SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-11-25



ebay.co.uk

Published: 2006-11-25
Last Updated: 2006-11-25 23:47:04 UTC
by Mark Hofman (Version: 2)

Sadie from the UK reported that a number of eBay Groups are having problems: defacements, deletions, etc.

I've been unable to confirm this, so if any of our UK readers have any additional information (specific links, screenshots, etc.), please contact us.

Update 1
It looks like there is an issue at Liveworld/eBay with the Groups. There are now a number of groups that you would not typically expect to find on an eBay site. From the posts on the site, Liveworld is looking into it. In the meantime you may wish to steer clear of the site.
One of the more likely avenues is keyloggers on users' machines grabbing their user IDs and passwords, but this has not yet been confirmed.

Mark Hofman
ISC Handler On Duty
shearwater.com.au


Report of possible Malware coming from Chinanet

Published: 2006-11-25
Last Updated: 2006-11-25 15:24:08 UTC
by Mark Hofman (Version: 1)

A reader has reported an instance of possible malware delivered to his machine from the Chinanet network. A number of AV products have flagged the code as suspicious, i.e. a suspicious file or possible Trojan. Initial tests haven't shown anything conclusive.


The file was an executable called ok.exe.

Mark H

ISC Handler On Duty


Interesting Potential Attack Vector

Published: 2006-11-25
Last Updated: 2006-11-25 08:08:12 UTC
by Mark Hofman (Version: 1)

One of the handlers found an interesting article on the net which raises some questions and describes a novel attack vector for the delivery of malware.

Essentially it uses frames within Word documents. When you use frames in a document, you can link the content of a frame to a URL, which is fetched and displayed (if relevant) when the document is opened. So this is similar to the URL links in the spam emails we all get. However, the email links require a click, whereas this only requires you to open the document. People nowadays are wary of clicking on links in emails, but will happily open a Word document when it seemingly came from Aunty Joan, the boss, or someone else they know.

So in a few minutes of thinking we came up with a number of interesting uses of this feature, ranging from tracking when documents are opened, to malware being downloaded and installed, and of course the original use described in the article.

What to do about it? Controls on outbound web traffic would be one defence, for example content scanning or URL blocking: the payload still has to be fetched from the URL in the frame, so if web traffic is controlled the risk is reduced. To prevent delivery by email, block Word documents at the gateway. I know a number of sites where this is the norm and it works for them. But still one of the best defences is an informed userbase, so awareness training.
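As an added example (not code from the original diary or the article it refers to), here is a small Python content scanner of the kind the previous paragraph has in mind: it opens a Word document and lists the URLs that a frame would fetch when the document is opened, while ignoring ordinary hyperlinks that still need a click. The 2006 diary concerns the binary .doc format; this scanner assumes the OOXML (.docx) form of the same feature, where the frameset lives in word/webSettings.xml and each <w:sourceFileName r:id="..."> resolves to a TargetMode="External" relationship in that part's .rels file. The sample document is constructed in memory with example.invalid URLs; the part layout and relationship types are taken from ECMA-376 and are assumptions, not something the diary states.

```python
import io
import posixpath
import re
import zipfile
from xml.etree import ElementTree as ET

# OOXML namespaces (assumed from ECMA-376, not from the diary).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def rels_path_for(part_name):
    """word/webSettings.xml -> word/_rels/webSettings.xml.rels"""
    directory, base = posixpath.split(part_name)
    return posixpath.join(directory, "_rels", base + ".rels")


def external_rels(zf, part_name):
    """Map rId -> Target for the relationships of `part_name` whose
    TargetMode is External, i.e. content that lives outside the package."""
    rels_name = rels_path_for(part_name)
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {rel.get("Id"): rel.get("Target")
            for rel in root.iter(f"{{{REL_NS}}}Relationship")
            if rel.get("TargetMode") == "External"}


def frame_fetch_urls(docx_bytes):
    """Return every http(s) URL that a frame in the document points at.

    Word resolves <w:sourceFileName r:id=...> through the owning part's
    .rels file, so the scanner joins the two.  Hyperlinks are external
    relationships too, but they need a click, so they are not reported;
    non-http targets (e.g. file://) are also skipped."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".xml"):  # skips the .rels parts
                continue
            root = ET.fromstring(zf.read(name))
            rels = None
            for src in root.iter(f"{{{W_NS}}}sourceFileName"):
                if rels is None:
                    rels = external_rels(zf, name)
                target = rels.get(src.get(f"{{{R_NS}}}id")) or ""
                if re.match(r"https?://", target, re.I):
                    urls.append(target)
    return urls


def build_sample_docx(frame_url, hyperlink_url):
    """Construct a minimal frameset .docx in memory.  This is constructed
    test input, not a real-world sample: one frame that fetches `frame_url`
    on open and one ordinary hyperlink that only fires on a click."""
    document_xml = (
        f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body><w:p>'
        f'<w:hyperlink r:id="rId1"><w:r><w:t>click me</w:t></w:r></w:hyperlink>'
        f'</w:p></w:body></w:document>')
    document_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{R_NS}/hyperlink" '
        f'Target="{hyperlink_url}" TargetMode="External"/></Relationships>')
    web_settings_xml = (
        f'<w:webSettings xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:frameset>'
        f'<w:frame><w:name w:val="main"/><w:sourceFileName r:id="rId1"/>'
        f'</w:frame></w:frameset></w:webSettings>')
    web_settings_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{R_NS}/frame" '
        f'Target="{frame_url}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/webSettings.xml", web_settings_xml)
        zf.writestr("word/_rels/webSettings.xml.rels", web_settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://example.invalid/track.gif",
                               "http://example.invalid/page")
    for url in frame_fetch_urls(sample):
        print("frame fetched on open:", url)
```

On a mail gateway the same check can run on every attachment; a document whose frames point at external http(s) hosts is exactly the case the diary describes, since the URL is contacted without any click from the recipient.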

Other products that support linked content may have similar issues, so be aware.

The article can be found here.

Mark Hofman
ISC Handler On Duty
shearwater.com.au



First Shift !

Published: 2006-11-25
Last Updated: 2006-11-25 07:17:18 UTC
by Mark Hofman (Version: 1)

Wow first shift as the Handler of the Day. 

It started pretty ominously. A few days ago I accidentally mentioned the q word and was promptly told that it would come back and bite me. And bite it did. This morning I logged on to get ready for the next 24 hrs when the power for my neighbourhood disappeared. My little UPS was happily humming along and providing power, but alas my internet connection somewhere between my house and the ISP was not so lucky.

Anyway things are back, I'm ready for the day (sort of) and the cricket is on (Go Aussies).


Mark Hofman
ISC Handler On Duty
shearwater.com.au