PLABS
Internet Storm Center Infocon Status
A Malicious Word Document Inside a PDF Document, (Sat, Apr 25th)
Yesterday Steve Basford informed us of yet another type of malicious document (Sales Invoice 519658.pdf MD5 bfe397fb9b7907ab34ba83f0f086336d). It is a PDF docum…

Fileless Malware, (Fri, Apr 24th)
In previous diaries we have talked about memory forensics and how important it is. Malware that does not exist in the file system is one of the reasons why me…

ISC StormCast for Friday, April 24th 2015 http://isc.sans.edu/podcastdetail.html?id=4455, (Fri, Apr 24th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

When automation does not help, (Thu, Apr 23rd)
In a lot of web application penetration tests that I've done in the last couple of years I noticed that the amount of technical vulnerabilities (i.e. XSS or SQL inje…

ISC StormCast for Thursday, April 23rd 2015 http://isc.sans.edu/podcastdetail.html?id=4453, (Thu, Apr 23rd)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Dridex Redirecting to Malicious Dropbox Hosted File Via Google, (Tue, Apr 21st)
Thanks to Wayne for sending us in the latest Dridex sample. He observed them arriving this morning around 8am ET. According to Wayne, this malware may use Googl…

Packet Storm
Latest Security Tool Files
Fwknop Port Knocking Utility 2.6.6
fwknop implements an authorization scheme that requires only a single encrypted packet to communicate various pieces of information, including desired access through a Netfilt…

Packet Fence 5.0.1
PacketFence is a network access control (NAC) system. It is actively maintained and has been deployed in numerous large-scale institutions. It can be used to effectively secur…

MIMEDefang Email Scanner 2.78
MIMEDefang is a flexible MIME email scanner designed to protect Windows clients from viruses. Includes the ability to do many other kinds of mail processing, such as replacing…

tcpdump 4.7.4
tcpdump allows you to dump the traffic on a network. It can be used to print out the headers and/or contents of packets on a network interface that matches a given expression.

MIMEDefang Email Scanner 2.77
MIMEDefang is a flexible MIME email scanner designed to protect Windows clients from viruses. Includes the ability to do many other kinds of mail processing, such as replacing…

T35T-SSH Password Cracker / Scanner
This is a php script that uses a pre-defined set of possible passwords and tries them against a given ssh server.

Maligno 2.1
Maligno is an open source penetration testing tool written in python, that serves Metasploit payloads. It generates shellcode with msfvenom and transmits it over HTTP or HTTPS…

Lynis Auditing Tool 2.1.0
Lynis is an auditing tool for Unix (specialists). It scans the system and available software to detect security issues. Beside security related information it will also scan f…

Zed Attack Proxy 2.4.0 Windows Installer
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wi…


SecurityFocus
General Security Vulnerabilities
Vuln: OpenIPMI 'ipmievd' Daemon PID Files Insecure File Permissions Vulnerability
OpenIPMI 'ipmievd' Daemon PID Files Insecure File Permissions Vulnerability…

Vuln: python-fedora Open Redirection and Cross Site Scripting Vulnerabilities
python-fedora Open Redirection and Cross Site Scripting Vulnerabilities…

Vuln: Linux Kernel 'mpt2sas' Local Privilege Escalation and Information Disclosure Vulnerabilities
Linux Kernel 'mpt2sas' Local Privilege Escalation and Information Disclosure Vulnerabilities…

Vuln: X.Org libFS 'FSOpenServer()' Memory Corruption Vulnerability
X.Org libFS 'FSOpenServer()' Memory Corruption Vulnerability…

Bugtraq: Incorrect handling of self signed certificates in OpenFire XMPP Server
Incorrect handling of self signed certificates in OpenFire XMPP Server…

Bugtraq: SSH Network Security Assessment utility - Zeppelin - -=[Advanced Information Security Corp]=-
SSH Network Security Assessment utility - Zeppelin - -=[Advanced Information Security Corp]=-…

Bugtraq: Zeppelin - SSH script - Advanced Information Security Corporation
Zeppelin - SSH script - Advanced Information Security Corporation…


Helpful Stuff
DShield.org Recommended Block List
This list summarizes the top 20 attacking class C (/24) subnets over the last three days. The number of 'attacks' indicates the number of targets reporting scans from this subnet.
DShield.org Suspicious Domain List
GRC ShieldsUP!
Internet Vulnerability Profiling
Geo IP Location Service
This Geo IP Location service (IP address map lookup service) is provided for FREE by Geobytes, Inc. to assist you in locating the geographical location of an IP address.
IANA Port Number List
The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports.
InterNIC Whois Search
A query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system.
Nessus
Latest Nessus Plugins Released
IBM WebSphere Portal Multiple Vulnerabilities (PI37356, PI37661)
Synopsis : The web portal software installed on the remote Windows host is affected by multiple vulnerabiliti…

Cisco IOS XR Typhoon-based Line Cards and Network Processor (NP) Chip DoS
Synopsis : The remote device is missing a vendor-supplied security patch. Description : The remote Cisco de…

WordPress < 4.1.2 Multiple Vulnerabilities
Synopsis : The remote web server contains a PHP application that is affected by multiple vulnerabilities. De…

Ubuntu 14.04 / 14.10 / 15.04 : wpa vulnerability (USN-2577-1)
Synopsis : The remote Ubuntu host is missing a security-related patch…

Ubuntu 15.04 : usb-creator vulnerability (USN-2576-2)
Synopsis : The remote Ubuntu host is missing a security-related patch…

Sourcefire
Vulnerability Research Team
Shellshock - Update Bash Immediately!
Shellshock is a serious vulnerability. Bash, arguably the most widely distributed shell on Linux systems, fail…

Looking Glasses with Bacon
This is my first post on the VRT blog and I would like to introduce myself. I am Mariano Graziano, an Italian…

Microsoft Update Tuesday September 2014: another generally light month but with a significant IE bulletin
This month’s Microsoft Update Tuesday is pretty light save for the Internet Explorer bulletin. While there 

Malware Using the Registry to Store a Zeus Configuration File
This blog was co-authored by Andrea Allievi. A few weeks ago I came across a sample that was reading from…

Discovering Dynamically Loaded API in Visual Basic Binaries
Performing analysis on a Visual Basic (VB) script, or when Visual Basic is paired with the .NET Framework, bec…

RHEL
Red Hat Errata
RHBA-2015:0887-1: Satellite 5.7 bug fix update
RHN Satellite and Proxy: Updated spacewalk-backend, spacewalk-java, spacewalk-web, and satellite-schema packa…

RHBA-2015:0877-1: devtoolset-3-dyninst bug fix and enhancement update
Red Hat Enterprise Linux: Updated devtoolset-3-dyninst packages that fix several bugs and add various enhance…

RHBA-2015:0878-1: devtoolset-3-ltrace bug fix update
Red Hat Enterprise Linux: Updated devtoolset-3-ltrace packages that fix one bug are now available for Red Hat…

RHBA-2015:0879-1: devtoolset-3-gdb bug fix update
Red Hat Enterprise Linux: Updated devtoolset-3-gdb packages that fix several bugs are now available for Red H…

RHBA-2015:0880-1: devtoolset-3-gcc bug fix and enhancement update
Red Hat Enterprise Linux: Updated devtoolset-3-gcc packages that fix several bugs and add various enhancement…

RHBA-2015:0885-1: Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory
Red Hat Enterprise Linux: Updated packages that resolve various issues are now available for Red Hat Enterpr…

Microsoft
Security Advisories
2755801 - Update for Vulnerabilities in Adobe Flash Player in Internet Explorer - Version: 39.0
Revision Note: V39.0 (April 15, 2015): Added the 3049508 update to the Current Update section. Summary: Microso…

3009008 - Vulnerability in SSL 3.0 Could Allow Information Disclosure - Version: 3.0
Revision Note: V3.0 (April 14, 2015): Revised advisory to announce with the release of security update 3038314…

3045755 - Update to Improve PKU2U Authentication - Version: 1.0
Revision Note: V1.0 (April 14, 2015): Advisory published. Summary: Microsoft is announcing the availability of…

3050995 - Improperly Issued Digital Certificates Could Allow Spoofing - Version: 2.0
Revision Note: V2.0 (March 26, 2015): Advisory rereleased to announce that the update for supported editions o…

3046310 - Improperly Issued Digital Certificates Could Allow Spoofing - Version: 2.0
Revision Note: V2.0 (March 19, 2015): Advisory rereleased to announce that the update for supported editions o…

Cisco
Security Advisories
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities t…

Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the ntpd package. Versions of this package are affected by on…

Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities t…

Cisco IOS XR Software BVI Routed Packet Denial of Service Vulnerability
A vulnerability in the packet-processing code of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation S…

Cisco Secure Desktop Cache Cleaner Command Execution Vulnerability
A vulnerability in a Cisco-signed Java Archive (JAR) executable Cache Cleaner component of Cisco Secure Deskto…

GNU glibc gethostbyname Function Buffer Overflow Vulnerability
On January 27, 2015, a buffer overflow vulnerability in the GNU C library (glibc) was publicly announced. This…

SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
On October 14, 2014, a vulnerability was publicly announced in the Secure Sockets Layer version 3 (SSLv3) prot…

ClamAV
Top 10 ClamAV Official Signatures
Suspect.DoubleExtension-zippwd-15
Count: 18895…
W32.Virut.Gen.D-163
Count: 12179…
Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net
Count: 7110…
Heuristics.Phishing.Email.SpoofedDomain
Count: 6804…
Heuristics.Phishing.Email.SSL-Spoof
Count: 5072…
Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net
Count: 4508…
Worm.Mydoom.I
Count: 4167…
PUA.Script.PDF.EmbeddedJS-1
Count: 3669…
HTML.Phishing.Card-52
Count: 3614…
Malware Domain List
www.thesparkmachine.com (2015/04/24_19:11)
Host: www.thesparkmachine.com/Antivirus.zip, IP address: 208.113.197.192, ASN: 26347, Country: US, Description: FakeAV…

gurde.tourstogo.us (2015/04/22_15:17)
Host: gurde.tourstogo.us/leefoohopt/ezussoadyz/utufegheer/files/GO49776M.vbs, IP address: 176.31.28.226, ASN: 16276, Country: FR, Description: VBS.Trojan.Downloader…

185.91.175.183 (2015/04/22_15:17)
Host: -, IP address: 185.91.175.183/sas/evzxce.exe, ASN: 42632, Country: RU, Description: Trojan.Backdoor…

web-sensations.com (2015/04/22_15:17)
Host: web-sensations.com/js/jquery-1.40.15.js, IP address: 192.186.238.40, ASN: 26496, Country: US, Description: JS.Exploit…

jstaikos.com (2015/04/22_15:17)
Host: jstaikos.com/51i70l/chbpy.html, IP address: 192.186.209.131, ASN: 26496, Country: US, Description: Script.Exploit…

agsteier.com (2015/04/22_15:17)
Host: agsteier.com/HSBC_BANK_STORAGE-DATA/new-payment.html, IP address: 173.254.28.44, ASN: 46606, Country: US, Description: Script.Exploit…

broadtech.co (2015/04/22_15:17)
Host: broadtech.co/HSBC_BANK-STORAGE_DATA/new-payment.html, IP address: 23.229.160.136, ASN: 26496, Country: US, Description: Script.Exploit…

bilbaopisos.es (2015/04/22_15:17)
Host: bilbaopisos.es/HSBC_BANK.STORAGE-DATA/secure.html, IP address: 216.119.143.194, ASN: 55293, Country: US, Description: Script.Exploit…

ajewishgift.com (2015/04/22_15:17)
Host: ajewishgift.com/HSBC_BANK_STORAGE_DATA/payment_document.html, IP address: 192.186.223.196, ASN: 26496, Country: US, Description: Script.Exploit…


© 2001-2015 Procyon Labs / Randal T. Rioux