- %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[numbers].exe (copy of original)
Ryzerlo ransomware poses as Pokemon game
QuadRooter - the flaw that can affect millions of Android devices
The vulnerabilities were found in the software drivers that ship with Qualcomm chipsets, so any Android device built on a Qualcomm chipset is affected; Check Point puts this at nearly 900 million smartphones and tablets.
The report by Check Point goes into the finer details of the vulnerabilities; below is a high-level description of each:
CVE-2016-2059:
The vulnerability is in ipc_router, a kernel module introduced by Qualcomm that provides inter-process communication; it allows a regular socket (CLIENT_PORT) to be converted into a monitoring socket (CONTROL_PORT).
CVE-2016-5340:
Ashmem is Android's memory-allocation subsystem that lets processes share memory buffers efficiently. Devices using Qualcomm chipsets run a modified version of ashmem, and the vulnerability is in one of the functions of that version.
An attacker can trick the get_ashmem_file function into treating an arbitrary file named "ashmem" as an ashmem file.
CVE-2016-2503 and CVE-2016-2504 are in Qualcomm's GPU component, the Kernel Graphics Support Layer (KGSL):
- CVE-2016-2503:
The Kernel Graphics Support Layer has a module, kgsl_sync, that is responsible for synchronization between the CPU and apps. A function within this module is prone to a race condition that can be exploited.
- CVE-2016-2504:
A user-space process can allocate memory and map it to the GPU, and in doing so create and destroy a kgsl_mem_entry, the object that represents a region of GPU memory. This object is bound to a process through the GPU mapping mechanism or the "idr" mechanism, but since no access protection is enforced, the object can be freed by another thread.
At the moment there are no known instances of malicious apps abusing these vulnerabilities in the wild. We will keep an eye on the Android landscape and provide protection against threats that exploit them.
Old browsers are still running behind your firewall
PHP TAR File Parsing Uninitialized Reference (CVE-2016-4343)
- PHP prior to 5.5.36
- PHP prior to 5.6.22
- PHP prior to 7.0.7
You Might Not Know You Are Still Using SSLv2.0
- Message authentication uses MD5. Most security-aware users have already moved away from any use of MD5.
- Handshake messages are not protected. This permits a man-in-the-middle to trick the client into picking a weaker cipher suite than it would normally choose.
- Message integrity and message encryption use the same key, which is a problem if the client and server negotiate a weak encryption algorithm.
- Sessions can be easily terminated. A man-in-the-middle can easily insert a TCP FIN to close the session, and the peer is unable to determine whether or not it was a legitimate end of the session.


NTP crypto-NAK DoS
Unpatched, critical Flash vulnerability being exploited in the wild
CVE-2016-4171
This vulnerability affects Flash Player on Windows, Macintosh, Linux and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe reports that the vulnerability is being exploited in limited, targeted attacks in the wild.
Adobe is aware of this vulnerability and expects to release a patch as early as June 16.
It is time to patch your security devices, and Adobe Flash as well, if you have not done so yet.
Source : SonicWall Security Center
Have a good time.
(Be knowledgeable, pass it on then)
Apache Struts Dynamic Method Invocation Remote Code Execution
- Apache Struts 2
Source : Dell SonicWall Security Center
GD Library Buffer Overflow
Microsoft (CVE-2016-0189) and Adobe (CVE-2016-4117) Zero day
Source : Dell SonicWall Security Center
Have a good time.
(Be knowledgeable, pass it on then)
Edge vs Internet Explorer 11


Solving HCL 7.1.59 installation error
"The virtualbox version is lower than the HCL needed."
My PC had VirtualBox version 5.0.16 installed, which is the latest at the time of writing this post.
Below is the method to work around this error.
Open the registry editor and go to HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox.
Then change the data value of Version and VersionExt to 4.2.18 and try to reinstall the Simulator.
You will see no more errors while installing it.
Do not forget to revert the registry values to the correct version data after the Simulator installation is done.
Have a good time.
(Be knowledgeable, pass it on then)
Jigsaw Ransomware spotted in the wild

- %APPDATA%\Roaming\Frfx\firefox.exe (copy of original) [Detected as GAV: Jigsaw.A (Trojan)]
The Trojan creates the following key in the Windows registry to enable startup after reboot:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "%APPDATA%\Roaming\Frfx\firefox.exe"
It displays the following iconic image and the message while encrypting the files:

Badlock: Windows SAM and LSAD Downgrade Vulnerability
- Microsoft: CVE-2016-0128
- Samba: CVE-2016-2118
The affected protocols are:
- Security Account Manager Remote Protocol (SAMR): provides management functionality for the user account store and for user/group directories.
- Local Security Authority (Domain Policy) Remote Protocol (LSAD): provides management of local security policy, including trusted domains, account rights and secret objects.
In addition to these, the following Samba protocols are susceptible to this vulnerability:
- Directory Replication Service Remote Protocol (DRSR): RPC protocol for replication and management of data in Active Directory.
- BackupKey Remote Protocol (BKRP): encrypts and decrypts sensitive data (such as cryptographic keys).
Petya Ransomware encrypts the MBR
Upon execution, Petya replaces the boot drive's MBR with a malicious loader and then crashes Windows. On reboot, it displays a fake CHKDSK screen.

The victim is then greeted with a flashing skull.

After pressing any key, the instructions on how to pay to get the data back are displayed.

At this point the victim is locked out of the machine, which is rendered useless; rebooting into Safe Mode is not possible either. Victims can reformat their computers but will obviously lose all of their data.
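Because Petya lives in the boot sector, the check worth having is a baseline of the MBR's bootstrap area taken from a known-clean machine, compared against the sector read later. The following is an added example written for this page (not SonicWall's or the malware's code): it parses a 512-byte MBR into its bootstrap-code hash, partition table and boot signature, and flags a changed loader while tolerating legitimate partition-table edits. The sample sectors are constructed here; the device paths in the read helper are illustrative.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOTSTRAP_SIZE = 446          # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
# One partition entry: status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> Dict:
    """Decode one MBR sector into bootstrap hash, partition list and signature state."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions: List[Dict] = []
    for i in range(4):
        status, ptype, lba_start, num_sectors = struct.unpack_from(
            _ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": num_sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        # Hash only the code area: partition edits are routine, loader changes are not.
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def bootstrap_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True when the loader code differs from the baseline taken on a clean system."""
    return parse_mbr(sector)["bootstrap_sha256"] != baseline_sha256


def read_first_sector(device_path: str) -> bytes:
    """Read sector 0 of a raw device, e.g. r'\\\\.\\PhysicalDrive0' (Windows, admin) or '/dev/sda' (Linux, root)."""
    with open(device_path, "rb") as device:
        return device.read(SECTOR_SIZE)


def _make_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample: given loader bytes plus one bootable NTFS partition starting at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    struct.pack_into(_ENTRY_FMT, sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 0x00100000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed fixtures: the clean loader and a replaced loader with an untouched partition table.
CLEAN_MBR = _make_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = _make_sample_mbr(b"\xeb\x00\x90" + b"constructed-loader")
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]
```

Take the baseline before the machine is exposed, store it off-host, and re-read the sector from a boot environment you trust; a loader that is already running can interfere with what a live read of the disk returns.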
Below are screenshots from the criminals' well-crafted website on the Tor (onion) network, where further instructions are given on how to submit payment in bitcoin. The group behind Petya appears to call itself "Janus Cybercrime Solutions" and demands 0.95865300 BTC, equivalent to about $395 at the current exchange rate.

Because of the prevalence of this type of malware, we urge our users to back up their files regularly.
It is also time to check for updates to your gateway security and endpoint security to prevent this threat!
Source : Dell SonicWall Security Center
Have a good time.
(Be knowledgeable, pass it on then)
Microsoft Windows Media arbitrary code execution (CVE-2016-0101)
The Microsoft Windows operating system provides Windows Media for playing audio and video and for viewing images. A remote attacker can entice a user to open a malicious media file, which can lead to remote code execution in the security context of that user.
Windows Media uses the MPEG-2 Transport Stream file format to store media and protocol data. The vulnerable dynamic library is MFDS, which contains a boundary error. The function MPEG2_PMT_SECTION::Parse() parses the descriptor array of the Program Map Table (PMT) carried in the packets of an MPEG2-TS file. It calculates the number of descriptor elements from the Elementary Info Length field (ES_info_length in the MPEG-2 specification) but does not validate that field properly; an attacker can supply a large value, which may lead to execution of arbitrary code in the user's context.
Unsuccessful attempts may lead to a denial of service.
This vulnerability affects the following products:
- Microsoft Windows 7
- Microsoft Windows 8.1
- Microsoft Windows RT 8.1
- Microsoft Windows 10
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
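To make the missing check concrete, here is an added PMT section parser written for this page (it is not Microsoft's MFDS code and does not reproduce it): every length field, including ES_info_length, is checked against the section bounds before it is used to walk the descriptor array, and the CRC_32 is verified last. The sample sections are constructed with the builder at the bottom; the PID and stream-type values are illustrative.

```python
import struct
from typing import Dict, List, Optional, Tuple

PMT_TABLE_ID = 0x02
MAX_SECTION_LENGTH = 1021  # ISO/IEC 13818-1 limit for a PMT section


class PmtError(ValueError):
    """Raised when a PMT section is structurally invalid."""


def crc32_mpeg2(data: bytes) -> int:
    """CRC-32/MPEG-2: poly 0x04C11DB7, init 0xFFFFFFFF, no reflection, no final XOR."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ 0x04C11DB7) if crc & 0x80000000 else (crc << 1)
            crc &= 0xFFFFFFFF
    return crc


def parse_descriptors(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split a descriptor loop into (tag, payload) pairs, refusing lengths that overrun it."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise PmtError("truncated descriptor header")
        tag, length = buf[pos], buf[pos + 1]
        if pos + 2 + length > len(buf):
            raise PmtError(f"descriptor 0x{tag:02x} length {length} overruns its loop")
        out.append((tag, buf[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return out


def parse_pmt(section: bytes) -> Dict:
    """Parse one PMT section, checking every length field against the section bounds."""
    if len(section) < 16 or section[0] != PMT_TABLE_ID:
        raise PmtError("not a PMT section")
    section_length = struct.unpack_from(">H", section, 1)[0] & 0x0FFF
    if section_length > MAX_SECTION_LENGTH or 3 + section_length > len(section):
        raise PmtError(f"section_length {section_length} is out of bounds")
    payload_end = 3 + section_length - 4  # CRC_32 occupies the last four bytes
    program_number = struct.unpack_from(">H", section, 3)[0]
    pcr_pid = struct.unpack_from(">H", section, 8)[0] & 0x1FFF
    program_info_length = struct.unpack_from(">H", section, 10)[0] & 0x0FFF
    pos = 12
    if pos + program_info_length > payload_end:
        raise PmtError("program_info_length exceeds section")
    program_descriptors = parse_descriptors(section[pos:pos + program_info_length])
    pos += program_info_length
    streams = []
    while pos < payload_end:
        if pos + 5 > payload_end:
            raise PmtError("truncated elementary stream entry")
        stream_type = section[pos]
        pid = struct.unpack_from(">H", section, pos + 1)[0] & 0x1FFF
        es_info_length = struct.unpack_from(">H", section, pos + 3)[0] & 0x0FFF
        pos += 5
        # The bound the vulnerable parser skipped: ES_info_length must fit inside the
        # section before it is used to size the descriptor array.
        if pos + es_info_length > payload_end:
            raise PmtError(f"ES_info_length {es_info_length} exceeds section at offset {pos}")
        streams.append({"stream_type": stream_type, "pid": pid,
                        "descriptors": parse_descriptors(section[pos:pos + es_info_length])})
        pos += es_info_length
    if crc32_mpeg2(section[:payload_end]) != struct.unpack_from(">I", section, payload_end)[0]:
        raise PmtError("CRC_32 mismatch")
    return {"program_number": program_number, "pcr_pid": pcr_pid,
            "program_descriptors": program_descriptors, "streams": streams}


def validate_pmt(section: bytes) -> Optional[str]:
    """None if the section parses cleanly, otherwise the reason it was rejected."""
    try:
        parse_pmt(section)
        return None
    except PmtError as exc:
        return str(exc)


def build_pmt(program_number: int, pcr_pid: int, streams, version: int = 0) -> bytes:
    """Assemble a well-formed PMT section; used here only to construct sample input."""
    body = struct.pack(">HBBBHH", program_number, 0xC0 | (version << 1) | 1, 0, 0,
                       0xE000 | pcr_pid, 0xF000)  # no program-level descriptors
    for stream_type, pid, es_info in streams:
        body += struct.pack(">BHH", stream_type, 0xE000 | pid, 0xF000 | len(es_info)) + es_info
    section = bytes([PMT_TABLE_ID]) + struct.pack(">H", 0xB000 | (len(body) + 4)) + body
    return section + struct.pack(">I", crc32_mpeg2(section))


# Constructed samples: H.264 video on PID 0x100 with an ISO 639 language descriptor, AAC audio on 0x101.
LANG_DESC = bytes([0x0A, 4]) + b"eng\x00"
GOOD_PMT = build_pmt(program_number=1, pcr_pid=0x100,
                     streams=[(0x1B, 0x100, LANG_DESC), (0x0F, 0x101, b"")])
# The same section with the first ES_info_length forced to the 12-bit maximum, as a crafted file would.
MALFORMED_PMT = bytearray(GOOD_PMT)
struct.pack_into(">H", MALFORMED_PMT, 15, 0xFFFF)
MALFORMED_PMT = bytes(MALFORMED_PMT)
```

The bounds checks run before the CRC check on purpose: a parser that trusts a length field to index memory can already be past the buffer by the time it reaches the checksum, so structural limits have to come first.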
Runouce Trojan with IRC bot spreads via .eml files
Infection Cycle:
The Trojan makes the following DNS queries:

The Trojan drops or modifies the following files:
- %USERPROFILE%\kuelio.exe
- %SYSTEM32%\runouce.exe ("runonce" with "n" changed to "u" (patched))
- %SYSTEM32%\runonce.exe (patched)
- %APPDATA%\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\readme.eml
- %APPDATA%\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\readme.eml
- %APPDATA%\Google\Chrome\User Data\Default\Extensions\enacoimjcgeinfnnnpajinjgmkahmfgb\0.65.0_0\readme.eml
- %APPDATA%\Google\Chrome\User Data\Default\Extensions\enacoimjcgeinfnnnpajinjgmkahmfgb\0.65.0_0\tabs\readme.eml
- %APPDATA%\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\readme.eml
- %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\0.54_0\readme.eml
- %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\0.54_0\changelogs\readme.eml
- %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\0.54_0\tabs\readme.eml
- %APPDATA%\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.1.1.0_0\html\readme.eml
- %USERPROFILE%\Local Settings\Temp\readme.eml
- %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\B4ZWX2C9\readme.eml
- %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\FATM9A7M\readme.eml
- %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\HE7GL0WO\readme.eml
- %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\MDJBB39W\readme.eml
- %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\1033\readme.eml
- %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\HTML\readme.eml
- %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\VS Runtime\1033\readme.eml
- %PROGRAMFILES%\Common Files\Microsoft Shared\Smart Tag\1033\readme.eml
- %PROGRAMFILES%\Common Files\Microsoft Shared\Stationery\readme.eml
- %PROGRAMFILES%\Common Files\System\ado\readme.eml
- %PROGRAMFILES%\Microsoft Office\Office12\readme.eml
- %PROGRAMFILES%\Microsoft Office\Office12\1033\readme.eml
- %PROGRAMFILES%\Microsoft Office\Office12\AccessWeb\readme.eml
- %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\readme.eml
- %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms3\readme.eml
- %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms4\readme.eml
- %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms5\readme.eml
- %PROGRAMFILES%\Microsoft Office\Stationery\1033\readme.eml
- %PROGRAMFILES%\Microsoft Office\Templates\12\MseNewFileItems\readme.eml
- %PROGRAMFILES%\NetMeeting\readme.eml
- %PROGRAMFILES%\WinRAR\readme.eml
- %PROGRAMFILES%\Wireshark\readme.eml
The Trojan adds the following registry keys to enable startup after reboot:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kuelio "%USERPROFILE%\kuelio.exe /y"
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Runouce "%SYSTEM32%\runouce.exe"
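Both the Jigsaw entry above (a copy of the ransomware named firefox.exe under %APPDATA%) and the Runouce entries (a binary in the user profile, and runouce.exe posing as runonce.exe) are the kind of Run-key persistence a quick audit should catch. The following is an added example written for this page, not code from SonicWall: it extracts the executable from each Run value, flags targets in user-writable locations and names one character away from well-known system binaries, and can read the live Run keys on a Windows host (it returns an empty list elsewhere). The sample entries are constructed from the indicators quoted above; the value name "firefox" for the Jigsaw entry is assumed, as the page does not show it, and the benign fourth entry is invented for contrast.

```python
import re
from typing import Dict, List, Tuple

# Locations a standard user can write to; a Run-key target living there deserves a look.
USER_WRITABLE_PREFIXES = ("%appdata%", "%localappdata%", "%userprofile%", "%temp%", "%tmp%", "%public%")
USER_WRITABLE_FRAGMENTS = ("\\appdata\\", "\\users\\public\\", "\\temp\\")
# System binaries whose names malware likes to imitate (runouce.exe mimics runonce.exe).
SYSTEM_BINARY_NAMES = ("runonce.exe", "svchost.exe", "explorer.exe", "lsass.exe",
                       "csrss.exe", "winlogon.exe", "rundll32.exe")
WINDOWS_DIR_PREFIXES = ("%system32%", "%systemroot%", "%windir%", "c:\\windows\\")

_EXE_RE = re.compile(r'^\s*"?\s*([^"]*?\.exe)\b', re.IGNORECASE)


def executable_from_command(command: str) -> str:
    """Pull the executable path out of a Run value such as '"C:\\x\\a.exe" /y' or 'C:\\x\\a.exe'."""
    match = _EXE_RE.match(command)
    return match.group(1).strip() if match else command.strip()


def one_char_off(name: str, reference: str) -> bool:
    """True when name differs from reference in exactly one position (runouce vs runonce)."""
    if len(name) != len(reference) or name == reference:
        return False
    return sum(a != b for a, b in zip(name, reference)) == 1


def audit_run_entry(hive: str, value_name: str, command: str) -> List[str]:
    """Return the reasons this autorun entry looks suspicious (empty list = nothing flagged)."""
    exe = executable_from_command(command).lower()
    base = exe.rsplit("\\", 1)[-1]
    reasons = []
    if exe.startswith(USER_WRITABLE_PREFIXES) or any(f in exe for f in USER_WRITABLE_FRAGMENTS):
        reasons.append("executable in user-writable location")
    for ref in SYSTEM_BINARY_NAMES:
        if one_char_off(base, ref):
            reasons.append(f"name '{base}' mimics system binary '{ref}'")
    if base in SYSTEM_BINARY_NAMES and not exe.startswith(WINDOWS_DIR_PREFIXES):
        reasons.append(f"system binary name '{base}' outside the Windows directory")
    return reasons


def audit_run_entries(entries) -> Dict[str, List[str]]:
    """Map each flagged entry ('HIVE\\value_name') to its list of reasons."""
    findings = {}
    for hive, value_name, command in entries:
        reasons = audit_run_entry(hive, value_name, command)
        if reasons:
            findings[f"{hive}\\{value_name}"] = reasons
    return findings


def collect_run_entries() -> List[Tuple[str, str, str]]:
    """Read HKCU and HKLM ...\\CurrentVersion\\Run on a live Windows host; [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                entries.append((hive_name, name, str(value)))
                index += 1
    return entries


# Constructed sample entries modelled on the indicators above, plus one benign (invented) entry.
SAMPLE_ENTRIES = [
    ("HKCU", "firefox", r'"%APPDATA%\Roaming\Frfx\firefox.exe"'),
    ("HKCU", "kuelio", r'"%USERPROFILE%\kuelio.exe /y"'),
    ("HKLM", "Runouce", r'"%SYSTEM32%\runouce.exe"'),
    ("HKLM", "SecurityHealth", r'%ProgramFiles%\Windows Defender\MSASCuiL.exe'),
]
```

On a real host run `audit_run_entries(collect_run_entries())`; a hit is a lead, not a verdict, so confirm with the file's hash and signature. The Startup folder entry quoted at the top of the page is the same class of persistence and should be swept with the same rules.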

NOTHING-6A527FE.eml and readme.eml are email files that contain an attachment called pp.exe :

Source: Dell SonicWall Security Center
Have a good time.
(Be knowledgeable, pass it on then)
Preventing DROWN Attack
A cross-protocol attack was discovered that can lead to decryption of TLS sessions by using a server that supports SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle.
Note that traffic between clients and a non-vulnerable server can still be decrypted, provided another server that supports SSLv2 and EXPORT ciphers (even one speaking a different protocol such as SMTP, IMAP or POP) shares the RSA key of the non-vulnerable server.
This vulnerability is known as DROWN.
It is tracked by CVE as CVE-2016-0800. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800)
So please patch your systems to prevent this attack if you have not done so yet.
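The practical question for both this post and the SSLv2 post above is whether any service that holds your RSA key still answers an SSLv2 handshake, and whether it offers the 40-bit EXPORT ciphers. Modern OpenSSL builds have dropped `s_client -ssl2`, so the following added example (written for this page, not part of SonicWall's advisory or the DROWN authors' tooling) builds the SSLv2 CLIENT-HELLO record by hand, parses the SERVER-HELLO, and classifies the result; the cipher-kind codes and record layout are those of the SSL 2.0 specification. The SERVER-HELLO fixtures are constructed rather than captured, and the certificate bytes in them are a placeholder, not real DER.

```python
import socket
import struct
from typing import Dict, Optional

# CIPHER-KIND codes from the SSL 2.0 specification (3 bytes each).
SSL2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
EXPORT_KINDS = {b"\x02\x00\x80", b"\x04\x00\x80"}  # the 40-bit EXPORT suites DROWN relies on
MSG_CLIENT_HELLO, MSG_SERVER_HELLO = 0x01, 0x04


def build_client_hello(challenge: bytes = bytes(16)) -> bytes:
    """SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind, in a 2-byte record header."""
    specs = b"".join(SSL2_CIPHER_KINDS)
    body = (bytes([MSG_CLIENT_HELLO]) + b"\x00\x02"           # CLIENT-VERSION = 2
            + struct.pack(">HHH", len(specs), 0, len(challenge))  # no session id
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body        # high bit set: no padding byte


def parse_server_hello(data: bytes) -> Optional[Dict]:
    """Decode an SSLv2 SERVER-HELLO; None if the bytes are not one (e.g. a TLS alert)."""
    if len(data) < 3:
        return None
    header = struct.unpack(">H", data[:2])[0]
    if header & 0x8000:                   # 2-byte header, 15-bit length, no padding
        length, offset = header & 0x7FFF, 2
    else:                                 # 3-byte header, 14-bit length, third byte = padding length
        length, offset = header & 0x3FFF, 3
    body = data[offset:offset + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    version = struct.unpack(">H", body[3:5])[0]
    cert_len, specs_len, conn_len = struct.unpack(">HHH", body[5:11])
    if specs_len % 3 or 11 + cert_len + specs_len + conn_len > len(body):
        return None                       # declared lengths do not fit the record
    cert = body[11:11 + cert_len]
    specs_start = 11 + cert_len
    kinds = [body[i:i + 3] for i in range(specs_start, specs_start + specs_len, 3)]
    return {
        "version": version,
        "session_id_hit": body[1] == 1,
        "certificate_der": cert,
        "cipher_kinds": [SSL2_CIPHER_KINDS.get(k, k.hex()) for k in kinds],
        "export_offered": any(k in EXPORT_KINDS for k in kinds),
    }


def drown_exposure(hello: Optional[Dict]) -> str:
    """Classify a parsed SERVER-HELLO the way a DROWN audit would."""
    if hello is None:
        return "no SSLv2"
    if hello["export_offered"]:
        return "SSLv2 with EXPORT ciphers: exposed to DROWN"
    return "SSLv2 enabled: disable it (attack variants against unpatched OpenSSL need no EXPORT ciphers)"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send one CLIENT-HELLO to host:port and classify the answer (network call; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return drown_exposure(parse_server_hello(data))


def _constructed_server_hello(kinds) -> bytes:
    """Build a SERVER-HELLO fixture (constructed, not captured from a real server)."""
    cert = b"\x30\x03\x02\x01\x01"        # placeholder bytes standing in for an X.509 certificate
    specs = b"".join(kinds)
    body = (bytes([MSG_SERVER_HELLO, 0, 1]) + b"\x00\x02"
            + struct.pack(">HHH", len(cert), len(specs), 16) + cert + specs + bytes(16))
    return struct.pack(">H", 0x8000 | len(body)) + body


EXPORT_SERVER_HELLO = _constructed_server_hello([b"\x01\x00\x80", b"\x02\x00\x80", b"\x04\x00\x80"])
NO_EXPORT_SERVER_HELLO = _constructed_server_hello([b"\x01\x00\x80", b"\x07\x00\xc0"])
TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"   # what a current server answers: TLS alert protocol_version
```

Run `probe()` against every port that presents the same certificate (443, 25 with STARTTLS aside, 465, 993, 995), because the second paragraph above is the part people miss: one forgotten mail daemon with SSLv2 left on is enough to expose the web server that shares its key.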
Have a good time.
(Be knowledgeable, pass it on then)
Oracle Application Testing Suite Directory Traversal Vulnerability
This vulnerability affects the following supported versions:
- Oracle Application Testing Suite 12.4.0.2
- Oracle Application Testing Suite 12.5.0.2
The vulnerability has been patched by the vendor; please find the details here. (http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html)
This vulnerability is tracked by CVE as CVE-2016-0484.
It is time to patch your security device to prevent this.
Have a good time.
(Be knowledgeable, pass it on then)
Microsoft NPS RADIUS DoS
To authenticate and authorize users, the RADIUS server (NPS) connects to a domain controller. For each incoming Access-Request message, Active Directory is queried for the user name; this involves establishing an LDAP connection and passing an LDAP query. The LDAP filter tests the user name for predefined special characters and normalizes them, except for the NUL character. If the user name string starts with a NUL character, the Active Directory domain controller returns an error value. Multiple such invalid requests cause the RADIUS server to disassociate from the domain controller, resulting in a denial of further requests.
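The failure described here is a normalizer that escapes the usual LDAP filter metacharacters but lets NUL through to the directory. The following is an added example written for this page, not Microsoft's NPS code: it shows an RFC 4515 filter escaper that handles NUL, a validator that rejects names containing NUL or other control characters before any LDAP round trip is spent, and a batch triage of RADIUS User-Name values. The attribute names in the filter (sAMAccountName, userPrincipalName) are an assumption about how the lookup is written; the sample user names are constructed.

```python
from typing import Iterable, List, Tuple

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


class InvalidUserName(ValueError):
    """Raised for a user name that must not reach the directory at all."""


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter, NUL included."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def lenient_normalize(value: str) -> str:
    """Normalizer in the style the advisory describes: metacharacters escaped, NUL passed through."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) if ch != "\x00" else ch for ch in value)


def validate_user_name(user_name: str, max_len: int = 256) -> str:
    """Reject names the backend cannot represent before any LDAP connection is used for them."""
    if not user_name:
        raise InvalidUserName("empty user name")
    if "\x00" in user_name:
        raise InvalidUserName("user name contains NUL")
    if len(user_name) > max_len:
        raise InvalidUserName("user name too long")
    if any(ord(ch) < 0x20 for ch in user_name):
        raise InvalidUserName("user name contains control characters")
    return user_name


def build_user_filter(user_name: str) -> str:
    """Account lookup filter (attribute names assumed); the value is validated, then escaped."""
    name = escape_filter_value(validate_user_name(user_name))
    return f"(&(objectClass=user)(|(sAMAccountName={name})(userPrincipalName={name})))"


def triage_access_requests(user_names: Iterable[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a batch of RADIUS User-Name values into filters to send and names rejected up front."""
    accepted, rejected = [], []
    for name in user_names:
        try:
            accepted.append(build_user_filter(name))
        except InvalidUserName as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


# Constructed sample User-Name values: two legitimate, one with a wildcard, two leading-NUL floods.
SAMPLE_USER_NAMES = ["alice", "bob@corp.example", "ad*min", "\x00\x00junk", "\x00flood"]
```

Rejecting at the RADIUS front door is the point: a request that is refused before the LDAP query is built costs nothing on the domain controller connection, so a flood of NUL-prefixed names cannot drive it into the error state the advisory describes.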
If you are aware of this and have not updated your IPS signatures yet, please do so quickly to protect your network.
Source : Dell SonicWALL Security Center