Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-02-25 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Samba vulnerability - Remote Code Execution - (CVE-2015-0240)

Published: 2015-02-25
Last Updated: 2015-02-26 02:51:02 UTC
by Chris Mohan (Version: 1)
0 comment(s)

The Red Hat security team has released an advisory on a Samba vulnerability effecting Samba version 3.5.0 through 4.2.0rc4. "It can be exploited by a malicious Samba client, by sending specially-crafted packets to the Samba server. No authentication is required to exploit this flaw. It can result in remotely controlled execution of arbitrary code as root." [1]

A patch [2] has been released by the Samba team to address the vulnerability.


[1] https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/

[2] https://www.samba.org/samba/history/security.html

Chris Mohan --- Internet Storm Center Handler on Duty

Keywords:
0 comment(s)
ISC StormCast for Wednesday, February 25th 2015 http://isc.sans.edu/podcastdetail.html?id=4371

Copy.com Used to Distribute Crypto Ransomware

Published: 2015-02-25
Last Updated: 2015-02-25 01:04:23 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Thanks to Marco for sending us a sample of yet another piece of crypto-ransom malware. The file was retrieved after visiting a compromised site (www.my- sda24.com) . Interestingly, the malware itself was stored on copy.com. 

Copy.com is a cloud based file sharing service targeting corporate users. It is run by Barracuda, a company also known for its e-mail and web filtering products that protect users from just such malware. To its credit, Barracuda removed the malware within minutes of Marco finding it.

At least right now, detection for this sample is not great. According to Virustotal, 8 out of 57 virus engines identify the file as malicious [1]. A URL blacklist approach may identify the original site as malicious, but copy.com is unlikely to be blocked. It has become very popular for miscreants to store malicious files on cloud services, in particular if they offer free trial accounts. Not all of them are as fast as Barracuda in removing these files.

[1] https://www.virustotal.com/en/file/1473d1688a73b47d1a08dd591ffc5b5591860e3deb79a47aa35e987b2956adf4/analysis/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
3 comment(s)
Diary Archives