Dashboard Global

ASERT Security Intelligence

Summary: A critical vulnerability in bash, the command-line interpreter used on Linux and Mac OS X, has been disclosed. Because bash is present on servers, Macs and millions of poorly maintained Linux-based embedded devices such as home routers, some consider the vulnerability more significant than Heartbleed. It is wormable and is being actively exploited; administrators are encouraged to patch as soon as possible.

Updates for multiple Apple products were also released this week, including fixes for multiple security vulnerabilities. Although many OS X users may think their devices are not susceptible to attack, OS X systems are likely to be targeted more often as they become more prevalent.

Jimmy John's, the latest victim of point-of-sale attacks, has confirmed reports that it suffered a payment card breach between June and September of this year. The company states that the breach resulted from a compromise of its POS vendor.

In DDoS news, a Chinese toolkit ("Spike") has been compromising Linux and Windows devices to launch large-scale DDoS attacks. Beyond PCs and servers, Spike also compromises embedded and Internet of Things devices, including thermostats, to generate attack traffic.

Lastly, the jQuery website was compromised in a watering-hole attack last week. The attackers were likely targeting IT personnel and developers, who are frequently singled out because of their privileged accounts and access.
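As an added example (not part of the ASERT summary and not an Arbor tool), the POSIX shell script below does the two things a practitioner wants after reading the bash paragraph: it checks whether the local bash still executes code appended to an exported function definition, and it counts web-server log lines carrying the `() {` function prefix that the public exploits place in HTTP headers. Identifying the summary's bash bug with the vulnerability published as CVE-2014-6271 ("Shellshock") is my assumption, not something the page states; the log lines are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the ASERT page): a local bash check plus a web-log
# scan for the September 2014 bash function-import bug. The mapping to
# CVE-2014-6271 ("Shellshock") is this example's assumption; the page does
# not name the CVE. Written in POSIX sh so it runs even where bash is suspect.

# shellshock_check [path-to-bash]
# Exports a variable whose value looks like a bash function definition
# followed by extra code, then starts bash. A vulnerable bash executes the
# trailing code while importing the environment and prints "vulnerable"; a
# fixed bash either stops parsing after the function body or (after the later
# hardening) no longer treats a plain variable as a function at all, so only
# the harmless -c command runs.
# Prints one of: vulnerable | patched | no-bash
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>&1)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Constructed Apache combined-format log lines (not real traffic). Lines 1 and
# 3 carry the "() {" prefix in the User-Agent and Referer fields, which CGI
# handlers copy into HTTP_USER_AGENT / HTTP_REFERER before bash imports them;
# line 2 is an ordinary request.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/ping -c 1 198.51.100.9"
198.51.100.20 - - [25/Sep/2014:10:01:07 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 77 "() { :;}; echo vulnerable" "curl/7.30"'

# scan_log_for_shellshock <log-text>
# Prints the number of lines containing the function-definition prefix "() {"
# (any amount of whitespace between the parentheses and the brace). Keying on
# the prefix rather than the payload catches attempts whatever command follows.
scan_log_for_shellshock() {
    printf '%s\n' "$1" | grep -c '() *{' || true
}

# shellshock_hits <log-text>
# Prints the source address of each offending line, for triage.
shellshock_hits() {
    printf '%s\n' "$1" | grep '() *{' | awk '{print $1}' || true
}

# Run stand-alone:
echo "local bash: $(shellshock_check)"
echo "log lines with function prefix: $(scan_log_for_shellshock "$SAMPLE_LOG")"
echo "source addresses:"
shellshock_hits "$SAMPLE_LOG" | sort | uniq -c
```

The probe never writes to disk and runs the shell under test with a trivial command, so it is safe to run on production hosts; a result of `patched` only covers the original function-import bug, so still apply the vendor's current bash package, since the first fix was followed by further corrections.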


IETF Discusses Deprecating IPv6 Fragments

The IETF IPv6 maintenance working group has begun discussing the deprecation of IPv6 fragmented packets, spurred by the Internet-Draft “IPv6 Fragment Header Deprecated”. As one might guess, the draft has generated a lot of discussion. (Although the draft formally deprecates the IPv6 fragment header, deprecating the header would effectively deprecate IPv6 fragmented packets.)

As I noted in an earlier posting here, fragments in IPv6 can create havoc in networks from an operational and a security perspective, [...]
Wed, 10 Jul 2013 15:55:39 +0000

DirtJumper’s DDoS Engine Gets a Tune-Up with new “Drive” Variant

Over the last few months ASERT has been tracking what appears to be a new variant in the DirtJumper family, which we have dubbed “Drive” (for the history of the DirtJumper family see our previous posts [1] [2] [3]). Drive is written in Delphi and sports a new and much more powerful DDoS engine than its predecessors. It has also changed the format of attack commands [...]
Wed, 19 Jun 2013 15:44:26 +0000

The Revolution Will Be Written in Delphi

Since it has been a little while since we profiled a DDoS botnet family on the blog, let’s take a look at Trojan.BlackRev (also known as the “Black Revolution” trojan). It was named for the mutex set in early versions of the malware. This family is interesting from a research perspective because at least four revisions are in the wild, showing its progression from a basic DDoS bot to a more advanced one.

Rev | MD5 | C&C URL | C&C IP
1 | 06d8da1e14cff81ca2fad02d2a878c72 | http://userhaos.ru/113/bot/gate.php | 91.105.232.105
2 | c9c6aeacee9f973ca0ca5da101a12a16 | http://ergoholding.ru/rev/gate.php | 91.204.122.100
2.5 | 7141cacc3f4a191015a176947a403b79 | http://clfrev.ru/rev/panel/gate.php | 93.170.130.112
3 | eae553d72142f9dcb06c5c134015fe7a | http://ergoholding.ru/ddd/gate.php | 91.204.122.100

The programming language used is [...]
Tue, 21 May 2013 17:57:06 +0000

Syria goes dark, once more

Last week, Syria was taken offline, as our ATLAS data showcased very clearly.

Today, Syria is once again in the dark, as highlighted by the following ATLAS data below.

[ATLAS graph: Syria traffic, 15 May 2013]

We’re keeping an eye on the situation in Syria and will update this post with new information if and when it becomes available.


Wed, 15 May 2013 14:58:50 +0000

Syria taken offline

ATLAS is Arbor Networks’ Internet monitoring system. It is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (via Arbor equipment deployed on ISP networks), together with data from Arbor dark-address monitoring probes and from third-party and other data feeds. In total, ATLAS sees 42 Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing [...]
Wed, 08 May 2013 11:07:38 +0000


Top Attacks (past 24 hours)

Ordered by attacks per subnet:

Description | Attacks per subnet | Change from yesterday | CVE | Percentage
VNC network scanning activity | 123.79 | -65.6 % | | 23.5%
SNMP MS Windows getbulk request | 109.00 | +200.1 % | CVE-2006-5583 | 20.7%
Microsoft Windows IIS Server Translate Header attempt | 43.59 | +50.0 % | CVE-2000-0778 | 8.3%
DNS named version attempt | 39.77 | -21.0 % | | 7.5%
Setup.php access | 36.94 | +27.0 % | | 7.0%
 
Ordered by change from yesterday:

Description | Attacks per subnet | Change from yesterday | CVE | Percentage
SNMP MS Windows getbulk request | 109.00 | +200.1 % | CVE-2006-5583 | 20.7%
DROP Known Bot C&C Server Traffic (group 3) | 13.59 | +100.0 % | | 2.6%
MALWARE User Agent Containing http\:// - Suspicious - Likely Spyware/Trojan | 2.09 | +100.0 % | | 0.4%
RPC portmap mountd tcp request | 2.04 | +82.2 % | CVE-2006-0900 | 0.4%
RPC portmap mountd request TCP | 2.04 | +82.2 % | | 0.4%
 
Top Scanned Services (past 24 hours)

Ordered by traffic per subnet:

Description | Traffic per subnet | Change from yesterday | Latest CVE | Percentage
UDP/5060 (sip) | 173.53 kB | +6.7 % | CVE-2006-0189 | 14.2%
UDP/3395 (dyna-lm) | 114.10 kB | +42.0 % | | 9.3%
ICMP/8 (echo request) | 106.06 kB | +46.0 % | | 8.7%
UDP/514 (syslog) | 67.90 kB | +0.4 % | | 5.5%
UDP/4614 | 58.53 kB | +65.6 % | | 4.8%
 
Ordered by change from yesterday (+inf % means no traffic to that service was seen in the previous 24-hour window):

Description | Traffic per subnet | Change from yesterday | Latest CVE | Percentage
TCP/3389 (ms-wbt-server) | 25.26 kB | +inf % | CVE-2005-1218 | 2.1%
UDP/123 (ntp) | 19.45 kB | +inf % | CVE-2001-0414 | 1.6%
UDP/3393 (d2k-tapestry1) | 14.29 kB | +inf % | | 1.2%
UDP/4614 | 58.53 kB | +65.6 % | | 4.8%
ICMP/8 (echo request) | 106.06 kB | +46.0 % | | 8.7%
 
Top Threat Sources (past 24 hours)

Country | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS
US (United States) | 1 | 61 | 170.21 kB | 7 | 86123 | 4388
CA (Canada) | 2 | 14 | 39.85 kB | 2 | 26786 | 209
DE (Germany) | 3 | 7 | 25.61 kB | 6 | 19475 | 371
FR (France) | 4 | 2 | 2.14 kB | 8 | 11985 | 155
CN (China) | 5 | 86 | 175.05 kB | 4 | 5025 | 983
GB (Great Britain) | 6 | 2 | 18.50 kB | 2 | 8240 | 423
TR (Turkey) | 7 | 0 | 2.16 kB | 0 | 8328 | 167
NL (Netherlands) | 8 | 12 | 63.40 kB | 4 | 4543 | 457
RU (Russian Federation) | 9 | 116 | 59.29 kB | 6 | 3395 | 166
EU (European Union) | 10 | 4 | 4.65 kB | 1 | 5132 | 47
IT (Italy) | 11 | 1 | 4.64 kB | 1 | 4880 | 135
RO (Romania) | 12 | 40 | 22.34 kB | 0 | 4339 | 33
IR (Iran) | 13 | 0 | 147.25 kB | 0 | 398 | 42
PL (Poland) | 14 | 0 | 391.08 B | 1 | 4507 | 25
ZA (South Africa) | 15 | 12 | 125.72 kB | 0 | 684 | 66
CL (Chile) | 16 | 0 | 1.18 kB | 1 | 3919 | 33
KR (South Korea) | 17 | 4 | 6.99 kB | 3 | 1150 | 1272
BR (Brazil) | 18 | 2 | 3.31 kB | 0 | 2728 | 418
UA (Ukraine) | 19 | 10 | 2.31 kB | 0 | 2965 | 61
ID (Indonesia) | 20 | 0 | 909.33 B | 1 | 2768 | 71
 
ASN | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS
AS15169 (GOOGLE) | 1 | 0 | 0 B | 0 | 15248 | 240
AS24940 (HETZNER-AS) | 2 | 0 | 0 B | 0 | 13254 | 50
AS16276 (OVH) | 3 | 0 | 0 B | 3 | 8788 | 36
AS46606 (UNIFIEDLAYER-AS-1) | 4 | 0 | 0 B | 0 | 7408 | 0
AS26496 (AS-26496-GO-DADDY-COM-LLC) | 5 | 0 | 0 B | 0 | 5692 | 37
AS4134 (CHINANET-BACKBONE) | 6 | 55 | 91.42 kB | 0 | 2364 | 330
AS47583 (HOSTINGER-AS) | 7 | 0 | 0 B | 0 | 5384 | 0
AS53665 (BODIS-1) | 8 | 0 | 0 B | 0 | 4915 | 0
AS17054 (AS17054) | 9 | 0 | 0 B | 0 | 4170 | 0
AS36351 (SOFTLAYER) | 10 | 0 | 0 B | 0 | 3372 | 29
AS13768 (PEER1) | 11 | 0 | 0 B | 1 | 3346 | 0
AS14259 (Gtd) | 12 | 0 | 0 B | 1 | 2531 | 0
AS12824 (HOMEPL-AS) | 13 | 0 | 0 B | 0 | 2454 | 0
AS12880 (DCI-AS) | 14 | 0 | 85.73 kB | 0 | 0 | 0
AS26347 (DREAMHOST-AS) | 15 | 0 | 0 B | 0 | 2368 | 0
AS3741 (IS,ZA) | 16 | 10 | 79.46 kB | 0 | 0 | 0
AS32244 (LIQUID-WEB-INC) | 17 | 0 | 0 B | 0 | 2137 | 0
AS12322 (PROXAD) | 18 | 2 | 999.88 B | 5 | 2065 | 0
AS30496 (COLO4) | 19 | 0 | 0 B | 0 | 2016 | 0
AS4837 (CHINA169-BACKBONE) | 20 | 1 | 26.37 kB | 2 | 833 | 204