Channel: BOT24

Microsoft Announces New Container Technologies for the Next Generation Cloud

In today’s cloud-first world, businesses increasingly rely on applications to fuel innovation and productivity. As the cloud evolves, containers are emerging as an attractive way for developers to quickly and efficiently build and deploy these applications at the speed of business. Offering developers and IT professionals the ability to deploy applications from a workstation to a server in mere seconds, containers are taking application development to a whole new level.

As developers look to expand the benefits of containers to a broader set of applications, new requirements are emerging. For example, heightened levels of trust may be required for enterprise systems or in hosted environments. Furthermore, developers often deploy into mixed operational environments where they may not have control of the platform where the application is deployed. Virtualization has historically provided a valuable level of isolation that enables these scenarios but there is now opportunity to blend the efficiency and density of the container model with the right level of isolation.

more here: http://blogs.technet.com/b/server-cloud/archive/2015/04/08/microsoft-announces-new-container-technologies-for-the-next-generation-cloud.aspx

Cobalt Strike 2.4 – A Pittance for Post-Exploitation (Video Included)

LG Split Screen Improves Usability and Reduces Security Drastically

Life is good (LG) is what you may say out loud when using LG stuff. Unfortunately, today I have to tell you that life is horrible. I recently upgraded to an ultra wide LG screen which comes with split screen software. While I am happy with the hardware, I am utterly disappointed how LG treats security. The TL;DR version is that instead of writing software properly, they just disable your security in order to make their software work.

more here: http://www.developerscouch.com/lg-split-screen-improves-usability-and-reduces-security-drastically/

THE UNOFFICIAL CHROME SHA1 DEPRECATION FAQ

AST-2015-003: TLS Certificate Common name NULL byte exploit

Asterisk Project Security Advisory - AST-2015-003

         Product        Asterisk
         Summary        TLS Certificate Common name NULL byte exploit
    Nature of Advisory  Man in the Middle Attack
      Susceptibility    Remote Authenticated Sessions
         Severity       Major
      Exploits Known    None
       Reported On      12 January, 2015
       Reported By      Maciej Szmigiero
        Posted On       March 04, 2015
     Last Updated On    April 8, 2015
     Advisory Contact   Jonathan Rose <jrose AT digium DOT com>
         CVE Name       CVE-2015-3008

    Description When Asterisk registers to a SIP TLS device and verifies the
                server, Asterisk will accept signed certificates that match a
                common name other than the one Asterisk is expecting if the
                signed certificate has a common name containing a null byte
                after the portion of the common name that Asterisk expected. For
                example, if Asterisk is trying to register to www.domain.com,
                Asterisk will accept certificates of the form
                www.domain.com\x00www.someotherdomain.com. For more information
                on this exploit, see
                https://fotisl.com/blog/2009/10/the-null-certificate-prefix-bug/

    Resolution  Asterisk has been patched to verify that the common name
                length of the certificate matches the common name that
                Asterisk actually reads. Asterisk will not accept
                certificates with common names that contain null bytes.
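The check the resolution describes, as an added illustration (not Asterisk's own code): a certificate's common name is a DER string whose length is declared in the encoding, while a C-string comparison stops at the first NUL byte. The patched behaviour rejects any CN where those two lengths disagree. The DER helpers below are simplified (short-form lengths only) and the sample CNs are constructed from the advisory's example.

```python
"""Common-name length check in the style of the AST-2015-003 fix.

Added illustration, not Asterisk's own code. The DER helpers handle only
short-form lengths; the sample CNs are constructed from the advisory's example.
"""

TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13


def encode_cn_tlv(value: bytes) -> bytes:
    """Build a DER UTF8String TLV for sample input (short-form length only)."""
    if len(value) >= 0x80:
        raise ValueError("sample helper supports short-form lengths only")
    return bytes([TAG_UTF8STRING, len(value)]) + value


def decode_cn_tlv(tlv: bytes) -> bytes:
    """Return the raw value of a DER UTF8String/PrintableString TLV, NUL bytes
    included. The declared length, not any terminator, says where it ends."""
    if len(tlv) < 2 or tlv[0] not in (TAG_UTF8STRING, TAG_PRINTABLESTRING):
        raise ValueError("not a DER UTF8String or PrintableString")
    length = tlv[1]
    if length & 0x80:
        raise ValueError("long-form length not supported in this sample")
    if len(tlv) != 2 + length:
        raise ValueError("TLV length does not match the data")
    return tlv[2:]


def c_string_length(value: bytes) -> int:
    """What strlen() would report for this buffer: it stops at the first NUL."""
    nul = value.find(b"\x00")
    return len(value) if nul < 0 else nul


def naive_cn_matches(cn_tlv: bytes, expected_host: str) -> bool:
    """Pre-fix behaviour: the CN is compared as a C string, so everything after
    an embedded NUL is invisible to the comparison."""
    value = decode_cn_tlv(cn_tlv)
    visible = value[:c_string_length(value)]
    return visible.decode("utf-8") == expected_host


def fixed_cn_matches(cn_tlv: bytes, expected_host: str) -> bool:
    """Patched behaviour: reject when the declared DER length and the C-string
    length disagree (the CN contains a NUL), then compare the whole value."""
    value = decode_cn_tlv(cn_tlv)
    if c_string_length(value) != len(value):
        return False
    return value.decode("utf-8") == expected_host


# Constructed sample CNs: the honest one and the advisory's NUL-prefix example.
HONEST_CN = encode_cn_tlv(b"www.domain.com")
NUL_PREFIX_CN = encode_cn_tlv(b"www.domain.com\x00www.someotherdomain.com")

if __name__ == "__main__":
    for label, tlv in (("honest", HONEST_CN), ("NUL-prefix", NUL_PREFIX_CN)):
        print(f"{label:10s} naive={naive_cn_matches(tlv, 'www.domain.com')} "
              f"fixed={fixed_cn_matches(tlv, 'www.domain.com')}")
```

Running the block shows the naive comparison accepting both CNs while the fixed one accepts only the honest certificate; the same length-versus-declared-length test generalises to any DER string attribute a verifier hands to C string functions.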

                               Affected Versions
          Product                   Release Series
    Asterisk Open Source            1.8.x            All versions
    Asterisk Open Source            11.x             All versions
    Asterisk Open Source            12.x             All versions
    Asterisk Open Source            13.x             All versions
    Certified Asterisk              1.8.28           All versions
    Certified Asterisk              11.6             All versions
    Certified Asterisk              13.1             All versions

                                  Corrected In
          Product                   Release
    Asterisk Open Source            1.8.32.3, 11.17.1, 12.8.2, 13.3.2
    Certified Asterisk              1.8.28-cert5, 11.6-cert11, 13.1-cert2

                                      Patches
    SVN URL                                                              Revision
    http://downloads.asterisk.org/pub/security/AST-2015-003-1.8.28.diff  Certified Asterisk 1.8.28
    http://downloads.asterisk.org/pub/security/AST-2015-003-11.6.diff    Certified Asterisk 11.6
    http://downloads.asterisk.org/pub/security/AST-2015-003-13.1.diff    Certified Asterisk 13.1
    http://downloads.asterisk.org/pub/security/AST-2015-003-1.8.diff     Asterisk 1.8
    http://downloads.asterisk.org/pub/security/AST-2015-003-11.diff      Asterisk 11
    http://downloads.asterisk.org/pub/security/AST-2015-003-12.diff      Asterisk 12
    http://downloads.asterisk.org/pub/security/AST-2015-003-13.diff      Asterisk 13

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-24847

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2015-003.pdf and
    http://downloads.digium.com/pub/security/AST-2015-003.html

                                Revision History
         Date          Editor                   Revisions Made
    19 March, 2015  Jonathan Rose  Initial creation of document
    08 April, 2015  Matt Jordan    Added CVE.

               Asterisk Project Security Advisory - AST-2015-003
              Copyright (c) 2015 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

TROOPERS15 Archive - Presentations

Phantom: Deadly Proxy Manipulating on iOS

FireEye mobile researchers discovered a security vulnerability affecting nearly all the apps using the network on iOS, including the system itself. Configuring the HTTP proxy to abnormal values triggers multiple use-after-free (UAF) issues in libsystem_network.dylib. This vulnerability can lead to several undesired security consequences, e.g. most networking apps will crash immediately, including system components; the system will respond sluggishly, and it is even unable to reboot successfully. We name this vulnerability Phantom, saluting the Ghost vulnerability in the GNU C library.

more here: https://www.fireeye.com/blog/threat-research/2015/04/phantom_deadly_prox.html

Nvidia NULL Pointer Vulnerability - CVE-2015-1137

The Yahoo Pentest Team discovered a NULL pointer dereference flaw (CVE-2015-1137) in the nVidia GeForce (nvAccelerator) kernel driver which ships with OS X Yosemite. This bug was discovered and verified on MacBook models using the GeForce driver version "10.2.1 310.41.15f01".

The crash occurs when the affected service is opened via userclient type 1 and memory type 4. A CALL instruction at the end of the basic block executes an attacker controlled function pointer at an offset from NULL.

more here: http://yahoo-security.tumblr.com/post/115874628495/nvidia-null-pointer-vulnerability-cve-2015-1137

Reversing Apple 80211

The 2nd Edition of MOXiI delves deep into a realm I totally ignored in the 1st Ed - that of Apple's private frameworks. Most of the "cool" functionality in both OS X and iOS is provided by private frameworks, and their number far outweighs the public ones (359 vs 126 in OS X). I'm hoping to provide a tour of the private frameworks in MOXiI2. While it's true that Apple won't allow any store apps to link with private frameworks (which they can easily verify via jtool -L or jtool -S | grep dlopen), it's still interesting - especially for an internals book, and may be useful for Cydia(iOS) or DMG (OSX) based apps. The 2nd Ed aims to provide a reference which - though far from complete - will provide an unprecedented level of detail on these frameworks.

One example of "cool" functionality is everything to do with WiFi. Apple's wifi stack is quite powerful, and provides lots of useful functionality, but most of it well hidden. Case in point - Relative Signal Strength Indicator (RSSI) values, which can enable you to get a better idea of where the force is strong with WiFi, and where it's not. You can get those by pressing alt (option) while clicking the WiFi status icon, or by using the airport command, which is buried deep in /System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport. That makes Apple80211 pretty interesting. Or does it?

more here: http://newosxbook.com/articles/11208ellpA.html

A New Shellshock Worm on the Loose

In a blog post from September last year, we described some of the early Shellshock activity we were seeing in the wild. Since then we have continued to observe periodic scanning, which has by and large not been particularly noteworthy. That remained the case until just a little bit ago. Starting late in the afternoon on April 8, 2015, the frequency and breadth of scanning observed by Volexity increased fairly dramatically. A closer look at the activity reveals that a worm (of sorts) has been set loose on the Internet looking for vulnerable hosts to exploit over HTTP.

more here: http://www.volexity.com/blog/?p=118

Apple patches a vulnerability in iOS 8.3 used by TaiG Jailbreak Team

Xen SMEP (and SMAP) bypass

In a previous blog post [1] I talked about my experience exploiting the SYSRET bug on Xen. I noted that I was able to bypass SMEP, but was leaving the information for a future blog post because I wanted to do some additional research -- I thought the technique I found might be something that also affects Linux, which it does.

While I was unaware of it at the time, the technique was published in mid-2014, and called ret2dir (as in return-to-direct-mapped-memory). While the ret2dir technique is publicly known, what follows is a walkthrough of how Xen’s direct mapped memory can be abused to bypass SMEP and SMAP, and how I used it in my exploit both to bypass SMEP and to simplify the data tunnel between dom0 and domU.

To my knowledge, leveraging ret2dir for exploitation against Xen has not previously been discussed publicly.

more here: https://www.nccgroup.trust/en/blog/2015/04/xen-smep-and-smap-bypass/

Electronic Voiceprints: The Crime Solving Power of Biometric Forensics

ESET Research: Operation Buhtrap

Late in 2014, we noticed and started to track an undocumented malicious campaign targeting Russian businesses, which has been active for well over a year. The malware used in this campaign is a mix of off-the-shelf tools, NSIS-packed malware and bespoke spyware that abuses Yandex's Punto software, a program for Russian users which silently and automatically changes the keyboard language depending on what the user is typing. Once the cybercriminals have compromised a computer, they use custom tools to analyze its content, install a backdoor and finally deploy a malicious module that spies on the system and can enumerate smart cards.
The campaign targets a wide range of Russian banks, uses several different code signing certificates and implements evasive methods to avoid detection.

more here: http://www.welivesecurity.com/2015/04/09/operation-buhtrap/

International Police Operation Targets Polymorphic Beebone Botnet

On 8 April, Europol's European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) joined forces with the Dutch authorities and the FBI, and U.S.-based representatives at the National Cyber Investigative Joint Task Force - International Cyber Crime Coordination Cell (IC4), along with private sector partners, to target the Beebone (also known as AAEH) botnet, a polymorphic downloader bot that installs various forms of malware on victims' computers. Initial figures show that over 12 000 computers have been infected; however, it is likely there are many more.

more here: https://www.europol.europa.eu/content/international-police-operation-targets-polymorphic-beebone-botnet

More Negative Press on NQ Vault - NQ Vault pseudo-cryptoapp also silently makes pictures of its user

Facebook’s Parse – DOM XSS

Hidden backdoor API to root privileges in Apple OS X

TL;DR

The Admin framework in Apple OS X contains a hidden backdoor API to root privileges. It’s been there for several years (at least since 2011), I found it in October 2014 and it can be exploited to escalate privileges to root from any user account in the system.

The intention was probably to serve the “System Preferences” app and systemsetup (command-line tool), but any user process can use the same functionality.

Apple has now released OS X 10.10.3 where the issue is resolved. OS X 10.9.x and older remain vulnerable, since Apple decided not to patch these versions. We recommend that all users upgrade to 10.10.3.

more here: https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/

SEC Consult SA-20150409-0 :: Multiple XSS & XSRF vulnerabilities in Comalatech Comala Workflows

SEC Consult Vulnerability Lab Security Advisory < 20150409-0 >
=======================================================================
              title: Multiple XSS & XSRF vulnerabilities
            product: Comalatech Comala Workflows
 vulnerable version: <= 4.6.1
      fixed version: 4.6.2 for Confluence 5.4+ and 4.5.4 for Confluence 4.3+
             impact: High
           homepage: https://marketplace.atlassian.com/plugins/com.comalatech.workflow
              found: 2015-02-16
                 by: J. Krautwald (Office Berlin)
                     M. Niederwieser (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor & product description:
-----------------------------
"Build your Confluence content your own way through Comala Workflows
approvals, tasks, notifications and workflows.
Set customized workflows to create, review, approve and publish your content.
Assign page reviewers
Create team tasks
Publish approved content
Manage your documentation stages
Use Comala Workflows for:
Quality Management, Standards Compliance, Technical Documentation,
Editorial Publishing"

Source: https://marketplace.atlassian.com/plugins/com.comalatech.workflow


Business recommendation:
------------------------
Comala Workflows suffers from multiple vulnerabilities due to improper input
and output validation. By exploiting these vulnerabilities an attacker could:
    1. Attack other users of the web application with JavaScript code,
       browser exploits or Trojan horses, or
    2. perform unauthorized actions in the name of another logged-in user.


Vulnerability overview/description:
-----------------------------------
1. Multiple cross-site scripting issues
Comala Workflows suffers from multiple reflected & stored cross-site
scripting vulnerabilities, which allow an attacker to steal other users'
sessions, to impersonate other users and to gain unauthorized access to
documents hosted in the Confluence instance where the Workflows module is
embedded.
There are many parameters which are not properly sanitized and thus are
vulnerable to XSS.

2. Cross-site request forgery vulnerabilities
Comala Workflows does not implement the use of shared secrets (tokens)
to prevent cross-site request forgery (XSRF) attacks.
If an attacker is able to lure a user into clicking a crafted link or
by embedding such a link within web pages (e.g. discussion forums) he
could manipulate data or automatically inject XSS payloads to attack
other users.


Proof of concept:
-----------------
1. Multiple cross-site scripting issues
a) The input parameters for giving a workflow a name, appending a label to a
given workflow, or adding a new task for a given state are not properly
sanitized and thus susceptible to reflected cross-site scripting. The
affected scripts alongside the vulnerable GET parameters are:
   Script                       GET Parameter(s)
   saveproperties.action        newLabelName, newWorkflowName
   newtask.action               taskName

When editing an existing workflow via the Markup functionality (accessible via
the workflowMarkup POST parameter of
/plugins/approvalsworkflow/saveworkflowmarkup.action) the attachment-macro is
also susceptible to reflected cross-site scripting.

b) When editing an existing workflow via the Markup functionality (accessible
via the workflowMarkup POST parameter of
/plugins/approvalsworkflow/saveworkflowmarkup.action) the workflow element
task does not sanitize the given input and is thus susceptible to
cross-site scripting. The application does not sanitize the given input before
printing it to the "Page Activity" popup which leads to the execution of the
permanently injected script. When assigning such a task to a co-worker, an
e-mail containing the actual payload is sent to the assigned person and when
opening the "My Comala Workflow Tasks", "Page Activity", or
"Page Activity Macro" page, it gets executed.

2. Cross-site request forgery vulnerabilities
The /plugins/approvalsworkflow/saveworkflowmarkup.action script for editing
an existing workflow via the Markup functionality, for example, is susceptible
to cross-site request forgery. If an attacker knows a valid project name
(key parameter) and the corresponding workflow name (workflowName parameter),
she might exploit this vulnerability to set the Markup code of the workflow
to an arbitrary value (e.g. an XSS payload via the task element, see 1. b)).
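The missing control the advisory points at (section 2) is a shared secret bound to the user's session that every state-changing request must carry. As an added illustration, not Comala Workflows' or Atlassian's code, the block below shows a synchronizer-token check in front of a hypothetical handler for the saveworkflowmarkup action. The handler name, the form field name "csrf_token" and the request shape are assumptions; the parameter names key, workflowName and workflowMarkup are the ones the advisory names.

```python
"""Session-bound CSRF token check of the kind the advisory says is missing.

Added illustration only; the handler, the "csrf_token" field and the request
shape are assumptions, not the product's API.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed server-side secret; a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Derive the token from the session id with an HMAC so it cannot be forged
    without the server key or replayed against another user's session."""
    return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: Optional[str],
                      key: bytes = SERVER_KEY) -> bool:
    """Constant-time comparison; a missing or empty token fails closed."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id, key), submitted)


def save_workflow_markup(session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Hypothetical state-changing handler guarded by the token check.
    Returns (HTTP status, message) instead of applying the markup."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    for required in ("key", "workflowName", "workflowMarkup"):
        if required not in form:
            return 400, f"missing parameter {required}"
    return 200, "workflow markup updated"


# Constructed requests: the in-app form carries the token issued for the
# victim's session; a form served from another origin has no way to obtain it.
LEGIT_SESSION = "session-abc"
LEGIT_FORM = {"key": "DOCS", "workflowName": "review",
              "workflowMarkup": "{workflow}",
              "csrf_token": issue_csrf_token(LEGIT_SESSION)}
CROSS_SITE_FORM = {"key": "DOCS", "workflowName": "review",
                   "workflowMarkup": "{workflow}"}

if __name__ == "__main__":
    print("in-app request:    ", save_workflow_markup(LEGIT_SESSION, LEGIT_FORM))
    print("cross-site request:", save_workflow_markup(LEGIT_SESSION, CROSS_SITE_FORM))
```

Because the token is bound to the session through the HMAC, a token captured from one user's page is useless against another user's session, and the check does not depend on the Referer header, which browsers and proxies frequently strip.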


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in up to and including
version 4.6.1.


Vendor contact timeline:
------------------------
2015-03-17: Contacted vendor through email
2015-03-18: Vendor confirmed vulnerabilities, offered workaround and said
            they would fix the vulnerabilities asap
2015-04-08: Vendor released updated versions and advisory
2015-04-09: Coordinated release of security advisory


Solution:
---------
Upgrade Comala Workflows to version 4.6.2 for Confluence 5.4+ or
upgrade Comala Workflows to version 4.5.4 for Confluence 4.3+

See the following advisory by the vendor for further information:
https://wiki.comalatech.com/display/CW/Comala+Workflows+Security+Advisory+2015-04-08


Workaround:
-----------
Disable the legacy attachment and embed macros feature.
Disable page workflows.
Edit workflows to prevent tasks being created (taskable param on states).
Disable workflow tasks.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF J. Krautwald / @2015

US- CERT: AAEH Botnet

National Cyber Awareness System:
04/09/2015 12:00 AM EDT

Original release date: April 09, 2015

Systems Affected

  • Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
  • Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012

Overview

AAEH is a family of polymorphic downloaders created with the primary purpose of downloading other malware, including password stealers, rootkits, fake antivirus, and ransomware.
The United States Department of Homeland Security (DHS), in collaboration with Europol, the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), released this Technical Alert to provide further information about the AAEH botnet, along with prevention and mitigation recommendations.

Description

AAEH is often propagated across networks, removable drives (USB/CD/DVD), and through ZIP and RAR archive files. Also known as VObfus, VBObfus, Beebone or Changeup, the polymorphic malware has the ability to change its form with every infection. AAEH is a polymorphic downloader with more than 2 million unique samples. Once installed, it morphs every few hours and rapidly spreads across the network. AAEH has been used to download other malware families, such as Zeus, Cryptolocker, ZeroAccess, and Cutwail.

Impact

A system infected with AAEH may be employed to distribute malicious software, harvest users' credentials for online services, including banking services, and extort money from users by encrypting key files and then demanding payment in order to return the files to a readable state. AAEH is capable of defeating anti-virus products by blocking connections to IP addresses associated with Internet security companies and by preventing anti-virus tools from running on infected machines. 

Solution

Users are recommended to take the following actions to remediate AAEH infections:
  • Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).
  • Change your passwords - Your original passwords may have been compromised during the infection, so you should change them (see Choosing and Protecting Passwords for more information).
  • Keep your operating system and application software up-to-date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).
  • Use anti-malware tools - Using a legitimate program that identifies and removes malware can help eliminate an infection.
Users can consider employing a remediation tool (examples below) that will help with the removal of AAEH from your system.
Note: AAEH blocks AV domain names thereby preventing infected users from being able to download remediation tools directly from an AV company. The links below will take you to the tools at the respective AV sites. In the event that the tools cannot be accessed or downloaded from the vendor site, the tools are accessible from Shadowserver (http://aaeh.shadowserver.org).
The below are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor.

References

Revision History

  • April 9, 2015: Initial Release