Handlers - Down and Out in the Magic Kingdom
Once upon a time, eight handlers traveled to a Magic Kingdom, leaving their friends behind to sweep the floors, empty the ashes from the fireplace, and mind the store. And lo, while their friends did labor long and hard, the eight naughty handlers danced and played among the inhabitants of that Magical place until they began to look and act... well... right at home. Of course they moaned and complained that their time in the Magical Kingdom wasn't fun at all, but the friends they left behind knew better.
So, if you happen to be attending SANS 2006 and you see either Snow J or any of the dwarves... tell 'em we said "hi." (Note: Sincere apologies to Walt, his heirs, and assigns... Corporate lawyer-types: It's parody. Lighten up.)
Trouble Brewing? - Port 106 Activity
An Assignment From Professor Packetslinger of the School of Loose Screws
Update #1
We have received an overwhelming number of emails as a result of this diary. This is to clarify a couple of things. Yes, this professor could have set up his own system for the students to use; yes, the students could have been instructed to get permission from the owners of the systems first; yes, any number of things could have been done to make this a valuable, worthwhile learning experience. Unfortunately, that was not done.
We have also received several emails asking us to release the name of the institution this refers to. We won't do that, as we were asked not to in the diary. It is our policy at the ISC to provide confidentiality when requested; that is what allows us to cover controversial subjects such as this one. Yes, what is being done by this institution of higher education is wrong. We are pursuing a satisfactory resolution as best we can. We also have not published, and will not publish, the entire document.
John Bambenek, one of our handlers, who works at the University of Illinois, had this to say on the subject:
It's high time that the principles of academic freedom stop providing shields for felonious conduct or eventually the people and the government will take it away all together.
We have also received a number of emails suggesting that we have a legal obligation to report this. We are aware that this may be a possibility. We assure all of our readers that we will do what is right. We may not talk about what we did, but we will do our best to make sure that this type of activity does not continue. We truly want the Internet to be a safe place for all to work and play.
Hopefully this will answer some of the questions and concerns that are arising from this article.
Update #2
We have received indications there has been a partial callback of the assignment. We're inviting the professor to contact us directly for any statement and/or clarification he might want to offer.
If he does contact us with a statement, we will update the diary again. Again, thanks to all who contacted us concerning this, both the good and the bad. We have responded to as many as we could (of course not to the ones that gave us phony email addresses). We at the ISC appreciate the participation of everyone, whether you agree with us or not. We learn a lot from the pros and the cons and enjoy the interaction.
We received an email today from a concerned colleague at one of the state colleges in the US. We promised the colleague that we would not reveal the name or school, so I won't. It is tempting, but I won't. This is an actual assignment. I am not making this up; this IS the real thing.
So here is the story of the assignment from Professor Packetslinger. In a Computer Security class in the Winter of 2006 (which, by the way, is next year if I remember correctly) the students have been given an assignment. The assignment is worth 15% of the final grade for the class. (So refusing to do the assignment could very well drop a student from an A to a B or worse in the blink of an eye.)
The "TASK"
Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.
You got it. This is verbatim. Professor Packetslinger wants the students to conduct illegal activity: port scanning and vulnerability scanning. He wants them to write an evaluation of what they find: what ports are open and what service could be running on them, host names and IP addresses, OS, version, last update, patch status, what shares are available, what kind of network traffic there is, and what vulnerabilities they see.
Hmm – seems to me that Professor Packetslinger wants the students to do all of the background work for him.
Ok so now what must the students submit in writing to Professor Packetslinger?
Let's see what he wants:
What the student must submit
The note to the students:
In conducting this work, you should imagine yourself to be a security contracted by the owner of the computer system(s) to perform a security evaluation.
(This tells me that Professor Packetslinger is well aware of the law, and of the fact that doing this without express permission and authorization IS against the law in most countries and municipalities: the same laws that the students are being asked to violate.)
The student must provide a written report which has the following sections: Executive summary, description of tools and techniques used, dates and times of investigations [AKA break ins, our words], examples of data collected, evaluation data, overall evaluation of the system(s) including vulnerabilities.
Can you believe it? Amazing, simply amazing. One important thing Professor Packetslinger failed to request:
Dates of student's incarceration so that they can be excused from class and not counted absent.
Ok, so the concerned colleague who contacted us about Professor Packetslinger and his assignment went on to explain:
"We've barked this one up our own tree of management. Word came down this morning that no direct action will be taken against the professor, but if we catch any students doing these scans against our computers we will not be exempting them from our existing procedure. Specifically, disabling their student account and referring them to the Student Dean of Corrections."
In other words: we won't discipline Professor Packetslinger, and we won't stop the assignment from going forward. As long as the students don't scan our computers, it is OK. If they scan our computers, they will be reprimanded and lose their privileges on campus.
This is incredible; this university is encouraging illegal activity. They are encouraging students to do something that is, in the words of fellow handler Adrien:
Illegal, unethical, immoral.
How about just plain stupid and ignorant.
And handler Swa had this to say:
Doing it is illegal in many parts of the world. But using authority to have somebody else do something illegal is in some places on this world even worse than the act itself and any decent prosecutor should chop the prof in fine pieces over this.
Actually inciting somebody to do something illegal (even if the act isn't performed) might be a case on its own. Now if he fails a student over this, they might have no more reason not to put down an official complaint for being asked to perform illegal acts.
First thing to do: recall the assignment; tell the students they should not even consider it. Next (public) apologies from the professor are the least. But at the _very_ least don't let him near kids anymore, as an educator he's a miserable failure.
This from our resident comedian Tom:
Spamming for Fun and Profit.
It is hard for me as a security professional to understand the logic of Professor Packetslinger. I have relatives in the fair city in which this prestigious state university resides. I am going to ask them to keep an eye on the local paper and shoot me off articles about the arrests. And I definitely will not recommend this school to my friends and relatives. My sympathy goes out to the students that will be forced into completing this assignment. My sympathy to their families, especially those who are caught and charged with computer crimes. I just hope that the dear professor gets to experience the full impact of his illegal, unethical and immoral acts and he too gets to spend some time behind bars.
How about the school?
As fellow handler Lorna put it:
Wonder how the school would feel about a law suit launched against THEM because of this assignment!
The school is allowing this assignment to go forward. They are as guilty of this crime as the professor and the students. They too need to pay the price and a lawsuit against them would be a small price to pay.
Deja Vu - Snow.A
Other - "first attempts to infect files which are running processes", "its main .EXE component respawns when it is terminated, making termination more difficult."
W32/Snow.a
http://vil.nai.com/vil/content/v_138727.htm
PE_SNOW.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_SNOW.A
Followup on challenge "Spam, Recon or ??"
First (which was the reason for this diary originally) is not to become complacent when looking at traffic. That is one that will bite you in the end (no pun intended :>). For example, remember in the diary that I initially wrote for this challenge I said "It has often been said that if you want to hide something, hide it in plain sight." Well, that is so true, and if you have read the diary entry called Malware: When "comments" become commands, it reinforces the same concept. The malware is going to a specific website repeatedly. However, if you looked at the site, you would see nothing out of the ordinary. Many folks don't even look at normal web traffic. This is one that would fly under the radar, even with seasoned analysts, as the malware spaced out the visits since it was on a timer. However, if you did an analysis of all your web traffic, this site might show up and might raise red flags. The whole point is that the author of this malware hid everything in plain sight and made it look like normal web traffic.
Second is to always try to determine if there is a logical reason for the traffic before you don your tin foil hat and proceed to think that there are folks everywhere who are after you. A happy medium is required. You need to determine, for your organization and its security needs, what is the best fit. However, I hope this has made you think twice about just hearing a port and saying "oh, it has to be ....." and never looking at it, or just seeing traffic and assuming that it is something without investigating it.
Let me start off by saying that a lot of folks did a lot of good work on this. Even if your analysis was not on target, that's OK. There were several things about this that led me down the same path that many of you took. My analysis proved wrong later when we finally got captures of what it actually was. However, kudos goes to fellow handler Don Smith, who nailed it right off the bat.
So, without any more ado.....the results of the analysis. As a refresher you can read the diary that started this all:
Spam, Recon or ??: You make the call!!
The packets turned out to be what some folks (including Don) thought they were: pop-up spam rejects, where the spammer was spoofing the IP range of our submitter, which is why he got the ICMP responses back. Here is a capture of the payload of some of the traffic: Payload of ICMP Packets
There were several things that many of you caught that made you wonder if this was indeed pop-up spam. Some made me wonder too, such as:
- three types of ICMP messages (you can expect this if you are probing the security of the network)
- a source port of 0
- the DF (Don't Fragment) flag set on a few of the packets (strange when you are sending UDP with such a small payload)
- TTL timeouts on some (why would you set it so low if you want to get the spam through and ensure it doesn't time out?)
- ICMP Type 11 (Time Exceeded) had IPs getting two packets each, while ICMP Type 3, Code 13 (Communication Administratively Prohibited) did not duplicate IPs
Yeah, many things caught my eye in this traffic, the same as they did yours. From all indications, though, it's just pop-up spam. Here are some of your thoughts and analysis on the traffic. Some of these do not have a name associated, honoring the submitter's request. Other analyses were submitted, but folks asked not to be included. To everyone who submitted an analysis, I thank you! If I accidentally skipped someone, please let me know and I'll be happy to include you here. It was fun, and I hope everyone learns from it. We'll have to play again sometime!
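The evidence that settles a case like this lives inside the ICMP error messages themselves: a Type 3 or Type 11 message carries the IP header (plus the first 8 bytes of payload) of the packet that provoked it, so the embedded source address, source port, DF bit and TTL are the spammer's, not the submitter's. The following is an added example, not code from the diary, that decodes those messages and tallies the observations listed above. The sample traffic is constructed here; the 192.0.2.0/24 range, the targets and the UDP ports are made up for illustration.

```python
"""Decode ICMP error messages and recover the header of the packet that
triggered each one.  Added example, not from the diary."""
import ipaddress
import struct
from typing import Dict, List, Optional

ICMP_ERROR_NAMES = {
    (3, 3): "Destination Unreachable: Port Unreachable",
    (3, 13): "Destination Unreachable: Communication Administratively Prohibited",
    (11, 0): "Time Exceeded: TTL exceeded in transit",
}


def parse_icmp_error(icmp: bytes) -> Optional[Dict[str, object]]:
    """Decode an ICMP type 3 or 11 message (bytes start at the ICMP header).
    Returns None for anything that is not an error carrying an IPv4 header."""
    if len(icmp) < 8 + 20:
        return None
    itype, icode = icmp[0], icmp[1]
    if itype not in (3, 11):
        return None
    inner = icmp[8:]  # original IP header followed by the first 8 bytes of its payload
    ver_ihl, _tos, _tlen, _ident, flags_frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", inner[:12])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    rec: Dict[str, object] = {
        "type": itype, "code": icode,
        "name": ICMP_ERROR_NAMES.get((itype, icode), "other"),
        "inner_src": str(ipaddress.ip_address(inner[12:16])),   # address the sender claimed
        "inner_dst": str(ipaddress.ip_address(inner[16:20])),   # host the sender really aimed at
        "proto": proto, "ttl": ttl, "df": bool(flags_frag & 0x4000),
        "sport": None, "dport": None,
    }
    if proto in (6, 17) and len(inner) >= ihl + 4:   # TCP and UDP both begin with the two ports
        rec["sport"], rec["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return rec


def summarize(packets: List[bytes], our_net: str) -> Dict[str, object]:
    """Aggregate the points the diary discusses: message types, whether the
    provoking packets claim one of our addresses as source, zero source ports,
    the DF bit and the TTLs in use."""
    net = ipaddress.ip_network(our_net)
    out: Dict[str, object] = {"by_type": {}, "claims_our_source": set(), "real_targets": set(),
                              "zero_source_port": 0, "df_set": 0, "ttls": set()}
    for pkt in packets:
        rec = parse_icmp_error(pkt)
        if rec is None:
            continue
        key = f"{rec['type']}/{rec['code']}"
        out["by_type"][key] = out["by_type"].get(key, 0) + 1
        if ipaddress.ip_address(rec["inner_src"]) in net:
            out["claims_our_source"].add(rec["inner_src"])
        out["real_targets"].add(rec["inner_dst"])
        out["zero_source_port"] += rec["sport"] == 0
        out["df_set"] += rec["df"]
        out["ttls"].add(rec["ttl"])
    return out


def build_icmp_error(itype, icode, src, dst, sport, dport, ttl, df):
    """Constructed sample only: forge the ICMP error a router would return for a
    UDP datagram src:sport -> dst:dport (checksums are left as zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0x4000 if df else 0, ttl, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", itype, icode, 0, 0) + ip + udp


# Constructed traffic modelled on the diary's description: a spammer forges our
# (made-up) 192.0.2.0/24 addresses as source; targets and ports are invented.
SAMPLE = [
    build_icmp_error(3, 13, "192.0.2.10", "198.51.100.5", 0, 1026, 2, True),
    build_icmp_error(11, 0, "192.0.2.11", "198.51.100.7", 0, 1026, 1, False),
    build_icmp_error(11, 0, "192.0.2.11", "198.51.100.7", 0, 1026, 1, False),
    build_icmp_error(3, 13, "192.0.2.12", "203.0.113.9", 0, 1027, 3, True),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(parse_icmp_error(pkt))
    print(summarize(SAMPLE, "192.0.2.0/24"))
```

Run against a real capture, feed `parse_icmp_error` the bytes after the outer IP header of each ICMP packet; if every inner source falls inside your own range while you never sent those datagrams, the source was spoofed, and the inner destinations are the hosts actually being sprayed.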
Out of cycle oracle patch part II
Integrigy published a report that might be of use to our readers.
--
Swa Frantzen
Security Awareness (from students point of view)
Greetings everyone,
Sorry it has been so quiet the last 48 hours. It is rare that there isn't something to report in that time. Perhaps this is the long quiet before a storm?
As many of you realize, I work in academia, so a lot of my time is spent keeping your sons and daughters from doing stupid things on the nice brand new computers you bought them for graduation/birthday/Christmas. The rest of my time I usually spend trying to balance two seemingly opposite things: securing our network and anything connected to it, while at the same time respecting the need for our traditionally open network environment. So any time something comes out to help me in the security awareness world, I am usually looking for ways to leverage it for the good of the campus.
Last fall, the EDUCAUSE/Internet2 Computer and Network Security Task Force and the National Cyber Security Alliance held a video contest for students to come up with creative ways to raise awareness about security issues, and recently announced the winners. Their press release is located at http://www.educause.edu/PressReleases/1175&ID=1280 and the winners' videos are located at http://www.educause.edu/SecurityVideoContest/7103 . It is very interesting to see security through the eyes of the younger generation. And to think that in a few short years, they will most likely be working for you or your company. Most of the videos are good and have my creative juices going on how to better educate the students and the faculty alike.
I hope that in the corporate environment, maybe some of these may spawn better/newer security awareness ideas for educating your staff. Perhaps some of the companies are large enough that you can create your own creative videos involving your specific security problems of the year. Maybe you aren't that large, but I do encourage you to think outside the box for creative ways to raise awareness.
For those not ready to develop their own awareness program, SANS offers awareness training over the Internet for the corporate environment. It comes complete with motivational posters and on-line exams.
NOTE: the security videos above do have terms of use associated with them. So, please do not steal them for your own commercial uses unless you have the permission of the owners. However, if there is one you really like, send the owners a scholarship or offer them a job at your company after graduation. You never know, they might let you use it directly in your security training or record one especially for you.
Winamp buffer overflow
Plugin auto-installation a good thing?
Malware: When <!-- comments --> become commands
I started to look at the malware and got it unpacked in my faithful debugger when I saw some strings that always pique my interest... those that give you a command shell. I always like those. There was also a URL in the strings, so I fired the malware up in my VM and saw that it indeed wanted to go to that URL. I looked at the source code for the actual URL and found nothing really unique about it. There were two .htm files in that website's directory structure. One we'll call "file.htm" and the other "file2.htm". A regular user gets "file.htm" when they visit the site, but the malware wanted "file2.htm". The only difference between the two files was 8 little characters commented out at the top using the HTML comment markers "<!--" and "-->", which seemed interesting.
Well, if it wants a website... give it a website (isn't VM great). I set up a website for my malware using copies of the .htm files from the actual site and sent it on its happy way. A packet capture showed the malware going to the website, establishing a connection, getting the file it wanted, sending an ACK for it and then a RST ending the connection. My curiosity was piqued, but what exactly was the purpose of it going to that specific site? So when I encounter something new and cool and really need an expert on the code..... what do I normally do..... find my fellow handler Tom Liston and see if he has time to play!
Tom (many thanks to you, Tom!) and I spent a lot of time looking at this, and the mystery is not yet solved as to how it is working in its entirety. But it's scary as it currently exists. Not the delivery of it, but the malware itself. The malware gets installed by a user clicking on a link in the email to download a file and then opening that file, or by opening the attachment and running it. The .exe installs itself and runs as a service. The malware contacts the site and does a GET; the site passes the page back, and it looks just like normal web traffic to the casual observer. The malware, however, parses the first 64 bytes of the page it gets, which means it grabs those unique little characters at the top and a little more. Then it uses "<!--" as the left delimiter and "-->" as the right delimiter and pulls the characters out of the middle. It runs them through several commands, but it doesn't appear that the string on the page is the one it's looking for right now. Nothing is happening with it at this point. We have theories as to what the malware is doing and we are working to confirm them.
However, it doesn't take much to realize that it is a unique approach and many nasty things could be done. It's really just another sad indicator of the direction that malware is going and of how much more difficult our battle to keep our networks secure is becoming.
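To make the parsing behaviour described above concrete, here is an added example (not code from the diary, and not the malware's own code) that reconstructs what the bot does with a page: inspect only the first 64 bytes and pull out whatever sits between the first "<!--" and the following "-->". The two pages are constructed stand-ins for file.htm and file2.htm; the eight characters inside the comment are invented. The second function is the defender's side of the same observation: ordinary pages begin with a doctype or a tag, so a comment ahead of all markup in the first bytes of a response is a cheap thing to hunt for in proxy logs.

```python
"""Reconstruction of the comment-as-command parsing the diary describes.
Added example; not the diary's code and not the malware's code."""
from typing import Optional

WINDOW = 64            # the diary: only the first 64 bytes of the response are examined
OPEN, CLOSE = b"<!--", b"-->"

# Constructed stand-ins for the two pages the diary calls file.htm and file2.htm.
# The eight characters between the comment markers are made up for this example.
FILE_HTM = b"<html><head><title>Welcome</title></head><body>Nothing to see.</body></html>"
FILE2_HTM = b"<!--a1b2c3d4-->" + FILE_HTM


def extract_comment_command(page: bytes, window: int = WINDOW) -> Optional[bytes]:
    """Return the bytes between the first '<!--' and the following '-->' when both
    fall inside the first `window` bytes, else None.  Because the bot looks only
    at that window, a comment that starts late or closes after byte 64 yields no
    command at all, exactly like a page with no comment."""
    head = page[:window]
    start = head.find(OPEN)
    if start < 0:
        return None
    end = head.find(CLOSE, start + len(OPEN))
    if end < 0:
        return None
    return head[start + len(OPEN):end]


def comment_precedes_markup(page: bytes, window: int = WINDOW) -> bool:
    """Detection heuristic: True when a comment is the very first thing in the
    response (ignoring leading whitespace).  Legitimate pages can do this too, so
    treat a hit as a lead to look at, not as a verdict."""
    return page[:window].lstrip().startswith(OPEN)


if __name__ == "__main__":
    for name, body in (("file.htm", FILE_HTM), ("file2.htm", FILE2_HTM)):
        print(name, extract_comment_command(body), comment_precedes_markup(body))
```

Pointing the extractor at saved copies of a suspect site's pages tells you, without running the sample again, which page would be treated as carrying a command and what that command string is.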
Out of cycle Oracle patch?
T. Brian Granier
Handler on Duty
OS X is clearly on the radar of exploit-developers.
Love it or hate it, OS X users need to exercise increased vigilance.
Soon, even your beloved little Mac laptop will be spending its spare CPU cycles sending out advertisements for Viagra and Cialis.
The recent news of these vulnerabilities in the OS is getting plenty of attention. Some would argue that things are being blown out of proportion. I think there is some lazy journalism and sensationalism afoot. Yet, like any FUD storm, there is usually some kernel of truth. In this case, the kernel is not so small and insignificant.
A quick review of some critical points:
- The OS X Finder issue allows arbitrary execution of code.
- There exists proof-of-concept code that demonstrates this vulnerability.
- There exist easy-to-use tools in the wild to actively exploit this vulnerability.
- The Bluetooth Directory traversal vulnerability (Bugtraq ID 13491) allows an attacker to access arbitrary files on the system.
- There exists malicious code in the wild that exploits this (OSX.Inqtana.A; no CME available).
- OS X has a disparity of controls when it comes to file headers and file icons.
- This was exploited by OSX.Leap.A
Secure or Easy-to-Use: Pick one. "Security is a compromise" is a well-known axiom. In an effort to use as little hype as possible, I only suggest that now is the time for Mac users to seriously consider anti-virus, personal firewalls, and safe browsing habits. It is time for Mac sysadmins to develop strong patch management policies. This likely means that a Mac is no longer the no-brainer choice for what computer to get for your parents.
It would also be simply splendid if Jobs would release his patch clusters on any day other than MS Tuesday.
A Sad-day for Customer Service
Today at the day-job we crossed a threshold. Some would say we took a step backward. As of today, everyone who sends an email to our abuse@dayjob address will receive an auto-response. The old days of a human response within 24 hours are now forever-gone at my organization. The increased load of traffic and the plummeting percentage of messages that actually needed a response have brought us to this decision.
Let there be a Moment of Silence.
Where are all of the articles?
There's quite a bit going on that we can't publish (not everyone who writes in wants their name in lights.) Nothing worth changing the InfoCon over. Suitably-obfuscated reports will be released later.
Mwcollect and Nepenthes merging
Antiphishing.org Trend Report
W32/Feebs again
If some of these domains sound vaguely familiar.... http://isc.sans.org/diary.php?storyid=1035
Update 1023 UTC: Looks like it spreads as an email with the subject "Secure Message from GMail.com user", and contains a ZIP attachment (data.zip in the sample at hand), which in turn contains a file "Encrypted Html File.hta", which contains the heavily obfuscated JavaScript exploit code that triggers the W32/Feebs download from the above sites.
Update 1700 UTC: AV detection is available by now, at least from some of the "bigger" vendors.
Vendor       Engine     Definitions   Detection name
BitDefender  7.2        02.22.2006    Win32.Worm.Feebs.1.Gen
Kaspersky    4.0.2.24   02.22.2006    Worm.Win32.Feebs.cb
McAfee       4703       02.22.2006    W32/Feebs.gen@MM
Panda        9.0.0.4    02.22.2006    Suspicious file
Sophos       4.02.0     02.22.2006    W32/Feebs-Gen
Symantec     8.0        02.22.2006    W32.Feebs
Sophos false positives on Mac OS X
Files were detected as infected with OSX/Inqtana-B (Sophos' analysis).
We've also been informed that Sophos pulled the incorrect IDE file and fixed the problem. If you experience these false positives, be sure to download the latest IDE files.
Serious flaw on OS X in Apple Safari
Full text of the article: http://www.heise.de/english/newsticker/news/69862
Proof of concept from the original discoverer (Michael Lehn): http://www.mathematik.uni-ulm.de/~lehn/mac.html
The problem is due to a feature that is activated by default: "Open 'safe' files after downloading". A ZIP file is considered safe, so it is opened automatically. Subsequently, a shell script inside it with no #! line at the beginning is executed automatically. No user interaction!
Recommended action: disable the option "Open 'safe' files after downloading" in the "General" preferences section in Safari.
Getting viruses out of the AVG virus vault
Here are the steps I documented.
I loaded a test virus named eicar on my system to work out the details. It's not really a virus. It will not spread, infect or damage your computer. Rather, it's a string that nearly every antivirus product recognizes as a virus.
More information on eicar is available here: http://www.eicar.org/anti_virus_test_file.htm
This process includes disabling portions of your antivirus software. Don't forget to re-enable it, and I would recommend you disconnect from ALL networks while your AV scanner is disabled.
AVG's virus vault is located in a hidden folder at the root of the C drive.
It's called C:\$VAULT$.AVG.
Steps to export viruses from the AVG vault for analysis.
1: Create a directory to store the files in.
2: Open AVG.
3: Select the virus vault.
4: Click on the virus you wish to restore.
5: Choose restore, that will prompt you for the directory to restore the virus into.
6: Select the directory created in step 1
7: AVG will alert again if it's in active monitoring mode. Choose continue.
8: Turn off avg resident shield protection if you plan to package the viruses up for submittal for malware analysis.
9: Select the AVG resident shield, unselect "turn on AVG resident shield protection", and click Apply.
Remember to turn the resident shield back on as soon as you're done with the virus.
Steps to package up a directory of infected files for submittal for malware analysis.
1: Open WinZip. If it's not installed you can get a 45-day trial version here: http://www.winzip.com/.
If you use it more than 45 days, please pay for it.
I wrote these directions assuming you chose classic WinZip, not the wizard, during installation.
2: Select new
3: Select a filename and location. C:\bad is the one I used. This is where the zip file will be created.
4: In the options section, check the box that says "encrypt added files".
5: In the "look in" bar, go to the directory you saved the virus in (infected).
6: Type a password; you will have to verify it. Any encryption is usually acceptable. "infected" is the password most commonly used by anti-virus vendors and malware analysis professionals.
DHS wants your comments.
DHS wants to improve software security.
They have put up a website to help programmers make more secure software. They would also like comments on two documents:
The Software Lifecycle, and The Software Assurance Common Body of Knowledge.
The documents and an online comment form are available at the Build Security In Website.
Comments on the two documents are due by Tuesday, February 21.
https://buildsecurityin.us-cert.gov/portal/resources/
The 866-PC-SAFETY poll
You can find the international support numbers at http://support.microsoft.com/common/international.aspx
Also see http://www.microsoft.com/gp/securityhome for other ways of contacting/getting info from Microsoft about security-related problems.
-----------------------------------
Jim Clausing, jclausing --at-- isc.sans.org
New variant of mambo exploit making the rounds
-------------------------
Jim Clausing, jclausing --at-- isc.sans.org
More spam for your inbox
It's nice to see that all the spam countermeasures we deploy actually are effective. How do we know that? Well, spammers are constantly trying new tricks against various spam detection methods, with more or (usually) less success.
One of the latest "tricks" from their bag consists of sending extremely short e-mails in order to starve the decision matrix of the Bayesian classifier.
The sample e-mail below looks like a desperate move by a spammer to evade spam detection.
We can see that the e-mail body contains only a couple of words, but there is a ZIP archive as well. In the archive there is an HTML web page, together with some disclaimers(!!). The HTML web page is the actual spam content (this time some porn spam advertisement with links to PayPal; they're obviously trying to make some money).
The disclaimer is even more interesting:
 XXX Content Warning
 .............................................
 Please read and comply with the following conditions
 before you continue:
 .............................................
 I am at least
 21 YEARS OF AGE.
And so on. This is probably some kind of legal defense, as they are advertising porn web pages.
We've seen two variants of this spam. They are basically similar, but in the other case the ZIP archive is actually password protected and the password is listed in the message body. This can cause various e-mail gateways to alert (as this looks pretty much like a worm).
Apple's Ode to Hackers
So, I have to wonder if the poetry embedded into OS X is funny to anyone but me.
Mac OS X Bluetooth Worm
Multiple Exploits Available for MS06-005 and MS06-006
In the last 24 hours a total of four exploits have been released - two each for MS06-005 and MS06-006.
MS06-005 - Vulnerability in Windows Media Player Could Allow Remote Code Execution
MS06-006 - Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution
Mac OS X trojan - OSX/Leap
You almost have to work hard to get infected; it seems like this is just the beginning of more Mac OS X malware to come, with stronger capability to spread.
Details can be found at:
http://www.ambrosiasw.com/forums/index.php?showtopic=102379
http://www.macrumors.com/pages/2006/02/20060216005401.shtml
http://vil.nai.com/vil/content/v_138578.htm
------------
Jason Lam
Malware Analysis Quiz 6
I enjoyed creating it, and I hope that you enjoy answering it!
Check it here! Any comment can be done to me at pbueno //&&// ( isc. sans. org ).
MS06-005 proof of concept exploit released
------------
Jason Lam
Linux kernel 2.6 ICMP bug resulting in remote DoS
Over a week ago, the 2.6.15.3 Linux kernel included a patch to address a bug in the icmp_send function that would crash the kernel resulting in a DoS. The current latest stable Linux kernel is 2.6.15.4 available from http://www.kernel.org/. Details are available at http://www.securityfocus.com/bid/16532/.
For mitigation, I choose to quote HD Moore since he has put it most simply 'The easy fix is to block ICMP until you upgrade your kernels...'. 'nuff said.
SANS ISC Receives Award
Marcus H. Sachs
Director, SANS Internet Storm Center
OS X Software Update to 10.4.5, and now I wonder if I missed one?
I do find it interesting that at the time of my viewing of the following URL for the apple.com knowledge base detailed information Security Update page the most recent entry is from Jan 10th. There is no mention of a Kernel issue there, though I'm sure they'll catch up. http://www.info.apple.com/kbnum/n61798/
A worrisome observation, which may simply be my failing senses, is that my PowerBook is, as of this writing, running 10.4.3, and today we have the 10.4.5 release. I'm pretty good about paying attention to software updates; did anyone else experience this loss of awareness?
I unfortunately do not have a test subject (i.e. coworker) to have patch their OS X installation first, so I'm going to bite the bullet and go for broke. Software Update here I come... <<CONNECTION TERMINATED>>
:) Just kidding. I really do like my powerbook.
Problems with MS patch KB913446 (for the IGMP issue, MS06-007)
Happy Valentines Day and Black Tuesday
Stay tuned for the updates on the little fellars.
New IE 0-Day Drag-N-Drop-N-PopUnder-N-GrabFocus-N-DoTheHokeyPokey Vuln.
Phollow the Phlopping Phish
Strap in, boys and girls... it's gonna be a bumpy ride.
You grab a line, and I'll grab a pole...
"It just isn't fair," thought Joe Sixpack as he sat grumbling at his desk. His boss and the Director of IT had just spent the last 40 minutes chewing him out over something that wasn't even his fault. He needed more space on his computer for his MP3s, and those stupid .DLL files had been taking up so much room... How was he supposed to know they were important? He was in the middle of a particularly good daydream involving the boss, a cattle prod, the hot little receptionist from accounting, and a Labrador retriever, when he was distracted by his freshly re-installed computer's brainlessly chipper pronouncement: "You've got mail!"
Now Joe Sixpack was no dummy. He knew all about those online scams that tried to trick you into giving out your personal information... what were they called... "phoning"... "pharting"... "phishing"... That was it: phishing!
He was going to be really, really careful.
The email looked to be authentic... it had the Mountain America logo, and it certainly sounded authentic, especially when it warned him that his credit card would be "disabled" if he didn't do what it asked. Those bankers... Type-A personalities, all of them. He couldn't let his credit card be disabled! He had just gotten his cable bill set up to be paid through his Visa!
Joe pulled out his wallet and looked carefully at his Mountain America Visa card, and it did indeed have the correct numbers, just like those shown in the email. He was pretty certain that the only way anyone could know that his card had those numbers on it was if they were Mountain America, but he decided that he had still better be careful. What was it that his boss had said earlier?... Something about Joe being so stupid that if he saw a sign saying "wet floor," that he would. Well, he wasn't stupid, and he would prove it.
Looking at the email, he saw that there was a link in it. He thought back to the in-service that the Director of IT had held a few months back. It was a particularly memorable experience for Joe, because he managed to sit right next to the hot little receptionist from accounting, and he was able to spend most of the boring talk peeking down her blouse. While he remembered little of the actual meeting (beyond the receptionist's taste in lacy undergarments) Joe thought he recalled something about links in email being bad. Yes... yes... that was it. You were never supposed to click on a link in an email... clicking on link was a bad thing but the exact reason it was bad was somehow all mixed up inside Joe's brain with hazy visions of something hot-pink from Victoria's Secret.
In any case, he wouldn't click on the link... he would re-type the address of the website.
As he typed in the address, https://www.mountain-america.net, Joe thought that it seemed a bit odd. He thought that he remembered that the correct address for the Mountain America website was different. But he also remembered a few months back, in the midst of a similar "I'm not stupid" episode following a similar butt-chewing from the IT Director, he had tried to prove that the real Credit Union site was bogus because it contained links to another site with a funny name. The IT Director had patiently explained that while it wasn't a good thing, sometimes banks and credit unions used other "special purpose" sites for...well... special purposes. He explained that those sites could cause people to be confused, just as Joe had been, and because of that, it wasn't a good idea. He had also showed Joe how to confirm that the site did indeed belong to the bank.
Because, on that occasion, the IT Director wasn't competing with cleavage and lace for his attention, Joe actually remembered exactly what he had said and done. Keeping that in mind, and after carefully typing the website address, Joe checked out the page that appeared before him:
Sure enough, there at the bottom of the screen, he saw what the IT Director had clicked on: the little lock. Joe clicked, and was presented with a new window that explained that the site was indeed legit... someone called Equifax (that was trusted by his browser) vouched for them.
"Cool," thought Joe, "I'm really getting the hang of this whole Internet thing!" And, just to prove that he was... what was it his son always said?... oh yeah..."leet,"...he clicked on another button on the window. This brought up an entirely new window, filled with mind-numbing gobbledygook.
Joe puzzled over this window for a few moments, trying to make sense of it.  It appeared to have something to do with proving that this website was really owned by his credit union, but most of it seemed to be written in a foreign language. He looked it over a few more times and was just about to close the window when he noticed what looked to be a website address on one of the lines. The address pointed to something called "businessprofile.geotrust.com," and although he didn't know if it was important or not, he typed it into his browser's address bar to see what he could find.
Wow... he really was "leet." It appeared that he had found even further confirmation that this website was legit, this time from a company called "ChoicePoint." Right there, it said that the website address was part of Mountain America of Salt Lake City, UT.
Joe knew that the headquarters of his credit union was indeed located in Salt Lake City... it said so on every quarterly statement that he received.
If his credit union thought that it was important that he registered for this Verified by Visa program, then hey, he'd do it. He was humming to himself and thinking happily of the hot little receptionist from accounting as he typed in his Visa card's number...
...and we'll go phishin' in the crawphish hole...
So, what did Joe do wrong? Well... for once: nothing. He went above and beyond what we could possibly expect an end user to do. And yet he still got phished.
He didn't follow a link. He checked the certificate. He even went so far as to double-check the certificate issuer's facts.
Joe was let down by the very infrastructure that was supposed to be there to protect him.
What happened?
I talked earlier today to a representative of Equifax/GeoTrust, and asked a simple question: how do you confirm that someone really is who they claim to be when issuing an SSL certificate? I got a response that sounded really quite good. There was official documentation required: copies of business licenses, articles of incorporation, etc... There was official confirmation required: checks made with the Secretary of State's Office in the state of incorporation, a requirement that the business be in good standing, etc...
And still, some scummy phisher got an SSL certificate that appears to link him back to the actual credit union.
I asked about the ChoicePoint information and whether it was used as verification and was surprised to learn that ChoicePoint wasn't a "source" of data for the transaction, but rather was a "recipient" of data from Equifax/GeoTrust. According to Equifax/GeoTrust, "as part of the provisioning process with QuickSSL, your business will be registered with ChoicePoint, the nation's leading provider of identification and credential verification services."
What more could any burgeoning identity thief ask for?
What is going on here? How can this be happening? Internet e-commerce is founded on SSL, and SSL is founded on the trust that the companies handing out SSL certificates are doing their homework and are verifying that the companies sitting behind their certs are who they say they are.
To paraphrase one of my favorite movie lines: "What we have here is a failure to authenticate..."
Finally, banks and credit unions that send out email with clickable links teach their customers incredibly dangerous habits. Financial institutions that use multiple domain names are setting their customers up for disaster. And, of course, any financial institution that isn't checking their referrer logs for odd and unknown sites is a time bomb waiting to explode.
Come on folks. It's hard enough to keep the end users from shooting themselves in the foot... don't give them a loaded gun.
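The referrer-log check recommended above, as an added example (this is not code from the diary): a script that reads a web server's combined-format access log and lists the referring hosts that are not on an allow-list of the institution's own domains. A phishing page that hot-links the real site's logo, or that sends its victims on to the real site once it has their card number, leaves its own hostname there. The log lines and the example-cu.org domain names are constructed for the demonstration; www.mountain-america.net is the look-alike domain from the story.

```python
"""List referring hosts that are not our own domains.

A phishing page that hot-links the real site's images or stylesheets, or
that forwards victims to the real site once it has their card number,
leaves its own hostname in the real site's access log as a Referer.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Domains the institution legitimately uses (assumed names for this example).
KNOWN_GOOD = {"example-cu.org", "online.example-cu.org"}

def referer_host(referer: str) -> Optional[str]:
    """Lower-cased hostname of a Referer value, or None if absent or unparseable."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None

def is_known_good(host: str) -> bool:
    """True if host is one of our domains or a subdomain of one (a look-alike is not)."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD)

def unknown_referers(lines):
    """Count hits per (referring host, requested path) for referers outside KNOWN_GOOD."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = referer_host(m.group("referer"))
        if host is None or is_known_good(host):
            continue
        req = m.group("request").split(" ")
        path = req[1] if len(req) > 1 else m.group("request")
        hits[(host, path)] += 1
    return hits

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/2006:10:01:02 -0700] "GET /images/logo.gif HTTP/1.1" 200 4120 "https://www.mountain-america.net/vbv.php" "Mozilla/4.0"
203.0.113.9 - - [12/Feb/2006:10:01:09 -0700] "GET /images/logo.gif HTTP/1.1" 200 4120 "https://www.mountain-america.net/vbv.php" "Mozilla/4.0"
198.51.100.7 - - [12/Feb/2006:10:02:15 -0700] "GET /login HTTP/1.1" 200 2211 "https://www.example-cu.org/" "Mozilla/4.0"
198.51.100.8 - - [12/Feb/2006:10:03:44 -0700] "GET /styles/site.css HTTP/1.1" 200 871 "-" "Mozilla/4.0"
192.0.2.33 - - [12/Feb/2006:10:05:01 -0700] "GET /login HTTP/1.1" 200 2211 "http://online.example-cu.org/start" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for (host, path), n in unknown_referers(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {host}  ->  {path}")
```

Run it over the real log with `unknown_referers(open("access.log"))`; two hits on the logo from one unfamiliar host are exactly the signal the last paragraph is asking you to look for, and they appear before the first victim calls in.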
0 Comments
Exploit #2 released for for Windows Services Insecure ACLs Local Privilege Escalation
0 Comments
Targeted Trojan attacks?
I received a number of responses to the Diary entry below reporting similar _emails_. The reports showed or pointed to HTML emails with similar contents and construction. Viewing the emails with the MS email client set to "text" only reveals a GIF attachment to the email.
In a few cases the HTML emails were flagged as phishing email by various AV products. In one case the email was flagged both as a phishing email and separately as a trojan/pwstealer/keystroke logger.
I received analysis summary results of the Sun site's illicit.GIF file from two AV sources. Their analyses were similar, so quoting one of them: "The only thing I would add is that it has been verified the GIF is not some executable code, but just a 'clean' image inside an HTML email where the image is hyperlinked. Clicking on the image takes one to a phishing site."
Thanks Mugg and Eric Chien for taking the time to follow up on the Diary.
So that leaves me with many other protection, detection and incident response questions that their analysis raises; I'll look at those and report any results as resources allow.
Thanks again to everyone who submitted information, samples and pointers to samples.
Original Diary Entry Follows;
You have to love it when malware blows through your ISP's email gateway AV, hits your desktop, and only 2 vendors flag it. This has been occurring regularly over the last few months. Some of today's email details are below. At this time only F-Secure and Kaspersky catch it; F-Secure says "malware found Trojan-Spy.HTML.Bayfraud.in (virus)".
After Googling the Subject of the email I'm writing about, "eBay Customer Notice: Details Confirmation", I saw a few results; one was at archives.java.sun.com. Sun has been notified.
That page also references the trojan I was sent; only the image name is different. At the Sun site it's named illicit.GIF [image/gif], and there's a date/time visible on the page display [Fri, 21 Oct 2005 23:44:45 +0100], though who knows how trustworthy that date information is. If it's accurate, then based on the Jotti and VirusTotal results below it's a touch troubling: the file would have been around since October 2005 and still only one scanner flags it.
If you're seeing any of these please drop us a note. Thanks!
illicit.GIF analysis results at Jotti and Virustotal.
Jotti.Org says
File: illicit.GIF
Status: INFECTED/MALWARE
MD5 15492310e33e16810c4d880b8f343f8d
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Spy.HTML.Bayfraud.in
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
This is a report processed by VirusTotal on 02/12/2006 at 20:13:06 (CET) after scanning the file "illicit.GIF".
Antivirus Version Update Result
AntiVir 6.33.0.81 02.11.2006 no virus found
Avast 4.6.695.0 02.10.2006 no virus found
AVG 718 02.10.2006 no virus found
Avira 6.33.0.81 02.11.2006 no virus found
BitDefender 7.2 02.12.2006 no virus found
CAT-QuickHeal 8.00 02.11.2006 no virus found
ClamAV devel-20060126 02.12.2006 no virus found
DrWeb 4.33 02.12.2006 no virus found
eTrust-InoculateIT 23.71.74 02.11.2006 no virus found
eTrust-Vet 12.4.2074 02.10.2006 no virus found
Ewido 3.5 02.11.2006 no virus found
Fortinet 2.54.0.0 02.12.2006 no virus found
F-Prot 3.16c 02.09.2006 no virus found
Ikarus 0.2.59.0 02.10.2006 no virus found
Kaspersky 4.0.2.24 02.12.2006 Trojan-Spy.HTML.Bayfraud.in
McAfee 4694 02.10.2006 no virus found
NOD32v2 1.1404 02.11.2006 no virus found
Norman 5.70.10 02.10.2006 no virus found
Panda 9.0.0.4 02.12.2006 no virus found
Sophos 4.02.0 02.11.2006 no virus found
Symantec 8.0 02.12.2006 no virus found
TheHacker 5.9.4.094 02.10.2006 no virus found
UNA 1.83 02.09.2006 no virus found
VBA32 3.10.5 02.11.2006 no virus found
Some Email details;
Return-path: <support_num_3381305590018@ebay.com>
**snip**
Received: from ppp85-141-237-194.pppoe.mtu-net.ru ([85.141.237.194])
by orngca-mx-08.mgw.rr.com with SMTP; Sun, 12 Feb 2006 13:52:34 -0500
Date: Sun, 12 Feb 2006 14:43:23 -0400
From: eBay <support_num_3381305590018@ebay.com>
Subject: eBay Customer Notice: Details Confirmation [Sun, 12 Feb 2006 21:46:23 +0300]
To: pnk@nycap.rr.com
Message-id: <4oomdf$ha2v4r@orngca-mx-08.mgw.rr.com>
MIME-version: 1.0
X-Accept-Language: en-us, en
Fcc: mailbox://support_num_3381305590018@ebay.com/Sent
X-Identity-Key: Id7
X-Virus-Scanned: Symantec AntiVirus Scan Engine <=== Gateway AV
Original-recipient: rfc822;pnolan
Content-Type: multipart/mixed;
boundary="----=_cKusyvfBPGgnaHbQBgKUeaDHKTZHAlKYr"
Attachment name patch.GIF
Subject eBay Customer Notice: Details Confirmation
UPDATE: I received a different piece of malware five minutes later ( ; ^ ), again undetected by the ISP email gateway AV. There was no attachment; the Subject is "Please Check Your Account !"
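An added example of the first triage steps described in this entry, not part of the original diary or of either AV vendor's analysis: a script that parses a message, extracts each attachment, identifies it by its leading bytes rather than by the name or Content-Type the sender chose, hashes it for lookup at Jotti or VirusTotal, and pulls the delivering host's IP out of the topmost Received header. The message below is constructed to mirror the headers shown above; the GIF is a 1x1 image built inline, not the illicit.GIF sample, and mx.example.net and the victim address are placeholders.

```python
"""Triage a suspicious e-mail offline: pull out the attachments, identify
them by their first bytes rather than by file name or Content-Type, hash
them for lookups at services like VirusTotal, and note which peer handed
the message to the gateway."""
import base64
import email
import hashlib
import re
from email import policy

# File signatures to check. Names and MIME types in a phish are the sender's choice;
# the first bytes of the payload are harder to lie about.
MAGIC = [
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "pe-executable"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
]

def identify(data: bytes) -> str:
    """Return a short kind name from the leading bytes, or 'unknown'."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"

def attachments(raw: bytes):
    """Yield one dict per attachment: declared name/type, identified kind, MD5 and size."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name and part.get_content_disposition() != "attachment":
            continue  # inline body text, not an attachment
        data = part.get_payload(decode=True) or b""
        yield {
            "filename": name,
            "content_type": part.get_content_type(),
            "kind": identify(data),
            "md5": hashlib.md5(data).hexdigest(),
            "size": len(data),
        }

def relay_ip(raw: bytes):
    """IP address in the topmost Received: header, i.e. the host that delivered to our gateway."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0]))
    return m.group(1) if m else None

# Constructed sample: a minimal 1x1 GIF and a message laid out like the one in the diary.
FAKE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

SAMPLE_EMAIL = (
    b"Received: from ppp85-141-237-194.pppoe.mtu-net.ru ([85.141.237.194])\r\n"
    b"\tby mx.example.net with SMTP; Sun, 12 Feb 2006 13:52:34 -0500\r\n"
    b"From: eBay <support_num_3381305590018@ebay.com>\r\n"
    b"Subject: eBay Customer Notice: Details Confirmation\r\n"
    b"To: victim@example.net\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b'<html><body><a href="http://198.51.100.20/ebay/"><img src="cid:img1"></a></body></html>\r\n'
    b"--XYZ\r\n"
    b'Content-Type: image/gif; name="patch.GIF"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="patch.GIF"\r\n'
    b"\r\n"
    + base64.b64encode(FAKE_GIF) + b"\r\n"
    + b"--XYZ--\r\n"
)

if __name__ == "__main__":
    print("delivered by", relay_ip(SAMPLE_EMAIL))
    for a in attachments(SAMPLE_EMAIL):
        print(a)
```

Feed a saved message in with `attachments(open("sample.eml", "rb").read())`. The `kind` field is the check that matters: an attachment called patch.GIF whose bytes start with MZ is not a picture, whatever the Content-Type says, and the MD5 is what the Jotti and VirusTotal reports above key on.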
0 Comments
Honeyd 1.5 Released
0 Comments
New Exploit for HTML Help Workshop vulnerability
Windows XP SP2 is not vulnerable in its default configuration. Microsoft noted that the HTML Help Workshop SDK has to be installed in order for the exploit to work. This SDK is a self-contained download, and at this point we are not aware of anything that bundles it. Given that it is an issue with this particular application, there is a chance that it may be exploitable on Windows versions other than XP SP2.
Summary:
- Vulnerability in HTML Help Workshop SDK, which is not installed by default.
- Exploit tested on Windows XP SP2.
- Exploit may work on other platforms that have HTML Help Workshop SDK installed, but we haven't tested it yet.
Please let us know if you have this SDK installed, in particular if it came bundled with other software.
See this URL for more details:
http://users.pandora.be/bratax/advisories/b008.html
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconhh1start.asp
Tony Carothers
Handler on Duty
0 Comments
Google Desktop Has New Features
We have gotten a lot of questions and concerns over the new functionality implemented in Google Desktop.
Here is a short blurb on Google's site about the functionality:
More information about it can be found at: http://desktop.google.com/features.html
Google Desktop is a tool that users can choose to use or not; Google simply offers a service. By default, the functionality is turned off. To search other computers, each of them has to be running Google Desktop with the "Search Across Computers" preference turned on, and you have to be logged in with the same Google account on all of them.
To download the tool, you have to agree to their "terms and conditions" and their "privacy" policy. If you have questions, Google has a webpage for them.
I think fellow handler Lenny Zeltser sums it up best in this statement:
0 Comments
Check Point Outbound Traffic Mystery
Once the service starts and the first login attempt is completed the interface of the machine starts blasting the captured information to two targeted destination IP's.....Installation is from a Checkpoint supplied CD."
I did ask about the base OS being a fresh install and here are his comments as well:
Here is a short synopsis of the traffic being observed:
There are 4 UDP packets being sent to one IP address then switching to the other and sending 4 more. This repeats itself over and over. The one IP 48.28.223.239 doesn't appear to have anything assigned to it but belongs to Prudential Securities Inc. The other IP 152.96.109.99 belongs to:
descr: HSR Hochschule fuer Technik Rapperswil
descr: Rapperswil, Switzerland
Dst Port is 57327/UDP
Src port is 32768
If you would like to see two example packets, you can view them here:
http://isc.sans.org/diaryimages/packets for checkpoint.txt
The issue went away with new CDs being obtained from the vendor.
This is the only report we received about this so far. If you have observed similar traffic or have any ideas, please let us know.
0 Comments
Spam, Recon or ??: You make the call!!
It has often been said that if you want to hide something, hide it in plain sight. It makes perfect sense. If you want traffic to get through, make it look close enough to something else that no one bothers to take a second look at it.
Today we got some logs submitted to us with some questions on the ICMP traffic. Even though it's not a packet capture, there was enough data to do some analysis. Here are the links to the files for your viewing pleasure:
http://isc.sans.org/diaryimages/icmpType3.log
http://isc.sans.org/diaryimages/icmpType11.log
It is interesting to note that several handlers looked at the traffic and reached several different conclusions. I won't share our conclusions at this time, but I would like to see what the rest of you come up with. Maybe you don't have an answer as to what it is (something you have to learn to accept when you analyze network traffic), but maybe you notice something unique about the traffic. Here is a short summary: ICMP error messages arrived at a host. However, that host did not have any outbound traffic that would have generated those ICMP error messages. Each of the error messages does contain the (partial) headers of the packet that supposedly caused it. Later I'll post the analysis done by some of the handlers and the results that everyone else came up with.
So, get ready to have fun and do some analysis!
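Added example, not the handlers' analysis (which the entry withholds) and not code from the submitted logs: how to read an ICMP type 3 or type 11 error, recover the 5-tuple of the packet it quotes, and check that quoted packet against what the host actually sent. The ICMP messages are built in memory here from constructed addresses; on a real capture the same parser runs over the ICMP payloads, and the set of flows the host sent comes from its own capture or flow records.

```python
"""Pull the triggering packet's header out of ICMP error messages.

An ICMP Destination Unreachable (type 3) or Time Exceeded (type 11) carries
the IP header plus the first 8 bytes of the datagram that caused it.  That
is enough to recover the original 5-tuple and ask: did this host really
send that?  If not, either our address was spoofed (we are seeing
backscatter) or the 'error' is carrying something else entirely.
"""
import ipaddress
import struct
from typing import Optional

ICMP_NAMES = {3: "dest-unreach", 11: "time-exceeded"}

def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header (checksum left zero; it is not needed for parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def icmp_error(outer_src, outer_dst, icmp_type, code, inner_src, inner_dst, inner_proto, sport, dport):
    """Build outer IP + ICMP error that quotes the inner IP header and 8 bytes of its payload."""
    inner_l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4   # first 8 bytes of the original L4 header
    inner = ipv4_header(inner_src, inner_dst, inner_proto, 8, ttl=1, ident=0x1234) + inner_l4
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + inner   # type, code, checksum, unused
    return ipv4_header(outer_src, outer_dst, 1, len(icmp)) + icmp

def parse_icmp_error(pkt: bytes) -> Optional[dict]:
    """Outer addresses, ICMP type/code and the quoted (original) packet's 5-tuple, or None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                       # not ICMP
        return None
    icmp = pkt[ihl:]
    itype, code = icmp[0], icmp[1]
    if itype not in ICMP_NAMES:
        return None
    inner = icmp[8:]
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:        # need the quoted IP header plus 8 bytes of L4
        return None
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "type": ICMP_NAMES[itype], "code": code,
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_proto": inner[9], "orig_sport": sport, "orig_dport": dport,
    }

def classify(parsed: dict, our_ip: str, sent_flows) -> str:
    """Is the quoted packet one this host actually sent (per its own flow records)?"""
    flow = (parsed["orig_src"], parsed["orig_dst"], parsed["orig_proto"],
            parsed["orig_sport"], parsed["orig_dport"])
    if parsed["orig_src"] != our_ip:
        return "mismatch: quoted source is not this host"
    if flow in sent_flows:
        return "legitimate: matches a flow this host sent"
    return "backscatter: this host never sent the quoted packet"

# Constructed test data: our address, one flow we really sent, two ICMP errors that arrived.
OUR_IP = "192.0.2.10"
SENT = {("192.0.2.10", "198.51.100.5", 17, 33434, 33434)}      # a traceroute probe we sent
SAMPLES = [
    icmp_error("203.0.113.1", OUR_IP, 11, 0, OUR_IP, "198.51.100.5", 17, 33434, 33434),
    icmp_error("203.0.113.77", OUR_IP, 3, 3, OUR_IP, "198.51.100.200", 17, 1026, 53),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        p = parse_icmp_error(pkt)
        print(p["outer_src"], p["type"], p["code"], "quotes", p["orig_src"], "->",
              p["orig_dst"], "port", p["orig_dport"], ":", classify(p, OUR_IP, SENT))
```

The second sample is the situation the logs describe: an error quoting a packet from our address that we never sent. Whether that is backscatter from someone spoofing us, a scan disguised as ICMP errors, or something else is what the quoted ports and the senders' addresses have to tell you.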
0 Comments
Blackworm/Nyxem Animation of Infections
0 Comments
Microsoft Security Advance Bulletin (7 updates, at least 2 Critical)
0 Comments
Sun Java JRE sandbox bypass vulnerability
These vulnerabilities are also related to the "Java bug" that US-CERT and AUSCERT warned about a couple of weeks ago; see here for details.
Sun advisory: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1
------------
Jason Lam
0 Comments
IE + WMF security advisory released by Microsoft (913333)
MS advisory: http://www.microsoft.com/technet/security/advisory/913333.mspx
------------
Jason Lam
0 Comments
New Windows service ACL security advisory released (914457)
MS advisory: http://www.microsoft.com/technet/security/advisory/914457.mspx
This issue seems to be the same as the one reported a few days ago. Look here for more details.
------------
Jason Lam
0 Comments
Old Cisco exploit tries to make a return:
GET /level/16/exec/-///pwd HTTP/1.0
Patrick reported seeing this traffic from many sources.
This was fixed in IOS some time ago; evidently someone thinks they can get lucky and find some out-of-date routers.
Handler Don Smith advises: "Reporting this to the ISPs is a good idea.
They are often interested in anyone who is trying to break into a router:)"
One interesting property of this traffic is that it is not spoofed: a TCP 3-way handshake must be completed with the target before HTTP data such as a GET can be sent, and that is true of all TCP-based scans. tcpdump shows a P for PUSH, so both ends are really talking. In a spoofed scan you never get farther than the SYN; the SYN-ACK is sent back to the spoofed source, which most likely drops it.
AAA.BBB.CCC.DDD.1873 > WWW.XXX.YYY.ZZZ.http: P [tcp sum ok] 99999
13645:1403813683(38) ack 221455884 win 64860 (DF) (ttl 107, id 46390, len 78)
The exploit is an old one, so why is it in circulation again?
Here is the original advisory from Cisco:
http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
Best practice dictates turning off all unused services on a host. So go to your border router and, if it does not already have
"no ip http server"
in its configuration, add it now. This will prevent this or any new HTTP exploit from working against your router.
Some old tricks keep coming back. Patrick, thanks for sharing.
0 Comments
Update Firefox to 1.5.0.1, the exploit is out
See http://isc.sans.org/diary.php?storyid=1091 for more details.
In addition, Thunderbird is vulnerable if JavaScript is enabled (it is not by default). There is no update for Thunderbird available at this time.
0 Comments
Corrupted Nyxems
Message bodies in these samples are exactly the same as those being sent with working attachments; the only difference seems to be in the corrupted attachments.
If you remember, in some cases Nyxem will send uuencoded attachments inside MIME parts; this was probably an attempt by the author to circumvent various filtering engines which may not expect a uuencoded file embedded in a base64 encoded MIME message part.
The beginning of these encoded files is almost always OK; after a couple of lines it becomes corrupted.
The corrupted part will look similar to the example below (the first line is from the good version, the second from the corrupted one):
M3%!T;T10``!#;U1A<VM-96U&<F5E````1V5T1$,`````````!X;<,@````#V
M3%!T;T10``!#;U1A<VM-96U&<F5E````1V5T1$,`````````````````
The letter 'M' at the start of each line indicates the decoded line length: uuencode stores the number of raw bytes on the line as a character with value 32 + n, so 'M' (77d - 32d = 45d) means 45 bytes, which are encoded as 60 characters. You can see that the line length in the second example is less than 60, so it is clear that the encoding is damaged.
If you now try to decode this (uudecode, for example, will try and will complain about an error), you'll get a corrupted executable. This file still has a valid header, so if your policy dictates blocking of executables on the e-mail gateway, it will be blocked.
The majority of AV vendors don't detect this. Of course, the file is harmless, so theoretically there is no reason why they should, but it would probably be nice to add definitions for these corrupted attachments just so they don't confuse end users.
We've received a submission from one of our readers that McAfee detects this as Generic Malware.a!zip.
Thanks to Mark Ackermans for a nice analysis of what's going on with the corrupted attachments.
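Added example, not part of the diary or of Mark Ackermans' analysis: a check for exactly the damage described above. uuencode stores each line's raw byte count as a single character (32 + n), so the number of encoded characters that must follow is fixed by that first character; a line that declares 45 bytes ('M') but carries fewer than 60 characters is damaged, and the check catches it before any decoder gets a chance to guess. The encoded data below is generated in the script from a constructed payload rather than taken from a worm sample.

```python
"""Validate the length fields of uuencoded lines.

Each uuencode line starts with one character holding 32 + n, where n is
the number of raw bytes on the line; 'M' (77) therefore announces 45
bytes, which encode to 60 characters.  A line whose declared length does
not agree with the characters that follow is damaged, which is exactly
what the corrupted Nyxem attachments look like.
"""
import binascii

def declared_length(line: str) -> int:
    """Raw byte count the line claims (0 for the terminating '`' line)."""
    return (ord(line[0]) - 32) & 0x3F

def expected_chars(nbytes: int) -> int:
    """uuencode emits 4 characters per 3 bytes, rounding the last group up."""
    return ((nbytes + 2) // 3) * 4

def check_uu_lines(lines):
    """Return (ok, decoded_bytes, problems); stops at the first damaged line."""
    decoded = bytearray()
    problems = []
    for no, line in enumerate(lines, 1):
        if not line:
            problems.append((no, "empty line"))
            break
        n = declared_length(line)
        body = line[1:]
        if len(body) != expected_chars(n):
            problems.append((no, f"declares {n} bytes ({expected_chars(n)} chars) but carries {len(body)} chars"))
            break
        try:
            decoded += binascii.a2b_uu(line)
        except binascii.Error as exc:
            problems.append((no, f"decode error: {exc}"))
            break
    return (not problems, bytes(decoded), problems)

def uuencode_lines(data: bytes):
    """Encode data in 45-byte chunks, the layout a mailer produces.

    backtick=True encodes zero sextets as '`' (as in the sample above) rather
    than as spaces, which some mail paths strip from line ends and which would
    otherwise trip the length check on lines that are not damaged at all.
    """
    return [binascii.b2a_uu(data[i:i + 45], backtick=True).decode("ascii").rstrip("\n")
            for i in range(0, len(data), 45)]

# Constructed payload: a PE-style 'MZ' header followed by filler (not a real executable).
GOOD_PAYLOAD = b"MZ\x90\x00" + bytes(range(256)) * 2
GOOD_LINES = uuencode_lines(GOOD_PAYLOAD)
# Damage it the way the diary describes: start intact, a later line cut short.
CORRUPT_LINES = GOOD_LINES[:2] + [GOOD_LINES[2][:40]] + GOOD_LINES[3:]

if __name__ == "__main__":
    for name, lines in (("good", GOOD_LINES), ("corrupt", CORRUPT_LINES)):
        ok, data, problems = check_uu_lines(lines)
        print(name, "ok" if ok else "damaged", len(data), "bytes", problems)
```

On a gateway the useful combination is both checks together: the first two lines decode to a valid MZ header, so an executable filter blocks the file, while the length mismatch on line 3 tells you the attachment could never have run anyway.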
0 Comments
A Bump in the Wire
Update
We got quite a number of responses regarding the TCP 7212 traffic. Jose Nazario is reporting that he traced the scans to a proxy called "GhostSurf". This proxy is frequently left open, allowing others to hide behind it.
A netcat listener recorded traffic that supports this idea:
GET http://umsky.com/prx.php?p=p1234 HTTP/1.0
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: umsky.com
Connection: Keep-Alive
Only a small set of sources is currently scanning for this port.
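Added example, not from either diary entry: a classifier for HTTP request lines as seen by a netcat listener, an IDS or a web log. It flags the two patterns from these entries: the old Cisco IOS /level/NN/exec/ authorization bypass from the "Old Cisco exploit" entry above (levels 16 to 99 are the range the original Cisco advisory covered), and absolute-URI requests like the one in the netcat capture above, which are open-proxy probes when they arrive at a port that is not a proxy. The request lines and source addresses are constructed; the two request targets themselves are the ones quoted in the entries.

```python
"""Classify HTTP request lines seen by a listener, an IDS or a web log.

Two patterns worth flagging: the old Cisco IOS HTTP authorization bypass,
which asks for /level/NN/exec/... on routers with 'ip http server'
enabled, and open-proxy probes, which send an absolute URI
(GET http://host/... ) to a port that is not a proxy at all.
"""
import re
from urllib.parse import urlsplit

CISCO_LEVEL_RE = re.compile(r"^/level/(\d{1,3})/exec(?:/|$)")
REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")

def classify_request_line(line: str) -> dict:
    """Return a verdict and a short detail for one request line."""
    m = REQUEST_LINE_RE.match(line.strip())
    if not m:
        return {"verdict": "malformed", "detail": line.strip(), "method": None}
    target = m.group("target")
    # Absolute-URI form is only legitimate when talking to a proxy; on a plain
    # listener it is someone testing whether we will relay for them.
    if target.lower().startswith(("http://", "https://")):
        return {"verdict": "proxy-probe", "detail": urlsplit(target).hostname, "method": m.group("method")}
    lvl = CISCO_LEVEL_RE.match(target)
    if lvl:
        level = int(lvl.group(1))
        detail = f"level {level} (in the 16-99 bypass range)" if 16 <= level <= 99 else f"level {level}"
        return {"verdict": "cisco-ios-http-bypass", "detail": detail, "method": m.group("method")}
    return {"verdict": "ordinary", "detail": target, "method": m.group("method")}

def triage(log: str):
    """Summarise (source, verdict, detail) for each 'src_ip<TAB>request line' record."""
    out = []
    for rec in log.splitlines():
        if not rec.strip():
            continue
        src, _, req = rec.partition("\t")
        c = classify_request_line(req)
        out.append((src, c["verdict"], c["detail"]))
    return out

# Constructed records: the two request targets are the ones quoted in the diaries.
SAMPLE = """\
198.51.100.23\tGET /level/16/exec/-///pwd HTTP/1.0
198.51.100.23\tGET /level/99/exec/-///pwd HTTP/1.0
203.0.113.8\tGET http://umsky.com/prx.php?p=p1234 HTTP/1.0
192.0.2.77\tGET /index.html HTTP/1.1
192.0.2.78\tnot an http request
"""

if __name__ == "__main__":
    for src, verdict, detail in triage(SAMPLE):
        print(f"{src:16s} {verdict:24s} {detail}")
```

Sources that produce either verdict are the ones to report to their ISP, as Don suggests above; because both are full TCP sessions, the source address in the log is the real one.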
0 Comments
CAIDA Report on Blackworm
0 Comments
Cyber Storm Exercise
0 Comments
DShield is Famous
See the photo or read the article. The image you see behind the NSA Director is the Talisker Security Wizardry Portal, which includes the DShield world map along with other security information.
By the way, that DShield image doesn't just get there by magic. It's the result of thousands of volunteers around the globe running sensors that feed information about data flows to a central database repository. From there, DShield can detect early indications of new threat tools, worm activity, and other malicious trends. It's no wonder that the NSA likes showing it off to the President! But to make it work we need more volunteers. Even if all you have access to is a SOHO router in your house you can probably submit logs to DShield. Instructions are online at DShield and if you have any questions please drop us a note via our contact form.
Can you tell that Sunday was a slow day? I suppose that everybody was preparing for the Super Bowl or recovering from the five computers affected by the CME-24 virus on Friday.
That's OK. We needed the breather.
Marcus H. Sachs
Handler of the Day
0 Comments
Recovering lost files from a hard drive
Help! I have lost data files from my hard drive (due to CME-24 or other reasons).
First, if at all possible, TURN OFF the computer and attach the infected drive to another system that is not infected. If for one reason or another you cannot, you should consider one of the CD-ROM or floppy based recovery systems and an extra drive.
You should perform the recovery to a different filesystem than the one being recovered from; otherwise you risk overwriting some files as you recover others.
Be aware that some companies offer demos that identify "lost" files but don't save the files they find.
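Added example, not taken from any of the tools listed below: a small signature-based carver showing what such recovery tools do under the hood. It ignores the file system metadata and scans the raw blocks for file headers, then writes whatever it recovers to a directory you point it at, which per the advice above must not be on the drive under examination. The 'disk image' is built in memory from constructed files; on a real case you would read the image made from the drive instead.

```python
"""Signature-based file carving from a raw disk image.

Recovery tools that can find 'lost' files after the file system has been
damaged do it this way: ignore directory entries, scan the raw blocks
for file headers, and cut out everything up to the matching trailer.
Recovered files are written to a separate location, never back to the
drive being examined.
"""
import io
import os
import struct
import zipfile

def _end_after(img: bytes, start: int, trailer: bytes):
    """Offset just past the first trailer after start, or None."""
    i = img.find(trailer, start)
    return None if i == -1 else i + len(trailer)

def _zip_end(img: bytes, start: int):
    """A ZIP ends with the end-of-central-directory record: 22 bytes plus a comment."""
    i = img.find(b"PK\x05\x06", start)
    if i == -1 or i + 22 > len(img):
        return None
    comment_len = struct.unpack("<H", img[i + 20:i + 22])[0]
    return i + 22 + comment_len

# (header signature, kind, function locating the end of the file)
CARVERS = [
    (b"\xff\xd8\xff", "jpg", lambda img, s: _end_after(img, s, b"\xff\xd9")),
    (b"%PDF-", "pdf", lambda img, s: _end_after(img, s, b"%%EOF")),
    (b"PK\x03\x04", "zip", _zip_end),
]

def carve(image: bytes):
    """Yield (offset, kind, data) for each recognisable file, earliest header first."""
    pos = 0
    while pos < len(image):
        best = None
        for sig, kind, end_fn in CARVERS:
            i = image.find(sig, pos)
            if i != -1 and (best is None or i < best[0]):
                best = (i, kind, end_fn)
        if best is None:
            break
        start, kind, end_fn = best
        end = end_fn(image, start)
        if end is None:          # header with no usable trailer: step past it and keep looking
            pos = start + 1
            continue
        yield start, kind, image[start:end]
        pos = end

def carve_to_dir(image: bytes, out_dir: str):
    """Write each carved file to out_dir (which must NOT be on the drive under examination)."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for off, kind, data in carve(image):
        name = os.path.join(out_dir, f"carved_{off:08x}.{kind}")
        with open(name, "wb") as f:
            f.write(data)
        written.append(name)
    return written

def zip_member(data: bytes, name: str) -> bytes:
    """Read one member from a carved ZIP to confirm the carve is usable."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)

def build_sample_image() -> bytes:
    """Constructed 'disk image': zero filler around a fake JPEG, a fake PDF and a real tiny ZIP."""
    filler = b"\x00" * 512
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-like body " * 10 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj << >> endobj\ntrailer\n%%EOF"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("notes.txt", "quarterly figures, do not lose")
    return filler + jpeg + filler + pdf + b"\n" + filler + buf.getvalue() + filler

if __name__ == "__main__":
    import sys
    out = sys.argv[1] if len(sys.argv) > 1 else "recovered"
    for name in carve_to_dir(build_sample_image(), out):
        print("recovered", name)
```

Two limits worth knowing before trusting any carver, free or commercial: a file whose header blocks were overwritten (as the CME-24 payload does) will not be found at all, and a fragmented file will come back with the wrong blocks in the middle even though its header and trailer look fine.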
Here is a short list of forensic tools and data recovery tools.
Windows:
http://www.x-ways.net/davory/index-m.html
The free version is limited to recovering files of 200k or smaller.
Linux/Unix based tools:
http://www.sleuthkit.org/autopsy/
CDROM based Bootable images
FCCU GNU/Linux boot CD 10.0 from the Belgian "Federal Computer Crime Unit"
http://www.lnx4n6.be/index.php?sec=Downloads&page=bootcd
Fire from SourceForge
http://fire.dmzs.com/
FoRK from Vital Data
http://www.vitaldata.com.au/modules/tinycontent1/index.php?id=9
Requires a registration.
Here is a good list of forensics tools.
http://www.forensics.nl/toolkits
0 Comments
CME-24 aka blackworm update
We are still getting reports of CME-24 infected emails being blocked inbound from several sources, so the infection continues.
We are also getting a few reports of lost data due to the malicious payload.
Many people have commented on the high counts of reported CME-24 infections in Peru and India.
One possible explanation comes from the way the worm updates the counter. The worm hits its counter every time it starts up, such as when a computer is rebooted. So countries would have a higher hit count if they had:
- older computers that require frequent rebooting
- dynamic IPs with a high rate of change
- systems that charge by the hour for connections (Internet cafés)
0 Comments
eXchange POP3
The good news is that it took the vendor about 2 weeks to issue a fixed version for download.
From the description, the vendor makes a product that's to be installed on or close to a real Exchange machine, so we're not out of the woods yet. The product offers connections between an Exchange server and an external POP3 or IMAP mailbox, yet its SMTP service has a buffer overflow in its handling of the "RCPT TO:" command. The exploit has been made public.
--
Swa Frantzen
0 Comments
Looking for samples of W32.Kiman.A
If you have any please consider uploading it using our contact form.
--
Swa Frantzen
0 Comments
Windows local privilege escalation - Windows access control
Princeton University titled Windows Access Control Demystified. It took the hacker tool developers just a few days to publicly release their first exploit referencing it. The exploit allows local escalation of privileges. On an OS typically used by users who are all administrators that might not be considered the biggest thing ever; still, it should be fixed by all vendors involved.
Now, for the average administrator it might seem nearly ridiculous that granting just one right too many can escalate a user to being able to run an arbitrary executable with all the local rights he could wish for (in the cases the paper describes, the right to change a service's configuration, which includes the path of the executable the service runs). Worse, the problem is so obscure that many applications, including some made by Microsoft and bundled with Windows XP (uPnP and SSDP), did have that one right too many. Not only did they goof on it, so did Adobe, AOL, Macromedia and probably a few more.
I cannot help but notice that the whole system of access control used in Windows is rather complex, and that might very well be the core of the problem. KISS is, after all, a principle that has proven over the years to work best in many cases.
Anyway, that document and its implications are mandatory reading if you want to take away local admin rights from any user with any success. The consequence is also that installing any software for any user needs to be done with extreme caution and security verification. Even if the one user needing the extra software is not your most restricted user, it still needs the full verification.
It is also mandatory for any developer making any application to understand this fully.
And as I said, I don't think it's easy to fully comprehend.
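Added example, not from the paper or from Microsoft: how to look for the "one right too many" in a service's ACL. On Windows, `sc sdshow <service>` prints the descriptor in SDDL; the script below parses the DACL part and reports ACEs that grant SERVICE_CHANGE_CONFIG (DC), WRITE_DAC or WRITE_OWNER to groups every logged-on user belongs to. The two descriptors are constructed to show a safe service and a weak one; they are not copied from any real service, and the weak one is hypothetical.

```python
"""Spot the 'one right too many' in a Windows service ACL.

'sc sdshow <service>' prints the service's security descriptor in SDDL.
Each ACE reads (A;;CCLCSWRPWPDTLOCRRC;;;AU): type, flags, rights, two
object GUIDs, trustee.  For services the two-letter rights that matter
are DC (SERVICE_CHANGE_CONFIG: point the service at any binary and it
runs in the service's account), WD (WRITE_DAC) and WO (WRITE_OWNER),
either of which lets the holder rewrite the ACL.  Note that WD as a
trustee means Everyone; it is a different field.
"""
import re

ACE_RE = re.compile(r"\(([^)]*)\)")

# Rights that let a non-admin take the service over.
DANGEROUS_RIGHTS = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
                    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# Well-known trustee abbreviations for groups every logged-on user is a member of.
LOW_PRIV_TRUSTEES = {"AU": "Authenticated Users", "BU": "Users", "WD": "Everyone", "IU": "Interactive"}

def parse_rights(s: str):
    """The rights field is a run of two-letter codes (or a hex mask); return the set of codes."""
    if s.startswith("0x"):
        return {s}
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def parse_sddl_dacl(sddl: str):
    """Return [(ace_type, rights, trustee), ...] from the D: part of an SDDL string."""
    m = re.search(r"D:(?:[A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.findall(m.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, _obj, _inh, trustee = fields[:6]
        aces.append((ace_type, parse_rights(rights), trustee))
    return aces

def find_weak_aces(sddl: str):
    """ACEs that allow a dangerous right to a low-privileged trustee: [(who, [rights...]), ...]."""
    weak = []
    for ace_type, rights, trustee in parse_sddl_dacl(sddl):
        if ace_type != "A" or trustee not in LOW_PRIV_TRUSTEES:
            continue
        bad = sorted(r for r in rights if r in DANGEROUS_RIGHTS)
        if bad:
            weak.append((LOW_PRIV_TRUSTEES[trustee], [DANGEROUS_RIGHTS[r] for r in bad]))
    return weak

# Constructed descriptors for two hypothetical services.  The first is the usual shape
# (SYSTEM and Administrators control it; Authenticated Users may only query and start it).
# The second differs by one right: Authenticated Users also hold DC.
SAFE_SDDL = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
WEAK_SDDL = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"

if __name__ == "__main__":
    for label, sddl in (("safe", SAFE_SDDL), ("weak", WEAK_SDDL)):
        print(label, find_weak_aces(sddl) or "no weak ACEs")
```

To audit a box, loop over the service names from `sc query` and feed each `sc sdshow` output to `find_weak_aces`; anything it returns is a service that a member of that group can reconfigure, which is the condition the released exploit relies on.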
--
Swa Frantzen
0 Comments
Mozilla Firefox vulnerabilities and upgrade
See the release notes and the list of security fixes.
--
Swa Frantzen
0 Comments
CME-24 Analysis: The destruction does not appear to spread across Windows network shares
I have now changed my initial thoughts on how the destruction would occur. Here are some of my notes from my testing of this concept. Here is the MD5 of the file I was using:
1c66904ecb846da5b1fb2072f9ea6e0e *New WinZip File.exe
The first test I did led me to believe that the destruction would be carried out via the shares and mapped drives. In my initial test, I had two infected systems (one XP and one W2K) with drives mapped to each other. I infected each box, changed the system time to Feb 2 at 11:50pm, launched Ethereal and Filemon, and took the first shot using RegShot. After an hour, I stopped the captures and took my second shot of the hard drive with RegShot. All my data files were now overwritten, zip files were corrupted, etc. Everything was happening as I thought it would. All my mapped drives had corrupted files. The security logs from each box showed accesses from the other.
Then I looked at RegShot. It showed that the following registry key was created; pay close attention to the middle value that was added:
----------------------------------
Keys added:1
----------------------------------
HKEY_USERS\S-1-5-21-2052111302-839522115-2092228675-1004\Control Panel\BMale
----------------------------------
Values added:3
----------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun: D6 07 02 00 05 00 03 00 02 00 3B 00 01 00 00 00
HKEY_USERS\S-1-5-21-2052111302-839522115-2092228675-1004\Control Panel\BMale\Update: "z: [\\192.168.6.130\c$]\"
HKEY_USERS\S-1-5-21-2052111302-839522115-2092228675-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}
\Count\HRZR_EHAPCY:gvzrqngr.pcy: 08 00 00 00 06 00 00 00 60 C0 9A 42 D7 26 C6 01
RegShot showed a registry key being created on each box that referenced my mapped drive to the other box. Ethereal had traffic from each box to its respective mapped drive. Everything pointed to the data being accessed via mapped drives. (The third value, under UserAssist, is unrelated to the worm: UserAssist names are ROT13-encoded, and this one decodes to UEME_RUNCPL:timedate.cpl, the Date and Time control panel applet used to set the clock for the test.) However, to be sure I ran two more tests.
This time I tested from an infected W2K box to a clean XP box with mapped drives and some shares. The malware placed copies of itself on all the mapped drives and shares. I followed the same test procedures as described above using Ethereal, Filemon and RegShot. I set the time for each of these to be 11:50pm on 2 Feb and waited. The destructive payload occurred right at 12:30am both times. I think 12:30 is right on the money. The second time was 12:31, but I think Filemon was logging slowly due to the load. So the 30 minutes is right on target.
According to the filemon results, it searches for each file type before moving on to the next file type. However I did not see it search the same directories for each file type. It appears some directories get searched for one file type, but not another. The order it occurred was:
*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.psd
*.dmp
Here is something of interest that I noted which I have not seen documented anywhere: it also searched for two other file types, *.ppl and *.exe. Below you see the last lines when it is looking for the *.dmp files.
Update.exe:992 OPEN C:\WINDOWS\system32\1037\ SUCCESS Options: Open Directory Access: All
79190 12:32:44 AM Update.exe:992 DIRECTORY C:\WINDOWS\system32\1037\ NO SUCH FILE FileBothDirectoryInformation: *.dmp
79191 12:32:44 AM Update.exe:992 CLOSE C:\WINDOWS\system32\1037\ SUCCESS
79192 12:32:44 AM Update.exe:992 OPEN C:\WINDOWS\system32\1037\ SUCCESS Options: Open Directory Access: All
79193 12:32:44 AM Update.exe:992 DIRECTORY C:\WINDOWS\system32\1037\ SUCCESS FileBothDirectoryInformation: *
79194 12:32:44 AM Update.exe:992 DIRECTORY C:\WINDOWS\system32\1037\ SUCCESS FileBothDirectoryInformation
79195 12:32:44 AM Update.exe:992 DIRECTORY C:\WINDOWS\system32\1037\ NO MORE FILES FileBothDirectoryInformation
79196 12:32:44 AM Update.exe:992 CLOSE C:\WINDOWS\system32\1037\ SUCCESS
79197 12:32:44 AM Update.exe:992 OPEN C:\WINDOWS\system32\1041\ SUCCESS Options: Open Directory Access: All
79198 12:32:44 AM Update.exe:992 DIRECTORY C:\WINDOWS\system32\1041\ NO SUCH FILE FileBothDirectoryInformation: *.dmp
A few lines later, this occurs:
80626 12:32:51 AM Update.exe:992 OPEN C:\Program Files\ SUCCESS Options: Open Directory Access: All
80626 12:32:51 AM Update.exe:992 DIRECTORY C:\Program Files\ NO SUCH FILE FileBothDirectoryInformation: *.exe
80627 12:32:51 AM Update.exe:992 CLOSE C:\Program Files\ SUCCESS
80628 12:32:51 AM Update.exe:992 OPEN C:\Program Files\ SUCCESS Options: Open Directory Access: All
80629 12:32:51 AM Update.exe:992 DIRECTORY C:\Program Files\ NO SUCH FILE FileBothDirectoryInformation: *.exe
80630 12:32:51 AM Update.exe:992 CLOSE C:\Program Files\ SUCCESS
80631 12:32:51 AM Update.exe:992 OPEN C:\Program Files\ SUCCESS Options: Open Directory Access: All
80632 12:32:51 AM Update.exe:992 DIRECTORY C:\Program Files\ NO SUCH FILE FileBothDirectoryInformation: *.exe
80633 12:32:51 AM Update.exe:992 CLOSE C:\Program Files\ SUCCESS
80634 12:32:51 AM Update.exe:992 OPEN C:\Program Files\ SUCCESS Options: Open Directory Access: All
80635 12:32:51 AM Update.exe:992 DIRECTORY C:\Program Files\ SUCCESS FileBothDirectoryInformation: *
80636 12:32:51 AM Update.exe:992 DIRECTORY C:\Program Files\ SUCCESS FileBothDirectoryInformation
80637 12:32:51 AM Update.exe:992 DIRECTORY C:\Program Files\ NO MORE FILES FileBothDirectoryInformation
80638 12:32:51 AM Update.exe:992 CLOSE C:\Program Files\ SUCCESS
80639 12:32:51 AM Update.exe:992 OPEN C:\Program Files\ SUCCESS Options: Open Directory Access: All
80640 12:32:51 AM Update.exe:992 DIRECTORY C:\Program Files\ NO SUCH FILE FileBothDirectoryInformation: *.ppl
80641 12:32:51 AM Update.exe:992 CLOSE C:\Program Files\ SUCCESS
80642 12:32:51 AM Update.exe:992 OPEN C:\Program Files\ SUCCESS Options: Open Directory Access: All
80643 12:32:51 AM Update.exe:992 DIRECTORY C:\Program Files\ NO SUCH FILE FileBothDirectoryInformation: *.exe
80644 12:32:51 AM Update.exe:992 CLOSE C:\Program Files\ SUCCESS
80645 12:32:51 AM Update.exe:992 OPEN C:\Program Files\ SUCCESS Options: Open Directory Access: All
80646 12:32:51 AM Update.exe:992 DIRECTORY C:\Program Files\ NO SUCH FILE FileBothDirectoryInformation: *.exe
80647 12:32:51 AM Update.exe:992 CLOSE C:\Program Files\ SUCCESS
80648 12:32:51 AM Update.exe:992 OPEN C:\Program Files\ SUCCESS Options: Open Directory Access: All
80649 12:32:51 AM Update.exe:992 DIRECTORY C:\Program Files\ NO SUCH FILE FileBothDirectoryInformation: *.exe
80650 12:32:51 AM Update.exe:992 CLOSE C:\Program Files\ SUCCESS
It only occurred in this small burst and only searched the one directory, though it happened right after the last search for the *.dat files. None of the searches were directed to my mapped drives or shares; they only searched the local hard drive.
If that wasn't exciting enough, I recorded lots of activity to my mapped drives. Keep in mind that it did access them easily to put copies there on the initial infection. Here are some excerpts:
Update.exe:992 OPEN Z:\ [\192.168.6.130\c$]\ PATH NOT FOUND Options: Open Directory Access: All
80560 12:32:49 AM Update.exe:992 OPEN Z:\ SUCCESS Options: Open Directory Access: 00000000
80561 12:32:49 AM Update.exe:992 CLOSE Z:\ SUCCESS
80562 12:32:49 AM Update.exe:992 OPEN Z:\ [\192.168.6.130\c$]\ PATH NOT FOUND Options: Open Directory Access: All
80563 12:32:49 AM Update.exe:992 OPEN Z:\ SUCCESS Options: Open Directory Access: 00000000
However, the only files that were destroyed were those on the local system. None of the files on the shares or mapped drives were touched. I'm not sure why at this point. I have packet captures from this time that correlate with access to those drives occurring, but no destruction. In the search for files, I never saw any searches being conducted via shares and/or mapped drives. It only occurred on the local hard drive.
I again ran the same test from an infected XP box to a clean W2K and repeated the above process. I still have registry keys being created and traffic to the shares/mapped drives, but no file modification happening. The results were almost identical. Remember the registry key above? It was not pointed at the mapped drive on this test, but rather at the D:\ which is the CDROM.
At this point, I do not believe that the destructive payload will occur via shares and/or mapped drives. Infected boxes, however, will have all their files destroyed if they fall into one of the file types above. As for the *.ppl and *.exe searches, I have no good explanation at this time. Good luck folks!
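An added Filemon log parser (not part of the original diary) that checks the two questions above mechanically: which wildcard patterns Update.exe enumerated in which directories, and whether any enumeration touched a mapped drive or UNC path. The sample lines are copied from the excerpts above; the "[\host\share]" annotation is what Filemon prints for a mapped drive, and a bare "Z:\" without it cannot be classified from the line alone.

```python
import re
from collections import defaultdict

# One Filemon line, in the layout quoted above:
#   <seq> <hh:mm:ss AM|PM> <process>:<pid> <op> <path> <result> [<detail>]
# The seq/time prefix is optional because one quoted line was cut short.
FILEMON_RE = re.compile(
    r"^(?:(?P<seq>\d+)\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+)?"
    r"(?P<proc>\S+?):(?P<pid>\d+)\s+"
    r"(?P<op>OPEN|DIRECTORY|CLOSE|READ|WRITE|DELETE)\s+"
    r"(?P<path>.+?)\s+"
    r"(?P<result>SUCCESS|NO SUCH FILE|NO MORE FILES|PATH NOT FOUND|ACCESS DENIED)"
    r"(?:\s+(?P<detail>.*))?$")
PATTERN_RE = re.compile(r"FileBothDirectoryInformation:\s*(\S+)")

# Constructed sample: lines copied from the excerpts above, not a full capture.
SAMPLE = [
    r"80626 12:32:51 AM Update.exe:992 OPEN C:\Program Files\ SUCCESS Options: Open Directory Access: All",
    r"80626 12:32:51 AM Update.exe:992 DIRECTORY C:\Program Files\ NO SUCH FILE FileBothDirectoryInformation: *.exe",
    r"80627 12:32:51 AM Update.exe:992 CLOSE C:\Program Files\ SUCCESS",
    r"80635 12:32:51 AM Update.exe:992 DIRECTORY C:\Program Files\ SUCCESS FileBothDirectoryInformation: *",
    r"80640 12:32:51 AM Update.exe:992 DIRECTORY C:\Program Files\ NO SUCH FILE FileBothDirectoryInformation: *.ppl",
    r"79198 12:32:44 AM Update.exe:992 DIRECTORY C:\WINDOWS\system32\1041\ NO SUCH FILE FileBothDirectoryInformation: *.dmp",
    r"Update.exe:992 OPEN Z:\ [\192.168.6.130\c$]\ PATH NOT FOUND Options: Open Directory Access: All",
    r"80560 12:32:49 AM Update.exe:992 OPEN Z:\ SUCCESS Options: Open Directory Access: 00000000",
]

def parse_filemon(lines):
    """Parse Filemon lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(FILEMON_RE.match, (l.strip() for l in lines)) if m]

def is_remote(path):
    # Filemon shows a mapped drive as "Z:\ [\host\share]\" and UNC paths as "\\host\share".
    # A bare "Z:\" without the annotation cannot be classified from the line alone.
    return "[\\" in path or path.startswith("\\\\")

def searched_patterns(records):
    """Map each directory to the wildcard patterns enumerated in it, in order."""
    out = defaultdict(list)
    for r in records:
        m = PATTERN_RE.search(r["detail"] or "")
        if r["op"] == "DIRECTORY" and m:
            out[r["path"]].append(m.group(1))
    return dict(out)

def remote_paths(records, op=None):
    """Remote paths touched, optionally limited to one operation (e.g. 'DIRECTORY')."""
    return sorted({r["path"] for r in records
                   if is_remote(r["path"]) and (op is None or r["op"] == op)})
```

Running `remote_paths(parse_filemon(SAMPLE), "DIRECTORY")` on the sample returns an empty list while `remote_paths(..., "OPEN")` lists the mapped drive, which is exactly the "accessed but never searched" observation above.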
It is already Feb 3rd!
If you know any story related to this event, please share it with us.
Preparing for Feb 3rd (CME-24)
We received a lot of suggestions about measures against CME-24, in other words how to prepare for Feb 3rd independently of the anti-virus.
What follows below is a compiled list of those suggestions. Some were tested, some were not.
Update:
Javier Romero sent a link to a Spanish article regarding CME-24 detection:
"Cómo detectar el virus CME-24 Kamasutra /Nyxgen / MyWife / Blackworm antes del 3 febrero" (How to detect the CME-24 Kamasutra / Nyxgen / MyWife / Blackworm virus before February 3)
- The rule below, made by Per Kristian Johnsen of Telenor Security Center, is said to detect attempts to copy WINZIP_TMP.exe to shares. According to the author, they are able to detect infected machines where the already published Snort/Sourcefire rule couldn't:
alert tcp any any -> any 135:139 (msg:"Nyxem attempting to copy WINZIP_TMP.exe to shares"; flow:to_server,established; content:"|57 00 49 00 4e 00 5a 00 49 00 50 00 5f 00 54 00 4d 00 50 00 2e 00 65 00 78 00 65|"; reference:url,www.lurhq.com/blackworm.html; classtype:trojan-activity; sid:5000173; rev:1;)
- Another user used SMS to scan drives for files with a size of 95,690 bytes named:
%Windir%\Rundll16.exe
%System%\scanregw.exe
%System%\Winzip.exe
%System%\Update.exe
%System%\WINZIP_TMP.EXE
%System%\SAMPLE.ZIP
%System%\New WinZip File.exe
movies.exe
Zipped Files.exe
- A security Dweeb at a large California municipal government agency wrote a batch script that:
"1) looks for the infected file names' existence on %windir% and %sysdir% using simple DIR /B commands. Output is sent to a uniquely named text file (with a non-standard extension). Infected workstations will show a non-zero file size. Batch file is below; uses environment vars that are unique to user and computer name.
2) The batch file will be placed in the login script for all computers.
3) Ensure that verified backups are completed tonight (Wed).
Batch file:
@echo off
dir /b %WinDir%\system\Winzip.exe >> %username%_%computername%.rgh
dir /b %WinDir%\system\Update.exe >> %username%_%computername%.rgh
dir /b %WinDir%\system\scanregw.exe >> %username%_%computername%.rgh
dir /b %WinDir%\Rundll16.exe >> %username%_%computername%.rgh
dir /b %WinDir%\winzip_tmp.exe >> %username%_%computername%.rgh
dir /b c:\winzip_tmp.exe >> %username%_%computername%.rgh
dir /b %Temp%\word.zip .exe >> %username%_%computername%.rgh
Although dangerous, we think we have a very low chance of a problem. According to LURHQ, there are only 15K computers in the US that have contacted the "counter" site. And we have other protections in place (blocking of all executables in mail attachments, current anti-virus updates, etc.)"
Update: Another user suggested quoting the path in the last line of the script above, since the file name contains a space, as shown below:
dir /b "%Temp%\word.zip .exe" >> %username%_%computername%.rgh
-----------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org )
nmap 4.00 released
I am using it as I type this :)
From nmap-hackers:
Hot on the heels of 3.9999 (you could probably guess this was
coming), I am pleased to announce that Nmap 4.00 is now available!
Documentation: http://www.insecure.org/nmap
Download: http://www.insecure.org/nmap
Release Announcement:
http://www.insecure.org/stf
Cheers,
Adrien
Cisco VPN 3000 crafted HTTP attack
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_security_advisory09186a00805f0147.shtml
Apparently version 4.7.2(C) resolves this issue.
The workaround is to disable HTTP.
This remote exploit involves sending a small stream (less than 50 packets) of tcp/80 traffic to a Cisco VPN 3000 Concentrator appliance running the WebVPN service. After this occurs, all sessions currently accessing the appliance are dropped, and no further communication is possible until the system is powered down and restarted. No authentication or credentials are required to exercise this vulnerability.
By default, the WebVPN Service permits both tcp/80 (HTTP) and tcp/443 (HTTPS) inbound; the appliance performs a redirect from the HTTP query to the HTTPS. The vulnerability exists within the code base responsible for the redirect.
From: http://www.esentire.com/news/vuln-cisco-vpn.html
Update (06 Feb 2006): At present, we recommend that all users of firmware that uses Cisco's WebVPN upgrade to the newest version (currently 4.7.2D) AND disable inbound tcp/80 access as a fix for this exploit.
Thanks Eldon!
Cheers,
Adrien
Recommended Block List
Based on feedback from Intercage customers, we no longer recommend blocking them. Please let us know if you see any problems from 69.50.160.0/19 and we will try to facilitate contact and a resolution.
Updated Update:
Sunbelt posted this blog documenting the issues with Intercage. As a comment: We do not say that Intercage is a safe and clean network now. However, they appear to have some valid customers. Please decide for yourself if you need the valid sites badly enough to risk exposure to the malware hosted at Intercage.
I hate block lists... maybe because I have been on the 'wrong end' of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:
InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)
The list may be updated later. We do not expect to make this a "regular feature". But at this time we find that it is necessary to point out these particular two netblocks.
They have been associated with a number of high-profile criminal activities in the past. A good number of WMF exploits use name servers or other resources in these netblocks. They have been non-responsive to current and past requests to remove malicious content.