[CERT-daily] Tageszusammenfassung - Donnerstag 28-11-2013

Thu Nov 28 18:02:53 CET 2013

=======================
= End-of-Shift report =
=======================

Timeframe:   Mittwoch 27-11-2013 18:00 − Donnerstag 28-11-2013 18:00
Handler:     Matthias Fraidl
Co-Handler:  n/a

*** Fake 'October´s Billing Address Code' (BAC) form themed spam campaign leads to malware ***
---------------------------------------------
Have you received a casual-sounding email enticing you into signing a Billing Address Code (BAC) form for October, in order for the Payroll Manager to proceed with the transaction? Based on our statistics, tens of thousands of users received these malicious spam emails over the last 24 hours, with the cybercriminal(s) behind them clearly interested in expanding the size of their botnet through good old fashioned 'casual social engineering' campaigns.
---------------------------------------------
http://www.webroot.com/blog/2013/11/27/fake-octobers-billing-address-code-bac-form-themed-spam-campaign-leads-malware/


*** Sharik Back for More After Php.Net Compromise ***
---------------------------------------------
Sharik is a Trojan which injects itself into legitimate processes and adds registry entries for an added level of persistence. The infection also sends information about the victims PC to a remote server. The threat can also receive commands from a known CnC server to download further malicious files.
---------------------------------------------
http://research.zscaler.com/2013/11/sharik-back-for-more-after-phpnet.html


*** ATM Traffic + TCPDump + Video = Good or Evil?, (Wed, Nov 27th) ***
---------------------------------------------
I was working with a client recently, working through the move of a Credit Union branch. In passing, he mentioned that they were looking at a new security camera setup, and the vendor had mentioned that it would need a SPAN or MIRROR port on the switch set up. At that point my antennae came online - SPAN or MIRROR ports set up a session where all packets from one switch ports are "mirrored" to another switch port.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17111


*** Microsoft Security Advisory (2914486): Vulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege - Version: 1.0 ***
---------------------------------------------
Microsoft is investigating new reports of a vulnerability in a kernel component of Windows XP and Windows Server 2003. We are aware of limited, targeted attacks that attempt to exploit this vulnerability.
---------------------------------------------
http://technet.microsoft.com/en-ca/security/advisory/2914486


*** THOUSANDS of Ruby on Rails sites leave logins lying around ***
---------------------------------------------
A security researcher has warned that a Ruby on Rails vulnerability first outlined in September is continuing to linger on the Web, courtesy of admins that don't realise a vulnerability exists in its default CookieStore session storage mechanism.
---------------------------------------------
http://www.theregister.co.uk/2013/11/28/thousands_of_ror_sites_leave_logins_lying_around/


*** FakeAV + Ransomware = Windows Expert Console ***
---------------------------------------------
During the last months we have been talking mainly about police virus infections, and more recently about CryptoLocker, the new major ransomware family. However that doesn´t mean that our good 'old friends' known as FakeAV aren´t around.
---------------------------------------------
http://pandalabs.pandasecurity.com/fakeav-ransomware-windows-expert-console/


*** Linux Worm Targeting Hidden Devices ***
---------------------------------------------
Symantec has discovered a new Linux worm that appears to be engineered to target the 'Internet of things'. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras.
---------------------------------------------
http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices


*** You have a Skype voicemail. PSYCHE! Its just some fiendish Trojan-flinging spam ***
---------------------------------------------
A spam run of fake Skype voicemail alert emails actually comes packed with malware, a UK police agency warns.
Action Fraud said the zip file attachments come contaminated with a variant of the notorious ZeuS banking Trojan.
---------------------------------------------
http://www.theregister.co.uk/2013/11/28/skype_voicemail_alert_spam_flings_zeus_trojan/


*** Microsoft Cybersecurity Report: Top 10 Most Wanted Enterprise Threats ***
---------------------------------------------
The latest report found that in the enterprise environment, on average about 11% of systems encountered malware, worldwide between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13). The "encounter rate" is defined as the percentage of computers running Microsoft real-time security software that report detecting malware - typically resulting in a blocked installation of malware.
---------------------------------------------
http://blogs.technet.com/b/security/archive/2013/11/25/microsoft-cybersecurity-report-top-10-most-wanted-enterprise-threats.aspx?Redirected=true


*** Quassel IRC Backlog Access Bypass Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/55640


*** DSA-2804 drupal7 ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2804


*** DSA-2803 quagga ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2803


*** HP Service Manager and ServiceCenter Unspecified Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029400


*** Subversion mod_dontdothat Path Validation Flaw Lets Remote Users Bypass Security Restrictions ***
---------------------------------------------
http://www.securitytracker.com/id/1029402


*** Yahoo Open Redirect Vulnerability or "Designing vulnerabilities" ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110200


*** ownCloud Unspecified Security Bypass Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/55792