IP Addresses Triage
- Phase 1: collect information about the IP addresses
- Phase 2: analyze the gathered data and get interesting information
[>] Please enter a command: list gather
Shodan => Requests Shodan for information on provided IPs
GeoInfo => This script gathers geographical information about the loaded IP addresses
DShield => This module checks DShield for hits on loaded IPs
Whois => This module gathers whois information
FeedLists => This module checks IPs against potential threat lists
MyWOT => Requests MyWOT for domain reputation information on provided domains
VirusTotal => This module checks VirusTotal for hits on loaded IPs
All => Invokes all of the above IntelGathering modules

[>] Please enter a command: list analysis
TopNetBlocks => Returns the top "X" number of most seen whois CIDR netblocks
Keys => Returns IP Addresses with shared public keys (SSH, SSL)
FeedHits => Lists IPs being tracked in threat lists
DShield => Returns IP addresses with results in DShield
PortSearch => Returns the top "X" number of most used ports
TopPorts => Returns the top "X" number of most used ports
Country => Search for IPs by country of origin
MyWOTDomains => Parse mywot domain reputation results
GeoInfo => Analyzes IPs geographical/ISP information
Virustotal => Returns IP addresses with results in VirusTotal
All => Invokes all of the above Analysis modules

[>] Please enter a command: load ip.txt
[*] Loaded 5 systems
[>] Please enter a command: gather all
Querying Shodan for information about 120.27.31.143
Querying Shodan for information about 77.247.182.246
Querying Shodan for information about 193.169.52.214
Querying Shodan for information about 46.4.120.238
Querying Shodan for information about 101.200.0.122
Getting info on... 120.27.31.143
Getting info on... 77.247.182.246
Getting info on... 193.169.52.214
Getting info on... 46.4.120.238
Getting info on... 101.200.0.122
Information found on 120.27.31.143
Information found on 77.247.182.246
No information within DShield for 193.169.52.214
No information within DShield for 46.4.120.238
Information found on 101.200.0.122
Gathering whois information about 120.27.31.143
Gathering whois information about 77.247.182.246
Gathering whois information about 193.169.52.214
Gathering whois information about 46.4.120.238
Gathering whois information about 101.200.0.122
Grabbing list of TOR exit nodes..
Grabbing attacker IP list from the Animus project...
Grabbing EmergingThreats list...
Grabbing AlienVault reputation list...
Grabbing Blocklist.de info...
Grabbing DragonResearch's SSH list...
Grabbing DragonResearch's VNC list...
Grabbing NoThinkMalware list...
Grabbing NoThinkSSH list...
Grabbing Feodo list...
Grabbing antispam spam list...
Grabbing malc0de list...
Grabbing MalwareBytes list...
Information found on 120.27.31.143
Information found on 77.247.182.246
Information found on 193.169.52.214
Information found on 46.4.120.238
Information found on 101.200.0.122
[>] Please enter a command: save
State saved to disk at metadata03212016_150606.state

[>] Please enter a command: analyse dshield 10
**********************************************************************
IPs and Detected Counts
**********************************************************************
101.200.0.122: 832 count(s)
120.27.31.143: 596 count(s)
77.247.182.246: 186 count(s)
**********************************************************************
IPs and Attacked Targets
**********************************************************************
101.200.0.122: 270 target(s)
120.27.31.143: 119 target(s)
77.247.182.246: 7 target(s)
**********************************************************************
IPs and Detected Risk
**********************************************************************
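The analysis phase is where the value sits: once the gather phase has pulled Shodan, whois and feed-list data for each address, the interesting questions are which addresses appear on a threat list, which share a netblock, which expose the same ports, and which present the same SSH host key (the Keys module above; hosts that share a host key are usually run by the same operator, whatever their whois records say). The following is an added example, not code from the tool whose transcript appears above. It implements four of the listed analyses (FeedHits, TopNetBlocks, TopPorts, Keys) over per-IP records in a shape chosen for this example; the records, the feed lists and the SSH fingerprints are constructed sample data, and only the five IP addresses are taken from the transcript.

```python
"""Analysis-phase helpers for an IP triage run (added example).

Input is the kind of per-IP data a gather phase collects: open ports and
SSH host key fingerprints (Shodan), the whois netblock, and threat-list
membership. All records below are constructed sample data.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed per-IP gather results; the record shape is an assumption
# made for this example, not the tool's own state format.
GATHERED = {
    "120.27.31.143": {"cidr": "120.27.0.0/16", "ports": [22, 80, 3389],
                      "ssh_fp": "SHA256:aaaa"},
    "77.247.182.246": {"cidr": "77.247.182.0/24", "ports": [22, 443, 9001],
                       "ssh_fp": "SHA256:bbbb"},
    "193.169.52.214": {"cidr": "193.169.52.0/22", "ports": [80, 443],
                       "ssh_fp": None},
    "46.4.120.238": {"cidr": "46.4.0.0/16", "ports": [22, 25, 80],
                     "ssh_fp": "SHA256:aaaa"},
    "101.200.0.122": {"cidr": "101.200.0.0/15", "ports": [22, 3389, 8080],
                      "ssh_fp": "SHA256:cccc"},
}

# Constructed threat lists: feed name -> entries (single IPs or CIDRs).
FEEDS = {
    "tor_exit_nodes": ["77.247.182.246"],
    "ssh_bruteforce": ["120.27.31.143", "101.200.0.122", "46.4.120.238"],
    "malware_hosting": ["193.169.52.0/24"],
}


def _networks(entries):
    """Parse feed entries into ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def feed_hits(ips, feeds=FEEDS):
    """FeedHits: {ip: sorted feed names containing it}, only IPs with hits.

    CIDR entries are honoured, so a feed that lists a whole /24 matches
    any address inside it; feeds that publish ranges are common.
    """
    parsed = {name: _networks(entries) for name, entries in feeds.items()}
    hits = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        names = [n for n, nets in parsed.items()
                 if any(addr in net for net in nets)]
        if names:
            hits[ip] = sorted(names)
    return hits


def top_netblocks(ips, data=GATHERED, count=3):
    """TopNetBlocks: the `count` most frequent whois netblocks as (cidr, n)."""
    c = Counter(data[ip]["cidr"] for ip in ips if ip in data)
    return c.most_common(count)


def top_ports(ips, data=GATHERED, count=3):
    """TopPorts: the `count` most frequently open ports as (port, n)."""
    c = Counter(p for ip in ips if ip in data for p in data[ip]["ports"])
    return c.most_common(count)


def shared_keys(ips, data=GATHERED):
    """Keys: {fingerprint: [ips]} for SSH host keys seen on more than one IP.

    A shared host key means cloned images or one box behind several
    addresses, a useful pivot when the netblocks look unrelated.
    """
    by_fp = defaultdict(list)
    for ip in ips:
        fp = data.get(ip, {}).get("ssh_fp")
        if fp:
            by_fp[fp].append(ip)
    return {fp: sorted(v) for fp, v in by_fp.items() if len(v) > 1}


if __name__ == "__main__":
    loaded = list(GATHERED)
    print("FeedHits:", feed_hits(loaded))
    print("TopNetBlocks:", top_netblocks(loaded))
    print("TopPorts:", top_ports(loaded))
    print("Keys:", shared_keys(loaded))
```

Real feeds come in different formats (one IP per line, CSV with comment lines, CIDR ranges), so the only part of this worth generalising is the normalisation into `ip_network` objects; once every list is a set of networks, membership checks and the pivots above are the same regardless of source.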
Xavier Mertens
ISC Handler - Freelance Security Consultant
Apple Updates Everything (Again)
As part of today's product announcements, Apple released new operating systems across its different products. In addition to new features, these updates do address a number of security issues as well.
OS X Server 5.1 (for Yosemite 10.10.5)
This update improves the warnings shown when the administrator stores backups insecurely and removes the old RC4 SSL ciphers. Authentication bypass issues in the Wiki are also addressed.
Safari 9.1
The Safari update is available for OS X back to 10.9 (Mavericks). It fixes a total of 12 vulnerabilities, some of which can be used to execute arbitrary code.
OS X El Capitan 10.11.4 (Security Update 2016-002)
A total of 59 vulnerabilities are patched (I hope I counted them right). Here are some of the highlights:
Apple USB Networking (CVE-2016-1734): This vulnerability could lead to arbitrary code execution if a malicious USB device is connected to the computer.
Bluetooth (CVE-2016-1735, CVE-2016-1736): Bluetooth can be used to execute arbitrary code. It isn't clear (but likely) that you first need to pair with the device, which would mitigate the problem somewhat.
Messages (CVE-2016-1788): This vulnerability, which would allow the interception of iMessage messages, has gotten a lot of press in the last couple of days.
OpenSSH (CVE-2016-0777, CVE-2016-0778): The roaming vulnerability, which could leak the client's private key to a malicious server, is fixed in this patch.
Wi-Fi (CVE-2016-0801, CVE-2016-0802): A malicious Wi-Fi frame could be used to execute arbitrary code. Since this requires an unspecified ether type, I am assuming that the victim first has to associate with the network, but the advisory doesn't provide sufficient details to tell for sure.
Xcode 7.3
One vulnerability in otool (a tool to display object files) and two vulnerabilities in Subversion.
watchOS 2.2
A lot of overlap here with the OS X and Safari patches. Note that the Watch is also vulnerable to the Wi-Fi issues, but not the Bluetooth ones.
iOS 9.3
A total of 36 vulnerabilities, many of which are also patched for OS X. The Wi-Fi vulnerability applies to iOS just as it does to watchOS and OS X.
tvOS 9.2
Again, a lot of overlap with the other updates.
In short: patch...
For details from Apple, please refer to the usual security bulletin page: https://support.apple.com/en-us/HT201222
Why Users Fall For Ransomware
We got the following message from our reader Steven:
"Yesterday I received an email regarding "STEVEN, Notice to Appear in Court on March 28", which included a ZIP folder attached. I am actually scheduled to appear in court on March 28th, so I assumed it was legit. I scanned the ZIP folder with Avast, and it said there was no problem.
I un-zipped the folder and scanned the .doc.js file with Avast, and it said there was no problem. So I double clicked on the .doc.js file. Nothing happened. I then changed the file name, removing .js from the extension. I clicked on the file and it opened in Word. Upon seeing the mess of text letters, I became alarmed and then found your webpage: https://isc.sans.edu/forums/diary/Malicious+spam+with+zip+attachments+containing+js+files/20153/"
I think the message makes some important points: malicious spam does work. It just has to hit the right person. Just as Steven had a court appointment, others may be waiting for a shipping confirmation or for an airplane ticket they just booked. Attacks do not have to work every time, and even a relatively small success rate is still a "win" for the attacker.
In this case, I ran the script in a Windows 8.1 virtual machine. Windows Defender blocked it (the only anti-malware I have on the system). The JavaScript then, as expected, downloaded crypto-ransomware. The ransomware went ahead and renamed various files by adding the .crypted extension, and encrypted them.
Anti-virus coverage for the unzipped attachment was pretty decent according to VirusTotal. But it looks like Steven's copy of Avast let this sample slip past.
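The attachment worked because of the name: Windows hides known extensions by default, so a file called something.doc.js shows up as something.doc, while a double-click hands it to the Windows Script Host as JavaScript. That is cheap to catch before the mail reaches a user. The following is an added example, not part of this diary, of a mail-gateway style check that opens a ZIP attachment in memory and flags members whose final extension is something Windows will execute on double-click, with a stronger verdict when a document extension sits in front of it. The ZIP and its member names are constructed for the example; the real attachment's name is not on this page.

```python
"""Flag ZIP attachments whose members hide a script behind a document name.

Added example, not code from the diary. The ZIP scanned at the bottom is
constructed inline with dummy contents.
"""
import io
import zipfile

# Extensions Windows hands to a script host or loader on double-click.
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta",
                     "exe", "scr", "pif", "cmd", "bat", "ps1"}
# Extensions a user reads as a harmless document.
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "rtf"}


def classify_name(name):
    """Return (verdict, reason) for one file name.

    verdict is "block" or "allow". The directory part is dropped and the
    name lower-cased, so 'Mail/NOTICE.DOC.JS' is judged as 'notice.doc.js'.
    """
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[-1]:
        return "allow", "no extension"
    last = parts[-1]
    if last in SCRIPT_EXTENSIONS:
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
            # The classic lure: '.doc' shown to the user, '.js' run by Windows.
            return "block", f"script '.{last}' disguised as '.{parts[-2]}'"
        return "block", f"executable or script extension '.{last}'"
    return "allow", f"'.{last}' is not executed on double-click"


def scan_zip(data):
    """Scan raw ZIP bytes; return [(member, verdict, reason)] for each file."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict, reason = classify_name(info.filename)
            results.append((info.filename, verdict, reason))
    return results


def attachment_verdict(data):
    """'block' if any member is blocked, else 'allow'."""
    return "block" if any(v == "block" for _, v, _ in scan_zip(data)) else "allow"


def build_sample_zip():
    """Construct a ZIP shaped like the spam attachment (member names made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notice_to_Appear_00123.doc.js", "// downloader would be here\n")
        zf.writestr("readme.txt", "plain text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict, reason in scan_zip(build_sample_zip()):
        print(f"{verdict:5} {member}: {reason}")
```

The check deliberately keys on the last extension only, since that is the one Windows uses; a file named report.js.doc would open in Word and is not a script, so it is allowed. Nested archives and password-protected ZIPs (which the gateway cannot open) need their own policy and are outside this example.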
Doing a quick analysis of the PCAP, it looks like the actual malware was downloaded from
http://wambofantacalcio.it / counter/?ad=1N....[long string]&dc=[6 digit number]
Anti-virus coverage on the binary is mixed, with Symantec identifying it as Cryptolocker.