SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-10-28


Adobe Releases Surprise Shockwave Player Patch

Published: 2015-10-28
Last Updated: 2015-10-29 00:18:21 UTC
by Johannes Ullrich (Version: 1)

Adobe today released a surprise patch for Shockwave [1]. The patch fixes one vulnerability, CVE-2015-7649; Adobe's Shockwave Player on Windows and OS X is affected. The vulnerability is used in targeted exploits, and Adobe learned about it from Fortinet's Fortiguard Labs. The latest version of Shockwave Player is now 12.2.1.171, replacing version 12.2.0.162.

Update: We got an email from someone at Adobe stating this vulnerability has not yet been exploited in the wild. Our initial assessment was based on the priority rating of "1", which Adobe describes as "This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible. (for example, within 72 hours)." and the fact that Fortiguard is credited in the Advisory. Fortiguard does track exploitation attempts detected by Fortinet customers.


[1] https://helpx.adobe.com/security/products/shockwave/apsb15-26.html

---
Johannes B. Ullrich, Ph.D.


Victim of its own success and (ab)used by malwares

Published: 2015-10-28
Last Updated: 2015-10-28 14:26:12 UTC
by Xavier Mertens (Version: 1)

This morning, I faced an interesting case. We were notified that one of our computers was making potentially malicious HTTP requests. The malicious URL was: api.wipmania.com. We quickly checked and found that many hosts were sending requests to this API. It is a website hosted in France that provides geolocation services via a text/json/xml API. The usage is pretty quick and easy:

xavier@vps2$ curl http://api.wipmania.com/<ip_address>
BE

You provide an IP address and it returns its two-letter country code. They also provide a paid version with more features. We investigated further and found that one request was indeed made by a single host using a fake User-Agent.

GET / HTTP/1.1
Host: api.wipmania.com
User-Agent: Mozilla/4.0

We also found that Snort signatures exist for this online service:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Attempt To Wipmania"; flow:established,to_server; content:"Host|3A 20|api.wipmania.com|0d 0a|"; http_header; reference:md5,b318988249cd8e8629b4ef8a52760b65; classtype:policy-violation; sid:2014304; rev:3;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dorkbot GeoIP Lookup to wipmania"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|Host|3a| api.wipmania.com|0d 0a|"; http_header; depth:49; fast_pattern:31,18; classtype:trojan-activity; sid:2015800; rev:7;)
sid-msg.map:2015800 || ET TROJAN Dorkbot GeoIP Lookup to wipmania
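As an added example (not ISC or Emerging Threats code), the following Python models how those two rules decide on a raw request, assuming Snort's http_header buffer is the header block after the request line; the sample requests are constructed, not captured traffic.

```python
# Added example (not ISC or Emerging Threats code): a Python model of the two
# ET rules quoted above, applied to raw HTTP requests. Assumption: the
# http_header buffer is the header block after the request line.
CRLF = b"\r\n"
HOST_WIPMANIA = b"Host: api.wipmania.com" + CRLF                     # sid 2014304 content
DORKBOT_UA_HOST = b"User-Agent: Mozilla/4.0" + CRLF + HOST_WIPMANIA  # sid 2015800 content
DORKBOT_DEPTH = 49                                                   # depth:49 in sid 2015800
RULES = {2014304: "ET POLICY External IP Lookup Attempt To Wipmania",
         2015800: "ET TROJAN Dorkbot GeoIP Lookup to wipmania"}


def http_header_buffer(request: bytes) -> bytes:
    """Headers after the request line, up to and including the CRLF that
    precedes the blank line (assumed model of Snort's http_header buffer)."""
    first_line_end = request.find(CRLF)
    if first_line_end == -1:
        return b""
    headers = request[first_line_end + len(CRLF):]
    blank = headers.find(CRLF + CRLF)
    return headers if blank == -1 else headers[:blank + len(CRLF)]


def fired_sids(request: bytes) -> list[int]:
    """Return the rule sids that would fire on this request, in rule order."""
    hdr = http_header_buffer(request)
    hits = []
    # sid 2014304: any request carrying the API's Host header is a policy hit.
    if HOST_WIPMANIA in hdr:
        hits.append(2014304)
    # sid 2015800: depth:49 restricts the search to the first 49 bytes of the
    # header buffer, and the content is itself 49 bytes, so it only fires when
    # User-Agent: Mozilla/4.0 and Host: are the first two headers in that order.
    if DORKBOT_UA_HOST in hdr[:DORKBOT_DEPTH]:
        hits.append(2015800)
    return hits


# Constructed sample requests (not captured traffic).
DORKBOT = b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: api.wipmania.com\r\n\r\n"
CURL = (b"GET /203.0.113.7 HTTP/1.1\r\nHost: api.wipmania.com\r\n"
        b"User-Agent: curl/7.47.0\r\nAccept: */*\r\n\r\n")
REORDERED = (b"GET / HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0\r\n"
             b"Host: api.wipmania.com\r\n\r\n")
OTHER = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("dorkbot", DORKBOT), ("curl", CURL),
                      ("reordered", REORDERED), ("other", OTHER)]:
        print(name, [f"{sid} {RULES[sid]}" for sid in fired_sids(req)])
```

The legitimate curl lookup trips only the policy rule, while the diary's request with the fake User-Agent trips both, which is why the second rule is tagged as trojan activity rather than a policy violation.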

I found references to api.wipmania.com in the following malware families:

  • Dorkbot
  • Ruskill

VT reported 97 occurrences of the domain wipmania.com in malicious files: https://www.virustotal.com/intelligence/search/?query=wipmania.com

Conclusion: if you provide online services and they become popular, be careful not to be (ab)used by malware! It could affect your overall reputation and get you flagged or blocked in blacklists.

Xavier Mertens
ISC Handler - Freelance Security Consultant
