Learn practical cyber security skills during SANS 2021 - Live Online. Choose from 30+ courses and three types of NetWars!

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

August 1, 2013

@RISK: The Consensus Security Vulnerability Alert

Vol. 13, Num. 31

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.



MOST PREVALENT MALWARE FILES 7/23/2013 - 7/30/2013

TOP VULNERABILITY THIS WEEK: Microsoft announced the first-ever major update to its Microsoft Active Protections Program (MAPP) this week, dramatically expanding the list of potential members and providing several new levels of service in the process. The information-sharing program has been instrumental to high-quality detection for security vendors for years, and incident responders are the primary beneficiaries of the expansion.

******************** Sponsored By Bit9 *********************

Do you know if you are the target of an advanced threat or have unauthorized software in your organization? How can you trust what's running on your systems if you don't have answers to these questions? Download Bit9's Trust Assessment Tool to tell you exactly what is running on your system. Learn more /info/13657



- -- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.

- -- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013
7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!

- -- SANS Boston 2013 Boston, MA August 5-10, 2013
9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.

- -- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013
10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and APT: It is Time to Act.

- -- SANS Capital City 2013 Washington, DC September 3-8, 2013
6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers? http://www.sans.org/event/sans-capital-city-2013

- -- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013
50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.

- -- SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis. http://www.sans.org/event/baltimore-2013

- -- SANS Forensics Prague 2013Prague, Czech RepublicOctober 6-13 2013
SANS's European forensics summit and dedicated forensics training event. Four of SANS's most important forensics training courses and opportunities to network with leading digital forensics experts.

- -- SANS Dubai 2013Dubai, UAEOctober 26th - November 7th 2013
SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.

- -- Multi-week Live SANS training
Contact mentor@sans.org

- -- Looking for training in your own community?

- --Save on On-Demand training (30 full courses) - See samples at

Plus Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

********************** Sponsored Links: ********************

1) Jane Lute former Deputy Secretary of the DHS to keynote Critical Security Controls Summit! Register today http://www.sans.org/info/136577

2) In-depth, hands-on technical courses led by top SCADA experts. Industrial Control Systems Training in Washington DC http://www.sans.org/info/136582

3) WhatWorks Webcast: WhatWorks in Detecting and Blocking Advanced Threats at a Large Research Organization. Tuesday, August 06, 2013 at 1:00 PM EDT. http://www.sans.org/info/136587


Title: Microsoft announces major expansion of MAPP program
Description: For the first time since the inception of the Microsoft Active Protections Program (MAPP) in 2008, the firm is dramatically increasing its scope, with two new sub-programs designed to increase the number of people who can benefit from MAPP's information-sharing regime. The first, MAPP for Responders, will bring incident responders into the fold, with data focused on identifying and remediating live exploitation in the wild. The second, MAPP Scanner, is a cloud-based tool that will allow an even broader range of organizations to submit files they suspect might be exploiting a vulnerability in Microsoft software, with both information on known vulnerabilities and details of suspicious information being supplied in return. In addition, program benefits are being expanded for current MAPP members, which will be re-branded as MAPP for Security Vendors. This expansion of the program comes on the heels of its dramatic success over the last several years, helping to validate the strategy of open information-sharing among network defenders worldwide.
Snort SID: N/A
ClamAV: N/A

Title: Dovecot + Exim remote code execution attack spotted in the wild
Description: A trivially exploitable remote code execution vulnerability in the Dovecot mail server, when paired with Exim as a local delivery agent, was announced in May, with only a workaround being released to date. Recent notes from the ISC Storm Center show that the attack, which has several publicly available proofs of concept, is now being exploited in the wild. Administrators of these systems are urged to check their configurations and take appropriate mitigation immediately.
Snort SID: 27532
ClamAV: N/A

Title: Internet Explorer 9/10 information disclosure vulnerability
Description: In a post to the popular Full-Disclosure mailing list on Monday, an independent researcher provided information around a potential new Internet Explorer information disclosure vulnerability, which he claimed would be useful in bypassing ASLR. While confirmation of the vulnerability was pending as of the time of publication, and no signs of exploitation in the wild are available at this time, security researchers and incident responders should be paying close attention to systems they monitor until further information is released.
Snort SID: 27531
ClamAV: N/A

Title: Package using Android "Extra Field" vulnerability spotted in the wild
Description: Independent researcher Zhuowei Zang recently began distributing an APK on his Github site that used the recently disclosed "Extra Field" vulnerability in APK file parsing in order to gain root access on the Kobo Arc tablet. While his particular package contained no malicious code, and simply took advantage of system package permissions to install a superuser account, it shows how easy live exploitation of the vulnerability is, likely setting the stage for further use of it in the coming weeks.
Snort SID:
ClamAV: BC.Exploit.Andr.Extra_Field


Windows RT ARMv7-based shellcode development:

Styx cool exploit kit: one applet to exploit all vulnerabilities:

Spy agencies ban Lenovo PCs on security concerns:

MSI: the case of the invalid signature:

Security vendors: do no harm, heal thyself:

The evolution of Rovnix: private TCP/IP stacks:

Verizon announces Veris database - raw incident data:

Flush + Reload: a high resolution, low noise L3 cache side-channel attack:

Big poker player loses high-stakes Android scam game:

Haunted by the ghosts of ZeuS and DNSChanger:

Vulnerability disclosed all passwords of Barracuda Networks employees:

Advanced exploitation of Windows kernel privilege escalation / CVE-2013-3660: http://www.vupen.com/blog/20130723.Advanced_Exploitation_Windows_Kernel_Win32k_EoP_MS13-053.php

How I found my way into Instagram's Ganglia, and a bug with Facebook likes:

Dissecting a WordPress brute force attack:


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2013-3174
Title: Microsoft DirectShow GIF Parsing Memory Corruption Vulnerability
Vendor: Microsoft
Description: DirectShow in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 allows remote attackers to execute arbitrary code via a crafted GIF file, aka "DirectShow Arbitrary Memory Overwrite Vulnerability."
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-2251
Title: Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
Vendor: Apache
Description: Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-1017
Title: Apple Quicktime 7 Invalid Atom Length Buffer Overflow
Vendor: Apple
Description: Buffer overflow in Apple QuickTime before 7.7.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted dref atoms in a movie file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-3163
Title: Microsoft Internet Explorer CBlockElement Use-after-Free Vulnerability
Vendor: Microsoft
Description: Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3144 and CVE-2013-3151.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-2460
Title: Java Applet ProviderSkeleton Insecure Invoke Method
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "insufficient access checks" in the tracing component.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

MOST PREVALENT MALWARE FILES 7/23/2013 - 7/30/2013

SHA 256: CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B
MD5: 7961a56c11ba303f20f6a59a506693ff
VirusTotal: https://www.virustotal.com/file/CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B/analysis/
Typical Filename: C8A787C22000AE378610003396E67500D587FA4E.exe
Claimed Product: My Web Search Bar for Internet Explorer and FireFox
Claimed Publisher: MyWebSearch.com

SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Typical Filename:
Claimed Product:
Claimed Publisher:

SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Typical Filename: avz00001.dta
Claimed Product: avz00001.dta
Claimed Publisher: avz00001.dta

SHA 256: 9A09BCC1402050E371E13056B606BBDE8DF15CD87732B28C8BDDB863B1C65302
MD5: 923c4d13bee966654f4fe4a8945af0ae
VirusTotal: https://www.virustotal.com/file/9A09BCC1402050E371E13056B606BBDE8DF15CD87732B28C8BDDB863B1C65302/analysis/
Typical Filename: winoaox.exe
Claimed Product: winoaox.exe
Claimed Publisher: winoaox.exe

SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Typical Filename: bf31a8d79f704f488e3dbcb6eea3b3e3
Claimed Product: bf31a8d79f704f488e3dbcb6eea3b3e3
Claimed Publisher: bf31a8d79f704f488e3dbcb6eea3b3e3


(c) 2013. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account