SANS ISC: InfoSec Handlers Diary Blog



Santa IM Worm (bot) update

Published: 2005-12-22
Last Updated: 2005-12-22 20:06:28 UTC
by Marcus Sachs (Version: 1)
More details came to us on the Santa IM worm discussed earlier.  We were able to capture and examine the malware and found that 69.56.129.67 is hosting it.  When executed, gift.com resolves smtp.girlsontheblock.com to 38.118.133.241 and attempts connections to tcp/53.  If we discover more details we will issue further updates.

Further info:  gift.com renames itself to c:\windows\winrpc.exe and sets itself up as the service "Windows RPC Services".  There is no rootkit built in; it is totally dependent on download instructions from the command and control site.  Rather than calling it a "worm", as was reported in the press, a more accurate description is that it is a bot with replicating capabilities.  Digging a bit deeper into the code, we found that it was likely compiled and pushed to the distribution point on 2005-12-18 18:09:11.000000000 -0500.
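As an added example (not part of the diary, and not the bot's code), the indicators above turned into a small Python triage script: it scans firewall and DNS-query log lines for contact with the distribution host, for TCP/53 sessions to the resolved command and control address and for lookups of the command and control hostname, and checks a caller-supplied service and file listing for the dropped winrpc.exe. The indicators are the ones stated in the diary; the log formats, the sample lines (10.0.0.x, 192.0.2.10, 198.51.100.7) and the helper names are constructed for this example.

```python
"""Triage helpers for the indicators in the Santa IM bot diary entry.

The indicators come from the diary text; everything else (log formats, sample
lines, helper names) is constructed for this example.
"""
import re
from dataclasses import dataclass

DISTRIBUTION_HOST = "69.56.129.67"          # host serving gift.com
C2_HOSTNAME = "smtp.girlsontheblock.com"   # resolved by the bot on execution
C2_ADDRESS = "38.118.133.241"              # what the hostname resolved to
C2_PORT = 53                               # the bot connects to TCP/53, not UDP
DROPPED_FILE = r"c:\windows\winrpc.exe"    # gift.com renames itself to this
SERVICE_NAME = "windows rpc services"      # display name of the installed service

# Constructed sample logs (iptables/syslog and BIND query-log style); not real traffic.
SAMPLE_FIREWALL_LOG = """\
Dec 22 10:01:02 fw kernel: ACCEPT SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=80
Dec 22 10:01:07 fw kernel: ACCEPT SRC=10.0.0.5 DST=38.118.133.241 PROTO=TCP DPT=53
Dec 22 10:01:09 fw kernel: ACCEPT SRC=10.0.0.5 DST=198.51.100.7 PROTO=UDP DPT=53
Dec 22 10:02:15 fw kernel: ACCEPT SRC=10.0.0.9 DST=69.56.129.67 PROTO=TCP DPT=80
"""
SAMPLE_DNS_LOG = """\
22-Dec-2005 10:01:05 client 10.0.0.5#1034: query: smtp.girlsontheblock.com IN A
22-Dec-2005 10:01:06 client 10.0.0.7#1035: query: www.example.com IN A
"""

FW_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)")
DNS_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN")


@dataclass(frozen=True)
class Hit:
    line_no: int
    src: str
    reason: str


def scan_firewall_log(text):
    """Flag internal hosts that reached the distribution host or the C2 on TCP/53."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = FW_RE.search(line)
        if not m:
            continue
        dst, proto, dpt = m["dst"], m["proto"], int(m["dpt"])
        if dst == DISTRIBUTION_HOST:
            hits.append(Hit(n, m["src"], "contact with gift.com distribution host"))
        elif dst == C2_ADDRESS and proto == "TCP" and dpt == C2_PORT:
            hits.append(Hit(n, m["src"], "TCP/53 session to C2 address"))
    return hits


def scan_dns_log(text):
    """Flag clients that asked the resolver for the C2 hostname."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = DNS_RE.search(line)
        if m and m["name"].rstrip(".").lower() == C2_HOSTNAME:
            hits.append(Hit(n, m["src"], "lookup of C2 hostname"))
    return hits


def check_host_artifacts(services, files):
    """services: (display_name, image_path) pairs; files: paths.  Both are supplied
    by the caller (for example collected with `sc query` / `sc qc` and a directory
    listing); the check itself is pure so it runs anywhere."""
    findings = []
    for name, path in services:
        if name.strip().lower() == SERVICE_NAME or path.strip().lower() == DROPPED_FILE:
            findings.append(f"service {name!r} runs {path}")
    for p in files:
        if p.strip().lower() == DROPPED_FILE:
            findings.append(f"file present: {p}")
    return findings


if __name__ == "__main__":
    for h in scan_firewall_log(SAMPLE_FIREWALL_LOG) + scan_dns_log(SAMPLE_DNS_LOG):
        print(f"line {h.line_no}: {h.src} - {h.reason}")
    for f in check_host_artifacts([("Windows RPC Services", r"C:\WINDOWS\winrpc.exe")], []):
        print(f)
```

The UDP/53 line to the site's own resolver is deliberately left alone: what makes the second sample line interesting is a TCP session on port 53 to an address that is not a resolver, which is worth an alert on its own even after these particular addresses stop mattering.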


Exploits in the wild for several PHP-based web apps

Published: 2005-12-22
Last Updated: 2005-12-22 17:14:37 UTC
by Jim Clausing (Version: 3)
Those of you who run web servers have probably noticed a lot of scanning activity in your logs looking for vulnerabilities in PHP itself or in web applications written in PHP.  Even after all these months there are still scans for the old awstats vulnerability and for the PHP XML-RPC vulnerabilities from a few months back.  Well, a couple of new ones have appeared in the last week or so that I thought deserved a mention.

Several days ago Secunia issued a bulletin discussing a new vulnerability in phpBB-2.0.18 (the latest version, which, unfortunately, has been a pretty popular target over the last year or so).  Fortunately, the vulnerability can only be exploited if a couple of settings are changed from their defaults to values that will open your web server to a lot more problems than just this one.  Having said that, the exploit is now in the wild, so if you are running phpBB, make sure that you follow the recommendations and that "Allow HTML" and register_globals are both disabled.  On a somewhat related note (in so far as it also has to do with phpBB-2.0.18), one of our intrepid readers noticed that an exploit has been posted in several places that performs brute-force dictionary attacks to obtain the passwords of phpBB users.  Disabling the settings above will protect against the first issue, but not the second.  There are a number of possible solutions to the second problem, including temporary lockouts after several unsuccessful login attempts.
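Since the diary names temporary lockouts as one mitigation for the dictionary attacks against phpBB logins, here is an added example of that logic in Python (not phpBB's code and not from the diary): failed attempts are counted per account and per source address inside a sliding window, and once the threshold is hit further attempts are refused for a lockout period before any password is checked. The thresholds, the key layout, the injectable clock and the attempt_login wrapper are choices made for this illustration.

```python
"""Temporary lockout after repeated failed logins, per account and per source IP.

Thresholds, key layout and the injectable clock are choices made for this example.
"""
import time
from collections import defaultdict, deque


class LoginLockout:
    def __init__(self, max_failures=5, window_s=300, lockout_s=900, clock=time.monotonic):
        self.max_failures = max_failures     # failures inside the window that trigger a lock
        self.window_s = window_s             # sliding window for counting failures
        self.lockout_s = lockout_s           # how long a lock lasts
        self.clock = clock                   # injectable so tests are deterministic
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lock expires

    def _recent_failures(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        return q

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:                  # lock expired: start counting afresh
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key):
        """Register a failed attempt; returns True if this one triggered a lock."""
        now = self.clock()
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(guard, username, client_ip, check_password):
    """Return 'locked', 'denied' or 'ok'.

    check_password is a zero-argument callable doing the real credential check.
    It is only invoked when neither the account nor the address is locked, so a
    locked party cannot keep guessing; the caller should show the same generic
    failure message for 'locked' and 'denied'."""
    user_key = ("user", username.strip().lower())
    ip_key = ("ip", client_ip)
    if guard.is_locked(user_key) or guard.is_locked(ip_key):
        return "locked"
    if check_password():
        guard.record_success(user_key)   # the IP counter is deliberately not reset
        return "ok"
    guard.record_failure(user_key)
    guard.record_failure(ip_key)
    return "denied"


if __name__ == "__main__":
    guard = LoginLockout(max_failures=3, window_s=60, lockout_s=120)
    for _ in range(3):
        print(attempt_login(guard, "alice", "203.0.113.5", lambda: False))
    print(attempt_login(guard, "alice", "203.0.113.5", lambda: True))   # locked
```

Two points worth keeping in mind with this kind of control: a per-account lock lets anyone lock a legitimate user out by deliberately failing their login, which is why the example keeps the per-address counter alongside it and why lock periods are short rather than permanent; and a successful login should not clear the address counter, otherwise one valid account is enough to reset the limit for everyone behind that address.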

Also, a couple of days ago a worm started making the rounds exploiting a vulnerability in the genealogy application PhpGedView.  The authors have posted patches here which users are encouraged to apply as soon as possible.

Update: Frank Knobbe pointed out to me that there is a Snort signature available from BleedingSnort (here) to detect the PhpGedView exploit.

---------------------
Jim Clausing, jac /at/ isc.sans.org

Update on the SUS issues

Published: 2005-12-22
Last Updated: 2005-12-22 04:14:12 UTC
by Jim Clausing (Version: 1)
We told you about issues with Microsoft's Software Update Service (SUS) version 1 last week.  Yesterday, Microsoft released yet another update to their Approval Analyzer Tool.  They also updated Knowledge Base article 912307 to version 5.  Anyone still having problems with SUS after this month's updates should take a look at the updated article and tool.  Note that version 2 was not affected by this issue.  Thanx to several of our faithful readers, including Juha-Matti, for bringing this latest update to our attention.

-----------------------------
Jim Clausing,  jclausing /at/ isc.sans.org

Help us out with a Christmas story

Published: 2005-12-22
Last Updated: 2005-12-22 04:05:57 UTC
by Jim Clausing (Version: 1)
With the holidays coming up this weekend, we're looking for some input from our readers on a story we'll publish on Saturday.  The question to you is, if your parents got a new computer for Christmas, what would you tell them to do?  Please send your ideas to the handlers through the contact page and we'll summarize.

Santa IM Worm

Published: 2005-12-22
Last Updated: 2005-12-22 04:03:59 UTC
by Marcus Sachs (Version: 1)

One of our attentive readers sent us a note yesterday and we missed posting it in the diary.  There's a nasty present waiting under your IM tree if you have been naughty this past year.  Read on...

Techweb -

"A new worm posing as a come-on to a Santa Claus site is traveling across all the major instant messaging networks, a security firm warned Tuesday, and when recipients visit the bogus site, they're infected with a file hidden from sight by a rootkit. IMlogic said that the worm, dubbed "M.GiftCom.All," which is circulating on the MSN, AOL, ICQ, and Yahoo instant messaging services, is a "Medium" threat, a relatively rare classification for the Waltham, Mass.-based company. Most IM worms and Trojans listed on its Threat Center receive only a "Low" classification. Like virtually all IM worms, M.GiftCom.All includes a URL in messages it spams out to contacts hijacked from previously-infected PCs. When users naively visit that site -- which is billed as a harmless Santa site -- a file is automatically downloaded to their computers. The file, usually named "gift.com", includes rootkit elements that cloak it from security software. In addition, the downloaded executable tries to disable a number of anti-virus programs, adds a keylogger to the system to capture confidential information, and then spreads to others by snatching names from the user's IM client contact list..."

IM Logic

"...Description: This worm broadcasts a URL out over IM clients which downloads an executable file, often named gift.com. When this file is executed, it hides itself and scans the registry, file system, and internet cache. By operating as a rootkit, the process is hidden from all tools and anti-virus software. It also attempts to shut down anti-virus software and makes several networking calls. Also it does keystroke logging and may attempt to propagate itself over IM clients..."

