SANS ISC: InfoSec Handlers Diary Blog

FTP-Brute Force Attacks and Password Management

Published: 2006-07-17
Last Updated: 2006-07-18 13:15:52 UTC
by Scott Fendley (Version: 1)

In the past week I have seen what appeared to be an uptick in FTP-based brute force attacks on a few of the machines in my area. According to the DShield data, there has been a small increase in sources for a few days, but perhaps nothing out of the ordinary. That was until last night, when Ryan from the Philippine Honeynet Project pointed out the same thing from their point of view. [Thanks for confirming this before I even asked :-) ]

They issued an advisory located at http://www.philippinehoneynet.org/data.php which details a bit more of what they are seeing. I am going to include a snippet of their advisory, which includes some tips and reminders for administrators about password management.


"In light of this, here are some tips / guide for administrators:
  • force passwords to expire on a regular basis, be it monthly, quarterly, or on some other schedule - and force users to change their old passwords.
  • users should be forced to use their new password for a period of time before being allowed to change it again.
  • users should not be allowed to re-use an old password and the system should be able to keep or record previously used passwords for a given user.
  • a minimum password length should be enforced, and users should also be forced to include in their selected password some minimum number of upper-case characters, numbers, and non-alphanumeric characters.
  • passwords should be compared or checked against a "dictionary" of easily guessable passwords or strings that are commonly hit by the standard password "cracking" tools.
  • set a given account to be disabled after a certain number of failed logins except for administrative accounts.
  • user names should also be considered. Deny "default" user names, either those with super privileges (administrator, root, et al.) or those with restricted privileges (nobody, et al.).
  • FTP server shouldn't verify the existence or non-existence of the user names entered, so as to hinder this guessing attack.
  • check your network for FTP services that you're not aware of, especially hardware with an embedded OS.
This special advisory is just to remind administrators that sometimes, it is the small things that tend to make big holes. In this case, it is always a good idea to implement stricter measures in password usage particularly in setting up temporary passwords for new accounts."
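As an added example (not from the diary or from the Philippine Honeynet Project's advisory), here is how several of those tips translate into detection logic over FTP login records: it counts failures per source, flags attempts against the default account names the advisory lists, nominates non-administrative accounts for lockout after repeated failures, and highlights a successful login that follows a burst of failures from the same source. The vsftpd-style log format, the sample lines and the thresholds are assumptions.

```python
import re
from collections import Counter

# Default account names the advisory says should be denied as FTP logins.
DEFAULT_USERNAMES = {"administrator", "root", "nobody"}
# Accounts exempt from automatic lockout (the advisory's exception; assumed list).
ADMIN_ACCOUNTS = {"administrator", "root"}

# Matches a vsftpd-style login record; the exact format is an assumption here.
LOG_RE = re.compile(
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')
# Constructed sample log: one source tries default names, then lands a login.
SAMPLE_LOG = """\
Mon Jul 17 09:23:41 2006 [pid 4011] [root] FAIL LOGIN: Client "192.0.2.10"
Mon Jul 17 09:23:42 2006 [pid 4012] [administrator] FAIL LOGIN: Client "192.0.2.10"
Mon Jul 17 09:23:43 2006 [pid 4013] [nobody] FAIL LOGIN: Client "192.0.2.10"
Mon Jul 17 09:23:46 2006 [pid 4016] [scott] OK LOGIN: Client "192.0.2.10"
Mon Jul 17 09:30:02 2006 [pid 4020] [scott] FAIL LOGIN: Client "198.51.100.7"
Mon Jul 17 09:30:09 2006 [pid 4021] [scott] OK LOGIN: Client "198.51.100.7"
Mon Jul 17 09:31:00 2006 [pid 4022] [bob] FAIL LOGIN: Client "203.0.113.5"
Mon Jul 17 09:31:01 2006 [pid 4023] [bob] FAIL LOGIN: Client "203.0.113.5"
Mon Jul 17 09:31:02 2006 [pid 4024] [bob] FAIL LOGIN: Client "203.0.113.5"
"""
def analyze(log_text, ip_threshold=3, lockout_threshold=3):
    # Thresholds are assumptions sized for the sample; tune them for real traffic.
    fails_by_ip = Counter()        # failed logins per source address
    fails_by_user = Counter()      # failed logins per account name
    default_name_hits = Counter()  # attempts against default names, per source
    success_after_spray = []       # (ip, user, prior failures) worth a closer look
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue               # not a login record
        user, result, ip = m.group("user").lower(), m.group("result"), m.group("ip")
        if result == "FAIL":
            fails_by_ip[ip] += 1
            fails_by_user[user] += 1
            if user in DEFAULT_USERNAMES:
                default_name_hits[ip] += 1
        elif fails_by_ip[ip] >= ip_threshold:
            success_after_spray.append((ip, user, fails_by_ip[ip]))
    return {
        "brute_force_sources": {ip: n for ip, n in fails_by_ip.items() if n >= ip_threshold},
        "default_name_sources": dict(default_name_hits),
        # accounts to disable per the advisory, administrative ones excepted
        "lockout_candidates": sorted(u for u, n in fails_by_user.items()
                                     if n >= lockout_threshold and u not in ADMIN_ACCOUNTS),
        "success_after_spray": success_after_spray,
    }
```

Running `analyze(SAMPLE_LOG)` reports both noisy sources, the default-name probing from 192.0.2.10, bob as a lockout candidate, and scott's login from 192.0.2.10 right after three failures as the one to investigate first.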

---
Scott Fendley
ISC Handler

Microsoft Powerpoint Security Advisory Released

Published: 2006-07-17
Last Updated: 2006-07-18 13:15:06 UTC
by Scott Fendley (Version: 1)
Yesterday evening, Microsoft released a security advisory concerning the 0-day vulnerability reported on July 15. The advisory details some of the mitigating factors and offers some workarounds that may help protect you until an update is released on the August Patch Tuesday. The advisory is located at http://www.microsoft.com/technet/security/advisory/922970.mspx.


---
Scott Fendley
ISC Handler

McAfee EPO fix

Published: 2006-07-17
Last Updated: 2006-07-17 23:28:47 UTC
by Adrien de Beaupre (Version: 1)
eEye claims that the vulnerability allows remote code execution as SYSTEM; McAfee seems to be saying it only allows placement of arbitrary files on the vulnerable host. McAfee has acknowledged the vulnerability in its EPO product and has posted a fix. Details at the URLs below:

http://knowledge.mcafee.com/article/640/9925498_f.SAL_Public.html

http://www.eeye.com/html/research/advisories/AD20060713.html

Cheers,
Adrien

Reported Shockwave issue with Myspace.com

Published: 2006-07-17
Last Updated: 2006-07-17 23:17:35 UTC
by Adrien de Beaupre (Version: 1)
Scott wrote in to report that Myspace.com may be having security issues with embedded Shockwave files. A couple of websites contain some details of the 'hack'. Myspace.com did not return any emails that requested additional information from them. I have been unable to confirm the hack or the security issue.

Some information:
http://chaseandsam.com/
http://kinematictheory.phpnet.us/

I can't vouch for the content, and I don't have a Myspace.com account.

Cheers,
Adrien


Behavioral Analysis of Rootkit Malware

Published: 2006-07-16
Last Updated: 2006-07-17 23:36:24 UTC
by Lenny Zeltser (Version: 3)

Those who've taken my Reverse-Engineering Malware class know that I am a fan of a two-phased approach to malware analysis:

  1. The behavioral analysis phase examines how the malicious program interacts with its environment: the file system, the registry (if it's a Windows program), and the network.
  2. The code analysis phase examines the code of the malicious program to understand what capabilities are built into it.
Each phase produces findings that reinforce findings from the other phase, resulting in a comprehensive understanding of the malicious program that would be harder to obtain via a single phase. The analyst typically starts with the phase that he or she is most comfortable with.

The behavioral analysis phase can be tricky when the malicious specimen exhibits rootkit tendencies--hiding its processes or files, for instance. One way to deal with this is to patch the specimen so that the concealing subroutine never executes. This is not always easy. To ease the challenge of monitoring rootkit-concealed processes, we can employ programs that can detect concealment mechanisms such as function hooking. I'd like to describe two such programs: Helios and IceSword.

The authors of Helios call it an advanced malware detection system. It attempts to tackle the task of heuristically detecting and blocking malicious programs, even rootkits, before they can embed themselves deep in the system. The program is still in the alpha development phase, but it is available as a free download for those who want to experiment with it in a laboratory environment.

I took Helios for a spin today to see whether it could help with malware analysis. I think it can be a helpful addition to the reverse-engineer's toolkit, because it can detect when the malicious program attempts to hide itself via rootkit techniques. Helios can also unhide the malicious process to make behavioral analysis a bit easier.

For example, consider a malicious program called malware.exe. Executing normally, it is visible in the task list, as you can see in the following Task Manager screen shot:



If this program had exhibited rootkit behavior, its process would be hidden. We can simulate this by hiding the malware.exe process using a rootkit, such as one called FU. By executing the command "fu -ph" and then supplying the process ID of the malicious program, we can hide the process from Task Manager.

If Helios is running in the background, it can detect the attempt to hide this process and alert you about it:



Helios can also allow you to unhide the concealed process with a click of a button:



Once unhidden, the malicious process is visible in Task Manager again.

Although Helios shows promise, it is still clearly a work in progress. For instance, I was unable to use Helios to detect a process concealed with FUTo, a newer version of the FU rootkit. Also, activating some features of Helios crashed my VMware virtual machine. I hope the program's authors continue their efforts to make it production-ready.

Another program that is definitely worth mentioning is IceSword, which offers a collection of utilities that can help locate rootkit-concealed programs. For example, even after I hid malware.exe using the FU rootkit, IceSword listed the malicious process among the processes running on the infected system:
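Tools of this kind commonly find a concealed process by cross-view comparison: one view of the process list taken the way ordinary tools take it, a second obtained by asking the kernel about each PID directly, and a diff between them. As an added example (not the diary's, Helios's or IceSword's code), here is that comparison on Linux, where it can run outside a rootkit lab; the /proc paths and the pid_max fallback are assumptions, and it handles the two usual false positives, thread IDs and processes that start or exit mid-scan.

```python
import os

def pid_max():
    # Upper bound of the PID space; the /proc path is a Linux assumption.
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except OSError:
        return 32768

def listed_pids():
    # View 1: what a normal process list (ps, Task Manager) is built from.
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def probed_pids(limit=None):
    # View 2: ask the kernel directly whether each PID exists (signal 0 sends nothing).
    found = set()
    for pid in range(1, (limit or pid_max()) + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue            # no such process
        except PermissionError:
            pass                # exists but belongs to another user
        found.add(pid)
    return found

def is_thread(pid):
    # A thread ID also answers kill(); /proc/<tid>/status reports Tgid != Pid for it.
    try:
        with open(f"/proc/{pid}/status") as fh:
            fields = dict(line.rstrip("\n").split(":\t", 1) for line in fh if ":\t" in line)
        return int(fields.get("Tgid", pid)) != pid
    except OSError:
        return False

def cross_view_hidden(listed, probed, thread_check=is_thread):
    # PIDs the kernel confirms but the listing omits, with thread IDs filtered out.
    return sorted(pid for pid in probed - listed if not thread_check(pid))

if __name__ == "__main__":
    # Snapshot the listing before and after the probe so a process that starts or
    # exits mid-scan is not reported as hidden.
    before = listed_pids()
    probed = probed_pids()
    after = listed_pids()
    print("suspicious PIDs:", cross_view_hidden(before | after, probed))
```

A rootkit that hooks both views consistently defeats this single comparison, which is why the tools above combine several views rather than one.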



If you know of other helpful tools for analyzing rootkit-like malicious software, please let us know. We'll be glad to hear from you.

Lenny Zeltser
www.zeltser.com