Dashboard Global

ASERT Security Intelligence

Summary: Several important updates were released this week. Oracle has released its Critical Patch Update, including a patch for multiple Java SE vulnerabilities. Meanwhile, Microsoft has provided an emergency patch to address fraudulent certificates issued last week that impersonated Google and Yahoo web services. Because such certificates can be used for malicious purposes such as spoofing content or conducting a man-in-the-middle attack, Abuse.ch has announced the creation of a new SSL blacklist to help identify bogus certificates. In malware activity news, the Gameover Zeus Trojan has resurfaced this week with a new active variant. This comes after the takedown of the original operation by law enforcement last month. While the variant has some differences, it appears that cybercriminals are still determined to use it despite the temporary disruption. Another malware campaign, dubbed “Zombie Zero”, has been detailed this week: a Chinese-based threat group has reportedly installed malware onto handheld scanners in the factory, delivering them directly to organizations. Also published this week was news of an advisory from the U.S. Secret Service cautioning users against hotel business centers. These machines are frequently targeted with keyloggers to capture sensitive data. Individuals should avoid using public computers to access any personal or proprietary information.


IETF Discusses Deprecating IPv6 Fragments

The IETF IPv6 maintenance working group has begun discussions about deprecating IPv6 fragmented packets, spurred by the IETF Internet-Draft “IPv6 Fragment Header Deprecated”. As one can guess, this draft has generated a lot of discussion (although the Internet-Draft discusses deprecating the IPv6 fragment header, deprecating the header would effectively deprecate IPv6 fragmented packets).

As I noted in an earlier posting here, fragments in IPv6 can create havoc in networks from an operational and a security perspective, [...]
Wed, 10 Jul 2013 15:55:39 +0000

DirtJumper’s DDoS Engine Gets a Tune-Up with new “Drive” Variant

Over the last few months ASERT has been tracking what appears to be a new variant in the DirtJumper family (for more information on the history of the DirtJumper family see our previous posts [1] [2] [3]) that we have dubbed “Drive.” Drive is written in Delphi and sports a new and much more powerful DDoS engine than its predecessors. It has also changed the format of attack commands [...]
Wed, 19 Jun 2013 15:44:26 +0000

The Revolution Will Be Written in Delphi

Since it has been a little while since we profiled a DDoS botnet family on the blog, let’s take a look at Trojan.BlackRev (also known as the “Black Revolution” trojan). It was named for the mutex set in early versions of the malware. This family is interesting from a research perspective because there are at least four revisions in the wild, showing its progression from a basic DDoS bot to a more advanced one.

Rev   MD5                               C&C URL                               C&C IP
1     06d8da1e14cff81ca2fad02d2a878c72  http://userhaos.ru/113/bot/gate.php   91.105.232.105
2     c9c6aeacee9f973ca0ca5da101a12a16  http://ergoholding.ru/rev/gate.php    91.204.122.100
2.5   7141cacc3f4a191015a176947a403b79  http://clfrev.ru/rev/panel/gate.php   93.170.130.112
3     eae553d72142f9dcb06c5c134015fe7a  http://ergoholding.ru/ddd/gate.php    91.204.122.100

The programming language used is [...]
Tue, 21 May 2013 17:57:06 +0000

Syria goes dark, once more

Last week, Syria was taken offline, as our ATLAS data showcased very clearly.

Today, Syria is once again in the dark, as highlighted by the following ATLAS data below.

[ATLAS traffic graph image: Syria051513]

We’re keeping an eye on the situation in Syria and will update this post with new information if and when it becomes available.


Wed, 15 May 2013 14:58:50 +0000

Syria taken offline

ATLAS is Arbor Networks’ innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (leveraging Arbor’s technology that sits on ISP networks), together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. In total, ATLAS is seeing 42 Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing [...]
Wed, 08 May 2013 11:07:38 +0000


01

Top Attacks (past 24 hours)

Description                                            Attacks per subnet   Change from yesterday   CVE             Percentage
VNC network scanning activity                          467.34               +46.4 %                                 40.3%
SSH brute-force login attempts                         215.12               +108.1 %                                18.6%
Setup.php access                                       97.69                +44.2 %                                 8.4%
DNS named version attempt                              70.67                -41.6 %                                 6.1%
Microsoft Windows IIS Server Translate Header attempt  59.08                +123.8 %                CVE-2000-0778   5.1%
 
Description                                            Attacks per subnet   Change from yesterday   CVE             Percentage
HTTP Proxy Request attempt                             56.38                +143.2 %                                4.9%
ping attempt                                           12.09                +126.2 %                                1.0%
Microsoft Windows IIS Server Translate Header attempt  59.08                +123.8 %                CVE-2000-0778   5.1%
SSH brute-force login attempts                         215.12               +108.1 %                                18.6%
 
02

Top Scanned Services (past 24 hours)

Description        Traffic per subnet   Change from yesterday   Latest CVE      Percentage
TCP/5900           166.86 kB            -11.2 %                 CVE-2006-4309   13.5%
UDP/5060 (sip)     148.82 kB            +76.8 %                 CVE-2006-0189   12.0%
TCP/22 (ssh)       76.18 kB             +87.9 %                 CVE-2002-0639   6.2%
ICMP/8             66.68 kB             -40.4 %                                 5.4%
TCP/23 (telnet)    64.94 kB             +12.8 %                 CVE-2007-0956   5.3%
 
Description        Traffic per subnet   Change from yesterday   Latest CVE      Percentage
TCP/443 (https)    22.78 kB             +inf %                  CVE-2007-5135   1.8%
TCP/22 (ssh)       76.18 kB             +87.9 %                 CVE-2002-0639   6.2%
UDP/5060 (sip)     148.82 kB            +76.8 %                 CVE-2006-0189   12.0%
TCP/25 (smtp)      34.79 kB             +48.9 %                 CVE-2008-0394   2.8%
ICMP/0             29.32 kB             +44.2 %                                 2.4%
 
03

Top Threat Sources (past 24 hours)

Country Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
US (United States) 1 150 232.33 kB 217 89442 3700
CA (Canada) 2 68 39.62 kB 54 27640 172
DE (Germany) 3 6 35.46 kB 97 19906 360
CN (China) 4 235 239.94 kB 7 5910 791
FR (France) 5 0 5.57 kB 50 13426 93
RU (Russian Federation) 6 29 47.27 kB 44 9874 190
GB (Great Britain) 7 61 17.44 kB 42 8763 418
TR (Turkey) 8 12 4.65 kB 11 8209 152
NL (Netherlands) 9 158 84.98 kB 47 4784 257
ZA (South Africa) 10 13 199.58 kB 2 627 31
KR (South Korea) 11 11 3.79 kB 5 3638 1110
PL (Poland) 12 21 14.43 kB 6 5361 13
IT (Italy) 13 0 580.65 B 14 5347 57
BR (Brazil) 14 12 17.51 kB 0 4071 338
MY (Malaysia) 15 0 973.79 B 0 2458 812
CL (Chile) 16 13 3.89 kB 3 3634 29
RO (Romania) 17 1 1.31 kB 5 3575 43
EU (European Union) 18 7 6.69 kB 7 3339 0
AU (Australia) 19 1 620.96 B 7 2943 248
ID (Indonesia) 20 7 2.41 kB 2 2926 181
 
ASN Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
AS15169 (GOOGLE) 1 0 0 B 0 17697 183
AS24940 (HETZNER-AS) 2 5 1.64 kB 26 13166 36
AS46606 (UNIFIEDLAYER-AS-1) 3 0 0 B 0 8172 0
AS16276 (OVH) 4 0 0 B 53 7021 41
AS4134 (CHINANET-BACKBONE) 5 160 131.58 kB 0 2161 193
AS26496 (AS-26496-GO-DADDY-COM-LLC) 6 0 0 B 0 6184 0
AS25532 (MASTERHOST-AS) 7 0 0 B 0 5606 0
AS12322 (PROXAD) 8 0 5.22 kB 10 3980 0
AS36351 (SOFTLAYER) 9 0 0 B 5 3472 335
AS47583 (HOSTINGER-AS) 10 0 0 B 0 3966 0
AS30496 (COLO4) 11 0 0 B 0 3654 0
AS26347 (DREAMHOST-AS) 12 0 0 B 0 3419 0
AS36024 (COLO4-CO) 13 0 0 B 0 3266 0
AS19318 (NJIIX-AS-1) 14 0 0 B 0 3182 0
AS16509 (AMAZON-02) 15 0 0 B 9 3010 46
AS12824 (HOMEPL-AS) 16 0 0 B 0 2874 0
AS6245 (NETWORK-SOLUTIONS) 17 0 0 B 0 2840 0
AS14259 (Gtd) 18 13 3.68 kB 0 2521 0
AS29073 (ECATEL-AS) 19 157 84.25 kB 0 0 0
AS3741 (IS,ZA) 20 12 86.51 kB 0 0 0