Member Since 18 May 2004

Posts I've Made

In Topic: SPAM frauds, fakes, and other MALWARE deliveries...

Today, 09:26 AM


Fake 'scanned from' SPAM - delivers Ransomware
- https://myonlinesecu...opier-messages/
23 Nov 2017 - "... It is almost as if they have timed the new version to spam out on Thanksgiving day in USA, where the AV companies and security teams are off on their long weekend holiday... downloaders from the Necurs botnet... an email with the subject of 'scanned from (printer or scanner name)' pretending to come from copier@ your own email address or company domain... definitely ransomware but doesn’t look like Locky. The ransom note is very different. These all have -blank- email bodies with just an attachment and the subject...
Update I am being told it is Scarab Ransomware... The new ransom note is called 'IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT'... The subjects in this vary but are all copier or scanner related:
    Scanned from Lexmark
    Scanned from HP
    Scanned from Canon
    Scanned from Epson

P_rek.zip: Extracts to: image2017-11-22-5864621.vbs - Current Virus total detections 4/57*. Hybrid Analysis**
| Anyrun Beta[3] | Joesecurity[4] |
This downloads from (in this example, there will be -dozens- of other download sites)
 http ://pamplonarecados .com/JHgd476? (VirusTotal 8/66[5])
One of the  emails looks like:
From: copier@ victimsdomain .com
Date: Thu 23/11/2017 06:28
Subject: Scanned from HP
Attachment: image2017-11-23-4360760.7z
Body content:


The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1511423196/

** https://www.hybrid-a...vironmentId=100
3] https://app.any.run/...c6-8aead1ea33a8

4] https://jbxcloud.joe...s/445266/1/html

5] https://www.virustot...sis/1511422910/

pamplonarecados .com: https://www.virustot...79/information/
> https://www.virustot...f655f/analysis/

:ninja: :ninja:    :grrr:

In Topic: MS Security Updates - Nov 2017

Yesterday, 12:01 PM


November 21, 2017—KB4055038
- https://support.micr...-2017-kb4055038
Nov 21, 2017 - "Summary: This update addresses an issue that prevents some Epson SIDM (Dot Matrix) and TM (POS) printers from printing on x86-based and x64-based systems..."
Last Review: Nov 21, 2017 - Rev: 9
Applies to:
Windows 8.1, Windows 7 Service Pack 1, Windows Server 2012 Standard, Windows Server 2012 R2 Standard, Windows Server 2008 R2 Service Pack 1

November 14, 2017—KB4048957 (Monthly Rollup)
- https://support.micr...pdate-kb4048957
"... After installing this update, some Epson SIDM (Dot Matrix) and TM (POS) printers cannot print on x86 and x64-based systems. This issue has been resolved in KB4055038."
Last Review: Nov 22, 2017 - Rev: 24
Applies to:
Windows Server 2008 R2 Standard, Windows 7 Service Pack 1

> See: "Known issues in this update..."


November 14, 2017—KB4048954
(OS Build 15063.726 and 15063.728)
Windows 10 Version 1703
- https://support.micr...pdate-kb4048954
Last Review: Nov 22, 2017 - Rev: 31
Applies to:
Windows 10, Windows 10 Version 1703

> See: "Known issues in this update..."

DDEAuto Attacks Could Leave You at Risk
- https://windowssecre...ve-you-at-risk/
Nov 21, 2017 - "Office has long been used as a means to infiltrate our systems, a means by which attackers get into our systems. Every month Office is patched for remote code execution attacks.
Microsoft patches what vulnerabilities it can. Take the November Office updates that fixed issues with older obsolete components in Office 2016 that impacted ODBC drivers. But as pointed out in this research blog post*, mitigation in addition to patching is probably wise.
* https://embedi.com/b...idnt-know-about
The view that mitigation may be better than patching is reinforced with the disclosure of another Office vulnerability that won’t be patched. It can’t be patched, as it impacts functionality of your system. You have to make the determination of how much at risk you want to be. Called the DDEAuto attack**, it allows the execution of malicious code on an email without the use of attachments or macros. These macro-less attacks have been used in various attacks[3], such as the Vortex ransomware and Hancitor malware campaigns.
** https://community.so...kb/en-us/127711
3] https://www.endgame....-cause-analysis
In the example noted in the Sophos blog, an attack can come in the form of a calendar invite instead of an email. The attachment is in the form of a RTF – or rich text format – and is often not in the form of a traditional attachment. So what can one do if you want to protect yourself from these attacks? Stop opening emails? Don’t open Excel or Word documents? An admirable protection scheme but not realistic to most computer users — and especially not to small businesses.
Defining DDE
Microsoft has long built into its Office products the means to exchange data between applications and other platforms. Dynamic Data Exchange or DDE is one such method."

:ninja: :ninja:

In Topic: MS Security Updates - Nov 2017

20 November 2017 - 04:03 PM


Windows ASLR Vulnerability
> https://www.us-cert....R-Vulnerability
Nov 20, 2017 - "... released information on a vulnerability in Windows Address Space Layout Randomization (ASLR) that affects Windows 8, Windows 8.1, and Windows 10. A remote attacker could exploit this vulnerability to take control of an affected system..."

Windows 8 and later fail to properly randomize every application if system-wide mandatory ASLR is enabled via EMET or Windows Defender Exploit Guard
- https://www.kb.cert.org/vuls/id/817544
19 Nov 2017 - "Overview: Microsoft Windows 8 introduced a change in how system-wide mandatory ASLR is implemented. This change requires system-wide bottom-up ASLR to be enabled for mandatory ASLR to receive entropy. Tools that enable system-wide ASLR without also setting bottom-up ASLR will fail to properly randomize executables that do not opt in to ASLR.
Description: Address Space Layout Randomization (ASLR)
Starting with Windows Vista, a feature called ASLR was introduced to Windows that helps prevent code-reuse attacks. By loading executable modules at non-predictable addresses, Windows can help to mitigate attacks that rely on code being at predictable locations. Return-oriented programming (ROP) is an exploit technique that relies on code that is loaded to a predictable or discoverable location. One weakness with the implementation of ASLR is that it requires that the code is linked with the /DYNAMICBASE flag to opt in to ASLR.
Mandatory ASLR and Windows 8: Both EMET and Windows Defender Exploit Guard can enable mandatory ASLR for code that isn't linked with the /DYNAMICBASE flag. This can be done on a per-application or system-wide basis. Before Windows 8, system-wide mandatory ASLR was implemented using the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages registry value. By setting this value to 0xFFFFFFFF, Windows will automatically relocate code that has a relocation table, and the new location of the code will be different across reboots of the same system or between different systems. Starting with Windows 8, system-wide mandatory ASLR is implemented differently than with prior versions of Windows. With Windows 8 and newer, system-wide mandatory ASLR is implemented via the HKLM\System\CurrentControlSet\Control\Session Manager\Kernel\MitigationOptions binary registry value. The other change introduced with Windows 8 is that system-wide ASLR must have system-wide bottom-up ASLR enabled to supply entropy to mandatory ASLR.
The Problem: Both EMET and Windows Defender Exploit Guard enable system-wide ASLR without also enabling system-wide bottom-up ASLR. Although Windows Defender Exploit Guard does have a system-wide option for system-wide bottom-up ASLR, the default GUI value of "On by default" does not reflect the underlying registry value (unset). This causes programs without /DYNAMICBASE to get relocated, but without any entropy. The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems.
Impact: Windows 8 and newer systems that have system-wide ASLR enabled via EMET or Windows Defender Exploit Guard will have non-DYNAMICBASE applications relocated to a predictable location, thus voiding any benefit of mandatory ASLR. This can make exploitation of some classes of vulnerabilities easier.
Solution: The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workaround:
Enable system-wide bottom-up ASLR on systems that have system-wide mandatory ASLR
To enable both bottom-up ASLR and mandatory ASLR on a system-wide basis on a Windows 8 or newer system, the following registry value should be imported:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]

Note that importing this registry value will overwrite any existing system-wide mitigations specified by this registry value. The bottom-up ASLR setting specifically is the second 01 in the binary string, while the mandatory ASLR setting is the first 01. Also note that in the past, enabling system-wide mandatory ASLR could cause problems if older AMD/ATI video card drivers are in use. This issue was addressed in the Catalyst 12.6 drivers released in June, 2012."

> https://www.kb.cert.org/vuls/id/458153

> https://support.amd.com/en-us/download

> https://www.bleeping...res-how-to-fix/
Nov 17, 2017 - "... Optionally, Bleeping Computer has created an ASLR-fix registry fix file that users only need to download and double-click."
> https://download.ble...eg/ASLR-fix.reg

:ninja: :ninja: :ninja:
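As an added example (not code from the post, CERT/CC or Bleeping Computer), this Python decoder reads a Kernel\MitigationOptions value as exported in a .reg file and flags the VU#817544 condition: mandatory ASLR on without bottom-up ASLR. The bit positions are the Windows SDK PROCESS_CREATION_MITIGATION_POLICY_* constants, which match the "first 01 / second 01" description in the quoted note; the two sample .reg lines are constructed, not copied from any real system.

```python
import re

# Two-bit "always on / always off" fields in MitigationOptions (Windows SDK
# PROCESS_CREATION_MITIGATION_POLICY_* values). The REG_BINARY bytes are
# little-endian, so FORCE_RELOCATE_IMAGES (mandatory ASLR) sits in byte 1 and
# BOTTOM_UP_ASLR in byte 2 of the exported hex string.
FORCE_RELOCATE_IMAGES_ALWAYS_ON = 0x00000100
FORCE_RELOCATE_IMAGES_ALWAYS_OFF = 0x00000200
BOTTOM_UP_ASLR_ALWAYS_ON = 0x00010000
BOTTOM_UP_ASLR_ALWAYS_OFF = 0x00020000


def parse_reg_hex(line: str) -> int:
    """Turn a .reg line such as '"MitigationOptions"=hex:00,01,01,00,...'
    into an integer. Handles 'hex(3):' typed values and ',\\' continuations."""
    m = re.search(r'hex(?:\(\d+\))?:([0-9a-fA-F,\s\\]+)', line)
    if not m:
        raise ValueError("no hex: payload found in line")
    raw = re.sub(r'[\s\\,]', '', m.group(1))   # strip spaces, backslashes, commas
    return int.from_bytes(bytes.fromhex(raw), 'little')


def aslr_state(value: int) -> dict:
    """Decode the two ASLR-related fields and report the VU#817544 condition."""
    mandatory = bool(value & FORCE_RELOCATE_IMAGES_ALWAYS_ON)
    bottom_up = bool(value & BOTTOM_UP_ASLR_ALWAYS_ON)
    return {
        "mandatory_aslr": mandatory,
        "bottom_up_aslr": bottom_up,
        # Images are relocated but to the same address every boot: no entropy.
        "relocated_without_entropy": mandatory and not bottom_up,
    }


# Constructed samples: mandatory ASLR alone (the misconfiguration the note
# describes) versus mandatory plus bottom-up ASLR (the shape of the workaround).
MANDATORY_ONLY = '"MitigationOptions"=hex:00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00'
WITH_BOTTOM_UP = '"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00'

if __name__ == "__main__":
    for label, line in (("mandatory only", MANDATORY_ONLY), ("with bottom-up", WITH_BOTTOM_UP)):
        print(label, aslr_state(parse_reg_hex(line)))
```

Running it on a real export (reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" out.reg) lets an administrator confirm the second byte is set before trusting system-wide mandatory ASLR.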

In Topic: cPanel advisories/updates

20 November 2017 - 03:50 PM


cPanel TSR-2017-0006 Announcement
- https://news.cpanel....6-announcement/
Nov 20, 2017 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv3 scores ranging from 2.0 to 8.8.
Information on cPanel’s security ratings is available at:
- https://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience...
RELEASES: The following cPanel & WHM versions address all known vulnerabilities:
68.0.15 & Greater
66.0.34 & Greater
64.0.42 & Greater
62.0.35 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at:
- http://httpupdate.cpanel.net
SECURITY ISSUE INFORMATION: The cPanel Security Team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time. Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 23 vulnerabilities in cPanel & WHM software versions 68, 66, 64, and 62. Additional information is scheduled for release on November 21, 2017.
For information on cPanel & WHM Versions and the Release Process, read our documentation at:
- https://go.cpanel.net/versionformat

cPanel TSR-2017-0006 Full Disclosure
- https://news.cpanel....ull-disclosure/
Nov 21, 2017

:ninja: :ninja:

In Topic: MS Security Updates - Nov 2017

17 November 2017 - 12:50 PM


Patch alert...
... Patch Tuesday problems roll out, with a new acknowledgment from Microsoft about a dot matrix printer bug, continued reports of Win10 1703-to-1709 upgrades, one unconfirmed report of a forced 1607-to-1709 upgrade, and a memory violation error with CDPUserSvc...
> https://www.computer...s-continue.html
Nov 17, 2017

> https://www.askwoody...h-tuesday-crop/
Nov 17, 2017

> https://www.ghacks.n...r-2017-updates/
Nov 17, 2017

... Nov patch bugs... see the URLs above...

i.e.: Nov 14, 2017—KB4048957 (Monthly Rollup)
> https://support.micr...pdate-kb4048957
"... After installing this update, some Epson SIDM and Dot Matrix printers cannot print on x86 and x64-based systems.
Microsoft and Epson have determined the cause of the issue and are working on a solution. This problem is not related to the printer driver, so installing current or older print drivers will not resolve the issue.
Microsoft will provide an update in an upcoming release."
Article ID: 4048957 - Last Review: Nov 17, 2017 - Rev: 19
Applies to: Windows Server 2008 R2 Standard, Windows 7 Service Pack 1

:ninja: :ninja: :ninja:
