Tip of the Day - If you don't need it on, turn it off.
Disable any and all unneeded services.
Removing any unneeded services greatly reduces your exposure to vulnerabilities, as you now have fewer items running that could be vulnerable to attack.
Let's use the server service aka File and Printer Sharing as an example.
Chapter 7 of the Windows XP Threats and Countermeasures Guide (a must read for sysadmins IMHO) has a list of XP and Server 2003 services and a description of what each one does.
Threats and Countermeasures says the following about the Server service
"The Server service provides RPC support, file, print, and named pipe sharing over the network. It allows local resources to be shared, such as disks and printers, so that other users on the network can access them. It also allows named pipe communication between applications that run on other computers and your computer, which is used to support RPC. Named pipe communication is memory that is reserved for the output of one process to be used as input for another process. The input-acceptance process does not need to be local to the computer. This service is installed and runs automatically by default on Windows XP and Windows Server 2003.
If the Server service stops or if you disable it, the computer will not be able to share local files and printers with other computers on the network, and it will not be able to satisfy remote RPC requests."
Ok, so, why would you need this service enabled on your system? That depends on what role the system is playing. If the system is a file and/or print server you need the server service running, or you have nothing but an energy gulping, heat generating paperweight.
If the system is a web server only, you don't need the server service enabled. Other types of application servers may or may not need the service enabled depending on the nature of the application.
Corporate laptops and desktops typically don't need the server service enabled.
Corporate users/admins take note - disabling the server service will make some forms of remote administration and management difficult, if not impossible, so carefully evaluate the risks before taking any action.
If you are a home user with no other systems on your local LAN, you don't need the server service enabled.
If you are a home user with other systems on your internal LAN, then you only need the server service enabled if you are sharing folders or printers with the other system(s) on your LAN.
Ok, so you've realized that you don't need the service running and you want to know how to stop it.
Warning - the changes described below could cause a negative impact on production systems. Testing is required to determine whether the server service and/or any dependent services can / should be stopped.
You can either manage the service through the GUI (right click 'My Computer', manage, Services and Applications, Services) or ...
From a command shell on the target machine:
C:\>net stop lanmanserver
The system may respond:
Stopping the Server service will also stop these services.
[List of Services Here]
Do you want to continue this operation? (Y/N) [N]:
These are services that are dependent on the server service. You should carefully evaluate the need for any listed services before stopping the server service.
Ok, so the server service is stopped and the network is still functioning. Unless you change the way the service starts up (it is set to start automatically), the next time the system is rebooted, the server service will start again.
From the same command shell:
C:\>sc config lanmanserver start= disabled
(Make sure there is no space between 'start' and '='; the space after '=' is required.)
Which when successful will return:
[SC] ChangeServiceConfig SUCCESS
For those unfamiliar with sc.exe, a full description can be found here.
sc.exe (and Netsvc.exe) can also be used to stop services, but I prefer net stop for local use as it provides (again IMHO) a cleaner method of stopping dependent services. SC and Netsvc are excellent tools (as are some of the free offerings available from reputable vendors) for use in scripting remote service management.
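As an added example (not from the diary or the Threats and Countermeasures Guide), the same check-then-disable sequence in PowerShell: it lists the running services that the 'net stop' prompt would warn about, records the current startup type so the change can be reversed, and then does the equivalent of 'net stop' and 'sc config start= disabled'. The script and its parameter name are my own; run it elevated, and with -WhatIf first to rehearse.

```powershell
# Added example: audit dependents of the Server service (LanmanServer),
# then stop it and set it to Disabled. Requires an elevated session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ServiceName = 'LanmanServer'   # same target as 'net stop lanmanserver'
)

$svc = Get-Service -Name $ServiceName -ErrorAction Stop

# Equivalent of "Stopping the Server service will also stop these services."
# Only dependents that are currently running would actually be stopped.
$running = $svc.DependentServices | Where-Object { $_.Status -eq 'Running' }
if ($running) {
    Write-Host "Stopping $($svc.DisplayName) will also stop:"
    $running | Format-Table -Property Name, DisplayName, StartType -AutoSize
} else {
    Write-Host "No running services depend on $($svc.DisplayName)."
}

# Note the current startup type so you can undo this later
# (sc config lanmanserver start= auto).
Write-Host "Current startup type: $($svc.StartType)"

if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Stop and set StartupType=Disabled')) {
    # -Force stops the dependents too, like answering Y to the net stop prompt.
    Stop-Service -Name $ServiceName -Force
    # Same effect as 'sc config lanmanserver start= disabled'.
    Set-Service -Name $ServiceName -StartupType Disabled
    Get-Service -Name $ServiceName | Select-Object Name, Status, StartType
}
```

Remember the caveat above: on a domain-joined machine the listed dependents and your remote management tooling are what you are evaluating, so review the output before running without -WhatIf.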
This is just one example of a service that is enabled by default that many users keep enabled thinking they need it, when in many cases, they do not.
Home users: Take a few minutes and look through your list of running services and compare them with the descriptions in the Threats and Countermeasures Guide. Turn off and disable whatever you don't need.
Administrators: Take some time and look at your systems. Determine what is running, and what needs to be running. Develop a plan (including testing) to make any needed changes, get the approval you need and implement your plan.
MS06-042 and CA Unicenter Service Desk - Hotfix available
Microsoft updated MS06-042 (KB 918899) as follows:
Caveats: For some Internet Explorer 6.0 Service Pack 1 users, Internet Explorer may exit unexpectedly while attempting to access Web Sites using both the HTTP 1.1 protocol and compression. A hotfix and workaround for this issue is available, please see Knowledge Base Article 923762 for more information. A new version of KB918899 is currently in development and will be released to all Internet Explorer 6 Service Pack 1 customers on the Download Center and Windows Update by August 22nd, 2006. Customers not experiencing the issue described above are recommended to continue deploying MS06-042 in their environments to receive protection from the vulnerabilities documented in the Security Bulletin. The hotfix will be included in future Cumulative Security Updates for Internet Explorer 6.0 Service Pack 1. Microsoft Knowledge Base Article 918899 documents this and any other currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 918899.
UPDATE:
Microsoft August 2006 Patches: STATUS
# | Known Problems with this patch | Known Exploits | client rating | server rating
---|---|---|---|---
MS06-040 | Issue with: | Botnets actively exploiting this in the WILD. Exploit available in easy to use package. read more... | PATCH NOW | PATCH NOW
MS06-041 | No reported problems | | Critical | Critical
MS06-042 | Critical issue: More info: Issue #1: Issue #2: | Original MS06-042: fixes, among others, an FTP vulnerability that's well-known since 2004. First revision of the MS06-042 patch's buffer overflow has details public. | PATCH NOW | Important
MS06-043 | No reported problems | | Important | Less urgent
MS06-044 | No reported problems | | Critical | Critical
MS06-045 | No confirmed problems | | Critical | Less urgent
MS06-046 | No reported problems | | Critical | Important
MS06-047 | No reported problems | Trojan dropper reported in Word document by Symantec, Trendmicro(1) and Trendmicro(2). The dropper loads a backdoor: Trendmicro, Symantec. See also diary. | Critical | Less urgent
MS06-048 | No reported problems | Trojan dropper in Powerpoint | Critical | Less urgent
MS06-049 | Unconfirmed reports about corruption of files on compressed volumes. [Windows 2000 only patch] | | Important | Less urgent
MS06-050 | No reported problems | | Critical | Important
MS06-051 | Although unconfirmed by Microsoft so far, there seem to be problems related to Terminal Services and multiple users loading certain DLLs as part of some applications. Details and fixes or workarounds are too sketchy so far. See also the problem with .ini files and Citrix at the Citrix support forum. We're still looking for a more detailed description of the problems. | | Critical | Critical
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
New Malware for MS06-047
Shortly after, we heard from Sergio de los Santos from Virustotal who gave us some additional information:
We have detected a new malware for MS06-047 vulnerability.
It comes with a name syosetu.doc with 107.520 bytes. Hash MD5 is
7443358555983341CB9BB12BB0A0A191
Today, only a few AV can detect it (via virustotal):
W97M/ProjMod!exploit (eTrust-Vet), W32/Bgent.ZE!tr (Fortinet ),
Exploit-OleModule (McAfee), Exploit:Win32/Ponaml.gen (Microsoft),
Trojan.Mdropper (Symantec), TROJ_MDROPPER.BK (TrendMicro).
Thanks Juha-Matti and Sergio!
Vacation Rental Property Scam
Dear ISC,
I run a vacation rental business whereby I represent approximately 600 vacation homes. We are often subject to phishing scams where the perpetrator appears to be a legitimate renter and does a last minute booking. Sometimes they claim to be making reservations for a friend as a gift or they are a bunch of doctors traveling to a convention and any property we pick for them would be wonderful, etc, etc. The story usually goes that the car rental company won't take credit cards so could we please charge $200 extra to the card and add $100 for our trouble and could we please send the car rental payment to the company directly. Then, something happens and they don't need the car rental so could we please just send them a return check for the money, and please take another $50 out for our trouble. The idea, obviously, is that the charge fails or gets contested, but we've sent them a legitimate check that can be cashed and not recovered.
Yesterday, I discovered a new one, and was alerted to this by a legitimate renter who found a listing of the property that they wanted to rent from my firm on a different website, only the pictures didn't match. What the bad guys had done was spliced together several pieces of copyrighted material along with several pictures from several different ads and had taken out their own false ad that I assume they paid for. I purposely tried to flush them out, and contacted them to rent *their* property. The response I got back from <email address deleted> had no answers to any questions that I asked, and they urged me to send a check for the deposit immediately and they would courier the keys to my address. This is obviously a ruse since no one in the industry conducts business this way. I tried to coerce them into releasing something other than their bogus yahoo mail account such as a phone number or mailing address, but they wouldn't. I suspect they will disappear as soon as I report the ad as being fraudulent.
I don't know if this story is relevant to your audience, but this is the first time I've seen the bad guys trying to bilk larger sums of money out of legitimate renters instead of them trying to mess with the agencies. Obviously, this causes much damage to my business since renters aren't sure who they can trust since anyone can seemingly take an ad out for anything. I think it behooves these advertising companies to do a little more due diligence to verify the accuracy of the information they are displaying rather than just slapping up anything for anybody who has some cash.
Tip of the Day - Turn the NICs off during installation
I decided to try different Operating Systems to see which one would fit better for my needs.
As I already had a working NAT for one IP, nothing was more natural than to put the IP address on the OS during installation, right?
Yep, WRONG! The reason is that if you install an internet facing OS (as my NAT was exposing it), there may not be enough time to apply the patches (even offline patches, from CDs or pen drives).
So, my Tip of the Day is: whatever OS you are installing, if you can't physically unplug the network, choose not to configure the NICs during installation. That way you will have enough time to check which services will be running on your machine and turn them off before someone exploits your unpatched OS, because if you are installing a fresh OS, chances are that some applications/services are already outdated and you may be a victim of the bot of the day...
Don't trust me? Check this out...
-------------------------------------------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //&&// isc .sans .org )