SANS Internet Storm Center (SANS ISC InfoSec Forums)
Yahoo's Code Verification; Prevalence of Malcodes; Hidden File Finding Problem in XP Pro and Home
Yahoo's Code Verification

One reader reported to us that he received a strange email in his Yahoo mailbox. It contains a link that redirects to http://help.yahoo.com/help/edit/context/context-02.html.

At the same time, it calls up a pop-up from 212.48.140.151 asking you to enter the code shown in a given image.

We have done some preliminary analysis on this. If you have also received such emails before, do let us know; we would like to correlate your reports with our findings.
Prevalence of Malcodes

A few readers have informed us about malcodes. One of them detected one when they saw a significant increase in port 445 traffic within their network, which was subsequently identified as a new variant of the Sdbot worm. Malcodes are so prevalent nowadays that antivirus vendors are playing a constant catch-up game. Some of them attempt to exploit known Windows vulnerabilities in order to spread, so patching will help to prevent infection from such worms. Of course, running a properly configured personal firewall will also help to protect your system.

This also demonstrates the importance of constantly monitoring your logs. Early detection of abnormal network traffic will help you to reduce the damage should there be a worm attack.
Hidden File Finding Problem in XP Pro and Home (Contributed by Patrick Nolan)

With Simple File Sharing available on XP there are some "circumstances" caused by Microsoft's design that can result in Hidden Files remaining hidden unless you start the system in Safe Mode (and I'm not addressing the possibility of a Trojaned command-line tool here). These circumstances have occurred on system compromises reported to the ISC.

FWIW, "Simple File Sharing is always turned on in Windows XP Home Edition-based computers. By default, the Simple File Sharing UI is turned on in Windows XP Professional-based computers that are joined to a workgroup. Windows XP Professional-based computers that are joined to a domain use only the classic file sharing and security interface." (Link A below). Even if you're connected to a Domain, check the setting.

To View these "circumstantially" Hidden Files in Safe Mode:

For Windows XP Professional using the NTFS File System on a Workgroup or Standalone Computer, the Simple File Sharing setting can be viewed and turned on and off in Windows Explorer, under Tools, Folder Options. Click the View tab, scroll to the bottom of the Advanced Settings list and clear the "Use simple file sharing (Recommended)" check box. Then restart the system using Safe Mode, log on as Administrator, and use your favorite commands to find the hidden file/s. If the command executable you use has not been trojaned you'll find the hidden files.

For Windows XP Home Edition using the NTFS File System, restart the computer using Safe Mode: "Simple File Sharing is automatically turned off when you run the computer in Safe mode." (Link B below). Log on as Administrator, and use your favorite commands to find the hidden file/s. If the command executable you use has not been trojaned you'll find the hidden files.
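As an added illustration of the Safe Mode procedure above (a hypothetical helper script, not part of Patrick's write-up or any Microsoft tool), the batch file below checks that the box is really in Safe Mode, shows the Simple File Sharing state, compares the local cmd.exe against a known-good copy, and then lists hidden and hidden+system entries. It assumes XP's stock reg.exe, fc.exe and cacls.exe; the SAFEBOOT_OPTION variable and the ForceGuest LSA value are how XP exposes Safe Mode and Simple File Sharing, and D:\tools is a placeholder path for read-only media holding a trusted cmd.exe.

```batch
@echo off
rem Hypothetical helper for the Safe Mode hidden-file check (added example, not from the ISC diary).
rem Assumed: started from cmd.exe in Safe Mode on XP; a known-good cmd.exe optionally copied to
rem read-only media at %TOOLS% (D:\tools is a placeholder); reg.exe, fc.exe and cacls.exe from XP.
setlocal
set TOOLS=D:\tools
set OUT=%SystemDrive%\hidden-files.txt

rem 1. Confirm Safe Mode: Windows sets SAFEBOOT_OPTION to MINIMAL or NETWORK there, otherwise it is empty.
if "%SAFEBOOT_OPTION%"=="" (
    echo Not in Safe Mode. On XP Home, Simple File Sharing is still on and the Security tab is hidden.
    exit /b 1
)

rem 2. Show the Simple File Sharing state. It is stored as the LSA value ForceGuest:
rem    1 = simple file sharing (network logons forced to Guest), 0 = classic sharing and security UI.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v forceguest

rem 3. The diary's caveat: the listing is only as trustworthy as the shell producing it.
rem    Compare the local cmd.exe byte-for-byte against the known-good copy when one is available.
if exist "%TOOLS%\cmd.exe" (
    fc /b "%SystemRoot%\system32\cmd.exe" "%TOOLS%\cmd.exe" >nul
    if errorlevel 1 (echo WARNING: local cmd.exe differs from known-good copy) else (echo cmd.exe matches known-good copy)
) else (
    echo No known-good cmd.exe at %TOOLS%; the listing relies on the local shell.
)

rem 4. Enumerate hidden entries on the system drive: all hidden, then hidden+system
rem    (the combination a plain "dir /a" never shows), in bare format so runs can be diffed later.
echo ---- hidden entries ---- > "%OUT%"
dir /a:h /s /b %SystemDrive%\ >> "%OUT%" 2>nul
echo ---- hidden+system entries ---- >> "%OUT%"
dir /a:hs /s /b %SystemDrive%\ >> "%OUT%" 2>nul

rem 5. System Volume Information is ACLed to SYSTEM only, so the listing above skips it silently.
rem    Record its ACL; with Simple File Sharing off, Administrator can add himself via the Security tab (link B).
echo ---- ACL on System Volume Information ---- >> "%OUT%"
cacls "%SystemDrive%\System Volume Information" >> "%OUT%" 2>&1

echo Results written to %OUT%
endlocal
```

Run it once on a clean build and keep that output on removable media, so a later run on a suspect system can be compared against a known baseline rather than read from scratch.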

A: How to configure file sharing in Windows XP (MS provides a WMP video too)

http://support.microsoft.com/default.aspx?scid=kb;en-us;304040

B: How to Gain Access to the System Volume Information Folder

http://support.microsoft.com/default.aspx?scid=kb;en-us;309531

"Circumstances" - see Windows XP Under the Hood, by Brian Knittel (Publisher: Que; Pub Date: July 30, 2002; ISBN: 0-7897-2733-1; Pages: 736)

http://safari.informit.com/
Kevin