Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-03-14 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

MS Windows 2003 SP2

Published: 2007-03-14
Last Updated: 2007-03-15 00:13:20 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

Looking deeper into the security aspects of Windows 2003 SP2, we received a list of known CVEs that are supposed to be fixed in SP2 for Windows 2003:

CVE name Affected Reference
CVE-2006-5578 MSIE 6 MS06-072
CVE-2006-5577
CVE-2006-3443 Winlogon MS06-051
CVE-2006-3281 MSIE 6 MS06-045
CVE-2006-2385 MSIE MS06-021
CVE-2006-2384
CVE-2006-2379 TCP/IP stack MS06-032
CVE-2006-2375 ? ?
CVE-2006-2218 MSIE 6 MS06-021
CVE-2006-1992
CVE-2006-1388 MSIE 6 MS06-013
CVE-2006-1359
CVE-2006-1315 Server Service MS06-035
CVE-2006-1313 Microsoft JScript MS06-023
CVE-2006-1192 MSIE MS06-013
CVE-2006-1190
CVE-2006-1189
CVE-2006-1188
CVE-2006-1185
CVE-2006-0026 IIS MS06-034
CVE-2006-0021 TCP/IP stack MS06-007
CVE-2006-0006 Media player MS06-005
CVE-2005-4089 MSIE MS06-021
CVE-2005-3240 MSIE race condition MSRC blog
CVE-2005-2388 USB driver ?
CAN-2006-1626 MSIE MS06-021
CAN-2005-2129 ? ?
CAN-2005-2123 WMF MS05-053
CAN-2005-0944 Jet DB CERT vuln id 176380
CAN-2005-0803 EMF MS05-053
CAN-2005-0109 Hyperthreading support CERT vuln id 911878
CAN-2004-1331 MSIE CERT vuln id 743974
CAN-2004-1173 MSIE ?
CAN-2004-1060 TCP/IP stack MS05-019

There are a number of interesting things in here for sure.

--
Swa Frantzen -- NET2S

Keywords:
0 comment(s)

Allaple worm

Published: 2007-03-14
Last Updated: 2007-03-14 23:54:52 UTC
by donald smith (Version: 1)
0 comment(s)
This comes from one of our friends over at the Finish cert team CERT-FI / FICORA.

"CERT-FI has been tracking the situation with the Allaple worm
for about 8 months now. We have traced the evolution of the
worm since the first variants came out.

Allaple is a polymorphic worm. The first variants spread through
Radmin installations that had weak passwords.
Every variant so far also tries to locate
all html files on the harddisk to prepend an <object> -tag
into the file to ensure activation of the worm when a local
webmaster views the files. Traces of this behaviour can be
seen on some websites: There's an <object> tag right below the
<html> tag in the page, with the source pointing to a random
UUID.

The first variants were DDOSsing only 1 target and the DDOS was a basic
SYN flood. Shortly there after another target was added to the DDOS routine in the
code.

A bit after that the spreading mechanisms were changed from
Radmin scans to basic catering of Windows exploits,
and yet another target or victim was added.

The SYN DDOS routine has been the same from the first variant
to the latest variant available. Early in the winter code was
added to do HTTP GETs on the target websites. A few other ports
were also targeted. One site is currently getting gentle packet
love on tcp ports 22,80 and 97. Another site is getting packets and
HTTP gets on port 80, and yet another is getting packets on
ports 80 and 443.

The worms have absolutely no Command and Control channels in them.
Once released, there is no way to make them disappear. Their sole
purpose is to spread and DDOS.

In case you are in the correct position, and you feel you would
want to help in this pesky problem, here are a few tricks you can
use to identify Allaple variants on the loose in your networks:

1) ICMP packets with the string "Babcdefghijklmnopqrstuvwabcdefghi",
sans quotes, in the payload.
2) Echo requests to entire networks including host octets of 255 and 0.

We have reason to believe that there will be more variants,
it's just a matter of time when a new one pops out into the open.

CERT-FI is interested in any information or observations regarding the DDOS
or the malware itself. We can be contacted at cert(at)ficora.fi"
Keywords:
0 comment(s)

Mac OS X patches

Published: 2007-03-14
Last Updated: 2007-03-14 22:47:42 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
Well, looks like this month we get more Apple fixes than Windows patches for a change. Mac OS X 10.4.9 is out, and according to US-CERT, this is an upgrade that plugs "arbitrary code execution and SYSTEM level access" type of vulnerabilities. Sounds like a fix even Apple fanboys with lots of faith into the unbreakable nature of their system should consider applying real soon. The same fix covering only the security portion but leaving out the functionality upgrade is also available as Security Update 2007-003, and installs on 10.3.9. More information on both can be found on the Apple Docpage.
Keywords:
0 comment(s)

The end of the trend

Published: 2007-03-14
Last Updated: 2007-03-14 13:23:35 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
I used to be an avid reader of the port statistics of my firewalls, because I can remember a time when they actually told me something. Lately though - it must have started in the second half of 2006 - I've come to the conclusion that the daily stroll through the firewall stats isn't much worth my time anymore. Purists always considered "enumerating badness" as one of the dumber things to spend your time on, but fact is that statistical analysis of firewall drop logs did in the past successfully act as an early warning system for new nasties. My guess (and your opinion is of course entitled to differ) is that these days are past. Looking at my firewall stats, I see lots of things making their way to the top of the trend radar and blinking at me in scary red. Investigation turns out that it is - who knows what, some botnet gone wild, some kid boldly scanning the port no kid has scanned before. For the past months, things on top were invariably neither a trend nor a new attack, simply a random escape of the Internet's intestinal gas.

What really made me think though was the conspicious absence of telnet scans when the Sun snafu came to light a few days back. My stats, while covering lots of IP space, didn't show the scary bright red upswing of tcp/23 badness that - I admit - I was almost gleefully waiting for. Careful manual inspection then showed that - oh! - the telnet probing did happen at my perimeter, but it was well below the level of all that noise that makes it to the top of the "trend" radar. On one day, where a single IP address from South Africa slowly probed a good portion of my IP space for telnet, we also got slammed by a 2000-nodes-in-parallel scan for tcp/17458. And. And. Enough to make the telnet thingy rank on position 84, way below my attention span.

As a couple folks who are more savvy at inspecting network traffic than I am have suggested, trending and comparing the in/out flows on ports that are permitted through the firewalls is of much more value than converting the hits on dropped ports into colorful statistics. They are right - but, alas, as most commercial firewall log analysis tools show, enumerating badness is so much easier to do...
Keywords:
0 comment(s)

OpenBSD IPv6 remote vulnerability

Published: 2007-03-14
Last Updated: 2007-03-14 08:58:09 UTC
by Swa Frantzen (Version: 2)
0 comment(s)
OpenBSD 3.9 and 4.0 have fixed an issue to correct a problem in the IPv6 stack.

Source code patches are available at:
For  workarounds, and if you do not need IPv6, you can use the following (it will block all IPv6):

# vi /etc/pf.conf
Add a line:
block drop in inet6 all
# pfctl -f /etc/pf.conf
To load the new rules in the pf packet filter
# pfctl -s rules
Check the rule got loaded in the runtime rules.
The workaround does disable all incoming IPv6 packets on the machine.

The patch itself is a kernel patch, so you will need to recompile a kernel, install it and reboot the affected machines.

Update (Arrigo): the 3.9 patch applies cleanly to the 3.8, 3.7 and even 3.0 trees.  No excuse not to patch older systems!
--
Swa Frantzen -- NET2S
Keywords:
0 comment(s)
Diary Archives