PDF Arbitrary Code Execution - vulnerable by design.
Didier Stevens, who probably knows the PDF format better than most and has written some great PDF analysis tools, published a very interesting and concerning blog post [1].
In this post, he outlines how PDFs can be used to execute code. Nothing new, you may say... plenty of exploits have done this in the past. This is different: he is not using a vulnerability, but a feature. Evidently, PDFs have the ability to execute code by design. Since this is a design problem rather than an implementation problem, various PDF readers are vulnerable. In his blog, Didier shows a video of the exploit using Adobe's PDF reader. Adobe's reader will show a warning and ask the user for permission; however, the wording of this warning may be changed by the attacker. Foxit, a popular alternative to Adobe's reader, will show no warning.
At this point, Didier does not provide a public PoC exploit. However, he says he is in contact with vendors.
[1] http://blog.didierstevens.com
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Sharing the Tools
In the malware analysis world, you have to have the tools you feel most comfortable using; otherwise, a task that could be accomplished in 10 minutes will take hours.
But sometimes, finding the right tool for the task can be quite a challenge. This is one of the reasons I decided to create a site, called www.mysectools.com, where I can share some tools that have been quite valuable in my day-to-day malware analysis tasks.
Now, I would like to comment on two tools that I was recently introduced to.
The first one is not directly related to malware analysis (at least in concept), since it is more of a development tool. It is called WinAPIOverride32.
It is actually a package/suite with 3 different tools, but the one that I like most is dumper.exe, because sometimes you want more than just a click-and-dump application. This one gives you the freedom to choose what and how you want to dump a module, for example.
The second one is an anti-rootkit tool called XueTr, which honestly I haven't tried outside a controlled environment (VMware, etc.).
This is another quite powerful tool, which in some ways reminds me of IceSword, which I would recommend checking out if you don't know it.
Happy Malware Analysis!
----------------------------------------------------------------
Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure
www.mysectools.com
3 Comments
Zigbee Analysis Tools
At today's SANS SCADA Conference in Orlando, Josh Wright of InGuardians gave a very interesting talk on Zigbee security. Josh is leading a project to build a framework for Zigbee analysis tools that he calls "KillerBee". From the project website:
KillerBee is a Python based framework and tool set for exploring and exploiting the security of ZigBee and IEEE 802.15.4 networks. Using KillerBee tools and a compatible IEEE 802.15.4 radio interface, you can eavesdrop on ZigBee networks, replay traffic, attack cryptosystems and much more. Using the KillerBee framework, you can build your own tools, implement ZigBee fuzzing, emulate and attack end-devices, routers and coordinators and much more.
Let us know via our contact page or via the comment link below if you are doing any Zigbee experimentation and what you've learned so far.
Marcus H. Sachs
Director, SANS Internet Storm Center
0 Comments
VMWare Security Advisories Out
Update (Tuesday):
...and there are new Java patches too: http://java.sun.com/javase/6/
--------------------------------------
Yes, today is Monday, but we can already call it a week of patches/advisories.
We already got the Apple advisories, we already know about the Microsoft out-of-band patch release tomorrow (March 30th), and today VMware has released the following new and updated security advisories:
New - VMSA-2010-0005
http://lists.vmware.com/
Updated - VMSA-2009-0016.5
http://lists.vmware.com/
Updated - VMSA-2010-0002.1
http://lists.vmware.com/
Enjoy! Today is Monday! :)
------------------------------------------------------------------
Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure
http://www.mysectools.com
1 Comments
OOB Update for Internet Explorer MS10-018
Microsoft Security Bulletin MS10-018 - Critical
This update resolves 10 different vulnerabilities in Internet Explorer, of which the most severe impact can be execution of arbitrary code. All versions of IE from 5.01 to 8.0 are affected to varying degrees. Both servers and workstations should be updated. The update replaces MS10-002, and addresses the MS Advisory 981374 vulnerability. Time to patch! It is a cumulative update.
Here is a listing of the related vulnerabilities and CVE entries:
Uninitialized Memory Corruption Vulnerability - CVE-2010-0267
Post Encoding Information Disclosure Vulnerability - CVE-2010-0488
Race Condition Memory Corruption Vulnerability - CVE-2010-0489
Uninitialized Memory Corruption Vulnerability - CVE-2010-0490
HTML Object Memory Corruption Vulnerability - CVE-2010-0491
HTML Object Memory Corruption Vulnerability - CVE-2010-0492
HTML Element Cross-Domain Vulnerability - CVE-2010-0494
Memory Corruption Vulnerability - CVE-2010-0805
Uninitialized Memory Corruption Vulnerability - CVE-2010-0806
HTML Rendering Memory Corruption Vulnerability - CVE-2010-0807
http://blogs.technet.com/msrc/archive/2010/03/30/security-bulletin-ms10-018-released.aspx
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
2 Comments
Nmap 5.30BETA1 released
Nmap 5.30BETA1 is out. Many new features, new NSE scripts, nping, some syntax changes, some bug fixes and more. Nmap is hands down one of my favourite tools and a must have for any technical information security professional. Much more information and downloads available as always at: http://nmap.org/
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
0 Comments
OpenSSL V 1.0.0 released!
OpenSSL 1.0.0 is now available, a major release!
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
0 Comments
APPLE-SA-2010-03-29-1 Security Update 2010-002 / Mac OS X v10.6.3
Apple has published a security update covering a number of issues, with varying impacts.
Security Update 2010-002 / Mac OS X v10.6.3 is now available and addresses the following:
AppKit: CVE-ID: CVE-2010-0056
Application Firewall: CVE-ID: CVE-2009-2801
AFP Server: CVE-ID: CVE-2010-0057, CVE-2010-0533
Apache: CVE-ID: CVE-2009-3095
ClamAV: CVE-ID: CVE-2010-0058
CoreAudio: CVE-ID: CVE-2010-0059, CVE-2010-0060
CoreMedia: CVE-ID: CVE-2010-0062
CoreTypes: CVE-ID: CVE-2010-0063
CUPS: CVE-ID: CVE-2010-0393
curl: CVE-ID: CVE-2009-2417, CVE-2009-0037
Cyrus IMAP: CVE-ID: CVE-2009-2632
Cyrus SASL: CVE-ID: CVE-2009-0688
DesktopServices: CVE-ID: CVE-2010-0064, CVE-2010-0537
Disk Images: CVE-ID: CVE-2010-0065, CVE-2010-0497
Directory Services: CVE-ID: CVE-2010-0498
Dovecot: CVE-ID: CVE-2010-0535
Event Monitor: CVE-ID: CVE-2010-0500
FreeRADIUS: CVE-ID: CVE-2010-0524
FTP Server: CVE-ID: CVE-2010-0501
iChat Server: CVE-ID: CVE-2006-1329, CVE-2010-0502, CVE-2010-0503, CVE-2010-0504
ImageIO: CVE-ID: CVE-2010-0505, CVE-2010-0041, CVE-2010-0042, CVE-2010-0043
Image RAW: CVE-ID: CVE-2010-0506, CVE-2010-0507
Libsystem: CVE-ID: CVE-2009-0689
Mail: CVE-ID: CVE-2010-0508, CVE-2010-0525
Mailman: CVE-ID: CVE-2008-0564
MySQL: CVE-ID: CVE-2008-4456, CVE-2008-7247, CVE-2009-2446, CVE-2009-4019, CVE-2009-4030
OS Services: CVE-ID: CVE-2010-0509
Password Server: CVE-ID: CVE-2010-0510
perl: CVE-ID: CVE-2008-5302, CVE-2008-5303
PHP: CVE-ID: CVE-2009-3557, CVE-2009-3558, CVE-2009-3559, CVE-2009-4017, CVE-2009-4142, CVE-2009-4143
Podcast Producer: CVE-ID: CVE-2010-0511
Preferences: CVE-ID: CVE-2010-0512
PS Normalizer: CVE-ID: CVE-2010-0513
QuickTime: CVE-ID: CVE-2010-0062, CVE-2010-0514, CVE-2010-0515, CVE-2010-0516, CVE-2010-0517, CVE-2010-0518, CVE-2010-0519, CVE-2010-0520, CVE-2010-0526
Ruby: CVE-ID: CVE-2009-2422, CVE-2009-3009, CVE-2009-4214, CVE-2009-1904
Server Admin: CVE-ID: CVE-2010-0521, CVE-2010-0522
SMB: CVE-ID: CVE-2009-2906
Tomcat: CVE-ID: CVE-2009-0580, CVE-2009-0033, CVE-2009-0783, CVE-2008-5515, CVE-2009-0781, CVE-2009-2901, CVE-2009-2902, CVE-2009-2693
unzip: CVE-ID: CVE-2008-0888
vim: CVE-ID: CVE-2008-2712, CVE-2008-4101, CVE-2009-0316
Wiki Server: CVE-ID: CVE-2010-0523, CVE-2010-0534
X11: CVE-ID: CVE-2009-2042, CVE-2003-0063
xar: CVE-ID: CVE-2010-0055
To download: http://www.apple.com/support/downloads/
For more information:
http://support.apple.com/kb/HT1222
http://support.apple.com/kb/HT4014
http://support.apple.com/kb/HT4015
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
0 Comments
Honeynet Project: 2010 Forensic Challenge #3
If you like a good InfoSec puzzle the good people over at the Honeynet Project are at it again. They have just released Challenge #3 in their 2010 Forensic Challenge series.
This time they want you to analyze an image from a suspected infected workstation for a user who has discovered suspicious banking transactions. There is swag involved, and submissions are due by April 18th.
Results of the previous two challenges are available from the Honeynet Project Challenges page.
Have fun!
-- Rick Wanner - rwanner at isc dot sans dot org
0 Comments
Create a Summary of IP Addresses from PCAP Files using Unix Tools
Every once in a while we collect large PCAP files for analysis. However, there are times when we are looking for a summary list of either source or destination addresses seen in those PCAP files over a period of time. The two examples shown here represent two suspicious ports that I noticed being targeted this week, and I wanted to know the source IPs of this traffic.
First, if needed, we remove the IP or IPs we don't want to include in our summary. If we are going to reuse a PCAP filter several times, it is better to put the libpcap filter in a file and point tcpdump at it with -F (tcpdump -nr file.pcap -F parsing_filter).
Breaking down the filter
In order to be able to manipulate the data to our advantage, we need to determine what we are looking for. With our two examples, we are going to find which source IP addresses sent a TCP SYN packet to our gateway IP 192.168.21.32 on ports 465 and 2522, with the number of occurrences in each of the PCAP files.
My complete traffic parsing looks like this:
guy@seeker$ tcpdump -ntr 2010032501 'dst host 192.168.21.32 and tcp[13] = 0x02 and dst port 2522' | awk '{print $2}' | tr . ' ' | awk '{print $1"."$2"."$3"."$4}' | sort | uniq -c | awk ' {print $2 "\t" $1 }'
reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
XX.169.170.84 10
Breaking down each section
- Part 1 is the tcpdump switches: we are using -n (don't resolve), -t (don't print date/time) and -r 2010032501 (file name to replay).
- Part 2 is the libpcap filter ('dst host 192.168.21.32 and tcp[13] = 0x02 and dst port 2522'), which selects all inbound TCP SYN packets (tcp[13] = 0x02) to our gateway (dst host 192.168.21.32) on TCP port 2522.
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,nop,wscale 3,nop,nop,timestamp 895725079 0,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,nop,wscale 3,nop,nop,timestamp 895725088 0,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,nop,wscale 3,nop,nop,timestamp 895725098 0,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
- Part 3: we add a pipe with awk (| awk '{print $2}') to print only the source IP from our tcpdump result. Field $2 (source IP) could be changed to $4 to use the destination address.
reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
- Part 4: we add a pipe with tr (| tr . ' ') to change the periods to spaces so we can drop the source port (50316) in the next step.
reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
- Part 5: we add a pipe with awk (| awk '{print $1"."$2"."$3"."$4}') to reconstruct the source IP address(es) without the port.
reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
- Part 6: we add a pipe with sort (| sort) to sort our traffic by IP. In this case we only have one source.
reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
- Part 7: we add a pipe with uniq -c (| uniq -c) to count the number of times each source IP was seen in the PCAP file.
reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
10 xx.169.170.84
- The last part is just for formatting purposes: we reverse the order of the last output and insert a tab (| awk ' {print $2 "\t" $1 }') to show the IPs in the first column and the number of times seen in the second.
reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
xx.169.170.84 10
Another example, with its results, for destination port TCP 465.
guy@seeker$ tcpdump -ntr 2010032508 'dst host 192.168.21.32 and tcp[13] = 0x02 and dst port 465' | awk '{print $2}' | tr . ' ' | awk '{print $1"."$2"."$3"."$4}' | sort | uniq -c | awk ' {print $2 "\t" $1 }'
reading from file 2010032508, link-type LINUX_SLL (Linux cooked)
XX.237.148.241 3
XXX.197.208.107 3
XXX.199.183.68 3
XXX.22.87.36 3
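The same summary as an added example, not from the diary and not Guy's own code, written in Python so it can be run over saved tcpdump text output rather than re-typed as a pipeline. It parses the `IP src.port > dst.port:` records that tcpdump -n prints, skips the "reading from file" banner, and counts by source or destination address; going one step beyond the diary, it can also break the count down by destination port. The sample output is constructed here with documentation addresses, and the diary's libpcap SYN filter is assumed to have been applied when tcpdump was run.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nt` text output in the same shape as the
# diary's (banner line, then one line per SYN packet); addresses are from
# documentation ranges, not real sources.
SAMPLE_OUTPUT = """\
reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
IP 203.0.113.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP 203.0.113.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP 198.51.100.7.41002 > 192.168.21.32.2522: S 1734:1734(0) win 5840 <mss 1460,sackOK>
IP 203.0.113.84.50317 > 192.168.21.32.465: S 9120:9120(0) win 65535 <mss 1412,sackOK,eol>
"""

# With -n, tcpdump prints "IP <src>.<sport> > <dst>.<dport>:" for IPv4. The
# last dotted field is the port, which is what the diary's tr/awk pair
# strips by hand; here the regex separates it directly.
PACKET_RE = re.compile(
    r"^IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)


def summarize(text, side="src", by_port=False):
    """Count packets per address (side = 'src' or 'dst'), optionally per
    (address, destination port). Lines that are not packet records, such as
    the 'reading from file' banner, are skipped rather than miscounted."""
    if side not in ("src", "dst"):
        raise ValueError("side must be 'src' or 'dst'")
    counts = Counter()
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        key = (m.group(side), m.group("dport")) if by_port else m.group(side)
        counts[key] += 1
    # sorted() on the items gives the same key order as `sort | uniq -c`
    return sorted(counts.items())


def format_summary(rows):
    """Render rows the way the diary's final awk does: key, tab, count."""
    lines = []
    for key, n in rows:
        label = key if isinstance(key, str) else f"{key[0]}:{key[1]}"
        lines.append(f"{label}\t{n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(summarize(SAMPLE_OUTPUT)))
    print(format_summary(summarize(SAMPLE_OUTPUT, side="dst", by_port=True)))
```

To use it on real data, save the filtered tcpdump output to a file (tcpdump -ntr file.pcap 'filter' > syn.txt) and pass its contents to summarize(). The sort order is lexical on the address string, exactly as the shell sort in the diary gives; sort the returned list by count instead if you want the busiest sources first.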
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
8 Comments
HP-UX Running NFS/ONCplus, Inadvertently Enabled NFS
HP issued a security bulletin for HP-UX 11.31 running NFS/ONCplus version B.11.31_08 or prior: if NFS/ONCplus is running, NFS may be inadvertently enabled, and a remote user can then access NFS shares on the target system. The complete list of affected versions and the resolution is available here.
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
0 Comments
SIFT2.0 SANS Investigative Forensics Toolkit released
SANS Faculty Fellow Rob Lee created the SANS Investigative Forensic Toolkit (SIFT) Workstation, which is also featured in the SANS FOR 508 course, in order to show that advanced investigations and investigating hackers can be accomplished using freely available open-source tools. The new version of SIFT was just released and is a VMware appliance that is pre-configured with all the necessary tools to perform a detailed digital forensic examination. More information on the SANS forensics curriculum and SIFT 2.0 can be found at https://computer-forensics.sans.org/ and in the download section on that page.
9 Comments
Getting the EXE out of the RTF again
Since we got some mails from readers who had trouble getting the malware extraction technique described in http://isc.sans.org/diary.html?storyid=6703 to work on yesterday's malicious "copyright lawsuit" sample, here's a quick walk-through again on how to carve an EXE out of a DOC or RTF file.
$ file suit_documents.doc
suit_documents.doc: Rich Text Format data, version 1, ANSI
Hmm, looks like this DOC is an RTF ... Let's see what it contains
$ head suit_documents.doc
{\rtf1\ansi\ansicpg1252\deff0{\fonttbl{\f0\fswiss\fcharset0 Arial;}}
{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\lang1033\f0\fs20{\object\objemb{\*\objclass Package}\objw795\objh765{\*\objdata
01050000
02000000
08000000
5061636b61676500
00000000
00000000
6f740000
0200646f63732e70646600433a5c446f63756d656e747320616e642053657474696e67735c4164
OK... it does indeed look like an RTF with an embedded object. The pile of numbers is the embedded object written out as hexadecimal byte values, but before we can convert them back to bytes, we first have to strip away the initial two lines, because their presence would confuse the Perl statement that follows later.
$ cat suit_documents.doc | sed '1,2d' > suit1.temp
$ head suit1.temp
01050000
02000000
08000000
5061636b61676500
00000000
00000000
6f740000
0200646f63732e70646600433a5c446f63756d656e747320616e642053657474696e67735c4164
Now, we are ready for the transformation from Hex ASCII codes to printable characters:
$ cat suit1.temp | perl -ne 's/(..)/print(chr(hex($1)))/ge' > suit2.temp
So far, the old method still seems to work: We locate "objdata" in the RTF document, strip out everything in front, then feed the blob into Perl to convert the hexadecimal codes to actual ASCII characters. I changed the Perl command slightly compared to the earlier diary on the subject, because one of the problems that people seem to have is related to how "end of line" is treated on Windows vs Unix. The earlier version
$cat detail.rtf | sed -e '1,3d' | perl -ne 's/(..)/print chr(hex($1))/ge' > detail.bin
kept any DOS line terminators unchanged, which doesn't bode well for the resulting executable. The new version
$ cat suit1.temp | perl -ne 's/(..)/print(chr(hex($1)))/ge' > suit2.temp
is now really only printing out converted hex codes, and is dropping all the CR/LF line terminators that are present in the original file after every line. The resulting file is still in "Object Package" format, but if you look closely, you can see the tell-tale "MZ" that marks the start of an executable:
What makes this case a bit more convoluted than last year's example is that the bad guys tried real hard to disguise the contents. This time, the initial file had a .DOC extension but was in fact in .RTF format, which contained an embedded COMPLA~1.EXE that had a harmless-looking icon (3.ico) and was displayed to the user as "docs.pdf". Yup, pretty sneaky. You can see all these file names in the hex output above.
Now, how to get the EXE out. According to the earlier diary mentioned above, the numbers between the EXE filename and the "MZ" header mark the size of the executable that we need to cut out. In this case, we have "00 10 74 00 00" in that position:
00000070 4c 41 7e 31 2e 45 58 45 00 10 74 00 00 4d 5a 90 |LA~1.EXE..t..MZ.|
What my earlier example didn't make clear is that these numbers have to be read "right to left" (the size is stored little-endian) to determine the size. In the current case, the size is 007410 hex (0x7410), which converts to 29712 bytes.
Let's carve it out. We need to skip to position 0x7D (=125) at the beginning of the file to get to the "MZ" marker, and from there, the EXE should be 29712 bytes long.
$ dd if=suit2.temp of=suit2.exe skip=125 count=29712 bs=1
29712+0 records in
29712+0 records out
29712 bytes (30 kB) copied, 0.15203 s, 195 kB/s
$ md5sum suit2.exe
ead062fb0aca0e3d0e8c12c4cf095765 suit2.exe
Voilà! Now, we can use this hash on http://www.virustotal.com/buscaHash.html to see if someone else has analyzed this file before :)
1 Comments
Zeus wants to do your taxes
I've received reports of suspicious emails claiming to be from the IRS. It's a common scheme to get a user to click and run an executable.
It looks like Zeus/Zbot to me (more on that here: https://zeustracker.abuse.ch/faq.php; their cert is a little non-standard), but I can't share the details yet. If you've received one of these emails and don't mind sharing the details with our readers, please submit a copy (via: http://isc.sans.org/contact.html).
If you want to check out your own logs in the meantime, I'd suggest looking for domains that look like www.irs.gov.<stuff> and for downloaded executables with the word "tax" in their names.
For those with enough free-time to try to track the different groups using zeus, this one has an Avalanche feel to it.
0 Comments
Responding to "Copyright Lawsuit filed against you"
The Scenario:
Let's say you're responsible for responding to an email like that reported here: https://isc.sans.org/diary.html?storyid=8497
Assess:
Is this email a problem?
It certainly appears to be appealing to the recipient's fears with the scary legal language. There's a typo or two in there that might make you suspicious. Real or not, a document like this should be brought to the attention of your security/legal departments. So it's likely a problem of one sort or another.
What is it?
You could start by checking into the source of the email and the domain hosting the link. In this case, the originator appears to be a mail-server for a small city. The domain has been around for nearly a year, but was just updated a few days ago. Domaintools.com is your friend.
If you're equipped for it, you may want to start by checking out the document by pulling it down to a safe machine. In my case it's a Unix box, since it appears to be a Word document. I craft a simple wget script to pull the file down while looking like a vulnerable version of IE:
wget --save-cookies=./cookies -U "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)" $1
Curiosity getting the better of me, I look at the file a bit and see:
{\rtf1\ansi\ansicpg1252\deff0{\fonttbl{\f0\fswiss\fcharset0 Arial;}}
{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\lang1033\f0\fs20{\object\objemb{\*\objclass Package}\objw795\objh765{\*\objdata
01050000
02000000
08000000
5061636b61676500
00000000
00000000
6f740000
0200646f63732e70646600433a5c446f63756d656e747320616e642053657474696e67735c4164
6d696e6973747261746f725c4465736b746f705c332e69636f000000030010000000433a5c434f
4d504c417e312e45584500107400004d5a90000300000004000000ffff0000b800000000000000
400000000000000000000000000000000000000000000000000000000000000000000000d00000
000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072
756e20696e20444f53206d6f64652e0d0d0a240000000000000009d117d84db0798b4db0798b4d
b0798b4db0788b51b0798b2faf6a8b48b0798b4b93728b49b0798b8ab67f8b4cb0798bb2907d8b
4cb0798b526963684db0798b00000000000000000000000000000000504500004c0104000fd8a9
4b0000000000000000e0000f010b010600001e00000052000000000000c02a0000001000000030
00000000400000100000000200000400000000000000040000000000000000a000000004000000
000000020000000000100000100000000010000010000000000000100000003033000052000000
...
Yeah, that doesn't look good. Let's calculate an md5sum and see what others think of it.
$ md5sum suit_documents.doc
6db76304a2aff6bef94364b86abd8b7f suit_documents.doc
Since you're a lone responder and don't have an army of reverse engineers on your staff, we'll leverage this information to see what the group-mind knows about this.
I use the hash-search at virus total to see if someone's already working on this: http://www.virustotal.com/buscaHash.html
In this case, this yields the following results: http://www.virustotal.com/analisis/9b762ff9d2103022bf1476f2c55db91475f31526522716e827875801f92a0d87-1269529133
Some interesting things come back: we now know that this is likely some sort of downloader disguised as a document.
I'll also search through http://www.threatexpert.com/ by the md5sum to see if it has already been analyzed. In this case it hasn't. I could ship it off there for analysis or one of the other fine sandbox tools such as Anubis (http://anubis.iseclab.org) or CWSandbox (http://mwanalysis.org/)
Looking at the earlier diary entry we see results from Anubis showing some network activity. Now we have a couple of things to look for to measure impact:
- Email details to search our mail-logs to determine who received the lure message.
- The URL of the initial downloader to see who clicked on it and brought it into the network.
- The network behavior of a system that executed the code.
How bad is it for us?
Using those details it's time to evaluate the impact this attack has had on your firm. If you have anyone who downloaded the file, or evidence of a machine reaching out for the next-stage then you pull your Malware Incident response document off of the shelf and follow that. We all have differing levels of documentation to refer to, but there's always some sort of plan, even if it's "update resume."
Protect
While you're assessing the impact (greps take a while to run sometimes), you have some information that you can leverage to protect the people in your network. You have email addresses and URLs to block and malware to submit to your vendor (assuming they're not on the VirusTotal list, like mine wasn't). Acting quickly on this protection phase makes your clean-up phase go easier.
Respond/Clean-up
Now that you have your list of machines that were exposed and your Malware incident response document handy, you follow that to make your systems and network all shiny and clean.
Report
This step is important.
In my environment, my boss likes to know what it is that I'm doing in the dark data closet. So keeping track of the event, its impact, etc. is good not only for tracking the incident, but also for review time.
When you were researching the IP that sent the email and the one hosting the URL (you still have that up in a browser, right?), it is also critical that you report them to the abuse contacts. Send a kind email reporting the issue (because they'll likely get a few reports, and most of them might not be so kind), which helps more than just your own environment.
Learning from Others/Helping Others
You will want to follow a similar process in response to events reported here and in other blogs and media. It not only helps protect you from what is hitting other folks, but you may also uncover a gap in your internal detection process.
By submitting malicious URLs to proxy-filter vendors and malware to AV vendors, you help protect not only your environment, but also your neighbors. If fewer of your neighbors are getting infected, then that's fewer spam-bots and phishing sites that eventually target you.
3 Comments
"Copyright Lawsuit filed against you"
Overview
An email is being sent out warning the recipient of a "Copyright Lawsuit filed against you." We received a copy here and a number of .EDUs have reported its receipt. It looks something like this:
March 24, 2010
Crosby & Higgins
350 Broadway, Suite 300
New York, NY 10013
To Whom It May Concern:
On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010.
Currently the Pretrail Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36.
The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Touchstone Advisories Inc is a victim of Copyright infrigement
hXXp://www.touchstoneadvisorsonline.com/lawsuit/suit_documents.doc
Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010.
Sincerely,
Mark R. Crosby
Crosby & Higgins LLP
The law-firms named in the email, header, and sending server all appear to be a mish-mash of existing firms.
If a user clicks on the link and opens the document it will attempt to download additional payload.
Initial Detection
Currently only a few AV solutions detect the initial document: http://www.virustotal.com/analisis/9b762ff9d2103022bf1476f2c55db91475f31526522716e827875801f92a0d87-1269486837
Behavioral Notes
Following Daniel's process (http://isc.sans.org/diary.html?storyid=6703) one could extract the executable and determine what it's up to.
It appears to reach out to 121.14.149.132:80 to make a request similar to:
GET /fwq/indux.php?U=1234@1014@1@0@0@c791d4a4a147b2cd1843fe4f7f27f3a1df63f95daf0c3ddcd5f1b1e4538fd803
5 Comments
Cisco security updates
Cisco released 7 new security updates for various products today. More information at their site: http://www.cisco.com/en/US/products/products_security_advisories_listing.html
-Kyle Haugsness
0 Comments
Wax nostalgic - commodore64 updated to present time
Slow news/incidents day.... So I will post something slightly off-topic. Yes, the story was on Slashdot and it may never come to fruition (or even be suitably priced), but the news that Commodore USA was releasing a new PC embedded into a keyboard had me reminiscing about my first computer, the Commodore 64. New site here: http://www.commodoreusa.net
I can't tell you how many times I read "syntax error" in response to my prodding of the BASIC language. Hmm, how do I make this into a security-related article? It would be difficult to install a keyboard logger on these things!! So perhaps it fits into your physical security strategy? Does anyone conquer physical security threats with creative choices of hardware? For instance, if you have a policy of no USB flash drives do you enforce that through hardware restrictions?
-Kyle Haugsness
6 Comments
".sys" Directories Delivering Driveby Downloads
Our reader Paul observed malware being delivered from the ".sys" directory of various web sites. The URL follows the scheme:
http://evilexample.com/.sys/?action=....
In response to clicking on the link, the user is asked to install the software. According to Paul, he observed the link being delivered via Facebook which of course makes the message more plausible and it is likely that users install the software thinking it came from a "Friend". Before adding a specific block for ".sys", Paul's web filter caught about 60% of these exploits.
Once a user follows the link, additional exe files are downloaded from ".sys" directories. The file names Paul observed are p.exe, go.exe and v2captcha21.exe.
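The log checks suggested in this post and in the Zeus tax-lure post above (domains that look like www.irs.gov.<stuff>, downloaded executables with "tax" in the name, and URLs with a "/.sys/" path) as one added Python example; it is not the handlers' own code. It runs the three rules over proxy log lines, returning which rule each hit tripped so the findings can be triaged. The log format (timestamp, client, method, URL) and every URL in the sample are constructed for this example; the watched-domain list and the executable suffixes are assumptions a defender would adjust to their own environment.

```python
from urllib.parse import urlsplit

# Constructed proxy log lines (timestamp, client, method, URL); the lookalike
# and ".sys" URLs are made up for this example and resolve to nothing.
SAMPLE_LOG = """\
2010-03-31T09:12:01 10.1.4.22 GET http://www.irs.gov/individuals/index.html
2010-03-31T09:13:40 10.1.4.22 GET http://www.irs.gov.refund-check.example/tax_refund_form.exe
2010-03-31T09:15:07 10.1.7.9 GET http://evilexample.com/.sys/?action=view&id=3
2010-03-31T09:16:22 10.1.7.9 GET http://evilexample.com/.sys/p.exe
2010-03-31T09:18:55 10.1.2.3 GET http://files.example.org/docs/taxes-2009.pdf
"""

# Brand domains whose appearance *inside* a longer hostname is suspicious
# (www.irs.gov.<stuff>); assumed list, extend with what your users rely on.
WATCHED_DOMAINS = ("irs.gov",)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com")   # assumed set


def is_lookalike(host, watched=WATCHED_DOMAINS):
    """True when a watched domain shows up as an interior label sequence,
    e.g. www.irs.gov.refund-check.example, but not for irs.gov itself or
    its real subdomains (those end in the watched domain)."""
    host = host.lower().rstrip(".")
    for dom in watched:
        if host == dom or host.endswith("." + dom):
            return False
        if f".{dom}." in f".{host}.":
            return True
    return False


def classify(url):
    """Return the names of the rules a single URL trips (empty = clean)."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path.lower()
    hits = []
    if is_lookalike(host):
        hits.append("lookalike-domain")
    filename = path.rsplit("/", 1)[-1]
    if filename.endswith(EXECUTABLE_SUFFIXES) and "tax" in filename:
        hits.append("tax-executable")
    if "/.sys/" in path or path.endswith("/.sys"):
        hits.append("dot-sys-path")
    return hits


def scan_log(text):
    """Apply the rules line by line; returns (client, url, rules) per hit."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                      # blank or malformed line
        client, url = fields[1], fields[3]
        hits = classify(url)
        if hits:
            findings.append((client, url, hits))
    return findings


if __name__ == "__main__":
    for client, url, rules in scan_log(SAMPLE_LOG):
        print(f"{client}\t{', '.join(rules)}\t{url}")
```

The lookalike rule is deliberately a plain label match, which is enough for the www.irs.gov.<stuff> pattern described above; it does not know about registrable domains, so a host such as irs.gov.example.com trips it while irs.gov.example alone (no further labels) does not. For anything broader than this one lure, check the candidate against a public-suffix list rather than extending the string test.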
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
7 Comments
The Top 10 Riskiest US Cities for Cybercrime
A study by Symantec's Security Response Group and Sperling's BestPlaces was published that indicated the top 10 riskiest US cities for being a victim of cybercrime. The study does have some assumptions that all might not agree with but one of the key points is that the prevalence of "free wi-fi" is a risk factor for cybercrime.
If you think about it, the one thing that makes electronic crime appealing is that it can be done anonymously with few fingerprints. A few years ago I was trying to convince an information security officer at a public institution that there were threats with free wireless internet that he was not addressing. To demonstrate, I associated myself with the access point and then sniffed all the traffic back and forth. I saw IM conversations, GMail (which by default is all over HTTP but can be forced to HTTPS), Facebook, etc. Sadly, convenience trumped security (even the few security measures that could have been used at the time and still allow convenience).
Another aspect is that free wireless is an attractive resource for those who want to be anonymous. If you wanted to commit online crime, what better place than a public wireless hotspot with hundreds of people using them that is wide open? For instance, what was believed to be the first arrest for theft of wireless service was an individual who was using an unprotected residential wireless access point to download child pornography from his vehicle in the street.
What does this mean for you? If you are using a public wi-fi hotspot, don't do anything you would mind other people snooping in on or fire up the corporate VPN before you do anything. If you want to shop online, you might want to consider doing that at home. And if you operate a public wi-fi hotspot, track and log all MACs that access your network and monitor outbound traffic for malicious use.
--
John Bambenek
bambenek at gmail /dot/ com
Responding To The Unexpected
We all know that having an Incident Response plan in place helps to minimize the damage caused by a security incident.
We also know that not everyone has one.
I was fortunate to attend fellow handler Lenny Zeltser's talk on "How To Respond To An Unexpected Security Event" at SANS 2010 in Orlando earlier this month.
If you don't have an IR plan in place, take a look at his presentation, which is available in pdf form on his web site.
Christopher Carboni - Handler On Duty
Skipfish - Web Application Security Tool
Michal Zalewski (lcamtuf), a Polish security researcher and author of many tools and books, is at it again. On Friday, he released a fully automated, active web application security tool known as skipfish. This tool gives developers and security professionals a solid reconnaissance tool which scans at high speed, is easy to use, and has a number of different security checks with limited false positives. In my particular environment, we are extremely budget poor (taking a 2nd round of budget cuts with under 6 months left in the fiscal year is bad, and I know others have it worse than we do). So having the possibility to increase my tool set without spending a lot of money sits very well with our administration. From my initial testing yesterday, it did detect a few issues within a sample website which had not been detected prior. So in my book, this is a great plus.
The tool is under the Apache 2.0 license and is located at http://code.google.com/p/skipfish/ . I see that there have been a number of changes today to correct a number of issues since it was initially released yesterday. I expect that this tool will be much more stable within the next few days.
Scott Fendley ISC Handler
BitDefender 2010 Update Problem
We have started to receive reports this morning that a popular consumer antivirus product has caused some grief today. BitDefender 2010 appears to have released a set of bad definitions. Unfortunately, these bad virus definitions appear to detect core DLL files, and even parts of BitDefender itself, as infected by "Trojan.FakeAlert.5". There is quite a thread discussing this issue on the BitDefender Forums.
If you or your organization uses BitDefender, I would heavily recommend that you disable auto-update of the definitions until corrected ones are released soon. Also, I would recommend preparing to do a lot of hands-on clean up to reverse those files which were quarantined by accident.
Scott Fendley ISC Handler
Firefox 3.6.2 to be released March 30
In the past month, there have been lots of discussions involving an unpatched security vulnerability in Firefox 3.6. Unfortunately, there was very limited information released on the vulnerability and much of the discussion revolved around whether the reports were real or just FUD. Mozilla eventually received enough information to reproduce the problem and posted an advisory late on 3/18/2010 (yes I know that I missed this being released yesterday, and I blame the NCAA tourney for that).
In any case, Firefox 3.6.2 is scheduled for release on March 30, but the beta build is available from their nightly candidate area. More information is located at Mozilla Security Blog. Please schedule some time to test this version and get this into your update pipeline for user workstations.
Scott Fendley ISC Handler
I Know What Your Office Equipment Did Last Summer...
Yesterday there was a great article in the Toronto Star that discusses a potential security risk that may not be obvious to some business owners. You can find that article here.
G.N. White
ISC Handler on Duty
Dangers of copy&paste
One of our readers, Bill, wrote in to let us know about a pretty dangerous batch script that was posted on a web site that he visited. The script is supposed to help users get rid of print jobs which are still in the spooler, but a couple of obvious errors were made. I am pasting the original, as it was on the web site, below (of course, do not run this):
@echo off
echo Stopping print spooler.
echo.
net stop spooler
echo deleting stuff... where? I'm not sure. Just deleting stuff.
echo.
FOR %%A IN (%systemroot% system32 spool printers *.*) DO DEL %%A
echo Starting print spooler.
echo.
net start spooler
The script is, as you can see, very simple – all it does is stop the print spooler (the spooler service) and then it is supposed to delete all files in the %systemroot%\system32\spool\printers directory. Unfortunately, the author (accidentally?) added a couple of white spaces, so this script became extremely dangerous: it will try to delete all files in the %systemroot% directory, in C: and in the current directory.
This simple error shows how dangerous it can be to just blindly copy&paste stuff off the Internet and run it in your environment. While in this case it was easy to spot the error, since the whole script is only 10 lines long, in other cases we should be very careful.
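For comparison, here is a corrected version of the spooler clean-up. This is an added example written for this diary, not the script Bill found or any vendor's code; it assumes the standard spool directory under %SystemRoot% on a Windows box. Keeping the whole path in one quoted variable means stray white space cannot turn one argument into several, and the existence check refuses to delete anything if the path does not resolve to a directory:

```batch
@echo off
setlocal

rem Added example (not the reader-submitted script): the full spool path is
rem built once and always quoted, so it can never be split into separate
rem arguments the way the original FOR line was.
set "SPOOLDIR=%SystemRoot%\system32\spool\PRINTERS"

rem Trailing backslash makes "if exist" match only a directory, not a file.
if not exist "%SPOOLDIR%\" (
    echo Spool directory "%SPOOLDIR%" not found, refusing to delete anything.
    exit /b 1
)

echo Stopping print spooler.
net stop spooler
if errorlevel 1 (
    echo Could not stop the spooler service, no files were deleted.
    exit /b 1
)

rem Only the spool directory is touched; /q just suppresses the *.* prompt.
echo Deleting queued print jobs in "%SPOOLDIR%".
del /q "%SPOOLDIR%\*.*"

echo Starting print spooler.
net start spooler
endlocal
```

Run it from an elevated command prompt, since stopping the service and writing to the spool directory both need administrative rights. If the spooler is already stopped, net stop fails and the script exits without deleting anything, which is the safer failure mode.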
I also noticed another thing very popular today – in order to download stuff off the Internet faster (legal stuff, such as Linux distributions), people tend to use a lot of different utilities that are supposed to provide faster download speeds. Such utilities can be simple Bittorrent clients or dubious utilities that will download unverified things from even more dubious web sites. And this leads me to a question: how many of you verify the integrity of files you download? It would be interesting to compare the number of downloaded ISO images of popular Linux distributions with the number of downloaded checksum files – I fear that less than 1% of people verify what they download. I hope in time this number will increase!
--
Bojan
Spam was killing us! Here is what we did to help!
I work for a smallish ISP in the Midwest. In late September and the month of October we began getting blasted with spam and DHAs (directory harvest attacks) from all over the world. We had been utilizing a spam filtering service but it was not keeping up. We billed the customers for the service and they were starting to complain. They were getting so much spam in their inboxes that they felt like they were wasting their money. In October, when the problem became so bad that it started affecting our mail server's ability to process mail, we knew we had to do something. We had been "test driving" a spam filter device by Red Condor. The accounts that had been moved over to the Red Condor filter were virtually spam free. We decided to implement the Red Condor solution across the board on the server that was being hammered the worst. This server has just over 9,000 accounts on it. We turned up the Red Condor box at about 4pm and by 7:00am the next morning the quarantine boxes had been created for all customers. No interaction was required; it simply verified each inbox as the emails arrived for the account. If the account did not exist it threw the spam away; if the account did exist it created the inbox and then determined whether the email was spam or legit (autodiscover does not work with Exchange Servers).
We decided to "give the service away" as part of the customers' Internet service. In reality we have been the ones to benefit from the service. The mail server has been purring along for months now and our customers are much happier. They literally have had no spam hit their inboxes. We have been in learn mode for a while and slowly started migrating other customers over to the device. It has not missed a hit. The other thing that is amazing is the ease of setting up the "accounts" on Red Condor. With the previous service it was about a 15 minute process to set up each domain. It was a series of long drawn out steps to set up the accounts. With Red Condor it takes less than a minute to set up a new account/domain. If I can use autodiscover to create the inboxes then the setup task is done. Change the MX record and I am good to go.
Now here is the amazing part. The reporting available with the product is unbelievable. At a glance I can see just how much work this single device is doing. Here is a report for the domain that has just over 9,000 accounts. This is a summary of the transactions handled for the domain since March 1, 2010. You see that out of almost 20 million emails handled only 713,222 (3.6%) were actually delivered.
March 2010
(Deliver, Markup, Quarantine and Block are the four dispositions; the two percentage columns are each category's share of the message count and of the total size.)

Category | Deliver | Markup | Quarantine | Block | Total | % of messages | Size | % of size
OK | 638,116 | | | | 638,116 | 3.2% | 108GB | 32.1%
Unprotected | 2,905 | | | | 2,905 | 0.0% | 60MB | 0.0%
Friends | 72,201 | | | | 72,201 | 0.4% | 17GB | 5.2%
Enemies | | | 176 | | 176 | 0.0% | 31MB | 0.0%
Virus | | | | 55,587 | 55,587 | 0.3% | 7,109MB | 2.1%
Phish | | | 434,661 | 2,218 | 436,879 | 2.2% | 1,165MB | 0.3%
Keyword | | | | | 0 | 0.0% | 0 | 0.0%
Adult | | | | 106,296 | 106,296 | 0.5% | 270MB | 0.1%
Spam | | 919 | 13,412,089 | 42,939 | 13,455,947 | 68.1% | 154GB | 45.9%
Junk | | 1,718 | 349,796 | 697 | 352,211 | 1.8% | 9,223MB | 2.7%
Blank | | | 489 | 2 | 491 | 0.0% | 1,073KB | 0.0%
Foreign | | | 12,707 | 33 | 12,740 | 0.1% | 159MB | 0.0%
Risky Attachment | | | 16 | | 16 | 0.0% | 18MB | 0.0%
Unresolved Sender | | | | | 0 | 0.0% | 0 | 0.0%
Invalid Recipient | | | | 4,623,107 | 4,623,107 | 23.4% | 38GB | 11.3%
Total | 713,222 | 2,637 | 14,209,934 | 4,830,879 | 19,756,672 | | 335GB |
% of messages | 3.6% | 0.0% | 71.9% | 24.5% | | | |
It isn't hard to understand now why my poor mail server was weeping on a daily basis. We are now in the process of moving the remaining customers, accounts and domains over to the Red Condor system.
Spam and viruses have become such a big problem for ISPs worldwide. Until we can clean up the infected machines that are generating this spam and shut down the bad guys that are pushing this garbage at us, it is good to know that these types of systems exist.
I would like to hear from our readers. What has helped your organization deal with spam and the pr
Trojan outbreak on a College Campus
One of our readers just advised us that the college that he is associated with has had a major outbreak of