
SANS ISC InfoSec Handlers Diary Blog



Bright(?) FUD, Heise bounty, Google thinks you are malware, Tom Liston sees his shadow, and more

Published: 2005-02-02
Last Updated: 2005-02-02 23:29:31 UTC
by Cory Altheide (Version: 1)

Dutch "news" exposes DNS spoofing



ISC reader Tony van der Togt sent us a link to (and a translation of the salient portions of) an article that is spreading rapidly through the Dutch media, regarding a super-secret group of k-rad organized hackers subtly herding innocent web surfers away from their intended targets.


Tony's translation is below, and is followed by a review of the article by ISC Handler Swa Frantzen (thanks Swa!).



----



AMSTERDAM - Criminals have taken control over the major arteries of the Internet, and can do as they like. They do so if they get paid for it. This is what the new tech glossy magazine, Bright, announces in its first issue.

The hacking technique is called 'DNS spoofing' and has been made public by Toine Verheul, owner of an international porn search portal. He was approached by a criminal who promised him a million visitors (hits) in a single day, for 1000 dollars. This is an unusually large number in such a timeframe, even for the most popular sites in the Netherlands.

The story was checked by Internet experts such as Ted Lindgreen of NLnet Labs, Olaf Kolkman of RIPE-NCC and Jaap Akkerhuis, who until recently worked for the Stichting Internet Domeinregistratie Nederland; they confirmed the hole in the Internet's heart.

From the 'Bright' article: 'I can decide where the users of the Internet are pointed to,' the American said. 'Give me your IP number and go to Google.' Verheul typed a specific search term and clicked 'search'. After that, he didn't get the usual list of search results, but was redirected to a porn site, just by clicking 'search'.



Bright?



A brand-new so-called "tech glossy", to be in stores tomorrow in Holland, gave a preview of an article called "Criminals manipulate the internet's arteries" (our translation). It is in Dutch and rather long.



Aside from the content, where an owner of a porn search engine claims to have seen his browser hijacked by some even shadier characters, the most interesting part of the story is that quite a few reputable newspapers in Holland have copied the article in a shorter form.



The article itself claims people on the net offer shady sites traffic skimmed off of the normal flow: one hit per victim, one URL, inside a site like Google or CNN ... a pretty advanced-sounding scheme if it is true. However, the article next jumps to DNS tricks like cache poisoning. True, DNS cache poisoning is real and they have plenty of experts to talk about DNS issues. But the thing is that no DNS trick will redirect just one URL of CNN.com. Something else will be needed to achieve that.



To us it sounds too good (or should I say bad) to be true.



Nice marketing campaign though; with that level of press coverage the magazines will be sold out much faster. But should we lose sleep over it? Not yet.


Should we fix broken DNS servers? Sure. Check for every so often. Should newspapers do a bit more research themselves before reprinting material, even if it quotes half a dozen experts? Probably. To be clear (before our next handler has a full mailbox to handle): the experts are right; there is just no link to the fancy story.



As for Bright, perhaps they are, perhaps not; time will tell.


Heise.de bounty



Today the ISC received news of a bounty for information leading to the capture of the perpetrator(s) of the DoS attack they suffered yesterday (as mentioned in the ...).



ISC Reader Jochen was kind enough to supply the ISC with a translation of the announcement.



----



Distributed search for heise-online attacker



The 'Heise Zeitschriften Verlag' asks network administrators to assist them in analysing the Denial-of-Service attacks against 'heise online' (www.heise.de). In particular we need concrete information about machines that actively took part in the attacks to acquire the malware program that has been used.



The main wave of the attacks took place on February 1st between 8:41am and 5:00pm CET. It consisted of TCP SYN packets targeting port 80 with a size of 40 bytes and a TCP header length of zero. The packets first targeted 193.99.144.71 and later 193.99.144.85. Sender addresses were spoofed; even addresses of unassigned networks were used. Simultaneously, between 1:14pm and 2:33pm CET, an attack of similar type hit the Heise mail server 193.99.145.50 on port 25.



Many firewalls 'complain about' these packets due to the invalid IP header. The logs of routers may show accumulations of exactly 40-byte-long packets. Please send relevant information to hinweise@heise.de. The publisher is offering a reward of 10,000 Euro for information that leads to the capture of the perpetrator.



----
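As an added illustration (not part of Heise's notice or this diary), here is a small Python checker for the pattern the announcement describes: a 40-byte TCP SYN to port 80 or 25 whose TCP data-offset field is zero, tallied per destination the way a router log would show it. It assumes packets are supplied as raw IPv4 bytes without a link-layer header; the sample packets, the 198.51.100.x sources and the helper names are constructed for this example.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

SYN, ACK = 0x02, 0x10
IP_FMT, TCP_FMT = "!BBHHHBBH4s4s", "!HHIIHHHH"   # bare 20-byte IPv4 and TCP headers

def build_ipv4_tcp(src, dst, dport, flags, hdr_words):
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header (total 40).
    hdr_words is the TCP data-offset field: 5 is the smallest valid value, 0 is the
    malformed 'TCP header length of zero' Heise described."""
    ip = struct.pack(IP_FMT, 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack(TCP_FMT, 40000, dport, 1, 0, (hdr_words << 12) | flags, 8192, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Extract the fields the notice mentions from a raw IPv4 packet (no link layer)."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not a valid IPv4 header")
    info = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "total_len": total_len, "tcp": proto == 6}
    if not info["tcp"]:
        return info
    tcp = pkt[ihl:ihl + 20]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    _, dport, _, _, off_flags, _, _, _ = struct.unpack(TCP_FMT, tcp)
    info.update(dport=dport, tcp_hdr_len=(off_flags >> 12) * 4,   # data offset in bytes
                syn=bool(off_flags & SYN), ack=bool(off_flags & ACK))
    return info

def matches_flood_signature(pkt, target_ports=(80, 25)):
    """True for a 40-byte SYN (no ACK) to a listed port with a zero TCP header length;
    no legitimate stack emits that (the minimum data offset is 5 words = 20 bytes)."""
    f = parse_ipv4_tcp(pkt)
    return bool(f["tcp"] and f["total_len"] == 40 and f["tcp_hdr_len"] == 0
                and f["syn"] and not f["ack"] and f["dport"] in target_ports)

def count_matches_by_destination(packets):
    """Per-destination tally of matching packets, the 'accumulation of exactly
    40-byte-long packets' a router or firewall log would show."""
    return Counter(parse_ipv4_tcp(p)["dst"] for p in packets if matches_flood_signature(p))
```

Feeding it a capture means stripping the Ethernet header first (14 bytes for plain Ethernet II) and handing each packet to count_matches_by_destination.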



I'm not up on exchange rates but I think 10,000 Euro is approximately a zillion USD, so I expect to be cut in if any ISC readers collect the bounty.



To Google, you are malware



This just in - Google thinks I am malware! At first I thought it was just a case of radically good judgment, but other handlers have confirmed the report of an ISC reader who wishes to remain anonymous.



----


I noticed today that a simple search in Google using inurl causes Google to display this message when you try to access the second page:



===================================================



We're sorry...

... but we can't process your request right now. A computer virus or spyware application is sending us automated requests, and it appears that your computer or network has been infected.

We'll restore your access as quickly as possible, so try again soon. In the meantime, you might want to run a virus checker or spyware remover to make sure that your computer is free of viruses and other spurious software.

We apologize for the inconvenience, and hope we'll see you again on Google.



==================================================



No, I do not have a virus or spyware, tested that already ;-)



This has been attempted from multiple Internet connections.



Basically, any name that has an entry in Google and ends with "php" will cause this.



Ex: inurl:admin.php

inurl:test.php

inurl:whatever.php


I've tried it with cgi, html, asp, sh, pl and this does not happen.



I find it odd that they would display a "panic" message not really knowing the actual facts :-(



What searches will they decide to restrict next ???



----


Our testing shows that this behavior isn't automatically triggered; there appears to be a sliding scale (searches per minute per IP?) that causes it to activate. This is an apparent reaction to recent PHP web-application-based malware using Google to find targets, and I can't say I disagree with their tactics in this case. What do the ISC readers think?
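As an added example (not from the reader, the diary or Google), here is a small Python model of the throttle the diary speculates about: a per-client sliding window that counts only queries of the shape the reader reported (an inurl: term ending in php) and serves the "We're sorry" page once a client exceeds the limit. The limit, window and class name are made up for this example; Google's real thresholds are unknown.

```python
import re
import time
from collections import defaultdict, deque

# Query shape the reader reported as the trigger: an inurl: term ending in "php".
SUSPECT_QUERY = re.compile(r"\binurl:\S*php\b", re.IGNORECASE)

class ScannerThrottle:
    """Per-client sliding window over suspect queries. Constructed model of the
    behaviour the diary speculates about; the real threshold and window are unknown."""

    def __init__(self, limit=5, window_s=60.0):
        self.limit, self.window_s = limit, window_s
        self._hits = defaultdict(deque)   # client_ip -> timestamps of suspect queries

    @staticmethod
    def is_suspect(query):
        return SUSPECT_QUERY.search(query) is not None

    def allow(self, client_ip, query, now=None):
        """Return False (serve the 'We're sorry' page) once a client has sent more than
        `limit` suspect queries inside the last `window_s` seconds. Ordinary queries are
        never counted, so a user searching normally is unaffected."""
        if not self.is_suspect(query):
            return True
        now = time.time() if now is None else now
        hits = self._hits[client_ip]
        hits.append(now)
        while hits and now - hits[0] > self.window_s:   # expire hits outside the window
            hits.popleft()
        return len(hits) <= self.limit
```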



The Future is 0-day(?)



There's been an interesting discussion on the Dailydave list over the past couple of days in reaction to a post by Dave Aitel (who puts the "Dave" in Dailydave). The point he's making is (and I'm sure I'll hear about it if I'm wrong) that nearly all current defense techniques and technologies are based on defending against known vulnerabilities. This model of the world is rapidly losing any relevance it may have once had, as 0-day reigns supreme on the attacker's side. I'd be interested in hearing any opinions the ISC readers have on this.



For the record, I think he's right. ;)


Critical Eudora Vulnerability



NGSSoftware has discovered several code-execution vulnerabilities in Eudora 6.2.0 and below. Eudora has released a fixed version. NGSSoftware's advisory is available. Per their disclosure policy, details on the flaw will not be published until May 2nd.



But if you're running Eudora, go ahead and fix it now.


Tom Liston sees his shadow!



Today, in what I can only hope will become an ISC tradition, Tom Liston was blindfolded, transported to an undisclosed subterranean location (internally referenced as the Danger Burrow), and forced to run a horrific gauntlet of infosec challenges in order to return to the surface of the Earth.* Upon poking his head out of the burrow, he removed the blindfold only to be greeted by the giant orange ball in the sky, and a very very long shadow. Horrified onlookers shrieked at the realization that this could mean only one thing:



Six more weeks of IRC bot wars.



I'd like to sidestep any criticism about the previous piece with the following: we're the Internet Storm Center. If the Weather Channel gets to dedicate streaming video to rodent weather predictions, we get to put a handler underground.



**********************

Cory Altheide

caltheide@isc.sans.org

**********************


*No Tom Listons were harmed during the 1st Annual ISC Groundhog's Day Spectacular.