Team CYMRU's Malware Hash Registry
Team Cymru has a new look-up service that launched recently.
The Malware Hash Registry (MHR) service allows you to query their
database of many millions of unique malware samples using the computed
MD5 or SHA-1 hash of a file. If the file is malware that they know
about, they return the last time they saw it along with an approximate
anti-virus detection percentage.
THERE IS NO COST FOR NON-COMMERCIAL USE OF THIS TOOL. ACCESS IS
PUBLICLY AVAILABLE TO ANYONE.
Upon submission of a malware hash, the output of the command will return
a date the sample was first seen as well as the detection rate they've
seen using up to 30 AV packages. The detection rate is based on the
first time they scanned the sample.
Queries, including reasonable bulk queries, may be made using the
command line only.
The MHR complements an anti-virus (AV) strategy by helping to identify
unknown or suspicious files that Team Cymru has already identified as
malicious. This enables you to take action earlier than you would
otherwise be able to.
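As an added example (not code from the diary or from Team Cymru), the Python below computes a file's MD5, builds the MHR lookup name and parses the answer into a verdict. The DNS zone name and the "epoch percent" answer format are assumptions taken from the MHR documentation rather than from this page, and the resolver is injected so the constructed sample runs offline.

```python
import hashlib
import re
from datetime import datetime, timezone

# Assumptions (from Team Cymru's MHR documentation, not from this page): a lookup is a
# DNS TXT query for "<hash>.malware.hash.cymru.com"; a listed hash answers
# "<last_seen_unix_epoch> <detection_percent>", an unlisted hash is NXDOMAIN.
MHR_ZONE = "malware.hash.cymru.com"
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40})$")  # MD5 or SHA-1 only


def digest_of(data: bytes, algo: str = "md5") -> str:
    """Hex digest of a whole file's bytes; MHR is keyed on MD5 or SHA-1."""
    return hashlib.new(algo, data).hexdigest()


def mhr_query_name(digest: str) -> str:
    """Build the DNS name for one digest, rejecting anything that is not MD5/SHA-1."""
    digest = digest.strip().lower()
    if not HEX_DIGEST.match(digest):
        raise ValueError("expected a 32-hex MD5 or 40-hex SHA-1 digest")
    return f"{digest}.{MHR_ZONE}"


def parse_mhr_txt(txt):
    """Parse the TXT answer into (last_seen UTC datetime, detection %); None = not listed."""
    if txt is None:
        return None
    fields = txt.strip().strip('"').split()
    if len(fields) != 2 or not all(f.isdigit() for f in fields):
        raise ValueError(f"unexpected MHR answer: {txt!r}")
    epoch, pct = int(fields[0]), int(fields[1])
    if not 0 <= pct <= 100:
        raise ValueError(f"detection percentage out of range: {pct}")
    return datetime.fromtimestamp(epoch, tz=timezone.utc), pct


def check_file_bytes(data: bytes, resolve_txt, min_pct: int = 0) -> dict:
    """Hash, look up via resolve_txt(name) -> TXT string or None, and decide.
    resolve_txt is injected (real resolver or canned table); min_pct ignores weak hits."""
    md5 = digest_of(data, "md5")
    hit = parse_mhr_txt(resolve_txt(mhr_query_name(md5)))
    if hit is None:
        return {"md5": md5, "listed": False}
    last_seen, pct = hit
    return {"md5": md5, "listed": True, "last_seen": last_seen.isoformat(),
            "detection_pct": pct, "flag": pct >= min_pct}


# Constructed stand-in for the live service (made-up answer, not a real MHR record).
SAMPLE_ANSWERS = {mhr_query_name(hashlib.md5(b"constructed sample").hexdigest()): "1229731200 47"}


def canned_resolver(name):
    return SAMPLE_ANSWERS.get(name)  # None plays the role of NXDOMAIN
```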
Full details including command syntax and procedures can be found at
<http://www.team-cymru.org/Services/MHR/>.
This is one of several new (free) data sets and services they are
currently providing to the community; if you haven't visited their
recently revamped site, please do so for details of the extensive work
they do for the security community as well as further advice, data and
tips to help you make your networks more secure:
<http://www.team-cymru.org/Services>
If you want to use this as an IDS-like tool, Seth Hall from osu.edu has
released this Bro script to the public:
http://github.com/sethhall/bro_scripts/tree/e9bdb2f6afce6c809e3434de33723639d3d43ca3/md5_hash_malware/http-cymru-malware-hash.bro
If you need to know which virus is being detected, you could use a
service like VirusTotal with an MD5 hash lookup. Just go to
http://www.virustotal.com/buscaHash.html and enter the checksum
(MD5, SHA-1 or SHA-256) into the search bar.
VirusTotal.com and cymru.com are not related, so they won't have all
the same hashes, but there should be pretty good cross-service hash matching.
UPDATE
Seth Hall wrote in and advised us that he has put up a short wiki page about installing the necessary support for using his changes: http://github.com/sethhall/bro_scripts/wikis/the-malware-hash-registry-and-bro-ids
Internet Explorer 960714 is released
The Microsoft Security Bulletin MS08-078 - Critical
Security Update for Internet Explorer (960714) is available now. We covered this issue in several recent diaries:
http://isc.sans.org/diary.html?storyid=5497
http://isc.sans.org/diary.html?storyid=5479
http://isc.sans.org/diary.html?storyid=5458
http://isc.sans.org/diary.html?storyid=5464
http://isc.sans.org/diary.html?storyid=5503
Here is the link to the advisory:
http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx
As previously noted, this is a critical update for IE 5.0.1, IE 6,
IE 6 SP1, IE 7 and IE 8 Beta 2. It is being exploited in the wild and is being distributed via SQL injection.
So get your patches ASAP.
UPDATE
Just in case it wasn't obvious to everyone, ChrisM wrote in and reminded us that:
"The emergency IE patch that came out today (MS08-078), DOES NOT replace the IE security patch that came out earlier this month (MS08-073). Both of these patches have to be installed to make IE "secure"."
Opera 9.6.3 released with security fixes
Is this browser patch day?
We have a patch coming out for IE today:
http://isc.sans.org/diary.html?storyid=5506
Firefox released an upgrade yesterday that addressed several security issues:
http://isc.sans.org/diary.html?storyid=5506
Opera has released a new version to address security issues:
http://www.opera.com/docs/changelogs/windows/963/
Opera 9.63 was just released. It addresses the following security issues:
Manipulating text input contents can allow execution of arbitrary code, as reported by Red XIII.
HTML parsing flaw can cause Opera to execute arbitrary code, as reported by Alexios Fakos.
Long hostnames in file: URLs can cause execution of arbitrary code, as reported by Vitaly McLain.
Script injection in feed preview can reveal contents of unrelated news feeds, as reported by David Bloom.
Built-in XSLT templates can allow cross-site scripting, as reported by Robert Swiecki of the Google Security Team.
Fixed an issue that could reveal random data, as reported by Matthew of Hispasec Sistemas.
SVG images embedded using <img> tags can no longer execute Java or plugin content, suggested by Chris Evans.
Firefox 3.0.5 fixes several security issues.
Firefox 3.0.5 has been released with several security fixes.
Fixed in Firefox 3.0.5:
MFSA 2008-69 XSS vulnerabilities in SessionStore
MFSA 2008-68 XSS and JavaScript privilege escalation
MFSA 2008-67 Escaped null characters ignored by CSS parser
MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
MFSA 2008-65 Cross-domain data theft via script redirect error message
MFSA 2008-64 XMLHttpRequest 302 response disclosure
MFSA 2008-63 User tracking via XUL persist attribute
MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
Thanks to John and Roseman for bringing this to our attention.