Published: 2008-02-29

Smiling Bob or Lying Bob, you decide.

The makers of Enzyte have been convicted of conspiracy and fraud.
“The company's scheme involved false advertising which included made-up claims about size increases, fake customer satisfaction ratings, and fictitious doctors who the ads falsely claimed collaborated for 13 years to develop Enzyte, the company's leading male enhancement product. The false ads also contained representations about money-back guarantees that the company as a matter of practice would not honor. As part of the scheme, the conspirators placed many consumers who responded to free-trial solicitations on an automatic shipment program without the customer's authorization, knowledge, or consent. Berkeley would then send the product to the consumer and bill the consumer's credit card regularly. When customers called to cancel, the conspirators employed various means to delay or hinder any returns or cancellations from occurring. The trial included testimony from 22 customers from across the country, witnesses from the Better Business Bureau, law enforcement agencies, and copies of internal documents including emails outlining the scheme.”

What is Enzyte? USA Today ran an article that included a list of ingredients,
along with quotes from real doctors stating that the claims being made
make no sense. The company's site is still up; they still answer the phone
and will offer to sell you their product.


Published: 2008-02-29

Dense Distributed SSH bruteforce attempts

A contributor (Ben) wrote in with an unusually dense distributed SSH scan.

“We noticed an interesting SSH probe attempt today. In order to prevent iptables blocking based on the number of probes per minute, each address in an entire Class C block generated only one or two SSH probes each. These probes all came from”

Based on the information Ben shared with us, the probes appeared to come from
most of the IPs in a /24 CIDR block. The last octet is fairly random.
There is some clustering, such as a "run" of 200s, but that could still
be pseudo-random. So who owns that CIDR block?

Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: -
netname: TTTNET
descr: Maxnet, Internet Service Provider, Bangkok
descr: under management by TT&T co,.ltd Thailand
country: TH
e-mail: noc@tttmaxnet.com
address: 252/30 Muang Thai Phatra Complex Tower 1, 22nd Fl., Ratchadaphisek
Rd.,Huaykwang, Bangkok 10320 Thailand
phone: +66-2-693-2100
fax-no: +66-2-693-2100
country: TH
changed: wichaip@ttt.co.th 20060410
mnt-by: MAINT-NEW
source: APNIC

Traceroute shows them near Singapore, so Thailand is reasonable.

Tracing route to mx-ll-58.147.10-115.tttmaxnet.com []
over a maximum of 30 hops:
1 2 ms 1 ms 1 ms
13 332 ms 334 ms 336 ms ix-2-1-1.core1.S9R-Singapore.Teleglobe.net []
14 353 ms 356 ms 512 ms mx-ll-58.147.0-45.tttmaxnet.com []
15 393 ms 368 ms 334 ms mx-ll-58.147.0-61.tttmaxnet.com []
16 337 ms 339 ms 339 ms mx-ll-58.147.0-85.tttmaxnet.com []
17 341 ms 340 ms 338 ms mx-ll-58.147.0-21.tttmaxnet.com []
18 mx-ll-58.147.4-118.tttmaxnet.com [] reports: Destination host

I seem to be the handler who gets the distributed SSH scan reports.
I wrote a diary about some seen last year that appeared to be
distributed and coordinated (sharing a dictionary across multiple hosts).
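The trick Ben describes defeats any per-source-address threshold: no single host ever trips it. What does catch it is counting failures per network rather than per address. The script below is an added example (not Ben's data and not part of the original diary) that aggregates sshd "Failed password" lines by /24 and flags networks where many distinct hosts each made only one or two attempts; the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sshd log lines (not Ben's data): six hosts in one /24 make one or two
# attempts each, while a single host elsewhere makes six, and one login succeeds.
SAMPLE_LOG = """\
Feb 29 10:01:02 bastion sshd[4011]: Failed password for invalid user admin from 198.51.100.17 port 52212 ssh2
Feb 29 10:01:04 bastion sshd[4013]: Failed password for root from 198.51.100.203 port 41110 ssh2
Feb 29 10:01:05 bastion sshd[4015]: Failed password for invalid user test from 198.51.100.88 port 49031 ssh2
Feb 29 10:01:07 bastion sshd[4017]: Failed password for invalid user oracle from 198.51.100.201 port 38820 ssh2
Feb 29 10:01:08 bastion sshd[4019]: Failed password for root from 198.51.100.201 port 38821 ssh2
Feb 29 10:01:09 bastion sshd[4021]: Failed password for invalid user guest from 198.51.100.5 port 55100 ssh2
Feb 29 10:01:11 bastion sshd[4023]: Failed password for invalid user admin from 198.51.100.140 port 60012 ssh2
Feb 29 10:02:00 bastion sshd[4030]: Failed password for root from 203.0.113.9 port 33000 ssh2
Feb 29 10:02:01 bastion sshd[4031]: Failed password for root from 203.0.113.9 port 33001 ssh2
Feb 29 10:02:02 bastion sshd[4032]: Failed password for root from 203.0.113.9 port 33002 ssh2
Feb 29 10:02:03 bastion sshd[4033]: Failed password for root from 203.0.113.9 port 33003 ssh2
Feb 29 10:02:04 bastion sshd[4034]: Failed password for root from 203.0.113.9 port 33004 ssh2
Feb 29 10:02:05 bastion sshd[4035]: Failed password for root from 203.0.113.9 port 33005 ssh2
Feb 29 10:03:00 bastion sshd[4040]: Accepted publickey for ops from 192.0.2.10 port 50000 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port"
)


def parse_failures(log_text):
    """Yield (username, source_ip) for every sshd password failure in the log."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def failures_by_prefix(log_text, prefixlen=24):
    """Group failures by /prefixlen network: {network: {source_ip: count}}."""
    nets = defaultdict(lambda: defaultdict(int))
    for _user, ip in parse_failures(log_text):
        nets[ip_network(f"{ip}/{prefixlen}", strict=False)][ip] += 1
    return nets


def find_distributed_scans(log_text, prefixlen=24, min_sources=5, max_per_source=2):
    """Networks in which at least min_sources distinct hosts each made no more than
    max_per_source attempts. Returns [(network, distinct_sources, total_failures)].
    A per-IP threshold never fires on such a scan; a per-network one does."""
    hits = []
    for net, per_ip in failures_by_prefix(log_text, prefixlen).items():
        quiet = [ip for ip, n in per_ip.items() if n <= max_per_source]
        if len(quiet) >= min_sources:
            hits.append((str(net), len(per_ip), sum(per_ip.values())))
    return sorted(hits)


if __name__ == "__main__":
    for net, sources, total in find_distributed_scans(SAMPLE_LOG):
        print(f"{net}: {total} failures spread over {sources} hosts")
```

On the sample this reports 198.51.100.0/24 (7 failures over 6 hosts) and stays silent on 203.0.113.9, which a per-IP rule handles by itself. The same idea can be applied in the firewall: the iptables hashlimit match takes a `--hashlimit-srcmask 24` option so the rate limit is tracked per /24 instead of per address.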


Published: 2008-02-28

'coldboot' - guidance for your users

When I started a few days ago with the follow-up diary entry on the original coldboot entry, I was hoping to provide an overview that e.g. security officers could use to make sure their users knew how to use the encryption products installed on their machines in order to ensure that the intended protection is actually achieved. But we're faced with a situation where we need to rely on contradictory claims we have no way to validate. Hence, to avoid spreading false information, I'm pulling the overview in the guidance diary, and will change it into a list of vendor reactions.

Only a deep technical audit (reverse engineering or source code review) of all these products could provide the needed answers, but we just don't have the resources to do that now.

Instead, I've decided to pass on the hard-to-answer questions for you to put to your vendors: if I can't pressure them, collectively we might still cast our vote for honesty and openness.

For the typical pre-boot whole disk encryption, without added hardware:

  • How is/are the key(s) protected in a machine that's fully off ?
    Know that the key is a cryptographic key (e.g. an AES key): it's a sequence of bits, not a password you type. It needs to be stored somewhere, somehow. Know how it is protected. I strongly dislike any answer including words like "proprietary", "confidential", "obfuscated" etc.
  • How is/are the key(s) protected in a machine that's running and actively used ?
    Once the machine has cleared the pre-boot authentication, typically "the key is in the lock": the cryptographic key is held in RAM for use by the drivers. At this point we expect the coldboot attack can be performed. Any vendor claiming not to be vulnerable at this stage should explain how they encrypt and decrypt disk blocks without ever having a key in RAM.
    GUIDANCE: machines where control is lost in this state are most probably vulnerable.
  • How is/are the key(s) protected in a machine that has its screen locked ?
    Once a user leaves his machine for a while, a screen saver might kick in and lock it. By default this does not mean the keys are removed from RAM (mostly they will not be). Removing the cryptographic keys at this point is not trivial, as they would need to be retrieved again afterwards, and e.g. programs can continue to run (which might require access to the disk ...).
    GUIDANCE: machines with a locked screen are typically not protected by the disk encryption due to the coldboot attack, unless your vendor specifies exactly how they remove the key(s) while allowing the processes to continue to run.
  • How is/are the key(s) protected in a machine that's asleep ?
    Once a user closes his laptop, one of the possible actions is to put the machine to sleep. Basically the contents of RAM are kept in place. Since this is the mode users typically use to transport machines, attention needs to be given to it. While the processes are no longer running, there might be some way to remove the keys from RAM before sleeping the machine and, upon waking, first prompting the user and then restoring the keys from their protected storage.
    GUIDANCE: for most products of the pre-boot type, the guidance you need to give your users is not to use sleep mode at all (if you can block it, or replace it with hibernation, that might be a good option to consider).
  • How is/are the key(s) protected in a machine that's hibernating (RAM+hibernate file)?
    This might seem easier: the machine first writes its state (including a memory image) to disk and then powers off. The encryption software might erase the keys from RAM before powering off, making the machine safer in the first minutes. If it doesn't erase the keys from RAM, they will eventually fade anyway, leaving a short window of vulnerability to the coldboot attack (up to a dozen minutes or so).
    An interesting part is how the memory image is managed: it potentially contains the key from RAM too! Similarly, swap files (or partitions) can contain keys just as well.
    GUIDANCE: much depends on the answers you get from your vendor; there seems to be more difference between products in this respect, so do ask them how their product works. Determine trust and risks afterwards.
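Why is "the key is in RAM" (or in a hibernation file, or in swap) such a strong claim? Because an AES key is not a random-looking blob that has to be recognised by luck: the driver keeps the expanded key schedule next to it, and the schedule is a deterministic function of the key, so a scanner can walk a memory image and verify candidate keys offset by offset. The code below is an added example, not from the diary or from any vendor, implementing that search for AES-128 on a constructed memory image with one schedule planted in it. The only assumption is a 16-byte key expanded in the standard FIPS-197 order, which is how essentially every AES implementation lays out its round keys.

```python
import random


def _gf_mul(a, b):
    """Multiply two elements of GF(2^8) using the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        for y in range(1, 256):
            if _gf_mul(x, y) == 1:
                inv[x], inv[y] = y, x
                break
    sbox = []
    for x in range(256):
        b = inv[x]
        c = b ^ 0x63
        for shift in (1, 2, 3, 4):
            c ^= ((b << shift) | (b >> (8 - shift))) & 0xFF
        sbox.append(c)
    return bytes(sbox)


SBOX = _build_sbox()
RCON = (0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36)


def _next_word(w, i):
    """Word i of the AES-128 key schedule, given words 0..i-1 in the list w."""
    t = list(w[i - 1])
    if i % 4 == 0:
        t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
        t[0] ^= RCON[i // 4 - 1]
    return [a ^ b for a, b in zip(w[i - 4], t)]


def aes128_key_schedule(key):
    """Return the 176-byte expanded key (11 round keys) for a 16-byte AES-128 key."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        w.append(_next_word(w, i))
    return bytes(b for word in w for b in word)


def _schedule_at(image, off):
    """True if the 176 bytes at `off` form a complete AES-128 key schedule.
    Expands one word at a time and stops at the first mismatch, so most offsets
    cost a single word of work."""
    w = [list(image[off + i:off + i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        nxt = _next_word(w, i)
        if bytes(nxt) != image[off + 4 * i:off + 4 * i + 4]:
            return False
        w.append(nxt)
    return True


def find_aes128_keys(image):
    """Return [(offset, key)] for every AES-128 key schedule found in the image."""
    return [(off, bytes(image[off:off + 16]))
            for off in range(len(image) - 176 + 1) if _schedule_at(image, off)]


def make_sample_image(seed=2008, size=64 * 1024, key_offset=20_000):
    """Constructed stand-in for a RAM dump / hibernation file: filler bytes with one
    key schedule planted where a disk-encryption driver would keep its round keys."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    key = bytes(rng.getrandbits(8) for _ in range(16))
    buf[key_offset:key_offset + 176] = aes128_key_schedule(key)
    return bytes(buf), key, key_offset


if __name__ == "__main__":
    image, key, offset = make_sample_image()
    for off, found in find_aes128_keys(image):
        print(f"AES-128 key schedule at offset {off:#x}: key {found.hex()}")
```

Point it at a raw memory dump, a hiberfil or a swap partition instead of the constructed image and it will find any AES-128 schedule that is fully intact. Two caveats: a real cold-boot image has decayed bits, so a practical scanner has to tolerate a few mismatching bytes (the Princeton tooling does; this exact-match version deliberately does not), and the same approach extends to AES-192/256 and to other ciphers with a recognisable key structure.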

For solutions that add hardware (e.g. TPM, USB tokens, dedicated hardware, ...) details are needed and the questions need to be adapted to those details.

For solutions that only encrypt a directory or a file, the issues are slightly different, but the focus is still on the different states: knowing how the key(s) are protected, how the processes using the data continue to run, etc. is the answer you seek in order to build the guidance for your users.

All other products you use that handle cryptographic keys could/should be examined in the same fashion; it's not just disk encryption that's at stake!

Contacts at vendors claiming full invulnerability or extremely unlikely scenarios are not good sources of information to use in evaluating your risks; seek more technical answers before you believe their evaluation blindly.

Finally, with frustration, I need to express my sincere regrets to the people of those vendors who were cooperative in providing information to questions such as those above; to the readers contributing information and to all those hoping we could get the overview stable and correct.

Swa Frantzen -- Gorilla Security


Published: 2008-02-28

Linux, FreeBSD and Mac (!) bot

Yesterday I received samples of an IRC bot. This in itself would be nothing interesting except the fact that the archive contained binaries for FreeBSD and Mac (Darwin, ppc).

After initial analysis I found out that it's nothing special – just a port of a well-known IRC bot called EnergyMech. The most interesting thing was that the attacker compiled it for FreeBSD and Mac. This probably didn't require any extra effort though, since it compiles out of the box on FreeBSD and Linux anyway.

The bot did all the standard stuff: it had a couple of "owners" defined, comments in Portuguese, and connected to Undernet, an IRC network that a lot of attackers like.

I decided, for the fun of it, to run the samples through VirusTotal, just to see what results the AV programs would produce. It was .. erm.. interesting, as you will see below.

There were in total 3 files:

$ md5sum linux freebsd darwin
fbab7e9bf1780fd2bc99e44d46535be5  linux
17eb3a901811ea86f7d71394cde36202  freebsd
a93b41466e330fc3cf8e6602e5cd03c2  darwin

The FreeBSD version of the bot was detected by 23 out of 32 AV programs (decent), and the Linux one by 24 out of 32 (even better). This was clearly signature detection, since almost all AV programs detected the FreeBSD version as something for Linux (Linux/RST.B) – my guess is that they trigger on some text in the binary.

Finally, the Darwin version was a bit of a shock – 0 detections in total (!). Since it was a Mach-O executable for PPC, my guess is that the AV programs didn't know how to parse the file format and just treated it as data.
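Whether a scanner "knows" a file format starts with a few header bytes, and the catch with Mach-O is that the magic number is written in the byte order of the target CPU: a PPC binary starts with FE ED FA CE while an Intel one starts with CE FA ED FE, and a universal binary starts with CA FE BA BE instead. The triage helper below is an added example (not the diary's samples, whose binaries are not reproduced here) that classifies the first bytes of a file as ELF, thin or fat Mach-O, or PE and pulls out the architecture and, for ELF, the OS ABI branding that separates FreeBSD from Linux builds. The sample headers are constructed for the example.

```python
import struct

ELF_MACHINES = {3: "i386", 20: "ppc", 40: "arm", 62: "x86_64", 183: "aarch64"}
ELF_OSABI = {0: "SysV", 3: "Linux", 9: "FreeBSD", 12: "OpenBSD"}
MACHO_CPUTYPES = {7: "i386", 18: "ppc", 0x01000007: "x86_64", 0x0100000C: "arm64"}
PE_MACHINES = {0x14C: "i386", 0x8664: "x86_64"}


def identify_executable(data):
    """Classify the start of a file as ELF, Mach-O (thin or fat), PE or unknown.
    Returns a dict with 'format' plus whatever the header reveals."""
    if len(data) < 4:
        return {"format": "unknown"}
    magic = data[:4]

    if magic == b"\x7fELF" and len(data) >= 20:
        endian = ">" if data[5] == 2 else "<"          # EI_DATA: 1 = LSB, 2 = MSB
        machine = struct.unpack(endian + "H", data[18:20])[0]
        return {"format": "elf", "bits": 64 if data[4] == 2 else 32,
                "arch": ELF_MACHINES.get(machine, hex(machine)),
                "osabi": ELF_OSABI.get(data[7], str(data[7]))}

    # Fat (universal) Mach-O: magic and fat_arch entries are always big-endian.
    # Java class files share the CAFEBABE magic; their next field is a version >= 45,
    # whereas a real fat header has a small architecture count.
    if struct.unpack(">I", magic)[0] == 0xCAFEBABE and len(data) >= 8:
        nfat = struct.unpack(">I", data[4:8])[0]
        if nfat < 16:
            arches = [MACHO_CPUTYPES.get(struct.unpack(">I", data[8 + 20 * i:12 + 20 * i])[0], "?")
                      for i in range(nfat) if len(data) >= 12 + 20 * i]
            return {"format": "macho-fat", "arches": arches}

    # Thin Mach-O: the header is in the target's native byte order, so try both.
    for endian in (">", "<"):
        m = struct.unpack(endian + "I", magic)[0]
        if m in (0xFEEDFACE, 0xFEEDFACF) and len(data) >= 16:
            cputype, _subtype, filetype = struct.unpack(endian + "III", data[4:16])
            return {"format": "macho", "bits": 64 if m == 0xFEEDFACF else 32,
                    "arch": MACHO_CPUTYPES.get(cputype, hex(cputype)),
                    "filetype": filetype}   # 2 = MH_EXECUTE

    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack("<I", data[0x3C:0x40])[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(data) >= e_lfanew + 6:
            machine = struct.unpack("<H", data[e_lfanew + 4:e_lfanew + 6])[0]
            return {"format": "pe", "arch": PE_MACHINES.get(machine, hex(machine))}

    return {"format": "unknown"}


# Constructed file starts (not the diary's binaries), padded like real headers.
SAMPLE_DARWIN_PPC = struct.pack(">IIIIIII", 0xFEEDFACE, 18, 0, 2, 0, 0, 0) + b"\0" * 32
SAMPLE_DARWIN_I386 = struct.pack("<IIIIIII", 0xFEEDFACE, 7, 3, 2, 0, 0, 0) + b"\0" * 32
SAMPLE_FREEBSD_ELF = b"\x7fELF" + bytes([1, 1, 1, 9]) + b"\0" * 8 + struct.pack("<HH", 2, 3) + b"\0" * 32
SAMPLE_LINUX_ELF = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8 + struct.pack("<HH", 2, 3) + b"\0" * 32
SAMPLE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + struct.pack("<H", 0x14C) + b"\0" * 20


if __name__ == "__main__":
    for name, blob in [("darwin", SAMPLE_DARWIN_PPC), ("freebsd", SAMPLE_FREEBSD_ELF),
                       ("linux", SAMPLE_LINUX_ELF), ("win32", SAMPLE_PE)]:
        print(name, identify_executable(blob))
```

Run it over a sample directory (`identify_executable(open(path, "rb").read(64))`) before submitting anything to a scanner: if your own tooling reports "unknown" for a file the attacker clearly intended to run, a scanner that treats the file as data is no surprise.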



Published: 2008-02-28

Wireshark 0.99.8 released

Just a quick note to alert our readers that a new version of the popular network protocol analyzer/sniffer Wireshark (v0.99.8) has been released.  This release includes some security fixes in the SCTP, SNMP, and TFTP dissectors: malformed packets can crash the application.  We'll update the story with CVE entries when they become available.




Published: 2008-02-28

Abusing Image File Execution Options

As a frequent reader of ISC, I have no doubt that you are aware of malware that was distributed on digital frames and other devices (if you haven't read those diaries, see http://isc.sans.org/diary.html?storyid=3817).

After we received some samples from our readers (thank you!) I decided to analyze one of them just for fun. According to VirusTotal, all AV programs (except for one) detected this sample, so at least all users running an up to date AV program are safe.

Most of the activities of the trojan were more or less standard, until I saw that it creates a high number of new registry keys. I dug a bit further and found that it uses a relatively old technique that I haven't seen abused for quite some time: the trojan used the Image File Execution Options section of the registry.

Disassembly of the trojan showed that it cycles through a loop and creates a Debugger value for a lot of keys:


The question now was: what does this do? I had to dig through MSDN to find out what exactly this section of the registry does (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options). Basically, the Debugger value allows a programmer to specify a debugger for any executable on the system. Windows will then start that program (the debugger) instead of the executable you wanted to start, so that you can debug it (it actually makes it pretty difficult to start the real executable and not the specified debugger).

One really cool use of this feature is to replace the default Task Manager with Sysinternals' Process Explorer: create this key for taskmgr.exe, point the Debugger value at Process Explorer, and voila, it gets started instead of Task Manager.

The trojan abused this feature: it had a list of dozens of well-known anti-virus and other security tool executables. It then created these registry keys for every single application so the trojan would get executed instead of them – pretty sneaky. You can see part of the registry of an infected machine below:


You can see the trojan trying to disable the NOD32 AV program in the screenshot above. Since Windows doesn't really check whether it's a real debugger that is being started, I hope that all AV vendors are aware of this (old) technique and check for their own entries in this section of the registry. By the way, this feature can be used for some nasty pranks, so don't abuse it please.
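Checking for this yourself is easy, because the set of programs anyone legitimately puts in a Debugger value is tiny. The script below is an added example, not part of the diary: it parses an export of the Image File Execution Options key (the format `reg export` writes, useful when you have an offline hive export from an infected box) and flags every Debugger value whose target is not a known debugger. The sample export is constructed for the example; the target executable names and the "svohost.exe" path are placeholders, not indicators from the diary's sample. A second function does the same against the live registry when run on Windows.

```python
import re

# Constructed excerpt in the format produced by
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
# (reg export writes UTF-16LE; read real files with open(path, encoding="utf-16")).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Tools\\procexp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\svohost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001
"""

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\")
KEY_RE = re.compile(r"^\[(.+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.I)

# Basenames an administrator might legitimately configure here.
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "procexp.exe",
                   "vsjitdebugger.exe", "drwtsn32.exe", "procdump.exe"}


def _unescape(value):
    """Undo .reg string escaping: \\ becomes \ and \" becomes "."""
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_ifeo_debuggers(reg_text):
    """Return {image_name: debugger_command} for every IFEO subkey with a Debugger value."""
    found, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            inside = key.lower().startswith(IFEO_PREFIX.lower()) and len(key) > len(IFEO_PREFIX)
            current = key[len(IFEO_PREFIX):].lower() if inside else None
            continue
        m = DEBUGGER_RE.match(line)
        if m and current:
            found[current] = _unescape(m.group(1))
    return found


def suspicious_debuggers(reg_text, allowed=KNOWN_DEBUGGERS):
    """Debugger entries whose target is not a recognised debugger. Windows never checks
    that the 'debugger' is one, so anything else here is a hijack candidate."""
    hits = []
    for image, cmd in parse_ifeo_debuggers(reg_text).items():
        m = re.match(r'"([^"]+)"|(\S+)', cmd)          # first token, quoted or not
        exe = (m.group(1) or m.group(2)) if m else ""
        base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base not in allowed:
            hits.append((image, cmd))
    return sorted(hits)


def live_ifeo_debuggers():
    """Same data read from the live registry; only works on Windows."""
    import winreg
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    found, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(root, name) as sub:
                    found[name.lower()] = winreg.QueryValueEx(sub, "Debugger")[0]
            except OSError:
                pass            # subkey without a Debugger value
    return found


if __name__ == "__main__":
    for image, cmd in suspicious_debuggers(SAMPLE_REG):
        print(f"{image} is hijacked: Debugger = {cmd}")
```

The taskmgr.exe entry pointing at procexp.exe is the legitimate use described above and passes; the nod32kui.exe entry pointing at an unknown binary is what an infection looks like. On 64-bit Windows remember to check the Wow6432Node copy of the key as well.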



Published: 2008-02-27

Lack of digital certificates validation on various PEAP supplicants

PEAP (Protected EAP) is one of the most commonly used EAP methods for strong wireless 802.11 authentication in WPA/WPA2 Enterprise mode (using 802.1x/EAP), as native support is available in the Windows, Mac OS X and Linux supplicants (like xsupplicant). When PEAP is used, the user is authenticated through username and password using MSCHAPv2, and the infrastructure (specifically the RADIUS server) is authenticated through digital certificates using TLS/SSL.

Recently, multiple vulnerabilities in the digital certificate validation process associated with PEAP have been released, due to the supplicant or the deployment failing to properly validate the RADIUS server certificate:

In the first case (the best scenario), with the default PEAP settings on Windows the certificate itself is validated, but the name of the RADIUS server is not matched against the name (common name, CN) on the certificate. As a consequence, an attacker can provide his own infrastructure (access point plus malicious RADIUS server) and present a valid certificate (signed by a trusted CA) that belongs to the attacker's RADIUS server. The client will accept it as valid, and the attacker will obtain the inner EAP authentication credentials (the MSCHAPv2 challenge and response) and can run dictionary attacks against them.

Do not think only about wireless deployments! If you are using strong layer-2 authentication through 802.1x in your wired network (something I've always promoted), you may be using the same vulnerable supplicant. Since 2005 I've been teaching the renamed SANS "Wireless Security Penetration Testing" course, and during the last day we build up a complete WPA Enterprise setup in class, using a CA, RADIUS, 802.1X & PEAP, where I do not provide any DNS infrastructure on purpose to show this flaw.

For the first scenario, the workaround is to configure the supplicant with strict authentication settings. Be very careful to configure the supplicants appropriately and validate the server's digital certificate, the CA, and the common name. For example, on Windows this means checking (see slide 37 of 42 in the presentation above):

  • Validate server certificate
  • Connect to these servers, and provide the hostnames for the servers
  • Select the CA you used to issue the certificates for your network infrastructure
  • Do not allow users to authorize new servers or CA's
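The same four settings have counterparts in wpa_supplicant, and they are just as easy to leave out there. As an added example (not from the diary), the script below lints the `network={...}` blocks of a wpa_supplicant.conf for the two checks that matter: a `ca_cert` that names the CA you actually used (not the system bundle, which would let any public CA issue a "valid" RADIUS certificate for the attacker), and a server-name match (`subject_match` on older versions, `domain_suffix_match`/`domain_match`/`altsubject_match` on newer ones). The configuration is constructed for the example: a weak block, a block that trusts the public bundle, and a strict block.

```python
import re

# Constructed wpa_supplicant.conf (not from the diary). Only the third block would
# reject an attacker's RADIUS server presenting a valid certificate for another name.
SAMPLE_CONF = """\
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-publicca"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-strict"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
"""

NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")
PUBLIC_BUNDLES = {"ca-certificates.crt", "ca-bundle.crt", "cert.pem"}


def parse_networks(conf_text):
    """Return one {option: value} dict per network={...} block (quotes stripped)."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf_text, re.S):
        opts = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                k, v = line.split("=", 1)
                opts[k.strip()] = v.strip().strip('"')
        nets.append(opts)
    return nets


def lint_peap(conf_text):
    """Findings per SSID for every PEAP/TTLS network: {ssid: [problem, ...]}."""
    findings = {}
    for net in parse_networks(conf_text):
        if net.get("eap", "").upper() not in ("PEAP", "TTLS"):
            continue
        problems = []
        ca = net.get("ca_cert") or net.get("ca_path")
        if not ca:
            problems.append("no ca_cert/ca_path: the server certificate is not validated at all")
        elif ca.rsplit("/", 1)[-1] in PUBLIC_BUNDLES:
            problems.append("ca_cert is the system bundle: any public CA can issue a 'valid' RADIUS certificate")
        if not any(k in net for k in NAME_CHECKS):
            problems.append("no server name match: a valid certificate for any host is accepted")
        findings[net.get("ssid", "?")] = problems
    return findings


if __name__ == "__main__":
    for ssid, problems in lint_peap(SAMPLE_CONF).items():
        print(ssid, "OK" if not problems else "")
        for p in problems:
            print("   -", p)
```

The strict block is what the Windows checklist above translates to: one CA, one expected server name, and no option for the user to wave a new server through.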

For the VoIP network devices there is no easy, general solution right now, so it is recommended to select long and complex passwords so that the dictionary attack does not succeed.

My guess is that we're going to see more and more issues like this one in other supplicants from various wireless and wired network devices, and in other EAP types that also use digital certificates, such as EAP-TTLS and PEAP v1 and v2. Most EAP types are complex authentication protocols.

Raul Siles



Published: 2008-02-27

Thunderbird is out

A new Thunderbird version has been released. This version fixes five (5) known vulnerabilities: 1 critical, 3 high and 1 moderate.

MFSA 2008-12 Heap buffer overflow in external MIME bodies
MFSA 2008-07 Possible information disclosure in BMP decoder
MFSA 2008-05 Directory traversal via chrome: URI
MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
MFSA 2008-01 Crashes with evidence of memory corruption (rv:

We were told by the security people at Mozilla a couple of weeks ago, when Firefox was released, that this Thunderbird version contains security fixes that will never be made available for the 1.5 branch. So, if you're still running Thunderbird 1.x, it is time to update!

Thanks Jason for the heads up.

Raul Siles



Published: 2008-02-26

Another trojan embedded in a MS-Word DOC

Once again this appears to be a targeted attack. There have been reports of a 'zero-day'; however, this has been discounted by Microsoft.

Bell Canada


Published: 2008-02-26

XO seems to be back, Hotmail intermittent

The Internet Health Report has been showing red for XO connections for a while now, but they seem to be coming back. We have also had multiple reports of Hotmail being inaccessible.


Adrien de Beaupré

Bell Canada



Published: 2008-02-26

Cold boot - Guidance for users

As anticipated when we wrote the diary "in memory of hard disk encryption?" about the research from Princeton into the property of DRAM to retain its contents for a short while without power, the disk encryption vendors are starting to react.

Users of e.g. laptops that contain sensitive data and use (disk) encryption to protect it need to be given guidance on how to use the tools provided to them. In order to give your users that guidance, you need to know when the keys are effectively wiped.

If you know of vendor provided information on how they handle keys, please let us know. Vendors are welcome to provide the information too.

Product           Guidance                                       Safe on sleep   Safe on hibernate
PGP WDE           Hibernation wipes the keys, sleep does not.    NO              YES
PGP Virtual Disk  Keys are wiped when unmounting the image.      ?               ?

If any information is incomplete or inaccurate, please do let us know, as interpreting the press releases provided can be hard.

Swa Frantzen -- Gorilla Security


Published: 2008-02-25

If site not apeared - Click Here

We received messages from two ISC readers who reported an increase in spam messages that include a link to sub-sites of blogspot.com. (Thanks, Matthew O. and J. T.) The fake blogs, set up on blogspot.com for this purpose, briefly display the phrase "If site not apeared - Click Here ." before redirecting the visitor to another site via a meta refresh tag, such as:

<meta content='0;URL=http://gentsoftnowu.com' http-equiv='refresh'/>

(Watch out, that gentsoftnowu.com URL is not friendly!)
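A quick way to triage a pile of such links without visiting the final destination is to fetch only the blog page and pull the refresh target out of it. The code below is an added example (not from the diary) that extracts every meta refresh target regardless of attribute order, quoting or case, resolves relative URLs, and reports the ones that fire almost immediately and leave the hosting site. The sample pages are constructed, and the redirect target is a placeholder rather than the domain quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed pages (not the actual blogspot content). The first mimics the pattern
# described above with a placeholder destination; the second is a benign refresh.
SAMPLE_PAGE = """\
<html><head><title>If site not apeared - Click Here</title>
<meta content='0;URL=http://redirect-target.example' http-equiv='refresh'/>
</head><body>If site not apeared - <a href="http://redirect-target.example">Click Here</a></body></html>
"""
SAMPLE_SELF_REFRESH = """\
<html><head><META HTTP-EQUIV="Refresh" CONTENT="30; url=/index.html"></head>
<body>reloading</body></html>
"""


class _MetaRefresh(HTMLParser):
    """Collect (delay_seconds, url) from every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        delay, _, rest = a.get("content", "").partition(";")
        url = rest.strip()
        if url[:4].lower() == "url=":                # "0;URL=..." and "0; url=..." forms
            url = url[4:].strip().strip("'\"")
        try:
            secs = float(delay.strip() or 0)
        except ValueError:
            secs = 0.0
        self.targets.append((secs, url))


def meta_refresh_targets(html, page_url):
    """All meta refresh targets in the page, resolved against the page URL."""
    p = _MetaRefresh()
    p.feed(html)
    return [(d, urljoin(page_url, u)) for d, u in p.targets if u]


def offsite_redirects(html, page_url, max_delay=1.0):
    """Targets that fire within max_delay seconds and point off the hosting site:
    the throwaway-blog pattern described above."""
    host = (urlsplit(page_url).hostname or "").lower()
    return [u for d, u in meta_refresh_targets(html, page_url)
            if d <= max_delay and (urlsplit(u).hostname or "").lower() != host]


if __name__ == "__main__":
    blog = "http://some-fake-blog.blogspot.com/"
    print(offsite_redirects(SAMPLE_PAGE, blog))
```

Feed it the raw HTML of each spammed link (fetched from a throwaway machine, with scripting disabled) and the output is the list of destinations worth blocking, without anyone having to click through.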

The spam messages we've seen advertise Microsoft Office Enterprise 2007 software, and use subject lines such as "Microsoft Office ready to download" and "Microsoft Office 2007 OEM version". The body of the email currently looks like this:

Microsoft Office Enterprise 2007 includes:
• Access 2007
• Communicator 2007
• Excel 2007
• Groove 2007
• InfoPath 2007
• OneNote 2007
• Outlook 2007
• PowerPoint 2007
• Publisher 2007
• Word 2007


(Watch out, another maliciously-predisposed URL there!)

A Google search for "If site not apeared - Click Here" produced one unfriendly-looking website that resembles the ones hosted on blogspot.com, and a blog posting that describes an incident that might be related to this campaign and vents about Google. A Yahoo search for this phrase leads to two reports on malicious sites hosted on blogspot.com (1, 2). An MSN search produces another report. (Are you surprised I used more than one search engine? Me too.)

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

Lenny teaches a SANS course on analyzing malware.


Published: 2008-02-25

How not to write a mass email to your customers.

Customers are beginning to lose trust in email. With good reason: it is easy to spoof and it has been a leading threat vector for phishing and malware attacks. This means that you need to be extra careful when sending mass-email to your customers.

Earlier this month I received a message that claimed to be from Amtrak [amtrak@amtrak.bfi0.com]. It said:

Dear Customer,

Changes Coming to Your Amtrak.com Login

In an effort to streamline the login process and communicate more effectively with our customers, we will be changing the way you access your Amtrak.com account in a few weeks. Prior to this update, we ask that you log in to verify the accuracy of the information in your account.
•    Go to Amtrak.com Now and Update Your Profile
This change will not affect how Amtrak Guest Rewards members log into amtrakguestrewards.com. [The message continued... Cut for brevity.]

I cannot complain about the text of the message. Unfortunately, the words "Go to Amtrak.com Now and Update Your Profile" were a hyperlink that led to a third-party website, amtrak.bfi0.com. The same was true of a few other links embedded at the bottom of the message.

Links to websites not under the company's recognizable domain are a tell-tale sign of a phishing message. It seems that the message was authentic after all, but how were the customers to know? A phishing message targeting Amtrak customers would look exactly like this, only pointing to some other cryptically-named domain instead of amtrak.bfi0.com.

Companies often use mass-mailing services to send out such communications and to collect click-through statistics. This may be appropriate for marketing-type messages, but it is not wise for sensitive communications that deal with logon procedures or credentials.

If you need to send a sensitive mass email to your customers, consider:

  • Do not include any links in the message at all. Instead, ask the recipient to visit your company's website using the address they know (www.companyname.com) or have bookmarked in the past.
  • If you need to include links, make sure they are to websites hosted under your company's recognizable domain, such as abc.companyname.com. For bonus points, use an HTTPS link, instead of HTTP, with a valid SSL certificate to help the customers validate your site's authenticity.
  • Warn the customers in advance that they will receive an email from you via a status update on your website or in the regular reports you may already deliver to your customers. Explain how the customers can confirm the authenticity of your message.
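The first two points are mechanical enough to check before a message goes out (or, on the receiving side, to score an incoming one). The script below is an added example, not part of the diary: it pulls every link out of an HTML body and classifies it as under the company's own domain (and whether it uses HTTPS), a lookalike that merely contains the brand name in some other domain (the amtrak.bfi0.com case), or an unrelated third-party host. The message body is constructed in the style of the quoted email, not the actual email.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed body in the style of the message quoted above (not the real email).
SAMPLE_EMAIL_HTML = """\
<p>Dear Customer,</p>
<p><a href="http://amtrak.bfi0.com/track?u=123">Go to Amtrak.com Now and Update Your Profile</a></p>
<p><a href="https://www.amtrak.com/guestrewards">Amtrak Guest Rewards</a></p>
<p><a href="http://www.amtrak.com.example-login.net/">Log in</a></p>
<p><a href="http://list-manager.example.net/unsub?u=123">Unsubscribe</a></p>
"""


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _under(host, domain):
    """True if host is domain itself or a subdomain of it (not merely containing it)."""
    return host == domain or host.endswith("." + domain)


def check_links(html, company_domain):
    """[(link text, host, verdict)] where verdict is 'ok', 'ok-but-not-https',
    'lookalike' (brand name in a foreign host) or 'third-party'."""
    p = _Links()
    p.feed(html)
    company_domain = company_domain.lower()
    brand = company_domain.split(".")[0]
    results = []
    for href, text in p.links:
        parts = urlsplit(href)
        if parts.scheme.lower() not in ("http", "https"):
            continue                                  # mailto:, tel: etc. are not web links
        host = (parts.hostname or "").lower()
        if _under(host, company_domain):
            verdict = "ok" if parts.scheme.lower() == "https" else "ok-but-not-https"
        elif brand in host:
            verdict = "lookalike"
        else:
            verdict = "third-party"
        results.append((text, host, verdict))
    return results


if __name__ == "__main__":
    for text, host, verdict in check_links(SAMPLE_EMAIL_HTML, "amtrak.com"):
        print(f"{verdict:16} {host:40} {text!r}")
```

Note that `www.amtrak.com.example-login.net` is classified as a lookalike and not as the company's site: the check is "is this host under amtrak.com", not "does the host start with amtrak.com", which is exactly the distinction a hurried reader fails to make.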

Do you have any suggestions for communicating with customers via email? Let us know.

Update: David Wharton wrote to share his experiences handling phishing campaigns against his bank's customers. Sometimes he sees "phishing emails that contain valid (non-phish) links and do not point to a phish site.  The links to login actually go to our login page.  My only thought as to the reason they would do that is to add to overall customer confusion." Indeed, adding to customer confusion could be a reason for seeing valid URLs in phishing messages. Alternatively, we may be seeing these messages in the early testing phase. Finally (as was pointed out by another ISC handler), the senders of these messages may be targeting victims whose DNS records may have been tampered with, so when they access www.companyname.com, they will be pointed to an IP address of the attacker's server.

Update 2: Ned Slider mentioned that another reason for phishing emails containing links to legitimate sites could be that "the phish victim may already be infected with keylogging malware designed to capture authentication on legitimate websites." (Looks like T. K. had the same idea, and posted it in the comments to this diary.)

Update 3: John Silvestri pointed out that Steven Bellovin described his perspective on the same Amtrak email earlier this month in his blog. Thanks for the pointer, John!

Update 4: Ray Ellington recommended that senders use DomainKeys, "an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity" (according to Wikipedia). Ray mentioned that "most people probably don't even notice since you must click 'Details' in most web based email browsers to see that it has been signed. But for those who understand what digital signing of email is they can click" and confirm the message's origin.

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

Lenny teaches a SANS course on analyzing malware.


Published: 2008-02-25

Adobe AIR is out. Let's talk about security.

Today marks the official release of Adobe AIR, a platform for developing desktop applications using web-based technologies. Let's see what this tool offers and what security implications it carries.

Adobe AIR (once known as Adobe Apollo) is a run-time environment that bundles several web-enabling technologies and makes them available on the desktop. According to Adobe's Mike Chambers, Adobe AIR "leverages a number of open source technologies," including:

  •  Tamarin - implements JavaScript/ECMAScript, used in Firefox, Flash
  •  SQLite - lightweight database engine
  •  WebKit - renders HTML, used by Safari (derived from KDE's KHTML, the engine of the Konqueror browser)

Adobe AIR allows developers who know how to write traditional web-based applications to use their skills (HTML, AJAX, Flash, etc.) to write local desktop applications. Applications built using Adobe AIR include AOL Top 100 Videos player, eBay Desktop, and NASDAQ Market Replay.

ISC reader Richard Gurley emailed us a question regarding the security concerns associated with this powerful development platform. Two categories of threat vectors come to mind:

  • A malicious Adobe AIR application may act as a trojan and do "bad things" to the victim's local system.
  • A web-style vulnerability (XSS, etc.) in an Adobe AIR application may allow an attacker to target the application's data or the victim's local system.

 Desktop-Specific Threats of Adobe AIR Applications

The first set of threat vectors is similar across desktop applications that run locally. Adobe implemented sandboxing to limit some actions of a local Adobe AIR application. Adobe's documentation makes it clear that the sandboxes are not meant to mimic the rigorous restrictions of a web browser's sandbox. The Adobe AIR FAQ points out that "applications deployed on Adobe AIR have powerful desktop capabilities and access to local data."

Adobe AIR applications need to be digitally signed, to assist the end-user in determining whether to trust the application's author. However, the certificates can be self-signed, and many users will ignore the trust warnings and run even those applications that come from untrusted sources. This is not a new issue, and it is not unique to Adobe AIR.

Ron Schmelzer, an analyst at ZapThink, expressed his concerns with the ability of existing anti-virus tools to protect against rogue Adobe AIR applications in an October 2, 2007, InfoWorld article:

 " 'The current generation of spyware, virus, and malware [detection] products have no visibility into running AIR programs,' Schmelzer wrote in an e-mail. 'As such, there is a high possibility for malicious AIR applications -- which are no longer security-restricted to the browser sandbox and are free to manipulate local machines -- to spread into the wild.' "

I am more optimistic about the ability of existing anti-virus suites to detect improper actions of an Adobe AIR application through behavioral techniques that observe any local program. Such techniques involve checking for the suspicious registry, file system, and network actions that a malicious application would exhibit regardless of the framework within which it operates. However, since I have not experimented with Adobe AIR applications, this is purely a hypothetical assessment. (Perhaps those more familiar with the inner workings of anti-virus tools or with Adobe AIR applications would like to comment?)

Web-Specific Threats of Adobe AIR Applications

The other, and perhaps more significant, set of threats to consider is tied to those of any web application. Vulnerabilities in a web application could allow an attacker to launch attacks based on Cross-Site Scripting (XSS), SQL injection, local link injection, and other techniques associated with traditional web applications.

The most interesting security repercussion of a platform such as Adobe AIR is that it merges traditional web application techniques with the more permissive security models of local applications. Consider a hypothetical example where an Adobe AIR application allows the user to open and execute a local file. An XSS-style vulnerability in the application could allow a remote attacker to inject malicious JavaScript that attempts to execute a local program of the attacker's choice. This is much harder to pull off when the script runs within the confines of a web browser than when it runs within the more permissive sandbox of Adobe AIR.

Adobe's Lucas Adamski wrote an excellent article describing the Adobe AIR security model. In his write-up, Lucas describes the two sandboxes implemented by Adobe AIR and outlines the security risks that the developers of Adobe AIR applications need to consider. He also points to the security documentation Adobe wrote to assist developers in addressing some of these challenges. Lucas highlights the need for developers to follow Adobe's security recommendations to create resilient applications:

" However, the privileges inherent in a full desktop application mean the developer can sometimes find ways around these restrictions. The reality is that doing so will almost certainly introduce a large amount of security risk into the application and for the end users of the application. Thus Adobe strongly recommends that developers stay within the restrictions placed by the AIR security model, and carefully consider the cost of implementing rigorous security mitigations for bypassing them. In most cases the development cost of these mitigations will significantly exceed the cost of finding an alternative solution that stays within the bounds of the security model. "

Undoubtedly, many developers will be unaware of Adobe AIR security best practices or will knowingly take shortcuts that expose end-users to attacks. Will our desktop lock-down practices and anti-virus tools compensate for such conditions? I hope the answer is "yes," but I suppose only time will tell.

What are your thoughts on security implications of the Adobe AIR platform? Please let us know.

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

Lenny teaches a SANS course on analyzing malware.


Published: 2008-02-24

Critical VMware security alert for Windows-hosted VMware client versions

During the last couple of years intensive security research has been performed on virtualization environments, like VMware, Virtual PC, XEN etc. It has been mainly focused on finding new ways to detect if you are running inside a virtual machine (vs. a native host), and finding ways to escape from a virtual machine to the host (or to another virtual machine).

This new VMware vulnerability discovered by Core means a full escape from the guest virtual machine to the host is possible: "On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host's complete file system and create or modify executable files in sensitive locations."

It has been rated as critical by VMware and it affects all VMware client products on Windows, that is:

  • VMware Workstation 6.0.2 and earlier, AND 5.5.4 and earlier
  • VMware Player 2.0.2 and earlier, AND 1.0.4 and earlier
  • VMware ACE 2.0.2 and earlier, AND 1.0.2 and earlier

VMware Fusion on Mac OS and the Linux-hosted versions of these products are not affected.

By default, the shared folders feature is disabled in Workstation 6, Player 2, and ACE 2. Workstation 5, Player 1, and ACE 1 enable the shared folders feature by default, but exploiting this vulnerability still requires at least one folder to be configured as shared between the host and guest.

The impact on production environments should be limited, as they tend to run the server versions. However, we as security professionals make extensive use of virtualization for multiple purposes (malware analysis, incident response, forensics, security testing, training, etc.), and we typically use the client versions of the products. Since no update or patch is available yet, it is time to disable the shared folder capabilities:

Workaround (from the VMware advisory)

Until VMware releases a patch to fix this issue, users of affected Windows-hosted VMware products should disable shared folders.

To disable shared folders in the Global settings:
  1. From the VMware product's menu, choose Edit > Preferences.
  2. In the Workspace tab, under Virtual Machines, deselect the checkbox for Enable all shared folders by default.
To disable shared folders for the individual virtual machine settings:
  1. From the VMware product's menu, choose VM > Settings.
  2. In the Options tab, select Shared Folders and Disable.
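The GUI steps above change values in each virtual machine's .vmx file. As an added example (not part of VMware's advisory or of this diary), the Go program below audits the text of a .vmx file for shared folders that are still reachable from the guest, so you can find the machines that still need the workaround. It assumes the sharedFolderN.* keys and the isolation.tools.hgfs.disable key as they appear in Workstation-style .vmx files; verify them against your own files. The sample configuration is constructed for the example, not taken from a real machine.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// sampleVMX is a constructed Workstation-style .vmx fragment (not a real
// machine's file): one writable shared folder enabled, one declared but off.
const sampleVMX = `.encoding = "windows-1252"
config.version = "8"
virtualHW.version = "6"
displayName = "malware-sandbox"
sharedFolder.maxNum = "2"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "C:\Users\analyst\samples"
sharedFolder0.guestName = "samples"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "FALSE"
sharedFolder1.readAccess = "TRUE"
sharedFolder1.writeAccess = "FALSE"
sharedFolder1.hostPath = "D:\tools"
sharedFolder1.guestName = "tools"
`

// SharedFolder is one sharedFolderN.* block from a .vmx file.
type SharedFolder struct {
	Index    int
	HostPath string
	Enabled  bool
	Writable bool
}

// parseVMX turns `key = "value"` lines into a map. Keys are lowered on the
// assumption that VMware treats them case-insensitively.
func parseVMX(text string) map[string]string {
	cfg := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			continue
		}
		key := strings.ToLower(strings.TrimSpace(kv[0]))
		cfg[key] = strings.Trim(strings.TrimSpace(kv[1]), `"`)
	}
	return cfg
}

var presentRe = regexp.MustCompile(`^sharedfolder(\d+)\.present$`)

// AuditSharedFolders lists every shared folder the .vmx declares and reports
// whether the guest can reach at least one of them: a folder is exposed when
// it is present and enabled and HGFS has not been switched off with
// isolation.tools.hgfs.disable = "TRUE" (key name assumed from VMware docs).
func AuditSharedFolders(vmx string) (folders []SharedFolder, exposed bool) {
	cfg := parseVMX(vmx)
	hgfsOff := strings.EqualFold(cfg["isolation.tools.hgfs.disable"], "true")
	for key, val := range cfg {
		m := presentRe.FindStringSubmatch(key)
		if m == nil || !strings.EqualFold(val, "true") {
			continue
		}
		n, _ := strconv.Atoi(m[1])
		p := "sharedfolder" + m[1] + "."
		f := SharedFolder{
			Index:    n,
			HostPath: cfg[p+"hostpath"],
			Enabled:  strings.EqualFold(cfg[p+"enabled"], "true"),
			Writable: strings.EqualFold(cfg[p+"writeaccess"], "true"),
		}
		folders = append(folders, f)
		if f.Enabled && !hgfsOff {
			exposed = true
		}
	}
	sort.Slice(folders, func(i, j int) bool { return folders[i].Index < folders[j].Index })
	return folders, exposed
}

func main() {
	folders, exposed := AuditSharedFolders(sampleVMX)
	for _, f := range folders {
		fmt.Printf("sharedFolder%d host=%q enabled=%t writable=%t\n", f.Index, f.HostPath, f.Enabled, f.Writable)
	}
	fmt.Println("guest can reach host folders:", exposed)
}
```

Point it at every .vmx under your VM directory (the program reads the text of one file; wrapping it in a filepath.Walk is the obvious extension) and treat any machine that reports "true" as one where the guest could still reach the host file system until the GUI workaround or the isolation setting is applied.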



Published: 2008-02-23

Another quiet day around the ISC fire

We've run out of posters to put on the dart board, so we've started playing a version of tic tac toe that involves tossing old CDs into a grid marked in the snow.

Like yesterday, a few emails have trickled in. Only one that I want to bring to the diary at this point. I will update this article with additional notes if anything else comes up:

From reader Pär we have the following information:

There is a new vulnerability in the TCP stack in OpenBSD allowing for a remote denial of service by causing a kernel panic.


A patch is available and can be downloaded at ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/007_tcprespond.patch.




Published: 2008-02-22

Quiet day around the ISC fire, Vista SP1 breaks stuff

As most of us on the East Coast from about DC on North are stuck in the Winter "Storm" we have up here, it's been a rather quiet day around the ISC offices.   We've started throwing darts at the posters of the vendors we don't like.  Everyone keeps threatening to hit the big red button that turns the internet off just because it's my day of being a handler.

A couple of emails came in, though:

1) One report of some bad Symantec AV definitions, "2/21/2008 rev. 2" is apparently crashing some systems.

2) One email stating that apparently Vista SP1 breaks a number of security programs: "Bitdefender AV and Internet Security v.10, Fujitsu Shock Sensor v, Jiangmin KV Antivirus v. 10 and 2008, Trend Micro Internet Security 2008, Rising Personal Firewall 2007, and Zone Alarm Security Suite 7.1.105"  I looked it up.  Microsoft has a KB on the issue.  See it here.

So, all in all so far, a quiet day.  Go play in the snow with your kids if you can (if you are able, if you have snow, if you have kids, and if you aren't defending your network tooth and nail).

I'll post more later if something else comes up, or if you guys write in with more fun topics.

In the meantime, I'll be right back.  Someone is throwing snowballs in the ISC underground lair.


Joel Esler






Published: 2008-02-21

In memory of hard disk encryption?

In security we generally claim there is no silver bullet, or that no measure protects you in 100% of cases.

Typically we think of the hardware of our computers in a specific way. One of those assumptions is that the contents of RAM are gone as soon as you turn off the power. Makers of software such as ssh-agent, PGP software and hard disk encryption software rely on encryption keys in RAM being erased when the system is turned off.

Newly published research goes a long way to show that the hardware isn't behaving like most of us think it is, and that memory modules, even when removed from the motherboard, can retain data for seconds to minutes, allowing retrieval of the cryptographic keys.

The abstract of the paper: "Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them."

So what does that mean to us?

  • We might have a new way down the road to do forensics and extract memory images of corrupted systems more reliably than to have to trust the infected system to create the image.
  • Encryption keys in memory might not be safe, and the OS might not be able to protect them from access. While some keys need not stay in RAM for long, others, e.g. the keys used to decrypt a hard disk, are non-trivial to keep in memory for only a short time.
  • Other secrets kept in memory are likely to have the same problems: think about ssh-agent keeping a copy of your private ssh key ready to let you log in on a remote system, or about PGP keeping the private key ready so it does not bother you with the passphrase for every email you send or read.
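To make the "finding cryptographic keys in memory images" part of the abstract concrete, here is an added example (written for this diary, not code from the paper's authors): a Go program that hunts for AES-128 keys in a memory image by exploiting the redundancy of the key schedule, in the spirit of the approach the paper describes. It rebuilds the S-box from its definition, expands every 16-byte window into its 176-byte schedule and accepts a window when the derived round keys differ from memory by at most a few bits. The memory image is constructed inside the program, with the FIPS-197 example key planted at a known offset and three bits flipped to simulate decay; the fixed error tolerance is a simplification of the paper's error-correcting search.

```go
package main

import (
	"fmt"
	"math/bits"
	"math/rand"
)

// gfMul multiplies in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1.
func gfMul(a, b byte) byte {
	var r byte
	for b != 0 {
		if b&1 != 0 {
			r ^= a
		}
		carry := a & 0x80
		a <<= 1
		if carry != 0 {
			a ^= 0x1b
		}
		b >>= 1
	}
	return r
}

// buildSbox derives the AES S-box from its definition (inverse in GF(2^8),
// then the affine map) rather than pasting the 256-entry table.
func buildSbox() [256]byte {
	var s [256]byte
	for x := 0; x < 256; x++ {
		inv := byte(0)
		if x != 0 {
			inv = 1 // x^254 is the inverse; square-and-multiply
			for base, e := byte(x), 254; e > 0; e >>= 1 {
				if e&1 == 1 {
					inv = gfMul(inv, base)
				}
				base = gfMul(base, base)
			}
		}
		v := inv
		for i := 1; i <= 4; i++ {
			v ^= bits.RotateLeft8(inv, i)
		}
		s[x] = v ^ 0x63
	}
	return s
}

var sbox = buildSbox()

// aes128KeySchedule expands a 16-byte key to the 176-byte round-key array of
// FIPS-197; this redundancy is what makes a key findable in a dump.
func aes128KeySchedule(key []byte) []byte {
	w := make([]byte, 176)
	copy(w, key[:16])
	rcon := byte(1)
	for i := 16; i < 176; i += 4 {
		t := [4]byte{w[i-4], w[i-3], w[i-2], w[i-1]}
		if i%16 == 0 { // RotWord, SubWord, Rcon on the first word of each round
			t = [4]byte{sbox[t[1]] ^ rcon, sbox[t[2]], sbox[t[3]], sbox[t[0]]}
			rcon = gfMul(rcon, 2)
		}
		for j := 0; j < 4; j++ {
			w[i+j] = w[i-16+j] ^ t[j]
		}
	}
	return w
}

// KeyHit is a candidate key located in the image.
type KeyHit struct {
	Offset    int
	Key       []byte
	BitErrors int
}

// FindAES128Keys treats every offset's 16 bytes as a candidate key, expands
// them, and counts the bits in which the expected 160 derived bytes differ
// from memory. A genuine schedule matches with 0 errors on a fresh image and
// a few on a decayed one; random data disagrees in about half its bits.
// Decay inside the first 16 bytes is not corrected here; the paper's
// algorithm scores the whole schedule so it can recover from that as well.
func FindAES128Keys(image []byte, maxBitErrors int) []KeyHit {
	var hits []KeyHit
	for off := 0; off+176 <= len(image); off++ {
		sched := aes128KeySchedule(image[off : off+16])
		errs := 0
		for j := 16; j < 176 && errs <= maxBitErrors; j++ {
			errs += bits.OnesCount8(sched[j] ^ image[off+j])
		}
		if errs <= maxBitErrors {
			hits = append(hits, KeyHit{off, append([]byte(nil), image[off:off+16]...), errs})
		}
	}
	return hits
}

// BuildSampleImage constructs an 8 KiB fake memory image (not a real dump):
// pseudo-random filler with the FIPS-197 example key's schedule planted at
// offset 3000 and three bits flipped in the round keys to mimic DRAM decay.
func BuildSampleImage() (image, key []byte, offset int) {
	key = []byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c}
	offset = 3000
	rng := rand.New(rand.NewSource(42))
	image = make([]byte, 8192)
	for i := range image {
		image[i] = byte(rng.Intn(256))
	}
	copy(image[offset:], aes128KeySchedule(key))
	image[offset+40] ^= 0x01
	image[offset+97] ^= 0x10
	image[offset+170] ^= 0x80
	return image, key, offset
}

func main() {
	image, _, _ := BuildSampleImage()
	for _, h := range FindAES128Keys(image, 8) {
		fmt.Printf("AES-128 key at offset %d (%d bit errors): %x\n", h.Offset, h.BitErrors, h.Key)
	}
}
```

Run as-is it reports the planted key at offset 3000 with 3 bit errors; on a real acquisition you would read the dump file into the buffer instead. The lesson is the same one the paper draws: the structure a key schedule leaves behind is easy to spot, so what matters is whether the product scrubs its keys from RAM on shutdown or sleep, not the strength of the cipher.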

The current trend towards hard disk encryption we see as a means to address other security failures might need to be revised.

I guess it boils down to this: every time the media report on a lost laptop containing some long list of sensitive information, the only questions raised seem to be whether the disk was encrypted and, if not, why not.

For quite some time now I would have liked to see these questions added as well: why was that data sensitive?; are there no better ways to do what that data does (e.g. SSNs are IMHO abused when used to authenticate you; it's like having your password and your login name be the same)?; why was sensitive data stored on a portable device?; where was the absolute need to have the sensitive data?; why was the sensitive data mixed in with less sensitive data?; why was sensitive data allowed out of the organization that collected it?; why was a laptop containing sensitive data left unattended?; ... There usually is a long chain of failures before such data gets leaked. Treating all of them as normal except the last link that was missing from the chain isn't the right, nor a fair, reaction.

From now on there should be even more questions that need answers:

  • How long ago was the laptop turned off?
  • Was the laptop turned off, or just asleep?
  • What encryption product was used, and does it wipe its keys from RAM upon shutdown or sleep?
  • ...

Still, if you have confidential material, disk encryption is one of the layers, just don't use it as the only layer.

More information:

Swa Frantzen -- Gorilla Security


Published: 2008-02-20

A little web mystery

Hi everyone,

This morning we received an interesting message from Paul. He was seeing rather unusual log entries on his web server:

x.x.x.x Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+enUS;+rv:1.7.5)+Gecko/20050207+Firefox/1.0.1 
- http://www.[website].com/file.cfm+%5BPLM=0%5D%5BR%5D+GET+http://www.[website].com/file.cfm+
301 0 64 446 720

Decoded, the request translates into the more readable:


As you can see, this is a bit strange. Apparently the [R] precedes each new request, and multiple requests are concatenated into one. After a bit of investigating, we’re still unaware of what this is trying to accomplish. It looks like HTTP request smuggling, but it is not. Also, “+” is an acceptable sub-delimiter under RFC 3986, but this request would not pass the second request on to the page, so it doesn't appear to exploit an application vulnerability.

We know that the request originated from an open proxy, likely running Bluecoat. In addition, this issue is uncommon, but has been reported by others. If anyone is seeing similar behavior or has ideas, please let us know!


Published: 2008-02-20

Update mechanisms in utility software

Based on Raul's diary last week, I'd like to follow up on updating third party software from a developer's point of view.

Default inbound firewalling has significantly limited the network attack surface posed by core services. Today, issues with tools such as QuickTime, Acrobat Reader, Flash, RealPlayer and others are causing users to get compromised. The good thing about these massively deployed applications is that they usually have strong update mechanisms. Shortly after a vulnerability is identified and fixed, the user is prompted to update.

This is not the case with all pieces of software, though. There’s plenty of software that is not installed on a whopping 80% of all machines, but is popular with a specific user base. At the Internet Storm Center, for example, we have recently seen increased use of exploits targeting users of WinRAR, a popular archiver. While each of these vulnerabilities was remedied years ago, they are still being used to compromise users.

The reason is simple. Some software packages are “tools” that are only run upon opening a specific filetype. These may simply be archives or media files. People don’t expect them to execute code. However, file parsing errors are trivial to make and can quickly lead to code execution.

Infrequent use also means that users will not update these tools. They’re there to be used when needed, maybe only twice a year. There is no pressing reason to upgrade: unless you can’t open the latest gadget, you will not.

As such, developers should really implement mechanisms to prompt users of their software when an update is available. Naturally, plenty can go wrong with an update mechanism, so keep in mind that:

  • If you expect enterprise deployment, you want to provide a way for corporations to centrally manage the deployed versions, or at least to disable the mechanism. They prefer not to lose control over their base image.
  • You don’t control what your hostname resolves to at the client side. Think about DNS cache poisoning and authenticate your update server to the client;
  • Ensure the updates themselves are signed, so clients can check their integrity;
  • Ensure users are made aware of the difference between a security and functionality update;
  • Let the client report its version to the update server, so it is aware if a large part of the userbase isn't upgrading, and you can find out why.
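Taken together, the bullets above describe a small protocol. The Go program below is an added example (not taken from any vendor's updater) of the publisher and client halves: the publisher signs a manifest offline with an Ed25519 key, the client carries the matching public key, reports its installed version when it checks in, distinguishes security from feature updates, and installs only when the signature verifies, the version is newer and the downloaded package hashes to the signed digest. The hostname, product name and package bytes are constructed placeholders. Fetching the manifest over TLS with a pinned CA (the "authenticate your update server" point) belongs to the transport layer; the signature is what still protects the client if that layer or DNS is fooled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Manifest is what the update server publishes. The signature covers the
// canonical text of the other fields, so a poisoned DNS answer or a
// compromised mirror can serve it but cannot alter it.
type Manifest struct {
	Version   string
	SHA256    string // hex digest of the package
	Security  bool   // security fix vs. feature update (shown to the user)
	Signature []byte
}

// canonical is the exact byte string that is signed; the client rebuilds it
// from the fields rather than trusting any serialization on the wire.
func (m Manifest) canonical() []byte {
	return []byte(fmt.Sprintf("version=%s\nsha256=%s\nsecurity=%t\n", m.Version, m.SHA256, m.Security))
}

// SignManifest is the publisher's side; the private key stays offline and is
// never present on the update server.
func SignManifest(priv ed25519.PrivateKey, m Manifest) Manifest {
	m.Signature = ed25519.Sign(priv, m.canonical())
	return m
}

// compareVersions orders dotted numeric versions ("3.70" < "3.71" < "3.100").
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Decision is the client's verdict on a fetched manifest and package.
type Decision struct {
	Install  bool
	Security bool
	Reason   string
}

// EvaluateUpdate is the client's side: pub is the publisher key compiled
// into the installed binary. Nothing is installed unless the manifest
// verifies, the version is newer, and the downloaded package hashes to the
// value the signed manifest promises.
func EvaluateUpdate(pub ed25519.PublicKey, m Manifest, installed string, pkg []byte) Decision {
	if !ed25519.Verify(pub, m.canonical(), m.Signature) {
		return Decision{Reason: "manifest signature invalid; ignoring server"}
	}
	if compareVersions(m.Version, installed) <= 0 {
		return Decision{Reason: "already current"}
	}
	sum := sha256.Sum256(pkg)
	if !strings.EqualFold(hex.EncodeToString(sum[:]), m.SHA256) {
		return Decision{Reason: "package digest mismatch; refusing to install"}
	}
	kind := "feature"
	if m.Security {
		kind = "security"
	}
	return Decision{Install: true, Security: m.Security, Reason: "verified " + kind + " update to " + m.Version}
}

// CheckRequestURL builds the version-check request; reporting the installed
// version lets the vendor see how much of the user base is lagging.
func CheckRequestURL(base, product, installed string) string {
	q := url.Values{}
	q.Set("product", product)
	q.Set("version", installed)
	return base + "?" + q.Encode()
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key pair for the demo
	pkg := []byte("constructed package bytes for 3.71")
	sum := sha256.Sum256(pkg)
	m := SignManifest(priv, Manifest{Version: "3.71", SHA256: hex.EncodeToString(sum[:]), Security: true})
	fmt.Println(CheckRequestURL("https://updates.example.invalid/check", "archivetool", "3.70"))
	fmt.Println(EvaluateUpdate(pub, m, "3.70", pkg).Reason)
}
```

The enterprise point from the first bullet is a policy knob on top of this: a registry value or config file that the client consults before calling CheckRequestURL at all, so a managed base image can turn the mechanism off without touching the signature checks.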


Published: 2008-02-19

MS Vista - Windows Update Issue


We received information in regards to Microsoft Vista getting into a reboot loop after running the Windows Update.  This is good info and thanks to our reader for sending it in.

The following is from MS PSS (paraphrased):


After installing updates from Windows Update, you may get into a reboot loop where your machine gets to “configuring updates 3 of 3. 0% complete” and then reboots.  The machine then continues to reboot.


 1a. Boot to the Windows DVD and choose the repair option in the lower left hand corner, choose System Restore, and select a Restore Point predating the attempted installation of the updates.

1b. If you don't have the DVD and the Vista came preinstalled on the machine, boot to the Safe Mode options using F8 during startup (tutorial: http://www.bleepingcomputer.com/tutorials/tutorial61.html#vista).

 Once in Safe Mode, invoke System Restore as follows:

 Start | Run | (type in) rstrui.exe | [OK]

 Select an available Restore Point predating the attempted installation of the updates.


 To avoid running into the same problem again, install the following update separately and ASAP:

 A software update is available for the Windows Vista installation software feature:


Download links for manual installation:

 Vista x86 :  www.microsoft.com/downloads/details.aspx

 Vista x64:  www.microsoft.com/downloads/details.aspx


Published: 2008-02-19

Digital Photo Frame replies

Several days ago a reporter from the San Francisco Chronicle contacted me because she had read my diary regarding the possible contamination of digital photo frames sold around the Christmas holidays. These frames were purchased from a variety of stores around the country and from what we can gather there are different manufacturers and models.  It has not been an easy task trying to pull all of the details together and is perhaps one of the mysteries that will never be solved to most everyone’s satisfaction.

I am going to try to answer the questions that came in to the Internet Storm Center yesterday.  I decided rather than answering them one on one, I would take a stab at answering all of the questions in a diary format.

So here goes:

Several people wanted to know if their particular frame has been reported to be infected.

             At this point the only 3 that have been identified by name are the Insignia 10.4”, the ADS 8” and Uniek brand.  

Where were the frames purchased?

             We have had reports of frames purchased at various locations throughout the US.  Best Buy, Sam’s Club/Walmart, Target, Costco have all been identified. We know that Best Buy pulled their frames off the shelves.

Many people wanted to know how they can tell if their computer has been infected by their digital frame.

             There are many different “theories” on just what infection has occurred.  If you do a Google search for digital photo frame infections you will come up today with 70,400 hits.  I have not looked at all of the articles of course. However the ones that I have looked at all boil down to basically a malware infection.  As for identifying exactly which one you may have, that is a tough one.  Unfortunately, each of the anti-virus manufacturers has their own twist to it and each has given it their own name.  It would be so nice for many reasons if we could get this part of our world standardized.  It has been identified as Autorun.e, Autorun.worm, and Mocmex. Some of the individual components are identified with additional names.  I wish I could give you a list of what files to look for but I can’t.  First of all the lists that I have seen are many and secondly, this list may change continuously. The nature of many of these worm outbreaks is that they change their file names (identity) continuously in order to avoid detection.  To actually print this list would be irresponsible I think because it may give a false sense of security if you don’t find one of these files on your disk.  I would like to urge everyone to check out their anti-virus programs to make sure that they are current and that the definitions are up to date.  One of the reports that I have read says that this infection may disable your anti-virus programs and/or your firewall programs.  Your best line of defense is prevention.  Anti-virus, anti-spyware software and firewalls are your computer's best friend if used correctly.  Just remember, in most cases these programs expire every year and need to be renewed annually.

What else?

The digital picture frames are not the only devices that are potential candidates for infection.  Any device that uses a USB connection, any device that allows data whether images or files to be stored, any device that connects 2 devices together to share data may be at risk.  We have had reports in the past of hard drives (both external and internal), USB Sticks/Flash Drives/Thumb Drives, Camera cards, iPods, MP3 players, etc being infected.  Again to try to determine where the initial infection occurred is nearly impossible. 

 Just today we received an email from someone who has witnessed and has evidence of an infection at a photo Kiosk at a retail store. His email had this to say:

  “Recently I found a virus on it called Troj_Agent.SAO, which is what Trend Micro named it.  Anytime you plug a removable device into it, it would create two files Autorun.inf and autorun.exe.  The exe would place itself in the recycler\recycler folder and the .inf would place itself on the root of the removable drive as a hidden file.  At first I thought this virus came in on one of our employee’s pen drive but after further investigation I discovered that the files that the virus uses were created on the kiosk the day it was shipped out to us.  Also our vendor is using this kiosk in some of their stores at the moment and there have been reports that the kiosks have given their customers a virus. “ 

These photo kiosks are wonderful, allowing you to professionally print the photos from your camera’s memory card.  You put the memory card into the machine, it brings up a preview of the pictures and you select which you want to print. 

There are so many possible means of infection.  There are so many ways that the infection can spread.  The best advice that we can give is:  Anti-virus, anti-spyware, firewall protection.  As I tell my “students” in the workshops that I give…  “You need to become intimate with your computer.  You need to know how it acts when it feels good. Then when it doesn’t feel good… pay attention.  Run a virus scan, run a spyware scan, check to see if any programs have been installed that you don’t know about.” 

I wish that we could require all of our drivers on the Information Highway to have a license to operate.  I wish that we could require all of our Internet users to take a course on Netiquette.  But we can’t, so all we can do is educate when we can and help people to understand the power they have in their hands.





Published: 2008-02-18

Send your Staff to Security Conventions

I just got back from ShmooCon 2008 (http://www.shmoocon.org/) with a notebook full of scribbles and a wiki full of links.  I recommend that companies of all sizes send people to their local security conventions in addition to the larger ones.

How to get the most out of the experience:

Take Notes

Don’t worry if the 1337 Hax0r next to you is looking at you like you’re from the media. Take notes; fill in gaps from the presenter’s power-point. Jot down: links and tools that they mention, concepts you don’t immediately understand, how it affects your workplace and ideas that their talk inspires.

Attend Random Talks

Having a solid plan of what you want to listen to is good. Throwing in a little chaos into the schedule is better. It’ll expose you to new things. I had an excellent example this weekend while attending Sethi and Bhalla’s presentation on Aspect Oriented Programming. I’m not a developer, but now I have something to talk to them about when I get back into the office.

Put the Talks Together

The concepts in each individual talk can be combined with other talks. Another example from this weekend, take Jay Beale’s talk on Client-side attacks with Josh Wright and Brad Antoniewicz’s talk on EAP exploitation to get a feel for the importance of client-side configuration management and security. Or take some lessons learned from Isaac Mathis’ talk on the cultural impacts on security and Matt Weir’s “Smarter Password Cracking” talk to build culture-specific dictionaries.

Bringing the Message Home

Take your notes, rewrite them so that they’re legible, add links to papers, tools, and other talks. List out the impacts to your organization. List out the to-dos in one place so you can track them.
Spend some time writing up some of the key-findings for management. Make recommendations for changes and new projects. This will make them feel better about the money they spent sending you.
At Defcon 14 (circa 2006) there was a talk on blackjacking. I took elements of that talk to influence the corporate Blackberry policy and get application white-listing added before the devices were widely deployed. I can only imagine how much help-desk work that step has saved, let alone the security incidents.

What if I can’t go?

Sometimes you can’t go. And you certainly can’t go to all of them. For big conventions that I can’t attend, I keep an eye on the blogs of people who did get to go, and I keep an eye on the presentations as they are published. Sometimes, the talks will appear on youtube or on the convention site itself. Take time to read through them, and follow the same process: take notes, identify impacts, record inspiration, and combine talks.


Published: 2008-02-17

IT Security in the SMB - Follow-up

Two weeks ago, I posted a call for input asking for feedback from people in the field for the Small to Medium Business from the diary entry at http://isc.sans.org/diary.html?storyid=3923.

 I want to take a moment to thank all of you that responded. While the sample taken from the response is relatively small, there were a few common themes in the responses that were received.

 First, it does appear as if the integrated all-in-one style products have definitely been a step in the right direction. However, independent of additional pressure, the indication seems to be that more times than not, security stops there. This is unfortunate as it appears that there is still a large segment of this community that can be sold on edge device or perimeter defense mechanisms and then they believe they are done.

Second, this market space very often has the specific complication that there is no full-time IT staff. Technical support issues are sometimes a collateral duty for another position, or they are handled by a consultant brought in as needed. However, "as needed" typically involves reactive instead of proactive drivers, resulting in an inability to apply proper preventive techniques until it may be too late. Taking it a step further, in the event that a company does have an in-house IT employee, it is more likely that this person will be focused on production and production support issues, which will sometimes interfere with IT security controls.

Third, I was very happy to receive some stories that indicate a successful integration of IT security into the SMB space. However, I did notice that the underlying reason for this success has been due to external business pressure. This observation is consistent with my own experience in the field and is likely a key identifier as to whether the SMB market space is going to be "doing the right thing" to protect their systems and networks. Regulatory compliance requirements have helped some, but pressure from clients appears to have reigned supreme in pushing movement in this area. If, in order to do more business, a company must pass a third party IT security audit, then the SMB business leader can make a direct correlation between an ability to present an environment that is well protected with an ability to gain new business. It should be no surprise that this direct of a tie between good security practices and the bottom line is a very powerful motivational factor.

Finally, in conjunction with the first observation, I am very concerned about some of the responses that seem to indicate that SMB leaders very often unintentionally or intentionally ignore the insider component. Because they have a secure perimeter device, they tend to not see the need to protect the internal end-user devices. These devices often lack anti-virus, have no patch management processes and do not use anti-spyware/ad-ware solutions. Further, my observation is that in an SMB company, there is a much higher level of trust given to internal employees. In these companies, everyone usually works out of the same office and everyone knows everyone. This makes for a hard sell in many cases when it comes to deploying security tools and practices that are typically associated with a lack of trust of internal staff, such as proxy servers.

So how can we use this information? Well that depends who you are.

I anticipate that most of the people reading this article who deal with the SMB space are going to be consultants. I'm probably not telling you something you don't know, but if they are using your services, they are most likely looking for a silver bullet. All you can hope to do is educate them without making them feel like you're just there to suck them dry of every dollar they have to spare. Keep in mind that there will not be people on staff monitoring and maintaining the environment, so as much automation to patch maintenance and updates as possible is going to be key. Try not to stop at perimeter security and if the client is unwilling to pay for a commercial anti-virus/anti-spyware product, deploy one of the many free ones that exist out there today. When new security issues or threats come out that have a very simple fix, try to communicate this to your customer base in a manner that can allow them to fix themselves without having to call you. Keep in mind that SMB businesses tend to be fragile and come and go on a constant basis. If you can do your part to help them be successful, you will be helping yourself by increasing their probability of overall success as a business, which will mean more business for you in the long term. Even if the client's business goes under, business leaders talk with each other and word of mouth advertising will work in your favor.

If you are the one-man IT staff in an SMB market space, your company is already head and shoulders above others in this field. If you're reading this article, you're even another notch up from that because you are already interested in IT security issues and are hopefully applying this concern and knowledge in your environment. I want to urge you to think about the security objectives you are having difficulty getting implemented and try to find a way to prove a tie to the bottom line or a return on investment. This is a challenge, but is the most effective method to break down the final barrier. Also, think about areas of your job where you are sacrificing security principles in order to "just get the job done". Can you educate your higher ups about why this is not a very good idea without putting your job at risk?

If you are an SMB business leader and reading this article, I applaud you. Thank you for working to understand the reality of IT security in your business. Educate yourself on what regulatory compliance issues affect your business. If you are in a position where you do have an internal IT staff, does that person have enough autonomy that they can tell you or other executives within your business that they are asking something that puts your company at risk? Can you give them a way to say "that's a bad idea" without putting their job at risk? You want to listen to their concerns and behave accordingly. Even if you decide to say, "I understand your concerns, but I want to do it anyways" the mere fact they feel comfortable expressing concerns and can be taken seriously when they do will make a big difference. If you are hiring a consultant to handle these needs, I would like to encourage you to build in routine "maintenance" calls to have them come by and just do a general health check on your systems. Depending upon the criticality of your IT assets, this could be weekly or monthly. They should do things such as, check for any patches required, assess if there are any hardware issues that need to be addressed, ensure that both perimeter and internal defenses are all up to date and are doing their job and finally, review logs on perimeter defense devices, end-user workstations and servers to determine if there are any warning signs of a problem. While you have personal interaction with your employees and probably have a high degree of trust, when it comes to IT security, this can interfere with doing the right thing. Even if your employees’ intentions are in the right place, they can often do things to put your business at risk unintentionally, so do not dismiss processes, tools or technologies that you perceive as calling into question whether your staff can be trusted.


Published: 2008-02-15

Doing an audit/pentest or other assessment? Here is part of the report for you.

Audit, Security Assessments, Penetration testing and its little sister vulnerability scanning are useful tools to get an idea of the weaknesses in your network.  It is important enough for standards such as PCI-DSS, ISO/IEC 27001, SOX and others to insist on it, and many governments around the world insist on it for their agencies.  So we’ll give people a hand and help you with the report.

How can we do that?  Easily: we are all individuals, but we all are red inside, have a head, arms, legs, fingers and toes, although the numbers may vary.  Likewise, networks have firewalls, routers, switches, servers, desktops, networking staff and, let us not forget, users.  So not surprisingly, the issues you come across when doing assessments are remarkably similar from organisation to organisation.  The degree of the issue may vary, but you will find many of them in every organisation. 

Why is that?  Hands up those of you who love documentation and can honestly say yours is all up to date and accurate?  Hands up those of you who have all the staff you need, the budget, senior management support, Oh and no users, if you have all of this, then well done.  For the rest of us the world is not quite that rosy, which is why every network has security issues and many of them are the same for everyone.

No doubt for some of these your response will be, “well duh”, but you’d be surprised how many organisations have these issues.   So let us start the report. 

  • Fill company name in here does not have an effective patching process in place.  The servers examined require numerous patches, some going back as far as 2000.  Workstations likewise require patching to be brought up to date.
  • Servers are not hardened or the SOE is not being enforced.
  • A number of test/training/generic accounts exist with weak passwords such as the account name, password, day of the week, .... Access provided to these accounts is permissive and provides access to confidential information.
  • The SA account on the MSSQL server has a blank/weak password allowing the creation of domain administrator accounts (game over).
  • Internet facing servers are running vulnerable versions of web/ftp/OS software.
  • LDAP/Edirectory/AD allows anonymous queries
  • Network devices are managed using telnet
  • Default SNMP community strings are used disclosing server/switch/router information
  • Policies do not exist or are inconsistently/not enforced
  • Procedures are not documented
  • Logs are not monitored or irregularly monitored
  • Internet facing applications are susceptible to XSS/SQL Injection  attacks.
  • Email headers leak internal IP addresses and names.

That will do from me for now.  All of the above we see over and over and over again.  If you have some to add let me know, ideally you’ve seen them in a number of organisations and they are on the "why don't they just fix it list".
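The last finding on the list is the easiest one to check for yourself. As an added example (not part of Mark's report), the Go program below parses an outbound message as it would arrive at a recipient and flags every RFC 1918 or loopback address in its headers, which is exactly what an assessor reads out of your Received: lines. The message is constructed for the example, using .invalid domains and documentation addresses; send yourself a message from inside the organisation to an external mailbox and feed the raw source to the same function.

```go
package main

import (
	"fmt"
	"net"
	"net/mail"
	"regexp"
	"sort"
	"strings"
)

// sampleMessage is a constructed outbound message as it would arrive at a
// partner's MX: the public relay is fine, but two inner hops and a client
// header expose RFC 1918 addresses and an internal hostname.
const sampleMessage = `Received: from mail.example.invalid (mail.example.invalid [203.0.113.10])
	by mx.partner.invalid with ESMTP id k1E9CVq0012345;
	Thu, 14 Feb 2008 09:12:31 +0000
Received: from exch01.corp.local (exch01.corp.local [10.1.2.15])
	by mail.example.invalid with ESMTP; Thu, 14 Feb 2008 09:12:29 +0000
Received: from [192.168.5.44] (helo=ws-jsmith)
	by exch01.corp.local with ESMTP; Thu, 14 Feb 2008 09:12:27 +0000
X-Originating-IP: [10.1.2.15]
Message-ID: <20080214091229.1234@exch01.corp.local>
From: jsmith@example.invalid
To: someone@partner.invalid
Subject: constructed sample

body text
`

// internalNets are the RFC 1918 ranges plus loopback.
var internalNets = func() []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"} {
		_, n, _ := net.ParseCIDR(c)
		nets = append(nets, n)
	}
	return nets
}()

var ipv4Re = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)

// Leak is one internal address seen in a header of an outbound message.
type Leak struct {
	Header string
	IP     string
	Value  string
}

func isInternal(ip net.IP) bool {
	for _, n := range internalNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// FindInternalIPLeaks parses a raw message and reports every RFC 1918 or
// loopback address in any header. All headers are checked, not only
// Received, because clients and gateways add their own (X-Originating-IP
// and the like). Results are sorted so output is stable.
func FindInternalIPLeaks(raw string) ([]Leak, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	var leaks []Leak
	for name, values := range msg.Header {
		for _, v := range values {
			for _, cand := range ipv4Re.FindAllString(v, -1) {
				if ip := net.ParseIP(cand); ip != nil && isInternal(ip) {
					leaks = append(leaks, Leak{name, cand, v})
				}
			}
		}
	}
	sort.Slice(leaks, func(i, j int) bool {
		if leaks[i].Header != leaks[j].Header {
			return leaks[i].Header < leaks[j].Header
		}
		return leaks[i].IP < leaks[j].IP
	})
	return leaks, nil
}

// UniqueInternalIPs reduces the findings to the distinct addresses exposed.
func UniqueInternalIPs(leaks []Leak) []string {
	seen := map[string]bool{}
	var ips []string
	for _, l := range leaks {
		if !seen[l.IP] {
			seen[l.IP] = true
			ips = append(ips, l.IP)
		}
	}
	sort.Strings(ips)
	return ips
}

func main() {
	leaks, err := FindInternalIPLeaks(sampleMessage)
	if err != nil {
		panic(err)
	}
	for _, l := range leaks {
		fmt.Printf("%s: %s  (%s)\n", l.Header, l.IP, l.Value)
	}
	fmt.Println("distinct internal addresses exposed:", UniqueInternalIPs(leaks))
}
```

The fix is on the outbound gateway, not in the client: strip or rewrite the inner Received: lines and client-added headers before the message leaves, and the assessor's only data point becomes the public relay.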


Mark H - Shearwater


Published: 2008-02-14

Updating third-party software: The Good, the Bad and the Ugly

This is the last post in the series on updating third-party software. As I reflected in a previous post, I've recently seen multiple glitches in the update process for various commonly used client software when the official update tools are used. If the update process does not work efficiently and accurately, it means only one thing: lots of end users are vulnerable and exposed to all the client attacks we are seeing in the wild. Let's analyze some current examples for Windows (XP SP2):

  • QuickTime 7.4.1: As we announced last week, a new QuickTime update, 7.4.1, was released to fix a security vulnerability. Apple's Software Update (ASU) tool ("C:\Program Files\Apple Software Update\SoftwareUpdate.exe"), or the QuickTime (QT) update feature at "Help -> Update Existing Software...", does not detect the latest version, 7.4.1, on a system running 7.4. This was also the case with the update from QuickTime 7.3 to 7.3.1. This behaviour occurs under Windows, but not under Mac OS. QuickTime 7.4.1 can be manually downloaded from Apple's website.
    The update tool connects to "qtsoftware.apple.com" and requests "/cgi-bin/query2?" with a few parameters. If the "lang=xx" value in the request is different from "us", then it reports back that the latest QuickTime version is 7.0.3!! If the value is "us", then it reports back 7.4.1 and 7.1.6 (for older Windows OS versions) as the latest available versions.
    In the non-US case, it requests and retrieves multiple files from various Apple sites (swcatalog.apple.com, swcdn.apple.com, etc.), and although the final file contains references to 7.4.1, they are not taken into consideration.

    A couple of anonymous ISC readers confirmed a similar behaviour and even notified Apple. It seems Apple does "not believe that this issue is a security exposure". Sorry, but I disagree.

    IMPORTANT!! Yesterday multiple buffer overflow vulnerabilities were released for the QuickTime "QTPlugin.ocx" ActiveX control (including version 7.4.1) that may allow the execution of arbitrary code within the context of the application invoking the ActiveX control (such as Internet Explorer). There is no patch available yet and a DoS exploit is publicly available, and it works. It is recommended to disable the control on IE ("Tools -> Manage Add-ons") or set the kill-bit for CLSID 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B through the registry.
  • Java 6 Update 4: Last month we announced the latest Java update, which includes lots of fixes. Even today (a month later), if you run the Java update tool (C:\Program Files\Java\jre1.6.0_0X\bin\jucheck.exe), it reports back that the latest version is Java 6 Update 3. The update process ends up requesting the following XML file: http://javadl-esd.sun.com/update/1.6.0/map-1.6.0.xml. As you can see, it references "http://javadl-esd.sun.com/update/1.6.0/1.6.0_03-b05.xml", that is, Update 3.

    As Sun is using Akamai to balance the load, we tested this at the ISC from different places around the world and it seems it is always the case (Thanks to fellow handlers Daniel, Stephen and Bojan!). You can manually download the latest version from Sun's website.

    It is important to emphasize that Java updates do not remove the previously installed and vulnerable versions, so you need to remove them manually. Don't forget about it unless you have a reason not to do so!
  • Unprivileged user vs. Administrator: Some third-party Windows applications do not show the availability of new updates unless you are running as Administrator. I understand that the installation must be performed with Admin privileges, but the check could be done as a regular user. Best security practices recommend working as a regular user unless you need to perform administrative operations, so we have a serious conflict here! Just a few examples:
    • Adobe Reader does not show the "Help -> Check for Updates..." menu unless you are running with Administrator credentials.
    • Thunderbird grays out the "Help -> Check for Updates..." menu if you run as a regular user.
    • The Microsoft Update Web page can be accessed as a regular user, but it clearly indicates you need Administrator privileges to install updates from the Website. The problem is that even if you run Internet Explorer as Admin through "Run as...", it doesn't work. You can see and download the updates, but when they are going to be installed, they fail. This is not the case with the automatic updates, as the "Automatic Updates" service uses the local System account.
    Therefore, the conclusion is that you need to periodically (every day?) log in as (or run things as) Administrator to perform periodic checks for new updates. Obviously, this is not practical for end users, so we clearly need to improve the third-party update mechanisms in Windows to be accurate, up-to-date and work smoothly from non-privileged accounts.

Raul Siles



Published: 2008-02-14

Cisco Unified Communications (VoIP) Vulnerabilities: Update your IP phones!

Cisco has released a couple of security advisories covering vulnerabilities in their IP Phones and the Unified Communications Manager (UCM):

  • Cisco IP Phones present multiple serious overflow and DoS vulnerabilities. It is time to update your VoIP phones! These issues affect phones using Skinny (SCCP) and/or SIP. The vulnerabilities affect several phone components, and the first four are especially relevant:
    • DNS (CVE-2008-0530): Malicious DNS responses may trigger a buffer overflow and execute arbitrary code on a vulnerable phone.
    • SSH (CVE-2004-2486, old CVE): Buffer overflow in the phone SSH server that may allow remote code execution with system privileges.
    • SIP (CVE-2008-0528): Buffer overflow when handling MIME on SIP messages that may allow remote code execution.
    • SIP (CVE-2008-0531): Heap overflow when handling SIP challenge and response messages with the SIP proxy that may allow remote code execution.
    • ICMP (CVE-2008-0526): DoS due to large ICMP echo request packets (another ping of death!).
    • HTTP (CVE-2008-0527): DoS due to specially crafted HTTP requests to the phone HTTP server.
    • Telnet (CVE-2008-0529): Buffer overflow may allow privilege escalation.
  • Cisco UCM is vulnerable to SQL injection (CVE-2008-0026): An authenticated user could access sensitive database information, such as usernames and password hashes, and call records, plus alter or delete call record information from the database. Update to UCM versions 5.1(3a) or 6.1(1a). The flaw is in the key parameter of either the admin or user interface page.

If you cannot immediately update your IP phones (please, do it asap!), disable the unused affected services on all your phones (which in practice means disabling almost all ways of remotely managing the device: HTTP, SSH, Telnet...) and/or filter remote access to them using ACLs.



Published: 2008-02-14

Tools for updating third-party software

Last week we pointed out multiple vulnerabilities in commonly used client software. Several readers replied to my request asking for tools used to update third-party software, and the most recommended tool for Windows is Secunia PSI (Personal Software Inspector), still in Release Candidate (RC-1) state, for personal use only (they also have a commercial version).

Other options are UpdateStar (Windows), SUMo - Software Update Monitor (Windows), VersionTracker [Pro] (Mac and Windows), RadarSync (Windows), UDC - UpdateChecker (Windows), Belarc Advisor (Windows), and App Update Widget (Mac). For Linux you are pretty much tied to the software package manager of the distribution you like to use. I strongly encourage you to evaluate the best tool that meets your needs.

Thanks to all the readers for submitting their suggestions!

I honestly think this is something we need to take very seriously, as most malware and attacks today (targeted, botnets, etc) are focused on the clients, exploiting OS and third-party software vulnerabilities (plus social engineering). The two sides of the coin are:

  • Corporate environments (not covered by this post) that frequently (in my own experience) present disheartening scenarios, having vulnerable outdated systems without patches for several months.
  • Small organization, SOHO environments, independent professionals, end users, etc. We need to find solutions to deal with all the frequent security updates and simplify the user's software update life.

I've been testing Secunia PSI on a few computers recently and I got a good first impression. The tool scans the system and detects not only vulnerable installed software but also leftover installations that may still be lying around on the file system. It is focused on outdated vulnerable third-party software - just from a security perspective. Additionally, it can detect small pieces of software that do not appear in the "Add and Remove Programs" list, such as the Adobe Flash Player Plugin and ActiveX components. My main concern about this tool (shared by Kelvin too) is that the data about your installed applications is sent to Secunia to match it against their File Signatures engine, as they state on their website. The impact of someone getting access to all that information is pretty serious.

No matter what process (even manual if it works for you) or tool you use, all your installed software must be updated in a timely fashion! I know you are aware of it, but some responses to my request came from outdated vulnerable browser versions. Blame me as well, as the software update checks do not always work as expected. More about this in a near-future post...

-- Raul Siles - www.raulsiles.com


Published: 2008-02-13

Bad Trend Micro signature

Luke, Charles, Paul and others reported a bad signature update of Trend Micro today. The effects seem to vary from blocking IBM's Domino to blocking the entire collection of machines.

The bad signature seems to be revision 4.995. Version 4.997 is supposed to not exhibit the problem any longer.

I've not found an official or public word from Trend Micro yet.

Swa Frantzen -- Gorilla Security


Published: 2008-02-12

Stormworms spammy love notes

We received several reports of spam containing Subject lines such as: “Sweetest Things Aren’t Things!, Valentine’s Day, The Love Train” and other similar subject lines. These all included a URL that was just an IP address. Those URLs lead to binaries named valentine.exe. The MD5 on the binaries is changing rapidly, so AV detection based on MD5 or other hash values is not reliable.

We submitted one version to VirusTotal. 12 of the 31 AV engines there recognized it. Valentine.exe is a new version of the Storm worm. Thanks to contributors Doug, Colin, Susan.

Jose Nazario of Arbor Networks has some additional information about this at: http://asert.arbornetworks.com/2008/02/new-storm-valentines-day-campaign/
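Because the binary's hash changes faster than signatures can follow, a mail filter does better keying on what the campaign cannot easily change: the lure subject and a link whose host is a bare IP address. The classifier below is an added example, not the diary's or Arbor's code; the messages it scans are constructed samples and the "suspicious" threshold (bare-IP link plus either a lure subject or a link straight to an .exe) is an assumption.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Lure subjects quoted in the diary above; matching is case-insensitive and
# tolerates curly apostrophes.
LURE_SUBJECTS = {
    "sweetest things aren't things!",
    "valentine's day",
    "the love train",
}

# A URL whose host part is a dotted quad rather than a host name.
BARE_IP_URL_RE = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(/[^\s<>\"']*)?",
    re.IGNORECASE)


def _norm_subject(subject: str) -> str:
    return subject.strip().lower().replace("\u2019", "'")


def classify(subject: str, body: str) -> Dict[str, object]:
    """Score one message; the verdict does not depend on any file hash."""
    reasons: List[str] = []
    if _norm_subject(subject) in LURE_SUBJECTS:
        reasons.append("known lure subject")
    for m in BARE_IP_URL_RE.finditer(body):
        host, path = m.group(1), (m.group(2) or "")
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            continue  # e.g. 999.1.1.1 is not an address
        reasons.append(f"bare-IP URL to {host}")
        if path.lower().endswith(".exe"):
            reasons.append(f"link to executable {path.rsplit('/', 1)[-1]}")
    bare_ip = any(r.startswith("bare-IP") for r in reasons)
    exe = any(r.startswith("link to executable") for r in reasons)
    lure = "known lure subject" in reasons
    # Assumed threshold: a bare-IP link on its own is only a hint, but combined
    # with a lure subject or a direct .exe download it is the Storm pattern.
    return {"suspicious": bare_ip and (lure or exe), "reasons": reasons}


# Constructed sample messages (subject, body); 203.0.113.0/24 and 192.0.2.0/24
# are documentation ranges, not real hosts.
SAMPLES: List[Tuple[str, str]] = [
    ("Valentine\u2019s Day", "I love you: http://203.0.113.7/"),
    ("The Love Train", "http://203.0.113.7/valentine.exe"),
    ("Meeting notes", "slides at http://intranet.example.org/deck.pdf"),
    ("Valentine's Day", "dinner? https://www.example.org/menu"),
    ("Printer", "ui at http://192.0.2.10:8080/status"),
]


def scan(samples: List[Tuple[str, str]] = SAMPLES) -> List[bool]:
    """Verdict per sample, in order."""
    return [bool(classify(s, b)["suspicious"]) for s, b in samples]


if __name__ == "__main__":
    for (subject, body), verdict in zip(SAMPLES, scan()):
        print(f"{'SUSPICIOUS' if verdict else 'ok        '} {subject!r}: "
              f"{classify(subject, body)['reasons']}")
```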

File valentine.exe received on 02.12.2008 17:28:57 (CET)

Antivirus Version Last Update Result
AntiVir 2008.02.12 Worm/Zhelatin.pb
BitDefender 7.2 2008.02.12 Trojan.Peed.IWX
DrWeb 2008.02.12 Trojan.Packed.357
eSafe 2008.02.11 Suspicious File
Kaspersky 2008.02.12 Packed.Win32.Tibs.ic
Microsoft 1.3204 2008.02.12 TrojanDropper:Win32/Nuwar.gen!B
NOD32v2 2868 2008.02.12 probably a variant of Win32/Nuwar.Gen
Prevx1 V2 2008.02.12 Stormy:All Strains-All Variants
Sophos 4.26.0 2008.02.12 W32/Dorf-AW
Symantec 10 2008.02.12 Trojan.Peacomm
VirusBuster 4.3.26:9 2008.02.12 Trojan.DR.Tibs.Gen!Pac.142
Webwasher-Gateway 6.6.2 2008.02.12 Worm.Zhelatin.pb

Additional information:

File size 119296 bytes
MD5 4e6951fffca1e210e4b9bb24e708b74f
SHA1 a7a8a9796146cd77c287a8d82958ff5456fa8d24
PEiD MinGW GCC 3.x
Prevx info http://info.prevx.com/aboutprogramtext.asp?PX5=471C3E5C00B5389FD25A012AD815B300221371E2


Published: 2008-02-12

Apple security update 2008-001 and 10.5.2 upgrade

Apple released today a Security Update 2008-001 for MacOS X 10.4 fixing 5 vulnerabilities in one patch.

At the same time an upgrade to Mac OS X 10.5.2 was released, which also incorporates the security update all in one package (fixing 8 vulnerabilities). An upgrade like this can be best compared to a Service Pack in the Windows world. It's not just a security fix, but also a functionality upgrade.

As always, Apple packages security fixes into one big patch. Software update will offer it to your mac users that haven't turned the feature off.

Swa Frantzen -- Gorilla Security



Published: 2008-02-12

February Black Tuesday Overview

Overview of the February 2008 Microsoft patches and their status.

Columns: # | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) for clients and servers

MS08-003 Vulnerability in Active Directory Could Allow Denial of Service.
    Replaces MS07-039. Affected: Active Directory. Contra indications: KB 946538.
    Known exploits: No publicly known exploits. Microsoft rating: Important. ISC rating: clients Important, servers Important.

MS08-004 Vulnerability in Windows TCP/IP Could Allow Denial of Service.
    Replaces MS08-001. Affected: TCP/IP Stack. Contra indications: KB 946456.
    Known exploits: No publicly known exploits. Microsoft rating: Important. ISC rating: clients Important, servers Less urgent.

MS08-005 Vulnerability in IIS Handling File Change Notifications Could Allow Privilege Elevation.
    Contra indications: KB 942831.
    Known exploits: No publicly known exploits. Microsoft rating: Important. ISC rating: clients Important, servers Critical(**).

MS08-006 Vulnerability in IIS Handling of HTML-encoded ASP Web Pages Could Allow Remote Code Execution.
    Replaces MS06-034. Contra indications: KB 942830.
    Known exploits: No publicly known exploits. Microsoft rating: Important. ISC rating: clients Important, servers Critical(***).

MS08-007 Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution.
    Contra indications: KB 946026.
    Known exploits: No publicly known exploits. Microsoft rating: Critical. ISC rating: clients Critical, servers Important.

MS08-008 Vulnerability in Microsoft OLE Could Allow Remote Code Execution.
    Contra indications: KB 943055.
    Known exploits: No publicly known exploits. Microsoft rating: Critical. ISC rating: clients Critical, servers Important.

MS08-009 Vulnerability in Microsoft Word Could Allow Remote Code Execution.
    Replaces MS07-060 and MS07-024. Contra indications: KB 947077.
    Known exploits: No publicly known exploits. Microsoft rating: Critical. ISC rating: clients Critical, servers Important.

MS08-010 Cumulative Security Update for Internet Explorer.
    Replaces MS07-069. Contra indications: KB 944533.
    Known exploits: Exploit publicly available. Microsoft rating: Critical. ISC rating: clients PATCH NOW, servers Important.

MS08-011 Vulnerabilities in Microsoft Works File Converter Could Allow Remote Code Execution.
    Contra indications: KB 947081.
    Known exploits: No publicly known exploits. Microsoft rating: Important. ISC rating: clients Critical, servers Important.

MS08-012 Vulnerabilities in Microsoft Office Publisher Could Allow Remote Code Execution.
    Replaces MS06-054. Affected: Office Publisher. Contra indications: KB 947085.
    Known exploits: No publicly known exploits. Microsoft rating: Critical. ISC rating: clients Critical, servers Critical.

MS08-013 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution.
    Replaces MS06-047 and MS07-060. Contra indications: KB 947108.
    Known exploits: No publicly known exploits. Microsoft rating: Critical. ISC rating: clients Critical, servers Critical.


We will update issues on this page as they evolve.
We appreciate updates.
US based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): Mainly due to shared webservers being very affected by this

(***): Mainly due to classic ASP being used on many web servers like shared hosting providers

Swa Frantzen -- Gorilla Security


Published: 2008-02-12

RIM Blackberry outage

A number of readers have contacted us about the current RIM Blackberry outage. It would appear that this is affecting a large number of Blackberry users in the US. Although this is not a security posting, we do understand that a lot of security and system admin staff are attached to their Blackberry, so it's time to hold together, fellow admins, until the e-mails start flowing.

There is a useful RSS newsfeed about the Blackberry service here:  feeds.feedburner.com/Bb-outage



Published: 2008-02-11

Linux Kernel Vulnerability ... and prior

From the “batten the hatches department” (borrowed from slashdot), it seems like we have been doing a lot of battening lately and will do even more in the next…um, week or so?  Here is one for the Linux people on pre-patch Tuesday, oh my…

One of our readers, Chris, said, “http://it.slashdot.org/it/08/02/10/2011257.shtml apparently affecting RHEL5 and OpenSuSE 10.3 amongst other popular distributions, could be rather bad news.”

Gordon sent us this quote from Slashdot:  "This local root exploit (Debian, Ubuntu) seems to work everywhere I try it, as long as it's a Linux kernel version 2.6.17 to If you don't trust your users (which you shouldn't), better compile a new kernel without vmsplice."

Here is the Security Focus Data: 



So get busy people… we will keep you updated!  Send any comments here.





Published: 2008-02-10

Update - Tools for the Home User

Here is the compiled list of tools for the home user. Hopefully this list will grow over time and give people many options for making their systems safer. Please, if you have any more to add, let me know. If you have feedback, it's very appreciated and can make a difference. I passed comments I received on to Charlie over at PacketProtector and he appreciated the feedback. A new version will be out very soon, so keep checking his site. Here is the list of tools in no particular order. As the list grows, I'll try to categorize the tools.


1.  PacketProtector was recently featured on Linux.com and provides some nice features for protecting your wireless home network. PacketProtector is a Linux distribution for your wireless router. Here is a list of the features that you get according to their website:

--a stateful firewall (iptables)
--WPA/WPA2 Enterprise wireless (802.1X and PEAP with FreeRADIUS)
--intrusion prevention (Snort-inline)
--remote access VPN (OpenVPN)
--content filtering/parental controls (DansGuardian)
--web antivirus (DG + ClamAV)
--a local certificate authority (OpenSSL)
--secure management interfaces (SSH and HTTPS)
--advanced firewall scripts for blocking IM and P2P apps
--IP spoofing prevention (Linux rp_filter)
--basic protocol anomaly detection (ipt_unclean)


2.  Endian Firewall Community:   Submitted by JD:  I know many people that throw away
old computers when they purchase new ones. If the home user does not
have a supported router for PacketProtector, they can put their old
computer to good use instead of creating hazardous waste at their local
landfill. Endian has many of the same features as PacketProtector.

"What is Endian Firewall Community?
Endian Firewall Community is a "turn-key" linux security distribution
that turns every system into a full featured security appliance. The
software has been designed with "usability in mind" and is very easy to
install, use and manage, without losing its flexibility.

The features include a stateful packet inspection firewall,
application-level proxies for various protocols (HTTP, FTP, POP3, SMTP)
with antivirus support, virus and spamfiltering for email traffic (POP
and SMTP), content filtering of Web traffic and a "hassle free" VPN
solution (based on OpenVPN). The main advantage of Endian Firewall is
that it is a pure "Open Source" solution that is sponsored by Endian."


3.  K9 Web Protection is BlueCoat's content web filtering solution for the home user. It has good functionality now and promises more in future releases. From their website:

"Blue Coat® K9 Web Protection is a content filtering solution for your home computer. Its job is to provide you with a family-safe Internet experience, where YOU control the Internet content that enters your home. K9 Web Protection implements the same enterprise-class Web filtering technology used by Blue Coat's Fortune 500 customers around the world, wrapped in simple, friendly, and reliable software for your Windows 2000, Windows XP or Windows Vista computer."

They also state the following: 

"The function that K9 provides is not antivirus, anti-spam, or firewall functionality. K9 is a Web filter; it determines where the computer user can go inside your Web browser. (In our upcoming release, we'll also be offering Instant Message/Chat controls, and Peer-to-Peer controls.)"


4.  Windows Sysinternals is a popular submission for inclusion (Thanks Paul and Brian).  It is a collection of tools for troubleshooting and monitoring your systems.  Some are GUI oriented and others are used from the command line.  From Microsoft's website:

"The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their advanced system utilities and technical information. Microsoft acquired Sysinternals in July, 2006. Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications."



It's not a long list, but if you have more, I'll be happy to post them. Thanks to everyone who submitted!




Published: 2008-02-10

ActiveX FAQ

A reader pointed out an interesting set of Frequently Asked Questions done on Microsoft's blog site pertaining to the concept of a kill-bit, which is really just a registry setting. There are so many ActiveX exploits floating around out on the internet. For example, on February 4, fellow handler Mari posted a diary about 6 new ActiveX exploits.

In order to protect your network and your systems, it is key you understand how to defend against this threat.  I highly recommend reviewing the three part series posted on Microsoft's site.  The URLs are below:
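Since a kill-bit is just a registry value, it is worth being able to both set it and audit it without clicking through IE. The script below is an added example (not from the Microsoft FAQ or this diary): it writes a .reg fragment that sets the kill-bit for a CLSID, using the QuickTime control CLSID from the 2008-02-14 diary above, and parses an exported copy of the ActiveX Compatibility key to report which controls actually have the bit set. The registry path and the 0x400 flag value are Microsoft's documented ones; the export text below is a constructed sample.

```python
import re
from typing import Dict

# Per-control compatibility flags live under this key; bit 0x400 is the
# kill-bit that stops Internet Explorer from instantiating the control.
ACTIVEX_COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                      r"\ActiveX Compatibility")
KILL_BIT = 0x00000400
# CLSID of the QuickTime QTPlugin.ocx control named in the 2008-02-14 diary.
QTPLUGIN_CLSID = "{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}"


def normalize_clsid(clsid: str) -> str:
    """Upper-case, brace-wrapped form used as the registry subkey name."""
    return "{" + clsid.strip().strip("{}").upper() + "}"


def killbit_reg_file(clsid: str, existing_flags: int = 0) -> str:
    """Build a .reg file that sets the kill-bit; pass the control's current
    Compatibility Flags so other bits already set are preserved, not clobbered."""
    flags = existing_flags | KILL_BIT
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{ACTIVEX_COMPAT_KEY}\\{normalize_clsid(clsid)}]\r\n"
            f'"Compatibility Flags"=dword:{flags:08x}\r\n')


_SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})\s*$')


def killbit_status(reg_export: str) -> Dict[str, bool]:
    """Parse a text export of the ActiveX Compatibility key (reg export /
    regedit) and report, per CLSID subkey, whether the kill-bit is set.
    A subkey without a Compatibility Flags value is reported as False."""
    status: Dict[str, bool] = {}
    current = None
    prefix = ACTIVEX_COMPAT_KEY.lower() + "\\"
    for line in reg_export.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            key = m.group(1)
            current = None
            if key.lower().startswith(prefix):
                current = normalize_clsid(key[len(prefix):])
                status.setdefault(current, False)
            continue
        m = _FLAGS_RE.match(line)
        if m and current is not None:
            status[current] = bool(int(m.group(1), 16) & KILL_BIT)
    return status


# Constructed export: one control with only the kill-bit, one with an
# unrelated flag and no kill-bit, one with the kill-bit OR'd into other flags.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n"
    f"[{ACTIVEX_COMPAT_KEY}\\{QTPLUGIN_CLSID}]\n"
    '"Compatibility Flags"=dword:00000400\n\n'
    f"[{ACTIVEX_COMPAT_KEY}\\{{11111111-2222-3333-4444-555555555555}}]\n"
    '"Compatibility Flags"=dword:00000004\n\n'
    f"[{ACTIVEX_COMPAT_KEY}\\{{66666666-7777-8888-9999-000000000000}}]\n"
    '"Compatibility Flags"=dword:00000401\n'
)


if __name__ == "__main__":
    for clsid, killed in killbit_status(SAMPLE_EXPORT).items():
        print(f"{clsid}: {'kill-bit set' if killed else 'NOT killed'}")
    print(killbit_reg_file(QTPLUGIN_CLSID))
```

On a real machine, feed the function the output of "reg export" for that key (saved as UTF-8 text) to get the same per-CLSID view.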





Published: 2008-02-09

MSN Messenger Trojan

Two readers sent us notes about some malware circulating on MSN Messenger.

First note:

Seems like every 15 minutes someone else on my MSN buddy list sends me a message with:

 "Hot or Not? hxxp://mymsngallery.my.funpic de/viewimage.php?youremail@someplace.com" 


 "this really looks like you hxxp://mymsngallery.my.funpic de/viewimage.php?youremail@someplace.com"

Where youremail@someplace.com is my email address.  Pulling up the page returns a 876032 byte file that appears to be an executable.

As of this writing the above site is still live and distributing the executable.

Running the malware through VirusTotal gives these results.

A second submission came in a few hours after the first one:

We’ve had a handful of hosts that have been infected via a Trojan that arrives over MSN.  While we don’t have specifics it would appear as though the message is similar to “Here’s a funny pic of you...”.  The link is on the funpic.de domain, we don’t have the full hostname, but understand the site is a photo sharing site in Germany.  The file downloaded is PIC006.JPG-www.photoshare.com.  On the one system our student technicians had access to it also appeared that malware opened a connection to

We had a similar outbreak a few weeks ago with our faculty/staff, but the payload was not the .com file, but rather an “a.bat” and an .exe (I couldn’t find the name off-hand).  While we blocked outbound traffic to the funpic.de domain, we didn’t do it on all interfaces — so again now our students are infected with something similar that should have been prevented.  Lesson learned:  Once you block, test, test, and test!  By the way, Symantec threw a generic Trojan warning on our earlier outbreak and would quarantine the files, but not this one (.com).

If you see any variations on this please let us know via the contact form.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2008-02-09

Adobe Reader exploit in the wild

The Adobe Reader vulnerability (see previous ISC post) is being exploited in the wild! A malicious PDF file (called 1.pdf in this example) served from IP address "" (not active at this time) contains a malware specimen called Trojan, a variant of Zonebac. The IP address belongs to LeaseWeb, a hosting provider in The Netherlands, which we have already notified.

The first and only public report (till now) is available from an Italian forum (original post in Italian), and was posted on January 20. See image here (from the original forum post) for more file details.

If you see other incidents exploiting this, please, let us know.


VeriSign - iDefense sent us some additional information.  Here is what they told us:

VeriSign - iDefense is observing exploitation of a recently patched vulnerability in Adobe Acrobat Reader. This vulnerability was discovered by Greg McManus of iDefense Labs and reported to Adobe in October 2007.

Since January 20, 2008 banner ads are actively serving malicious PDF files that exploit the vulnerability and install the Zonebac Trojan.  Once installed the Trojan kills various anti-virus products and modifies search results and banner ads. 

Until 2 days ago, this attack did not have a patch available while being actively exploited in the wild.  A similar attack occurred in October 2007 when the same group used a Realplayer 0-day exploit to install the Zonebac Trojan.

No anti-virus vendors currently detect the malicious PDF files though we have provided samples to all.  This type of exploit works for both web browser and email attack vectors.  Exploitation affects all 7.x versions of Adobe Acrobat Reader and versions prior to 8.1.2.  Complete mitigation requires upgrading to Adobe Acrobat 8.1.2.

Vulnerability Timeline:

*     Adobe Reader Buffer Overflow Vulnerability (iDefense orig.) (ID#464641, Oct. 10, 2007)

*     Virus Report (http://www.pcprimipassi.it/servizifree/forum/forum_posts.asp?TID=10066, Jan. 20, 2008)

*     Adobe Acrobat 8.1 Undisclosed Buffer Overflow Vulnerability (ID#467355, Feb. 6, 2008)

*     Immunity POC Exploit (http://www.immunityinc.com/partners-index.shtml, Feb. 6, 2008)

*     Adobe Reader Vulnerability Exploitation in the Wild (ID#467384, Feb. 8, 2008)

*     Adobe Security Advisory APSA08-01  (http://www.adobe.com/support/security/advisories/apsa08-01.html, Feb. 7, 2008)

*     iDefense Receives Hostile PDF Sample (Feb. 7, 2008)

*     iDefense Customer Notification (ID#467398, Feb. 8, 2008)

Additional details: 

1c130a41aa6866bc081cf096bbd08da3 1.pdf
68b804a8463c9261b991f1c92e05f801 b.pdf

The Zonebac trojan communicates with the following URLs:


We ran "1.pdf" through VirusTotal and got these results.  Pretty scary!

--Raul Siles



Published: 2008-02-08

Multiple vulnerabilities in commonly used client software

The last couple of days have brought up multiple serious vulnerabilities in very commonly used client software:

As you already know, clients are one of the main targets for attacks nowadays. Ensure your automatic software update mechanisms are working properly or go back to the manual update process, but please, patch! BTW, based on a quick test, at this time only some of the new updates already show up on the automatic update features of the affected products: Adobe Reader and Firefox do, while QuickTime does not.

A topic I have been researching a little bit about recently is "update tools for third-party client applications". What tools do you use to manage updates on commonly used third-party client tools, apart from the expensive corporate solutions? Please, send us your suggestions and I will summarize in a future post.

-- Raul Siles



Published: 2008-02-08

12, count 'em 12 Microsoft Bulletins coming Tuesday

Get some good sleep over the weekend because Microsoft has announced that they intend to release 12 bulletins (7 ranked as critical, by Microsoft, which means 'can result in remote code execution') on Tuesday.  The overview can be found here.


Published: 2008-02-08

Firefox is out

Just a heads up, Firefox is available for manual download via the links on http://www.mozilla.com which means in the next 24 hours we're likely to see it available for automatic download.  The known vulnerabilities page lists 10 issues (3 critical) fixed in this release.  Thanks to roseman for the heads up.


Published: 2008-02-07

ISO 27001 and You

As anyone who has looked at the ISO 27001 standard knows, certification is not easy.

Are you currently pursuing certification?  Are you certified?  Do you care about certification?

Take a moment and answer our new poll and if you're moving down the 27001 road and are so obliged, drop us a note with what worked well for you and what made you want to change careers.




Published: 2008-02-07

Reminder IE7 push on the 12th

Just a quick reminder to those in the corporate world and using WSUS.  

From a technet update email

Volume 10, Issue 3: February 6, 2008

"On February 12, 2008 Microsoft will release the Windows Internet Explorer 7 Installation and Availability update to Windows Server Update Services (WSUS). Windows Internet Explorer 7 Installation and Availability Update is a complete installation package that will upgrade machines running Internet Explorer 6 to Windows Internet Explorer 7. Customers who have configured WSUS to "auto-approve" Update Rollup packages will automatically upgrade machines running Internet Explorer 6 to Windows Internet Explorer 7 after February 12, 2008 and consequently, may want to read Knowledge Base article 946202 to manage how and when this update is installed. For more on the Windows Internet Explorer 7 Installation and Availability Update, read Knowledge Base article 940767."

There are still many organisations that use IE6 because of internal applications that may not work with IE 7 or alternate browsers.  So if you use WSUS and have a need to stay with IE6, you should check out the knowledge base article otherwise the 13th is not going to be a happy day for you.

Mark H - Shearwater


Published: 2008-02-07

New TrueCrypt supports full HD encryption

The latest version of TrueCrypt was released yesterday.  This free open source hard-drive encryption software now supports encryption of the entire disk with pre-boot authentication. I haven't tried it yet on my own, but if it works as perfectly as the previous versions of TrueCrypt, then there is definitely no excuse anymore for lost laptops with sensitive data.



Published: 2008-02-06

Does your anti-virus detect old keyloggers?

I was playing around with the Tiny keylogger 2.0 last night; this is a keylogger written by Tony Segreto. Compared to other hostile malware that comes through the ISC, the intention and purpose of this keylogger is very clear and it didn't seem to trigger the download of other malware. The special thing about this keylogger? It can be downloaded from download.com.

As I was playing, I noticed this keylogger didn't trigger any sort of AV alerts, not exactly what I would expect from a known keylogger. I would personally like my AV to tell me about the existence of a keylogger file on my computer even though this keylogger might not have the most advanced features for semi-automatically getting itself installed on my box.

While it is fair that AV companies need time to come up with signatures and defenses for the latest malware coming over the horizon, this keylogger has been sitting on download.com for years (the file date shows Aug 2005); maybe the AV engines have somehow forgotten about it? What really worries me is that when I do a search on download.com for "keylogger", there are 248 hits, which makes me wonder how many of those keyloggers are caught by the different anti-virus and anti-spyware engines.

The overall coverage by AV vendors on this specific keylogger is very low. Here is the output of Virustotal.

File tkey.exe received on 02.06.2008 15:44:10 (CET)

Antivirus          Version        Last Update  Result
AhnLab-V3          2008.2.6.10    2008.02.05   -
AntiVir                           2008.02.06   -
Authentium         4.93.8         2008.02.05   -
Avast              4.7.1098.0     2008.02.05   -
AVG                               2008.02.06   -
BitDefender        7.2            2008.02.06   -
CAT-QuickHeal      9.00           2008.02.04   -
ClamAV             0.92           2008.02.06   -
DrWeb                             2008.02.06   -
eSafe                             2008.01.28   Spyware.Gen
eTrust-Vet         31.3.5512      2008.02.05   -
Ewido              4.0            2008.02.06   -
FileAdvisor        1              2008.02.06   -
Fortinet                          2008.02.06   -
F-Prot                            2008.02.05   -
F-Secure           6.70.13260.0   2008.02.06   -
Ikarus             T3.1.1.20      2008.02.06   -
Kaspersky                         2008.02.06   -
McAfee             5223           2008.02.05   -
Microsoft          1.3204         2008.02.05   -
NOD32v2            2853           2008.02.06   -
Norman             5.80.02        2008.02.06   -
Panda                             2008.02.05   -
Prevx1             V2             2008.02.06   -
Rising                            2008.01.30   -
Sophos             4.26.0         2008.02.06   -
Sunbelt            2.2.907.0      2008.02.05   Tiny KeyLogger (Segreto)
Symantec           10             2008.02.06   Spyware.TinyKeylogger
TheHacker                         2008.02.06   -
VBA32                             2008.02.05   -
VirusBuster        4.3.26:9       2008.02.05   -
Webwasher-Gateway  6.6.2          2008.02.06   Riskware.KeyLogger.AS


Jason Lam



Published: 2008-02-06

When security improvements backfire

Recently, when conducting an (authorized) security review at a small web hosting provider, I ended up as "root" on all their Unix systems within a matter of hours, and did not even need any l33t buffer overflow or the like. Well-meaning system administrators had tried to improve security of their servers, and had unwittingly ended up making life much easier for the bad guys.

Aware of the constant barrage of SSH password-guessing attacks that is plaguing the Internet, they had switched to public key (RSA) authentication. This in itself is a good thing. That their system maintenance script user had a password-less SSH key to allow for automated logins is a less good thing. The key itself was well protected with file system permissions, but somebody, someday, had also created a TAR archive to back up the maintenance user's environment. Unlike most of the other files, the TAR had permissions set to rw-r--r--, and contained the .ssh folder as well. The RSA key was mine.

Their second security improvement was to introduce "sudo", so that none of their staff had to log in as "root" in the daily course of operations. This again in itself is a good idea. Until I went and checked whether any "sudo" privileges had been granted to the "monitor" user whose SSH key I had just filched:

monitor@gamlumi:/home/monitor$ sudo -l
User monitor may run the following commands on this host:
    (root) NOPASSWD: /home/monitor/dnsrefresh

Some of you are probably already thinking "Ouch!" now. Yes: The above says that user "monitor" can run the command "/home/monitor/dnsrefresh" with root privileges. In itself nothing to cause sleepless nights, but the "dnsrefresh" file sits in monitor's very own home directory, which means that user "monitor" can replace it. A quick copy of /usr/bin/bash netted the expected root privileges.

Even if you now think "this won't happen to me", maybe it is still a good time to:

  • check if you have any "automation" or "technical" users configured that use password-less SSH RSA keys, and if so, make doubly sure that the keys are SAFE. Changing the key and revoking the old one from authorized_keys, just in case, probably won't hurt.
  • investigate whether automation users that use password-less SSH keys can be restricted to the particular command needed. SSH supports the command="..." option in the authorized_keys file to solve exactly this problem. Had they used this feature, I would not have been able to log in as the "monitor" user.
  • review your sudoers file to verify that sudo rights are granted only on programs that are owned by root and sit in a directory owned by root, and that neither the program nor the directory is group- or world-writable.

If you have other good tips on how to detect security problems with "sudo" or "SSH" configurations as a system administrator, before the bad guys do, please send them in and we'll update this diary with a summary of the best.


Published: 2008-02-05

Correction - Yahoo! Data Grid CLSID

Pretty much every news outlet appears to be reporting the incorrect CLSID for the Yahoo! Data Grid ActiveX component. Alert reader Iain pointed this out to us. It appears that the original mistake happened somewhere back in the chain and has simply been perpetuated...

The actual CLSID of the Yahoo! Data Grid: 5F810AFC-BB5F-4416-BE63-E01DD117BD6C
(ref: http://mep.music.yahoo.com/plugins/docs/webquickstart_page.html)

Almost all of the stories that we've seen have listed the CLSID with an extra "2" on the end.

And yes, I was bitten by the issue...  The programs that I wrote to set killbits used the incorrect CLSID.

So... I've gone back and altered the killbit setting apps.  The updated files are available at the links listed below:

The GUI version can be found here (KillBitGui-Feb08.exe - 4096 bytes - MD5: 9428b9c3778b68e768448ca52c7d8dfd)
The CLI version can be found here (KillBitCLI-Feb08.exe - 4608 bytes - MD5: 30c151ab6de460f5844e9b5826495911)

I'll also update older diary posts to reflect the correct CLSID because they have been linked from other sites.

(A big "thank you" to Iain for pointing this out...)

Tom Liston - Senior Security Consultant - Intelguardians


Published: 2008-02-05

GUI Killbit App Available

I've put together a GUI killbit app that should easily allow you to set and clear the killbits for the ActiveX issues announced today.  It works like this:

  1. It first checks whether any of the CLSIDs exist on your system.
  2. If they do, it saves a copy of any value you currently have set for "Compatibility Flags."
  3. It then updates its display to show you whether the CLSID exists and whether the killbit flag is set.
  4. To set the killbit, just check the box beside any ActiveX control that you want to keep from running and then click on the "Set" button.
  5. Our suggestion: set the killbit on all of the ActiveX controls unless you have a really good reason for not setting it. Set the killbit even if you don't currently have the CLSID on your machine (which indicates that the ActiveX control isn't currently installed... you never know when it MIGHT get installed...).
  6. Keep a copy of this program around (or at least remember where you got it) in case you want to undo the settings.
  7. Unchecking a checked box and clicking on "Set" will either remove the CLSID completely (if it wasn't there to begin with) or reset "Compatibility Flags" to its original value.

The GUI version can be downloaded here.
(KillBitGui-Feb08.exe - 4096 bytes - MD5: 078ea6941a9ffab66d9db98ef49f8e1c)

I'll try to put together a command-line version of this program this evening and make it available here tomorrow (U.S. time...).

Tom Liston - Senior Security Consultant - Intelguardians


Published: 2008-02-04

Six ActiveX Vulnerabilities This Week

Symantec is reporting that a total of six buffer-overflow vulnerabilities affecting a number of widely distributed ActiveX controls have been disclosed in the past week. We are unaware of any public exploitation of these vulnerabilities. However, the Symantec DeepSight team has confirmed that these issues can be used to execute code or crash the vulnerable applications.

Admins are advised to set the kill bit for the following CLSIDs as soon as possible:

Aurigma: CLSID 6E5E167B-1566-4316-B27F-0DDAB3484CF7 ('ImageUploader4.ocx')

Aurigma: CLSID BA162249-F2C5-4851-8ADC-FC58CB424243 ('ImageUploader5')

Facebook: CLSID 5C6698D9-7BE4-4122-8EC5-291D84DBD4A0

Yahoo! MediaGrid: CLSID 22FD7C0A-850C-4A53-9821-0B0915C96139

Yahoo! DataGrid: CLSID 5F810AFC-BB5F-4416-BE63-E01DD117BD6C (the value with a trailing "2" that circulated elsewhere is wrong; see the correction diary above)


Security awareness updates should be issued warning about ActiveX controls and safe browsing.
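For admins who would rather push the kill bits through their own deployment mechanism than run the diary's KillBit tool, here is an added Python example (not the diary's code) that generates a .reg file for the CLSIDs listed above and the matching undo file. The registry key and the 0x400 "Compatibility Flags" bit are Microsoft's documented kill-bit mechanism; the GUID validation is the check that would have caught the extra "2" on the DataGrid identifier, and the undo file mirrors the save-and-restore behaviour the GUI tool describes. The saved-flags dictionary is an assumption standing in for whatever your deployment tool read from the clients beforehand.

```python
"""Added example, not the diary's KillBit tool: build a Windows .reg file that
sets the IE kill bit for a list of CLSIDs, rejecting malformed identifiers, and
the matching undo file. Registry location and flag value are Microsoft's
documented kill-bit mechanism."""
import re

KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_FLAG = 0x400  # "Compatibility Flags" bit that stops IE loading the control

# CLSIDs from the advisories above; the DataGrid value is the corrected one.
CLSIDS = {
    "Aurigma ImageUploader4": "6E5E167B-1566-4316-B27F-0DDAB3484CF7",
    "Aurigma ImageUploader5": "BA162249-F2C5-4851-8ADC-FC58CB424243",
    "Facebook": "5C6698D9-7BE4-4122-8EC5-291D84DBD4A0",
    "Yahoo! MediaGrid": "22FD7C0A-850C-4A53-9821-0B0915C96139",
    "Yahoo! DataGrid": "5F810AFC-BB5F-4416-BE63-E01DD117BD6C",
}

_GUID = re.compile(
    r"^\{?([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\}?$", re.I)


def normalize_clsid(value):
    """Return the CLSID as {UPPER-CASE-GUID}; raise ValueError if it is not a
    well-formed GUID (an extra or missing hex digit is the usual copy error)."""
    match = _GUID.match(value.strip())
    if not match:
        raise ValueError(f"malformed CLSID: {value!r}")
    return "{" + match.group(1).upper() + "}"


def killbit_reg(clsids, existing_flags=None):
    """.reg text that sets the kill bit for every CLSID in `clsids`.

    existing_flags maps {CLSID} -> the "Compatibility Flags" value currently on
    the client (assumed to have been collected beforehand); the bit is OR-ed in
    so other flags survive. CLSIDs not present get exactly 0x400.
    """
    existing_flags = existing_flags or {}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for name, raw in clsids.items():
        clsid = normalize_clsid(raw)
        flags = existing_flags.get(clsid, 0) | KILLBIT_FLAG
        lines += [f"; {name}", f"[{KILLBIT_KEY}\\{clsid}]",
                  f'"Compatibility Flags"=dword:{flags:08x}', ""]
    return "\r\n".join(lines)


def undo_reg(clsids, existing_flags=None):
    """The matching undo: restore the saved value, or delete the key if it did
    not exist before (a leading "-" on the key line deletes it on import)."""
    existing_flags = existing_flags or {}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for name, raw in clsids.items():
        clsid = normalize_clsid(raw)
        lines.append(f"; {name}")
        if clsid in existing_flags:
            lines += [f"[{KILLBIT_KEY}\\{clsid}]",
                      f'"Compatibility Flags"=dword:{existing_flags[clsid]:08x}']
        else:
            lines.append(f"[-{KILLBIT_KEY}\\{clsid}]")
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(killbit_reg(CLSIDS))
    # Save the text as killbits.reg and apply it on the client with
    # "reg import killbits.reg" from an administrator prompt.
```

Feeding the wrong DataGrid identifier (the one ending in "…BD6C2") to normalize_clsid raises ValueError instead of silently writing a kill bit for a CLSID no control will ever use.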


Published: 2008-02-04

And yet another cable break in the mid east

On NANOG there are reports of yet another submarine cable in the Middle East that was damaged on Sunday. It's a cable between Haloul, Qatar and Das, United Arab Emirates.

Also interesting is that Egypt claims no ships were near two of the previous cable cuts.

Now even in the face of this many concurrent submarine cable losses, most will still have (reduced) service, so it's not a reason to panic just yet. Still, designing for a quadruple failure isn't the most trivial nor the most economical solution in all cases, especially not when dealing with expensive submarine links.

Submarine cables are essential for Internet traffic because they offer low latency. Geostationary satellites, due to the distance they must be at, add significant delay to the packets, causing trouble for interactive work over those links.

It's a good reminder for those of us who "only" account for double failures when designing systems and networks.

A good question to pose yourself for business-critical applications: what if we had a quadruple failure?
It's a good mental exercise for verifying and potentially enhancing your Business Continuity Plan (BCP) and your Disaster Recovery Plan (DRP). Still, keep in mind that designing for this level of failure, in unused capacity (redundancy), will have significant costs associated with it.

Swa Frantzen -- Gorilla Security


Published: 2008-02-03

Spot Checking Websites using Google Alerts

While thinking of ideas for what cool and interesting thing I could share with our readers, it came to mind that I haven't shared a tip that another university employee (thanks Chris) gave me long ago.

As most of you know, university environments have some unique problems when it comes to data security, problems that result from a cultural mindset. Academic environments are very edge-focused: departments, research groups and individual professors are used to being semi-autonomous and to providing much of their own budget and staff. The central IT group tends to provide only bandwidth and a few central services such as email, web server space, DNS and the like. And the faculty and staff tend to reject any form of restrictive, uniform security policy, leaving the institution with a very uneven security landscape.

With this in mind, university networks end up with a number of unofficial web servers hosting student organization websites or virtual organizations for professors. The developers of these sites may graduate or leave for other positions within the university, leaving the site with little or no maintenance. As the central information security officer, I have no way of knowing every single PHP or CGI program running on every web system on our campus.

Using tools like nmap and Nessus you should be able to sweep your network, identify the web servers, do some level of research, and keep an eye on new servers and applications. However, it would be nice to have something monitoring your websites and alerting on new pages, without pages of results for things you have already seen or dealt with.

Google is already spidering your public hosts routinely, so why not let it do some of the leg work for you? Using Google Alerts, I have set up some alerts to catch comment spam being added to guest books and blogs, and this idea can be extended to other keywords that you need to spot check.

The following are some of the rules I have found useful for finding these web applications and getting a chance to remediate problems before they become bigger problems. Remember to change the site: value to your own domain name if you use these rules.

oxycontin OR levitra OR ambien OR xanax OR paxil OR porn site:university.edu
texas-holdem OR cialis OR viagra site:university.edu
wordpress OR phpbb OR guestbook site:university.edu

If you have other Google Alerts rules you are using that might be useful, please feel free to share them. In the meantime, happy Carnival, Mardi Gras week and Super Bowl Sunday.


Published: 2008-02-02

IT Security in the SMB - Call for input

One of the catch phrases when discussing IT security is the principle that there is no "silver bullet". In other words, there is no single thing or solution that will solve all of your IT security problems. With that in mind, I would like to turn the focus to the small to medium business (SMB). Over the past few years, I have observed a lot of development being done for the SMB market that works to integrate as many different layers of IT security into one product as possible.

At the same time, IT security has become a business "must do" rather than a "should do", thanks to IT security regulations and a change in thinking among business leaders, who have learned over time that IT security can be a business decision driven by ROI.

Given these two factors I have observed impacting this market, my concern is that while SMB business leaders are now more aware of IT security as a necessity, how many of them are falling into the old trap of relying on a single purchase to satisfy all of their needs? Even though multiple-function devices are improving, there is still no silver bullet. Or has the industry made progress in educating these business leaders that security is a journey, not a destination?

I am requesting feedback from anyone who works with these types of businesses and can provide their thoughts from the field. I will look at all of the feedback I get and post a follow-up article on a future shift.


Published: 2008-02-02

Large scale recovery – results

I asked a little while ago what people do for large-scale recovery (http://isc.sans.org/diary.html?storyid=3861) should a large number of machines in the network need to be rebuilt. It has taken a bit longer than intended to collate the results, mainly due to a small-scale recovery issue on my laptop.

Firstly, thank you all for contributing. The answers were interesting, and if there were a prize to give it would go to Dave, whose response was “to QUIT and move to Antigua”.

A number of people are using recovery images on a “hidden” partition on the device itself. Some have these password protected to prevent the “oops” re-image factor. In the event of an issue the user can be talked through a recovery, follow a documented procedure or, as some of you are already doing, run a script.

A number of you are using bare-metal recovery options to push/pull images to/from workstations, using multicast to reduce the load on the network.

The simplest solution provided was to send DVDs around with the image, but that takes some time.

The biggest issues everyone had were how to keep the image up to date, the variety of hardware, and road warriors. We can probably add loss of data that was stored locally on the machines.

For images, the more common solution was regularly updating the image and, if it is stored on the machine itself, pushing the new image or just the updates down to the workstation. Others provide updates through scripting or tools, which will work on clean networks but might be a race against time if the network still has some worm or other malware running loose.

When dealing with different flavours of hardware, most of you opted for standardising on specific models for laptops and desktops. Road warriors, however, were a little more difficult to deal with, especially those that rarely make an appearance in the office. The combination of standardisation of hardware, local recovery images and a patch/image update mechanism seems to be the favourite. Some of you run locked-down virtual images on road-warrior machines, so provided the VM starts, the road warrior can still work.

The data issue was reasonably easily dealt with by using AD, ZEN or other mechanisms for enforcing policies that ensure data is stored on the network (e.g. redirecting My Documents to the network). Again, road warriors were an issue, as they often have no choice but to store information locally. An automated process to back up files when connected to the network seems to be the go.

So that is how many of you would deal with having to rebuild a large number of machines on the network. Thanks for your input.

Mark H - Shearwater


Published: 2008-02-01

More cable outages in the middle east

According to news reports, a third undersea cable to the Middle East has been cut. Today's cut was less important than the other two, but it was one of the systems used as a "backup" during the last few days. On Wednesday, two cables off the coast of Egypt were cut; today, one more off the coast of Dubai was cut.

Of course, three cuts in such a short time may look suspect. But don't forget that there are "cascade failures", where backup systems go down due to overload once the primary system goes down. The cable that went down today wasn't used much, in part because it was known to be less reliable. These cable cuts are particularly challenging because repair times are long (weeks) and there is little spare capacity. Other technologies such as satellites do not provide the same capabilities as cables. Connectivity to and from the Middle East as well as India is severely affected.

Availability and disaster recovery planning is a frequently neglected security function. Newcomers to the security field are frequently attracted by "cool exploits". But the true professional usually knows that boring and tedious tasks like disaster recovery planning will frequently save the business in the end.

Also see: http://www.renesys.com/blog/2008/01/mediterranean_cable_break_part_1.shtml


Published: 2008-02-01

Universities in the US being targeted in a spear phishing attack

We’ve had a few reports of universities/colleges being hit with some very targeted emails trying to get the userid and password of students. The email is usually along these lines:

Dear xxxxx Email Account Owner,

This message is from xxxxx messaging center to all xxxxx email account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused xxxxx email account to create more space for new accounts.

To prevent your account from closing you will have to update it below so that we will know that it's a present used account.


Email Username : .......... .....

EMAIL Password : ................

Date of Birth : .................

Country or Territory : ..........

Warning!!! Account owner that refuses to update his or her account within Seven days of receiving this warning will lose his or her account permanently.

Thank you for using xxxxxx!

Warning Code:VX2G99AAJ


Xxxxx  Team


The sender will often be xxxxxteam@ the ISP used to send the message, or a university address.
The reply address will be external to the organisation. In the sample we have (thanks John) it is usxxxxxxcountupgrade@live.com (where xxxxx is the domain name used by the institution, without the .edu).

The message often passes through spam filters due to the relatively low volume of messages.

If you have some samples we’d be interested in a copy. 

Look for messages to multiple recipients and increased volume of internal email to one specific external address.  Oh, and educate your students.


It looks like this was doing the rounds in Europe around the 13th/16th of January; I guess APAC is next. In Europe the targets were ISP accounts (thanks Alexander) and others. Margrete reports that it goes back even further, as much as two months.

Looking at the samples sent in, the text basically only varies where the xxxxx are in the sample shown. The reply addresses used so far were in the live.com and hotmail.com domains. The ones submitted to us have been taken care of.
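The two detection tips above (one outside sender hitting many internal mailboxes, and many internal senders converging on one outside address), as an added Python example that is not part of the diary. The message records are constructed to resemble the campaign described; INTERNAL_DOMAIN, the 24-hour window and the thresholds are assumptions to be tuned for your own mail volume, and a real deployment would build the records from the MTA log or message-tracking store.

```python
"""Added example, not from the diary: the two detections suggested above run
over a constructed message log. Each record is (timestamp, envelope sender,
envelope recipients). INTERNAL_DOMAIN, window and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "university.edu"  # assumption: the institution's own domain

# Constructed records: an outside "team" address blasts five students in one
# message, then four of them reply to the outside drop-box within a day.
SAMPLE_LOG = [
    ("2008-02-01 09:02:11", "universityteam@mail.example-isp.net",
     ["alice@university.edu", "bob@university.edu", "carol@university.edu",
      "dave@university.edu", "erin@university.edu"]),
    ("2008-02-01 09:40:03", "alice@university.edu", ["friend@example.org"]),
    ("2008-02-01 10:15:47", "bob@university.edu", ["uniaccountupgrade@example.com"]),
    ("2008-02-01 11:03:09", "carol@university.edu", ["uniaccountupgrade@example.com"]),
    ("2008-02-01 11:20:31", "dave@university.edu", ["uniaccountupgrade@example.com"]),
    ("2008-02-02 08:05:00", "erin@university.edu", ["uniaccountupgrade@example.com"]),
    ("2008-02-03 14:00:00", "frank@university.edu", ["uniaccountupgrade@example.com"]),
]


def is_internal(addr):
    return addr.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN


def parse(records):
    """Normalise records to (datetime, lower-cased sender, lower-cased recipients)."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sender.lower(),
             [r.lower() for r in rcpts]) for ts, sender, rcpts in records]


def broadcast_from_outside(records, min_rcpts=5):
    """Outside senders whose single message reached at least min_rcpts internal
    mailboxes: the "messages to multiple recipients" tip."""
    hits = []
    for _when, sender, rcpts in parse(records):
        internal = [r for r in rcpts if is_internal(r)]
        if not is_internal(sender) and len(internal) >= min_rcpts:
            hits.append((sender, len(internal)))
    return hits


def reply_sinks(records, min_senders=3, window=timedelta(hours=24)):
    """Outside addresses that receive mail from at least min_senders distinct
    internal users inside any `window`: replies to the phish converge there.
    Returns {address: largest number of distinct senders seen in one window}."""
    by_rcpt = defaultdict(list)
    for when, sender, rcpts in parse(records):
        if not is_internal(sender):
            continue
        for rcpt in rcpts:
            if not is_internal(rcpt):
                by_rcpt[rcpt].append((when, sender))
    flagged = {}
    for rcpt, events in by_rcpt.items():
        events.sort()
        best = 0
        for i, (start, _sender) in enumerate(events):
            in_window = {s for when, s in events[i:] if when - start <= window}
            best = max(best, len(in_window))
        if best >= min_senders:
            flagged[rcpt] = best
    return flagged


if __name__ == "__main__":
    print("outside senders blasting many internal users:", broadcast_from_outside(SAMPLE_LOG))
    print("outside addresses collecting internal replies:", reply_sinks(SAMPLE_LOG))
```

On the sample, the inbound blast is reported with its five internal recipients, and the drop-box address is reported with four distinct internal senders in one 24-hour window (frank's reply two days later falls outside it); the legitimate one-off message to friend@example.org is not flagged.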


Mark H - Shearwater