Daily summary - Thursday 28-11-2013

End-of-Shift report

Timeframe: Wednesday 27-11-2013 18:00 − Thursday 28-11-2013 18:00 Handler: Matthias Fraidl Co-Handler: n/a

Fake 'October's Billing Address Code' (BAC) form themed spam campaign leads to malware

Have you received a casual-sounding email enticing you into signing a Billing Address Code (BAC) form for October, in order for the Payroll Manager to proceed with the transaction? Based on our statistics, tens of thousands of users received these malicious spam emails over the last 24 hours, with the cybercriminal(s) behind them clearly interested in expanding the size of their botnet through good old-fashioned 'casual social engineering' campaigns.

http://www.webroot.com/blog/2013/11/27/fake-octobers-billing-address-code-bac-form-themed-spam-campaign-leads-malware/


Sharik Back for More After Php.Net Compromise

Sharik is a Trojan which injects itself into legitimate processes and adds registry entries for an added level of persistence. The infection also sends information about the victim's PC to a remote server. The threat can also receive commands from a known CnC server to download further malicious files.

http://research.zscaler.com/2013/11/sharik-back-for-more-after-phpnet.html


ATM Traffic + TCPDump + Video = Good or Evil?, (Wed, Nov 27th)

I was working with a client recently, working through the move of a Credit Union branch. In passing, he mentioned that they were looking at a new security camera setup, and the vendor had mentioned that it would need a SPAN or MIRROR port on the switch set up. At that point my antennae came online - SPAN or MIRROR ports set up a session where all packets from one switch port are "mirrored" to another switch port.

http://isc.sans.edu/diary.html?storyid=17111


Microsoft Security Advisory (2914486): Vulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege - Version: 1.0

Microsoft is investigating new reports of a vulnerability in a kernel component of Windows XP and Windows Server 2003. We are aware of limited, targeted attacks that attempt to exploit this vulnerability.

http://technet.microsoft.com/en-ca/security/advisory/2914486


THOUSANDS of Ruby on Rails sites leave logins lying around

A security researcher has warned that a Ruby on Rails vulnerability first outlined in September is continuing to linger on the Web, courtesy of admins that don't realise a vulnerability exists in its default CookieStore session storage mechanism.

http://www.theregister.co.uk/2013/11/28/thousands_of_ror_sites_leave_logins_lying_around/
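The CookieStore issue the article refers to comes from the session living entirely in the client's cookie: once the server has signed it, the cookie stays valid until the signing secret changes, because logout leaves nothing on the server that could be invalidated. The following is an added Ruby example, not code from Rails or from the article, that models a simplified HMAC-signed cookie session beside a server-side session store and replays a captured cookie after logout against each. The secret, user name, JSON payload and `data--mac` cookie layout are constructed for the demo and only approximate the real Rails format.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Constructed demo secret; stands in for the application's secret_token / secret_key_base.
SECRET = 'constructed-demo-secret-not-a-real-key'

# Constant-time comparison so MAC verification does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Simplified CookieStore: the whole session is serialised into the cookie and HMAC-signed.
module CookieStoreSession
  def self.sign(payload)
    data = Base64.strict_encode64(JSON.generate(payload))
    "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', SECRET, data)}"
  end

  # Returns the session hash if the MAC is valid, nil otherwise.
  def self.verify(cookie)
    data, mac = cookie.to_s.split('--', 2)
    return nil unless data && mac
    return nil unless secure_equal?(OpenSSL::HMAC.hexdigest('SHA1', SECRET, data), mac)
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end
end

# Application using the cookie store: logout can only ask the browser to drop the cookie.
class CookieStoreApp
  def login(user)
    CookieStoreSession.sign('user_id' => user, 'issued_at' => Time.now.to_i)
  end

  def logout(_cookie)
    nil # no server-side record exists, so nothing can be revoked here
  end

  # max_age (seconds) is an optional expiry check; it narrows the replay window
  # but still cannot revoke a cookie before it expires.
  def current_user(cookie, max_age: nil)
    session = CookieStoreSession.verify(cookie)
    return nil unless session
    return nil if max_age && Time.now.to_i - session['issued_at'] > max_age
    session['user_id']
  end
end

# Application using a server-side store: the cookie is only an opaque session id.
class ServerStoreApp
  def initialize
    @sessions = {}
  end

  def login(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { 'user_id' => user }
    sid
  end

  def logout(sid)
    @sessions.delete(sid)
    nil
  end

  def current_user(sid, max_age: nil)
    session = @sessions[sid]
    session && session['user_id']
  end
end

# Attacker captured the cookie during the session, the victim then logs out.
# Returns the user the replayed cookie still authenticates as, or nil.
def replay_after_logout(app)
  cookie = app.login('alice')     # constructed user name
  stolen = cookie.dup
  app.logout(cookie)
  app.current_user(stolen)
end

# A cookie whose payload was edited without re-signing must be rejected.
def tampered_cookie_user
  cookie = CookieStoreApp.new.login('alice')
  data, mac = cookie.split('--', 2)
  forged = Base64.strict_encode64(JSON.generate('user_id' => 'admin', 'issued_at' => Time.now.to_i))
  CookieStoreApp.new.current_user("#{forged}--#{mac}")
end

if __FILE__ == $PROGRAM_NAME
  puts "cookie store after logout: #{replay_after_logout(CookieStoreApp.new).inspect}"
  puts "server store after logout: #{replay_after_logout(ServerStoreApp.new).inspect}"
  puts "tampered cookie:           #{tampered_cookie_user.inspect}"
end
```

The signature check itself holds up (the tampered cookie is rejected); the weakness is purely that nothing the server does at logout changes what the old cookie proves. Moving sessions to a server-side store, or at minimum adding a short expiry, is the practical fix the article's researcher was asking admins to apply.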


FakeAV + Ransomware = Windows Expert Console

During the last months we have been talking mainly about police virus infections, and more recently about CryptoLocker, the new major ransomware family. However that doesn't mean that our good 'old friends' known as FakeAV aren't around.

http://pandalabs.pandasecurity.com/fakeav-ransomware-windows-expert-console/


Linux Worm Targeting Hidden Devices

Symantec has discovered a new Linux worm that appears to be engineered to target the 'Internet of things'. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras.

http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices


You have a Skype voicemail. PSYCHE! It's just some fiendish Trojan-flinging spam

A spam run of fake Skype voicemail alert emails actually comes packed with malware, a UK police agency warns. Action Fraud said the zip file attachments come contaminated with a variant of the notorious ZeuS banking Trojan.

http://www.theregister.co.uk/2013/11/28/skype_voicemail_alert_spam_flings_zeus_trojan/


Microsoft Cybersecurity Report: Top 10 Most Wanted Enterprise Threats

The latest report found that in the enterprise environment, on average about 11% of systems encountered malware, worldwide between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13). The "encounter rate" is defined as the percentage of computers running Microsoft real-time security software that report detecting malware - typically resulting in a blocked installation of malware.

http://blogs.technet.com/b/security/archive/2013/11/25/microsoft-cybersecurity-report-top-10-most-wanted-enterprise-threats.aspx?Redirected=true


Quassel IRC Backlog Access Bypass Vulnerabilities

https://secunia.com/advisories/55640


DSA-2804 drupal7

http://www.debian.org/security/2013/dsa-2804


DSA-2803 quagga

http://www.debian.org/security/2013/dsa-2803


HP Service Manager and ServiceCenter Unspecified Flaw Lets Remote Users Execute Arbitrary Code

http://www.securitytracker.com/id/1029400


Subversion mod_dontdothat Path Validation Flaw Lets Remote Users Bypass Security Restrictions

http://www.securitytracker.com/id/1029402


Yahoo Open Redirect Vulnerability or "Designing vulnerabilities"

http://cxsecurity.com/issue/WLB-2013110200


ownCloud Unspecified Security Bypass Vulnerability

https://secunia.com/advisories/55792