SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-11-07 InfoSec Handlers Diary Blog



MSXML 4.0 exploit in the wild

Published: 2006-11-09
Last Updated: 2006-11-09 14:20:45 UTC
by Bojan Zdrnja (Version: 2)
We've received a report of the MSXML 0-day exploit being used in the wild. This is the exploit Johannes wrote a couple of days ago (http://isc.sans.org/diary.php?storyid=1825).

The exploit does not seem to be in wide use just yet, but that can, of course (and we expect it to), change very quickly.

For the exploit to work, it *needs* Microsoft XML Core Services to be installed. Microsoft XML Core Services are not installed by default on Windows XP, but a lot of packages seem to use it; Visual Studio appears to be a common one. You can check in the Add or Remove Programs applet whether you have it installed.

The exploit works in both IE6 and IE7, which makes sense since it's exploiting a vulnerability in an ActiveX object, not in the browser itself.

When executed the exploit creates an MSXML 4.0 ActiveX object (88d969c5-f192-11d4-a65f-0040963251e5). It then uses multiple setRequestHeader() method calls to execute shellcode which is included with the exploit.

Once executed the shellcode (of course) first downloads the first stage downloader. At the moment it's a file called tester.dat:

16ac9982d177a47a20c4717183493e95  tester.dat

This downloader then downloads subsequent files (yet to be analysed).

It looks like some AV vendors are beginning to detect the exploit. At this moment it is being detected by McAfee as Exploit-XMLCoreSrvcs and Symantec as Bloodhound.Exploit.96. Microsoft also detects it as Exploit:HTML/Xmlreq.A.

The best protection is to prevent the XMLHTTP 4.0 ActiveX Control from running in Internet Explorer, as stated in Microsoft's advisory: http://www.microsoft.com/technet/security/advisory/927892.mspx.

Update:  Snort Rule: 8727 and 8728
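
To check whether a host is still exposed, the following added example (not part of the diary or of Microsoft's advisory) audits the Internet Explorer kill bit for the CLSID named above and can set it. It assumes the standard "ActiveX Compatibility" registry location for kill bits; the function names are hypothetical.

```powershell
# Added example: audit / set the IE kill bit for the MSXML 4.0 XMLHTTP control.
$Clsid   = '{88d969c5-f192-11d4-a65f-0040963251e5}'  # CLSID quoted in the diary
$KillBit = 0x400  # "Compatibility Flags" bit: IE refuses to instantiate the control

# Native and 32-bit-on-64-bit registry views: COM registration and kill-bit store.
$Views = @(
    @{ Name = 'native'; Classes = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Name = 'wow64';  Classes = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
       Compat = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

function Get-CompatFlags([string]$Key) {
    # Returns 0 when the key or the value does not exist.
    if (-not (Test-Path -LiteralPath $Key)) { return 0 }
    $p = Get-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($p) { return [int64]$p.'Compatibility Flags' }
    return 0
}

function Get-MsxmlKillBitState {
    foreach ($v in $Views) {
        $registered = Test-Path -LiteralPath (Join-Path $v.Classes $Clsid)
        $flags      = Get-CompatFlags (Join-Path $v.Compat $Clsid)
        $killed     = ($flags -band $KillBit) -eq $KillBit
        [pscustomobject]@{
            View              = $v.Name
            ControlRegistered = $registered                   # MSXML 4.0 present in this view
            KillBitSet        = $killed
            Exposed           = ($registered -and -not $killed)
        }
    }
}

function Set-MsxmlKillBit {   # run elevated; keeps any flag bits already present
    foreach ($v in $Views) {
        if (-not (Test-Path -LiteralPath $v.Compat)) { continue }  # view absent on this OS
        $key = Join-Path $v.Compat $Clsid
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $new = [int]((Get-CompatFlags $key) -bor $KillBit)
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

Get-MsxmlKillBitState | Format-Table -AutoSize
```

A row with `Exposed = True` means the control is registered and IE will still load it; calling `Set-MsxmlKillBit` from an elevated prompt and re-running the audit should turn that row to `False`.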



Sophos Reveals the "Dirty Dozen"

Published: 2006-11-07
Last Updated: 2006-11-07 21:07:41 UTC
by Deborah Hale (Version: 1)
I came across an article today about spam and what Sophos calls the "Dirty Dozen".  This refers to the top 12 spam producing countries in the world.  What I find rather interesting and somewhat ironic is that the US leads the way with being responsible for 21.6 % of the spam that was distributed in the 3rd quarter. 

Sophos reveals "Dirty Dozen"

Sophos says that they believe the increase in spam may be attributed to the some 300 strains of Stration or Warezov worm.  What I have to wonder about is why we still have so many people clicking on attachments (especially ZIP files) in unsolicited email.  What will it take for people to get the message that if you didn't ask for it, don't open it? 

Another thing that I find interesting is this statement in the article:

"Most unsolicited emails are now sent from zombie PCs - computers infected with Trojans, worms and viruses that turn them into spam-spewing bots."

With all the programs available to help with removal of the spyware, viruses and the like, why do we in the US still have so many home computers infected with various forms of parasitic programs?  I worked on a computer a few nights ago that had over 300 different viruses, spyware and trojan-esque programs on it.  After a format and reload and installing all of the appropriate software and updates, I explained to the owner of the computer exactly what it was that happened and how it happened.  I explained that virus software does expire so you do have to renew it annually or subscribe to a service such as SecureIT that takes care of all of that for you.

Eventually maybe we will get to the place where the bad guys can't do any more damage to the Ma and Pa home and small business computer.  I guess until then we just have to live with the fact that we are as guilty as the rest of the world at not being good Netizens.



Malicious Trojan poses as McAfee alert

Published: 2006-11-07
Last Updated: 2006-11-07 20:29:51 UTC
by Deborah Hale (Version: 1)
It appears now that McAfee's name is now being used to spread a new trojan via email.  The email arrives presumably from McAfee with an attachment that actually spreads the trojan.  This mass mailing is unusual because it attempts to spoof the email address mcafee @ europe . com.  This trojan has been given the name Lafool.v by Kaspersky labs and is a password stealing program.

Vnunet article

Buyers Beware

Published: 2006-11-07
Last Updated: 2006-11-07 18:42:15 UTC
by Deborah Hale (Version: 1)

Once again we have a nasty little email circulating that is trying to scam the unsuspecting Internet users out of their hard earned dollars. The email purports to have a product that can "guarantee that all of your banking transactions are completely secure".  In reality this scumware does anything but...

They are selling a VPN solution and would love to have you fall for it er...  purchase it. (Adding to their little bot I am sure).

As a matter of fact when I tried to go to the web site I got a warning from my filter that the site was a known spammer site.

As always use good common sense and extreme caution.  Don't believe everything you receive in email or everything that you read online.  You never know when the website is from "Russia with love" or some other far away place.

Abuse handling and the misfortunes of the good Samaritan

Published: 2006-11-07
Last Updated: 2006-11-07 09:24:37 UTC
by Swa Frantzen (Version: 1)

The requirement for domain name holders to provide a working abuse@example.com email address comes not only from tradition, but also from RFC 2142. It's interesting to note that that RFC doesn't address itself to just ISPs, it goes for any entity on the Internet.

So do your postmaster, info, NOC, hostmaster, webmaster, abuse, security, ... email addresses actually work ?

Having been on both sides of the fence when it comes to abuse@isp.net let's look at some misconceptions:

  • "let's use an auto-reply": auto-replies are in my book evil. But they are also an insult to somebody trying to do their best in making the Internet a better place and reporting on such a thing. Sure, submitters will appreciate a short note that their complaint has been dealt with and thanking them for their time, but do so after you processed it. Worse are auto-responders that give a whole bunch of instructions on how to submit things that just aren't relevant.
  • "filter the spam": I've seen abuse departments demand a copy of the spam be attached to the email while running a spam filter that bounced the message due to it being detected as spam if the spam was attached. Guess how many valid spam reports they got.
  • "form letter reply": While I think form letters are in fact good for responding to abuse notifications, you need a bunch of them, not just one. E.g. I've received form letters asking for an attachment of the spam I was supposedly complaining about while submitting a defaced website hosting some malware to an ISP. The range of complaints is always wider than what your form letters can encompass and submitters have better things to do than wade through overly long form letters anyway. So keep them short and to the point.
  • "automate it": While there are abuse reports that can be automated (e.g. the motion picture lawyers use an XML attachment that can easily be automated to trace back your peer2peer copyright abusers), trying to widen this to encompass all complaints just will not work for the same reason as your form letters don't always work.
  • "web form": The horror method for reporting entities. You write up everything they need in a neat email and get a rude auto-reply to please use http://obscure.web.example.com/silly.form instead.
  • "abuse is helping users/customers": Abuse is actually more the one wielding the whip, kicking out unwanted elements based on the AUP (Acceptable Use Policy) or ToS (Terms of Service) or other policies. Helpdesks typically are streamlined to help users to take care of customers. Mixing the two roles into one group can cause abuse to become very inefficient at kicking out the unwanted elements. Abuse helps the outsiders getting the users/customers under control.
  • "abuse kicks out our good customers": Yes, abuse will trigger processes to kick out misbehaving customers. But they aren't the nice customers and if you do not deal with those misbehaving customers your really nice customers as well as yourself will face consequences as your neighborhood is fast becoming a bad neighborhood on the Internet.
So what does work for both sides?
  • Handle the incidents, make sure the users/customers know you are strict as it leads to less abuse. Have policies that have teeth and can bite, and let them work even when external. This will result in a very short time in less incidents to handle as once you take a few harsh measures you eliminate the really bad apples and the word will spread so that the rest starts to behave a bit.
  • Have form letters for:
    • Thanking submitters and letting them know it's been dealt with (where I live you cannot -legally- give details of what you did).
    • Asking for more details, but be specific what you need extra for the case at hand.
    • Warning users/customer they are breaching policy
    • Escalating incidents to be investigated further
  • If you get easy to automate requests: sure process them, but keep a human supervision to it to make sure it doesn't get abused itself.
  • Do not filter the abuse email with anti-spam software, people will forward spam messages originating from your users/customers, so you need to let it in. Yes, you'll have to delete the regular crop of spam.
  • Handle the queue manually. Somebody put time into writing up the complaint, you should too.
Some examples of bad replies:
  • Somebody reporting a defaced website spreading malware: "Thank you for submitting a report to the [X] Network Abuse Department. Unfortunately, your submission does not contain sufficient information to determine the nature of your issue.  Evidence to Abuse should always include at least the IP address of the offending party and a valid timestamp, which includes time, date and timezone."
    If you host the website or if your customer hosts it, they will have better timestamps than the submitter. You really need to accept incidents and work with them on a minimal basis, if you need more you can always ask for more later on, but e.g. in this case the website is defaced "now", just check it and act on it. [BTW: checking a website distributing malware: take care with that browser ...]
  • "Thank you for submitting a report to the [X] Network Abuse Department. Unfortunately, we are unable to investigate the email you forwarded because it does not appear to have originated from the [X] network." Well perhaps the automation missed the ball completely here. There was an attached email (actually an auto-reply from the organization itself). There are two problems however:
    • The assumption that any attached email is what is being complained about. What if it was (as in this case) a clarification of the failing reporting process.
    • The email did originate from the organisation itself. Interpreting email headers is not easy. If you cannot detect normal email headers reliably, don't even try to interpret spammed email headers (spoofed information).
With thanks to Chris, a very good Samaritan out there trying to make the Internet a better place and being plagued with well below par responses from the big ISPs out there, yet still motivated enough to share his experiences.

Success!

--
Swa Frantzen -- Section 66

Substantial Increase in Infected System Numbers (is it real?)

Published: 2006-11-07
Last Updated: 2006-11-07 05:30:03 UTC
by Johannes Ullrich (Version: 1)
Starting mid October, we did see a jump in the numbers of "source IPs" recorded by DShield. "Sources" are essentially the sources of packets dropped by firewalls and reported to DShield. While there are some false positives of course (so I wouldn't go as far as to say that all of these systems are exploited), the majority of these systems is typically part of a botnet or infected with the worm of the day.

For the last few months, the number of source IPs hovered at around 1 million per day. However, as of Oct. 18th, this number all of a sudden surged to about 1.6-1.8 Million. This coincides with a dramatic increase in spam. While I haven't had a chance yet to exactly correlate this with spam numbers, the time looks suspiciously similar.

Note that the number of source IPs in our database not only correlates to the number of infected systems, but it is also related to how aggressively these systems scan. We did see one trend over the last year where infected systems scan less aggressively as they used to. This is somewhat part of the shift from random worms to more intelligent bots.

See below for a graph of source IPs vs. date for the last month. Note that this is still work in progress. We did not have a chance yet to eliminate all possible errors like a skewed submitter, an error in our data interpretation or the like. But the number of sources has been very steady since June (second graph shows the longer term numbers).

Update: A bit more analysis.... it looks like not all submitters are seeing the same increase. So either this is targeted, or there is some skew in the data. Some of the users seeing big increases are long time submitters. However, one particular new user reported from 900k sources! So this could very well cause issues.

Update(2): even after removing the suspect submitter, we still see a significant increase. So a lot of the 900k sources reported have also been reported by others. The total without the suspect submitter is about 1.2 Million sources post Oct. 16 (900k before).


