
SANS ISC InfoSec Handlers Diary Blog



Scammer tying in on disasters

Published: 2006-10-03
Last Updated: 2006-10-03 22:44:53 UTC
by Swa Frantzen (Version: 1)

We have seen them before: scum trying to make money off of disasters in other people's lives, and an aircraft crash in Brazil is no different. It starts with a spam campaign promoting a website; the website in turn promotes clicking on tiny thumbnail images that lead to malware. Not cool.

The find is courtesy of Websense, who have an article about it.

Here is what the antivirus vendors think of the malware (VirusTotal):

[ file data ]
size 274462
md5 fca50b317ac7648b65c80a2f08ede9ef
sha1 bd85d52e616ab14bef3bfe42e9d44c0820d895cf

[ scan result ]
AntiVir 7.2.0.22/20061003 found [DR/Spy.Bancos.YT]
Authentium 4.93.8/20061002 found [W32/Banker.XCA]
Avast 4.7.892.0/20061003 found nothing
AVG 386/20061003 found nothing
BitDefender 7.2/20061003 found [Generic.Banker.VB.11DF9CB6]
CAT-QuickHeal 8.00/20061003 found nothing
ClamAV devel-20060426/20061003 found nothing
DrWeb 4.33/20061003 found [BackDoor.Generic.1437]
eTrust-InoculateIT 23.73.11/20061002 found nothing
eTrust-Vet 30.3.3113/20061003 found nothing
Ewido 4.0/20061003 found nothing
F-Prot 3.16f/20061002 found [security risk named W32/Banker.XCA]
F-Prot4 4.2.1.29/20061002 found [W32/Banker.XCA]
Fortinet 2.82.0.0/20061003 found [Spy/Bancos]
Ikarus 0.2.65.0/20061003 found [Backdoor.Win32.Radmin.w]
Kaspersky 4.0.2.24/20061003 found [Trojan-Spy.Win32.Bancos.yt]
McAfee 4865/20061003 found nothing
Microsoft 1.1603/20061003 found nothing
NOD32v2 1.1787/20061003 found [probably a variant of  Win32/Spy.Bancos.U ]
Norman 5.80.02/20061003 found [Bancos.KVY]
Panda 9.0.0.4/20061003 found nothing
Sophos 4.10.0/20061003 found nothing
Symantec 8.0/20061003 found nothing
TheHacker 6.0.1.090/20061003 found [Trojan/Spy.KeyLogger.bp]
UNA 1.83/20061003 found nothing
VBA32 3.11.1/20061003 found [Trojan-Spy.Win32.Bancos.yt]
VirusBuster 4.3.7:9/20061003 found nothing

In other words: a bank-aware keylogging piece of malware that is not detected by some of the big-name vendors.

The important lesson is not to click on links in email or IM, or to be social-engineered in any other way into doing things you don't want to do. That, however, needs to be applied not just on the receiving end, by not following links we are given, but also on the sending end, by not offering friendly links to our friends.

e.g.:

--
Swa Frantzen -- Section 66

Firefox ...

Published: 2006-10-03
Last Updated: 2006-10-03 14:49:26 UTC
by Swa Frantzen (Version: 1)

Firefox seems to have its share of followers, just like the Mac community. I'm actually using both while typing this, so don't get on my case too much. Their supporters tend to react strongly when vulnerabilities are exposed at hacker venues. While fascinating from a social perspective, let's look at what we do know:

Over the weekend a conference called ToorCon was held in San Diego and one of the presentations by Mischa Spiegelmock and Andrew Wbeelsoi was (among other things?) about Firefox security.

None of us handlers had at that point seen the presentation(*) itself or the interaction with a Mozilla staffer, but we did see the Mozilla developers react to it as if it were real (as they should), and we reported briefly on it ourselves. So there was something, but none of us knew exactly what it was or how it worked, and the threat of more exploits up their sleeve wasn't going to give anyone a comfortable feeling any time soon.

Today numerous readers pointed us towards more news from Mozilla. While it seems to debunk the whole situation somewhat, do reread this one before calling it a hoax. There is a DoS in there, and those have shown in the past the nasty habit of sometimes turning around and biting you with code execution (like the setslice thing did for MSIE).

All in all the whole thing obviously was hilarious to present and attend (see the video above), but it still leaves the rest of us with a foul taste.

(*): In a twisted way, you need JavaScript enabled and have to sit through the commercial before you can see it.

--
Swa Frantzen -- Section 66


Detecting attacks against servers

Published: 2006-10-03
Last Updated: 2006-10-03 12:32:02 UTC
by Swa Frantzen (Version: 2)

We all hear of servers getting hit on one of their exposed interfaces and then being used in phishing attacks, spreading malware, feeding warez and basically supporting everything else the bad guys out there do.

But how can you detect it with little to no fancy means?

Flows are a neat source of information. Basically, it's the routers you already have telling you which IP address talked to which other IP address, on which port, during a relatively short interval. Collecting flows from a high-end router is no small feat, so you will need storage and processing resources, but if you can do it, it gives you insight into traffic patterns on a large scale.

E.g. discovering machines scanning for SSH (port tcp/22) and then starting to talk on port tcp/4000 to some of the machines they scanned is a sign of something spreading to the next server. If those already affected IP addresses are also relatively high bandwidth and owned by companies that sound like they are in the hosting business, the impact of each of these machines getting owned is not insignificant. A shared hosting server can serve many hundreds of domain names, and each one of those might be pushing the newest 0-day exploit at its visitors.

So keep applications such as openssl and openssh patched on your servers; they are being scanned for.

Update: Andrew provided a pointer to a list of netflow tools.

--
Swa Frantzen -- Section 66
Keywords: netflow server ssh