Diaries

Published: 2004-09-30

Request for AIM IDs Involved with GDI Exploits; GDIscan Tutorial

Request for AIM IDs Involved with GDI Exploits

On September 28, we had an entry about GDI exploits being spread via AIM. We know of at least two subject messages that have appeared in the popup messages:


1) Check out my profile, click GET INFO!

2) hi you. Look at my new profile. click on GET INFO!


The AIM IDs these messages have come from have been an initial mix of alphanumeric characters followed by 6-7 numeric digits. If anyone receives an AIM message similar to these, we are requesting that you provide that information to the ISC.


GDIscan Tutorial

We have had a few questions about how 98/ME/95 users can see the results of gdiscan. Mr. Abrams documented the steps to do it and has updated his tutorial with instructions for users of those OS versions.


The URL to his tutorial is http://www.bleepingcomputer.com/forums/topict3077.html


------------------------

David Goldsmith

dgoldsmith at isc.sans.org

0 Comments

Published: 2004-09-29

New Virus Behavior / GDIScan Questions

New virus behavior

Our fellow handler Patrick Nolan sent this news about the Surila.k virus. According to the VirusList.com website "In order to gain full access to the Internet, Surila registers itself in the Windows FirewallPolicy, thereby becoming a legal program with full Internet rights."


This will bypass any firewall settings that might otherwise block the virus from contacting the IRC server it connects to for remote control. The virus also installs an HTTP and an SMTP proxy server; traffic to these proxies will be permitted by the modified firewall rules.

GDIScan questions

We are still receiving some questions about Tom Liston's tool GDIScan.
In yesterday's diary, Donald Smith included a good link to a FAQ for the tool ( http://www.bleepingcomputer.com/forums/topict3077.html ). One interesting question is about running the tool on Windows 98.

Donald Smith's answer explains it well:


"...it means the application was designed to run on win2k and higher.
I have successfully run it on an old 98 machine. The reporting was a
little messed up because my 98 system didn't render the ansi sequences
correctly BUT it did find vulnerable dlls. The report just wasn't in
red/black and had ansi sequences in the text."

-------------------------------------------------------------------

Handler on Duty: Pedro Bueno ( pbueno /AT/ isc.sans.org)

If you are at SANS Network Security 2004 in Las Vegas, say hello to our lucky handlers there! (P.S. Ask them to send a postcard to the handlers back here... like a Brazilian one...)

0 Comments

Published: 2004-09-28

aim for a gdi exploit.

Lawrence Abrams has created step-by-step end-user documentation for the gdiscan.exe scan tool by Tom Liston.
http://www.bleepingcomputer.com/forums/topict3077.html

Many people have asked what to do about DLLs being reported as vulnerable to MS04-028. Currently we are recommending that they contact the vendor of the product that installed the DLL. Some people have had fairly good results copying a non-vulnerable DLL over the top of the vulnerable one. If you choose to do that, please first back up the vulnerable DLL in case your software relies on that specific version.

Anyone still needing a copy of Tom's most excellent tool can obtain it here:
http://isc.sans.org/gdiscan.php
Anyone wanting modifications will have to wait, because Tom is goofing off in Vegas with a bunch of other off-duty handlers.
If you're going to SANS Network Security Las Vegas, Sep 28-Oct 04,
be sure to look for our missing handlers.

The handlers have received several reports that AIM messages are being used to entice users to download and view jpegs that match current signatures for the GDIplus.dll exploit.

The basic method is to attach GDI exploits to profiles on AIM.
The attacker then sends messages to get the user to go look
at the user profile that has a jpg with the gdiplus.dll exploit in it.

This is the message being seen "Check out my profile, click GET INFO!"
But of course that would be easy to change so it is probably not worth adding to your IDS signature list.

We have not received any copies of the jpegs involved in AIM propagation so it is possible that these were false positives from the IDS. But the signatures being used are very accurate so I strongly suspect these images contained a gdiplus.dll exploit.

We have also received several reports of Newsgroups having jpgs with a gdiplus exploit in them. These appear to have been Backdoor.Roxe.

We were alerted by Chris Mosby to two new trojans that exploit GDIPlus.dll.
http://www.sarc.com/avcenter/venc/data/trojan.moo.html
Trojan.Moo is a Trojan horse program that exploits the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028).

http://www.sarc.com/avcenter/venc/data/backdoor.roxe.html
Backdoor.Roxe is a backdoor Trojan horse program that exploits the Microsoft GDI+ Library JPEG Segment Length Integer Underflow Vulnerability (described in the Microsoft Security Bulletin MS04-028).

A new version of Bagle is spreading fast.
The From address is spoofed, so any SMART antivirus mail gateway will NOT bounce a "you sent us a virus" message back to it.

The subjects seen so far look like replies to an email:

RE: blank, hello, thank you!, thanks :), hi

The body of the message is a smiley :) or :))

Attachments have an extension of .exe, .scr, .com or .cpl,
and the first part of the name is joke or price.

We have received several copies of Bagle.az@mm (who keeps changing the version number between AV vendors, so no one really knows which version any given vendor detects).

This is the result from several antivirus vendors for the newest Bagle:

Vendor       Engine/DAT       Date        Detection name
BitDefender  7.0              09.28.2004  Win32.Bagle.AU@mm
ClamWin      devel-20040822   09.28.2004  Worm.Bagle.AP
F-Prot       3.15a            09.28.2004  W32/Bagle.AM@mm
Kaspersky    4.0.2.24         09.28.2004  I-Worm.Bagle.as
McAfee       4395             09.28.2004  W32/Bagle.az@MM
NOD32v2      1.880            09.28.2004  Win32/Bagle.AQ
Norman       5.70.10          09.28.2004  -
Panda        7.02.00          09.28.2004  W32/Bagle.BB.worm
Sybari       7.5.1314         09.28.2004  W32/Bagle.az@MM
Symantec     8.0              09.27.2004  -
TrendMicro   7.100            09.26.2004  -

Those with "-" in the last column did NOT detect this new version; newer versions of their AV engines and DATs may have detected it. Those with a Bagle.xx name detected it, but nearly all called it by a different variant letter.

For more information:
http://vil.nai.com/vil/content/v_128582.htm

0 Comments

Published: 2004-09-27

MS04-028 Public Exploit Attempts, VENDORS TAKE NOTE, Contacting ISC

MS04-028 Public Exploit Attempts


A post on the BUGTRAQ mailing list led us to an MS04-028 exploit attempt that was posted to adult-oriented newsgroups. The malicious image appears to have been created with one of the more recent MS04-028 exploit kits. Most popular anti-virus scanners, including BitDefender, Kaspersky, McAfee, Symantec and TrendMicro, are able to detect these exploit JPGs, identifying them as "Exploit-MS04-028" or "Bloodhound.Exploit.13" (Symantec).

Testing this exploit image on vulnerable Windows 2000 and Windows XP SP1 machines with Internet Explorer only caused the application to crash. However, we suspect that a working exploit is very close to widespread availability. Thanks to Johannes Ullrich and Bob Hutzley for offering up assistance in testing.



Vendors Take Note


Many people have written in indicating that they are detecting vulnerable non-Microsoft applications with the ISC GDIScan tool. Reader Neal L. Lester writes in:

"Your GDI scanner found a vulnerable copy of gdiplus.dll in my "HP CD-DVD" directory. I contacted HP and they had me install an old patch. Well, I've learned enough to know that asking why a two year old patch will cure a recent vulnerability isn't going to get me anywhere so I did as I was asked: Still There."

Vendors - If your software redistributes Microsoft DLLs that are vulnerable to the MS04-028 flaw, your software may be vulnerable to attack as well. Please work toward offering your customers a solution for this issue!



Contacting ISC


All of the Internet Storm Center Incident Handlers value the anonymity of the individuals who submit information to us. Anyone who wishes to anonymously share information or confidentially ask a question is welcome to do so by using the form at http://isc.sans.org/contact.php . However, if you ask us a question and do not supply your email address, it is very difficult for us to respond to your request. In some cases, Tom Liston will use his psychic ability to "IM" you back, but that is quite rare.




-Joshua Wright/Handler-on-Duty

0 Comments

Published: 2004-09-26

GDI Vulnerabilities : An open letter to Microsoft

GDI Vulnerabilities: An open letter to Microsoft

Dear Redmond Folks:

When I was but a wee lad, we lived in a rather large, old house that had, among other charming qualities, a basement that would make even the bravest soul think twice before venturing downstairs. It was cavernous, ill lit, and, quite frankly, always smelled a little funny. My older brother, as older brothers are wont to do, would tell me fantastic stories about why the basement had that odor; generally centering on some unfortunate past resident’s demise. I hated that basement.

My parents, in a vain attempt to rid the basement of its malodorous “twang” purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.

And, no matter how many times I begged, bribed and pleaded with my older brother, he would somehow know when I was making my daily trek to the basement and, as I was down there trying to pull the heavy bucket out of the dehumidifier, the lights would suddenly snap off, the basement door would slam shut, and I would hear my older brother’s voice wafting down from above: “It’s cooooooooming..... It’s cooooooooming to get you.......”

And there I stood: alone in the dark, unknown terrors approaching, armed only with a bucket of water.

Which is, curiously enough, almost exactly the position that Windows users find themselves in today: alone in the dark, unknown terrors approaching, but in their case, having a bucket of water would be an improvement.

MS04-028 is, perhaps, the epitome of bad technical writing -- the literary equivalent of spaghetti code. I’ve read through it far too many times, and I still understand far too little.

Your “GDI Scanning Tool” is worse than useless. Run it, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Go to Windows Update and update everything you can find. Go to Office Update and do the same. Run the scanner again, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Lather, rinse, repeat.

[Which is why the ISC has made GDIScan.exe and GDICLScan.exe available. See http://isc.sans.org/gdiscan.php for details.]

What about those old gdiplus.dll files that we’re all finding in our Side-By-Side DLL directories? Are they a problem? Why are you updating sxs.dll? Is there vulnerable code in there, or did you just rig it to avoid using the bad code in older versions of gdiplus.dll? (Hey, if you had asked me years ago, I would have told you that this was a serious problem with your Side-By-Side implementation.)

When a third party vendor wants to distribute a Microsoft DLL with their product, don’t they have to get permission from you? Wouldn’t there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll? Can you tell us what they are?

Please stop treating your customers like idiots and give us information; information that we can use.

In other words: Turn on the lights and open the door. We’re ready to come back upstairs now.

-TL




------------------------------------------------------------------------

Handler on Duty : Tom Liston ( http://www.labreatechnologies.com )

0 Comments

Published: 2004-09-25

JPEG exploit toolkit , JPEG Hacktool, GDIScan Tool, In search of the Botnet - Lessons learned


JPEG Exploit Toolkit
A toolkit designed to exploit the recently disclosed Microsoft JPEG vulnerability has been released. The vulnerability is a buffer overflow in the JPEG processing code, which lets an attacker craft a JPEG file that takes control of a victim's machine when the user views it through Internet Explorer, Outlook, Word and other programs that rely on the affected library.

http://www.theregister.co.uk/2004/09/24/jpeg_exploit_toolkit/

For a complete list of Microsoft Operating Systems and Microsoft Application Programs potentially affected by this see the information at:

http://www.microsoft.com/security/bulletins/200409_jpeg.mspx

A group of handlers have been "playing" with the toolkit. So far it hasn't worked too well. However, as with all of these, they have a tendency to get better real fast. Therefore apply the patches on both the operating systems and application programs as recommended by Microsoft.

Microsoft applications are not the only ones that may be affected by the vulnerability. It may be in many other image viewing, manipulation, screen capture and digital camera programs as well. See the GDIScan Tool section below for a tool to help you identify your vulnerable applications. Once you have determined which applications are vulnerable, you will need to contact the vendor for updates.

JPEG Hacktool

Three major anti-virus companies have now released definition files that will detect the JPEG exploits.

Symantec - Hacktool.JPEGDownload
http://securityresponse.symantec.com/avcenter/venc/data/hacktool.jpegdownload.html

McAfee - Exploit-MS04-028
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=128461

Trend Micro - HKTL_JPGDOWN.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HKTL_JPGDOWN.A

GDIScan Tool

One of our fellow handlers, and our resident expert on the color "orange", Tom Liston, has written a program that will help detect and identify the files that are potentially vulnerable to the JPEG exploit. The tool allows you to select which drive to check. The files that are possibly vulnerable are identified in yellow text.

The GDIScan program can be downloaded from the Internet Storm Center.
http://isc.sans.org/gdiscan.php

In Search of a Botnet - Lessons Learned

In my Inbox today was an email with a link to an article titled "When Bot Nets Attack". The subtitle was "Is your computer part of a bot army, infiltrating systems and spreading spam?"

This particular article caught my attention. This article hit really close to home! I have first hand experience with the topic of the article.

For the last three weeks I have been assisting a large organization that has been virtually brought to a standstill by a Botnet. They have agreed to allow me to talk about the experience providing that I don't disclose the name of the organization.

Our challenge with the worm began on September 6th. The organization has 40 locations and approximately 60 servers and approximately 3000 workstations.
The organization began to experience loss of Internet connectivity in several locations and before long they discovered that they were in the middle of a Denial of Service attack. Their network was under extreme load and continually kept shutting down. They hooked up their EtherPeek system and began monitoring the network and soon discovered that they were being overrun with CIFS traffic.

They immediately shut down their network, killed all connections to the outside world, and we began to try to track down the cause of the traffic load. We began bringing the locations back online one at a time and soon discovered that of the 40 locations, 29 were participating in the activity. The traffic was aimed at port 445 and was very persistent. As quickly as we brought the infected locations online, the denial of service attack would ramp back up.

We began to look at the machines in the main facility that appeared to be generating a large amount of traffic. Quickly we discovered that their Norton Anti-Virus definitions were not getting updated, in spite of the fact that they had always worked in the past. As we tried to determine the cause of the failure to update, we discovered that the hosts file had been altered and was overriding name resolution, preventing LiveUpdate from running. We soon discovered that approximately half of the workstations and some of the servers were infected with W32.GAOBOT.

We began to clean the machines up and get the definition files updated. We thought we had everything under control when it hit again. However, Norton was not detecting it as W32.GAOBOT; as a matter of fact, it was not being identified at all. We soon discovered that there were two different executable files running that were causing the problems.

The files were not visible in Windows Explorer or in a DOS directory listing. The only way to find them was to go to the command prompt, change to the C:\winnt\system32 directory and run attrib. On XP the file had the S, H and R (system, hidden, read-only) attributes set; on 2000 Pro only R. After we discovered this we cleared the attributes and deleted the file, and the CIFS traffic stopped. Norton now identifies this as W32.Spybot.Worm.

We also discovered that several of the computers had a bla.txt file. This file contained a pointer to an IP address of a computer within the organization, a port, and a userid and password. I finally located the machine and began to evaluate what this computer was doing. I found a program called bot.exe in the Run and RunServices registry keys. I was finally able to locate this file by booting to DOS and running attrib. All was well, I thought: delete the file and all would be well. Well, not exactly. I deleted the file, the computer immediately rebooted, and then gave me an error indicating that it was missing some required files. I put in a Windows XP CD and ran a repair, and the computer recovered.

We are still cleaning up and testing to ensure that the infection does not return. We did discover that we had several machines throughout the organization that had various spyware and other downloaded games and programs. One that stands out and may well have been the entry point for the worm is the ARES P2P program.

In spite of the policies in place that prohibit downloading and installing software, in spite of the policies that prohibit P2P applications, despite the firewalls and protective measures the organization had taken, and despite a managed anti-virus solution, they got infiltrated.

We have already identified several items that need to change, policies that need to be put in place and procedures that need to be updated. All of this will be reviewed after this has passed, and hopefully we can find solutions to better protect their systems.

Deb Hale

Handler on Duty

haled@pionet.net

0 Comments

Published: 2004-09-23

GDI Scanner Released

This is a preliminary diary and will be updated throughout the day as the situation warrants. Because of the possibility of a rapidly emerging exploit or worm, we are releasing it early.

Over the last 24 hours, several exploits taking advantage of the JPEG GDI vulnerability (MS04-028) have been released. We expect rapid development of additional exploits over the next few days.

Tom Liston has put together a scanner which will scan your systems for vulnerable versions of the GDI libraries. You can get it at http://isc.sans.org/gdiscan.php . This program should have an MD5 checksum of 91ff45c6158e77eb57fbf6fbe38f05d1 (verify it before running).

Several non-Microsoft programs include versions of GDI libraries which are vulnerable to exploitation. Using this tool you can identify programs which may be vulnerable, and attempt to obtain updates from the software developer.

SNORT Rules:

Judy Novak sent us these rules developed by the Snort Community.
Snort Rules:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
JPEG parser heap overflow attempt"; flow:from_server,established;
content:"image/jp"; nocase;
pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi";
reference:bugtraq,11173; reference:cve,CAN-2004-0200;
reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx;
classtype:attempted-admin; sid:2705; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
JPEG transfer"; flow:from_server,established; content:"image/jp";
nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g/smi";
flowbits:set,http.jpeg; flowbits:noalert;
classtype:protocol-command-decode; sid:2706; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
JPEG parser multipacket heap overflow";
flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|";
pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; reference:bugtraq,11173;
reference:cve,CAN-2004-0200;
reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx;
classtype:attempted-admin; sid:2707; rev:1;)


--

Michael Haisley

0 Comments

Published: 2004-09-22

MS04-028 PoCs and Exploits released / UPDATE: Snort Rules

MS04-028 PoCs and Exploits


Things are just getting better and better on this topic.

Today another exploit for MS04-028, the JPG vulnerability, was publicly released. This one will open a command prompt on your machine.

The first PoC (proof-of-concept) released some days ago is already detected by some AV vendors.
According to the free VirusTotal service, Symantec, Trend, Kaspersky and McAfee detect the malformed JPEG headers. So, if you run updated versions, you should be safe from that one.


On the other hand, if we are seeing exploits opening command prompts, something worse is on its way...

If you already have Tom Liston's ISCAlert ( http://www.labreatechnologies.com/ISCAlert.zip ) in your systray, stay tuned, it may blink soon...

So, please, remember to apply the Microsoft patches on your computer and those of your friends and family (I already applied them on my mother's Windows box...). Companies should test and apply them as soon as possible...
Remember that patches are not to be applied only when new malware is exploiting the vulnerability, so don't wait for that as a reason to apply them.




Reference: http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

We will update this diary as soon as we have more info.


UPDATE:

Judy Novak sent us these rules developed by the Snort Community.

Snort Rules:




alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
JPEG parser heap overflow attempt"; flow:from_server,established;
content:"image/jp"; nocase;
pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi";
reference:bugtraq,11173; reference:cve,CAN-2004-0200;
reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx;
classtype:attempted-admin; sid:2705; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
JPEG transfer"; flow:from_server,established; content:"image/jp";
nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g/smi";
flowbits:set,http.jpeg; flowbits:noalert;
classtype:protocol-command-decode; sid:2706; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
JPEG parser multipacket heap overflow";
flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|";
pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; reference:bugtraq,11173;
reference:cve,CAN-2004-0200;
reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx;
classtype:attempted-admin; sid:2707; rev:1;)
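The Snort rules above (sids 2705-2707, also posted in the September 23 diary) look for an APP1/APP2/APP13/COM marker whose two-byte length field is 0 or 1. GDI+ subtracts 2 from that field because the length counts itself, so a value below 2 underflows to a huge size; that is the MS04-028 integer underflow. The following is an added example, not code from the ISC or from the Snort community, that walks a JPEG's marker segments and reports that condition, alongside the rules' raw byte pattern so the two approaches can be compared. The sample images are constructed by hand for this example.

```python
# Added example (not from the ISC diary): walk a JPEG's marker segments and
# flag any segment whose 16-bit length field is 0 or 1. GDI+ subtracts 2 from
# that field (it counts itself), so anything below 2 underflows; that is the
# MS04-028 condition the Snort rules above look for on APP1/APP2/APP13/COM.
# The sample images below are constructed by hand for this example.
import re
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
WATCHED = {0xE1, 0xE2, 0xED, 0xFE}            # APP1, APP2, APP13, COM (as in the rules)
STANDALONE = {0x01, *range(0xD0, 0xD8)}       # TEM, RST0-RST7: no length field follows
RAW_PATTERN = re.compile(rb"\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]")  # the rules' pcre


def raw_pattern_hits(data):
    """Offsets where the Snort byte pattern matches, regardless of JPEG structure."""
    return [m.start() for m in RAW_PATTERN.finditer(data)]


def check_jpeg(data):
    """Return findings for segments whose length field is < 2 (empty list if clean)."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    findings = []
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # skip fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker, mpos = data[pos], pos - 1
        pos += 1
        if marker == EOI:
            break
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError(f"truncated segment header at offset {mpos}")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length < 2:
            findings.append({"offset": mpos, "marker": marker, "length": length,
                             "watched": marker in WATCHED})
            break                                      # length cannot be trusted past here
        pos += length
        if marker == SOS:
            # Entropy-coded data follows; an FF in it is always followed by 00 or RSTn.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
            else:
                pos = len(data)                        # ran out of data without a marker
    return findings


def jfif_jpeg(extra=b""):
    """Minimal JPEG: SOI, a JFIF APP0 segment, optional extra segments, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xFF\xD8" + b"\xFF\xE0" + struct.pack(">H", 2 + len(app0)) + app0 + extra + b"\xFF\xD9"


BENIGN = jfif_jpeg()
# COM segment claiming length 1: the MS04-028 underflow condition.
MALICIOUS = jfif_jpeg(b"\xFF\xFE" + struct.pack(">H", 1) + b"A" * 8)
# Well-formed APP1 whose payload happens to contain the rules' byte pattern.
LOOKALIKE_PAYLOAD = b"Exif\x00\x00" + b"\xFF\xFE\x00\x00" + b"\x00" * 4
LOOKALIKE = jfif_jpeg(b"\xFF\xE1" + struct.pack(">H", 2 + len(LOOKALIKE_PAYLOAD)) + LOOKALIKE_PAYLOAD)

if __name__ == "__main__":
    for name, img in (("benign", BENIGN), ("malicious", MALICIOUS), ("lookalike", LOOKALIKE)):
        print(name, "walker:", check_jpeg(img), "raw pattern:", raw_pattern_hits(img))
```

The walker reports the COM segment with length 1 at offset 20 in the malicious sample and nothing in the benign one. The third sample shows the trade-off the rules make: the raw byte pattern fires on the FF FE 00 00 bytes sitting inside a perfectly valid APP1 payload, while the walker, which honours the declared segment lengths, never looks inside that payload. A network rule has to work on bytes as they stream past, so it accepts that kind of false positive; a host-side check on the complete file does not have to.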


UPDATE 2:

The second exploit mentioned on this diary is already identified by the same AV vendors.



--------------------------------------------------------

Handler on Duty: Pedro Bueno (pbueno /AT/ isc.sans.org)


0 Comments

Published: 2004-09-21

PUT requests and Using Web Server Logs, trillian exploit, sudo exploit.

"PUT" Followup

The 'PUT' requests we posted about yesterday have now been linked to a defacement crew. As mentioned yesterday, make sure you disable 'PUT', or if you use it, secure it sufficiently.

Web Server Error Log Patterns

Based on our note about web site defacement attempts using 'PUT' requests, we received a couple of reports about various odd web server log entries. Monitoring these entries is important, and a web server log can provide much of the information traditionally provided by an intrusion detection system. While incomplete, here are a couple of common patterns:

(a) Spam relays.

There are a number of commonly installed CGI scripts that can be abused to relay spam. Among others: formmail.pl, rt_response.cgi, friends.cgi, backcon_sales.cgi, mt-send-entry.cgi (there are many more).

(b) Unicode exploits.
Old versions of IIS do not decode Unicode and other encoded forms of '../' correctly. As a result, the right URL may allow traversal out of the web root and execution of commands via the 'scripts' URL. Most commonly, these requests are caused by the Nimda worm. Typical request:
/_vti_cnf/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe

(c) Buffer overflows.
Various web servers can be tricked into executing arbitrary code by
triggering buffer overflows. Typically, the requests stick out because
they use long URLs in various shapes to trigger the overflow. As a
sample the famous Code Red request:

GET /default.ida?NNNNNNN...NNNNNNNN%u9090%u6858

or more recently the WebDav 'search' exploit:
SEARCH /AAAAAAAAAAAAAAAANNNNNNNNNNNN....

(both log entries abbreviated)

(d) SQL injection / script exploits

SQL injection typically inserts a quote to terminate the string in the SQL statement and then appends the attacker's own SQL (a condition that is always true, or a further command). For example:
GET somescript.php?param=test'%20or%201=1

(e) Cross Site Scripting

In its simplest form, you will see the string '<script>' included in the URL. However, this may be obfuscated using URL encoding. Again, overly long (and just plain weird looking) URLs will show what's going on. Since XSS is usually used against a valid URL, you will not see an entry in your error log; even if you are not vulnerable, the access log will show a '200' code or similar.

Lesson of the day:

Most of these exploit attempts are 'harmless' for a well maintained web site. They attempt to exploit older faults in standardized scripts. In order to detect more targeted attacks, consider the following:

Many times, as part of standard reconnaissance prior to an attack, the attacker will download the 'robots.txt' file to look for URLs that should not be indexed by search engines. Inexperienced sysadmins will use this technique to 'hide' administrator pages. The attacker will then use the 'robots.txt' file as a guide to launch their attack.

Add a fake "admin page" to your robots.txt "disallow" section. If you are using a web scripting language like PHP, have it send you an e-mail whenever this fake admin page is accessed. This will provide an instant IDS to alert you to anyone poking around in areas they shouldn't.
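The patterns (a) through (e) above, the 'PUT' defacement attempts from yesterday's diary and the decoy admin page from the robots.txt trick are all things that can be picked out of an ordinary access log. The following is an added example, not the handler's code, that tags log lines with those patterns. The log lines are constructed for the example, the decoy path /admin-old/ is hypothetical, and the thresholds and regular expressions are deliberately simple; the point is what to look for, not a finished IDS.

```python
# Added example (not from the ISC diary): tag web server access-log lines with
# the patterns listed above, plus the PUT defacement attempts from the previous
# day's diary and hits on a decoy "admin" page listed in robots.txt. The log
# lines and the decoy path (/admin-old/) are constructed for this example.
import re
from urllib.parse import unquote

DECOY_PATH = "/admin-old/"   # hypothetical page from the robots.txt Disallow trick
LONG_URL = 500               # crude threshold for overflow-style requests

# Apache/NCSA common log format: host ident user [time] "method url proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: \S+)?" (?P<status>\d{3}) '
)
SPAM_RELAY_SCRIPTS = ("formmail.pl", "rt_response.cgi", "friends.cgi",
                      "backcon_sales.cgi", "mt-send-entry.cgi")
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%c0%af|%c1%1c|%255c|cmd\.exe", re.I)
OVERFLOW_RE = re.compile(r"%u9090|[NA]{32,}")
SQLI_RE = re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I)
XSS_RE = re.compile(r"<\s*script", re.I)


def classify(line):
    """Return {'ip','method','status','tags'} for one log line, or None if it
    does not parse. An empty 'tags' list means nothing suspicious matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m["url"]
    decoded = unquote(unquote(url))            # two passes catch %25xx double encoding
    path = decoded.split("?", 1)[0].lower()
    tags = []
    if path.startswith(DECOY_PATH):
        tags.append("decoy-admin-page")
    if m["method"] == "PUT":
        tags.append("put-upload")
    if path.endswith(SPAM_RELAY_SCRIPTS):
        tags.append("spam-relay-cgi")
    if TRAVERSAL_RE.search(url) or TRAVERSAL_RE.search(decoded):
        tags.append("traversal")
    if len(url) > LONG_URL or OVERFLOW_RE.search(url):
        tags.append("overflow")
    if SQLI_RE.search(decoded):
        tags.append("sqli")
    if XSS_RE.search(decoded):
        tags.append("xss")
    return {"ip": m["ip"], "method": m["method"], "status": int(m["status"]), "tags": tags}


def scan(log_text):
    """Entries with at least one tag. Note that the XSS and SQLi lines carry a
    200 status: the access log, not the error log, is where these show up."""
    hits = []
    for line in log_text.splitlines():
        entry = classify(line)
        if entry and entry["tags"]:
            hits.append(entry)
    return hits


# Constructed sample log (not real traffic); one line per pattern.
CODE_RED_URL = "/default.ida?" + "N" * 60 + "%u9090%u6858"
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [21/Sep/2004:10:00:01 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.6 - - [21/Sep/2004:10:00:02 -0400] "PUT /ownz.htm HTTP/1.0" 405 312',
    '10.0.0.7 - - [21/Sep/2004:10:00:03 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 210',
    '10.0.0.8 - - [21/Sep/2004:10:00:04 -0400] "GET /_vti_cnf/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    f'10.0.0.9 - - [21/Sep/2004:10:00:05 -0400] "GET {CODE_RED_URL} HTTP/1.0" 404 210',
    '10.0.0.10 - - [21/Sep/2004:10:00:06 -0400] "GET /somescript.php?param=test\'%20or%201=1 HTTP/1.0" 200 512',
    '10.0.0.11 - - [21/Sep/2004:10:00:07 -0400] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 512',
    '10.0.0.12 - - [21/Sep/2004:10:00:08 -0400] "GET /admin-old/login.php HTTP/1.0" 200 88',
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["status"], ",".join(hit["tags"]))
```

Two details matter in practice. The URL is decoded twice before the path checks, so the %255c-style double encoding that old IIS mishandles is matched on what the server would eventually see, while the traversal check also runs on the raw URL so the encoded form itself stays visible. And the decoy page is matched on the path alone, ignoring the status code: the page exists, so it returns 200, exactly like the XSS and SQL injection probes against valid URLs.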

Trillian Exploit

An exploit has been released against the popular instant messenger client Trillian. It is written to exploit the MSN module vulnerability in Trillian version 0.74i.

sudo vulnerability

sudo version 1.6.8 may provide a local attacker with super user (root) access to files.

----------

Johannes Ullrich, jullrich'&at&sans.org (filling in for Cory today)

0 Comments

Published: 2004-09-20

Increase in HTTP PUT Requests; DDoS Against Authorize.net; More JPEG Comments

Increase in HTTP PUT requests. A report from Ryan stated that he noticed an increase of HTTP PUT attempts to his public web servers over the past few weeks. After looking at the file names attempting to be uploaded, it appeared that this was an attempt to deface his web site. Some of the file names in his logs included:

PUT /index.html HTTP/1.0

PUT /at4k3r.htm HTTP/1.0

PUT /ka.htm HTTP/1.0

PUT /kateam HTTP/1.0

PUT /scanned HTTP/1.0

PUT /inf.txt HTTP/1.0

PUT /ownz.htm HTTP/1.0

PUT /hdg.htm HTTP/1.0


Johannes Ullrich, the ISC's CTO, checked our web logs and found similar activity. A quick search online revealed several hits on these file names (obviously we didn't bother checking index.html)

Fortunately the attempted defacements were not successful. Both Ryan and the ISC would like to highlight the importance of restricting the authorized HTTP request methods on public web servers. This "hack" (the easiest defacement method of them all) can be effectively denied by not allowing the PUT method and also with appropriate DocumentRoot directory ownership/permissions. Check your web logs for this type of behavior. A simple Snort rule to alert on PUT requests would also be prudent for sites that do not expect uploads.

DDoS Against Authorize.net. Authorize.net has been enduring an extended denial of service attack. A statement on their web site indicates that as of 1900Z today, they continue to experience intermittent large scale distributed denial of service (DDoS) attacks. These attacks have led to periodic disruptions for some of their merchants.

More JPEG Comments. The ISC received several requests to clarify the comments in Friday's diary concerning JPEG file attachments. Our recommendation is to not waste time blocking JPEG file attachments as a mitigation step while patching the MS04-028 issue. It creates a false sense of security as well as an enormous inconvenience to users, help desks, and system administrators. Here are some additional thoughts on this reasoning.

Internet Explorer and other applications do not rely on the file extension to classify a file as an image; they use the header information to identify the actual image type. Because of this, an attacker can take a malicious JPEG and rename it to ".gif" before sending it as an attachment. Your filtering system may not identify the file as a JPEG since the extension is ".gif", but your client system will still render it as a JPEG, potentially exposing your system. Therefore, if you were to try to filter malicious images by file extension, you'd have to filter out all known image extensions. Test it for yourself: take a .jpg file and rename it to .gif/.png/.jpe/.bmp/.wmf; they are all processed as a JPEG on a WinXP SP2 system.

If you decide to block JPEG attachments in email, then you also need to consider blocking instant messaging, P2P, web surfing, and "allowed" email attachments that could contain JPEG images, such as Microsoft Office documents. While it sounds like an easy quick fix, blocking JPEG attachments is the wrong way to attack this problem. It removes a single vector at a very high cost to your network users and the help desk. Save your energy for security battles that are more worthwhile.
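If a gateway is going to make any decision about an image at all, it has to make it the way the viewer does: from the leading bytes, not the name. The following is an added example, not part of the original diary, showing an extension-based filter and a content-based one side by side on a JPEG that has been renamed to .gif. The magic numbers are the standard file signatures; the sample bytes are constructed.

```python
# Added example (not from the ISC diary): decide what an attachment really is
# from its leading bytes rather than from its name, the way the viewer will.
# Magic numbers are the standard file signatures; the sample bytes are constructed.

MAGIC = (
    (b"\xFF\xD8\xFF", "jpeg"),          # SOI marker followed by the next marker's FF
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
)
EXT_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "jpe": "jpeg",
            "png": "png", "gif": "gif", "bmp": "bmp"}


def sniff_type(data):
    """Type according to the file's own header (what the renderer goes by)."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def declared_type(filename):
    """Type according to the extension (what a naive attachment filter goes by)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TYPE.get(ext, "unknown")


def assess_attachment(filename, data):
    declared, actual = declared_type(filename), sniff_type(data)
    return {
        "declared": declared,
        "actual": actual,
        "mismatch": declared != actual,             # worth an alert on its own
        "blocked_by_extension_filter": declared == "jpeg",
        "blocked_by_content_filter": actual == "jpeg",
    }


# Constructed samples: a minimal JPEG (SOI + JFIF APP0 + EOI) and a GIF header.
RENAMED_JPEG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xFF\xD9"
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"

if __name__ == "__main__":
    for name, data in (("holiday.gif", RENAMED_JPEG), ("logo.gif", REAL_GIF)):
        print(name, assess_attachment(name, data))
```

The renamed file sails past the extension filter and is caught by the content filter; the mismatch between the two views is itself a useful signal, since a legitimate sender rarely mislabels an image. Even so, this only confirms the diary's point: the same bytes arrive over IM, P2P and the web, where no mail gateway sees them, so patching remains the fix.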

Train your employees to not use their business email for personal use, to turn off any in-line image rendering, to use text (rather than HTML) email for non-digitally signed and encrypted email, and use a good spam filter on your email gateway. These steps are preventative in nature and will defend against multiple attack vectors, not just the JPEG problem. Knee-jerk reactions to specific vulnerabilities rarely work. It is much better to engineer a secure network environment that includes strong policy and lots of user awareness training. "DENY ALL" is the best starting point, then ALLOW only those activities that support your business operations.

As security professionals, we have to be very careful to not become the person who prevents people from getting work done. Focusing on a secure network environment based on business needs and defense in depth will allow you to become an enabler of more efficient business processes while operating a more reliable and secure communications network.

(Thanks to Josh Wright and Johannes Ullrich for the additional thoughts and comments.)

Marcus H. Sachs

Handler on Duty

0 Comments

Published: 2004-09-19

SETI@Home site problems

Very early this morning we received a report that the SETI@Home site had been changed for some odd reason. In addition, there was an unexplained server crash on the 13th. These things combined lead to a very disconcerting situation.

Our concern at ISC is a _possible_ compromised SETI client that would allow unauthorized access into the machine(s) on which it resides. As with any software published for public consumption, it is always a good idea to have MD5 sums or PGP to go along with it. We are _strongly_ encouraging all users who have downloaded the client to double check that what they have downloaded is the correct version and date/time stamp.

These are the md5 checksums for the release which is currently posted on the SETI@Home website as of 9/19/04.

5322fb39dd6af736bc8aee6c31db35b8 *boinc_4.09_i686-pc-linux-gnu.gz
ca69109543ed734e8cbf95e2ac3b3f86 *boinc_4.09_powerpc-apple-darwin.gz
cf69d759218db851461fb94c4ff6409f *boinc_4.09_sparc-sun-solaris2.7.gz
a0ebd49d9f445b732c6194637b786794 *boinc_4.09_windows_intelx86.exe

Contributors:
Michael Haisley
Johannes Ullrich
Marcus Sachs

Tony Carothers
Handler on Duty
tonydotcarothersatgmaildotc0m

0 Comments

Published: 2004-09-17

MS04-028 Proof of Concept Rumors; Beyond Patching; Mailbag

MS04-028 Proof of Concept Rumors. At least two examples of concept code exploiting the recently announced MS04-028, Buffer Overrun in JPEG Processing (GDI+), were released in the past 24 hours. This should serve as a warning to those who are ignoring a potentially explosive vulnerability that there are individuals and groups actively at work trying to build a working exploit.

We have seen this same pattern in the past - a significant vulnerability is announced, followed in a few days by POC code that usually causes a system crash or denial of service condition, followed by a hunt to get a reliable and simple buffer overflow to work using universal stack pointer offsets. Once an attack mechanism is perfected, then it's just a matter of hours or days before worm code is launched. With the growth in popularity of the Metasploit Framework project, simple point-n-click access to vulnerable systems follows quickly, allowing anybody from script kiddies to nation states to gain unauthorized access to insecure systems.

So here we are at roughly day three. POC code is circulating. Working exploit code is probably going to find its way into the public domain within a few days or a week. Then it's up to the whims of somebody or some group to build and launch a malware attack using the newly developed exploits. Crystal ball says to look for a worm or mass-mailer by the end of September.

Beyond Patching. You've got an enterprise that is nearly 100% Microsoft, with thousands of desktop computers that need patching, not to mention all of the servers, and of course those pesky laptops that your road warriors and management use but won't keep updated. Now you are faced with an issue as devious as the MS04-028 vulnerability in JPEG processing. Of course it could be another significant vulnerability in Microsoft systems, or in other popular products including Cisco, Juniper, Oracle, Linux, or AIM. Regardless, you are faced with the reality of a whole lot of machines that are now vulnerable to a known security problem, and the clock is ticking.

Before you call all of your staff in and start working them overtime, consider some of the below options that can be done quickly while you start deploying patches. In fact, many of these steps should be done regardless of any published vulnerabilities. Yes, they may cause some squealing from your users, but take that as an opportunity to help them understand the risks your organization faces by being connected to the public Internet.

1. Set your gateway devices (routers, firewalls, etc.) to a "deny all" setting as the default for inbound traffic, then explicitly allow the ports needed to support your business or operational processes.

2. Use egress filtering to block all outbound traffic not sourced from the subnet behind a particular edge router. This is just good common sense, but so many network administrators do not take this simple step.

3. Disable HTML rendering in your email clients. Some email clients have a feature that blocks inline images. If so, turn it on. (Blocking .jpg or .jpeg file attachments is a waste of time. Don't do it.)

4. Likewise, disable the preview panel in Outlook and Outlook Express.

5. Do not use Word as your email editor. Use Outlook's built-in editor.

Once you do start patching for MS04-028, do not forget to patch twice - once for Microsoft Windows and once for Microsoft Office. Microsoft's statement about WindowsXP SP2 being not vulnerable is a bit misleading. If you are running Office products, you need to patch them too regardless of your SP level.

Mailbag. Chris sent us a note that he received an email from "security@microsoft.com" with an attachment - patch.exe. As most of our readers know, Microsoft does not send patches by email.

Matthias pointed us to an article in Germany concerning WindowsXP SP2 opening local shares to the dialup networking interface. We have not validated the claim. Details are at http://www.pcwelt.de/know-how/extras/103039/

Steve told us about a physical security issue with a popular brand of bicycle and laptop locks. Details are on Slashdot at http://slashdot.org/article.pl?sid=04/08/09/0218225&tid=172

Thanks to the many people who wrote in supporting Cory's missive on ASCII graphics a couple of days ago. For those who thought it was inappropriate, our apologies. Perhaps we should use ASCII emoticons to warn readers when we are just joking. :)

Marcus H. Sachs

Handler on Duty


See everybody in Las Vegas - I'm teaching E-Warfare on September 28th and would really like to meet some of our readers!

0 Comments

Published: 2004-09-16

System Store Trojan, Infection Persistence, Save the Pr0n



Trojan Stealing System Store

A "multi-stage" trojan has been reported to us by Morton Krkvik (Telenor Security Operations Center, Norway). The trojan starts at www.alarm-works.com, and uses the old .chm exploit to upload its 'first stage' (ttt.exe). Next, it will grab a second stage from 65.77.216.38. This part, a binary called sstore2k.exe, is UPX packed. It appears to upload the SSL certificates and cached passwords from the Windows System Store to the same system.

This analysis is not complete, and may be completely wrong ;-). More later, or in tomorrow's diary.

Infection Persistence

The data collected by DShield.org can be used to estimate the time it takes on average to clean an infected system. The infection persistence can be estimated by calculating the time between the first and last report received for a particular host. Overall, this should provide us with a reasonable estimate.

Errors are introduced by three issues:

(1) Our sensors will likely not receive the first and last bad packet
sent by an infected host. This will shorten the observed duration of
an infection.

(2) We are not able to connect reports from dialup users (or in
general dynamic IP users) who are assigned a new IP address whenever
they connect.

(3) Some systems in our database may not be infected at all, but due
to configuration choices of a particular sensor, or due to unusual but
legit traffic from the site it may show up as infected.

Given these caveats, here is the data:
http://isc.sans.org/images/persistence_new.gif

I did try to fit a few different models to this curve. Without exhausting all the possible models, the model that fits particularly well is the assumption of two different populations, each with a distinct half-life until fixed. The red dots represent the data collected by our sensors, while the thick green line is calculated using the following assumption:

(1) 96% of the infected systems will have a 50% chance to be discovered and
fixed within 6 hrs.

(2) 4% of the infected systems will have a 50% chance to be fixed within 7 days.
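The two-population assumption behind the green line, written out as a formula (added here, not part of the original diary; t is measured in hours, and the two half-lives are the 6 hours and 7 days = 168 hours given above):

$$P(t) = 0.96 \cdot 2^{-t/6} + 0.04 \cdot 2^{-t/168}$$

where P(t) is the fraction of infected hosts still reporting t hours after their first report, 0.96 and 0.04 are the sizes of the fast and slow groups, and each term halves once per half-life of its group.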

I did a similar graph about 2 years ago:
http://isc.sans.org/images/persistence_old.gif

Interestingly, even then we had a similar split between fast/slow fixed systems. However, only 0.5% of the systems fell into the 'slow' group. It is however too early to call this evidence that systems are less likely to be fixed right away. There are a couple of things that changed over the last two years.

First of all, the older data was collected not too long after a worm outbreak (the Nachi worm, if I remember right). If you call the fast-fixing systems 'well maintained', you can assume that shortly after a worm outbreak you are more likely to have well maintained systems infected than some time after a worm outbreak. On the other hand, our sensor coverage increased substantially over the last two years. As a result, for some of the systems we observed for only a short time two years ago, we now get more data, which extends their 'persistence' in our database.

Save the Pr0n

We got a note from Frank somewhat flaming yesterday's handler (Cory) for his suggestion to move back to a text based Internet (we all still have a gopher client?).

Clarification: It was meant to be a joke. However, in case you are using Lynx to read this, here is a text based ISC logo for you:
http://isc.sans.org/images/logo.php
(thanks to http://www.degraeve.com/gif2txt.php )

-----------------

Johannes Ullrich, jullrich_'at&sa\ns.org

0 Comments

Published: 2004-09-15

Panic Storm Over MS04-028 Reaches Category 4, Mozilla Responds With Vulnerabilities Of Its Own!

JPEGs Will Destroy All Life As We Know It

As the panic over yesterday's MS04-028 patch (mentioned in the previous diary) begins spiraling wildly out of control, I'd like to offer myself up as a calm, reasonable head in this tumult of madness. Some may suggest disabling or stripping JPEG images to prevent slow patchers from being annihilated by a JPEG of Doom. I, for one, say this is folly, as it leaves end users open to attack from TIFFs & GIFs, PNGs & MNGs, not to mention the near DoS-level bandwidth consumption of BMPs!!!

I'd like to propose a return to a simpler time. A time when ANSI graphics reigned supreme. Have we really become so shallow since the days of Tradewars on a 9600 baud Renegade BBS that we demand our images be made up of *tiny* colored blocks instead of *giant* colored blocks? Advanced graphics have brought us nothing but trouble in the form of expensive graphics cards and vulnerabilities! Sure, none of these vulnerabilities have generated a decent exploit (yet?), but I'm not about to shut the barn door after the horse has already owned my box.

Mozilla, Firefox Have Vulnerabilities Too!

Not to be outdone, the Mozilla project released updates that fix a number of vulnerabilities in the Mozilla & Firefox browsers, as well as the Thunderbird mail client. Problems fixed include buffer overflows leading to remote system access, so it's recommended that users upgrade. This is actually a great excuse to upgrade to the just-released Firefox 1.0 Preview Release, which I'm loving. Updates to all Mozilla products are available here:
http://www.mozilla.org/products/
Detailed information on the vulnerabilities fixed with these updates is available here:
http://secunia.com/advisories/12526/

***************

Cory Altheide

Handler-On-Duty

***************

0 Comments

Published: 2004-09-14

Microsoft Sept Patches and Weblogic vulnerability

Microsoft released 2 security bulletins today

Microsoft has released 2 updates today - MS04-027 and MS04-028.



MS04-027 - This vulnerability affects Microsoft Office; the vulnerability is in the WordPerfect converter of MS Office. Microsoft assigned the severity as "important" for this vulnerability.



MS04-028 - There is a buffer overflow vulnerability in Microsoft's GDI+, a graphical component in the Windows operating system which handles JPEG processing. This vulnerability affects most of Microsoft's software that has the ability to process JPEG on the Windows platform (Office, IE...). Microsoft assigned the severity as "critical" for this vulnerability. If a remote attacker can trick a user into browsing/viewing a malicious JPEG file, malicious code embedded in the JPEG will be executed, with the possibility to compromise the machine.


ISC Handler Donald Smith pointed out that if you have installed any of the affected programs or affected components listed in this bulletin, you should install the required security update for each of the affected programs or affected components. This may require the installation of multiple security updates. The non-affected versions of Windows do not natively contain the vulnerable component. However, the vulnerable component is installed on these non-affected operating systems when you install any of the software programs or components that are listed in the Affected Software and Affected Components sections of this bulletin. See the FAQ section of this bulletin for more information.

Weblogic vulnerability


BEA has released 9 vulnerability alerts for Weblogic server. These vulnerabilities affect versions from 6.1 to 8.1. If you are running BEA Weblogic server, it's time to deploy patches. These alerts can be found at the following URL:

http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/index.jsp




Wordlist for cracking


We have recent reports that some bots and other hacking tools are using the wordlist located at http://www.weblinxorz.com/wordlists/ for password cracking attempts. It would be a good idea to feed this wordlist to your own cracker before the attackers do.



--- Handler on duty - Jason Lam, jason AT networksec.org

0 Comments

Published: 2004-09-13

WS domain, audio applications, and IP addressing

Monday, September 13th was generally quiet. SSH probes, telnet
probes, and phishing web sites continue to show up as common themes.

One individual pointed out some problems in the .ws top-level
domain. While some domains themselves resolved, there did not appear to
be any nameservers for the .ws TLD. The problem is now resolved.

One common problem we encounter is Voice over IP (VoIP) and other audio applications that open audio streams. These tend to use a steady, if not large, amount of bandwidth. The directory lookup feature, especially in Skype, tends to be rather noisy - I personally forgot Skype was running at one point and was alarmed at the number of outgoing connection attempts on my network wire.

Skype: http://www.skype.com
Vocaltec: http://www.vocaltec.com
RealAudio: http://www.real.com

One question came in from a user about IP addressing. In IPv4,
here are the network addresses that shouldn't show up on your network
cable:

127.0.0.0/8
This is legal on the loopback interface, though.

224.0.0.0/4
Illegal as a source address, or as a destination address for
anything but udp or igmp.

240.0.0.0/4
Although 255.255.255.255 is occasionally used as a legal
destination.

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
These are reserved for internal use. They shouldn't show up as
the source or destination address of packets crossing the Internet.

The last block of illegal addresses are the "bogon" networks: IP address blocks that have not been allocated. This list changes as new IP blocks are handed out, so it's best to get it from a maintained source such as this one:
http://www.cymru.com/Documents/bogon-bn-agg.txt

Finally, Mark Cooper will be leaving the handler's team. On behalf of the team, thank you, Mark, for taking part.

---- Handler on duty, William Stearns wstearns@pobox.com
http://www.stearns.org/ (security papers and tools)

0 Comments

Published: 2004-09-12

SDBot sniffs, blings

Over the weekend a reader, Infinite, wrote to us and commented on "Bling.exe" with a pointer to TrendMicro write-ups of two new SDBot variants. Thanks Infinite! (Bling.exe is a component of these Trojans' spreading mechanism: the "TFTP server .. attempts to send this worm to other systems as the file "BLING.EXE").

What's notable is that these SDBot variants have a sniffer with a list of strings they filter for. (Although there are two earlier bot variants, described by Sophos, that use Bling.exe, they are not reported to have a sniffer component.) If the trojans described by Trend can successfully transmit the filter's packet captures back to the owner, they are going to cause problems well beyond typical bot infestation issues. It is my understanding that the filter will only work when it matches a string exactly.

The addition of the sniffer also brings up the question "What are the intended targets of these particular trojans?" (my favorite malware question!). Are they after the usual SDBot stuff ... after all, building an SDBot variant is trivial ... or is the trivial use of SDBot just camouflage for attacks on critical systems resulting from the harvest of the sniffer's filter? If you'd care to contribute to an answer to this question ("if you got bling") and care to share the sniffer's impact, privately or publicly, please write us at:


http://isc.sans.org/contact.php

FWIW, if your network is vulnerable: while researching the history of the use of sniffers by Trojans and backdoors in "Malware: Fighting Malicious Code" by Handlers Ed Skoudis and Lenny Zeltser, I found a recommendation for finding sniffers. The book refers to:

-- the sentinel project v1.0 : by bind : copyright (c) 2000, 2001 --
The sentinel project is an implementation of effective remote promiscuous detection techniques.
http://www.packetfactory.net/Projects/sentinel/

SDBot and Bling.exe References:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.UJ&VSect=T
WORM_SDBOT.UJ


http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.UH&VSect=T
WORM_SDBOT.UH

Filtered Strings from Trend:
"Information Theft

This worm uses carnivore network sniffer and checks for the following strings:

: auth
: login
:!auth
:!hashin
:!login
:!secure
:!syn
:$auth
:$hashin
:$login
:$syn
:%auth
:%hashin
:%login
:%syn
:&auth
:&login
:*auth
:*login
:,auth
:,login
:.auth
:.hashin
:.login
:.secure
:.syn
:/auth
:/login
:?auth
:?login
:@auth
:@login
:\auth
:\login
:~auth
:~login
:+auth
:+login
:=auth
:=login
:'auth
:-auth
:'login
:-login
login
login
paypal
PAYPAL
paypal.com
PAYPAL.COM"

SSH Saga Continues

Reader Tomi Junnila offered these views and solicited feedback on the following approach to defending against recent SSH brute force attacks. Thanks Tomi!

"Using syslog-ng, I set up a new filter and destination to detect the attacks:

filter f_sshd_failed { program("sshd") and match("(Failed password for root|Illegal user (test|guest|admin|user))"); };

destination sshd_blocklist { program("/usr/local/sbin/sshd-blocklist"); };

log { source(src); filter(f_sshd_failed); destination(sshd_blocklist); };

This forwards log messages from sshd containing "Failed password for root from (host)" and "Illegal user (user) from (host)" to the program /usr/local/sbin/sshd-blocklist. This is a simple shell script:

#!/bin/sh

# Settings:
iptables="/sbin/iptables"
blockchain="blocking"
blocktarget="blocklist"

# This program will match lines:
#   Illegal user (userid) from (host)
#   Failed password for (userid) from (host) (...)
# and adds (host) to the iptables blocklist chain $blockchain.
#
# This chain is cleared regularly by a separate script to let
# entries expire after a while.

# Field layout of a syslog line: month day time hostname program-tag message...
while read mm dd hms localhostname sshd word1 word2 word3 word4 host1 host2 rest; do
    if [ "$word1 $word2 $word4" = "Illegal user from" ]; then
        # "Illegal user (userid) from (host)": the host is the 5th message word
        $iptables -A $blockchain -s ${host1}/32 -j $blocktarget
    elif [ "$word1 $word2 $word3 $host1" = "Failed password for from" ]; then
        # "Failed password for (userid) from (host)": the host is the 6th message word
        $iptables -A $blockchain -s ${host2}/32 -j $blocktarget
    fi
done

It's not perfect, but will block anyone trying to hack the machine for a while (the duration will depend on how often the chain is cleared) after their first failed attempt. If you have a separate whitelist which gets accepted before the blocklist chain is executed, you can ensure that a failed password won't cut you off from the host.

The downside is that this could theoretically be used to slow your host down if someone launched the attack from a huge number of IP addresses, causing the blocking chain to become very long. A more robust /usr/local/sbin/sshd-blocklist might help there, if it did some more checking before adding the hosts on the blocklist.

There may be better ways, and if anyone has any, I would be interested to know too."

Some initial feedback was that "key based authentication will be even better" and "the approach will not help against lucky shots that hit the right password on the first try, and against more distributed scans".
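The same two sshd messages that the syslog-ng filter above forwards, parsed here with the "more checking before adding hosts" that Tomi's post asks for: a whitelist so a failed password cannot lock the admin out, a failure threshold, and a cap on the blocklist size so a distributed scan cannot grow the chain without limit. This is an added example, not code from the diary or from Tomi's script; the sample log lines and the network ranges are constructed.

```python
"""Decide which sshd brute-force sources to block (added example)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# The two sshd messages the syslog-ng filter in the post matches.
ILLEGAL_USER = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from (\S+)")
FAILED_PASSWORD = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+)")


def offending_host(line):
    """Return (user, host) if the line is one of the two attack messages, else None."""
    for pattern in (ILLEGAL_USER, FAILED_PASSWORD):
        m = pattern.search(line)
        if m:
            return m.group(1), m.group(2)
    return None


def hosts_to_block(lines, whitelist=("192.0.2.0/24",), threshold=3, max_hosts=1000):
    """Return the source addresses that should go on the blocklist chain.

    whitelist: networks that are never blocked (the post's separate whitelist
               that keeps a mistyped admin password from cutting you off).
    threshold: failures from one address before it is blocked.
    max_hosts: upper bound on the list, so the iptables chain stays short
               even when an attack comes from a huge number of addresses.
    """
    nets = [ip_network(n) for n in whitelist]
    failures = Counter()
    for line in lines:
        hit = offending_host(line)
        if hit is None:
            continue
        _user, host = hit
        try:
            addr = ip_address(host)
        except ValueError:
            continue                      # not an address in the host field; ignore
        if any(addr in net for net in nets):
            continue                      # whitelisted, never blocked
        failures[host] += 1
    # Worst offenders first, then cut to the configured list size.
    ranked = [h for h, n in failures.most_common() if n >= threshold]
    return ranked[:max_hosts]


def iptables_rules(hosts, chain="blocking", target="blocklist"):
    """Render the rule the shell script in the post would run for each host."""
    return [f"iptables -A {chain} -s {h}/32 -j {target}" for h in hosts]


# Constructed sample log lines (documentation address ranges, not real captures).
SAMPLE_LOG = [
    "Sep 12 03:14:07 gw sshd[2171]: Illegal user test from 198.51.100.7",
    "Sep 12 03:14:09 gw sshd[2173]: Illegal user guest from 198.51.100.7",
    "Sep 12 03:14:11 gw sshd[2175]: Failed password for root from 198.51.100.7 port 41012 ssh2",
    "Sep 12 03:15:02 gw sshd[2180]: Failed password for root from 192.0.2.10 port 5022 ssh2",
    "Sep 12 03:15:03 gw sshd[2180]: Failed password for root from 192.0.2.10 port 5022 ssh2",
    "Sep 12 03:15:04 gw sshd[2180]: Failed password for root from 192.0.2.10 port 5022 ssh2",
    "Sep 12 03:16:30 gw sshd[2190]: Failed password for alice from 203.0.113.5 port 5100 ssh2",
    "Sep 12 03:17:00 gw sshd[2191]: Accepted publickey for alice from 203.0.113.5 port 5101 ssh2",
]

if __name__ == "__main__":
    # 198.51.100.7 is blocked; 192.0.2.10 is whitelisted; 203.0.113.5 is below threshold.
    for rule in iptables_rules(hosts_to_block(SAMPLE_LOG)):
        print(rule)
```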

Patrick Nolan

0 Comments

Published: 2004-09-11

Ethics / SSH brute forcing continues

On a day like this it's not such a big effort to ponder the different mentalities and ethics people have. Don't worry, I won't go away from the information security scene.

Ethics

Crackers

I generally call people breaking into systems crackers, not hackers.

Why do they do it? Because they can.

Do they know they cause a lot of work? Yes: they will often try to minimize the work by leaving the original content in a backup copy.

In their ethical view it's right; all you need to do as a defender is fix the bug and reinstall the backup over their defacement. Unfortunately this is only true if you know for 100% sure the cracker didn't do anything else; otherwise it takes a lot more work.

Spammers

People sending unsolicited bulk email are what I call spammers. They have noticed honeypots and don't seem to like them very much. But their view on the ethics is very strange indeed.

Many people are quite irritated about unsolicited bulk email, many places
have laws against it.

But still the "bulkers", as they call themselves, sell tools to be more anonymous and, as a new catch from one of our readers, to avoid honeypots.

They label honeypots as framing them. Perhaps that's true, but if you don't steal resources while trying to get away with it, the honeypots wouldn't get found in the first place.

And if reporting them to their ISP does hurt them, it's only because they violated an AUP.

Programmers

I haven't been a developer for many years, but when I do program the odd script, the way I look at software is quite different from the way I see developers look at software.

- I'm interested in KISS

- I'm not interested in a dozen libraries, objects, middleware, language, ...

- I'm interested in getting data clean and efficiently through the system.

- I think of data coming into the system as tainted, esp. if it came from the web. And when it comes from one of my scripts running in the client's environment, I don't trust my own software.

SSH brute forcing continues

We keep getting reports of people getting hit seriously by brute force attempts to exploit ssh. It looks like this is going to stay with us for a while longer. Best to make sure:

- Weak passwords aren't used on your machines.

- sshd version is up to date.

- User root cannot login over the network.

- Typical usernames like guest and test aren't present on your system, or are disabled from logging in.

- Consider filtering where you accept connections from on TCP port 22.

- Consider moving ssh away from port 22 if you can't filter easily (the automated bots will have to look harder to find you).

- Report on failed login attempts, but make sure you don't aggravate the problem by sending an email per attempt.

- Consider migrating to public/private key-pairs instead of passwords.

- Some of our readers have had success with rate limiting incoming ssh connections.

--

Swa Frantzen

0 Comments

Published: 2004-09-10

Combating phishing for banks / Story of a former worm target / Disaster preparation

Combating Phishing

A document outlining some simple steps that financial institutions can take to limit the impact of phishing on their website titled "6 simple steps for businesses to beat phishing" is now available at http://isc.sans.org/presentations/phishthat.pdf

There are a number of active phishing emails in the wild. Be on the lookout for them. Fortunately, some of them point to sites which are no longer responding; many are still active though.

Worm Targets

We were contacted by a site which was a target for one of the Bagle worms. They are seeing a large amount of traffic from infected hosts. Anyone else out there have a story like this to share? We'd like to identify potential collection points for finding infected hosts.

Hurricane Preparations

In response to yesterday's query about preparing for a hurricane, Travis Abrams had this advice to share:



Local IT staff


- Work with local building management to coordinate building shutdowns. Be aware that most buildings will begin shutdown procedures when a Hurricane Warning is issued. (If they say power is going off at 1:00 pm, that means power is shut down at that time, not that they are starting to shut down.) Coordinate with firm wide IT to begin systems shutdown 30 minutes prior to building shutdowns.

- Work with local managers and share any information with Firm wide IT.

- Loaner laptops should be issued to key personnel that do not have laptops.

- Keep a loaner laptop that contains Ghost images for desktops/laptops.

- Ensure you have updated your contact information in the IT Contacts.



Firm wide IT


- Perform a full backup of all systems 4 days prior to the impact of the storm unless already scheduled. Have backups sent off site. (Be aware that UPS, FedEx, etc. will stop shipments prior to the hurricane's impact.)

- Perform incremental backups every night prior to storm and have them sent off site

- Perform Full backup prior to storm impact if possible. Have local IT retain control.

- Once building power is shutdown redirect the main numbers for the affected offices to an offsite voicemail box. (This eliminates busy signals and we can notify clients of the offices' status.)

- Update the Office Closure hotline as the situation changes.

- Update Intranet with Hurricane updates for offices in unaffected regions.

- Prepare alternate procedures for the firm wide helpdesk.

- Get any necessary equipment into or out of the offsite datacenters. (Be aware the datacenter will not allow access 48 hours prior to the storm making landfall in the area, and access will not resume until the local authorities have deemed it safe to travel.)

- Wrap critical systems that are located in the affected offices in plastic to help reduce water damage.



Hoping for a dry weekend for those who are recovering from or preparing to weather the storms in both hemispheres.




Dan Goldberg

dan at madjic dot net

0 Comments

Published: 2004-09-09

New Mydoom / Hurricanes

The Next Version of MyDoom


Chris Mosby alerted us to the latest strain of MyDoom.


The newest MyDoom variant ...


# contains its own SMTP engine for constructing messages

# harvests target email addresses from the victim machine

# forges the From: header of outgoing messages

# downloads BackDoor-CEB.c over HTTP


After execution, the worm copies itself to the %windir%\system32 folder as WINSPF32.EXE and creates the following registry key:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run "WinSPF" =
C:\WINNT\System32\winspf.exe

Additionally, it copies itself to

* C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\rx32hh00.exe

It tries to download BackDoor-CEB.c from these sites:



Full descriptions are available at:

http://vil.nai.com/vil/content/v_128346.htm
http://www.sarc.com/avcenter/venc/data/w32.mydoom.s@mm.html
http://www.f-secure.com/v-descs/mydoom_u.shtml



Hurricanes



On behalf of the ISC, I'd like to extend our sympathy to those who have suffered a loss as a result of Hurricanes Charley and Frances.


While some of us have been personally inconvenienced, worried about the safety of friends and loved ones or suffered minor losses, when compared to the devastation in some parts of Florida and the Caribbean it becomes very easy to put things into perspective.

If you have any interesting perspectives on how your company protects its systems from attack, specifically before/during/after a natural disaster (like a hurricane or earthquake), drop us a note.

0 Comments

Published: 2004-09-08

IRC Botnet Update / Windows Rootkit Detection / Port 23/ ICQ Virus Messages / ISC Contact Form / 2004 SANS Top-20

IRC Botnet Update


In yesterday's diary, there was a mention of an IRC botnet on 203.81.40.172 on port 10009. This host is still active but changed the port to the standard 6667.


:irc.imsoXXXXXXXyandao.com NOTICE AUTH :*** Looking up your hostname...

:irc.imsoXXXXXXXyandao.com NOTICE AUTH :*** Found your hostname

ERROR :Closing Link: [xxx.xxx.xxx.xxx] (Ping timeout)




Windows Rootkit Detection


A tool was released today regarding Windows rootkit discovery. According to the release note, this tool aims to detect generic Windows rootkits, like Hacker Defender.
Reference: http://www.security.nnov.ru/files/rkdetect.zip


By the way, two good Unix rootkit detection tools are chkrootkit and Rootkit Hunter.

Port 23


We received a report about a rise in scans on port 23. Although DShield doesn't show anything unusual, it may be a good idea to take a look at your logs. Maybe it is a brute force attack, like the ones against SSH and VNC? We don't know yet, as we didn't get packets, but will let you know as soon as we get more info.



ICQ Virus messages

Arthur Magon sent us an advisory about users receiving a message: *DO NOT CLICK ON THE URL*




"Come to look new photos me and my friends _http:/_/myfriends.go2me.biz/_"


When opening the page my anti-virus (Norton) noticed a virus attempt.


Virus: Trojan.ByteVerify



Trojan.ByteVerify is a Trojan Horse that exploits the vulnerability described in Microsoft Security Bulletin MS03-011 and could provide a hacker the ability to run arbitrary code on an infected system.

Write-up by Symantec.




ISC Contact Form


Sometimes we receive questions through the ISC Contact form (http://isc.sans.org/contact.php) with the return email set to isc.sans.org, which means that the person didn't fill in the 'E-Mail' box in the contact form. In this case we are unable to reply to you and give you an answer. If you just want to send some info in an anonymous way, that's OK, but if you want a reply to your question, please fill in the 'E-Mail' box.




2004 SANS Top-20 Release


The SANS Institute would like to invite readers of the SANS Internet Storm Center to the European launch of the 2004 Critical Internet Threats Research (CITR) on the 8th of October in Westminster.

The SANS CITR is undertaken annually and is the basis for a community consensus paper known as the 'Top-20'. This report defines the most serious of Internet vulnerabilities and security exposures, providing guidance for identification, mitigation and elimination of core threats.

The Top-20 began life as a research study undertaken jointly between the SANS Institute and the National Infrastructure Protection Centre (NIPC) at the FBI. This work led to the creation of a document summarizing the 'Ten Most Critical Internet Security Vulnerabilities'. Thousands of organizations from all spheres of industry used that list to prioritize their efforts to address the most dangerous threats to their information infrastructures.

The 2004 Top-20 will once again provide the expert's consensus on threats; the result of a process that has brought together security experts, leaders, researchers and visionaries from the most security-conscious federal agencies in the US, UK and Europe and Asia; the top university-based security programs; and the leading security software vendors and consulting firms.

Join us on the 8th of October 2004 at the DTI Conference Centre in Westminster and hear leading international experts discuss many topics that are relevant to the study of critical internet threats and exposures. Presentation topics include: "Information Assurance: Managing and Mitigating Threats to Critical Information Infrastructures", "Fighting back against exposure", and the "Top-20 2004". A panel discussion will allow your voice to be heard in a forum where you can share your experience in fighting attackers and eliminating vulnerabilities.

Keynotes from many of the participating UK Government agencies will be delivered, providing perspectives from NISCC, CESG/GCHQ, and the CSIA (Cabinet Office).

Invitations to this event are strictly limited and are not transferable. To reserve your place, please RSVP to Ross Patel by 24th September by e-mailing: rpatel [at] sans [dot] org.

We look forward to you joining us at the European launch of the SANS Critical Internet Threats Research 2004.



----------------------------------------------------------------

Handler on Duty: Pedro Bueno (bueno/AT/ieee.org)

0 Comments

Published: 2004-09-07

IRC Botnet, Solaris in.named Vulnerability, Information about SuckIT Rootkit

IRC Botnet Found and Shutdown

We received a report this morning from the Telenor Security Operations Center (SOC) of an IRC botnet. The network contained over 10000 clients. The server has now been shut down. If you have network traffic logs, you may want to check for connections from your hosts/network to the IRC server -- it was listening on IP 203.81.40.172 tcp port 10009.
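One way to run that check over firewall logs, as an added example that is not part of the diary: the script below assumes iptables/syslog-style lines with SRC=, DST=, PROTO= and DPT= fields (the sample lines are constructed) and reports every internal host that reached the server IP and TCP port named above, with connection counts and first/last times.

```python
import re
from typing import Dict, Optional

# Indicator from the diary entry: the botnet's IRC server and port.
IRC_SERVER = "203.81.40.172"
IRC_PORT = 10009

# Constructed sample lines in iptables/syslog style; not real traffic.
SAMPLE_LOG = """\
Sep  7 08:12:01 gw kernel: FW_OUT: IN=eth1 OUT=eth0 SRC=10.1.2.17 DST=203.81.40.172 PROTO=TCP SPT=3399 DPT=10009 SYN
Sep  7 08:12:05 gw kernel: FW_OUT: IN=eth1 OUT=eth0 SRC=10.1.2.17 DST=203.81.40.172 PROTO=TCP SPT=3401 DPT=10009 SYN
Sep  7 08:13:44 gw kernel: FW_OUT: IN=eth1 OUT=eth0 SRC=10.1.5.9 DST=203.81.40.172 PROTO=TCP SPT=1055 DPT=10009 SYN
Sep  7 08:14:02 gw kernel: FW_OUT: IN=eth1 OUT=eth0 SRC=10.1.2.30 DST=203.81.40.172 PROTO=TCP SPT=1134 DPT=80 SYN
Sep  7 08:15:10 gw kernel: FW_OUT: IN=eth1 OUT=eth0 SRC=10.1.2.31 DST=198.51.100.7 PROTO=TCP SPT=1140 DPT=10009 SYN
Sep  7 08:16:00 gw kernel: FW_OUT: IN=eth1 OUT=eth0 SRC=10.1.2.17 DST=203.81.40.172 PROTO=UDP SPT=1200 DPT=10009
"""

# Assumed log layout: syslog timestamp, then the usual iptables key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Extract timestamp, src, dst, proto and dst port; None if not a firewall line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_botnet_clients(log_text: str) -> Dict[str, dict]:
    """Map each source IP that reached the IRC server on TCP/10009 to its
    connection count and first/last timestamps.  Traffic to the same IP on
    other ports (e.g. 80) and non-TCP hits are deliberately left out."""
    hits: Dict[str, dict] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] != IRC_SERVER or rec["proto"] != "TCP" or int(rec["dpt"]) != IRC_PORT:
            continue
        entry = hits.setdefault(rec["src"], {"count": 0, "first": rec["ts"], "last": rec["ts"]})
        entry["count"] += 1
        entry["last"] = rec["ts"]
    return hits


if __name__ == "__main__":
    for src, info in sorted(find_botnet_clients(SAMPLE_LOG).items()):
        print(f"{src}: {info['count']} connection(s), {info['first']} .. {info['last']}")
```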

Solaris in.named Vulnerability

The Solaris in.named daemon process may cease proper functioning if it receives an invalid DNS dynamic update. The Sun bulletin with information about the vulnerability and links to the patches can be found at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-57614-1

Information about SuckIT Rootkit

We received a query today from Dan about a file he found on a Solaris system. George Bakos, one of the ISC Handlers, determined it to be a copy of the "suckit" rootkit. His reply included:

'On first inspection, it appears to be the linux kernel rootkit "suckit". Suckit is loaded directly into kernel memory, hiding its existence and allowing an attacker to remain on the box undetected while she maintains root-level control. A number of high-performance computing facilities have seen a lot of this activity on Linux and Sun systems. Stanford has a writeup at:

http://securecomputing.stanford.edu/alerts/multiple-unix-6apr2004.html

I would pay particular attention to other hosts that this machine may have been able to reach. Do you have packet-level logs of outgoing traffic from it?'

0 Comments

Published: 2004-09-04

Win XP SP 2 and You

Win XP SP 2 and You

It is almost a month since the public release of Win XP SP 2 and already there is much talk about installation and compatibility issues. New vulnerabilities are also being discovered. Expecting SP 2 to fix everything and leave Win XP totally free of vulnerabilities is a bit far-fetched. There is no perfect software.

Proper usage and configuration of the system also plays a critical role. There is no point installing a good firewall when you configure it to allow everything through, or running an anti-virus scanner but not bothering to update the virus definitions. Worse still if you always click on executables without a second thought about whether they are trusted or free of malicious code.

If you have not installed SP 2 because it is too big for you to download, you can now order it on a CD, sent to you free of charge:
http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx

Before you start installing SP 2, it is recommended that you back up your data and read the release notes. In the event that the SP 2 setup program is not completed successfully and you need to recover your computer to its previous configuration, Microsoft has an article on how to recover your computer to a bootable state and to remove Windows XP SP2 if Windows does not start correctly after you try to upgrade your computer:
http://support.microsoft.com/default.aspx?scid=kb;en-us;875355

Don't forget to share your experience at:
http://isc.sans.org/xpsp2.php

With the release of SP 2, Microsoft has also updated the Windows XP Security Guide and the Antivirus Defense-in-Depth Guide:

Windows XP Security Guide
http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx

<quote>
The Windows® XP Security Guide v2.0 describes the features and recommended settings for Microsoft Windows XP Service Pack 2 (SP2). The Guide includes thoroughly tested templates for security settings for Windows Firewall, which replaces Internet Connection Firewall (ICF). Information is provided about closing ports, Remote Procedure Call (RPC) communications, memory protection, e-mail handling, Web download controls, spyware controls, and much more.
</quote>

The Antivirus Defense-in-Depth Guide
http://www.microsoft.com/technet/security/guidance/avdind_0.mspx

<quote>
The information presented in the Antivirus Defense-in-Depth guide has been updated to reflect the security improvements provided as part of Windows XP Service Pack 2. A number of the features in Windows XP Service Pack 2 have made it more difficult for malware to attack a Windows XP-based computer. The updates to this guide are designed to ensure that these enhancements are identified and explained.
</quote>

Have a nice weekend and hope you enjoy reading them.

0 Comments

Published: 2004-09-03

WinZip Vulnerabilities Highlight User Threat

WinZip Vulnerabilities Highlight User Threat
Following yesterday's report on new WinZip vulnerabilities, I thought it would be a good time to highlight the user factor in security.


Quite frequently users will open files of types that have traditionally been treated as 'safe'. Many new vulnerabilities are highlighting the fact that files from an untrusted source should never be opened. Several exploits are currently in the wild for Adobe Acrobat (PDF), WinZip (ZIP), Microsoft Compressed Folders (ZIP), and many other products.

User education should include basic malware recognition. Corporate firewalls, email scanners, and end-user virus scanners are great, but they cannot completely eliminate the threat.

In most cases, files do not open automatically; the user is required to take action to open them. Many users are conditioned to believe that files are safe if they are a zip, or a pdf, or a jpg, but they should understand that no file is ever safe, and that files from untrusted sources should not be opened, not even to see what's inside.

Currently no worms are propagating using the above exploits, but it would be reasonable to assume that they will be used for this purpose in the future. The time to act is now, before the worm exists, not afterward.

I urge all of you to consider implementing a user education program to complement your current network security programs. Whatever the exploit is, quite often the end user, not the network administrator, will be the first to encounter it, and their reaction can determine how much damage is done. Recognizing a threat and eliminating it, or at least reducing the risk, can do wonders. Train your users; they can understand the basic concepts of network security.

Also, our heartfelt condolences go out to Matt Scarborough, one of the other SANS Incident Handlers, for the loss of his father.
--

Michael Haisley

Handler On Duty

SANS Incident Storm Center

0 Comments

Published: 2004-09-02

Comments on Oracle Vulnerabilities, WinZip, MIT Kerberos, Seeking Wireless Compromise Stories, More Weak Password Hacks?

Comments on Oracle Vulnerabilities


The Oracle vulnerabilities highlighted in yesterday's diary are a coordinated mass of vulnerabilities reported by the US-CERT. While NGS Research has indicated they will withhold details of their reported vulnerabilities for three months, Application Security Inc. has released sufficient details about the vulnerabilities that could be used to start exploiting Oracle databases immediately.

While Oracle users have often benefited from the lack of full disclosure of Oracle vulnerabilities in the past, Oracle's recent decision to post monthly vulnerability updates may have changed this scenario. In my experience working with Oracle databases, patching is frequently not an option for customers using third-party products while retaining support, often due to vendors' inability to sufficiently test and certify Oracle patches with their products in a timely manner.

Organizations using Oracle are encouraged to implement the Oracle Database hardening recommendations made available by the Center for Internet Security and the well-written "Securing Oracle: Step-by-Step Guide" by Oracle security expert Pete Finnigan. Patch affected databases whenever possible, and limit the exposure of systems with restrictive port-filtering and other technologies.



http://isc.sans.org/diary.php?date=2004-09-01
http://www.nextgenss.com/advisories/oracle-01.txt
http://www.cisecurity.org/bench_oracle.html
https://store.sans.org/store_item.php?item=80



More WinZip Vulnerabilities


Following the 2/27 WinZip vulnerabilities, additional flaws in the popular WinZip software have been reported that could be manipulated to compromise vulnerable systems. WinZip Computing Inc. has released WinZip 9.0 SR1 to address these issues.

Vulnerabilities in very popular third-party software products should be a significant concern for organizations that have not deployed comprehensive patch-management solutions. Configuring systems to automate the process of installing patches for Microsoft products is a welcome feature, but does not adequately address third-party software. Other examples of recent vulnerabilities in third-party software include Adobe Acrobat Reader, Sun Java Runtime Engine and AOL Instant Messenger.



http://www.securitytracker.com/alerts/2004/Sep/1011132.html
http://isc.sans.org/diary.php?date=2004-08-17
http://isc.sans.org/diary.php?date=2004-08-05
http://secunia.com/advisories/12198/



MIT Kerberos Vulnerabilities


Critical vulnerabilities in the MIT Kerberos 5 implementation's Key Distribution Center (KDC) program were reported by the MIT Kerberos team today. Patches are available for affected systems.

Cisco Systems has also posted a vulnerability report indicating that their VPN 3000 series of VPN access concentrators are vulnerable to the Kerberos flaws. Customers are advised to update to mitigate these flaws.



http://web.mit.edu/kerberos/advisories/index.html
http://www.cisco.com/en/US/products/products_security_advisory09186a00802b3cf9.shtml



Wireless Compromise Stories


I'm interested in hearing stories from readers who have had their wireless networks compromised for one reason or another in an effort to understand how hackers are exploiting wireless networks. If you have had a wireless network compromised or have caught someone trying to compromise your wireless network, I'd love to hear about it. Please write us at handlers@sans.org or by visiting http://isc.sans.org/contact.php . All stories will be kept confidential unless otherwise specified. Many thanks!




More Weak Password Attacks?


A few readers have reported various password-based attacks against FTP, VNC and Telnet services. We are trying to correlate the source addresses for these attacks with other data sources. If you have logs of multiple failed-authentication attempts for these services, please drop us a line ( http://isc.sans.org/contact.php ). It's not necessary to send logs from failed SSH login attempts, we have plenty of those thanks to our readers.




-Josh "sick as a dog" Wright/Handler-on-Duty

0 Comments

Published: 2004-09-01

Oracle - Multiple Vulnerabilities/ XP SP2 Forum / VNC Brute Force / Web Hacking

Oracle - Multiple Vulnerabilities

US-CERT released today an advisory about multiple vulnerabilities in Oracle products.
Some interesting excerpts are:


"Several vulnerabilities exist in the Oracle Database Server,
Application Server, and Enterprise Manager software. The most serious
vulnerabilities could allow a remote attacker to execute arbitrary
code on an affected system. Oracle's Collaboration Suite and
E-Business Suite 11i contain the vulnerable software and are affected
as well."

and

"There are no workarounds that fully address the security vulnerabilities
that are the subject of this alert. Oracle strongly recommends that customers
apply the available patches without delay. Please see
http://otn.oracle.com/deploy/security/pdf/oracle_severity_ratings.pdf for
a definition of severity ratings."


Once again, TIME TO PATCH!


References: http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
http://www.us-cert.gov/cas/techalerts/TA04-245A.html

Another XP SP2 forum


Besides the ISC forum for users' experiences (http://isc.sans.org/xpsp2.php), we received another good source of information for XP users regarding SP2. It is hosted by a hardware vendor, but I am sure that you can find some good information there about problems with XP SP2.


Reference: http://forums.us.dell.com/supportforums/board?board.id=sw_svcpacks



VNC brute force


We got a report today about brute force scanning on VNC. This is the first one in some time. If you have noticed similar activity on your VNC server, please let us know.



Web hacking

From time to time we receive a report about a web defacement or hacking through a web application. In general, someone discovers a vulnerable script and uses a search engine to find sites that use it. And, as you know, people don't usually bother to patch their systems, let alone their web applications (e.g. a forum). Please remember that not only the services (Web Servers, Mail Servers...) and Operating Systems (Kernel Patch, Service Pack...), but also your web applications (forums, bbs, shopping...) need patching.

Last year I wrote this small paper about that. If it is still worthwhile, take a look: http://isc.sans.org/webexploit.pdf (Some versions of PDF readers don't show the text, so you may have to upgrade.)


--------------------------------------------------------------

Olympic Games Final Status: Brazil 4 gold/3 silver/3 bronze

Handler on Duty: Pedro Bueno (pbueno /AT/ isc.sans.org)

0 Comments