[CERT-daily] Daily summary - Wednesday 30-04-2014

Daily end-of-shift report team at cert.at
Wed Apr 30 18:08:42 CEST 2014


=======================
= End-of-Shift report =
=======================

Timeframe:   Tuesday 29-04-2014 18:00 - Wednesday 30-04-2014 18:00
Handler:     Robert Waldner
Co-Handler:  Alexander Riepl



*** PHP Callback Functions: Another Way to Hide Backdoors ***
---------------------------------------------
We often find new techniques employed by malware authors. Some are very interesting, others are pretty funny, and then there are those that really stump us in their creativity and effectiveness. This post is about the latter. Everyone who writes code in PHP knows what the eval() function is ..
---------------------------------------------
http://blog.sucuri.net/2014/04/php-callback-functions-another-way-to-hide-backdoors.html




*** [papers] - Introduction to Android Malware Analysis ***
---------------------------------------------
http://www.exploit-db.com/download_pdf/33093




*** Xen HVMOP_set_mem_type Page Transition Flaw Lets Local Users on the Guest System Cause Denial of Service Conditions on the Host System ***
---------------------------------------------
http://www.securitytracker.com/id/1030160




*** "Bypassing endpoint protections" @ BSides London ***
---------------------------------------------
This week I presented at BSides London. The talk is titled "Layers on layers: bypassing endpoint protection". The purpose of this talk is to reiterate on the (well-known) common weakness of most endpoint protection products - their reliance on kernel integrity. Once the attacker achieves arbitrary code execution in the kernel, there ..
---------------------------------------------
http://labs.bromium.com/2014/04/29/bypassing-endpoint-protections-bsides-london/




*** Cisco WebEx Meetings Server Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2186




*** Be on the Lookout: Odd DNS Traffic, Possible C&C Traffic, (Wed, Apr 30th) ***
---------------------------------------------
We got an email from one of our readers, including an interesting port 53 packet. While Wireshark and TCPDump try to decode it as DNS, it is almost certainly not DNS. The payload of the packet is ..
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=18047&rss




*** Mozilla Thunderbird Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Conduct Cross-Site Scripting Attacks and Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1030165




*** Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Conduct Cross-Site Scripting Attacks and Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1030163




*** [2014-04-30] SQL injection and XSS vulnerabilities in Typo3 si_bibtex extension ***
---------------------------------------------
By exploiting the SQL injection vulnerability in the Typo3 extension "si_bibtex", an attacker is able to gain full access to the Typo3 database. Depending on the location where the extension is used in the web application, this may be possible by an unauthenticated attacker. Furthermore, it is affected by persistent XSS.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140430-0_Typo3_si_bibtex_extension_SQL_injection_and_XSS_vulnerabilities_v10.txt




*** Symantec Encryption Desktop (PGP) Memory Access Flaws Let Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1030170




*** Friends don't let friends use Internet Explorer - advice from US, UK, EU ***
---------------------------------------------
IE 6 to 11 at risk of hijacking, patch coming - but not for XP.
Microsoft has warned of a new security flaw in all versions of its Internet Explorer web browser for Windows PCs. A patch has yet to be released for the crocked code.
---------------------------------------------
http://www.theregister.co.uk/2014/04/27/oops_we_did_it_again_microsoft_warns_of_ie_zero_day/




*** Botnet for altcoin mining exploits flaw in Nagios monitoring ***
---------------------------------------------
A recently published vulnerability in the network monitor Nagios is apparently already being exploited. Well over 1000 servers distributed worldwide are affected and are being abused for mining purposes.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Botnetz-fuer-Altcoin-Mining-nutzt-Luecke-in-Nagios-Ueberwachung-aus-2180129.html




*** New ransomware Trojan encrypts with RSA-2048 ***
---------------------------------------------
Reports are piling up of infected Windows systems on which a malicious program encrypts files and releases them only against payment of a ransom of 500 euros. The ransom is to be paid in Bitcoins via Tor.
---------------------------------------------
http://www.heise.de/security/meldung/Neuer-Erpressungs-Trojaner-verschluesselt-mit-RSA-2048-2180482.html




*** Protection strategies for the Security Advisory 2963983 IE 0day ***
---------------------------------------------
We've received a number of customer inquiries about the workaround steps documented in Security Advisory 2963983 published on Saturday evening. We hope this blog post answers those questions. Steps you can take to stay safe The security advisory lists several options customers can take to stay safe. Those options are ..
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/04/30/protection-strategies-for-the-security-advisory-2963983-ie-0day.aspx




*** Six infosec tips I learned from Game of Thrones ***
---------------------------------------------
In Westeros - the land of dark knights, backstabbing royals, dragons, wildlings, wargs, red witches, and White Walkers - even the youngest ones have to learn basic self-defense if they're to have any hope of surviving the cruel fictional world imagined by A Game of Thrones (GOT) author, George R. R. Martin. And so, too, must every CISO and security pro learn the latest information security best practices if they're to survive today's Internet threat landscape.
---------------------------------------------
http://www.net-security.org/article.php?id=2001&p=1
