Handler on Duty: Johannes Ullrich

Threat Level: green

Diaries

Published: 2005-12-31

* New exploit released for the WMF vulnerability - YELLOW

On New Year's eve the defenders got a 'nice' present from the full disclosure community.

The source code claims to be made by the folks at metasploit and xforce, together with a anonymous source.

The exploit generates files:

with a random size;
no .wmf extension, (.jpg), but could be any other image extension actually;
a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
a number of possible calls to run the exploit are listed in the source;
a random trailer

From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the current IDS signatures work for it.

Judging from the source code, it will likely be difficult to develop very effective signatures due to the structures of the WMF files.

Wishing all windows machines a happy New Year, with a bit fewer nasty exploits.

Considering this upsets all defenses people have in place we voted to go to yellow in order to warn the good guys out there they need to review their defenses.

--
Swa Frantzen

0 Comments

Published: 2005-12-31

New IM Worm Exploiting WMF Vulnerability

We have received information that a new IM Worm is hitting the Netherlands. Apparently the worm is spreading with MSN and is spreading with a malformed WMF file called "xmas-2006 FUNNY.jpg".

Kaspersky Lab Blogs

Be very careful when opening the New Years Greetings that you receive folks. We wouldn't want you to have to spend the rest of your holiday weekend rebuilding your computer.

Thanks to Juha-Matti for providing the information.

0 Comments

Published: 2005-12-31

From extreme to in depth

Warning: some might get offended by some of the initial thoughts in this story. Please read till the end before you vent the frustration.

I'm also not trying to bash on Microsoft. If I were I'd have borrowed a subject of some spam message I got recently: "forget microsoft, get big and hard". I'm just trying to show how you can come from an extreme reasoning to a workable solution to protect those assets that need protection.

Suppose you defend a place that has high to very high security needs and wants to avoid the wmf thing at all cost. Reasons to do this should be based on a risk assessment, but elements that might lead to such extreme conditions might include:

No patch in sight from Microsoft
Not wanting to infect peers such as customers
Not wanting to rely on anti-virus signatures when people are developing versions of the exploit with a highly random nature
Not wanting to rely on IDS devices due to the same randomness and the "it's too late already" aspect

Suppose you are basically just not capable of accepting the risk associated with the WMF vulnerability, almost no matter what you break. In such a case you have big avenues to walk:

Ban Microsoft products in your environment

I told you we were going to start from the extreme viewpoint, so hold your horses.
What does it buy?

No windows, no windows WMF vulnerability

What does it not buy?

You still can pass on dangerous payload to others like to your customers.
If a single escaped machine remains or a single machine snuck back in, you still might get affected.

Ban all communication and/or file exchanges

Extreme again isn't it? Moreover it is perceived very hard in a modern world.
What does it buy you?

You prevent yourself from getting and giving dangerous payload to all peers

What does it not buy you?

If a single file would sneak in, or be present already, you might still have a major problem
You have sacrificed a lot of the availability to gain confidentiality and or integrity

With those extreme paths in mind, think about what it can do for you, which parts can help you in your setup and with your risk assessment help.

Most of our readers do not have the extreme "at all cost" risk situations.

Most of us have a situation where we have a business, and the business must continue to operate. In such a business however you will identify -if you look for it- areas that might need more protection and are willing to sacrifice more for that protection than other parts of the same business. That difference in need for protection is what you can play on to do something.

E.g.: Suppose I know the accounting department was considered sensitive and due to the risk analysis performed, worthy of more extreme measures then other departments.

What could I try to do to use some of the very extreme ideas and build a safer solution for them now and in the next weeks ?

Isolate them frmm the rest of the company. Plug a firewall between them and the rest of the internal networks. Disallow all unneeded communication with the rest of the company, making sure their servers are on their new inside.
Use advanced networking solutions to prevent (accidental) hookup of unauthorized equipment to the sensitive network. E.g.:

Make sure switch ports automatically shut down when try try to learn a second MAC address
Assign only DHCP addresses to known MAC addresses
Kick unknown MAC addresses into a separate VLAN
Use layer 2 measures (such as private VLANs) to prevent client-to-client communication

Disallow dangerous usage:

Disallow IM
Disallow web surfing
Disallow email, or strip all attachments from the more secure email server they get access to.

Now no surfing, no email, ... etc can be hard on the users and they might have really good arguments to have the functionality back.

Build a second less sensitive network on different infrastructure
Add machines for those that need the web/email/...
Allow them to surf the web (with traditional restrctions) on those "less" secure machines but not on the "sensitive" machines which are to be used exclusively for their sensitive application(s).
Be very procedural and build the needed infrastructure if you want to allow transfers between the two environments.

The more traditional stuff should not be forgotten, especially not on the more secure side:

Take a tough stance on updating Anti-virus signatures

Look for unregistering the DLL as per Microsofts suggestion
May be consider an unofficial patch from some reputable source

Look for other platforms

This is hard as training users to switch platforms takes time, and worse applications might not have clients for other platforms that work properly. Still it's one way out of the de-facto monoculture of operating systems and related vulnerabilities. We know from agriculture monoculture has risks. If we want not to accept the risks we need to act on it as well.

Look for other strongholds to build

If you have more than one sensitive section in you company, build more of these strongholds, do not build larger ones.
More smaller ones will contain the spread of infections and the associated risks and costs in clean up better under control.

So basically I'm back to a very in depth security approach that when compared to medieval defenses is the equivalent of not trying to build a city with a huge wall around it, because it's too much of a hassle and too costly. But instead trying to build a city with a somewhat flimsy wooden palisade and build for the few nobles we have a big sturdy donjon to protect them, even at the cost of some discomfort in the process.
Add to that that families of nobles get their own donjon so as not to risk all nobles getting wiped out in one go should disease strike the city.

--
Swa Frantzen

0 Comments

Published: 2005-12-31

2006 Predictions

On December 27th I asked for predictions for 2006. Here is what we got. Many thanks to all of you that responded. Now let's see how close these guys are.

From Dan:

You asked for them...

http://www.websensesecuritylabs.com/blog/

Below is a list of some of the topics we may be seeing in the New Year:

*Web-born worms

Not a lot of these around yet. Myspace and some other online sites were infected, but with the mass amounts of exploits for Web scripting languages and un-patched machines this is bound to happen.

* RSS malcode

Great technology. As more browsers embed this and include exploits, the frequent / unattended nature of RSS will be used to infect.

* Trojans outpace worms

We already are starting to see this. New Trojans and variants of Trojans are coming out daily in volume.

* Voice-over-IP Phishing (Vishing )

Somebody had to come up with another name :-). Using Voice over the Internet could introduce another means to deceive unsuspecting users to do something they should not be.

* Toxic Blogs

Yes, blogs are everywhere. Including here. Fact is that most of them do not check for scrupulous scripting, scan their file posts, and allow active content in posts.

* Xbot 360

The Xbox connecting over the Internet for updates and other things leads me to believe that this will simply be another way for attackers to use your PC and your connection at home for their own purposes.

* Cross Site scripting attacks

High-profile ecommerce and financial websites have had (and will have cross site scripting vulnerabilities). Attackers will leverage these for Phishing , Trojan Downloader's and for other nefarios reasons more frequently.

From Jeremy:

I believe that one of the biggest threats are going to be insecure databases. The proof of concept database worm that was released about a month or so ago is just the very beginning of what we will see over the next year+. To me this is a very real problem as I have audited environments where there was a huge focus on securing hosts and servers, but zero or minimal focus on securing the database.

From Jim:

My 2006 predictions/paranoid phobias:

"Zero-Day" exploits that are discovered and exploited by The Bad Guys, with no one being the wiser until it is far, far too late; 2. Tightly-targeted malware (currently being used) that, once it gleans information from financial institutions, allows the attacker(s) to then completely trash the entire information store - causing panic/chaos (if only for the targeted company(s); 3. Hackers taking the Fed's recent announcement that "the Internet is not vulnerable to widespread attack" as a personal challenge.

Again - thanks to the contributers.

0 Comments

Published: 2005-12-31

Leap Second

Just a reminder that tonight is one of those special times that we see some strange things. One of those things is the fact that 12-31-2005 23:59:60 UTC is not the same as 01-01-2006 00:00:00 UTC (and it is just before midnight UTC that the leap second will be inserted), but most OSes can't handle a 61 second minute. So when reviewing your logs next Tuesday morning remember to cross reference the times. If you use NTP to sync machine times, your clock should gradually adjust back to the correct time and you'll probably never notice.

0 Comments

Published: 2005-12-31

While catching up on email from the past week, I noticed a security issue that has fallen by the wayside in the midst of all of the 0-day exploit discussion. On Tuesday, Ethereal released a security advisory which discusses problems with 3 of its dissectors. Of particular note is the IRC dissector can go into an infinite loop. As you, our loyal readers, have probably already noted mentally, the IRC dissector is a fairly important one as we eavesdrop on botnets that primarily use irc as its command and control channel.

It is possible that one could run arbitrary code through the vulnerability with the OSPF dissector, but more likely you will just have Ethereal crash or use up all available system resources.

The new version is available at http://www.ethereal.com/download.html .

--
Scott Fendley
Handler on Duty

0 Comments

Published: 2005-12-30

phpBB 2.0.19 released

phpBB 2.0.19 has been released.

It looks like it's upgrade time for those of us running a phpBB forum. XSS and dictionary attacks against forum users seem to be on the menu.

Stay tuned for more details.

--
Swa Frantzen

1 Comments

Published: 2005-12-30

Musings and More WMF Information

Websense released some more information about their investigation in some website exploitation that involves IFRAMEs and WMF vulnerability. My fellow handler Lorna said recently, "IFrames are always suspect in my eyes." In light of this information, I have to agree with her. Take a look at Websense Security Labs website for details of their investigation including a nice movie file showing the exploitation at work.

As a side note, I am quite thankful that most university and K-12 schools are still on holiday until next week. This will hopefully give enough lead time for the mass media to report on this issue, and maybe, just maybe, Microsoft will have a better solution for the home users and our student populations. *crossing his fingers that MS will release a preliminary update quickly*

One reader send us the following summary, which pretty nicely outlines the issues with this vulnerability:

Filename extension filtering will not work.
Even if you un-register the DLL, some programs may re-register it by invoiking it (shimgvw.dll) directly.
you have to delete or rename the DLL to protect yourself. However, remember to undo this once there is a patch.
While images embedded into docuements may not immediately trigger the exploit, they may once saved into their own file.

The readers goes on to note that whatever mitigation is offered in Microsoft's advisory is not much more then a quick temporary bandaid. What we need is a patch and we need it quick.

--
Scott Fendley
Handler on Duty

0 Comments

Published: 2005-12-30

Lotus Notes Vulnerable to WMF 0-Day Exploit

John Herron at NIST.org discovered today that Lotus Notes versions 6.x and 
higher is vulnerable to the WMF 0-day exploit. In the advisory, located
on the NIST website here, John reports that Lotus Notes remained vulerable 
even after running the regsvr32 workaround in the Microsoft security advisory.

0 Comments

Published: 2005-12-29

* Windows WMF 0-day exploit in the wild

From Daniel's diary entry yesterday ...

Just when we thought that this will be another slow day, a link to a working unpatched exploit in, what looks like Windows Graphics Rendering Engine, has been posted to Bugtraq.

The posted URL isÂ Â [ uni on seek. com/Â Â d/tÂ Â Â 1/Â wmf_exp.Â htm ]
(DON'T GO HERE UNLESS YOU KNOW WHAT YOU'RE DOING. Added spaces to avoid accidental clicking. See Firefox note below!!)

The HTML file runs another WMF (Windows Meta File) which executes a trojan dropper on a fully patched Windows XP SP2 machine. The dropper will then download Winhound, a fake anti-spyware/virus program which asks user to purchase a registered version of software in order to remove the reported threats.

During the test Johannes ran, it was interesting that the DEP (Data Execution Prevention) on his system stopped this from working. However, as this was tested on a AMD64 machine, we still have to confirm whether (or not) the software DEP also stops this - let us know if you tested this.

Internet Explorer will automatically launch the "Windows Picture and Fax Viewer".Â Note that Firefox users are not totally imune either. In my install of Firefox, a dialog box will ask me if I would like to load the image in "Windows Picture and Fax Viewer". If I allow this to happen ("pictures are safe after all" NOT!), the exploit will execute.

UPDATE - According to F-Secure's blog "Firefox users can get infected if they decide to run or download the image file."

For more information, see also http://secunia.com/advisories/18255/Â http://vil.mcafeesecurity.com/vil/content/v_137760.htm and http://www.securityfocus.com/bid/16074/info

We received several comments about firewall rules and silently dropping packets vs. sending the correct icmp or TCP reset codes. While it violates some rfc's silent drop is my standard recommendation.
Some might ask why I choose silent drop. I will explain but first a few questions.

What does it help if the firewall sends notification of traffic it rejects?

Why tell the bad guy what you're blocking? (And what your not blocking).

Which good guy is permitted to scan my systems for open ports or protocols?

1: Silent drop prevents some reflective attacks.
In some cases the source address of the attack victim is spoofed. The desire is to cause firewalls, routers and other systems to send traffic back against the spoofed source.

2: Silent drop prevents reverse mapping.
In other cases by sending back a "port closed" type message your firewall can be negatively mapped. (e.g Denied 1-1024 except 22, 23, 25,...). That is how nmap udp port scan and protocol scan work. They basically assume a port or protocol is open unless they get a message stating its closed.

3: Silent drop might not be effective, as a reject might never reach the intended target.
With the recently discovered blind TCP resets via forged icmp errors the rfc's governing some of these reactions will probably be changed. Gont the author of the vulnerability suggested a larger amount of the original packet be returned with the icmp error packet. In the mean time one of the primary mitigations for this issue is to ignore the first few icmp errors that could cause a reset. Many networks blocked some incoming icmp error messeges as a result of that vulnerability.

I personally require silent drop (no icmp, no TCP resets) as a standard feature from firewalls and other filtering devices.

The jury is still out on the "correct" thing to do but if a firewall or filtering devices doesn't support silent drop I would not buy it or recommend it. It should be an option the end user can choose.

Additional comments were contributed by fellow handler Swa Frantzen and Johannes Ulrich respectively
"I try to build "drop" to the "bad" side and reject to the "good" side. Good
and bad might not always be in and outside. I permit the
network admin stations to initiate traceroute and icmp echoes,
in order to not have the reaction "it's the firewall" all over the place when the firewall is working as intended."
Swa

One reason to have internal reject rules that prevent systems from 'calling out' but send correct error report: is rejects make it easier to debug issues. In these cases its more about mistakes then malicious users.
Johannes

donald.smith

0 Comments

Published: 2005-12-26

Phishing: Saudi style

On a very slow day the majority of the messages that reached us were about phishing. It consisted of the usual phishing for ebay, amazon, ... accounts, but one jumped up that was somewhat unusual:

Suliman brought a phishing attempt to our attention that was written in Arab aiming at a bank out there and diverting the clicks to http://www_sambaonlineaccess_com/ instead of the bank's http://www.samba.com/ normal address. According to the submitter -I can't read Arab- it was linked to an online registration of a large IPO for a chemical company.

Aside of the IPO relation, it was also noteworthy because of the language used (Arab) and of the location of the server where the clicks were directed to: Israel. I cannot help to note that at the very least this is quite provocative.

The website supposedly collecting the information wasn't responding at time I tried to look at it, which might be a good sign after all.

The lesson for the end users remains the same: never follow links you get in email. If possible turn off the rendering of HTML for email, it's a serious risk from a security perspective.

The warning for those of us fighting abuse is also clear.

Some attacks might aim at very shortlived events.

You won't be able to understand it all, so you will have to make sure you have processes in place that can deal with language in abuse complaints you can't understand yourself.

--
Swa Frantzen

0 Comments

Published: 2005-12-25

Observations on the Family System Administrator

Some observations from http://isc.sans.org/diary.php?storyid=960:

8% suggested the use of a hardware router
8% suggested that Linux was the answer for their parents
11% thought that Macs were a safer option
19% were willing to enter a lifetime support contract for their parents
19% thought that their parents couldn't handle a computer
25% of the submitters chose to send their suggestions anonymously

0 Comments

Published: 2005-12-25

RFC2142 is a two-way street

As Johannes pointed out in http://isc.sans.org/diary.php?storyid=957 RFC2142 is a pretty good RFC to follow. It works both ways too.

For example, let's say you're running vulnerability scans against your local bank's website and you come across what you think is a very serious vulnerability do you:

a) Jot that IP address down for later use when you need to pay off your credit card debts from the holiday season's over-indulgences.

b) Drop a friendly fact-filled note to abuse@localbank.com

or

c) Launch a media campaign to publicize the risk encouraging your readers to write letters to the Office of the Comptroller of the Currency

If one supports the idea of Responsible Disclosure the answer would be B, followed by C after an acceptable period of time.

0 Comments

Published: 2005-12-25

A couple of handy iptables tutorials

Harry Hoffman submitted his intro to iptables on Linux servers: http://www.ip-solutions.net/firewall/servers.html

It's a nice little getting-started piece and it starts off with a default-deny policy-- which is one of my personal favorites.

A more advanced treatment on reactive iptables is available here: http://www.sans.org/rr/special/index.php?id=adaptive_firewalls

0 Comments

Published: 2005-12-25

phpBB <= 2.0.17 exploit code in the wild

It's an early holiday gift for phpBB admins all over the world. Exploit code affecting phpBB version 2.0.17 and previous has been made public. The targeted vulnerability was announced on Halloween, and updates have been available since then.

I predict we'll be seeing profile.php probes appear in your web logs right along with the awstats and xml-rpc attacks that you've been getting.

0 Comments

Published: 2005-12-24

The Family System Administrator

A couple of days ago we asked our readers, "if your parents got a new computer for Christmas, what would you tell them to do?" The responses have been great! Rather than trying to summarize, we decided to just print them all in the order they were received. If the submitter clicked the box that said it was OK to use their name, we've done so. Thanks to everybody who sent us their ideas.

Good luck on Christmas morning, everybody! We know that most of our readers are also family system administrators and this time of year we work overtime.

Best wishes to you and your family from all of us at the Internet Storm Center!

Marcus H. Sachs
Director, SANS Internet Storm Center

From Gary Hinson:

I'd talk them through Bill Cheswick's presentation: "My Dad's Computer, Microsoft, and the Future of Internet Security" at

http://www.cheswick.com/ches/ppt/soups-dad.ppt

Merry Christmas to all at SANS.

From Yves Konigshofer:

If it's a new computer, I would tell them to get a wired (not wireless) router at the same time and set up the router with the old computer before connecting the new computer. That way, windows updates can be installed without having to worry about worms.

In fact, I got my parents a router last year (OK, I also wanted to be able to use my laptop there at the same time) and my father is looking to get a new computer any day now.

It's also important to set up accounts that are not administrator accounts for everyday use.

From John Herron:

If my parents received a new computer for Christmas I would tell them to use Firefox with the Adblock and NoScript extensions. And if they were ever asked to answer "Yes" or "No" they were to answer "NO" unless they called me first. The internet is just too dangerous for amateurs unless they follow these steps.

From Pawel Maczka:

We can multiply hundrests of tips but following are essential and minumum list "must have" to protect new Windows box with absolutely minimum cost and effort:
- set strong admin password - use >= 8 characters mix with !"#¤&/) and numbers
- just uncheck "Sharing disks and printers in MS networks" in network connection properties
- agree for firewall and automatic updates
- get Mozilla FF from www.mozilla.com and set as default system browser.
- purchase and install commercial antivirus software
- set password for regular user like admin password
- install an ad/spy-ware freeeware like spybot or lava or just even MS AntiSpyware

From Jafar Calley:

First I would tell them give me a few hours with to to remove Windows and install Linux. Then they can claim a "Cashback" from Microsoft by sending back a rejected licence. :D

Next, my present to them would be free Linux lessons and support for life. As they are complete PC n00bs they wouldn't be able to tell the difference between Linux and Windows, but a little help in using it would go a long way.

Using Linux would also be less frustrating for them as they wouldn't have to worry so much about viruses and spam so they can surf the "interweb net thingy" without worrying. No Spyware either.

Most other stuff like email, writing letters etc.. is straight forward and usually pre-installed with most Linux Distros so after a few lessons, they won't need to keep call ing me back because the computer keeps crashing or they can't do what they want to do.

From Steve K:

If my folks got a Windows PC for Christmas I would explain that it's a very powerful tool - not an appliance, and that they "would only benefit from it if they were to attend a local training course (picked by my good self)", one which covered Windows & broadband security routines.

(Luckily the limit to my father's computing expertise is playing "Missile Command" from MS Arcade and he has no aspirations to further technical savoir faire!)

From Peter Glock:

I'm getting a mac mini for my mum to rig up to her LCD TV. This will replace an ageing IBM ThinkPad which I'm heartily sick of providing remote support on (she lives 150 miles away).

She has an existing AOL account for the rare times when she needs to be online which I set up for her some years ago. I foolishly though this would add some additional layer of protection (d'oh).

I'll use the included Apple Remote Desktop to give me VNC access (tunneled over ssh of course) for remote diagnostics, not sure how this will work through the AOL proxy, I will probably have to put a script together to setup a reverse tunnel. I'll set her up two accounts, a 'normal' one for everday usage plus an admin account for those rare occasions when she needs to install/update something.

The mac firewall will be set to allow only ssh inbound. I'll setup ClamAV on the mac to scan stuff for malware.

I'm probably going to setup a wifi dial-up access pont (I have an older Apple Airport going spare) so she doesn't have to have a phone lead installed by the TV. This will be locked down with WPA.

Thinks that's it!

From Gavin:

If my parents got a new omputer for christmas, I'd make sure they had my brother in laws number and go on holiday somewhere with no mobile phone coverage.

From Anonymous:

If my parrents were to get a new computer, I'd take on the role of security elf and intercept it to ensure it would be running still on the Day After Christmas.

Knowing it would most likely be Windows as the OS (beginner's choice), I'd have autoupdate set up, AV with hourly checks and weekly scans, a REAL firewall with updates set up, and a card taped to the monitor with my phone number for emergencies that will occur (new users).

After a bit, I might try to persuade them to go LINUX, use openoffice, firefox, thunderbird, etc. Security updates are posted as soon as they can be resolved and don't wait for a patch cycle on fixes for Zero-Day exploits.

From Anonymous:

If my parents recieved a new computer for christmas I would insist that they give it back. I have spent years trying to educate them on the basic concepts of how to use a computer and they still struggle with the concept of 'right-clicking' for a list of options, they still do not understand how to send photos via email to Aunt whoever or how to save the photo of Uncle Joe that was emailed to them.

I find that many of my relatives that are 55 and older just have not had the experience with technology to intuitively understand it and these are the same ones with always-on high speed connections at home and no firewall/AV measures. I spend many hours helping fix these issues for them only to find that after 12 months and the subscription runs out, they get confused by the nag screen asking for a renewal and never do it and end up compromised again. Return to top of paragraph.

I hate this time of year.... My list of relatives that call me for help will increase with each new PDA, computer, and MP# player.

From Randy Nash:

I saw your post this morning asking what we'd tell our parents if they got a new computer for Christmas. Last year I started getting calls right after Christmas from family and friends, prompting me to write my "New Years Security Resolutions" article (http://www.atriskonline.com/archives/00000037.htm)

While some of this may be somewhat dated, I tried to keep it generic and high-level enough to be useful over time. Today I'd at least add a section on using a secondary browser such as FireFox. I may also expand on the various tool listings for each category. I hope you find this suitable.

From John Franolich:

This is easy on the windows home user...

UltraVNC is a nice remote app that can be customized to connect with your IP. The executable, that the home user downloads, does not install as a service. Also, it will time out after a few minutes if there is not any inbound connection.

See http://ajaxtricks.blogspot.com/2005/11/put-geeksquad-out-of-business.html

and http://www.uvnc.com/addons/singleclick.html

From Bert Rapp:

I'd tell them to buy a Mac. I've been telling everyone to buy Macs.

From Michael Varre:

Return it for a full refund. Then take the money and go on vacation for a few days :)

From Dan:

What I would tell my parents is:

Write down the Dell tech support number and keep it on the fridge.

P.S. That number should do ya for a year :) After that please feel free to call me. Baahhhhh Humbug.

Oh, I may also share the basics of keeping their computer up to date with patches. A reminder every week or so in their calendar to double check their AV signatures and run a spyware scan also worked extremely well.

From Art McFadden:

If my mother-in-law were to get a new computer for Christmas, first, I would faint. Then I would get ready to be bombarded with calls.

The first logical steps would to ensure the OS and drivers are up today and add some of my favorites. Microsoft's anti-spywear program, Spybot Search and Destroy, and Girsofts free version of AVG antivirus. From experience, I have found that people with expired antivirus programs allow them to lapse for two main reasons:

• Money- Will the computer still work? Yes? Well then why should I pay anything? I won't get a virus. (sounds like an incorrect similar line of thought I heard about from some less cautious fellow students in college ;-) • Not informed- We warn people constantly about fraud on the Internet, identity theft, and other white collar crimes. Now they get a window asking them for credit card information. Hopefully, they will call someone they trust before dismissing this as a scam to be enlightened.

If my father (the retired computer analyst/administrator) received a new computer for Christmas, I would ask him what the specs were and how does he like it. After all, he is one of the people I call when I have questions.

Happy Holidays and stay safe.

From Tim:

Already happened... In '98 us "kids" got together to get a pc for mom and dad. Windows 98 with dialup AOL. Put the usual Office suite, McAfee, Adobe, etc on the box. Then came training day - ugh. We very slowly went thru the power on, boot up, click the America Off Line button, listen to the modem dial, connect, verify the username, click No Thanks to their barrage of ads, then click the email icon. I had already called my brother on the other coast to email jpg's of his kids. We found the email waiting and explained how to view the attached photo's. As soon as he was done reading the email, dad reached over and unplugged the pc from the wall - while still online. In disbelief, I asked why he did that. His reply: "I was finished". It took another week of constant tutoring before he could grasp the concept of disconnecting from AOL and shutting down the machine before powering down. He was 70 then.
Now he has broadband on a little celery 2 gig machine. He still does email, but now his joy is printing color photo's of the fish his son catches. He goes thru color ink cartridges pretty fast. I worry about phishing attacks because he's a prime target. I swing by and run spybot and adaware occaisionaly and so far, so good.
My neighbors are in their 80's and surf high speed all the time. They are very pc savy and know about suspicious emails and using Firefox instead of IE, etc. It just depends on their comfort levels. Mom and Dad's machine is ripe for a zombie attack, while my neighbors are trusted surfers.
happy holidaze

From Wayne Smith:

What I told my mom over two years ago when she 'got a Dell'.

1) You will use alphanumeric passwords at least 8 chars long. You will not use the same password for more than one account. Your ISP email password should not be the same password you use for ebay, which should not be the same password you use for paypal. Period.
2) You will have an anti-virus program installed and you will update it every time you are online. You will get the new upgrade once a year. Yeah, it's a pain on dial-up so just do it when you are done surfing each time, unless you haven't been on for a few weeks and then do it immediately before you surf the web or check email.
3) email... you will never forward, forward, forward something that simply has to go to all your friends. Chili's and sear's aren't given away their money. If you forward anything like that to me, I'm changing my email address and my name.
4) you will never, ever, for any reason, click on a link inside an email. If you want to go to ebay, paypal, anywhere, you open up a new browser and type the URL in. You look for the 'lock' and the https. If it looks strange, don't trust it. If anybody says your account has been hacked and click here, what do you do? Exactly
5) if you weren't expecting an attachment in an email, you don't open the attachment until you contact the person you know and ask them what it is and why and have them confirm they sent it. If you don't know the person sending it, delete it and don't email the person.
6) Windows requires updating. It's not an option. When you are online, check for new updates.
7) you will have a separate, low limit credit card you use for online transacations. You never send the number via email and unless you see https, the lock, and you didn't get any warnings about 'certificate', etc, you don't use it.
8) if something pops up on your screen, you'll read the whole message before clicking anything.

I'm a tech head and so is my wife. My Mom is on the other side of the spectrum. She's been computing safely for two years and only asks me for help when she needs to pull down a new copy of Norton once a year (hard on dialup).

From Dean:

If Mom and Dad actually bought a new computer, we would have miracle number one...
If I could talk them through installing the antivirus and firewall software, we would have our second miracle.
Now if, and this is a biggie...if I could get Mom and Dad to stop forwarding every single chain letter they receive, asking if it really is true, or warning me about...
This would be miracle number three, and I would consider myself truly blessed.

Happy Holidays to all!

From R. J. Brown:

My father is 84 years old, and has several computers already. I tried to get him to switch to Linux, but the learning curve was too steep for him without my being able to be there physically and help him. The only advice I would give him at this point is to be sure his anti-malware tools are working -- virus scanner, internal firewall, and spyware scanner. He pretty well knows what he is doing by now. He was involved with the early GE computers in the 1950's, and is a big reason why I am now a computer consultant myself! Now my wife's mother? If she got a new computer for Christmas, I would just tell her not to hook it to the internet! ;-)

From Jim Halfpenny:

...I'd buy them a copy of Civilisation IV and tell them the Internet is expensive and overrated.

My parents do have a computer and use it only for web browsing. It's coming home with me this Christmas to have Linux installed on it. So long as it has Firefox and Solitare they will be happy. So long as it's not got pr0n dialers, spam relays, spyware, adware, DoS tools, viruses, trojans, worms et. al I'll be happy.

From David Hamilton:

I gave my parents a computer at Christmas a few years ago. My folks have DSL. I installed a hardware firewall and virus protection immediately. Later on, Firefox, anti-spyware and a pop up blocker all with training. I keep the "gift giving" going all year by talking to them about the bad stuff out there in terms that make sense to them. I also trained them to ask me if they have questions or just don't understand.

If I did it over, I would install hardware and software above all at once and train them throughout the year.

From Kristina Harris:

I dunno about everyone else, but if my parents got a new computer for Christmas (without me getting it, in which case they would get it will all applicable updates, antivirus, and firewall software installed), it would go something like this:

*ring* *ring*

"Hello?"

"Hi, honey, it's mom."

"Oh, hi mom."

"Say, I got a new computer, and I was wondering if ..."

"No."

" ... what's that?"

"No. Just No. You got it at Costco, didn't you?"

"Well, yes, but ..."

"And it has Windows, doesn't it?"

"I think so, but ..."

"Okay, do NOT plug in the computer until I come over with my adware detector/firewall/antivirus CD."

"Well, I was just going to .."

"No."

" ... what?"

"I said no. No, no, no. Do NOT. Plug IN. The computer. Until I get there."

"Well, really, honey I was just ..."

"Mom, don't make me disable your DSL."

"Oh ... okay."

"I'll be over in a few minutes."

"All right honey, I guess I could wait for ..."

"Oh, and Mom?"

"Yes?"

"If you decide not to listen to me, just remember: Wells Fargo does not outsource their emailing to a company in Uganda, and Paypal does NOT need to verify your information. Neither does eBay. And you don't need to click on that link to verify anything. Trust me."

"Oh. Are you sure?"

"Yes. Oh, and Mom?"

"Yes, honey?"

"Merry Christmas."

*click*

From Ron M:

"The question to you is, if your parents got a new computer for Christmas, what would you tell them to do?"

Return it. No kidding. There's just no hope that it'll stay updated and happy if they actually plug it in. An cuticle chainsaw would be a safer gift.

Have a good holiday, all!

From Anonymous:

I would tell them to _not_ connect it to the Internet, until I did a few things:
* many new motherboards have built-in RAID capabilities.
I would purchase a 2nd hard-drive, and build a "mirrored"
RAID ocnfiguration. Then, if one hard-drive died, the other drive will become a backup, until I could replace the dead-drive, and re-enable the mirroring.
Yes, mirroring adds a one-time hardware cost, but it certainly is much easier for my parents than trying to teach them how to do routine backups.
* enable the Windows XP firewall *BEFORE* connecting the computer to the Internet, and then accessing Windows Update.
* download free software: MS Word Viewer, Adobe Reader, the GIMP (www.gimp.org), the latest Shockwave and Flash plug-ins. Then, tell them that anytime that a pop-up window tells them to download or install something, just say "no", by closing the window, rather than clicking on the "NO" or "DECLINE" or "CANCEL" buttons insdie the window.
* of course, anti-virus software (www.my-etrust.com/microsoft) is an absolute essential.
* inventory the CDs and documents that come with the computer, to ensure that they have received everything that they are entitled to, and help them to store that bundle in a safe place.

Enough? :-)

From Alan:

My advice to anyone receiving a new computer for Christmas:

1) Do not connect it to the Internet without an external hardware firewall.

2) Boot the machine and set a secure login password for admin / root and for the user account.

The following advice assumes it is a Windows machine

3) Before doing ANYTHING ELSE, perform a complete Windows Update.

4) Launch Internet Explorer. Download and install an alternative browser. My choice is Firefox, but Opera is also a reasonable choice. Then remove the blue e from the desktop and the launcher on the taskbar, and exit from IE.

5) Launch the alternative browser. Download and install Thunderbird for email. Remove Outlook / Outlook Express from the desktop and the launcher taskbar.

6) Install a good anti-spam tool. I like K9 from www.keir.net/k9.html. Teach the new PC owner how to train the antispam tool.

6) Download and install a personal firewall. Unfortunately Sygate is no longer recommended because support has ended :-( ZoneAlarm is ok.

7) Download and install the free grisoft AVG antivirus product. Update it and set it up to scan nightly.

8) Go to housecall.trendmicro.com and perform a scan to be sure the machine is clean.

9) Give the standard lecture about not clicking on links in emails, not opening attachments, and being generally paranoid about unknown web sites.

10) If they insist on using instant messaging, install the latest version of gaim and remove icons for any IM tool supplied with the pc.

11) Install Startup Monitor and Startup Control Panel from http://www.mlin.net/. Educate the owner about how to answer the popup questions that will occasionally be presented to them.

ALTERNATIVE to #3-11: Install Ubuntu Linux or a similar user-friendly distribution.

From Anonymous:

If my parents got a new computer for Christmas, and it would be a laptop, I'll tell them to plug the thing in, turn it on, close it, put it on the floor, put the feet on it - and they'll have warm feet all day long ;-)

From Anonymous:

It's funny you sould ask; My parents ARE getting a new computer for Christmas. I steered them to a notebook so they could easily transport it between thier winter and summer places. That also means they can just bring it with them when they stop by my house and I can check it out.

From Anonymous:

Direct them to leave it in the box and bury it in the backyard. :)

From Mike Lewis

My advice would be simple. Buy a MAC with the 3-year service and support contract, and then in 3-years, buy another MAC. The things my parents would do with a PC include e-mail, web browsing, paying bills on-line, and maybe saving digital pictures.

Why go through all the service, support, spyware, antivirus, free downloads ... crap available to Windows based PCs if all you want to do is e-mail, surf, and save pictures?!

From Brent Bice:

Interesting that you ask this as I've had this same scenario with several family members except not at Christmas. :-)

1. The first thing I've recommended several times to the extended family is, go buy a router/firewall -- not just firewall software, but a separate network device. Yes, they've had their own set of issues but it's far harder and less likely that the malware du jour will disable a hardware firewall than any of the software firewalls that may be on a compromised PC. I also urge them to get the latest firmware updates for their new network router/firewall.

2. From behind the firewall, update the brand new machine with the latest recommended patches and all security patches from Microsoft. Reboot. Rinse, lather, repeat until no more recommended or security patches are found.

3. Repeat step 2 with any software packages installed on the system and repeat as needed if any additional software gets installed.

4. Install Firefox and Mozilla and configure them to not trust cookies, have javascript off by default and to not load remote images. Yes, Firefox and Mozilla have also had security bugs, but they've been fewer in number and usually less severe and less broad in scope than those found in MSIE and Lookout (er, I mean Outlook). Tell the user to use firefox when possible, enable javascript only when absolutely necessary, and use MSIE only when absolutely necessary and only for trusted websites (like their employer's poorly designed website, for instance).

5. Uninstall unneeded software.

6. Install/update anti-virus software. Ensure it updates itself at least once a day.

7. Install/update anti-spyware tools such as (but not limited to) Spybot S&D, AdAware, the new MS Malware Removal Tool, etc.

8. Give a class (or two or three) on the care 'n feeding of anti-virus software, anti-spyware software, applying updates (ensure automatic-updates are on), recognizing phish, the risks of opening holes in the firewall or installing browser plugins/helpers, and generally install a bit of healthy skepticism about clicking on links coming via IM or email.

Most of these require that I or another geeky family member pay a visit to help out. Oh well. It's usually good for a dinner and generally means far fewer of those REALLY painful attempts to walk someone through un-fscking their computer over the phone after it's been trashed by the MS Worm of the week -- especially if you're a unix geek like myself who hasn't kept up with all the changes to the windows desktop interface!

From Keith Rosenberg:

What would I tell my Parents?
- Antivirus software
- Firewall
- anti-spam capability
- Hardware firewall if they have broadband
- Keep OS and all software updated
- Provide phone and e-mail support
- Educate them about the internet's redlight district
- And finally, set up their computer for them if possible. That is what I did in one case.

From Anonymous:

Have them return it.

From Dave Rundle

'Twas the day after Christmas, when all through the house
we were gathered round the PC, examining the mouse;
The flat-panel LDC; speakers, so new and so crisp,
Displayed Microsoft Sam, with his usual lisp;

"Welcome to Windows," it intoned with a beep
Never warning that the Internet has more than one creep;
And mamma's logging in, and shopping like crazy,
Cause security issues make most people lazy,

When up on the screen there arose a quick popup,
A quick flash of the drive light, a really quick screw-up.
Away to the keyboard I flew like a flash,
Tore open the registry and cried "Where's the Patch!"

The new startup path was pointed to "Temp,"
Hmm, where the Internet cache is usually kept?
When, what to my wondering eyes should appear,
But a known key logger, to cause much fear

With an outdated driver, more useless than junk,
"Who hacked my computer; what little cyber-punk!"
More holes than had patches, who was to blame?
And he whistled, and shouted, and called them by name;

"Now, Microsoft! now, Borland! now, eBay and Spammers!
On, Oracle! on Apache! on, Mozilla and Hackers!
Who can guard my computer, who's the best of them all?
Who can do a good job, and not leave me to fall?

As Norton was loaded, and Mcafee started,
My guests grew tired, and soon they departed.
Loading up patches took most of the night,
And then the next morning, I had a new fight.

My adolescent son awoke before dawn
Frantic scrambles downstairs I heard as I woke with a yawn.
Cam Girls Live he'd found; a deviant site,
You won't meet him here, cause he's grounded for life.

Net Nanny I loaded, and then CyberSitter,
A whole lot of trouble caused by this little critter…
A new bunch of toolbars has just been installed,
And a DLL error, (the kid will get mauled!)

By the next week, I gave up, the computer reloaded,
40 hours of work, like the Matrix I coded.
Had I taken the time to prepare my Dell,
I would not be he sitting here inside malware hell.

From Anonymous:

I would do the same as I already did for my daughter (she got a 2nd hand PC as an early Christmas present) and install Ubuntu linux plus the codecs required to access some non-free audio and video.

Merry Christmas and a safe and prosperous new year to all the handlers.

From Anonymous:

If my parents had a computer for Xmas:

I would hope it is a Macintosh.

First and foremost because they easier to use, so less support calls...

But also because they are somewhat less prone to the on-going barrage of malware and viruses and all around pests that make computing such a pain.

If it is not a Mac, then I just got myself a free weekly dinner on Sundays...

0 Comments

Published: 2005-12-24

Parents and Computers

We compiled the information that many people sent to us over the past few days to answer the question, "if your parents got a new computer for Christmas, what would you tell them to do?" The long list of ideas, poems, and thoughts are here.

From all of us at the ISC, we wish you the merriest of holidays and best wishes in the coming year!

0 Comments

Published: 2005-12-23

Bots: They are not just for Windows anymore.

Couple readers noted the use of the "kaiten" bot in some of the recent php exploits. The php vulnerability is used to install kaiten, which like all well behaved bots will connect to an IRC channel and do its master's bidding.

We kind of have come used to seeing "bots" as a Windows issue. But to be fair: Kaiten probably pre-dates a lot of the Windows worms and bot. IMHO: its so much easier to write a bot for Linux. You got perl after all. I wouldn't be surprised to find one written in bash.

On realy quick and dirty way to fool bots in Linux: make 'tmp' its own partition and mount it as non-executable. This will fool probably 80% of the bots, as they start out by writing themselves to /tmp. Don't forget to make /usr/tmp and /var/tmp symlinks. If you don't want to repartition: use a loopback file. Most Linux malware will compile itself on the target system. So removing development tools is always an option but a bit painful for many. And you may not be able to do without perl. I wouldn't be able to make coffee in the morning without it, and without coffee not much would be happening here.

We do get LOTS AND LOTS of reports about various php exploit attempts. Its one of these things where you are probably already long exploited if you are vulnerable. The exploit attempts target a long list of vulnerable php applications. Nothing particular fancy, just more and more of it.

0 Comments

Published: 2005-12-23

Getting Ready for the Holidays

We had a couple reports from readers, who tried to contact abuse departments or notify companies about breached systems, only to receive a "vacation" reply indicating that the systems are on autopilot until sometime next year.

Unless you turn off the systems, they will still need a bit of watching and caring. Do you have someone on call in case the burglar alarm goes off? Make sure you have someone checking the 'abuse' or 'security' mailboxes once a day (at least). You may have them even forwarded to a pager if you can filter the spam.

And while I am on the topic: Make sure you do actually have an 'abuse' and a 'security' alias for all of your domains. There are a number of aliases you should define for each of your domains:

RFC2142 provides a number of references to other RFCs, and suggests the following aliases:

postmaster@domain (RFC822). This should exist on all mail servers. You should also have postmaster@IP-Address-of-the-mail-server.
usenet@domain (RFC977). I know a lot of people will write to say differently. But I consider usenet dead for all practical purposes. You can probably do without this address.
abuse@domain
trouble@domain
noc@domain
security@domain

We updated the RSS feed from 0.91 to 2.0 this morning, and added partial diary content in addition to the headlines. There are a couple of reasons why we did that:

RSS 2.0 should now be understood by most aggregators. When we originally started offering the RSS feed two years ago, RSS 0.91 was the most commonly used standard.
RSS 2.0 allows us to include a 'TTL', which indicates to the RSS reader how frequently to refresh the feed. Lets see if this helps a bit with overly busy readers
We do get regular requests to include full diary content.

Despite efforts to cut off the distribution points (http://www.honeynet.org.cn/honeyneten/index.htm) new versions of Dasher continue to pop up. Symantec identified Dasher.C yesterday that added an anti-security-software payload (your typical disable anti-virus and firewall type of gig.) New versions with new distribution points, and signature-evasion changes continue to come out. Before you ask: "which ones don't detect it?" Right now, it's most of them. In a few hours, I hope that list to be much shorter.

It would be simply swell if the AV developers would write sigs for the samples that we're sending them. I know it's a weekend... but I'm working.

So, why is Dasher "finding-legs?" or why is it successful?

To answer that, we have to ask Microsoft: why are services listening on ephemeral ports? Or, why are some filtering/firewall strategies blocking only 1024 and below?

E-cards are a different story. From a sender's perspective, there are a number of companies trying to offer a responsible service but how do you recognize them? If you use one of the services you give the company behind it the list of e-mail addresses of your friends. If the company is trustworthy that should cause little concern, but how can you be sure?

On the receiving end it gets worse, sometimes it says who tried to send you something, sometimes it doesn't. Sometimes you know the company sending you the e-card, sometimes you've never heard of them. You do know that the sender sometimes gets confirmations you went are read the card.
If you read this regularly, you might even be aware of possible cross site scripting issues that could be exploited somehow.

So what to do?

Start you own chain of secure greetings this year

Send out the E-mail greetings early this year to your contacts. Keep it plain text and ask them to please not send you e-cards as you will not read them this year over security reasons.

If enough people do that, there will hopefully be a few less incidents of people getting infected with all sorts of malware and loss of privacy.

--
Swa Frantzen

0 Comments

Published: 2005-12-14

Black tuesday - the day after

Traditionally we brace for impact on the Wednesday after the second Tuesday of the month. So far today has been rather uneventful. Big part is probably that the important update is actually fixing things that have been exploited already and therefore are already over their peak.

So in summary: Make sure you grab the MS05-054 update. It has fixes for things that have been exploited since last month.

As reported by Koon Tan yesterday we have seen, and are continuing to see, increased activity reported by more users now.Â The link below will show a graph that indicates activity over the past ~72 hours.

http://isc.sans.org/images/port1025tcp.png

We still need full packet captures to help nail this down, so if anybody has them please submit them via the 'Contact' link at the top of the page.

Core Security Technologies has an excellent article on this subject and RPC Vulnerabilities.Â One highlight from this article is that the "patches for these vulnerabilities ..... effectively fixÂ the problem(s)" with the vunerabilities used in the discussion.Â All of the vulnerabilities are more than 18 months old; these fixed have been out for some time, giving lots of time for admins to perform testing and loading of said patches.

Musings on the Internet Explorer 0-day vulnerability

So are any of you like me with regard to the Internet Explorer vulnerability mentioned last week http://isc.sans.org/diary.php?storyid=874? I know that I am watching and waiting to see if Microsoft is going to release an out of cycle patch, or wait for December 13th patch day. If I were a gambler, I might actually bet on Microsoft releasing it early.

Why do I think this way? Well.... Glad you asked.

Yesterday, Microsoft updated the advisory located at KB911302 with a couple of tidbits. First, they made mention of both Proof of Conecept and malicious software which appear to be targeting the reported vulnerability. Second, they also mention the Windows Live Safety Center where end users can scan and remove any malicious software and variants that may be running around now.

Throwing in that Microsoft has on occasion released out-of-cycle patches (June 2004 is a case in point in my mind), then I think it is a safe bet that Microsoft will take appropriate steps to fix the problem as quickly as possible. In the meantime there are 2 things I can continue to suggest.

1) Be vigilant. Know that a patch will be forthcoming hopefully within the next 2 weeks and be ready to deploy quickly.

2) If your organization can operate with one of the workarounds Microsoft has mentioned in KB911302, then I recommend mitigating your risk as much as possible. We all have at least one person who is a little too...uhm...liberal with browsing the Internet on company time. Think about it, that very person is probably shopping for Christmas* presents right now on less-than-secure sites. SO....I would suggest doing those workarounds to that computer first. :-)

* For those that celebrate other holidays in December than Christmas, this statement is not meant to be offensive in any shape or form, or otherwise slight your holiday of choice.

Update

It was just a question of when will malware authors start exploiting this Internet Explorer vulnerability.
When users visit certain web sites, a file will be dropped on their machine using this exploit. The file being dropped is currently detected as TrojanDownloader:Win32/Delf.DH. When executed, this dropper will download another trojan.

Microsoft published information about this trojan at http://www.microsoft.com/security/encyclopedia/details.aspx?name=TrojanDownloader:Win32/Delf.DH.

Thanks to Juha-Matti!

0 Comments

Top of page