
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-11-17



Microsoft Patching Observations

Published: 2006-11-17
Last Updated: 2006-11-18 15:21:21 UTC
by Marcus Sachs (Version: 1)
One of our readers applied all of the Microsoft patches that came out on Tuesday, then sent us a rather detailed note about his observations in response to our request for comments.  I sanitized it a bit to remove any personal details, otherwise it is pretty close to what he sent us.  By the way, there's a nice exploit of MS06-070 available on a popular security site in case you need a reason to get your patching done before you go home tonight.


You wanted 'em, you got 'em. Toyota... as the saying goes. Mystifying.

1. 'Went to the MS Update site, which called for 6 priority updates. I added one additional: KB920342 (for P2P). The ones called for as "Priority" updates were listed in this order:
- KB927978 MSXML 4.0 SP2 Security Update
- KB920213 MSAgent (MS06-068)
- KB923980 Netware... (MS06-066) [which is NOT installed on this machine (?)]
- KB924270 Workstation svc... (MS06-070)
- KB922760 IE[6?] (MS06-067)
- IEv7...

- KB920342 P2P (...the "extra" one I chose. Duh. 'Like I wasn't going to have enough trouble already.)
-----------------------------------------------------
2. They installed themselves in this order as I watched it, as I thought the MS Update site would prioritize them in the correct order (...duh, again.):
- KB920342 P2P
- IEv7 (...which, of course, you have to help with the prompts, the "OK" for WGA, etc.)
- KB920213 MSAgent (MS06-068)
- KB923980 Netware... (MS06-066)
- KB924270 Workstation svc... (MS06-070)
- KB922760 IE[6?] (MS06-067)
- KB927978 MSXML 4.0 SP2 Security Update ...then REBOOT, of course.
-----------------------------------------------------
3. After rebooting, went back to the Admin account (1 of 2 on this XP Home PC), tweaked IE7 a bit, found that it had installed this annoying "Language Toolbar", which I disabled via its own control options. OK, 'looks fairly clean.
'Went back and let MS Update check again, just to make sure I hadn't missed anything - 'looks good; checked the PC's "Update History", which I also printed ('glad I saved that). 'Cleaned up the temp files from the installs using "Easy Cleaner". 'Seemed like it did its usual good job. Logged off the Admin account and went to check on the LUA accounts on this PC (4 of them). Dang it! The dopey "Language Toolbar" was installed on EVERY one of the LUA accounts - disabled them via the toolbar's own control options. 'Tweaked/checked settings in IE7, just like I had in the Admin account. Ahhh, 'seems like we're ready to go; wrong.
Now, I have an "extra" service running that I didn't before - "ctfmon.exe", even in ALL the LUA accounts.
- The "ctfmon.exe" (from MSOfficeXP, supposedly) info can be found at KB326526 and KB282599, and probably others. I am NOT going to jump through all the hoops listed in those articles - and I shouldn't have to call the MS eternal wait phone to get a hotfix for this. 'Not even sure it would fix the startup of that service, which -was not- starting before I did this bunch of patches. I found out I can "kill" this service using any number of utilities available, but it returns with just a logoff/logon, and of course with a reboot. WTF?
- Ran MSCONFIG from an Admin account, and saw that I could eliminate the startup of "ctfmon.exe"; did so. rebooted, and it stuck itself back in the startups again. Dang it! Blowing away the registry item (Run) MIGHT take care of it, but it might give me a BSOD, too. WTF?
- In running MSCONFIG, I also noted there was yet another new service started called "Remote Packet Protocol Capture (Experimental v0)" added, which I disabled, and it appears to stay that way (whew!). WTF?*
-----------------------------------------------------
Chapter 4 (now part of an "MS Updates for Dummies" book coming your way any day now). Further checking in the Control Panel led to more frustration and misery - the list of patches supposedly shown under "Add/Remove programs" does NOT list "KB927978 MSXML 4.0 SP2 Security Update" on the list. Had I not -saved- the MS Update site's "Update History", I would be babbling in my sleep, but since I did, I know it installed because I watched it do so, -and- I have that list of the updates I let it install on 11.15.2006.
So, I did a KB search @ http://support.microsoft.com/search/?adv=1 to look for KB927978; 'tried that several times today and got "...not found" and "The Knowledge Base (KB) is currently not available". ARRGGHH!
-----------------------------------------------------
"Do not forget to report such trouble back to Microsoft as well..." - why? They really don't give a hoot.

I guess I'm lucky that the machine is still running at all, but all my forensic skills went in the dumper today, it seems. 'Just one of those days, I guess. I'm going to bed now, after a few Jameson's...

Wow.  Just when you thought patching was getting easier.  Thanks again, Reader, for your comments and thoughts!

Marcus H. Sachs
SANS Internet Storm Center

*Note: Two readers have already reported in that the "Remote Packet Protocol Capture (Experimental v0)" is typically installed with WinPCap.

Postini Spam Filter

Published: 2006-11-17
Last Updated: 2006-11-18 02:49:05 UTC
by Marcus Sachs (Version: 1)
Reader David wrote to us with this comment and request:

We use Postini for SPAM and email filtering, and they've had a weird attack today. Emails are coming through from random sources, with TORA.OB written out in number characters.  I googled TORA.OB and found a company on the stock exchange using that name.  Just wondering if anyone else has seen this? Just a little unusual I think. Nothing else in it (i.e. no exploits, binary data, etc.)

Anybody else seeing similar spam runs getting through Postini?  Let us know via the contact form.

UPDATE #1
Many readers are telling us that they've seen these spam messages today, so we've confirmed that they exist.  No need to write in and send us more samples.  Our cup runneth over...

Reader Conrad told us this:

Postini subscribers can email spam -at- postini.com with sample spam messages. This will enable Postini to adjust their filters to keep this sort of spam out.

Thanks, Conrad!

UPDATE #2
At the risk of drawing attention to this stock, handler Deb pointed me to a stock page where you can see the pump and dump scheme as it happens.  Looks like the value is already going down, so no need to buy any more.

UPDATE #3
We have multiple confirmations that the spam made it through many different spam filters in addition to Postini.  This is a typical pump-n-dump stock scheme just like the image-based spam that we are all so tired of.  If it feels like you've seen a dramatic rise in this category of spam over the past few weeks you are not alone.  eWeek has a pretty good article about it, and there's a lively debate about it over on Slashdot.

A reader gave us some ideas on how this type of spam might be blocked.  We have not tried this filter but offer it to the community for your consideration.

The following procmail recipe should catch the 'thin-line' ones:

    # Action line assumed (the recipe as sent had none): file matches in a 'spam' mailbox.
    :0
    * ^Message-Id: <............\$........\$00000000\@
    spam

And the following should catch the 'fat-line' ones:

    # Score starts at -100; exponent 1 makes every five-digit group add 2 and every
    # ten-digit group add 3 (with ^0 only the first match would count). B ?? matches
    # against the body. Action line assumed (the recipe as sent had none).
    :0
    * < 10000
    * ^Content-type: text/plain;
    * -100^0
    *     2^1 B ?? [ ][0-9][0-9][0-9][0-9][0-9][ ]
    *     3^1 B ?? [ ][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]
    spam
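To see how the weights actually add up, here is the same scoring logic in Python, run over a constructed digit-art message and an ordinary one. This is an added illustration, not part of the diary or the reader's recipe; the sample messages, the `example.invalid` addresses and the Message-Id value are made up.

```python
import re

# Weights and thresholds taken from the procmail recipes above.
MAX_SIZE = 10000       # '* < 10000': the recipe only looks at small messages
BASE_SCORE = -100      # '* -100^0': every message starts at -100
FIVE_DIGIT = re.compile(r" [0-9]{5} ")   # [ ][0-9][0-9][0-9][0-9][0-9][ ]  -> +2 per match
TEN_DIGIT = re.compile(r" [0-9]{10}")    # [ ] followed by ten digits      -> +3 per match
TEXT_PLAIN = re.compile(r"^Content-type: text/plain;", re.I | re.M)
# '^Message-Id: <............\$........\$00000000\@' from the thin-line recipe
THIN_LINE_MSGID = re.compile(r"^Message-Id: <.{12}\$.{8}\$00000000@", re.I | re.M)


def split_message(raw):
    """Split an RFC 822 message into (headers, body) at the first blank line."""
    headers, _, body = raw.partition("\n\n")
    return headers, body


def is_thin_line(raw):
    """Thin-line recipe: the spam tool's distinctive Message-Id shape."""
    headers, _ = split_message(raw)
    return THIN_LINE_MSGID.search(headers) is not None


def fat_line_score(raw):
    """Fat-line recipe as a procmail score; None when a hard condition fails."""
    headers, body = split_message(raw)
    if len(raw) >= MAX_SIZE or not TEXT_PLAIN.search(headers):
        return None
    # Exponent 1 semantics: every further match adds the same weight again.
    return (BASE_SCORE
            + 2 * len(FIVE_DIGIT.findall(body))
            + 3 * len(TEN_DIGIT.findall(body)))


def is_pump_and_dump(raw):
    """procmail fires a scored recipe only when the final score is positive."""
    score = fat_line_score(raw)
    return is_thin_line(raw) or (score is not None and score > 0)


# Constructed samples, not real mail: a ticker drawn as rows of digit groups
# (4 five-digit and 1 ten-digit group per row), and an ordinary order notice.
ROW = " 88888  00000  8888888888  00000  88888 "
SPAM = ("From: random@example.invalid\nContent-Type: text/plain; charset=us-ascii\n\n"
        + "\n".join([ROW] * 10) + "\n")
HAM = ("From: shop@example.invalid\nContent-Type: text/plain; charset=us-ascii\n\n"
       "Your order 12345 shipped today.\n")
```

Ten rows of art give -100 + 10 * (4*2 + 1*3) = +10 and trip the filter, while the order notice stays at -98; tune BASE_SCORE and the weights against your own traffic before filing anything unread.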

Thanks again to everybody who sent in samples and comments!

Marcus H. Sachs
SANS Internet Storm Center
