
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-11-18 InfoSec Handlers Diary Blog



Recent Conference Keynote

Published: 2005-11-18
Last Updated: 2005-11-18 19:21:30 UTC
by Deborah Hale (Version: 1)
0 comment(s)
I recently attended a conference in Minneapolis where the Keynote Speaker was a gentleman by the name of Mark Minasi. His talk was excellent, very informative and humorous. He talked about Windows security, talked about the new OS offerings that are on the horizon and just gave an opportunity to laugh a lot.

Mark has a website and a newsletter that you can subscribe to. I have now become a follower and subscriber to the Mark Minasi "World of Humor". If you have not yet heard him speak and have an opportunity to, I suggest you do. I have subscribed to his newsletter and can't wait to read more of his wisdom and wit.
Home of technology writer and speaker Mark Minasi



Nameserver dynamic DNS abuse attack trend

Published: 2005-11-18
Last Updated: 2005-11-18 18:05:33 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
I've received some feedback about yesterday's Diary item, the "Careerbuilder Job Application" email scam with Dynamic DNS. And I've read F-Secure's money laundering blog report of an email scam with a similar pitch.

I'd like to thank Josh, Micha Pekrul, and Handlers Erik Fichtner and Donald Smith for their input on this Diary entry!

In summary, getting right to the point and skipping over botnets' abuse of dynamic DNS, which was never the current issue, it's apparent that attackers can change, and are changing, their DNS server IPs pretty much at will using dynamic DNS.

What does it mean? Well, since the DNS server location is now also changing at will, taking down an attacker's operation by contacting legitimate DNS providers will no longer work quickly, if at all. How effective is this attack methodology in the real world? Well, it isn't a "flash" attack, but it is very effective.

Will it affect you? It depends; building a slick malware distribution system from this setup may affect you. One response to yesterday's Diary item pointed out that "DNS blackholing on customer facing resolvers can be used to block the domain name. One of the limitations is it blocks the domain NOT the url. If the malware is hosted on a large well known web site like geocities then blocking the malware would remove customers' ability to access geocities." Think your RBL will stop this? Think again. Think asking Registrars to nuke the abuser will stop this? Who should be responsible for stopping this kind of abuse? One suggestion was that "dns blackholing by ISPs on their customer facing resolvers" would work, and it would be quite effective in most customer circumstances.

This also raises the question, "Who should be reporting this kind of abuse to Registrars?" Handler Erik Fichtner suggested that there be "More cooperation from registrars."

And what about hosting service providers' roles in combating this? Well, if I were a Registrar and I received a complaint from an ISP or hosting provider, I might pay attention to it a tad faster than a complaint from other sources. As suggested by Erik, hosting providers and ISPs seem naturals to take this task on in a formalized network incident response effort. Is there already such an IR network out there?

Of course, in the past, we've seen hosting service providers unknowingly participate in this by hosting a domain named something like "ns.domainx.com" that forwarded DNS requests to legitimate dynamic DNS service providers. You could take that kind of network down with a little effort. Unfortunately, and in summary, I don't see the Nameserver dynamic DNS attack I'm writing about being easy to take down.
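The defender's side of the trend described above, as an added example that is not part of the original diary: if you periodically log which IP each domain's nameserver hostname resolves to, nameserver churn stands out, and a resolver-side blackhole list then blocks the whole domain (the granularity limit noted above). The observations, domain names and threshold below are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, domain, NS hostname, IP the NS resolved to).
# Real data would come from periodic lookups of each domain's NS records.
OBSERVATIONS = [
    ("2005-11-17T08:00", "domainx.example", "ns.domainx.example", "198.51.100.10"),
    ("2005-11-17T12:00", "domainx.example", "ns.domainx.example", "203.0.113.7"),
    ("2005-11-17T16:00", "domainx.example", "ns.domainx.example", "192.0.2.99"),
    ("2005-11-18T08:00", "domainx.example", "ns.domainx.example", "198.51.100.44"),
    ("2005-11-17T08:00", "stable.example", "ns1.stable.example", "192.0.2.1"),
    ("2005-11-18T08:00", "stable.example", "ns1.stable.example", "192.0.2.1"),
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def ns_ip_changes(observations, window=timedelta(hours=24)):
    """Per domain, count how often an NS hostname moved to a new IP within
    `window` of the previous observation (nameserver churn)."""
    by_ns = defaultdict(list)
    for ts, domain, ns, ip in observations:
        by_ns[(domain, ns)].append((_parse(ts), ip))
    changes = {}
    for (domain, _ns), seen in by_ns.items():
        seen.sort()
        changes.setdefault(domain, 0)
        for (t_prev, ip_prev), (t_cur, ip_cur) in zip(seen, seen[1:]):
            if ip_cur != ip_prev and t_cur - t_prev <= window:
                changes[domain] += 1
    return changes

def churning_domains(observations, threshold=2):
    """Domains whose nameserver IPs changed at least `threshold` times."""
    counts = ns_ip_changes(observations)
    return sorted(d for d, n in counts.items() if n >= threshold)

def is_blackholed(qname, blackhole):
    """Resolver-side blackhole check: a listed domain blocks every name under
    it, which is the granularity limit the diary mentions (domain, not URL)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blackhole for i in range(len(labels)))

if __name__ == "__main__":
    flagged = churning_domains(OBSERVATIONS)
    print("NS-churn domains:", flagged)                        # ['domainx.example']
    print(is_blackholed("www.domainx.example", set(flagged)))  # True
```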

Emails Sent To The Handlers

Published: 2005-11-18
Last Updated: 2005-11-18 17:09:44 UTC
by Deborah Hale (Version: 1)
0 comment(s)
We received an email today from someone who is upset with an item that was covered in a previous diary. The sender's email address was more than likely not legitimate. It was also indicated that we could not use the information contained in the email for the diary or use the individual's name. In a case like this it is very hard for us to respond to or comment on the content of the email. This particular email contained a link to a web site that may contain good information. However, call me paranoid, but if I don't know who really sent me the link, I am not going to click on it. Therefore, the content of the website will remain a mystery to me.

Bottom line: if you want me, Handler Deb, to look at the information you provide, you need to be upfront with me. If you want me to take you seriously then provide me with a path to respond. Otherwise, I will consider you just another crackpot or complainer and disregard the information. I can guarantee you that information sent to and correspondence received by the Handlers is kept in confidence. We do not publish the information or the name in the diary unless we have your permission to do so. We do not take criticism personally and are always open to receiving new information on a subject that we have previously covered. So if you are concerned with being chastised or ridiculed because of your opinion, rest assured we won't do that. So if you want us (me) to take you seriously, be upfront with me.

I am only one of 40+ handlers, and this is solely my opinion. If you disagree with this information it is me you are disagreeing with. That is fine, let me know. If you want to correspond with me offline, let me know and I will be happy to do that as well.

419 Scams Now In Chat Rooms

Published: 2005-11-18
Last Updated: 2005-11-18 16:25:24 UTC
by Deborah Hale (Version: 1)
1 comment(s)
We received an email from one of our faithful readers saying that he was approached in a chat room with an attempt to proposition him in a 419-type scam. Steve says that he contacted the Webmaster for the room and the person has, for now at least, been banned from the room. I am wondering how many more people have had this same experience.

Amazon Recalling Sony DRM CDs

Published: 2005-11-18
Last Updated: 2005-11-18 16:16:42 UTC
by Deborah Hale (Version: 1)
0 comment(s)
The Handlers received an email this morning from Mike with information that he received from Amazon. Mike had bought a CD from Amazon containing the Sony DRM software. The email stated in part:

"The Sony CD(s) listed above contain XCP digital rights management (DRM) software. Due to security concerns raised about the use of CDs containing this software on PCs, Sony has recalled these CDs and has asked Amazon.com to remove all unsold CDs with XCP software from our store."

It appears that Sony is finally stepping up to the plate and attempting to take care of the problem. The problem is, how many people have the stuff already installed on their computers? How many even understand what the problem is? And how many will actually take the time and/or spend the money to ensure that they completely get rid of the program?

I think that Sony needs to be held financially responsible and needs to help make sure that this problem is addressed. Of course, this is just my personal opinion.
