Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-08-25 InfoSec Handlers Diary Blog



Windows Genuine Advantage (WGA) servers down

Published: 2007-08-25
Last Updated: 2007-08-25 23:43:15 UTC
by Johannes Ullrich (Version: 2)

We got reports (thanks Mike, Matt...) that Microsoft is having issues with its WGA validation servers. This may affect downloading some software from Microsoft as well as new Vista installs. From posts to a Microsoft forum, it looks like this may persist for a few days. I am not sure if the phone-based activation still works, but it's something you may want to try.

This should mostly affect Vista users.

For the Microsoft forum see:

forums.microsoft.com/Genuine/ShowForum.aspx

and a statement from MSFT: forums.microsoft.com/Genuine/ShowPost.aspx

UPDATE

The forum is stating that the issue has now been resolved, with an explanation forthcoming.


Storm of the Day, Now with YouTube

Published: 2007-08-25
Last Updated: 2007-08-25 21:00:55 UTC
by Johannes Ullrich (Version: 2)

The latest variation of the Storm worm claims to be a YouTube video. The link looks like a link to YouTube, but actually points to a "numeric" (bare IP address) URL, like older Storm variants. The downloaded binary is called "video.exe". Malware researchers: this time, the web server will check that you are sending the right referrer.

The source code for the URL:

<a href="http://10.99.65.224/">http://www.youtube.com/watch?v=Ga4y9EQMuDe</a>

Of course, this is just a sample... I replaced the first byte of the IP with 10 to protect the innocent again.
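The trick in that anchor is that the visible text is itself a URL, but its host is not the host the href loads. As an added example (not code from the diary), the following standard-library Python script extracts every anchor from an HTML fragment and reports the ones where the displayed URL's host and the real target's host differ, noting when the real target is a bare IP address. The sample HTML is constructed around the anchor quoted above (the 10.x address is the diary's own sanitised IP) plus two anchors that should not be flagged.

```python
"""Flag anchors whose visible text is a URL but whose href leads somewhere else.

Added example for the Storm "YouTube" lure quoted above; it is not code from the
ISC diary and uses only the standard library. The HTML below is constructed.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the diary's anchor plus two anchors that must not be flagged.
SAMPLE_HTML = (
    '<p>Check this out: '
    '<a href="http://10.99.65.224/">http://www.youtube.com/watch?v=Ga4y9EQMuDe</a>'
    ' and a benign one '
    '<a href="http://www.example.com/page">http://www.example.com/page</a>'
    ' and one whose text is not a URL '
    '<a href="http://www.example.net/">click here</a></p>'
)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-case host of an http(s) URL, or None if the string is not such a URL."""
    parts = urlsplit(text.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def deceptive_anchors(html):
    """One finding per anchor whose displayed URL host differs from the href host."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append({"shown": shown, "real": real,
                             "ip_target": is_ip_literal(real)})
    return findings


if __name__ == "__main__":
    for f in deceptive_anchors(SAMPLE_HTML):
        note = " (bare IP address)" if f["ip_target"] else ""
        print(f"displayed {f['shown']} but loads {f['real']}{note}")
```

Anchors whose text is not a URL ("click here") are deliberately left alone: they are not lying about where they go, they just do not say. Run over a mail archive or proxy log, the "displayed host differs from real host" pattern is a cheap first filter for this family of lures.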

And a quick update: I forgot to post this tip from Robert Reid last time around. Sorry for the delay. It's still a useful tip:

(This ISA signature will block access to web servers that identify themselves as "nginx/0.5.17". This is a valid web server, but one used very little aside from "Storm". As always, watch for false positives.)

We use ISA server and http filters to block access to various web apps and it occurred to me today to do the same thing with Storm. These instructions will work for both ISA 2004 and 2006 and are completely effective.

1. Right click your default access rule and select "Configure http".
2. Click the "Signatures" tab then "Add"
3. Drop down the "search in" box and select "Response headers"
4. In the http headers field type "Server:"
5. In the "Signatures" field put "nginx/0.5.17" (the web server type and version used by Storm)
6. Give the signature a name, click OK, click Apply.
The http filter will now block the download of applet.exe on all web proxy clients. Clients will receive the message:
"502 Proxy Error. The request was rejected by the HTTP filter. Contact your ISA Server administrator. (12217)"
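What those six GUI steps configure is a substring signature checked against one response header, with matching responses replaced by the quoted 502 page. As an added example (not code from the diary, from Robert Reid or from Microsoft ISA Server), the Python below models that filter: it parses only the header block of a raw HTTP response, looks for "nginx/0.5.17" in the Server header, and returns the proxy error text the tip quotes. The sample responses are constructed.

```python
"""Minimal model of the ISA "Response headers" signature from the tip above.

Added example, not code from the diary, from Robert Reid or from Microsoft ISA
Server. It shows what the GUI steps configure (a substring match on one
response header) and applies it to constructed sample responses.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HeaderSignature:
    name: str      # label given to the signature in step 6
    header: str    # header to inspect ("Server:" in step 4)
    pattern: str   # substring to look for ("nginx/0.5.17" in step 5)


# The message the tip quotes for blocked clients.
BLOCK_MESSAGE = ("502 Proxy Error. The request was rejected by the HTTP filter. "
                 "Contact your ISA Server administrator. (12217)")

SIGNATURES = [HeaderSignature("storm-nginx", "Server", "nginx/0.5.17")]


def parse_response_head(raw):
    """Split a raw HTTP response into (status line, {lower-case header: [values]}).

    Only the header block is parsed; the body is never searched, which is what
    "search in: Response headers" means in the ISA dialog.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # ignore malformed header lines
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def matches(headers, sig):
    """True if any value of sig.header contains sig.pattern (case-insensitive)."""
    needle = sig.pattern.lower()
    return any(needle in v.lower() for v in headers.get(sig.header.lower(), []))


def filter_response(raw, signatures=SIGNATURES):
    """Return (allowed, message): allowed is False when a signature matched."""
    _, headers = parse_response_head(raw)
    for sig in signatures:
        if matches(headers, sig):
            return False, f"{BLOCK_MESSAGE} [signature: {sig.name}]"
    return True, ""


# Constructed sample responses.
STORM_LIKE = ("HTTP/1.1 200 OK\r\nServer: nginx/0.5.17\r\n"
              "Content-Type: application/octet-stream\r\n\r\nMZ...")
APACHE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.4\r\n"
          "Content-Type: text/html\r\n\r\n<html>Server: nginx/0.5.17 in body</html>")
NEWER_NGINX = "HTTP/1.1 200 OK\r\nServer: nginx/0.6.1\r\n\r\n"
NO_SERVER = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    samples = [("storm-like", STORM_LIKE), ("apache", APACHE),
               ("newer nginx", NEWER_NGINX), ("no Server header", NO_SERVER)]
    for label, resp in samples:
        allowed, msg = filter_response(resp)
        print(f"{label}: {'allowed' if allowed else 'BLOCKED ' + msg}")
```

Two properties of the signature are visible in the samples: the body is never inspected, so a page that merely mentions the string is not blocked, and the match is pinned to one version string, so any other nginx release passes. That is the trade-off the false-positive warning above is about; a signature this narrow stays quiet on legitimate sites at the cost of going stale as soon as the malware's hosting changes.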

Phish or Vish? The IRS is back.

Published: 2007-08-25
Last Updated: 2007-08-25 09:05:13 UTC
by Mark Hofman (Version: 1)

The IRS wants to give you $80 to participate in a survey, yup really.

Aw... alright, so it’s the IRS scam that is back again, this time with a twist.

<Phish>

Users will be receiving spam messages purporting to come from the IRS, along these lines:

From: Internal Revenue Service [mailto:security@IRS.gov]
Sent: Friday, August 24, 2007
5:23 AM
Subject: IRS Survey : $80.00 to your account - Just for your time!
Importance: High
Congratulations!
Dear Customer,
You’ve been selected to take part in our quick and easy 8 questions survey In return we will credit 80.00 to your account
- Just for your time!
Please spare two minutes or your time and take part in our online survey so we can improve our services.
Don’t miss this chance to change something.
To continue click on the link below:
htm://www.irs.gov/login.asp=survey
© Copyright © 2007 Internal Revenue Service U.SA

The link directs you to a survey page that asks about satisfaction with the IRS, product knowledge, etc. The only details requested on this page are your name, phone number and, optionally, an email address.

On submission a results page is shown where the credit card details are entered to receive the $80.

Straightforward so far.

</Phish>

So why the phone number?

That’s where the Vish comes into play: the scammer uses VoIP to call the person and social-engineer information out of them. For example:

<Vish>

“ Hello Mr I fell for-it, this is Tim from the IRS.  Thank you for filling out the survey, however you didn’t leave any details for us to deposit the $80.  If you provide me with some information now we can arrange payment.”

“uh, ok”

“Let’s start with verifying some details, starting with your social security number....”

.....

</Vish>

Now it might be that the phone number will be used in any case. A credit card number and name is valuable; combined with other personal information it is much more valuable.

There will have been millions of emails sent, so we don’t really want any of those at this stage, but if you know of anyone who has been approached via voice after completing one of these surveys, please let us know.

Mark H - Shearwater


Humour, Politics and Kids online

Published: 2007-08-25
Last Updated: 2007-08-25 07:42:38 UTC
by Mark Hofman (Version: 1)

Humour and politics don’t usually mix, but when you start getting closer to an election things just get a little bit more interesting.   In Australia we are getting closer to a federal election and as the day dawns things are heating up.  One of the topics that had some traction for a number of parties was protecting kids online, an admirable goal.  The current government is therefore now spending AUD189 million to help protect kids online.  AUD84 million was set aside for filtering products for the home computer, to be made available to all Australians for download (some of you are probably already seeing where this is heading). 

A few products were selected (but not endorsed by the government) and made available to the public for download on the 20th of August.  The products are available for various flavours of Windows and Mac and perform the filtering and reporting functions you would expect of this kind of product.  Five days later, you guessed it.  A 15 year old has found a way around the filter (full story here), leaving enough in place for the parent to have a false sense of security while he is able to get to all those nasty little places on the internet.   The relevant vendors are no doubt working hard to fix the issue, but funny nonetheless.  As we all know it is not really a question of if the product can be circumvented, but how fast (something that is actually stated on the government's own site).  In this case my guess was closest with 4 days, so the pot is mine!

Now to be fair to the government the program they implemented was not just an attempt at retaining votes (although I’m sure that it was part of the idea).   When you look closer at it, it is actually a well thought out program.  There are sites for kids and parents to visit to learn about responsible internet use, things to look out for.  The main issue I have with schemes like this is that they are unlikely to reach the people that really need the information.

As for my kids, they know what they can and can’t do on the internet, they also know that dad watches everything, new sites are vetted before they can use them and they know that if they come across anything that makes them uncomfortable they are to let me know, and I teach them about security issues.  I asked my 8 year old the other day for her email password so I could check it (it’s easier to ask her, she uses an 8-character password with numbers and special characters, maybe I taught her too well....).  She said “I’m not supposed to tell you daddy”, luckily for me social engineering your own child still works, but she has the right idea.

In the real world it is easy to tell your kids don't talk to strangers, don't walk down dark alleys, don't go to that part of the city.  On the internet it is not often clear where the dark alleys are and who the stranger is.

Cheers

Mark H - Shearwater
