(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Sometime within the past month, Rig exploit kit (EK) changed URL structure.

Notice the PHPSSESID and ?req= patterns in the above example.

Now, we don't see the PHPSSESID and ?req= patterns. Let's take a closer look at the more recent example of Rig EK.

The data is gzip compressed, so you have to extract the file to see what it looks like.

Finally, the exploit kit sends the malware payload. It

A copy of the decrypted malware payload can be found at: https://malwr.com/analysis/NzIwYjgwYTcyODhiNGUwNGIxOTRjMzllNjkwMGViMzc/

The malware payload didn't

Keep in mind malware payloads differ among the criminal organizations that rent these exploit kits, and the payload can also change from day-to-day.

I haven't heard too much yet about this recent change in URL patterns for Rig EK, but it's certainly happening.

Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic


Researchers have uncovered an ongoing espionage campaign that uses custom-developed malware to siphon confidential data out of energy companies around the world.

Trojan.Laziok, as the malware has been dubbed, acts as a reconnaissance tool that scours infected computers for data including machine name, installed software, RAM size, hard disk size, GPU details, CPU details, and installed antivirus software, according to a blog post published Monday by researchers from security firm Symantec. The attackers then use the data to decide how to infect the computer with additional malware, including versions of Backdoor.Cyberat and Trojan.Zbot that are tailored for a specific compromised computer.

"The detailed information enables the attacker to make crucial decisions about how to proceed further with the attack, or to halt the attack," Symantec researcher Christian Tripputi wrote. "During the course of our research, we found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected."


[SECURITY] [DSA 3210-1] wireshark security update
The National Institute of Standards and Technology (NIST) is soliciting applications for funding pilot privacy-enhancing technologies that embrace and advance the National Strategy for Trusted Identities in Cyberspace. NSTIC seeks to ...

The massive denial-of-service attacks that have intermittently shut down GitHub for more than five days are the work of hackers with control over China's Internet backbone, according to two technical reports published Tuesday that build a strong case that government authorities are at least indirectly responsible.

GitHub officials have said the torrent of junk data pummeling their servers is the biggest they have ever seen. As previously reported, the two GitHub pages are constantly loaded and reloaded by millions of computer users inside and outside of China, an endless loop that, left unmitigated, caused outages not just on the two targeted pages but throughout GitHub's entire network. Exhibit A in the case that China is involved is the choice of the two GitHub pages targeted: one hosts anti-censorship service GreatFire.org while the other hosts a mirror site of The New York Times' Chinese edition. The targets suggest the attackers are sympathetic to the vast censorship apparatus known as the Great Firewall of China.

Now researchers have unearthed additional evidence implicating China that goes beyond motive. Specifically, the computers hammering GitHub servers are all running a piece of malicious code that surreptitiously makes them soldiers in a massive DDoS army. The JavaScript gets silently injected into the traffic of sites that use an analytics service that China-based search engine Baidu makes available so website operators can track visitor statistics. About one percent of people visiting such sites don't receive the true Baidu analytics JavaScript but instead get code that forces their browser to constantly reload the two targeted GitHub pages.


[ MDVSA-2015:186 ] phpmyadmin
[ MDVSA-2015:185 ] dokuwiki

Survey: Security Pros Have 'Critical' Concerns About Infosec
Dark Reading
“Digital transformation means data center transformation and change is hard, especially when it comes to Information security,” said Demetrios “Laz” Lazarikos, two-time former CISO, former PCI QSA, and Founder of Blue Lava Consulting. “From the results ...
Third Annual Information Security Survey Finds Major Concerns Among Security ... (Marketwired, press release)

[security bulletin] HPSBGN03270 rev.1 - HP Operations Analytics, Remote Execution of Code
[SECURITY] [DSA 3209-1] openldap security update
[security bulletin] HPSBHF03271 rev.1 - HP PCs and Workstations Running Windows 7 with NVidia Graphics Driver, Elevation of Privileges
Internet Storm Center Infocon Status