End-of-Shift report
Timeframe: Tuesday 29-04-2014 18:00 − Wednesday 30-04-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
PHP Callback Functions: Another Way to Hide Backdoors
We often find new techniques employed by malware authors. Some are very interesting, others are pretty funny, and then there are those that really stump us in their creativity and effectiveness. This post is about the latter. Everyone who writes code in PHP knows what the eval() function is ..
http://blog.sucuri.net/2014/04/php-callback-functions-another-way-to-hide-backdoors.html
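Added example, not code from the Sucuri post or from this report: a line-oriented scan for the pattern the post title describes, code execution reached through a PHP callback parameter instead of a visible eval(). The function lists, the taint sources and the sample PHP file below are this example's own assumptions, and the scan is a heuristic (one call per line, no data-flow tracking), not a parser.

```python
import re

# Function lists are this example's assumptions (a practical subset), not lists
# taken from the Sucuri post. Position of the callable differs per function.
CALLBACK_FIRST = {"call_user_func", "call_user_func_array", "array_map",
                  "register_shutdown_function", "ob_start"}
CALLBACK_SECOND = {"array_filter", "array_walk", "array_reduce", "usort",
                   "uasort", "uksort", "preg_replace_callback"}
DIRECT_EVAL = {"eval", "assert", "create_function"}
# String callbacks that execute code or commands when handed to any of the above.
DANGEROUS_CALLABLES = {"assert", "eval", "system", "exec", "passthru",
                       "shell_exec", "popen", "proc_open"}

SINKS = CALLBACK_FIRST | CALLBACK_SECOND | DIRECT_EVAL
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(sorted(SINKS, key=len, reverse=True)))
# Request superglobals and the decoders typically used to hide a callback name.
TAINT_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b"
                      r"|\b(?:base64_decode|str_rot13|gzinflate|gzuncompress|gzdecode|hex2bin|strrev)\s*\(")
STRING_RE = re.compile(r"^(['\"])(.*)\1$")


def _split_args(text, open_idx):
    """Split the argument list of the call whose '(' sits at text[open_idx].

    Tracks nesting and quoted strings so commas inside nested calls or
    string literals do not split. Returns None when the call does not close
    on this line (backslash escapes inside strings are not handled).
    """
    depth, quote, args, cur = 0, None, [], []
    for ch in text[open_idx:]:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            cur.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return [a for a in args if a]
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return None


def classify_call(func, args):
    """Return a reason string if this call looks like a hidden execution sink."""
    if func in DIRECT_EVAL:
        if TAINT_RE.search(", ".join(args)):
            return "%s() fed with request data or decoded bytes" % func
        return None
    idx = 0 if func in CALLBACK_FIRST else 1
    if len(args) <= idx:
        return None
    cb = args[idx]
    literal = STRING_RE.match(cb)
    if literal:
        name = literal.group(2).lstrip("\\").lower()
        if name in DANGEROUS_CALLABLES:
            return "%s() with %r as callback" % (func, name)
        return None
    if cb.startswith(("function", "static function", "fn", "[", "array(")):
        return None  # closure or array callable: benign for this scan
    return "%s() callback is not a literal (%s)" % (func, cb)


def scan_php(source):
    """Return [(line_number, reason)] for every suspicious sink call in source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue
        for m in CALL_RE.finditer(line):
            args = _split_args(line, m.end() - 1)
            if args is None:
                continue
            reason = classify_call(m.group(1), args)
            if reason:
                findings.append((lineno, reason))
    return findings


# Constructed sample file (assumption): benign callback use mixed with sinks.
SAMPLE_PHP = r"""<?php
// Constructed sample: benign callback use mixed with hidden execution sinks.
$names = array('alice', 'bob');
$upper = array_map('strtoupper', $names);
usort($names, function ($a, $b) { return strcmp($a, $b); });
$cb = base64_decode('YXNzZXJ0');
array_map('assert', array($_POST['p']));
usort($names, $_GET['cb']);
preg_replace_callback('/.*/', $cb, $_COOKIE['z']);
eval($_REQUEST['x']);
call_user_func($cb, $_POST['q']);
"""

if __name__ == "__main__":
    for lineno, reason in scan_php(SAMPLE_PHP):
        print("line %d: %s" % (lineno, reason))
```

The benign array_map() and the closure passed to usort() produce no finding; the five remaining sink lines do. A non-literal callback is reported even when its source is not on the same line (line 6 decodes "assert" into $cb, and the scan only sees the later uses), which is the case a grep for eval( misses.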
[papers] - Introduction to Android Malware Analysis
http://www.exploit-db.com/download_pdf/33093
Xen HVMOP_set_mem_type Page Transition Flaw Lets Local Users on the Guest System Cause Denial of Service Conditions on the Host System
http://www.securitytracker.com/id/1030160
"Bypassing endpoint protections" @ BSides London
This week I presented at BSides London. The talk is titled "Layers on layers: bypassing endpoint protection". The purpose of this talk is to reiterate on the (well-known) common weakness of most endpoint protection products - their reliance on kernel integrity. Once the attacker achieves arbitrary code execution in the kernel, there ..
http://labs.bromium.com/2014/04/29/bypassing-endpoint-protections-bsides-london/
Cisco WebEx Meetings Server Cross-Site Request Forgery Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2186
Be on the Lookout: Odd DNS Traffic, Possible C&C Traffic, (Wed, Apr 30th)
We got an email from one of our readers, including an interesting port 53 packet. While Wireshark and TCPDump try to decode it as DNS, it is almost certainly not DNS. The payload of the packet is ..
http://isc.sans.edu/diary.html?storyid=18047&rss
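The diary is about a UDP/53 payload that packet decoders label as DNS although it is not. Added example, not part of the ISC diary or of this report: a strict check that walks the DNS header, question and resource-record sections and rejects anything that does not fit, so traffic on port 53 can be sorted into real DNS and "something else". The three sample payloads are constructed for this example, not the reader's packet.

```python
import struct


# Constructed sample payloads for this example (not the packet from the diary):
# a normal query, a response that uses name compression, and a non-DNS blob.
def build_query(qname, qtype=1, txid=0x1234):
    """Build a plain recursion-desired query; used only to construct a sample."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)


SAMPLE_QUERY = build_query("example.com")
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)                       # question
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([93, 184, 216, 34])  # answer RR
)
SAMPLE_NOT_DNS = b"Hello, this is not a DNS message at all\x00"


def _read_name(payload, offset, depth=0):
    """Parse a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("name runs past end of message")
        length = payload[offset]
        if length == 0:
            return ".".join(labels) or ".", offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer, must point backwards
            if depth > 10:
                raise ValueError("compression pointer loop")
            if offset + 2 > len(payload):
                raise ValueError("truncated compression pointer")
            ptr = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            if ptr >= offset:
                raise ValueError("compression pointer does not point backwards")
            suffix, _ = _read_name(payload, ptr, depth + 1)
            if suffix != ".":
                labels.append(suffix)
            return ".".join(labels) or ".", offset + 2
        if length & 0xC0:
            raise ValueError("reserved label type 0x%02x" % (length & 0xC0))
        label = payload[offset + 1:offset + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        try:
            labels.append(label.decode("ascii"))
        except UnicodeDecodeError:
            raise ValueError("non-ASCII label") from None
        offset += 1 + length


def _skip_rr(payload, offset):
    """Validate one resource record and return the offset after its RDATA."""
    _, offset = _read_name(payload, offset)
    if offset + 10 > len(payload):
        raise ValueError("truncated resource record header")
    _rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", payload[offset:offset + 10])
    offset += 10
    if offset + rdlength > len(payload):
        raise ValueError("RDATA runs past end of message")
    return offset + rdlength


def looks_like_dns(payload):
    """Return (True, summary) if payload parses as a DNS message, else (False, reason)."""
    if len(payload) < 12:
        return False, "shorter than the 12-byte DNS header"
    _txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    if opcode > 5:  # 0 query, 1 iquery, 2 status, 4 notify, 5 update
        return False, "reserved opcode %d" % opcode
    if flags & 0x0040:
        return False, "reserved Z bit set"
    names, offset = [], 12
    try:
        for _ in range(qd):
            name, offset = _read_name(payload, offset)
            if offset + 4 > len(payload):
                raise ValueError("truncated question")
            qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
            offset += 4
            if qtype == 0 or qclass not in (1, 3, 4, 254, 255):
                raise ValueError("question with type %d class %d" % (qtype, qclass))
            names.append(name)
        for _ in range(an + ns + ar):
            offset = _skip_rr(payload, offset)
    except ValueError as exc:
        return False, str(exc)
    if offset != len(payload):
        return False, "%d trailing bytes after the last section" % (len(payload) - offset)
    kind = "response" if qr else "query"
    return True, "%s, opcode %d, %d question(s): %s" % (kind, opcode, qd, ", ".join(names))


if __name__ == "__main__":
    for label, sample in (("query", SAMPLE_QUERY), ("response", SAMPLE_RESPONSE),
                          ("blob", SAMPLE_NOT_DNS)):
        print(label, looks_like_dns(sample))
```

The non-DNS sample fails on the very first test (its "flags" bytes carry a reserved opcode); a payload that passes the header checks still has to account for every byte through the question and record sections, so padded or appended data is reported as trailing bytes rather than quietly ignored. Feed it the UDP payload (after the IP and UDP headers) of each port-53 packet from a capture.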
Mozilla Thunderbird Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Conduct Cross-Site Scripting Attacks and Local Users Gain Elevated Privileges
http://www.securitytracker.com/id/1030165
Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Conduct Cross-Site Scripting Attacks and Local Users Gain Elevated Privileges
http://www.securitytracker.com/id/1030163
[2014-04-30] SQL injection and XSS vulnerabilities in Typo3 si_bibtex extension
By exploiting the SQL injection vulnerability in the Typo3 extension "si_bibtex", an attacker is able to gain full access to the Typo3 database. Depending on the location where the extension is used in the web application, this may be possible by an unauthenticated attacker. Furthermore, it is affected by persistent XSS.
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140430-0_Typo3_si_bibtex_extension_SQL_injection_and_XSS_vulnerabilities_v10.txt
Symantec Encryption Desktop (PGP) Memory Access Flaws Let Remote Users Deny Service
http://www.securitytracker.com/id/1030170
Friends don't let friends use Internet Explorer - advice from US, UK, EU
IE 6 to 11 at risk of hijacking, patch coming - but not for XP. Microsoft has warned of a new security flaw in all versions of its Internet Explorer web browser for Windows PCs. A patch has yet to be released for the crocked code.
http://www.theregister.co.uk/2014/04/27/oops_we_did_it_again_microsoft_warns_of_ie_zero_day/
Botnet for altcoin mining exploits flaw in Nagios monitoring
A recently published security vulnerability in the network monitor Nagios is apparently already being exploited. Well over 1000 servers worldwide are affected and are being abused for mining purposes.
http://www.heise.de/newsticker/meldung/Botnetz-fuer-Altcoin-Mining-nutzt-Luecke-in-Nagios-Ueberwachung-aus-2180129.html
New ransomware Trojan encrypts with RSA-2048
Reports are mounting of infected Windows systems on which malware encrypts files and releases them again only against payment of a ransom of 500 euros. The ransom is to be paid in Bitcoins via Tor.
http://www.heise.de/security/meldung/Neuer-Erpressungs-Trojaner-verschluesselt-mit-RSA-2048-2180482.html
Protection strategies for the Security Advisory 2963983 IE 0day
We've received a number of customer inquiries about the workaround steps documented in Security Advisory 2963983 published on Saturday evening. We hope this blog post answers those questions. Steps you can take to stay safe: The security advisory lists several options customers can take to stay safe. Those options are ..
http://blogs.technet.com/b/srd/archive/2014/04/30/protection-strategies-for-the-security-advisory-2963983-ie-0day.aspx
Six infosec tips I learned from Game of Thrones
In Westeros - the land of dark knights, backstabbing royals, dragons, wildlings, wargs, red witches, and White Walkers - even the youngest ones have to learn basic self-defense if they're to have any hope of surviving the cruel fictional world imagined by A Game of Thrones (GOT) author, George R. R. Martin. And so too must every CISO and security pro learn the latest information security best practices if they're to survive today's Internet threat landscape.
http://www.net-security.org/article.php?id=2001&p=1