New

VMSA-2013-0007

http://www.vmware.com/security/advisories/VMSA-2013-0007.html

Updated

VMSA 2013-0001

http://www.vmware.com/security/advisories/VMSA-2013-0001.html

VMSA 2013-0004

http://www.vmware.com/security/advisories/VMSA-2013-0004.html

Chris Mohan --- Internet Storm Center Handler on Duty

The Drupal security teams have identified a breach in the environment that has disclosed passwords.  As their notification here --> https://drupal.org/news/130529SecurityUpdate  states most of the passwords were salted and hashed, older passwords were not (although common practice is to store the salt value in the same table as the password, so that might not actually help much).  According to the update they are still investigating what else may have been accessed.  If you have one of those accounts happy password changing.  If you use that password anywhere else (and of course you don't) you might want to change that whilst you are at it.  

From the perspective of letting people know I must say I'm quite impressed.  They notified fairly early on, they provide some details of the incident, steps to take, actions they are taking.  From the breach notifications I have seen recently this is one of the more complete and useful ones.  

Cheers

Mark H

This is a guest diary by Basil Alawi

One of the challenges that face security administrators is deploying IDS in modern network infrastructure. Unlike hubs, switches doesn't forward every packet to every port in the switch. SPAN port or network TAPS can be used as a workaround in the switched environment.

Fortunately with Vmware ESX/ESXi infrastructure we can configure a group of ports to see all network traffic traversing the virtual switch.

"Promiscuous mode is a security policy which can be defined at the virtual switch or portgroup level in vSphere ESX/ESXi. A virtual machine, Service Console or VMkernel network interface in a portgroup which allows use of promiscuous mode can see all network traffic traversing the virtual switch".

By default promiscuous mode policy is set to reject.

To enable promiscuous mode:

1. Log into the ESXi/ESX host or vCenter Server using the vSphere Client.
2. Select the ESXi/ESX host in the inventory.
3. Click the Configuration tab.
4. In the Hardware section, click Networking.
5. Click Properties of the virtual switch for which you want to enable promiscuous mode.
6. Select the virtual switch or portgroup you wish to modify and click Edit.
7. Click the Security tab.
8. From the Promiscuous Mode dropdown menu, click Accept.

Performance issues:

Using VMXNET 3 vNIC will provide better performance enhancement than other vNIC types.(Figure 1)

Figure 1(VMXNET 3)

Reserving memory and CPU resources is highly recommended to make sure that the resource will be available when it’s needed. (Figure 2)

Figure 2(Reserved Memory)

The test lab setup

The test lab consists of Vmware ESXi , Kali Linux, Security Onion and Metaspoitable. ESXi  5.1 will be the host system and  Kali VM will be the attack server, while Metaspoitable will be  the victim and Security Onion will run the snort instance.(See Figure 3)

Figure 3 (Test Lab)

Test Lab Network Diagram

The Network Configuration

For this experiment the vswicth has been configured with two ports groups. Virtual Machines port group which the default promiscuous mode is set to the default value "Reject" .The second port group is Promiscuous which the promiscuous mode is set to "Accept" ( See Figure 4) 

Figure 4 (Vswitch Configuration)

The Security Onion has been configured with two network interfaces, eth0 for management with IP 192.168.207.12 and eth1 without IP address. eth0 is connect to the "VM Network" port group and eth1 is connected to the "Promiscuous" port group.

Testing Snort:

The first test is scanning the metaspoitable vm with NMAP by running and snort detected this attempted successfully. (Figure 5)

Figure 5 (Snort alerts for Nmap scans)

The second test is trying to brute forcing metaspoitable root password using hydra (Figure 6):

Figure 6  (Hydra brute force alerts)

The third attempt was using metasploit to exploit metaspoitable (See Figure 7).

Figure 7  (metasploit alerts)

Following is a guest post from TJ O'Connor, @ViolentPython, (http://www.linkedin.com/pub/tj-oconnor/43/37/81b), author of Violent Python  SANS Technical Institute graduate, and GSE .

We have seen today a big rise of incoming packets of what appears to be a SQL Slammer attacks. Some of the detected packets are:

We have seen a sustained rate in many nodes  inside AS13489 and AS27989 nodes of  about 25 Mbps. Some very old SQL servers have been compromised, but the Internet speed has been compromised and navigation it's very slow.

Have you seen something like this today on your AS? Let us know!

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

Volatility is a Python framework for performing memory forensics. If you haven't tried it yet I highly recommend it. The Volatility Month of Volatility Plugins II is on! As announced here: http://volatility-labs.blogspot.ca/2013/05/whats-happening-in-world-of-volatility.html Volatility 2.3 is entering beta and the second MoVP (Month of Volatility Plugins) has started and is actually in their second installment. Some very exciting new stuff:

1.1 - Mach-O Address Space
1.2 - VirtualBox ELF64 Core Dumps
1.3 - VMware Snapshot and Saved State Analysis
1.4 - New HPAK Address Space
1.5 - ARM Address Space (Volatility and Andriod / Mobile)
2.1 - RSA Private Keys and Certificates
2.2 - Unloaded Windows Kernel Modules

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule

In my day job I spend about 90% of my time on the red team, performing vulnerability assessment and penetration testing. The rest is spent on threat research, incident response, and digital forensics. Interacting with clients as a consultant I often hear what I term 'interesting' responses. When a penetration tester calls something interesting you should probably pay attention :)

The IDS only listens external to the firewall? SharePoint is directly exposed to the Internet? The WAF protects against attacks therefore we don't have to fix the application? The VMs are all physically on the same host? The DMZ and the internal VLAN are physically on the same switch? You don't bother with privilege escalation patches? All quite interesting.

One of the responses I have heard multiple times is that privilege escalation vulnerabilities are a low priority because they require the attacker have local access. Meaning that that would be very difficult to pull off, therefore we don't have to worry about it. This also assumes that every single account holder is 100% gruntled all of the time, and that nobody ever makes a mistake. Meaning that we can trust everyone who accesses our networks and applications. Which I also find to be 'interesting' :)

There are multiple types of privilege attacks. The first is privilege escalation, where someone who has valid credentials or means to access a network or application can raise their level of access to a more privileged level. Like getting root on a Unix system for example, or becoming Domain admin before lunch on day 1, or assuming a higher role within an application. Impersonation attacks are similar however they entail becoming a different user, often with the same level of privilege, but with way more money in their account :) which soon finds its way to a non-extradition treaty country.

If the major difference between a remote exploit and a local one is that a network connection is required for the former, and not for the latter, does this mean that local priv escalation attacks cannot be performed across the network? Actually no. If an attacker can gain access to a system through a client side exploit, they may then effectively become the local user, and escalate to local system. Local system priv on a Windows computer is just a hop, skip, and jump away from being Domain administrator.

In a recent discussion about the priority to be assigned to patch one comment was "It's only a privilege escalation!". Yes, you are correct, and that is an interesting statement was my response.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule

I find it sad that in times when people are facing disaster, many have died, others missing, and the survivors facing having lost everything that there are scumbags who will try to take advantage. Be very wary of any charity that is raising funds for victims of any disaster, particularly one that has not been around for very long. There are many legit charities, I would recommend sticking to ones you are already familiar with. The American Red Cross for example has been around for a long time, does amazing work, and is always in need of funding. They are just one example of a well established charity that does good work and is already involved in helping out in Moore, Oklahoma.

Routine monitoring of newly registered domain names shows a number of brand new ones that have words like Oklahoma, Moore, tornado, recovery, help, assistance, and similar. I am certain that a number are registered by well meaning people, however I am equally sure that many are fake or scams. It does not take long for any recent newsworthy topic to be the subject line of phishing, malware, and scammers.

Another handler remarked that the new trend seems to be crowd funding, hopefully the money raised will make its way to the charity where it belongs.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule

Trend Micro published a report last week on a spear-phishing emails campaign that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158).

This paper identified specific targets:

• Government ministries
• Technology companies
• Media outlets
• Academic research institutions
• Nongovernmental organizations

According to the report, "While we have yet to determine the campaign’s total number of victims, it appears that nearly 12,000 unique IP addresses spread over more than 100 countries were connected to two sets of command-and-control (C&C) infrastructures related to Safe.[1]" Another fact of interest is the author of the malware is probably a professional software developer that reused legitimate source code from an Internet services company. Based on the information collected, they found "One key indicator that can be used to detect this network communication is the user-agent, Fantasia."[1] Additional information is available in the report.

If you have collected some malware matching this description, we would be interested to get some samples. You can submit them via our contact form.

[1] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf
[2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

I put together a simple .deb package to install our DShield iptables client on Ubuntu. The package is our standard perl client to submit iptables logs, but it is pre-configured for Ubuntu 12.04 LTS. It will submit IPv4 as well as IPv6 logs. Please give it a try and let me know if you run into any issues. For details, see

http://isc.sans.edu/clients/ubuntu.html

use our contact form for feedback or send it directly to me at jullrich - at - sans.edu 

The client will install the perl script in /opt/dshield, and all configuration files in /etc/dshield. It will also add an hourly cron job to check /var/log/ufw.log for new logs and mail them to DShield. All parameters can still be further configured via /etc/dshield/dshield.cnf.

To submit logs, we recommend you setup an account. But if you would like to submit anonymous reports, just use "0" as userid.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

We're looking for any info or packets that target port 51616.   After witnessing a spike yesterday on his network and checking that our port data [1] corroborated his event, Andrew has written in asking what we know.    

The most useful snapshot of port activity can be seen in this graph image.  I ran the graphs as far back as 2006 and nothing more signifcant was illustrated.   The image below highlights yesterdays events as well as a more curious spike back in March.  These counts do not seem very significant at first look, but they could clearly be telling us something.   

So drop us a comment to share what you know.  We're interested to attribute this traffic to something useful.

[1] https://isc.sans.edu/port.html?port=51616

Currently, many public web sites that allow access via IPv6 do so via proxies. This is seen as the "quick fix", as it requires minimum changes to the site itself. As far as the web application is concerned, all incoming traffic is IPv4. 

The most obvious issue here is logging, in that the application only "sees" the proxies IP address, unless it inspects headers added by the proxy, which will no point to (unreadable?) IPv6 addresses.

But there is another issue: SSL Certificates. If only IPv6 connections are passed via the proxy, you will end up with two different certificate: One for the proxy, and one for the web application (or the IPv4 proxy). It may also happen that the IPv6 and IPv4 site are considered two different hosts on the web server, requiring distinct configurations.

For example, at this point, "www.socialsecurity.gov" uses two different certificates. One for IPv6 and one for IPv4. The IPv6 certifiate is expired, while the IPv4 certificate is valid. This is in particularly painful as some simple comand line tools, like "openssl s_client' are still not able to work over IPv6. For my test, I used gnutls-cli, which works similar to openssl s_client but supports IPv6.

Excerpt from the result:

gnutls-cli -p 443 --x509cafile /opt/local/share/ncat/ca-bundle.crt www.socialsecurity.gov
Processed 291 CA certificate(s).
Resolving 'www.socialsecurity.gov'...
Connecting to '2001:1930:c01::aaaa:443'...
[...]
- subject `C=US,ST=maryland,L=baltimore,O=social security administration,OU=diias,OU=Terms of use at www.verisign.com/rpa (c)05,CN=www.socialsecurity.gov', issuer `C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)10,CN=VeriSign Class 3 Secure Server CA - G3', RSA key 1024 bits, signed using RSA-SHA1, activated `2012-04-05 00:00:00 UTC', expires `2013-04-29 23:59:59 UTC', SHA-1 fingerprint `3286afd908f256947b396dbae88d37b111c9aaaf'
[...]
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate. 
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
	 

Next, lets try IPv4. A disadvantage of gnutls-cli is that you are not able to force an IPv4 connection, so I will just fall back to openssl here:

$ openssl s_client -connect www.socialsecurity.gov:443 -CAfile /opt/local/share/ncat/ca-bundle.crt
[....]
subject=/C=US/ST=maryland/L=baltimore/O=social security administration/OU=diias/OU=Terms of use at www.verisign.com/rpa (c)05/CN=www.socialsecurity.gov
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
[...]

$ openssl x509 -in /tmp/ssa.gov -text
[...]
Validity
        Not Before: Apr 22 00:00:00 2013 GMT
        Not After : Apr 30 23:59:59 2017 GMT
        Subject: C=US, ST=maryland, L=baltimore, O=social security administration, OU=diias, OU=Terms of use at www.verisign.com/rpa (c)05, CN=www.socialsecurity.gov

------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter

Like with .biz, I sometimes have the impression that .su and .cc could be sinkholed in their entirety, because the bad domains seem to vastly outnumber whatever (if any) good is running under these TLDs as well.

Earlier today, ISC reader Michael contacted us with information that several PCs on his network had started to communicate with iestats.cc, emstats.su, ehistats.su, e-protections.su and a couple other domains. I was pretty sure that I had seen the latter domain on an earlier occasion in a malware outbreak, but I couldn't find it in our records .. until I only searched for "e-protections", and found e-protections.cc. This domain had been implicated back in October 2012 in a malware spree that was linked to the nasty W32.Caphaw, a backdoor/information stealer. The similarity of the names was too much of a coincidence, and it meant bad news for Michael.

Looking at what was captured by some of our network sensors allowed to reconstruct a (partial) picture of the IPs and ASN's involved in today's malware wave

The host name portion for some of the domains looks like it is time dependent (incrementing ascii) whereas other domains use (apparently) random names like d3acofzi7hjft.e-protections.su. Name servers involved today include ns1.abercrombienfr.net (currently 199.68.199.178 - AS1426) and ns1.semi-spa.net (currently 91.227.220.104 - AS50300). I doubt the former has anything to do with the clothing store, the domain was created four months ago.

Closer inspection of Michael's PCs revealed that each infected box was apparently running a slightly different version of the EXE. Anti-Virus coverage is still thin (Virustotal) , but the Heuristics of some products seem to be catching on. This sample looks more like a ransomware trojan than Caphaw, but we'll know more once we analyze all the information gathered so far.

If you have information to add on this particular malware or the domains mentioned, please comment below, or use our contact form.

As an add-on to ISC Handler Lenny Zeltser's earlier diary on extracting certificates from signed Windows binaries, here's how to do the same on a Mac. Given that today's blog over at F-Secure documents a screenshot-taking Mac spyware that is signed with a developer ID, signed bad .apps might actually be more prevalent than expected.

To verify and extract signatures and certificates on an Apple .app, you can do (example Mail.app)

codesign -dvvvv --extract-certificates  /Applications/Mail.app

This will save the certificates in DER format, named codesign0, codesign1, etc. These can then be displayed as usual with OpenSSL

openssl x509 -inform DER -in codesign0 -text

Cisco TelePresence Supervisor MSE 8050 contains a vulnerability that may allow an unauthenticated, remote attacker to cause high CPU utilization and a reload of the affected system.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130515-mse

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

http://computer-forensics.sans.org/blog/2013/05/15/sans-eu-dfir-summit-in-prague-call-for-speakers-now-open/

The 4th annual Forensics and Incident Response Summit EU will take place on October 6-13 in Prague, one of the most historical European cities, in the context of the SANS Forensics Prague conference, the biggest Incident Response and Digital Forensics event in Europe to date.

The Summit will focus on high quality and extremely relevant content as well as panel discussions in Digital Forensics and Incident Response. In addition, we encourage you to take every opportunity to make the most of this event from attending the Summit to registering for one or more of the post-summit training classes taught by SANS' top-rated instructors and course authors. Additional events such as DFIR Netwars, evening talks and the SANS Community Night will be taking place during that week too. This event promises to bring together the leading minds in digital forensics and incident response in the EU, as well as many other practitioners from a wide cross section of industries and company sizes. You will be able to share with all of them your challenges and find out new solutions that work, techniques and approaches you didn't even know existed. Call for Speakers - Now Open The 4th annual Forensics and Incident Response Summit Call for Speakers is now open.

If you are interested in presenting or participating on a panel we are looking for user-presented case studies with communicable lessons. The Forensics Summit offers speakers opportunities for exposure and recognition as an industry leader. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

Benefits of Speaking

• Promotion of your speaking session and company recognition via the Forensic conference website and all printed materials
• Visibility via the Forensic post-conference presentation email link for many months following the conference
• Full conference badge to attend all Summit sessions
• Private speaker lunch

Submission Guidelines

• Title
• Author Name(s)
• Author Title
• Company
• Speaker Contact Information: Address, phone number, email address
• Biography
• Your biography should be approximately 160 words. You may include your current position, titles, areas of professional expertise, experience, awards, degrees, personal information, etc.
• Abstract
• The presentation abstract should outline your presentation and what attendees will learn. All content must be strictly educational.
• The presentation should be relevant to: Media Exploitation Analysts, Legal, Incident Response Teams, Security Operations and Law Enforcement professionals.

Speaking Options:

• Presentation: 45 minutes
• Question & Answer: 10-15 minutes Submit your submissions to callforpapers-prague@sans.org by June 15, 2013 with the subject "SANS DFIR Summit EU CFP 2013."

Thank you for your interest in presenting

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

A vulnerability was discovered using fuzzing in linux kernels 2.6.37 till 3.8.9. The vulenrability requires the kernel to be compiled with PERF_EVENTS, but unfortunately that seems the case for quite some linux distributions. CentOS even backported the vulnerability to 2.6.32.

Impact is local privilege escalation, and exploit code is readily available.

More information: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2094

Hat tip: James for sending us some pointers to this.

--
Swa Frantzen -- Section 66

Microsoft today also release security advisory 2846338 indicating that they have update their Malware Protection Engine (used in a varierty of their anti malware products) to fix a vulnerability in said engine where an attacker would be able to execute random code in the context of LocalSytem. Micorosft claims the vulnerability was publicly disclosed as a DoS.

CVE: CVE-2013-1346

--
Swa Frantzen -- Section 66

Adobe released their May 2013 Black Tueday bulletins:

--
Swa Frantzen -- Section 66

Mozilla decided to join the mayhem on Black Tuesday this month and released Firefox and Thunderbird.

This updates to:

• Firefox 21.0
• Firefox ESR 17.0.6
• Thunderbird 17.0.6
• Thunderbird ESR 17.0.6

Release notes:

https://www.mozilla.org/security/known-vulnerabilities/firefox.html

Security content o fthe updates:

• MFSA 2013-48 Memory corruption found using Address Sanitizer
  CVE-2013-1676, CVE-2013-1677, CVE-2013-1678, CVE-2013-1679, CVE-2013-1680 and CVE-2013-1681
• MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent
  CVE-2013-1675
• MFSA 2013-46 Use-after-free with video and onresize event
  CVE-2013-1674
• MFSA 2013-45 Mozilla Updater fails to update some Windows Registry entries
  CVE-2013-1673 and CVE-2012-1942
• MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service
  CVE-2013-1672
• MFSA 2013-43 File input control has access to full path
  CVE-2013-1671
• MFSA 2013-42 Privileged access for content level constructor
  CVE-2013-1670
• MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)
  CVE-2013-0801 and CVE-2013-1669

--
Swa Frantzen -- Section 66

Overview of the May 2013 Microsoft patches and their status.

--
Swa Frantzen -- Section 66

If you run an ssh server (especially if you still run it on the default port), you've no doubt had plenty of folks scan your machine and do password guessing attacks against it.  BTW, you'll never get in mine that way, I only allow public/private key authentication, but that is beside the point here.  I've done a couple of other reports analyzing passwords, and I really like pipal by Robin Wood for much of the analysis (you can grab it from here).  I've been running a kippo ssh honeypot for the day job for about 2 years and I've done a couple of reports on the password guesses for the ThreatTraq webcast, but then I discovered that in addition to firewall logs and the 404 logs, we also collect kippo logs here at the SANS Internet Storm Center.  Ooh, more data!!  If you'd like contribute, please grab https://isc.sans.edu/kipposcript.pl.  So, without further ado, here is what I've found in our kippo data (as of about 15 April 2013).  I should note here, though, that these are the guesses the bad guys are making.  They've developed their lists most likely based on what has worked for someone at some point, so they will be somewhat different from what you find in analyzing passwords from breaches like my analysis of last year's Yahoo breach.

The Basics

Total entries = 15415314
Total unique entries = 46840
 

The Results

Top 10 passwords
123456 = 167854 (1.09%)
password = 113640 (0.74%)
cacutza = 99492 (0.65%)
__--_-__-_ = 79153 (0.51%)
123 = 63557 (0.41%)
root = 61560 (0.4%)
1234 = 58103 (0.38%)
123456789 = 57270 (0.37%)
12345 = 53445 (0.35%)
test = 52231 (0.34%)

Okay, the first thing to note, is that the default password for kippo is 123456, so that may skew the above a bit.  The one I personally find most interesting is the 4th one, '__--_-__-_'.

Top 10 base words
password = 295354 (1.92%)
test = 192825 (1.25%)
pass = 127086 (0.82%)
root = 121704 (0.79%)
cacutza = 99492 (0.65%)
temp = 97145 (0.63%)
p@ssw0rd = 92650 (0.6%)
p4ssword = 88344 (0.57%)
changeme = 74842 (0.49%)
p4ssw0rd = 74329 (0.48%)

So, some variation on password (with or without substitutions).

Password length (count ordered)
6 = 2708563 (17.57%)
8 = 2275062 (14.76%)
7 = 1550776 (10.06%)
9 = 1394644 (9.05%)
10 = 1234997 (8.01%)
4 = 1143617 (7.42%)
5 = 1025693 (6.65%)
12 = 766462 (4.97%)
11 = 647696 (4.2%)
3 = 437702 (2.84%)

The password guesses varied in length from 1 (do people actually allow 1 character passwords?) to 70 characters in length.  The longest ones being shown below

56 = 4504 (0.03%)
57 = 180 (0.0%)
58 = 465 (0.0%)
60 = 17 (0.0%)
62 = 800 (0.01%)
63 = 69 (0.0%)
64 = 369 (0.0%)
70 = 9 (0.0%)
71 = 908 (0.01%)

The mix

One to six characters = 5463941 (35.44%)
One to eight characters = 9289779 (60.26%)
More than eight characters = 6125535 (39.74%)

Only lowercase alpha = 5126974 (33.26%)
Only uppercase alpha = 140773 (0.91%)
Only alpha = 5267747 (34.17%)
Only numeric = 1906165 (12.37%)

First capital last symbol = 135964 (0.88%)
First capital last number = 958843 (6.22%)

One to six characters = 5463941 (35.44%)
One to eight characters = 9289779 (60.26%)
More than eight characters = 6125535 (39.74%)

Only lowercase alpha = 5126974 (33.26%)
Only uppercase alpha = 140773 (0.91%)
Only alpha = 5267747 (34.17%)
Only numeric = 1906165 (12.37%)

First capital last symbol = 135964 (0.88%)
First capital last number = 958843 (6.22%)

Last digit
3 = 1621502 (10.52%)
1 = 1394507 (9.05%)
0 = 620126 (4.02%)
4 = 593100 (3.85%)
6 = 548727 (3.56%)
2 = 478758 (3.11%)
5 = 420699 (2.73%)
9 = 407320 (2.64%)
8 = 318715 (2.07%)
7 = 303304 (1.97%)

Last 3 digits (Top 10)
123 = 1156095 (7.5%)
456 = 380369 (2.47%)
234 = 340074 (2.21%)
345 = 234638 (1.52%)
321 = 212258 (1.38%)
789 = 192424 (1.25%)
678 = 166984 (1.08%)
567 = 154030 (1.0%)
001 = 146204 (0.95%)
111 = 91160 (0.59%)

Character sets
loweralpha: 5126974 (33.26%)
loweralphanum: 4803721 (31.16%)
numeric: 1906165 (12.37%)
loweralphaspecialnum: 803707 (5.21%)
mixedalphanum: 768137 (4.98%)
mixedalphaspecialnum: 641067 (4.16%)
loweralphaspecial: 344881 (2.24%)
upperalphanum: 181283 (1.18%)
mixedalpha: 151523 (0.98%)
special: 149786 (0.97%)
upperalpha: 140773 (0.91%)
upperalphaspecialnum: 133340 (0.86%)
mixedalphaspecial: 91536 (0.59%)
upperalphaspecial: 81044 (0.53%)
specialnum: 66165 (0.43%)

Character set ordering
allstring: 5419270 (35.16%)
othermask: 3833967 (24.87%)
stringdigit: 2622232 (17.01%)
alldigit: 1906165 (12.37%)
stringdigitstring: 478523 (3.1%)
digitstring: 446101 (2.89%)
stringspecial: 184687 (1.2%)
allspecial: 149786 (0.97%)
stringspecialstring: 117368 (0.76%)
digitstringdigit: 114141 (0.74%)
stringspecialdigit: 101918 (0.66%)
specialstring: 25205 (0.16%)
specialstringspecial: 15951 (0.1%)
 

Some final thoughts

Okay, there is some interesting stuff there and if you are interested in the pieces of the standard pipal report that I didn't include there, I've put the full report up on my handler page.  One of the other thing I took a look at was how many in the mix satisfy the standard definition of a "complex" password [lower case, upper case, digits, special characters] (choose 3) and length >= 8.  620413 (4.02%) of the passwords satisfy this definition of complex.  However, when you look at unique passwords, only 1286 (2.75% of the 46840 unique ones) are complex.  So, at least one takeaway is that the more complex you make your crucial passwords the less likely you are to fall victim to this type of password guessing attack.  Of course, 173 of those 1286 were some variation on 'password' with subsitutions or digits and/or special characters tacked on the end.  So, what do you think?  Is there some other aspect of the passwords that I should have looked at?  Let us know in the comment section below or via our contact form.

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

The opinions expressed here are strictly those of the author and do not necessarily represent those of SANS, the Internet Storm Center, the author's spouse, kids, or pets (except maybe the ornery cat).

Sometimes attackers digitally sign their malicious software. Examining properties of the signature helps malware analysts understand the context of the incident. Moreover, analysts could use the signature as an indicator of compromise. Here are some tips and tools for determining whether a suspicious Windows executable has been signed and for extracting the embedded signature in a Linux environment. We'll look at Pyew, Disitool and get a bit of help from OpenSSL.

Microsoft's Windows Authenticode Portable Executable Signature Format document explains that the signatures can be embedded "in a Windows PE file, in a location specified by the Certificate Table entry in Optional Header Data Directories." The location of the signature is stored within the PE header's OptionalHeader structure's Security field.

One way to determine whether the file contains an embedded signature is to use Pyew, which is a command-line hex editor/disassembler for malware analysis. After loading the sample into Pyew, you can look at the size of the IMAGE_DIRECTORY_ENTRY_SECURITY field. A non-zero value indicates that the file probably includes an embedded signature.To do this, load the PE file into Pyew and enter the command "pyew.pe.OPTIONAL_HEADER.DATA_DIRECTORY". Then look at the size of IMAGE_DIRECTORY_ENTRY_SECURITY as shown below:

In the Pyew output above, we see that the size of IMAGE_DIRECTORY_ENTRY_SECURITY is non-zero. This indicates that kiwi.exe probably includes an embedded signature.

Disitool provides another way of determining whether a PE file includes a signature. This tool, created by Didier Stevens, can delete, copy, extract and add signatures. If you attempt to extract a signature from a non-signed file, Disitool will tell you "source file not signed."

In the example below, we see that the file has been signed. The author of this malicious file seems to have used a stolen certificate to sign the specimen. Disitool's "extract" command pulled out the signature, so we can examine it.

Disitool saves the extracted certificate in the binary DER format. You can look at the strings embedded in the DER file to examine its contents. Even better, you can use the following OpenSSL command to convert the DER file into a more informative text file:

openssl pkcs7 -inform DER -print_certs -text -in INPUT_FILE > OUT_FILE

Knowing how to spot signed files and extract signature details can be helpful for malware and forensic analysts. On Windows, you can gather some of these details by right-clicking on the PE file and looking at its properties, as well as with the help of Microsoft's Sign Tool and Sigcheck tools. On Linux, you can accomplish this with the help of Pyew, Disitool and OpenSSL, which are installed on REMnux for your convenience.

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and Google+. He also writes a security blog.

Both Adobe and Microsoft released pre-anouncements for next week's patch Tuesday.

Microsoft is working on having a patch available for the Internet Explorer 8 0-day vulnerability. [1] There are two critical Internet Explorer patches, one specifically for Internet Explorer 8, and the other one for all current versions. The later (refered to as "Bulletin 1" by Microsoft) is likely the usual roll up patch. 

There are the only two critical bulletins next week. The rest covers "the usual" (Office, Windows, Lynx and Windows Essentials) and is rated important.

Adobe announced only one bulletin for Acrobat and PDF Reader. There is no patch scheduled for Cold Fusion at this point.

[1] http://blogs.technet.com/b/msrc/archive/2013/05/09/advance-notification-service-for-the-may-2013-security-bulletin-release.aspx
[2] http://technet.microsoft.com/en-us/security/bulletin/ms13-may
[3] http://www.adobe.com/support/security/bulletins/apsb13-15.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

You may have noticed that earlier today, I removed the flash player that we use to play audio files on our site. The trigger for this was a report that the particular flash player we use (an open source player usually used with Wordpress) is suscepible to cross site scripting [1][2]. Instead of upgrading to the newer (patched) version, we instead decided to remove the player. 

The other part of this is that pretty much all current browsers do have reasonable support for HTML 5 audio tags. We do offer our audio files, like the daily podcast, in MP3 as well as Ogg Vorbis format, which covers all major browsers. We also offer links to the direct files in case someone would like to play the files "offline" and we do offer via RSS feeds various MP3/Podcast players. 

So in short, the flash player wasn't worth maintaining. 

On the other hand, we will try to embrace some of the HTML5 features more as we move the site forward. The data will still be available in pretty much any browser (yup. ... lynx), but you will see our graphs and similar parts of the site take advantage of newer browser features to make it easier to navigate the data. For now, we still got a couple of flash movies on the site, but we are working on moving them either to youtube, or using our own (again HTML5 based) solution.

Big thanks to Rafay Baloch [3] for reporting the XSS vulnerability to us! 

Example exploit string to test your own player: player.swf ? playerID= \\%22))} catch(e){alert('Your%20cookies%20are%20mine%20now')} //    (remove spaces, but keep the // at the end)

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1464
[2] http://wordpress.org/extend/plugins/audio-player/
[3] http://rafayhackingarticles.net twitter @rafaybaloch

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

There's been a number of reports that Internet connectivity to Syria has been broken or disabled and there is no official word on what has caused this.

Google's Transparency Report page [1] displays the drop off and a more comprehensive report is on Umbrella labs blog [2]

[1]  http://www.google.com/transparencyreport/traffic/#expand=SY

[2] http://labs.umbrella.com/2013/05/07/breaking-news-traffic-from-syria-disappears-from-internet/   

Chris Mohan --- Internet Storm Center Handler on Duty

Today was yet another day with lots of compromised websites, some notable others less.

This morning, a reader wrote in to notify us that the county government website of a county in Georgia was compromised. Sure enough, it appeared to serve malicious javascript, launching the usual exploit kit Java exploit (zeroaccess was the readers guess, and I think he was right). With smaller sites/organizations like this, I usually try to give them a call, and in this case, was pretty quickly sent to a person who was responsible for the web site content. Sadly, I don't think this person had any basic understanding of exploit kits or web applications to understand most of what I tried to explain, but she knew someone to contact. As of right now, the web site *appears* to be "clean". Which gets me to the next point, some of the difficulties one encounters in notifying sites:

- Frequently, like in this case, the exploit only shows up on some pages, and not all the time. Sometimes you need to visit with a specific browser, sometimes it is random, or in other cases, the miscreant appears to filter out requests from "administrators" showing them the unaltered site

- It is very hard to NOT get people to go to the URL right away as you talk about it being dangerous. It was relatively early in the morning, and I forgot my usual introduction not to go the site, so sure enough, as I explain which page I noticed as "infected", the person at the phone responded "but it look normal"...

- In particular for small sites like this, the standard blocklists don't work. Virus Totals URL Scanner showed the site as "safe" . Kaspersky Anti Virus on one of my Mac's flagged the javascript with a generic exploit signature and prevented access.

FWIW: My guess is that the site was infected via the Wordpress plugin "Super Cache" which was installed on the site. This plugin had some recent vulnerabilities.

The other compromisse, that created a larger news response, was the compromise of wtop. com and federalnewsradio. com. Both sides are related to each other, so I consider them one compromise. The interesting response in this case was that the site blocked access from users running Internet Explorer, but let others in to the site. I didn't see any exploit code when I retrieved the site, but I am not sure if it is safe to assume that an exploit is only going to attack one particular browsers, the miscreant appears to filter out requests from "administrators" showing them the unaltered site.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

One of our readers, Jim, wrote in earlier today to say he has noticed an increase in "working" typo squatting over the last 2 months or so.  That is, he's seen users accidently surfing to them or being redirected there by some sort of malicious javascript trickery.  His question for us (and the rest of you) is, is this a local phenomenon or are the bad guys making more use of this tactic?  I'm not currently setup to monitor this type of activity, so I figured I'd ask our loyal readers.  Do you monitor your proxy and DNS logs for this type of activity and have you seen an increase?  Leave a comment below or our contact form to let us know.  Below are just a few examples of the domains he has seen.

Bogus domains include:

• audilble.com
• boatrader.com
• charleesschwab.com
• chsse.com
• cnnmonet.com
• dilymail.co.uk
• loanadminstration.com
• myunh.com
• nydailnews.com
• nydailynew.com
• nyeater.com
• nylottory.org

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Thanks to our reader Juha-Matti for pointing out that a Metasploit module was released to exploit the recent Internet Explorer 8 vulnerability. The vulnerability has also been assigned CVE-2013-1347.

Please let us know if you are running into exploits for this vulnerability.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Thanks to some readers Ken and Paul, we've been supplied with some Zero-Day reading.   The best I can skim in short notice on these stories that developed yesterday is that Microsoft is looking into claims of an IE 8 vulnerability. [1]    IE 6,7,9,10 are claimed to be unaffected.

I suggest the pendulum analogy because one article cites a US Government website was hacked [2] by way of a 'watering hole' attack to exploit [3] with what is now believed to be 'zero-day' but was originally thought to be exploited by a slightly modifed version of a well known trojan named 'Poison-Ivy'.[4]

Too many links, too little time.  There is a lot of good reading out there right now, leaving much to review as this issue develops.   So please share your comments and knowledge on this issue with us and our community as it develops.

[1] http://technet.microsoft.com/en-us/security/advisory/2847140
[2] http://labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/
[3] http://arstechnica.com/security/2013/05/internet-explorer-zero-day-exploit-targets-nuclear-weapons-researchers/
[4] http://www.invincea.com/2013/05/part-2-us-dept-labor-watering-hole-pushing-poison-ivy-via-ie8-zero-day/

-Kevin
--
ISC Handler on Duty

 

--

John Bambenek

bambenek \at\ gmail /dot/ com

Bambenek Consulting

As Johannes mentions in yesterday's ISC StormCast, the city of Schwerin in Germany apparently decided to throw 170 PCs into the trash, because cleaning them from a Conficker worm infestation was estimated at around 130'000 Euros, whereas the replacement of the old PCs had already been budgeted for at 150'000 Euros. Our recent discussion aside on whether a modern malware infection can actually be "cleaned" or if wiping and reinstallation from scratch is always called for, "the cost of cleaning up" is actually  relevant in either case. Schwerin's 130kEuro estimate amounts to about 1000$ per PC. The report doesn't say if this calculation includes lost productivity of the employee who has to wait for his/her computer to be returned from scrubbing, or if this is just for the cleaning/reinstall itself.

Some Google searches gave me a going rate between 79$ and 299$ for a malware clean-up on a single home user PC, and several of the providers mention explicitly that they offer a "fresh install" for a lower price than the cleanup, which is one more indication that "re-install" seems to become the norm.

My search didn't result in any decent figures for virus cleanup costs in a mid-to-large corporate environment though. Companies of a certain size are likely set up to automatically provision and install new computers, so a replacement/re-stage should be a standard process for them, and relatively quick and cost effective. If you have any figures on the actual cost of cleanup/restage in a larger organization, or know any recent studies that have analyzed this in some depth, please let us know.