The Skinny on CVE-2015-7547

While the glibc vulnerability CVE-2015-7547 was disclosed a week ago, the code containing the flaw has been in use since May 2008. CVE-2015-7547 is a stack-based buffer overflow in the GNU C Library's DNS resolver (getaddrinfo()): a malformed or oversized DNS response can lead to arbitrary code execution on any system that relies on glibc for name resolution. The flaw was found independently by Red Hat and Google. It affects all versions of glibc since 2.9 and allows remote code execution.

We have seven signatures, the first of which was released the day after the vulnerability was disclosed. We pushed the beta version of the rule to our research partners immediately, and to all sensors during the normal daily signature update.

2022531 || ET EXPLOIT Possible 2015-7547 Malformed Server response || cve,2015-7547

2022542 || ET EXPLOIT Possible 2015-7547 PoC Server Response || cve,2015-7547

2022543 || ET EXPLOIT Possible CVE-2015-7547 Long Response to A lookup || cve,2015-7547

2022544 || ET EXPLOIT Possible CVE-2015-7547 Long Response to AAAA lookup || cve,2015-7547

2022545 || ET EXPLOIT Possible CVE-2015-7547 Malformed Server Response A/AAAA || cve,2015-7547

2022546 || ET EXPLOIT Possible CVE-2015-7547 A/AAAA Record Lookup Possible Forced FallBack(fb set) || cve,2015-7547

2022547 || ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query || cve,2015-7547

Signature 2022547 is currently triggering on multiple customer sites, though for now in low volume. However, as Dan Kaminsky has pointed out, this is a threat that could escalate swiftly as more adversaries refine their attack strategies to maximize the damage made possible by CVE-2015-7547. Patching this bug is paramount, as is continued monitoring of your network for exploitation attempts.
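As an added illustration (not part of the original post, and not the logic of the signatures above), the following Python script parses a UDP DNS reply and applies the two heuristics those signatures encode: an A/AAAA reply that reaches the 2048-byte stack buffer getaddrinfo() uses in vulnerable glibc, and a reply with the TC bit set that forces the client to retry over TCP. The sample replies are constructed inline; the threshold constant and the heuristic names are this example's own assumptions.

```python
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
# Vulnerable glibc reads A/AAAA replies into a 2048-byte stack buffer; replies at or
# beyond that size are what the "Long/Large Response" signature ideas look for.
GLIBC_STACK_BUF = 2048          # assumption: threshold chosen for this example
FLAG_QR, FLAG_TC = 0x8000, 0x0200


def _read_name(data, off):
    """Decode a DNS name starting at `off`; follows one level of compression pointers."""
    labels = []
    while True:
        length = data[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(data, ptr)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", off + 2
        labels.append(data[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_response(data):
    """Return header fields and the first question of a DNS reply, or None if not a reply."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & FLAG_QR or qdcount < 1:
        return None
    qname, off = _read_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    return {"id": txid, "tc": bool(flags & FLAG_TC), "qname": qname,
            "qtype": qtype, "ancount": ancount, "length": len(data)}


def assess(data):
    """Heuristic checks mirroring the signature ideas; the hit names are this example's own."""
    reply = parse_response(data)
    if reply is None or reply["qtype"] not in (QTYPE_A, QTYPE_AAAA):
        return []
    hits = []
    if reply["length"] >= GLIBC_STACK_BUF:
        hits.append("oversized-a-aaaa-response")
    if reply["tc"]:
        hits.append("truncated-forces-tcp-fallback")
    return hits


def build_a_response(txid, qname, rr_count, tc=False):
    """Constructed test reply: one A question plus `rr_count` identical A records."""
    flags = FLAG_QR | 0x0180 | (FLAG_TC if tc else 0)   # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", txid, flags, 1, rr_count, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.rstrip(".").split(".")) + b"\x00"
    question += struct.pack("!HH", QTYPE_A, 1)
    # each RR: pointer to the question name, type A, class IN, TTL, RDLENGTH, 4-byte address
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + rr * rr_count


if __name__ == "__main__":
    benign = build_a_response(0x1234, "example.com.", 1)        # 45 bytes
    oversized = build_a_response(0x1234, "example.com.", 150)   # 2429 bytes
    print(parse_response(benign)["length"], assess(benign))
    print(parse_response(oversized)["length"], assess(oversized))
    print(assess(build_a_response(0x1234, "example.com.", 1, tc=True)))
```

In a sensor this would run over UDP/53 payloads (and, for TCP/53, after stripping the two-byte length prefix). Large legitimate replies (DNSSEC-signed zones, round-robin records) also cross the threshold, so treat a hit as an indicator to correlate with what the querying host does next rather than as proof of exploitation.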


Measured Antivirus Effectiveness

I wanted to share with you some insight from the data that originated from our customers’ networks last week. This time, we wanted to provide some information on how different antivirus vendors perform on the .exe, .dll, .pdf, and .zip files seen around the world.

This table shows the relative hit ratio of all the antivirus vendors hosted by VirusTotal on 697 confirmed bad files. You will notice that 43% of the time none of the antivirus products detected anything. The top performer is McAfee-GW-Edition with a 37% detection rate.

Looking at the types of samples detected, one can also consider which antivirus vendors were able to catch the worst malicious code. We assigned an Average Priority of 1 to spyware or unwanted software and an Average Priority of 100 to known Trojans or unclassified malware. We then multiplied the Average Priority by the Detection Rate, which gives the Severity column. This column shows which antivirus vendors found the most dangerous code. This week Arcabit wins with a Detection Rate of 29%, an Average Priority of 30.17, and a Severity of 8.96.

Antivirus Vendor | True Positives | Average Priority | Detection Rate | Severity
None | 300 | - | 0.430416 | -

Our sandbox was able to detect the remaining samples (the missing 43%).


The bubble graph above illustrates the Severity (Detection Rate × Average Priority) versus the Prevalence (Detection Rate × Total Priority). The detection rate is encoded in color and the size of the bubble is proportional to how many customers saw the malware.

If you are curious about more statistics like this, you can visit our statistics page (best viewed on a desktop) for a great deal of additional information. If you want a quick overview, watch some of our videos.

The Raw Data

We wanted to share with you some insight from the 50M+ security events that originated from our customers’ networks last week. We report the security event invariants that were confirmed to be true positives and how they fit within a global, multi-domain context. The data and several interesting graphs are available on our stats page (best viewed on a desktop).

12.14.15 Image 1

For example, the top OpenAppIDs that were the best predictors of a compromise last week are shown below. Interestingly, we also found that the google_update OpenAppID predicts, with fifty percent (50%) accuracy, malware activity designed to evade application firewalls. Remember, these are actual measurements across 50M+ records, so they should be relevant to any network.



Below is a visualization of the IDS rules with greater than 95% accuracy last week. Please visit our stats page for more detailed information.

12.14.15 Image 2

MetaFlows offers a compelling product that will provide an unprecedented level of protection to any network. If you decide to run a trial, in addition to automated incident reports with extremely low false positive rates, you will also get a personalized multi-domain report for the events found on your network.

Command Line Interface Is Here!

As a new feature of the MetaFlows MSS, we have added the ability to query the MSS for both historical flow data (with payload, coming from the sensor) and historical event data (coming from our database). The flow data text output can be formatted to look like what Argus provides (-f -X) or what Bro provides (-c), depending on the options selected. We have also added JSON output (-J) for those of you who use Splunk and want to do some integration work. The MetaFlows Wiki has been deeply revamped and now includes the CLI documentation.

The CLI client is written in Perl and can be copied to any system after initialization – so you may execute the CLI queries from any host. Also, if you dare, you can modify the Perl code to change the output formats or to add your own command line switches.

To whet your appetite, the following query will return all the latest malicious content from your sensors: -u api1:xxxx -B

This query, for example, shows all of the clients on your network attacking Chinese Web Servers: -E -u api1:xxxx -w 360000 -Q modsec_out | grep CRITICAL | grep :CN

We encourage you to invest some time in exploring this CLI interface. As always, do not hesitate to drop us a line.


The MetaFlows Team

Adobe’s Continuing Affair with Angler and Cryptowall

The latest Adobe Flash Player update has once again proven problematic. We have discovered yet another revision of a pre-existing Angler Exploit Kit campaign disseminating CryptoWall. A customer’s host was compromised following Angler Exploit Kit redirects dated June 1, June 16 and June 30, 2015, showing that as new adaptations of the kit are added, the older ones remain in use. The latest, June 30th, post-dates the most recent patch for Adobe Flash Player 17. As Adobe puts it: “Customers that are enrolled in “Allow Adobe to Install Updates (recommended)” but have not updated to Flash Player version 18 will receive a new and secure version of Flash Player 17 over the next 24 hours.”

MetaFlows customers are encouraged to enable automatic blocking for Level 1 Events, which currently include the Angler Exploit Kit rules, or to create specific block rules that match Angler EK events.

The figure shows an example of the events that are triggered during an Angler Exploit attempt and infection with Cryptowall.


Adobe, Angler, and CryptoWall

Adobe Flash is a persistent source of severe vulnerabilities when it comes to CryptoLocker/CryptoWall: it seems that every time Adobe ships a new patch, the ransomware crews are quick to find a way around it. The latest CryptoWall bonanza exploited a security vulnerability found in the Adobe update released on May 18th. This is not a singular occurrence, but rather part of a larger trend of exploiting security holes in Adobe software.

Just this week, Adobe’s latest round of updates for Flash Player has proven problematic. These new vulnerabilities are being used by the Angler exploit kit, a kit that has been around for some time and has now found fresh ground. The exploits are used to distribute CryptoWall as well as other forms of malware. The intent is to encrypt (steal or hold data hostage), take over (rootkit or remote access tools), or recruit (make the host part of a botnet).

MetaFlows catches these types of fresh exploits better than any other security tool (according to many of our customers).
Several analysts using our system have praised it: while they run several other security products, MetaFlows was the only one to identify this threat. We were able to identify the behavior patterns that were triggered when this exploit was seen on a live network:

As you can see, the IDS events identify the individual behaviors, and our correlation engine recognizes the use of the Angler toolkit to infect the target with the intended payload. In this case, it is CryptoWall, a ransomware program that has cost U.S. users alone an estimated $18 million. In other cases, odd behavior left undetected can cost a brand its reputation and cause irreparable loss of intellectual property.

Criminals are swift to take advantage of any emerging opportunity to penetrate the perimeter (it has become BIG money). You need to start monitoring the behavior of your internal hosts, not only the perimeter. Our behavioral analysis and correlation engine are able to identify these threats, even when they occur across multiple sessions and employ zero-day techniques that make it through your perimeter defenses.

Our security professionals have identified the issue and are working to keep our subscribers’ networks and systems safe; Adobe has updated its Security Bulletin site with the appropriate information. Users are advised to install the newest Adobe Flash update immediately. As evidenced by our findings, criminals are swift to take advantage of any opportunity, so employing new advanced detection technologies like the one offered by MetaFlows is key to preventing expensive and sometimes irreparable IT disasters.

Which IDS System is Right for You?

There are so many IDS Systems out there, but how do you pick the right one? Here are some tips to help you get started!

How Do You Pick the Right IDS System?

If you’re a company CEO then you’re probably scared of malware, and if you aren’t, you should be. The last thing you want is a virus leaking all of your company’s charts, data, and business plans across the internet or, worse, stealing from your company. So to protect your company’s computers from viruses and malware you’ll need an IDS system. An IDS system is an Intrusion Detection System, a device or piece of software that monitors your network for malicious activity or policy violations; in other words, a virtual watchdog. So out of all the choices out there, which IDS system do you choose? Here are some tips to help you decide:

  • First, perform a risk assessment of your company or organization. This will help you determine potential risks and gain an understanding of the IT environment. Understanding what risks you are vulnerable to will help with choosing which IDS system to use.
  • Have a thorough understanding of your technical environment. This will ensure that you know what your organization needs in terms of protection.
  • Do a cost-benefit analysis. Know what is worth your budget and what is not. Once you know which risks threaten your company, you will be able to better determine what your company can afford.
  • Now choose an IDS system that will protect your company from risks and that will also fit your budget.

MetaFlows is a great option for those who want to be protected from hidden malware. MetaFlows analyzes the behavior and content of your internet traffic to find and stop malware from infecting your network. Sometimes malware security systems are not enough and lack flow analysis, but observing network communication patterns is important for better security. MetaFlows embeds security event information within IDS, Log, and Service events for real-time event information. This allows you to gain better visibility into your network. The comprehensive protection and security MetaFlows offers is something that no company can afford to pass up.

Make sure your company is protected from malware. Act today and find your IDS system and malware security system.  MetaFlows offers a free of charge, fourteen-day trial in which you can actively use the system on your network. It comes complete with security updates, a web interface, as well as tech support to assist you in getting it up and running on your network.

Cyber Attacks Global Incident Report Statistics

We are now generating weekly Global Incident Reports that provide statistics of the invariants present in our global detection infrastructure. The detection infrastructure receives approximately 8 million events per day from a variety of Institutions ranging from small commercial enterprises to very large multinational corporations.

The statistics below are from three main detection components.

The invariants from the events reported by these detection components are extracted and their relative contribution is compared. The contribution of the invariants is measured in three different dimensions:

  • The true positive rate (tpr) of an invariant is measured by dividing the number of confirmed true positive hits by the number of occurrences of the same invariant (whether they are true positives or not). Its complement (1 - tpr) is the share of the invariant's occurrences that were not confirmed, i.e. its false-positive share. For clarity the tpr is called detection rate in the Network Anti-virus tables.
  • Severity ranges from 0 to 100 and measures the likelihood that an invariant in a cyber attack compromises the integrity or confidentiality of a system. The severity is scaled down by the tpr and is calculated by multiplying the average priority (0-100) of the invariant times its tpr (which is always less than 1). A low severity score (0-10) typically implies that the cyber attack may reduce security but the loss of security is minimal (for example detecting an ADWare plug-in in your browser). Higher severity scores imply that the cyber threat becomes increasingly important.
  • Prevalence measures how widespread a given cyber attack is across multiple networks. Prevalence is also weighted against the tpr of a given invariant. Prevalence does not have an upper limit because it depends on how many cyber attacks we find in a given time period.
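The following Python snippet is added here as an illustration (it is not MetaFlows' code) of the three dimensions defined above, computed over a constructed set of event records. Because the Network Anti-virus table in the Measured Antivirus Effectiveness post uses the same arithmetic with the vendor as the invariant, the same function produces that table's Detection Rate and Severity columns. The event records, their priorities and the customer labels are invented for the example.

```python
from collections import defaultdict

# Constructed events: one row per occurrence of an invariant (an IDS rule, an AV vendor
# hit, an OpenAppID, ...). Priorities follow the convention on the page: about 1 for
# adware/unwanted software, 100 for trojans or unclassified malware.
SAMPLE_EVENTS = [
    {"invariant": "ET TROJAN Example CnC Checkin", "priority": 100, "true_positive": True,  "customer": "c1"},
    {"invariant": "ET TROJAN Example CnC Checkin", "priority": 100, "true_positive": True,  "customer": "c1"},
    {"invariant": "ET TROJAN Example CnC Checkin", "priority": 100, "true_positive": True,  "customer": "c2"},
    {"invariant": "ET TROJAN Example CnC Checkin", "priority": 100, "true_positive": False, "customer": "c3"},
    {"invariant": "ET ADWARE Example Toolbar",      "priority": 1,   "true_positive": True,  "customer": "c1"},
    {"invariant": "ET ADWARE Example Toolbar",      "priority": 1,   "true_positive": True,  "customer": "c2"},
    {"invariant": "ET ADWARE Example Toolbar",      "priority": 1,   "true_positive": True,  "customer": "c3"},
    {"invariant": "ET ADWARE Example Toolbar",      "priority": 1,   "true_positive": True,  "customer": "c4"},
    {"invariant": "ET ADWARE Example Toolbar",      "priority": 1,   "true_positive": True,  "customer": "c4"},
    {"invariant": "ET INFO Example Lookup",         "priority": 10,  "true_positive": False, "customer": "c1"},
    {"invariant": "ET INFO Example Lookup",         "priority": 10,  "true_positive": False, "customer": "c2"},
    {"invariant": "ET INFO Example Lookup",         "priority": 10,  "true_positive": False, "customer": "c2"},
]


def invariant_stats(events):
    """Per-invariant tpr, severity and prevalence as defined on the page."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["invariant"]].append(ev)
    stats = {}
    for inv, evs in groups.items():
        tps = [e for e in evs if e["true_positive"]]
        tpr = len(tps) / len(evs)                  # confirmed hits / all occurrences
        total_priority = sum(e["priority"] for e in tps)
        avg_priority = total_priority / len(tps) if tps else 0.0
        stats[inv] = {
            "occurrences": len(evs),
            "true_positives": len(tps),
            "tpr": round(tpr, 4),                          # "detection rate" in the AV table
            "false_positive_share": round(1 - tpr, 4),
            "avg_priority": round(avg_priority, 2),
            "severity": round(avg_priority * tpr, 2),      # 0..100, scaled down by tpr
            "prevalence": round(total_priority * tpr, 2),  # unbounded, grows with hit count
            "customers": len({e["customer"] for e in tps}),  # bubble size in the graph
        }
    return stats


def ranked(stats, key="severity"):
    """Invariant names sorted from highest to lowest on `key`."""
    return sorted(stats, key=lambda inv: stats[inv][key], reverse=True)


if __name__ == "__main__":
    stats = invariant_stats(SAMPLE_EVENTS)
    for inv in ranked(stats):
        s = stats[inv]
        print(f"{inv:32} tpr={s['tpr']:.2f} severity={s['severity']:6.2f} "
              f"prevalence={s['prevalence']:7.2f} customers={s['customers']}")
```

Note how the two weightings separate the cases the text describes: the adware signature has a perfect tpr but a severity of 1, while the trojan signature keeps a severity of 75 despite one unconfirmed hit, and its prevalence grows with every confirmed occurrence while severity stays bounded by 100.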

Here is an example bubble graph which visually represents the statistics of the top IDS rules that triggered a true positive.

Mousing over the bubbles reveals the actual invariant and its associated statistics.

How to access the statistics

  • The anonymized global report across all of our networks is publicly available. From this report there are some hyperlinks that query your own database (if you are a MetaFlows customer) to see if any of the invariants are present in your event data.
  • If you are a MetaFlows customer, you can also access a specific report for your own domain which has both (1) links to the invariants found on your own domain and (2) links to the incident reports used to derive the invariants.

Note that both types of reports compare the invariants to the global counts, so they both should help you understand how widespread and how serious the associated cyber threats are.

OpenAppID Support



Cisco released OpenAppID, their answer to Palo Alto Networks’ AppID feature, which allows administrators to know exactly what applications are running in the network.
It has been released as a plugin of the Snort distribution. We have recently upgraded our sensor software to support this feature. OpenAppID results appear as an additional field in the IDS alerts to give better context for the alerts. We also gather this information to associate it with the internal host IP addresses, whether or not they generate an IDS event.

For example, when a user uses Facebook, it will trigger one or more of these:

Facebook Apps
Facebook Chat
Facebook Comment
Facebook Read Email
Facebook Send Email
Facebook Status Update
Facebook search
Facebook event
Facebook post
Facebook video chat
Facebook message
Facebook video

If your software has been upgraded, the file /nsm/bin/snort/src/.version should contain the upgraded version string. If it does not, you can upgrade by executing this command: /nsm/etc/ restart (Note: MetaFlows UTM appliances do not support OpenAppID yet).

To turn on this feature, check the OpenAppID checkbox in your sensor configuration page and reload or restart the sensor.

Once this feature is turned on, you can look at the daily reports and see the top AppID summary or look at the AppIDs in your IDS events. You can now create user-defined policies that match specific AppIDs!

This new feature requires 40% more memory and in some cases, even though we install it, the system automatically turns it off if you do not have enough memory. You need at least 2 GB RAM per core. For example, if your subscription is for 16 cores and your sensor has 24 GB RAM, the system would disable OpenAppID automatically.

If you do not process a lot of data and have a low memory system, you can force the loading of OpenAppID by adding the line export forceappid=1 at the top of the /nsm/etc/ script. Note that because it uses about 40% more memory, your sensor might slow down if you do not have enough RAM. Please monitor your drop rate closely if you force the OpenAppID functionality.

We highly recommend using this feature. If you have any questions, please do not hesitate to contact our engineers for more information.

Throttle in Passive Mode

Sometimes users can knowingly, or unknowingly, abuse a network by using a lot of bandwidth. With the proliferation of video on demand services such as Netflix, Hulu, and Amazon Prime, some institutions are once again finding themselves battling bandwidth issues.

Until now, one needed an in-line device, such as a firewall, to throttle traffic by allocating certain bandwidth to certain flows or applications. Any in-line device also adds latency and reduces reliability, especially on high speed links. Wouldn’t it be nice to throttle specific traffic in a way that does not impact performance of the traffic you do care about? This has been an age-old conundrum for network engineers.

Well, continuing our hot streak of innovations, MetaFlows recently developed (in collaboration with one of our university customers) an unprecedented technique to throttle traffic in passive mode. It works a bit like active response, where spoofed packets are injected into the traffic stream to shut down flows; in this case we are not shutting flows down, we are forcing them to slow down.

The result is that you can identify any TCP flow using one or more of our 20,000 signatures (AppID support is coming very soon) and limit its bandwidth. This means zero impact on the performance and reliability of your production traffic while achieving very fine-grained control over the traffic you do not care about.
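The post does not describe the mechanism, so the following Python snippet is added here as an illustration of one plausible way a passive sensor can slow a TCP flow without sitting in-line; it is an assumption for the example, not MetaFlows' implementation. The idea is to forge an ACK that appears to come from the client and advertises a tiny receive window, so the server stops sending until it sees a larger window. The flow parameters, addresses and window value are invented, and the snippet only builds and verifies the segment: transmitting it would require raw-socket privileges and a repeated injection loop.

```python
import socket
import struct

TCP_ACK = 0x10


def _internet_checksum(data):
    """One's-complement checksum (RFC 1071) over `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_spoofed_ack(src_ip, dst_ip, sport, dport, seq, ack, window):
    """Bare 20-byte ACK forged to look like src_ip:sport -> dst_ip:dport.

    `seq` must be the client's current SND.NXT and `ack` the next byte expected from the
    server (both observed passively); otherwise the server drops the segment as out of
    window. `window` is the raw 16-bit field: if the flow negotiated window scaling, the
    server multiplies it by the client's scale factor, so choose the value accordingly."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, TCP_ACK, window, 0, 0)
    csum = _internet_checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp_header(segment):
    """Decode the fixed part of a TCP header into a dict."""
    sport, dport, seq, ack, off_res, flags, window, csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off_res >> 4, "flags": flags, "window": window, "checksum": csum}


def checksum_ok(src_ip, dst_ip, segment):
    """True when the checksum verifies for this IP pair (sum over header + checksum folds to 0)."""
    return _internet_checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


if __name__ == "__main__":
    # Constructed flow: client 10.0.0.5:51234 streaming from 203.0.113.7:443.
    seg = build_spoofed_ack("10.0.0.5", "203.0.113.7", 51234, 443,
                            seq=1_000_001, ack=48_000_000, window=1024)
    print(parse_tcp_header(seg), checksum_ok("10.0.0.5", "203.0.113.7", seg))
```

Two practical caveats follow from this design. The client's own ACKs keep re-advertising its real window, so the forged ACKs have to be repeated at a rate tied to the flow's round-trip time, and they only throttle the server-to-client direction. The sensor must also see both directions of the flow to track `seq` and `ack`, which is not guaranteed on asymmetrically routed links.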