SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-09-04

Trojan.Mdropper.Q / Email Attachment Practices / Word 2000 0-day

Published: 2006-09-06
Last Updated: 2006-09-06 19:31:47 UTC
by Michael Haisley (Version: 4)
Thanks to frequent reader Juha-Matti Laurio for sending us a note about Trojan.Mdropper.Q and the previously undiscovered Microsoft Word 2000 vulnerability that comes with it.  Trojan.Mdropper.Q activates when a file containing it is opened, and then installs a backdoor on the machine.  Fortunately, as with most Office vulnerabilities, a user has to actually open the file before the trojan can be activated.  Generally my advice to users is not to open files that they are not expecting, even if they know the person who sent the file, but this one has made me curious: what do other system admins recommend to their users?   Do you have a policy on email attachments?  Is this policy automatically enforced?
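One way to enforce an attachment policy automatically rather than relying on the user, as an added example that is not from the diary or from any product mentioned in it: classify each attachment by its content (the OLE2 compound-document header that legacy Word .doc files carry) rather than by its file name, and quarantine legacy Word documents from senders who are not on a trusted list. The policy table, the sender addresses and the sample message are all constructed for illustration.

```python
import email
from email import policy as email_policy
from email.message import EmailMessage

# OLE2 / Compound File Binary header used by Word 97-2003 .doc files
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Constructed policy (not from the diary): quarantine legacy Word documents
# from untrusted senders and block executable extensions outright.
POLICY = {
    "quarantine_ole2": True,
    "blocked_extensions": {".exe", ".scr", ".pif", ".bat", ".cmd"},
    "trusted_senders": {"colleague@example.com"},
}

def classify(filename, data):
    """Classify by content first, so a renamed .doc is still caught."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    name = (filename or "").lower()
    if any(name.endswith(ext) for ext in POLICY["blocked_extensions"]):
        return "blocked-ext"
    return "other"

def check_message(raw_bytes):
    """Return [(filename, kind, verdict)] for every attachment in a message."""
    msg = email.message_from_bytes(raw_bytes, policy=email_policy.default)
    sender = (msg.get("From") or "").strip().lower()
    trusted = sender in POLICY["trusted_senders"]
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        data = part.get_payload(decode=True) or b""
        kind = classify(fname, data)
        if kind == "blocked-ext" or (
                kind == "ole2" and POLICY["quarantine_ole2"] and not trusted):
            verdict = "quarantine"
        else:
            verdict = "allow"
        results.append((fname, kind, verdict))
    return results

def build_sample():
    """Constructed test message: OLE2 bytes attached under a harmless .txt name."""
    m = EmailMessage()
    m["From"] = "unknown@example.org"
    m.set_content("please see attached")
    m.add_attachment(OLE2_MAGIC + b"\x00" * 64, maintype="application",
                     subtype="octet-stream", filename="notes.txt")
    return m.as_bytes()
```

Running `check_message(build_sample())` quarantines the renamed document because the verdict is driven by the OLE2 header, not the .txt extension.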

Update #1

It appears Symantec has updated their site to include the size of the Trojan: 79,265 bytes.    Happy Antivirus updating!

Update #2

Juha-Matti writes to tell us that Securiteam has posted an entry about this vulnerability on their blog.  Check out their post here.  McAfee is calling this one W32/MoFei.worm.dr, and has a writeup about the Trojan here.  It is still unknown which vulnerability this exploits.

Update #3

Microsoft published some news about the "0-day" in MS Word here.  They offer two pieces of advice. 
1) Don't open Word files from people you don't know.  (This goes back to not eating candy until your parents look at it at Halloween, and not opening the door for strangers.)
2) Use Word 'viewer'

Of course Microsoft publishes great "Suggested Actions".

Protect your PC by enabling a firewall (which, btw, does not keep Word files out)

In fact one of Microsoft's suggested actions is: "Keep Windows Updated"...  we'd love to.  If there was a fix for the problem!

Let's hope they get it patched as soon as possible.

Browzar, the privacy that may not be

Published: 2006-09-04
Last Updated: 2006-09-04 18:57:23 UTC
by Joel Esler (Version: 3)
Browzar, a 'wrapper' for IE, is supposed to wipe all traces of the sites you have visited, cookies, and history files on your computer.  However, many experts have claimed that it is spyware.  This is due to Browzar setting the home page to their own search page, which allows them to insert sponsored links intermixed with regular links.  We suggest you take a look at some of the recent articles about Browzar, like this one over at BBC News, and then make your own decision.

Browzar has received a lot of recent attention on mailing lists like Full-Disclosure, where posters claim that Browzar leaves the last visited URL in a file in the user's LocalSettings directory, and that items like cache misses, redirected URLs, and click-through URLs are also left on the machine.

Now of course, your ISP can still track you, as can netflows, IDSs on your network, and software that may be on your corporate network like Websense.  That is before even considering whatever Browzar leaves behind on your host system.

We've looked at other programs like VMware's many free Virtual Browsing appliances, or even Sandboxie, which runs programs inside of a virtual 'sandbox', apparently leaving no traces behind on the local machine.

So for you privacy guys..  put your tin foil beanie on, and browse away.

Update #1

Another reader, Chris, wrote in to tell us about a browsing device he made on an external hard drive with Windows 3.11 as an OS, a minimal install with a browser.  This reminds me of carrying a thumb drive with a browser installed on it, in order to keep your cookies, passwords, and cache with you.



----------------
Joel Esler
jesler{at}isc.sans.org

UDP Port 47290

Published: 2006-09-04
Last Updated: 2006-09-04 16:28:16 UTC
by Brian Granier (Version: 2)

In reviewing recent DShield graphs I noticed a sharp and large increase in UDP port 47290 traffic. A quick review of Google and a few other resources left me with no logical conclusion as to the source.



I send this diary out as a call for packets or for any information that might lead to understanding where this traffic uptick comes from. Since this traffic started on 8/28/06, it is interesting to note that the number of reported packets is 226,660 records. The number of sources for this traffic is 134,673. The number of targets is 43. So it's possible we are looking at traffic reported from just one subscriber who sends logs into DShield. Nonetheless, this is a rather interesting and sudden increase and it would be useful to know where this is coming from.

Update: We looked further into this and discovered that 99.99% of this traffic is destined for a single target. This makes the call for packets a fairly moot point.
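The triage above (records, distinct sources, distinct targets, and how much of the traffic lands on one destination) can be scripted so a spike is checked before calling for packets. This is an added example, not DShield's own tooling; the log format (date,source,target,dport,proto) and the sample records are constructed for illustration, and the 0.99 threshold is an assumed cut-off for "one target dominates".

```python
from collections import Counter

# Constructed sample (not real DShield data): 8 records on UDP/47290,
# 7 of them destined for the same target.
SAMPLE_LOG = """\
2006-08-28,10.0.0.1,192.0.2.10,47290,UDP
2006-08-28,10.0.0.2,192.0.2.10,47290,UDP
2006-08-29,10.0.0.3,192.0.2.10,47290,UDP
2006-08-29,10.0.0.4,192.0.2.10,47290,UDP
2006-08-30,10.0.0.5,192.0.2.10,47290,UDP
2006-08-30,10.0.0.6,192.0.2.10,47290,UDP
2006-08-31,10.0.0.7,192.0.2.10,47290,UDP
2006-08-31,10.0.0.8,192.0.2.20,47290,UDP
"""

def parse(log_text, port=47290, proto="UDP"):
    """Yield (source, target) pairs for records matching the port/protocol."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _date, src, dst, dport, pr = line.split(",")
        if int(dport) == port and pr == proto:
            yield src, dst

def summarize(pairs, threshold=0.99):
    """Count records, distinct sources/targets, and the top target's share.
    A share at or above the threshold suggests a single reporting sensor
    rather than an Internet-wide event."""
    pairs = list(pairs)
    targets = Counter(dst for _, dst in pairs)
    top, top_n = targets.most_common(1)[0] if targets else (None, 0)
    share = top_n / len(pairs) if pairs else 0.0
    return {
        "records": len(pairs),
        "sources": len({src for src, _ in pairs}),
        "targets": len(targets),
        "top_target": top,
        "top_share": share,
        "single_target_dominated": share >= threshold,
    }
```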


Bots looking for FlashChat App

Published: 2006-09-04
Last Updated: 2006-09-04 00:37:37 UTC
by Pedro Bueno (Version: 1)
I don't know if you are familiar with FlashChat, but I wasn't until today. One of our readers, Rodrigo Freire, sent some log traces of those perl based bots.
Tracking it, I was able to get into their botnet, on xx.xx.207.12, running on port 7001.
The default channel found in the perl code was #botnet, and it was active at the time this diary was written. The default command to list channels on IRC is /list.
Despite some danger in running commands on customized ircd servers, I ran it and found another channel, called #scan.
Finally the FlashChat part...:) In the topic of the #scan channel, there was an instruction to scan on Google for sites using FlashChat, ONLY on .co.uk domains!
So, my final instructions to you are:

1- If you run FlashChat, check for patches, security patches, APPLY THEM!
2- If you run FlashChat AND on a .co.uk or .uk domain, APPLY ANY PATCHES AVAILABLE IMMEDIATELY. Additionally, you might want to look through your system for signs of intrusion.
----------------------------------------------------------------------------------
Pedro Bueno ( pbueno //&&// isc. sans. org )