[CERT-daily] Tageszusammenfassung - Freitag 25-10-2013

Fri Oct 25 18:11:15 CEST 2013

=======================
= End-of-Shift report =
=======================

Timeframe:   Donnerstag 24-10-2013 18:00 − Freitag 25-10-2013 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Periodic Links to Control Server Offer New Way to Detect Botnets ***
---------------------------------------------
A number of recent botnets and advanced threats use HTTP as their primary communications channel with their control servers. McAfee Labs research during the last couple of years reveals that more than 60 percent of the top botnet families depend on HTTP. These numbers have increased significantly over the last few quarters. The following pie […]
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/periodic-links-to-control-server-offer-new-way-to-detect-botnets


*** DDoS mitigation firm notes dramatic increase in reflection attack style ***
---------------------------------------------
Between Q3 2012 and Q3 2013, distributed reflection denial-of-service (DrDoS) attacks increased 265 percent, a global attack report found.
---------------------------------------------
http://www.scmagazine.com/ddos-mitigation-firm-notes-dramatic-increase-in-reflection-attack-style/article/317829/


*** LinkedIn Intro App Equivalent to Man in the Middle Attack, Experts Say ***
---------------------------------------------
LinkedIn’s release of its Intro app yesterday for Apple iOS mobile devices raised more than a few eyebrows for behaviors that are tantamount to a man-in-the-middle attack, experts said.
---------------------------------------------
http://threatpost.com/linkedin-intro-app-equivalent-to-man-in-the-middle-attack-experts/102683


*** Evasive Tactics: Terminator RAT ***
---------------------------------------------
FireEye Labs has been tracking a variety of APT threat actors that have been slightly changing their tools, techniques and procedures (TTPs) in order to evade network defenses. Earlier, we documented changes to Aumlib, the malware used in the attack...
---------------------------------------------
http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html


*** Cybercriminals release new commercially available Android/BlackBerry supporting mobile malware bot ***
---------------------------------------------
Thanks to the growing adoption of mobile banking, in combination with the utilization of mobile devices to conduct financial transactions, opportunistic cybercriminals are quickly capitalizing on this emerging market segment. Made evident by the release of Android/BlackBerry compatible mobile malware bots. This site is empowering potential cybercriminals with the necessary ‘know-how’ when it comes to ‘cashing out’ compromised accounts of E-banking victims who have...
---------------------------------------------
http://www.webroot.com/blog/2013/10/25/cybercriminals-release-new-commercially-available-androidblackberry-supporting-mobile-malware-bot/


*** OSX/Leverage.a Analysis ***
---------------------------------------------
A few days ago, a new OSX malware was detected in the wild. It looks like a picture and behaves like it when you click on it. Everything looks fine when the clicked picture is opened on the screen, but the malware also performs some other actions. After the first look, we saw that the malware copies itself to /Users/Shared/UserEvent.app with the ditto command, and creates a LaunchAgent to load itself when the computer starts with these shell commands: mkdir ~/Library/LaunchAgents echo 
---------------------------------------------
http://www.alienvault.com/open-threat-exchange/blog/osx-leveragea-analysis


*** PHP.net zur Verbreitung von Malware missbraucht ***
---------------------------------------------
Entgegen früherer Aussagen der Administratoren wurde die Projektseite von PHP doch Opfer eines Hackerangriffs. Zwei Server wurden gekapert und zur Verteilung von Schadcode eingesetzt.
---------------------------------------------
http://www.heise.de/security/meldung/PHP-net-zur-Verbreitung-von-Malware-missbraucht-1985687.html


*** ProSoft Technology RadioLinx ControlScape PRNG Vulnerability ***
---------------------------------------------
RadioLinx ControlScape is prone to a predictable random number generator weakness. Attackers can leverage this weakness to aid in brute-force attacks. Other attacks are also possible.
---------------------------------------------
http://www.securityfocus.com/bid/62238/
http://ics-cert.us-cert.gov/advisories/ICSA-13-248-01


*** Vuln: OpenStack Keystone Tokens Validation CVE-2013-4222 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/61725


*** Vuln: OpenStack Nova CVE-2013-4261 Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/62200


*** Vuln: OpenStack Nova CVE-2013-4278 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/62016


*** CA SiteMinder Input Validation Flaw Permits Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1029237


*** libvirt API Access Control Flaw Lets Remote Authenticated Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1029241


*** Vuln: GnuTLS CVE-2013-4466 libdane/dane.c Remote Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63326


*** Vuln: VICIDIAL manager_send.php CVE-2013-4468 Command Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/63288


*** Security Bulletin: Tivoli Netcool/OMNIbus Web GUI - IBM WebSphere Application Server PM44303 security bypass (CVE-2012-3325) and Hash denial of service (CVE-2011-4858) ***
---------------------------------------------
CVE-2012-3325: After installing an Interim Fix for PM44303 or a Fix Pack containing PM44303, there is a potential security exposure with IBM WebSphere Application Server. CVE-2011-4858: Potential Denial of Service (DoS) security exposure when using web-based applications due to Java HashTable implementation vulnerability.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_tivoli_netcool_omnibus_web_gui_ibm_websphere_application_server_pm44303_security_bypass_cve_2012_3325_and_hash_denial_of_service_cve_2011_4858?lang=en_us