Hello, welcome to the Monday, August 29th, 2016 edition.

Sandtonet Storm Center's Stormcast, my name is Johannes Ulrich, and today I'm recording from

Jacksonville, Florida.

I've got a couple diaries this weekend with obfuscated JavaScript.

First one was yet another Lockheye variant I wrote about on Friday. This one arrived in emails entitled

with a subject of office equipment and then it included a SIP file that was your usual

JavaScript file that then downloaded the actual malware. Sadly, a lot of antivirus still

does a bad job recognizing this,

even though if you have a very simple rule, just quarantine all-sipped JavaScript. You pretty

much can eliminate this threat from your environment.

In today, Guy reported about similar similar malicious email, also JavaScript, again,

that was heavily obfuscated.

He got a little bit more detail out of it with the JavaScript purifier, but still needs

a little bit more work to actually figure out what it is trying to accomplish.

I think a lot of individuals still have the perception that JavaScript is limited to some form of sandbox.

That's true if you download it in your browser, but once you have to file sitting on your system and you launch it locally,

that sandbox really doesn't apply anymore and JavaScript is able to just

download edition files.

And then we got an update for OpenSL, OpenSL 1.0.2H and 1.1.0.0.0.0.0.0.0. This is the first production

quality release of the 1.1 branch of OpenSL.

There is no need to immediately upgrade to 1.1.1.0.2 will continue to be supported for a while.

The big headline here is that this release does mitigate the Suite 32 attack.

...