SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-04-26 InfoSec Handlers Diary Blog

MS Update to MS06-015 and a Separate Fix for AEC.SYS Issue

Published: 2006-04-26
Last Updated: 2006-04-26 23:10:42 UTC
by Ed Skoudis (Version: 1)
0 comment(s)
Lots of folks have sent us e-mail wondering why their WinXP boxen have suddenly indicated that they have a new patch.  It is the update that fellow handler Toby Kohlenberg mentioned a couple of days ago, which has now been pushed.  Look here for details.

In other Windows-patching news, Microsoft has also released a completely separate patch to fix an error associated with KB900485, which fixes, and I quote:

"Date last published: 4/25/2006
Install this update to prevent an issue in which you may receive a 'stop 0x7e in AEC.SYS' error message on a computer that is running Windows XP Service Pack 2.  The error may occur during startup, or after the system has started.  AEC.SYS is the acoustic echo canceling driver.  After you install this item, you may have to restart your computer."

Microsoft has told us that this patch is associated with the following:

"This is the ACE reliability update.   It has been available via download center for several months; when people do hit the crash the Watson/OCA site refers them to the download.  For non-security updates, especially things like this reliability update, we do try to have them posted on www.microsoft.com/downloads and available through Watson/OCA or other means for some period of time before pushing out through WU. This gives us additional confidence in the quality of the update before pushing out to several hundred million users.

This specific fix is a random timing bugcheck that can happen when using two-way audio (e.g. netmeeting, messenger, etc.)  It is a random event that could happen at any time.  If you hit it, and reboot, you might not ever hit it again; or you might hit it next month, or in a few months, or the next day.

We monitor the Watson/OCA crash data, and when we have a higher-volume hit in a Windows component that we can fix, we do so, and post it on download center.  Over time, we then move the higher-volume cases to Windows Update. This is just one such case.  Installing this update helps prevent people from crashing in the future."

Interesting insights into how things work inside the magic curtain.  Thanks, Microsoft!
--Ed Skoudis
Intelguardians.

Chernobyl Plus 7 Years

Published: 2006-04-26
Last Updated: 2006-04-26 21:56:20 UTC
by Ed Skoudis (Version: 1)
0 comment(s)
Reader JD mentions that today is the anniversary of Chernobyl... both the Nucular (sic) disaster from 1986 and the flash-garbage-into-your-BIOS virus from 1999.  I guess that's sort of an indication of how geeky you are.  When I saw the news headline mentioning Chernobyl, my first thought was of the virus.  Our condolences to those impacted even to this day by the worst nuclear accident in history.

But, JD (who referred to yours truly as a post-hog ;) mentioned that it was this virus (also known as CIH) that got him involved with malware research in the first place.  Blowing away the BIOS rendered many systems in 1999 totally unusable, making for a devastating infection.  It was indeed a watershed event for a lot of us in the handlerati.  JD asks for other readers who were significantly impacted by CIH to share their recollections of that event.  Got any interesting CIH stories that you care to share?

--Ed.
Intelguardians

UPDATE: Reader John Smith recalls wistfully:

"I remember that day, April 26th 1999. It was a Monday. Since April 27th is a national holiday here in Slovenia (Day of Uprising against the Occupation), almost everyone took a day off and enjoyed a 4-day weekend, and schools were closed.  A high school classmate who worked in a bakery called me sometime around 11h. He had a major problem with computers: one of the accountants had come to work to finish a monthly report, and every computer she turned on started to boot Windows, then went crazy. It simply did not start; if turned off and on again, it was even worse, and Windows did not boot at all. So she went around the office and started all the other computers. And guess what, all 10 of them failed to work.

When the computers were started and the first CIH-infected program ran, junk data was written to the beginning of the hard drives. Fortunately, the motherboards on those computers were not damaged.  He brought one computer to me, and after some DiskEdit exploration I discovered that FAT2 was intact. So I copied FAT2 to FAT1 and re-calculated the master boot sector. After booting from a floppy and disinfecting the files with F-PROT, the computer was operational again. We were lucky and managed to rescue the data from all the computers.

BTW, I wonder what CIH author Chen Ing-Hau is doing these days. Is he reading this?"

I wonder too....  By the way, is it just me, or did anyone else notice that if you Base-64 encode "Chen Ing-Hau" and then ROT-14 it, and XOR it with "Intelguardians", it actually spells "Ekim Roop"?  Maybe it's just me. --Ed Skoudis.
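The FAT2-over-FAT1 trick John describes is worth seeing as code.  What follows is an added example written for this diary, not anything John or the CIH cleanup actually used: it parses the BIOS Parameter Block of a FAT16 volume, sanity-checks the header of each FAT copy, restores FAT1 from an intact FAT2, and walks a cluster chain afterwards to confirm the result.  It assumes the boot sector is intact or has already been rebuilt (John's "re-calculated the master boot sector" step) and that only the first FAT copy was overwritten; the 64-sector volume it operates on is constructed inside the script and is far too small for a real FAT16 volume, but it is parsed as one here.

```python
# Added example, not code from John's recovery.  Assumes the BPB is intact
# or already rebuilt and that only FAT1 was hit; the volume is constructed.
import struct

SECTOR = 512
MEDIA = 0xF8     # media descriptor for a fixed disk
EOC = 0xFFFF     # FAT16 end-of-chain marker


def parse_bpb(img):
    """Pull the BIOS Parameter Block fields needed to locate the FAT copies."""
    if bytes(img[510:512]) != b"\x55\xAA":
        raise ValueError("boot sector signature missing; rebuild the BPB first")
    (bps, spc, reserved, nfats, root_entries,
     total16, media, spf) = struct.unpack_from("<HBHBHHBH", img, 11)
    if nfats < 2:
        raise ValueError("volume has a single FAT copy; nothing to restore from")
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved": reserved, "num_fats": nfats, "root_entries": root_entries,
            "total_sectors": total16, "media": media, "sectors_per_fat": spf}


def fat_regions(bpb):
    """(offset, size) of each FAT copy; they sit back to back after the reserved sectors."""
    size = bpb["sectors_per_fat"] * bpb["bytes_per_sector"]
    base = bpb["reserved"] * bpb["bytes_per_sector"]
    return [(base + i * size, size) for i in range(bpb["num_fats"])]


def fat_looks_valid(fat, media):
    """Header check: entry 0 is the media byte padded with 0xFF, entry 1 is EOC
    (Windows may clear its top two bits as dirty-volume / hard-error flags)."""
    e0, e1 = struct.unpack_from("<HH", fat, 0)
    return e0 == (0xFF00 | media) and (e1 & 0x3FFF) == 0x3FFF


def follow_chain(fat, start):
    """Walk one cluster chain; raise on a loop, a free entry or an out-of-range link."""
    chain, seen, cur = [], set(), start
    nentries = len(fat) // 2
    while 2 <= cur < nentries and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        cur = struct.unpack_from("<H", fat, cur * 2)[0]
        if cur >= 0xFFF8:                     # end of chain reached
            return chain
    raise ValueError("broken chain from cluster %d at entry 0x%04x" % (start, cur))


def repair_fat1_from_fat2(img):
    """Return (repaired image, message).  Never overwrites a FAT1 whose header still
    looks sane: two plausible-but-different FATs need a human, not a script."""
    bpb = parse_bpb(img)
    regions = fat_regions(bpb)
    copies = [bytes(img[off:off + size]) for off, size in regions]
    valid = [fat_looks_valid(c, bpb["media"]) for c in copies]
    if valid[0]:
        if all(c == copies[0] for c in copies[1:]):
            return bytearray(img), "all FAT copies identical and valid; nothing to do"
        return bytearray(img), "FAT1 header valid but copies differ; inspect manually"
    good = next((i for i, v in enumerate(valid) if i > 0 and v), None)
    if good is None:
        raise ValueError("no intact FAT copy to restore from")
    fixed = bytearray(img)
    off, size = regions[0]
    fixed[off:off + size] = copies[good]
    return fixed, "FAT1 restored from FAT%d" % (good + 1)


def build_test_image():
    """Constructed 64-sector volume: boot sector, two 1-sector FATs, one file in
    clusters 2->3->4.  Far too small for a real FAT16 volume, but parsed as one."""
    img = bytearray(64 * SECTOR)
    img[0:3] = b"\xEB\x3C\x90"
    img[3:11] = b"EXAMPLE "
    struct.pack_into("<HBHBHHBH", img, 11, SECTOR, 1, 1, 2, 16, 64, MEDIA, 1)
    img[510:512] = b"\x55\xAA"
    fat = bytearray(SECTOR)
    struct.pack_into("<HH", fat, 0, 0xFF00 | MEDIA, EOC)
    for cluster, nxt in ((2, 3), (3, 4), (4, EOC)):
        struct.pack_into("<H", fat, cluster * 2, nxt)
    img[SECTOR:2 * SECTOR] = fat
    img[2 * SECTOR:3 * SECTOR] = fat
    return img


def simulate_junk_write(img, first_sector, n_sectors):
    """Model the CIH-style overwrite: junk from first_sector onward (here FAT1 only)."""
    damaged = bytearray(img)
    lo, hi = first_sector * SECTOR, (first_sector + n_sectors) * SECTOR
    damaged[lo:hi] = b"\xCC" * (hi - lo)
    return damaged


def demo():
    """Damage FAT1, repair it from FAT2, and confirm the file's chain is back."""
    clean = build_test_image()
    damaged = simulate_junk_write(clean, 1, 1)
    bpb = parse_bpb(damaged)
    regions = fat_regions(bpb)
    before = [fat_looks_valid(damaged[o:o + s], bpb["media"]) for o, s in regions]
    fixed, msg = repair_fat1_from_fat2(damaged)
    off, size = regions[0]
    chain = follow_chain(fixed[off:off + size], 2)
    return before, msg, chain, fixed == clean


if __name__ == "__main__":
    print(demo())
```

To use it on a real volume, feed repair_fat1_from_fat2 the raw partition image (a dd copy, never the live disk) in place of build_test_image and write the returned bytearray back out.  Note that it deliberately refuses to touch a FAT1 whose header still looks valid when the copies disagree; that situation calls for DiskEdit and a person, which is exactly what John did.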

Windows Vista Firewall

Published: 2006-04-26
Last Updated: 2006-04-26 21:53:04 UTC
by Ed Skoudis (Version: 1)
0 comment(s)
In a somewhat related story, ZDNet has an interesting article reporting that Microsoft has decided the Windows Vista firewall will ship with no outbound filtering enabled by default.  Apparently, Microsoft was considering blocking outbound connections by default but, in response to requests from large enterprise customers, won't be doing that.  The reasoning, I suppose, is that not breaking corporate apps is more important than security.  This is a change from the original Plan (yes, note the capital P), which said that Vista would ship with a two-way firewall.  It still has that capability, but outbound filtering will be turned off by default.

I remember a recent fascinating rant from Marcus Ranum, saying (I paraphrase) that a firewall that doesn't block outbound traffic isn't worthy of the name firewall.  From the guy who popularized the term firewall so long ago (and the term script kiddie), that's an interesting point.

But, of course, the lack of outbound filtering isn't a problem, given that the client-side apps are so rock solid.  Also, with your Jedi-like Windows command-line Kung Fu, it won't matter if your box gets hit, because you'll be able to figure it out so quickly and respond...  Yeah, right!

To be fair, there are some arguments for not doing outbound filtering on a personal firewall.  I don't agree with them, but the arguments do exist.

Thanks to reader Tony van der Togt for the heads-up on the ZDNet article.

--Ed Skoudis.
Intelguardians.

UPDATE: Our readers are the best!  It seems that we have eyes everywhere.  Chris Gurley, one of said readers, told us that he was at a Microsoft Security Summit yesterday in Dallas, TX.  He said that a Microsoft security guru at this meeting mentioned that they still intend on shipping Vista with the outbound firewall filtering activated by default.  So, the ZDNet article may be incorrect.  We don't have an authoritative word on The Plan here... but we want to give you all the info we have.  This one will be interesting!


The Empire Hacks Back Challenge: Test Your Windows Command-Line Kung Fu

Published: 2006-04-26
Last Updated: 2006-04-26 12:06:43 UTC
by Ed Skoudis (Version: 1)
0 comment(s)
After a far-too-long hiatus, I'm back in the challenge writing swing of things, with a brand new hacking scenario for you to solve.

Without further ado, I am happy to present...

In this challenge, you get to match wits with a bot-net-wielding Darth Vader, exercising some serious Windows command-line Kung Fu to save the Millennium Falcon and our heroes from certain doom!  You are our only hope.

Compose your answers, send them into skillz0506@ethicalhacker.net, and win a fine prize.  Even if you cannot answer them all, send in what you can answer, because we'll be awarding three prizes.  The best technical answer wins, as does the most creative technically correct answer.  But, we'll also give a prize to a single winner drawn at random from all partially correct answers.  So, if you can only answer one or two of the questions, go for it!  You still might win.

By the way, if you like these challenges, I've got 16 other movie-themed challenges for you here.

And finally, if you really like the challenges, I'm happy to also announce that other ISC and related folks are going to start writing one every other month.  Mike Poor will be writing a Tarantino-themed challenge for early July release.  Then, Jay Beale will do one for September.  Then, Tom "My-Spyware-Will-Be-Released-Next-Week" Liston will write one for November.  And, I'll do a Christmas-themed one at the end of the year.  Fun, fun, fun!

--Ed Skoudis
Intelguardians.

Yet Another IE Flaw (YAIEF)

Published: 2006-04-26
Last Updated: 2006-04-26 12:06:34 UTC
by Ed Skoudis (Version: 1)
0 comment(s)
Today, if you are plagued with farcical fulminations from Firefox fans or self-satisfied smirks from Safari sympathizers, it may be because of this, from Secunia:

"Michal Zalewski has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.  The vulnerability is caused due to an error in the processing of certain sequences of nested 'object' HTML tags. This can be exploited to corrupt memory by tricking a user into visiting a malicious web site.  Successful exploitation allows execution of arbitrary code."

Thanks to diligent reader Karl Prince for the heads-up.

I remember back in the mid-90's, we used to joke about a bug-of-the-month club for Sendmail.  Well, Sendmail has gotten far better, but perhaps we need a bug-of-the-week club, or even a zero-day-of-the-week (ZDotW) club for IE?

--Ed Skoudis
Intelguardians.