Remote Code Execution Vulnerability Detected in Microsoft Windows

The vulnerability tally in Microsoft Windows continues to grow, and this one is of the Remote Code Execution (RCE) variety. Known as the OpenType Font Driver vulnerability, it exists because the Windows Adobe Type Manager Library (ATMFD.dll) fails to properly handle specially crafted OpenType fonts.

Unauthenticated attackers can exploit this vulnerability either by convincing users to open specially crafted documents or by persuading them to visit an untrusted web page that contains embedded OpenType fonts. Because the font driver is a kernel-mode component, successful exploitation gives the attacker complete control of the affected system. Microsoft has issued a security bulletin regarding this vulnerability at https://technet.microsoft.com/en-us/library/security/ms15-078.aspx.

The following software versions are affected by this vulnerability:

  • Microsoft Windows Server 2012 R2 (Server Core installation)
  • Microsoft Windows Server 2012 (Server Core installation)
  • Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Microsoft Windows 7 for x64-based Systems Service Pack 1
  • Microsoft Windows 7 for 32-bit Systems Service Pack 1
  • Microsoft Windows 8.1 for x64-based Systems
  • Microsoft Windows 8.1 for 32-bit Systems
  • Microsoft Windows 8 for x64-based Systems
  • Microsoft Windows 8 for 32-bit Systems
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows RT 8.1
  • Microsoft Windows Server 2012
  • Microsoft Windows RT
  • Microsoft Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Microsoft Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Microsoft Windows Server 2008 for x64-based Systems Service Pack 2
  • Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2
  • Microsoft Windows Vista x64 Edition Service Pack 2
  • Microsoft Windows Vista Service Pack 2

Severity Details:

The severity classification of this vulnerability is HIGH (6).

The following factors were taken into consideration to determine its severity rating:

  • This vulnerability can be exploited only if the attacker can lure a victim to perform an unwanted action.
  • The assets affected by this vulnerability are estimated to be of MEDIUM value.
  • The vendor is a major enterprise software/equipment vendor.
  • The software is broadly deployed in enterprise environments.
  • The software affected by this vulnerability is very broadly deployed.
  • The vulnerability, if exploited, enables arbitrary code execution. Note that the bulletin describes complete control of the affected system (the font driver runs in kernel mode), which is more than the non-privileged code execution this factor assumes and more than the partial-impact CVSS vector below reflects.
  • This is a client-side compromise: the victim must open a document or visit a page.
  • The technical details for this vulnerability are publicly available.

CVSS Scoring

  • CVSS Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
  • CVSS Temporal Score: 4.3 (E:U/RL:OF/RC:C)

Know more about Cyberoam network solutions at http://www.cyberoam.com/ and for similar security alerts subscribe to Cyberoam Blogs.

References

https://technet.microsoft.com/en-us/library/security/ms15-078.aspx

Cyberoam products are secure against OpenSSL vulnerability "CVE-2015-1793"

Having issued a high-severity advisory on July 9 for a vulnerability that allows certificate forgery, the OpenSSL team had businesses and IT product vendors around the world feeling a chill down their spines. Since Heartbleed, OpenSSL bugs have gained notoriety because they bring back the spectre of TLS/SSL compromise and the damage that does to the online ecosystem. Labelled "Alternative chains certificate forgery" in the OpenSSL security advisory, the issue is rated high severity and affects OpenSSL 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

Cyberoam customers are secure

Cyberoam customers need not fret: all Cyberoam products are unaffected by the vulnerability, as none of them depends on the affected OpenSSL versions.

What makes this vulnerability severe?

This vulnerability affects any application that verifies certificates, including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers that use client authentication. Because it lets an untrusted certificate bypass the checks that normally confine certificate issuance to Certificate Authorities, an attacker holding any valid leaf certificate can mint certificates for arbitrary names and use them to impersonate DNS servers, gateway routers or legitimate websites in a man-in-the-middle (MITM) attack. As the OpenSSL advisory states, "During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate."
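To make the alternative-chain logic concrete, here is a simplified model of the path building and the CA-flag check in Python. It is an added example, not OpenSSL's code: certificates are represented by names and a CA flag only, signature verification is omitted, and the bug is reduced to the accounting error that left the non-CA leaf outside the set of certificates whose extensions are checked. The constructed PKI follows the layout of OpenSSL's regression test for this issue (a self-signed copy of the sub-CA in the trust store, the real root absent); the names are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Toy certificate: names and the basicConstraints CA flag only (no keys)."""
    subject: str
    issuer: str
    is_ca: bool

    def self_signed(self):
        return self.subject == self.issuer


def find_issuer(cert, pool):
    # Issuer lookup by name only; signature checks are omitted in this model.
    # In the real attack the attacker controls the keys that make them pass.
    return next((c for c in pool if c.subject == cert.issuer), None)


def extend(chain, pool):
    """Append issuers from `pool` until a self-signed cert or a dead end."""
    while not chain[-1].self_signed():
        nxt = find_issuer(chain[-1], pool)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)


def anchored(chain, trust_store):
    return chain[-1].self_signed() and chain[-1] in trust_store


def verify(target, untrusted, trust_store, fixed=True):
    """Return (ok, reason, chain); fixed=False reproduces the accounting bug."""
    chain = [target]
    extend(chain, untrusted)            # 1. walk the peer-supplied certificates
    last_untrusted = len(chain)         #    these must all pass the extension checks
    extend(chain, trust_store)          # 2. continue into the trust store
    if not anchored(chain, trust_store):
        # 3. no anchor: try an alternative chain by asking the trust store for an
        #    issuer of each untrusted cert (top-down) and cutting the chain there
        for j in range(last_untrusted - 1, 0, -1):
            if find_issuer(chain[j - 1], trust_store) is not None:
                popped = len(chain) - j
                del chain[j:]
                if fixed:
                    last_untrusted = len(chain)   # recount from the shortened chain
                else:
                    last_untrusted -= popped      # bug: trusted certs were popped too,
                                                  # so the count ends up too small
                extend(chain, trust_store)
                break
    if not anchored(chain, trust_store):
        return False, "no trust anchor", chain
    # 4. extension checks cover only the untrusted part; trusted certs are assumed vetted
    for i in range(1, last_untrusted):
        if not chain[i].is_ca:
            return False, f"{chain[i].subject} is not a CA", chain
    return True, "ok", chain


# Constructed PKI (an assumption for the example), laid out like OpenSSL's
# regression test for this issue: the real root is absent from the trust store,
# but a self-signed copy of subinterCA with the same name is installed.
root = Cert("rootCA", "rootCA", True)
inter = Cert("interCA", "rootCA", True)
subinter = Cert("subinterCA", "interCA", True)
subinter_ss = Cert("subinterCA", "subinterCA", True)
leaf = Cert("leaf", "subinterCA", False)     # an ordinary end-entity certificate
bad = Cert("bad", "leaf", False)             # forged: "issued" by the non-CA leaf

TRUST_STORE = [inter, subinter_ss]
UNTRUSTED = [leaf, subinter]                 # sent by the attacker alongside `bad`

if __name__ == "__main__":
    print("vulnerable:", verify(bad, UNTRUSTED, TRUST_STORE, fixed=False)[:2])
    print("fixed:     ", verify(bad, UNTRUSTED, TRUST_STORE, fixed=True)[:2])
```

With `fixed=False` the forged certificate verifies because `leaf` is counted as part of the trusted tail and its missing CA flag is never examined; with `fixed=True` the recount places `leaf` back in the untrusted part and verification fails on it. An ordinary chain (server certificate, intermediate, installed root) passes in both modes.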

Offering quick respite, OpenSSL has advised affected users to upgrade: 1.0.2b and 1.0.2c users to 1.0.2d, and 1.0.1n and 1.0.1o users to 1.0.1p.

Reiterating the good news for Cyberoam customers, there’s no threat to Cyberoam security appliances, since no Cyberoam product uses the affected version of OpenSSL.

Trojan.Win32.Qudamah.Gen.24 Targets the Windows Platform

The Windows platform is in the firing line of Trojan.Win32.Qudamah.Gen.24. This backdoor contacts a remote server, identifies itself and accepts commands from it. Once commanded by the attacker, the malware can gather system information, execute arbitrary files, delete files, steal file contents, upload files to the remote server, take screenshots and list running processes, among other things.

FILE Details:

File name: zender1.exe
md5sum: 40f42b2e11e29d34f625da992cd545cf
SHA256: cdf001b739fa63cefd313dee6edb97b11adae698ded28c08c23bb93c11e1faa9

To handle the sample safely, transfer it to an isolated Linux virtual machine (for example by uploading it to OneDrive and downloading it inside the VM); on a Windows host an accidental double-click would execute it. When CTRL (Cyberoam Threat Research Labs) uploaded the file to virustotal.com, only 8% of the antivirus engines listed on VirusTotal detected it.

img1

When the EXE is executed, it issues DNS queries for the mail exchanger (MX) records of various domains.

What are the various types of DNS records?

Five record types are relevant to understanding this traffic:

A records

Address (A) records map a hostname to a numerical IP address. For example, if mycomputer.yourdomain.com should point to a machine whose address is 192.168.0.3, the zone entry looks like:

mycomputer.yourdomain.com. A 192.168.0.3

(Important: the trailing period after the hostname marks it as fully qualified. Do not put periods after IP addresses.)

CNAME records

A CNAME (canonical name) record makes one hostname an alias for another. The target should always have an A record first; that name is the canonical or official name. For example:

yourdomain.com. A 192.168.0.1

Using CNAME, one can point other hostnames to the canonical (A record) address. For example:

ftp.yourdomain.com. CNAME yourdomain.com.
mail.yourdomain.com. CNAME yourdomain.com.
ssh.yourdomain.com. CNAME yourdomain.com.

CNAME records make it possible to reach your server as ftp.yourdomain.com, mail.yourdomain.com, and so on. Without a proper CNAME (or A) record for such a name, clients cannot connect to your server using it.

NS records

NS records specify the authoritative nameservers for the domain.

(Important: changing NS records can make your site unreachable. There is generally no need to change them.)

Entering an NS record

First remove the old NS records, then enter the two new nameserver records. Make sure the nameserver hostname is followed by a period, for example:

yourdomain.com. NS ns1.slamdot.com.

Always put a period after the nameserver hostname in an NS record (ns1.slamdot.com. and not ns1.slamdot.com); without it the name is treated as relative to the zone and the zone's origin is appended.

MX records

Mail exchanger (MX) records name the servers that accept mail for the domain. Hosted e-mail services such as everyone.net require MX changes so that mail destined for your domain is directed to their servers. Note that changing MX records will stop your current POP3 accounts, forwarders, autoresponders and mailing lists from receiving mail, since it will no longer be delivered to the old server.

PTR records

Pointer (PTR) records are used for reverse lookups: they map an IP address (under the in-addr.arpa zone) back to a hostname.
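As an added illustration (not part of the original post), the following Python encodes and decodes the question section of a DNS query for the record types above, and then flags clients whose MX-lookup pattern matches what this sample does: a workstation resolving MX records for many domains in quick succession. The resolver log lines are constructed for the example, the threshold and time window are assumptions, and the sample's real query targets are not reproduced.

```python
import struct
from collections import defaultdict

# RR type codes (RFC 1035) for the record types described above
RR_TYPE = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15}
TYPE_NAME = {v: k for k, v in RR_TYPE.items()}


def build_query(qname, qtype, txid=0x1234):
    """Encode a minimal DNS query (12-byte header + one question) in wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", RR_TYPE[qtype], 1)  # QCLASS IN


def parse_query(pkt):
    """Decode the question section; returns (fqdn with trailing dot, type name)."""
    if struct.unpack(">H", pkt[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:  # a plain question name never uses compression pointers
            raise ValueError("unexpected label pointer")
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    qtype = struct.unpack(">H", pkt[pos:pos + 2])[0]
    return ".".join(labels) + ".", TYPE_NAME.get(qtype, str(qtype))


# Constructed resolver log: (epoch seconds, client, qname, qtype).  A normal
# workstation resolves A/CNAME records, the mail relay does an occasional MX
# lookup, and 192.168.1.23 behaves like the sample described above.
SAMPLE_EVENTS = [
    (1437400000, "192.168.1.10", "www.example.com.", "A"),
    (1437400001, "192.168.1.10", "cdn.example.net.", "CNAME"),
    (1437400002, "192.168.1.5", "example.org.", "MX"),
    (1437400900, "192.168.1.5", "example.com.", "MX"),
    (1437400003, "192.168.1.23", "gmail.com.", "MX"),
    (1437400003, "192.168.1.23", "yahoo.com.", "MX"),
    (1437400004, "192.168.1.23", "hotmail.com.", "MX"),
    (1437400004, "192.168.1.23", "aol.com.", "MX"),
    (1437400005, "192.168.1.23", "gmx.net.", "MX"),
    (1437400006, "192.168.1.23", "mail.ru.", "MX"),
    (1437400006, "192.168.1.23", "gmail.com.", "MX"),  # repeat, not a new domain
]


def flag_mx_bursts(events, threshold=5, window=60):
    """Return {client: distinct MX domains} for clients that looked up MX records
    for at least `threshold` distinct domains within some `window`-second span.
    End hosts have no reason to query MX records; mail servers do."""
    per_client = defaultdict(list)
    for ts, client, qname, qtype in sorted(events):
        if qtype == "MX":
            per_client[client].append((ts, qname.lower()))
    flagged = {}
    for client, lookups in per_client.items():
        for i, (t0, _) in enumerate(lookups):
            domains = {q for t, q in lookups[i:] if t - t0 <= window}
            if len(domains) >= threshold:
                flagged[client] = max(flagged.get(client, 0), len(domains))
    return flagged


if __name__ == "__main__":
    print(parse_query(build_query("gmail.com", "MX")))
    print(flag_mx_bursts(SAMPLE_EVENTS))
```

Feeding real resolver or firewall DNS logs into `flag_mx_bursts` (after mapping them to the tuple layout above) gives a cheap way to spot infected workstations that are trying to deliver mail directly, independent of any binary signature; exclude known mail servers from the input or they will be flagged on busy days.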

Upon execution, the malware sends multiple DNS MX record requests (shown in the screen captures below). An end-user workstation has no reason to look up MX records, which is a mail server's job, so this pattern alone is a useful indicator:

img1

img1

It then attempts to send a fake e-mail directly to the mail exchangers it resolved (shown in the screen captures below):

img1

img1

img1

As the screen capture below shows, uploading the binary to Cuckoo Sandbox gives some surprising results:

img1

Cyberoam Threat Research Labs is currently studying this malware and will announce a remedial solution soon. Cyberoam Intrusion Prevention System shields the network from malicious runtime connections by matching network traffic against the signatures in the IPS Signature Database. These signatures are developed to significantly increase detection performance and reduce false alarms. Know more about Cyberoam network solutions at www.cyberoam.com. For similar security alerts subscribe to Cyberoam Blogs.

Third Party Vendors – The Weak Links in Network Security

“Your cybersecurity is only as good or bad as that of your vendors.”

By 2019, the cyber security market will be worth a mammoth $155.74 billion. The market for next generation security appliances like firewalls could be worth between $15 billion to $20 billion over the next three years. These big numbers reflect the dawning realization on businesses about the need to fortify their mission critical systems from cyber threats. The cost of recovery from cyber fraud or data breaches is going up every year. According to Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis, the average cost to company of recovering from such security breaches was $3.5 million; this is an increase of 15% from the previous year.

This is big money.

Businesses cannot afford to take cyber security lightly and, to be fair, they aren't. Organizations are getting serious about data and network security. There is a very perceptible focus on implementing IT security strategies and solutions; spending on security technologies is set to increase by 46% in 2015.

The availability of NGFWs and advanced UTMs has revolutionized network security as we know it. The deeper network security and application control that such appliances deliver is helping organizations combat ever evolving security threats.

But here’s a question for you – Does deploying high end security appliances with advanced detection and protection capabilities guarantee zero data breaches? Will it assure a complete clamp down on cyber theft and ingress of threat actors?

Unfortunately, the answer is no. Surprised! Don’t be. The sanctity of your data and security of your network is not just dependent on the nature of your security policies and deployment of future ready security appliances.

Think about it for a second. Your network might not be directly attacked by threat actors. If they find your perimeter security difficult to break into, they will not give up. Their next step will be to conduct a reconnaissance to identify an initial point of penetration into your network.

Third Party Vendors – Your Unlatched Backdoor

Third party vendors are turning out to be unlatched backdoors through which hackers gain entry even into well-protected IT networks. There are increasing incidents of attackers using third party vendors to compromise organizations, infiltrate their networks and gain access to sensitive information. According to research by the security ratings company BitSight Technologies, almost a third of breaches in the retail sector originated with a security breach at a third party vendor.

The problem is so serious that the New York State Department of Financial Services released a report focusing on potential cyber security vulnerabilities with banks’ third party vendors. The survey makes a clear case for proactively monitoring key threat vectors from third party vendors.

Think of your third party vendors as the weak links in your organization’s network security chain. There is a tendency amongst organizations to say they aren’t concerned with the security vulnerabilities of their third party vendors, but it is this apathy that can expose your network to vulnerabilities. It’s important to see such vendors as an extension of your enterprise; this allows you to insist they meet the same standard of security compliance as does your organization.

This is important because as a first party you cannot disown liability for the cyber security missteps of your third party vendor. You are as liable for third party cyber security missteps as you will be for your own errors.

A case in point is Target, which will wind up paying around $252 million in expenses related to a breach resulting from hackers stealing network credentials from a third party vendor.

Finding Solutions

Can you wait for your vendors to realize on their own that their security practices are found wanting? Or do you think pure blind luck will carry the day and ensure a third party vendor never causes you security grief? If you are serious about securing your network and leaving nothing to chance, you cannot depend on providence. You must take proactive steps to ensure that security black holes at your vendors' end don't suck you in, and guard against oversight on your own side.

You must take preventive steps that will help you stop hackers from piggybacking on a security glitch at a third party vendor’s end, and breaching your network.

Here’s what you must do:

• Plan for Third Party Data Vulnerabilities

What if, in spite of your best efforts, you are still hit by a cyber-attack courtesy of your third party vendor? If you don't have a plan to manage such third party incidents, you'll end up answering them with a knee-jerk reaction, and such answers are not sustainable over the long term. What you need is a well-planned incident response policy. You must not only implement this plan but test it periodically to ensure its threat prevention and detection capabilities keep step with the evolving cyber-attack landscape.

A key element of a mature and future proofed incident response plan is drawing up concrete SLAs with vendors that do two very important things:

  • If notified of security vulnerabilities in their organization, they must guarantee to provide a fix.
  • If the vendor discovers a security compromise, it must be reported to your organization.

Establish a ‘security hot line’ with the vendor that clearly communicates security lacunae in vendor organizations, so that these can be fixed quickly.

• Due Diligence Before Signing them On:

Before you get third parties onboard, thoroughly research their credentials. Get a clear idea about their reputation on the market and ask for verifiable references that prove the vendor’s commitment towards cyber security. Investigate the vendor’s network security antecedents, IT security policy and its implementation to make sure you are comfortable with their privacy and security ecosystem.

The amount of due diligence you conduct should be directly proportional to task sensitivity. The more sensitive the task of the third party vendor, the more diligently you must pursue your investigation.

• Identify Points of Sensitive Convergence

Map vendor responsibilities vis-à-vis your organization. This will help identify points of convergence where a vendor’s system needs to access and/or interact with sensitive client information. Such points of contact must be clearly documented. Also find out if this interaction comes under the purview of any industry regulation your organization must adhere to.

The critical nature of the job the vendor is doing must be conveyed to them, along with the adverse impact of not securing the access and interaction points. You could even work out liabilities with the third party by identifying the risks it brings to the table courtesy of any missteps in its network security.

• Bolster Your Internal Security

Like it or not, you might not be able to impress upon third parties the need to address network security vulnerabilities in their organizations. As an enterprise organization that works with and stores sensitive client information, you cannot be ambiguous about securing your data and networks. This is why you must do everything possible to put in place data safeguards. Make sure the NGFW you’ve deployed offers you Deep Packet Inspection, complete visibility and controls over your users and applications, an effective IPS (Intrusion Prevention System), and powerful reporting, among other things.

Something else you must do is ensure users in the network don’t ignore data breach warnings. At the first sign of trouble, threat response should kick into gear. This cannot happen if you do not sensitize users on the importance of network security and what it means for the organization.

Third party vendors will be your weakest links only if you allow them to be. The key is to take responsibility for their network as well as yours.

Moose might mess up your Home Router!


A new malware family has been spotted infecting home routers and modems running on MIPS and ARM architectures. It specifically targets Linux-based consumer devices and spreads by infecting other Linux-based embedded systems it can reach. Compromised devices are used to sniff unencrypted traffic and to provide proxy services to the botnet operator.

Key Capabilities of the Moose Malware

  • The malware specifically targets home routers.
  • It can sniff traffic and send the captured packets to a remote C&C. Any device whose traffic passes through the infected router or modem can be sniffed.
  • It runs SOCKS and HTTP proxy services that accept connections only from a hardcoded list of IP addresses.
  • Based on ESET's research, the proxies appear to be used for social-network fraud.
  • Unlike other malware for home routers, it can also perform DNS hijacking, which opens the way for further attacks such as phishing and man-in-the-middle.

Infection Vector

Unlike much other malware, this one does not exploit any vulnerability to spread. It has no persistence mechanism, and it does not provide a generic backdoor shell to anyone other than the hardcoded operator addresses. Instead, it spreads by finding routers with weak credentials: it logs in over Telnet using a list of common usernames and passwords. This is a worry for home users who have never set a strong administrator password on their router. The scope and prevalence of the malware are still unknown; ESET explains in its research report:

“There is no peer-to-peer protocol, [the malware] uses a hardcoded IP address instead of DNS for C&C, and even though the backdoor is listening on the Internet on port 10073 to offer its proxy service, only IP addresses in a whitelist are allowed to connect. Another reason for our lack of success is the lack of security tools ecosystems (like Anti-Virus) on embedded systems. Finally, the hosting providers where the C&C are located were reluctant to cooperate, which didn’t help.”

Cyberoam Threat Research Labs is currently studying this malware and will announce a remedial solution soon.

Backdoor.MSIL.Kazybot Enters Windows

The Windows platform is in the crosshairs of Backdoor.MSIL.Kazybot. This bot agent and backdoor contacts remote servers, identifies itself and sends system information to the remote server. After receiving its instructions, the bot is known to perform several malicious activities such as launching DoS attacks on specified targets, picking up clipboard data, downloading files and executing shell commands.

FILE Details:

File name: setup_530.exe
sha1sum (the value is 40 hex digits, so it is a SHA-1 rather than an MD5): 5148911d0281375e86f4201352bf473f04ffcfb4
SHA256: 04d36471db5668cc7972a3c986c46a5da8420d94186e138d134f7fa381e76e45

To handle the sample safely, transfer it to an isolated Linux virtual machine (for example by uploading it to OneDrive and downloading it inside the VM); on a Windows host an accidental double-click would execute it. When the CTRL (Cyberoam Threat Research Labs) team uploaded the file to virustotal.com, 31% of the antivirus engines listed on VirusTotal detected it.

img1

When the EXE is executed it determines an install location (shown in the figure), then contacts a remote server, identifies itself with that installation and sends system information. From then on it receives instructions to perform various malicious activities.

img1

Although this malware can create a file in the Startup folder or add a Run registry key to survive reboots, that functionality is disabled in this variant. The malware is designed to collect and send system information to a remote server and then receive control commands, which include running a command shell, downloading and executing files, terminating, resuming and suspending processes, capturing screenshots and webcam pictures and performing DoS attacks, among others. Given these capabilities it is safe to consider this malware of high severity.

Initially it sends a notification message to the server via a POST request. It then sends GET requests to download an ".ini" configuration file from the malicious host tjkaola.sulang.com.

img1

img1

img1

As the screen capture shows, uploading the binary to Cuckoo Sandbox gives some surprising results.

img1

Remote Detection

Signature Type: Runtime
Transport protocol: TCP
Application protocol: HTTP

The following checks need to be performed on the HTTP traffic:
- Transport Port: 80
- Malware Location: CLIENT
- Request Method: POST
- Request Path: /conf.php
- check for second request: GET /conf/kaola34conf1.ini
- check for third request: GET /install_save.php?

Request Body:
# Start="BODYSTART" pattern="&time=" offset="0" depth="40"
# Start="LASTMATCH" pattern="&mac=" offset="0" depth="40"
# Start="LASTMATCH" pattern="&ip=" offset="0" depth="50"
# Start="LASTMATCH" pattern="HWID=" offset="7" depth="64"
# Start="LASTMATCH" pattern="PROCESSOR=" offset="0" depth="48"
# Start="LASTMATCH" pattern="RIGHTS=" offset="0" depth="64"
# Start="LASTMATCH" pattern="&hash=" offset="0" depth="60"
# Start="LASTMATCH" pattern="MEMORY=" offset="0" depth="28"
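The rule chain above can be evaluated directly. The Python below is an added example, not Cyberoam's signature engine: it assumes Snort-style content-match semantics for Start/offset/depth (BODYSTART searches from the first byte of the body, LASTMATCH from the end of the previous match; offset skips that many bytes before the search and depth bounds how far it may look) and runs the chain over a constructed beacon laid out in the field order the signature expects. The host name is the one named above; all field values are made up.

```python
# Rule chain from the signature above as (start, pattern, offset, depth).
# Semantics assumed here (Snort-style): BODYSTART searches from body byte 0,
# LASTMATCH from the end of the previous match; `offset` skips bytes before the
# search begins and `depth` limits how many bytes are searched.
KAZYBOT_BODY_RULES = [
    ("BODYSTART", b"&time=",     0, 40),
    ("LASTMATCH", b"&mac=",      0, 40),
    ("LASTMATCH", b"&ip=",       0, 50),
    ("LASTMATCH", b"HWID=",      7, 64),
    ("LASTMATCH", b"PROCESSOR=", 0, 48),
    ("LASTMATCH", b"RIGHTS=",    0, 64),
    ("LASTMATCH", b"&hash=",     0, 60),
    ("LASTMATCH", b"MEMORY=",    0, 28),
]


def match_chain(body, rules):
    """Apply the ordered rules; True only if every pattern is found in its window."""
    last = 0
    for start, pattern, offset, depth in rules:
        base = 0 if start == "BODYSTART" else last
        begin = base + offset
        window = body[begin:begin + depth]
        idx = window.find(pattern)
        if idx < 0:
            return False
        last = begin + idx + len(pattern)   # next LASTMATCH rule starts here
    return True


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def is_kazybot_beacon(raw):
    """The first (POST /conf.php) check of the signature plus the body rule chain."""
    method, path, _headers, body = parse_request(raw)
    return method == b"POST" and path == b"/conf.php" and match_chain(body, KAZYBOT_BODY_RULES)


# Constructed beacon body in the field order the signature expects (not a capture).
SAMPLE_BODY = (
    b"id=KZ001&time=1437400000&mac=00-11-22-33-44-55&ip=192.168.1.23"
    b"&HWID=ABCDEF0123456789&PROCESSOR=x86&RIGHTS=Admin&hash=9f86d081&MEMORY=2048"
)
SAMPLE_BEACON = (
    b"POST /conf.php HTTP/1.1\r\n"
    b"Host: tjkaola.sulang.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)
) + SAMPLE_BODY

if __name__ == "__main__":
    print("beacon matches:", is_kazybot_beacon(SAMPLE_BEACON))
    print("benign form post matches:",
          is_kazybot_beacon(b"POST /conf.php HTTP/1.1\r\nHost: x\r\n\r\nuser=a&time=1&pass=b"))
```

Because every LASTMATCH window is anchored to the previous hit, the chain enforces both the order and the spacing of the fields; a form that merely contains the same keywords in another order does not match, which is what keeps the false-alarm rate down.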

Cyberoam Threat Research Labs is currently studying this malware and will announce a remedial solution soon.

SSL/TLS protocols hit by LogJam Vulnerability

SSL/TLS is an ungainly spectacle yet again. Researchers at the University of Michigan and the French research institute Inria, among others, have unveiled a hidden weakness in the key exchange used to secure Internet communication. It is a major flaw: more than 8 percent of the Alexa top one million HTTPS domains were found to be vulnerable, raising questions about the methods used to keep user information safe on the Internet.

The vulnerability lies in the way browsers negotiate a session with web or mail servers. Browsers rely on SSL/TLS to create an encrypted connection, and the first stage of that handshake is a key exchange that agrees on the session key. A key is a long series of hard-to-guess numbers that turns plaintext into ciphertext before it is sent; in theory only someone holding the correct key can decode it. It is well known that 512-bit keys can be broken cheaply. With LogJam, an attacker in the path can downgrade a connection to 512-bit "export-grade" Diffie-Hellman parameters without the browser noticing that the exchange has been tampered with, and then recover the session key. Worse, because most servers use a handful of well-known 512-bit primes, the expensive part of the discrete-logarithm computation can be done once per prime and reused against every connection that uses it.

Websites, mail servers and other services that rely on TLS and support DHE_EXPORT cipher suites are vulnerable. Although proof-of-concept attacks have been published, LogJam is not easy for threat actors to exploit: the attacker must sit in the network path between client and server (a man-in-the-middle position), which greatly limits its viability.

Accordingly, there are no reports of attacks based on this vulnerability in the wild. The researchers nevertheless argue that a nation-state such as the NSA could afford the precomputation needed to break the commonly used 1024-bit Diffie-Hellman groups, which would explain reported capabilities against VPN traffic. The underlying weakness, export-grade cryptography mandated by 1990s US export rules, has been around for more than two decades. Google, Mozilla and Microsoft are releasing patches, and users are advised to keep their browsers updated.

LogJam is closely related to the previously reported FREAK vulnerability (CVE-2015-0204), which abused RSA_EXPORT suites in the same way. The FREAK patches do not by themselves fix LogJam, which concerns DHE_EXPORT, but the signature Cyberoam Threat Research Labs released for FREAK detects export cipher suites in general and therefore also flags LogJam-vulnerable traffic:

Signature Name: SSL Request Export Ciphersuite Detection
Usage: To detect Export Ciphersuite being used on TLS communication
Default action: ALLOW (only to detect Export Ciphersuite)

This signature allows administrators to identify unpatched client applications (for example, outdated browser versions) that still offer export-grade cipher suites. It also identifies servers that accept them; these suites use 512-bit RSA or Diffie-Hellman parameters, the ones known to be "easily breakable".

Administrators of web or mail servers are advised to disable support for export-grade cipher suites and to generate a unique 2048-bit Diffie-Hellman group rather than relying on a shared default. Where SSH is in use, both server and client should be updated to the most recent OpenSSH version, which prefers elliptic-curve Diffie-Hellman key exchange. Developers and sysadmins should further update their TLS libraries and ensure that Diffie-Hellman groups smaller than 1024 bits are rejected.
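The detection and the server-side check described above, as an added Python example (not Cyberoam's signature and not the researchers' tooling): it parses the cipher-suite list out of a ClientHello record and reports any export-grade suites, and it reads the prime out of a DHE ServerKeyExchange so that groups below 1024 bits can be rejected. The ClientHello and the ServerDHParams blobs are constructed in the code; the 512-bit value is not a real prime, only a number of the right length.

```python
import struct

# Export-grade cipher suites from the TLS registry (RFC 2246, Appendix A.5).
# The DHE_EXPORT ones (0x0011, 0x0014) are the LogJam downgrade targets.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def make_client_hello(suites):
    """Constructed TLS 1.2 ClientHello record offering `suites` (no extensions)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"              # version, fixed 'random', empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                         # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello = 1
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # ContentType handshake = 22


def client_hello_suites(record):
    """Cipher suites offered in a ClientHello record, in the client's preference order."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                      # record header, handshake header, version, random
    pos += 1 + record[pos]                    # session_id
    count = struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack(">H", record[i:i + 2])[0] for i in range(pos, pos + count, 2)]


def export_suites_offered(record):
    """Names of export-grade suites in the ClientHello; any hit means an unpatched client."""
    return [EXPORT_SUITES[s] for s in client_hello_suites(record) if s in EXPORT_SUITES]


def dh_prime_bits(server_dh_params):
    """ServerDHParams (RFC 5246 7.4.3): dh_p<1..2^16-1>, dh_g, dh_Ys. Only p is needed."""
    p_len = struct.unpack(">H", server_dh_params[:2])[0]
    return int.from_bytes(server_dh_params[2:2 + p_len], "big").bit_length()


def dh_group_acceptable(server_dh_params, min_bits=1024):
    """Reject groups below min_bits, the floor recommended for DHE after LogJam."""
    return dh_prime_bits(server_dh_params) >= min_bits


def _params(p_bits):
    # Constructed ServerDHParams with a p of exactly p_bits bits; not a real prime.
    p = (1 << (p_bits - 1)) | 1
    p_bytes = p.to_bytes(p_bits // 8, "big")
    g, ys = b"\x02", b"\x05"
    return (struct.pack(">H", len(p_bytes)) + p_bytes
            + struct.pack(">H", len(g)) + g + struct.pack(">H", len(ys)) + ys)


EXPORT_DH_PARAMS = _params(512)
STRONG_DH_PARAMS = _params(2048)

if __name__ == "__main__":
    hello = make_client_hello([0x002F, 0x0014, 0x0003])
    print("export suites offered:", export_suites_offered(hello))
    print("512-bit group acceptable:", dh_group_acceptable(EXPORT_DH_PARAMS))
```

`client_hello_suites` is the client-side half of the signature: a browser that still lists a DHE_EXPORT suite can be downgraded regardless of what the server prefers. `dh_group_acceptable` is the check a TLS library or an inspecting proxy applies to the server's ServerKeyExchange; the 1024-bit floor is the figure given above, and 2048 bits is the size servers are told to generate.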


References:

https://nakedsecurity.sophos.com/2015/05/21/anatomy-of-a-logjam-another-tls-vulnerability-and-what-to-do-about-it/
https://tools.keycdn.com/logjam
https://weakdh.org/

A lethal variant of Win32/AutoRun.IRCBot detected in the wild

Cyberoam Threat Research Labs (CTRL) recently reported a botnet (Win32/AutoRun.IRCBot) affecting Windows. Now another variant of this malware, named as Variant.Symmi, has come into the picture. This malware showcases improved capabilities and can spread via removable drives.

According to the CTRL Team, this malware is "similar to any Botnet". A botnet is a network of computers that have been compromised by malware, giving attackers partial or full control without the users' knowledge. The malware is commonly delivered by drive-by downloads from infected websites, which exploit vulnerabilities in browsers, ActiveX controls, plug-ins or any other vulnerable application installed on the users' systems, or, as in this case, by removable drives. Botnets are most commonly employed for sending spam e-mail and for running DDoS (Distributed Denial-of-Service) attacks.

FILE Details:

File name: up.exe
md5sum: d3637696af867b9237b60fe5294cbd18
SHA256: 59d8d831712350dab4f7301334b30fe7cfd14e47bdf2142b7129983403d5d472

To handle the sample safely, transfer it to an isolated Linux virtual machine (for example by uploading it to OneDrive and downloading it inside the VM); on a Windows host an accidental double-click would execute it. When the file was uploaded to virustotal.com, 19% of the antivirus engines listed on VirusTotal detected it.

img1

When the EXE is executed, it attempts to download another binary, krw.exe, from a server (shown in the figure).

img1

The downloaded binary is stored in the %temp% directory under a different name (svgniltsbk.exe in this example).

img1

When the downloaded EXE is executed, it connects to an IRC server:

img1

It then sends HTTP GET requests to a predefined list of servers; the client system acts as a bot issuing many requests, which looks like a brute-force attack on various FTP and SMTP servers.

img1

List of predefined server:
cinthyz.tumblr.com
sarahmilespoetryandprose.tumblr.com
deanartmanni.blogspot.com
chmop.skyrock.com
le-clan-kog.skyrock.com
team-kog-cod6.skyrock.com
helicow.olympiqueforum.com
pencilteststudios.com
kognederland.wordpress.com
kmvsansthan.com
peebles.boatverse.com
airs-kmv.ya.ru
kookieblehhh.tumblr.com
capetocape.blogspot.com
warmy-sun.blogspot.com
mikelouth.co.uk
artistesconseils.fr
marygrace-heenimkim.blogspot.com
tesa11.livejournal.com
jsportsnow.com
endouyumi.tumblr.com

img1
img1

Cyberoam Threat Research Labs is currently studying this malware and will announce a remedial solution soon.

Caution: Win32/AutoRun.IRCBot is on prowl

Cyberoam Threat Research Labs (CTRL) has detected a new malware which is capable of affecting all versions of Windows at present. Known as Win32/AutoRun.IRCBot, the bot agent has capabilities to spread via removable drives. It may also be dropped by Trojans such as Trojan.Win32.Buzus.cjdb. Cyberoam was one of the first vendors to detect this botnet in the wild.

According to the CTRL Team, this malware is "similar to any Botnet". A botnet is a network of computers that have been compromised by malware, giving attackers partial or full control without the users' knowledge. The malware is commonly delivered by drive-by downloads from infected websites, which exploit vulnerabilities in browsers, ActiveX controls, plug-ins or any other vulnerable application installed on the users' systems, or, as in this case, by removable drives. Botnets are most commonly employed for sending spam e-mail and for running DDoS (Distributed Denial-of-Service) attacks.

FILE Details:

File name: krw.exe
md5sum: b0c1e532bc9561a689b7ccce891fe394
SHA256: fa4d0b29c5fde4be21e1665bed646e216095aeb7363946166fca1f74a6d51079

To handle the sample safely, transfer it to an isolated Linux virtual machine (for example by uploading it to OneDrive and downloading it inside the VM); on a Windows host an accidental double-click would execute it. When the file was uploaded to virustotal.com, 9% of the antivirus engines listed on VirusTotal detected it.

img1

When the EXE is executed, it connects to an IRC server:

img1

It then sends HTTP GET requests to a predefined list of servers; the client system acts as a bot issuing many requests, which looks like a brute-force attack on various FTP and SMTP servers.

img1

List of predefined server:
cinthyz.tumblr.com
sarahmilespoetryandprose.tumblr.com
deanartmanni.blogspot.com
chmop.skyrock.com
le-clan-kog.skyrock.com
team-kog-cod6.skyrock.com
helicow.olympiqueforum.com
pencilteststudios.com
kognederland.wordpress.com
kmvsansthan.com
peebles.boatverse.com
airs-kmv.ya.ru
kookieblehhh.tumblr.com
capetocape.blogspot.com
warmy-sun.blogspot.com
mikelouth.co.uk
artistesconseils.fr
marygrace-heenimkim.blogspot.com
tesa11.livejournal.com
jsportsnow.com
endouyumi.tumblr.com

img1
img1

Cyberoam Threat Research Labs is currently studying this malware and will announce a remedial solution soon.

Vulnerability in Microsoft HTTP.sys can lead to Remote Code Execution

A remote code execution vulnerability has been found in Microsoft HTTP.sys, the kernel-mode HTTP protocol stack used by IIS. The vulnerability is due to an error in the processing of HTTP messages. A remote unauthenticated user could exploit it by sending a specially crafted HTTP request to a vulnerable server. The vulnerability affects MS Windows 7, MS Windows Server 2008 R2, MS Windows 8, MS Windows Server 2012, MS Windows 8.1 and MS Windows Server 2012 R2. Microsoft has released bulletin MS15-034 regarding this vulnerability (linked in the references below):

CVE ID

CVE-2015-1635

CVSS Scoring

CVSS Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score: 7.8 (E:POC/RL:OF/RC:C)

Exploit code for this vulnerability is publicly available. The public exploit reliably crashes the target (a denial of service); successful code execution would run in kernel mode, since HTTP.sys is a kernel-mode driver, and so would compromise the whole system. Users are advised to follow the Microsoft advisory and update their servers and systems accordingly. Cyberoam Threat Research Labs has released the following IPS upgrade to address this vulnerability:

Name of IPS Signature: Microsoft HTTP.sys Remote Code Execution

Upgrade version: 3.12.26

Applicable from Version: 10.06.1 Build 631
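As an added example (not Cyberoam's signature and not from the bulletin), a Python check for the request pattern the public proof-of-concept uses: a Range header whose upper bound is 18446744073709551615, i.e. 2^64 - 1. The bound above which a byte range is treated as suspicious is a heuristic assumption; the sample requests are constructed. This is a detector for traffic logs or a proxy, not a scanner: sending that header to an unpatched server crashes it.

```python
import re

# Public proof-of-concept requests for MS15-034 carry a Range header whose
# upper bound is 2^64 - 1.  No real resource approaches the bound below, so
# any range ending beyond it is treated as hostile (heuristic assumption).
SUSPICIOUS_BOUND = 1 << 63


def parse_byte_ranges(value):
    """Parse 'bytes=a-b,c-,-d' into (start, end) pairs; None marks an open end."""
    m = re.match(r"\s*bytes\s*=\s*(.+)", value, re.I)
    if not m:
        return []
    ranges = []
    for spec in m.group(1).split(","):
        first, sep, last = spec.strip().partition("-")
        if not sep:
            continue
        try:
            ranges.append((int(first) if first else None, int(last) if last else None))
        except ValueError:          # garbage in a range spec is not our concern here
            continue
    return ranges


def range_is_suspicious(value, bound=SUSPICIOUS_BOUND):
    """True when any bound of any byte range reaches `bound`."""
    return any(b is not None and b >= bound
               for pair in parse_byte_ranges(value) for b in pair)


def flag_requests(raw_requests):
    """Return the request lines of requests carrying an oversized Range bound."""
    hits = []
    for raw in raw_requests:
        head = raw.split("\r\n\r\n", 1)[0]
        request_line, *headers = head.split("\r\n")
        for h in headers:
            name, _, value = h.partition(":")
            if name.strip().lower() == "range" and range_is_suspicious(value):
                hits.append(request_line)
                break
    return hits


# Constructed requests: the first mimics the public check, the others are
# ordinary partial-content requests a media player or download manager sends.
SAMPLE_REQUESTS = [
    "GET /iisstart.htm HTTP/1.1\r\nHost: 10.0.0.5\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    "GET /video.mp4 HTTP/1.1\r\nHost: 10.0.0.5\r\nRange: bytes=1048576-2097151\r\n\r\n",
    "GET /doc.pdf HTTP/1.1\r\nHost: 10.0.0.5\r\nRange: bytes=500-\r\n\r\n",
]

if __name__ == "__main__":
    print(flag_requests(SAMPLE_REQUESTS))
```

The check keys on the numeric bound rather than on the literal proof-of-concept string, so variants that pad the number or use a multi-range header are still caught, while legitimate resumable downloads (the second and third samples) pass.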


References:

http://www.exploit-db.com/exploits/36773/
https://technet.microsoft.com/library/security/MS15-034