
SANS ISC: InfoSec Handlers Diary Blog


Bloodhound.Exploit.52 (Flash Player 7) detections

Published: 2005-11-11
Last Updated: 2005-11-12 11:39:57 UTC
by Patrick Nolan (Version: 1)
We received a report of multiple alerts from an enterprise Symantec user. The alerts are Bloodhound.Exploit.52 detections, "a heuristic detection for the Flash Player 7 Improper Memory Access Vulnerability, as described in MPSB05-07."

Samples of the files triggering the detections are not available at the moment.

If you're seeing this or any other related alerts please drop us a note.


The submitter has sent the following information;

"We are using the Symantec Corporate Edition scan engine; we also use rapid release definition files, the version from 11/10/2005 rev. 39 and a version from 11/11/2005 of unknown revision. The trick is that you have to have Flash Player 7.0.19; any newer version of Flash Player does not trigger the Symantec alert. Hope that helps."

We received a second report, similar to the first. Based on the websites reported at this point, they do not involve any domains I'm familiar with that have been known to dish out malware. More to come!

UPDATE Symantec's write-up says "Files that are detected as Bloodhound.Exploit.52 may be malicious. We suggest that you submit to Symantec Security Response any files that are detected as Bloodhound.Exploit.52."

FINAL UPDATE - We received this information from a contributor who asked for anonymity - "I checked with my Symantec Technical Account Manager regarding Bloodhound.Exploit.52. They've only had false positive submissions on that heuristic so they've revised it. The revised heuristic is available in the Rapid Release definitions. Certified definitions will have the revised heuristic tomorrow."

Thanks for all the reports.


phpAdsNew log items, vulnerabilities, fix and patch information

Published: 2005-11-11
Last Updated: 2005-11-11 15:12:02 UTC
by Patrick Nolan (Version: 1)
Fotis Kouretas submitted log information related to phpAdsNew with the observation that "While xmlrpc scans have been common for the last 2 days, these log snips have something special. It doesn't scan all the web servers and it knows the location of a specific target: phpAdsNew".

There were no other event log correlations; Fotis's log submission showed:

"POST /apps/media/ads/adxmlrpc.php HTTP/1.1" 406 278 "-" "-"
"POST /media/adxmlrpc.php HTTP/1.1" 406 349

The log entries may be related to a Nov 10 2005 phpAdsNew vulnerability announcement:
[Full-disclosure] [FS-05-01] Multiple vulnerabilities in phpAdsNew
phpAdsNew affected versions: at least 2.0.6, most likely other versions also.
A remote attacker could exploit this to learn installation paths on the server, as well as to locate new files and possibly manually modified
If magic_quotes_gpc is off, a remote attacker can also compromise the integrity of the database.

According to Matteo Beccati at phpAdsNew, "The fix is on CVS REL_2_0 branch for now, I'll be able to make the final test and do the release in the weekend." (the weekend of 2005-11-12 and 2005-11-13)
Project: phpAdsNew: CVS
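The submitted entries are ordinary Apache access-log lines, so the distinction Fotis points out (a source that posts only to phpAdsNew's adxmlrpc.php rather than sweeping for the generic xmlrpc.php) can be pulled out of a log automatically. The script below is an added example written for this diary; it is not phpAdsNew's code or the submitter's tool. It assumes the Apache combined log format, accepts request-only snippets like the two quoted above (their host and timestamp are missing, so they are reported under "unknown"), and the remaining sample lines are constructed using RFC 5737 documentation addresses.

```python
"""Separate targeted phpAdsNew adxmlrpc.php probes from generic xmlrpc.php
sweeps in Apache access logs. Added example for this diary entry; not code
from phpAdsNew or from the submitter."""
import re
from collections import defaultdict

# Apache combined/common log line. The host/ident/user/timestamp prefix is
# optional so that request-only snippets (as quoted in the diary) parse too.
LOG_RE = re.compile(
    r'^(?:(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] )?'
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# phpAdsNew exposes its XML-RPC interface as adxmlrpc.php; the mass scanners
# active in the same period were looking for the generic xmlrpc.php.
PHPADSNEW_XMLRPC = re.compile(r'(?:^|/)adxmlrpc\.php$', re.I)
GENERIC_XMLRPC = re.compile(r'(?:^|/)xmlrpc\.php$', re.I)

# Sample log. The first two lines are the entries quoted in the diary (no host
# or timestamp); the rest are constructed for this example.
SAMPLE_LOG = [
    '"POST /apps/media/ads/adxmlrpc.php HTTP/1.1" 406 278 "-" "-"',
    '"POST /media/adxmlrpc.php HTTP/1.1" 406 349',
    '203.0.113.5 - - [10/Nov/2005:09:12:01 +0000] "POST /apps/media/ads/adxmlrpc.php HTTP/1.1" 406 278 "-" "-"',
    '203.0.113.5 - - [10/Nov/2005:09:12:02 +0000] "POST /media/adxmlrpc.php HTTP/1.1" 406 349 "-" "-"',
    '198.51.100.7 - - [10/Nov/2005:09:15:44 +0000] "POST /xmlrpc.php HTTP/1.1" 404 212 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Nov/2005:09:15:45 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 212 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Nov/2005:09:15:46 +0000] "POST /media/adxmlrpc.php HTTP/1.1" 404 212 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [10/Nov/2005:09:20:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not an access-log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry['host'] = entry['host'] or 'unknown'
    entry['status'] = int(entry['status'])
    entry['path'] = entry['path'].split('?', 1)[0]   # drop the query string
    return entry


def classify(entry):
    """'phpadsnew-xmlrpc', 'generic-xmlrpc', or None for anything else."""
    if entry['method'].upper() != 'POST':
        return None
    if PHPADSNEW_XMLRPC.search(entry['path']):
        return 'phpadsnew-xmlrpc'
    if GENERIC_XMLRPC.search(entry['path']):
        return 'generic-xmlrpc'
    return None


def analyze(lines):
    """Per-source counts of the two probe types plus the paths and statuses seen."""
    report = defaultdict(lambda: {'phpadsnew-xmlrpc': 0, 'generic-xmlrpc': 0,
                                  'paths': set(), 'statuses': set()})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind is None:
            continue
        rec = report[entry['host']]
        rec[kind] += 1
        rec['paths'].add(entry['path'])
        rec['statuses'].add(entry['status'])
    return dict(report)


def targeted_sources(report):
    """Sources that hit adxmlrpc.php and never touched the generic xmlrpc.php:
    the 'knows where phpAdsNew lives' pattern the submitter singled out."""
    return sorted(host for host, rec in report.items()
                  if rec['phpadsnew-xmlrpc'] and not rec['generic-xmlrpc'])


if __name__ == '__main__':
    rep = analyze(SAMPLE_LOG)
    for host, rec in sorted(rep.items()):
        print(host, rec['phpadsnew-xmlrpc'], rec['generic-xmlrpc'],
              sorted(rec['paths']), sorted(rec['statuses']))
    print('targeted:', targeted_sources(rep))
```

Note the status codes when reading the output: the 406 responses in the submitted entries mean the server refused those requests, so they were failed probes. A 200 on an adxmlrpc.php path from the same source is what would warrant pulling the request body, if the server keeps it, and checking the installation against the fix.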

We will post additional information from contributors as it's developed.

Thanks Fotis!

Stolen Laptops

Published: 2005-11-11
Last Updated: 2005-11-11 13:08:34 UTC
by Johannes Ullrich (Version: 1)
Once more, we heard about a stolen laptop (MAC address 00-0E-35-08-62-6E). If you have a second today, in particular if you are travelling, see if you can pick up the signal from its wireless card.

However, the bigger question: how do you recover stolen laptops? There are now a number of "calling home" systems. Are there any MAC address registries for stolen laptops? Please let us know if you have any experience with any of these systems, and how they worked (or did not work) for you.

Update: Didn't take long. Kalev sent us a small BAT file that can be used to track the location of a laptop. The script uploads information such as the IP address and traceroutes to an FTP server on boot and at regular intervals. It works on Windows NT, 2000 and XP. I made it available here: (md5sum: 3cc8a3fea825bf94645ee7ab627126ec). Make sure you read the 'readme' file and customize the script to use your own FTP server.


Port 13722 hacktool log scan report - NetBackup clients and servers - Did You Patch?

Published: 2005-11-11
Last Updated: 2005-11-11 12:10:41 UTC
by Patrick Nolan (Version: 1)
We have received a submission from a contributor, Vlad A., of files taken from a compromised system, including a log detailing extensive scanning for port 13722, exclusively. That's right, the log showed Internet scanning configured exclusively for port 13722, and it had quite a surprising (maybe not too surprising) number of results. The logs were generated by a relatively new "hack tool". DShield results for port 13722 show a small number of systems scanning for this port, all recently, since the vulnerability announcement. Thanks for the files, Vlad!

NetBackup clients and servers use port 13722, and TippingPoint's Zero Day Initiative (ZDI) says the discovered "vulnerability allows remote attackers to execute arbitrary code on vulnerable NetBackup installations. Authentication is not required to exploit this vulnerability." And "This specific flaw exists within the bpjava-msvc daemon due to incorrect handling of format string data passed through the 'COMMAND_LOGON_TO_MSERVER' command. The vulnerable daemon listens on TCP port 13722 and affects both NetBackup clients and servers." They acknowledge "Credit: This vulnerability was discovered by Kevin Finisterre with exploitation assistance from JohnH."

Patch and workaround information is at Veritas.



Real Player critical patch for two vulnerabilities

Published: 2005-11-11
Last Updated: 2005-11-11 00:11:06 UTC
by Patrick Nolan (Version: 2)
RealNetworks has issued a critical patch for two vulnerabilities reported by eEye. The vulnerabilities affect a large number of RealNetworks' applications.

eEye RealPlayer Zipped Skin File Buffer Overflow II
"A RealPlayer skin file (.rjs extension) can be downloaded and applied automatically through a web browser without the user's permission."

eEye RealPlayer Data Packet Stack Overflow
"By specially crafting a malformed .rm movie file, a direct stack overwrite is triggered, and reliable code execution is then possible."

RealNetworks Update to Address Security Vulnerabilities.
