SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-09-23

No more Bagel, Bagle, Beagle

Published: 2005-09-23
Last Updated: 2005-09-23 22:02:25 UTC
by donald smith (Version: 1)
This is the BEST news I have heard all week.
I knew this was coming but did not realize they were this close to implementation.
US-CERT, the U.S. Computer Emergency Readiness Team, will begin issuing uniform names for computer viruses, worms and other malicious code next month, as part of a program called the Common Malware Enumeration initiative.
http://www.eweek.com/article2/0,1895,1862266,00.asp
To malware fighters, researchers, and many others this will be a very good thing.
There will be some issues but it will make my job easier.


Patch Mozilla ASAP

Published: 2005-09-23
Last Updated: 2005-09-23 21:42:54 UTC
by donald smith (Version: 1)
An exploit for the recently patched IDN bug in Mozilla's Firefox is circulating.
http://www.informationweek.com/story/showArticle.jhtml?articleID=171200310

Cisco IOS Firewall vulnerability update.

Published: 2005-09-23
Last Updated: 2005-09-23 20:44:10 UTC
by donald smith (Version: 1)
Cisco released an update to the September 7th vulnerability release regarding the Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions Buffer Overflow. This one could be a MAJOR issue for people running Cisco IOS Firewall with authentication proxies for FTP and Telnet. However, so far I have not met anyone who is doing that.

http://www.cisco.com/en/US/products/products_security_advisory09186a00805117cb.shtml#software
Revision 1.1
2005-September-22
Added 12.2SG, 12.2SEC, and 12.2SXF releases to Software Version and Fixes


Hurricane Rita Scams ALREADY!

Published: 2005-09-23
Last Updated: 2005-09-23 19:00:03 UTC
by Ed Skoudis (Version: 4)

Sadly, Hurricane Rita charity scams have already started.  Several handlers at the ISC, including Tom Liston and Johannes Ullrich, are working with others, such as US-CERT, on coming up with lists of scam sites. 

Watch the diary over the next few days for such a list.  Also, if you find a bogus-looking "charity", feel free to report it to us at handlers-rita@sans.org or to US-CERT at soc@us-cert.gov.


Also, you may want to check out our collaborative reporting system to help sort out bogus sites posing as hurricane charities.

Update
Due to an initiative born from the 'mwp' list, a number of domain name registrars, anti-phishing and anti-spam groups, and national CERTs are working together to have these sites closed down as fast as possible.

The Red Cross has set up a special email address for reporting suspicious sites: fraudalert@usa.redcross.org

Also, here is a current list of the Red Cross's official donation sites:

http://www.redcross.org/sponsors/donationsites/official_donation_sites.html

You can of course just go to http://www.redcross.org as the starting page if you wish to give to the American Red Cross. That is probably the safest method.


FinCen NOT hacked

Published: 2005-09-23
Last Updated: 2005-09-23 18:36:14 UTC
by donald smith (Version: 2)
First, while this affected the news portion of their site, FinCEN was NOT hacked. Here is a portion of their statement:

The "FinCEN QuikNews" system, a subscriber-based e-mail service that is part of the Financial Crimes Enforcement Network's public website and is hosted externally, appears to have been compromised this morning. We are investigating this incident. This system resides outside FinCEN's security perimeter and is not connected to any other FinCEN systems. Bank Secrecy Act data, and all other sensitive information maintained by FinCEN, was in no way, shape or form compromised by this incident.

To read the rest, go to http://www.fincen.gov/quiknews_statement.pdf

Korean Mozilla and Thunderbird Distro Site Woes

Published: 2005-09-23
Last Updated: 2005-09-23 16:34:13 UTC
by Ed Skoudis (Version: 1)
The trend of putting trojaned downloads on software distribution sites continues unabated.  A Korean site, officially **unaffiliated** with the Mozilla, Thunderbird, and Firefox development teams, distributes a Korean version of Mozilla Suite 1.7.6 and Thunderbird 1.0.2.  Turns out, a couple of days ago, evil versions of Mozilla and Thunderbird for Linux appeared on this site.  When installed, they would infect ELF binaries in /bin.  The malware included a backdoor, although it had little spreading potential.  Still, that's why, when you upgrade, make sure you download from a couple of mirrors and check that hash!  Md5sum and SHA-1 are your friends.  And, if you are really paranoid, RIPEMD-160 is a good acquaintance to have.

Update: According to information we've received (thanks, Roel!), Korean versions of Mozilla and Thunderbird distributed through **official** Mozilla FTP sites were also infected.  So, if you use Korean Mozilla or Thunderbird, and downloaded the latest versions of Thunderbird or Mozilla, you may have been compromised.  I suggest a good file integrity check, and perhaps a reinstall of your operating system and apps.  Thanks again, Roel, for the clarification.
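The two checks the diary recommends, verifying a download against hashes published on more than one mirror and running a file integrity comparison afterwards, as an added Python example. This is not ISC or Mozilla code; the package name, mirror names, hash values and the fake /bin directory are all constructed inside the script so it runs offline. The MD5 and SHA-1 digests are from Python's hashlib; RIPEMD-160 is requested too but skipped where the local OpenSSL build does not provide it.

```python
"""Added example (not ISC or Mozilla code): check a downloaded package against
hashes published on several mirrors, then take and compare a file-integrity
baseline of the kind the diary suggests after the trojaned Korean builds.
All mirror names, file names and hash values below are constructed."""
import hashlib
import tempfile
from pathlib import Path

ALGOS = ("md5", "sha1", "ripemd160")  # RIPEMD-160 is absent from some OpenSSL builds


def _hashers(algos):
    """Instantiate the requested digests, skipping any this hashlib cannot build."""
    out = {}
    for name in algos:
        try:
            out[name] = hashlib.new(name)
        except ValueError:  # e.g. 'unsupported hash type ripemd160'
            pass
    return out


def digest_bytes(data, algos=ALGOS):
    hs = _hashers(algos)
    for h in hs.values():
        h.update(data)
    return {n: h.hexdigest() for n, h in hs.items()}


def digest_file(path, algos=ALGOS):
    """Hash a file in 64 KiB chunks so a large archive need not fit in memory."""
    hs = _hashers(algos)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hs.values():
                h.update(chunk)
    return {n: h.hexdigest() for n, h in hs.items()}


def verify_against_mirrors(path, published):
    """published maps mirror name -> {algo: hexdigest} as copied from that mirror.
    Returns (ok, report). ok is True only when at least two mirrors were consulted
    and every published value matches the local file, so a single mirror serving
    a backdoored build together with its own 'matching' hash is flagged, not trusted."""
    local = digest_file(path)
    report = {}
    for mirror, hashes in published.items():
        bad = sorted(a for a, v in hashes.items() if a in local and local[a] != v.lower())
        report[mirror] = "match" if not bad else "MISMATCH:" + ",".join(bad)
    ok = len(report) >= 2 and all(v == "match" for v in report.values())
    return ok, report


def baseline(directory, algo="sha1"):
    """Snapshot every regular file under directory as {relative path: hexdigest}."""
    root = Path(directory)
    return {str(p.relative_to(root)): digest_file(p, (algo,))[algo]
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(before, after):
    """Diff two snapshots; 'modified' is what an infected /bin would show."""
    return {
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
    }


def demo():
    """Constructed scenario: a 'download' whose content is b'abc', two honest
    mirrors and one mirror whose published hash belongs to a different file;
    then a fake /bin whose 'ls' is altered after the baseline is taken."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "mozilla-1.7.6.ko.tar.gz"  # constructed file name
        pkg.write_bytes(b"abc")
        good = digest_bytes(b"abc")
        honest = {a: good[a] for a in ("md5", "sha1")}
        tampered = {"md5": "0" * 32}  # constructed value that does not match the file
        ok_all, _ = verify_against_mirrors(pkg, {"mirror-a": honest, "mirror-b": honest})
        ok_one, rep = verify_against_mirrors(pkg, {"mirror-a": honest, "mirror-c": tampered})

        fakebin = Path(tmp) / "bin"
        fakebin.mkdir()
        for name in ("ls", "cat", "sh"):
            (fakebin / name).write_bytes(b"\x7fELF" + name.encode())  # stand-in binaries
        before = baseline(fakebin)
        (fakebin / "ls").write_bytes(b"\x7fELF" + b"ls" + b"injected")  # modified
        (fakebin / "id").write_bytes(b"\x7fELF" + b"id")  # new file
        diff = compare_baseline(before, baseline(fakebin))
    return {"digests": good, "two_honest_mirrors": ok_all,
            "one_tampered_mirror": ok_one, "report": rep, "bin_diff": diff}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The mirror check deliberately fails when only one source of hashes is available: a hash published beside the file on the same compromised server proves nothing, which is exactly the situation the official FTP mirrors were in here. The baseline half is the poor man's version of a real integrity checker and is only meaningful if the "before" snapshot was taken from a known-clean system.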

Speaking of Said Upgrades: Firefox 1.0.7

Published: 2005-09-23
Last Updated: 2005-09-23 14:20:36 UTC
by Ed Skoudis (Version: 4)

The latest version of Firefox is available, including some important security fixes.  Get it here.  This one fixes a few big security issues, including MFSA 2005-57, IDN heap overrun using soft-hyphens.


New Handler: Mohammed Haron

Published: 2005-09-23
Last Updated: 2005-09-23 13:13:33 UTC
by Johannes Ullrich (Version: 1)
Please welcome Mohammed Haron to our volunteer handler team.

Mohammed is currently working for Intel Corp. in Penang, Malaysia. His duties at Intel include a wide array of security responsibilities from IDS to Forensics. He holds a GIAC GSEC and GCIA certification, and has been a local mentor for both.

His interest in security got jump-started by a group of Brazilian hackers defacing his personal web site (gr33tz to P3dr0).


Winners of Bonus Points from Yesterday's FTBM

Published: 2005-09-23
Last Updated: 2005-09-23 00:15:07 UTC
by Ed Skoudis (Version: 1)

Yesterday, Tom Liston posted his latest Follow the Bouncing Malware.  In it, he posed a question for extra credit, namely:

"Those of you with taped, horn-rimmed glasses who were in the AV club in Jr. High will note that the numbers assigned to o(0) look strangely familiar.  [They were 4d5a] They're the hex equivalents of the "magic values" that begin every program on the PC (extra-credit: anyone know what they stand for?)."

We had several readers point out the answer, but the first was Frank Knobbe:

"Actually, it is every MSDOS program. Every Portable Executable (PE) file starts with a header. The first two bytes is a 'magic' that identifies the file as an MSDOS executable. The magic is 0x5A4D which is MZ in ASCII. MZ are the initials of Mark Zbikowski, one of the original architects of MS-DOS. :)"

Tom described this as the ultimate in vanity-license-plate equivalents for geeks.  Indeed it is.  And, I might point out that the file encryption solution built into modern Windows systems is called...

Signing out...
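The point Frank makes about the magic value, that the bytes 4d 5a seen in a hex dump and the word 0x5A4D are the same two-byte field read in different orders, is easy to get backwards. As an added example that is not from the diary or from Follow the Bouncing Malware, here is a small Python reader for the start of such a file: it constructs a minimal DOS header (the bytes are made up here, not taken from any real binary), checks the MZ magic both as bytes and as a little-endian word, and follows the e_lfanew field at offset 0x3C to the "PE\0\0" signature, refusing gracefully when the input is too short or the offset points outside the data.

```python
"""Added example (not from the diary or Tom Liston's FTBM): read the MZ magic
and follow e_lfanew to the PE signature of a constructed minimal header."""
import struct

# The field is stored little-endian, so a hex dump shows 4d 5a ("MZ") even
# though the same two bytes read as a 16-bit word are 0x5A4D.
MZ_MAGIC_WORD = 0x5A4D
PE_SIGNATURE = b"PE\0\0"
DOS_HEADER_LEN = 64
E_LFANEW_OFFSET = 0x3C


def build_minimal_header(e_lfanew=DOS_HEADER_LEN):
    """Constructed 68-byte blob: a 64-byte DOS header whose e_lfanew points at a
    PE signature placed right after it. Everything else is left as zeros."""
    dos = bytearray(DOS_HEADER_LEN)
    struct.pack_into("<H", dos, 0, MZ_MAGIC_WORD)
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    return bytes(dos) + PE_SIGNATURE


def inspect_header(blob):
    """Return what a loader checks first: the magic as raw bytes and as a word,
    and whether e_lfanew lands on 'PE\\0\\0'. Short or malformed input gives
    is_mz/is_pe False instead of raising."""
    result = {"magic_bytes": bytes(blob[:2]), "magic_word": None,
              "is_mz": False, "e_lfanew": None, "is_pe": False}
    if len(blob) < DOS_HEADER_LEN:
        return result
    (magic_word,) = struct.unpack_from("<H", blob, 0)
    (e_lfanew,) = struct.unpack_from("<I", blob, E_LFANEW_OFFSET)
    result["magic_word"] = magic_word
    result["e_lfanew"] = e_lfanew
    result["is_mz"] = magic_word == MZ_MAGIC_WORD
    # Bounds check before slicing: a bogus e_lfanew must not be trusted blindly.
    in_range = e_lfanew + len(PE_SIGNATURE) <= len(blob)
    result["is_pe"] = (result["is_mz"] and in_range
                       and blob[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE)
    return result


if __name__ == "__main__":
    info = inspect_header(build_minimal_header())
    print(info["magic_bytes"], info["magic_bytes"].hex(), hex(info["magic_word"]), info["is_pe"])
```

Running it prints b'MZ', 4d5a and 0x5a4d for the same field, which is the whole joke: the initials read forwards as text, backwards as a number.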

Edward Frank Skoudis

Intelguardians, www.intelguardians.com


Wi-Fi Worm Rumors

Published: 2005-09-23
Last Updated: 2005-09-23 00:14:30 UTC
by Ed Skoudis (Version: 1)
A couple of diligent readers pointed us to this initial report of a worm attacking Windows XP boxes, spreading only through Wi-Fi, not the Internet.  While it hasn't been confirmed (nothing is confirmed until we get packets or code!), it's an intriguing possibility.  The first I heard about this concept was several years ago, over Thai food and beers with a fellow handler, whom I won't name.  Okay... his name is an anagram of "A JUG HIS WORTH."  Anyway, Mr. JUG mentioned the possibility of a worm that attacks via wireless and leaves the Internet alone for a while.  That way, it would miss our detection mechanisms for a while, as it spreads in airports, coffee houses, and urban centers.  Perhaps we are facing such a thing now, or perhaps not.  Something wicked might be brewing in Newark, New Jersey.

Hurricane Katrina Follow-Up

Published: 2005-09-23
Last Updated: 2005-09-23 00:14:20 UTC
by Ed Skoudis (Version: 1)

Got this message from some fine folks at DHS:

"In responding to recent natural disasters and state of emergencies due to Hurricane Katrina, and now Rita, the DHS US-CERT in collaboration with the Control Systems Security Center (CSSC) has released a Hurricane Katrina Control System Assistance Informational Paper. The US CERT Control Systems Security Center (CSSC) has placed this informational bulletin here.  Please go to this site and click on the link under reports for "Hurricane Katrina Control Systems Assistance (PDF)."

This paper describes how to get physical and electronic operations back on-line in a time of crisis.
