SANS Internet Storm Center - Cooperative Cyber Security Monitor
Last week I researched how to detect signed VBA code in Word .doc files.
Over the past few days, I collected a few samples of malicious MSI files. MSI files are Windows installer files that users can execute to install software on a Microsoft Windows system. Of course, you can replace “software” with “malware”. MSI files look less suspicious, and they could bypass simple filters based on file extensions like “(com|exe|dll|js|vbs|…)”. They also look less dangerous because they are Composite Document Files:
I will update this diary as additional bulletins are released. Microsoft marked Adobe's bulletin as "not yet exploited". However, according to Adobe and reports from the Korean CERT, one of the vulnerabilities has already been exploited, so I am marking it differently here and assigning it a "Patch Now" rating. Not much detail has been made public yet about this vulnerability, which is why I am leaving the "Disclosed" rating at "No".
I received a malicious RTF file with several stages (PowerShell commands), containing Gzip compressed shellcode.
One of my former students contacted me after reading my last diary entry "An autograph from the Dridex gang" with a question: how to detect Word documents with signed VBA code?
Reviewing the dashboards at the ISC today revealed an anomaly on port 2580. Over the last couple of days, the number of sources probing port 2580 has increased by nearly 600x from almost none historically.
Reader Wayne Smith submitted a PDF file attached to a malicious email.
SQL injections are my favorite vulnerabilities. Of course, every penetration tester loves them since they are (in most cases) critical; however, what I like about them is that there are so many ways to exploit even the apparently remote or unexploitable cases.