Get an 11" iPad Pro, Surface Go 2, or $300 Off with OnDemand Training

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

December 13, 2012

@RISK: The Consensus Security Vulnerability Alert

Vol. 12, Num. 50

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.



MOST POPULAR MALWARE FILES 12/6/2012 - 12/12/2012

TOP VULNERABILITY THIS WEEK: A theoretical implementation of a Tor-powered botnet described in a Reddit thread in April was discovered in the wild by researchers last week. Based on the wildly popular Zeus malware, this particular threat is designed for maximum evasion capabilities, and may prompt copycat bots using the widely deployed Tor anonymity software.



- --SANS Security East 2013 New Orleans, LA January 16-23, 2013
11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.

- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013
The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.

- --SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.

- --SANS 2013 Orlando, FL March 8-March 15, 2013
46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.

- --Looking for training in your own community?

- --Save on On-Demand training (30 full courses) - See samples at

Plus Anaheim, New Delhi, Brussels, and Johannesburg all in the next 90 days.
For a list of all upcoming events, on-line and live:

********************** Sponsored Link: *********************

1) Take the SANS Survey on the Security Practices of SCADA System
Operators and register to win an iPad!


Title: Tor-powered botnet jumps from a description on Reddit to reality
Description: After a popular Reddit thread in April of 2012 described how a botnet could be built using the Tor anonymizing proxy system, in order to reduce the likelihood of discovery and takedown, researchers with the Metasploit project discovered a modified Zeus binary that used Tor in a manner almost identical to what was discussed in the thread. While such an operation has been discussed in theory for years, including a 2010 Defcon talk on the subject, few, if any such botnets have been observed in the wild to date. The success of this particular botnet, however, is likely to spur imitators going forward.
Snort SID: 9324, 13696 - 13698, 16439 - 16442, 17917, 24169
ClamAV: Trojan.Spy.Zbot*, Trojan.Spy.Zeus*, Win.Trojan.Agent-20928

Title: ExploitHub site compromised, private exploit database stolen
Description: IDS and Antivirus testing firm NSS Labs, whose ExploitHub site was set up in 2010 as a marketplace for private exploits used (ostensibly) in penetration tests and other defense-validating scenarios, had that project's server compromised by the more black hat group 1337day, whose site offers a competing database of exploits. The compromise is likely to produce turmoil within the industry, public release of some of the ExploitHub bugs, and/or other related fallout. Additionally, it serves as a warning that even security vendors should be vigilant in securing their systems, as no one is immune to attack on improperly managed servers.
Snort SID: N/A
ClamAV: N/A

Title: Targeted malware using CVE-2012-0158 persists
Description: Multiple researchers have lately discovered new targeted attacks circulating in the wild that target CVE-2012-0158, an RTF file format vulnerability which was patched in April of this year. Thanks to their relatively simple format and the large number of sample exploits available in the wild, RTFs have been a favorite of targeted attackers in 2012, with targets ranging from Tibetan protesters to defense contractors worldwide.
Snort SID: 21797-21801,21896-21906,21937,20486,23305,24976
ClamAV: Win.Trojan.Agent

Title: Microsoft releases monthly patch update
Description: Microsoft released patches for vulnerabilities in a number of components this Tuesday. While none are known to have exploits currently circulating in the wild, several should be straightforward to exploit, including a new RTF vulnerability that is likely to be used in targeted attacks going forward. Users should, as usual, patch as soon as feasible.
Snort SID: 24956,24957-24970,24971,24972,24973,24974,24975
ClamAV: Win.Exploit.CVE_2012_1537, RTF.Exploit.CVE_2012_2539, BC.Exploit.CVE_2012-2556


A peek inside a cybercrime-friendly e-shop, part 5:

SHA1 weakness benefits password crackers:

Twitter and SMS spoofing:

A closer look at two big-time botmasters:

Uncovering the "new" Eurograbber: really 36 million EUR?

Nine out of ten hospitals lost personal data in last two years:

Command execution on MS SQL server using Powershell:

Hooked on mnemonics worked for me:

Anon on the run: How Commander X jumped bail and fled to Canada:


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: : CVE-2012-5975
Title: SSH Tectia Authentication Bypass Remote
Vendor: SSH Communications
Description: A remote authentication bypass vulnerability was disclosed which affects the current Unix/Linux versions of Tectia SSH Server. The vulnerability exploits a bug in the SSH USERAUTH CHANGE REQUEST function.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

ID: : CVE-2012-5615
Title: MySQL Remote User Enumeration
Vendor: Oracle
Description: MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

ID: : CVE-2012-4964
Title: Samsung Printer Firmware Contains A Backdoor Administrator Account
Vendor: Samsung
Description: Samsung printers contain a hardcoded account that could allow a remote attacker to take control of an affected device.
CVSS v2 Base Score: 9.0 (AV:N/AC:M/Au:N/C:C/I:C/A:P)

ID: : CVE-2012-6066
Title: FreeFTPD /FreeSSHD Remote Authentication Security Bypass Vulnerability
Vendor: freesshd
Description: freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: : CVE-2012-5611
Title: Oracle MySQL Server Command Processing Buffer Overflow Vulnerability
Vendor: Oracle
Description: Stack-based buffer overflow in MySQL 5.5.19, 5.1.53, and possibly other versions, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

MOST PREVALENT MALWARE FILES 12/6/2012 - 12/12/2012:

SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
Typical Filename: File_0_2.ok
Claimed Product: File_0_2.ok
Claimed Publisher: File_0_2.ok

SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
Typical Filename: 3291e1603715c47a23b60a8bf2ca73db
Claimed Product: 3291e1603715c47a23b60a8bf2ca73db
Claimed Publisher: 3291e1603715c47a23b60a8bf2ca73db

SHA 256: 0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3
MD5: b3b9295385f4e74d023181e5a24f4d83
Typical Filename: Keygen.exe
Claimed Product: Keygen.exe
Claimed Publisher: Keygen.exe

MD5: f869010b28721110d7343f39ec3b6d60
Typical Filename: f3PSSavr.scr.vir
Claimed Product: Popular Screensavers
Claimed Publisher:

SHA 256: 409C8907E5074F9040A4F569180E7A3945FE2A8DB8070AD5C3961BBE6DFF34D1
MD5: 4faeae17485c16d6c131d02b0f54d61f
Typical Filename: VideoDownloadConvert.exe
Claimed Product: VideoDownloadConvert.exe
Claimed Publisher: VideoDownloadConvert.exe


(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit