
SANS ISC InfoSec Handlers Diary Blog



Don't open that invoice.zip file, it's not from UPS

Published: 2008-09-16
Last Updated: 2008-09-16 20:15:52 UTC
by donald smith (Version: 1)
1 comment(s)

We received two reports of fake UPS invoice tracking Trojan zip files.
This is similar to other invoice Trojans we have seen.

Here is one of the email bodies. Notice that while this appears to be a two-way conversation, it was really just the spammer who created the whole thing. The victim did not send UPS an email.
Email header:

To: victims@email.address
Subject: Re: missing package
From: John Henry <johnhenry.support@ups.com>
Reply-To: johnhenry.support@ups.com

Email body:

 Mr./Mrs. Victims First and Last name
 
 I am sorry for this late reply, but we have good news.
 
 We managed to track your package, and we have attached the
 invoice you asked for to this reply.
 
 The invoice contains the correct tracking# , since the one
 you gave us was invalid.
 
 You can use it on the ups website to track your shipment.
 
 Thank you
 John Henry
 UPS Customer Care Department
 
 
 From: victim’s name and email address
 Subject: missing package
 To: support@ups.com
 Date: Monday, September 8 , 2008, 10:38 AM
 
 I have recently used UPS to send a package to my cousin but
 he never received it.
 
 Also , the tracking number doesn't check on the website, and
 I lost the invoice.
 
 Can you forward me a copy?
 
 
 
Here you have the tracking# : 03073332100016836200


 
Original File Name: invoice.zip

9/36 of the virus engines at VT recognized it.

AntiVir 7.8.1.28 2008.09.16 TR/Crypt.FKM.Gen
Authentium 5.1.0.4 2008.09.16 W32/Heuristic-VFM!Eldorado
BitDefender 7.2 2008.09.16 MemScan:Trojan.Spy.Delf.NQT
CAT-QuickHeal 9.50 2008.09.16 (Suspicious) - DNAScan
F-Prot 4.4.4.56 2008.09.16 W32/Heuristic-VFM!Eldorado
Ikarus T3.1.1.34.0 2008.09.16 BehavesLike.Win32.Malware

MD5...: 400d16b0b2752eec51ff98597a883109
SHA1..: f1aa065f051af97dcca5bd0717b57f186d4ff85d
SHA256: 3c5600c53f16dd00940154f3e28e8dc06c6b55eb423ea453a1af72b5f76523a0
SHA512: fb6ff9abb2f422a2cda2a9b0de7703ace2d404d75ead7622aa7e789ff0df4152d23a5eb6692486fc72fee1a496720398a8c80eb2dac25e7d3a4932f876f09452

Thanks TomG for submitting this one.
 


SSH brute force password guessing AKA SShellPhishing

Published: 2008-09-16
Last Updated: 2008-09-16 15:26:54 UTC
by donald smith (Version: 1)
5 comment(s)

A coworker (Matt) and I wanted a shorter name for ssh brute force password guessing and we combined ssh shell and phishing into SShellPhishing.


We continue to see ssh brute force password guessing attempts. Occasionally we see large increases. We have seen the attacks switch from one host attempting lots of passwords to lots of hosts that appear to share a dictionary, each attempting a few username/password combinations (coordinated and distributed).
That was the direct result of limiting the number of times an IP could attempt to log in
(fail2ban, bruteforceblocker, denyhosts, sshdfilter, pam_abl, ...).
So the cyberwar arms race continues, with the bad guys developing tools and methods to get around common mitigation methods.

I recently wanted to validate some SShellPhishing reports I received.
One of the validation steps I used was to check the reported IP addresses against this SShellPhishing blacklist run by Daniel Gerzo. It has nearly 3k entries.
http://danger.rulez.sk/index.php/bruteforceblocker/
I also spot checked about 40 IP addresses against other SShellPhishing lists, and every IP I checked also appears on Daniel's list. So while I didn't get a chance to validate his work in my previous diary https://isc.sans.org/diary.html?storyid=3529
I am now willing to say that I believe Daniel's list has a very low false positive rate. I saw no false positives, so the percentage has to be near 0%. If anyone else has the time and wishes to validate portions of his list, I would appreciate any feedback.

This diary had a fairly large list of ssh brute force password guessing mitigations and tools.
http://isc.sans.org/diary.html?storyid=846
Combining some of those mitigation recommendations for a defense in depth approach is a good idea.
I recommend moving your ssh from port 22, as we have yet to see a single report of SShellPhishing against a port other than 22. For those of you who think that is simply security via obscurity, I would agree, with the following caveat: forcing the bad guys to scan all 64k ports on a system to find the ssh port prior to attacking adds to the time it takes to compromise systems. It buys system owners time to react, potentially preventing compromise. It buys ISPs time to notify compromised customers, and it is fairly noisy.
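The shift described above, from one noisy host to many hosts sharing a dictionary, is exactly what per-IP lockout tools cannot see. The following is an added example, not code from the diary or from any of the tools named: it parses constructed sshd log lines, flags the hosts a per-IP threshold would block, separately flags usernames being tried from many low-volume sources, and checks the suspect IPs against a constructed stand-in for a shared blacklist.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (not from the diary): one host hammering
# passwords, then several hosts each trying the same username once.
SAMPLE_LOG = """\
Sep 16 10:01:02 host sshd[2101]: Failed password for root from 192.0.2.10 port 40111 ssh2
Sep 16 10:01:03 host sshd[2102]: Failed password for root from 192.0.2.10 port 40112 ssh2
Sep 16 10:01:04 host sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 40113 ssh2
Sep 16 10:01:05 host sshd[2104]: Failed password for invalid user oracle from 192.0.2.10 port 40114 ssh2
Sep 16 10:02:01 host sshd[2110]: Failed password for invalid user oracle from 198.51.100.7 port 51000 ssh2
Sep 16 10:02:02 host sshd[2111]: Failed password for invalid user oracle from 198.51.100.8 port 51001 ssh2
Sep 16 10:02:03 host sshd[2112]: Failed password for invalid user oracle from 203.0.113.4 port 51002 ssh2
Sep 16 10:02:04 host sshd[2113]: Failed password for invalid user oracle from 203.0.113.5 port 51003 ssh2
Sep 16 10:03:00 host sshd[2120]: Accepted publickey for alice from 203.0.113.50 port 52000 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})")

def parse_failures(log_text):
    """Return (username, source_ip) for every failed-password line; other lines are ignored."""
    return [(m.group("user"), m.group("ip"))
            for line in log_text.splitlines() if (m := FAILED_RE.search(line))]

def noisy_hosts(failures, per_ip_threshold):
    """IPs with at least per_ip_threshold failures: what fail2ban-style per-IP limits catch."""
    counts = Counter(ip for _, ip in failures)
    return {ip: n for ip, n in counts.items() if n >= per_ip_threshold}

def distributed_guessing(failures, per_ip_threshold, min_sources):
    """Usernames tried from at least min_sources distinct IPs that each stayed
    below per_ip_threshold: the coordinated pattern per-IP lockout never sees."""
    counts = Counter(ip for _, ip in failures)
    sources = defaultdict(set)
    for user, ip in failures:
        if counts[ip] < per_ip_threshold:
            sources[user].add(ip)
    return {user: sorted(ips) for user, ips in sources.items() if len(ips) >= min_sources}

def check_blacklist(ips, blacklist):
    """Split suspect IPs into those already on a shared blacklist and those not."""
    listed = sorted(ip for ip in ips if ip in blacklist)
    unlisted = sorted(ip for ip in ips if ip not in blacklist)
    return listed, unlisted

if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("per-IP offenders:", noisy_hosts(fails, 4))
    print("distributed:", distributed_guessing(fails, 4, 3))
    # The blacklist set below is a constructed stand-in for a downloaded list.
    print(check_blacklist({ip for _, ip in fails}, {"192.0.2.10", "198.51.100.7"}))
```

The IPs in the "unlisted" half of the last result are the ones worth reporting to a shared list rather than only blocking locally.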


Apple Updates you may have missed in the past week

Published: 2008-09-16
Last Updated: 2008-09-16 13:28:48 UTC
by Joel Esler (Version: 2)
0 comment(s)

Since I posted the Apple update 10.5.5/Security Update 2008-006 earlier, I thought I might go ahead and list all the Apple Updates that have come out in the past week.

1)  iTunes 8.0 -- Security related updates here.

2)  iPod Update 2.1 -- Security related updates here. Referenced here by Adrien.

3)  iPhone Update 2.1 -- Security related updates here, already posted by Mark.

4)  Bonjour for Windows 1.0.5 -- Security related updates here.  Referenced here by Adrien.

5)  Quicktime update 7.5.5 -- Security related updates here.

I recommend applying all of these, obviously, as there are some pretty vital updates buried in here. 

-- Joel Esler http://www.joelesler.net

Keywords: Apple