Published: 2004-04-30

-UPDATE- Sasser Worm; Week in Review; LSASS Exploit Analysis; SANSFIRE 2004

Sasser Worm

ISC is aware of the LSASS Sasser worm.
This worm is spreading through the MS04-011 (LSASS) vulnerability.
According to AV companies, this worm generates traffic on ports 445, 5554 and 9996. It also copies itself into the Windows folder under the name avserve.exe, creates a file called win.log at c:\ and adds the registry value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exe
Another sign of infection is frequent crashes of 'LSASS.EXE'.
Expect frequent updates.
References: http://www.f-secure.com/v-descs/sasser.shtml


Due to the release of this worm, we moved to infocon yellow for the next
24 hrs. The exact impact is not clear at this point.

Week in review. Many organizations including the Storm Center have been predicting a wide-spread malware outbreak that would exploit one or more of the vulnerabilities contained in the April Microsoft security bulletins. So far this week we have not seen any worm code, but the Ago|Gao|Phatbot family continues to grow and mutate. There are now several hundred variations of this bot family and there does not appear to be an end in sight. The family added tcp/1025 to its list of ports to scan, apparently hunting for RPC/LSASS and RPC/DCOM vulnerabilities. Increased scanning reported by DShield users on ports 135, 139, 445, 1025, 1433, 2745, 3127, and 5000 is probably related to this family of bots. File names reported to the ISC this week that appear to be versions of the bot family include wmiprvsw.exe, wmipsvsc.exe, msiwin84.exe, and msiwin98.exe.

Other items included new versions of the Bagle and Netsky viruses plus increased scanning for open mail proxies on ports 559 and 65506.

LSASS exploit analysis. At the beginning of the week a Windows RPC/LSASS (MS04-011) remote exploit began circulating. Later in the week a universal exploit for lsasrv.dll was made public. Kyle Haugsness, one of our incident handlers, assembled the following analysis:

The Microsoft LSASS vulnerability released on April 13, 2004 is currently being exploited in the wild. At least two published exploits have been confirmed to gain full remote administrative privileges on Windows 2000 (Pro and Server) and Windows XP (see http://www.k-otik.com/exploits/ ). Due to the nature of the vulnerability, the exploit can be launched against several TCP/UDP ports (see list below). Exploit code in the wild has been observed attacking TCP 1025. Additionally, a working exploit appears to have been included in recent versions of the Phatbot/Agobot family of malware, which spreads in a wormlike fashion.

A machine infected with Phatbot/Agobot has been known to scan some of the following TCP ports in rapid succession (and not necessarily this order): 2745 1025 80 3127 6129 1433 5000 445 443 135

In addition to TCP 1025, the following ports are vulnerable to the LSASS exploit:
TCP 135, 139, 445, and 593.
UDP 135, 137, 138, and 445.

The patch for the vulnerability (MS04-011) can be installed through Windows Update or located at the following URL:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

The vulnerability has been assigned CVE reference number CAN-2003-0533.

SANSFIRE 2004

Finally, I'd like to put in a plug for this summer's hottest computer security conference - SANSFIRE in Monterey, California. Come meet several of the ISC handlers and attend one of SANS' 14 training tracks the first week in July. See you there! http://www.sans.org/sansfire2004/

Marcus H. Sachs

The SANS Institute

Handler on Duty


Published: 2004-04-29

Port 1025 increase, MS04-11 update problems

Microsoft has released a KB article on problems with the MS04-11 update on some machines, including losing the ability to log in or failure to respond after rebooting. If you've run into this problem, or are preparing to deploy MS04-11, you can read up on the problem and the solution here:


There's been an increase in port tcp/1025 activity. Netcat data shows that the increase was from a DCOM exploit, something included in the Metasploit 2 framework, which could explain the increase. Traffic shows the typical 'MEOW' string.

Handler on Duty, Davis Ray Sickmon Jr


Published: 2004-04-28

Another wave of virus / New Gaobot / HP Web JetAdmin Vulnerability exploitation


Some news about yesterday's diary entry on "Phatbot exploiting LSASS".
The binary was identified today by Symantec beta virus definitions as

This is not the end... we received information about yet another variant that is not identified by these beta virus definitions. As reported in previous diaries, the source code of the worm is available in the underground, and continuous and more controlled / dangerous versions are expected.

Bagle.aa/Beagle.X and Netsky.AB in the wild

A new version of the Beagle worm was discovered today. Besides the common
behavior of spreading itself by file-sharing and email, this version also opens a
backdoor on port 2535.
Also, the newest version of Netsky (Netsky.AB) is reported to be in the wild.
At this time, some of the major AV companies have already updated their virus
definition files to detect them.
Reference: http://www.sarc.com/avcenter/venc/data/w32.beagle.x@mm.html


HP Web JetAdmin vulnerability exploitation

We received a report about the exploitation of the HP Web JetAdmin vulnerability posted to the Bugtraq mailing list.
This vulnerability affects version 6.5. Also, versions 6.2 and 7.0 are partially affected.
Reference: http://www.securityfocus.com/archive/1/361535/2004-04-24/2004-04-30/0


Handler on duty: Pedro Bueno (bueno_AT_ieee.org)


Published: 2004-04-27

PhatBot exploiting LSASS?


The ISC has come into possession of what appears to be a new version of PhatBot that contains code to exploit the LSASS (LSASS: Local Security Authority Subsystem Service) vulnerabilities patched under MS04-11. Reference these old diary entries:



We are currently focusing on some keywords found in the executable that indicate that an LSASS exploit has been added, specifically, the command string "CScannerLSASS".

We are currently investigating the code, and will update the diary as new information becomes available.

Traffic matching this bot was first observed yesterday evening (EDT) at multiple US .edu's.

The bot appears to inherit all other functions usually associated with 'phatbot'.

Handler on duty: Tom Liston ( http://www.labreatechnologies.com )

Happy 11th Birthday to Mary Liston!


Published: 2004-04-26

LSASS exploit, SSL PCT exploits, port 559 (tcp) proxy hunter, Bagle.Z

LSASS Exploit (MS04-011 / CAN-2003-0533)

An exploit targeting the recently released vulnerability in Windows' Active Directory service functions in LSASRV.DLL (LSASS: Local Security Authority Subsystem Service) was made public today.

The exploit is effective against some versions of Windows 2000 with SP3 or SP4
installed. The patch released earlier this month as part of MS04-011 will fix this vulnerability.

If you have not done so already, please apply the MS04-011 patch as soon as possible. Even if no worm is released, we expect that all Internet facing systems will be probed with this exploit over the next couple of days.

The exploit will allow full remote control via a remote shell. The port used by the remote shell can be changed via a command line option.

(update: we just received a report of the exploit being used in the wild.)

More SSL PCT exploits

We did receive more reports about exploits of systems using the IIS SSL PCT exploit (CAN-2003-0719, MS04-011). So far, it appears that the exploit is
only used against IIS servers. But the observations indicate that networks
are systematically scanned and vulnerable systems are exploited immediately,
indicating an automated tool.

The exploit will leave the following message in your windows event log:

"The security package Microsoft Unified Security Protocol Provider generated an exception. The package is now disabled. The exception information is the data."

While a reboot of the system will restart IIS and permit access to the https site, it will not necessarily remove code uploaded by the attacker.

DShield data shows an increase in port 443 scanning, further supporting the widespread use of the SSL PCT exploit against IIS servers.
However, the number of observed sources for these scans is still small.

Port 559

Our sensors noted a significant increase in scans against port 559.

Simple netcat honeypots on selected sensors revealed that these scans are searching for open proxy servers. At this point, we do not know if any of the recent viruses or trojans will open proxy servers on this port.


A new version of Bagle was released today, bringing Bagle up to version Z.


Johannes Ullrich, jullrich_AT_sans.org


Published: 2004-04-25

New LSASS RPC exploit; Port 443; The Week Ahead

New LSASS RPC Exploit

Exploit code has been posted (not confirmed as functional yet) that would allow an attacker to take advantage of a remote buffer overflow in the Local Security Authority Subsystem Service (LSASS). In the recent release of MS04-011 by Microsoft ( http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx ), one of the vulnerabilities affects the LSA service. LSASS provides an interface to manage local security, domain authentication and Active Directory processes. LSASS fails to check the length of a message before passing it on to the correct service. This exploit would allow an attacker to execute code and gain complete control of the system. It is imperative that the patch is applied if you have not already done so.


Port 443

In light of the recent vulnerability in the PCT protocol in SSL, we have been watching traffic on port 443. As of now, targets and records are up and sources are slightly elevated. This activity is consistent with increased scanning. So far there are no reports of any worm-like activity. This could change in the near future, so please be alert, and if you see increased activity on port 443, please let us know.

The Week Ahead

With all of the new vulnerabilities, viruses, worms and exploit code that have recently been published, it is important that everyone stays alert. It is easy to become complacent when you hear about potential activity and it doesn't materialize. The week ahead may prove to be very active given all of the recent events. Watch your network traffic and stay alert! Please let us know if you see anything unusual happening on your network.

Lorna J. Hutcheson
Handler on Duty


Published: 2004-04-24

Phatbot/Agobot/Gaobot; More on MS SSL exploit; Mailbag



In yesterday's diary entry on "Possible New Virus", the virus was identified as W32.HLLW.Gaobot.gen (Symantec) or W32/Sdbot.worm.gen (McAfee).

According to Symantec, the worm can exploit systems using various vulnerabilities, including:

* Weak passwords on network shares.

* The DCOM RPC vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

* The WebDav vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

* The Workstation service buffer overrun vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

* The Microsoft Messenger Service Buffer Overrun vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-043.mspx

* The Locator service vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-001.mspx

* The UPnP vulnerability: http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx

* The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit: http://www.microsoft.com/technet/security/bulletin/MS02-061.mspx

* The backdoor ports that the Beagle and Mydoom families of worms open.

It also opens backdoors to the infected computers through IRC.

More on MS SSL exploit

Microsoft has issued information about code that attempts to exploit PCT in SSL:

"All programs that use SSL could be affected. Although SSL is generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. These services include, but are not limited to, Microsoft Internet Information Services 4.0, Microsoft Internet Information Services 5.0, Microsoft Internet Information Services 5.1, Microsoft Exchange Server 5.5, Microsoft Exchange Server 2000, Microsoft Exchange Server 2003, Microsoft Analysis Services 2000 (included with SQL Server™ 2000), and any third-party programs that use PCT. SQL Server 2000 is not vulnerable because it specifically blocks PCT connections."

"Windows 2000 domain controllers that are installed in an Active Directory domain that also has an Enterprise Root certification authority installed are affected by this vulnerability because they automatically listen for secure SSL connections."

There is a chance of using the exploit against IIS running Microsoft SSL to get inside a network. Once inside the network, the attacker could use the same technique to compromise other systems running Microsoft SSL which are supposedly protected by the firewall.

We received an email on the use of the MS SSL exploit. From the report, after the successful K-OTIK exploit via port 443, the victims called back a shell to another host via port 53. Commands such as net start, net stop, net view, ipconfig, net share, ftp, dir and del were seen being executed. One of the victims also initiated a connection to another host on port 80 to get some backdoors. From the filename, one of them is the stealthy backdoor hxdef084.exe:

We also received an email on seeing Phatbot/Agobot/Gaobot variants spreading:


Published: 2004-04-23

Move to Yellow, Potential PCT worm, No Osama has NOT been captured, New Virus, Symantec Firewall Vulnerability

Potential Microsoft PCT worm (MS04-011)

In response to observed active exploitation [1] of the PCT vulnerability [2], announced in Microsoft Bulletin MS04-011 [3], some AV vendors have raised their alert status. The IT-ISAC reports that some IDS are "detecting and blocking attacks against many institutions. The attacks are attempting to steal data and/or break into payment systems."

US-CERT has reported that it is "aware of network activity that is
consistent with scanning and/or exploit attempts against this vulnerability. Reports indicate increased network traffic to ports 443/tcp and 31337/tcp. The PCT protocol runs over SSL (443/tcp) and the known exploit code connects a command shell on 31337/tcp."

REN-ISAC monitoring of port 443 traffic [4] on the Internet2 Abilene network does indicate elevated levels of activity.

According to the US-CERT overview of the vulnerability: "A vulnerability exists in the Private Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. Exploitation of this vulnerability may permit a remote attacker to compromise the system.

An exploit for this issue is currently being used to compromise vulnerable
systems running SSL-enabled IIS 5.0. Note the vulnerability exists in any SSL-enabled program which is running on vulnerable Windows systems.
Windows 2003 Server is not affected if PCT is disabled."

MS04-11 is effective in patching against the exploit.

http://www.us-cert.gov/current/current_activity.html#pct [1]
http://www.kb.cert.org/vuls/id/586540 [2]
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx [3]
http://www.ren-isac.net/monitoring/port.cgi?port-443 [4]

Possible New Virus

We have received several reports today of a possible virus release. It has been reported that it is first recognized by a slowing down of the server and ends with a database corruption. We are receiving reports of network scans on port 443. This is likely to be an interesting weekend as all of these surface. Stay tuned for more information.

Osama Bin Laden Captured

An email is circulating on the Internet today that claims to be from CNN or BBC. The email utilizes this exploit to download a file pics.chm that in turn contains and executes a Trojan. McAfee has identified this as Exploit-MhtRedir.gen and Norton identifies it as Backdoor.Nibu.D. The Trojan, once executed, attempts to steal passwords and bank account information.

Symantec Firewall Vulnerability
http://www.eeye.com/html/Research/Advisories/AD20040423.html :


eEye Digital Security has discovered a severe denial of service vulnerability in the Symantec Client Firewall products for Windows.
The vulnerability allows a remote attacker to reliably render a system inoperative with one single packet. Physical access is required in order to bring an affected system out of this "frozen" state. This specific flaw exists within the component that performs low level processing of TCP packets.

Possible move to Yellow

We are closely monitoring the IIS exploit and may move to Yellow this evening.

Thanks to all for their contributions.

Deb Hale

Handler on Duty


Published: 2004-04-22

Witty Traffic Request / Mailbag

Witty Traffic Request
Witty came out 4 weeks ago. We do hear rumors of variants, but have no confirmation so far and would like to request samples of unusual traffic with source port 4000.
Some users are already reporting the use of the IIS SSL exploit for remote compromise. However, there is no sign of a worm yet. The reports are currently based on one known tool, and this tool currently only targets English and German versions.
New tools are being released to exploit the TCP and MS SSL vulnerabilities. Now that some viruses are 'open source' (i.e. Phatbot), it may be only a question of time before we see these exploits incorporated into them.

So, once again, patch your systems!
Reference: http://www.f-secure.com/weblog/
Sample Packet:

Handler on duty: Pedro Bueno (bueno_AT_ieee.org)


Published: 2004-04-21

Possible new wave of worms, TCP reset tool for Windows released, New IIS 5 SSL Remote Root Exploit - patch now.

Today 3 new versions of NetSky and one new version of MyDoom were released into the wild. Over the past week, that makes a total of 5 new Netsky versions (.V - .Z), two new MyDooms (.I & .J), and a Blaster (.T), along with all the other new stuff like W32.Opasa and other updated worms. This could be an indication of another increase in activity among these worms, which already have a history of high activity.


While anti-virus software is important, because of the frequency of new releases and the game of one-upmanship that's occurring, it's just as important to make sure users understand safe practices while dealing with these, and that OS and application level patches are kept up to date, along with the obvious anti-virus updates.

A new TCP Reset vulnerability tool was released for Windows today. Existing Snort signatures based on previous tools may not pick this one up, so keep an eye out for new signatures based on this one. While tools to exploit the TCP Reset situation have been released, the Infocon is remaining at Green for the moment. The Windows release of a tool does indicate that a broader range of less-skilled attackers can now make use of it, but use of these tools has not become widespread enough to necessitate a change in the Infocon status. We'll be keeping an eye on the situation, and change the Infocon status if the situation necessitates it.

A new IIS 5 SSL Remote Root exploit tool has been released - this has elevated the situation from a DoS situation to root access. Be sure to install the MS04-011 Security Update or be prepared to rebuild the IIS server later. The tool is new so full impact of this one may not be felt for a couple of days. The MS04-011 Update is also important because this particular exploit, now that it's moved to root access, has a very high likelihood of someone writing a new worm (or as the current trend is, patch one of the current worms or bots) to take advantage of this one.

There has also been mention of probes and scans to ports 1024 - 1029. However, this does not appear to be widespread based on the current port trends, except for port 1024, which is probably unrelated traffic:


But if you happen to be seeing a new trend for 1024 - 1029, it may be worth mentioning. Same goes for increased activity for the TCP Reset vulnerability and IIS 5 SSL DoS and exploit situations.

Handler on Duty, Davis Ray Sickmon, Jr ( http://www.midnightryder.com )


Published: 2004-04-20

SNMP Issues in Cisco Routers; Vulnerability Issues in TCP; SANS Top-20 Call for Experts

When it rains, it pours. Earlier today we saw the public release of vulnerabilities in the implementation of BGP with respect to TCP reset attacks. This evening Cisco published an advisory concerning vulnerabilities in their implementation of SNMP in some versions of the 12.x IOS. The impact of any successful attacks against the vulnerability might result in a denial of service condition. Because of the popularity of Cisco devices and the widespread use of this version of their IOS, the Storm Center urges all Cisco router and switch administrators to check their IOS version and patch if needed by following the instructions on the Cisco web site at

The UK National Infrastructure Security Co-Ordination Centre (NISCC) released a vulnerability advisory today on issues in the TCP protocol.

The full advisory is available at http://www.uniras.gov.uk/vuls/2004/236929/index.htm

According to NISCC, the Border Gateway Protocol (BGP) is judged to be potentially the most affected by this vulnerability. BGP relies on a persistent TCP session between BGP peers. Resetting the connection can result in medium term unavailability due to the need to rebuild routing tables and route flapping. Route flapping may result in route dampening (suppression) if the route flaps occur frequently within a short time interval. The overall impact on BGP is likely to be moderate based on the likelihood of a successful attack. If the TCP MD5 Signature Option and anti-spoofing measures are used then the impact will be low as these measures will successfully mitigate the vulnerability.

Cisco and Juniper are scheduled to publish announcements about vulnerabilities in the implementation of the BGP code in their respective routers this week. The problem is unauthenticated resets of BGP sessions; a full fix requires replacing the router operating system. The respective advisories will include details on where to get updated operating system images.

A temporary workaround to the problem is to enable MD5 checksums on BGP sessions so that BGP peers can authenticate each other's packets and ignore spoofed TCP resets.

TCP resets can be sent without knowing the exact sequence number used on the TCP connection; by simply landing somewhere in the current TCP window, the RST will succeed.

The SANS Internet Storm Center encourages all BGP enabled Juniper or Cisco router administrators to turn on MD5 checksums as soon as possible while testing the patch supplied by router vendors. A widespread attack on BGP sessions and routing tables has the potential to destabilize the Internet, however most ISP's have already applied the appropriate patches and reduced the probability of such an attack.
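As an added illustration (not part of the diary and not any router vendor's code), the Python below reproduces what an RFC 2385 receiver computes over each segment and shows why a spoofed RST that merely lands inside the receive window, which plain TCP honours, is dropped on a signed session. The addresses, ports, peering key and segment contents are constructed.

```python
"""Added example (not from the ISC diary or any router vendor): the RFC 2385
TCP MD5 Signature Option as a receiver applies it, and why an in-window spoofed
RST is dropped on a signed BGP session. All addresses, ports, keys and segment
contents below are constructed."""
import hashlib
import hmac
import ipaddress
import struct

TCP_MD5_KIND = 19        # option kind (RFC 2385)
TCP_MD5_OPT_LEN = 18     # kind + length + 16-byte digest
OPT_EOL, OPT_NOP = 0, 1
FLAG_RST, FLAG_ACK = 0x04, 0x10
BGP_PORT = 179

def rfc2385_digest(src_ip, dst_ip, fixed_hdr, seg_len, data, key):
    """MD5 over: IPv4 pseudo-header, the 20-byte TCP header with checksum
    zeroed and options excluded, the data, then the shared key (RFC 2385 2.0).
    seg_len is the pseudo-header TCP length (header incl. options + data)."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))
    hdr = bytearray(fixed_hdr)
    hdr[16:18] = b"\x00\x00"
    return hashlib.md5(pseudo + bytes(hdr) + data + key).digest()

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                  data=b"", key=None):
    """Build a TCP segment; with a key, append NOP NOP + MD5 option (20 bytes,
    so the header stays 4-byte aligned) carrying the RFC 2385 digest."""
    hdr_len = 40 if key is not None else 20
    seg_len = hdr_len + len(data)
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        (hdr_len // 4) << 4, flags, window, 0, 0)
    if key is None:
        return fixed + data
    digest = rfc2385_digest(src_ip, dst_ip, fixed, seg_len, data, key)
    opts = bytes([OPT_NOP, OPT_NOP, TCP_MD5_KIND, TCP_MD5_OPT_LEN]) + digest
    return fixed + opts + data

def extract_md5_option(options):
    """Walk the TCP option list; return the 16-byte digest of a kind-19
    option, or None if it is absent or malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            return None
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None
        length = options[i + 1]
        if (kind == TCP_MD5_KIND and length == TCP_MD5_OPT_LEN
                and i + length <= len(options)):
            return bytes(options[i + 2:i + length])
        i += length
    return None

def verify_segment(segment, src_ip, dst_ip, key):
    """Receiver check on a signed session: drop the segment if the option is
    missing or the digest does not match (RFC 2385 section 4.1)."""
    if len(segment) < 20:
        return False
    hdr_len = (segment[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        return False
    fixed, options, data = segment[:20], segment[20:hdr_len], segment[hdr_len:]
    got = extract_md5_option(options)
    if got is None:
        return False
    want = rfc2385_digest(src_ip, dst_ip, fixed, len(segment), data, key)
    return hmac.compare_digest(got, want)

def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """Plain TCP's RST acceptance test: any sequence number inside
    [rcv_nxt, rcv_nxt + rcv_wnd) is honoured, which is what makes blind
    resets feasible without guessing the exact number."""
    return (seq - rcv_nxt) % (1 << 32) < rcv_wnd

def demo():
    """Constructed peering: A (192.0.2.1) talks BGP to B (192.0.2.2)."""
    a, b, key = "192.0.2.1", "192.0.2.2", b"a1b2c3d4e5f6g7h8"
    rcv_nxt, rcv_wnd = 1000, 16384              # B's view of A's next seq number
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"  # BGP KEEPALIVE: marker, len 19, type 4
    good = build_segment(a, b, BGP_PORT, 40000, rcv_nxt, 2000, FLAG_ACK, 16384,
                         keepalive, key=key)
    # Spoofed RST claiming to be from A: in-window sequence number, no option.
    spoof = build_segment(a, b, BGP_PORT, 40000, rcv_nxt + 5000, 0, FLAG_RST, 0)
    return {
        "signed_ok": verify_segment(good, a, b, key),
        "wrong_key_rejected": not verify_segment(good, a, b, b"not-the-key"),
        "spoof_in_window": seq_in_window(rcv_nxt + 5000, rcv_nxt, rcv_wnd),
        "spoof_rejected": not verify_segment(spoof, a, b, key),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```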

Below are instructions on how to enable MD5 checksums for several router platforms, additional details on Unix platforms and routing daemons, and reference links with more information on BGP MD5 checksums.

Cisco IOS configuration:

To enable MD5 checksums between BGP peers, enter the following commands from global configuration mode:

router bgp {your_AS_number}

neighbor A.B.C.D password {long_password_value}

So for example, to configure a router that is part of AS 64512 to peer with the router at using the password "a1b2c3d4e5f6g7h8", you would enter:

router bgp 64512

neighbor password a1b2c3d4e5f6g7h8

Please note that the router at would also have to be configured to use the password a1b2c3d4e5f6g7h8 during the peering session as well.

The specific commands to use, including a directive to log when a neighbor joins or leaves a peering arrangement would be:

rtr1#! router 1, local peering address is

rtr1#conf term

Enter configuration commands, one per line. End with CNTL/Z.

rtr1(config)#router bgp 64512

rtr1(config-router)#neighbor password a1b2c3d4e5f6g7h8

rtr1(config-router)#bgp log-neighbor-changes


rtr1#copy running-config startup-config

The step of copying the running-config to the startup-config needs to be performed at some point. You may wish to wait until the connection is confirmed to be stable before performing this step, which makes the change persist even when the router is powered off.

Juniper router configuration:

On Juniper routers, the

authentication-key a1b2c3d4e5f6g7h8

statement can be used globally, on a particular group, or for an individual BGP peer, using one of the following choices:

edit protocols bgp

edit protocols bgp group {groupname}

edit protocols bgp group {groupname} neighbor {address}

Other platforms:

General-purpose Unix platforms also include BGP peering software in the Zebra and Quagga cross-platform daemons and OpenBSD's bgpd. The MD5 checksum checks need to occur in the operating system kernel, so support for MD5 checksums depends on the operating system kernel as well as on the routing software.

Zebra routing daemon ( http://www.zebra.org ):

This routing package for Linux, FreeBSD, NetBSD, and OpenBSD does not appear to support RFC 2385 MD5 checksums.

Quagga routing daemon ( http://www.quagga.net ):

According to the documentation, this routing package for Linux, FreeBSD, NetBSD, OpenBSD, and Solaris does not appear to natively support RFC 2385 MD5 checksums. Please see FreeBSD for some patches for that operating system and Quagga.

Bgpd routing daemon:

OpenBSD's bgpd routing daemon supports RFC 2385 checksums.

Tcpdump packet sniffer ( http://www.tcpdump.org ):

The CVS repository for the tcpdump package includes support for RFC 2385 MD5 checksums via the "-M" command line parameter.

Linux operating system ( http://www.kernel.org ):

The Linux kernel does not support RFC 2385 MD5 checksums natively. There is support in the form of a kernel patch and additional library at

FreeBSD ( http://www.freebsd.org ):

FreeBSD contains output-only support for RFC 2385. This allows it to connect to a router over a signed connection, but it does not accept incoming RFC 2385 connections.

OpenBSD ( http://www.openbsd.org ):

The OpenBSD kernel in OpenBSD 2.6 and above contains RFC 2385 support.

NetBSD ( http://www.netbsd.org ):

The NetBSD operating system does not appear to have RFC 2385 support.

Solaris ( http://www.sun.com ):

The Solaris operating system does not appear to have RFC 2385 support.

Because Cisco implementations only allow 80 character passwords, we recommend you stay under that limit if you either use or peer with any Cisco routers. Juniper routers will go up to 255 characters. The RFC recommends 12 to 24 character passwords. Remember that the password needs to be applied to _both_ peers in a BGP session. If one of the peers does not support RFC 2385, MD5 checksums must be left off for the BGP session between them.

BGP passwords are case sensitive and should not include spaces.

NISCC advisory: http://www.uniras.gov.uk/vuls/2004/236929/index.htm

Cisco announcement:


Juniper announcement (none yet, will be updated when available):


CERT advisory:


CVE entry: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0230

Configuring BGP on Cisco:


Configuring BGP authentication on Juniper:




Global Instability Index, a measure of change in BGP routing tables:


Protect BGP sessions with the TCP MD5 option:



RFC 2385, Protection of BGP Sessions via the TCP MD5 Signature Option


Restricting BGP sessions to specific AS numbers on Cisco:


BGP vulnerability discussion: http://www.nanog.org/mtg-0306/pdf/franz.pdf

Permanent location for this advisory:



- Bill Stearns, the SANS Institute

- Marcus Sachs, the SANS Institute

- Chris Brenton

- Josh Wright, the SANS Institute

- Thanks to the SANS incident handlers for additional notes and

- Thanks also to the authors of the above web resources.

(Version 0.3.2, 4/20/2004)


Call For Experts, SANS Top 20 List for 2004

SANS is looking for experts to participate in the development of the 2004 list of Top 20 Vulnerabilities. If you are interested in helping drive and develop the 2004 research please contact the Editor, Mr. Ross Patel (rpatel@sans.org), with the following details:

• your name

• organisation you represent

• contact details (inc. email and phone)

• a very brief synopsis of your sphere of specialism


Marcus H. Sachs

The SANS Institute


Published: 2004-04-19

Spyware Report Dissected and Thanks For The Malware

Spyware Report

Several news outlets are reporting on a study done by EarthLink, which claims that the share of Internet-connected computers infected with so-called “spyware” software tops 90%. Additionally, the study claims that the average number of instances of “spyware” found on each scanned PC is 27.8 instances/machine.

While these figures sound astounding, it is important to understand exactly how the term “spyware” is defined for the purposes of this report. A review of the data itself shows that there are four categories of items which are considered “spyware.” These categories, and the number of instances discovered by scan are:

System Monitors: 184,559

Trojans: 184,919

Adware: 5,344,355

Adware Cookies: 23,826,785


As you can see, the vast majority of the “spyware” discovered on these “infected” machines consists of adware cookies; not at all a surprising find. In fact, the number of cookies represents nearly 100 times the number of system monitors and trojan programs combined.

While the numbers are certainly not encouraging, when looked at closely, they certainly don’t represent the kind of drastic situation that is being presented in the media.

Thanks For The Malware

We have received several samples of variations of bots/malware today. Thank you for taking the time to forward them to us for analysis. In many instances, we have been able to forward them to AV vendors who will be making updated signatures available to their customers.


Handler On Duty: Tom Liston ( http://www.labreatechnologies.com )


Published: 2004-04-18

New {Phat|Ago|Gao}bot Variant(s) ? - Followup on port 1981 increase

New Phatbot/Agobot/Gaobot perhaps

We have had a few reports that make it appear that a new version of the phatbot is running around the Internet today. Along with probes on tcp ports 2745, 1025, 3127, 6129, 5000, 80 and MS netbios (rpc/dcom attacks), we have now seen reports of port 1433 being included as well. This may indicate a new variant that attempts to break into SQL Server ports as well as exploiting the other vulnerabilities already targeted. If anyone has full packet captures or is able to grab the executable for analysis, please contact the ISC with the information you can provide.

There has also been conjecture that the port 1981 increase is potentially also connected to another variant of phatbot. We are actively attempting to capture packet traces and/or executables that will prove this or help otherwise determine wether the conjecture is correct.

Scott Fendley, Handler On Duty


Published: 2004-04-17

Combined exploits of MS vulnerabilities, port 1981 increase

Possible combined exploits of MS vulnerabilities

It has been a very quiet day, but we are hearing rumors of possible "super" exploits that may target several of the vulnerabilities announced by Microsoft on Tuesday. We've been contacted by an individual who has been infected by such an exploit, but investigation of this is still underway.

Increase in port 1981 activity

There has been an increase in scanning activity targeting port 1981 (possibly Bowl or Shockrave trojan activity, perhaps not) over the last 10 days or so. If anyone has captured any of this activity, we'd like to see the captures.

Yet another signature for sslbomb

We have yet another signature for the sslbomb exploit; some of the earlier ones have been prone to a fair number of false positives. We'd be interested in how well any of these signatures are working.

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( \
msg: "handlers - alpha - SSL DoS Short Client Handshake"; \
content: "|0d06 092a 8648 86f7 0d01 0104 0500 3081|"; depth: 64; \
content: "|0b30|"; distance: 2; \
content: "|0355|"; distance: 2; \
sid: 1090006; rev: 1;)


Jim Clausing, handler on duty


Published: 2004-04-16

New Snort signature for SSL Bomb DoS; Continued MS Exploit Development; Port 905 Slight Increase

New Snort signature for Microsoft SSL Bomb DoS

The following Snort signature may have better detection for the
Microsoft SSL Bomb DoS attack than the ones previously published. This
was contributed by an external organization, where the signature has
been running without false positives for the duration of the day.
Please report any successful detections and/or false positives.

There is also an indication that attackers may be changing the
published exploit code to avoid detection. The below signature is
designed to alert on the root cause of the vulnerability, not a
specific trait of the published exploit.

alert tcp any any -> $HOME_NET 443 (msg: "SSL Bomb DoS Attempt"; \
content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; distance:2; \
within:1; byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; \
flow:to_server,established; classtype:attempted-dos; \
reference:cve,CAN-2004-0120; \
reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \
sid:999999; rev:1;)
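The byte_jump/byte_test sequence in that rule is easier to follow as a structural parser. The Python below is an added example, not part of the diary and not code from the organization that contributed the signature. It walks a ClientHello the way the rule does: record type and version at offset 0, handshake type 0x01 at offset 5, the 1-byte session_id length at offset 43, and then the 2-byte length that follows the session id, which in a ClientHello is the cipher_suites length; it returns True when that length exceeds 255, the threshold the rule's byte_test uses. The build_client_hello helper and every input fed to it are constructed for the test. The snort_align flag is my reading of the rule's align modifier (the jump rounded up to the next 4-byte boundary) and is there to show that a session id whose length is not a multiple of four moves the rule's test off the length field, which is worth knowing when tuning this signature.

```python
import struct

# Threshold taken from the signature's byte_test:2,>,255
MAX_CIPHER_SUITES_LEN = 255


def ssl_bomb_alert(record: bytes, snort_align: bool = False) -> bool:
    """Return True when a TLS record matches the signature's logic.

    Offsets follow the SSL 3.0 ClientHello layout:
      0      record type (0x16 = handshake)
      1-2    record version (0x03 0x00, as the rule requires)
      3-4    record length
      5      handshake type (0x01 = ClientHello)
      6-8    handshake length
      9-10   client version
      11-42  32-byte client random
      43     session_id length, followed by the session_id itself
      next 2 cipher_suites length (the field the rule's byte_test examines)
    """
    # content:"|16 03 00|"; offset:0; depth:3
    if len(record) < 44 or record[0:3] != b"\x16\x03\x00":
        return False
    # content:"|01|"; distance:2; within:1 -> byte 5 is the handshake type
    if record[5] != 0x01:
        return False
    # byte_jump:1,37,relative -> 1-byte session_id length sits at offset 43
    sid_len = record[43]
    if snort_align:
        # Assumption about the rule's "align" modifier: the jump is rounded up
        # to the next 4-byte boundary, so a 5-byte session id jumps 8 bytes.
        sid_len = (sid_len + 3) // 4 * 4
    pos = 44 + sid_len
    if len(record) < pos + 2:
        return False
    # byte_test:2,>,255,0,relative -> big-endian 2-byte length right after the jump
    (cipher_suites_len,) = struct.unpack("!H", record[pos:pos + 2])
    return cipher_suites_len > MAX_CIPHER_SUITES_LEN


def build_client_hello(cipher_suites: bytes, session_id: bytes = b"") -> bytes:
    """Construct a minimal SSL 3.0 ClientHello record (constructed test input)."""
    body = (
        b"\x03\x00"                                   # client version
        + b"\x00" * 32                                # client random (zeros suffice here)
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                 # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    normal = build_client_hello(b"\x00\x2f\x00\x35")      # two suites, 4 bytes
    oversized = build_client_hello(b"\x00\x2f" * 129)     # 258 bytes of suites
    print("normal:", ssl_bomb_alert(normal))              # False
    print("oversized:", ssl_bomb_alert(oversized))        # True
```

Run it with snort_align=True against a hello carrying a 5-byte session id and an ordinary 8-byte suite list: the aligned jump lands inside the suite list, the two bytes read there exceed 255, and the check fires on a benign record. That is the kind of drift a rule tuner should look for before trusting a signature's false-positive count.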

Functional remote LSASS exploit available in CANVAS

It has been reported that the LSASS exploit developed by Immunity, Inc.
( http://www.immunitysec.com/ ) is functional against Windows 2000 SP4.
The vulnerability is fixed by MS-04-011.

There was a posting to the "Full Disclosure" mailing list with the
claim of a different exploit, but this was false.

Local Exploit Released for Windows 2000 Utility Manager Vulnerability

A functional local exploit has been released for CAN-2003-0908. This
vulnerability was released on April 13, 2004. The vulnerability is
patched with MS-04-011 (835732).

The exploit was successful against Windows 2000 SP4. No log entries
were found in the system logs. At this time, it appears the exploit is
NOT successful against Terminal Server logins because the utility
manager program cannot be run remotely. If you have additional
information about this vulnerability or exploit, please send it to


Port 905 Increase

There has been a small surge of scanning for port 905. It appears to
be an attempt to find the Netdevil.B backdoor/trojan that listens on
this port. If you have packet captures of this activity, please submit



Published: 2004-04-15

Exploits Available For MS04-11 Vulns – **PATCH NOW**

MS04-11 Exploits Released

Dave Aitel of Immunity Security has stated publicly that they have released working exploits of two vulnerabilities patched by MS04-011 to their CANVAS customers:


The LSASS.EXE vulnerability can be exploited to run arbitrary code with “system” privileges on vulnerable servers. eEye Digital Security has more details and also confirms the ability to run arbitrary code with “system” privileges using this vulnerability:


Immunity’s claim that they have a working ASN.1 exploit has not been directly confirmed, but we have several anonymous confirmations that working exploits exist.

IT IS IMPERATIVE THAT THE PATCHES PROVIDED BY MICROSOFT IN ITS APRIL SECURITY RELEASE BE APPLIED TO SYSTEMS AS SOON AS POSSIBLE. It is our belief that the likelihood of a worm being released SOON that exploits one of the vulnerabilities addressed by these patches is VERY HIGH.



We have finally been able to reproduce the DoS against an IIS SSL/TLS server mentioned in yesterday's diary. The following is a VERY preliminary "version 1" snort signature that will log an attempted DoS by the exploit that we know is in the wild. It will survive only the most cursory alteration of the exploit, and better versions are in the works (watch your favorite snort signature site). Caveat Emptor, YMMV, Standard Disclaimers Apply, etc..., etc...

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"IIS Malformed \
SSL DoS (MS04-011)"; content:"|14e9 667b 5823 a235 0fd4 317c aec6 8764 \
384e abaa|"; offset: 590; rawbytes; reference:cve,CAN-2004-0120; \
reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \
sid:1040414; rev:1;)

IIS SSL/TLS DoS : UPDATE #3 (4/16/04 02:45 UTC)

A much better signature:

alert tcp any any -> $HOME_NET 443 (msg: "ssl_bomb DOS attempt"; \
content: "|1603|"; offset: 0; depth: 2; content: "|01|"; distance: 3; \
within: 1; byte_test: 4,>,2147483647,5,relative; \
flow: to_server,established; classtype:attempted-dos;)


Various AV vendors are reporting on the latest NetSky variant, NetSky.V, which exploits vulnerabilities in the Outlook/Internet Explorer HTML rendering engine (MS03-032 and MS03-040) to launch itself without requiring the user to click on an attachment. The virus itself arrives as an email message with no attachment, and exploits the vulnerabilities to download and run malicious code.








Thanks to: Erik Fichtner, Ed Skoudis, Mike Poor, and Joshua Wright


Handler on duty : Tom Liston - ( http://www.labreatechnologies.com )


Published: 2004-04-14

IIS Exploit released / Gagobot.XZ

IIS Exploit Released
Today an exploit for a vulnerability in IIS became publicly available. This exploit targets one of the 14 vulnerabilities fixed by the Microsoft MS04-011 Security Update, the SSL Vulnerability (Denial Of Service).
Although this is a DoS exploit, given the number of vulnerabilities fixed by the recent patches, exploits with remote code execution may be expected soon.


We are still receiving complaints about users having problems downloading MS Patches released yesterday. This behavior could be due to the load caused by the updates released yesterday.


A new variant of Gaobot is also scanning port 5000 besides the common ports, trying to exploit an old vulnerability in the UPnP service described in Microsoft Security Bulletin MS01-059.

Judging by the recent variants, it looks like the virus writers are trying harder than usual to get at unpatched machines, both by exploiting services (such as UPnP) and applications (for example Netsky.P, which exploited a vulnerability in Internet Explorer disclosed in 2001).

References: http://www.sarc.com/avcenter/venc/data/w32.gaobot.zx.html

ISC WebCast

Did you miss the monthly ISC webcast? Check http://www.sans.org/webcasts/archive.php


Handler on duty: Pedro Bueno (bueno_AT_ieee.org)


Published: 2004-04-13

Microsoft Security Bulletins Released for April, ISC Webcast on Wednesday

As expected, Microsoft released several security bulletins today. What was unexpected was the volume of fixes they have been working on. We'll go through these tomorrow in more detail on the ISC webcast. Be sure to join us at 1 pm EST (that's 1700 UTC), http://www.sans.org/webcasts/

The bulletin summary can be found at

Because several of these updates address issues that can result in the remote execution of arbitrary code, it is imperative that patches be applied as soon as possible. Recall that only three weeks passed from the July 2003 announcement of the issues in Microsoft's RPC/DCOM module (MS03-026) and the release of the Blaster worm in early August. A similar volatile situation exists today. The amount of time before another significant malware release is never predictable, but what is certain is the fact that efforts are currently underway to write code that exploits one or more of these new vulnerabilities. Considering that an updated version of MetaSploit was recently released; that there is widespread understanding of how Blaster worked (including methods of improving the spreading algorithms); and the fact that there are eight issues in today's basket of patches that allow for remote code execution, we can predict with high confidence that rapidly spreading and potentially damaging malware will appear in the next few days or weeks. Read the updates carefully, and examine all options including the mitigation steps that can be taken before the patches are applied. There have been some early reports that the patches do not install correctly on the first attempt. Patching a test machine is highly recommended before applying patches to a sensitive production computer.

The individual updates are:

MS04-011 Security Update for Microsoft Windows (835732) Critical

This one fixes A LOT of problems:

LSASS Vulnerability (Remote Code Execution)

LDAP Vulnerability (Denial Of Service)

PCT Vulnerability (Remote Code Execution)

Winlogon Vulnerability (Remote Code Execution)

Metafile Vulnerability (Remote Code Execution)

Help and Support Center Vulnerability (Remote Code Execution)

Utility Manager Vulnerability (Privilege Elevation)

Windows Management Vulnerability (Privilege Elevation)

Local Descriptor Table Vulnerability (Privilege Elevation)

H.323 Vulnerability (Remote Code Execution)

Virtual DOS Machine Vulnerability (Privilege Elevation)

Negotiate SSP Vulnerability (Remote Code Execution)

SSL Vulnerability (Denial Of Service)

ASN.1 “Double Free” Vulnerability (Remote Code Execution)

MS04-012 Cumulative Update for Microsoft RPC/DCOM (828741) Critical

More problems with RPC/DCOM:

RPC Runtime Library Vulnerability (Remote Code Execution)

RPCSS Service Vulnerability (Denial Of Service)

COM Internet Services (CIS) – RPC over HTTP Vulnerability (Denial Of Service)

Object Identity Vulnerability (Information Disclosure)

MS04-013 Cumulative Security Update for Outlook Express (837009) Critical

The details make this one sound like it only applies to Outlook Express, but if you examine the CVE entry (currently a CAN) it appears to be a fix for the ".chm" problem we've been discussing lately.

MHTML URL Processing Vulnerability (Remote Code Execution)

MS04-014 Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001) Important

Jet Vulnerability (Remote Code Execution)

Marcus H. Sachs

Handler on Duty


Published: 2004-04-12

Mailbag - Malware Everywhere, IE Unauthorized Printing

Mailbag – Malware Everywhere

We have received several additional reports of malware being distributed from a banner server at sm1.passthison.com. This site is reportedly exploiting the Internet Explorer CHM flaw to compromise systems by including JavaScript in banner advertisements. It isn’t immediately obvious if this is the result of intended action by this site, or the result of a system compromise. Attempts to contact the administrators of the passthison.com domain and the upstream ISP (servint.com) were not immediately returned.

There is some evidence of an automated tool to generate Internet Explorer exploitative code from the following source code comment:
<!-- NEW Z.D.E.-D.B.D. w/ vu083003-H.P.S. (c) April 2004 SmartBot -->

If anyone has any additional information about this tool, please contact the Internet Storm Center.

Another user identified the presence of malware in a SCR attachment posted to several public USENET newsgroups, purportedly offering adult content of a popular pop singer. No malware is reported by Symantec Anti-virus with signatures from 4/12/2004, but strings in the executable content indicate the malware has an embedded Trojan dropper called “ExeStealth”.

Administrators should utilize anti-virus tools with malicious script blocking features and updated signatures to mitigate IE CHM attacks. Be prepared to deploy patches to resolve this serious issue once available.

IE Unauthorized Printing

A post on the BUGTRAQ mailing list indicates that an attacker can force Internet Explorer to print browser content without authorization by the user. Sample code to exploit the flaw was also made available. While this flaw does not allow an attacker to compromise a vulnerable system, it demonstrates another weakness in the popular web browser. Testing on Mozilla 1.7b on Windows XP indicates that it is not vulnerable to this flaw. Sarcasm omitted.

--Joshua Wright/Handler on duty


Published: 2004-04-11

University Security Problems and Another CHM exploit in the Wild

Despite a mostly quiet weekend, the Internet Storm Center has seen some notable activity. The activity noted for the most part falls in the category of old news to most, but I believe is worth exploring further.

University Security Problems - Solaris and Linux

It was brought to my attention that several University environments have been getting attacked and compromised in the past week. This is a daily occurrence for most of us working in the academic world, except recently it has been primarily tied to Microsoft based operating systems. The recent activity being noted is that the trend has started to push toward Solaris and Linux based systems. These systems tend to be better connected on most academic networks and are much more capable systems for launching larger scale attacks without needing to distribute the Denial of Service attack vector of choice. Additionally, many of these systems are connected to "instrumentation" machines used in research and are not heavily patched because patch clusters adversely affect research software. A security breach on one of these machines can have numerous effects on the research, including loss of time and data, potential leaks of confidential data and potential use of the systems for causing more security problems locally or outside the local network.

Over the weekend, it came to my attention that Stanford University has had a number of security incidents from these Unix systems, reversing the trend of the recent past. From Stanford's security alert it appears that the attacks have been local accounts being used for privilege escalation to root account. And that the local exploits have included "do_brk() and mremap() exploits on Linux and the sadmind, arbitrary kernel loading modules and passwd vulnerabilities on Solaris."

It is highly recommended that everyone, especially those in academic settings, take the time to audit your Unix based systems for rootkits, unnecessary services, and prepare for a continued trend of hacker activity in the Unix world. For more information on the Stanford security announcement please see the following URL:

I also recommend that those academic security people please participate in the unisog mailing list hosted by SANS, or the Educause Security list ( http://www.educause.edu/security ).

Another CHM Exploit in the Wild (?)

[ The information below is purposefully vague, as analysis has not concretely proved whether it is coincidental or truly another CHM exploit in production via an ad server. It is noted here to raise awareness of a potential vector for exploiting web browser vulnerabilities. ]

A concerned end user today stumbled across a very odd error while browsing a very normal sci-fi website. The website in question carries a number of banner ads throughout its pages from a variety of science fiction and technology advertisers. One particular banner ad caused an error message for this end user that is somewhat suspicious in nature: Internet Explorer reported a scripting error involving a file called "exploit.chm". At present it has not been confirmed whether this is just a coincidence in names or whether it is consistently reproducible. However, the ad company which owns the particular server has had some bad press for a number of years for questionable web page marketing tactics. As the exploit.chm file is being analyzed, it is worthwhile to note that the CHM vulnerability has seemingly shown up in two or three different places in the last week. As such, if Microsoft releases an appropriate patch on Tuesday, it is the Internet Storm Center's recommendation that you patch quickly. More details on the banner ad with exploit.chm will follow as further analysis is permitted.

Scott Fendley, Internet Storm Center - Handler on Duty
Easter Sunday 2004


Published: 2004-04-10

An unpatched IE exploit invokes a second older unpatched IE exploit

An unpatched IE exploit invokes a second older unpatched IE exploit

It has been a quiet day. One of the handlers (Patrick Nolan) mentioned another unpatched IE exploit: its first part, "incorrect handling of HTML files embedded in CHM files", invokes a second, older unpatched IE exploit (ADODB) to run code of the attacker's choice.

According to the description of the Trunlow Trojan on Symantec's website (http://securityresponse.symantec.com/avcenter/venc/data/trojan.trunlow.html):

The first part of this exploit - "HTML component: This is a piece of html code that downloads and executes the VBScript component. This code may be added to pages on legitimate Web sites whose security has been compromised. Some versions use the exploit described in Bloodhound.Exploit.6."

The second part exploits the ADODB stream object vulnerability to download and execute files.

"By embedding a specially crafted URL in a Web page and having that URL refer to a CHM file containing an HTML file with scripts in it, an attacker could force the user who views the Web page with a vulnerable version of Internet Explorer to download and execute files."

As usual, follow the best practices (patch IE, do not follow unsolicited links, update virus definition etc).


Published: 2004-04-09

Law, spam, and 4899/tcp

Friday April 9th, was moderately busy; there was some discussion
on a new French law. Scanning patterns were largely stable, with the
exception of 4899/tcp. A new anti-spam resource was announced today.

A bugtraq post from K-Otic claimed that a new law in France
could make it illegal to post vulnerability information or hacking
techniques. The "loi pour la confiance dans l'economie numerique"
(loosely translated, the "Confidence law for the Digital Economy") is
claimed to make hacking and vulnerability posts illegal in France.

The handlers' consensus seems to be that this may not be as
severe a law as K-Otic would seem to present. If your company or
organization does work in the realm of vulnerability analysis and has
branches in France, a French lawyer can get you much better advice than
you'll find on either the handlers' list or Bugtraq.

A new anti-spam RBL was announced today. Jeff Chan noted that
the SURBL is now live. Unlike traditional RBLs, which focus on the
sender domain or intermediate relays, this blocklist focuses on the
URLs embedded in spam messages. The SURBL pulls domains from recent
multiply reported spams and republishes them as subdomains of the
sc.surbl.org domain. See
for more information.

The sa-blocklist manual domain project will be live in this URL
RBL format within a few days.
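To make the difference from a sender-IP RBL concrete, here is an added example (not code from the diary, from Jeff Chan, or from the SURBL project) of how a mail filter would consult a URI-based list like the one described above: pull the URLs out of a message body, reduce each hostname to a base domain, and look that domain up as a subdomain of sc.surbl.org. The two-label base_domain reduction is a deliberate simplification and an assumption of this example; the sample message and the mock_resolve function standing in for DNS are constructed, and "any answer means listed" is likewise the example's convention rather than a statement about the list's response codes.

```python
import re
from urllib.parse import urlsplit

# Zone name from the diary entry; the rest of this file is illustrative.
SURBL_ZONE = "sc.surbl.org"

# Crude URL extractor: good enough for plain-text bodies used in this example.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def base_domain(host: str) -> str:
    """Reduce a hostname to a registrable domain.

    Assumption/simplification: keep the last two labels. A production checker
    needs a public-suffix or two-level-TLD table so that 'shop.example.co.uk'
    maps to 'example.co.uk' rather than 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def surbl_query_names(message: str) -> dict:
    """Map each base domain linked from the message to the DNS name to look up."""
    names = {}
    for url in URL_RE.findall(message):
        host = urlsplit(url).hostname
        # Bare IP literals are skipped here; URI lists treat them differently.
        if not host or re.fullmatch(r"[\d.]+", host):
            continue
        base = base_domain(host)
        names[base] = f"{base}.{SURBL_ZONE}"
    return names


def listed_domains(message: str, resolve) -> list:
    """resolve(name) returns the A records for name (empty list if none).

    Any answer is taken to mean 'listed' for this example.
    """
    return sorted(base for base, name in surbl_query_names(message).items()
                  if resolve(name))


# Constructed sample spam body using reserved example domains.
SAMPLE_MESSAGE = """\
Subject: amazing offer
Visit http://WWW.Cheap-Pills.example/buy?ref=1 today!
Unsubscribe: <http://lists.example.org/unsub>
Also see https://news.example.net/story.html.
"""

# Mock zone data standing in for a real DNS query (constructed).
MOCK_ZONE = {"cheap-pills.example.sc.surbl.org": ["127.0.0.2"]}


def mock_resolve(name: str) -> list:
    return MOCK_ZONE.get(name, [])


if __name__ == "__main__":
    print(surbl_query_names(SAMPLE_MESSAGE))
    print(listed_domains(SAMPLE_MESSAGE, mock_resolve))   # ['cheap-pills.example']
```

Wiring this into a real filter means swapping mock_resolve for an actual resolver call and caching negative answers, since every URL in every message turns into a DNS query.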

Scott Fendley reports that scanning for 4899/tcp is quite heavy
at his location. Dshield confirms that 4899/tcp is spiking again after
a few quiet weeks.
There is speculation that there may be an exploit circulating for

Agobot is also scanning heavily.
---- Handler on duty, William Stearns wstearns@pobox.com
http://www.stearns.org/ (security papers and tools)


Published: 2004-04-08

Cisco Malformed IKE Packet Vulnerability

Cisco released information detailing a vulnerability in Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router. Malformed IKE Packets will cause the router to crash and reboot presenting an opportunity for sustained DoS attempts against this hardware. Full details of which software versions are vulnerable and under what circumstances can be found at:


For software versions that are vulnerable, there is no workaround - you must patch.

Handler On Duty, Davis Ray Sickmon, Jr ( http://www.midnightryder.com )


Published: 2004-04-07

2 Cisco Vulnerabilities, New Auto-Executing Virus Capabilities (Bugbear.C), MacOS X Security Update, Metasploit Framework Release

Cisco LEAP Authentication Protocol Vulnerability Exploit Tool Released

A tool that exploits vulnerabilities in the Cisco LEAP authentication protocol was released to the public. The tool purports to actively compromise Cisco LEAP networks by mounting an offline dictionary attack against weak user passwords. For those organizations still using the Cisco LEAP protocol on their wireless networks, it is heavily recommended that this tool be used to assess the security posture of your network. If possible, migration to the Cisco EAP-FAST protocol may be the appropriate course of action. For more information, please see :

Cisco Default Username and Password in WLSE and HSE

Cisco released a security advisory today detailing software packages that have a default username and password pair granting full administrative access to the device, which could also be used to cause a denial of service. The username cannot be disabled and there is no workaround for this vulnerability.

The affected software releases of WLSE (Wireless LAN Solution Engine) are 2.0, 2.0.2, and 2.5.
The affected software releases for HSE (Hosting Solution Engine) are 1.7, 1.7.1, 1.7.2, and 1.7.3.
As this vulnerability can allow a multitude of possible security issues, it is heavily recommended that patches be installed quickly. For more information on the vulnerability and the potential impacts, please see:

Bugbear.C using IE CHM Exploitation

Handlers at the Internet Storm Center noted today a revision to the Symantec Security Response web site involving the Bugbear.C virus. According to the web page…

"The malformed email from the worm uses the Microsoft Internet Explorer
Unspecified CHM File Processing Arbitrary Code Execution Vulnerability
(CAN-2004-0380) in Internet Explorer to run a malicious program. There is no
patch that is currently available for this vulnerability."
From the reports we have gathered, this vulnerability can be used to autoexecute the Bugbear.C virus. The recent discovery of this attack vector appears to pose a distinct security risk for the immediate future. While Anti-Virus vendors can quickly release updates to protect many security conscious users, this virus and any new virus variants using this attack vector _may_ have a window of opportunity to be exceptionally malicious. It is hoped that this vulnerability will have an appropriate patch released as part of the Microsoft patch cycle next week. For more information about the Bugbear.C virus, please see:

For more information about the Internet Explorer CHM Vulnerability along with workarounds, please see the CERT Vulnerability Note VU#323070
(Microsoft Internet Explorer does not properly validate source of CHM
components referenced by ITS protocol handlers) available at:

Apple MacOS X Security Bulletin (2004-04-05)

Apple released a security update bulletin on Tuesday that lists a number of security patches available for the MacOS X operating system. Among the patches listed are fixes for the CUPS Printing system, libxml2, Mail, and OpenSSL. None of the patches appear to be overly critical, but should be addressed by those MacOS X users as a part of their maintenance procedures. For more information, please see:

Metasploit 2.0 exploit framework released
The Metasploit Framework purports to be an advanced platform for developing and using exploit code. As this framework can be used both for good purposes (vulnerability assessment and auditing) and for prototyping malicious code, it is noteworthy that it has become available to the public. There is some speculation that we may see a noticeable increase in attacks or malware using this software over the next few months. For more information concerning the release of this framework, please see:


Scott Fendley, University of Arkansas (Handler On Duty)


Published: 2004-04-05

Continuous multi-exploit scanning / Sadmind exploit

Continuous multi-exploit scanning

Still receiving reports about multi-exploit bot or worm scanning various different ports: 1025, 135, 139, 2745, 3127, 445, 6129, 80, 8080.
References: http://isc.sans.org/diary.php?date=2004-04-01

We received a report about a solaris machine that was compromised by the recent sadmind vulnerability. In SUN's advisory about this flaw, it states that versions 7 and 8 including trusted versions, and version 9 are vulnerable, but that previous versions shipped with sadmind are also vulnerable.

The user had version 2.6 and states that the machine had the latest and greatest security patches from SUN, so he didn't take the mitigation steps from the advisory. Also, SUN apparently only released patches for versions 7, 8 (including trusted) and 9.
Even if you don't have Solaris version 7, 8 (including trusted) or 9, you should carefully read the advisory and apply the suggested workaround.
References: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740&zone_32=sadmind

Handlers on Duty: Pedro Bueno (bueno_AT_ieee.org)


Published: 2004-04-03

W32.Netsky.Q@mm Code indicates a DoS attack


According to Symantec's Security Response Website the W32.Netsky.Q@mm
virus is set to perform a DoS next week. Here is an excerpt from
Symantec's Website information:

If the system date is April 8th, 2004 through April 11th, 2004 it will
attempt to perform a Denial of Service (DoS) attack against the following






This worm is taking advantage of unpatched systems to exploit the
"Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability.


Symantec has a removal tool available at:

If you are not absolutely sure that your computer is free from the Netsky
worm, you should download and run the removal tool on your computer.

According to Trend Micro it also contains the following encrypted
internal text strings embedded within its code:

We are the only SkyNet, we don't have any criminal inspirations.
Due to many reports, we do not have any backdoors included for spam
relaying. and we aren't children. Due to this, many reports are wrong.
We don't use any virus creation toolkits, only the higher language
Microsoft Visual C++ 6.0. We want to prevent hacker, cracking, sharing
with illegal stuff and similar illegal content.
Hey, big firms only want to make a lot of money.
That is what we don't prefer. We want to solve and avoid it.
Note: Users do not need a new av-update, they need
a better education! We will envolope...
- Best regards, the SkyNet Antivirus Team, Russia 05:11 P.M -

For more information see:


Deb Hale
Handler on Duty


Published: 2004-04-02

More agobot/phatbot/polybot variants, cPanel resetpass exploit

More agobot/phatbot/polybot variants

We've received e-mail today of several sites reporting infections of machines that are apparently current on patches and running current anti-virus signatures that have been infected with what appear to be agobot/phatbot/polybot variants. We're still awaiting more detailed forensic examination of the infected machines.

cPanel resetpass exploit

We also received e-mail today from an individual who has captured evidence of attempts to exploit the cPanel resetpass vulnerability described at


in order to propagate a bot of some sort.


Jim Clausing


Published: 2004-04-01

Possible new multi-exploit bot or worm (request for information), Rose IP Fragmentation, Scammers making use of backdoored machines

Possible new multi-exploit bot or worm (request for information), Rose IP Fragmentation, Scammers making use of backdoored machines

There have been multiple reports of a new multi-exploit bot or worm; however, none of the handlers have been able to get a code capture yet. This new item has been attempting an overflow on the following ports:

1025, 135, 139, 2745, 3127, 445, 6129, 80, 8080

There have been very minor variations in the ports reported (ports 8080 and 139 were missing in two reports, for instance). The ports listed are either ports typically open for other services or ports opened by MyDoom and the other flurry of competing worm versions.
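The port list above (repeated in the April 5 entry, "Continuous multi-exploit scanning") is what a firewall or DShield submitter actually sees, so the practical detection is "one source sweeping several of these ports in a short time", not any single port. The Python below is an added example, not code from the diary or from DShield: it parses a simplified, constructed firewall-log format, keeps only hits on the reported port set, and flags a source that touches at least MIN_DISTINCT_PORTS of them within a WINDOW. The log format, the sample lines and the two thresholds are assumptions of this example; the port set is the one reported in the diary.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Port set reported in the diary for the multi-exploit bot
BOT_PORTS = {1025, 135, 139, 2745, 3127, 445, 6129, 80, 8080}
# Tuning knobs: assumptions for this example, not values from the diary
MIN_DISTINCT_PORTS = 4
WINDOW = timedelta(minutes=5)

# Simplified log line shape used by this example (constructed, not a real product's format):
# "<date> <time> <DROP|ACCEPT> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>DROP|ACCEPT) TCP "
    r"(?P<src>\d+(?:\.\d+){3}):\d+ -> (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_bot_scanners(log_text: str, min_ports: int = MIN_DISTINCT_PORTS,
                      window: timedelta = WINDOW) -> dict:
    """Return {source_ip: sorted bot ports} for sources that hit at least
    min_ports distinct ports from BOT_PORTS inside some window-long interval.

    Sweeping the set is the bot's signature; a host that only talks to 80 and
    8080 (an ordinary web client) or spreads its probes over hours is left alone.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _dst, dport = parsed
        if dport in BOT_PORTS:
            events[src].append((ts, dport))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # by timestamp
        for i, (start, _) in enumerate(evs):
            seen = {port for ts, port in evs[i:] if ts - start <= window}
            if len(seen) >= min_ports:
                flagged[src] = sorted(seen)
                break
    return flagged


# Constructed sample: one sweeping host, one web client, one slow single-port-per-half-hour host.
SAMPLE_LOG = """\
2004-04-01 10:00:01 DROP TCP 192.0.2.10:4123 -> 198.51.100.5:135
2004-04-01 10:00:02 DROP TCP 192.0.2.10:4124 -> 198.51.100.5:139
2004-04-01 10:00:02 DROP TCP 192.0.2.10:4125 -> 198.51.100.5:445
2004-04-01 10:00:03 DROP TCP 192.0.2.10:4126 -> 198.51.100.5:2745
2004-04-01 10:00:03 DROP TCP 192.0.2.10:4127 -> 198.51.100.5:3127
2004-04-01 10:00:04 DROP TCP 192.0.2.10:4128 -> 198.51.100.5:6129
2004-04-01 10:00:10 ACCEPT TCP 192.0.2.20:5001 -> 198.51.100.5:80
2004-04-01 10:00:11 DROP TCP 192.0.2.20:5002 -> 198.51.100.5:8080
2004-04-01 10:00:20 DROP TCP 192.0.2.30:6001 -> 198.51.100.5:135
2004-04-01 10:30:20 DROP TCP 192.0.2.30:6002 -> 198.51.100.5:445
2004-04-01 11:00:20 DROP TCP 192.0.2.30:6003 -> 198.51.100.5:139
2004-04-01 11:30:20 DROP TCP 192.0.2.30:6004 -> 198.51.100.5:2745
"""

if __name__ == "__main__":
    print(find_bot_scanners(SAMPLE_LOG))   # {'192.0.2.10': [135, 139, 445, 2745, 3127, 6129]}
```

Lower MIN_DISTINCT_PORTS or widen WINDOW to catch the variants the diary mentions that drop 139 and 8080 from the list, at the cost of more noise from legitimate hosts that happen to reach 80 and 445 on the same server.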

Reports of this particular traffic go back as far as March 25th by some accounts. If you have more information on this, especially code captures, please contact the handlers.

While this diary entry was being written, someone provided what could be more information on the subject: this may be a modified W32/Agobot-EM that doesn't show up in current Sophos & Symantec definitions. The same reg keys, file names, and hosts file modifications are made. More information can be found here, if this is indeed the same item:


There's a new fragmentation attack (called the Rose Attack) that affects a variety of systems. The attack can cause dropped (legitimately fragmented) packets, rejected fragmented packets, or CPU hanging depending on the system. The announcement of this technique is here:


While many of the worms out there are being used to create great places for spammers to do their dirty work, a new use for these machines has surfaced. Scam creators are using these machines to run fake online stores and credit card scams. Utilizing home machines makes the job of tracking the scams down just a little bit harder:


Handler On Duty,
Davis Ray Sickmon, Jr (http://www.midnightryder.com)