Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog



JPEG Exploit Toolkit, JPEG Hacktool, GDIScan Tool, In Search of the Botnet - Lessons Learned

Published: 2004-09-25
Last Updated: 2004-09-25 14:09:06 UTC
by Deborah Hale (Version: 1)

JPEG Exploit Toolkit
A toolkit designed to exploit a recently disclosed Microsoft JPEG vulnerability has been released. The security hole is a buffer overflow condition that can lead to compromise of the system. An attacker could potentially create a JPEG file that takes control of a victim's machine when the user views it through Internet Explorer, Outlook, Word, and other programs.

http://www.theregister.co.uk/2004/09/24/jpeg_exploit_toolkit/

For a complete list of Microsoft operating systems and application programs potentially affected by this vulnerability, see the information at:

http://www.microsoft.com/security/bulletins/200409_jpeg.mspx

A group of Handlers has been "playing" with the toolkit. So far it hasn't worked too well. However, as with all of these, they have a tendency to get better real fast. Therefore, apply the patches on both the operating systems and application programs as recommended by Microsoft.

Microsoft applications are not the only ones that may be affected by the vulnerability. It may be present in many other image viewing, manipulation, screen capturing and digital camera programs as well. See the GDIScan Tool section below for a tool to help you determine which of your applications are vulnerable. Once you have determined which applications are vulnerable, you will need to contact the manufacturer for updates.

JPEG Hacktool
The 3 major anti-virus companies have now released definition files that will detect the JPEG exploits.

Symantec - Hacktool.JPEGDownload
http://securityresponse.symantec.com/avcenter/venc/data/hacktool.jpegdownload.html

McAfee - Exploit-MS04-028
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=128461

Trend Micro - HKTL_JPGDOWN.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HKTL_JPGDOWN.A

GDIScan Tool

One of our fellow Handlers and our resident expert on the color "orange", Tom Liston, has written a program that will help to detect and identify the files that are potentially vulnerable to the JPEG exploit. The tool allows you to select which drive to check. The files that are possibly vulnerable are identified in yellow text.

The GDIScan program can be downloaded from the Internet Storm Center.
http://isc.sans.org/gdiscan.php

In Search of a Botnet - Lessons Learned

In my Inbox today was an email with a link to an article titled "When Bot Nets Attack". The subtitle was "Is your computer part of a bot army, infiltrating systems and spreading spam?"

This particular article caught my attention. This article hit really close to home! I have first-hand experience with the topic of the article.

For the last three weeks I have been assisting a large organization that has been virtually brought to a standstill by a Botnet. They have agreed to allow me to talk about the experience providing that I don't disclose the name of the organization.

Our challenge with the worm began on September 6th. The organization has 40 locations and approximately 60 servers and approximately 3000 workstations.
The organization began to experience loss of Internet connectivity in several locations and before long they discovered that they were in the middle of a Denial of Service attack. Their network was under extreme load and continually kept shutting down. They hooked up their EtherPeek system and began monitoring the network and soon discovered that they were being overrun with CIFS traffic.

They immediately shut down their network and killed all connections to the outside world and we began to try and track down the cause of the traffic load. We began bringing the locations back online one at a time and soon discovered that of the 40 locations 29 of them were participating in the activity. The traffic seemed to be aimed at port 445 and was very persistent. As quickly as we brought the infected locations online the Denial of Service attack would ramp back up.

We began to look at the machines in the main facility that appeared to be generating a large amount of traffic. Quickly we discovered that their Norton Anti-Virus definitions were not getting updated in spite of the fact that they had always worked in the past. As we began to attempt to determine the cause of the failure to update we discovered that the hosts file was corrupt and was overriding and preventing the Live Update from running. We soon discovered that approximately half of the workstations and some of the servers were infected with W32.GAOBOT.

We began to clean the machines up and get the definition files updated. We thought we had everything under control when it hit again. However, Norton was not detecting it as W32.GAOBOT. As a matter of fact, it was not being identified at all. We soon discovered that there were two different executable files running that were causing the problems.

The files were not detectable via Windows Explorer or in DOS. The only way to find the file was to go to the command prompt - to the C:\winnt\system32 directory and attrib the file. On XP the file is SHR and on 2000 Pro it is R. After we discovered this we removed the attrib and deleted the file and the CIFS traffic stopped. Norton now identifies this as W32.Spybot.Worm.

We also discovered several of the computers had a bla.txt file. This file contained a pointer to an IP address for a computer within the organization, a port call and userid and password. I finally located the machine and began to evaluate what this computer was doing. I found a program called bot.exe in the registry run and run services keys. I finally was able to locate this file by booting to DOS and doing an attrib and locating the file. All was well I thought - delete the file and all would be well. Well - not exactly, I deleted the file - the computer immediately rebooted and immediately gave me an error indicating that the computer was missing some required files. I put in a Windows XP CD and ran repair. And the computer recovered.

We are still cleaning up and testing to ensure that the infection does not return. We did discover that we had several machines throughout the organization that had various spyware and other downloaded games and programs. One that stands out and may well have been the entry point for the worm is the ARES P2P program.

In spite of the policies in place that prohibit download and installation of software, in spite of the policies in place that prohibit P2P applications, despite the firewalls and protective measures that the organization had taken, despite installing a managed anti-virus solution, they got infiltrated.

We have already identified several items that need to change, policies that need to be put in place and procedures that need to be updated. All of this will be reviewed after this has passed and hopefully we can find solutions to yet better protect their systems.
Deb Hale

Handler on Duty

haled@pionet.net
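
An added example (not part of the original diary and not an ISC tool): a Python check for the kind of hosts-file tampering described in the incident above, where entries in the hosts file kept Live Update from running. The `audit_hosts` helper, the sample file and the `av-vendor.example` hostnames are constructed for illustration; substitute the update hosts your anti-virus product actually contacts.

```python
import ipaddress

# Names that legitimately point at loopback in a default hosts file.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample of a tampered hosts file (hostnames are placeholders).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       liveupdate.av-vendor.example
0.0.0.0 definitions.av-vendor.example www.av-vendor.example
10.20.30.40     intranet.corp.example
192.0.2.77      update.av-vendor.example
garbage-line-without-address
"""

def audit_hosts(text, watched_suffixes=()):
    """Return (line_no, reason, raw_line) findings for the text of a hosts file."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, "malformed address", raw))
            continue
        if len(fields) < 2:
            findings.append((line_no, "address without hostname", raw))
            continue
        for name in (f.lower().rstrip(".") for f in fields[1:]):
            if name in BENIGN_NAMES:
                continue
            watched = any(name == s or name.endswith("." + s) for s in watched_suffixes)
            if addr.is_loopback or addr.is_unspecified:
                # Any real hostname pinned to 127.x / 0.0.0.0 / ::1 is unreachable.
                findings.append((line_no, f"{name} sinkholed to {addr}", raw))
            elif watched:
                # An update host pinned to a fixed address bypasses DNS entirely.
                findings.append((line_no, f"{name} overridden to {addr}", raw))
    return findings

if __name__ == "__main__":
    for line_no, reason, raw in audit_hosts(SAMPLE_HOSTS, ("av-vendor.example",)):
        print(f"line {line_no}: {reason}: {raw.strip()}")
```

On Windows 2000 and XP the file to feed in is `%SystemRoot%\system32\drivers\etc\hosts`; a clean default file produces no findings.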