Oracle Releases Security Bulletin

Original release date: October 18, 2016

Oracle has released its Critical Patch Update for October 2016 to address 247 vulnerabilities across multiple products. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review the Oracle October 2016 Critical Patch Update and apply the necessary updates.

Password-Protected Attachment Serves Ransomware

Attacks by macro malware carrying ransomware are growing, as we have recently reported. Since early March we have seen macro malware using high-obfuscation algorithms to hide itself from static and traditional antimalware detection techniques. Macro malware continues to evolve and use new tricks to evade detection. In addition to these evasion techniques, McAfee Labs researchers have witnessed a new variant of macro malware. This version uses the password given in the email to open the malicious Word document. Password protection makes it harder to extract and scan the attachment for malicious code.

McAfee Labs has previously blogged about macro malware using high-obfuscation algorithms and several other layers of evasion to avoid detection. Previous variants have used evasion tricks such as virtual machine awareness, sandbox awareness, and others. The infection process follows this path:

[Figure 1]

Looking at the email body, we can see that the attached document file has a random name with a .dot extension, and that the password needed to open it is supplied in the message. The email used in this spam run looks like the following snippet:

[Figure 2]

[Figure 3]

Once the user provides the password to open the document, it prompts the user to “enable editing and enable content to read content.” If a user clicks “enable content,” macros will be enabled and will drop a malicious VBScript with a random name in %appdata%. We checked the hash on VirusTotal. This file has recently been submitted from several countries.

[Figure 4]

Both the macro and the dropped VBScript are highly obfuscated. Once deobfuscated, the VBScript downloads an encrypted payload with the file extension .jop, which it then decrypts with a simple XOR operation. At first glance, it is difficult to guess the intentions of this VBScript; after further deobfuscation we found more readable strings. The obfuscated VBScript looks like this:

[Figure 5]
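The post says the .jop payload is unlocked with a simple XOR but does not give the key. The following is an added analyst-side example, not McAfee's script and not the malware's own routine: it assumes a short repeating byte key and recovers it from the many 0x00 bytes in a PE header (in each key-position stripe, the most common ciphertext byte is the key byte), then validates the guess against the MZ magic and DOS-stub string. The sample "payload" is a constructed PE skeleton.

```python
"""Recover the key of an XOR-encrypted .jop payload (added example, not McAfee's code).
Assumes a short repeating byte key; uses the 0x00-heavy PE header as known plaintext."""
from collections import Counter
from typing import Optional

DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def candidate_key(blob: bytes, key_len: int) -> bytes:
    """Guess key byte i as the most frequent byte among positions i, i+k, i+2k, ..."""
    return bytes(Counter(blob[i::key_len]).most_common(1)[0][0] for i in range(key_len))


def recover_key(blob: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Try key lengths 1..max_key_len; accept the first whose plaintext looks like a PE."""
    for key_len in range(1, min(max_key_len, len(blob)) + 1):
        key = candidate_key(blob, key_len)
        plain = xor_bytes(blob, key)
        if plain.startswith(b"MZ") and DOS_STUB in plain:
            return key
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for a decrypted payload: an MZ/DOS-stub skeleton, not a real binary."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew: offset of the PE header
    buf[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    # Stand-in for a captured .jop file: the constructed PE encrypted with a 3-byte key.
    blob = xor_bytes(build_sample_pe(), b"\x5a\xa3\x17")
    key = recover_key(blob)
    print("recovered key:", key.hex() if key else None)
```

On a real sample, read the .jop bytes from disk in place of `blob`; if no key length up to 16 validates, the scheme is not a plain repeating XOR and the VBScript's decryption routine needs closer inspection.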

The obfuscation algorithm is not the same every time. For this variant we deobfuscated the content using a small Python script.

[Figure 6]

After deobfuscating, we found more readable strings—notably the malicious URLs that download the payloads. Different URLs may be present in different VBScripts. Currently these URLs are inactive.

[Figure 7]

Malware authors use various techniques to delay the execution of suspicious functionality for a certain time. Sandbox systems generally monitor execution for a limited period and, in the absence of malicious activity, classify a program as legitimate. Attackers use techniques such as onset delay, stalling code, and extended sleep calls to postpone execution in sandbox environments. This variant delays execution by running cmd.exe with the parameter “ping 8.8.8.8 -n 250 > nul,” which pings the Google DNS server 250 times and discards the output.

[Figure 8]
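A defender can turn the ping-as-timer trick into a process-creation detection. The following is an added example, not McAfee's code: it parses constructed log records in a simple `ts|ParentImage|Image|CommandLine` format (assumed here; adapt the split to your EDR or Sysmon export), flags any ping with a large `-n` repeat count, and scores it high when the parent is a script host and the output is thrown away, which is exactly the macro-dropper pattern described above. The threshold of 30 pings is an assumption.

```python
"""Flag ping-based stalling in process-creation logs (added example, not McAfee's code).
Record format ts|ParentImage|Image|CommandLine is assumed; sample records are constructed."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample records, not real telemetry. Line 1 is the pattern from the post.
SAMPLE_LOG = r"""
2016-10-18T10:01:02|C:\Windows\System32\wscript.exe|C:\Windows\System32\cmd.exe|cmd.exe /c ping 8.8.8.8 -n 250 > nul
2016-10-18T10:01:03|C:\Windows\System32\svchost.exe|C:\Windows\System32\cmd.exe|cmd.exe /c ping 10.0.0.5 -n 4
2016-10-18T10:01:04|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c ping -n 120 127.0.0.1 >nul
2016-10-18T10:01:05|C:\Windows\System32\cscript.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir
"""

PING_RE = re.compile(r"\bping(?:\.exe)?\b.*?-n\s+(\d+)", re.IGNORECASE)
NUL_RE = re.compile(r">\s*nul\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "winword.exe", "excel.exe"}
MIN_STALL_COUNT = 30  # assumption: a repeat count this high is a delay loop, not diagnostics


@dataclass
class Alert:
    ts: str
    parent: str
    count: int
    severity: str
    cmdline: str


def detect_ping_delay(log_text: str) -> List[Alert]:
    """Return one Alert per record that uses ping as a sleep substitute."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, parent_image, _image, cmdline = raw.split("|", 3)
        match = PING_RE.search(cmdline)
        if not match or int(match.group(1)) < MIN_STALL_COUNT:
            continue
        parent = parent_image.rsplit("\\", 1)[-1].lower()
        discards_output = bool(NUL_RE.search(cmdline))
        # Script-host parent plus discarded output is the macro-dropper pattern from the post.
        severity = "high" if parent in SCRIPT_HOSTS and discards_output else "medium"
        alerts.append(Alert(ts, parent, int(match.group(1)), severity, cmdline))
    return alerts


if __name__ == "__main__":
    for alert in detect_ping_delay(SAMPLE_LOG):
        print(alert.severity, alert.ts, alert.parent, alert.count, alert.cmdline)
```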

The final payload is Cerber ransomware, which encrypts files on the victim’s machine. We saw a spike in Cerber during week 41 (early October):

[Figure 10]

Malware authors continue to advance their sandbox-evasion techniques and make detection harder for antimalware products. Intel Security advises all users to keep their antimalware products up to date. McAfee products detect the document file, VBScript, and final payload as W97M/Downloader, VBS.Downloader, and Ransomware-FUN! [Partial hash].

Hashes

Document files:

  • 7799b30cd33b7052701a2d8e91aeb99e (password: nOrCeBV)
  • b7220f3455d92615f25b8d9eca94fefc (password: TfsMoS)
  • 2552fb9ba6dfc97168bccde23763fb81 (password: 4nHTvIM1)

VBScript:

  • 7F86D6E9C030630EACE4952F25DE9364
  • 19C684BABFBEF9CA5C845492D5A0DE4F

Cerber:

  • 4df4dfbcf17f2b1f5bcab6210c54c251

The post Password-Protected Attachment Serves Ransomware appeared first on McAfee.

Windows Server 2003 in 2016: Trump’s mail servers are old and insecure

(credit: Gage Skidmore)

Hillary Clinton isn't the only one who may have had an e-mail security problem. A security researcher has discovered that the Trump Organization's mail servers all run on a version of Microsoft Windows Server that has been out of support for years, with minimal user security. The e-mail servers for Trump's hotels, golf courses and other businesses run on an unpatched version of Windows Server 2003 with Internet Information Server 6—making them a vulnerable target for anyone who might want to gain access to the organization's e-mails.

Security researcher Kevin Beaumont posted the finding on Twitter at 6:00pm on Monday:

Beaumont also found the Trump Organization's Web-based e-mail access page. Until this morning, the Trump Organization allowed Outlook Web Access (OWA) logins from webmail.trumporg.com. Beaumont said he did not attempt to log into the e-mail system.
