SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-09-19



xmlrpc.php - Are you patched?

Published: 2005-09-19
Last Updated: 2005-09-19 18:46:05 UTC
by Tom Liston (Version: 1)
We're seeing increased scanning / exploit attempts against the xmlrpc.php vulnerabilities noted in our June 30th diary.  This function library is used in various web-based packages such as PEAR, postnuke, drupal, TikiWiki, and b2evolution.  If you aren't patched yet... well... what are you still sitting here reading for?

Updated Twiki Snort Sig

Published: 2005-09-19
Last Updated: 2005-09-19 17:40:28 UTC
by Tom Liston (Version: 2)

This is an update to a snort sig that we posted earlier for the recently announced TWiki vulnerability that allows for remote code execution:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\
"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; \
uricontent:"/TWikiUsers?"; nocase; pcre:"/rev=\d*[^\d\&\n]/Ui"; \
classtype:web-application-activity; reference:url,secunia.com/\
advisories/16820/; sid:2002366; rev:3;)

Note: This is a single line that has been broken to allow for better formatting in the diary.  The "\" characters at the end of the lines above show where the line breaks have been added.  Many thanks to Joe Esler, Chas Tomlin, Jason Brvenik, and Frank Knobbe (who, coincidentally, ported LaBrea to Win32 before I did...) and all the folks from Bleeding Edge (you guys rock!).


New Bagle Making the Rounds?

Published: 2005-09-19
Last Updated: 2005-09-19 16:13:56 UTC
by Tom Liston (Version: 9)
It looks like there is a new Bagle variant making the rounds.  The (preliminary) information that we have is:
  • The file arrives as a zipped attachment with a filename including the word "price" (price.zip, price2.zip, newprice.zip, 09_price.zip, etc...).
  • Creates two files: C:\WINDOWS\system32\winshost.exe and C:\WINDOWS\system32\wiwshost.exe
  • Launches winshost.exe from the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key
  • This has been classified (by at least one AV vendor) as: TROJ/BAGLEDL-U
While you're waiting for your AV signatures to catch up, you might want to try the following snort sig submitted by ISC reader Mark T (Thank you, Mark!):
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"VIRUS Bagle.CJ SMTP Inbound"; \
flow:to_server,established; content:"UEsDBBQAAAA"; content:"EEkIAAAG"; \
distance:12; within:20; reference:url,isc.sans.org/diary.php?date=2005-09-19; \
classtype: trojan-activity; sid: 15239638; rev:1;)

An alternate snort rule (provided by the folks at Bleeding Edge):

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Possible \
Bagle.AQ Worm Outbound"; flow: to_server,established; content:"filename="; \
nocase; pcre:"m/(price2|new_price|08_price|09_price|newprice|new_price|price_new|\
price|price_08).zip/"; classtype: trojan-activity; reference:url,\
securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html; \
sid: 2001065; rev:6; )
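To make the matching logic of the two rules above concrete, here is an added Python re-implementation (not Snort's code and not from the rule authors) that applies the same content/distance/within chain and the filename pattern to constructed sample SMTP payloads. It assumes Snort 2 semantics for distance/within and also decodes the base64 fragment so you can see what the first rule is really keying on.

```python
import base64
import re

# Assumption: Snort 2 semantics for a content chain with distance/within. The
# second pattern is searched only in the `within` bytes that begin `distance`
# bytes after the end of the first match, and must fit entirely in that window.
def content_chain(payload: bytes, first: bytes, second: bytes,
                  distance: int, within: int) -> bool:
    pos = payload.find(first)
    if pos < 0:
        return False
    start = pos + len(first) + distance
    return second in payload[start:start + within]

# Rule 1 (Mark T, inbound SMTP): base64 of a ZIP local-file header, then a
# second fixed fragment 12 characters later.
def match_bagle_base64(payload: bytes) -> bool:
    return content_chain(payload, b"UEsDBBQAAAA", b"EEkIAAAG", 12, 20)

# Why "UEsDBBQAAAA": it is the start of base64("PK\x03\x04\x14\x00\x00\x00...").
def decoded_zip_header() -> bytes:
    return base64.b64decode(b"UEsDBBQAAAAA")   # starts with b"PK\x03\x04"

# Rule 2 (Bleeding Edge, outbound SMTP): "filename=" anywhere (nocase), and the
# price*.zip pattern anywhere. The posted pcre has no 'i' flag and leaves the
# dot before "zip" unescaped, so it matches any character there; both kept.
_NAMES = (b"price2", b"new_price", b"08_price", b"09_price", b"newprice",
          b"new_price", b"price_new", b"price", b"price_08")
_PRICE_ZIP = re.compile(b"(" + b"|".join(_NAMES) + b").zip")

def match_bagle_filename(payload: bytes) -> bool:
    if payload.lower().find(b"filename=") < 0:
        return False
    return _PRICE_ZIP.search(payload) is not None

# Constructed sample payloads (not captured traffic). The 12 'A's stand in for
# the base64 characters the rule skips with distance:12.
SAMPLE_INBOUND = (b"Content-Transfer-Encoding: base64\r\n\r\n"
                  b"UEsDBBQAAAA" + b"A" * 12 + b"EEkIAAAGcHJpY2UuZXhl\r\n")
SAMPLE_TOO_FAR = b"UEsDBBQAAAA" + b"A" * 30 + b"EEkIAAAG\r\n"
SAMPLE_OUTBOUND = b'Content-Disposition: attachment; FILENAME="09_price.zip"\r\n'
SAMPLE_BENIGN = b'Content-Disposition: attachment; filename="report.zip"\r\n'

if __name__ == "__main__":
    print("inbound:", match_bagle_base64(SAMPLE_INBOUND),
          "too far:", match_bagle_base64(SAMPLE_TOO_FAR))
    print("outbound:", match_bagle_filename(SAMPLE_OUTBOUND),
          "benign:", match_bagle_filename(SAMPLE_BENIGN))
```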

Important Clam AV Update

Published: 2005-09-19
Last Updated: 2005-09-19 15:34:14 UTC
by Tom Liston (Version: 1)
Clam AV, the GPL antivirus toolkit for Unix, released version 0.87 late Friday afternoon GMT. This update fixes two problems in dealing with packed executables, one of which could allow execution of arbitrary code. Details on the issues can be found here.