Archive for SANS

Microsoft December Patch Pre-Announcement, (Sat, Dec 7th)

Microsoft released its pre-announcement for the upcoming Patch Tuesday. The summary indicates 11 bulletins in total: 5 rated Critical, all addressing remote code execution, and 6 rated Important covering a mix of remote code execution, security feature bypass and elevation of privilege. The announcement is available here [1].

[1] http://technet.microsoft.com/en-us/security/bulletin/ms13-dec

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Suspected Active Rovnix Botnet Controller, (Sat, Dec 7th)

We have received information about a suspected Rovnix botnet controller currently using at least 2 domains (mashevserv[.]com and ericpotic[.]com) pointing to the same IP address of 37.9.53.126 (AS 44050).

This is the information we currently have available; it should help identify whether any hosts in your network are currently contacting this botnet:

  • mashevserv[.]com/config.php?version=[value here]&user=[value here]&server=[value here]&id=[value here]&crc=[value here]&aid=[value here] is where the compromised clients send an HTTP GET request when requesting a configuration file. If the correct values are supplied, the server returns an encrypted configuration file.
  • mashevserv[.]com/admin appears to be the admin console.
  • ericpotic[.]com/task.php has similar values appended to it, and when the GET request is made it appears to be some sort of check-in to tell the server the client is alive.
  • POSTs to ericpotic[.]com/data.php are used to exfiltrate data. All communications with the C&C are unencrypted over TCP 80.

It also appears this malware has very little detection. This is all we currently have. If you can recover samples either on the host or via packets and are willing to share them with us, you can upload them to our contact page.
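As an added example (not part of the ISC post), the indicators above turned into a small check over web-proxy logs: the `client method url` log format and the sample lines are constructed, while the domains, IP address, endpoints and query keys are the ones the diary lists.

```python
"""Flag clients whose proxy logs show the Rovnix C&C traffic the diary describes.
Added example; the `client method url` log format and sample lines are constructed."""
from urllib.parse import urlsplit, parse_qs

# Indicators from the diary: the two domains and the shared IP address.
C2_HOSTS = {"mashevserv.com", "ericpotic.com", "37.9.53.126"}
# Query keys the diary lists on the config.php request.
CONFIG_KEYS = {"version", "user", "server", "id", "crc", "aid"}
# (method, path) -> the role the diary assigns to that endpoint.
ENDPOINTS = {
    ("GET", "/config.php"): "config download",
    ("GET", "/task.php"): "check-in",
    ("POST", "/data.php"): "data exfiltration",
}

def classify(method, url):
    """Describe the request if it matches the diary's C&C pattern, else return None."""
    parts = urlsplit(url)
    if (parts.hostname or "") not in C2_HOSTS:
        return None
    role = ENDPOINTS.get((method.upper(), parts.path))
    if role is None:
        return "other traffic to C2 host"   # e.g. the /admin console
    if parts.path == "/config.php":
        # A full config request carries every key; note what a partial one lacks.
        missing = CONFIG_KEYS - set(parse_qs(parts.query))
        if missing:
            return "config download (missing keys: %s)" % ",".join(sorted(missing))
    return role

def scan(lines):
    """Return (client_ip, finding) for every log line that matches."""
    hits = []
    for line in lines:
        client, method, url = line.split()[:3]
        finding = classify(method, url)
        if finding:
            hits.append((client, finding))
    return hits

SAMPLE_LOG = [  # constructed proxy log lines: client method url
    "10.0.0.5 GET http://mashevserv.com/config.php?version=1&user=a&server=b&id=c&crc=d&aid=e",
    "10.0.0.7 GET http://ericpotic.com/task.php?version=1&user=a&id=c",
    "10.0.0.7 POST http://ericpotic.com/data.php",
    "10.0.0.9 GET http://www.example.com/index.html",
    "10.0.0.11 GET http://37.9.53.126/config.php?version=1",
]
```

Calling `scan(SAMPLE_LOG)` flags four of the five constructed lines; in practice, feed it lines exported from your proxy or IDS.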


[1] https://www.robtex.com/dns/mashevserv.com.html#graph
[2] https://www.robtex.com/dns/ericpotic.com.html#graph
[3] https://www.robtex.com/ip/37.9.53.126.html#whois
[4] http://www.xylibox.com/2013/10/reversible-rovnix-passwords.html

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


VMware ESX 4.x Security Advisory, (Fri, Dec 6th)

VMware released an ESX 4.1 update to third-party libraries. The complete advisory can be viewed here [1].

VMware also updated advisory VMSA-2013-0007 for ESX 4.0 and 4.1, covering a third-party update to the Service Console package sudo. Additional information on this update can be viewed here [2].

ESXi isn't affected by these updates.

[1] VMSA-2013-0015 http://www.vmware.com/security/advisories/VMSA-2013-0015.html
[2] VMSA-2013-0007.1 http://www.vmware.com/security/advisories/VMSA-2013-0007.html

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


facebook, gmail and twitter accounts breached, (Fri, Dec 6th)

Spiderlabs published an interesting article on this the other day. http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html

The list has now appeared on pastebin and is being sold for 0.05 bitcoins (last time I checked they had made about $600 so far).

If you haven't already, you may want to start looking at the strong authentication options for some of these services.

Mark H


Windows "Support" calls, (Fri, Dec 6th)

One of our readers received a "Microsoft Support" call, finally. It was too funny not to put up. Happy Friday!
 
"Finally(!), I got one of those unsolicited telephone calls from the "Windows Service Centre".
Caller-ID information showed 'unavailable'.
 
The first caller identified himself as 'Dadge Miller' (or something like that).
He said he was calling from Microsoft headquarters in California.
I said that I thought that their headquarters was in Redmond, Washington.
He said that Microsoft has offices worldwide.
OK, I'll buy that. 🙂
 
He said that Microsoft has detected computer-viruses on my computer.
After helping me find the Windows key on my keyboard, he said "press Windows key and R key at the same time".
Then, enter 'eventvwr' and click OK.
When 'Event Viewer' opened, he had me click the 'Application' tab, and said that all the "errors" and "warnings" represented computer-viruses.
OK, I'll buy that. 🙂
He had me minimize the window, and back to Windows-R.
Then, enter: www.support.me and click OK.
That launched Internet Explorer, redirecting to: https://secure.logmeinrescue.com/Customer/Code.aspx
He had me enter '702814' and click 'Start Download' and then 'Run'.
Instead, I clicked 'Save' for file: 'Support-LogMeInRescue.exe'.
At this point, I said that my anti-virus software had flagged the download as "unsafe" and that it had deleted the download.
He believed me.  🙂
He passed the telephone call to "Randy Roberts", his supervisor, with a Bangladeshi accent?!
Then, enter: www.support.me and click OK.
That launched Internet Explorer, redirecting to: https://secure.logmeinrescue.com/Customer/Code.aspx
He had me enter '352632' and click 'Start Download' and then 'Run'.
Again, I said that my anti-virus software had flagged the download.
Then, after a pause, he asked me if there was a Walmart nearby.
 
He offered me two levels of "support" — one year for 149 dollars (currency not specified) or lifetime for 249 dollars.
I chose the "lifetime" support.   🙂
He told me to go to Walmart, and say that I want to make a Moneygram Money Transfer, citing a "personal" reason.
Recipient name: Tapan Saha (over a dozen people by this name on LINKEDIN ! Lots on Facebook, too!)
Address: Nagaripur
City: Takerhat
Country: Bangladesh.
He said that Microsoft has contracted with this provider in Bangladesh.
He said that the fee will be $299 — $249 plus $50 for a technician to come to my home to fix my computer, if they cannot fix it over the telephone.
Nice bit of "up-selling".  🙂
 
I said that it would take me some time to get to Walmart, purchase the MoneyGram, and return home.
So, he agreed with my request to call at 1 PM local (70 minutes from the time we talked).
I have an appointment downtown at 1 PM — guaranteed not to be home at that time!
He said that Walmart will charge me $10 for the MoneyGram.
He confirmed my telephone-number, and gave me his: 727-498-0049,
and told me to ask for "Randy Roberts" if I called him.
 
They told me to turn my computer off before I went to Walmart.
 
While I was out, at my lunch-date, my voice-mail recorded 6 messages — all "empty" — two from "unavailable", two from a non-long-distance number, and two from Cincinnati (Ohio).
Obviously, they were spoofing the caller-ID information, repeatedly trying to contact me.
 
M


Dec OUCH! is out – "Securing Your New Tablet". Download & share with family/friends. www.securingthehuman.org/ouch, (Thu, Dec 5th)

The December issue of OUCH!, "Securing Your New Tablet", is out. Download it and share it with family and friends: www.securingthehuman.org/ouch


Updated Standards Part 2 – PCI DSS/PA DSS, (Thu, Dec 5th)

Last week the PCI Security Standards Council released the next versions of the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS), version 3.0. The standards are updated on a three-year cycle and are valid from the date of release. The previous version can still be used for certification until 31 December 2014, giving companies plenty of time to adjust to the new requirements.

The changes are mostly clarifications of the current requirements. A few have been combined and moved, but there really are no earth-shattering changes.

Unlike ISO 27001, there is a document of changes for each of the standards. These are available on the council's web site (www.pcisecuritystandards.org). One of the more visible changes is that the standard now provides, for each requirement, a guidance statement explaining why the requirement is important. The reporting requirements should be available in early 2014; these will provide insight into what documentation and evidence needs to be available when facing an assessment.
 
Mark H – Shearwater
