Diaries

Published: 2004-01-30

www.sco.com unreachable

It appears that access to www.sco.com is intermittent/unreachable at this point in time. It is not known whether they took themselves offline or whether it's the result of mydoom.a and the DDOS that it was supposed to launch on 1 February 2004. Right now all of us are in a watch and wait mode until we see what actually happens.


For more information on MyDoom.B and the possible DDOS of Microsoft on 3 February 2004 see the handler's diaries at:



http://isc.incidents.org/diary.html?date=2004-01-28

http://isc.incidents.org/diary.html?date=2004-01-29
Enjoy the Super Bowl!!!

Lorna Hutcheson

0 Comments

Published: 2004-01-29

MyDoom.B Update

MyDoom.B is rapidly spreading, and using some new techniques in addition to features shown in yesterday's diary:

- MyDoom.B will replace the 'hosts' file on infected systems. This file is used to override DNS resolution. If a system is infected with MyDoom.B, sites like support.microsoft.com and some antivirus sites (www.symantec.com, www.sophos.com, www.my-etrust.com and others) will no longer be reachable.

- There are reports that MyDoom.B will scan for systems which are infected with MyDoom.A, and it will upload itself to such systems.

- While MyDoom.A included code to launch a DDOS attack on www.sco.com, MyDoom.B modified the target host to www.microsoft.com.
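The hosts-file tampering described above is easy to check for on a workstation, and the check is useful after running any removal tool, since the tool may not restore the file. The following is an added example, not code from the ISC diary or from any vendor's removal tool; the watchlist is the set of sites named in this entry, and the hosts-file content is constructed for the example (the addresses used are placeholders, not the worm's actual entries).

```python
# Added example (not from the ISC diary): check a Windows-style hosts file for
# entries that would silently cut off update and antivirus sites, the
# behaviour described for MyDoom.B. Watchlist taken from the diary text.
import ipaddress

WATCHED_DOMAINS = {
    "support.microsoft.com",
    "windowsupdate.microsoft.com",
    "www.symantec.com",
    "www.sophos.com",
    "www.my-etrust.com",
}

# Constructed sample of a tampered hosts file. The addresses are placeholders
# chosen for the example, not the worm's real entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         support.microsoft.com
0.0.0.0         www.symantec.com www.sophos.com
127.0.0.1       www.my-etrust.com   # tampered entry with trailing comment
10.0.0.5        intranet.example.internal
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text.

    Comments (#...) and blank lines are skipped, and one address may carry
    several hostnames on a single line, as the format allows.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line, not an IP address; ignore it
        for name in names:
            yield addr, name.lower()


def find_tampering(text, watched=WATCHED_DOMAINS):
    """Return sorted (hostname, address) pairs for watched domains.

    Any hosts-file entry for a vendor or update domain is suspicious: a
    workstation has no legitimate reason to pin those names locally, and
    pointing them at loopback or 0.0.0.0 is exactly how they get blocked.
    """
    hits = set()
    for addr, name in parse_hosts(text):
        if name in watched:
            hits.add((name, addr))
    return sorted(hits)


if __name__ == "__main__":
    for name, addr in find_tampering(SAMPLE_HOSTS):
        print(f"hosts file overrides {name} -> {addr}")
```

On a real system, read the file from `%SystemRoot%\system32\drivers\etc\hosts` and pass its contents to `find_tampering`; any hit means the file should be restored, following Microsoft's instructions linked below, before trusting that the machine can reach update sites again.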

Recommendation

- closely monitor your network for excessive port 3127 traffic. It may pinpoint MyDoom.B infected systems.

- MyDoom uses fake 'From' headers. DO NOT REPLY to infected messages. Some antivirus filters will automatically notify the sender of an infected e-mail. Turn off this feature, as it may flood innocent bystanders.

Removal

Antivirus vendors are offering free removal tools. However, in particular for MyDoom.A, attempts have been observed to upload additional malware using the backdoor installed by the virus. A more thorough forensic analysis of the system may be necessary. Removal tools will only remove the specific virus, not any additional malware installed later.

Links

- MSFT Details about how to restore the hosts file:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/alerts/mydoom.asp
- Network Associates analysis:
http://vil.nai.com/vil/content/v_100988.htm
- Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.B
- Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.b@mm.html
- Computer Associates:
http://www3.ca.com/virusinfo/virus.aspx?ID=38114
-------
Johannes Ullrich, jullrich@sans.org, http://isc.sans.org/contact.html


Published: 2004-01-28

Update 20:10 GMT 2004-1-28: New variant of Novarg/MyDoom found, Microsoft Changing IE's URL Handling, Solaris Local Privilege Escalation

New Variant of Novarg/MyDoom Found (18:20 GMT)



There are reports of a new variant of the Novarg/MyDoom worm being found. Initial reports indicate that the new worm adds www.microsoft.com as a DDoS target and also alters an infected machine's "hosts" file to block access to several "banner" sites, windowsupdate.microsoft.com, and many antivirus vendor websites. It appears that most AV software will require new signatures to flag this. Keep an eye on the diary and your antivirus vendor's website for additional details.



(News links added 18:40 GMT)



http://www.f-secure.com/v-descs/mydoom_b.shtml

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.b@mm.html

http://www.kasperski.com/news.html?id=3657414
http://vil.nai.com/vil/content/v_100988.htm




Microsoft To Change IE's URL Handling (Added 19:50 GMT)



In response to security issues, Microsoft will be releasing an update to IE that will change the web browser's default URL syntax handling. URLs like the following:



http(s)://username:password@server/resource.ext



will no longer be supported.



In Microsoft Knowledge Base Article 834489 ( http://support.microsoft.com/?kbid=834489 ), the software giant explains that the change in default behavior is necessary to protect users from being tricked into visiting spoofed or malicious websites.



According to the HTTP-specific section of RFC 1738 ( http://www.faqs.org/rfcs/rfc1738.html ) this behavior is appropriate, but it will still cause problems with many existing implementations. Microsoft offers workarounds in KB834489.



Microsoft has not specified a release date for the update.





Solaris Local Privilege Escalation (Added 20:10 GMT)



A buffer overflow in the runtime linker ld.so.1 under versions of Solaris 2.6, 7, 8, and 9 on both the SPARC and x86 platforms can allow an unprivileged local user to gain unauthorized root privileges.



http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F55680
http://www.idefense.com/application/poi/display?id=1&type=vulnerabilities




Port 3127 Scanning



We're seeing an enormous surge in scanning for port 3127, as the race begins to find/exploit machines backdoored by Novarg/MyDoom.



http://isc.sans.org/port_details.html?port=3127&days=10



Yep... "surge" is appropriate.





Once more, with feeling...



Ok, we've said it and said it and said it, and we're going to keep saying it, so you might as well just do it, 'cause we're starting to get grumpy:



TURN OFF THE AUTO-RESPONDER ON YOUR AV SCANNER!



Way back in the 20th century, when your AV gateway received an email with a viral attachment, perhaps (!) it made sense to fire off a notice to the sender informing them that they were sending out infected email.



It doesn't anymore. Viruses routinely spoof the "From:" field on infected mail and the notifications sent by AV gateways are just plain wrong. They only add to the load on mailservers already under stress. They also give out far more information about your network configuration than you should be willing to freely give away.



If you're running an AV gateway, turn off the notices. If you receive a notice, find a polite way to suggest to the sender that they turn them off.



On a related note, why don't AV vendors take care of this? They know which viruses spoof headers. Why don't they simply flag those to not initiate an auto-response?



----------------------------------------------------------------

Handler on duty: Tom Liston - http://www.labreatechnologies.com


Published: 2004-01-27

MIMAIL/MyDoom/Novarg Email Virus Continues; H.323 Problems in Firewalls

MIMAIL/MyDoom/Novarg Email Virus Continues

Beginning about 5 pm EST (2200 UTC) yesterday we began receiving a flood of email containing a malicious attachment. To visually see what has been arriving at our servers, we have two graphs available. We are showing emails per 10 minutes at
http://isc.sans.org/images/virus.png and emails per hour at
http://isc.sans.org/images/virus2.png . Notice the drop-off overnight followed by the rapid increase this morning as people came to work. There was a spike for the east coast workers and another increase as the west coast came to work. The time across the bottom is EST. Today's increase started at about 8 am Central European time, again corresponding roughly to the time workers began opening their mail. This afternoon there has been a gradual decrease as the infected computers are brought under control. While no new variants have been detected yet, it would not be unexpected to see modified versions appear in the next few days.



A very detailed writeup of the events surrounding this malware including analysis and discussions by the Trojan Horses Research Mailing List is available online at http://www.math.org.il/newworm-digest1.txt .



We considered moving the INFOCON to yellow but once we saw that the AV companies had updated their signatures within an hour or so of the outbreak we decided to leave it at green. If the situation changes we'll re-evaluate the INFOCON and make a change as needed.



All of the major antivirus software companies have updated their signature files overnight. As usual, this piece of malware goes by different names:



W32/Mydoom@MM
http://vil.nai.com/vil/content/v_100983.htm

Novarg (F-Secure)
http://www.f-secure.com/v-descs/novarg.shtml

W32.Novarg.A@mm (Symantec)
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

Win32/Shimg (Computer Associates)
http://www3.ca.com/virusinfo/virus.aspx?ID=38102

WORM_MIMAIL.R (Trend)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R



Analysis shows that a denial of service attack directed at www.sco.com will begin on February 1, 2004 from all infected computers. This DoS will be the result of the infected machines making multiple requests of SCO's main web page. It is also scheduled to stop spreading on February 12, 2004. SCO has offered a reward for information leading to the arrest of the malware author:
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,89470,00.html




Many email systems are clogged with inbound infected email as well as numerous "helpful" email messages from antivirus software on servers that send error messages back to the apparent sender of the malware. This particular piece of malware forges the return address, so we ask that email administrators disable the auto-reply feature for the next day or two in order to cut back on the amount of unnecessary email traffic generated by this event.


H.323 Problems in Firewalls

The University of Oulu in Finland recently released their findings
( http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4/index.html )
concerning multiple vulnerabilities in the H.323 protocol. This protocol is primarily used for video conferencing and Voice Over IP (VOIP) applications. It was reported that Check Point FireWall-1 and VPN-1 products are vulnerable to the H.323 security tests recently conducted by NISCC ( http://www.uniras.gov.uk/vuls/2004/006489/h323.htm ) based on the University of Oulu Security Programming Group (OUSPG) test suite. Check Point did not provide any details regarding the specific impact on the products. The report indicates that VPN-1 parses H.323 messages by default but FireWall-1 does not. More details are available at:

http://www.checkpoint.com/techsupport/alerts/h323.html
http://www.securitytracker.com/alerts/2004/Jan/1008846.html


tcp/1387

We received a request from a user wanting to know if others are seeing an increase in activity aimed at tcp/1387. Our database shows an increase late yesterday over what could be considered "normal" for the past few days so perhaps there is something worth investigating. If you are seeing increased traffic on that port and can do a full packet capture please forward it to us for analysis. Thanks!




Marcus H. Sachs

The SANS Institute




Published: 2004-01-26

FAST MOVING EMAIL VIRUS, More IE scripting concerns

FAST MOVING EMAIL VIRUS

A mass-mailing virus has been released that uses its own SMTP engine and Kazaa P2P to spread. AV vendors began releasing updated signatures around 6 pm EST (2300 UTC) on the 26th, with several different names. Since release of the new signatures, our mail filter has intercepted several hundred copies of this virus at a rate of several per minute.



As of 10pm EST (0300 UTC 27 JAN 04) there has been a slowdown in the number of emails received here. More details about the virus are online at
http://news.com.com/2100-7349_3-5147605.html?tag=nefd_top


The following excerpts are from AV vendor write-ups at the links below; check them frequently for additions.

Names

W32/Mydoom@MM
http://vil.nai.com/vil/content/v_100983.htm

Novarg (F-Secure)
http://www.f-secure.com/v-descs/novarg.shtml

W32.Novarg.A@mm (Symantec)
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

Win32/Shimg (CA)
http://www3.ca.com/virusinfo/virus.aspx?ID=38102

WORM_MIMAIL.R (Trend)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R

The email arrives with a masked executable attachment. The attachment file extensions vary (.exe, .pif, .cmd, .scr).

Size: 22,528 bytes

Attachment Names (not exhaustive) are chosen from the following list of names:

Data
Readme
Message
Body
Text
file
doc
document


The icon used by the file tries to make it appear as if the attachment is a text file. There are other reports of different icons being used, such as an MS-DOS shortcut, which is the executable.

The worm may also send itself out as a legitimate ZIP archive.

Upon execution, it launches Notepad.exe and displays a message with non-legible characters.

The worm encrypts most of the strings in its UPX-packed body with rot13 method.

The worm opens a connection on TCP port 3127, suggesting remote access capabilities. Connecting to this port on an infected computer using Netcat shows only binary output, suggesting a possible backdoor, additional instructions for a possible future worm, or perhaps an encrypted SMTP engine for spammers. Investigation continues.

Other email characteristics:


From: (spoofed)

Possible Subjects (not exhaustive):
Server Report
Mail Delivery System
hi
status
hello
HELLO
Hi
test
Test
Mail Transaction Failed
Server Request
Error

Or a subject consisting of randomly generated characters.

Body: (Varies, such as these examples)

"The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."
"The message contains Unicode characters and has been sent as a binary attachment."
"Mail transaction failed. Partial message is available."

After a system becomes infected, it may begin to participate in a DDoS attack against sco.com by routinely sending 63 HTTP requests. This may cause local DoS conditions as well due to excessive traffic from multiple infected hosts.

More Internet Explorer Scripting Concerns

A new method of exploiting Microsoft Internet Explorer security zones was posted to the BUGTRAQ mailing list today that uses the Windows XP ".folder" extension to trick users into running scripts in the My Computer zone. This is another example of the dangers of unrestricted scripting in trusted zones. Preliminary information from Microsoft indicates that Service Pack 2 for Windows XP will include improvements to restrict web pages from running in the My Computer zone. In the meantime, organizations are advised to disable the "Hide Extensions for Known File Types" option on Windows systems, and advise users to report instances of folders appearing with the ".folder" extension.

--------------------

-Joshua Wright

(Updated by Marcus Sachs)


Published: 2004-01-24

Port 1070, Dumaru Worm, Email Disguised as Microsoft Patch

Port 1070

We received a report that there is an increase in scans on port 1070.

If you see any unusual activities or have any sample logs, please let us know.

http://isc.sans.org/port_details.html?port=1070

Dumaru Worm

There is a new worm variant that sends an attachment as a zip file which contains the worm executable, myphoto.jpg<56 spaces>.exe.
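The padded name above, and the .exe/.pif/.cmd/.scr attachments described in the 2004-01-26 MyDoom entry further down this page, can both be caught by inspecting the attachment name before a mail client renders it, including names inside a ZIP wrapper. The following is an added example, not code from the ISC diary or from any antivirus vendor; the sample names and the in-memory ZIP are constructed for the example, and the ZIP member contains only plain text.

```python
# Added example (not from the ISC diary): flag attachment names that use the
# disguises these diaries describe: whitespace padding before the real
# extension, a decoy document/image extension in front of it, and bare
# executable extensions. Sample names and the ZIP are constructed.
import io
import os
import re
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".cmd", ".scr", ".bat", ".com"}
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".txt", ".doc", ".htm", ".html"}


def analyze_attachment_name(filename):
    """Return the reasons a name looks deceptive (empty list if none)."""
    reasons = []
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    # Whitespace padding pushes the real extension out of a narrow display
    # column, so the reader sees only "myphoto.jpg".
    padding = len(stem) - len(stem.rstrip())
    if padding:
        reasons.append(f"{padding} padding space(s) before final extension")
    # A decoy document/image extension placed in front of the real one.
    _inner_stem, inner_ext = os.path.splitext(stem.rstrip())
    if inner_ext.lower() in DECOY_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"decoy extension {inner_ext.lower()} before {ext}")
    # Control characters can likewise hide the tail of the name.
    if re.search(r"[\x00-\x1f\x7f]", filename):
        reasons.append("control character in name")
    return reasons


def analyze_zip_members(data):
    """Apply the same checks to each member of a ZIP attachment's bytes.

    Returns {member_name: reasons} for members that look deceptive; the
    archive wrapper is what the worm uses to get past simple extension
    filters, so the check has to look inside.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            name = info.filename.rsplit("/", 1)[-1]
            reasons = analyze_attachment_name(name)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed ZIP whose member name mimics the Dumaru disguise; the
    member content is plain text, not an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("myphoto.jpg" + " " * 56 + ".exe", "placeholder text")
        archive.writestr("notes.txt", "plain text")
    return buf.getvalue()


SAMPLE_NAMES = [
    "myphoto.jpg" + " " * 56 + ".exe",  # Dumaru.Y style, constructed
    "document.scr",                     # MyDoom style, constructed
    "readme.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(repr(name.strip()), analyze_attachment_name(name) or "ok")
    for member, reasons in analyze_zip_members(build_sample_zip()).items():
        print("zip member", repr(member.strip()), reasons)
```

A gateway that strips or quarantines on any non-empty result from `analyze_attachment_name` (applied to both the outer attachment and each archive member) would have stopped both the Dumaru.Y and MyDoom.A samples described on this page on name alone, without needing a signature update first.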

On infected systems, it may open a backdoor on port 10000 which allows the attacker to connect and perform malicious actions.

If you have a copy of the worm, please let us know.

http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru.y@mm.html

http://www.f-secure.com/v-descs/dumaru_y.shtml

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DUMARU.Y

http://www.messagelabs.com/viruseye/info/default.asp?frompage=threats+list&fromURL=%2Fviruseye%2Fthreats%2Flist%2Fdefault%2Easp&virusname=W32%2FDumaru%2EY%2Dmm

Email Disguised as Microsoft Patch

We also received a report of an email disguised as a Microsoft security patch. According to Microsoft, they will not send patches via email. If you receive such emails, be wary, as most likely it is attempting to trick you into executing some malware.


Published: 2004-01-23

Updated: Security bulletins from Sun, more Dameware

2 Sun security bulletins


Yesterday, Sun released several security bulletins; we'd like to mention 2 of them here today. The first involves the possibility of a local user being able to gain additional privileges through the loading of arbitrary kernel modules. Sun has released kernel patches for Sun OS 5.7, 5.8, and 5.9 (aka Solaris 7, Solaris 8, and Solaris 9) to address the situation. The second bulletin we'd like to mention addresses a buffer overflow leading to possible remote denial of service or unauthorized root access against 5.9 (Solaris 9) systems running in.iked (IKE stands for Internet Key Exchange). This vulnerability is apparently in ASN.1 parsing code that Sun uses from SSH, Inc. ASN.1 vulnerabilities were the subject of CERT Advisory CA-2003-26.


You can see the bulletins here:

http://sunsolve.sun.com/private-cgi/retrieve.pl?doc=salert%2F57479&zone_32=category%3Asecurity


http://sunsolve.sun.com/private-cgi/retrieve.pl?doc=salert%2F57472&zone_32=category%3Asecurity



Continuing Dameware traffic

We continue to see a great deal of traffic on port 6129 including new reports of systems being exploited running versions of Dameware that were not supposed to be vulnerable to the previously reported problems. We'll continue to monitor the situation.



Other ports on the rise

We are seeing increases in apparent DNS attacks, and in port 901 and port 2234 traffic. If you have any packet captures of any of this traffic, we would be very interested in taking a look at it, send it to us at
http://isc.sans.org/contact.html



FDIC phishing scam

Finally, a report late today of another phishing scam, this one telling people that the Department of Homeland Security has instructed the FDIC to deny federal deposit insurance due to suspected violations of the USA PATRIOT Act. FDIC (the agency that insures bank accounts in the US), has posted a response. http://www.fdic.gov/news/news/SpecialAlert/2004/sa0504.html



--Jim Clausing


Published: 2004-01-22

Dameware Traffic and mailbag

Dameware Traffic


In yesterday's diary (http://isc.sans.org/diary.html?date=2004-01-21), we asked you for information about port 6129 traffic.



Thanks for all the logs sent to us. We are still interested in it if you have full tcpdump packet captures.



Despite the high number of reports received, so far there is no evidence that the 6129 traffic is caused by a worm. The relevant factor is the low/stable number of sources ( http://www.dshield.org/port_report.php?port=6129&recax=1&tarax=2&srcax=2&percent=N&days=40 ). We are noticing an interesting pattern in the scanning tool that, apparently, is behind this traffic. Incident handler Donald Smith pointed out that "it increments the 3rd octet. That will move it cross networks in most cases! So sequential packets might not trigger a scan if you are only counting packets per second to your network."
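Donald Smith's observation and the port 3127 monitoring recommendation in the 2004-01-29 entry at the top of this page describe the same detection problem from two sides: a scanner that steps through the third octet touches each /24 once, so a per-network packet-rate threshold never fires, while a view across many networks (which is what pooling logs at DShield provides) shows the fan-out plainly. The following is an added example, not code from the ISC or DShield; the flow records are constructed and use documentation and private address ranges only.

```python
# Added example (not from the ISC diary or DShield): three views over the same
# flow records, showing why a scanner that walks the third octet is invisible
# to a single network's packet counter but obvious in a cross-network view.
from collections import defaultdict
import ipaddress

# Constructed sample flow records: (source, destination, destination port).
# Sources use TEST-NET-3 and destinations a private range; none of these are
# real observed addresses.
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.20.0.5", 6129),   # one probe per /24, stepping octet 3
    ("203.0.113.7", "10.20.1.5", 6129),
    ("203.0.113.7", "10.20.2.5", 6129),
    ("203.0.113.7", "10.20.3.5", 6129),
    ("203.0.113.7", "10.20.4.5", 6129),
    ("203.0.113.9", "10.20.1.25", 3127),  # sweeping hosts inside one /24
    ("203.0.113.9", "10.20.1.26", 3127),
    ("203.0.113.9", "10.20.1.27", 3127),
    ("192.0.2.44", "10.20.1.80", 80),     # ordinary repeat visitor
    ("192.0.2.44", "10.20.1.80", 80),
]


def per_network_view(flows, cidr):
    """What one network's own sensor sees: packets per source into `cidr`."""
    net = ipaddress.ip_network(cidr)
    counts = defaultdict(int)
    for src, dst, _port in flows:
        if ipaddress.ip_address(dst) in net:
            counts[src] += 1
    return dict(counts)


def fan_out(flows, port, min_hosts=3):
    """Cross-network view: sources that touched at least `min_hosts` distinct
    destinations on `port`. Returns (source, distinct hosts, distinct /24s)."""
    hosts = defaultdict(set)
    nets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            hosts[src].add(dst)
            nets[src].add(ipaddress.ip_network(dst + "/24", strict=False))
    return sorted((src, len(h), len(nets[src]))
                  for src, h in hosts.items() if len(h) >= min_hosts)


def third_octet_runs(flows):
    """Longest run, per source, of consecutive destinations whose third octet
    increments by one while the other octets stay fixed, the pattern Donald
    Smith describes for the port 6129 scanner."""
    by_src = defaultdict(list)
    for src, dst, _port in flows:
        by_src[src].append(ipaddress.ip_address(dst).packed)
    longest = {}
    for src, dsts in by_src.items():
        best = run = 1
        for prev, cur in zip(dsts, dsts[1:]):
            if (prev[:2] == cur[:2] and prev[3] == cur[3]
                    and cur[2] == prev[2] + 1):
                run += 1
                best = max(best, run)
            else:
                run = 1
        longest[src] = best
    return longest


if __name__ == "__main__":
    print("one /24 sees:", per_network_view(SAMPLE_FLOWS, "10.20.1.0/24"))
    print("port 6129 fan-out:", fan_out(SAMPLE_FLOWS, 6129))
    print("port 3127 fan-out:", fan_out(SAMPLE_FLOWS, 3127))
    print("third-octet runs:", third_octet_runs(SAMPLE_FLOWS))
```

In the sample, the sensor for 10.20.1.0/24 records a single packet from 203.0.113.7, indistinguishable from a stray connection, while `fan_out` over the pooled records shows the same source touching five hosts in five different /24s on port 6129 and `third_octet_runs` shows the stepping itself. The port 3127 sweep by 203.0.113.9, by contrast, stays inside one network and is caught by the local view as well, which is the case the 2004-01-29 recommendation covers.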



If you want to participate in the Internet Storm Center, as well as get reports, fight back, and other benefits, we would like you to consider using DShield and its clients to send your logs to DShield (http://www.dshield.org/howto.php).




Mailbag


We received an email about a possible Nachi/Blaster worm infection on a Windows XP computer. SANS released a very good document about Windows XP security called "Windows XP: Surviving the First Day" ( http://www.sans.org/rr/papers/index.php?id=1298 ).

-------------------------------------------------

Handler on Duty: Pedro Bueno


Published: 2004-01-21

Another Active Day



The Beagle/Bagel has been busy today.

Early this morning Symantec raised it to a level 3 due to the number reported to be out in the wild. They have now posted a removal tool on the web site.
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html



Strange Port Activity

Still receiving reports of unusual activity on Ports 80 (Code Red II ?) and 53 (DNS), as well as a continued increase in port 6129, Dameware.
The ISC would like to encourage anyone seeing unusual activity to contact us and let us know what you are seeing.


http://isc.sans.org/contact.html



Deb Hale
BCP Enterprise Inc


Published: 2004-01-20

ICMP Echo/HTTP Pattern, HP Mystery Patch Explained, DNS Reflector Attack(?)

Combined ICMP Echo Request and TCP Port 80 Traffic

We have received reports of an odd traffic pattern: a single ICMP echo request followed immediately by an HTTP request for the default website page. This pattern is repeated approximately 1200 times per day, each time sourced from a different IP.



We're "fishing" (rather than "phishing") for information on this. If anyone out there is experiencing the same phenomenon, please drop us a note:



http://isc.sans.org/contact.html



HP Patch Mystery Explained

In the January 16th Diary ( http://isc.sans.org/diary.html?date=2004-01-16 ), we mentioned that HP had made a "mystery" patch available for SSH on Tru64 Unix. This article explains its purpose:



http://news.zdnet.co.uk/software/linuxunix/0,39020390,39119149,00.htm



The patch fixes flaws in both SSH and VPN on Tru64 Unix. The flaws are believed to be present only in the Tru64 versions of these services.



Looking For Signs of Large Scale DNS Reflector Attack

We have received reports of DNS servers suddenly attempting to repeatedly and rapidly resolve a single hostname.



Again, we're on a "fishing" expedition here, folks. Please take a look for this behavior on your networks and report anything you find to us.



http://isc.sans.org/contact.html



-------------------------------------------------------------------

Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )


Published: 2004-01-19

Redhat Kernel Packages (one AMD64 CVE security item), Bagel AV Vendor Summary

"Updated kernel packages available for Red Hat Enterprise Linux 3"

Advisory: RHSA-2004:017-06
"On AMD64 systems, a fix was made to the eflags checking in 32-bit ptrace emulation that could have allowed local users to elevate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0001 to this issue."
http://rhn.redhat.com/errata/RHSA-2004-017.html

Affected Products:
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)

CVEs (cve.mitre.org): CAN-2004-0001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0001

Bagel AV Vendor Summary

Reports to the ISC indicate that AV gateways intercepting this worm and configured to "Autoreply" to the spoofed "From:" source are once again causing needless congestion (see SOBIG issues). Offenders should consider changing this configuration.

Three write-ups specify the worm's email will have an attachment "Length: 15,872 bytes" and one write-up says it is "an .exe file extension and consists of 3 - 11 randomly-generated lowercase characters."

After infection and initiation of its email routine, AV write-ups state that Bagel "will initialize and open a TCP socket in listening mode on port 6777."

The Trojan Retrieval Routine consists of:

"[HTTP connection]
HTTP GET REQUEST
GET /1.php?p=6777&id=[uid value, same value as used in the registry key]
User-Agent: beagle_beagle"

In AV vendor write-ups so far, the worm has hardcoded URLs which have not had 1.php available.

One Vendor (TrendMicro) cryptically reports "This worm may perform port scanning to connect to a remote system."
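The retrieval routine quoted above gives a network defender two things to look for in outbound web traffic: the unusual User-Agent string and the `/1.php?p=6777&id=...` callback, where `p` carries the port the backdoor is listening on. The following is an added example, not code from the ISC diary or from any antivirus vendor; the proxy log lines are constructed for the example and use reserved example hostnames rather than the worm's real URLs.

```python
# Added example (not from the ISC diary or any AV vendor): scan web-proxy
# access-log lines (combined log format) for the Bagle.A beacon. Log lines
# are constructed; hostnames are reserved example names.
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
10.1.2.3 - - [19/Jan/2004:10:15:01 -0500] "GET http://www.example.invalid/1.php?p=6777&id=0a1b2c3d HTTP/1.1" 404 0 "-" "beagle_beagle"
10.1.2.9 - - [19/Jan/2004:10:16:44 -0500] "GET http://www.example.org/index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.1.2.3 - - [19/Jan/2004:10:20:01 -0500] "GET http://www.example.net/1.php?p=6777&id=0a1b2c3d HTTP/1.1" 404 0 "-" "beagle_beagle"
10.1.2.15 - - [19/Jan/2004:10:21:10 -0500] "GET http://www.example.com/1.php?p=6777&id=ffee HTTP/1.1" 200 42 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_bagle_beacon(url, user_agent):
    """True if the request matches the beacon. The odd User-Agent alone is
    enough; so is the /1.php path carrying p=6777 (the backdoor port), since
    a variant could change the User-Agent but keep the callback."""
    if user_agent == "beagle_beagle":
        return True
    parts = urlsplit(url)
    if parts.path.endswith("/1.php"):
        query = parse_qs(parts.query)
        return query.get("p") == ["6777"]
    return False


def find_bagle_beacons(log_text):
    """Return {client_ip: {"hits": n, "ports": {backdoor ports seen}}}.

    The HTTP status is deliberately ignored: the diary notes that the
    hardcoded URLs did not actually serve 1.php, so a 404 is the expected
    response from an infected machine, not a sign of a harmless request."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than crash
        if not is_bagle_beacon(m["url"], m["ua"]):
            continue
        entry = findings.setdefault(m["client"], {"hits": 0, "ports": set()})
        entry["hits"] += 1
        ports = parse_qs(urlsplit(m["url"]).query).get("p", [])
        entry["ports"].update(int(p) for p in ports if p.isdigit())
    return findings


if __name__ == "__main__":
    for client, info in find_bagle_beacons(SAMPLE_LOG).items():
        print(f"{client}: {info['hits']} beacon(s), "
              f"reported port(s) {sorted(info['ports'])}")
```

Each client the function reports is a candidate infected host; the port set it collects tells you which local port to check for the listening backdoor before cleaning the machine. The check is offline and read-only, so it can be run over historical proxy logs to find infections that predate the signature update.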

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html
http://vil.nai.com/vil/content/v_100965.htm
http://www3.ca.com/virusinfo/virus.aspx?ID=38019
http://www.sophos.com/virusinfo/analyses/w32baglea.html
http://www.f-prot.com/virusinfo/descriptions/bagle_a.html
http://www.messagelabs.com/viruseye/threats/list/default.asp
http://wtc.trendmicro.com/wtc/summary.asp

Patrick Nolan


Published: 2004-01-18

SPAM-Let the time fit the crime;

Time to speak out & help the Justice System
The US Government is asking for feedback on sentencing guidelines in regards to spammers. With the implementation of the "CAN-SPAM Act of 2003", they are asking the experts for feedback on punishment.

An article by 'The Register' (link shown below) gives a good summary of the Sentencing Guideline.

Link:
http://www.ussc.gov/FEDREG/fedr0104.htm
http://www.theregister.co.uk/content/55/34951.html


Published: 2004-01-17

More SoBig comments, and Whack-A-Scam, Ultr@VNC Vulnerability

Alex Shipp of Message Labs emailed further comments on the SoBig.F resurrection. Alex pointed out that their statistics show no overall increase in SoBig.F emails - instead, just normal fluctuation in the daily statistics.
----
It's been pointed out that while the trojan-loaded website at EV1.NET has been shut down, in typical whack-a-mole fashion, a new one has already popped up at chwolter.com. If you happen to see any more of these pop up, it's probably worth mentioning them.
----
Ultr@VNC[1] is a VNC variation for administering Windows based platforms remotely. It supports Windows logins and access rights - however, today Secure Network Operations released a new security escalation example (you have to already be logged into VNC) and Ultr@VNC has not been patched yet to fix the problem. A quick fix (via commenting out some lines and recompiling) was mentioned in the release on BugTraq.
(Mentioned because I know a number of Windows admins who make use of some of the VNC variants for remote server configuration. Since it's unknown when the patch will be released at this time, )
[1] http://ultravnc.sourceforge.net/

Handler On Duty, Davis Ray Sickmon, Jr

Midnight Ryder Technologies (http://www.midnightryder.com)


Published: 2004-01-16

0x01 trojan update (ev1.net host), openssl proof of concept exploit, HP mystery ssh patch

ev1.net trojan (was: Yahoo.fr)

A user submitted a fake e-mail, which is using the %01 MSIE bug to trick the user into downloading a Trojan.

The virus spreading this email is smart enough to tailor the 'From' address to match the user's domain. So for example, if your email address is 'user@example.com', the from address will read:

Example.com's Virus Department.

The fake URL will show up as 'http://example.com' followed by the 0x01 character and a randomized URL.
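The 0x01 trick here and the `username:password@server` syntax discussed in the 2004-01-28 entry above (the behaviour Microsoft changed in KB834489) are the same problem: the text a reader sees before the `@` is not the host the browser connects to. A mail gateway or URL filter can make that difference explicit. The following is an added example, not code from the ISC diary or from Microsoft; the URLs are constructed and use documentation addresses and example domains.

```python
# Added example (not from the ISC diary or KB834489): examine a URL for the
# two display tricks these diaries describe, credentials placed before the
# host and a %01 control character that cuts the displayed address short.
from urllib.parse import unquote, urlsplit


def _has_control(s):
    return any(ord(c) < 0x20 or ord(c) == 0x7f for c in s)


def analyze_url(url):
    """Return {"real_host", "apparent_host", "reasons"} for a URL.

    real_host is where a client would actually connect; apparent_host is the
    text a reader sees before any '@', which is what the spoof relies on."""
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    reasons = []
    if "@" in parts.netloc:
        apparent = unquote(parts.netloc.rpartition("@")[0])
        reasons.append("userinfo before '@': displays %r, connects to %r"
                       % (apparent, real_host))
    else:
        apparent = real_host
    if _has_control(unquote(url)):
        reasons.append("control character (e.g. %01) in URL")
    return {"real_host": real_host, "apparent_host": apparent,
            "reasons": reasons}


def allow_url(url):
    """Gateway policy matching the default Microsoft adopted for IE: refuse
    any http/https URL carrying userinfo, and refuse control characters."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and "@" in parts.netloc:
        return False
    return not _has_control(unquote(url))


# Constructed samples: a clean URL, a spoof in the shape the diary describes
# (displayed domain, %01, then the real address), and plain userinfo.
SAMPLE_URLS = [
    "http://www.example.com/page.html",
    "http://www.example.com%01@192.0.2.10/cgi-bin/page.cgi",
    "http://user:secret@intranet.example.internal/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        info = analyze_url(u)
        print(f"{u!r}: allowed={allow_url(u)} real_host={info['real_host']!r}")
        for reason in info["reasons"]:
            print("   ", reason)
```

Note that `allow_url` refuses legitimate `user:pass@host` links as well, which is exactly the compatibility cost the KB article warns about; an organisation that relies on such URLs internally would whitelist those hosts rather than relax the control-character check, which has no legitimate use.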

Likely in an effort to thwart attempts to capture the trojan and shut down the site, the site uses multiple redirects and will only deliver the trojan if the user is using Microsoft Internet Explorer. In order to accomplish this, JavaScript and CGI scripting are used.

The trojan is only delivered once to a given IP address. The final URL used
to download the trojan is http:/ /66.98.208.24/cgi-bin/page.cgi at this point, but it has been changing.

The ISP hosting this site, EV1.net, was notified via e-mail to abuse, and
replied that the virus has been removed. However, even after this reply was
received, the trojan was still accessible via this URL.

A phone call to the customer service department of ev1.net was answered. The ev1.net representative was not able to respond to the case and was not able to provide a phone contact for the ev1.net abuse department.

Later today (early afternoon EST), the host was shut down. Another user reported to us that a very similar URL was used at ev1.net back in December 2003:

http://66.98.188.67:180/cgi-bin/page.cgi

Back then, the e-mail claimed to include a "Gift Card from Sears".

OpenSSL POC exploit

Exploit code for the older ASN.1 vulnerability in OpenSSL has been posted to
various mailing lists. Please double check that your openssl installs are
current. Remember, some software may not use the dynamic library. Such
software has to be recompiled to link it against the new version.

HP Mystery SSH patch

HP released a patch for ssh on Tru64 Unix. The patch does not state what vulnerability it fixes.
-------------------

Johannes Ullrich, SANS Inst., jullrich at sans.org


Published: 2004-01-15

Possible Qmail Vulnerability / KDE vulnerability / New SoBig wave ?/ and more...

Possible Qmail vulnerability


In an earlier post to the FD list, a security advisory by Georgi Guninski explains a possible Qmail vulnerability.
According to the advisory, there are two main problems:

"a) It is possible to crash qmail-smtpd 1.03 from remote with a long SMTP session. The crash is not global, it affects only the current SMTP session.

b) If gdb is to be believed, it is possible to overwrite memory in qmail-smtpd 1.03 from remote with a long SMTP session."

An exploit was also posted.
Although there is no real evidence of the effectiveness of this exploit, users are advised to keep their qmail version up to date. The Qmail website doesn't show any new version, and a discussion about this bug on the Qmail mailing list doesn't show any conclusion yet.

References: http://www.guninski.com/qmailcrash.html

http://www.qmail.org



KDE Vulnerability


KDE released a Security Advisory about a potential vulnerability in its kdepim application. Kdepim versions distributed in KDE 3.1.0 through 3.1.4 are vulnerable to a buffer overflow attack.

According to the Security Advisory, CVE has assigned the name CAN-2003-0988 to this issue.

The impact of this vulnerability is that local attackers
can execute commands with the victim's privileges. If
information reading is allowed to remote users (not the
default), remote attackers can also take advantage of this
vulnerability.

Users are advised to upgrade to KDE 3.1.5. A patch is also
available for KDE 3.1.4 users.

Reference: http://www.kde.org/info/security/advisory-20040114-1.txt



PHPDig Vulnerability


PHPDig is a search/spider engine written in PHP.
Kernelpanik.org released a security advisory about a remote
execution vulnerability in PHPDig 1.6.x .

The workarounds, according to the advisory, are the use of .htaccess in ./include, PHP globals off (which is the default in PHP > 4.2) and an unofficial patch for config.php available at http://www.kernelpanik.org .

Users are advised to take extreme care with all patches that are not officially released by the vendor.

Reference: http://www.kernelpanik.org



Personal Firewall Day


An advisory published on various security mailing lists announced January 15 as Personal Firewall Day. A website was also created for the purpose of educating users to make use of personal firewalls.

Reference: http://www.personalfirewallday.org/



New SoBig wave?


Some users are describing some new SoBig wave.

A quick look at Postini's and TrendMicro's tracking sites shows that SoBig may be coming back.

Yesterday Postini had it as #8 and Trend had it as #10. Today Postini has it as #6 and Trend has it as #2 worldwide and #1 for North America.


References:

http://www.trendmicro.com/map/

http://www.postini.com/stats/

Yesterday (15/01) they both reported around 1,000; today Trend has it at over 10,000 and Postini at over 7,000.

If you are observing these, please contact us.

Thanks to Deb Hale for the reference numbers.

-------------------------------------

Handler on duty: Pedro Bueno


Published: 2004-01-14

Possible NetDevil Scanning, RH Linux 7.1, 7.2, 7.3 and 8.0 End-of-Life

Possible NetDevil Scanning



The Internet Storm Center has noted a concurrent rise in scans for ports 901, 902, and 903. This is consistent with the default ports used by the NetDevil (Backdoor-RP) trojan for control, keylogging communication, and file transfer. If anyone monitors outbound traffic to these ports, please notify us: http://isc.sans.org/contact.html


More information on the NetDevil trojan can be found at:



http://securityresponse.symantec.com/avcenter/venc/data/backdoor.netdevil.html


http://vil.nai.com/vil/content/v_99295.htm




Red Hat Linux 7.1, 7.2, 7.3 and 8.0 end-of-life



As per their support policy, RedHat Software has announced that RedHat Linux 7.1, 7.2, 7.3 and 8.0 have reached their errata maintenance end-of-life.



RedHat will no longer be producing security, bugfix, or enhancement updates for these products. Note also, that Red Hat Linux 9 reaches its end of life on April 30, 2004.



Those of you running these systems should consider migrating to newer versions.




-----------------------------------------------------

Handler on Duty: Tom Liston - http://www.labreatechnologies.com

0 Comments

Published: 2004-01-13

Microsoft patches released; H.323 vulnerabilities; Anti-virus engine vulnerabilities; Citibank anti-fraud measures

It's that time of the month... Microsoft has released 3 new patches for January.
See the following location for further details: http://www.microsoft.com/security/

1. Critical - MS04-001 - Vulnerability in Microsoft Internet Security and Acceleration Server 2000 H.323 Filter Could Allow Remote Code Execution (816458). This vulnerability allows remote compromise of your ISA server. If you run ISA Server 2000, you should apply this patch now.

2. Moderate - MS04-002 - Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation (832759). This vulnerability allows someone who has already authenticated to OWA to reach another person's mailbox. If you are affected, you should apply this patch during your next maintenance window.

3. Important - MS04-003 - Buffer Overrun in MDAC Function Could Allow Code Execution (832483). This vulnerability would allow someone on your local network to compromise Microsoft SQL server clients. The vulnerability requires the attacker to be local to your IP network, which may be difficult to accomplish. The exact set of circumstances for exploiting this vulnerability is still unknown. Best to patch client machines at the next opportunity.

-----------------------------------------------------------

Several vendor implementations of the H.323 protocol have been found to contain vulnerabilities. Many Cisco and Nortel products are affected in addition to the Microsoft ISA server (mentioned above). If you utilize VoIP (Voice over Internet Protocol) or VTC devices you may be affected. Check with your vendor for product updates or reference the following articles:

http://www.kb.cert.org/vuls/id/749342
http://xforce.iss.net/xforce/alerts/id/160
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml

While checking for your exposure to the H.323 vulnerability, you may also want to check your exposure to the SIP vulnerabilities announced in Feb. 2003 that affected multiple vendors:

http://www.cert.org/advisories/CA-2003-06.html

-----------------------------------------------------------

Two different problems with anti-virus engines have been recently reported. The first problem is specific to Symantec and Norton antivirus programs. A privilege escalation attack can be performed when the Symantec Automatic LiveUpdate is running:

http://securityresponse.symantec.com/avcenter/security/Content/2004.01.12.html

The second problem is a Denial of Service issue affecting multiple virus engines and related to decompression of bzip2-compressed files. When certain virus engines decompress bzip2 files prior to scanning, the file could grow excessively large and cause a Denial of Service on the machine (mail gateway, file server, client). The following advisory contains further information:

http://www.aerasec.de/security/advisories/txt/bzip2bomb-antivirusengines.txt
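As an added illustration of the mitigation (this is my own code, not from the advisory or from any AV vendor): an engine that decompresses incrementally and enforces both an output budget and a maximum expansion ratio never materialises the full bomb, it stops as soon as the budget is blown. The samples are constructed in memory; a 2 MiB run of zeros compressed with bz2 stands in for a bzip2 bomb, since it is exactly the shape of one.

```python
import bz2

MAX_OUTPUT = 1024 * 1024   # hard cap on bytes produced per stream (1 MiB)
MAX_RATIO = 100            # refuse streams that expand more than 100:1
CHUNK = 64 * 1024          # how much to pull from the decompressor per step

# Constructed samples, not real malware. Two MiB of zeros shrinks to a few dozen
# bytes of bzip2, which is the shape of a decompression bomb; the second stream
# is an ordinary small file.
SAMPLE_BOMB = bz2.compress(b"\x00" * (2 * 1024 * 1024))
SAMPLE_SMALL = bz2.compress(b"hello " * 100)


class DecompressionBombError(ValueError):
    """Raised when a stream exceeds the output budget or the expansion ratio."""


def bounded_bz2_decompress(data, max_output=MAX_OUTPUT, max_ratio=MAX_RATIO):
    """Decompress incrementally, aborting as soon as the output budget is exceeded.

    The budget is the smaller of the absolute cap and ratio * compressed size, so a
    tiny input can never be allowed to balloon even when the absolute cap is large.
    """
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    budget = min(max_output, max_ratio * max(len(data), 1))
    chunk = dec.decompress(data, max_length=CHUNK)
    while True:
        out += chunk
        if len(out) > budget:
            raise DecompressionBombError(
                f"output exceeded budget of {budget} bytes ({len(out)} produced so far)"
            )
        if dec.eof:
            return bytes(out)
        if dec.needs_input:
            # every input byte has been consumed but the stream never terminated
            raise ValueError("truncated bzip2 stream")
        # output was limited by max_length; ask for the next slice without new input
        chunk = dec.decompress(b"", max_length=CHUNK)


def classify(data):
    """Decide whether an archive is safe to hand to the scanner: 'ok', 'bomb' or 'malformed'."""
    try:
        bounded_bz2_decompress(data)
    except DecompressionBombError:
        return "bomb"
    except (ValueError, OSError):
        # OSError is what BZ2Decompressor raises for invalid data streams
        return "malformed"
    return "ok"


if __name__ == "__main__":
    for name, sample in (("small", SAMPLE_SMALL), ("bomb", SAMPLE_BOMB)):
        print(f"{name}: {len(sample)} compressed bytes -> {classify(sample)}")
```

The ratio check matters as much as the absolute cap: a mail gateway that scans thousands of attachments can be exhausted by many "small" bombs that each stay under a generous per-file cap, whereas 100:1 is comfortably above what ordinary documents compress to and well below what a run of zeros achieves.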

-----------------------------------------------------------

Citibank has a web page that provides information on recent e-mail fraud attempts:
http://www.citibank.com/domain/spoof/report_abuse.htm

Also, see the following site for the latest in "phishing" fraud attempts:
http://www.anti-phishing.org/

0 Comments

Published: 2004-01-12

Windows 98 support extended. Reports of SQL Slammer, Solaris TTYPROMPT compromises

Windows 98 Support Extended

The ZD Net news service is reporting that Microsoft has announced a reprieve for the discontinuance of support for Windows 98. Organizations should use this extra time to plan a migration path away from Windows 98 in order to continue receiving security updates and patches in the future.

Link:

http://news.zdnet.co.uk/software/windows/0,39020396,39119028,00.htm

SQL Slammer Activity

One organization reported a recent increase in the number of SQL Slammer infections. Just a reminder that SQL Slammer is still a very real threat if you are running unpatched versions of MS SQL Server 2000 or the Microsoft Desktop Engine (MSDE). Microsoft patches MS02-039 and MS02-061 are needed to resolve the vulnerability exploited by SQL Slammer. Organizations should consider maintaining filters on routers and firewalls for UDP/1434 to stop SQL Slammer activity from entering and leaving their networks.

Links:

http://www.cert.org/advisories/CA-2003-04.html
http://www.microsoft.com/technet/security/virus/alerts/slammer.asp

Solaris TTYPROMPT Exploits in use

At least one organization has reported Solaris 8 systems being exploited with the Solaris TTYPROMPT vulnerability. This vulnerability affects the Solaris telnet service and permits a remote attacker to gain access to privileged user accounts. SunSolve patch 110668-03 is needed to fix this vulnerability on Solaris 8. This vulnerability was announced on the BUGTRAQ mailing list on 18-JAN-2002.

Links:

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F28063
http://www.securityfocus.com/bid/5531/info/

-Joshua Wright

0 Comments

Published: 2004-01-11

Pretty Quiet Day

Pretty Quiet Day

There were no major issues submitted today. We did have some questions on virus/trojan removal and a phishing scam using PayPal (the site was already removed). All in all, it was uneventful. Hopefully we are all using this "quiet" time to verify system patches, check our security policies, revisit our defense-in-depth strategy and do all those things we usually don't have time to do!!

Lorna Hutcheson

0 Comments

Published: 2004-01-10

Trojan Disguised as Microsoft Patch; Identity Theft

Trojan Disguised as Microsoft Patch

Another new Trojan, Xombe/Downloader-GJ, attempts to fool people by claiming to be a critical patch from Microsoft. It has a downloader component which will attempt to retrieve a Trojan file from a predetermined website. According to the anti-virus vendors' website, the site has now been disabled.

The subject of the email is "Windows XP Service Pack 1 (Express) - Critical Update", with the sender address "windowsupdate@microsoft.com". The attachment is named "winxp_sp1.exe" (4,096 KB).

According to Microsoft, they will not send patches via email. If you receive such emails, be wary, as most likely they are attempting to trick you into executing malware.

For more information on this Trojan, please refer to the following:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.xombe.html

http://www.f-secure.com/v-descs/xombe.shtml

http://vil.nai.com/vil/content/v_100945.htm

http://www.sophos.com/virusinfo/analyses/trojdloaderl.html

http://www3.ca.com/virusinfo/virus.aspx?ID=37965

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_XOMBE.A

Identity Theft

An interesting article on "Account takeover leading to identity theft":
http://www.cardcops.com/account_takeover.htm

This article discusses how attackers can obtain your personal information by various means, leading to identity theft.

0 Comments

Published: 2004-01-09

What's In Store For 2004!



2004 to be year of the 'superworm'

Is it possible that "Virus writers have created secret P2P virus network"? According to one security company there is evidence that a potential "sinister underground peer-to-peer (P2P) virus creation network" has been created. Pete Simpson, manager of ThreatLab at Clearswift, says "It looks as though 2004 will be the year of the superworm". To read more about the potential for this "superworm", check the articles on VNUNet:

http://www.vnunet.com/News/1151887

http://www.vnunet.com/News/1151898

Computer virus plague predicted

Some sources expect this year to bring a bumper crop of new viruses and malware to the Internet. Many new viruses and variations of old viruses have been added to the definition files since January 1. According to the web sites of three of the major players in the AV world:

Symantec 13

McAfee 5

Trend Micro 14

http://www.news.com.au/common/story_page/0,4057,8347518^421,00.html

Could this be a record year? Only time will tell. Bookmark this page and check back with us daily to see what's happening in the world of modern technology.

Update on WeatherBug False Alert

It appears that the alert that went out in the DC area yesterday was caused by an operator error during a test of system software changes.

http://timesargus.nybor.com/Story/58206.html

New 'phishing' exploits today:

Earthlink - We are receiving reports that Earthlink once again is a target for exploitation. Earthlink users are reportedly receiving an e-mail supposedly from Earthlink Security telling them that their password has been compromised and to click on the button in the e-mail to change it.
Deb Hale

0 Comments

Published: 2004-01-08

Symantec AV linked to Verisign certificate problem, DUGallery, False Weather Alerts, more phishing


Verisign Certificate Expiration linked to Symantec AV issue

Today, a Verisign root certificate included with Internet Explorer expired. As a result, Verisign's certificate revocation list (CRL) server was unable to handle all the requests from clients attempting to contact it because of the expiration.

Verisign, apparently to lower the load on its server, now resolves this server to non-routable 10/8 IP addresses 50% of the time.

Some applications, most notably Norton Antivirus, use this server to verify certificates. In the case of Norton Antivirus, it is used to verify its signature file.

Because users will be unable to contact Verisign's certificate revocation list server 50% of the time, Norton Antivirus will stall.

Workarounds:

Verisign set the TTL of its DNS records rather short, so if you try again after one minute you will likely get a valid IP address. If this is not an option, edit your hosts file and insert one of these IPs for 'crl.verisign.net':
198.49.161.200, 198.49.161.205, 198.49.161.206, 64.94.110.11.

However, this is not recommended as a long-term solution, as these IPs may change at any time.

http://slashdot.org/article.pl?sid=04/01/08/1849245&mode=thread&tid=126&tid=128&tid=172&tid=95

http://www.verisign.com/support/vendors/exp-gsid-ssl.html?sl=070807


Web Defacements

At least one web-defacement crew appears to use Google to find sites with vulnerable versions of 'DUGallery' installed. Recently, a number of issues regarding this product were posted to Bugtraq. As of this writing, no updates are available.

http://seclists.org/lists/bugtraq/2003/Dec/0246.html

False Weather Alerts

A user reported that the "Weatherbug" application he is using is displaying false weather alerts. We have not identified the source of the false alerts. According to the report we received, corrections followed shortly after the false warnings had been received.

Phishing sites of the day

We did receive reports about spam advertising a fake Citibank site.

-----------

Johannes Ullrich, SANS Institute, jullrich_AT_sans.org

0 Comments

Published: 2004-01-07

Forgery FBI email / Virus W32.Bugbros / New PoC for Linux Vulnerability

Forgery FBI email around

A forged email purporting to come from the FBI, with the subject "Your IP was logged", is circulating with malware attached. The email tries to intimidate the user by claiming that the machine was scanned by the FBI and that illegal content was found, and induces the user to open the attachment to see what illegal content was found.

Reference:

http://www.theage.com.au/articles/2004/01/06/1073268005348.html

Virus W32.Bugbros

Yesterday, a user sent a message to the Handlers saying that MS had told her she had the Blaster worm on her computer ( http://isc.sans.org/diary.html?date=2004-01-06 ). A virus with a very similar message was discovered. It is called W32.Bugbros according to Symantec. It sends itself with the body:

"Hi,
I have send you the needed informations for the new worm-
backdoor discovered.
The Backdoor is called W32.Bug.Gear.A You can run the
attachment to avoide getting
hacked by closing the backdoor."

Reference - Thanks to Scott Fendley:

http://www.sarc.com/avcenter/venc/data/w32.bugbros@mm.html
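The W32.Bugbros body quoted above, the FBI forgery described at the top of this entry, and the Xombe message described in the 2004-01-10 entry above all give enough indicators for a simple mail filter. Here is an added example (mine, not ISC code) that parses a message with Python's email package and reports which of those indicators match. The sample messages are constructed; the sender address and attachment names for the FBI and Bugbros messages are placeholders, since the diary does not give them.

```python
import email
from email import policy
from email.message import EmailMessage


def build_sample(from_addr, subject, body, attachment_name=None):
    """Construct a test message in memory (sample only, not a captured malicious mail)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # placeholder bytes, not a real executable
        msg.add_attachment(b"MZ\x90\x00 placeholder payload",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_string()


# Indicators as given in the diary entries; everything else is constructed filler.
SAMPLE_XOMBE = build_sample("windowsupdate@microsoft.com",
                            "Windows XP Service Pack 1 (Express) - Critical Update",
                            "Install the attached critical update.", "winxp_sp1.exe")
SAMPLE_FBI = build_sample("fbi-placeholder@example.net",   # sender not given in the diary
                          "Your IP was logged",
                          "Your machine was scanned and illegal contents were found. See attachment.",
                          "report.exe")                     # attachment name not given in the diary
SAMPLE_BUGBROS = build_sample("friend@example.net", "new worm",
                              "Hi,\nI have send you the needed informations for the new worm-"
                              "backdoor discovered.\nThe Backdoor is called W32.Bug.Gear.A You can "
                              "run the attachment to avoide getting\nhacked by closing the backdoor.",
                              "fix.exe")                     # attachment name not given in the diary
SAMPLE_CLEAN = build_sample("colleague@example.org", "lunch?", "Noon at the usual place?")

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")


def check_message(raw):
    """Return the set of indicator names that match a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    subject = str(msg.get("Subject", "")).lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    attachments = [(a.get_filename() or "").lower() for a in msg.iter_attachments()]
    executables = [a for a in attachments if a.endswith(EXEC_EXTS)]

    reasons = set()
    if executables:
        reasons.add("executable-attachment")
    # Microsoft does not send patches by e-mail, so a "patch" from microsoft.com is a red flag
    if "@microsoft.com" in sender and executables:
        reasons.add("microsoft-patch-by-email")
    if ("windows xp service pack 1 (express) - critical update" in subject
            or "winxp_sp1.exe" in attachments):
        reasons.add("xombe-indicator")
    if "your ip was logged" in subject and executables:
        reasons.add("fbi-forgery-indicator")
    if "w32.bug.gear.a" in body:
        reasons.add("bugbros-indicator")
    return reasons


if __name__ == "__main__":
    for name, raw in (("xombe", SAMPLE_XOMBE), ("fbi", SAMPLE_FBI),
                      ("bugbros", SAMPLE_BUGBROS), ("clean", SAMPLE_CLEAN)):
        print(f"{name}: {sorted(check_message(raw))}")
```

The generic "executable-attachment" rule is the one that keeps working after the specific subjects change; the named indicators are useful for a day or two of triage and for counting how many copies of a given campaign reached the gateway.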

New PoC code for Linux vulnerability

Proof-of-concept code for testing the Linux do_mremap() vulnerability (affecting kernels 2.4.x and 2.6.x) was released today. Apparently it checks for the vulnerability without causing harm. It is time to patch the Linux kernel again. Check your Linux distribution's site for upgrades.

------------------------------------------------------------

Handler on duty: Pedro Bueno

0 Comments

Published: 2004-01-06

Adore-ng 0.31 released and POC code for do_mremap()

Adore-ng 0.31 released



A new version of the "adore" rootkit for Linux systems has been released. According to the information found within the source tarball, the new version has the following feature set:


- runs on kernel 2.4.x UP and SMP systems

- first test-versions successfully run on 2.6.0

- file and directory hiding

- process hiding

- socket-hiding (no matter whether LISTENing, CONNECTED etc)

- full-capability back door

- does not utilize sys_call_table but VFS layer

- KISS principle, to have as less things in there as possible but also being as much powerful as possible



Something to watch out for...




POC Code for the Linux Kernel do_mremap() exploit posted at bugtraq



Christophe Devine and Julien Tinnes have posted proof-of-concept code at bugtraq for the recently announced do_mremap() flaw in Linux kernels 2.2, 2.4 and 2.6. Once proof-of-concept code is released, working exploits are generally not far in the future. Although at first blush this vulnerability appears to be limited to being a local exploit, it could be used to escalate privilege following a successful remote attack. Time to get patching those kernels folks...



Mailbag:



In today's mailbag we received this question, "MS says I have the blaster worm on my computer. How do I get rid of it?" Well, Microsoft generally doesn't tell you that you are infected with any particular worm or virus, so most likely what you saw was a Windows Messenger pop-up spam advertising an anti-virus product.

But if you do suspect that you are infected with Blaster, Symantec has a nice removal tool at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Once you have removed it, you will want to make sure you update your computer. Go to http://v4.windowsupdate.microsoft.com/en/default.asp and make sure that you get all of the service packs and patches on your computer. You will need to click on the "Scan for Updates" link and it will advise you of which updates have not been applied to your computer. Please install all of the recommended items. This will help to prevent a reinfection in the near future.

It is important that you run a good Anti-Virus program and keep it up to date, install service packs and patches as recommended by Microsoft, and avoid opening attachments on emails that are suspicious in nature.



If you recently purchased a new WinXP system, or received one as a gift, be sure to get help in securing your new system:



http://isc.sans.org/presentations/xpsurvivalguide.pdf



Many thanks to Marcus Sachs for his suggestions on this entry.



---------------------------------------

Handler on duty: Tom Liston - http://www.labreatechnologies.com

0 Comments

Published: 2004-01-05

Linux Kernel Vulnerability, Ethereal Patches

Linux Kernel Vulnerability

Paul Starzetz ( http://www.isec.pl ) identified a new vulnerability in all current Linux kernels (2.2, 2.4 and 2.6). This vulnerability could allow unprivileged users to gain root access.

So far, we have not seen an exploit for this vulnerability.

New kernels were released today for all major Linux distributions.

Kernel upgrades can be tricky and require a reboot of your system, so carefully test new kernels before deploying them. While this vulnerability is not directly remotely exploitable, it is possible that other vulnerabilities (e.g. in CGI scripts) will be used to gain access to a machine as a non-privileged user. This vulnerability would then allow such an intruder to escalate privileges and become root.

Vulnerable Kernels: 2.6.0, 2.4.23, 2.2.25 (and respective earlier versions)

Fixed Kernels: 2.4.24

http://isec.pl/vulnerabilities/isec-0012-mremap.txt
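A quick way to triage a fleet against the version cut-offs listed above, as an added example (my code, not iSEC's or ISC's): parse the `uname -r` string and compare it against the branch boundaries the advisory gives. The version strings in the demo are constructed.

```python
import platform
import re

# Boundaries as stated in the diary: these versions and earlier in each branch are affected.
LAST_VULNERABLE = {(2, 2): (2, 2, 25), (2, 4): (2, 4, 23), (2, 6): (2, 6, 0)}
# The diary lists a fixed release only for the 2.4 branch.
FIRST_FIXED = {(2, 4): (2, 4, 24)}

# Leading major.minor.patch; vendor suffixes such as "-1.2115.nptl" or "-ac1" are ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_kernel_version(release):
    """Turn 'uname -r' output like '2.4.22-1.2115.nptl' into the tuple (2, 4, 22)."""
    m = VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return tuple(int(x) for x in m.groups())


def classify_kernel(release):
    """Classify a release string against the advisory's cut-offs.

    Returns 'vulnerable', 'fixed', 'unknown' (newer than the cut-off in a branch for
    which the diary lists no fixed release) or 'not-covered' (branch not in the advisory).
    """
    ver = parse_kernel_version(release)
    branch = ver[:2]
    if branch not in LAST_VULNERABLE:
        return "not-covered"
    if ver <= LAST_VULNERABLE[branch]:
        return "vulnerable"
    if branch in FIRST_FIXED and ver >= FIRST_FIXED[branch]:
        return "fixed"
    return "unknown"


def check_running_kernel():
    """Classify the kernel this script is running on (platform.release() is uname -r on Linux)."""
    return classify_kernel(platform.release())


if __name__ == "__main__":
    for r in ("2.4.22-1.2115.nptl", "2.4.24", "2.6.0", "2.6.1", "2.2.25", "2.0.39"):
        print(f"{r:22s} -> {classify_kernel(r)}")
    print("this host:", check_running_kernel())
```

Treat "vulnerable" as "check your vendor's errata" rather than proof: distributions routinely backport kernel fixes without changing the upstream version number, so a vendor kernel reporting 2.4.20 may already carry the fix, while a self-built 2.4.24 certainly does.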

Please submit any additions or corrections using the contact form at
http://isc.sans.org/contact.html

-----------------
Johannes Ullrich, SANS Institute, jullrich_AT_sans.org

-----------------
Ethereal Patches

Debian has released Ethereal patches covering 5 issues:

Debian Security Advisory DSA 407-1
http://www.debian.org/security/

DSA-407-1 ethereal -- buffer overflows
http://www.debian.org/security/2004/dsa-407

Patrick Nolan

0 Comments

Published: 2004-01-04

tcp/135 and ICMP Continue to Decline; Solaris 8 Hacks

tcp/135 and ICMP Traffic Continues to Decline

The decline in reported activity on tcp/135 (http://isc.sans.org/port_details.html?port=135) and ICMP (http://isc.sans.org/port_details.html?port=0) continues. This is due to the Nachi and Blaster worms expiring on January 1st. Many of our submitters are reporting that with the decrease in this activity they are able to see other attacks with a bit more clarity.

Solaris 8 Hacks

We've received a few reports of significant intrusions into networks of patched Solaris 8 machines. Initial analysis indicates what appears to be a multi-vector attack using finger, rpcbind, and ftp. In one network, the systems that were broken into did not have tcpwrappers installed, nor did they have the rpcbind from Wietse Venema and Casper Dik that has tcpwrapper support. However, there were Solaris 8 systems in the same machine room that were behind on patches but had tcp wrappers installed, and they were not broken into. If there have been other cases of similar intrusions in the past few days, the Storm Center would like to hear about it.

Marcus H. Sachs

The SANS Institute

Handler on Duty

http://isc.sans.org/contact.html
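The Solaris 8 entry above observes that the wrapped hosts survived while the unwrapped, patched ones did not. For reference, here is an added example (mine, not from the report) of the minimal tcp_wrappers policy that produces that effect: deny everything by default, then allow the finger, ftp and rpcbind services only from a named network. It assumes tcp_wrappers is installed, the inetd.conf entries for in.ftpd and in.fingerd already invoke tcpd, and the wrapper-aware rpcbind is in place; 192.0.2.0/24 is a constructed example network, and the two files are shown together in one block.

```text
# /etc/hosts.deny: default deny for every tcpd-wrapped service and for the
# wrapper-aware rpcbind. Anything not explicitly allowed below is refused.
ALL: ALL

# /etc/hosts.allow: explicit allow list. 192.0.2.0/24 is a constructed example
# management network, not a real address range.
in.ftpd, in.fingerd: 192.0.2.0/255.255.255.0
rpcbind: 192.0.2.0/255.255.255.0
```

Wrapping limits who can reach a service; it does not fix the service. Patching and wrapping are complementary, and the cheapest option of all is to comment out finger and ftp in inetd.conf on hosts that do not need them.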

0 Comments

Published: 2004-01-03

Microsoft Update on Windows 98, Microsoft Outlook

There might be a minor issue with Windows 98 machines and Microsoft Update. We had a report of a user who hit Windows Update with a machine that had been last patched in Dec 2003. On Jan 2, 2004 the machine was updated again, and it listed needing all updates for the system.

However, we've had no corroboration of this: no other reports, and a fellow handler could not replicate the bug. Testing on Windows 2000 Pro and Windows XP Pro also did not replicate the bug. If you've seen this come up, you might mention it along with the circumstances under which it occurred. Otherwise, we may just file this one as a PotM Error.

----

For some this is not new news: Russ Cooper of NTBugTraq[1] recommends keeping the Preview Pane in Outlook closed. The issue boils down to a difference between how AutoPreview handles messages versus what happens when you open the message normally. You can read Russ's full comments here[2].

Handler On Duty, Davis Ray Sickmon, Jr - Midnight Ryder Technologies (http://www.midnightryder.com)

[1] http://www.ntbugtraq.com

[2] http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0401&L=ntbugtraq&F=P&S=&P=72

0 Comments

Published: 2004-01-02

Nachia Decline; Increased Activity on Port 1026


There is not a lot going on today on the Internet; even traffic on port 80 was down. However, there are a couple of things worth mentioning.

Nachia Decline

Now that 2004 has arrived, we should see traffic for Nachia on the decline. As more systems get rebooted in 2004, Nachia should turn itself off on the rebooted systems.

Increased Activity on Port 1026

There is an increase in traffic on port 1026.

http://isc.incidents.org/port_details.html?port=1026

This port has the nterm service as well as Microsoft's Task Scheduler RPC service running on it. (Scheduler only listens on this port for NT/2000 systems and uses port 1025 for XP.) It has also been one of the ports used in pop-up messenger spam. It is worth watching. If anyone is seeing traffic destined for this port, let us know.

Lorna Hutcheson

0 Comments

Published: 2004-01-01

Happy New Year

According to email security company Postini, IP addresses in the 218.107.x.x range are in the top 10 for both spam and directory harvest attacks (DHA). 8 of the top 10 spam sources and 4 of the top 10 DHA sources came from this range for December 31 and January 1. These IPs are registered to China Netcom and have the hostname "host.better-delivery.com". It looks like these IPs may be good candidates to block.

www.postini.com/stats

I hope everyone had a Happy New Year.

Deb

0 Comments