Monday, November 28, 2016

Cerber Spam: Tor All the Things!

This post authored by Nick Biasini and Edmund Brumaghin with contributions from Sean Baird and Andrew Windsor.

Executive Summary

Talos continuously analyzes email-based malware, watching how adversaries change their tactics and the new techniques they add on an almost constant basis. Recently we noticed a novel way in which adversaries are leveraging Google and Tor2Web proxies to spread a ransomware variant, Cerber 5.0.1.

This particular campaign looks to have started on November 24th and has been ongoing for the past several days. It did not use the more advanced techniques we sometimes see from adversaries, such as well-written, professional-looking emails with legitimate signature blocks or other identifying characteristics. In this campaign the emails were anything but professional. However, they did differ significantly from what we typically see in ransomware distribution.

Today, spam-based ransomware infections are heavily skewed toward Locky. The majority of the spam messages we see are produced by affiliates sending large volumes of mail that leverage various script-based file extensions to download the Locky executable and infect systems. This campaign looked different: the messages didn't contain an attachment and were extremely short and basic. What we found was a potential next evolution in ransomware distribution, one that relies more heavily on Tor to obfuscate the actors' activity and to hinder takedown of the servers hosting the malicious content.

Talos Responsible Disclosure Policy Update

Responsible disclosure of vulnerabilities is a key aspect of security research. Often, the difficulty in responsible disclosure is balancing competing interests - assisting a vendor with patching their product and notifying the general public to prevent a 0-day situation. It is uncomfortable to acknowledge that if a white hat team has discovered a vulnerability in a high value target, it stands to reason their adversaries may also be trying to exploit the same issue. Researchers must carefully balance the needs and capabilities of vendors to fix a product with the safety and security of our customers and the community as a whole.

Talos has been measuring the timelines, industry responsiveness, and end results with regard to our responsible disclosure policy and today, we are announcing a few changes. The full text of the Vendor Vulnerability Reporting and Disclosure Policy can be found here:

These changes include timeline adjustments based on vendor feedback and industry changes since we last addressed our Disclosure Policy.

Tuesday, November 22, 2016

Fareit Spam: Rocking Out to a New File Type

This post authored by Nick Biasini

Talos is constantly monitoring the threat landscape, including the email threat landscape. Lately this landscape has been dominated by Locky distribution. During a recent Locky vacation, Talos noticed an interesting shift in the file types being used to distribute another well-known malware family, Fareit.

We've discussed Fareit before: it's a trojan used to steal credentials and to distribute multiple other types of malware. The focus of this post is not Fareit itself but a new way attackers are distributing it via email. Locky has been a case study in how to leverage different file extensions in email to distribute malware; file types such as .js, .wsf, and .hta have all been used quite successfully for Locky. We've already noted other threats making use of .js for distribution, largely because of Locky's success. Recently we observed another uncommon file type arriving by email and decided to dig a little further into the infection chain.

Email Campaign

Thursday, November 17, 2016

Vulnerability Spotlight: Multiple File Parsing Bugs in HDF5 File Library Patched

These vulnerabilities were discovered by the Talos Vulnerability Development Team.

Today, Talos is disclosing the discovery of four vulnerabilities which have been identified in HDF5. HDF5 is a file format designed for the storage and organization of large amounts of scientific data and is used to exchange data between applications. In the GIS industry it is used via libraries such as GDAL and OGR, or as part of software like ArcGIS. HDF5 is maintained by The HDF Group, a non-profit organization with which Talos coordinated to ensure these vulnerabilities were disclosed in a responsible manner. These vulnerabilities were patched in the HDF5 1.8.18 release.

The following is a list of the vulnerabilities that have been identified and patched:

Vulnerability Details


A vulnerability exists because HDF5 fails to check that the number of dimensions read from the file for an array fits within the space allocated for that array. When elements are subsequently read from the file into the array, a heap-based buffer overflow occurs, potentially leading to arbitrary code execution in the context of the application using the library.


A buffer overflow vulnerability exists when the library is decoding data out of a dataset encoded with H5Z_NBIT. When calculating the precision of an encoded BCD number, the library will fail a bounds check leading the library to calculate an index outside the bounds of the space allocated for the BCD number. The library will then write outside the bounds of the buffer leading to a heap-based buffer overflow and possible code execution.
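The two bugs above share one root cause: a count or width field taken from the file is used to index or size a buffer without first being checked against what was actually allocated. The following C program is an added illustration of that pattern and is not HDF5 code; the record layouts (a one-byte rank followed by 32-bit little-endian dimensions, and a precision/offset byte pair for a 32-bit element) are simplified stand-ins for the real dataspace header and H5Z_NBIT parameters, and the sample headers are constructed for the example. The unchecked decoder is the shape of the flaw; the checked decoders show the bounds tests that close it.

```c
/* Added example, not HDF5 source: a file-supplied count (rank) and a
 * file-supplied bit range (precision/offset) validated before use.
 * Layouts are simplified stand-ins for the real HDF5 structures. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RANK  32   /* assumed cap on dimensions; HDF5's own limit is H5S_MAX_RANK */
#define ELEM_BITS 32   /* assumed width of the element an nbit field is unpacked into */

struct dataspace {
    uint8_t  rank;
    uint32_t dims[MAX_RANK];
};

/* nbit-style field descriptor: both values come straight from the file. */
struct nbit_param {
    uint8_t precision;  /* number of significant bits */
    uint8_t offset;     /* bit position of the field inside the element */
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* VULNERABLE: the rank byte is trusted. A header with rank 0xff makes the
 * loop write 255 entries into a 32-entry heap array (and read past buf). */
struct dataspace *decode_dataspace_unchecked(const uint8_t *buf, size_t len) {
    if (len < 1) return NULL;
    struct dataspace *ds = calloc(1, sizeof *ds);
    if (!ds) return NULL;
    ds->rank = buf[0];
    for (unsigned i = 0; i < ds->rank; i++)        /* no upper bound on rank */
        ds->dims[i] = rd_le32(buf + 1 + 4 * i);     /* heap overflow past dims[] */
    return ds;
}

/* HARDENED: the count is bounded against both the destination capacity and
 * the bytes actually present before a single element is copied. */
struct dataspace *decode_dataspace(const uint8_t *buf, size_t len) {
    if (len < 1) return NULL;
    uint8_t rank = buf[0];
    if (rank > MAX_RANK) return NULL;               /* would overrun dims[] */
    if ((size_t)rank * 4 > len - 1) return NULL;    /* would read past buf  */
    struct dataspace *ds = calloc(1, sizeof *ds);
    if (!ds) return NULL;
    ds->rank = rank;
    for (unsigned i = 0; i < rank; i++)
        ds->dims[i] = rd_le32(buf + 1 + 4 * i);
    return ds;
}

/* Returns 0 and fills *out when the pair addresses a field that lies entirely
 * inside an ELEM_BITS-bit element; -1 otherwise. The sum check is the one the
 * text describes as missing: offset alone and precision alone can each be in
 * range while offset + precision runs off the end of the element. */
int decode_nbit_param(const uint8_t *buf, size_t len, struct nbit_param *out) {
    if (len < 2) return -1;
    uint8_t precision = buf[0], offset = buf[1];
    if (precision == 0 || precision > ELEM_BITS) return -1;
    if (offset >= ELEM_BITS) return -1;
    if ((unsigned)offset + precision > ELEM_BITS) return -1;
    out->precision = precision;
    out->offset = offset;
    return 0;
}

/* Extracts the field; the shift and mask stay within 32 bits only because
 * decode_nbit_param already rejected out-of-range pairs. */
uint32_t nbit_unpack(uint32_t packed, const struct nbit_param *p) {
    uint32_t mask = (p->precision == 32) ? 0xffffffffu : ((1u << p->precision) - 1u);
    return (packed >> p->offset) & mask;
}

int main(void) {
    /* constructed headers */
    const uint8_t good[]     = {2, 3,0,0,0, 4,0,0,0};   /* rank 2, dims {3,4} */
    const uint8_t bad_rank[] = {0xff, 1,0,0,0};         /* rank 255 */
    const uint8_t nbit_ok[]  = {8, 4};                  /* 8 bits at offset 4 */
    const uint8_t nbit_bad[] = {16, 24};                /* 24 + 16 > 32 */
    struct nbit_param p;

    struct dataspace *ds = decode_dataspace(good, sizeof good);
    printf("good header: rank %u dims %u x %u\n", ds->rank, ds->dims[0], ds->dims[1]);
    free(ds);
    printf("rank 255 rejected: %s\n", decode_dataspace(bad_rank, sizeof bad_rank) ? "no" : "yes");
    /* decode_dataspace_unchecked(bad_rank, sizeof bad_rank) is the overflow;
     * under AddressSanitizer it reports a heap-buffer-overflow on dims[]. */
    printf("nbit {8,4} unpacks 0x00000ff0 to 0x%x\n",
           decode_nbit_param(nbit_ok, 2, &p) == 0 ? nbit_unpack(0x00000ff0u, &p) : 0);
    printf("nbit {16,24} rejected: %s\n", decode_nbit_param(nbit_bad, 2, &p) ? "yes" : "no");
    return 0;
}
```

Build with `-fsanitize=address` and swap the checked call in main for `decode_dataspace_unchecked` to watch the sanitizer flag the write past `dims[]`; the checked decoders return NULL or -1 on the same input and never touch the array.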


A vulnerability exists due to the library's failure to check if specific message types support a particular flag. When this flag is set, the library will cast the structure to an alternate structure and then assign to fields that aren't supported by the message type. The message type is not able to support this flag and the library will write outside the bounds of the heap buffer, which can lead to code execution.


This report details a heap-based buffer overflow which manifests in the H5O_dtype_decode_helper routine when parsing an HDF file. Due to inadequate handling of certain values in memory while the file is being parsed, an attacker who can get a user to open a specially crafted HDF file could exploit this flaw and achieve code execution in the context of the application using the library.

For the full details of each of these vulnerabilities, please visit our vulnerability reports here:


Talos has released rules that detect attempts to exploit these vulnerabilities to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or

Snort Rules: 40791-40794, 40801-40810

Tuesday, November 15, 2016

Crashing Stacks Without Squishing Bugs: Advanced Vulnerability Analysis

This post is authored by Marcin Noga with contributions by Holger Unterbrink


Crash triaging can be a long and complicated process; by using the proper tools and an optimal approach, we can make it easier and less time-consuming. In this post we describe a triaging strategy and toolset based on two examples of vulnerability classes:

  • Stack based buffer overflow
  • Heap based buffer overflow / Heap corruption

As examples we will use real vulnerabilities found by Marcin Noga of Talos earlier this year.

LexMark Perceptive Document Filters XLS Convert Code Execution Vulnerability
Lexmark Perceptive Document Filters CBFF Code Execution Vulnerability

The tools we intend to use:
  • Valgrind
  • Gdb
  • Peda
  • DUMA
  • IDA
  • RR debugger

Tuesday, November 8, 2016

Microsoft Patch Tuesday - November 2016

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. For a detailed explanation of each of the categories listed below, please go to

This month's release is packed full of goodies, but you don't want to wait to review them over Thanksgiving dinner as there are 14 unique bulletins addressing multiple vulnerabilities.

Critical bulletins address vulnerabilities in (alphabetically):

  • Adobe Flash Player
  • Edge
  • Graphics Component
  • Internet Explorer
  • Video Control
  • Windows

Thursday, November 3, 2016

Take the RIG Pill: Down the Rabbit Hole

This post is authored by Holger Unterbrink with contributions by Christopher Marczewski


Executive Summary

Talos monitors the big, notorious Exploit Kits (EKs) on an ongoing basis. Since Angler disappeared a few months ago, RIG is one EK that seems to be trying to fill the gap Angler left, and we see ongoing development of it. This report gives more details about the complex infection process the adversaries behind RIG use to infect their victims and how they attempt to bypass security software and devices.

The adversaries leverage gates (e.g. EITest) to redirect users toward their landing page. This leads to a chain of redirects before the victim finally arrives at the exploit kit's landing page. They use different methods and stages to deliver the malware files, and the same malware file often gets written and executed multiple times on the victim's PC. If one method doesn't work or is blocked by an anti-malware solution, they have a couple of backup methods. All stages and methods are obfuscated, some more, some less.

Wednesday, November 2, 2016

Vulnerability Spotlight: Windows 10 Remote Denial of Service

Vulnerability discovered by Piotr Bania of Cisco Talos.


Talos is releasing an advisory for a remote denial of service vulnerability in the Microsoft Windows 10 driver AHCACHE.SYS (TALOS-2016-0191 / CVE-2016-3369).
An attacker can craft a malicious portable executable file which, if accessed, causes AHCACHE.SYS to attempt to access out-of-scope memory. This triggers a bugcheck in the Windows kernel, crashing the system and denying service to the user. Although AHCACHE.SYS is a kernel driver (it handles the local application compatibility cache), exploiting this vulnerability does not allow the attacker to execute code or elevate privileges; the impact is limited to denial of service.