013
The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- --SANS Secure Singapore 2013 Singapore, Singapore February 25-March 2, 2013
6 courses.
http://www.sans.org/event/singapore-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/onCyberdemand/discounts.php#current

Plus Barcelona, Cairo, Anaheim, New Delhi, and Brussels all in the next 90 days.

For a list of all upcoming events, on-line and live: www.sans.org

********************* Sponsored Links: *********************

1) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/118965

2) Learn results of the SANS Survey on Application Security in the Enterprise with SANS instructor Frank Kim, Thur. Dec. 13, 1PM EDT: http://www.sans.org/info/118970

============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Multiple Remote 0-Day Attacks Against MySQL Databases
Description: A slew of remotely exploitable bugs in MySQL were released by security researcher KingCope on the Full-Disclosure mailing list over the weekend, with exploits including buffer overflows, user enumeration techniques, and denial-of-service attacks. As no patches are currently available, some of the issues target default configurations, and exploits are already circulating in the wild, system administrators are urged to lock down access to their database systems to only authorized users wherever possible as a mitigation until patches become available.
Reference:
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089025.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089027.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089023.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089022.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089026.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089024.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089020.html
Snort SID: 24897
ClamAV: N/A

Title: Dump of Syrian Ministry of Foreign Affairs' Email Reveals Targeted Malware
Description: After Anonymous published a dump of email from the Syrian Ministry of Foreign Affairs on the site "Par:AnoIA", researchers noted that a message sent on December 5, 2011 contained targeted malware, which entered the system via a PDF exploit using CVE-2010-0188. A similar attack has been used in targeted campaigns over the course of the last year, according to Kaspersky.
Reference:
http://vrt-blog.snort.org/2012/12/quarian.html
http://www.securelist.com/en/blog/774/A_Targeted_Attack_Against_The_Syrian_Ministry_of_Foreign_Affairs
http://par-anoia.net/releases.html#mofa
Snort SID: 24858, 24859
ClamAV: Win.Trojan.Quarian

Title: Windows AutoRun Malware Makes A Comeback
Description: Several security vendors have noted recently that malware known alternately as W32/Autorun or W32/Changeup - which spreads via the AutoRun feature on Windows when removable media is plugged into a system - - has been spreading again in the wild, after having been largely dormant this year. System administrators should disable the AutoRun feature wherever feasible, in addition to deploying AV and IDS signatures as appropriate.
Reference:
http://isc.sans.edu/diary.html?storyid=14584&rss
Snort SID: 17042 - 17044, 19290, 24842 - 24856, 24500
ClamAV: WIN.Trojan.Changeup

Title: Exploit Kit Market Continues To Expand
Description: New exploit kits are continuing to emerge in the wild, as that model of online criminal economics becomes more dominant by the day. Kits such as Sweet Orange and the Cool Exploit Kit, released within the last few months, are nowhere near as dominant as established players like Blackhole or Phoenix, but are equally dangerous, and network defenders need to be paying attention to them as well as the heavy hitters of the industry.
Reference:
http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html
http://malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html
Snort SID: 24837 - 24840, 24778 - 24784
ClamAV: N/A

============================================================
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Romanian hackers responsible for $30 million Australian credit card theft:
http://www.abc.net.au/news/2012-11-29/afp-uncovers-romanian-card-hacking-scheme/4397954

China Mafia-style hack drives California firm to brink:
http://www.bloomberg.com/news/2012-11-27/china-mafia-style-hack-attack-drives-california-firm-to-brink.html

Syria cut off from the Internet: http://www.renesys.com/blog/2012/11/syria-off-the-air.shtml

Angry Birds Star Wars SMS sender: http://www.gfi.com/blog/the-fail-is-strong-with-this-one-angry-birds-star-wars-android-sms-sender/

Forex site targeted: did cybercrooks find the weakest link in online money management? http://community.websense.com/blogs/securitylabs/archive/2012/11/28/Forex-website-targeted-_1320_-did-cybercrooks-find-the-weakest-link-in-online-money-management-services_3F00_-.aspx

Brute-force PHP session IDs in 8 minutes using Amazon's GPU farm: http://www.slideshare.net/DefconRussia/reutov-yunusov-nagibin-random-numbers-take-ii

Incident response with NTFS INDX buffers: https://www.mandiant.com/blog/archives/3560

=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: : Not Available
Title: SSH Tectia Authentication Bypass Remote
Vendor: SSH Communications
Description: A remote authentication bypass vulnerability was disclosed which affects the current Unix/Linux versions of Tectia SSH Server. The vulnerability exploits a bug in the SSH USERAUTH CHANGE REQUEST function.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

ID: : CVE-2012-5615
Title: MySQL Remote User Enumeration
Vendor: Oracle
Description: MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

ID: : CVE-2012-3752
Title: Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow
Vendor: Apple
Description: Multiple buffer overflows in Apple QuickTime before 7.7.3 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted style element in a QuickTime TeXML file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: : CVE-2012-4964
Title: Samsung Printer Firmware Contains A Backdoor Administrator Account
Vendor: Samsung
Description: Samsung printers contain a hardcoded account that could allow a remote attacker to take control of an affected device.
CVSS v2 Base Score: 9.0 (AV:N/AC:M/Au:N/C:C/I:C/A:P)

ID: : CVE-2012-4956
Title: Novell File Reporter Vulnerabilities
Vendor: Novell
Description: Heap-based buffer overflow in NFRAgent.exe in Novell File Reporter 1.0.2 allows remote attackers to execute arbitrary code via a large number of VOL elements in an SRS record.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

=========================================================
MOST PREVALENT MALWARE FILES 11/29/2012 - 12/5/2012:
COMPILED BY SOURCEFIRE

SHA256: 1dd140c8d5dd1c32294f31d1784ce3553af63a0d054a0bea9423b1978fcd693f
MD5:9e180cdfa4869b8dd15b7b06771c5838
VirusTotal: https://www.virustotal.com/file/1DD140C8D5DD1C32294F31D1784CE3553AF63A0D054A0BEA9423B1978FCD693F/analysis/
Typical Filename: -
Claim Product: -
Claim Publisher: -

SHA256: 611a1be1c5637480b0b8decc45f959ade2d73aa26a28a0fc70c6de050ed8f5a7
MD5: a273babaefcff8f5fe61992a54e3ef1d
VirusTotal: https://www.virustotal.com/file/611A1BE1C5637480B0B8DECC45F959ADE2D73AA26A28A0FC70C6DE050ED8F5A7/analysis/
Typical Filename: -
Claim Product: -
Claim Publisher: -

SHA256: a3a7b80ce839360b3f50206b7381827e6257c851010328ca8043e38ee970afbd
MD5: 4852bc9f12a0d9d4125ca3f91d93647b
VirusTotal: https://www.virustotal.com/file/A3A7B80CE839360B3F50206B7381827E6257C851010328CA8043E38EE970AFBD/analysis/
Typical Filename: GOLAYA-RUSSAKAYA.exe
Claim Product: -
Claim Publisher: -

SHA 256: b7b28e855b8c6225c605330760ff4dc407efc83f72f1a04e974a72189d0f1d96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3
VirusTotal: https://www.virustotal.com/file/B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96/analysis/
Typical Filename: winkgts.exe
Claimed Product: winkgts.exe
Claimed Publisher: winkgts.exe

SHA256: 04005e3b053e8f8465cf45fddf5856cd6ed67cbcaf908bd5eeaddd76785ca574
MD5: 0265A6D07D7D03E657B694ECEE310FA5
VirusTotal: https://www.virustotal.com/file/04005E3B053E8F8465CF45FDDF5856CD6ED67CBCAF908BD5EEADDD76785CA574/analysis/
Typical Filename: -
Claim Product: -
Claim Publisher: -

=============================================================

(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account