
We believe we may be infected with malware - marcopolis
http://isc.org
======
yourad_io
Disclosure is great and all, but.. which malware?

I searched a few of the *-announce lists and didn't find anything obvious. Is
there a discussion somewhere that I'm missing?

~~~
jacquesm
[http://www.cyphort.com/isc-org-infected/](http://www.cyphort.com/isc-org-infected/)

paragraph 2: > Angler Exploit Kit

~~~
yourad_io
Thank you.

------
rattle1337
Technical Details: [http://www.cyphort.com/isc-org-infected/](http://www.cyphort.com/isc-org-infected/)

~~~
ThatGeoGuy
Based on this article, it appears that the exploit is something that takes
advantage of IE / Flash / Silverlight. Does this mean if you run Firefox with
Flash disabled and no Silverlight, you have nothing to worry about? In any
case, if you had accessed the site recently, then it is probably prudent to
check just in case, but still, I'm curious if anyone who knows more about the
Angler Exploit Kit can explain.

~~~
userbinator
JavaScript off will also quite effectively prevent this exploit (and many
others), even in IE.

(I've been slowly converting people to use JS whitelists, with mixed results.
Several times I've accidentally linked someone to an infected site, which had
no effect on my system.)

------
ams6110
_Until this site is restored, you can download your ISC software from our ftp
site._

How do we know the ftp site is clean?

~~~
tokenizerrr
It's ftp, not http. You cannot serve scripts over ftp, so unless there is a
completely separate exploit for ftp clients out there it should remain
unaffected. Note that most browsers include an ftp client which is why you are
able to browse it.

It's possible the binaries you download may have been modified, but I assume
digital signatures are available.

~~~
jacquesm
The signatures are available but they are distributed through the same channel
as the binaries. If the one was modified it stands to reason that the other
has been too.

~~~
tokenizerrr
That only works for hashes. Signatures are produced by a private key which
will not be available anywhere, so they can be verified by the public key
which is already known.
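
The distinction drawn in this comment, as an added Go example (not code from the thread or from ISC): a checksum file fetched from the same server as the tarball only proves the two agree with each other, while a detached signature checked against a public key the downloader already holds fails when the server's copies are swapped. Keys and file contents are constructed for the demo, and Ed25519 stands in for whatever signing scheme ISC actually uses, which the thread does not say.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what the mirror serves: tarball, hex SHA-256 checksum file, detached signature over it.
type Release struct {
	Binary, Checksum, Sig []byte
}

func hexSum(b []byte) []byte {
	sum := sha256.Sum256(b)
	return []byte(hex.EncodeToString(sum[:]))
}

// publish signs the checksum file with the project's release key (a constructed key here).
func publish(priv ed25519.PrivateKey, binary []byte) Release {
	cs := hexSum(binary)
	return Release{Binary: binary, Checksum: cs, Sig: ed25519.Sign(priv, cs)}
}

// checksumOnly is all a hash file from the same server can give you: it proves
// the tarball and the hash file agree with each other, not that either is genuine.
func checksumOnly(r Release) bool {
	return bytes.Equal(hexSum(r.Binary), r.Checksum)
}

// verifySigned also checks the signature against a key obtained earlier, out of band.
func verifySigned(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Checksum, r.Sig) && checksumOnly(r)
}

// tamper models an attacker who controls the server but not the signing key.
func tamper(r Release, evil []byte) Release {
	return Release{Binary: evil, Checksum: hexSum(evil), Sig: r.Sig}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := publish(priv, []byte("bind-9.x.tar.gz (constructed sample bytes)"))
	bad := tamper(good, []byte("trojaned tarball (constructed sample bytes)"))
	fmt.Println(checksumOnly(bad), verifySigned(pub, bad)) // true false
}
```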

------
mosselman
Great idea to link to a potentially infected site. "Please scan any machine
that has accessed this site recently for malware." OK, thanks, now I have to
scan for malware.

~~~
jacquesm
'view source'.

Every site you visit is a potentially infected site, this one right now is
probably one of the safer ones.

That said it contains a surprising amount of cruft for such a simple homepage.

~~~
nandhp
Looks like it was thrown together with WINWORD.

------
ramigb
The source says this temp page is made by Microsoft Word, I am pretty sure
there is a clue here but I can't sniff it, and I am being serious.

------
unethical_ban
I thought it was the Internet Storm Center at first, which was going to blow
my mind.

------
magoon
Please explain how "this is a WordPress issue"

Given that WordPress runs over 20% of the internet, it would be prudent to
elaborate.

~~~
jerf
WordPress is a large and soft target, security-wise, and the malware targeting
it has become fairly sophisticated. Note both "large" and "soft" are
important, which is why I said both.

If you are implying that you're going to try to claim that WordPress is not a
large and soft target, all I can do is really strongly recommend against
dashing yourself against those rocks voluntarily. If you'd like some light
evening reading, you can try browsing through:
[http://osvdb.org/search?search[vuln_title]=wordpress&search[...](http://osvdb.org/search?search\[vuln_title\]=wordpress&search\[text_type\]=alltext)

~~~
jcrawfordor
Although check this search out:
[http://osvdb.org/search?search[vuln_title]=wordpress+-plugin...](http://osvdb.org/search?search\[vuln_title\]=wordpress+-plugin+-theme&search\[text_type\]=titles)

And my filtering isn't that thorough, a number of results are still in plugins
or themes.

My point is that the majority of WordPress problems are not actually WordPress
problems but problems with the enormous set of third-party content produced
for it. WordPress's security engineering is generally pretty good now, but the
plugins are very much a mixed bag.

------
voidz
isc.org also has the DLV registry... should users be worried?

------
curiously
so basically,

uninstall adobe flash and silverlight and never use IE.

*I just uninstalled adobe flash and reader. Probably will never install it again. Adobe is the new Java Applet.

~~~
arthurfm
> uninstall adobe flash and silverlight and never use IE.

Alternatively turn on ActiveX Filtering [1] in IE, whitelist [2] any websites
that you need to run ActiveX controls on, make sure your plug-ins are up-to-
date and install IE11 if you haven't already.

According to the Cyphort article linked above:

> Cyphort Labs researchers are still in the process of analyzing the
> Silverlight and flash exploits which exploit a known IE vulnerability
> (CVE-2013-2551). Angler EK is known to perform file-less injection (memory-
> based malware where nothing is written to disk).

As you can tell from the CVE number, the exploit used by Angler EK is quite
old and doesn't affect IE11 [3] or older versions of the browser that have
installed the KB2829530 hotfix [4].

> Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10
> allows remote attackers to execute arbitrary code via a crafted web site
> that triggers access to a deleted object, as demonstrated by VUPEN during a
> Pwn2Own competition at CanSecWest 2013, aka "Internet Explorer Use After
> Free Vulnerability," a different vulnerability than CVE-2013-1308 and
> CVE-2013-1309.

[1] [http://ie.microsoft.com/testdrive/browser/activexfiltering/a...](http://ie.microsoft.com/testdrive/browser/activexfiltering/about.html)

[2] [http://withinwindows.com/blog/2011/02/10/short-manage-your-i...](http://withinwindows.com/blog/2011/02/10/short-manage-your-internet-explorer-9-activex-filtering-exceptions)

[3] [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2...](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2551)

[4] [https://technet.microsoft.com/library/security/ms13-037](https://technet.microsoft.com/library/security/ms13-037)

------
luxyluxy
Friends don't let friends run bind...

