Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-12-19 InfoSec Handlers Diary Blog



Malware samples

Published: 2005-12-19
Last Updated: 2005-12-19 23:47:18 UTC
by Swa Frantzen (Version: 2)
There seems to be something of a peak in reports of malware that scans for vulnerabilities and is currently not detected by anti-virus products.

We had a call for malware in this spot, and we got quite a set sent to us.

There's no way to get an overview of it in the short time we have, but so far it's clear that most people sending in malware aren't seeing the same stuff at all.

We do encourage readers to send samples to the anti-virus vendors, as they are the ones creating the signatures that protect us all. Personally I mostly use virustotal to submit samples in a vendor-independent way. I can only try to encourage anti-virus vendors to participate in such initiatives.

One of the more troubling things might be a worm that tries to inject code in popular open source packages.

--
Swa Frantzen

IIS 5.1 DoS exploit released

Published: 2005-12-19
Last Updated: 2005-12-19 22:13:17 UTC
by Swa Frantzen (Version: 3)
A Denial of Service (DoS) exploit against IIS 5.1 was brought to our attention. Source code of the exploit is being distributed from multiple sites. The claimed effect of the exploit is to stop the inetinfo.exe process.

We have advised Microsoft of the situation and got a reply that they are aware of it and are investigating. We're eager to see more details from Microsoft.

The troubling part is the simplicity of the URL used in the exploit, so an understanding of what it causes on the server would be very interesting from a security perspective.

Vulnerable versions

Confirmation of the exact conditions where the exploit works will cause updates to this story.

IIS 5.1 comes with Windows XP Professional, but fortunately isn't enabled by default. Even if most professionals will try to avoid using Windows XP on a server, some other software installation might have decided it was a good idea to enable it.

Tests by fellow handler Kevin Liston indicate IIS 6.0 would not be vulnerable to the published exploit; the test requests were simply logged as 404 errors.

There currently are no indications (yet) to suspect IIS on Windows 2000 and 2003.

Mitigation

The smartest mitigation strategy at this point is to plan an upgrade to the most recent version of IIS.

Detection

A preliminary snort signature made by fellow handler Erik Fichtner:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:2005121901; rev:1; 
        msg:"[ISC] FrSIRT ADV-2005-2963 IIS 5.1 DoS";
        flow:established;
        uricontent: "/|2e|dll/|2a|/|7e|0";
        content: "POST "; offset: 0; depth: 5;
        reference:url,www.frsirt.com/english/advisories/2005/2963;
        classtype:denial-of-service;)
Adapt it to your needs if you have other directories with execute permissions set to "Scripts & Executables".
Use at your own risk.

In log files the URLs of attempts should match /~[0-9]$/. For those not familiar with regexps: the URL ends with a tilde followed by a digit.

--
Swa Frantzen
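The log check described under Detection above, as an added example that is not part of the original diary: it reads IIS logs in W3C extended format, locates the cs-uri-stem column from the #Fields directive, and reports requests whose URL ends with a tilde and a digit. The function name, the sample log lines and the /placeholder/ paths are constructed for illustration.

```python
import re

# Pattern given in the diary: the URL ends with a tilde followed by one digit.
SUSPECT_URI = re.compile(r"~[0-9]$")

def find_suspect_requests(lines):
    """Return one dict per W3C extended log entry whose cs-uri-stem matches."""
    fields, hits = [], []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if line.startswith("#"):
            # The #Fields directive names the columns and can reappear
            # mid-file with a different column set, so re-read it each time.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if "cs-uri-stem" not in fields or len(values) != len(fields):
            continue  # no usable header yet, or a blank/truncated line
        entry = dict(zip(fields, values))
        if SUSPECT_URI.search(entry["cs-uri-stem"]):
            hits.append({
                "line": lineno,
                "client": entry.get("c-ip", "-"),
                "method": entry.get("cs-method", "-"),
                "uri": entry["cs-uri-stem"],
                "status": entry.get("sc-status", "-"),
            })
    return hits

# Constructed sample log (documentation IP ranges, placeholder paths).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2005-12-19 21:58:02 192.0.2.10 GET /index.html 200
2005-12-19 21:58:07 192.0.2.44 POST /placeholder/~0 404
2005-12-19 21:58:09 192.0.2.10 GET /~user/notes.txt 200
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-12-19 22:03:15 198.51.100.7 POST /placeholder/~7 - 404
2005-12-19 22:03:20 198.51.100.7 GET /report~10.pdf - 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print("{line}: {client} {method} {uri} -> {status}".format(**hit))
```

The pattern also matches requests for Windows 8.3 short names such as PROGRA~1, so treat hits as leads to review rather than confirmed attempts.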

Wrap-up: What? No Link?

Published: 2005-12-20
Last Updated: 2005-12-20 00:21:40 UTC
by Johannes Ullrich (Version: 3)
Our handler Lorna Hutcheson, in her diary from December 7th, noted the dangers of posting URLs, in particular clickable URLs, on our site. To drive the point home, we added a "suspect" URL, and we tracked how many people clicked on it.

We had about 1,000 users click on the link. 80% used the same browser they used to read the diary, so I consider them "production browsers". 10% used "safe browsers" like wget. The remainder are bots/search engines that followed the link.

Most people who responded to the diary noted that they do need access to malicious code (and malicious URLs) in order to be able to block them at their web proxies, or that they use safe browsers to access suspicious links. We will continue to post links in our diaries. It is up to the particular handler to decide if it is appropriate to obfuscate the URL, post a partial URL, or not post it at all if it is deemed not appropriate or too risky.

About 20-40,000 users typically read a diary, so 1,000 is not all that large of a number, but still considerable.