News reader

SANS · 14 minutes 42 seconds

VirusTotal Email Submissions, (Sun, Dec 15th)

I think it's a good idea to highlight VirusTotal's Email Submission feature, as I recently had to point this out to a couple of people.

Instead of using VirusTotal's web interface or API, one can also send an email to scan@virustotal.com with the file to be scanned attached (don't exceed 32MB) and subject SCAN (requesting a plaintext report) or SCAN+XML (requesting an XML report).

I usually get a reply after a couple of minutes. If I don't get a reply, it usually means that my attachment was detected and blocked by the email server I'm using, and that it never reached VirusTotal.
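As an added illustration (not code from the diary or from VirusTotal), the following builds the scan request email exactly as described above: file attached, subject SCAN or SCAN+XML, and the 32MB limit enforced before anything is sent. The sender address and sample bytes are constructed placeholders.

```python
# Added example: build a VirusTotal email-submission message (scan@virustotal.com).
# The sender address and the sample content are constructed placeholders.
from email.message import EmailMessage
import mimetypes
import smtplib

VT_SCAN_ADDRESS = "scan@virustotal.com"
MAX_ATTACHMENT_BYTES = 32 * 1024 * 1024   # 32MB limit mentioned in the diary


def build_scan_email(sample: bytes, filename: str, sender: str,
                     xml_report: bool = False) -> EmailMessage:
    """Return the request email; raise ValueError if the attachment is too large."""
    if len(sample) > MAX_ATTACHMENT_BYTES:
        raise ValueError(f"{filename} is {len(sample)} bytes; "
                         f"VirusTotal accepts at most {MAX_ATTACHMENT_BYTES}")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = VT_SCAN_ADDRESS
    # Subject selects the report format: SCAN (plaintext) or SCAN+XML (XML).
    msg["Subject"] = "SCAN+XML" if xml_report else "SCAN"
    msg.set_content("Please scan the attached file.")
    ctype, _ = mimetypes.guess_type(filename)
    maintype, subtype = (ctype or "application/octet-stream").split("/", 1)
    msg.add_attachment(sample, maintype=maintype, subtype=subtype, filename=filename)
    return msg


def send_scan_email(msg: EmailMessage, host: str, port: int = 587,
                    user: str = "", password: str = "") -> None:
    """Submit via an SMTP relay (hypothetical relay settings supplied by the caller).
    If no report arrives after a few minutes, check whether your own outbound
    mail filtering quarantined the attachment before it reached VirusTotal."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls()
        if user:
            smtp.login(user, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed sample bytes; replace with the real file contents.
    request = build_scan_email(b"MZ\x90\x00constructed-sample", "sample.bin",
                               "analyst@example.com", xml_report=True)
    print(request["Subject"], request["To"])
```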


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
SANS · 14 December 2019

(Lazy) Sunday Maldoc Analysis: A Bit More ..., (Sat, Dec 14th)

At the end of my diary entry "(Lazy) Sunday Maldoc Analysis", I wrote that there was something unusual about this document.

Let's take a look at the content of the file and compare that with the file size:

A rough estimate: the total size of the streams is about 120 kB, while the file size is around 10 MB. That's a huge difference!

In such cases, I take a look with olemap:

Here I can see that there is extra data appended to the file (position 0x25400) and it's about 10 MB in size.

Extracting the appended data and calculating some statistics gives me:

This tells me there's about 10 MB of 0x00 bytes appended.

Was this done by the malware authors? Or did it happen later, during transmission or storage?

I don't know.

Maybe it was done to bypass scanning, for example when there is a size-limit for files to be scanned. Just speculating ...
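As an added example (not the diary's own tooling), here is how one can quantify the appended data once olemap has reported where the last stream ends (0x25400 in this case): size of the tail, fraction of 0x00 bytes, entropy and the length of the trailing zero run, plus a simple check for whether the padding dominates the file size. The sample file is constructed inline.

```python
# Added example: statistics for data appended after the last OLE stream.
# The sample bytes and the 50% threshold are constructed assumptions.
from collections import Counter
import math


def trailing_zero_run(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the very end of data."""
    return len(data) - len(data.rstrip(b"\x00"))


def appended_stats(data: bytes, end_of_streams: int) -> dict:
    """Describe the bytes after end_of_streams (the offset olemap reports)."""
    tail = data[end_of_streams:]
    n = len(tail)
    counts = Counter(tail)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0
    return {
        "appended_bytes": n,
        "zero_fraction": counts.get(0, 0) / n if n else 0.0,
        "entropy": entropy,                      # 0.0 means a single repeated byte
        "most_common": counts.most_common(1)[0][0] if n else None,
        "trailing_zero_run": trailing_zero_run(tail),
    }


def looks_like_size_padding(data: bytes, end_of_streams: int,
                            threshold: float = 0.5) -> bool:
    """True when zero padding makes up more than `threshold` of the whole file,
    the pattern one would expect if the goal were to exceed a scanner's size limit."""
    stats = appended_stats(data, end_of_streams)
    return stats["trailing_zero_run"] > threshold * len(data)


# Constructed sample: an OLE magic, 1 kB of varied content, then 10,000 null bytes.
SAMPLE = b"\xd0\xcf\x11\xe0" + bytes(range(256)) * 4 + b"\x00" * 10000
SAMPLE_END_OF_STREAMS = 4 + 256 * 4

if __name__ == "__main__":
    for k, v in appended_stats(SAMPLE, SAMPLE_END_OF_STREAMS).items():
        print(f"{k}: {v}")
    print("padding dominates file:", looks_like_size_padding(SAMPLE, SAMPLE_END_OF_STREAMS))
```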

Please post a comment if you have an idea.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Linux security Advisories · 14 December 2019

Debian: DSA-4584-1: spamassassin security update

Two vulnerabilities were discovered in spamassassin, a Perl-based spam filter using text analysis. CVE-2018-11805
Linux security Advisories · 14 December 2019

Debian LTS: DLA-2034-1: davical security update

Multiple cross-site scripting and cross-site request forgery issues were discovered in the DAViCal CalDAV Server.
NVD: all CVE · 14 December 2019

CVE-2019-5252

There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
NVD: all CVE · 14 December 2019

CVE-2019-5235

Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
Linux security Advisories · 14 December 2019

Debian LTS: DLA-2033-1: php-horde security update

A vulnerability has been found in php-horde, the Horde Application Framework, which may result in information disclosure via cross-site scripting.
NVD: all CVE · 14 December 2019

CVE-2019-5264

There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition. Successful exploit could cause information disclosure.
NVD: all CVE · 14 December 2019

CVE-2019-5277

Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
NVD: all CVE · 14 December 2019

CVE-2019-5254

Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board may send crafted messages from the internal network port or tamper with inter-process message packets to exploit this vulnerability. Due to insufficient validation of the message, successful exploit may cause the affected board to be abnormal.
NVD: all CVE · 14 December 2019

CVE-2019-5255

Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have a DoS vulnerability. An attacker may send crafted messages from a FTP client to exploit this vulnerability. Due to insufficient validation of the message, successful exploit may cause the system out-of-bounds read and result in a denial of service condition of the affected service.
NVD: all CVE · 14 December 2019

CVE-2019-5256

Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have a null pointer dereference vulnerability. The system dereferences a pointer that it expects to be valid, but is NULL. A local attacker could exploit this vulnerability by sending crafted parameters. A successful exploit could cause a denial of service and the process reboot.
NVD: all CVE · 14 December 2019

CVE-2019-5257

Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace) have a resource management vulnerability. An attacker who logs in to the board may send crafted messages from the internal network.
NVD: all CVE · 14 December 2019

CVE-2019-5258

Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have a buffer overflow vulnerability. An attacker who logs in to the board may send crafted messages from the internal network port or tamper with inter-process message packets to exploit this vulnerability. Due to insufficient validation of the message, successful exploit may cause the affected board to be abnormal.
Sophos virus alerts · 14 December 2019

Troj/Mimikatz-M

Sophos virus alerts · 14 December 2019

Troj/Mimikatz-K

Sophos virus alerts · 14 December 2019

Troj/Mimikatz-I

Sophos virus alerts · 14 December 2019

Troj/Mimikatz-G

Sophos virus alerts · 14 December 2019

Troj/Mimikatz-F

Sophos virus alerts · 14 December 2019

Troj/Agent-BDFH