SANS ISC InfoSec Handlers Diary Blog

AMD Forums Uh-Oh

Published: 2006-01-31
Last Updated: 2006-01-31 23:03:27 UTC
by Ed Skoudis (Version: 2)

Speaking of client-side sploits, it appears that AMD's forums website was used to distribute WMF exploit code the other day.  F-Secure has a write-up on the situation.  It's been resolved, but there is likely a very interesting story behind this one.  Again, client side exploits are the wave of the present.


Update: And now... the rest of the story (at least some of it).  A diligent reader forwarded us to this ZDNet story about what happened.  Seems that another company ran these fora for AMD, and they didn't update their software, so they got whacked and turned into a WMF exploit dispenser.


Updated Malware Domain List

Published: 2006-01-31
Last Updated: 2006-01-31 22:24:11 UTC
by Ed Skoudis (Version: 1)
The folks at Bleeding Snort released an updated list of known malware-related domains yesterday, up to 9,400 entries now!  For those of you employing DNS black holes, proxy-based filtering, or doing other general research of malware based on domains, you should check out this exhaustive (and exhausting!) new list.  I frequently rely on this list to match against when doing research of spyware and related nasties.  Kudos to the Bleeding Snort guys for their hard work.

CME-24: It Has Begun

Published: 2006-01-31
Last Updated: 2006-01-31 20:21:32 UTC
by Ed Skoudis (Version: 1)
According to the folks at F-Secure, the CME-24 file deletions have begun for folks whose clocks are set wrong (remember, this puppy is set to fire up on Feb 3).  For those not keeping score, CME-24 is the one that is also called Blackworm, Nyxem, Blackmal, Mywife, etc.  It's going to be a rough several days for some folks out there.  For more info on CME-24, here is the latest Internet Storm Center post on it.  Here is a Microsoft round-up on the issue as well.

Just remember: Malware was created by man. It evolved. It rebelled.

Two-Way Firewall in Windows Vista and Microsoft OneCare

Published: 2006-01-31
Last Updated: 2006-01-31 19:59:20 UTC
by Ed Skoudis (Version: 1)

With client-side exploits so plentiful, it sure would be nice to have some form of serious outbound firewalling built into Windows, wouldn't it?  The XP firewall blocks inbound traffic, but is of little use in outbound defenses.  As Handler Queen Lorna Hutcheson points out, since Win2K, you can filter outbound using the so-called IPSec filters of Windows.  However, such filters are: 1) Really badly named -- they don't have to use IPSec crypto; 2) Really hard to define (what an ugly GUI); and 3) Unable to restrict a specific application to specific ports and protocols.  So, the existing outbound filtering of Windows is extremely limited.


But, here's a nice article about how Microsoft plans on including outbound filtering in the Windows Vista firewall. Let's see, we've had such features with free solutions for over a decade.  But only in 2006 will we get it standard in Windows. 

In Microsoft's defense, though, once an attacker infiltrates via a client-side exploit, their evil code can simply alter the firewall config.  True.  But, still, security is all about raising the bar.  We raise the bar, they jump over it.  We then raise it again.  It's the natural order of things.  I hear some arguments that say, "We shouldn't do this from a security perspective, because they'll jump over this bar."  But, if the cost of such solutions is miniscule, why not raise the bar anyway, knowing that it still can be jumped?  Let's make the bad guys work a little harder if it doesn't cost us anything.

A related story involves Microsoft's OneCare technology, an attempt at a comprehensive set of anti-virus/anti-spyware/firewall tools that help provide an envelope of protection around a user's PC.  A blog post here talks about ways to dodge the defenses of OneCare, primarily by using Java and/or signed code to bypass the firewall restrictions.  Some Microsoft personnel respond here, saying that their goals were to pull security configurations together in one place and offer protection while minimizing application breakage.  It's all about trade-offs.  And I, for one, welcome our new OneCare overlords.  There are many copies.  And they have a plan.


Client-Side Exploits - The Mother Lode?

Published: 2006-01-31
Last Updated: 2006-01-31 19:28:36 UTC
by Ed Skoudis (Version: 1)

As any stroll down the latest Metasploit exploit list will tell you, attacking client technologies is very hot right now, including browsers, mail readers, audio players, etc.  Here is an interesting article from Brian Krebs about a huge area likely to be very ripe with such exploits: ActiveX controls installed by third parties.  Krebs summarizes well the research of Richard M. Smith, who claims to have found a cornucopia of buffer overflow flaws in widely deployed ActiveX controls.  Handler extraordinaire Agent Tom Liston points out the possibility of using a known flaw in an ActiveX control to really help target a given population, such as a given ISP's customers or perhaps a given corporation or government known to use a given ActiveX control.


Winamp 5.x Remote Code Execution via Playlists

Published: 2006-01-31
Last Updated: 2006-01-31 16:58:57 UTC
by Ed Skoudis (Version: 3)
While we're on the topic of audio software, there's a 0-day exploit out today for Winamp 5.12 that allows remote code execution via a crafted playlist (.pls) file.  The proof-of-concept exploit suggests using an iframe to trigger a 'drive-by' attack on anyone unlucky enough to visit a website containing a malicious iframe; say, third-party advertisers and forum websites--the usual vectors for this sort of thing.  Secunia's got a nice writeup of it here.

Update 21:22 UTC: Now that's what I call service!  There's a new version of Winamp out today, version 5.13, which you can download now.  Further research has shown that the workarounds can be bypassed, so don't bother.  Just update.

Update Jan 31: There's a sploit in the wild for this one.  Have you patched yet?  The kiddies will come a-callin' soon. --Ed.

