
SANS ISC InfoSec Handlers Diary Blog



nslookup Issue?

Published: 2008-08-16
Last Updated: 2008-08-17 16:56:24 UTC
by Marcus Sachs (Version: 3)

Two readers pointed us to a SecurityFocus item concerning Microsoft's nslookup.exe.  Details are at:

http://www.securityfocus.com/bid/30636/

A video showing a crash analysis of nslookup.exe is at

http://www.nullcode.com.ar/ncs/crash/nsloo.htm

If anybody has experienced an nslookup.exe crash or knows more about this vulnerability please let us know via our contact page.

UPDATE: CVE-2008-3648 has been assigned to this issue.

Commentary: As of Sunday (17-AUG-2008) the CVSS Base score for CVE-2008-3648 was 9.3.  I think this is a little high, and once more people look at the issue on Monday this will be reduced.  We have yet to determine if this actually can be leveraged to execute code, and it is unclear if the only exploit scenario is to use nslookup from the command line, or if simply visiting a website linking to a malicious domain is enough. (-KL)


Marcus H. Sachs
Director, SANS Internet Storm Center


Another Infected Digital Photo Frame

Published: 2008-08-16
Last Updated: 2008-08-16 22:43:46 UTC
by Marcus Sachs (Version: 1)

Reader Greg sent us a note today about a new issue with digital photo frames.  Here is what he said:

Bought a couple of Vuescape 1.4" Digital Picture Frames from Inkstop, to give to family members for Christmas.  Just tried to install the software on my PC, and found that the setup.exe file was infected with AdClicker-DF.  It seems impossible to find an installer for the device online that does not have this infection.  I found another version of the program needed to work with the photo frame - PhotoViewer.exe - but it does not seem to recognize this device.

The mini-CD that came with the frames (item# 61000090) is labelled Driver and Utilities version 2.3B.  The Photoviewer software is, according to the properties sheet, published by Hojy Tech Corp.

This is a bit different from the digital photo frame infections we reported earlier this year.  In that previous case, the frames themselves contained malware.  In this new case the setup.exe file on the CD is infected with adware.

If you have seen this same phenomenon in consumer products you've purchased recently (a setup.exe containing malware), please let us know what the item was, what the malware was, and where you bought it.  By the way, many products come with extra programs that are often detected as spyware or adware.  We don't need to know about that, just cases of the setup or installer program itself being infected.

Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords: photo frames

Thoughts on the Russia vs Georgia Cyber War

Published: 2008-08-16
Last Updated: 2008-08-16 15:35:57 UTC
by Marcus Sachs (Version: 1)

In the past week there has been a lot of media reporting on cyber attacks coming from Russia that are directed at Georgia.  Some examples are John Markoff's story in the New York Times, or Siobhan Gorman's story in the Wall Street Journal.  Others have been blogging about their experiences and many readers of our diaries have probably been called by local media outlets for comment.

Over the past years there have been many of these "cyber wars" that the media became infatuated with.  Remember the Great Chinese-American cyber war of 2001 following the collision of a Chinese fighter plane and a US spy plane?  Also the Israeli-Palestinian cyber conflicts, the Indian-Pakistani sparring, Chinese-Taiwanese conflicts, and of course last year's episode with Estonia?

They seem to all follow a similar pattern:

  1. Some real-world event happens that focuses attention on a specific region
  2. The media goes looking for a new angle to report on and finds one in cyber space
  3. The online community, both sympathetic as well as curious, read the stories and get interested
  4. A "cyber war" starts
  5. The media has a field day

In the case of Georgia I think that a new pattern is emerging:

  1. Because of the large number of bots, botnets, and general level of criminal behavior on the Internet, a level of "background noise" is always present in every corner of cyberspace, including small countries like Georgia
  2. When the real-world event happens and the media starts looking for activity (steps one and two above) they immediately find it because of the "background noise" (this is like turning on the lights in the kitchen and seeing hundreds of cockroaches - you can acknowledge that you've got a roach problem and kill them or you can turn off the lights and PRESTO! they magically all go away, therefore no more roach problem)
  3. A story or two is published about a defaced website or the presence of botnets, or some other event that would normally occur because of the background noise, but it's tied to the developing real-world story
  4. The online community hears about the event and wants to go see for themselves, resulting in a massive denial of service attack against a small country that nobody ever visits but is now being overwhelmed by curious cyber tourists wanting to see what is going on
  5. The small country blames the DoS attack on their adversaries, who of course deny any wrongdoing
  6. Citizens of the adversary country are also interested in seeing what is happening and so their IP addresses begin to show up in the logs, further lending credence to the growing theory that a cyber war is erupting from the larger and more aggressive country
  7. Citizens of other countries who want to "play" now jump into the fray and start launching real, no-kidding "attacks" against the small country just for kicks, but also to brag to their friends about how they are now Soldiers of Fortune in this brave new world
  8. Before you know it, the combination of media stories, tourists, vandals, criminals, and yes - there might even be a couple of "real" cyber warriors in all of this - all mix together in a torrent of hacking and whacking that reaches a crescendo before slowly tapering off into the history books
  9. Rinse and repeat

I realize that I'm being very cynical here, and that the future prospects of real, no-kidding, nation-state cyber warfare are very possible.  But folks, let's get real.  Is a botnet or a website defacement an act of war?  Is an overwhelming bunch of cyber tourists an act of war?  I think not.  But for the next few years I can predict with certainty that any time a physical-world invasion or conflict emerges, somebody will immediately go looking for the cyber angle.  And they will find one, and they will undoubtedly call it a cyber war.

Marcus H. Sachs
Director, SANS Internet Storm Center
