SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-03-11



peercast update and exploit

Published: 2006-03-11
Last Updated: 2006-03-11 23:00:20 UTC
by donald smith (Version: 1)

A security update, version v0.1217, has been released for PeerCast; it addresses a serious vulnerability.


http://www.peercast.org/download.php
"PeerCast is a simple, free way to listen to radio and watch video on the Internet. It uses P2P technology to let anyone become a broadcaster without the costs of traditional streaming."

http://www.peercast.org/forum/viewtopic.php?t=3346
"This fixes a serious buffer overrun vulnerability discovered by Leon at INFIGO IS (http://www.infigo.hr/) many thanks to them for alerting us promptly."

An exploit for this vulnerability has been publicly released.


acts of terrorism trojan

Published: 2006-03-11
Last Updated: 2006-03-11 19:54:39 UTC
by donald smith (Version: 1)
Don't open zips you get in the mail.
Today's gem claims to be a video about new acts of terrorism.
Attached to the email was a 47KB zip file, news.zip.
Inside news.zip is news.exe.
But it's a trojan, of course.
Only about half of the AV scanners recognized it.
Those that did identified it as a trojan downloader of some sort.

TEXT of the virus message:

From: BBC World News [mailto:news@info.bbc.com]
Sent: Fri 3/10/2006 7:24 PM
To: Smith, Donald
Subject: New acts of terrorism in New York and London

Today FBI and SCOTLAND YARD has informed on set of new acts of terrorism
in New York and London. On a communique was lost more than two thousand person
and about ten thousand have received the wounds which were much of them are in
a grave condition.Police and MI5 identified an Al-Qaeda cell that had carried
out extensive research and video-recorded reconnaissance missions in preparation
for the attack. You can learn the detailed information in the attached file.
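Since only about half of the scanners caught news.exe, a gateway check that refuses executable content inside zip attachments regardless of what the scanner says is a useful second layer. The following is an added example, not code from the diary or from SANS ISC; the zip it builds and the fake MZ header inside it are constructed test data, not the real sample.

```python
import io
import zipfile

# Constructed stand-in for the diary's news.zip: a member named news.exe whose content
# is a fake MZ/PE header built here, not a real binary.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
EXEC_MAGIC = {b"MZ": "dos/pe executable", b"\x7fELF": "elf executable", b"PK\x03\x04": "nested zip"}

def build_sample_zip(members):
    """Build a zip in memory from {name: bytes}; used only to create test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def inspect_zip_attachment(data, max_members=200):
    """Return [(member, reason)] for members that should stop the mail at the gateway.
    Judges by content magic as well as extension, so news.exe renamed to news.txt is
    still caught; encrypted members cannot be inspected and are flagged as such."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<attachment>", "not a valid zip")]
    for info in zf.infolist()[:max_members]:
        if info.is_dir():
            continue
        reasons = []
        if info.filename.lower().endswith(EXEC_EXT):
            reasons.append("executable extension")
        if info.flag_bits & 0x1:
            reasons.append("encrypted member, content not inspectable")
        else:
            head = zf.open(info).read(4)   # only the magic bytes, never the whole member
            for magic, label in EXEC_MAGIC.items():
                if head.startswith(magic):
                    reasons.append(label + " by content")
        if reasons:
            findings.append((info.filename, ", ".join(reasons)))
    return findings

def should_block(data):
    """Gateway verdict: any flagged member is enough to hold the message."""
    return bool(inspect_zip_attachment(data))
```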


What crime is this?

Published: 2006-03-11
Last Updated: 2006-03-11 01:49:54 UTC
by Stephen Northcutt (Version: 1)
Thanks to Bob, Nathanial, Greg for the help and expert analysis. We received an email similar to this:

= = =
Hi there lovely,I was searching the net few days ago and 
saw your profile. I decided to email you cause I found you
attractive. I might come down to your city infew weeks.
Let me know if we can meet each other in person.I am
attractive girl. I am sure you won't regret it. Reply to
my personal email at ***.
= = =

It was clearly spam, but what is the crime? So a couple of us responded back via throwaway accounts. We each received emails with pictures of a pretty girl with text similar to this:

= = =
Hello my lonely boy,I am so happy to see that you have 
decided to reply. I don't want to live in Russia because
I have not any chances here. My best friend last year met
the man from the USA when she worked there for three months,
too. She had two jobs. From morning till 4 pm she worked in
amusement park and after it she worked as a waitress in some
bar till midnight. I will leave Russia in two weeks or so
(I can't tell you everything exactly right now) and I would
like to be sure that I have the man who waits for me there.
I will work all day and I want to find a man to spend all
free time together to get to know each other better. If you
have any interest to meet me I will be more than happy to
meet you too. Please send picture of you too!!! Now I write
you from my personal mailbox(***), please write me back here
and here only. I will be checking it often.

Kiss you your Elena, (this is my name)
= = =

The scam: get lonely, gullible men to wire money so that beautiful Russian women can fly here to work hard by day and date them by night. And of course the money disappears, and no girl arrives. It might not hurt to update your awareness programs, or add this to your next awareness email blast. Other links the research team found include:

http://home.wi.rr.com/saruman/articles/articles_fromrussia.html
http://www.stopscammers.com/letter(s)_from1126_to_report1.asp
http://www.womenrussia.com/blacklist.htm

Perhaps the funniest thing: the pictures of the "pretty girl" apparently are of a Canadian, not a Russian, but who can know. Thanks to everyone; we consider the case closed.

Stephen Northcutt - President
The SANS Technology Institute

McAfee/NAI rolls bad pattern

Published: 2006-03-11
Last Updated: 2006-03-11 01:29:45 UTC
by Daniel Wesemann (Version: 1)
NAI/McAfee today released pattern version 4716 only hours after 4715 had come out. Pattern 4715 triggered false positive virus alerts for "W95/CTX" on a number of files that are part of quite prominent third party products. Good for you if you have your AV configured to "quarantine" bad files and not to delete them outright; this makes restoring the chewed-up files after a false positive considerably faster. Nevertheless, things like this can get messy pretty quickly if the AV scanner starts to quarantine vital components of your environment.

If you weren't affected and/or are using a different AV product, it might still be worthwhile to spend a couple of minutes on the following questions:
  • How would you detect such a "bad pattern" in your environment, and, more importantly, how would you distinguish between "false positive" and "virus outbreak"?
  • Would you have the capability to roll back to the last "known good" pattern if help from the vendor were not forthcoming? Where exactly do these patterns come from? Is the previous pattern version available there as well?
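One way to approach the first question is to triage quarantine events per detection name: hits that all land on old, vendor-shipped files in install directories, on the same few paths across many hosts, in the scan right after a DAT rollout, look like a bad pattern; fresh files in user temp directories look like an outbreak. The following is an added example, not code from the diary or from McAfee; the log layout, hosts, paths, rollout time and the "Trojan.Downloader.SAMPLE" name are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed quarantine events in a made-up key=value layout (not McAfee's real log
# format); hosts, paths, the rollout time and the downloader name are invented.
LOG = """
2006-03-10 14:02:11 host=ws017 dat=4715 name=W95/CTX path="C:\\Program Files\\Vendor\\app.dll" mtime=2005-11-02
2006-03-10 14:02:40 host=ws022 dat=4715 name=W95/CTX path="C:\\Program Files\\Vendor\\app.dll" mtime=2005-11-02
2006-03-10 14:03:05 host=ws031 dat=4715 name=W95/CTX path="C:\\Program Files\\Vendor\\app.dll" mtime=2005-11-02
2006-03-10 14:03:30 host=ws040 dat=4715 name=W95/CTX path="C:\\Program Files\\Vendor\\helper.exe" mtime=2005-11-02
2006-03-10 15:10:00 host=ws017 dat=4715 name=Trojan.Downloader.SAMPLE path="C:\\Docs\\u1\\Temp\\news.exe" mtime=2006-03-10
2006-03-10 16:20:00 host=ws052 dat=4715 name=Trojan.Downloader.SAMPLE path="C:\\Docs\\u2\\Temp\\news.exe" mtime=2006-03-10
"""
DAT_ROLLOUT = {"4715": datetime(2006, 3, 10, 14, 0)}  # when each DAT reached the fleet (constructed)
INSTALL_DIRS = ("c:\\program files\\", "c:\\windows\\")  # where vendor-shipped files live
LINE = re.compile(r'^(\S+ \S+) host=(\S+) dat=(\S+) name=(\S+) path="([^"]+)" mtime=(\S+)$')

def parse(log):
    """Turn log text into event dicts; lines that do not match the layout are skipped."""
    events = []
    for line in log.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, host, dat, name, path, mtime = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host,
                           "dat": dat, "name": name, "path": path,
                           "mtime": datetime.strptime(mtime, "%Y-%m-%d")})
    return events

def triage(events, window=timedelta(minutes=30), min_hosts=3):
    """Per detection name: 'suspect bad pattern' when every hit is an old file in an
    install directory on many hosts right after the DAT rollout, else 'possible outbreak'."""
    by_name = defaultdict(list)
    for e in events:
        by_name[e["name"]].append(e)
    verdicts = {}
    for name, evs in by_name.items():
        rollout = lambda e: DAT_ROLLOUT.get(e["dat"], e["ts"])
        hosts = {e["host"] for e in evs}
        paths = {e["path"].lower() for e in evs}
        in_install = all(p.startswith(INSTALL_DIRS) for p in paths)
        pre_existing = all(e["mtime"] < rollout(e) - timedelta(days=7) for e in evs)
        right_after = all(timedelta(0) <= e["ts"] - rollout(e) <= window for e in evs)
        if in_install and pre_existing and right_after and len(hosts) >= min_hosts:
            verdicts[name] = "suspect bad pattern"  # confirm against vendor file hashes before restoring
        else:
            verdicts[name] = "possible outbreak"    # treat as real until the files are examined
    return verdicts
```

The verdict is a triage hint for the on-duty analyst, not a substitute for checking the quarantined files against the vendor's published hashes.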