Threat Level: green Handler on Duty: Russell Eubanks

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-03-05 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Viruses, SSL Exploit, Juniper Update, New ISC Features

Published: 2004-03-05
Last Updated: 2004-03-06 03:42:36 UTC
by Marcus Sachs (Version: 1)
0 comment(s)
Latest Virus Versions. New versions of MyDoom and NetSky were reported today. Here's the current scoreboard for the top three viruses:

NetSky (first observed on February 16th): Variant H

Bagel (first observed on January 18th): Variant K

MyDoom (first observed on January 26th): Variant H


Another SSL Exploit. A reader provided the Storm Center with the following information:


The basic attack: Get a certificate from a known and trusted CA server. *Any* certificate will work. Because the certificate is trusted, the user is never
prompted. In this example, we are pretending that "PayPal" is our hostile server. Use the URL "%01" defect to hide the actual server name. The phishing target in this example is "Microsoft".

When a user visits the site, they see "https://www.microsoft.com/" and an SSL lock. But the certificate and web contents actually come from the hostile server, and the user was never prompted about a problem.

The only way to tell if the certificate is valid is to actually double-click on the little lock and check the certificate manually. And you would need to do that for EVERY web page you visit and EVERY image you load. (HTML and images may come from other servers.)

If we used frames, then the key only corresponds with the main frame's certificate, not the web pages in each frame.

Proof of concept:

http://lab.securescience.net/exploits/ssl-phish.htm

(View using Internet Explorer)



Juniper Updates Juniper Networks has updated software available for registered users. Stay tuned for additional details as they are made public.



New at the Storm Center. We've added a new search box above the main chart where users can enter any UDP or TCP port and retrieve current data on that port. Also, we've added the ability to upload a file when using the online form at

http://isc.sans.org/contact.html

If you upload malware, please ZIP, RAR, or TAR it and if possible encrypt it with the password "infected". Also be sure to mention in your note that you've attached something evil. As you know, it's not nice to fool Mother Nature. :)



Marcus H. Sachs

The SANS Institute
Keywords:
0 comment(s)
Diary Archives