php boxing continues

Published: 2004-12-26
Last Updated: 2004-12-26 23:03:47 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
php users, Update php and AV sigs, MS users, Update your AV sigs

A few of the pairs of eyes in the FOSS (Free and Open Source Software) community recently looked over the security of php, and as a result of that community effort developers released new versions in a flurry last week. If you haven't updated, please do so asap.

A php Internet worm released on 12/25/2004 that doesn't use php bulletin boards - it attacks "ALL php scripts/pages which are vulnerable to a "File Inclusion" Flaw".

K-OTik Security has issued an Alert to clarify issues relating to whether or not php worms commonly named santy.c and santy.e attack bulletin boards.

They have demonstrated that a php worm released on 12/25/2004 and commonly called santy.c and santy.e has had incorrect information associated with the descriptions of it that may delude you into thinking that, since you do not use php bulletin boards, your server is not at risk. K-OTik Security has named this the PhpInclude.Worm and their alert is emphatic that "This worm attacks ALL php scripts/pages which are vulnerable to a "File Inclusion" Flaw (related to an insecure use of the Include() & Require() functions).

these "programming" flaws are independent from the server's PHP version, they result from common coding mistakes"

K-OTik has described this worm as a significant threat. And from what I've seen this shift and weekend you may not be configured to "Dodge This".

The K=OTik Alert is at:
For background PhpInclude information see the summary:

Also, some AV Vendors have responded quickly to the rash of php Internet worms and santy variants, and have also added protection for recent exploits aimed at MS products. For additional information check out yesterday's Diary, and the Handlers Diary from 12-17-2004:
or the F-Secure Weblog.

"boxing-day" Incident Response

One of the most enjoyable exchanges I had this shift was with Arjan van der Oest who responded with professional alacrity to a report from the ISC of malicious activity. Arjan ended one of his emails with the sentence "Enjoy your boxing-day!" and I got the meaning of his use of "boxing" immediately, incident response to 0wn3d b0x3n. Arjan's use of the word "boxing" as a description of all of our incident responses to the php Internet worm variants (yesterday and for the next few days) really "made" the early morning hours of today for me, all before coffee was even done. If this is a new use of the word "boxing", and it surely is appropriate, "Salute Arjan!". And even if it's not a new use of the word "boxing" for describing Incident Response to 0wn3d b0x3n, "Salute Arjan!".

Readers and Reporters - Thanks for your 2004 submissions.

SANS has multiple lists and their participant's reports, observations and analysis "from the field" regularly equal and exceed infosec offerings by a load of other sources. I appreciate your submissions immensely. So .... I thank all of you very much and best wishes for 2005! And as far as the new year goes, any year when the "originals" continue to post extensively to other public list forums is a great year, and I hope that in 2005 they continue sharing their insights.

More Thanks

Over the last 2 days we have received many reports and samples of the php santy Internet worm variants. In addition many submissions contained detailed information and evidence sufficient to get many bot servers and malware storage systems taken offline. Here's another "Thank You" to the ones who can be publically acknowledged for your community efforts. Thanks! Will Beers, K-OTik Security Research & Monitoring Team, Matt Jonkman and the folks at, Handler Erik Fichtner, Handler Koon Yaw Tan, Pascal Zoutendijk, den_RDC, Daniel Hay, Arjan van der Oes, Paul Laudanski, Razz, Handler Donald Smith and ISC CTO Johannes Ullrich.

2005, out with the old? Nope. (..trends.. and personal opinion)

There have been many excellent threat trend analysis' published this year. I thank all of the vendors for their efforts and information sharing.

fwiw, I find one trend, a MM that "uses (usermode) rootkit techniques", troubling (more below at the end, in the Rootkit Trend item). And I hope that sales of IDS's in 2005 don't take a hit for any reason this year, because it'd be a real shame if something like a NIDS' deployment decision receives fewer network resource allocation$ than "compliance" software. Compliance software isn't going to detect anything a rootkit is sending out of your network using HTTP (another troubling trend), and by the time AV vendors get a signature deployed for each days new rootkit variants, the "horse already left the barn". I'm not slamming the AV vendors here, their rapid deployment of protection against easily deployed exploits for unpatched vendor vulnarabilities is a very positive trend.

As usual, I reviewed available information and put together some thoughts, and as usual, they're based on other people's great work. Errors are my own though, and I note I religiously scan for indications of the NIH virus.

How to prevent usermode rootkit installation:

1. Don't run the attachment ( ... user education has been an explicit issue for more than 10 years iirc ......)

2. Prevent dll injection and hooking (protecting critical system files has also been an explicit issue for more than 10 years iirc ......):

DiamondCS ProcessGuard and Sygate's Firewall
3. "Just Say No" to Admin and System priveleges - Configuration and Change Management;

CIS Benchmarks
"The practical CIS Benchmarks support available high level standards that deal with the "Why, Who, When, and Where" aspects of IT security by detailing "How" to secure an ever widening array of workstations, servers, network devices, and software applications in terms of technology specific controls."

Visible Ops
4. Other - prevention or latent detection:

... keep up to "Day" (nay, _hour_) AV def's. (although this is something that is critical for an email gateway, accomplishing it for the masses is problematic, a trend that is promising is ISP inclusion of AV in their offerings. How a solution is going to be found for the bandwidth impaired escapes me.

5. Rootkit Boxing - Incident Response:

A. Flatten the system, not the user.

B. Have incident responders armed with security response tools for remote incident management and onsite incident response using bootable CD's with capable tools.

C. Train them in how to use those security tools to flatten systems or detect rootkits (and no, I do not mean that the responders need to be trained to do an Alien system autopsy).

STD Knoppix
Winternals Administrator's Pak

Winternals ERD Commander 2003


SANS@HOME - X, -Jan 27-May 05, 05
Security 504: Hacker Techniques, Exploits & Incident Handling With Ed Skoudis

SANS@Home - XI, -Feb 02-23, 05
Security 601: Reverse-Engineering Malware With Lenny Zeltser
"The SANS@HOME Instructor Led program meets the demand for high quality information security training in a convenient setting that is right for you. The sessions are conducted by SANS best. The same SANS Certified Instructors you would find at a six-day onsite conference. SANS@HOME - IL offers flexibility, affordability and critical information security training without the travel."

Book of the Year?

Exploiting Software - How to Break Code
By Greg Hoglund, Gary McGraw
Publisher : Addison Wesley
Pub Date : February 17, 2004
ISBN : 0-201-78695-8

More information is at;

ROOTKIT - The Online Rootkit Magazine, try downloading the kits and see how long they've been working on avoiding detection in Safe Mode, and looking at and using other device firmware, and there is a "rut ro" I hope some security application vendors are looking at, "intermediate driver" research.

As a related fwiw, MS's "new" stack design is linked next (legitimate application vendors, I feel your pain):
"Introducing the Windows Filtering Platform
This paper provides information about the Windows Filtering Platform (WFP) for Microsoft® Windows® codenamed ?Longhorn?."

Rootkit Trend:

Websense, thanks! for the inertia kick analysis.
"December 16, 2004 Malicious Code / Phishing Alert: Maslan.c"

More Info

"stealths its presence on the victim machine"

"Browser Monitoring"

"The worm monitors (monitors = keystroke logger) browser sessions where the window title contains one of the following strings:


Name Backdoor.Win32.SdBot.ts (AVP, dropped bot) Net-Worm.Win32.Maslan.b (AVP) PE_MASLAN.C (Trend) W32.Maslan.C@mm (Symantec) W32/Maslan-C (Sophos) W32/Sdbot-RW (Sophos, dropped bot) Win32.HLLM.Alaxala (Dialogue Science)"

"Uses rootkit techniques to prevent the files and processes whose "names start with ___ (three underscore characters) from being visible to users. This may also cause the Task Manager to fail to start."

"Logs keystrokes."

Patrick Nolan
0 comment(s)


Diary Archives