
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-03-10



DST hype

Published: 2007-03-10
Last Updated: 2007-03-11 10:41:39 UTC
by Swa Frantzen (Version: 3)
With last minute -pun intended- patches for the DST change being released in the last few days, it's now too late to panic and go about breaking more than what you'll fix.

Let's look ahead at what is likely to happen if you are in, or deal with others in, an affected area:
  • Machines that got patched, including patches for applications that keep their own independent timezone information, will likely work without a hiccup.
  • Home machines missing an update, or no longer supported, will likely end up on the wrong time, just like the rest of the house, car and phone. Users know how to update the time (well, those that aren't owners of VCRs with a perpetual blinking 00:00 on them anyway). Even so, the impact of this will be mostly negligible.
  • Businesses might have meetings, conf. calls etc. where participants end up turning up at the wrong time. Simple reminders and rescheduling can fix this; nothing earth shattering will happen. And if you're working in a large international business this mess happens more often, at every DST change where the different continents don't sync the changes, where the southern hemisphere changes in the other direction, etc.
  • Time sensitive applications in businesses that are still using local time might go wrong. The typical applications there would be logs and access control.
    • Logs: If you're used to dealing with days that don't have the 2 to 3 o'clock hour, or -worse- days where 2:30 happens twice, you're well equipped to deal with a log that's one hour off. Just record when it got straightened out and you'll be fine. If you do need to make changes, our best suggestion is to get rid of local time. UTC rules: it has far fewer changes (a leap second is about the worst that happens, and that can be automated) and it is independent of location, of politicians feeling the need to mess with time, and of DST changes.
    • Access control: Time based access control can be a bit more tricky. But you know that if, after all the media attention, you still don't have a plan "B", you deserve the wrath of people being mad at you for having been waiting for an hour locked out of the building. Even then it's not going to be all that huge of an issue.
  • Time critical systems. Well, are you sure they are time critical if you're running them using local time? UTC rules here without a doubt!
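As an added example (not code from the diary), here is what the "one hour off", "missing hour" and "2:30 happens twice" cases above look like when local log timestamps are mapped back to UTC. It assumes US Eastern offsets and the two US rule sets the 2007 patches switched between; the log lines are constructed.

```python
from datetime import datetime, timedelta, timezone

STD, DST = timedelta(hours=-5), timedelta(hours=-4)   # US Eastern, assumed for the example

def nth_sunday(year, month, n):
    first = datetime(year, month, 1)
    first += timedelta(days=(6 - first.weekday()) % 7)
    return first + timedelta(weeks=n - 1)

def last_sunday(year, month):
    last = datetime(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)

# Pre-2007 US rule (what an unpatched box still applies): first Sunday of April .. last Sunday of October.
OLD_RULE = lambda y: (nth_sunday(y, 4, 1), last_sunday(y, 10))
# 2007 rule (what the patches install): second Sunday of March .. first Sunday of November.
NEW_RULE = lambda y: (nth_sunday(y, 3, 2), nth_sunday(y, 11, 1))

def classify(local, rule):
    """Classify a naive local wall-clock time under a DST rule.
    Returns (kind, utc): kind is 'std', 'dst', 'gap' (02:00-03:00 on the spring
    day, never shown on a correct clock) or 'ambiguous' (01:00-02:00 on the
    autumn day, shown twice); utc is None when no single answer exists."""
    start, end = rule(local.year)
    gap_lo, gap_hi = start + timedelta(hours=2), start + timedelta(hours=3)
    amb_lo, amb_hi = end + timedelta(hours=1), end + timedelta(hours=2)
    if gap_lo <= local < gap_hi:
        return "gap", None
    if amb_lo <= local < amb_hi:
        return "ambiguous", None
    in_dst = gap_hi <= local < amb_lo
    offset = DST if in_dst else STD
    return ("dst" if in_dst else "std"), (local - offset).replace(tzinfo=timezone.utc)

def to_utc_log(line, rule):
    """Rewrite 'YYYY-MM-DD HH:MM:SS msg' with the timestamp in UTC, or tag it as unresolvable."""
    stamp, msg = line[:19], line[19:]
    kind, utc = classify(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), rule)
    if utc is None:
        return f"{stamp}{msg}  # UNRESOLVABLE local time ({kind})"
    return utc.strftime("%Y-%m-%dT%H:%M:%SZ") + msg

if __name__ == "__main__":
    # Constructed sample lines as a local-time logger would write them around the 2007 transitions.
    for line in ["2007-03-11 03:30:00 badge 4711 door=lobby",
                 "2007-03-11 02:30:00 badge 4711 door=lobby",
                 "2007-11-04 01:30:00 badge 4711 door=lobby"]:
        print("patched:  ", to_utc_log(line, NEW_RULE))
        print("unpatched:", to_utc_log(line, OLD_RULE))
```

The same local stamp lands an hour apart under the two rule sets, and a stamp inside the gap or the repeated hour cannot be mapped back at all, which is the case for logging in UTC in the first place.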
That said, I'm sure many of you will enjoy fellow handler John Bambenek's appearance on Comedy Central's Daily Show. Sorry about the ad in front, and it's time limited, so if you want to see it in a few months, it'll likely be a broken link.

GEEKS USE UTC

UPDATED

I've posted a new poll where you can show us how it went for you. Compare it to those of you using their crystal ball skillz. Enjoy!

UPDATE

Jon wrote in with a story of his supplier of punch-clocks that had needed firmware upgrades for the clocks due to the DST change, and the pain he felt because of it: not only was it hard to update the clocks, but worse, the clocks started to skip an hour every day since they got updated. Clearly his vendor didn't get the reasons for proper testing, or more likely ended up in the spot I was trying to warn about in the first paragraph: "Now [it's] too late to panic and go about breaking more than what you'll fix". I feel Jon's pain and wish him a speedy recovery of his clocks and the data they collect.

--
Swa Frantzen -- NET2S

Firekeeper

Published: 2007-03-10
Last Updated: 2007-03-11 02:28:28 UTC
by Swa Frantzen (Version: 1)
Although it's labeled as an alpha release -and therefore should really be handled with care- the idea behind firekeeper makes it worth mentioning now.

We all love snort: it's basically free, pretty good -if not the best- and has a huge community supporting it. Jan Wrobel took the power of snort and inserted it in a plug-in for Firefox, resulting in an IDS/IPS inside a browser. Jan kept the ability to use Snort's rules and reused part of Snort's engine. As it is running inside the browser it even gains the ability to look inside https traffic, which at that point is no longer encrypted. Add the ability to pull in the rules remotely and it looks like something we should be watching for the future.

Note that we didn't say to go ahead and install it company wide; it's an alpha release. Test it in a controlled environment and give Jan some feedback so it'll get even better.

--
Swa Frantzen -- NET2S

New malware spreading through compromised sites

Published: 2007-03-10
Last Updated: 2007-03-10 18:31:05 UTC
by Maarten Van Horenbeeck (Version: 4)

Early this morning, Sanjoy wrote in that the airindia.com website contained a script-tag linking to a malicious Javascript hosted on a Chinese web server. We were able to confirm this and contacted Airindia to inform them their site had likely been compromised. At this point in time, the site is clean again.

Initial verification shows that this malicious link has been introduced into a large number of sites, both through script injection in forms as well as ways that look very much like web server compromise to us.

If you have a large installed base of Windows machines with browsing access, you may wish to review your proxy logs for requests for the following files. We removed the actual domain so as not to link directly to the actual malware.

[xxx] .cn/images/163.js
[xxx] .cn/images/sina.htm

The file downloaded upon successful execution is called 'install.exe' and has an md5 checksum of f9fc3189d619462f6c939bfbf36c90ab. Once executed, it installs three files on the system, 'winboot.exe', 'winroot.bat' and '1.exe', of which the latter remains resident in memory. The software seems to be a keylogger at this point in time. Anti-virus detection for this malware was non-existent this morning.
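As an added example (not the handlers' own tooling), here is the proxy log review suggested above and a check for the injected script tag on one's own pages. It assumes Squid native access.log lines; the log lines and page are constructed, and xxx.cn stands in for the domain the diary redacted.

```python
import re
from collections import defaultdict

# Paths named in the diary; the hosting domain was redacted there, so any .cn host is matched.
SUSPECT_PATHS = {"/images/163.js", "/images/sina.htm"}

# Squid native access.log: time elapsed client code/status bytes method URL ident hierarchy type
LOG_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
URL_RE = re.compile(r"^https?://(?P<host>[^/:?#]+)(?::\d+)?(?P<path>/[^?#]*)?", re.I)
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)

def is_suspect_url(url):
    """True for http(s)://<anything>.cn/images/163.js or .../sina.htm (query string ignored)."""
    m = URL_RE.match(url)
    if not m:
        return False
    host, path = m.group("host").lower(), (m.group("path") or "/").lower()
    return host.endswith(".cn") and path in SUSPECT_PATHS

def find_hits(lines):
    """Map each client IP to the suspect URLs it fetched; those clients need a closer look."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspect_url(m.group("url")):
            hits[m.group("client")].append(m.group("url"))
    return dict(hits)

def foreign_script_srcs(html, own_host):
    """Script tags on one of your own pages that pull code from a host that is not yours."""
    srcs = []
    for src in SCRIPT_SRC_RE.findall(html):
        m = URL_RE.match(src)
        if m and m.group("host").lower() != own_host.lower():
            srcs.append(src)
    return srcs

# Constructed sample data (not real traffic): one client fetched both files, another only an image.
SAMPLE_LOG = [
    "1173520800.123    245 10.0.0.17 TCP_MISS/200 1834 GET http://www.airindia.com/ - DIRECT/192.0.2.10 text/html",
    "1173520801.456     98 10.0.0.17 TCP_MISS/200 2201 GET http://xxx.cn/images/163.js - DIRECT/192.0.2.20 application/x-javascript",
    "1173520802.789    120 10.0.0.17 TCP_MISS/200 1590 GET http://xxx.cn/images/sina.htm?x=1 - DIRECT/192.0.2.20 text/html",
    "1173520803.000     40 10.0.0.42 TCP_HIT/200 9876 GET http://xxx.cn/images/logo.gif - NONE/- image/gif",
]
SAMPLE_HTML = ('<html><body><script src="/js/menu.js"></script>'
               '<script type="text/javascript" src="http://xxx.cn/images/163.js"></script></body></html>')

if __name__ == "__main__":
    print(find_hits(SAMPLE_LOG))
    print(foreign_script_srcs(SAMPLE_HTML, "www.example.org"))
```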

Currently, virustotal shows successful detection by:

AntiVir 7.3.1.41 03.09.2007 TR/Crypt.FKM.Gen
CAT-QuickHeal 9.00 03.10.2007 (Suspicious) - DNAScan
eSafe 7.0.14.0 03.08.2007 Suspicious Trojan/Worm
Kaspersky 4.0.2.24 03.10.2007 Trojan-PSW.Win32.WOW.pu
Sunbelt 2.2.907.0 03.10.2007 VIPRE.Suspicious
Symantec 10 03.10.2007 Infostealer.Wowcraft
VBA32 3.11.2 03.10.2007 suspected of Downloader.Dadobra.10 (paranoid heuristics)

F-Secure, Fortinet and Sophos confirmed to us by e-mail they would be adding detection shortly.

We're very interested in hearing more about this from you. If you notice the existence of this link on one of your sites and can provide us with more information on how the compromise occurred in your instance, please let us know. This type of information could prove very helpful to other victims.

Using Google's cache we came to the conclusion this script was inserted in at least some pages on web sites in the following domains for a while:
Note that in all likelihood all of those sites are victims. The main purpose of listing them is to allow administrators to check whether their users visited them, and to make it clear that users can't avoid this by changing their surfing habits. Certainly not all -if any- of those sites qualify as part of the dark alleys of the Internet; some would easily fit in a "proper for business use" category.

We contacted all those still sporting the bad link to the exploit earlier today. We're also asking those sites to verify how they got compromised and to share the results of that as far as possible so we can help others find and close the entry vector.

--
Maarten Van Horenbeeck
