SANS ISC: InfoSec Handlers Diary Blog

Administrata; MS05-026 exploits in the field? No, not really; OpenRBL ist Kaput; Passive Reconnaissance and the Disaster Response threat-space; mod_jrun exploit sweep

Published: 2005-06-20
Last Updated: 2005-06-20 23:10:56 UTC
by Kevin Liston (Version: 1)

Administrata


This is the after-lunch update. I usually like to have morning, afternoon, and closing commentary updates, but wanted to let Lorna's fine overview on the risks of moving and identity theft get a bit more eyeball time. One should go back and read the weekend's Diaries as part of one's Monday morning exercises.

MS05-026 exploits in the field?


The first incident of my shift involved an active exploit of MS05-026 (ED: no, Kevin, it's actually MS05-001, as we see below.) A spam message was blasted out to potential "customers," including the link to the poisoned website. It leveraged the MS05-026 (MS05-001, see above; http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx) HTML Help remote code execution (no, security zone bypass) vulnerability to install a Haxdoor variant on the visitor's machine (well, I got one part right.)

Update: The following AV tools detect the initial Help Control exploit (signature update dates are MM.DD.YYYY):

Antivirus    Version          Update      Result
ClamAV       devel-20050501   06.20.2005  Exploit.Helpcontrol
eTrust-Iris  7.1.194.0        06.19.2005  HTML/HelpControl!Exploit!Trojan
eTrust-Vet   11.9.1.0         06.20.2005  HTML.HelpControl!exploit
Fortinet     2.35.0.0         06.20.2005  VBS/Phel.A-trM
Sybari       7.5.1314         06.20.2005  HTML/HelpControl!Exploit!Trojan


The following AV tools detect the Trojan dropped (signature update dates are MM.DD.YYYY):

Antivirus    Version      Update      Result
AntiVir      6.31.0.7     06.20.2005  BDS/Haxdoor.CW
Avira        6.31.0.7     06.20.2005  BDS/Haxdoor.CW
Fortinet     2.35.0.0     06.20.2005  W32/Haxdor.3048-tr
Kaspersky    4.0.2.24     06.20.2005  Backdoor.Win32.Haxdoor.cw
McAfee       4517         06.20.2005  BackDoor-BAC.gen.b
NOD32v2      1.1146       06.20.2005  a variant of Win32/Haxdoor
Sybari       7.5.1314     06.20.2005  Backdoor.Win32.Haxdoor.cw
Symantec     8.0          06.20.2005  Backdoor.Haxdoor.D
TheHacker    5.8.2.056    06.20.2005  Backdoor/Haxdoor.cw
VBA32        3.10.3       06.20.2005  Backdoor.Win32.Haxdoor.cw


I'd prefer not to post further details at this time, to avoid false positives or exposing readers to a real danger.

Update: If one were to do one's job and follow up on what Exploit.Helpcontrol really triggered on, a few minutes of effort would finally turn up a link to http://www.microsoft.com/technet/security/bulletin/ms05-001.mspx
Ahh, such is the dangerous life of a volunteer incident handler, living on the edge of exposing your stupidity and suffering the wrath of readers. :-)

OpenRBL ist Kaput


Visitors to http://openrbl.org are greeted with a message reporting the demise of this free service. The notice points to similar services at

http://moensted.dk/spam/ and

http://www.dnsstuff.com/tools/ip4r.ch

Passive Reconnaissance and the Disaster Response Threat-space


While shopping for a gift for my old man last week, my attention was grabbed by Michal Zalewski's "Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks". From a simple flip through, it looks like some thought-provoking chapters are in there. I picked up a copy, because I can't resist another book to put on the bookshelf.

Recently, I participated in a disaster response drill with the State and Local Governments simulating a mass casualty accident. While managing my other duties in the drill, I took the opportunity to set up some passive sensors in the response centers to see what a potential attacker could pick up on when a massive group of first- and second-responders converge on a disaster scene.

There were the expected open 802.11x WAPs, but I was pleased not to see a plethora of wide-open Bluetooth devices full of juicy government contact numbers. This may simply have been caused by a lack of funds on the part of said Governments to equip their staff with spiffy new cell phones, though.
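The "open WAP" finding above comes from doing nothing more than listening to beacons, which every access point broadcasts whether or not anyone is associated. The block below is an added illustration, not code from this diary or from the drill: it classifies raw 802.11 beacon frames as OPEN, WEP, WPA or WPA2 by reading the capability field's Privacy bit and the RSN and WPA information elements, and lists the open ones. The BSSIDs and SSIDs (EOC-PUBLIC and friends) are constructed sample data, and the frames are built in-process; a real passive sensor would feed the same classifier from a monitor-mode interface or a pcap file, which is left out here so the example runs offline.

```python
"""Flag open 802.11 access points from raw beacon frames (constructed samples).

Added illustration, not code from the diary: a passive sensor only needs to
read beacons to tell open APs from WEP/WPA/WPA2 ones.
"""
import struct

FRAME_TYPE_MGMT = 0
SUBTYPE_BEACON = 8
CAP_PRIVACY = 0x0010                  # capability bit 4: some encryption in use
TAG_SSID = 0
TAG_RSN = 48                          # RSN information element => WPA2
TAG_VENDOR = 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"    # Microsoft OUI, type 1 => legacy WPA IE
BEACON_FIXED_LEN = 24 + 8 + 2 + 2     # MAC header + timestamp + interval + capability


def parse_tags(data):
    """Split the tagged-parameter area into (tag_id, value) pairs.

    Stops at a truncated tag instead of guessing, so a malformed frame
    cannot make the classifier misread the tags that follow it.
    """
    tags = []
    i = 0
    while i + 2 <= len(data):
        tag_id, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            break
        tags.append((tag_id, value))
        i += 2 + length
    return tags


def classify_beacon(frame):
    """Return {'bssid', 'ssid', 'security'} for a beacon, or None for anything else."""
    if len(frame) < BEACON_FIXED_LEN:
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != FRAME_TYPE_MGMT or (fc >> 4) & 0xF != SUBTYPE_BEACON:
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])        # addr3 = BSSID
    capability = struct.unpack_from("<H", frame, 34)[0]
    ssid, has_rsn, has_wpa = "", False, False
    for tag_id, value in parse_tags(frame[BEACON_FIXED_LEN:]):
        if tag_id == TAG_SSID:
            ssid = value.decode("utf-8", "replace")
        elif tag_id == TAG_RSN:
            has_rsn = True
        elif tag_id == TAG_VENDOR and value[:4] == WPA_OUI_TYPE:
            has_wpa = True
    # IEs win over the privacy bit: a mixed WPA/WPA2 AP is reported as WPA2,
    # and a privacy bit with no IE at all is plain WEP.
    if has_rsn:
        security = "WPA2"
    elif has_wpa:
        security = "WPA"
    elif capability & CAP_PRIVACY:
        security = "WEP"
    else:
        security = "OPEN"
    return {"bssid": bssid, "ssid": ssid, "security": security}


def build_beacon(bssid, ssid, privacy=False, rsn=False, wpa=False):
    """Construct a minimal beacon frame; used only to make sample input offline."""
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)     # ESS bit + privacy
    fixed = struct.pack("<QHH", 0, 100, capability)            # timestamp, interval, cap
    tags = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    if rsn:   # RSN IE: version 1, CCMP group/pairwise, PSK AKM, no RSN capabilities
        body = (b"\x01\x00" + b"\x00\x0f\xac\x04" + b"\x01\x00" + b"\x00\x0f\xac\x04"
                + b"\x01\x00" + b"\x00\x0f\xac\x02" + b"\x00\x00")
        tags += bytes([TAG_RSN, len(body)]) + body
    if wpa:   # WPA IE: OUI/type, version 1, TKIP group/pairwise, PSK AKM
        body = (WPA_OUI_TYPE + b"\x01\x00" + b"\x00\x50\xf2\x02" + b"\x01\x00"
                + b"\x00\x50\xf2\x02" + b"\x01\x00" + b"\x00\x50\xf2\x02")
        tags += bytes([TAG_VENDOR, len(body)]) + body
    return header + fixed + tags


# Constructed sample capture (hypothetical BSSIDs/SSIDs): four APs plus junk.
SAMPLE_FRAMES = [
    build_beacon(b"\x00\x11\x22\x33\x44\x01", "EOC-PUBLIC"),
    build_beacon(b"\x00\x11\x22\x33\x44\x02", "EOC-LEGACY", privacy=True),
    build_beacon(b"\x00\x11\x22\x33\x44\x03", "EOC-OPS", privacy=True, rsn=True),
    build_beacon(b"\x00\x11\x22\x33\x44\x04", "EOC-OLD", privacy=True, wpa=True),
    b"\x80\x00",   # truncated frame: must be ignored, not crash the sensor
]


def find_open_aps(frames):
    """Return the classified records for every open (unencrypted) AP seen."""
    results = (classify_beacon(f) for f in frames)
    return [r for r in results if r is not None and r["security"] == "OPEN"]


if __name__ == "__main__":
    for ap in find_open_aps(SAMPLE_FRAMES):
        print(f"OPEN AP {ap['bssid']} ssid={ap['ssid']!r}")
```

Two design points matter for a sensor left running unattended at a drill site: the tag parser stops on a truncated element rather than reading past the frame, and classification trusts the RSN/WPA elements over the Privacy bit, since the bit alone cannot distinguish WEP from WPA.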

Mod_jrun exploits spotted


Ben, a reader, has spotted an uptick in exploit attempts against mod_jrun on his servers.
Specifically:
http://www.securityfocus.com/archive/1/377194

And as always, make sure you've patched Macromedia JRun.

Solstice Wishes


Remember to have a nice solstice, be it winter or summer in your area!

---------------------------------------------

Kevin Liston

kliston@isc.sans.org