[ciphershed] FWD: AEGIS current events & popular malware samples for July 1, 2014

  • From: Pid Zero <p1dz3r0@xxxxxxxxx>
  • To: "ciphershed@xxxxxxxxxxxxx" <ciphershed@xxxxxxxxxxxxx>
  • Date: Wed, 2 Jul 2014 13:03:58 +0100

Interesting to hear what MS is doing in regards no-ip.org


*From:* Richard Harman Jr (rharmanj) [mailto:rharmanj@xxxxxxxxx]
*Sent:* 01 July 2014 22:00
*To:* aegis@xxxxxxxxxxxxxxxxxx
*Subject:* AEGIS current events & popular malware samples for July 1, 2014

============================================================



NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY
RESEARCH TEAM



Title: Microsoft Takes Legal Action to fight Malware: Bladabindi and
Jenxcus - impacting no-ip.org dyndns service

Description: On June 30, Microsoft positioned itself to receive all the
no-ip.org DNS requests; so that it could filter out DNS requests related to
the two malware families, Bladabindi and Jenxcus.

Reference:  http://sfi.re/TMWI4e

Snort SID: 31287-31288, 29837-29858

ClamAV: Win.Trojan.Bladabindi



Title: Duo Security researchers uncover bypass of PayPal's two-factor
authentication

Description: Researchers at Duo Security discovered the mobile application
for PayPal could bypass 2FA by using a token from an undocumented API
endpoint.

Reference:  http://sfi.re/1rUPzKK



Title: Raising Lazarus - The 20 Year Old Bug that Went to Mars

Description: Security Mouse researchers discovered a 20 year old bug in the
LZO compression algorithm

Reference:  http://sfi.re/1lPXMPS



============================================================



INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY



Apple releases security fixes for iOS, OS X, Safari and Apple TV

http://sfi.re/1pHJrIR



DHS Sharing Classified Threat Information With Service Providers

http://sfi.re/1o4SH4a



Exceptional behavior: the Windows 8.1 X64 SEH Implementation

http://sfi.re/1reqmxl



Isolated Heap for Internet Explorer Helps Mitigate UAF Exploits

http://sfi.re/1lPY3lR



Android KeyStore Stack Buffer Overflow: To Keep Things Simple, Buffers Are
Always Larger Than Needed

http://sfi.re/1rUPQNP



Setting up a dynamic Android testbed Part II: Inspecting and modifying
traffic

http://sfi.re/1iSeIGj



Lite Zeus - A New Zeus Variant

http://sfi.re/1kbjvgv



Analysis of Smoke Loader

http://sfi.re/1z5RktA





=========================================================



MOST PREVALENT MALWARE FILES 6/25/2014 - 7/1/2014:

COMPILED BY SOURCEFIRE



SHA 256: 97667487392ACA1D94C0043FB725FE31855D5B65B1BDEBE58E0AC7E147D05BE4

MD5: 466af3fbfdd028b3d90238425c367b7e

VirusTotal:
https://www.virustotal.com/file/97667487392ACA1D94C0043FB725FE31855D5B65B1BDEBE58E0AC7E147D05BE4/analysis/#additional-info

Typical Filename: 8hsrchmn.exe

Claimed Product: Mindspark Toolbar Platform SearchScope Monitor

Detection Name: W32.MindsparkA.17hd.1201



SHA 256: 8679C8E6388FD3F927F7AC8ADCEB2CFECD0CEC3B95EA98F79D54119EFBD68034

MD5: 2b76e26f8314246c2a0f7968f73f00bb

VirusTotal:
https://www.virustotal.com/file/8679C8E6388FD3F927F7AC8ADCEB2CFECD0CEC3B95EA98F79D54119EFBD68034/analysis/#additional-info

Typical Filename: 39SrchMn.exe

Claimed Product: Mindspark Toolbar Platform SearchScope Monitor

Detection Name: W32.MindsparkA.17hd.1201



SHA 256: F8EA2EFA24813F1159ADCEF510EA33DCCEE50A5EF9F9C98EAE840AFAAB8DE8F8

MD5: 2c0a45683112082493b1fb3c09c60184

VirusTotal:
https://www.virustotal.com/file/F8EA2EFA24813F1159ADCEF510EA33DCCEE50A5EF9F9C98EAE840AFAAB8DE8F8/analysis/#additional-info

Typical Filename: 1cbrmon.exe

Claimed Product: Mindspark Toolbar Platform SearchScope Monitor

Detection Name: W32.MindsparkA.17hd.1201



SHA 256: CD9B0B4A981F04BBEFA37400F8EED1B5D5187BBD8E38A5861B80916EE8CC411A

MD5: 59e9664cfa40c96b449d69ef4aa457a1

VirusTotal:
https://www.virustotal.com/file/CD9B0B4A981F04BBEFA37400F8EED1B5D5187BBD8E38A5861B80916EE8CC411A/analysis/#additional-info

Typical Filename: cltmngsvc.exe

Claimed Product: Conduit Search Protect

Detection Name: W32.CD9B0B4A98-100.SBX.VIOC



SHA 256: A1186DE10C5C0DF1E5D25B1F3A8EA4EDBB24838D455E3ED28E28FA50D0FB02EA

MD5: 660d435be4a48b8d941e5dcf30ac1974

VirusTotal:
https://www.virustotal.com/file/A1186DE10C5C0DF1E5D25B1F3A8EA4EDBB24838D455E3ED28E28FA50D0FB02EA/analysis/#additional-info

Typical Filename: AppIntegrator64.exe

Claimed Product: Mindspark Toolbar Platform SearchScope Monitor

Detection Name: W32.MindsparkA.17hd.1201



Richard Harman

rharmanj@xxxxxxxxx / rharmanj@xxxxxxxxxxxxxx

Threat Intelligence Team, Sourcefire VRT

Sourcefire, Inc (now a part of Cisco)


-- 
--
At the time of writing, no warrants have ever been served to me, nor am I
under any personal legal compulsion concerning the
CipherShed project. I do not know of any searches or seizures of my
assets.
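The "MOST PREVALENT MALWARE FILES" list in the forwarded newsletter is published as plain "Key: value" records, so the obvious thing to do with it is parse it into indicators and sweep a filesystem for matches. The script below is an added example, not part of the newsletter or of any Sourcefire or ClamAV tooling. The embedded excerpt copies two records verbatim from the list above (the hash values are the ones printed there); the temporary "suspect.exe" file, its digest and the detection name "Test.Constructed" are constructed for the demo and match nothing real. SHA-256 is treated as the authoritative match; a file that matches only on MD5 is still reported, but flagged, since MD5 collisions are practical.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed excerpt in the layout of the newsletter's "MOST PREVALENT MALWARE FILES" list.
# Both records are copied verbatim from that list; no new indicators are introduced.
ADVISORY_TEXT = """
SHA 256: 97667487392ACA1D94C0043FB725FE31855D5B65B1BDEBE58E0AC7E147D05BE4
MD5: 466af3fbfdd028b3d90238425c367b7e
Typical Filename: 8hsrchmn.exe
Claimed Product: Mindspark Toolbar Platform SearchScope Monitor
Detection Name: W32.MindsparkA.17hd.1201

SHA 256: CD9B0B4A981F04BBEFA37400F8EED1B5D5187BBD8E38A5861B80916EE8CC411A
MD5: 59e9664cfa40c96b449d69ef4aa457a1
Typical Filename: cltmngsvc.exe
Claimed Product: Conduit Search Protect
Detection Name: W32.CD9B0B4A98-100.SBX.VIOC
"""

FIELD_RE = re.compile(r"^\s*(SHA 256|MD5|Typical Filename|Claimed Product|Detection Name):\s*(.+?)\s*$")
SHA256_RE = re.compile(r"[0-9a-f]{64}")
MD5_RE = re.compile(r"[0-9a-f]{32}")


@dataclass
class Ioc:
    sha256: str
    md5: str = ""
    filename: str = ""
    product: str = ""
    detection: str = ""


def parse_iocs(text):
    """Parse 'Key: value' records into Ioc objects. A record starts at each 'SHA 256:' line.
    Hashes are lowercased so matching is case-insensitive; a record whose SHA-256 is not
    64 hex digits is dropped, while a malformed MD5 is just ignored."""
    iocs, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "SHA 256":
            current = Ioc(sha256=value.lower())
            iocs.append(current)
        elif current is None:
            continue  # field before the first SHA 256 line: nothing to attach it to
        elif key == "MD5":
            current.md5 = value.lower() if MD5_RE.fullmatch(value.lower()) else ""
        elif key == "Typical Filename":
            current.filename = value
        elif key == "Claimed Product":
            current.product = value
        elif key == "Detection Name":
            current.detection = value
    return [i for i in iocs if SHA256_RE.fullmatch(i.sha256)]


def hash_file(path, chunk_size=1 << 20):
    """One-pass SHA-256 and MD5 of a file, read in chunks so large binaries stay out of
    memory. Returns (sha256_hex, md5_hex) in lowercase."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def scan_directory(root, iocs):
    """Walk root and return (path, ioc, matched_on) for each file whose digest matches an
    IOC. SHA-256 is authoritative; an MD5-only match is reported but tagged 'md5-only'."""
    by_sha = {i.sha256: i for i in iocs}
    by_md5 = {i.md5: i for i in iocs if i.md5}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                sha, md5 = hash_file(path)
            except OSError:
                continue  # unreadable, or gone between listing and open: skip it
            if sha in by_sha:
                hits.append((path, by_sha[sha], "sha256"))
            elif md5 in by_md5:
                hits.append((path, by_md5[md5], "md5-only"))
    return hits


def demo():
    """Constructed end-to-end run: a temp directory with a benign file and a 'suspect' file,
    plus a hypothetical IOC keyed on the suspect's own digest (it cannot match anything in
    the newsletter). Returns the scan hits as (filename, detection, matched_on)."""
    iocs = parse_iocs(ADVISORY_TEXT)
    with tempfile.TemporaryDirectory() as tmp:
        suspect = os.path.join(tmp, "suspect.exe")
        with open(suspect, "wb") as f:
            f.write(b"MZ constructed stand-in, not a real sample\n")
        with open(os.path.join(tmp, "readme.txt"), "wb") as f:
            f.write(b"hello\n")
        sha, md5 = hash_file(suspect)
        iocs.append(Ioc(sha256=sha, md5=md5, filename="suspect.exe",
                        detection="Test.Constructed"))  # hypothetical, not a vendor name
        return [(os.path.basename(p), ioc.detection, how)
                for p, ioc, how in scan_directory(tmp, iocs)]
```

To use it against a real host, feed the full newsletter text to `parse_iocs` and call `scan_directory` on the paths of interest; hashing both digests in one read keeps the sweep to a single pass over each file.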