SANS ISC InfoSec Handlers Diary Blog

TLS & SSLv3 renegotiation vulnerability explained

Published: 2009-11-13
Last Updated: 2011-01-25 00:02:08 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

Thierry Zoller has written a nice summary of the TLS & SSLv3 renegotiation vulnerability, covering examples, impacts, solutions, and a conclusion. It can be found here: http://www.g-sec.lu/practicaltls.pdf. The short version: a man-in-the-middle opens their own TLS session to the server, sends some plaintext of their choosing, then splices the victim's handshake into that session as a renegotiation. Because the renegotiated handshake is not bound to the first one, the server treats the attacker's bytes and the victim's request as one continuous stream from a single peer (for HTTP, an attacker-chosen prefix in front of the victim's authenticated request). The ISC previously discussed the vulnerability here: http://isc.sans.org/diary.html?storyid=7534 and the OpenSSL update here: http://isc.sans.org/diary.html?storyid=7543.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
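As an added example for this diary (not code from the diary or from Zoller's paper), here is a passive check a practitioner can run over captured handshakes. RFC 5746, published in February 2010 after this diary, is the fix: it binds each renegotiation to the original handshake through the renegotiation_info extension (type 0xff01), and a client may instead signal support with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (0x00ff). A hello that carries neither is still negotiating the unbound renegotiation this diary is about. The handshake records below are constructed by hand and the function and constant names are my own.

```python
"""Passive RFC 5746 check on TLS hello messages (added example, not from
the diary or Zoller's paper). renegotiation_info is extension 0xff01;
TLS_EMPTY_RENEGOTIATION_INFO_SCSV is cipher suite value 0x00ff. A peer
whose hello carries neither still uses unbound renegotiation. All records
below are constructed by hand for the demo."""
import struct

RENEGOTIATION_INFO_EXT = 0xFF01
RENEGOTIATION_SCSV = 0x00FF
TLS1_0 = 0x0301

def parse_hello(record: bytes) -> dict:
    """Parse one TLS handshake record holding a ClientHello (type 1) or a
    ServerHello (type 2); return version, cipher suite(s) and extensions."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_type not in (1, 2):
        raise ValueError("truncated or unsupported handshake message")
    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                      # protocol version, then 32-byte random
    pos += 1 + hello[pos]              # session id (length-prefixed)
    if hs_type == 1:                   # ClientHello: list of offered suites
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", hello[i:i + 2])[0]
                  for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + hello[pos]          # compression methods (length-prefixed)
    else:                              # ServerHello: the one chosen suite
        suites = [struct.unpack("!H", hello[pos:pos + 2])[0]]
        pos += 2 + 1                   # suite, then one compression byte
    extensions = {}
    if pos < len(hello):               # extensions block is optional
        ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        if ext_end > len(hello):
            raise ValueError("extensions overrun the message")
        while pos < ext_end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            extensions[etype] = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return {"type": "ClientHello" if hs_type == 1 else "ServerHello",
            "version": version, "cipher_suites": suites,
            "extensions": extensions}

def signals_secure_renegotiation(hello: dict) -> bool:
    """True if this hello advertises RFC 5746 (extension, or SCSV for clients)."""
    if RENEGOTIATION_INFO_EXT in hello["extensions"]:
        return True
    return (hello["type"] == "ClientHello"
            and RENEGOTIATION_SCSV in hello["cipher_suites"])

def _record(hs_type: int, body: bytes) -> bytes:
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", TLS1_0, len(hs)) + hs

def _ext_block(extensions: dict) -> bytes:
    if not extensions:
        return b""
    ext = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in extensions.items())
    return struct.pack("!H", len(ext)) + ext

def build_client_hello(suites, extensions=None) -> bytes:
    """Constructed TLS 1.0 ClientHello: zero random, empty session id, null compression."""
    body = (struct.pack("!H", TLS1_0) + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + _ext_block(extensions or {}))
    return _record(1, body)

def build_server_hello(suite, extensions=None) -> bytes:
    """Constructed TLS 1.0 ServerHello with the chosen suite."""
    body = (struct.pack("!H", TLS1_0) + bytes(32) + b"\x00"
            + struct.pack("!H", suite) + b"\x00" + _ext_block(extensions or {}))
    return _record(2, body)

# Constructed samples: an unpatched client, two patched clients, both server kinds.
OLD_CLIENT = build_client_hello([0x002F, 0x0035])
PATCHED_CLIENT_SCSV = build_client_hello([0x002F, 0x0035, RENEGOTIATION_SCSV])
PATCHED_CLIENT_EXT = build_client_hello([0x002F], {RENEGOTIATION_INFO_EXT: b"\x00"})
OLD_SERVER = build_server_hello(0x002F)
PATCHED_SERVER = build_server_hello(0x002F, {RENEGOTIATION_INFO_EXT: b"\x00"})

if __name__ == "__main__":
    for name, rec in [("old client", OLD_CLIENT), ("client+SCSV", PATCHED_CLIENT_SCSV),
                      ("client+ext", PATCHED_CLIENT_EXT), ("old server", OLD_SERVER),
                      ("patched server", PATCHED_SERVER)]:
        print(f"{name:15} RFC 5746: {signals_secure_renegotiation(parse_hello(rec))}")
```

Feed it the ServerHello from a real capture to learn whether a server has been patched; `openssl s_client` reports the same thing as "Secure Renegotiation IS supported" or "IS NOT supported" in its output. Until both ends speak RFC 5746, the only safe setting is the one OpenSSL 0.9.8l shipped with, refusing renegotiation altogether.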


Conficker patch via email?

Published: 2009-11-13
Last Updated: 2011-01-25 00:01:54 UTC
by Adrien de Beaupre (Version: 2)
7 comment(s)

Microsoft does not send patches, updates, anti-virus, or anti-spyware via email (hopefully ever). The following ended up in my inbox this afternoon. The subject was: Conflicker.B Infection Alert

"Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division"

The attachment is 3YMH6JJY.zip (application/zip, 45.82 KB), and detection at VirusTotal is so-so: https://www.virustotal.com/analisis/5d8caa7c9baaed6242e3842e0dafea5056f41d9c99732f0fd2961bedff647ae5-1258134283

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
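A triage script for this kind of message, added here as an example (it is not part of the diary): it walks the MIME parts, hashes each attachment so it can be looked up on VirusTotal, opens anything that is really a ZIP (judged by its bytes, not its declared type), flags archives that carry an executable, and applies a simple spoofed-sender heuristic for display names like the one above. The message, its addresses and the archive contents are constructed in memory; the heuristic and all names are my own.

```python
"""Triage of a mail message for the lure above: a ZIP attachment carrying
an executable, sent under a spoofed vendor name (added example, not from
the diary). The message and its attachment are constructed in memory;
the 'scan.exe' inside is just an MZ header, not real code."""
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")

def build_sample_message() -> bytes:
    """Constructed message modelled on the diary's lure (addresses are invented)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("scan.exe", b"MZ" + bytes(62))     # fake PE stub, constructed
    msg = EmailMessage()
    msg["From"] = "Microsoft Windows Computer Safety Division <agent2@example.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Conflicker.B Infection Alert"
    msg.set_content("Please install attached file to start the scan.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="3YMH6JJY.zip")
    return msg.as_bytes()

def spoofed_vendor(msg, vendor="microsoft", domains=("microsoft.com",)) -> bool:
    """Heuristic (an assumption, not a rule from the diary): the display name
    claims a vendor but the address is not in one of that vendor's domains."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    claims_vendor = vendor in name.lower()
    from_vendor = any(domain == d or domain.endswith("." + d) for d in domains)
    return claims_vendor and not from_vendor

def triage(raw: bytes) -> dict:
    """Return findings: spoofed-sender flag plus one entry per attachment with
    its SHA-256 (for a VirusTotal lookup), ZIP members and an executable flag."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"spoofed_vendor": spoofed_vendor(msg), "attachments": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        entry = {"filename": part.get_filename(),
                 "content_type": part.get_content_type(),
                 "sha256": hashlib.sha256(data).hexdigest(),
                 "members": [], "executable": False}
        if data[:2] == b"PK":        # sniff the bytes; the declared type is attacker-controlled
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as z:
                    for info in z.infolist():
                        with z.open(info) as f:
                            head = f.read(2)
                        is_exec = (info.filename.lower().endswith(EXEC_EXTS)
                                   or head == b"MZ")
                        entry["members"].append((info.filename, is_exec))
                        entry["executable"] = entry["executable"] or is_exec
            except zipfile.BadZipFile:
                entry["executable"] = True   # malformed archive: treat as hostile
        report["attachments"].append(entry)
    return report

if __name__ == "__main__":
    r = triage(build_sample_message())
    print("spoofed sender:", r["spoofed_vendor"])
    for a in r["attachments"]:
        print(a["filename"], a["content_type"], a["sha256"], a["members"],
              "EXECUTABLE" if a["executable"] else "")
```

The SHA-256 is what the VirusTotal link in the diary is keyed on, so the same value can be checked against a hash you compute locally. Checking the first two bytes of each member matters because a renamed executable inside the archive keeps its MZ header whatever the filename says.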



Flash Origin Policy Attack

Published: 2009-11-13
Last Updated: 2011-01-25 00:01:35 UTC
by Adrien de Beaupre (Version: 2)
1 comment(s)

An apparently critical vulnerability in Adobe Flash has been identified that could allow sites hosting user-generated content to be used to attack their own visitors. Per the disclosure, the Flash player decides what to execute from a file's contents rather than its extension or the Content-Type it is served with, so an attacker who can upload a file to a site (even as an "image" or another permitted type) can upload a SWF, embed it from a page they control, and have it run in the security context of the site that hosts it. Adobe has been advised but has not issued an advisory as of yet, and no patch or easy mitigation information is available. It is possible, of course, to disable Flash entirely, or selectively using add-ons and plugins for your browser of choice. The original disclosure is here: http://www.foregroundsecurity.com/flash-origin-policy-issues.html

I wonder what methods of detecting this exploit exist?

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
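On the detection question, one control that belongs on the upload path is to inspect the bytes of every user-supplied file rather than trusting its name or Content-Type, since Flash decides by the bytes as well. The example below is added here and is not code from the diary or from the disclosure; the allow-list, the sample files and the function names are constructed for the demo.

```python
"""Content sniffing for user uploads (added example, not from the diary or
the Foreground Security disclosure). A SWF begins with 'FWS' (uncompressed),
'CWS' (zlib-compressed) or 'ZWS' (LZMA, introduced later in Flash Player 11),
then a one-byte version and a little-endian 32-bit file length. The
allow-list and sample files below are constructed."""
import struct

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# Constructed allow-list: extension -> acceptable leading bytes for that type.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def looks_like_swf(data: bytes) -> bool:
    """True if the bytes start with a plausible SWF header."""
    if len(data) < 8 or data[:3] not in SWF_MAGICS:
        return False
    version, file_len = data[3], struct.unpack("<I", data[4:8])[0]
    return 1 <= version <= 50 and file_len >= 8

def validate_upload(filename: str, data: bytes) -> tuple:
    """Decide on an upload from its name and bytes only; the client-supplied
    Content-Type is deliberately ignored because the Flash player ignores it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if looks_like_swf(data):
        return False, "content is a SWF regardless of name"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"

# Constructed samples: a SWF renamed to .jpg, and a file with a real JPEG start.
SWF_AS_JPG = b"CWS\x08" + struct.pack("<I", 100) + bytes(92)
REAL_JPG = b"\xff\xd8\xff\xe0" + bytes(28)

if __name__ == "__main__":
    for name, blob in [("avatar.jpg", SWF_AS_JPG), ("photo.jpg", REAL_JPG),
                       ("movie.swf", SWF_AS_JPG)]:
        print(name, validate_upload(name, blob))
```

Rejecting SWF headers closes the variant the disclosure describes but nothing else a plugin might sniff, so the usual companion (standard practice, not something the diary claims) is to serve user uploads from a separate hostname so that whatever slips through runs in that throwaway origin rather than the main site's.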


WordPress 2.8.6 Available - security fixes
New challenge posted at ethicalhacker.net "SSHliders" due 23/11/09

It's Never Too Early To Start Teaching Them

Published: 2009-11-13
Last Updated: 2009-11-13 12:42:55 UTC
by Deborah Hale (Version: 1)
0 comment(s)

Last week it was my pleasure to visit a group of middle school students who are interested in anything to do with science. These young people were eager to learn and had prepared many really good questions about viruses, worms and other malicious programs, as well as other dangers found on the Internet. As they asked their questions and received the answers they became more and more excited about the task ahead of them. You see, this group is involved in a special after-school education program. They spend several weeks working together on a project and then compete against other groups of young people. The group I talked to is tasked with creating a virtual world on the Internet. They are tasked with coming up with a plan to protect this virtual world against the dangers that it faces.

In the discussion I mentioned that many of us in the security field think that people should have to pass a test and get a license before operating on the Internet. So one of the things the kids are working on is a "Driver's Test" for the "Internet Super Highway". They are also working on a "plan" for protecting their virtual world. I am really looking forward to seeing what they come up with.

I enjoy going out and "meeting" young people and talking to them about the dangers in Cyberspace and how to protect themselves, their families and their identity.  Perhaps someday this group of students will come up with some new and creative ideas about how to create a safe virtual world.

I encourage all of you to go out in your communities and talk to the young people, help them understand the Internet Superhighway and the dangers that are just around the corner.  With all of us working together we could really make a difference. To my new young friends I want to say that you are the hope of the future, never stop learning, never stop trying to improve the world we live in or the virtual world we "play in".  You truly are our hope for the future.

Deb Hale, Long Lines, LLC

Keywords: Educate Children

Pushdo/Cutwail Spambot - A Little Known BIG Problem

Published: 2009-11-13
Last Updated: 2009-11-13 02:56:14 UTC
by Deborah Hale (Version: 1)
13 comment(s)

Today was another one of those days that all ISPs dread. I am the Abuse Coordinator for a small Midwestern ISP. Several days ago we started receiving spam abuse reports on the IP address of our corporate firewall. Unfortunately, I discovered that the IP is blacklisted on several blacklists. I began to investigate what could be causing these reports of abuse. I reviewed the logs in the firewall and discovered that we had a couple of workstations doing some bad things. Our IT techs began to look at the computers (both of which had AV installed) and discovered that we had some pretty significant infections on these computers. Both machines were pulled offline, the data backed up, and the machines formatted and reloaded. We were pretty confident that we had solved the problem and breathed an, unfortunately premature, sigh of relief.

Yesterday we again started getting abuse reports, so it was back to the drawing board for me. I started trying to get information on exactly what was being detected and what was causing these abuse reports. This investigation led me to MultiRBL.org. We were indeed listed on several blacklists again. As I began to look at the various blacklists looking for answers, it became apparent that we were dealing with a Trojan/botnet called Cutwail Spambot, aka Pushdo, aka Pandex. The interesting thing is, I had never heard of it. So last night I began to research just what this Cutwail Spambot was. What I found out just blew me away.

I came across an article from Trend Micro researchers Alice Decker, David Sancho, Loucif Kharouni, Max Goncharov, and Robert McArdle. The article is titled "A Study of the Pushdo/Cutwail Botnet, An In-depth Analysis". The article indicates that this particular botnet has been around since January 2007 and is the second largest spam botnet on the planet. This particular spambot is believed to be responsible for approximately 7.7 billion spam emails per day, making it responsible for 1 out of every 25 spam emails sent worldwide. According to the findings of the research team, the development team for Pushdo/Cutwail works very hard and uses several techniques to keep their program "under the radar". In the article they outline these techniques, which include using multiple variants that react a bit differently, remaining memory resident with very little actually written to disk, and frequent updates and changes to the code to prevent discovery.

This article contains an in-depth look at the botnet and gives good insight into how to detect and control it. It is well worth reading. Other research that I have done indicates the best program to find the Pushdo/Cutwail Spambot is Microsoft's Windows Malicious Software Removal Tool.
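The firewall review described above is where this kind of infection shows up first. Here is an added example (not from the diary or from the papers it cites) of that check run over sample log lines: a workstation that opens TCP/25 to many distinct outside mail servers is sending spam directly, while clean hosts only ever talk SMTP to the company relay, if at all. The log format, the addresses and the threshold are constructed for the demo; adjust the regex to your own firewall's format.

```python
"""Spot spambot behaviour in outbound firewall logs (added example, not
from the diary or the papers it cites). A host sending spam on its own
opens TCP/25 to many different mail servers; legitimate workstations
only talk SMTP to the organisation's relay. The log format and the
lines below are constructed; adjust LOG_RE for your firewall."""
import re
from collections import defaultdict

# Constructed format: "<ts> fw: src=<ip>:<port> dst=<ip>:<port> proto=<proto> action=<act>"
LOG_RE = re.compile(
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+"
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+"
    r"proto=(?P<proto>\w+)")

# Constructed sample: 10.1.2.55 fans out to six outside MXs, 10.1.2.20 only
# uses the relay 10.1.1.5 (plus HTTPS), 10.1.2.30 touches two outside MXs.
SAMPLE_LOG = """\
2009-11-12T09:00:01 fw: src=10.1.2.55:4011 dst=192.0.2.17:25 proto=TCP action=allow
2009-11-12T09:00:01 fw: src=10.1.2.55:4012 dst=198.51.100.9:25 proto=TCP action=allow
2009-11-12T09:00:02 fw: src=10.1.2.55:4013 dst=203.0.113.11:25 proto=TCP action=allow
2009-11-12T09:00:02 fw: src=10.1.2.55:4014 dst=192.0.2.3:25 proto=TCP action=allow
2009-11-12T09:00:03 fw: src=10.1.2.55:4015 dst=198.51.100.8:25 proto=TCP action=allow
2009-11-12T09:00:03 fw: src=10.1.2.55:4016 dst=203.0.113.22:25 proto=TCP action=allow
2009-11-12T09:00:03 fw: src=10.1.2.55:4017 dst=192.0.2.17:25 proto=TCP action=allow
2009-11-12T09:00:04 fw: src=10.1.2.20:3301 dst=10.1.1.5:25 proto=TCP action=allow
2009-11-12T09:00:04 fw: src=10.1.2.20:3302 dst=10.1.1.5:25 proto=TCP action=allow
2009-11-12T09:00:05 fw: src=10.1.2.20:3303 dst=192.0.2.80:443 proto=TCP action=allow
2009-11-12T09:00:05 fw: src=10.1.2.30:2201 dst=10.1.1.5:25 proto=TCP action=allow
2009-11-12T09:00:06 fw: src=10.1.2.30:2202 dst=203.0.113.5:25 proto=TCP action=allow
2009-11-12T09:00:06 fw: src=10.1.2.30:2203 dst=203.0.113.6:25 proto=TCP action=allow
"""

def smtp_fanout(lines, mail_relays=frozenset()):
    """Map each internal source to the set of distinct TCP/25 destinations it
    contacted, ignoring the approved relays."""
    fanout = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("proto") != "TCP" or m.group("dport") != "25":
            continue
        if m.group("dst") in mail_relays:
            continue
        fanout[m.group("src")].add(m.group("dst"))
    return dict(fanout)

def spam_candidates(lines, mail_relays=frozenset(), min_destinations=5):
    """Hosts whose direct-to-MX fan-out meets the threshold; tune the threshold
    to what your own users legitimately do."""
    return {src: sorted(dsts)
            for src, dsts in smtp_fanout(lines, mail_relays).items()
            if len(dsts) >= min_destinations}

if __name__ == "__main__":
    relays = frozenset({"10.1.1.5"})
    for host, dsts in spam_candidates(SAMPLE_LOG.splitlines(), relays).items():
        print(f"{host}: {len(dsts)} distinct outside MXs, e.g. {dsts[:3]}")
```

Because the corporate firewall NATs everyone behind one address, the blacklists only ever name that address; the per-host source IP in your own logs is what identifies the machine. Once the relay is the only host allowed to reach TCP/25 outbound, the same rule stops the spam from leaving even before the infected box is rebuilt.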

Another article, by Matt McCormack, entitled "When the Hammer Falls – Effects of Successful Widespread Disinfection on Malware Development and Direction", gives additional information about the botnet and gives detailed information and instructions for ridding your network of it.

Our techs have their work cut out for them. They are going to have to "touch" all 250 employee computers (249 - mine is clean) plus all of our Windows servers to make sure that we get rid of all of the infected computers. We are also investigating a change in anti-virus software. Unfortunately the one we have been using has fallen into the category of less than reliable, so now we are trying to decide what we need to switch to. Now is as good a time as any; after all, we are going to have to "touch" every computer.

I am just amazed that this botnet is the 2nd largest in the world, has been around for almost 3 years, and I am just now dealing with it. We still haven't figured out how this botnet got started, and we aren't sure where it started, but we do know we can't wait to rid our network of this mess.

Everyone who manages networks, no matter what the size, needs to read these articles and know what to look for and how to recognize the presence of the botnet. I for one vote for eradication of this botnet and a reduction of 7.7 billion spam emails a day. Sure would make my spam filter easier to manage. Wouldn't it be great to somehow eliminate these bad guys?

Check out the articles at:

Matt McCormack Article - download.microsoft.com/download/3/8/d/.../McCormack-VB2008.pdf

Trend Micro Article - us.trendmicro.com/imperia/md/content/us/pdf/.../study_of_pushdo.pdf

I would be interested in hearing about other people's experiences with this botnet and in finding out if you have any good tips for detecting and "killing" the bot. So let's hear from all of you bot herders out there.


Deb Hale, Long Lines, LLC
