Home » Archives for 2016

Ryzerlo ransomware poses as Pokemon game

in - on 6:22 PM - 1 comment
The Dell SonicWall Threats Research team has received reports of a new Ransomware Trojan, Ryzerlo which encrypts the victim's files and leaves an email address to be contacted to unlock victim's files.
Infection cycle:
The Trojan comes across as Pokemon Go game with the icon
Once the victim installs the executable, the trojan adds the some changes to the registry.
The Trojan adds two autostart objects to enable startup after reboot:
  • %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[numbers].exe (copy of original)
It tries to connect to the C&C server and then the trojan encrypts all the victims documents with extensions * .txt, * .rtf, * .doc, * .pdf, * .mht, * .docx, * .xls, * .xlsx, * .ppt, * .pptx, * .odt, * .jpg, *. png, * .csv, * .sql, * .mdb, * .sln, * .php, * .asp, * .aspx, * .html, * .xml, * .psd, * .htm, * .gif, * .png with .locked extension. 
The trojan creates the following two files on the victim's desktop. One include random text and another one include email address to contact.
We urge our users to always be vigilant and cautious with any unsolicited attachments specially if you are not certain of the source. If you are responsible for your system and network security, it's time to patch your security devices.

Source : Dell SonicWall Center

Have a nice day.
(Be knowledgeable, pass it on then)


Read more
Labels:

QuadRooter - the flaw that can affect millions of Android devices

in - on 6:32 PM - No comments
A set of 4 critical Android vulnerabilities were recently published by CheckPoint. Successful exploitation of any of these exploits can give the attacker root privileges on the affected device. It is possible for an attacker to construct a malicious app that triggers these exploits with no need for special privileges making these vulnerabilities extremely dangerous. 

The vulnerabilities were found in the software drivers that accompany Qualcomm chipsets. Thereby any Android device using Qualcomm chipset is vulnerable, this counts to nearly 900 million smartphones and tablets.

The report by CheckPoint goes into the finer details about the vulnerabilities but below is a high level description of the same:

CVE-2016-2059:
The vulnerability is present in a kernel module introduced by Qualcomm called ipc_router that provides inter-process communication where it is possible to convert a regular socket (CLIENT_PORT) into a monitoring socket (CONTROL_PORT).

CVE-2016-5340:
Ashmem is Android's memory allocation sybsystem that enables processes to efficiently share memory buffers. Devices using Qualcomm chipsets use a modified version of ashmem, the vulnerability is in one of the functions in this version of ashmem.
Attackers can trick get_ashmem_file function to think that an arbitrary file called "ashmem" is actually an ashmem file.

CVE-2016-2503 and CVE-2106-2504 are related to Qualcomm's GPU component Kernel Graphics Support Layer:

  • CVE-2016-2503:
    One of the GPU components - Kernel graphic Support Layer - has a module kgsl_sync that is responsible for syncing between CPU and the apps. Within this module is a function that is prone to race condition flaw that can be exploited
  • CVE-2016-2504:
    A user space process can allocate and map memory to GPU, thereby it can create/destroy kgsl_mem_entry which represents an object that uses GPU memory. This object is bound to a process using GPU mapping mechanism or the "idr" mechanism. But since there is no access protection enforced, this object can be freed by another thread.

The report states that Qualcomm has released patches to OEM's (Original Equipment Manufacturers) and the open source community between April and end of July. Google has confirmed that its Verify Apps feature already blocks QuadRooter exploit.

At the moment there are no instances of malicious apps misusing these vulnerabilities in the wild. We will keep an eye on the Android landscape and provide protection against threats that exploit these vulnerabilities.

Source : Dell SonicWall Security Center

Have a good time.
(Be knowledgeable, pass it on then)
Read more
Labels:

Old browsers are still running behind your firewall

in - on 6:24 PM - 4 comments
On January 12th 2016, Microsoft announced it will stop supporting older versions of Internet Explorer.

It means from now on, Internet Explorer 10 and prior will not get security updates. However many people are still using older versions of Internet Explorer, and it has become a potential threat.

In July 2016, Dell SonicWALL observed that:
- 0.7% of firewalls reported use of Internet Explorer 5.x.
- 60.6% of firewalls reported use of Internet Explorer 6.x.
- 71.1% of firewalls reported use of Internet Explorer 7.x.
- 22.4% of firewalls reported use of Internet Explorer 8.x.
- 24.3% of firewalls reported use of Internet Explorer 9.x.
- 31.5% of firewalls reported use of Internet Explorer 10.x.

Unpatched Internet Explorer is insecure and can damage the system. So, we, ICT For Myanmar would like to urges all our customers to review their environment and stop using Internet Explorer 10 and prior.

Source : Dell SonicWall Security Center

Have a good time.

(Be knowledgeable, pass it on then)
Read more
Labels:

PHP TAR File Parsing Uninitialized Reference (CVE-2016-4343)

in - on 6:06 PM - No comments
A remote, unauthenticated vulnerability exists in PHP. The vulnerability allows an attacker to execute arbitrary code on the web server. CVE-2016-4343 is assigned to this vulnerability.
PHP is a server-side scripting language designed for web development but also used as a general-purpose programming language. PHP code may be embedded into HTML code, or it can be used in combination with various web template systems, web content management systems and web frameworks.
A remote code execution vulnerability exists in PHP due to lack of proper sanitation when parsing TAR files. It fails to properly validate the values inside the headers found in the file. This allows a remote attacker to create malicious TAR files to cause the vulnerable server to execute code.
The following versions of PHP are vulnerable:
  • PHP prior to 5.5.36
  • PHP prior to 5.6.22
  • PHP prior to 7.0.7
If your device haven't patch to prevent this vulnerable, this is time to patch now.

Source : Dell SonicWall Security Center

Have a good time.
(Be knowledgeable, pass it on then)
Read more
Labels:

You Might Not Know You Are Still Using SSLv2.0

in - on 8:53 PM - No comments
Netscape Communications invented Secure Sockets Layer (SSL) protocol in 1994. It has been de facto standard for cryptographic protocol since then. Over the years the protocol has evolved (SSLv2.0 -> SSLv3.0 -> TLSv1.0 -> TLSv1.1 -> TLSv1.2) to increase security.
Today, SSLv2.0 no longer provides a sufficiently high level of security. SSLv2.0 deficiencies include the following:
  • Message authentication uses MD5. Most security-aware users have already moved away from any use of MD5.
  • Handshake messages are not protected. This permits a man-in-the-middle to trick the client into picking a weaker cipher suite than it would normally choose.
  • Message integrity and message encryption use the same key, which is a problem if the client and server negotiate a weak encryption algorithm.
  • Sessions can be easily terminated. A man-in-the-middle can easily insert a TCP FIN to close the session, and the peer is unable to determine whether or not it was a legitimate end of the session.
It's been over 20 years since SSLv2.0 was published, and it's been over 5 years since RFC 6176 deprecated SSLv2.0. However many people are still using the protocol, even though they might not be aware of it.
In June 2016, less than 2% of firewalls reported receiving SSLv2.0 Server Hello message:


In June 2016, more than 40% of firewalls reported receiving SSLv2.0 Client Hello message:

SSLv2.0 is insecure and can damage the system. I would like to urges all our customers to review their (client/server) software settings and stop using SSLv2.0 immediately.

Source : Dell SonicWall Security Center

Have a good time.
(Be knowledgeable, pass it on then)
Read more
Labels:

NTP crypto-NAK DoS

in - on 9:15 PM - No comments
ntpd is an implementation of Network Time Protocol which sets and maintains the system time of day synchronized with Internet standard time servers or any local references. Many major servers and devices come with inbuilt ntpd.

NTP works with different variants like client/server, symmetric, and broadcast. Symmetric mode is used for time synchronization between the servers with authentication. It operates with two modes active and passive. Active mode packets are used when connection is already set. If connection is not set, passive mode packets are used to set up short passive connection for authentication. If packet which fails to authenticate is received, it responds with crypto-NAK packet.

While processing incoming packets findpeer() function is called to see if packet is from existing peer. It returns pointer to peer structure or NULL depending upon whether peer is found or not. To check whether packet is crypto-NAK, valid_NAK() function is called. One of the parameters for the function is pointer from findpeer() function. Without checking the pointer for NULL, valid_NAK() tries to access keyid and flags field of peer structure. Which causes NULL pointer dereference.


Remote attacker can send undesired crypto-NAK packet to exploit this vulnerability which can lead to Denial of Service.

So, it is time to update your Security Devices to prevent from this attack if you didn't do so yet.

Source : Dell SonicWall Security Center

Have a good time.
(Be knowledgeable, pass it on then)
Read more
Labels:

Unpatched, critical Flash vulnerability being exploited in the wild

in - on 6:53 PM - No comments
Adobe Flash Player is vulnerable to a critical vulnerability. It is reported to be exploited in the wild. The following CVE identifier has been assigned to this vulenrability:

  CVE-2016-4171

This vulnerability affects Flash Player versions running on Windows, Macintosh, Linux as well as Chrome OS. It is reported that any successful exploitabtion could cause a crash and potentially allow an attacker to take control of the affected system. Although, Adobe reports that the vulnerability is exploited on a limited but targeted basis in the wild.

Adobe is aware of the this vulnerability and expected to release the patch as early as June 16. 

It's time to patch you security devices and Adobe as well if you are not done yet.

Source : SonicWall Security Center

Have a good time.
(Be knowledgeable, pass it on then)
Read more
Labels:

Apache Struts Dynamic Method Invocation Remote Code Execution

in - on 9:01 PM - 2 comments
A remote, unauthenticated vulnerability exists in Apache Struts. The vulnerability allows an attacker to execute arbitrary code on the server with the privileges of the user running the Java Web Container process (e.g. JBoss, Tomcat etc). CVE-2016-3081 is assigned to this vulnerability.
Apache Struts is a MVC (model-view-controller) franework for building Java applications. It uses Java Servlet APIs to expose ActionServlet controller. Any requests coming from a client are sent to the controller in the form of 'actions'. These actions are outlined as a map in a configuration file. Accordingly, the corresponding method is invoked. An interface called ActionMapper is used to provide mapping between the request and the corresponding action. The default implemtation maps to DefaultActionMapper class.
A remote code exection vulnerability exists in Apache Struts 2 framework due to lack of proper santization inside the constructor of DefaultActionMapper. It fails to properly validate the values provided by the attacker. This allows a remote attacker to craft a malicious request to cause the vulnerable server to execute arbitrary code.
The following verions of Apache Struts are vulnerable:
  • Apache Struts 2

So, it is time to update the signature files of your security devices if you haven't done yet.

 Source : Dell SonicWall Security Center

Have a good time.
(Be knowledgeable, pass it on then)
Read more
Labels:

GD Library Buffer Overflow

in - on 6:54 AM - No comments
The GD Graphics Library (libgd) is an open-source graphics software library for dynamically manipulating images. It can create many formats of image files including GIFs, JPEGs, PNGs, and WBMPs. GD is extensively used with PHP, where a modified version supporting additional features is included by default as of PHP 4.3 and may be used in PHP 5.3 as well.
There is a heap buffer overflow vulnerability has been found in GD Library libgd 2.1.1 and prior. The vulnerability exists when a signed integer was claimed to store the size of chunked data, however, an unsigned integer was used for copying. When a negative integer was set to the size variable, the vulnerable codes will overwrite the heap buffer which may cause denial of service or remote code execution under the current user, which may be web application's privileges.
This vulnerability is referred as CVE-2016-3074.
So, it is time to patch you security devices with latest updates.
Have a good time.
(Be knowledgeable, pass it on then)
Read more
Labels:

Microsoft (CVE-2016-0189) and Adobe (CVE-2016-4117) Zero day

in - on 2:34 AM - No comments
Recent zero days discovered in Microsoft scripting engine and Adobe Flash player are being exploited in the wild.
The Microsoft JScript and VBScript engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability" (CVE-2016-0189)
Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors.(CVE-2016-4117)
If you haven't patch your Security Devices, it is time to patch to prevent from these.

Source : Dell SonicWall Security Center

Have a good time.
(Be knowledgeable, pass it on then)
Read more
Labels:

Edge vs Internet Explorer 11

in - on 6:29 AM - No comments
About an year ago Microsoft announced the plan to retire Internet Explorer. The new browser, Microsoft Edge, is now the default browser in Windows 10.

Edge has many security improvements. It does not support legacy technologies such as ActiveX and Browser Helper Objects. The new layout engine, EdgeHTML, is a fork of Trident (the layout engine of Internet Explorer) that has removed all legacy code of older versions of Internet Explorer. EdgeHTML is meant to be fully compatible with the WebKit (the layout engine used by Google Chrome).
Does Edge outperform Internet Explorer form a security perspective? We tried to find some clues here.
Since August 2015, Microsoft has released "Cumulative Security Update for Microsoft Edge" each month. Below is the number of total CVEs related to IE 11 and Edge in last 9 months:
Below is the number of critical CVEs related to IE 11 and Edge in last 9 months:
Over past years Microsoft has lost market share in web browser (source:StatCounter) and we think one of the reasons is that Internet Explorer is more prone to vulnerabilities.
Microsoft is taking right direction on improving security in Edge. We hope Microsoft keeps this effort that one day Edge will become a solid and integrated product.

Source : Dell SonicWall Security Center.

Have a good time.
(Be knowledgeable, pass it on then)
Read more
Labels:

Solving HCL 7.1.59 installation error

in - on 12:04 AM - 4 comments
I was encounter below error message when I tried to install HP Comware simulator (H3C cloud Lab).

"The virtualbox version is lower than the HCL needed."

My PC was installed with Virtualbox Version 5.0.16 and it is latest when I am writing this post.

Below is the resolve method to skip this error.

You just open registry editor and go to HKEY_LOCAL_MACHINE>SOFTWARE>Oracle>Virtualbox.
Then change the Data Value of Version and VersionExt to 4.2.18 and try to reinstall Simulator.
You will see no more error while installing it.
Do not forget to revert to correct version data value in registry value after Simulator installation done.

Have a good time.
(Be knowledgeable, pass it on then)
Read more
Labels:

Jigsaw Ransomware spotted in the wild

in - on 11:00 PM - No comments
The Dell SonicWall Threats Research team has received reports of a new Ransomware Trojan, Jigsaw (named after the fictional character) which encrypts the system files and also deletes them if the payment is not made on time.
Infection cycle:
The Trojan poses as firefox with the following properties:
The Trojan adds the following files to the filesystem:
  • %APPDATA%\Roaming\Frfx\firefox.exe (copy of original) [Detected as GAV: Jigsaw.A (Trojan)]

The Trojan creates the following key to the Windows registry to enable startup after reboot:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""%APPDATA%\Roaming\Frfx\firefox.exe""

It displays the following iconic image and the message while encrypting the files:
It starts countdown and threatens to delete the files mentioned each hour.
The trojan finds the following files on the victim's machine and encrypts them:
It copies the filenames before encrypting at the following location:
It encrypts all the victims files listed above with .fun extension.
When trying to close the ransom window, it displays the following message:
It checks for the payment contacting the C&C server:

It's time to update your security devices to avoid this kind of trojan.
Have  a good time.
(Be knowledgeable, pass it on then)
Read more
Labels:

Badlock: Windows SAM and LSAD Downgrade Vulnerability

in - on 6:07 PM - No comments
An elevation of privilege vulnerability exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols. Microsoft and SAMBA are vulnerable to these attacks. The vulnerability is triggered when these protocols accept authentication levels that do not protect them adequately. It is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel. An attacker who successfully exploited this vulnerability could gain access to the SAM database. To exploit the vulnerability, an attacker could launch a man-in-the-middle (MiTM) attack, force a downgrade of the authentication level of the SAM and LSAD channels, and then impersonate an authenticated user. The attacker can access domain passwords as well. The security update addresses the vulnerability by modifying how the SAM and LSAD remote protocols handle authentication levels.
There are two different CVE identifiers associated with this vulnerability:
  • Microsoft: CVE-2016-0128
  • SAMBA: CVE-2016-2118
In addition to this, the vulnerability has been known by 'badlock'.
Microsoft has two protocols that are vulnerable to this attack:
  • Security Account Manager Remote Protocol(SAMR): This protocol provides management functionality for user account store and for user/group directries.
  • Local Security Authority (LSAD): This protocol provides management functionality for user account store and for user/group directries.
These protocols manintain security account manager database. They are supported by both Windows and Samba and they support all domain profiles.
In addition to these, SAMBA's following protocols are susceptible to this vulnerability:
  • Directory Replication Service Remote Protocol (DRSR): RPC protocol for replication and management of data in Active Directory
  • BackupKey Remote Protocol (BKRP): Encrypts and decrypts sensitive data (such as cryptographic keys)
Please patch your security systems (Gateway or Endpoint) to the latest one to prevent from this vulnerability.

Have a good time.

(Be knowledgeable, pass it on then)
Read more
Labels:

Petya Ransomware encrypts the MBR

in - on 6:28 PM - No comments
The Dell Sonicwall Threat Research team has received reports of yet another ransomware called Petya. Over the past year, Ransomware has proven to be an inceasingly lucrative business for cybercriminals and has become very widespread that victims have resorted to paying to get their data back. Petya is no different, but instead of just encrypting files it overwrites the system's master boot record (MBR) effectively locking the victim out and rendering the machine unusable unless payment is made.
Infection Cycle: 

Upon execution, Petya replaces the boot drive's MBR with a malicious loader which will cause Windows to crash. On reboot, it will display a fake CHKDSK screen. 
 

The victim is then greeted with a flashing skull. 
 

After pressing any key, the instructions on how to pay to get their data back is then displayed. 

 

At this point, the victim is locked out of their machine and renders it useless. Rebooting into safe mode is also not possible. Victims can reformat their computers but will obviously lose all of their data. 

Below are the screenshots from the cybercriminal's well crafted website on the onion network where further instructions are given on how to submit payment in bitcoins. It appears that the group behind Petya Ransomware is calling themselves "Janus Cybercrime Solutions" and are demanding victims to send them 0.95865300 Bitcoins or an equivalent to $395 with the current exchange rate. 

 

FPetya Ransomware Step 2


FPetya Ransomware Step 4

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly. 

 So it is time to check update for your Gateway Security/End point Security now to prevent this threat!

 Source : Dell SonicWall Security Center

 Have a good time.
(Be knowledgeable, pass it on then) 
Read more
Labels:

Microsoft Windows Media arbitrary code execution-CVE-2016-0101

in - on 6:17 PM - No comments

Microsoft Windows operating system provides Windows Media for playing audio, video and viewing images. Remote attacker can entice user to open malicious media file which can lead to remote code execution with security context of user.

Windows Media uses MPEG2 Transport Stream file format to store media and protocol data. Vulnerable dynamic library is MFDS because of boundary error in it. The function MPEG2_PMT_SECTION::Parse() is used to parse descriptors array in Program Map Table (PMT) in packets of MPEG2-TS file. The function calculates the number of descriptor elements according to the Elementary Info Length field, but function does not validate the Elementary Info Length field properly. Attacker can provide large value to this field which may lead to execution of arbitrary code in user context.

Unsuccessful attempts may lead to denial of service.

This vulnerability affects the following products:

  • Microsoft Windows 7
  • Microsoft Windows 8.1
  • Microsoft Windows RT 8.1
  • Microsoft Windows 10
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R
So please update your security device to prevent from this.

Source:Dell SonicWall Security Center

Have a good time.
(Be knowledgeable,pass it on then)
Read more
Labels:

Runouce Trojan with IRC bot spreads via .eml files

in - on 6:27 PM - No comments
A Trojan that spreads via .eml files. The Trojan contains IRC functionality and also has the ability to infect pre-installed system executable files with malicious code:
Infection Cycle:
The Trojan makes the following DNS queries:
On our test system the following files were created:
  • %USERPROFILE%\kuelio.exe
  • %SYSTEM32%\runouce.exe ("runonce" with "n" changed to "u" (patched)) 
  • %SYSTEM32%\runonce.exe (patched)
The following files were also created:
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\enacoimjcgeinfnnnpajinjgmkahmfgb\0.65.0_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\enacoimjcgeinfnnnpajinjgmkahmfgb\0.65.0_0\tabs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\0.54_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\0.54_0\changelogs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\0.54_0\tabs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions
    mmhkkegccagdldgiimedpiccmgmieda\0.1.1.0_0\html\readme.eml
  • %USERPROFILE%\Local Settings\Temp\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\B4ZWX2C9\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\FATM9A7M\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\HE7GL0WO\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\MDJBB39W\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\HTML\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\VS Runtime\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\Smart Tag\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\Stationery\readme.eml
  • %PROGRAMFILES%\Common Files\System\ado\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\1033\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\AccessWeb\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms3\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms4\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms5\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Stationery\1033\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Templates\12\MseNewFileItems\readme.eml
  • %PROGRAMFILES%\NetMeeting\readme.eml
  • %PROGRAMFILES%\WinRAR\readme.eml
  • %PROGRAMFILES%\Wireshark\readme.eml
The Trojan writes the following keys to the registry to enable continued infection activity after reboot:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kuelio "%USERPROFILE%\kuelio.exe /y"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Runouce "%SYSTEM32%\runouce.exe"
If there are shared folders or external drives attached the following file will be written to it:
The Trojan disables the ability to kill kuelio.exe.
NOTHING-6A527FE.eml and readme.eml are email files that contain an attachment called pp.exe :
The Trojan infects %SYSTEM32%\runonce.exe with additional malicious code. It modifies the PE section headers to extend the rsrc section and inject code. It then changes the OEP (entrypoint) so that the infected executable runs the malicious code first:
The Trojan joins an IRC server hosted at ircd.zief.pl and awaits further instructions:

So, please update your gateway security and/or endpoint security to prevent from this Trojan.

Source: Dell SonicWall Security Center

Have a good time.
(Be knowledgeable, pass it on then)
Read more
Labels:

Preventing DROWN Attack

in - on 12:33 AM - No comments
On March 1st 2016, OpenSSL released patches that disable the SSLv2 protocol by default, as well as removing SSLv2 EXPORT ciphers.

A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle.
Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server.
This vulnerability is known as DROWN.

The vulnerability is referred by CVE as CVE-2016-0800. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800)

So, please patch your system to prevent this attack if you are not done yet.

Have a good time.
(Be knowledgeable, pass it on then)Type your summary here. Type the rest of your post here.
Read more
Labels:

Oracle Application Testing Suite Directory Traversal Vulnerability

in - on 7:19 PM - No comments
A Directory Traversal Vulnerability was identified in Oracle Enterprise Manager Application Testing Suite. The vulnerability can be exploited over the HTTP protocol. A remote, unauthenticated attacker can exploit this vulnerability to download arbitrary files from the target server.

This vulnerability affects the following supported versions:

- Oracle Application Testing Suite 12.4.0.2
- Oracle Application Testing Suite 12.5.0.2

The vulnerability has been patched by the vendor, please find the details here. (http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html)

This vulnerability is referred by CVE as CVE-2016-0484.

It is time to patch you Security Device to prevent this.

Have a good time.
(Be knowledgeable, pass it on then)
Read more
Labels:

Microsoft NPS RADIUS DoS

in - on 5:33 PM - No comments
Remote Authentication Dial In User Service (RADIUS), a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) services to connect network resources. Attacker can use crafted username which could lead to Denial of Service.

To Authenticate and Authorize users, RADIUS server connects to Domain controller. Active Directory is queried for username upon incoming access request message. This involves establishing LDAP connection and passing LDAP query. LDAP filter tests the username for predefined special characters and normalize them except NUL character. If username string starts with NUL character it causes Active Directory Domain Controller server to return an error value. Multiple invalid requests cause RADIUS server to disassociated from Active Directory Domain controller. Causing Denial of further requests.

So if you aware on this and haven't patch you IPS signature yet? Please update it quickly to prevent your network.

Source : Dell SonicWALL Security Center
Read more
Labels: