Diaries

Published: 2005-02-27

phpBB worms continued; Phishing; Spyware from the developers point of view; New server

phpBB worms continued



phpBB worms continue to be active, as Mr. Mancini found out before he sent us the bot he found on his server. The bot communicated over IRC, and his machine had scanned more than 4500 hosts. It was a variant on the Santy/AWS theme.


If you happen to run into a bot, we'd like to get a copy of the logs and the code you find. Even if the comments in the source code are in Portuguese, as in this case, we'll help in finding a way to alert the right people.


Last minute update: phpBB 2.0.13 was released to fix 2 security vulnerabilities.
Read the announcement at
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563


One of the fixes was labeled as critical by the developers, as it would allow anybody to log in with admin credentials.

Phishing



We're still seeking people who can share statistics on changes in the amount of phishing messages. If you run a large site and can share statistics, we'd be happy to try to correlate them and see if we can find a trend out of it.

In this respect a reader called Laurent pointed us to the of the latest Beta release of the Opera Browser. It is designed to tackle some aspects of the Phishing problem as well as solve some IDN issues.

Fellow Handler Patrick Nolan pointed to the
as a source of information. Especially the move outlined on page 5 toward more sophisticated phishing using malware could explain the decrease some of us are seeing. The next logical step for the attackers might be to shift their attack vectors to key loggers embedded in other malware, slowly abandoning the social engineering of people into cooperation.

Even if some of us see a decrease in phishing, we all need to stay alert. It's pretty easy to spot a phishing scam from a bank if you're not a customer of the bank being phished, but it's not so easy when you are a customer. Therefore we need to keep all users aware of the problem regardless of the abundance of attempts.

Spyware from the developers point of view



No worries, I won't talk about people actually creating spyware, adware or worse malware. I cannot pretend to understand them or their justification for doing what they do.

But we did receive a message from a genuine developer, Glenn Jarvis, who showed us what developers of real tools and games face.

They get unsolicited messages with proposals to include and distribute malware with their software. The prices for installing such tools seem to be calculated per install. Adding 3 such malware items would yield a quarter per installation.

The referenced malware might seem very contradictory to anybody with a sound mind: one of the so-called tools is supposed to be a pop-up blocker; the other is a pop-up advertising tool. Guess what will happen: ads or no ads?

The P.S. of the letter was actually the sickest part: it said their malware had been submitted to COAST for approval.
COAST isn't in the business of approving malware, quite the contrary actually.

New server



We got a somewhat more powerful server for isc.sans.org yesterday; let us know if you experience any problems resulting from the move.




--

Swa Frantzen
Published: 2005-02-26

New Viruses This Week; Possible Decrease in Phishing emails; This Handler's observation


New Viruses This Week


This has been a record week for new virus discovery - at least for me. We yet again saw an infiltration of new activity at one location here in our local area. Upon investigation we found 3 new files that had characteristics similar to other Spybot worms that have been detected. Upon scanning with Symantec Enterprise Edition v9 with current definitions, nothing was detected. However, running them through virustotal.com, they were detected by a small number (2 or 3) as some form of worm. I submitted the files to Symantec for evaluation and have received no information back from them, so apparently they have not yet had a chance to analyze them.


The really scary one was an executable file with the name veritas. At first glance we thought nothing of this because we do indeed use Veritas software. However, we quickly realized that no Veritas software had ever been installed or used on this particular workstation. These types of filenames are making it easier and easier for people to be deceived and tricked into missing an infection.


In looking at today's list on Symantec's web site, in the last week there have been 24 new entries that are rated as a Level 2. In the last month there have been close to 100 new entries, with the majority being Level 2 and one of them being Level 3.


http://securityresponse.symantec.com/avcenter/vinfodb.html


Of course, a lot of them are remakes of old players such as Mydoom and Spybot, however it doesn't minimize the impact of the damage that can be done.


Interestingly enough, the location that had the yet-to-be-identified files on their computers also had, as we discovered this week, an active SubSeven server (on a workstation) loaded with "questionable photographic images" (if you get my drift) and zip files of some popular games.


We are continuing our investigation of this and will share any info with you that can be shared. Stay tuned.




Possible Decrease in Phishing Emails


It seems that there has been a holiday taken by the Phisher Friends. I have seen a rapid decrease in the number of phishing-type emails that I have received in the last 2 weeks (only one this week). Others have indicated that they are seeing the same thing. Gotta make you wonder what they are up to now.


Let us know if you too have seen a change in your inbox.




This Handler's Observation


With the decrease in phishing type emails - I have seen a marked increase in emails that appear to come from my email address (however with varying names) to my email address. I have a spam filtering service that is usually pretty good at stopping junk before it gets to me. However, this week they haven't been so successful so consequently my inbox is full of Junk mail trying to sell me Cialis and other drugs, software (Microsoft/Adobe, etc) at unbelievably low prices, and a "well earned new Low Interest Rate Mortgage with No Credit Check Needed".


Oh for the day when these things were in my Postal Mailbox and THEY were paying for them. Nostalgia, wonderful nostalgia.






Hopefully this weekend will continue to be a quiet one so that I and my fellow Internet Storm Center Volunteers can enjoy the quiet. If not we will be here to hopefully "Slow the Flow".


Stay Tuned.


Deb Hale

Handler on Duty



haled@pionet.net



Published: 2005-02-25

Firefox 1.0.1 fixes vulns; RootkitRevealer output; more on port 41523

Redhots heah!....come getcha redhots!


Mozilla Foundation released an update to Firefox that fixes the following issues
since 1.0:



MFSA 2005-29 Internationalized Domain Name (IDN) homograph spoofing

MFSA 2005-28 Unsafe /tmp/plugtmp directory exploitable to erase user's files

MFSA 2005-27 Plugins can be used to load privileged content

MFSA 2005-26 Cross-site scripting by dropping javascript: link on tab

MFSA 2005-25 Image drag and drop executable spoofing

MFSA 2005-24 HTTP auth prompt tab spoofing

MFSA 2005-23 Download dialog source spoofing

MFSA 2005-22 Download dialog spoofing using Content-Disposition header

MFSA 2005-21 Overwrite arbitrary files downloading .lnk twice

MFSA 2005-20 XSLT can include stylesheets from arbitrary hosts

MFSA 2005-19 Autocomplete data leak

MFSA 2005-18 Memory overwrite in string library

MFSA 2005-17 Install source spoofing with user:pass@host

MFSA 2005-16 Spoofing download and security dialogs with overlapping windows

MFSA 2005-15 Heap overflow possible in UTF8 to Unicode conversion

MFSA 2005-14 SSL "secure site" indicator spoofing

MFSA 2005-13 Window Injection Spoofing



Download at


This being said, it is always advisable to turn off any functionality you don't
need AND recognize that just because a web developer types "trust me!" you
shouldn't blindly click without being prepared for surprises. I like using the
prefbar extension to rapidly turn on and off images, flash, java, javascript,
cookies, etc. without navigating through menus.




There has been plenty of discussion about "luring" users into taking actions on
behalf of an attacker by creating objects for you to drag 'n' drop, then hiding
them behind, or hidden in, things like flash or images. Peruse the Bugtraq
archives and look for things like "firescrolling". While the browser developers
continue to play cat <-> mouse with the vuln devels, you should recognize that
with more "features" come more possible badguy avenues. I personally use a
text-only browser (links is my choice, but there are others such as lynx, elinks
& w3m) for most casual browsing, and fire up the ol' gooey when necessary, but
everyone's needs are different, I understand.



void rant(){

This tug-o-war between features and vulnerabilities reminds me of a conversation
I had with a colleague about anonymity. We agreed that to be a consumer of all
the technological wonders available (ATMs, voice mail, online pharmaceuticals,
etc.) you need to give something in return - the right to use any and all information that you provide for those services. Remember, friends, whenever information is out of your direct control, it is precisely that. Don't expect the technologists and developers to provide hack-proof solutions. Remember Microsoft's 10th Immutable Law of Security: Technology is not a panacea. *These laws are MS's crowning security achievement, IMHO* If, instead, you prefer all of your personal details be safe and unreachable from the digital inquisitorial squads, you are quite welcome to change your identity, sell all of your technologically-acquired assets, and plant yourself somewhere in Garfield County, Montana (or the NE Kingdom of Vermont, for that matter). No offense, Rick!

}

RootkitRevealer output


Someone wrote in:

Yesterday's post suggested that a newly released tool at
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml assists with
identifying hidden software or code on a computer.

Upon reading through the available SysInternals tool-related help and directions
for using this tool, and running it on a test system, I do not find any
specific code installations that I would be able to classify as a rootkit. On the
contrary, I see the following as an example,
C:\$AttrDef 11/28/2004 10:09 2.50 KB Hidden from Windows API.
C:\$BadClus 11/28/2004 10:09 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 11/28/2004 10:09 5.87 GB Hidden from Windows API.
C:\$Bitmap 11/28/2004 10:09 187.77 KB Hidden from Windows API.
C:\$Boot 11/28/2004 10:09 8.00 KB Hidden from Windows API.
C:\$Extend 11/28/2004 10:09 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 11/28/2004 16:58 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 11/28/2004 16:58 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 11/28/2004 16:58 0 bytes Hidden from Windows API.
C:\$LogFile 11/28/2004 10:09 32.05 MB Hidden from Windows API.
C:\$MFT 11/28/2004 10:09 14.52 MB Hidden from Windows API.
C:\$MFTMirr 11/28/2004 10:09 4.00 KB Hidden from Windows API.
C:\$Secure 11/28/2004 10:09 0 bytes Hidden from Windows API.
C:\$UpCase 11/28/2004 10:09 128.00 KB Hidden from Windows API.
C:\$Volume 11/28/2004 10:09 0 bytes Hidden from Windows API.
Any suggestions where I can read more about these files and any references will
be appreciated.


What you are seeing is RootkitRevealer noting NTFS metafiles.
Metafiles are listed in the MFT (Master File Table) but are not
intended for userspace access, and thus are "hidden" from the Windows API.
RootkitRevealer identifies discrepancies between low-level access
results and API access results, and thus can't make any determinations on
the integrity of metadata files.



See the
for a good overview of NTFS particulars.
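To make the point above concrete, here is a small triage script, added to this diary as an example (it is not part of RootkitRevealer or of the reader's submission), that parses RootkitRevealer-style output lines and separates entries explained by NTFS metafiles from entries that merit a closer look. The sample lines are constructed: three are copied from the listing above, and the last two are invented to show what an unexplained discrepancy would look like; the metafile name list and the line format are assumptions drawn from that listing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of RootkitRevealer-style output. The first three lines copy
# NTFS metafile entries from the reader's listing; the last two are made up here
# to show what an entry that deserves a closer look would look like.
SAMPLE_LINES = [
    r"C:\$AttrDef 11/28/2004 10:09 2.50 KB Hidden from Windows API.",
    r"C:\$Extend\$ObjId 11/28/2004 16:58 0 bytes Hidden from Windows API.",
    r"C:\$MFT 11/28/2004 10:09 14.52 MB Hidden from Windows API.",
    r"C:\WINDOWS\system32\drivers\example_hidden.sys 02/20/2005 03:12 18.00 KB Hidden from Windows API.",
    r"HKLM\SOFTWARE\Classes\CLSID\{EXAMPLE-0000} 02/20/2005 03:12 0 bytes Hidden from Windows API.",
]

# One output line: <path> <MM/DD/YYYY> <HH:MM> <size> <unit> <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB|GB) (?P<reason>.+)$"
)
UNIT_BYTES = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# NTFS metafile names that legitimately never show up through the Win32 API
# (assumed list for this example).
NTFS_METAFILES = {
    "$AttrDef", "$BadClus", "$Bitmap", "$Boot", "$Extend", "$LogFile", "$MFT",
    "$MFTMirr", "$Secure", "$UpCase", "$Volume",
    "$ObjId", "$Quota", "$Reparse", "$UsnJrnl",   # live under \$Extend
}
# Metafiles sit at the volume root or directly under \$Extend, optionally with
# a named stream such as $BadClus:$Bad.
META_PATH_RE = re.compile(
    r"^[A-Za-z]:\\(?:\$Extend\\)?(?P<name>\$[A-Za-z]+)(?::\$[A-Za-z]+)?$"
)


@dataclass
class Discrepancy:
    path: str
    size_bytes: int
    reason: str
    expected: bool          # True when explained by an NTFS metafile


def is_ntfs_metafile(path: str) -> bool:
    m = META_PATH_RE.match(path)
    return bool(m) and m.group("name") in NTFS_METAFILES


def parse_line(line: str) -> Optional[Discrepancy]:
    """Parse one output line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = int(float(m.group("size")) * UNIT_BYTES[m.group("unit")])
    path = m.group("path")
    return Discrepancy(path, size, m.group("reason"), is_ntfs_metafile(path))


def triage(lines) -> List[Discrepancy]:
    return [d for d in map(parse_line, lines) if d is not None]


def suspicious(lines) -> List[str]:
    """Paths whose 'hidden' status is not explained by NTFS metafiles."""
    return [d.path for d in triage(lines) if not d.expected]


if __name__ == "__main__":
    for d in triage(SAMPLE_LINES):
        print("expected   " if d.expected else "INVESTIGATE", d.path, d.size_bytes)
```

The allowlist only removes noise; an entry that survives it is still just a discrepancy between two views of the same data, and deciding what it is takes the usual follow-up (hashing the file from a clean boot, checking the registry key offline).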

Port 41523 info


James Williams from CA wrote:

I have some additional information related to Handlers Diary February 24th 2005.


1) In the php-worm section, please note that eTrust-Iris does detect the malware. The detection name is Perl/ShellBot!Worm, and the latest signature version is 11.7.8963. Earlier sig versions also detected it.


2) eTrust-Vet signature version 23.68.46 detects new versions of the malware. Earlier sig versions also detected it.


3) In the "two ports moving as one" section, 41523/tcp is indeed used by ARCserve, but it is not used by eTrust AV 7.x.



Thanks for the update
Published: 2005-02-24

Just Added - Trend Micro Advisory; Update on PHP worm spreading, Update on Meeneemee.exe, more on RootKitReveal

Regarding the report of a new PHP worm that we mentioned yesterday:
it is based heavily on the PhpInclude code on  site. It
appears to be a variant of the ASW worm and is being used to drop
an IRC bot that is connecting to a server in Brazil. Google has
been notified. The worm doesn't appear to be identified by many AV
vendors yet; however, the bot is (from VirusTotal):


Antivirus     Version          Update      Result
AntiVir       6.29.0.16        02.24.2005  no virus found
AVG           718              02.22.2005  PERL/ShellBot
BitDefender   7.0              02.24.2005  Backdoor.Perl.Shellbot.B
ClamAV        devel-20050130   02.24.2005  Trojan.Perl.Shellbot.C
DrWeb         4.32b            02.24.2005  no virus found
eTrust-Iris   7.1.194.0        02.24.2005  no virus found
eTrust-Vet    11.7.0.0         02.24.2005  Perl.Shellbot.A
Fortinet      2.51             02.25.2005  no virus found
F-Prot        3.16a            02.24.2005  Unix/ShellBot.C
Ikarus        2.32             02.24.2005  Backdoor.Perl.Shellbot.A
Kaspersky     4.0.2.24         02.25.2005  Backdoor.Perl.Shellbot.a
NOD32v2       1.1007           02.23.2005  Perl.Shellbot.A
Norman        5.70.10          02.22.2005  no virus found
Panda         8.02.00          02.24.2005  no virus found
Sybari        7.5.1314         02.25.2005  Perl.Shellbot.A
Symantec      8.0              02.24.2005  IRC.Backdoor.Trojan
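As an added example (not code from the diary or from VirusTotal), the following script parses a text report in the layout shown above, computes the detection ratio, lists the engines that missed the sample, and derives a family name by majority vote over the non-generic tokens of the detection names. The list of generic tokens is an assumption chosen for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# The VirusTotal text report quoted in the diary entry above (header included,
# to show that the parser has to skip it).
VT_REPORT = """\
Antivirus Version Update Result
AntiVir 6.29.0.16 02.24.2005 no virus found
AVG 718 02.22.2005 PERL/ShellBot
BitDefender 7.0 02.24.2005 Backdoor.Perl.Shellbot.B
ClamAV devel-20050130 02.24.2005 Trojan.Perl.Shellbot.C
DrWeb 4.32b 02.24.2005 no virus found
eTrust-Iris 7.1.194.0 02.24.2005 no virus found
eTrust-Vet 11.7.0.0 02.24.2005 Perl.Shellbot.A
Fortinet 2.51 02.25.2005 no virus found
F-Prot 3.16a 02.24.2005 Unix/ShellBot.C
Ikarus 2.32 02.24.2005 Backdoor.Perl.Shellbot.A
Kaspersky 4.0.2.24 02.25.2005 Backdoor.Perl.Shellbot.a
NOD32v2 1.1007 02.23.2005 Perl.Shellbot.A
Norman 5.70.10 02.22.2005 no virus found
Panda 8.02.00 02.24.2005 no virus found
Sybari 7.5.1314 02.25.2005 Perl.Shellbot.A
Symantec 8.0 02.24.2005 IRC.Backdoor.Trojan
"""

DATE_RE = re.compile(r"\d{2}\.\d{2}\.\d{4}")
# Tokens that name a class of malware rather than a family; they carry no
# consensus information (assumed list for this example).
GENERIC_TOKENS = {"backdoor", "trojan", "worm", "perl", "unix", "irc", "virus", "generic"}


@dataclass
class ScanResult:
    engine: str
    version: str
    updated: str
    result: str

    @property
    def detected(self) -> bool:
        return self.result.lower() != "no virus found"


def parse_report(text: str) -> List[ScanResult]:
    results = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)          # engine, version, date, rest
        if len(parts) < 4 or not DATE_RE.fullmatch(parts[2]):
            continue                             # header or malformed line
        results.append(ScanResult(*parts))
    return results


def detection_ratio(results: List[ScanResult]) -> Tuple[int, int]:
    return sum(r.detected for r in results), len(results)


def undetected_engines(results: List[ScanResult]) -> List[str]:
    return [r.engine for r in results if not r.detected]


def family_consensus(results: List[ScanResult]) -> Tuple[str, int]:
    """Most frequent non-generic name token among detections, with its vote count."""
    votes = Counter()
    for r in results:
        if not r.detected:
            continue
        tokens = {t for t in re.split(r"[^a-z0-9]+", r.result.lower())
                  if len(t) > 2 and t not in GENERIC_TOKENS}   # drops variant letters
        votes.update(tokens)                                    # one vote per engine
    if not votes:
        return "", 0
    return votes.most_common(1)[0]


if __name__ == "__main__":
    scan = parse_report(VT_REPORT)
    print("detected by %d of %d engines" % detection_ratio(scan))
    print("missed by:", ", ".join(undetected_engines(scan)))
    print("family consensus: %s (%d votes)" % family_consensus(scan))
```

The vote is deliberately blind to vendor prefixes such as Backdoor.Perl or Unix/, which is why nine engines agree on "shellbot" while the tenth (IRC.Backdoor.Trojan) contributes nothing to the family name but still counts as a detection.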


Two ports moving as one


An alert reader noticed that the number of targets for both
41523/TCP and 6504/TCP has been spiking pretty much in unison
over the last two weeks or so. Initial searches don't turn up much
on the uses for the ports. There are some suggestions that 41523/TCP
might be ARCserve or InoculateIT and that 6504/TCP might be NetOp.
Any information would be welcome.
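One way to check the "moving in unison" observation quantitatively, as an added example that is not part of the diary or of the ISC port statistics code: compute the correlation between the daily target counts of two ports and list the days on which both spike. The series below are constructed for this example and only stand in for 41523/TCP, 6504/TCP and a control port; the correlation and spike thresholds are assumptions.

```python
from itertools import combinations
from math import sqrt
from statistics import median
from typing import Dict, List, Tuple

# Constructed daily "targets" counts for three ports over two weeks. The two
# spiky series stand in for 41523/TCP and 6504/TCP; 22/TCP is a flat control.
PORT_SERIES: Dict[int, List[int]] = {
    41523: [12, 15, 14, 40, 85, 90, 60, 22, 18, 55, 95, 110, 70, 30],
    6504:  [10, 12, 13, 38, 80, 88, 58, 20, 17, 50, 92, 105, 66, 28],
    22:    [200, 210, 195, 205, 198, 215, 190, 202, 207, 199, 210, 196, 203, 201],
}


def pearson(a: List[int], b: List[int]) -> float:
    """Pearson correlation coefficient of two equal-length series."""
    if len(a) != len(b) or len(a) < 2:
        raise ValueError("series must have equal length >= 2")
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return 0.0
    return cov / sqrt(va * vb)


def spike_days(series: List[int], factor: float = 1.5) -> List[int]:
    """Indices where the count exceeds factor x the series median."""
    threshold = factor * median(series)
    return [i for i, v in enumerate(series) if v > threshold]


def joint_spike_days(a: List[int], b: List[int], factor: float = 1.5) -> List[int]:
    """Days on which both series spike at once."""
    return sorted(set(spike_days(a, factor)) & set(spike_days(b, factor)))


def comoving_pairs(series: Dict[int, List[int]],
                   threshold: float = 0.9) -> List[Tuple[int, int, float]]:
    """All port pairs whose series correlate at or above the threshold."""
    pairs = []
    for p1, p2 in combinations(sorted(series), 2):
        r = pearson(series[p1], series[p2])
        if r >= threshold:
            pairs.append((p1, p2, round(r, 3)))
    return sorted(pairs, key=lambda t: -t[2])


if __name__ == "__main__":
    for p1, p2, r in comoving_pairs(PORT_SERIES):
        print(f"{p1}/TCP and {p2}/TCP move together (r={r}); joint spike days:",
              joint_spike_days(PORT_SERIES[p1], PORT_SERIES[p2]))
```

Correlation alone says nothing about cause; two ports can co-move because one tool probes both, or because one scanner population happens to be active on the same days. It does tell you which pairs are worth looking at together in the packet captures.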


What ever happened to....

I've gotten some questions about what Meeneemee.exe turned out to
be. The simple answer is that we never found a conclusive answer.
However, we have gotten a number of interesting observations:

Eric Tiesinga kindly gave us a possible translation of the word
from Dutch:

Mee --> With, like in "i take something with me"
Neem --> Take, like in "i take something with me"

The words "meeneem" could be a 1st verb of the full word
"meenemen" which could be translated as "take with (me)" like
(i go on a journey).



[Note: STOP! Before you send that email... yes, we *DO* know that it
could be an homage to Dr. Evil's vertically-challenged side-kick.
We knew that before we posted this. We actually *DO* manage to climb
out from under our rocks and see a movie every now and again...
Do you think we've been frozen for the last 30 years, baby? ;-) -TL]


Trend Micro A/V Vulnerable to ARJ Heap Overflow


Just got word that Trend Micro has joined the ranks of A/V 
vendors who have issued advisories and patches to fix an ARJ file
format parser vuln. From
... it is possible to
create a specially-crafted ARJ archive file that overwrites data
after the allocated 512-byte buffer. This specially-crafted
file could possibly execute arbitrary code.

The original ISS X-Force advisory is referenced there, too.
Published: 2005-02-23

PHP Worm, Winace exploit, new toys

PHP Worm spreading


We have received reports that yet another variant of the phpworm has started to spread; from initial analysis it appears that current antivirus vendors do not recognize this variant. Note that we have not received many reports of this worm spreading.

Canada's Security Report Card has been released



The best summary is a direct quote from the report. "two and a half years after revising its Government Security Policy, the government has much work to do to translate its policies and standards into consistent, cost-effective practices that will result in a more secure IT environment in departments and agencies."

http://www.oag-bvg.gc.ca/domino/reports.nsf/html/20050201ce.html

The folks over at k-otik released an advisory on a buffer overflow issue, which could allow arbitrary code execution.



http://www.k-otik.com/english/advisories/2005/0199
http://lists.freebsd.org/pipermail/cvs-all/2005-February/107553.html

Sysinternals has released a new utility which detects Windows-based rootkits.


It functions by looking for Registry and file system API discrepancies that may indicate the presence of a rootkit.

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml


Published: 2005-02-22

Windows XP SP2 Patch released; New phpBB Release; Apple Java Update; Wireless Standards

Windows XP SP2 Patch (Update at 04:13:23 UTC Feb 23 2005)



In a late entry for today, Microsoft released a patch for Windows XP SP2 systems to address an issue which could cause a computer to stop responding if certain firewall or antivirus programs are installed (which products, is unknown at this time). This issue will typically result in a blue screen with a stop error message of "Stop 0x05 (INVALID_PROCESS_ATTACH_ATTEMPT)". The following Knowledge Base article was mentioned on the Full Disclosure, bugtraq, and ntbugtraq lists last week, but there was not a general announcement by Microsoft about its release. It is surmised that this is because the patch is not exactly a security patch. Instead it was more of a hotfix for the stop condition/blue screen scenario and is not covered by the standard security bulletins.

Since the initial chatter last week about the patch, MS has apparently pushed the patch up a level to be a more critical patch, without a security bulletin, which may be forthcoming. So imagine my surprise when my computer announces that it has downloaded a critical patch and is ready to install. (What? It isn't MS Patch Tuesday...oh wait...it is a Tuesday here still and MS did release a critical patch...so I guess it is after all. ARGH!)

So those with automatic updates or going to windows update should start seeing this patch today. ***This problem may also exist in Windows 2003 server but a patch has yet to be released. ***

For more information on it, please see: http://support.microsoft.com/kb/887742

-- Scott Fendley adding a bit for Joshua Wright (the Handler On Duty)

New phpBB Release - updated 2005-02-22/19:27 UTC



The phpBB Group has released version 2.0.12 of phpBB, indicating the resolution of a few "potential security bugs". A recent security bulletin from iDEFENSE Labs indicates flaws in the handling of remote avatars that allow an attacker to read any file on the filesystem as the web server user. Users are encouraged to upgrade.


How to upgrade: http://www.phpbb.com/kb/article.php?article_id=271

Downloads: http://www.phpbb.com/downloads.php

ChangeLog: http://www.phpbb.com/support/documents.php?mode=changelog#2011



Thanks to fellow handler Swa Frantzen for the analysis.



Apple Java Update


Today, Apple has released an update for the Sun Java Runtime Engine and SDK that addresses a flaw that could let an attacker run arbitrary code on the system. This patch resolves CVE ID CAN-2004-1029.


Note: ISS reports that this vulnerability was reported on 11/22/2004 - a vulnerability 4 months old just getting resolved now. Hopefully, Apple won't keep to a similar resolution cycle for well-known vulnerabilities, else Mac OS systems will likely become a much more favorable target for attackers.


http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1029

http://docs.info.apple.com/article.html?artnum=300980




a, b, d, e, f, g, i, j, k, ma, n, p ...



No, it's not , it's the 802.11 alphabet soup. Keeping up with all the happenings with wireless networks and the IEEE 802.11 committee is no small task, so I thought I'd include some information about IEEE wireless projects in development, and why they are important:



802.11i - Security

No longer in development, 802.11i is a ratified standard to improve wireless security. It consists of two primary functions: the use of the TKIP protocol to improve security with legacy hardware (aka WPA-I) and RSN for new hardware deployments (aka WPA-II).

Benefit: Well thought-out open security standards are much better than closed "solutions" that have not been challenged openly by the security community.




802.11k - Radio Resource Management

This specification will standardize how radios deal with different wireless signal and noise information, including how they make decisions on when to roam from one AP to another. Right now, the decision to roam between access points is based on vendor criteria and isn't standardized.

Benefit: Consistent roaming between access points, improved connectivity through better medium management.




802.11ma - Corrections and clarifications to IEEE 802.11-1999.

Enhancements to 802.11 MAC and physical functions that have generally been adopted by vendors but not solidified with a standard.

Benefit: Greater consistency in vendor products through clarified standards.




802.11p - Wireless Access in Vehicular Environments (WAVE)

A new physical layer specification using the licensed 5.9 GHz band for transactions between the roadside and moving vehicles. One obvious use for this standard is toll-debit services for cars on the highway, but it could also be used for voice conversations in cars, replacing cellular technology.

Benefit: Niche solution, but forces IEEE to think carefully about "fast roaming".




802.11r - Fast Roaming

A new standard to reduce the amount of time to roam between access points, eliminating the short loss of service that is painful for real-time streaming protocols. This has some security challenges, including how to handle cached authentication credentials shared between access points.

Benefit: Improved service for real-time protocols such as streaming video and VoIP.




802.11n - Enhanced throughput for 802.11 networks

A new physical layer standard offering longer range and improved throughput using MIMO (multiple-input, multiple-output) technology. 802.11n networks are designed to achieve >100 Mbps real throughput.

Benefit: Fast Ethernet throughput on wireless networks with greater range - just be careful not to get caught up in pre-N equipment that may be incompatible with standardized 802.11n.




802.11s - ESS Mesh (estimated completion date is 2007-01-01)
Standards-based mechanism to provide peer-to-peer connectivity using other stations as repeaters. This is a wonderful application of wireless technology, allowing organizations to cover large areas without significant investment in infrastructure. I predict security to be a problem here, since the design of a mesh network is the same as that of a man-in-the-middle attack.

Benefit: Increased range with less infrastructure costs.




802.11t - Wireless Performance Prediction (WPP) - test methods and metrics
Development of a formal standard for testing performance and stability of IEEE 802.11 products. This will open the testing process for wireless equipment, as opposed to the closed Wi-Fi Alliance interoperability certification process.

Benefit: Open standards and testing processes improve the quality of products and provide more assurance of interoperability between vendors.




802.11u - Interworking with non-802 networks

A new committee to examine the techniques that can be used to internetwork 802.11 networks with other wireless networks (e.g. cellular, GSM, 3GPP, WiMAX, etc.).

Benefit: This standard will likely be the basis for multi-connected devices, such as a mobile phone, that can select the cheapest available topology for communication.




802.11v - Wireless network management

The TGv (task group "v") committee will develop technology to manage access points in a distributed or a centralized fashion. Identifying the failures in SNMP, TGv is proposing a layer 2 solution to monitoring, managing the configuration, and updating software of access points.

Benefit: Updating code on hundreds of APs with SNMP and TFTP really stinks; hopefully this task group will create an implementation-independent solution to managing growing wireless networks.



-Joshua Wright/Handler-on-Duty



Published: 2005-02-21

Silly PuTTY; crime pays; if it quacks like a duck get the orange sauce.

It is time to patch/upgrade your PuTTY client again.


http://secunia.com/advisories/14333/
Two vulnerabilities have been reported in PuTTY, which can be exploited by malicious people to compromise a user's system.
Get your updates here:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html




UPDATED: It's not the ssh client itself that has the issue;
it is the psftp and pscp portions of PuTTY.
From the original notification:

http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-readdir.html
Many versions of PSFTP and PSCP prior to 0.57 have a heap corruption vulnerability in their treatment of the response to the FXP_READDIR command (enumerate entries in a directory) in the SSH File Transfer Protocol (SFTP).

In order for this vulnerability to be exploited, the user must connect to a malicious server and issue an ls or dir command to PSFTP, or supply the -ls command-line option to PSCP.
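The class of bug described in the notification is a length field supplied by the remote end being trusted when memory is sized from it. As an added example, not PuTTY's code, here is a minimal parser for SSH_FXP_NAME (the reply to FXP_READDIR) that bounds the server-supplied entry count by the bytes actually present before it walks the entries, together with a builder for well-formed replies and a helper that rewrites the count to produce a hostile test input. The entry cap, the zero-flag ATTRS handling and the helper names are assumptions made for this example.

```python
import struct
from typing import List, Tuple

SSH_FXP_NAME = 104           # reply type to SSH_FXP_READDIR in the SFTP protocol
MIN_ENTRY_LEN = 4 + 4 + 4    # empty filename, empty longname, ATTRS flags word
MAX_DIR_ENTRIES = 100_000    # hypothetical sanity cap, assumed for this example


def _string(data: bytes) -> bytes:
    """SSH 'string': uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_name_response(request_id: int, entries: List[Tuple[str, str]]) -> bytes:
    """Build a minimal SSH_FXP_NAME reply (ATTRS flags = 0, no optional fields)."""
    body = b"".join(
        _string(name.encode()) + _string(longname.encode()) + struct.pack(">I", 0)
        for name, longname in entries
    )
    return struct.pack(">BII", SSH_FXP_NAME, request_id, len(entries)) + body


def with_count(packet: bytes, count: int) -> bytes:
    """Copy of a reply with only its count field rewritten (constructed test input)."""
    return packet[:5] + struct.pack(">I", count) + packet[9:]


def _take_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if n > len(buf) - off:
        raise ValueError("string length exceeds packet")
    return buf[off:off + n], off + n


def parse_name_response(packet: bytes) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (request id, [(filename, longname), ...]) or raise ValueError."""
    if len(packet) < 9 or packet[0] != SSH_FXP_NAME:
        raise ValueError("not an SSH_FXP_NAME packet")
    request_id, count = struct.unpack_from(">II", packet, 1)
    off = 9
    remaining = len(packet) - off
    # The check that matters: the count comes from the server, so it must be
    # bounded by the bytes actually present before anything is sized from it.
    if count > remaining // MIN_ENTRY_LEN or count > MAX_DIR_ENTRIES:
        raise ValueError(f"implausible entry count {count} for {remaining} bytes")
    entries = []
    for _ in range(count):
        name, off = _take_string(packet, off)
        longname, off = _take_string(packet, off)
        if off + 4 > len(packet):
            raise ValueError("truncated ATTRS")
        (flags,) = struct.unpack_from(">I", packet, off)
        off += 4
        if flags != 0:   # optional ATTRS fields are outside this example's scope
            raise ValueError("unsupported ATTRS flags")
        entries.append((name.decode(), longname.decode()))
    return request_id, entries


def accepts(packet: bytes) -> bool:
    """True if the reply parses cleanly, False if it is rejected."""
    try:
        parse_name_response(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_name_response(7, [("a.txt", "-rw-r--r-- a.txt")])
    print(parse_name_response(good))
    print("oversized count accepted?", accepts(with_count(good, 0xFFFFFFFF)))
```

The same idea applies to the ARJ parser flaw mentioned elsewhere in these diaries: whatever the format, a size or count that arrives from the other side is data to be validated against what was actually received, not a number to allocate or copy by.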

Crime pays, at least for a while.



According to
http://www.crime-research.org/news/16.02.2005/965/
Members of the Gambino crime family,
reputed to be part of the New York Mob,
have been charged with stealing over $650 million
using phone and internet fraud.

We have received reports of issues with some ad removal software.


In general we don't endorse products. But occasionally we will
recommend a package we have used. If you find a package that is
suspect feel free to send us an email. If you go to a site and get
popups for anti-virus, firewall, ad removal software you should suspect
any security company that uses popups or spam to advertise their security product.
Not all of them are bad but you may not want to do business with companies
that use spam, spim, or popups to advertise their security products.

US government agency security report card


http://www.iwar.org.uk/news-archive/2005/02-16-5.htm

It's getting better but there is still plenty of room for improvement.


This diary and the opinions expressed here are my opinion.


I have been wrong in the past and plan to be again in the future.
Donald.Smith:)


Published: 2005-02-20

From the mailbag -

There was a "trend" report from reader Eduardo Cruz (Thanks Eduardo!) the other day responding to the "Phishing Name Server" Diary entry (link below) that Johannes wrote. Eduardo's report describes a narrowing phishing "attack window" (in his e-mail next I added the bold emphasis) ......

"Hi there, Glad finally someone found more information about this issue. I'm a security consultant from a Spanish security services company (S21sec www.s21sec.com); here in Spain we suffer on a weekly basis phishing attacks against quite a variety of our bank customers.

The attacks seem to be coordinated in such kind of an automatic procedure, a
server is hacked in order to store the fake pages requesting for pin and
codes, some doomed "0wned" PCs are used to send massive emails impersonating the attacked Bank entity, only embedding a clickable image in the email so text filters are avoided. They only open the attack window for a few hours, then proceed to a total removal of the infrastructure used for the attack.

Yesterday (as usual) we got another attack to a bank called "Banesto", they
have used a machine in the same network u guys are reporting that malicious
DNS server is at, the machine was www.spx2k.com, we have scanned the machine
and there are lots of services, it is probably re-"0wned" by attackers, the
attack was performed using a dedicated web server installed at the port 5080
(using SHS web server, a tiny Russian freely downloadable web server for
windows/unix, http://home.lanck.net/mf/srv/index.htm).

I have attached an image capture of the phishing page done this morning
allocated in the web server, they posted the information to a php script
called send.php and then performing a redirect to the real page of the bank.

As I mentioned earlier, this is now a normal situation for us here in Spain since we get phishing attacks done in the same exact way on a weekly basis (sometimes three times to three different bank entities in a week, for
example like last week).


Thanks for the attention and for the superb service u guys do for the community.

Eduardo Cruz."
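Eduardo's description of the lure, a message whose body is nothing but a clickable image so that text filters have nothing to match, suggests a simple mail-filter heuristic. The following is an added example, not S21sec's or the ISC's code: it extracts a few features from an HTML body (visible text length, images nested in links, link hosts) and flags messages that are all image and no text, also reporting links that point at a raw IP address. Both message bodies are constructed; port 5080 in the sample echoes the e-mail above and the 203.0.113.x address is documentation space; the text-length threshold is an assumption.

```python
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Constructed message bodies. The first mimics the pattern described above: no
# real text, just one clickable image pointing at a raw IP on an odd port.
PHISH_SAMPLE = (
    '<html><body>'
    '<a href="http://203.0.113.10:5080/banco/entrada.html">'
    '<img src="cid:banner.gif" alt=""></a>'
    '</body></html>'
)
LEGIT_SAMPLE = (
    '<html><body><p>Dear customer, here is our monthly newsletter with '
    'account tips, branch opening hours and a summary of the new features '
    'in online banking. Read the full article on our website.</p>'
    '<a href="https://www.example.com/news"><img src="cid:logo.gif" alt="logo"></a>'
    '<script>var x = 1;</script></body></html>'
)

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Features:
    text_chars: int = 0              # visible, non-whitespace characters
    images: int = 0
    linked_images: int = 0           # <img> nested inside an <a href>
    link_hosts: List[str] = field(default_factory=list)


class _Extractor(HTMLParser):
    """Walk the HTML once and count what a text-based filter would never see."""

    def __init__(self):
        super().__init__()
        self.features = Features()
        self._in_link = False
        self._skip = 0               # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            self._in_link = True
            host = urlparse(attrs.get("href") or "").hostname
            if host:
                self.features.link_hosts.append(host)
        elif tag == "img":
            self.features.images += 1
            if self._in_link:
                self.features.linked_images += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        elif tag == "a":
            self._in_link = False

    def handle_data(self, data):
        if not self._skip:
            self.features.text_chars += len("".join(data.split()))


def extract_features(html: str) -> Features:
    parser = _Extractor()
    parser.feed(html)
    parser.close()
    return parser.features


def raw_ip_hosts(features: Features) -> List[str]:
    """Link targets given as a bare IPv4 address rather than a hostname."""
    return [h for h in features.link_hosts if IPV4_RE.match(h)]


def looks_like_image_only_phish(html: str, max_text_chars: int = 80) -> bool:
    f = extract_features(html)
    return f.linked_images >= 1 and f.text_chars <= max_text_chars


if __name__ == "__main__":
    for label, body in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        f = extract_features(body)
        print(label, looks_like_image_only_phish(body), raw_ip_hosts(f), f)
```

A rule like this is a scoring input, not a verdict: legitimate marketing mail is sometimes image-only too, so the useful signal is the combination of no text, a linked image and a link target that is a raw IP, a non-standard port, or a host unrelated to the claimed sender.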

"phish or cut bait"

So how does one minimize the effect of the ever expanding number of regional targets of phishing scams utilizing such a narrow window of attack? You can phish... Some defen$ive effort$, particularly the recently announced Phi$h Report Network, that do not detail how they react to, validate and shut down phishing attack systems that have a window of a few hours, could take a step and tell potential "Senders" and potential customers what the SLA _is_ for its $15,000 service. I'm a firm believer in customer education about phishing ( ; ^ ) ... or you can cut bait. Absent having resources allocated to adopt available solutions that protect both customers and businesses from phishing losses, consider vertically integrating phishing attack Incident Response into your SLAs, including procedures and follow-up procedures, and have in-house policy, procedures, follow-up procedures and job descriptions that don't fall short of what is needed here. And practice makes perfect, or as perfect as you can get in times like this.

Related and Recent Handlers items;

Phishing Name server
http://isc.sans.org/diary.php?date=2005-02-15

Steps to Beat Phishing
http://isc.sans.org/diary.php?date=2005-02-12

6 Simple Steps to Beat Phishing.
http://isc.sans.org/presentations/phishthat.pdf

http://www.phishreport.net/about_PRN.html

"fish or cut bait" - an american colloquialism;
http://www.randomhouse.com/wotd/index.pperl?date=20010612

Chris Brenton, discussing defending websites, said it best, blackhole the offending domains.

Opinion

Examining e-mail and malware that explicitly point to systems participating in phishing and malware related Internet attacks, then publishing the information publicly and _NOT_ actively and explicitly assisting in taking those publicly identified systems down is a troubling practice. If you're a vendor or service provider already explicitly trying to shut down attacking systems, please post us a note letting us know POC (point of contact in this context) info and what you're following up on, or consider the benefit of posting the information on your website along with your "public" analysis. And for those vendors who participate in taking attacking systems down but haven't published the information yet, Thanks for your efforts!

Nullsoft SHOUTcast v1.9.4 has had Linux and Win32 format string Remote Exploits released.

Patrick Nolan

Assist Thanks! to Daniel Weseman, Michael Haisley, Tony Carothers, and the folks that made anonymous contributions.


Published: 2005-02-19

Arkeia remote exploit scan activity; More MyDoom; Where is Tokelau?; IRC Botnet

Arkeia remote exploit scan activity

On 02/18/2005 there was a remote exploit published for Arkeia, a backup/DR solution, targeting Redhat 7.2/8.0, Win2k SP2/SP3/SP4, WinXP SP1, Win 2003. At this time there is no information published concerning a patch. Workaround - protect Port 617 from Internet attacks. The jump start of Port 617 scan activity is evident here: http://isc.sans.org/port_details.php?port=617

Other Arkeia exploits have been released, including one for versions running on Mac OS X.

MyDoom BC and BD



Two more versions of the Mydoom worm, dubbed Mydoom.BC and .BD, are on the loose. AV detection was spotty at first, but since we got a sample early on (Thanks, Mike!) we were able to help the process along by submitting it to the vendors. Additional investigation revealed that the new version was downloading a file called "contraste.jpg" from a web site in France. The JPG isn't really a JPG, but rather a backdoor component named Nemog.D (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nemog.d.html) or BackDoor-CEB.f (http://vil.mcafeesecurity.com/vil/content/v_131340.htm) depending on which AV vendor you ask. The owner of the site in France, as well as the owners of five more sites hosting the same backdoor, were contacted during the day, but have yet to take action.

Dialers Galore



Dialers still seem to be very "popular" in Italy. While these pests are slowly dying out elsewhere because fewer and fewer people use dialup to connect to the Internet, there are apparently still tons of web pages in Italy that are booby-trapped with a dialer. The pages are cross-linked among themselves, leading to high page ranks in Google when searching for some of the more popular Italian words (auto, lotto, calcio ... :-). The various front companies and their connections become visible when disassembling a couple of the dialers: an Italian company, fronted by a domain purchaser in the U.S., with dialers that fetch additional code from a site in Moldavia and try to dial various +690 telephone numbers in Tokelau. Hm.
Yes, I admit that I had to look up Tokelau as well. Tokelau consists of three atolls, Atafu, Fakaofo and Nukunonu, and lies about 350mi north of Samoa in the South Pacific. Sounds like an expensive enough long distance call to me. Should somebody aspire to write a bestseller techno thriller, I bet that tracking down the dark forces behind the dialer scam would be worthy of a Pulitzer.

IRC Botnet



A reader has reported yet another IRC botnet, involving compromised servers in several countries. We're still following up on it and are also analyzing a Linux module and a couple of Perl scripts that seem to be related to the activity. Thanks to Stephane for providing the info.

From Russia with Love



We're also analyzing a new piece of malware one of our handlers has found on a web site in Russia. The stuff is disguised as a "Happy Valentine Day" animation, but programmed to do some nefarious things behind the scenes, like downloading a password stealer. So far, only AntiVir detects the downloader trojan (as PMS/Final.Expl.2), but we have submitted samples to all the vendors and are confident that detection will improve.



------------

Daniel Wesemann

echo "ebojfm/jtdAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

0 Comments

Published: 2005-02-18

More CA BrightStor ARCserve Backup... Is your IDS/IPS Dead?... And Persistent Netcat Listener with While Loop

All in all, it was a pretty quiet day on the Internet. Still we had some interesting items: More scanning and exploits attempts for the CA BrightStor ARCserve Backup vulnerability, a discussion of whether your IDS/IPS might be dead, and one option for setting up a persistent Linux/UNIX Netcat listener.




***CA BrightStor ARCserve Update***



A handful of people sent us packet captures associated with TCP port 41523, the target of interest with the recent CA BrightStor ARCserve Backup vulnerability. Thank you to Andreas, Klaus, and Mark S for their wonderful data on this. So far, we are seeing scanning for the open port, as well as some attempted exploits against honeypots listening on the port. Each of these exploit attempts appears to be based on the exploit code from k-otik, specifically the Metasploit component.



Also, CA has released additional information on fixes for various products with this vulnerability. If you are running any of the following in your environment, you better patch soon, before the kiddies come a-callin'!



BAB r11.1 Windows (repost):
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO64538&startsearch=1

BAB r11.0 Windows:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO64539&startsearch=1

BEB 10.5 Windows:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO64540&startsearch=1

BAB 9.01 NetWare:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO64541&startsearch=1

BAB 9.01 Windows:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO64542&startsearch=1

BAB r11.1 NetWare:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO64543&startsearch=1

BEB 10.0 Windows:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO64544&startsearch=1




***Killing Me Softly With Your Sploit... Is your IDS or IPS Really Alive?***



We received a report from one of our diligent and wonderfully paranoid readers expressing concern that his IPS hadn't detected any alerts lately. This gent was afraid of the quiet before the storm. While many of us are happy with a bit of quiet, this e-mail brought up a really good point. If your IDS and/or IPS sensors seem a little too darn quiet, it might be a good idea to fire some freakazoid packets at them to see if they are still running. It's possible that they have simply died, or perhaps have been purposely disabled by an attacker.



Two months ago, I was having a conversation with an IDS researcher whose name may or may not rhyme with "Pike Moor" about the concept of killing an IDS in a stealthy fashion. The idea here is that we all know that on occasion an IDS or IPS tool has an unfortunate buffer overflow in a packet parser. However, if an attacker exploits it carelessly, the IDS/IPS crashes, and the incident response team of the target organization usually finds out pretty quickly. But what if the evil bad guy (that's the worst kind, by the way) sends specially crafted buffer overflow packets designed to make the IDS/IPS crash so that it goes into an endless (and rather alive-looking) loop? The response team of the target would be none the wiser, while the evil bad guy could go about his business unfettered by pesky handlers. Such an attack would be far more insidious than just crashing the IDS.



For this reason, if you've got an overly quiet IDS or IPS, you might want to test it with some real evil packets, such as a Metasploit hit just to make sure it is lovingly protecting your network. Of course, please make sure you get appropriate permission before conducting such an exercise!
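One systematic way to do what the paragraph above suggests is a canary rule: a local IDS rule that matches a harmless marker string you send to a watched host on a schedule, plus a check that the resulting alert keeps landing in the log. If the canary alert stops while the sensor process still looks alive, you have exactly the stalled-sensor case described above. The Python below is an added example, not code from the diary or from Snort; the Snort "alert_fast" line format is real, but the rule id (sid 1000001), the marker string and the log lines (including the ARCserve-themed entry) are constructed for illustration.

```python
"""Sensor liveness check via a canary rule (added example, not from the ISC diary)."""
import re
import socket
from datetime import datetime, timedelta

CANARY_SID = 1000001                 # assumed local rule id matching CANARY_MARKER
CANARY_MARKER = b"ISC-CANARY-7f3a"   # assumed content: pattern in that rule

# Constructed sample of a Snort alert_fast log; not real sensor output.
SAMPLE_LOG = [
    "02/18-14:03:11.123456  [**] [1:1000001:1] LOCAL canary heartbeat [**] [Priority: 3] {TCP} 10.0.0.5:4444 -> 10.0.0.9:41523",
    "02/18-14:05:40.000123  [**] [1:1000002:1] LOCAL sample ARCserve probe [**] [Priority: 1] {TCP} 192.0.2.77:3921 -> 10.0.0.9:41523",
    "02/18-14:08:11.654321  [**] [1:1000001:1] LOCAL canary heartbeat [**] [Priority: 3] {TCP} 10.0.0.5:4445 -> 10.0.0.9:41523",
]

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)


def parse_fast_alert(line, year):
    """Parse one alert_fast line; the format carries no year, so the caller supplies it."""
    m = FAST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m.group('ts')}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "gid": int(m.group("gid")), "sid": int(m.group("sid")), "msg": m.group("msg")}


def last_canary(lines, year, sid=CANARY_SID):
    """Timestamp of the most recent canary alert, or None if there never was one."""
    latest = None
    for line in lines:
        rec = parse_fast_alert(line, year)
        if rec and rec["sid"] == sid and (latest is None or rec["ts"] > latest):
            latest = rec["ts"]
    return latest


def sensor_state(lines, now, max_age, year, sid=CANARY_SID):
    """'alive' if a canary alert landed within max_age of now, otherwise why not."""
    seen = last_canary(lines, year, sid)
    if seen is None:
        return "dead: no canary alert in log"
    age = now - seen
    if age > max_age:
        return f"stale: last canary {int(age.total_seconds())}s ago"
    return "alive"


def send_canary(host, port, marker=CANARY_MARKER, timeout=3.0):
    """Fire the marker at a host the sensor watches (needs a listening port so the
    content rides an established stream); returns the number of bytes sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(marker)
        return len(marker)


if __name__ == "__main__":
    now = datetime(2005, 2, 18, 14, 10, 0)
    print(sensor_state(SAMPLE_LOG, now, timedelta(minutes=5), 2005))
```

Run send_canary from cron at a shorter interval than max_age and have the check page someone when it returns anything but "alive"; a sensor that is quiet because it is wedged and one that is quiet because the network is quiet then look different. Get permission before firing packets at anything you do not own.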



***Persistent Netcat Listeners for Honeypots***



The other day, we asked readers to set up honeypot listeners using Netcat to capture some of the malicious code trying to hit TCP port 41523. Now, one of the problems with the most popular Linux/UNIX implementation of Netcat (that is, Hobbit's original) is that it does not create a persistent listener. Unlike the Windows version of Netcat (with its -L option for "Listen Harder"), the original UNIX/Linux version exits once one client connects and drops.



There are many ways to get around this problem, such as using a different version of Netcat. However, one of my favorite simple ways to deal with this is to set up the Netcat listener in a while loop as follows:



$ while true; do echo "Started"; nc -l -p 41523 >> capture.txt; done



This will listen on TCP 41523, append whatever it receives to capture.txt, and then start listening again. Note that every connection lands in the same file with nothing separating one from the next; if you need to tell sources apart, keep tcpdump running alongside it.



If you'd like to go further and actually log out while keeping this thing running, you can simply dump this while line in a file, called honeypot.sh. Then, chmod it so that it is executable (chmod 555 honeypot.sh). Finally, invoke it as follows:



$ nohup ./honeypot.sh &



Then, logout and go watch some TV. Take a nap. Run naked through the park. Do whatever it is that you do...



Come back, and your little Netcat buddy will be running with its results stored in capture.txt. To stop it, kill the honeypot.sh shell first (the pid your shell printed when you backgrounded it, or pkill -f honeypot.sh) and then the nc listener; killing only nc would just make the loop start another one. Thanks to Don Smith for the nohup idea. Note that Don did NOT suggest the park idea.
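The same persistent listener in Python, added here as an example (not code from the diary or from Netcat): each accepted connection gets its own timestamped file named after the peer address, so payloads from different sources are not run together the way a single capture.txt is, and the peer and byte count are recorded. Port, output directory and file naming are this example's assumptions. Only connections that complete the three-way handshake reach accept(), so bare SYN probes never show up here; that is why a full-handshake capture is worth more than a scan log.

```python
"""Persistent per-connection capture listener (added example, not from the ISC diary)."""
import os
import socket
from datetime import datetime, timezone


def hexdump(data, width=16):
    """Offset / hex / ASCII dump, for eyeballing a captured payload."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{asc}|")
    return "\n".join(lines)


def make_listener(bind_addr="0.0.0.0", port=41523, backlog=16):
    """Bind once; the accept loop reuses this socket for every client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(backlog)
    return srv


def capture_path(outdir, peer, when):
    """One file per connection: <utc stamp>_<peer ip>_<peer port>.bin (assumed layout)."""
    host, port = peer
    return os.path.join(outdir, f"{when:%Y%m%d-%H%M%S}_{host}_{port}.bin")


def serve(listener, outdir, max_connections=None, read_timeout=10.0, records=None):
    """Accept clients until max_connections is reached (forever if None).

    Returns one dict per completed connection. Bare SYN probes never complete
    the handshake and therefore never reach accept().
    """
    os.makedirs(outdir, exist_ok=True)
    records = [] if records is None else records
    while max_connections is None or len(records) < max_connections:
        conn, peer = listener.accept()
        when = datetime.now(timezone.utc)
        conn.settimeout(read_timeout)
        chunks = []
        try:
            while True:
                buf = conn.recv(65536)
                if not buf:
                    break
                chunks.append(buf)
        except socket.timeout:
            pass  # client held the socket open waiting for a reply; keep what arrived
        finally:
            conn.close()
        data = b"".join(chunks)
        path = capture_path(outdir, peer, when)
        with open(path, "wb") as fh:
            fh.write(data)
        records.append({"peer": peer, "when": when.isoformat(), "bytes": len(data), "path": path})
    return records


if __name__ == "__main__":
    # Runs until killed; one file per connection under ./captures
    listener = make_listener(port=41523)
    while True:
        for rec in serve(listener, "captures", max_connections=1):
            print(rec["when"], rec["peer"], rec["bytes"], "bytes ->", rec["path"])
```

Run it under nohup exactly as described for honeypot.sh; because the socket is bound once and reused, there is no gap between clients in which a probe could be missed, which the nc loop cannot guarantee while nc restarts.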



That's it for now!



Have a great weekend--

--Ed Skoudis

ed (at) intelguardians.com

0 Comments

Published: 2005-02-17

New mydoom variant; ARCserve exploitation has begun... got Port 41523 TCP packets?



New MyDoom variant peaked early, then phizzled


It has been reported that a new variation of MyDoom has been spreading on the Internet tonight. Like many of the previous variations of the MyDoom virus, the email appears to come from the ISP of the recipient and contains an executable or zipped attachment. Based on observations by many of the handlers and readers of the ISC, this new variant peaked around 5pm Eastern Wednesday, and started to get picked up by new anti-virus definitions around 10pm Eastern.
Below is an example of the body:

######### example ##############
Dear user <insert email address>,

Your email account has been used to send a huge amount of unsolicited
commercial email messages during this week. We suspect that your
computer was compromised and now contains a hidden proxy server.

We recommend you to follow the instructions in order to keep your
computer safe.

Have a nice day,
<insert domain name> support team.
######### /example ##############


An interesting note about the mydoom/bagle/beagle/netsky phenomenon is that there is such a discrepancy between antivirus companies on naming/identifying these nasties. Granted, IDS vendors have the same issues with naming detects, as do vulnerability scanners. Funny thing is that since many of these bugs' names have wrapped the alphabet twice, we may now start to append Unicode chars to the end of them :-)

Here is a sampling of names submitted by one of our handlers:

AntiVir 6.29.0.16 02.17.2005 Worm/MyDoom.BB

AVG 718 02.17.2005 I-Worm/Mydoom.AP

BitDefender 7.0 02.17.2005 Win32.Mydoom.AQ@mm

ClamAV devel-20050130 02.16.2005 Worm.Mydoom.M-2

DrWeb 4.32b 02.17.2005 Win32.HLLM.MyDoom.54464

eTrust-Iris 7.1.194.0 02.17.2005 Win32/Mydoom.AU!Worm

eTrust-Vet 11.7.0.0 02.17.2005 Win32.Mydoom.AU

Fortinet 2.51 02.17.2005 W32/Mydoom.BB-mm

F-Prot 3.16a 02.17.2005 W32/Mydoom.AY@mm

Kaspersky 4.0.2.24 02.17.2005 Email-Worm.Win32.Mydoom.am

NOD32v2 1.1000 02.16.2005 probably unknown NewHeur_PE virus

Norman 5.70.10 02.17.2005 MyDoom.AQ@mm

Panda 8.02.00 02.17.2005 W32/Mydoom.AO.worm

Sybari 7.5.1314 02.17.2005 I-Worm.MyDoom.AX

For more information on this variant of mydoom, please see:

http://secunia.com/virus_information/15463/mydoom.bb/
http://vil.nai.com/vil/content/v_131856.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.BB
http://www.sarc.com/avcenter/venc/data/w32.mydoom.ax@mm.html
http://www.sophos.com/virusinfo/analyses/w32mydoomo.html

Thanks to the always 31337 handlers: Scott Fendley and Tom Liston for helping out with this one :-)
ARCserve POC exploit has been released, Scanning has begun

Yet another target for the kiddies... there is a published exploit for CA's BrightStor ARCserve Backup buffer overflow and ISC readers are already noticing scans for it on TCP port 41523. (URLs updated by Jim Clausing, previous APAR withdrawn in favor of this new one)

http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO64538&startsearch=1

(Added by Ed Skoudis): More detail can be found here: http://supportconnect.ca.com/sc/solcenter/sol_detail.jsp?aparno=QO64538&os=NT&returninput=0

Port 41523 TCP, got packets?

http://isc.sans.org/port_details.php?port=41523

A number of people have written in with concern over an upswing in TCP port 41523 packets inbound. Has anyone seen any of these packets egressing from your network? ISC Handlers would be very interested in finding the malware (especially if it is different from the published exploit on k-otik) for this traffic. If you have seen this traffic, please save packets in tcpdump format. Also, if you see this traffic communicating inbound (not just SYN probes), we would be interested in seeing this too.

Mike Poor

echo "mikepoorhandlerondutyisageek" | sed -e s/poor/\@/g -e s/isageek/\.com/g -e s/handleronduty/intelguardians/g

0 Comments

Published: 2005-02-16

New MyDoom Variation; SHA1; an increase in port scanning on ports 137 and 445; port 41523 captures

New MyDoom Variation


It has been reported that a new variation of MyDoom has been spreading on the Internet tonight. Like many of the previous variations of the MyDoom virus, the email appears to come from the ISP of the recipient and contains an executable or zipped attachment. Below is an example of the body:
Dear user <insert email address>,

Your email account has been used to send a huge amount of unsolicited
commercial email messages during this week. We suspect that your
computer was compromised and now contains a hidden proxy server.

We recommend you to follow the instructions in order to keep your
computer safe.

Have a nice day,
<insert domain name> support team.


For more information on this variation, please see:

http://secunia.com/virus_information/15463/mydoom.bb/

http://vil.nai.com/vil/content/v_131856.htm

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.BB

http://www.sarc.com/avcenter/venc/data/w32.mydoom.ax@mm.html

http://www.sophos.com/virusinfo/analyses/w32mydoomo.html

SHA1


Reports of the demise of the SHA1 hashing algorithm abound today.
Little is actually known about the attack, just that a paper is being circulated and that it is "bad".

Here are some realistic actions that can be taken now while this begins to reveal itself:
- Inventory where SHA1 is in use in your organization

- Determine which uses may be at risk. Early reports say that the HMAC construction is not affected, so your VPNs and SSL are in good stead.

- Check for measures that can be used in parallel with SHA1 to protect valuable data (such as combining MD5 with SHA1 side by side.)

- Be prepared to update or replace systems using (dependent on) SHA1 when a replacement becomes available. (In many cases this means waiting on a vendor.)
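The "side by side" measure from the third bullet, as an added example (not from the diary): a file manifest that records both an MD5 and a SHA1 digest, where verification succeeds only if both match, so a forger needs a collision in both functions at once. The manifest format is this example's assumption. Caveat worth knowing before leaning on this: Joux (CRYPTO 2004) showed that a cascade of two iterated hashes is not much stronger than its stronger member, so treat it as a bridge until a vetted replacement is deployed, not as a fix.

```python
"""Dual-digest (MD5 + SHA1) manifest (added example, not from the ISC diary)."""
import hashlib
import hmac


def digest_pair(data):
    """Hex MD5 and SHA1 of the same bytes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def manifest_line(name, data):
    """One manifest entry: '<name> md5=<hex> sha1=<hex>' (assumed format)."""
    md5hex, sha1hex = digest_pair(data)
    return f"{name} md5={md5hex} sha1={sha1hex}"


def parse_manifest(text):
    """Map file name -> (md5hex, sha1hex); blank lines are ignored."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, md5field, sha1field = line.split()
        entries[name] = (md5field.split("=", 1)[1], sha1field.split("=", 1)[1])
    return entries


def verify(name, data, entries):
    """True only if BOTH recorded digests match; each comparison is constant-time."""
    if name not in entries:
        return False
    want_md5, want_sha1 = entries[name]
    got_md5, got_sha1 = digest_pair(data)
    return hmac.compare_digest(got_md5, want_md5) and hmac.compare_digest(got_sha1, want_sha1)


if __name__ == "__main__":
    # Constructed sample: the manifest for a single small file.
    manifest = manifest_line("abc.txt", b"abc")
    print(manifest)
    print("verified:", verify("abc.txt", b"abc", parse_manifest(manifest)))
```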


That said, the world is not ending today. Your applications that depend on SHA1 (or MD5, for that matter) are still going to work and protect your data for the most part. By employing the principles of defense in depth and practicing due diligence, we will find most of our cryptographic needs are met until a vetted replacement for SHA1 is available.

It will be interesting to see how NIST and other government agencies (both US and abroad) handle this. We will update the diary as more information becomes available.

ports 137 and 445


Scans on ports 137 and 445 are on the rise. There are also some reports of vast scanning on port 1026. These should all be blocked at the firewall, of course.
They may be related in part to Symantec's release of new information on spybot/agobot/phatbot variants.
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.jpb.html
Thanks Deb!

port 41523


We have had one submission of packets for port 41523, thank you. We need some more. If anyone can get a complete 3 way handshake that would really help us out.
One useful technique that I am running is with netcat:

$ nc -l -p 41523 > port41523.txt

I also have tcpdump running at the same time. I am not seeing any of this traffic in my neck of the Internet though.

Dan Goldberg

MADJiC Consulting, Inc.

dan at madjic dot net

0 Comments

Published: 2005-02-15

Port 41523; Linux Exploit; Phishing Name server; New Feature: tcp %; ssh attacks; MSRC blog

Port 41523/tcp



Port 41523/tcp is still the port to watch today.
http://isc.sans.org/port_details.php?port=41523

The small number of sources indicates that this is likely not a worm, but
a reconnaissance/target list acquisition operation. An exploit against ARCserve,
which commonly listens on this port, is readily available.

The Top 10 IPs scanning for this port right now:

+-----------------+-----------+
| IP | AS Number |
+-----------------+-----------+
| 129.120.055.067 | 589 |
| 066.243.030.084 | 16852 |
| 066.011.128.151 | 11817 |
| 148.245.198.131 | 6503 |
| 062.058.035.115 | 13127 |
| 062.073.174.092 | 2914 |
| 156.054.253.023 | 3269 |
| 217.059.017.034 | 3269 |
| 024.157.087.120 | 812 |
| 195.172.166.182 | 4589 |
+-----------------+-----------+


a more comprehensive list may follow later.

Linux exploit



An exploit was released for the recently discovered local privilege escalation
vulnerabilities. The vulnerability information was released today as well.

Vulnerability details:

http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html

Phishing Name Server



The DNS server 'NS1.SPX2K.com' currently hosts the following domains
CITIFINANCUPDATE.com, SAFE-KEYNET.com, WAMU4U.com, WAMUCORP.com
which appear to be phishing related. The use of actual 'valid' domains
like this opens up the possibility that they are used with SSL certificates.
The whois info for these domains appears to be fake.

New Feature: tcp %



We do get requests to better differentiate between tcp and udp in our
port reports. One reason we don't do this much is that for most ports only
udp or tcp is actually used (e.g. port 80 is almost exclusively tcp).
However, for some ports this is not so clear. All 'port detail' pages now
include a new column (see the 'raw data' section below the graph) which
shows what % of the reports are TCP. As a sample, see port 53:

http://isc.sans.org/port_details.php?port=53

Only about 2% of the traffic reported to DShield on this port is tcp. Of
course, in this case this may be the interesting traffic.

New RSS Feed Test



I am experimenting with a different RSS feed format. To see a preview,
check http://isc.sans.org/rssfeed_new.php and let us know if it works
better/worse for you.

ssh attacks



Still the same thing: brute-forcing tons of common usernames. This time
Neil sent us a log showing about 300 usernames. The best way to report ssh scans
is via DShield. See http://www.dshield.org/howto.php for details.

MSRC Blog



Members of the Microsoft Security Response Center started posting
their own blog at http://spaces.msn.com/members/msrc/ which
includes some nice insights about issues with patches, security
response and neat tools.

-----------------
Johannes Ullrich, jullrich\\;-)//sans.org

CTO SANS Internet Storm Center

0 Comments

Published: 2005-02-12

MSN Messenger; Notable Activity on Port 903, 1063, 1978; Steps to Beat Phishing

MSN Messenger


Microsoft has now restricted access to the MSN Messenger service to updated versions only. Users will be prompted to update their software if they are using an outdated version.

Microsoft has also provided a KB article on how to disable MSN Messenger and MSN Web Messenger in a corporate environment (http://support.microsoft.com/kb/889829). This will be helpful to those corporates who wish to block access to .NET Messenger or MSN Web Messenger.


http://www.microsoft.com/technet/security/Bulletin/MS05-009.mspx

http://support.microsoft.com/kb/889829

http://www.microsoft.com/security/incident/im_info.mspx

Notable Activity on Port 903, 1063, 1978


There have been spikes on these ports over the last few days. If this is the same trend you have seen on your end, do let us know.


http://isc.sans.org/port_details.php?port=903

http://isc.sans.org/port_details.php?port=1063

http://isc.sans.org/port_details.php?port=1978

Steps to Beat Phishing


Some of the handlers had a discussion on techniques a website owner can use to detect and beat phishing attacks. One way is to monitor referral URLs. Increasingly, phishers have taken great pains to include real code from the site they are spoofing. For example, if you click on any of the links of the phishing/fake site, it will take you to the actual pages of the real site. But the real site can then see the referral URL that sent you there. If the real site is getting visitors referred by any URL other than its own, it should serve a page with a big fat warning banner at the top saying that the user was likely just at a fake site. Note that referring URLs can also come from legitimate locations, like a local business directory or something similar. Here are some of the techniques discussed that website owners can consider to detect whether their sites could be targeted by phishers:



* Use cookies to track deep-linking visitors (set a cookie for visitors arriving at the main page, then use it to track state; warn visitors who arrive at a deep link without the top-level non-persistent cookie).

* Filter referral URLs coming from sites unrelated to the bank (easier said than done, but a default-deny rule would be a good place to start, particularly for the deep links).

* Provide an email address to handle questions, and a FAQ.

* Use warning banners to educate users.

* Even better: issue all of your customers an X.509 certificate that they install in their browsers, and don't accept business transactions unless the certificate is valid (also easier said than done).

* Equip all customers with a hardware token generating a one-time password (again easier said than done, but it has been implemented on at least one site).
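The first two techniques in that list, implemented together, as an added example (not from the diary or any bank's code): plain dicts stand in for HTTP request headers, the landing page is the only place that sets a non-persistent entry cookie, and a deep link is allowed only when that cookie is present and the Referer is either absent, the site itself, or on a short allowlist (default deny for everything else). Host names, paths and the cookie name are assumptions. Keep in mind that a phishing kit can deliberately strip the Referer (a meta refresh or script redirect does it), which is why the cookie check is the stronger of the two signals: a kit cannot forge it without first sending the victim through your front page.

```python
"""Deep-link and referer check for the real site (added example, not from the ISC diary)."""
from urllib.parse import urlsplit

OWN_HOSTS = {"www.example-bank.test", "example-bank.test"}   # assumed
KNOWN_REFERERS = {"directory.example.test"}                   # assumed local business directory
DEEP_LINK_PATHS = {"/login", "/account", "/transfer"}         # pages a phish kit links straight into
ENTRY_COOKIE = "entered"                                      # set only by the landing page


def entry_cookie_header():
    """Set-Cookie value for the landing page: no Expires/Max-Age, so it dies with the browser."""
    return f"{ENTRY_COOKIE}=1; Path=/; Secure; HttpOnly"


def referer_host(headers):
    """Host part of the Referer header, or None if the header is missing or unparsable."""
    ref = headers.get("Referer")
    if not ref:
        return None
    return urlsplit(ref).hostname


def has_entry_cookie(headers):
    return any(p.strip().startswith(ENTRY_COOKIE + "=") for p in headers.get("Cookie", "").split(";"))


def classify_request(path, headers):
    """Return 'ok' or 'warn:<reason>'; the caller shows the warning banner on 'warn'."""
    host = referer_host(headers)
    if host in OWN_HOSTS:
        return "ok"                      # internal navigation
    if path not in DEEP_LINK_PATHS:
        return "ok"                      # landing page: this is where the cookie gets set
    if not has_entry_cookie(headers):
        return "warn:no-entry-cookie"    # straight to a deep link, never saw our front door
    if host is None:
        return "ok"                      # referer stripped by browser/proxy; the cookie vouches
    if host in KNOWN_REFERERS:
        return "ok"
    return "warn:foreign-referer"        # default deny: unknown site sent a user to a deep link


if __name__ == "__main__":
    # Constructed sample requests; the phishing host name is made up.
    samples = [
        ("/login", {"Referer": "https://www.example-bank.test/"}),
        ("/login", {"Referer": "http://secure-login.example.invalid/x.php"}),
        ("/login", {"Referer": "http://secure-login.example.invalid/x.php", "Cookie": "entered=1"}),
        ("/login", {"Cookie": "sid=abc; entered=1"}),
    ]
    for path, hdrs in samples:
        print(path, hdrs.get("Referer", "-"), "->", classify_request(path, hdrs))
```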



We have in fact a document on . Check this out.



If you have other useful inputs, send to us. Thanks to Marcus Sachs, Swa Frantzen and Johannes for the great discussion.
Published: 2005-02-11

F-Secure Vulnerability; Symantec Patch/Update; Microsoft patch set; IDS Vendor Review

More antivirus vendor vulnerabilities. Follow up on how to get Symantec product fixed. Microsoft patches may break video drivers. Personal experiences with various Network detection (IDS/IPS) vendors.

F-Secure ARJ Vulnerability



In a late update to today's diary: it was disclosed today that F-Secure AntiVirus (and related products) is vulnerable to problems similar to Symantec's from the past two days. The prime difference is that F-Secure's problem involves the ARJ archive format instead of UPX. For more details about the vulnerability and affected products please see the following URLs:







I have a feeling that ISS is going through all antivirus products and testing them for various vulnerabilities.


As more information is released, we will add information to the diary entry. -- The Internet Storm Center Team

Symantec UPX vulnerability, ongoing



Several of you wrote in with your own thoughts and experiences on how to patch/update your Symantec software. It appears that, at least for the corporate edition, you have to call Symantec with a valid support contract, and they will provide you with an upgrade.



The handler's list was largely focused on the
. Symantec's web site seems to
indicate that they actually do have a patch for this:



"Note: Virus definitions version 70209af (extended version
2/9/2005 rev. 32) or greater contain this heuristic."




It's well worth running LiveUpdate if you haven't already.



Older unsupported versions of Symantec Anti-Virus may not have
updates available. You may be able to work around the vulnerability by
disabling compressed file scanning, but this should be a temporary fix.


Microsoft patch set: NVidia, rebooting



Dmitriy noted that the recent
block caused problems with his NVidia drivers; the system would not
go beyond VGA resolution. Simply re-installing the
drivers solved the problem.



John wrote in that around 20% of his systems entered a constant
reboot cycle after applying the Microsoft patch set. Here's what he
said:



"It turns out that the culprit is KB885250. One of the actions
the update attempts is to replace rdbss.sys. If the blue
screen/rebooting problem occurs it will be because the Windows File
Protection system detects the replacement of that file and restores it.
Of course, the update does not work with the restored version of
rdbss.sys. Hence, the blue screen/perma-reboot. The "solution" (that
is, the way to get your Windows 2000 machine functioning again) is to
enter Safe Mode and remove KB885250 via Add/Remove Programs. It will
complain that its removal will cause problems for other updates, but if
you ignore that message and click OK, your system will work again...
After KB885250 has been uninstalled, it can be installed manually
without incident."


Recent IDS deployment



In the recent past I’ve been fortunate enough to be able to deploy various network detection technologies. Having spent the last 5 years working with these technologies, I’ve seen them grow and change (for better or worse). I've deployed both IDS and a new IPS, and it should be getting better, right?



That being said, I recently had the opportunity to re-deploy a commercial IDS system into our environment. And let me tell you, coming from working with Snort and other vendors' products, this is by far the most cumbersome deployment I’ve seen to date. It wanted things like an IP assigned to the monitoring interface, wanted to have RMON control over the switch, etc., etc. Before rebuilding this system, I took it out of operation, and now I can see why the “previous system administrators” had it set up the way they did. If you didn't know better, then it would seem OK to assign the IP to the monitoring interface.



Where is this story going? Well, you need to do research before buying a product. There are several resources out there; one that I personally like is the NSS Group's reports (http://www.nss.co.uk). Also, “Corporate” may not always know the best product for your own environment. They may have only struck a deal with a leading vendor, but you can always challenge this.



Again, do your research, plan, and if all else fails use SNORT ;-)



The views expressed here are those of the handler, and do not reflect the views of the ISC.

0 Comments

Published: 2005-02-10

F-Secure Vulnerability; More on Symantec UPX and Microsoft patch set


F-Secure ARJ Vulnerability



In a late update to today's diary: it was disclosed today that F-Secure AntiVirus (and related products) is vulnerable to problems similar to Symantec's from the past two days. The prime difference is that F-Secure's problem involves the ARJ archive format instead of UPX. For more details about the vulnerability and affected products please see the following URLs:




As more information is released, we will add information to tomorrow's diary entry. -- The Internet Storm Center Team

Symantec UPX vulnerability, ongoing



The handler's list was largely focused on the
. Symantec's web site seems to
indicate that they actually do have a patch for this:


"Note: Virus definitions version 70209af (extended version
2/9/2004 rev. 32) or greater contain this heuristic."


It's well worth running LiveUpdate if you haven't already.


Older unsupported versions of Symantec Anti-Virus may not have
updates available. For these, upgrading to SAV 9 or above might be
appropriate. You may be able to work around the vulnerability by
disabling compressed file scanning, but this should be a temporary fix.

Microsoft patch set: NVidia, rebooting



Dmitriy noted that the recent
block caused problems with his NVidia drivers; the system would not
go beyond VGA resolution. Simply re-installing the
drivers solved the problem.


John wrote in that around 20% of his systems entered a constant
reboot cycle after applying the Microsoft patch set. Here's what he
said:


"It turns out that the culprit is KB885250. One of the actions
the update attempts is to replace rdbss.sys. If the blue
screen/rebooting problem occurs it will be because the Windows File
Protection system detects the replacement of that file and restores it.
Of course, the update does not work with the restored version of
rdbss.sys. Hence, the blue screen/perma-reboot. The "solution" (that
is, the way to get your Windows 2000 machine functioning again) is to
enter Safe Mode and remove KB885250 via Add/Remove Programs. It will
complain that its removal will cause problems for other updates, but if
you ignore that message and click OK, your system will work again...
After KB885250 has been uninstalled, it can be installed manually
without incident."


-- Handler on Duty,
Published: 2005-02-09

* Updated: Serious Symantec Vulnerability, 1-day exploits, and the missing 13th patch

Serious Symantec Vulnerability



Update:
It appears that Symantec has not actually released the patches as mentioned on their web site. We have not found any patches for Symantec AntiVirus Corporate Edition 8 and 9. We are investigating this further.


http://www.sarc.com/avcenter/security/Content/2005.02.08.html



ISS X-Force has found a serious heap overflow vulnerability in many
versions of the Symantec UPX decompression engine. As some of you may
be aware, most modern trojans are packed with a combination of
obfuscating and compression methods to evade detection; a component of
which is UPX compression. It is conjectured that malware will
soon take advantage of this attack to evade, disable, and possibly
damage Symantec security products. Please examine the list of
products posted by SARC and take immediate action to remedy any
vulnerability you might be exposed to. Hotfixes are available.
Stop reading and go patch now. This webpage will be here when you
get back, which is more than we can say for your browsing experience
should you decide NOT to take action.

Further information is available at http://xforce.iss.net/xforce/alerts/id/187




PoC's available for MS05-005 and MS05-009


Proof of concept code has been released for the MS05-005 (Microsoft Office
URL handling) and MS05-009 (Multiple PNG file decode problems) issues.
Both of these are on the critical patch list, and we expect to see malware
utilizing either of these attacks in the near future. The portion of
MS05-009 that relates to MSN Messenger, the CAN-2004-0597 libpng vulnerability,
is especially serious, as CORE Security has determined that this attack may
be carried out in a manner completely undetected by the end user,
with little to no user interaction, depending on MSN client settings.


Major antivirus vendors have signatures posted or nearly complete
for both of these issues, and you can get snort signatures for MS05-009 over
at http://www.bleedingsnort.com/

The 13th Patch


In all the ruckus yesterday, many of us missed the fact that Microsoft
quietly issued an update to the MS04-035 SMTP server DNS validation
overflow issue from October, 2004. It appears that Exchange 2003 and
the "Exchange-Lite" SMTP Server bundled with Windows Server 2003 are
also susceptible to this attack. Get'cher patch on.
http://www.microsoft.com/technet/security/bulletin/ms04-035.mspx

0 Comments

Published: 2005-02-08

* Microsoft Releases 8 Critical Security Patches, etc.

Microsoft Releases Security Patches



True to its word, Microsoft released several security patches today. Eight of the patches are marked "critical." You can find information about today's patches at the following URLs:

http://www.microsoft.com/security/bulletins/200502_windows.mspx

http://www.microsoft.com/technet/security/bulletin/ms05-feb.mspx



Our team compiled the following technical summary of today's patch cluster. This was written by several people working in parallel, so please excuse the differences in style across the segments.


Bulletin   Severity   Impact                                          Supersedes
MS05-004   Important  Information Disclosure, Elevation of Privilege  N/A
MS05-005   Critical   Remote Code Execution                           MS04-028
MS05-006   Moderate   Remote Code Execution                           N/A
MS05-007   Important  Information Disclosure                          N/A
MS05-008   Important  Remote Code Execution                           N/A
MS05-009   Critical   Remote Code Execution                           MS03-021, MS04-010
MS05-010   Critical   Remote Code Execution                           N/A
MS05-011   Critical   Remote Code Execution                           N/A
MS05-012   Critical   Remote Code Execution                           MS03-010, MS03-026, MS03-039
MS05-013   Critical   Remote Code Execution                           N/A
MS05-014   Critical   Remote Code Execution                           MS04-038, MS04-040
MS05-015   Critical   Remote Code Execution                           N/A


Our handlers prioritized today's patches in the following order:



Priority #1:

Make sure that all machines have standard Microsoft networking ports blocked from access by unknown parties.



Priority #2:

To protect from automated attacks (in priority order):

MS05-011: Vulnerability in Server Message Block Could Allow Remote Code Execution (885250)

MS05-010: Vulnerability in the License Logging Service Could Allow Code Execution (885834)

MS05-004: ASP.NET Path Validation Vulnerability (887219)



Priority #3:

To protect from attacks by malicious websites or email (in priority order):

MS05-013: Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (891781)

MS05-014: Cumulative Security Update for Internet Explorer (867282)

MS05-015: Vulnerability in Hyperlink Object Library Could Allow Remote Code Execution (888113)

MS05-009: Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)

MS05-005: Vulnerability in Microsoft Office XP could allow Remote Code Execution (873352)

MS05-012: Vulnerability in OLE and COM Could Allow Remote Code Execution (873333)



Priority #4:

To protect other issues (non-prioritized):

MS05-008: Vulnerability in Windows Shell Could Allow Remote Code Execution (890047)

MS05-007: Vulnerability in Windows Could Allow Information Disclosure (888302)

MS05-006: Vulnerability in SharePoint Could Allow Cross-Site Scripting and Spoofing Attacks (887981)

"Critical" Vulnerabilities



MS05-005: Vulnerability in Microsoft Office XP could allow Remote Code Execution (873352)

http://www.microsoft.com/technet/security/bulletin/ms05-005.mspx



A buffer overrun exists in Office XP that is triggered by a specially crafted URL, which could be hosted on a web site. When the user follows the malicious link, the browser automatically runs the payload using Office XP components, giving the attacker access to the system.



Impacted systems are Office XP, Project and Visio 2002, and MS Works. This patch is available at officeupdate.microsoft.com.


Microsoft offers the following workaround:

Enable prompting for Office documents. By default, Internet Explorer will prompt the user to Open/Save As the document. Note: If this functionality has been turned off, the documents will automatically be opened. To re-enable this functionality, follow these steps:

1. Double-click on the My Computer icon on your desktop or in the start menu right-click My Computer and select Explore.

2. From the Tools menu, select Folder Options.

3. On the File Types tab, for each Office file type, highlight and click Advanced.

4. In the dialog box that is displayed, verify that the Confirm open after download setting is checked. Also, uncheck Browse in same window if it is checked.



The workaround causes Internet Explorer to prompt the user to Open or Save the file. Picking Open will still cause the file to be executed.



Related CVE ID: CAN-2004-0848:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0848




MS05-009: Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)

http://www.microsoft.com/technet/security/bulletin/ms05-009.mspx


Successful exploitation of these vulnerabilities may allow a remote attacker to execute arbitrary code when the victim views a maliciously-crafted PNG image. One of the two vulnerabilities that this patch corrects is CAN-2004-0597, which was announced earlier this year in connection with a buffer overflow bug in libpng 1.2.5. At the time, the vulnerability was only discussed in the context of UNIX systems; apparently Windows platforms are vulnerable to this as well.



The CAN-2004-1244 vulnerability affects Media Player 9. The other vulnerability that this patch addresses, CAN-2004-0597, affects Windows Messenger and MSN Messenger 6.1 and 6.2. See Microsoft's bulletin for detailed information on which versions are affected on which operating systems.



Microsoft's bulletin provides several suggestions for mitigating the risk associated with these vulnerabilities.



This set of vulnerabilities, and the associated threats, is reminiscent of the MS04-028 announcement, made in the fall of 2004, which affected the processing of JPG/JPEG files.



Related CVE IDs: CAN-2004-1244 and CAN-2004-0597:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1244

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597




MS05-010: Vulnerability in the License Logging Service Could Allow Code Execution (885834)

http://www.microsoft.com/technet/security/bulletin/MS05-010.mspx



Remote code execution vulnerability in License Logging Service. This (understandably) only affects Windows server offerings.

Affected Software: NT Server 4.0 & 4.0 Terminal Server, SP6a

2000 Server SP 3 & 4

Server 2003, x86 & Itanium



Not Affected:

2000 Pro, XP, 98 & ME



The impact is listed as Critical for NT 4 & 2000 Server SP3, Important for 2000 Server SP4, and Moderate for Server 2003. This is likely due to the fact that the License Logging Service is not enabled by default on Server 2003, and only authenticated users can connect to the License Logging Service on 2000 SP4 and Server 2K3. Microsoft believes this vulnerability is limited to a denial of service on Server 2003.



Additionally, on Small Business Server 2000/2003 this service *is* enabled by default. SBS 2003 limits access to this service to the local network. From my interpretation of this bulletin, users of SBS are at the most risk from this vulnerability, as they are the most likely to be utilizing the License Logging service.



Workarounds include disabling of the License Logging service (if you haven't already), limiting access to ports 139/445 via a firewall (if you haven't already), and preventing unauthenticated users from accessing the License Logging Service by removing the 'Llsrpc' value from the 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes' registry key.



MS Gives shouts 'n' greets to Kostya Kortchinsky from CERT RENATER for reporting this issue.



Related CVE ID: CAN-2005-0050:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0050




MS05-011: Vulnerability in Server Message Block Could Allow Remote Code Execution (885250)

http://www.microsoft.com/technet/security/bulletin/ms05-011.mspx



The Server Message Block (SMB) protocol is used by Windows to share files, printers, serial ports, and also to communicate between computers. There is a problem with the way affected operating systems validate certain SMB packets.



From MSFT's vague description of the issues, it appears that the vulnerability lies in the handling of broadcast SMB packets, which mitigates the possibility of this being used for an automated remote attack (i.e., a worm), because broadcast SMB packets should not be routed. However, according to the documents available, this may be exploitable by other means (clicking on a specifically crafted URL) and so there is a possibility of having malicious code exploiting this vulnerability dropped into a local network.



Affected Software: Win2K (SP3 & 4), WinXP (SP1 & 2), WinXP64-bit (SP1), WinXP64-bit (2003), WinServer2003 and WinServer2003 for Itanium. Folks on Win98, Win98SE and WinME are in the clear. Win95 is probably also OK, but is currently not supported.


Does this finally clear up eEye’s outstanding advisory???

http://www.eeye.com/html/research/upcoming/index.html




MS05-012: Vulnerability in OLE and COM Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/bulletin/ms05-012.mspx



This bulletin covers two vulnerabilities, one of which allows remote code execution (OLE) while the other allows privilege escalation (COM). This bulletin replaces MS03-010, MS03-026 and MS03-039. It affects basically every Microsoft operating system and Office product. Check the bulletin to be sure whether you are affected.

It is important to note that Microsoft classifies these as critical on systems with Exchange Server running on them. According to Microsoft, "Exchange Servers are primarily at risk because an attacker could try to exploit this vulnerability without any required user interaction, and because Exchange Servers typically run with elevated user rights."



OLE: The first is an "unchecked buffer in how OLE validates data" (sounds like a buffer overflow). If exploited, the attacker gains the same privileges as the logged-on user. OLE provides the ability to link and embed (think layered) items within a document. Microsoft has also used it to allow "in-place" editing, which lets the current window be modified when a new application is launched instead of opening a new window.



COM: This vulnerability exists in the way "affected operating systems and programs access memory when they process COM structured storage files or objects." COM allows a file to contain a structure describing the objects held within itself. The vulnerability definition isn't very clear, but it appears that COM files or objects are allowed to access areas of memory they shouldn't. The threat lies in allowing a specially crafted program to be run that would lead to a complete takeover of the system.




MS05-013: Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (891781)

http://www.microsoft.com/technet/security/bulletin/ms05-013.mspx



A vulnerability exists in the DHTML Editing Component ActiveX Control. This vulnerability could allow information disclosure or remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited that page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.



Affected Software:

Windows 2000 SP3 and SP4

XP SP1 and SP2

XP 64-Bit Edition Service Pack 1 (Itanium)

XP 64-Bit Edition Version 2003 (Itanium)

Windows Server 2003

Server 2003 for Itanium-based Systems

Windows 98, Windows 98 Second Edition, and Windows Millennium Edition



Mitigation: Ensure HTML e-mail is opened in the Restricted sites zone if using Outlook Express 6, Outlook 2000, Outlook 2002, or Outlook 2003. Run IE with the Enhanced Security Configuration enabled on Server 2003 systems. XP SP2 systems should ensure that IE is operating in the Local Machine Lockdown Zone. For details see:

http://msdn.microsoft.com/security/productinfo/XPSP2/securebrowsing/locallockdown.aspx



Related CVE ID: CAN-2004-1319:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1319




MS05-014: Cumulative Security Update for Internet Explorer (867282)

http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx



Vulnerability:
This is an aggregate patch to deal with the following vulnerabilities that could allow remote code execution: Drag and Drop Vulnerability - CAN-2005-0053, URL Decoding Zone Spoofing Vulnerability - CAN-2005-0054, DHTML Method Heap Memory Corruption Vulnerability - CAN-2005-0055, Channel Definition Format (CDF) Cross Domain Vulnerability - CAN-2005-0056.



Affected Software: Every combination of Windows 98/2000/XP/2003, with IE 5, 5.5, and 6 is vulnerable to at least one of the vulnerabilities that this cumulative patch addresses.



Drag and Drop Vulnerability - CAN-2005-0053: A privilege elevation vulnerability exists in Internet Explorer because of the way that Internet Explorer handles drag-and-drop events. An attacker could exploit the vulnerability by constructing a malicious Web page. This malicious Web page could potentially allow an attacker to save a file on the user's system if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.



Decoding Zone Spoofing Vulnerability - CAN-2005-0054: A remote code execution vulnerability exists in Internet Explorer because of the way that it handles certain encoded URLs. An attacker could exploit the vulnerability by constructing a malicious URL. This malicious URL could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. The URL could be made to look like a link to another Web site in an attempt to trick a user into clicking it. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability.



DHTML Method Heap Memory Corruption Vulnerability - CAN-2005-0055: A remote code execution vulnerability exists in Internet Explorer because of the way that it handles certain DHTML methods. An attacker could exploit the vulnerability by constructing a malicious Web page. This malicious Web page could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.



Channel Definition Format (CDF) Cross Domain Vulnerability - CAN-2005-0056: A cross-domain vulnerability exists in Internet Explorer that could allow information disclosure or remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a malicious Web page. The malicious Web page could potentially allow remote code execution if viewed by a user. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability.




MS05-015: Vulnerability in Hyperlink Object Library Could Allow Remote Code Execution (888113)

http://www.microsoft.com/technet/security/bulletin/ms05-015.mspx



An attacker can execute arbitrary code by having the victim click on a specially crafted URL. The vulnerability takes advantage of an unchecked buffer in the "Hyperlink Object Library," and it can be triggered by clicking a hyperlink in various programs like e-mail clients and web browsers.



To mitigate the vulnerability, Microsoft recommends disabling HTML email and only using plain text email. Further, for the web-based vector, a proxy server may be able to intercept the malicious link.



All versions of Microsoft Windows are vulnerable. The use of an alternative browser may not protect you from this vulnerability.



MS05-005 fixes the same problem for users of Microsoft Office, which includes a copy of this library.


"Important" Vulnerabilities



MS05-004: ASP.NET Path Validation

http://www.microsoft.com/technet/security/bulletin/ms05-004.mspx



If you are running an ASP.NET website, an attacker can access parts of your site that are secured via passwords. In order to gain access to these parts of your site, the attacker will have to replace a '/' in the URL path with %5C or a backslash.



This vulnerability has been widely known since Sept. 2004. As a workaround, other authentication methods can be used, or additional filters like URLScan can be used to normalize and filter requests before they are interpreted by the web server.
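The canonicalization that a filter like URLScan performs, as an added Python example that is not part of this diary and not Microsoft's or URLScan's code: the naive prefix check that the backslash spelling slips past, next to the same check made on a canonical path, and the front-filter rule that simply refuses anything not already in canonical form. The site layout (PROTECTED_PREFIXES) and the sample paths are assumptions.

```python
"""Added example, not from the ISC diary or from Microsoft: a request-path
canonicalization step of the kind URLScan performs in front of IIS, shown
next to the naive authorization check that MS05-004-style path confusion
defeats.  All paths are constructed samples; PROTECTED_PREFIXES is an
assumed site layout."""
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/secure/",)   # assumed: folders that require a login


def naive_is_protected(raw_path: str) -> bool:
    """Authorization decided on the path exactly as received.  A request
    that spells the separator as a backslash (or %5C) does not match the
    prefix, yet the file system later maps it to the same protected file."""
    return raw_path.startswith(PROTECTED_PREFIXES)


def canonicalize(raw_path: str) -> str:
    """Turn a request path into one canonical spelling before any security
    decision: percent-decode twice (so an encoded '%' cannot hide a second
    layer), fold backslashes to slashes, drop empty and '.' segments, resolve
    '..', and refuse paths that climb above the web root."""
    path = unquote(unquote(raw_path)).replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise ValueError("path escapes the web root")
            segments.pop()
        else:
            segments.append(seg)
    canon = "/" + "/".join(segments)
    if segments and path.endswith("/"):
        canon += "/"          # keep a directory request recognizable
    return canon


def hardened_is_protected(raw_path: str) -> bool:
    """Same policy as naive_is_protected, but applied to the canonical path,
    so every spelling of a protected resource is treated the same."""
    canon = canonicalize(raw_path)
    return any(canon.startswith(p) or canon + "/" == p for p in PROTECTED_PREFIXES)


def is_canonical(raw_path: str) -> bool:
    """URLScan-style front filter: only requests that are already in canonical
    form are allowed through; everything else is rejected before the
    application sees it.  Escaping the root is rejected too."""
    try:
        return canonicalize(raw_path) == raw_path
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ("/secure/admin.aspx", "/secure%5Cadmin.aspx", "/secure\\admin.aspx",
              "/public/../secure/admin.aspx", "/public/index.aspx"):
        print(f"{p:32} naive={naive_is_protected(p)!s:5} "
              f"hardened={hardened_is_protected(p)!s:5} canonical_form={is_canonical(p)}")
```

Rejecting non-canonical requests outright (is_canonical) is the simpler rule for a front filter; normalizing and then authorizing (hardened_is_protected) is what the application itself should do, since it cannot assume a filter is in front of it.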



Related CVE ID: CAN-2004-0847

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0847



Prior diary about this topic:

http://isc.sans.org/diary.php?date=2004-10-06




MS05-007: Information Disclosure Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms05-007.mspx



Only Windows XP (including SP2) is vulnerable. A successful exploit will allow an attacker to read the usernames of users connected to a given resource. The vulnerability can only be exploited if the "Computer Browser" service is enabled; the service is enabled if you enabled file or printer sharing. You can disable the Computer Browser service on the workstation directly or via group policies, but note that you need to reboot the system to make the change effective. Windows 2000 and XP networks can replace the Computer Browser service with Active Directory.



The vulnerability can be mitigated by blocking ports 139 and 445. However, these ports should already be closed. IPSec policies can be used as a "makeshift" (but effective) firewall.



Details about computer browser service:

http://support.microsoft.com/kb/188001



Using IPSec policies on Win2k (applies to XP as well)

http://support.microsoft.com/kb/313190

http://support.microsoft.com/kb/813878



Related CVE ID: CAN-2005-0051:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0051




MS05-008: Vulnerability in Windows Shell Could Allow Remote Code Execution (890047)

http://www.microsoft.com/technet/security/bulletin/ms05-008.mspx



The update for the "Drag-and-Drop Vulnerability" (CAN-2005-0053) comes in two parts. It is addressed in part in this security bulletin. This security bulletin, together with security bulletin MS05-014, makes up the update for CAN-2005-0053. These updates do not have to be installed in any particular order. However, we recommend that you install both updates.



Drag-and-Drop Vulnerability - CAN-2005-0053: A privilege elevation vulnerability exists in Windows because of the way that Windows handles drag-and-drop events. An attacker could exploit the vulnerability by constructing a malicious Web page. This malicious Web page could potentially allow an attacker to save a file on the user's system if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0053


"Moderate" Vulnerabilities



MS05-006: Vulnerability in SharePoint Could Allow Cross-Site Scripting and Spoofing Attacks (887981)

http://www.microsoft.com/technet/security/bulletin/ms05-006.mspx



This is a cross-site scripting and spoofing vulnerability. The cross-site scripting vulnerability could allow an attacker to convince a user to run a malicious script. If this malicious script is run, it would execute in the security context of the user, allowing the attacker access to any data on the affected system. Attempts to exploit this vulnerability require user interaction, though it may also be possible for an attacker to exploit this vulnerability to modify Web browser caches and intermediate proxy server caches, and put spoofed content in those caches.



As this does allow for remote code execution with the intervention of the end user, Microsoft classified this as Moderate severity. However, it should be considered critical, as with any remote code execution vulnerability.



Thanks to all the handlers who contributed to this write-up! The period at the end of this sentence marks the end of our overview of today's Microsoft Security Bulletin.

The IDN Browser Problems Follow-Up



This note is a follow-up to yesterday's diary post regarding the International Domain Names (IDN) problem announced by Shmoo. Though some would not classify this as a "vulnerability," it does affect non-Internet Explorer browsers and can aid in phishing attacks. If you want to check whether you're vulnerable, you can go to the following URLs:

http://www.shmoo.com/idn/

http://secunia.com/multiple_browsers_idn_spoofing_test/



Note that a workaround for this issue in Mozilla-based browsers, mentioned in Shmoo's advisory, is to disable IDN support by setting "network.enableIDN" to false via "about:config". However, as Mark Stingley reported to us, making the change via "about:config" in Firefox doesn't actually prevent the exploit from working in all instances. Mark directed us to the following blog, which explains how to make the change slightly more permanent by editing the compreg.dat file:

http://users.tns.net/~skingery/weblog/2005/02/permanent-fix-for-shmoo-group-exploit.html



Some reports suggest that changes to the compreg.dat file may end up being overwritten when you install a Firefox extension.



Lenny Zeltser

ISC Handler of the Day

http://www.zeltser.com


Published: 2005-02-07

Etymology; Homographic Attacks; and other BIG words

8181 theories continue



We’re still requesting binary captures of the TCP/8181. Ideally it will be in binary libpcap format which will give us the best view of what is going on.

My gut instinct tells me that the intent of this traffic is infrastructure mapping—it’s not traceroute, and it’s not the preliminary scan for a firewalk, but it is definitely modulating the TTL.

Shmoocon ends with a “state of homographic attacks” announcement



Many readers sent in the Shmoo Group’s (of airsnort fame) announcement and proof-of-concept code that exploits many non-Internet Explorer web browsers (http://www.shmoo.com/idn/homograph.txt). The issue arises from how these browsers parse International Domain Names (RFC 3490.) Like any good handler, I’m running a non-IE web browser. Here was my experience with their proof of concept. I tried the SSL version of the demonstration, and a simple click of the link will take me to their “0wned” page, and the URL window looks like I’m at the spoofed site. The certificate even appears to have the spoofed URL. The only difference is that the victim site’s certificate is signed by Verisign, while the fake site is signed by “The USERTRUST Network.” If I tried to get tricky by copy/pasting the provided URL, the fake site was still reached.
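The homograph problem from the Shmoo announcement above, and from the 2005-02-08 IDN follow-up, illustrated by an added Python example that is not the Shmoo Group's proof of concept and not part of this diary. It converts a host name between its Unicode and punycode ("xn--") forms, flags labels that mix scripts or that collapse onto a watched brand once look-alike letters are mapped back to Latin, and in that case picks the punycode form for display, the same effect a browser gets by refusing to render IDN labels. The confusable table and the brand list are small assumed samples, not complete data.

```python
"""Added example, not the Shmoo Group's code and not part of the ISC diary:
a defender-side check that converts a host name between its Unicode and
punycode ("xn--") forms, flags labels that mix scripts or that collapse
onto a watched brand once look-alike letters are mapped back to Latin,
and chooses the punycode form for display in that case.  CONFUSABLES and
WATCHED_BRANDS are small assumed samples, not a complete list."""
import unicodedata

# Assumed partial table: a few Cyrillic and Greek letters whose glyphs
# match Latin letters in common fonts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u03b1": "a", "\u03bf": "o",
}
WATCHED_BRANDS = {"paypal", "ebay", "google"}   # assumed


def to_ascii(host: str) -> str:
    """Punycode-encode every non-ASCII label (the form a resolver sends on the wire)."""
    return ".".join(
        label if label.isascii() else "xn--" + label.encode("punycode").decode("ascii")
        for label in host.split("."))


def to_unicode(host: str) -> str:
    """Reverse of to_ascii: decode 'xn--' labels back to their Unicode form."""
    return ".".join(
        label[4:].encode("ascii").decode("punycode") if label.lower().startswith("xn--")
        else label
        for label in host.split("."))


def scripts_of(label: str) -> set:
    """Script names present in a label, taken from the Unicode character names
    (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'); digits and hyphens ignored."""
    ignore = {"DIGIT", "HYPHEN-MINUS", "UNKNOWN"}
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label} - ignore


def skeleton(label: str) -> str:
    """Map look-alike letters to Latin so 'p<cyrillic a>ypal' becomes 'paypal'."""
    return "".join(CONFUSABLES.get(ch, ch)
                   for ch in unicodedata.normalize("NFKC", label.lower()))


def assess_host(host: str) -> dict:
    """Return the Unicode and punycode spellings, the findings, and the form
    that is safe to show in an address bar or mail client."""
    uni = to_unicode(host)
    findings = []
    for label in uni.split("."):
        if label.isascii():
            continue
        scripts = scripts_of(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in '{label}'")
        sk = skeleton(label)
        if sk in WATCHED_BRANDS:
            findings.append(f"'{label}' looks like '{sk}'")
    ascii_form = to_ascii(uni)
    return {"unicode": uni, "ascii": ascii_form, "findings": findings,
            "safe_display": ascii_form if findings else uni}


if __name__ == "__main__":
    spoof = "www.p\u0430ypal.com"          # Cyrillic 'a' in the second position
    for h in ("www.paypal.com", spoof, to_ascii(spoof)):
        print(assess_host(h))
```

The mixed-script rule is what later browser policies adopted; the skeleton comparison catches the case where an entire label is spelled in one non-Latin script but still reads as a Latin brand name, which the mixed-script rule alone would miss.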

More Firefox issues



Michael Krax released three new Firefox weaknesses that may aid in a Phishing attack. You can read more about his research at http://www.mikx.de/

I suppose the good news is that Firefox is gaining enough usage/popularity to get more eyes looking at its vulnerabilities and issues. He also makes up great new words for the issues, like “Fireflashing.” Which brings me to…

Pharming: the son of Phishing



Another step in the exciting etymological developments that occur in this field was made today when I first heard the term “Pharming.” What is it? I refer back to the February 2, 2005 diary (http://isc.sans.org/diary.php?date=2005-02-02) where a Dutch magazine released an article on DNS hijacking. Apparently the use of such a technique to bring users to your fake site is referred to as “Pharming.”

In other non-Microsoft application news



Eudora has some important updates available: http://www.eudora.com/email/upgrade/index.html

------------------------------------------------


Kevin Liston

kliston AT isc.sans.org


Published: 2005-02-06

TCP Port 8181 Puzzle

Still investigating TCP Port 8181 Activity



While we are still looking for more captures of TCP port 8181, "Frealek" suggested today that we are looking at a "personal scanner of some strange software". Another idea submitted by Frealek is a "way to find last hop that routes packets". This technique is most commonly referred to when discussing a mapping tool called "Firewalk".



http://www.packetfactory.net/projects/firewalk/



Firewalk works using *incrementing* TTLs, versus the decrementing ones we are seeing. So the puzzle continues; anybody that has thoughts, comments, questions, or suggestions is welcome to submit anytime.




Tony Carothers

Handler on Duty


Published: 2005-02-05

Port 8181 update; Trojan.Comxt.B; Mail Bag

Port 8181 Update


Jason Friend sent us a capture of traffic destined for port 8181. Here are some of the characteristics noted:



The TTLs decremented by 1 each time, however the following fields remained constant:

Checksum: decimal 11609

Flags and Offset: hex 4000

IP ID: decimal 55211



If anyone has any ideas, we would be interested in hearing them. We would still like to see more captures as well, so grab your favorite tool and let's see if we can figure this one out.
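For readers going through their own captures, an added Python example (not part of the diary and not the reader's capture) that builds a few raw IPv4/TCP headers, parses back the fields compared above and tests for the pattern described: TTL stepping down by one per packet while IP ID and flags/offset stay fixed. Addresses, ports and TTL values are constructed; only the IP ID 55211 is taken from the capture described above. One caveat the parser makes visible: the IPv4 header checksum covers the TTL, so it changes with every decrement; a checksum that stays constant while the TTL steps down must be the TCP checksum, which covers the pseudo-header and segment but not the TTL.

```python
"""Added example, not part of the ISC diary: build a handful of raw IPv4/TCP
headers, parse back the fields the diary compared (TTL, IP ID, flags and
fragment offset, checksums, ports) and test for the pattern described:
TTL stepping down by one per packet while IP ID and flags/offset stay
fixed.  Packets, addresses and ports are constructed; the IP ID 55211 is
the constant reported in the diary."""
import struct


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; a header whose checksum field
    is already valid sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(ttl: int, ip_id: int, dport: int,
                 src: str = "192.0.2.10", dst: str = "198.51.100.20") -> bytes:
    """Constructed 20-byte IPv4 header + 20-byte TCP SYN header, no payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    flags_off = 0x4000                                  # DF set, offset 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, flags_off,
                     ttl, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # TCP checksum left at 0: it covers the pseudo-header and the segment,
    # not the TTL, so it would be identical for every TTL anyway.
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + tcp


def parse_packet(pkt: bytes) -> dict:
    """Extract the header fields worth comparing across a capture."""
    ver_ihl, _tos, _tlen, ip_id, flags_off, ttl, proto, ip_csum = \
        struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    tcp_csum = struct.unpack("!H", pkt[ihl + 16:ihl + 18])[0]
    return {"ttl": ttl, "ip_id": ip_id, "flags_off": flags_off, "proto": proto,
            "ip_checksum": ip_csum, "sport": sport, "dport": dport,
            "tcp_checksum": tcp_csum}


def field_summary(pkts) -> dict:
    """Distinct values per field: the quick way to see what stays constant."""
    rows = [parse_packet(p) for p in pkts]
    return {k: sorted({r[k] for r in rows}) for k in rows[0]} if rows else {}


def looks_like_ttl_sweep(pkts, dport: int = 8181) -> bool:
    """True when all packets are TCP to dport, each TTL is exactly one lower
    than the previous, and IP ID and flags/offset never change."""
    rows = [parse_packet(p) for p in pkts]
    if len(rows) < 3 or any(r["dport"] != dport or r["proto"] != 6 for r in rows):
        return False
    ttls = [r["ttl"] for r in rows]
    steps_down = all(b == a - 1 for a, b in zip(ttls, ttls[1:]))
    constant = len({(r["ip_id"], r["flags_off"]) for r in rows}) == 1
    return steps_down and constant


# Constructed sample: six packets, TTL 30 down to 25, IP ID fixed at 55211.
SAMPLE_SWEEP = [build_packet(ttl, 55211, 8181) for ttl in range(30, 24, -1)]

if __name__ == "__main__":
    print(field_summary(SAMPLE_SWEEP))
    print("ttl sweep:", looks_like_ttl_sweep(SAMPLE_SWEEP))
```

On a real pcap the same parse_packet() applies to each record's bytes after the link-layer header (14 bytes for Ethernet); field_summary() then shows at a glance which fields are fixed and which walk, which is exactly the comparison made above.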

Trojan.Comxt.B


Okay, this one is not a widespread Trojan, but it is a very creative one. I just wanted to point it out because of the efforts it makes to hide itself. If anyone has a copy of it, please pass it our way! Here is what Symantec says:


"Trojan.Comxt.B is a Trojan horse program that downloads remote files. The Trojan uses alternate data streams and rootkit technology to hide its presence on the compromised computer."


For more information see:


http://securityresponse.symantec.com/avcenter/venc/data/trojan.comxt.b.html

Mail Bag


We really appreciate our readers and the efforts they put forth to help us out. It is a team effort and we are all trying to make the Internet safer! Here is an email sent in by Colin Keith with some of his observations:



"Just been looking through the scams filtered by my mail server and wanted to pass on a note about a trend I've been seeing by Phishing scammers. They've recently started using domain names that look like the bank's URL instead of using browser exploits (%00/^A hack, image-maps, etc). Perhaps they're learning that we simply trap this kind of nonsense and that it's less effective as more people patch these security holes?



Some example domains include:



logon.personal.wamu2k.com

wamu.us2k.net

wamu.ofiga.com

signin.ebay.com.aw-cgi.ebayisapi.dll.signinsecure.ssl1.0.port5.com



(Hmm, had others for usbank and keybank but they've disappeared from my logs now)



The last two are those stupid "free subdomain" things ISPs offer when they're desperate to boost their number of "customers". All of these have been reported, the first to the domain registrars too for domain names registered in violation of the ICANN agreements (trademark infringement/registered to be used for committing a crime) so hopefully they'll go soon if they haven't already.



Also stuff for people to scan for in incoming mails - check if the URLs are hosted on port 87 (common on dial up accounts) or 6180 (common on server). I suppose the scammers have yet to write the phishing kits so that they use a randomly selected port? Also noticed are the URLs of the phishing target site in the URL/directory of the hosting site. E.g.:



webmail.faef.br/db/login.personal.wamu.com/logon/logon.asp/



Strangely spammers seem to be getting their scams mixed up lately too. I've seen mails claiming to be from suntrust printing a keybank.com URL via a window.status call and the

URL saying suntrust...



Nothing exciting, but I thought I'd pass on the observations in case they might be of some use to anyone :)"
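The patterns Colin lists, turned into a small mail-scanning check as an added Python example (not from the diary and not Colin's code): a watched brand inside a host name whose registered domain belongs to someone else, the target's host name reappearing in the URL path, and a non-standard port. The brand table, the port lists and SAMPLE_MAIL are constructed for the example; the registered-domain helper only looks at the last two labels, which is enough for the .com/.net/.br samples but not for suffixes like .co.uk.

```python
"""Added example, not from the ISC diary or from the reader's mail: a small
scorer for URLs found in incoming mail, applying the three patterns the
reader describes (a watched brand inside a host whose registered domain is
someone else's, the target bank's host name reappearing in the URL path,
and a non-standard port).  The brand table, port lists and SAMPLE_MAIL are
constructed for this example."""
import re
from urllib.parse import urlsplit

# Assumed: brand keyword -> the domain that legitimately belongs to it.
WATCHED_BRANDS = {"wamu": "wamu.com", "ebay": "ebay.com", "keybank": "keybank.com"}
SUSPECT_PORTS = {87, 6180}       # ports the reader saw on phishing hosts
NORMAL_PORTS = {80, 443}

URL_RE = re.compile(
    r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d{1,5})?(?:/[^\s\"'<>]*)?", re.I)


def registered_domain(host: str) -> str:
    """Last two labels of the host.  Good enough for the .com/.net/.br samples
    here; a real filter would consult the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def score_url(url: str) -> dict:
    """Reasons a URL looks like a look-alike phishing link; empty = no concern."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)
    reasons = []
    for brand, legit in WATCHED_BRANDS.items():
        if reg == legit:
            continue                        # the brand's own site
        if brand in host:
            reasons.append(f"brand '{brand}' in host but registered domain is {reg}")
        if legit in parts.path.lower():
            reasons.append(f"target host {legit} embedded in path on {reg}")
    try:
        port = parts.port
    except ValueError:                      # e.g. a port number out of range
        port = None
        reasons.append("malformed port number")
    if port in SUSPECT_PORTS:
        reasons.append(f"non-standard port {port} seen on phishing hosts")
    elif port is not None and port not in NORMAL_PORTS:
        reasons.append(f"unusual port {port}")
    return {"url": url, "host": host, "registered_domain": reg,
            "suspicious": bool(reasons), "reasons": reasons}


def scan_text(text: str) -> list:
    """Score every URL in a mail body and return only the suspicious ones."""
    scored = (score_url(m.group(0)) for m in URL_RE.finditer(text))
    return [r for r in scored if r["suspicious"]]


# Constructed mail body: two look-alike links and one legitimate one.
SAMPLE_MAIL = """Dear customer, confirm your details at http://logon.personal.wamu2k.com/login
or visit https://www.wamu.com/ for help. Mirror:
webmail.faef.br/db/login.personal.wamu.com/logon/logon.asp/"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_MAIL):
        print(hit["url"], "->", "; ".join(hit["reasons"]))
```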


Thanks for reading and enjoy the Super Bowl!



Lorna Hutcheson

Handler on Duty

http://www.iss-md.com


Published: 2005-02-04

Microsoft non-patch; 8181 TCP; Safer Internet Day

Patches Microsoft may or may not be releasing



eEye has a web page which brings attention to at least one vulnerability that Microsoft has been advised of, but for which there has been no patch for over 6 months now. While this might be one of the patches scheduled for release this coming Tuesday there isn't enough information available yet to know either way. Although 13 patches in one day might be enough for anyone. Stay tuned.

'Happy patch day!'

http://www.eeye.com/html/research/upcoming/index.html

TCP port 8181 spike


Something is definitely up with TCP port 8181, the graph on Dshield is showing a major spike, and still climbing. If you have packets, or are aware of what tool or malware is causing this please drop us a line. One theory is that someone is looking for Windows boxen infected by Zafi.d, probably in order to install more lovely code.

http://www.dshield.org/port_report.php?port=8181

Making the Internet a Safer Place



I applaud the announcement of a brand new Internet safety awareness portal, launching on 08 Feb 2005. Although primarily a European site, the Insafe network intends to raise Internet safety awareness, which is always a good idea.

http://www.saferinternet.org/

-------------------------------------------------------------------------------

Adrien de Beaupré

Handler of the Day

abeaupre - at - isc.sans.org

http://www.cinnabar.ca


Published: 2005-02-03

Microsoft's Surprise Box / Port 42 and 8634 / My personal poll

Microsoft's Surprise Box





Next Tuesday will be Microsoft's monthly security bulletin release. I have the feeling that I will not be the handler on duty on this day. According to the Microsoft Advance Notification, they are planning to release nothing less than 13 patches, and at least 4 are rated as Critical! I feel kind of sad (not for me, my linux uptime is 6:04pm up 59 days, 1:39, 1 user, load average: 0.00, 0.00, 0.00, which is kind of ok...), but for the users that will not apply them and will be the first victims of exploits and, who knows, worms...

Maybe I am being too dramatic, but maybe in this way I could convince someone to pay attention and apply the next patches that will be released...



Just a brief summary of the releases:



- 9 Microsoft Security Bulletins affecting Microsoft Windows. The greatest aggregate, maximum severity rating for these security updates is Critical. Some of these updates will require a restart.


- 1 Microsoft Security Bulletin affecting Microsoft SharePoint Services and Office. The greatest aggregate, maximum severity rating for this security bulletin is Moderate. These updates may or may not require a restart.


- 1 Microsoft Security Bulletin affecting Microsoft .NET Framework. The greatest aggregate, maximum severity rating for this security bulletin is Important. This update will require a restart.


- 1 Microsoft Security Bulletin affecting Microsoft Office and Visual Studio. The greatest aggregate, maximum severity rating for this security bulletin is Critical. These updates will require a restart.


- 1 Microsoft Security Bulletin affecting Microsoft Windows, Windows Media Player, and MSN Messenger. The greatest aggregate, maximum severity rating for these security updates is Critical. These updates will require a restart.



In the words of our friend Adrien, Happy Patch Day!






Ports 42 and 8634





We noticed an upswing on probes for port 42.

Port 42, much discussed here, is the one used by WINS, which had a vulnerability disclosed some days ago. One report that we got today was about probes for port 42 with SOURCE port 80.


Did you notice that, or, as our fellow handler Don likes to say, "got packets?"




On another topic, but also related to our good friends also called packets, we received a question about probes on port 8634. It didn't ring a bell here, but you may be seeing something... if so, please let us know!




My personal poll



This is not related to the ISC poll, just part of my curiosity.
If you are a home ADSL user and have the opportunity to get a 16 mb link, what would you do with that amount of bandwidth? If you want, use the email address below.

I am kind of worried because I think that it is too much bandwidth for a home user. And I am worried about what the bad guys could do with that (DoS comes to my mind)...In fact, I think that I miss my 300 bps modem times...


-----------------------------------------------------------------

Handler on Duty: Pedro Bueno (pbueno@isc.sans.org)


Published: 2005-02-02

Bright(?) FUD, Heise bounty, Google thinks you are malware, Tom Liston sees his shadow, and more

Dutch "news" exposes DNS spoofing



ISC reader Tony van der Togt sent us a link to (and translation of the salient portions) which is spreading rapidly through the Dutch media regarding a super secret group of k-rad organized hackers subtly herding innocent web surfers away from their intended targets.


Tony's translation is below, and is followed by a review of the article by ISC Handler Swa Frantzen (thanks Swa!)



----



AMSTERDAM - Criminals have taken control over the major arteries of Internet, and can do as they like. They do if they get paid for it. This is what the new tech glossy magazine, Brights, announces in its first number.


The hacking technique is called 'DNS spoofing' and has been made public by Toine Verheu, owner of an international porno search portal. He was approached by a criminal who promised him a million visitors (hits) in a single day, for 1000 dollar. This is an unusually large number in such a timeframe, even for the most popular sites in the Netherlands.


The story was checked by Internet experts such as Ted Lindgreen of NLnet Labs, Olaf Kolkman of RIPE-NCC and Jaap Akkerhuis, who until recently worked for the Stichting Internet Domeinregistratie Nederland, who confirmed the hole in Internet's heart.


From the 'Bright' article: 'I can decide where the users of internet are pointed to,' the American said. 'Give me your ip-number and go to Google.' Verheul typed a specific search term and clicked 'search'. After that, he didn't get the usual list with search results, but was redirected to a porn site, just by clicking 'search'.



Bright?



A brand new so called "tech glossy" to be in stores tomorrow in Holland gave a preview of an article called "Criminals manipulate the internet's arteries" (Our translation).
is in Dutch and rather long.



Aside from the content, where an owner of a porn search engine claims to have seen his browser hijacked by some even more shady characters, the most interesting part of the story is that quite a few reputable newspapers in Holland have copied the article in a shorter form.



The article itself claims people on the net offer shady sites traffic skimmed off of the normal flow, one hit a victim, one URL, inside a site like Google or CNN ... pretty advanced sounding scheme if it is true. However the article next jumps to DNS tricks like cache poisoning. True, DNS cache poisoning is real and they have plenty of experts to talk about DNS issues. But the thing is that no DNS trick will redirect just one URL of CNN.com. Something else will be needed to achieve that.



To us it sounds too good (or should I say bad) to be true.



Nice marketing campaign though, with that level of press coverage the magazines will be sold out much faster. But should we lose sleep over it? Not yet.


Should we fix broken DNS servers, sure. Check for
every so often. Should newspapers do a bit more research themselves before reprinting material, even if it quotes half a dozen experts? Probably. To be clear (before our next handler has a full mailbox to handle): the experts are right, there is just no link to the fancy story.



As for Bright, perhaps they are, perhaps not, time will tell.


Heise.de bounty



Today the ISC received news of a
for information leading to the capture of the perpetrator(s) of the DoS attack they suffered yesterday (as mentioned in the .



ISC Reader Jochen was kind enough to supply the ISC with a translation of the announcement.



----



Distributed search for heise-online attacker



The 'Heise Zeitschriften Verlag' asks network administrators to assist them in analysing the Denial-of-Service attacks against 'heise online' (www.heise.de). In particular we need concrete information about machines that actively took part in the attacks to acquire the malware program that has been used.



The main wave of the attacks took place on February 1st between 8:41am and 5:00pm CET. It consisted of TCP-SYN packets targeting port 80 with a size of 40 bytes and a TCP header length of zero. The packets first targeted 193.99.144.71 and later 193.99.144.85. Sender addresses were spoofed, even addresses of unassigned networks were used. Simultaneously, between 1:14pm and 2:33pm CET, an attack of similar type hit the Heise mailserver 193.99.145.50 on port 25.



Many firewalls 'complain about' these packets due to the invalid IP header. The logs of routers may show accumulations of exactly 40-byte-long packets. Please send relevant information to hinweise@heise.de. The publisher is offering a reward of 10,000 Euro for information that leads to the capture of the perpetrator.



----
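For administrators answering Heise's request, the signature in the announcement (40-byte TCP SYNs with a zero TCP header length, aimed at port 80 or 25, from spoofed and partly unassigned sources) is concrete enough to match against captured headers. The following is an added example, not code from the diary or from Heise: it decodes a raw IPv4+TCP header pair, flags packets that fit that description, and notes whether the source falls in an unrouted range. The target addresses are those from the announcement; the sample packets, the short bogon list and the source addresses are constructed for the example.

```python
"""Flag packets matching the Heise SYN-flood description (added example)."""
import ipaddress
import struct

TARGET_PORTS = {80, 25}   # web and mail ports named in the announcement
# Assumption: a few reserved/unassigned ranges standing in for a full bogon feed.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4")]
SYN, ACK = 0x02, 0x10


def build_packet(src, dst, sport, dport, data_offset_words, flags, total_len=40):
    """Construct a bare 20-byte IPv4 header plus a 20-byte TCP header (checksums zeroed)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                          (data_offset_words << 12) | flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Decode the IPv4 and TCP header fields the signature needs."""
    if len(pkt) < 34:
        raise ValueError("packet too short for IPv4 + TCP headers")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        return {"proto": proto}
    if len(pkt) < ihl + 14:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return {
        "proto": 6,
        "total_len": total_len,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "sport": sport,
        "dport": dport,
        "data_offset": (off_flags >> 12) * 4,   # zero is what Heise reported
        "syn": bool(off_flags & SYN),
        "ack": bool(off_flags & ACK),
    }


def matches_signature(p):
    """True when the decoded packet fits the pattern Heise described."""
    return (p.get("proto") == 6 and p["total_len"] == 40 and p["syn"] and not p["ack"]
            and p["data_offset"] == 0 and p["dport"] in TARGET_PORTS)


def from_bogon(addr):
    return any(addr in net for net in BOGON_NETS)


def triage(packets):
    """One verdict per raw packet: does it match, and is its source unrouted."""
    out = []
    for raw in packets:
        p = parse_ipv4_tcp(raw)
        hit = matches_signature(p)
        out.append({"src": str(p.get("src", "")), "dport": p.get("dport"),
                    "flagged": hit, "bogon_src": hit and from_bogon(p["src"])})
    return out


# Constructed samples: two flood-shaped packets, one ordinary SYN, one flood shape to an unlisted port.
SAMPLE_PACKETS = [
    build_packet("240.1.2.3", "193.99.144.71", 40001, 80, 0, SYN),      # reserved source, web target
    build_packet("10.9.8.7", "193.99.145.50", 40002, 25, 0, SYN),       # private source, mail target
    build_packet("198.51.100.7", "193.99.144.71", 40003, 80, 5, SYN),   # normal SYN, header length 20
    build_packet("240.1.2.4", "193.99.144.85", 40004, 443, 0, SYN),     # same shape, port not targeted
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_PACKETS):
        print(verdict)
```

The two hits and the two misses show why the header-length check matters: a legitimate SYN to port 80 differs from the flood packet only in its data offset, so a filter on size and port alone would also count normal connection attempts.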



I'm not up on exchange rates but I think 10,000 Euro is approximately a zillion USD, so I expect to be cut in if any ISC readers collect the bounty.



To Google, you are malware



This just in - Google thinks I am malware! At first I thought it was just a case of radically good judgment, but other handlers have confirmed the report of an ISC reader who wishes to remain anonymous.



----


I noticed today that a simple search in Google using
inurl causes Google to display this message when you
try to access the second page:



===================================================



We're sorry...

... but we can't process your request right now. A
computer virus or spyware application is sending us
automated requests, and it appears that your computer
or network has been infected.



We'll restore your access as quickly as possible, so
try again soon. In the meantime, you might want to run
a virus checker or spyware remover to make sure that
your computer is free of viruses and other spurious
software.



We apologize for the inconvenience, and hope we'll see
you again on Google.



==================================================



No, I do not have a virus or spyware, tested that
already ;-)



This has been attempted from multiple Internet
connections.



Basically, any name that has an entry in Google and ends
with "php" will cause this.



Ex: inurl:admin.php

inurl:test.php

inurl:whatever.php


I've tried it with cgi, html, asp, sh, pl and this
does not happen.



I find it odd that they would display a "panic" message not really knowing the actual facts :-(



What searches will they decide to restrict next ???



----


Our testing shows that this behavior isn't automatically triggered - there appears to be a sliding scale (searches per minute per IP?) that causes this to activate. This is an apparent reaction to recent PHP web-application based malware using Google to find targets, and I can't say I disagree with their tactics in this case. What do the ISC readers think?
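The "sliding scale (searches per minute per IP?)" guessed at above is a per-client rate limit that only counts queries of a particular shape. The following is an added example of how such a throttle can work; it is not Google's code, and the window length, threshold, query pattern and sample traffic are all assumptions. Only queries matching the `inurl:` plus `.php` pattern the reader hit are counted, and a client that exceeds the limit within the window gets the "we're sorry" block until enough old hits age out.

```python
"""Per-IP sliding-window throttle for target-harvesting style searches (added example)."""
from collections import defaultdict, deque
import re

WINDOW_SECONDS = 60      # assumed window length
MAX_HITS = 5             # assumed number of suspect queries tolerated per window
SUSPECT_QUERY = re.compile(r"inurl:\S*\.php\b", re.IGNORECASE)


class QueryThrottle:
    def __init__(self, window=WINDOW_SECONDS, max_hits=MAX_HITS):
        self.window = window
        self.max_hits = max_hits
        self.hits = defaultdict(deque)   # client ip -> timestamps of suspect queries

    @staticmethod
    def is_suspect(query):
        return bool(SUSPECT_QUERY.search(query))

    def check(self, ip, query, now):
        """Return 'ok' or 'blocked'; suspect queries are recorded even when blocked."""
        if not self.is_suspect(query):
            return "ok"                  # ordinary searches never count
        window = self.hits[ip]
        while window and now - window[0] >= self.window:
            window.popleft()             # slide: forget hits older than the window
        window.append(now)
        return "blocked" if len(window) > self.max_hits else "ok"


def simulate(events, throttle=None):
    """Replay (timestamp, ip, query) events and return the verdict for each."""
    t = throttle or QueryThrottle()
    return [t.check(ip, query, ts) for ts, ip, query in events]


SCANNER, HUMAN = "203.0.113.9", "198.51.100.20"   # constructed client addresses
SAMPLE_EVENTS = [
    (0, SCANNER, "inurl:admin.php"), (5, SCANNER, "inurl:test.php"),
    (10, SCANNER, "inurl:whatever.php"), (15, SCANNER, "inurl:login.php"),
    (20, SCANNER, "inurl:index.php"), (25, SCANNER, "inurl:config.php"),  # 6th hit in 60 s
    (26, SCANNER, "inurl:index.html"),       # not a .php probe: never counted
    (27, HUMAN, "inurl:admin.php"),          # different client, its own window
    (70, SCANNER, "inurl:admin.php"),        # hits at 0, 5 and 10 have aged out
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(event, verdict)
```

Keying the counter on the client address explains the reader's observation that the block followed them across connections only as far as each connection repeated the burst; it also explains why a single `.php` query from a fresh address goes through while the sixth in a minute does not.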



The Future is 0-day(?)



There's been an interesting discussion on the
over the past couple of days in reaction to a by Dave Aitel (who puts the "Dave" in Dailydave). The point he's making is (and I'm sure I'll hear about it if I'm wrong) that nearly all current defense techniques and technologies are based on defending against known vulnerabilities. This model of the world is rapidly losing any relevance it may have once had, as 0-day reigns supreme from the attacker's side. I'd be interested in hearing any opinions the ISC readers have on this.



For the record, I think he's right. ;)


Critical Eudora Vulnerability



NGSSoftware has discovered several code-execution vulnerabilities in Eudora 6.2.0 and below. Eudora has released a fixed version, available
. NGSSoftware's advisory is available . Per their disclosure policy, details on the flaw will not be published until May 2nd.



But if you're running Eudora, go ahead and fix it now.


Tom Liston sees his shadow!



Today, in what I can only hope will become an ISC tradition, Tom Liston was blindfolded, transported to an undisclosed subterranean location (internally referenced as the Danger Burrow), and forced to run a horrific gauntlet of infosec challenges in order to return to the surface of the Earth.* Upon poking his head out of the burrow, he removed the blindfold only to be greeted by the giant orange ball in the sky, and a very very long shadow. Horrified onlookers shrieked at the realization that this could mean only one thing:



Six more weeks of IRC bot wars.



I'd like to sidestep any criticism about the previous piece with the following: we're the Internet Storm Center. If the Weather Channel gets to dedicate streaming video to rodent weather predictions, we get to put a handler underground.



**********************

Cory Altheide

caltheide@isc.sans.org

**********************


*No Tom Listons were harmed during the 1st Annual ISC Groundhog's Day Spectacular.

Published: 2005-02-01

New FTP Brute Force? - German publisher DOSed

New FTP Brute Force?


One of our readers (thanks Dan!) told us about some unusual traffic to his FTP server.


I've received some strange traffic on my FTP server in the last few days, or at least this is the first time I've noticed this traffic.



I'm running [OS DELETED], last patched within the week, and I've got my directories locked for outside writing. Evidently some program is attempting to connect to the server and create a directory. I say it's a program because it's polling for a particular set of directories including /wwwroot/ and /wwwhtml/ by using the 'CWD' command. If it receives a response of 'command successful', it then tries to create a directory using the 'MKD' command.



The last series looked for 38 different directories and found /pub/, /usr/, and /. In each of these, it tried to create a directory using 'MKD', but only after a reply of success to the CWD command. The exchange took less than ten seconds to complete.



The two attempts were evidently different sources, at least they had different name resolutions.



The server had permissions locked down to prevent a successful compromise or inappropriate use by anyone using this particular malware. While I have broadband, my router is only forwarding unsolicited traffic designated for port 21 of the server address. Updated patching and port/ip router are the only protections currently employed for this server, and no filtering is being applied at the router. I am monitoring traffic using Ethereal, however.



The attack looks like this:



USER anonymous
331 Guest login ok, type your name as password.
PASS Zgpuser@home.com
230 Guest login ok, access restrictions apply.
CWD /pub/
250 CWD command successful.
MKD 050131161412p
550 050131161412p: Permission denied.
CWD /public/
550 /public/: No such file or directory.
CWD /pub/incoming/
550 /pub/incoming/: No such file or directory.
CWD /incoming/
550 /incoming/: No such file or directory.
CWD /_vti_pvt/
550 /_vti_pvt/: No such file or directory.
CWD /
250 CWD command successful.
MKD 050131161414p
550 050131161414p: Permission denied.
CWD /upload/
550 /upload/: No such file or directory.
CWD /_vti_txt/
550 /_vti_txt/: No such file or directory.
CWD /_vti_cfg/
550 /_vti_cfg/: No such file or directory.
CWD /_vti_log/
550 /_vti_log/: No such file or directory.
CWD /_vti_cnf/
550 /_vti_cnf/: No such file or directory.
CWD /_private/
550 /_private/: No such file or directory.
CWD /public/incoming/
550 /public/incoming/: No such file or directory.
CWD /public_html/
550 /public_html/: No such file or directory.
CWD /wwwroot/
550 /wwwroot/: No such file or directory.
CWD /mailroot/
550 /mailroot/: No such file or directory.
CWD /ftproot/
550 /ftproot/: No such file or directory.
CWD /home/
550 /home/: No such file or directory.
CWD /images/
550 /images/: No such file or directory.
CWD /web/
550 /web/: No such file or directory.
CWD /www/
550 /www/: No such file or directory.
CWD /html/
550 /html/: No such file or directory.
CWD /cgi-bin/
550 /cgi-bin/: No such file or directory.
CWD /usr/
250 CWD command successful.
MKD 050131161417p
550 050131161417p: Permission denied.
CWD /usr/incoming/
550 /usr/incoming/: No such file or directory.
CWD /temp/
550 /temp/: No such file or directory.
CWD /~temp/
550 ~temp: No such file or directory.
CWD /tmp/
550 /tmp/: No such file or directory.
CWD /~tmp/
550 ~tmp: No such file or directory.
CWD /outgoing/
550 /outgoing/: No such file or directory.
CWD /anonymous/
550 /anonymous/: No such file or directory.
CWD /anonymous/_vti_pvt/
550 /anonymous/_vti_pvt/: No such file or directory.
CWD /anonymous/_vti_cnf/
550 /anonymous/_vti_cnf/: No such file or directory.
CWD /anonymous/incoming/
550 /anonymous/incoming/: No such file or directory.
CWD /anonymous/pub/
550 /anonymous/pub/: No such file or directory.
CWD /anonymous/public/
550 /anonymous/public/: No such file or directory.
CWD / /
550 / /: No such file or directory.
CWD / /
550 / /: No such file or directory.
221 You could at least say goodbye.



A reader from New Zealand dropped us a note and mentioned that this is the work of a known FTP scanner, Grim's ping. Thanks for the note Simon!
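The behaviour Dan describes and the transcript shows (anonymous login, a rapid run of CWD probes through well-known upload directories, and an MKD issued only after a CWD returned 250, with a timestamp-shaped directory name) is easy to pick out of FTP server logs once it is written down as rules. The following is an added example, neither the reader's code nor the scanner's: it replays a control-channel transcript, one command or reply per line, follows the session state and reports those indicators. The watch list, the probe threshold and the two transcripts (a constructed excerpt modelled on the one above, plus a benign download session in the usage note) are assumptions.

```python
"""Flag a Grim's-ping style FTP directory probe from a session transcript (added example)."""
import re

MKD_TIMESTAMP = re.compile(r"^\d{12}p$")   # e.g. 050131161412p: YYMMDDhhmmss followed by 'p'
# Assumed watch list of directories a drop-site scanner probes for write access.
UPLOAD_DIRS = {"/pub/", "/incoming/", "/upload/", "/_vti_pvt/", "/wwwroot/", "/public_html/"}


def new_report():
    return {"anonymous_login": False, "cwd_probes": 0, "cwd_successes": 0,
            "cwd_failures": 0, "mkd_after_success": 0, "mkd_timestamp_names": 0,
            "watched_dirs_probed": set()}


def is_scanner(rep, min_probes=8):
    """Assumed verdict: anonymous, many CWD probes, MKD with scanner-style names after a 250."""
    return (rep["anonymous_login"] and rep["cwd_probes"] >= min_probes
            and rep["mkd_after_success"] > 0 and rep["mkd_timestamp_names"] > 0)


def analyse_session(lines):
    """Walk one session's command/reply lines and build an indicator report."""
    rep = new_report()
    user, last_cmd, last_cwd_ok = None, None, False
    for line in lines:
        line = line.strip()
        if not line:
            continue
        reply = re.match(r"^(\d{3})[ -]", line)
        if reply:                          # server reply: attribute it to the pending command
            code = int(reply.group(1))
            if last_cmd == "PASS" and user == "anonymous" and code == 230:
                rep["anonymous_login"] = True
            elif last_cmd == "CWD":
                last_cwd_ok = code == 250
                rep["cwd_successes" if last_cwd_ok else "cwd_failures"] += 1
            last_cmd = None                # a reply with no pending command (e.g. 221) is ignored
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            user = arg.lower()
        elif verb == "CWD":
            rep["cwd_probes"] += 1
            last_cwd_ok = False            # unknown until the reply arrives
            if arg in UPLOAD_DIRS:
                rep["watched_dirs_probed"].add(arg)
        elif verb == "MKD":
            if last_cwd_ok:
                rep["mkd_after_success"] += 1
            if MKD_TIMESTAMP.match(arg):
                rep["mkd_timestamp_names"] += 1
        last_cmd = verb
    return rep


# Constructed excerpt modelled on the reader's transcript above.
SCANNER_TRANSCRIPT = """\
USER anonymous
331 Guest login ok, type your name as password.
PASS Zgpuser@home.com
230 Guest login ok, access restrictions apply.
CWD /pub/
250 CWD command successful.
MKD 050131161412p
550 050131161412p: Permission denied.
CWD /incoming/
550 /incoming/: No such file or directory.
CWD /_vti_pvt/
550 /_vti_pvt/: No such file or directory.
CWD /
250 CWD command successful.
MKD 050131161414p
550 050131161414p: Permission denied.
CWD /upload/
550 /upload/: No such file or directory.
CWD /wwwroot/
550 /wwwroot/: No such file or directory.
CWD /public_html/
550 /public_html/: No such file or directory.
CWD /usr/
250 CWD command successful.
MKD 050131161417p
550 050131161417p: Permission denied.
CWD / /
550 / /: No such file or directory.
221 You could at least say goodbye.
"""

if __name__ == "__main__":
    report = analyse_session(SCANNER_TRANSCRIPT.splitlines())
    print(report, "scanner" if is_scanner(report) else "benign")
```

Fed the full session above, the same walk counts every CWD probe and the three MKD attempts that followed a 250; a normal anonymous download (USER, PASS, one CWD into /pub/, RETR, QUIT) logs in the same way but never trips the MKD or probe-count rules, which is what keeps the verdict from firing on ordinary mirror traffic.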






German Publisher DOSed?


Thomas writes:

I just read about a big DDoS attack in Germany. www.heise.de, one of the biggest German online publishers, has gone offline.


When checked, the site seems to be non-responsive.


isc dot chris -at- gee mail dot com
