@RISK Newsletter for June 21, 2012
The consensus security vulnerability alert.
Vol. 12, Num. 25
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 6/6/2012 - 6/12/2012
Top Vulnerability this week: CVE-2012-1875 in Internet Explorer: patched
as of June 12, but Microsoft had already warned in the original advisory
of targeted attacks against the vulnerability. Since then a Metasploit
module has been released that makes the exploit accessible to a much
larger attacker base.
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Compromised WordPress Blogs Used For Active Phishing Campaigns
Description: WordPress is a popular blogging platform written in PHP.
There are numerous security issues in the software, particularly in the
many third-party plug-ins available for it. Several active phishing
campaigns have been observed recently using compromised WordPress
installations to host exploit kits.
Reference:
http://vrt-blog.snort.org/2012/06/compromised-wordpress-blogs-phishers.html
http://blog.trendmicro.com/compromised-wordpress-sites-drive-users-to-blackhole-exploit-kit
Snort SID: 21941, 23171
Title: CVE-2012-1889 Unpatched Microsoft XML Core Services Vulnerability
Description: A zero-day attack against the Microsoft XML Core Services
was released just after this month’s Patch Tuesday. Active exploitation
has been observed in the wild, including a Metasploit module that was
published on Friday, June 15. Users of Microsoft products, including
Internet Explorer and Office, are strongly urged to use Microsoft’s
Fix-It tool to mitigate the vulnerability pending a patch.
Reference:
http://technet.microsoft.com/en-us/security/advisory/2719615
Snort SID: 23142, 23143, 23144, 23145, 231426
ClamAV: Exploit.CVE_2012_1889-1 -> Exploit.CVE_2012_1889-10
Title: AV Bypass For Malicious PDFs Using XDP
Description: A controversy over responsible disclosure has erupted over
an antivirus evasion technique demonstrated this past weekend by
security researcher Brandon Dixon. The technique uses the XDP
specification, which allows PDF files to be wrapped in XML, to bypass
file type checking and evade multiple antivirus vendors. Dixon
discovered the technique while analyzing a live sample from the field,
so exploits using it are clearly in use by malicious actors today.
Reference:
http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp
Snort SID: 23166
ClamAV: PUA.Script.XDPBypass, PUA.Script.XDPBypass-1,
PUA.Script.XDPBypass-2, PUA.Script.XDPBypass-3
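The item above turns on the fact that a magic-number check sees an XML file while the real content is a base64-encoded PDF inside an XDP wrapper. The following added example (not code from the original newsletter or from the researcher it cites) shows the defender-side check: a naive type sniffer beside a scanner that decodes every <chunk> element and looks for a PDF header. The sample XDP is constructed, and the XDP namespace URIs are my assumption about Adobe's layout.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

PDF_MAGIC = re.compile(rb"%PDF-(\d\.\d)")

# Constructed sample, not a real XDP file: an XDP envelope whose <chunk>
# element carries a base64-encoded PDF header. The namespace URIs are an
# assumption about Adobe's XDP layout; the "PDF" is only a header fragment.
FAKE_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
SAMPLE_XDP = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
    b'  <pdf xmlns="http://ns.adobe.com/xdp/pdf/"><document><chunk>'
    + base64.b64encode(FAKE_PDF)
    + b"</chunk></document></pdf>\n</xdp:xdp>\n"
)


def naive_file_type(data: bytes) -> str:
    """A magic-number check of the kind the XDP wrapper slips past."""
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.lstrip().startswith(b"<"):
        return "xml"
    return "unknown"


def _chunk_texts(data: bytes):
    """Yield the text of every <chunk> element, ignoring XML namespaces."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Malformed XML still gets a regex pass so a broken wrapper is not a free pass.
        for m in re.finditer(rb"<chunk[^>]*>(.*?)</chunk>", data, re.S):
            yield m.group(1).decode("ascii", "ignore")
        return
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "chunk" and el.text:
            yield el.text


def find_embedded_pdfs(data: bytes) -> list:
    """Return one record per <chunk> whose base64 payload carries a PDF header."""
    hits = []
    for idx, text in enumerate(_chunk_texts(data)):
        try:
            payload = base64.b64decode("".join(text.split()), validate=True)
        except (binascii.Error, ValueError):
            continue
        m = PDF_MAGIC.search(payload[:1024])  # readers accept the header within 1024 bytes
        if m:
            hits.append({"chunk": idx, "pdf_version": m.group(1).decode(), "size": len(payload)})
    return hits
```

Running naive_file_type and find_embedded_pdfs over the same bytes shows the gap: the sniffer reports "xml" while the scanner reports an embedded PDF 1.4.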
Title: Fake Android Security App Is Zeus
Description: An Android application by the name of “Android Security
Suite Premium” has been linked to the Zeus malware family by researchers
at Kaspersky Labs. The malware includes functionality such as forwarding
all SMS messages received by the phone to a C&C server and other
information-stealing techniques. As this application was found outside
of the official Android market, users are encouraged to install
applications only from trusted sources.
Reference:
http://www.securelist.com/en/blog/208193604/Android_Security_Suite_Premium_New_ZitMo
Snort SID: 23173
ClamAV: Android.Zitmo
Title: Nuclear Pack Exploit Kit
Description: An exploit kit from Eastern Europe known as the Nuclear
Pack has been observed in active use in the wild recently. This kit was
used in a major attack on a Dutch web site in March, and has been
detected on other networks that Sourcefire monitors.
Reference:
http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/
Snort SID: 23157
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
Reliable exploitation of CVE-2012-1889:
http://hi.baidu.com/inking26/blog/item/9c2ab11c4784e5aa86d6b6c1.html
Old tricks, new targets:
http://blog.ioactive.com/2012/06/old-tricks-new-targets.html
“Everybody with an activated Terminal Server could also sign code as Microsoft”:
http://trailofbits.files.wordpress.com/2012/06/flame-md5.pdf
Simple Kung Fu grep for finding common web vulnerabilities & backdoor shells:
http://pentestlab.org/simple-kung-fu-grep-for-finding-common-web-vulnerabilities-backdoor-shells/
MOST POPULAR MALWARE FILES 6/6/2012 - 6/12/2012:
(Compiled by Sourcefire)