SANS ISC: InfoSec Handlers Diary Blog

Storm worm with 4th of July subject lines

Published: 2007-07-03
Last Updated: 2007-07-05 03:26:32 UTC
by Maarten Van Horenbeeck (Version: 3)

Update - Some new subject lines added (marked "new" below).
If you have the ability to block .exe downloads, now is a pretty good time to implement it.


We've been receiving numerous mails from readers reporting new subject lines being featured by the Storm Worm. Below is a brief overview of those gathered so far (thanks to Michael, Frederic, Robert, Jonathan, Timothy, Jay, Chandragupta and everyone else who wrote in with feedback).

4th Of July Celebration
America the Beautiful
America's 231 Birthday
American Pride, On The 4th
Americas B-Day
Celebrate Your Independence
Celebrate Your Nation
Fireworks on the 4th
Fourth of July Party
God Bless America
Happy 4th July
Happy B-Day USA
Happy Birthday America
Happy Fourth of July (new)
Independence Day At The Park
Independence Day Celebration
Independence Day Party
July 4th B-B-Q Party
July 4th Family Day
July 4th Fireworks Show (new)
Your Nations Birthday
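The subject list above is only useful once it is wired into a mail filter. The following is an added example, not the ISC's or any reader's code: it parses a message with Python's standard `email` package, flags subjects from the campaign list, and also flags .exe attachments and links to .exe files, which is the "block exe" advice from the update applied at the mail gateway. The sample messages it builds are constructed, with an inert placeholder in place of any binary.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lines reported to the ISC for this campaign (copied from the list above).
STORM_SUBJECTS = {
    "4th of july celebration", "america the beautiful", "america's 231 birthday",
    "american pride, on the 4th", "americas b-day", "celebrate your independence",
    "celebrate your nation", "fireworks on the 4th", "fourth of july party",
    "god bless america", "happy 4th july", "happy b-day usa", "happy birthday america",
    "happy fourth of july", "independence day at the park", "independence day celebration",
    "independence day party", "july 4th b-b-q party", "july 4th family day",
    "july 4th fireworks show", "your nations birthday",
}
EXE_URL = re.compile(r"https?://\S+?\.exe\b", re.IGNORECASE)

def classify(raw: bytes) -> dict:
    """Return the reasons a message should be held (an empty dict means clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = {}
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in STORM_SUBJECTS:
        reasons["subject"] = subject
    exe_files, exe_links = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".exe"):
            exe_files.append(name)
        elif part.get_content_maintype() == "text":   # body text: look for .exe links
            exe_links.extend(EXE_URL.findall(part.get_content()))
    if exe_files:
        reasons["exe_attachments"] = exe_files
    if exe_links:
        reasons["exe_links"] = exe_links
    return reasons

def sample_message(subject: str, link: str = "", attach_exe: bool = False) -> bytes:
    """Constructed test mail; the attachment body is an inert placeholder, not a binary."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = subject
    m.set_content("Watch the show here: " + link if link else "See you at the park.")
    if attach_exe:
        m.add_attachment(b"placeholder, not a real binary", maintype="application",
                         subtype="octet-stream", filename="fireworks.exe")
    return bytes(m)
```

Matching on exact subject text is brittle (the list changes by the hour), so in practice the subject match should raise a score rather than act alone, while the .exe rules can stand on their own.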


Port 5901 scanning

Published: 2007-07-03
Last Updated: 2007-07-03 22:28:54 UTC
by Maarten Van Horenbeeck (Version: 1)

Will the internet come to a grinding halt on July 4th? Should we start preparing the first 'crackberry' detox centres? Not really. However, according to media reports something does seem to be amiss. Some outlets have reported on the major increase in port 5901 scanning we're seeing in our (your) logs. This increase is not uncorroborated: others are reporting very similar increases.

Port 5901 is generally used as the first VNC (Virtual Network Computing) display on Linux machines, and the second one on Windows hosts. There are a number of popular implementations of VNC, of which the most popular are UltraVNC, TightVNC and RealVNC. A number of recent security vulnerabilities have added incentive for attackers to start indexing hosts running this service. In 2006, for example, RealVNC allowed authentication bypass, while UltraVNC was plagued by a number of buffer overflow vulnerabilities.

No reason for panic just yet. It likely indicates attackers may have been successful in compromising a number of hosts using vulnerabilities in this service, increasing their belief in VNC as a viable attack vector. It could also indicate the release of new attack tools.

As such, if you notice any machines on a network under your control scanning for port 5900 or 5901/TCP, we'd be very interested in hearing what the result of your investigation was. Did you find any new tools, or was it the same old "VNC_bypauth" ? Get in touch with us here. Thanks!
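Spotting an internal host that is sweeping for 5900/5901 is a matter of counting distinct destinations per source in the firewall logs. The following added example (not an ISC tool) does that over netfilter-style LOG lines; the sample lines it generates are constructed and abbreviated, and the threshold of ten distinct targets is an assumption to tune for your network.

```python
import re
from collections import defaultdict

# Fields as written by the netfilter LOG target; the sample lines below imitate that shape.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")
VNC_PORTS = {5900, 5901}

def find_vnc_scanners(lines, min_targets=10):
    """Map each source that hit >= min_targets distinct hosts on TCP/5900-5901 to its targets."""
    targets = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["proto"] != "TCP" or int(m["dpt"]) not in VNC_PORTS:
            continue
        targets[m["src"]].add(m["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

def sample_log():
    """Constructed lines: 10.0.0.5 sweeps 30 hosts on 5901, 10.0.0.7 makes one normal VNC connection."""
    base = "Jul  3 10:{m:02d}:{s:02d} fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC={src} DST={dst} LEN=60 PROTO={proto} SPT={spt} DPT={dpt}"
    lines = [base.format(m=0, s=i, src="10.0.0.5", dst=f"192.0.2.{i}", proto="TCP", spt=40000 + i, dpt=5901)
             for i in range(1, 31)]
    lines.append(base.format(m=5, s=0, src="10.0.0.7", dst="192.0.2.50", proto="TCP", spt=50123, dpt=5900))
    # UDP to 5901 is not a VNC connection attempt and must not be counted
    lines.append(base.format(m=5, s=1, src="10.0.0.5", dst="192.0.2.99", proto="UDP", spt=5353, dpt=5901))
    return lines
```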


New mutation of PDF spam

Published: 2007-07-03
Last Updated: 2007-07-03 21:04:05 UTC
by Maarten Van Horenbeeck (Version: 2)

A few weeks ago we reported on new spam using PDF attachments. These were professionally designed and contained graphs and detailed information on the stock in question. In general, they covered one stock on the Frankfurt stock exchange each.

During the last two days, we've received continuous reports of new PDF spam. This time the pages attached are generally of different size each time (no longer A4, but 4x3 inch or 6x1 inch). The text also has been obfuscated which makes it much less readable, but also more difficult for spam filters to assess through OCR.  Stocks mentioned are now listed on NASDAQ instead of the European exchanges.

UPDATE: Two readers sent in some interesting observations, which appear to match most samples we currently have available. Nathan discovered most PDF stock spam has a corrupted XREF table. He runs incoming PDF files through Ghostscript and searches for error messages to classify them as potential spam. He does note that some PDF creators are not fully compliant with the Adobe standard and seem to cause false positives. WillC reported that each of the PDF scam messages he received had an identical user agent of "Thunderbird (Windows/20070509)".
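Nathan's approach relies on Ghostscript complaining about a damaged cross-reference table. As an added example (not Nathan's script or anything from the ISC), the checker below validates the `startxref` pointer and every xref entry directly, so a filter can see which structural defect triggered; the one-page PDF it builds is constructed here, and the caveat from the diary still applies, since non-compliant but legitimate PDF writers will trip it too.

```python
import re

def build_pdf(corrupt_xref: bool = False) -> bytes:
    """Constructed one-page PDF; with corrupt_xref the startxref offset is shifted."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 288 72] >>"]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_at + (7 if corrupt_xref else 0))
    return bytes(out)

def xref_problems(pdf: bytes) -> list:
    """List the cross-reference defects a Ghostscript-style parse would report."""
    m = re.match(rb"startxref\s+(\d+)\s*%%EOF", pdf[pdf.rfind(b"startxref"):])
    if not m:
        return ["no startxref / %%EOF trailer"]
    start = int(m.group(1))
    if not pdf.startswith(b"xref", start):
        return [f"startxref points to {start} but no xref table there"]
    hdr = re.match(rb"xref\s+(\d+)\s+(\d+)\n", pdf[start:])
    if not hdr:
        return ["malformed xref subsection header"]
    first, count, pos = int(hdr.group(1)), int(hdr.group(2)), start + hdr.end()
    problems = []
    for i in range(count):          # every classic xref entry is exactly 20 bytes
        entry = pdf[pos:pos + 20]
        em = re.match(rb"(\d{10}) (\d{5}) ([nf])[ \r\n]{2}$", entry)
        if not em:
            return problems + [f"xref entry {first + i} malformed: {entry!r}"]
        if em.group(3) == b"n":     # in-use entry: the object header must sit at that offset
            off, gen = int(em.group(1)), int(em.group(2))
            if not pdf.startswith(b"%d %d obj" % (first + i, gen), off):
                problems.append(f"object {first + i} not at offset {off}")
        pos += 20
    return problems
```

The checker handles the classic xref table only; PDF 1.5 cross-reference streams would need their own parser, which is another reason to keep the Ghostscript pass as the authoritative test.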


Incident response for the mobile enterprise

Published: 2007-07-03
Last Updated: 2007-07-03 08:23:28 UTC
by Maarten Van Horenbeeck (Version: 1)

A lot of chatter has appeared on the security of Apple’s new iPhone. As with any new technology, it is to be expected that some security issues will be identified and fixed.
More importantly though, the phone’s release indicates we as security professionals should be prepared to investigate security incidents on mobile devices. This new generation of smartphones is much more likely to be purchased or requested by employees as a status symbol than is the average laptop. As such, it may be used to transport corporate data and could fall within the scope of a forensic investigation.
Unfortunately, mobile phone technology is technically harder to investigate:
  • There may not be a clear distinction between which memory space is used for data and which is used for processes. Loss of battery power generally leads to loss of evidence;
  • In most cases you can only acquire data ‘logically’, by requesting it through the phone software. In those rare cases where you can ‘physically’ dump memory as an image, this may still depend on phone functionality that can be ‘flashed’. As such, integrity of evidence could be a serious issue;
  • An attacker could still be able to connect to the device remotely if it is not kept in a shielded environment.
Organizations should therefore take a number of decisions regarding the use of cell phones. One example is whether they should provide employees with cell phones, or instead support a number of acceptable 'employee-owned phones' over which they may have less control. Policies should also be developed to govern the use of mobile devices.
Incident response groups should commence the first step of the incident handling cycle: Prepare! This includes adding the necessary tools, skills/procedures and hardware to fully support investigations on mobile devices:
  • Tools can include free software such as Tulp2g, or one of the many commercial packages. The NIST offers a great tool review for mobile forensics;
  • Skills and procedures can be gathered through training or exercise. One great resource is the NIST site;
  • Hardware should include a SIM/USIM card reader (generally a regular smartcard reader which supports the smaller format), the necessary cables to connect your supported cell phones to the analysis workstation, as well as an RF shielding bag to prevent evidence compromise.

Some other issues may require review with your legal team. Some of the data stored on a SIM/USIM card, for example, may allow an investigator to broadly assess the past physical location of a cell phone user. This could be a very significant privacy issue.

Maarten Van Horenbeeck
