Online Training Special Offer: iPad Air w/ Smart KB, Surface Go, or $300 Off

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

March 7, 2013

@RISK: The Consensus Security Vulnerability Alert

Vol. 13, Num. 10

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.



MOST POPULAR MALWARE FILES 2/26/2013 - 3/5/2013

TOP VULNERABILITY THIS WEEK: Network administrators were given another reason to disable Java across their enterprises this week, as another new Java 0-day was publicly disclosed last Friday. While the vulnerability had been used for targeted attacks, and a patch was released on Monday, it is likely to become widely exploited, particularly in exploit kits, over the next few weeks.



- -- SANS 2013 Orlando, FL March 8-March 15, 2013
47 courses. Bonus evening sessions include Please keep Your Brain Juice Off My Enigma: A True Story; InfoSec in the Financial World: War Stories and Lessons Learned; and Finding Unknown Malware.

- -- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013
8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.

- --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013
7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.

- --SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013
9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.

- --SANS Security West 2013 San Diego, CA May 7-May 16, 2013
32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.

- --Secure Canberra 2013 Canberra, Australia March 18-March 23, 2013
Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth.

- -- Critical Security Controls International Summit London, UK April 26-May 2 2013
Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.

- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013
Europe's only specialist pen test training and networking event. Five dedicated pen test courses and summit day.

- --Looking for training in your own community?

- --Save on On-Demand training (30 full courses) - See samples at

Plus Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live:

********************** Sponsored Link: *********************

1) Take the Mobile Application security Survey! Enter to Win an iPad!


Title: Fresh Java 0-day hits, Oracle releases patch
Description: Described as "Yet another Java 0-day" by the organization disclosing it, details emerged last Friday of a bug in the color management portion of Java applets that Oracle said was "easily exploitable" in the note it released on Monday to accompany its patches. Attacks in the wild have been targeted to date, and initially compromised sites were using C&C channels and malware samples associated to the recent Bit9 breach, suggesting a coordinated campaign by those using the exploit. Still, given the proliferation of exploit kits - including a new one announced Monday that uses nothing but Java vulnerabilities - it is only a matter of time before mass exploitation occurs, and users are urged to patch immediately.
Snort SID: 26025 26030
ClamAV: JAVA.Exploit.CVE_2013_1493 , WIN.Trojan.McRat

Title: MiniDuke malware targeting European governments, agencies
Description: A newly discovered piece of targeted malware dubbed "MiniDuke" has been using CVE-2013-0640 - a PDF vulnerability discovered in February - to drop particularly sneaky malware on European governments and their agencies at locations across the world. The malware uses Twitter to spread information about C&C channels, and authors left taunting clues inside their binaries, including a reference to the number 666 just before the decryption routine.
Snort SID: -
ClamAV: PDF.Exploit.CVE_2013_0640

Title: 0-day exploit in the wild for Japanese word processor Ichitaro
Description: Trend Micro recently discovered an exploit in the wild for popular Japanese word processing software Ichitaro. Similar to vulnerabilities in Microsoft Office discovered in 2011, the program used an improper path selection criteria for loading DLLs, and could easily be tricked into loading a malicious DLL and executing arbitrary code on the system. Patches for some versions of the software were made available on March 5, while fixes for other versions are scheduled for release on March 28.
Snort SID: 26070 26071 26072
ClamAV: Win.Exploit.CVE_2013_0707, Win.Trojan.Locati, Win.Trojan.Locati-1

Title: SAP NetWeaver remote code execution
Description: The SAP NetWeaver service is vulnerable to remote code execution via malformed messages taking advantage of the MSJ2EE_AddStatistics() function. Exploit code is publicly available, and attacks are presumed to be occurring in the wild. Users should patch their systems immediately.
Snort SID: 26073, 26074
ClamAV: N/A


New heapspray technique for Metasploit browser exploitation:

Oracle Java exploits and 0-days since 2012 - interactive timeline:

How much does it cost to buy 10,000 US-based malware-infected hosts?

Bound to fail: why cybersecurity risk cannot be "managed" away:

Finding hidden vHosts:

Debugging a debugger to debug a dump:

How mobile spammers verify the validity of harvested phone numbers:

Fixing XSS: A practical guide for developers:

Russian ransomware takes advantage of Windows Powershell:


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2013-1493
Title: Oracle Java SE JVM 2D Subcomponent Remote Code Execution Vulnerability (Oracle Security Alert for CVE-2013-1493)
Vendor: Oracle
Description: The color management (CMM) functionality in the 2D component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (crash) via an image with crafted raster parameters, which triggers (1) an out-of-bounds read or (2) memory corruption in the JVM, as exploited in the wild in February 2013.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2013-0431
Title: Java Applet JMX Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

ID: CVE-2013-0640, CVE-2013-0641
Title: Adobe Reader and Acrobat Unspecified Code Execution Vulnerability (APSB13-07)
Vendor: Adobe
Description: Unspecified vulnerability in Adobe Reader and Acrobat 9.x through 9.5.3, 10.x through 10.1.5, and 11.x through 11.0.1 allows remote attackers to execute arbitrary code via a crafted PDF document, as exploited in the wild in February 2013.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-0025
Title: Microsoft Internet Explorer SLayoutRun Use-After-Free (MS13-009)
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer SLayoutRun Use After Free Vulnerability."
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2012-3569
Title: VMWare OVF Tools Format String Vulnerability
Vendor: VMWare
Description: Format string vulnerability in VMware OVF Tool 2.1 on Windows, as used in VMware Workstation 8.x before 8.0.5, VMware Player 4.x before 4.0.5, and other products, allows user-assisted remote attackers to execute arbitrary code via a crafted OVF file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

MOST POPULAR MALWARE FILES 2/26/2013 - 3/5/2013:

SHA 256: 0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3
MD5: b3b9295385f4e74d023181e5a24f4d83
Typical Filename: Keygen.exe
Claimed Product: Keygen.exe
Claimed Publisher: Keygen.exe

SHA 256: 9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F
MD5: 3ff52cee72b936c56b4fbb9f970ece74
Typical Filename: wintdiyx.exe
Claimed Product: wintdiyx.exe
Claimed Publisher: wintdiyx.exe

SHA 256: B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3

Typical Filename: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Product: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Publisher: 573b6cc513e1b7cd9e35b491eacc38f3


(c) 2013. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit