Published: 2007-09-29

Packet Call

Yes, I know, "curiosity killed the cat", but I can't help myself when it comes to packets.  My curiosity was piqued after looking at some of the port trends last night on DShield.  Take a look at the ports below and their interesting trends.  None of them had any activity to speak of until these explosive amounts of traffic.  Notice that the number of targets stays very low in every case.  Is it legitimate or evil in nature?  I can think of scenarios for both, but I have no clue which, and that is why I would like to get some packet captures to spend my weekend playing with.  If anyone happens to be able to nab some or has seen a large amount of this, please let me know!

Port 47673

date        records  targets  sources  tcpratio
2007-09-21       64       15       15        62
2007-09-22        6        4        3        83
2007-09-23       16        5        4        88
2007-09-24     7692       12     5099        42
2007-09-25     1989        8     1220        57
2007-09-26    65876       14    25756        18
2007-09-27     7012       11     4572        18
2007-09-28    47652       14    17596         1
2007-09-29     2459        5     1420        55

Port 13883

date        records  targets  sources  tcpratio
2007-09-18       74        5       13       100
2007-09-19       68        3        9       100
2007-09-20       21        5        7        88
2007-09-21    38498       11     5510        81
2007-09-22    22264        7     3285        81
2007-09-23    10790        7     1330        81
2007-09-24     6029       10     1273        67
2007-09-25     3392       10       37       100
2007-09-26     6377        9       33       100
2007-09-27    22454       11     2704        85
2007-09-28    36223        9     7687        65
2007-09-29     1218        6      440        54

Port 60611

date        records  targets  sources  tcpratio
2007-09-15       47       13       33        46
2007-09-16       26       14       10       100
2007-09-17       87       15       24        87
2007-09-18    18729        9     6421        37
2007-09-19     3941        7     1567        48
2007-09-20     1017       11      345        58
2007-09-21     3830       20     1942        41
2007-09-22     2301       10     1108        43
2007-09-23     1500       13      648        40
2007-09-24     1015       11      409        40
2007-09-25       79        8        9        92
2007-09-26     2293       11      822        52
2007-09-27    11424        7     3961        52
2007-09-28    49706       12    13721        42
2007-09-29     1027        4      485        31

Port 30695

date        records  targets  sources  tcpratio
2007-09-23       18        6        6       100
2007-09-24       11        6        5       100
2007-09-25        5        4        3       100
2007-09-26    35663        9    15275        23
2007-09-27    44523       14    18609        14
2007-09-28    20268       10     9684         7
2007-09-29      497        6       29        30


Published: 2007-09-28

Congratulations Brian Granier!

Our handler Brian Granier became this week the second student to graduate from the SANS Technology Institute!



Published: 2007-09-28

Grey Friday?

Just as the memories of this month's Patch Tuesday faded into the past, Microsoft have announced an update to the advisory for MS07-042.

Microsoft have updated the bulletin from Version 1.1 to Version 2.0, and the revision covers two issues:

  • Added Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats and Microsoft Expression Web as affected products.
  • A potential reliability issue exists in applications that have installed Microsoft XML Core Services 4.0 on Windows Vista, which can be addressed by applying the download available in Microsoft Knowledge Base Article 941833.

However, FIRST have indicated that it also fixes a privately reported vulnerability that could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer.



Published: 2007-09-28

Python script for packer identification

In doing malware analysis, I like to have some idea of the packer being used. I like PEiD, but it is Windows only and isn't command-line so it is difficult to script. After I saw a posting about Ero Carrera's pefile, I decided he had already done the hard work, so I wrote (my first Python script) packerid.py which uses a peid database like this one (updated 2007-09-28 02:30 UTC) or Neil's collection or this one from Panda. Mine includes a few additional signatures or changes that I've made recently. I've been in contact with Neil about getting them merged back into his and/or released with PEiD itself.  Until that happens, I'll be periodically updating mine, see the tools section of my handlers page.
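To show what a PEiD-style lookup involves without pefile or PEiD itself, here is an added example (not packerid.py and not Ero Carrera's pefile): it parses the userdb.txt layout PEiD signature files use (a [Name] header, a "signature =" line of hex bytes with ?? wildcards, and "ep_only = true|false") and tests the bytes at a file's entry point against each signature. The two signatures and the entry-point bytes are constructed for the example and are not real packer signatures; locating the entry point in a real PE header (the part pefile does) is left out.

```python
"""Minimal PEiD-style signature matcher, in the spirit of the packerid.py
idea above.

Added example, not the diary's script and not pefile. It parses the userdb.txt
layout PEiD uses ([Name] header, 'signature =' hex bytes with ?? wildcards,
'ep_only = true|false') and tests the bytes at a file's entry point against
each signature. The two signatures and the entry-point bytes below are
constructed for the example; they are not real packer signatures. Reading the
entry point offset from a real PE header (what pefile does) is left out.
"""
import re

# Constructed signature database in PEiD userdb.txt format.
SAMPLE_DB = """
; comment lines start with a semicolon
[Constructed Packer v1.0]
signature = 60 BE ?? ?? ?? 00 8D BE ?? ?? ?? FF 57
ep_only = true

[Constructed Compiler Stub]
signature = 55 8B EC 83 EC ?? 53 56 57
ep_only = false
"""

# Constructed bytes standing in for the bytes at a file's entry point.
SAMPLE_EP = bytes.fromhex("60 BE 00 90 41 00 8D BE 00 80 FE FF 57 83 CD FF")


def compile_signature(sig_text):
    """Turn 'AA ?? BB' into a bytes regex where ?? matches any single byte."""
    parts = []
    for token in sig_text.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(b"\\x%02x" % int(token, 16))
    return re.compile(b"".join(parts), re.DOTALL)


def parse_signature_db(text):
    """Return a list of (name, compiled_pattern, ep_only) tuples."""
    entries = []
    name, fields = None, {}

    def flush():
        # emit the entry collected so far, if it carried a signature line
        if name is not None and "signature" in fields:
            entries.append((name,
                            compile_signature(fields["signature"]),
                            fields.get("ep_only", "false").lower() == "true"))

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            flush()
            name, fields = line[1:-1], {}
        elif "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    flush()
    return entries


def identify(ep_bytes, entries, whole_file=b""):
    """Names of signatures matching at the entry point; signatures that are
    not restricted to the entry point are also searched across the whole file."""
    names = []
    for name, pattern, ep_only in entries:
        if pattern.match(ep_bytes) or (not ep_only and pattern.search(whole_file)):
            names.append(name)
    return names


if __name__ == "__main__":
    db = parse_signature_db(SAMPLE_DB)
    print(identify(SAMPLE_EP, db))
```

With a real database the signature file is simply read from disk in place of SAMPLE_DB, and ep_bytes comes from the first few dozen bytes at the PE's entry point.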


Published: 2007-09-28

Cyber Security Awareness Month - Daily Topics

October is Cyber Security Awareness Month and the Internet Storm Center is going to focus on one security awareness subject per day.  We plan to provide useful information for information security professionals who want to educate their users but do not have a ready set of awareness tips. 

We asked for your ideas and boy did you have some good ones. To all of our readers who sent in hundreds of ideas over the past two weeks, thanks very much!  It took a bit of work but I think we've got about 95% of the topic suggestions covered.  Below is the list of topics by week and day that we will use them in October.  As you'll see, the first week focuses on tips for getting the message out to your users.  Subsequent weeks focus on specific topics.

We need your help beginning this weekend and continuing through the month of October.  If you would like to submit a tip, please use our contact form and be sure to put something in the subject like "Security Tip, day 15" to make it easier for us to sort them.  Keep your tips brief and to the point, also remember that the audience is the end user, not your sysadmins or netops geeks.

1. Establishing a User Awareness Training Program
  1 Penetrating the "This Does Not Apply To Me" Attitude
  2 Multimedia Tools, Online Training, and Useful Websites
  3 Getting the Boss Involved
  4 Enabling the Road Warrior
  5 Social Engineering and Dumpster Diving Awareness
  6 Developing and Distributing Infosec Policies

2. Best Practices
  7 Host-based Firewalls and Filtering
  8 Anti-Virus, Anti-Spyware, and Other Protective Software
  9 Access Controls, Including Wireless, Modems, VPNs, and Physical Access
 10 Authentication Mechanisms (Passwords, Tokens, Biometrics, Kerberos, NTLM, Radius)
 11 File System Backups
 12 Managing and Understanding Logs on the Desktop or Laptop (AV, Firewall, or System Logs)
 13 Patching and Updates

3. Hardware/Software Lockdown
 14 Data Encryption
 15 Protecting Laptops
 16 Protecting Portable Media like USB Keys, iPods, PDAs, and Mobile Phones
 17 Windows XP/Vista Tips
 18 Mac Tips
 19 Linux Tips
 20 Software Authenticity (Digital Signatures, MD5, etc.)

4. Safe Internet Use
 21 Understanding Online Threats, Phishing, Fraud, Keystroke Loggers
 22 Detecting and Avoiding Bots and Zombies
 23 Using Browsers, SSL, Domain Names
 24 Using Email, PGP, X509 Certs, Attachments
 25 Using Instant Messaging and IRC
 26 Safe File Swapping
 27 Online Games and Virtual Worlds

5. Privacy and Protection of Intellectual Property
 28 Cookies
 29 Insider Threats
 30 Blogging and Social Networking
 31 Legal Awareness (Regulatory, Statutory, etc.)

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2007-09-27

Apple iPhone update 1.1.1

Apple has just released update 1.1.1 for the iPhone.  It addresses at least 10 security issues (based on counting the CVE numbers in their announcement), so iPhone users (at least those who haven't "unlocked" theirs) should probably update soon.  One of the fixes addresses Bluetooth, 2 address Mail, and 7 address issues with Safari.  For those who have "unlocked" their iPhones, there were stories in the press over the last week that a future update would turn unlocked iPhones into expensive paperweights.  It is unclear at present whether this update is the one that does it (probably not, based on the descriptions of the updates included).  Note: We (SANS, the SANS ISC handlers, and me, personally) hold no position on whether or not unlocking the iPhone is a "good" or "bad" idea; we're just passing along the info.

Apple's bulletin: http://docs.info.apple.com/article.html?artnum=306586


Published: 2007-09-26

SDLC and Change Management

We received several reports today of a high profile software vendor's website that had a directory traversal bug in a specific script.  And while it is fun to find these still in existence in 2007, it's probably more likely that new code was introduced or existing code was modified without the security auditors looking at it.

So how good is your change management process when it comes to code that has been security reviewed?  In most cases, reviewing the changes is just as important as performing the code audit in the first place.


Published: 2007-09-25

XSS Incident Handling

There are tons of cross site scripting vulnerabilities around the Internet. Any online site is a potential victim of cross site scripting attacks. More accurately, the actual victims are the users of the vulnerable site. If you have not handled an XSS attack yet, you might want to start planning for one. It could hit any online site, and yours might be next.

Identification - Symptoms

There are some easy giveaways when it comes to XSS attacks: you might get users complaining that your site leaked their information, or they discover funny activities after visiting your site. Yet there is no clear indication that your site itself has been compromised. The goal of XSS is to trigger the browser to render arbitrary content as if it came from a legitimate site. Scripting can be used for the attack payload so that script commands get executed in the context of the victim site. It is extremely hard to determine the potential outcome; the limit is set by the attacker.

Another possibility is for the victim site's HTTP and application logs to show funny looking cross site scripting strings. Reflected XSS is a lot easier to detect than persistent XSS, since reflected XSS means the attack string is sent to the victim site every time an attack happens. Keep in mind that not all XSS attacks show up in the logs; some XSS attacks do not involve the attack string being sent to the victim site at all.


Once the XSS-vulnerable field is identified by looking at the logs and through other investigative means, stopping further attacks is pretty simple. An emergency code fix would be reasonable: just add proper input and output validation and containment is done. For environments that have web application firewall capability, it might be as simple as filtering out bad input with the web application firewall.


Eradication is not easy. We have seen sites getting nailed time and time again. Close off one XSS hole and the next hole gets nailed. My best advice here: if you get attacked via XSS, it might be time to get some help with identifying all the web application vulnerabilities on your site. If someone has that much interest in attacking you, it might not be long before that person comes back through another hole (e.g. XSS, SQL injection). In the end, it might be time to ensure security is incorporated in your development lifecycle.

Overall, XSS can be hard to detect. Once detected, fixing the particular vulnerability is not too difficult. Fixing the whole development lifecycle is required for a fundamental fix of the problem. This is often very costly and slow.
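The two practical steps above, spotting reflected attack strings in the HTTP logs and containing the hole with output encoding, look like the following in code. This is an added example, not part of the original diary: the access-log lines are constructed for illustration, the indicator patterns cover only the common cases, so a hit is a lead to investigate rather than proof of compromise, and the escaping helper stands in for whatever templating layer the site actually uses.

```python
"""Triage reflected-XSS indicators in web server access logs, and the
output-encoding step used for containment.

Added example, not from the original diary. The log lines are constructed
for illustration; the patterns cover common indicators only, so treat hits
as leads to investigate, not proof of compromise.
"""
import html
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in combined-log style (no real hosts).
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Sep/2007:10:01:02 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Sep/2007:10:02:15 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [25/Sep/2007:10:03:44 +0000] "GET /profile?name=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 700',
    '10.0.0.7 - - [25/Sep/2007:10:04:01 +0000] "GET /page?ref=javascript:void(0) HTTP/1.1" 302 300',
    '10.0.0.3 - - [25/Sep/2007:10:05:10 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Indicators of script injection, checked after URL-decoding the request.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "event_handler": re.compile(r"\bon(?:error|load|click|mouseover|focus)\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "html_tag": re.compile(r"<\s*(?:img|iframe|svg|object|embed)\b", re.I),
}


def decode_request(line):
    """Extract the request target and URL-decode it (up to three rounds,
    because attack strings are sometimes double-encoded)."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    decoded = m.group(1)
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def find_xss_requests(lines):
    """Return (decoded_request, [indicator names]) for each suspicious line."""
    hits = []
    for line in lines:
        decoded = decode_request(line)
        if decoded is None:
            continue
        matched = [name for name, pat in XSS_PATTERNS.items() if pat.search(decoded)]
        if matched:
            hits.append((decoded, matched))
    return hits


def render_safely(user_value):
    """Containment on the output side: HTML-escape untrusted input before
    reflecting it into a page, so an echoed string renders as text."""
    return "<p>Results for: %s</p>" % html.escape(user_value, quote=True)


if __name__ == "__main__":
    for request, indicators in find_xss_requests(SAMPLE_LOG):
        print(request, indicators)
    print(render_safely("<script>alert(1)</script>"))
```

Decoding before matching matters: the second and third sample lines carry no literal angle brackets in the raw log, so a grep for "<script" over the file as written would miss them. The escaping helper is the "output validation" half of the emergency fix; input filtering on its own is easier to bypass.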

To learn more about XSS attacks, SANS offers defensive web app course SEC519 and also the testing course SEC538.


Published: 2007-09-25

Firefox as the weapon of choice?

Security testers are always seeking new tools to make their testing more effective. I am really not thrilled about some wannabe testers thinking that tools are the only thing they need to be good security testers. Skills, techniques and understanding of the overall picture are all very important to security testing, especially when testing non-standard components (e.g. application security assessment). That's exactly why I discuss not only tools but also the techniques and the reasons some security checks are done in my web application security testing course.

Most application security testers are already using some Firefox plug-ins to assist in their testing. These plug-ins are usually very helpful in getting some quick and easy test tools directly from within the browser. The folks from security-database.com have compiled a catalog of the security plug-ins for Firefox, called FireCAT. I would suggest taking a look at their catalog and loading up your Firefox browser with some of the security tools. Although most of these plug-ins would not be considered best-of-breed tools in their respective areas, the ability to use them from within the browser usually makes them very accessible and easy to use. You might also want to know that these tools benefit not only application testers but also infrastructure testers and most other security professionals as well.


Published: 2007-09-24

Web Application Security Followup: Password Strength

One of the early leaders in security issues with banks is password strength. A lot of readers write in about banks that do not allow users to pick long passwords. The leader so far is a bank which only allows 7 character passwords and only allows letters a-z and numbers. (update: someone just wrote in with a bank that only allows 6 (!) characters)

We probably all know that longer passwords are better, and a common tip to achieve long passwords is a passphrase vs. a short password. A passphrase requires the use of punctuation marks and spaces, which some banks don't appear to allow either.

Now it may sound obvious that web applications will not allow single quotes (') or less-than / greater-than symbols, in order to avoid SQL injection or cross site scripting. However, this is a rather poor solution. And remember that passwords are not supposed to be stored in the clear anyway.

Regarding storing passwords in the clear: Some users report somewhat arbitrary password requirements like 20 characters. This may actually be an indication of passwords stored in the clear. A hashed password should always result in the same length hash, no matter how long the original password. On the other hand, if the original developer picked a "char(20)" database column to store the passwords (in the clear), then the password will be limited to this size.

A couple of "mitigating" notes:
- Frequently, web application password strength is limited by legacy backend systems. This may also require the use of clear text passwords. Legacy issues may also be responsible for case insensitive passwords.
- If you only have 8 characters to work with, you can still use the passphrase approach: just pick the first, second or whatever character from each word. "I visit the ISC 3 times a day" becomes "ivti3tad".

A couple of lines of pseudo code on how I like to see passwords stored:

store password:


check passwords:

if ( $dbhash == $hash ) {
    redirect("logged in");
}
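The diary's "store password" pseudo code did not survive on this page, so here is an added example (not the diary's own code) of the storage scheme it argues for: a per-user random salt, an iterated hash, and a comparison step that plays the role of the "$dbhash == $hash" check above. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count and the record format are illustrative choices. The stored record is the same length whatever the password length, which is exactly the property the diary uses to argue that an arbitrary "20 character maximum" hints at clear-text storage. The first-letters helper is the diary's own "ivti3tad" trick.

```python
"""Salted, iterated password hashing with fixed-length storage.

Added example, not the diary's own pseudo code. It uses PBKDF2-HMAC-SHA256
from the Python standard library; the iteration count and record format are
illustrative choices. The stored record has the same length whatever the
password length, which is the property the diary uses to argue that a
"20 character maximum" hints at clear-text storage.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative; tune to your hardware
ALGORITHM = "pbkdf2_sha256"


def store_password(password):
    """Return the record to keep in the database: algorithm, iteration
    count, random per-user salt and the derived key, '$'-separated.
    Always 90 characters here, regardless of the password's length."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join((
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ))


def check_password(password, stored):
    """Recompute the derived key with the stored salt and compare it in
    constant time (the '$dbhash == $hash' step of the diary's pseudo code)."""
    algorithm, iterations, salt_b64, key_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def passphrase_initials(phrase):
    """The diary's short-password trick: first character of each word."""
    return "".join(word[0] for word in phrase.split()).lower()


if __name__ == "__main__":
    record = store_password("I visit the ISC 3 times a day")
    print(record, len(record))
    print(check_password("I visit the ISC 3 times a day", record))
    print(passphrase_initials("I visit the ISC 3 times a day"))
```

Because the salt is random, storing the same password twice yields two different records, so a leaked table cannot be attacked with one precomputed list for all users; and since only the derived key is stored, the site can never mail a user their "old password" back.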




Published: 2007-09-24

Financial Website Security

Financial websites (banks, credit card companies, investment companies) are probably the biggest targets for hackers out there. I am sometimes a bit surprised by some of the blatant security issues some of these websites have. Just a few weeks ago, after "resetting" my password with a credit card company, I received my old password in plain text via e-mail. One of the classes I teach most frequently for SANS is the Web Application Security class. I do use a number of problems like this in the class to make the material covered more real. However, it would be nice to have a more complete catalog of these problems.

If you run into a blatant big problem with a financial site, please let us know. We will notify the site, but if you wish we will not mention your name. DO NOT "HACK" OR PENTEST ANY SITES WITHOUT WRITTEN PERMISSION FROM THE OWNER OF THE SITE. We are looking for problems that you run into as a regular part of doing business with the site.

Once we have notified the sites, we will post some examples here. Again, we are looking for *big* problems like:

  • passwords sent in the clear
  • insufficient user identification to reset the password
  • cross site scripting (again, DO NOT TEST)
  • SQL errors / Java errors and the like visible to the user.
  • Site does not allow long passwords.
  • badly formatted / worded e-mails that encourage phishing.

Things I consider minor or things we don't want to cover right here:

  • non SSL login forms that submit to SSL servers (we already covered that in the past).
  • login pages that give different errors if a username doesn't exist.
  • site downtime.
  • site allows the user to opt in for certain e-mail notifications, even if the notifications reveal balances and the like.

Please use our contact form to submit reports. Did I mention NO HACKING?!



Published: 2007-09-22

Anonymous domain names

In the past we've pointed readers, in private email and publicly, to whois to find out who's behind domain names and IP addresses.

Over the years we've seen the whois system deteriorate for domain names: paid-for anonymous registrations, systems that point you to a website where you have to interact with the website instead of continuing on the command line, results that come back as GIFs instead of text, etc.

But today I was dealing with a .name registration that's likely up to no good; on the odd chance there was a real company behind it, I checked it out in whois:

$ whois [suppressed].name
Disclaimer: [skipping the legalese]

This is the .name Tiered Access Whois. For help, query whois with the
string "help". A whois web service also exists on http://www.whois.name.
A full list of .name Registrars can be found on http://www.nic.name

Domain Name ID: 2899351DOMAIN-NAME
Domain Name: [suppressed].NAME
Domain Status: ok

OK, nothing of use here, it's basically a "see http://www.whois.name/".

On to that website, - it's actually a redirect to https://whois.nic.name/ :

You basically have 3 options:

  • the "summary search": equally useless as the whois interface itself
  • the "standard search": ah yes, that must give what we need! Let's try it:
    Domain Name ID: 2899351DOMAIN-NAME
    Domain Name:
    Sponsoring Registrar ID: 21
    REGISTRAR-NAME Sponsoring Registrar: Directi Internet Solutions d/b/a PublicDomainRegistry.Com
    Domain Status:
    Registrant ID:
    CONTACT-NAME Admin ID: 2314764
    CONTACT-NAME Tech ID: 2314764
    CONTACT-NAME Billing ID: 2314764
    CONTACT-NAME Name Server ID: 1306740
    HOST-NAME Name Server: NS1.[suppressed].NAME
    Name Server ID:
    HOST-NAME Name Server: NS2.[suppressed].NAME
    Created On: 2007-04-25T07:58:33Z
    Expires On: 2008-04-25T07:58:33Z
    Updated On:
    No such luck apparently.
    It seems they lowered their standard quite a bit.
  • There's a third option: "For detailed Whois searches, which are subject to higher privacy protection than Summary and Standard". Now, that sounds like what we need.
    Unfortunately, higher privacy protection seems to not apply to those who seek the information at all. They insist on having not just the obligatory hurdle of a CAPTCHA (without escape for the visually impaired), but it almost looks like a typical phishing website as they also want all your private data, including your credit card number.

    Yes, you got it: ".name" wants to charge you for knowing who registered what domain name!

I guess I need to say thanks to those who created and run .name for this "wonderful" scheme. I'm sure those up to no good will love you for it.

Before we get flooded by reactions: I can be sympathetic to privacy, but if you have something to say (email, web, ... something that needs a domain name) I want to have the right to know who you are, and I want those giving you the domain name to verify you are who you say you are before letting you have it. If you cannot safely say what you want to say unless you are anonymous: don't get a domain name; there are plenty of services out there to get a message across without your very own domain name.

Swa Frantzen -- NET2S


Published: 2007-09-22

virtualization and security

In the grand scheme of things -think the matrix- the question might not be "to be or not to be", but instead evolve to "to be real or not to be real"

Let's look at the evolutions:

  • Malware researchers (as in reverse engineers) tend to use products like VMware so they can run malware in a more controlled environment where undoing the run is easier (on a copy of the image that is to be discarded).
  • Malware authors, more often than not, detect VMware and have their malware not give away what it would do on a real machine.
  • Joanna Rutkowska's "Blue Pill" research most likely deserves a mention here as well.
  • Last month Microsoft fixed in MS07-049 a threat they classified as important that allowed a break out of the virtual OS to the host OS. We had some disagreement on that rating with Microsoft, as we saw it as a significantly bigger deal than "just" privilege escalation.
  • This week VMware released updates that fix a number of vulnerabilities. They've announced the details on a mailing list, but on their own website all seems to be much more rainbows and butterflies unless you dig through some of the release notes (search for "security"): E.g. (there is one for every product): Now what does this mean in terms of impact ?
    It fixes quite a few vulnerabilities:
    CVE-2007-2446 CVE-2007-2447 CVE-2007-0494 CVE-2007-2442 CVE-2007-2443 CVE-2007-2798 CVE-2007-0061 CVE-2007-0062 CVE-2007-0063 CVE-2007-4059 CVE-2007-4155 CVE-2007-4496 CVE-2007-4497 CVE-2007-1856 CVE-2006-1174 CVE-2006-4600 CVE-2004-0813 CVE-2007-1716 CVE-2006-3619 CVE-2006-4146
    Some of these are fixes propagating from DHCP, cron, samba etc, nothing special as such except that they've been around for a while now -with fully documenting source code patches-.
    The more spectacular vulnerabilities are:
    • CVE-2007-4496 A privileged user in a guest OS can execute arbitrary code on the host OS
    • CVE-2007-4497 A user on the guest OS can cause a DoS on the host OS, not just on the guest OS
  • There is also a paper by Google that studied some aspects for multiple vendors in the virtualization world: http://taviso.decsystem.org/virtsec.pdf While two product names are obscured they'll be easy enough to guess for those knowing the platforms they are used on. Ever since Apple moved to Intel CPUs Parallels has been popular on that platform (I use it myself), and we already mentioned Virtual PC from Microsoft above.

Now with all that, how do we react ?

It all depends on what you use it for. E.g. I use Parallels on my Mac to be able to run Windows applications when (and if) I need to. When teaching about security I run a virtual machine that has known vulnerabilities to demo how easy it is for real attackers to attack a system and how little skill it requires to execute a program that gives you a command prompt on a target.  If that is what you run a virtualization suite for, you're no more or less at risk than you were before.

If I'm a malware researcher, I'd be extra careful and not trust the malware not to break out of the virtual machine. They already detect it, and what could be more delaying to the analysis of their contraption than zapping the host OS?

If I were to feel my host OS was immune to attack (fanboys to /dev/null please) because the more targeted OS is in a virtual machine, I might be in for a rude awakening down the line, as those attacks might start to build in ways to break out of their segregated environment. Having that false sense of security is a really bad thing.

If I buy fewer separate machines and instead buy more redundant, more powerful hardware and run machines together on a shared hardware platform, I'd watch carefully what I'm putting together. It would be a bad idea to put e.g. the firewall, an IDS probe outside of the perimeter, the web server and the database server all on one shared platform: if one is broken, all can be broken without going through the layers that separate hardware would have provided. Even if all the hosts are from the same security layer there's increased risk, as the machines can talk among themselves without passing through the network layer, but that's probably easier to mitigate. So it does depend on your architecture and what you mix together.

If I'm an organization that has air-gapped networks carrying differently classified data, it would be a very risky move to migrate the two hosts of those who need access to both networks onto a virtual machine setup. Better invest in that KVM switch if you need the real estate on those desks.

Swa Frantzen -- NET2S


Published: 2007-09-21

Spammers feeling lucky with Google

For quite some time spammers have been trying to hide the links advertised in their e-mails. The main reason for this is probably the increasing effectiveness of various realtime blocklists, such as SURBL. For those who aren't familiar with SURBL (http://www.surbl.org), it's an RBL that lists URIs found in spam e-mails. In other words, instead of listing spam zombies or relays, RBLs like SURBL list the sites that are advertised in spam.

Anti-spam applications generally query multiple RBLs, and the latest versions of SpamAssassin, the most popular open source anti-spam application, query SURBL by default.

Spammers realized that this can cause them big problems so initially they started using various open redirectors. Redirected URLs try to hide themselves behind some other (innocent) domain and server. For example, Google has a redirector service that can be easily used like this:


If you visit this URL now Google will warn you that you are about to be redirected to your favorite bookmarked site ;-) – however this was abused historically when there was no such warning.

Anti-spam tools soon incorporated detection of similar abuses because well known redirection services, such as those provided by Google or Yahoo! are easy to enumerate and parse, although spammers use various URL encoding techniques to make this more difficult.

While spammers are still using similar redirection services, sometimes even on compromised web sites, recently I saw a new trend where they are abusing another of Google's services.

This mainly seems to be happening in meds related spam e-mails. A typical spam looks like this:

Order All of your favorite RxMeDs Online!
With fast discreet trackable USPS shipping!
No Prescription Needed!

Order__NoW ~ <a href="http://www.google.com/search?q=myvisameds+global+cart&btnI=ec">Click__Here</a><br>

As you can see, the e-mail is very small (probably trying to affect some other anti-spam methods) and it contains only one URL, pointing to Google!

The trick here is in the last part of the URL that is highlighted above: “btnI=ec”. This actually tells Google that you want to use the feature called “I’m Feeling Lucky”. This feature is actually nothing special – it performs the normal search but, instead of returning the page containing the search results, it automatically redirects your browser to the first returned result. We can try doing the same thing for the Internet Storm Center, with the link above:


So, the spammers do the following. They first “poison” Google so that a particular search returns their wanted web site as the first match. This isn’t too difficult to do because they don’t need to “poison” proper searching keywords – they can use whatever they want because all they need is their web site to come back first. If we go back to the example above, the keywords to search for are “myvisameds global cart”. If you search for this (normally) you will see that the spammer’s web site comes as the first search. Also take a look at all the other web sites that are returned. See something interesting? (I still have to check those web sites to see if they are even serving some malicious content).

We can see that the “poisoning” process was successful, so all they need to do now is send their e-mails with the link above until Google figures out what’s going on and blocks this. At this point they change the web site and/or keywords and start from the beginning.

Finally, it should be relatively easy to catch these links with a regular expression. However, it looks like there are several implementations on Google’s web site, so they don’t always end with “btnI=ec”. If you have good rules for this, let us know.
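One way to write such a rule so that it does not depend on the link ending in "btnI=ec" is to parse the URL rather than string-match it. The following is an added example, not from the diary or from any anti-spam product: it pulls URLs out of a message body, undoes HTML-entity and percent-encoding (the diary notes spammers vary the encoding), and flags any Google /search URL that carries a btnI parameter anywhere in its query string. The sample messages are constructed; the first mimics the layout of the spam quoted above with a placeholder keyword.

```python
"""Find "I'm Feeling Lucky" links (a btnI parameter on a Google search URL)
in message bodies.

Added example, not from the diary. The sample messages are constructed. The
matcher normalises HTML entities and percent-encoding before parsing, since
the diary notes spammers vary the encoding and the btnI parameter need not be
the last one in the URL.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# google.com, google.co.uk, google.com.au ... but not google.com.example.net
GOOGLE_HOST_RE = re.compile(r"^(?:www\.)?google\.[a-z]{2,3}(?:\.[a-z]{2})?$", re.I)

# Constructed sample bodies; the first mimics the diary's spam layout.
SAMPLE_MESSAGES = [
    'Order__NoW ~ <a href="http://www.google.com/search?q=somekeywords+cart&btnI=ec">Click__Here</a><br>',
    'See <a href="http://www.google.com/search?btnI&amp;q=internet+storm+center">here</a>',
    'Normal search results: http://www.google.com/search?q=isc+handlers',
    'Percent-encoded: http://www.google.co.uk/search?q=x%26btnI%3Dec',
    'Lookalike host: http://www.google.com.example.net/search?q=x&btnI=ec',
]


def normalize_url(url):
    """Undo HTML-entity encoding and (repeated) percent-encoding."""
    url = html.unescape(url)
    previous = None
    while previous != url:
        previous, url = url, unquote(url)
    return url


def is_feeling_lucky(url):
    """True when the URL is a Google /search with a btnI parameter.
    Decoding before parsing means a literal '&btnI=' hidden inside another
    parameter's value also counts; for spam triage that bias is deliberate."""
    parsed = urlparse(normalize_url(url))
    host = parsed.hostname or ""
    if not GOOGLE_HOST_RE.match(host):
        return False
    if not parsed.path.startswith("/search"):
        return False
    params = parse_qs(parsed.query, keep_blank_values=True)
    return any(key.lower() == "btni" for key in params)


def find_feeling_lucky_links(body):
    """Return every matching URL found in a message body."""
    return [url for url in URL_RE.findall(body) if is_feeling_lucky(url)]


if __name__ == "__main__":
    for link in find_feeling_lucky_links("\n".join(SAMPLE_MESSAGES)):
        print(link)
```

keep_blank_values matters: a bare "btnI" with no value is enough to trigger the redirect, and parse_qs silently drops valueless parameters by default. The host check is anchored so a lookalike such as google.com.example.net is not mistaken for Google.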




Published: 2007-09-20

Pen Testing - Dangerous side effects?

Submitted by a reader.

It seems to be commonplace that when we deploy Nessus or other tools on a network to detect vulnerable systems and patch them, we crash a system or two in the process as an unintended side effect.  And some organizations have started using BlueSweep to map Bluetooth devices being used in an environment to check for unauthorized deployment of Bluetooth access points. (http://www.airmagnet.com/products/bluesweep/)

Due to my personal experience dealing with the declining health of my father, I have found that there is a growing trend in the medical industry of wirelessly enabling medical devices such as pacemakers.   This has taken the form of Bluetooth-enabled devices, as well as proprietary radios and protocols.   While I am sure the government has good regulation for these types of devices from the medical side, it makes me wonder how well they have regulated these devices from a "cyber" perspective.   My primary concern would not be whether your pacemaker could be hacked by a terrorist, or if someone could listen in on your current health and well being.    But my concern would be what kind of unintentional side effects we could potentially have on a person's well being by running wireless security penetration tools as part of securing our own networks and facilities.   I know that many of the Bluetooth pen testing tools have crashed numerous cell phones and PDAs, just as effectively as Nessus has done so as part of standard LAN testing.    But what would happen if that "device" we end up crashing is someone's pacemaker?   I am used to receiving calls from people asking me to stop my pen testing because I have crashed an Exchange server, but would hate to see the day when I receive a call that I crashed "John Smith" down the hall.   I have a feeling we will start seeing many more Bluetooth and Zigbee enabled medical devices implanted in our coworkers, and I for one know that I have never seen much discussion on the topic in the cyber forums.

Submitted by Craig Goranson



Adrien de Beaupré


Published: 2007-09-20

Alleged Acrobat Vulnerability

An alleged vulnerability in Adobe Acrobat and Reader has been released. At this time we have little information on the vulnerability itself, any exploit, or impact. Stay tuned.

If you have more information please let us know HERE.


Adrien de Beaupré


Published: 2007-09-19

Microsoft releases Office 2003 SP3

As Jason announced in his diary on MOICE yesterday, Microsoft has today released Office 2003 SP3. This service pack includes a roll-up of several existing security fixes, but also makes some behavioral changes that affect security:

  • By default, Office can no longer open certain older document formats, including CorelDraw and older PowerPoint versions (pre-97). This significantly reduces the attack surface;
  • Older COM components that behave inappropriately may no longer have the same level of access as they did in the past (KB 938814);
  • Administrators can now, through the registry, configure Office to no longer allow certain COM components. They also have the ability to block the opening of files older than a certain Word version (KB 938815 and 938810).

Plenty of other changes apply, this is not a complete list. Read more at Microsoft.


Published: 2007-09-19

Security advisory and fix released for Firefox

Mozilla has issued a security update for Firefox. It resolves a new exploitation pathway for the MFSA 2007-23 advisory. As you may recall, this dealt with the way Internet Explorer could invoke either Firefox or Thunderbird. These applications support a "-chrome" option, which allows loading of a specified Chrome, but could also allow code execution.

The new fix now removes the ability to run arbitrary scripts from the command line. It was implemented specifically due to a finding in QuickTime media-link files. A 'qtnext' attribute allowed the passing of parameters to a web browser which would be invoked upon finalizing playing of the media file.

We strongly advise you to install the updated version if you have any form of the QuickTime plugin installed.


Published: 2007-09-19

JavaScript/HTML droppers as a targeted attack vector

It need not always be a plain and simple Word attachment.

April 2007. A small group of about 20 people receives an e-mail on a topic that is of great interest to them, which invites them to sign an attached petition. The petition is a rather benign looking HTML file. Their anti-virus software had not indicated anything was amiss, and they clicked away.

They did not realize that the file in fact carried a targeted malicious code attack: it contained several routines to download an executable from a remote web site and drop it on the local system.

Had they seen the contents of the file, they would never have clicked. It’s a genuine HTML file, indeed, but it contains a large body of JavaScript. One obvious variable contains shellcode as well as a Unicode encoded download URL. There’s also some code that should ring a bell, sorry – a loud fire alarm - even to a non-developer, due to its naming convention:

evilObject.push( evilString );
var obj = document.getElementById('target').object;

Further down the execution path, resulting data is loaded into CLSID: 0002E510-0000-0000-C000-000000000046, better known as the Microsoft Spreadsheet Object aka Microsoft Excel on Office systems. The target is an old Office vulnerability.

We humans are not capable of looking at every file we open in great depth. We lack both the scale and the in-depth protocol knowledge. We outsource this function to our anti-virus solutions:

AhnLab-V3 2007.4.12.0 04.12.2007  no virus found
AntiVir 04.12.2007 HEUR/Exploit.HTML
Authentium 4.93.8 04.12.2007  no virus found
Avast 4.7.936.0 04.11.2007  no virus found
AVG 04.11.2007  no virus found
BitDefender 7.2 04.12.2007  no virus found
CAT-QuickHeal 9.00 04.11.2007  no virus found
ClamAV devel-20070312 04.12.2007  no virus found
DrWeb 4.33 04.12.2007  no virus found
eSafe 04.11.2007  no virus found
eTrust-Vet 30.7.3562 04.12.2007  no virus found
Ewido 4.0 04.12.2007  no virus found
FileAdvisor 1 04.12.2007  no virus found
Fortinet 04.12.2007  no virus found
F-Prot 04.12.2007  no virus found
F-Secure 6.70.13030.0 04.12.2007  no virus found
Ikarus T3.1.1.5 04.12.2007  no virus found
Kaspersky 04.12.2007  no virus found
McAfee 5006 04.11.2007  no virus found
Microsoft 1.2405 04.11.2007  no virus found
NOD32v2 2183 04.12.2007  no virus found
Norman 5.80.02 04.12.2007  no virus found
Panda 04.12.2007  no virus found
Prevx1 V2 04.12.2007  no virus found
Sophos 4.16.0 04.12.2007  no virus found
Sunbelt 2.2.907.0 04.07.2007  no virus found
Symantec 10 04.12.2007  no virus found
TheHacker 04.09.2007  no virus found
VBA32 3.11.3 04.12.2007  no virus found
VirusBuster 4.3.7:9 04.11.2007  no virus found
Webwasher-Gateway 6.0.1 04.12.2007 Heuristic.Exploit.HTML

While these solutions generally do a great job, and are continuously improving the way they deal with such droppers, at the time of the attack, they were of little use. Once the final binary was downloaded and executed, users of most security applications were still not quite protected:

AhnLab-V3 2007.4.19.0 04.18.2007  no virus found
AntiVir 04.18.2007 TR/Crypt.FKM.Gen
Authentium 4.93.8 04.18.2007  no virus found
Avast 4.7.981.0 04.18.2007 Win32:Protux-C
AVG 04.18.2007  no virus found
BitDefender 7.2 04.18.2007  no virus found
CAT-QuickHeal 9.00 04.18.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 04.18.2007  no virus found
DrWeb 4.33 04.18.2007  no virus found
eSafe 04.18.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3576 04.18.2007  no virus found
Ewido 4.0 04.18.2007  no virus found
FileAdvisor 1 04.18.2007  no virus found
Fortinet 04.18.2007 suspicious
F-Prot 04.17.2007  no virus found
F-Secure 6.70.13030.0 04.18.2007  no virus found
Ikarus T3.1.1.5 04.18.2007  no virus found
Kaspersky 04.18.2007  no virus found
McAfee 5012 04.18.2007  no virus found
Microsoft 1.2405 04.18.2007 TrojanProxy:Win32/Agent.AYY
NOD32v2 2202 04.18.2007 a variant of Win32/Protux
Norman 5.80.02 04.18.2007  no virus found
Panda 04.18.2007  no virus found
Prevx1 V2 04.18.2007  no virus found
Sophos 4.16.0 04.17.2007  no virus found
Sunbelt 2.2.907.0 04.14.2007 VIPRE.Suspicious
Symantec 10 04.18.2007  no virus found
TheHacker 04.15.2007  no virus found
VBA32 3.11.3 04.18.2007 suspected of Malware.Agent.88
VirusBuster 4.3.7:9 04.18.2007  no virus found
Webwasher-Gateway 6.0.1 04.18.2007 Trojan.Crypt.FKM.Gen

The file installed itself in the registry, and then connected to the host ding.pc-officer.com, as well to ihe1979.3322.org. At that point in time, both resolved to

This is a common but rarely discussed trick in targeted attacks, the parking of attack hosts – when the control server resolves to, the only way an infected client could be identified is through DNS queries. Traffic will no longer be leaving the machine, and network detection/firewall log analysis wouldn’t result in detection at all. An attacker can ‘switch off’ the compromise when he no longer requires access to information, enabling it at will when a new need exists. All he needs to do is change the DNS resource record to point to a host under his control.

The code itself was a modified version of the Protux backdoor, which provides virtually unrestricted user level access to a compromised client: adding services, command execution, whichever the attacker requires.

September 2007. Five months later, a new HTML file appears attached to a seemingly benign looking e-mail. This time, the entire mail is in Chinese. Clicking on the attachment doesn’t actually do anything – while it contains some dropper code, it appears to have been corrupted, or does not load correctly on our UK English test systems.

It does once again contain an obfuscated download URL pointing to the same North Carolina based web server as in the April attacks. Once downloaded, the binary hosted there points to ding.pc-officer.com. It appears to be a modified version of the PCClient backdoor series, which contains key logging code. This time the host name resolves, but to a false and unused address. Further research shows that over the last few months, the control host had been moved several times, from Taiwan over to South Korea.

In case you’re interested: all recipients of these e-mails were members of the Falun Gong, a large originally Chinese spiritual movement which has been banned by the People’s Republic of China since July 20th, 1999. The first e-mail originated from the systems of FastMail.FM, but was sent by a Taiwanese host. The e-mail attachment posed as a petition to the International Olympic Committee on Chinese human rights violations and appeared very trustworthy and within context.

There’s plenty we can learn from just this single sample to better protect our organization against targeted attacks:

  • HTML exploits or droppers attached to e-mails have been used in ‘public’ viruses as well, dating back to 2003’s W32/MiMail. Nevertheless, it’s still pretty rare;
  • Regular public host names don’t resolve to If they do, it’s the administrators trying to counter a Denial of Service attack, or not a valid web site at all (and as such the user making a typo). If you’re suspicious, try to monitor DNS resource records returned from public DNS servers for this value. Generally difficult to implement, but interesting;
  • Ensure users are correctly trained on the threat of e-mail attachments, and use strong heuristic scanners at the mail gateway. While heuristics can do damage to internal machines, where software is deployed, they are much less likely to cause significant issues on the gateway, where you have centralized control;
  • If you’ve had an incident like this, try to get permission to share through your local ISAC (Information Sharing and Analysis Centre), so that other organizations can learn and information security is advanced as a whole;
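The DNS "parking" trick described above can be turned into a detection on resolver logs. The following is an added example, not code from the diary: it flags public host names whose A record lands in loopback, unspecified, RFC 1918 or link-local space (the diary's exact parking value is not reproduced here; the ranges are an assumption), and it flags a previously parked name that starts resolving to a routable address, which is the moment the attacker switches the compromise back on. The log format and all addresses are constructed; the host names are the ones the diary mentions.

```python
"""Spot parked command-and-control host names in resolver logs.

Added example, not part of the original diary. Only the DNS query
betrays a client whose control host is parked, so the resolver log is
the place to look.
"""
import ipaddress
import re

# Address space a legitimate public host name has no business resolving
# to. Assumption: the diary names no ranges; these are the usual suspects.
PARKED_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",
)]

# Constructed (hypothetical) resolver log format:
#   <timestamp> client <ip> query <name> A answer <ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qname>\S+) A answer (?P<answer>\S+)$"
)


def parse_line(line):
    """Return a dict for one A-record log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        answer = ipaddress.ip_address(m.group("answer"))
    except ValueError:
        return None
    return {"ts": m.group("ts"), "client": m.group("client"),
            "qname": m.group("qname").rstrip(".").lower(), "answer": answer}


def is_parked_answer(addr):
    """True when the answer falls inside non-routable space."""
    return any(addr in net for net in PARKED_RANGES)


def is_public_name(qname):
    """Names that legitimately resolve to internal space are excluded."""
    return ("." in qname and qname != "localhost"
            and not qname.endswith((".local", ".localhost", ".internal")))


def analyze(lines):
    """Return (timestamp, client, qname, answer, reason) alerts, in log order."""
    alerts = []
    last_state = {}  # qname -> "parked" or "live", from the previous answer seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = rec["qname"]
        if not is_public_name(q):
            continue
        parked = is_parked_answer(rec["answer"])
        if parked:
            alerts.append((rec["ts"], rec["client"], q, str(rec["answer"]),
                           "public name resolves into non-routable space (parked C2?)"))
        elif last_state.get(q) == "parked":
            alerts.append((rec["ts"], rec["client"], q, str(rec["answer"]),
                           "previously parked name now routable (C2 reactivated?)"))
        last_state[q] = "parked" if parked else "live"
    return alerts


# Constructed sample log. Host names are those named in the diary; the
# timestamps, client addresses and answers are made up for the example.
SAMPLE_LOG = """\
2007-04-13T09:02:11 client 10.1.4.22 query www.example.com A answer 198.51.100.10
2007-04-13T09:02:14 client 10.1.4.22 query ding.pc-officer.com A answer 127.0.0.1
2007-04-13T09:02:15 client 10.1.4.22 query ihe1979.3322.org A answer 127.0.0.1
2007-04-13T09:05:00 client 10.1.4.22 query printer.internal A answer 10.1.4.9
2007-09-05T14:30:41 client 10.1.7.3 query ding.pc-officer.com A answer 203.0.113.7
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The sample yields three alerts: two parked names on the April client and the September reactivation of ding.pc-officer.com; the internal printer lookup is ignored.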

The privacy problem posed by trojans increases significantly when the attackers actually have a goal of gathering information about us, and it isn’t just a random infection. This type of behavior is something we as security teams should never tolerate towards our users.

By request, here are the MD5 hashes for each of the affected files:

April dropper: 7611a842392d0c3b57d2106835a27c5b
April binary: 86b426cf4162df7782df5bdeff76a1c2
September dropper: d1d78cc086466f8d2c01d02fc0c0d3c5
September binary: d7ba1cfd3ee2ddd235ddf599f73ab8fb

Maarten Van Horenbeeck


Published: 2007-09-18

MOICE - Microsoft Office Isolated Conversion Environment

Tomorrow is the release day of Office 2003 SP3. Just before another round of service pack installs, we would like to re-introduce our readers to one of the preventive components released by Microsoft called MOICE (Microsoft Office Isolated Conversion Environment). What's so great about it? MOICE is like an intrusion prevention system for Microsoft Office 2003.

We all know that Microsoft's secure development lifecycle is getting better and better; the Office 2007 file parsing code is a lot better than the Office 2003 parsing code. Based on this, the MOICE tool converts an Office 2003 (and below) document to the new Open XML format and then converts it back to the legacy binary format before the document actually gets processed. While it might sound like a whole lot more work, these extra steps provide extra validation that prevents many file parsing exploits from working against the Office instance.

To provide even more protection, the whole conversion process happens in an isolated desktop environment and runs under a low privilege account, protecting the user even if the converter itself becomes compromised.

If you are running Office 2003, you might want to seriously consider installing MOICE to protect from future attacks.

For more information on MOICE, refer to the following links





Published: 2007-09-18

Flaw in MFC42 and MFC71 findfile() function

A few readers brought it to our attention that a new 0-day vulnerability affecting the Windows platform has been published. The vulnerability is in the native Windows libraries MFC42 and MFC71. The function CFileFind::FindFile() in the MFC library lacks input validation: when the function argument is an overly long string, a heap overflow condition can result.

The effect of this vulnerability depends on the application calling the function; some applications are easier to exploit than others. It is unknown at this point which major applications are affected by this vulnerability.

Please refer to this article for more details


Published: 2007-09-17

Is Pump-and-Dump more lucrative than Identity Theft?

An interesting aspect of the Ameritrade data breach last week was that, according to their press release, the only information stolen was "contact information" such as name, e-mail, phone number and address.  Even though more sensitive data like SSNs and account numbers were in the compromised database, that information was "not taken".  While this could be due to strong internal controls that prevented the theft, it is also possible that the attackers simply weren't interested in that information (this is speculation).  The theory is that pump-and-dump scams might be what this attacker had in mind, and not identity theft.  The reality is that far more identities have been compromised than have actually been used in theft.

In a related note, the United States Securities and Exchange Commission put out this press release detailing a pump-and-dump scam that netted near $3 Million USD for the scammer.  In this case, the individual had cash-strapped companies give him a bunch of stock.  He then used pump-and-dump spams to artificially inflate the stock, at which point he cashed out.  The stock then fell when people realized the scam.  The plea deals and agreements are recent, but most of these scams took place in 2002.  With the continuing presence of pump-and-dump spam, people must still be making money with this scam.  The Ameritrade data breach case means someone out there can target their e-mails for greater effectiveness. As is the case with phishing, the more "legitimate" an e-mail is or the perception that it comes from a known source makes phishing up to 8 times more successful.

John Bambenek, bambenek/at/gmail\dot\com
University of Illinois


Published: 2007-09-16

Cyber Security Awareness Month - We Need Your Ideas

As many of you know, October is Cyber Security Awareness Month in the USA (and perhaps in other countries?)  We'd like to do a repeat of our popular "Tip of the Day" series we did last year but we need your help. 

With four full weeks (October 1st is on a Monday) and a half-week at the end, this year's plan is to have a common theme each week with a specific topic each day.  For example, we might decide that the first week is for a theme like traditional security measures, and subjects like firewalls, anti-virus software, intrusion detection, etc. become the daily topics.  Then the second week might be something like wireless security, with daily themes covering encryption, limiting the range of APs, etc.

What we need now are some ideas on the weekly themes.  We'll get to the daily topics later.  If you have suggestions please send them to us via the contact page.  Remember, right now we just need weekly themes, so pick five that would make good high level weekly areas and we'll ask for the daily topics later.  Next weekend we'll let everybody know what the top five themes are and will ask for topics.  Once we get the daily topics settled, we'll start asking for specific tips.  Each day we'll publish the tips we've received and give credit to the submitter if you want your name published.  Otherwise we'll let you stay anonymous.

Marc Sachs
Director, SANS Internet Storm Center


Published: 2007-09-16

Learning about Bots

Pedro's diary entry yesterday on malicious file names reminded me that I wanted to point everybody again at the BotHunter honeynet web site.  There's a lot of new information there, beyond just the lists of evil IP addresses and DNS look-ups.  Check out Behavioral Clusters, where you'll see that with over 6000 infections caught in the honeynet there are only about a dozen bot profiles.  If you look at the daily catch (for example, September 15 vs September 14) you'll see that the behavioral cluster doesn't show up immediately but eventually gets updated.  On September 14 the majority of the infections are "Aug-Sept-A" clusters and all are easily detected by various Snort rules and AntiVirus signatures.

Another interesting tool is the geographic distribution of infection sources for a particular malware binary.  For example, the first infection for September 15 has a malware hash of a12cab51ef.  In the column labeled "Packed Malware Binary" you'll see a link to [Firefox:203 hits: 05-01 to 09-02].  If you follow that link you'll see a Google map that shows the infection sources for this particular piece of malware over the past few months.  Of course, the accuracy of the dots on the Google map depends on the accuracy of the ARIN, RIPE, APNIC, AFRINIC, and LACNIC databases, which as we know are all highly accurate and dependable.   :)

If you enjoy looking at the automated output of the honeynet, be sure to download a copy of the BotHunter program itself and run it inside your own environment.  This is a government funded research project so there is no charge for the public distribution.

Marc Sachs
Director, SANS Internet Storm Center


Published: 2007-09-15

Malicious File names of the day

Ok, so today is Saturday. And what is a nice thing to do on a sunny morning? Yes, play with honeypot logs! :)

What follows below is a list of filenames being used by downloaded/dropped malware. This list consolidates data from the last month until today and is sorted by appearance:


And what could you do with such a list? Well, of course it will not replace your AV, but you could use it as a feed for a script that looks for those (uncommon) filenames on your machine(s) :)


A reader sent a list from what he got last week:





Handlers on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)


Published: 2007-09-14

TD Ameritrade info stolen

We've gotten several reports about a new article that's been posted around about Ameritrade.


"TD Ameritrade Holding Corp. said Friday one of its databases was hacked and contact information for its more than 6.3 million customers was stolen." -- Quote from Article


Ameritrade has put out some info on their website, make sure you check it out:  http://www.amtd.com/newsroom/releasedetail.cfm?ReleaseID=264044


Thanks to all those that wrote in!



Joel Esler





Published: 2007-09-13

Is Microsoft Doing a Stealth Update?

We have received several emails from readers today regarding concern over reports that Microsoft had begun patching files on Windows XP and Vista without users' knowledge.  It was reported that even though the user had turned off auto-updates some of the files were still being updated.





There is a lot of concern about these updates and rightfully so.  One of our readers, Wade, posed some very interesting questions in regard to this issue.  Here is what he had to say:

 “In the case of compliance auditing, does this revelation mean that unless we completely block access to the Microsoft update servers at the firewall, we cannot attest that we have full knowledge and control of all changes to our systems?  Does this functionality classify as malware, in that changes to "your" system are occurring without your explicit knowledge or consent? (Ignoring the fact that you "signed" the EULA absolving Microsoft from any wrong doing in any situation).”

 As I thought about his questions, I have to admit that I agreed with him and that it does raise some issues in the area of compliance auditing and the ability to say without a doubt we have full control and knowledge of all changes made to our system. I was concerned about how I would answer this question on my next audit.

So I decided to check with Microsoft to see what this was all about.  I quickly received information that has helped to at least put my mind at ease.  From what I can tell from the Microsoft information this update is not taking place automatically, but rather takes place when you go to their update site. So if you never go to the update site or you never check for updates… you will not get the updates.


Microsoft’s article contains this:

 “Before closing, I would like to address another misconception that I have seen publically reported. WU does not automatically update itself when Automatic Updates is turned off, this only happens when the customer is using WU to automatically install upgrades or to be notified of updates.”

So, I guess I feel a little better about this.  There is still the possibility, I suppose, that Microsoft could install some other program via this process without our knowledge. (Malware and virus authors have been silently installing programs this way for years.)   For this reason we have to remain vigilant, watchful, and not become complacent when it comes to our computers and our networks.

Thanks to everyone that contributed links and information.




Published: 2007-09-13

Experimental Storm Worm DNS Blocklist

Threatstop is currently experimenting with a DNS based blocklist scheme to dynamically block Storm worm infected hosts. It's a test list they offer for free to get some feedback on how well it works for people. Their scheme differs from traditional DNS blocklists, which require a DNS lookup for each new IP address seen. Instead, you add a hostname to your blocklist, which then resolves to multiple A records, each of which is an IP address to be blocked. It appears that most firewalls will refresh the list whenever the TTL for the record expires. Currently, the following hostnames can be used: basic.threatstop.com, basic1.threatstop.com, basic2.threatstop.com, basic3.threatstop.com and basic4.threatstop.com. Each one resolves to a set of Storm infected IPs. This is just a temporary service to test this distribution method with a larger set of users. For more details, see the threatstop.com website.
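Consuming a list distributed this way is mostly a matter of parsing the A records, honouring the TTL, and not trusting the feed blindly. The following is an added example and not Threatstop's code: it reads a constructed dig-style answer section (an assumed format), drops any address inside the site's own ranges so a bad entry cannot black-hole the site itself, derives the refresh deadline from the smallest TTL, and reports the delta against the previous snapshot so firewall rules can be added and removed incrementally. The host names are those from the diary; the addresses and TTLs are constructed.

```python
"""Consume a DNS-distributed blocklist: many A records under one name.

Added example, not Threatstop's code. The answer format and the
PROTECTED_RANGES value are assumptions for the demonstration.
"""
import ipaddress

# Host names named in the diary.
BLOCKLIST_NAMES = {
    "basic.threatstop.com", "basic1.threatstop.com", "basic2.threatstop.com",
    "basic3.threatstop.com", "basic4.threatstop.com",
}

# Assumption: the consuming site's own address space. Never block these,
# whatever the feed says, or a poisoned or mistyped entry cuts you off.
PROTECTED_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]


def parse_blocklist_answer(text):
    """Return (addresses_to_block, min_ttl, rejected) from dig-style A records.

    Lines look like "name ttl IN A addr"; ';' lines are dig comments.
    """
    block, rejected, ttls = set(), [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN" or parts[3] != "A":
            continue  # not an A record in the expected shape
        name = parts[0].rstrip(".").lower()
        if name not in BLOCKLIST_NAMES:
            continue  # answer for a name we did not ask for; ignore it
        try:
            addr = ipaddress.IPv4Address(parts[4])
            ttl = int(parts[1])
        except ValueError:
            rejected.append(parts[4])
            continue
        if any(addr in net for net in PROTECTED_RANGES):
            rejected.append(str(addr))
            continue
        block.add(str(addr))
        ttls.append(ttl)
    return block, (min(ttls) if ttls else 0), rejected


def refresh_due(fetched_at, min_ttl, now):
    """True once the cached list has outlived the shortest record TTL (seconds)."""
    return now >= fetched_at + min_ttl


def rule_delta(previous, current):
    """(addresses to start blocking, addresses to stop blocking), both sorted."""
    return sorted(current - previous), sorted(previous - current)


# Constructed answer section. Addresses are documentation ranges, not real
# infected hosts; the 10.0.0.1 entry is there to exercise the safety check.
SAMPLE_ANSWER = """\
; <<>> constructed dig output <<>> basic.threatstop.com
basic.threatstop.com.  300  IN  A  203.0.113.10
basic.threatstop.com.  300  IN  A  203.0.113.11
basic.threatstop.com.  120  IN  A  198.51.100.5
basic.threatstop.com.  300  IN  A  10.0.0.1
other.example.net.     300  IN  A  198.51.100.99
"""

if __name__ == "__main__":
    current, ttl, rejected = parse_blocklist_answer(SAMPLE_ANSWER)
    previous = {"203.0.113.10", "192.0.2.44"}  # what we blocked last refresh
    add, remove = rule_delta(previous, current)
    print("block:", add, "unblock:", remove, "refresh in", ttl, "s")
    print("rejected:", rejected)
```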


Published: 2007-09-12

Why every email is important

At first glance, it looked to be the same as any one of a thousand other e-mails.

The following is from an e-mail that was forwarded to us because delivery to the original sender bounced:

I just wanted to make sure you know that currently most (or all) of the images and navigation on Bastille-linux.org are broken.  I appreciate the project and all you do for the info sec community.   If there is something I can do for you please let me know.

We always get reports of sites that are down or somehow "wrong".  Quite often it's a localized routing problem, other times it is a browser rendering issue, but when we get a report of a site down, more often than not there is no malicious activity.

Not this time.

After investigation by ISC Handlers Don Smith and Joel Esler in combination with site owner Jay Beale, Jay issued a statement here that began:

"Dear Bastille Linux Users, On the morning of September 11th, 2007, alerted by handlers from the Internet Storm Center, I learned that one Mykhaylo Perebiynis purchased our Bastille Linux domain and is demanding $10,000 to return it to the project. He appears to be in business as a domain squatter."

Please make sure you read the full text of Jay's announcement which includes the PGP fingerprint for the key he will be using to sign any downloads and critical e-mail announcements going forward.

At SANSFIRE this year, one of the comments during the Handlers forum panel discussion was that the reader was concerned about sending in reports that turn out to be incorrect (because of a routing problem, browser issue, user error ...) and "bother us".

Don't be.

This is a perfect example of how something that you might think we consider "routine" and not important turns out to be (for Jay) a major event.

In incident handling, the sooner the compromise is detected, the sooner it can be contained, eradicated and recovered from.

This time, the issue is relatively limited.  Next time ...

And in case you're curious, the publicly available WHOIS information for the current (not Jay Beale) domain owner is available here


Published: 2007-09-12

XSIO: Cross Site Image Overlaying

I found a new paper on a vulnerability called XSIO. XSIO stands for "Cross Site Image Overlaying" and is basically the same as XSS except there is no scripting involved, but instead an image is referenced and positioned using CSS over an important part of a website.

I've seen images being used in the past to convince e.g. managers of the need to fix XSS vulnerabilities. Basically it's too hard to explain how bad XSS is without going into some level of technical detail. It's just simpler to understand the impact of that "inappropriate" image on a website than it is to explain how the website's vulnerability causes the clients to get exploited via XSS.

The defense is the same as with XSS: input and output validation, echoing back input from the user is asking for trouble.

Swa Frantzen -- NET2S


Published: 2007-09-11

September Microsoft patch overview

Overview of the September 2007 Microsoft patches and their status.

Columns: # | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) (clients / servers)

MS07-051
  An input validation failure allows remote code execution via crafted URLs with the rights of the logged on user. Replaces MS07-020.
  Affected: Agent (Windows 2000)
  Contra Indications: KB 938827
  Known Exploits: No known exploits
  Microsoft rating: Critical
  ISC rating: clients Critical / servers Important

MS07-052
  Input validation failure leads to a buffer overflow that allows remote code execution via a crafted "RPT" file with the rights of the logged on user.
  Affected: Crystal Reports redistributed with Visual Studio
  Contra Indications: KB 941522
  Known Exploits: Well known vulnerability with public exploit code
  Microsoft rating: Important
  ISC rating: clients Important(**)(***) / servers Less Urgent(**)(***)

MS07-053
  suid binaries allow escalation of privileges.
  Affected: Windows Services for UNIX
  Contra Indications: KB 939778
  Known Exploits: No publicly known exploits
  Microsoft rating: Important
  ISC rating: clients Less Urgent(**) / servers Important(**)

MS07-054
  Unspecified failure allows remote code execution with the rights of the logged on user.
  Contra Indications: KB 942099
  Known Exploits: Details of how to exploit are public
  Microsoft rating: Important
  ISC rating: clients Critical / servers Important


We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): If installed.

(***): This rating is provided the RPT files have not been associated with Crystal Reports, which is the default.

Swa Frantzen -- NET2S


Published: 2007-09-11

TOR - sniffing exit nodes

The (IT) press is buzzing somewhat with attacks against the onion router (TOR).
The problem lies in an attack that was performed and used to gain access to mailboxes by setting up some Tor exit nodes and sniffing their unencrypted side.

From a technical perspective these attacks are known and documented in e.g. the Tor FAQ:

Tor -tries to- provide anonymity. Anonymity and security are two different beasts. When passing unencrypted traffic (such as POP3, IMAP etc) you are basically not only handing the malicious Tor exit node the contents of your email, but also -in many cases- the keys (login and password) to your mailbox.

Swa Frantzen -- NET2S


Published: 2007-09-10

Skype worm

A worm is currently spreading which is specifically aimed at Skype users. Known as Ramex, Skipi or Pykspa, it abuses the chat function of Skype to send a short message containing a link to a seemingly benign JPEG file to other users. Users that click on the link will download and run a copy of the worm, and start to infect others.

Skype's heartbeat has a brief entry on this new malcode which contains manual removal instructions. Samples of the worm have been gathered and are currently under analysis to improve anti-virus coverage. In the meanwhile, you may wish to educate your users not to click on seemingly benign links.


Published: 2007-09-08

"Are you ready for some football?"

With the NFL season about to start, it seems that the Storm worm authors have got a new "teaser" topic to try to catch your interest.  Thanks to Nicholas from DISOG for the heads-up.


Published: 2007-09-08

AOL changes the free anti-virus they distribute

We've gotten e-mail from several people over the last week from folks who suddenly weren't able to get updates (after 31 Aug) to the "Active Virus Shield powered by Kaspersky" that they had gotten from AOL.  It appears that AOL has switched from Kaspersky to McAfee and are now distributing "McAfee Virus Scan Plus-Special edition from AOL" according to this page.  It isn't entirely clear how (or if) this was communicated to the folks using the Kaspersky software.  If you follow the link at the bottom of the page it looks like the old software may still get updates if you point back to a Kaspersky site, but that isn't entirely clear and I was unable to find anyone to answer that question for sure today (I'll update the story if I get more info).  Without some action by the user, however, it appears that they will now be unprotected, which is unfortunate.  In the meantime, if you have an AOL e-mail address, you can still get free anti-virus software from here.  Kaspersky and McAfee are two of the big names in the field, so both are good.  I'm not sure why AOL decided to change, but they are still to be commended for providing anti-virus software to their customers.


Published: 2007-09-07

Next week's Microsoft patches

Yesterday, Microsoft sent out their advanced notice of next week's patch Tuesday.  There will be 5, 1 rated critical, the rest important.  Components affected include Windows, Visual Studio, Windows Services for Unix, and Windows Messenger.  We'll have our usual coverage (table and all) as soon as we can after they go live on the Microsoft site on Tuesday.  Hopefully, this will be a relatively quiet Black Tuesday.


Published: 2007-09-05

Dealing with application in-security

At the recent SANS Application Security Summit, I had the pleasure to chat with some of the brightest minds in the webappsec field. Aside from educating the developers, everyone seems to agree that we need to roll security into development lifecycle and make sure we test the security aspects of applications before letting them move into production. On the testing front, there has been lots of activity in the product space.

You can have a static code scanner that scans source code for vulnerabilities. The approach is obviously more thorough, but it can generate tons of alerts that overwhelm the user. Rolling it into the development lifecycle can be a big challenge; organizations are struggling to place it between developers and QA, and some organizations are more successful than others. Overall, organizations have to really change their development culture to adopt a static source scanning product.

The runtime analysis tools (commonly known as web application scanners) have been around for a long while. There has been some M&A happening in that space recently (here and here). The principle of application security scanners is simple: you throw bad input at the application and see how it reacts. Some scanners obviously perform better than others at the scanning itself, but at the end of the day they perform similar functions.

The industry is now waking up to the fact that identifying the vulnerabilities is only the first step; fixing the vast numbers of vulnerabilities in a short period of time while keeping the false positives at bay is ridiculously difficult. Jeremiah Grossman from WhiteHat Security revealed at the summit how many vulnerabilities he has seen in the past months: "there's just so many vulnerabilities." This feeling is shared by most others in the field. Most vendors in the testing field are tackling the problem of addressing things at a large scale, answering the need to find vulnerabilities quickly and accurately across many applications.

False positives are one huge issue that organizations are facing. It is not surprising for a tool to produce a few hundred false positives for one single application. It takes time and expertise to eliminate them, and that elimination work has become a burden for some organizations. There is a movement towards a service model for vulnerability assessment, especially for shops that lack app sec expertise. In the service model, the owner of the application gets a report of the vulnerabilities in the application with most of the false positives already eliminated.

Testing results are still not the end state of securing applications. Finding vulnerabilities is one thing, fixing them is another. The industry is in serious need of expertise to fix applications: experts who can guide the developer to the proper solution for fixing the vulnerabilities, for lack of a better term, "the application security janitor". A lot of the time, developers just get handed vulnerabilities that they cannot easily fix. Some vulnerabilities are not even meant to be fixed by the developer, as those flaws were introduced at design time (e.g. lack of encryption). Some of those tasks require going back to the drawing board (involving the architects) to fix. This is where the "janitor" role becomes very useful in helping to distinguish the flaws and in getting the right parties involved.

As the goal of application security has been well defined, the industry is slowly moving towards it while figuring out the exact path to get there.

Shameless plug: SANS published two videos (video 1 and video 2) related to AJAX security on YouTube (featuring Johannes Ullrich and myself).


Published: 2007-09-04

Websense blocking isc.sans.org

We continue to receive reports about users of Websense being blocked from visiting http://isc.sans.org . We contacted Websense and they told us that they are not blocking access to our site.

If you are running into this issue, please contact Websense support. Mention the exact version of their software you are running, including the database version and when it was last updated. You may also want to mention the exact URL that is being blocked (e.g. is it the index page, or a particular diary? Which domain: isc.sans.org, incidents.org, ...?).

Update: Websense informed us that the latest database should fix the problem.


Published: 2007-09-03

Deobfuscating VBScript

A couple of days ago Maarten wrote a nice diary about an iframe tag pointing to a “benign” VBScript that was planted on a relatively high profile web site in Belgium (the original diary is here: http://isc.sans.org/diary.html?storyid=3324).

I’ve been thinking about writing a diary about how to deobfuscate VBScript for quite some time and recently even received a couple of e-mails about this (since we have covered JavaScript deobfuscation pretty thoroughly here, I would say), so here we go ..

The main problem with VBScript is that you basically have to run it on Windows – there aren’t any stand-alone VBScript interpreters for Linux (as far as I know – if you know of one please let us know through our contact form).

As we have to work with malicious VBScript programs on Windows platforms, this also means that we have to be extra careful – we are actually using the platform that the original exploit was written for (virtual machines come to help here – you don’t want to infect your main host accidentally). As an analyst, you now have the following options:

  • Use Windows Script Host which can execute VBScript from the command line (the wscript command).
  • Use Microsoft Script Debugger from Internet Explorer.
  • Use Microsoft Script Editor from Internet Explorer.

I will explain methods 1) and 3) here and leave 2) for a future diary (or as an exercise for you, if you find this whole diary interesting). The example malicious VBScript is almost the same as the one Maarten analyzed (and which is pretty popular). The screenshot below shows the important part, where the decoded content is executed with the execute(decode(cde)) call (the program first calls the decode() function and then executes its output):

Obfuscated VBScript

Windows Script Host

Wscript is an interpreter that comes with Windows and can easily execute VBScript programs. When deobfuscating VBScript programs with wscript, almost the same rules apply as when using SpiderMonkey with JavaScript. As we typically want to see what will happen when the current layer is deobfuscated, the most important part of the deobfuscation process is to change the execute() calls to Wscript’s equivalent of print, wscript.echo, so the final two lines will look like this:

Wscript.echo (decode(abc))
Wscript.echo (decode(cde))

You will also have to strip all non-VBScript content (similar to how you have to strip out all non-JavaScript content when running a script through SpiderMonkey) and change the extension to .vbs, so wscript will know how to execute it. After this is done, you can just start the script with:

wscript sina.vbs

And the output will look like this:


This is pretty much self-explanatory … Let’s see the other method.
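As an added example (not code from the diary), here is a small Python helper that does the preparation steps above for a saved HTML page: it strips everything outside the VBScript block and rewrites the execute() calls to Wscript.Echo, producing the text you would save as a .vbs and run under wscript. The sample page, the stub decode() function and the UTF-16 reading of the hex payload are my assumptions, not the diary's.

```python
import re
from typing import List

# Constructed sample (not from the diary): an HTML page carrying an obfuscated
# VBScript laid out like the one discussed above. The hex payloads are made up
# and shortened, and the real decoder body is not reproduced.
SAMPLE_HTML = """<html><body><p>harmless page text</p>
<Script language="VBScript">
abc = "006F006E002000650072"
cde = "00680069"
Function decode(s)
  ' the sample's own decoder would live here; left as a stub
  decode = s
End Function
execute(decode(abc))
Execute (decode(cde))
</Script>
</body></html>"""

# A VBScript block: <script ... language="VBScript" ...> ... </script>, any case.
SCRIPT_RE = re.compile(
    r'<script[^>]*language\s*=\s*"?vbscript"?[^>]*>(.*?)</script>', re.I | re.S)

# execute()/ExecuteGlobal() calls, whatever the casing and spacing. These run a
# string as code; Wscript.Echo just prints it, which is the whole trick.
EXECUTE_RE = re.compile(r'\b(execute|executeglobal)\s*\(', re.I)


def extract_vbscript(html: str) -> List[str]:
    """Strip the HTML and return only the VBScript block bodies."""
    return [m.group(1).strip() for m in SCRIPT_RE.finditer(html)]


def neuter_execute(script: str) -> str:
    """Swap execute(...) for Wscript.Echo(...) so the next layer is shown, not run."""
    return EXECUTE_RE.sub("Wscript.Echo(", script)


def to_vbs(html: str) -> str:
    """Text to save as <name>.vbs and run with: wscript <name>.vbs"""
    return "\n".join(neuter_execute(b) for b in extract_vbscript(html)) + "\n"


def decode_utf16_hex(payload: str) -> str:
    """Assumption, not from the diary: the sample's 4-hex-digits-per-character
    layout (006F 006E ...) reads as UTF-16BE, so it can be previewed offline."""
    return bytes.fromhex(payload).decode("utf-16-be")


if __name__ == "__main__":
    print(to_vbs(SAMPLE_HTML))
    print("payload preview:", repr(decode_utf16_hex("006F006E002000650072")))
```

Only calls spelled out literally are rewritten, so read the output before running it: anything the regex missed is still live code and belongs in the isolated virtual machine like everything else.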

Using Microsoft Script Editor

Microsoft Script Editor is a powerful utility that comes with Microsoft Office so in order to install it you have to have a Microsoft Office license (I will cover the free Microsoft Script Debugger in a future diary – there is a reason I picked this one, as you will see in a future diary as well). Microsoft Script Editor will not be installed with Office by default, so you’ll have to add it (it’s under Office Tools and is called Microsoft Script Editor (HTML Source Editing)).

It is easy to check whether it’s installed correctly, since we have to configure Internet Explorer to use it as well. So first start Internet Explorer, go to Tools -> Internet Options -> Advanced and deselect Disable Script debugging (Internet Explorer). Now restart Internet Explorer and, if everything is fine, under View you should have an option called Script Debugger:

IE options

If you click on Open, Internet Explorer will let you choose between the available debuggers, if you have more than one.

Now that we have our environment ready, let’s prepare the malicious VB Script. A nice thing when debugging programs like this is that we don’t have to strip out any HTML tags since Internet Explorer will parse that properly for us. There is one thing I like to do in advance, though. While you can tell Internet Explorer to break the script at the next statement, I prefer to do this manually by adding the statement “stop”. This is similar to a breakpoint, so the result will look like this:

<Script language="VBScript">
abc = "006F006E002000650072….. [rest of the code]

Now we basically execute the file from Internet Explorer (double-click it, but do this in an isolated virtual machine) and Internet Explorer will immediately ask us which debugger we want to use. Select Microsoft Script Editor and you will end up debugging the file:

Microsoft Script Editor

You can now use all debugging features you want, set breakpoints and see what’s going on. Microsoft Script Editor is an extremely powerful tool, so if you often have to analyze malicious JavaScript/VBScript files you should get familiar with it. Next time I will show you how you can use Microsoft Script Editor to defeat a very complex obfuscation method with only two clicks.

I have to stress, once again, how important it is to do this in an isolated virtual machine, since you will be executing the malicious code.



Published: 2007-09-03

Immanentize the Eschaton

A couple of weeks ago, my stepdaughter came home from college for a long weekend and brought her roommate's computer. Like most of us, I end up playing the leading role in the “Six Degrees of HelpDesk” game... you know... the one where you do technical support for a-friend-of-a-relative-of-a-next-door-neighbor-of-your-wife's-hairdresser's-second-cousin? For the most part, I really don't mind, because... well... it gives me a chance to pad out my collections of mp3s* and porn**.

The machine in question had more than a few issues. In its relatively short life, it had two different major AV packages installed. One of them had been rather incompletely uninstalled, leaving behind several running processes that were bogging the machine down horribly. The product that had been installed in its place wasn't doing too well either. Most all of its detection functionality was disabled (more on this later) and it hadn't been updated in months. I tried to jump-start the AV, but something kept shutting it off.

To those problems, add the fact that a glance at the registry showed several suspicious “RUN” values, and what should have been a rather peppy machine took nearly 15 minutes to fully boot. Not good.

My stepdaughter brought the machine home for me to see if I could get the wireless network card to work, but networking this box would be like... well... like asking Lindsey Lohan to drive down to the corner liquor store and pick you up a bottle of Jack Daniels....

So... I set to work doing my normal computer cleanin' schtick. I keep a bunch of tools on a USB key for jobs like this, and after whacking more than a few ugly little critters, I tried kicking the current AV program to life.

Big mistake.

The program started up just fine, and once it realized that it was waaaay past due for a full system scan, it fired up a window and started listing off the files that it was dutifully inspecting. As I watched the list scroll by, it slowly dawned on me that the filenames seemed awfully familiar. For whatever reason, the program had decided that the first disk it was going to inspect was my USB drive.

Suddenly, a little red window popped up and announced that the program had found and removed some malicious code... a little executable called Spycar.exe.

For those of you who don't know, Spycar is a suite of programs that I wrote about 18 months ago to test the behavior-based detection capabilities of anti-spyware programs. Ed Skoudis and I were reviewing enterprise anti-spyware for Information Security magazine and we needed a repeatable way to test specific spyware-like behavior.  The Spycar tools do about 25 different “things” that spyware typically might do (it will drop a program and install it to run automatically at startup, it will change and lock IE's homepage, it will drop and launch a keystroke logger, etc... and when it's all done, it'll clean up after itself). While Spycar represented only a small portion of our overall testing strategy, our release of the tool following our testing apparently immanentized the Eschaton (look it up... from the first line of a very cool book) as far as the anti-spyware folks were concerned.

Holy Smoke! It was like Tom and Ed had shown up naked for church (something which I would heartily discourage... pews are cold, and there's the ever-present danger of splinters...) The Skodo-Liston hate-fest flew to fever-pitch when Consumer Reports, in a display of poor judgment, used Spycar as the sole criterion for their own magazine's anti-spyware shoot-out (Note: That was done without contacting us to ask what we thought of the idea... it was also in direct violation of Spycar's online documentation and EULA. Worse still... they didn't comp either of us with a free subscription... )

So here we are, a year and a half later, and I'm watching an AV program eat the copy of Spycar that I had on my USB key. What the heck? Spycar isn't malicious, it's a testing program. It isn't evil – it's just a tool for testing the limits of anti-malware's behavior-based detection capabilities. So why tag the executable as malicious and delete it?

But wait... the funny thing was, the version of Spycar that was detected and removed was one that had never been publicly released.  It was a copy of Spycar version 2 that was written about nine months ago, and sent out to select AV vendors for comment.  Interesting... here it was being detected just sittin' around on my USB key.

Hmmm... suppose you have an anti-spyware tool that doesn't have behavior-based detection. Or, what if you do have behavior based detection, but it's pretty crappy. What better way to deal with Spycar than to write a signature for it, EVEN BEFORE IT IS RELEASED...

Huh... seems that Spycar can detect lousy behavior-based detection without even being run.

I'm a better programmer than I thought.

(FYI: By the way, right now, Skodo and Matt Carpenter are testing various enterprise anti-malware tools and are using a massively polymorphic version of Spycar 2 that I whipped up to evaluate their behavior-based detection capabilities.  Happily, the polymorphism stuff I brewed in the lab quite effectively dodges their signature defenses, so we can separate out their behavior-based detection abilities.  Awww... too bad AV dudes...)

-Tom Liston - Intelguardians

* To all my friends at the RIAA: I'm talking about free, legal, re-distributable music here, of course.  Believe it or not, some artists release their work for free and want it distributed far and wide without involving record companies.  I know, I know... it's sacrilege.

** Honey... it's a joke... really.  Honey?  Sweetheart? Hello?


Published: 2007-09-02

To AV or not to AV, is that the question?

Over the last few years we have seen malware go from the “Oh, look at me” attempts at “fame” to “how much can I make” approaches.  It has now become a business.  To succeed in this kind of business you need malware that is delivered and remains undetected.  But you also have to keep costs low.  Often this results in variations: the same malware over and over again, but wearing different coats, a funny hat or a false moustache.  To protect against malware we use our trusty antivirus product, because it will find all those nasties, right?

Wrong.  For example, earlier in the week we received a file, delivered through what seems to be a targeted SPAM attack.  Running the file through VirusTotal showed that the file was detected by two products.  After identifying the site it pulled the next file from, that file was also downloaded and submitted to VirusTotal.  This time only one product flagged it as something that should be looked at.  A little digging showed that the files were a variant of a particular bot.  This variant created the same named files as the original and had essentially exactly the same behaviour pattern.  It waddled like a duck, quacked like one, two wings and two feet; it just had blue feathers instead of brown ones.  So why the virtually nil detection rate?

To answer that we’ll go back to the blocklist diary from a few days ago.  The main component of most AV products is the signature or pattern recognition component.  Essentially a blocklist: I see something I don’t like and I’ll block it.  This makes the product only as strong as the capabilities of the people who write the signatures, as well as the processes the vendor has in place to produce signatures.  And whilst some vendors are quick off the mark, there are some who, for example, three days after a file was submitted still have not produced a signature (detection of the two files mentioned above is now at a staggering 40% of the AV vendors at VirusTotal).

The main issue with this approach is that the blocklist method only detects those pieces of malware that are already known in the wild, leaving plenty of opportunity for a blue or red duck to waddle past the defences.  If the pattern doesn't match it is passed, hence the low detection rate.  Does this mean that we are at the stage where pattern-based AV products are a thing of the past?

Possibly not; after all, a pattern check is nice and fast, so it probably has a place in the new order.  But we will need to do something else.  The various AV vendors are looking at solutions and many are bringing out new products this year.  There are also a number of behaviour-based systems that have a reasonable track record without too many false positives.  Or is something more drastic needed, such as the approach taken by the One Laptop per Child project with Bitfrost, where every process essentially runs in its own virtual machine?

One thing is for certain: the malware business model works (Storm seems to be doing well) and until we change the approach to managing malware it will continue to.  As many of us have learned the hard way, you can't put all your eggs in one basket.  By relying on AV alone you may be exposing your machine or your network.


Mark H - Shearwater


Published: 2007-09-02

Network Solutions having the day off? (nope just a few hrs)

UPDATE: And it's back to normal.

A few readers have reported that Network Solutions seems to be off the air.

No information on how and why just yet.  We'll keep an eye on it throughout the day and provide an update when we know more.  In the meantime you may need to find yourself a different DNS server to use.

Mark H - Shearwater