INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Analysis of RAR Exploit Files (CVE-2023-38831)
Published: 2023-08-28
Last Updated: 2023-08-28 07:44:29 UTC
by Didier Stevens (Version: 1)
My tool zipdump.py can be used to analyse the latest exploits of vulnerability CVE-2023-38831 in WinRAR.
The vulnerability is exploited with specially crafted ZIP files.
Here is the output of zipdump analyzing a PoC file I created...
What you want to look for is:
1. a folder whose name ends with a space character (" /")
2. a file with the same name as the folder (also ending with a space character)
3. a file inside folder 1 whose name starts with filename 2 followed by an extra extension, like .bat
When this ZIP file is opened with a vulnerable version of WinRAR, and file 2 is double-clicked, file 3 is extracted and executed...
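The three naming rules above can be checked from the central directory alone, without extracting anything. The script below is an added example written for this summary; it is not zipdump.py and not code from the diary. It reads entry names with Python's standard zipfile module and flags every (folder, decoy file, payload) triple that fits the layout, at any directory depth (the diary shows the root-level case). The entry lists at the top are constructed for illustration, and "invoice.pdf" is an assumed decoy name; the payload is matched on "decoy name plus anything extra", so extensions other than .bat are caught too.

```python
import sys
import zipfile

# Constructed entry lists (not taken from any real sample). The first mirrors
# the three-part layout described above; the second is an ordinary archive.
CONSTRUCTED_SUSPICIOUS_NAMES = [
    "invoice.pdf /",                  # 1: folder whose name ends with a space
    "invoice.pdf ",                   # 2: decoy file, same name as the folder
    "invoice.pdf /invoice.pdf .bat",  # 3: inside folder 1, name 2 plus .bat
    "readme.txt",
]
CONSTRUCTED_BENIGN_NAMES = [
    "docs/",
    "docs/invoice.pdf",
    "invoice.pdf",
    "notes /",              # a trailing-space folder on its own is not enough
    "notes /other.txt",
]


def _split_entries(names):
    """Return (folders, files): explicit directory entries plus every parent
    path implied by a file entry; files are the non-directory names."""
    folders, files = set(), []
    for name in names:
        name = name.replace("\\", "/")
        if name.endswith("/"):
            folders.add(name.rstrip("/"))
            continue
        files.append(name)
        parts = name.split("/")[:-1]
        for depth in range(1, len(parts) + 1):
            folders.add("/".join(parts[:depth]))
    return folders, files


def scan_names(names):
    """Flag (folder entry, decoy file, payload file) triples matching the
    CVE-2023-38831 layout. Works at any directory depth, not only the root."""
    folders, files = _split_entries(names)
    file_set = set(files)
    hits = []
    for folder in sorted(folders):
        if not folder.endswith(" "):
            continue                  # rule 1: folder name ends with a space
        if folder not in file_set:
            continue                  # rule 2: a file named exactly like the folder
        basename = folder.rsplit("/", 1)[-1]
        prefix = folder + "/"
        for f in files:
            if not f.startswith(prefix):
                continue
            inner = f[len(prefix):]
            if "/" in inner:
                continue              # only direct children of folder 1
            # rule 3: starts with the decoy's name (trailing space included)
            # and carries something extra after it, e.g. ".bat"
            if inner.startswith(basename) and len(inner) > len(basename):
                hits.append((folder + "/", folder, f))
    return hits


def scan_zip(path):
    """Read entry names from an archive on disk and scan them; the archive
    contents are never extracted."""
    with zipfile.ZipFile(path) as zf:
        return scan_names(zf.namelist())


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print("constructed sample:", scan_names(CONSTRUCTED_SUSPICIOUS_NAMES))
        print("benign sample:", scan_names(CONSTRUCTED_BENIGN_NAMES))
    for path in targets:
        for folder, decoy, payload in scan_zip(path):
            print(f"{path}: folder={folder!r} decoy={decoy!r} payload={payload!r}")
```

Run it with one or more archive paths to triage files from a mail gateway or sandbox; with no arguments it scans the two constructed lists. Only the names from the central directory are inspected, so the check is safe to run on untrusted archives and cheap enough to add to an ingestion pipeline.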
Read the full entry:
https://isc.sans.edu/diary/Analysis+of+RAR+Exploit+Files+CVE202338831/30164/
Python Malware Using Postgresql for C2 Communications
Published: 2023-08-25
Last Updated: 2023-08-25 08:54:25 UTC
by Xavier Mertens (Version: 1)
For modern malware, having access to its C2 (Command and control) is a crucial point. There are many ways to connect to a C2 server using tons of protocols, but today, HTTP remains very common because HTTP is allowed on most networks...
I found a malicious Python script that is pretty well obfuscated. The applied technique reduces its VT score to 6/60! It's based on a mix of Base64- and Hex-encoded data...
Read the full entry:
https://isc.sans.edu/diary/Python+Malware+Using+Postgresql+for+C2+Communications/30158/
Survival time for web sites
Published: 2023-08-29
Last Updated: 2023-08-29 08:35:20 UTC
by Bojan Zdrnja (Version: 1)
Many, many years ago we (SANS Internet Storm Center) published some interesting research about the survival time of new machines connected to the Internet. Back then, when Windows XP was the most popular operating system, it was enough to connect your new machine to the Internet to get compromised before you managed to download and install patches. Microsoft changed this with Windows XP SP2, which introduced the host-based firewall that was (finally) enabled by default, so a new user had a better chance of surviving the Internet.
We still collect and publish some information about survival time, and you can see that at https://isc.sans.edu/survivaltime.html.
Now, 20 years later, most of us do not have our workstations and laptops connected directly to the Internet; however, new web sites get installed and put (on the Internet) every second. I recently had to put several web sites up and was surprised at how fast certain scans happened, so I decided to do some tests on the survival time of new web sites.
Read the full entry:
https://isc.sans.edu/diary/Survival+time+for+web+sites/30170/