
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-11-08



VERITAS NetBackup (tm) Enterprise Server/Server 5.0 and 5.1 BO

Published: 2005-11-08
Last Updated: 2005-11-08 23:26:49 UTC
by Patrick Nolan (Version: 1)
Symantec/Veritas has issued Advisory SYM05-024: exploitation of a buffer overflow vulnerability in VERITAS NetBackup (tm) Enterprise Server/Server 5.0 and 5.1 could potentially lead to a remote Denial of Service or remote code execution. The vulnerability was responsibly reported to Symantec by iDefense Labs.

CVE Candidate CAN-2005-3116

XML RPC worm - New Variant - ELF_LUPPER.B

Published: 0000-00-00
Last Updated: 2005-11-09 20:32:40 UTC
by Patrick Nolan (Version: 4)
Update: During the upcoming SANS Webcast "Internet Storm Center: Threat Update", Wednesday, November 09 at 1:00 PM EST (1800 UTC/GMT), Johannes Ullrich will discuss the Lupii worm and XML-RPC, so be sure to catch this "defense discussion in depth".

Update: Reported IPs include:
217.160.255.44
62.101.193.244
24.224.174.18
216.102.212.115
24.224.2.174
Thanks Ryan, Joel and Mike!
-------
We are receiving reports of malware that's an apparent relative of the lupii worm. The reported variant is named "listen".

Ivan Macalintal, Senior Threat Analyst, Trend Micro Inc., sent us the following information:

"LISTEN has a size of 443,364 bytes, but basically it still does the same thing.
MD5 Hashes (as compared with the previous LUPII variants):
5b1176a690feaa128bc83ad278b19ba8 *listen
df0e169930103b504081aa1994be870d *lupii
c9cd7949a358434bfdd8d8f002c7996b *lupii2"

Trend has identified this variant as ELF_LUPPER.B; details of their analysis will be posted shortly.

Additional information on "listen" has been submitted to us by a contributor who wishes to remain anonymous. "Listen" is retrieved from 24.224.2.174 and 24.224.174.18.

Thanks very much both of you!

We'll post other details as they develop.



Some people asked us about the possibility to scan their own networks to see if they have some servers vulnerable to exploits that lupii/lupper use.

Probably the easiest way is to do an nmap scan of your network to see which machines have services listening on port 80, and then to run a customized Nessus scan against those hosts. Nessus has some plugins which can be used to detect the various XML-RPC vulnerable packages.

Those plugins are:

19518 - phpAdsNew / phpPgAds < 2.0.6 Multiple Vulnerabilities
18600 - Serendipity XML-RPC for PHP Remote Code Injection Vulnerability
18601 - WordPress < 1.5.1.2 Multiple Vulnerabilities
18640 - Drupal XML-RPC for PHP Remote Code Injection Vulnerability
16189 - AWStats configdir parameter arbitrary cmd exec

Let us know how (un)successful your scans are.
Just a short update: all of these plugins except #16189 require a registered or direct plugin feed from Nessus; they are not GPLed.
Thanks to George for letting us know.
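As an added illustration of the "nmap first, then a targeted Nessus scan" approach above (this script is not from the diary, nmap or Nessus), a POSIX shell filter that reduces nmap's grepable (-oG) output to the hosts with TCP/80 open, which is the list you would then feed to Nessus with the plugins listed above selected. The nmap output lines and the 192.0.2.0/24 addresses are constructed samples.

```bash
#!/bin/sh
# Added example: pick out hosts with TCP/80 open from nmap grepable output.
# A real run would be:  nmap -p 80 -oG - 192.0.2.0/24 | hosts_with_http
# (192.0.2.0/24 is a documentation range used here as a placeholder.)

hosts_with_http() {
    # nmap -oG host lines look like:
    #   Host: 192.0.2.10 ()  Ports: 80/open/tcp//http///
    # The port entry is always preceded by a space (after "Ports:" or ", "),
    # so " 80/open/" matches port 80 only and not, say, 8080/open.
    awk '/^Host: / && /Ports: / && / 80\/open\// { print $2 }'
}

# The Nessus plugin IDs named in the diary, for the follow-up scan.
XMLRPC_PLUGINS="19518 18600 18601 18640 16189"

plugin_ids() {
    # One ID per line, the shape most plugin-selection tooling wants.
    printf '%s\n' $XMLRPC_PLUGINS
}

# Constructed sample of nmap -oG output (not a real scan).
SAMPLE_NMAP_OUTPUT='# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()  Ports: 80/open/tcp//http///
Host: 192.0.2.11 ()  Ports: 80/closed/tcp//http///
Host: 192.0.2.12 ()  Ports: 80/filtered/tcp//http///
Host: 192.0.2.13 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 192.0.2.14 ()  Ports: 8080/open/tcp//http-proxy///
# Nmap done'

if [ "${1:-}" = "--demo" ]; then
    # Expected: 192.0.2.10 and 192.0.2.13 only.
    printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | hosts_with_http
fi
```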


MS05-053 - More Graphic Rendering Buffer Overflow Vulnerabilities

Published: 2005-11-10
Last Updated: 2005-11-10 01:06:57 UTC
by Patrick Nolan (Version: 2)
Microsoft Security Bulletin MS05-053 has been released.

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

See Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)
Published: November 8, 2005

Graphics Rendering Engine - CAN-2005-2123
Windows Metafile Vulnerability - CAN-2005-2124
Enhanced Metafile Vulnerability - CAN-2005-0803

The update replaces MS03-045 and MS05-002 on Windows XP Service Pack 1.

There is a workaround for "Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version". MS says their workaround is "Read e-mail messages in plain text format" ... "to help protect yourself from the HTML e-mail attack vector", as outlined in Article ID 307594, "Description of a new feature that users can use to read non-digitally-signed e-mail or nonencrypted e-mail as plain text in Office XP SP-1".

I'll also note here that in the many previous instances of this type of buffer overflow, protection commonly already existed in many environments. If you cannot deploy the patches rapidly, please consult your individual AV and security software vendors and ask whether their security solution provides generic buffer overflow protection against these vulnerabilities.

Unencrypting Extortion Malware

Published: 2005-11-08
Last Updated: 2005-11-08 18:03:02 UTC
by Patrick Nolan (Version: 1)
The good people at Kaspersky have once again provided a free utility to "unencrypt" extortion malware. Trojan.Win32.Krotten is used to extort cash from infected users. "Krotten differs from GPCode in that GPCode encrypted data saved to disk. Krotten corrupts the system registry." Details and a link to the utility are in their blog today.

Thanks Kaspersky!

Macromedia, XML-RPC, and Internet Crime

Published: 2005-11-08
Last Updated: 2005-11-08 02:59:16 UTC
by Marcus Sachs (Version: 1)
The Internet Storm Center handlers sign up for what we call "Handler of the Day" (or HOD) well in advance of when we will actually be the HOD.  So you never know what will come your way during the 24 hours you are the guardian of cyberspace.  Normally Mondays are pretty busy so I was quite pleased that today was fairly quiet.  Since there are no major events to report on, here is a summary of what came to us in our mailbag.

Lyndon wrote in to tell us that Macromedia has a .msi installer that can be downloaded from their website.  This makes deployment of their updates much easier for closed networks and enterprises.

An anonymous reader said that they found a version of the XML-RPC attack with requests of

/adxmlrpc.php

This request belongs to a Typo3 or a T3 extension. The same reader wrote back later to tell us they found the connection between T3 and the script: adxmlrpc.php belongs to phpAdsnew, which has a Typo3 Adminmodul. The current version 2.0.6 of phpAdsnew should be safe to use according to this forum. Our anonymous reader also told us that the product has another problem: it does not run on php4.4.1, because 4.4.1 has a small bug which is not present in 4.4.0. More to follow as this unfolds.
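For readers who want to check their own web logs for the requests described above, here is an added example (not from the diary or from any reader) that triages an Apache combined-format access log for requests to adxmlrpc.php or xmlrpc.php and summarises them per client address and method. The log lines and addresses are constructed samples.

```bash
#!/bin/sh
# Added example: count requests to the XML-RPC endpoints per client and method.
# Usage with a real log:  xmlrpc_hits < /var/log/apache/access_log

xmlrpc_hits() {
    # Combined log fields: $1=client address, $6="METHOD (with leading quote),
    # $7=request path. Match the endpoint as a path component so that
    # /blog/xmlrpc.php is caught as well as /xmlrpc.php, with or without a query.
    awk '$7 ~ /(^|\/)(ad)?xmlrpc\.php([?]|$)/ {
             method = substr($6, 2)          # strip the leading quote
             count[$1 " " method]++
         }
         END { for (k in count) print k, count[k] }' | sort
}

# Constructed sample log (not real traffic); 192.0.2.x and 198.51.100.x are
# documentation ranges used as placeholders.
SAMPLE_ACCESS_LOG='192.0.2.50 - - [08/Nov/2005:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "-"
192.0.2.50 - - [08/Nov/2005:10:00:02 +0000] "POST /adxmlrpc.php HTTP/1.1" 404 312 "-" "-"
192.0.2.50 - - [08/Nov/2005:10:00:03 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 500 0 "-" "-"
198.51.100.7 - - [08/Nov/2005:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Nov/2005:10:01:05 +0000] "GET /xmlrpc.php?foo=1 HTTP/1.1" 200 100 "-" "Mozilla/5.0"'

if [ "${1:-}" = "--demo" ]; then
    # Expected: "192.0.2.50 POST 3" and "198.51.100.7 GET 1".
    printf '%s\n' "$SAMPLE_ACCESS_LOG" | xmlrpc_hits
fi
```

A burst of POSTs to these paths from one address, especially 404s against several of the listed package paths in a row, is the pattern worth a closer look.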

A Dutch reader pointed us to a story (in Dutch) about the recent arrest of hackers involved in the mega-bot network uncovered last month.  The hackers have now been linked to Russian online criminal groups.  This should not come as a surprise to any of us as we watched young hackers over the past few years move from pranks like web site defacements to criminal acts of theft and fraud. 

Standing on my soapbox for a moment, I have to say that this trend was predictable.  The Internet is the perfect playground for organized criminal activity.  Near-total anonymity, multiple ways to launder money, enormous amounts of value and wealth, extreme complexity, few laws and fewer law enforcement experts, and millions of users who have no concept of what is going on inside their shiny new computer.  Such a shame, too.  We face the real possibility that the Internet may implode on itself in the coming years, and will ultimately be a nice history lesson for future generations.  I hope we can save it, but the current signs don't point in that direction.

Marcus H. Sachs
Handler of the Day
