
Windows HIDS; Port 80, IP-hopping scan; Why old exploits are still popular; A Simple Phishing Investigation Tip

Published: 2005-06-06
Last Updated: 2005-06-07 13:31:15 UTC
by Kevin Liston (Version: 1)

Windows HIDS

Simon wrote in to ask about available Windows HIDS systems. He currently uses AIDE and Tripwire on his Linux/Solaris boxes. Personally, I don't run HIDS on Windows boxes. I find that running HIDS on a system that isn't subject to any change control is a noisy, time-consuming process. This applies to my environment, so your mileage will vary. Of course, some may consider running an instance of Snort on each server as HIDS, and Tripwire/AIDE as file-integrity checkers. So, let's restrict our comments to Windows-based open- and closed-source file-integrity checkers. What are your favorites, other than Tripwire for Windows? (UPDATE: I'm getting a lot of comments on things other than file-integrity checkers. Now, I agree that the term HIDS is confusing, but I guess I wasn't clear. To reiterate: let's restrict our comments to Windows-based open- and closed-source file-integrity checkers. :-) )

Some of the file-integrity-style HIDS suggested by the readers are:

Dragon (which has a file-integrity option) ($$)

Osiris (open source)

Samhain and Beltane, which can be used if you are running Cygwin

Tripwire ($$)

Harlan likes to "roll his own" using the Perl Win32::AdvNotify module, especially for protecting "critical" files such as web pages.

For more fully-featured HIDS solutions:

eEye's Blink ($$)

ISS Server Sensor ($$)

Port 80, IP-hopping scan

One of the handlers is seeing port 80 scans hitting random IPs in his logs. Has anyone captured what they could be looking for (e.g. from your netcat listeners or web server logs)?

So far, no one has provided a correlation to But there have been plenty of reports of elevated port 80 scanning activity, and based on submitted captures these appear to be ASN.1 overflow attempts (MS04-007).

Why old exploits are still popular

The media has picked up on the Win32.Glieder.AK upgrading with Fantibag and Mitglieder event. While looking at what kind of threat the issue poses to my "day job", I see that Symantec had signatures for Glieder.AK on March 1st, 2005. Naively one wonders, "What's the big deal? We have our signatures up to date, so we're golden." In a way, that opinion holds. But the target isn't your firm's managed servers and desktops. They're looking for the old servers in closets, or the cable modem connections of uninformed users (this used to be "uniformed users", but some didn't like the mental Polaroid that image developed :-) Thanks, Joel.) They're looking for a system that isn't maintained, so that when they get control of it, they know they'll be able to control it for a long time to come. It's not a new idea that it's a protection strategy to use an older worm to get a foothold and let it sit for a while before the attacker "puts on their best warez." The idea is that by following this cautious strategy, the bad guys keep examples of their latest stuff out of the good guys' hands. Is that what we're seeing here with this evolution?

A Simple Phishing Investigation Tip

I was performing a follow-up investigation on a recent phishing attempt against a financial firm. It was set up as a series of "bait" emails that used images linked from a compromised web server. The "bait" email pointed the user to a redirector website. The redirector website pointed to a single "collector" site. It was a strange setup, or it seemed that way to me; I mean, if you control a number of servers, why not use them all as collectors? Anyway, back to the investigation phase. One of the challenges in figuring it out was my concern not to use a real browser to explore the site, combined with my need to get the right redirect information. Simply browsing to the redirector site in lynx returned an error page. In order to get the redirector site to play along, I needed to look like a real browser, so I cobbled together this simple (and in some circles criminally bad) Perl script to capture the collection site:

use strict;
use warnings;
use LWP 5.64;                          # LWP::UserAgent comes with libwww-perl
my $url = 'http://a.b.c.d/target/';    # the redirector page under investigation
my $browser = LWP::UserAgent->new;
# Claim to be a real browser; the redirector served an error page to lynx
$browser->agent('Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)');
my $response = $browser->get($url);
die "Can't get $url -- ", $response->status_line unless $response->is_success;
print $response->content;              # dump the returned page to find the collector URL

Update: my favorite flame of the evening: "The only thing worse than criminally bad Perl is reinventing the wheel." Thanks to Simon, who provides three options:

lynx -useragent=NAME

wget -U NAME

curl -A NAME

(reminder: I'm not Tom "follow the bouncing malware" Liston, I'm the other Liston.)


Kevin Liston

Volunteer Incident Handler
