Once again this week I had the opportunity to look at a computer that had been visited by the world of NEWdotNET.

The initial complaint from the computer's owner was that they couldn't connect to the Internet anymore.  The error they were getting was "An error occurred while renewing interface Local Area Connection: the requested service provider could not be loaded or initialized.", along with various protocol errors.  Another error indicated that there was a socket error.  Upon initial investigation I found that NEWdotNET was installed on the computer. 

This is not the first time that I have dealt with a computer that had been lured in by NEWdotNET, so I head to NEWdotNET's website to check the removal instructions.  Of course, I can not find removal instructions easily, so I search the web to see what removal instructions I could find.  There in the search I did find NEWdotNET's webpage with removal instructions.  Following the instructions on the NEWdotNET removal website proved to once again leave me less than satisfied with their removal procedures.  In researching the removal of the "garbage" installed by NEWdotNET, I discovered that they are now changing the winsock and tcp/ip stack with their own code.  Of course, now when you attempt to remove the programs and settings made by their installs you are left with a computer that can no longer connect and lots of socket errors.  In spite of the claims from their website that following the removal procedures will remove the software,  I found that it does not.

Off to Microsoft Knowledge Base to find out what can be done to return the computer to the settings that Microsoft intended XP to have.  I came across a knowledge base article that has the steps needed to determine and recover winsock corruption.  So step by step I made my way through the process to recover the winsock and repair the corruption.

Ok now the winsock is reset. What about TCP/IP?  I found another article on Microsoft's Knowledge base that dealt with the TCP/IP stack and the need to reset it after a winsock error.  So now, step by step I repair the TCP/IP stack as well.

http://support.microsoft.com/kb/299357/en-us

All is well the computer is once again running. All of the NEWdotNET leftovers have been removed. 

So what is NEWdotNET?  As far as I can tell they are a DNS provider. From their website "NEW.NET seeks to become the world's leading domain name registry by introducing and selling domain names with new extensions that offer greater relevance and meaning than current Web site addresses ending in .com, .net, and other existing top-level domains. We are making this possible initially by encouraging millions of users to activate their Internet browsers to recognize NEW.NET domain names and partnering with leading Internet Service Providers to activate our domain names automatically at the network level."

Sounds innocent enough, however, in order for me to see those web pages that have the other extensions, I have to have their software installed.  Their software is a plug-in to the browser that you are using.  According to Counter Exploitations site:

http://www.cexx.org/newnet.htm

"The NewDotNet software is what we like to call Foistware: it's something that you probably didn't ask for, and never felt a need for, but it came along anyway with an unrelated program you downloaded. NEWdotNET accomplishes this by compensating the authors of unrelated third-party software, which has ranged from media players to peer-to-peer file sharing programs, for "bundling" the browser plugin with their program. At one time, NEWdotNET advertised a 5 cent commission for each system the plugin was successfully installed on; however, we are unable to find current published figures for compensation."

It appears that NEWdotNET is not happy about the adverse publicity that their software has received over the years.  They claim that their software is not being installed without the permission of the owner of the computer.  I really take issue with this.  Of the computers that I have worked on that have had the software installed, I can not find one person who confirmed that they knew that NEWdotNET was being installed and agreed to the installation. 

From the website… they themselves claim to have 174,661,619 enabled users.  My question is how many of the nearly 175 million users even know that the software is installed?  How many agreed to the installation?  How many realize that the software leaves the computer open so that newdotnet can update the software whenever an update comes along (and by the way doesn't inform the user that an update is being done)?

(I would really like to know how many people actually remember being asked to install the newdotnet software.)

This computer may well have been the biggest challenge that I dealt with in 2006.  Some of you are probably saying, "Man why don't you just format and reinstall".  Sometimes I do, but if I didn't go through these types of exercises I would never know how this stuff works, I would not understand what to look for next time and would not be able to help people understand the importance of things anti-virus software, anti-spyware software and firewalls. 

I encourage each of our readers to take a look at what programs are running on your computers.  Make sure that the computers in your home, especially community computers are free from spyware, viruses and the like.  Make a resolution for 2007 to clean up your computers, check out the programs that are running on them and make sure that you understand what they are.  Make sure that your Anti-virus software, anti-spyware software is up-to-date and that you have a good firewall in place.

With that I wish each and every one of you a Happy New Year and a safe and prosperous 2007.

Relax, you pundits of the pristine ISC blog, we are not going off-topic again. This story is about what can happen when you use a popular search engine in an attempt to look up side effects of a prescription drug. Thus happened, when Louis entered "Percocet" (a pain medication) and made the mistake to click onto the least sensible search result: http://www. pharmacy. topsearch20.net/search.php?q=percocet
I recommend you continue reading before you do like Louis and click on the above. Because the page returned, in addition to peddling cheap drugs, also includes two nifty IFRAMEs:


Again, these are - at the time of writing - live URLs, hosting bad stuff. Dont go there. Or, if you must, at least don't complain to us if you turn your PC into a brick while "investigating" the site.

statrafongon[dot]biz resolves to 81.95.148.35, which in itself already is an indication that something fishy could be waiting there - this IP range (81.95.148.0/20) is one of the address segments used by the CoolWebSearch gang in Russia to propagate their toys. Let's look at what they serve this time:

new.php?adv=8 contains a copy of the MS06-014 (MDAC/RDS.Dataspace) exploit. The exploit used is lifted pretty much in verbatim from the Metasploit framework, in fact the successful exploit would even write the downloaded malware as "metasploit.exe" to the disk.

strong/08/index.html contains obfuscated Javascript:



While the Tom Liston Method(tm) to unravel such scripts is highly effective, I still prefer to do my unstuffing in Perl under Unix: $cat index.html | perl -pe 's/\%(..)/chr(hex($1))/ge' does the trick easily, and shows us that the page includes no less than five IFRAMEs, named exp1.htm to exp5.htm. Downloading and looking at each of these files individually, we found the following:

exp1.htm contains a different exploit for the same MS06-014 (RDS) vulnerability already seen above.
exp2.htm contains yet another stab at MS06-014.
exp3.htm goes after the WebViewFolderIcon (MS06-057) hole, again borrowing the code practically unchanged from Metasploit
exp4.htm contains an exploit of the VML vulnerability (MS06-055).
exp5.htm goes after the recent XML core services bug (MS06-071), and is using a copy of the PoC code posted at milw0rm.

The strategy to use five exploit variants seems to work - when I tested these files with some AV products, none was able to spot all five attempts. When successful, all five exploits would try to download and run a "win32.exe" off the same site. At the time of discovery (when Louis stumbled onto the site), win32.exe brought back a blank screen at Virustotal. By now, the situation has improved a bit.

The lesson learned? As far as we could determine, nothing happened to Louis' PC. Not because of his Antivirus, only because his PC was diligently patched. Otherwise, this pain reliever could have had serious side effects.

• Vista has what's called "defense in depth" by Microsoft. Most of us think of something with multiple devices creating layers, but Microsoft uses the term for a way they use inside a machine to give processes and resources a level of trust. Low level processes cannot access higher classified assets.
  
  • IE has been given a low trust level. After asking questions it was still unclear if outlook would be low as well. It seemed the answer pointed to the attachments being low but outlook and the emails themselves not. But I might have misunderstood.
  • User processes are at a medium trust level.
  • Service processes are at a high level.
  • System is still the highest trust level.
• Even when logged on with local admin rights, processes are not started by default with those rights. The demo was rather convincing with notepad refusing to save a file in c:\windows\ even though the user had admin rights. To start the application the local admin needs to right click and start notepad with additional rights.
  
• There is a "secure desktop" used for switching users, logging in and being prompted for allowing additional rights needed by processes. The normal desktop is grayed out during such prompts making them rather hard to ignore. Note: the default is not accept but cancel. This secure desktop should somehow (unspecified how) make it more secure to do these prompts.
  
• Signed application can voluntary say in their profile what they are expected to do and not to do. Vista will enforce that profile and terminate processes stepping outside of their profile. Eg.:
  
  An MTA could have a profile that it's only going to listen to port tcp/25.  Suppose the process gets exploited and starts to listen on another port to open up a backdoor: Vista could terminate the process right there.
  Since the thing is voluntary I'm wondering where the incentive will be for developers to use the belt and suspenders approach.
• Virtualization: Once you tried once to get your users to give up local admin rights, you know it's a pain. For the least bit they need help and additional permissions. And just about any application you need won't play nice without a 10 round fight. Vista addresses this by virtualizing the filesystem for older "legacy" applications. If the application wants to drop an .ini file in c:\windows\, it's not given an error, but the file is dropped in an user owned directory instead. Reading obviously matches this to cheat the misbehaving application into working without having write access to critical directories.
  
• The well publicized locking of kernel mode additions on 64bit kernels only (32bit would break drivers apparently, there are no to very few 64bit drivers that would break according to the presenter. Not in the presentation obviously, but there' the entire fight between Microsoft and the antivirus industry over this as well.
  

    A number of days ago, a reader pondered about the possibility of an SNMP "Slammer Worm" based on the vulnerability described in MS06-074.  What would it take exactly for there to be another "Slammer"-like event?  A worm outbreak requires two major components: an internet worm, and a vulnerable population.  The model for the internet worm is made up of further sub-components: the scanner, the propagation code, and the exploit. Scanning routines influence the success and impact of a worm.  Poorly written scanning routines have limited many promising young worms in the past.  A lot of time has been spent studying the scanning methods of worms, I've wasted an hour or two on it myself, take a glance through www.wormblog.com to see the number of white-papers and academic works on the topic.  The propagation code must be written to accommodate any limitations placed upon it by the vulnerability exploited (such as size limitations, and NOP codes, or other constraints on the injected data.)  Some overcame these limitations by using a staged approach.  This workaround has its drawbacks, as the secondary stage can add its own limitations to the worm since the transfer may fail because of firewall rules or, the source of secondary payload my make a lucrative target for incident handlers.  Finally, the vulnerability must allow for unauthenticated remote execution of arbitrary code.  Since proven scanning routines are publicly available, and there are multiple examples of propagation code in circulation, the announcement of any network-visible vulnerability that allows unauthenticated remote execution of arbitrary code creates a potential situation.

     A quick review of MS06-074:

SNMP Memory Corruption Vulnerability (CVE-2006-5583)

CVSS (Base)  : 10.0 http://nvd.nist.gov/cvss.cfm?name=CVE-2006-5583&vector=(AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N)

Exploit code: Privately Available

     Now, some special things about SNMP are since it's UDP, the source IP address can be spoofed without affecting delivery of the exploit, also, knowledge of the SNMP community string may or may not be required to successfully deliver the exploit.

     This brings us to our second requirement for an "outbreak event," a vulnerable population.  Although a lot of systems are running SNMP, not that many are running with UDP/161 open to the internet.  On the other hand, there are a class of networks that may have UDP/161 allowed in from "trusted" 3rd party networks.  Which, based on the spoofability of UDP, isn't such a sound security practice.  These particulars alone would have limited impact on worm development, though the general inaccessibility to the SNMP port is a major limiting factor on the success of the potential worm.

    The limited size of a vulnerable population severely limits the possibility of a generalize Internet worm with "slammer"-like impact.

    If there was a large population ripe for an MS06-074 worm, I still reason that there would not be a "slammer"-like worm exploiting this vulnerability.  I left out one important criterion for a worm in the model above.  In addition to Scanning routines, propagation methods, a vulnerability exploit, and a vulnerable population, a worm also needs a motivated creator in order to come into existence.  (I'm chagrined to admit that malware follows a model of intelligence design, and not Darwinian evolution.)

    The model of the malcode author has changed these past years.  Monetary gain has now outpaced the egotistical quest for fame/notoriety, etc. as the driving motivation behind malcode creation.  A malcode author wants to be able to leverage their creation, so now you see botnets, not internet worms.

    So, we will not likely see an SNMP "slammer" worm.  The question should be: "will we see an SNMP 'SDbot'?"  Because of how SNMP is often implemented, I don't see a large chance of that either.

    With exploit toolkits like metasploit and webattacker, every new vulnerability that is discovered runs the possibility of becoming an "event."  Neither of these toolkits will create an internet worm like slammer.  Instead they make smaller, harder-to-detect events that can be leveraged by the criminal to cause more damage in the long run.

Maybe no mice, but if the internet is on, plenty of things are flowing.

First, reports of a few million break and enter in Australia, New Zealand and some of the pacific Islands, possibly related to the unauthorised air traffic in the same regions.  Also wanted for littering (not collecting animal droppings).

On a packet note:  
Cheat Trojan

Robert reported that a friend downloaded a Battlefield cheat which proceeded to infect his system. We'll be having a look at that one. 

Webmin
Gordon has reported that he is seeing some packets with flags (CWR ECE) set, going towards webmin ports. There was a new release back on the 28th of November, but currently no reported vulnerabilities.

Port 855/2967
Port 8555 and 2967 activity has tapered off (for the moment).  This specific instance we were looking at looks like a variation of  the SAV activity of recent weeks.  If your corporate AV is not yet up to date (that is software, not just patterns) then you may still be vulnerable.  The timing of this was exquisite, just the few days of the year on which corporate types would be on the net and checking emails, finishing off that last report etc.

SPAM

Spam in AU has tapered off a little as well over the last day or two.  One or two readers have reported similar results in their region.  Everybody probably has already bought their, medicine, extensions, reductions, software and penny stock for the year.   Maybe with the January sales it will start ramping up again.

Happy holidays to all from the ISC

• Christmas.exe
• Christmas+Blessing-4.ppt
• Christmas_Puzzle.exe
  
• ...

With thanks to Michael for sending in the powerpoint sample.

The abuse of the season greeting habit by the bad guys isn't somthing new. We warned about it last year (Dec 2005) already. It's still just as a valid as it was then.

--
Swa Frantzen -- Section 66

• Check for the avatar upload directory reinforced
  
• Changes to the criteria for "bad" redirection targets
  
• Fixed a non-persistent XSS issue in private messaging
  
• Fixing possible negative start parameter
  
• Added session checks to various forms
  

The packet challenge is going well, with people in alternate time zones favoured or those of us that have no life, sorry I meant to say work late.

The first correct response was received by Morgan (wd), smartly followed by Mike and Kenny and his colleague M.

Check the list twice as this little Santa got the order wrong initially and that seems to be a common thing.

Cheers

Mark

Shearwater

Challenge Link

Vulnerabilites that are widely known and/or actively exploited are of great interest to our readers, here we try to keep an overview of them

--
Swa Frantzen -- Section 66

Heise brings us "Offline Update 3.0" to do offline installations of Microsoft patches.

Read more about it at: http://www.heise-security.co.uk/articles/80682

Now this is a great concept. You can actually make a DVD to install the patches before you connect a PC (that's out of date on patches) to the Internet. If you think you can safely do that without this tool, take a second and think it through knowing that some of your friends needing a house call might have a USB connected DSL or cable modem and therefore not be using NAT, next take a look at the survival time and think how long it takes to get a windows system from original media to a fully patched status.

So, if you're going to visit parents, family or friends over the holidays, start your preparation now and make that disk today to take along. It'll improve the obligatory "Could you take a look at our computer while you're here?" response time dramatically and gives you a safe way to reinstall systems without a hardware based firewall.

If you have networks that you do not want to connect to the Internet cause the risks involved of doing that are just too big for the sensitivity of the involved data this might also become a way to patch those off-line machines.

--
Swa Frantzen -- Section 66

It seems like there is a revival going on of the botnet exploiting the Symantec Anti-Virus vulnerability. It was originally reported on by Joel on Nov 27th.

But the traffic scanning for port 2967 is back. It seems new Command and Control centers are active for it as well.



--
Swa Frantzen -- Section 66

• block port 161/udp and 162/udp at your permiter (snmpv3 may use tcp).
• use a hard to guess community string (anything but "public").
• disable snmp listeners if you do not need them.

Overview of the December 2006 Microsoft patches and their status.

--
Swa Frantzen -- Section 66

One of our readers is reporting a fairly recent increase in ICMP packets hitting his firewall. If you're seeing the same we'd like some data:

• on the importance and timeframe of the increase;
• the type of ICMP packets you're receiving;
• some idea of how it correlates (sweeping your address range, just hitting one IP, coming from all over, coming from specific hosts, ...);
• if possible a small sample of some out of the ordinary packet captures.
  

--
Swa Frantzen -- Section 66

Will drew our attention to an interesting read in Stefan Esser's blog. It's about his resignation from the PHP Security Response Team. It's interesting to note that he both discovered and reported about PHP vulnerabilities in the past.

It seems the bottom line will be that we can expect some changes in how vulnerabilities in PHP are going to be handled in the future. It might include advisories about vulnerabilities without there being patches available. It might also mean an increase in the number of reported vulnerabilities.

Anyway it'll be worth it to add his PHP security blog to your routine if you need to know about PHP vulnerabilities.

Announcements about security vulnerabilities in widely deployed open source software without the matching patch is a very dangerous situation, so we hope this doesn't escalate too far.

--
Swa Frantzen -- Section 66