Published: 2007-05-31

Symantec pattern fires on Spybot Search & Destroy 1.3

We have received a couple of reports that Symantec Antivirus triggers on the file 'blindman.exe', part of the SpyBot Search & Destroy package. Apparently only the file included with version 1.3 is detected as a trojan, not the one included with the more recent version 1.4.

Symantec has confirmed this issue occurred in the 05/30/2007 rev.020 Intelligence Update and LiveUpdate definitions. They've made available Rapid Release definition build 69173 (extended version 05/30/2007 rev. 035) to resolve the issue. LiveUpdate definitions that correct the issue were also published, version 90530ao (Sequence number: 69179; extended version 05/30/2007 rev.041).

Thanks to Matt and Scott for reporting the issue, and Symantec for their fast response.


Published: 2007-05-31

An inside look at a targeted attack

With targeted attacks becoming regular news items, it might be a good time to have a closer look at a sample of a somewhat older one. Recently I received a potentially malicious e-mail that was originally distributed in early 2006. After one year, the dropper, a Word document exploiting MS05-035, was recognized as malicious by only 9 of VirusTotal's 36 AV engines.

This attack was clearly targeted through the scope of its distribution, limited to members of a specific organization, and the purported/spoofed source and content of the e-mail message. Each of these taken together created a valid context in which the message was interpreted by the recipient.

A hex dump of the file indicated an embedded executable at the end:

00010200 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 |MZ..............|
00010240 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
00010250 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
00010260 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
00010270 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|

By removing everything in front of the magic ‘MZ’ signature using a hex editor, the executable was easily extracted. 15 of the AVs detected the binary as a Troj/Riler.J variant. Interesting, as Riler.J was listed in the then-NISCC's 2005 warning.
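The carving step above, done in code rather than in a hex editor, as an added example that is not part of the original diary: it scans for 'MZ' and accepts a hit only when the DOS header's e_lfanew field points at a 'PE\0\0' signature, which filters out the stray 'MZ' byte pairs that any large document contains. The sample document and the executable-shaped blob inside it are constructed in the block (no real malware), and the layout and offsets are assumptions.

```python
import struct


def build_fake_pe() -> bytes:
    """Constructed stand-in for an executable: a DOS header whose e_lfanew points
    at a 'PE\\0\\0' signature. No code, just enough structure to satisfy the carver."""
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)  # 64 bytes
    dos_stub = b"\x00" * (e_lfanew - len(dos_header))
    pe_header = b"PE\x00\x00" + struct.pack("<H", 0x14C)             # signature + Machine=i386
    return dos_header + dos_stub + pe_header + b"\x00" * 32


# Constructed "document": OLE compound-file magic, filler, a decoy "MZ" that is not a
# PE header, then the fake executable appended at the end as in the diary's sample.
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0" + b"A" * 100
              + b"MZ-not-a-pe" + b"B" * 20
              + build_fake_pe())


def find_pe_offsets(data: bytes) -> list[int]:
    """Offsets of every 'MZ' whose DOS header points at a valid 'PE\\0\\0' signature.
    Checking e_lfanew weeds out the 'MZ' byte pairs that occur by chance."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 64 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 60)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def carve(data: bytes, offset: int) -> bytes:
    """Everything from the MZ header to end of file: what the diary did by hand."""
    return data[offset:]


if __name__ == "__main__":
    for off in find_pe_offsets(SAMPLE_DOC):
        blob = carve(SAMPLE_DOC, off)
        print(f"embedded PE at offset {off:#x}, {len(blob)} bytes")
```

On a real document you would hash and submit the carved blob rather than print it; the offset check is what keeps the carver from stopping at the decoy 'MZ' that sits 31 bytes before the real header in the sample.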

The file was packed with UPX. It turned out to be an installer which created the following files:

The latter file contains the filename from which installation originally took place, while the former contains the bulk of this Trojan. The executable also registers a new instance of the Non-IFS service provider support environment (WS2IFSL) and installs the Trojan as a layered service provider. The following key gets added:

HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem: 43 3A 5C 57 49 4E 4E 54 5C 53 79 73 74 65 6D 33 32 5C 53 4E 6F 6F 74 65 72 6E 2E 64 6C 6C 00 00 00 00 67 00 6E 00 61 00 74 00 75 00 72 00 65 00 3D 00 22 00 24 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 20 00 4E 00 54 00 24 00 22 00 0D 00 0A 00 43 00 6C 00 61 00 73 …

The first few HEX values decode to:
C:\WINNT\System32\SNootern.dll (…)
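Decoding the same value in code, as an added example that is not from the diary: a PackedCatalogItem begins with a MAX_PATH (260-byte) ANSI path of the provider DLL, followed by the WSAPROTOCOL_INFOW structure, so the path is everything up to the first NUL. The bytes printed above are reused as input; the allow-list of provider DLLs expected in a default Windows 2000/XP catalog is an assumption to adapt to your own baseline.

```python
# Hex bytes of the PackedCatalogItem value as printed in the diary (the diary
# truncates it, so this is only the start of the 260-byte path buffer).
PACKED_ITEM_HEX = """
43 3A 5C 57 49 4E 4E 54 5C 53 79 73 74 65 6D 33 32 5C 53 4E 6F 6F 74 65 72 6E 2E 64 6C 6C
00 00 00 00 67 00 6E 00 61 00 74 00 75 00 72 00 65 00 3D 00 22 00 24 00 57 00 49 00 4E 00
44 00 4F 00 57 00 53 00 20 00 4E 00 54 00 24 00 22 00 0D 00 0A 00 43 00 6C 00 61 00 73
"""

MAX_PATH = 260  # the item starts with a MAX_PATH-byte ANSI DLL path, then WSAPROTOCOL_INFOW

# Provider DLLs normally present in the Winsock2 catalog of a Windows 2000/XP system.
# Assumption used as an allow-list; extend it for the builds you actually run.
EXPECTED_PROVIDERS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}


def hex_to_bytes(text: str) -> bytes:
    """Turn the space-separated hex dump into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def decode_packed_catalog_item(blob: bytes) -> dict:
    """Split the path buffer into the DLL path and whatever follows its NUL, and try
    to read those leftover bytes as UTF-16LE text (which is what the dump contains)."""
    path_buf = blob[:MAX_PATH]
    path, _, residue = path_buf.partition(b"\x00")
    residue = residue.lstrip(b"\x00")
    residue = residue[: len(residue) // 2 * 2]        # drop a dangling odd byte
    dll_path = path.decode("latin-1")
    dll_name = dll_path.rsplit("\\", 1)[-1].lower()
    return {
        "dll_path": dll_path,
        "residue_text": residue.decode("utf-16-le", errors="replace"),
        "unexpected_provider": dll_name not in EXPECTED_PROVIDERS,
    }


if __name__ == "__main__":
    item = decode_packed_catalog_item(hex_to_bytes(PACKED_ITEM_HEX))
    print("provider DLL :", item["dll_path"])
    print("residue      :", repr(item["residue_text"]))
    print("review needed:", item["unexpected_provider"])
```

Run against the printed bytes, the path comes out as C:\WINNT\System32\SNootern.dll, and the bytes after the terminator read as UTF-16 text ('gnature="$WINDOWS NT$"' followed by a line break), the tail of an INF file's Signature line, so they are leftover buffer content rather than part of the path. Comparing the DLL name against the expected providers is what turns the decode into a check you can run over every Catalog_Entries subkey.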

Upon a reboot, the host performs a DNS lookup for a host registered on 3322.org (a Chinese dynamic DNS provider). It then makes a TCP connection to this server on a hard coded port number.

As a grand finale, it appears that more than one year after the initial attacks, the hostname is still successfully resolving and the box on the other end is actively picking up the phone.

It would prove quite interesting to know what someone infected with this piece of malicious code could expect. Running the tool using a debugger such as Ollydbg quickly shows a number of decision trees similar to the following:

Closer review shows that commands exist to allow the remote host to create files, search for files, and more importantly, gain a command line shell on the box (“LIKE”).

After a bit more testing with the malware, the connection protocol appeared fairly obvious as well. The infected host makes an outbound connection to the US-based server, both parties identify themselves, open a log and go dormant until the control server issues a command supported by the Trojan.

NAME: DIMASHK.VER: Stealth 2.6.MARK: fl510 .OS: NT 5.0.L_IP: NoID
ERR code = 0
ERR code = 0

When the file was first received, we distributed it to the major anti-virus vendors, and coverage has improved much since. What this example shows best, though, is that information sharing is vital in identifying these types of attacks. Only when information on them is shared and patterns are identified can detection and response improve.

Maarten Van Horenbeeck


Published: 2007-05-31

New Firefox releases fix five security vulnerabilities

Firefox and were released yesterday, fixing five security vulnerabilities. While not confirmed, the most significant of these could potentially allow arbitrary code execution:

MFSA-2007-17 Parts of the browser chrome could be spoofed or hidden
MFSA-2007-16 Script injection (High impact)
MFSA-2007-14 Two issues with cookie handling
MFSA-2007-13 Denial of service against 'form autocomplete'
MFSA-2007-12 Crash with potential memory corruption (High impact)


Published: 2007-05-30

Signature Blocks (Part 2)

It seems I am not alone in this pet peeve.  I received enough email to do an "Email etiquette" diary.  I'll save that for later.

Here's the general consensus:

1.  4 lines
    <phone number or web address>
2.  Quotes are okay as long as:
    a) It's kept to a minimum
    b) it's kept to PERSONAL email only
    c) It does not have a racial or religious theme.  (duh?)
    d) plain text
3.  Plain text
4.  Plaxo and LinkedIn are bad.
5.  jpg's/gif's/png's are bad. (no HTML!)
6.  Apparently in some parts of the .eu, you HAVE to put stuff in your Sig block like, company name, web site, email, for disclaimer purposes. 
7.  CERTS are okay, but as one reader pointed out, "Why tell people what you don't have?"
8.  Addresses are to be kept out, if I want your address, I'll ask you for it.  Email addresses should also be kept out, since it's going to be in your Reply-To:
9.  The only thing worse than big long Sig blocks is OOOR.  (Out of Office Replies)
10.  Last but DEFINITELY not least.  The Disclaimers that say stuff like:


Has anyone ever seen one of these enforced?  Do you have a link to case law?  I'd like to make fun of it.

Bottom line from the group?

Keep it short, plain text, and simple.  HTML, logos, quotes, disclaimers, etc. are not necessary and do nothing but make short email replies long.

Oh, and for those email clients that don't recognize that "--" is the start of the Sig block (Outlook, Lotus), please, fix your stuff.  (from a reader). 

Oh, and if you are replying to a reply..  trim your Sig.

Thank you all for writing in, hopefully I've influenced enough of you to take a look at your sig lines and trim them up.  They are getting out of control.


Joel Esler


Published: 2007-05-30

Google Counter ... isn't

Those of you who have seen the "google-analytics" URL in your logs before might be tempted to assume (as I was) that google-counter[dot]com is just another incarnation of the same. I even at first discounted that my anti-virus complained about "obfuscated javascript", thinking that Google must have cooked up some really complicated Ajax mess again that misled my AV to a false positive.

But no. On a second look, the site tries to download an ANI cursor exploit. And wait - there are lots more IFRAMEs. Ouch! This definitely ain't Google!

z-014-1.php contains an obfuscated exploit for MS06-014
z-014-3.php contains another exploit for MS06-014
z-create-o.php contains the IE CreateObject exploit (as seen on Metasploit TV)
z-cs-an.php is an obfuscated exploit for MS07-017
z-java1.php is an oldie, Java-ByteVerify exploit

All of these try to download and run a file "down.exe" off the same site, which in turn downloads and runs a Browser Helper Object (BHO) off someplace else. The BHO is a key logger / banking trojan. We have decoded the configuration file that tells the trojan what to do - you can look at the file under http://handlers.sans.org/dwesemann/decoded-bho-helper.txt . Yes, lots of banks... Thanks to fellow handlers Lorna and Pedro for help with the analysis.

Caution: The google-counter site is still live at the time of writing. Sink yourself at your own risk.


Published: 2007-05-30

BBB goes IRS

Just a quick heads-up - the Better Business Bureau (BBB) malware we've reported on earlier seems to have mutated into one that claims to come from the Internal Revenue Service (IRS).  Still using RTF attachments with embedded malware as the vector, though.


Published: 2007-05-30

Virus detection - vector vs. payload

In a previous diary, we've written about the surprising prevalence of those exploit "iframes" which in the end download a file called "funny.php" off a server in Russia, Panama, Ukraine, etc. "funny.php" is an EXE sailing in disguise, and usually a password-stealing spyware of the "Bancos" family. The file changes frequently and cleverly enough to keep the majority of anti-virus products perpetually in the dark. The only two things that tend to "save the day" if a user happens across one of these IFRAMEs are that, firstly, the vulnerabilities exploited are pretty old (and patched), and secondly, the anti-virus detection for the exploit iframe (the infection "vector") is significantly better than detection for the spyware (the "payload").

Some anti-virus products apparently trigger on the "obfuscation" of the exploit (it is encoded JavaScript), risking a higher false positive rate by doing so, but also making it less likely that a tiny change in the exploit code renders the signature useless. Others apparently trigger on the exploit itself. The obfuscation and exploits used have been pretty much the same for the past three months, so one would reasonably expect anti-virus coverage to be well in place.

When today a user of mine "found" another one of these funny.phps, I decided to pass both the vector and payload files through Virustotal to see who was up to snuff:

Virustotal results for the obfuscated exploit file ("forum.php")

Virustotal results for the payload ("funny.php")

The results speak for themselves, with quite a few prominent vendors competing for the coveted "Sees No Virus" award :). I'm constantly amazed at how anti-virus ever could grow into a multi-billion dollar industry.


Published: 2007-05-29

Quicktime Security Update for 7.1.6

/** Hope you Windows guys have better luck with this update than other Apple Updates in the past **/


Security Update (QuickTime 7.1.6)


CVE-ID: CVE-2007-2388

Available for: QuickTime 7.1.6 for Mac OS X and Windows

Impact: Visiting a malicious website may lead to arbitrary code execution

Description: An implementation issue exists in QuickTime for Java, which may allow instantiation or manipulation of objects outside the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of Java applets. Credit to John McDonald, Paul Griswold, and Tom Cross of IBM Internet Security Systems X-Force, and Dyon Balding of Secunia Research for reporting this issue.


CVE-ID: CVE-2007-2389

Available for: QuickTime 7.1.6 for Mac OS X and Windows

Impact: Visiting a malicious website may lead to the disclosure of sensitive information

Description: A design issue exists in QuickTime for Java, which may allow a web browser's memory to be read by a Java applet. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to the disclosure of sensitive information. This update addresses the issue by clearing memory before allowing it to be used by untrusted Java applets.

(Information came from Apple's website)


Joel Esler


Published: 2007-05-29

Signature Blocks

Just thought I'd share with you all a pet peeve of mine: signature blocks in email.

How much is too much?  At what point do these things become a security hazard?  At what point are you putting too much information about yourself out on the internet?

Well wait, you ask, what does this have to do with security?  What if your email client has a vuln to some client side jpg/png/gif parsing thingy, and all I have to do is send you an email with an html signature block (or html at ALL), and execute some code?

Do you put certs in your signature block?  Should you? 

Do you put quotes in your signature block?  Should you?

Do you put your phone number in your signature block?  Email addresses?  Titles?

I've stuck to the rule of '4 lines is enough' in a signature block.  But what are your thoughts?

Does your company have a policy against signature blocks?  What about those Plaxo signature blocks?  What about LinkedIn signature blocks?

Share your thoughts.  I'll collect the consensus for the night and publish a diary with your thoughts.


Joel Esler

P.S.  For those of you that are wondering, my email signature block is one line.


Published: 2007-05-29

Global Crossings having some network issues

Eric wrote in to tell us:

"Global Crossings has a major outage in Dallas, TX which is causing more issues within their core.  500+ms latency and 10%+ dropped packets."

http://internethealthreport.com/  is showing issues with GC.  GC is aware of the issue and is working to resolve it. 

The Internet is not melting yet.


Joel Esler


Published: 2007-05-29

Apple Security Update 2007-005

According to this page:
Apple Security Update 2007-005 updates the following components:

Time for updates.  This is especially critical for the mDNSResponder update!


Joel Esler


Published: 2007-05-25

Better Business Bureau targeted malware spam

We are receiving more reports about targeted attacks claiming to be from the Better Business Bureau. The spam always comes with an RTF attachment. Does this ring a bell? If you're a frequent reader of ISC you might remember that I already posted an analysis of such an attack back in March – you can find it here: http://isc.sans.org/diary.html. BBB also posted an alert about this quite a while ago (http://www.bbb.org/alerts/article.asp).

Basically the attackers use an application called Object Packager to embed an executable in an RTF document. The executable is typically a downloader which, when executed, downloads a second-stage malware. The attackers keep changing both the downloader and the second-stage malware, together with the sites they are using. It is worth pointing out again that this attack does not exploit any Office vulnerability; instead it relies on social engineering (see the screenshots in the old diary).
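A gateway-side check for this construction, as an added example that is not part of the diary: in RTF an embedded OLE object is written as an \object group whose \objdata destination holds the object's bytes hex-encoded, and a Packager object announces itself with the class name "Package". The RTF sample below is constructed in the block (only an OLE 1.0 object header and a DOS stub, no actual executable), and the hold/allow decision is an assumption about policy, not something the diary prescribes.

```python
import re


def build_sample_rtf() -> str:
    """Constructed RTF (not a real attachment): an \\object group whose \\objdata is
    the hex encoding of an OLE 1.0 'Package' object that carries an MZ header."""
    ole1 = (b"\x01\x05\x00\x00"                      # OLE 1.0 version
            + b"\x02\x00\x00\x00"                    # format id: embedded object
            + b"\x08\x00\x00\x00Package\x00"         # length-prefixed class name
            + b"\x00" * 8                            # topic/item names left empty
            + b"MZ\x90\x00" + b"\x00" * 60           # start of the packaged executable
            + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 8)
    return ("{\\rtf1\\ansi Complaint summary attached.\\par "
            "{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
            + ole1.hex() + "}}}")


OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")
OBJCLASS_PACKAGE_RE = re.compile(r"\\objclass\s+Package\b")


def extract_objdata(rtf: str) -> list[bytes]:
    """Hex-decode every \\objdata group in the document."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(r"\s+", "", m.group(1))
        if len(hexdata) % 2:        # damaged data: trim rather than crash the gateway
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata))
    return blobs


def assess_rtf(rtf: str) -> dict:
    """Embedded objects are rare in legitimate RTF mail; a Packager object, or an
    executable's DOS stub inside an object, is reason enough to hold the message."""
    blobs = extract_objdata(rtf)
    packager = (any(b"Package\x00" in b for b in blobs)
                or OBJCLASS_PACKAGE_RE.search(rtf) is not None)
    # The stub string is present in nearly every Win32 executable and is a far
    # cheaper second signal than a bare "MZ", which binary data produces by chance.
    contains_mz = any(b"MZ" in b and b"This program cannot be run in DOS mode" in b
                      for b in blobs)
    return {
        "embedded_objects": len(blobs),
        "packager": packager,
        "contains_mz": contains_mz,
        "verdict": "hold" if (packager or contains_mz) else "allow",
    }


if __name__ == "__main__":
    print(assess_rtf(build_sample_rtf()))
    print(assess_rtf("{\\rtf1\\ansi Just text.\\par }"))
```

Because the attack needs no Office vulnerability, a signature on the downloader is the part that keeps going stale; flagging the container (an embedded Packager object in mail) is what stays stable across the variants the diary describes.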

While the attack itself is not very interesting, what is interesting is that the spam e-mails carrying this seem to be targeted. In fact, almost all reports we've received lately (and Sunbelt blogged about the same thing at http://sunbeltblog.blogspot.com/2007/05/seen-in-wild-extremely-dangerous-better.html) claimed that only a couple of users in the attacked organizations received this and that they were almost always CEOs or CFOs.

So what can we do here? As you can see from my old diary, AV detection of embedded objects in RTF documents seems to be very weak. The detection of the downloader I extracted at that point in time was a bit better but this was still far away from perfect, especially when we’re talking about the last line of defense – the AV program on the desktop machine.

If possible, you can block RTF files on your e-mail gateways, but this might have a counterproductive effect, as we've been encouraging users for years to use "more friendly" text formats such as RTF (and who thought that objects could be embedded this easily in them).

As always, the best defense here is user education. Besides general awareness, it might be good to warn your users (especially the C*O levels) about this particular attack as it does rely purely on social engineering (the user has to confirm that he wants the executable opened).


Published: 2007-05-24

Cross-Platform OpenOffice Virus Proof of Concept

A virus writer sent a proof-of-concept virus called BadBunny to Sophos that uses vulnerabilities in OpenOffice to infect Windows, Linux and Mac OS X. Depending on the host operating system, the virus will perform different actions to infect the target machine. In this case, it downloads a lewd image of a scantily clad woman and a dude in a big ol' bunny suit. It's not the first or last attempt at such cross-platform virus writing (or the inclusion of bizarre graphics in malware) but the limitation of seeing much of this cross-platform work lies in the fact that few applications are widely deployed and run on multiple operating systems. Few people use OpenOffice (in comparison to MS Office) to make it worth the while of a would-be attacker looking for anything other than bragging rights. However, viruses are possible for a variety of operating systems (yes, including Mac OS X) and the day may come when those users will have to be just as vigilant as those on Windows.

John Bambenek / bambenek {at} gmail [dot] com
University of Illinois at Urbana-Champaign


Published: 2007-05-23

cisco crypt lib vulnerability

What appears to be a fairly far-reaching ASN.1 DoS vulnerability in Cisco products was recently announced.
It is in a third-party crypto library that appears to have been used in lots of different Cisco products.
This affects SSH, SSL, EAP-TLS, SIP-TLS, TIDP, IPSEC, CAPF and TAPI on several different platforms depending on usage and OS.
It appears the vulnerable services/protocols may be enabled by default in some instances.
After a discussion with an informed source, Cisco IOS less than 12.3(2)T is not vulnerable unless a crypto map has been applied to the interface.

All the text in italics is quoted from the Cisco advisory available here:

Affected Products
Cisco IOS
Cisco IOS XR
Cisco PIX and ASA Security Appliances (only 7.x releases are affected)
Cisco Firewall Service Module (FWSM), all releases prior to 2.3(5) and 3.1(6) are affected
Cisco Unified CallManager

Affected protocols in Cisco IOS
In Cisco IOS two features rely on ISAKMP - IPSec and Group Domain of Interpretation (GDOI).

Prior to IOS version 12.3(2)T, IKE was enabled by default, with no crypto configuration needed for the IOS device to process IKE messages.

12.2SXD versions of Cisco IOS have IKE enabled by default. To ensure that IKE processing is disabled, enter the global configuration command no crypto isakmp enable.

As of IOS version 12.3(2)T (which includes all 12.4-based versions), crypto configuration is required to enable IKE message processing.
In order for an IOS device to be vulnerable, a crypto map must be explicitly configured and applied to an interface.

Affected protocols in Cisco IOS XR

Internet Security Association and Key Management Protocol (ISAKMP)
In some IOS XR releases the Secure Socket Layer (SSL) may also be affected
Secure Shell (SSH)

Affected protocols in Cisco Firewall Service Module (FWSM)

Internet Security Association and Key Management Protocol (ISAKMP)

Affected protocols in Cisco Unified CallManager
Certificate Authority Proxy Function (CAPF)
Cisco TAPI Service Provider (Cisco Unified CallManager TSP)

See the advisory for mitigations, fixed software and a complete list of which products are vulnerable.


Published: 2007-05-23

Auscert day 3 update

Well, the last day of the main conference has passed at Auscert and those not staying behind for the tutorials are winging their way back home.  Quite a number of delicate heads this morning after the gala dinner last night, but the day forged on.

Keynote - Web 2.0 - Securing the Brave New World
The keynote today was Mary Ann Davidson (Oracle Corporation).  Mary Ann discussed a number of the challenges facing us in the web 2.0 world. Where perimeters fade, more and more data is available, there is more to defend and the “need to share trumps the need to know”. She also discussed some of the social aspects regarding the information that is readily available to people, both within organisations as well as on the internet and the need for stronger control over who has access to this information (at least within the organisation).

  • Know thy Enemy: deconstructing a multi-billion message spam attack & the criminals behind it - Patrick Peterson (Ironport Systems) gave an interesting presentation on the world behind spam and how it works. Patrick went into some of the specifics of how the spam is delivered, changed and again delivered. How some pieces of spam change every 15 minutes or so and how the domains associated with them are registered and used.
  • The Cyber Criminal Economy - Stas Filshtinskiy (ANZ) gave an insight into the cyber criminal economy, which in turn explained why certain things happen in our environment.
  • Large Scale Flow Collection and Analysis - Mike Newton’s (Stanford University) presentation gave us information on how the university uses Argus to collect and analyse large amounts of data at the university. The information was used for multiple purposes which included identifying compromised hosts, but also to identify the firewall rules required within their infrastructure.
  • Traditional IDS should be dead - Richard Bejtlich (TaoSecurity). Richard’s presentation went into some of the shortcomings of Intrusion Detection Systems. Essentially providing an alert regarding an event is not enough. To identify if there is really an issue the information has to be correlated, ideally from sources other than the one providing the alerts.
Those are pretty much all the sessions I was able to attend today. This was my first Auscert event and I enjoyed it, caught up with some old friends, made some new ones. On to the next one.



Published: 2007-05-23

Microsoft Advisories

Microsoft has just released two security advisories
The first actually states that it does not address a security vulnerability; it provides a fix for the Windows Installer.  The second one is a conversion tool for Office 2003 to convert documents to the new XML format used by Office 2007, plus a file block utility.   The details are in the respective advisories.  There is also an entry on the MSRC blog with more information on MOICE.


Published: 2007-05-22

Multiple vulnerabilities in Cisco IOS SSL implementation

Cisco published an advisory about multiple vulnerabilities in their IOS SSL implementation (http://www.cisco.com/en/US/products/products_security_advisory09186a0080847c49.shtml).
Several SSL messages (ClientHello, ChangeCipherSpec and Finished), when malformed, can cause Cisco IOS devices to crash.

Cisco said that this is only a DoS attack (no code execution seems to be possible) but as there are a lot of affected devices you should either install the patch or follow the workarounds (which are to disable the affected service(s)).

Thanks to Marc, CJ and Jim.


Published: 2007-05-22

Followup to packet tools story

As promised (several weeks ago) here is the followup to my earlier story asking for suggestions of tools for capturing, generating/modifying, or replaying IP packets.  The response from our readers was overwhelming and I wanted to thank all who responded.  Since the day job and family life got in the way of posting this sooner, I'm just going to post the list of tools today.  Later this week, I hope to update this story and categorize the tools a little bit.  Because of the tremendous response, I plan to look at a couple of the tools in more detail on my next HOD shift (unless there is some massive breaking story that requires my attention then).

  • netdude
  • nemesis
  • ettercap
  • daemonlogger
  • netcat
  • dsniff
  • yersinia
  • hunt
  • bittwist
  • scruby
  • sing
  • rain
  • nbtscan
  • netwox
  • thc-rut
  • ntop
  • scanrand
  • CommView (commercial tool)
  • xprobe2
  • lft
  • tcpflow
  • tcpxtract
  • kismet
  • queso
  • fragrouter
  • amap
  • thcipv6
  • thcscan
  • juggernaut
  • gspoof
  • aldeberan
  • dhcping (there are apparently 2 different tools by this name)
I would also be remiss if I didn't include a pointer to fellow handler Bill Stearns' page of pcap tools (why didn't I just ask him first....?) at http://www.stearns.org/doc/pcap-apps.html.  Again, thanx to all those who responded.


Published: 2007-05-22

Auscert day 2 update

The second day of Auscert has passed with a number of interesting presentations. I didn’t quite get to all the sessions I wanted to due to meetings and clashing times, but that’s the way it goes.

The keynote today was delivered by Howard A. Schmidt (R & H Security Consulting, LLC), an interesting speaker, known to many of us.  He brought up a number of interesting ideas.  One observation was that organised crime has changed focus somewhat over the last few years. It used to be “grab all the information you can” and see what can be sold. Nowadays it is more targeted, specific types of accounts or details are harvested and sold.

Another area Howard explored was quality control in coding. He posed the question “30 years after the first buffer overflow, why do we still have to deal with it today?” He also provided an explanation as to why patching was more expensive for a software house, than proper quality control and testing.

Howard touched on IPv6 as an opportunity to get it right the first time, as well as issues relating to wireless networks that are being deployed around the world by councils, etc.

He finished by discussing Peer 2 Peer networks where personal and corporate information is being shared, evident through searches on these types of networks.

Nelson Murilo (Pangeia) is the author of chkrootkit.  He explained where the idea came from and took us through the different generations of the products over the last 10 years.

ISO 27001 Certification Process
Tammy Clark (Georgia State University) took us through the process that Georgia State University went through to implement an Information Security Management System (ISMS). The presentation discussed some of the basic steps needed and some of the challenges faced by the university.

There was an R&D stream where students presented papers on their research, which made an interesting change from the main stream presentations.

Tomorrow is the last day before the tutorial sessions on Thursday and Friday.


Published: 2007-05-22

Analyzing an obfuscated ANI exploit

Some time ago one of our readers, Andrew, submitted an interesting ANI exploit sample. Unless you’ve been under a rock for the last couple of months, you heard about the latest ANI vulnerability.

Most of the exploits we’ve seen so far (and we’ve seen thousands of them) didn’t try to obfuscate the exploit code. The exploit code itself almost always contained a downloader that downloaded the second stage binary from a remote site and executed it on the victim’s machine.

As the exploit wasn't obfuscated, running a simple strings command was enough to see the URL of the second stage binary. So, in order to see the second stage binary, Andrew ran the strings command on the new ANI exploit; however, this time no URL was present:

$ strings 123.htm


Those experienced analysts amongst you will immediately notice the string starting with jvvr< and will comment that this must be a XOR-ed URL (http://something). In other words, it appears that this exploit is obfuscating the target URL. Andrew came to the same conclusion and tried to crack the XOR code.

If you try to XOR jvvr to get http, you will see that the correct XOR value is 0x02. The easiest way to do this is to use a nice little utility by Didier Stevens called XORSearch (http://didierstevens.wordpress.com/programs/xorsearch/). This utility allows you to brute force a file in order to find a XOR key for any string in the file. So I downloaded the utility and ran it on the ANI exploit sample and indeed, the correct XOR value for the http string is 0x02, but the rest of the URL was still not there:

D:\>XORSearch.exe 123.htm http
Found XOR 02 position 01FB: http>3360921:02;62803;03RSTEPAD2EXE

We can see something at the end as well that looks like notepad.exe. This means that the URL is either XOR-ed with multiple keys or some other obfuscation is used. At this point you have a couple of options: you can play with brute forcing, you can infect a goat machine and just see what happens (it's easy enough to capture network traffic of a goat machine and see what the target URL is) or you can try to analyze the exploit code itself – and that's what we'll do.
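Why the XOR search found only the first four letters, as an added example that is neither from the diary nor XORSearch's own code: the block brute-forces single-byte XOR keys the way XORSearch does and, in addition, single-byte subtraction keys, then keeps the transform whose decoding yields the longest URL-like run. Adding 2 to a byte gives the same result as XORing it with 2 whenever bit 1 of the plaintext byte is clear, which holds for 'h', 't' and 'p' but not for ':' (0x3a), so a XOR-only search recovers "http" and then garbage while the additive key recovers everything. The encoded URL in the sample is constructed and the hostname is made up.

```python
TRANSFORMS = {
    "xor": lambda data, key: bytes(b ^ key for b in data),
    "sub": lambda data, key: bytes((b - key) & 0xFF for b in data),
}

# Bytes accepted as part of a recovered URL (a deliberately narrow set).
URL_CHARS = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                      b"0123456789:/.-_~?=&%+")

# Constructed sample: a made-up URL with 2 added to every byte, inside 0x0b filler,
# mirroring the shape of the diary's sample. Not the real exploit bytes.
PLAIN_URL = b"http://malware.example.invalid/boot.exe"
SAMPLE = b"\x0b" * 16 + bytes((c + 2) & 0xFF for c in PLAIN_URL) + b"\x0b" * 8


def search_keys(data: bytes, needle: bytes) -> list[tuple[str, int, int]]:
    """Try every single-byte XOR and SUB key (XORSearch-style, extended to
    subtraction); return (transform, key, offset) for each key that reveals needle."""
    hits = []
    for key in range(256):
        for name, fn in TRANSFORMS.items():
            pos = fn(data, key).find(needle)
            if pos != -1:
                hits.append((name, key, pos))
    return hits


def url_run(data: bytes, start: int) -> bytes:
    """Longest run of URL-legal bytes beginning at start."""
    end = start
    while end < len(data) and data[end] in URL_CHARS:
        end += 1
    return data[start:end]


def recover_url(data: bytes, needle: bytes = b"http") -> tuple[str, int, str]:
    """Among all hits, keep the transform whose decoding gives the longest URL-like
    run: a key that decodes only the needle itself (XOR 0x02 here) loses to the
    key that decodes the whole URL (SUB 0x02)."""
    best = ("", -1, "")
    for name, key, pos in search_keys(data, needle):
        candidate = url_run(TRANSFORMS[name](data, key), pos)
        if len(candidate) > len(best[2]):
            best = (name, key, candidate.decode("ascii"))
    return best


if __name__ == "__main__":
    for hit in search_keys(SAMPLE, b"http"):
        print("hit:", hit)
    print("best:", recover_url(SAMPLE))
```

Both transforms report key 2 at the same offset, which is the "http>3360921..." situation the diary ran into; scoring the decoded run rather than just the needle is what picks the right one. Extending the table with rotate or multi-byte keys is straightforward, but the diary's later disassembly shows a single subtract-2 loop is all this sample uses.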

The trick with the latest ANI exploit was that the two bytes after the “anih” section define how many bytes are to be copied. As the vulnerable function reserved only 36 bytes on the stack it was easy to cause a buffer overflow (I won’t go into details now but the first section copy function was patched previously). So, let’s see what we have in this file:

$ xxd 123.htm
0000000: 5249 4646 0004 0000 4143 4f4e 616e 6968 RIFF....ACONanih
0000010: 2400 0000 2400 0000 ffff 0000 0a00 0000 $...$...........
0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000030: 1000 0000 0100 0000 5453 494c 0300 0000 ........TSIL....
0000040: 1000 0000 5453 494c 0300 0000 0202 0202 ....TSIL........
0000050: 616e 6968 a803 0000 0b0b 0b0b 0b0b 0b0b anih............
0000060: 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b ................

We sure have two anih sections. The buffer size of the second section (the a803 0000 at offset 0x54 above) is 0x03a8, which is actually 936 bytes – right to the end of the file. We can also see that this section starts with a lot of 0x0b bytes. After a bunch of 0x0b bytes we can see something that looks like real code:

00000a0: 0b0b 0b0b 0b0b 0b0b 17a2 4000 0b0b 0b0b ..........@.....
00000b0: 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b ................
00000c0: 31c9 6681 c138 02eb 035e eb05 e8f8 ffff 1.f..8...^......
00000d0: ff83 c609 802e 0246 e2fa ea02 0202 025f .......F......._
00000e0: 83ef 2f14 4202 ea8a 0302 028f 872b 1542 ../.B........+.B
00000f0: 02ea 0202 0277 746e 6f71 7030 666e 6e02 .....wtnoqp0fnn.
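A parser-level check for the condition described above, as an added example that is not from the diary: walk the top-level RIFF chunks of an ANI file and flag any anih chunk whose declared size is not the 36 bytes of an ANIHEADER, or a second anih chunk at all. Both ANI samples in the block are constructed (the suspicious one carries only 0x0b filler, no code); the RIFF chunk layout is standard, the ok/suspicious decision is an assumption.

```python
import struct

ANIHEADER_SIZE = 36  # sizeof(ANIHEADER): nine DWORD fields


def riff_chunk(cid: bytes, payload: bytes) -> bytes:
    """One RIFF chunk: 4-byte id, little-endian size, payload, padded to even length."""
    pad = b"\x00" if len(payload) & 1 else b""
    return cid + struct.pack("<I", len(payload)) + payload + pad


def build_ani(chunks: list[bytes]) -> bytes:
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def anih_payload() -> bytes:
    # cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
    return struct.pack("<9I", ANIHEADER_SIZE, 1, 1, 0, 0, 0, 0, 10, 1)


# Constructed samples (not real files): a benign cursor with one well-formed anih
# chunk, and one that carries a second anih chunk whose declared size is far larger
# than the 36-byte header the parser expects.
BENIGN_ANI = build_ani([riff_chunk(b"anih", anih_payload()),
                        riff_chunk(b"LIST", b"fram")])
SUSPICIOUS_ANI = build_ani([riff_chunk(b"anih", anih_payload()),
                            riff_chunk(b"LIST", b"fram"),
                            riff_chunk(b"anih", b"\x0b" * 200)])


def walk_chunks(data: bytes) -> list[tuple[bytes, int, int]]:
    """(chunk id, declared size, header offset) for each top-level chunk. Only the
    top level is walked; that is where the diary's second anih chunk sits."""
    if data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise ValueError("not a RIFF/ACON (ANI) file")
    riff_end = min(len(data), 8 + struct.unpack_from("<I", data, 4)[0])
    chunks, pos = [], 12
    while pos + 8 <= riff_end:
        cid = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        chunks.append((cid, size, pos))
        pos += 8 + size + (size & 1)  # an oversized chunk simply ends the walk
    return chunks


def assess_ani(data: bytes) -> dict:
    """Flag files with more than one anih chunk or an anih chunk whose declared
    size is not the 36 bytes of an ANIHEADER."""
    anih = [(off, size) for cid, size, off in walk_chunks(data) if cid == b"anih"]
    oversized = [(off, size) for off, size in anih if size != ANIHEADER_SIZE]
    return {
        "anih_count": len(anih),
        "oversized": oversized,
        "verdict": "suspicious" if (len(anih) > 1 or oversized) else "ok",
    }


if __name__ == "__main__":
    print(assess_ani(BENIGN_ANI))
    print(assess_ani(SUSPICIOUS_ANI))
```

This is the structural check a gateway or IDS rule can make without any knowledge of the payload's encoding; it is indifferent to how the shellcode is obfuscated because it looks at the chunk header the vulnerable copy uses, not at the bytes that follow it.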

So what we’ll do now is take this code and disassemble it. It looks like the real code starts at 0x00000c0, so let’s get rid of everything before that:

$ dd if=123.htm of=code ibs=1 skip=192

Now there are various ways to disassemble this. If you are lucky and have a license for IDA Pro you can just load this file into it (actually, you can even load the 123.htm file and then manually tell IDA Pro to start disassembling the code around 0x00000c0). As I really like OllyDbg, I tend to do everything with it, but in order to load this code into OllyDbg we have to create a PE file. The process now is the same as when you analyze shellcode, so the easiest way is to use iDefense's Malcode Analysis Pack and its Shellcode2Exe utility (http://labs.idefense.com/software/malcode.php#more_malcode+analysis+pack).

Once you’ve done this you will have an executable file with proper sections and headers that actually executes your code. This is how it looks in OllyDbg:


So what do we have here? The real code starts at 0x00401020. It first zeroes the ECX register (the XOR command) and adds 0x238 to it. Then it does couple of jumps and a CALL in order to get the address of the ADD ESI,9 instruction into the ESI register. This is a standard method to get the code address into a register (a CALL instruction followed by a POP instruction). The code skips 9 bytes and then loops for next 0x238 bytes. In the loop, each byte is decreased by 0x02! Aha, so this is how they obfuscated it – the code modifies itself completely (both the URL and the actual code).

You can now execute this in OllyDbg and see what happens (you will have to set a breakpoint after the loop and then tell OllyDbg to re-analyze this section). Or, if you are just interested in the final URL, we can use perl to subtract 0x02 from every byte in this file. Two details matter for binary input: slurp the whole file (-0777) and let the dot match newlines (/s), otherwise every 0x0a byte is skipped and the output is wrong, and mask the result with 0xff so bytes below 0x02 wrap instead of turning into wide characters. The decoder stub's own bytes get decremented too, which does no harm since we only want the strings:

$ perl -0777 -pe 's/(.)/chr((ord($1)-0x02)&0xff)/sge' < code > final

$ strings final

And here we are! You can see that the code loads urlmon.dll, uses URLDownloadToFileA() function to download the URL at the bottom and saves this as c:\boot.inx.
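The whole procedure above (locate the decoder loop, subtract the key from the bytes that follow it, run strings over the result) as an added Python example; it is not part of the original diary. Rather than hard-coding 0x238 and 2, it reads the byte count from the add ecx,imm32 and the key from the sub byte [esi],imm8 opcodes, so it also handles a variant that changed either value. The blob it decodes is constructed: the stub layout follows the jmp/call/pop shape described above and the strings are placeholders, none of it is the actual content of 123.htm.

```python
"""Emulate the ANI shellcode's self-decoding loop and dump the decoded strings.

The diary's stub is: xor ecx,ecx / add ecx,0x238 / (jmp, call, pop esi to get
the address of 'add esi,9') / add esi,9 / sub byte [esi],2 / inc esi / loop.
Every one of the ECX bytes following the 9-byte loop body has the SUB immediate
subtracted from it. This script finds those opcodes and replays the loop.
"""
import re
import struct

ADD_ECX_IMM32 = b"\x81\xc1"                 # add ecx, imm32
LOOP_BODY = re.compile(
    rb"\x83\xc6\x09"                         # add esi, 9
    rb"\x80\x2e(.)"                          # sub byte ptr [esi], imm8  (the key)
    rb"\x46"                                 # inc esi
    rb"\xe2\xfa",                            # loop back 6 bytes, to the sub
    re.DOTALL,
)


def find_decoder(blob: bytes):
    """Return (key, count, payload_offset) read from the decoder's opcodes."""
    m = LOOP_BODY.search(blob)
    if not m:
        raise ValueError("decoder loop (add esi,9 / sub [esi] / inc esi / loop) not found")
    key = m.group(1)[0]
    pos = blob.rfind(ADD_ECX_IMM32, 0, m.start())
    if pos < 0:
        raise ValueError("add ecx,imm32 not found before the loop")
    count = struct.unpack_from("<I", blob, pos + 2)[0]
    return key, count, m.end()          # ESI + 9 == first byte after the loop


def decode(blob: bytes) -> bytes:
    """Replay the loop: subtract key from each of the count bytes after the stub."""
    key, count, start = find_decoder(blob)
    body = blob[start:start + count]
    if len(body) != count:
        raise ValueError("blob is shorter than the decoder's byte count")
    return bytes((b - key) & 0xFF for b in body)


def strings(data: bytes, minlen: int = 4) -> list:
    """Printable ASCII runs of at least minlen bytes, like the strings(1) step."""
    pattern = rb"[\x20-\x7e]{%d,}" % minlen
    return [s.decode("ascii") for s in re.findall(pattern, data)]


def build_sample(key: int = 2) -> bytes:
    """Constructed test input (NOT the bytes of 123.htm): a getpc stub laid out
    as the diary describes, followed by a payload encoded by adding key."""
    plain = (b"urlmon.dll\x00URLDownloadToFileA\x00"
             b"http://host.invalid/123.exe\x00c:\\boot.inx\x00")
    encoded = bytes((b + key) & 0xFF for b in plain)
    stub = (
        b"\x33\xc9"                                      # 00: xor ecx,ecx
        + b"\x81\xc1" + struct.pack("<I", len(encoded))  # 02: add ecx,count
        + b"\xeb\x03"                                    # 08: jmp short 0x0d
        + b"\x5e"                                        # 0a: pop esi (= 0x12)
        + b"\xeb\x05"                                    # 0b: jmp short 0x12
        + b"\xe8\xf8\xff\xff\xff"                        # 0d: call 0x0a
        + b"\x83\xc6\x09"                                # 12: add esi,9 -> 0x1b
        + b"\x80\x2e" + bytes([key])                     # 15: sub byte [esi],key
        + b"\x46"                                        # 18: inc esi
        + b"\xe2\xfa"                                    # 19: loop 0x15
    )                                                    # 1b: encoded payload
    return stub + encoded


if __name__ == "__main__":
    sample = build_sample()
    key, count, off = find_decoder(sample)
    print(f"key=0x{key:02x} count=0x{count:x} payload at 0x{off:x}")
    for s in strings(decode(sample)):
        print(s)
```

Run it against the output of the dd step instead of build_sample() and the decoded strings are what strings(1) printed above; if the loop pattern is not found the script stops rather than silently decoding with a guessed key, which is the check a variant with a rewritten stub would trip.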

Luckily, the AV vendors were on the ball this time – almost all of them detected the ANI file properly (I do wonder if they had specific signatures for this or used a generic/heuristic one).


Published: 2007-05-22

Opera fixes the torrent vulnerability

Opera Software has released Opera 9.21. This version fixes a buffer overflow vulnerability that can be exploited with malicious torrent files and lead to arbitrary code execution. According to Opera’s advisory available at http://www.opera.com/support/search/view/860/, the vulnerability can be exploited only when the user right-clicks on the malicious torrent entry in the transfer manager – just clicking on the torrent link is ok.

The new version can be downloaded from http://www.opera.com/download/.

Thanks to Juha-Matti.


Published: 2007-05-21

Estonia, Botnets, and Economic Warfare

Now that the Estonia cyber attacks have waned somewhat, a wealth of discussion is being had on the implications of electronic warfare. Arbor Networks has a good technical analysis available on this. In this case, Russia tends to be blamed for the attacks over a row between Estonia and Russia over a cold-war era statue. My personal hunch is that this is more of a case of hacktivism. There was plenty of protest and boycotts from the pro-Russian side to indicate there were plenty of people spun up with fervor over the issue to put their botnets to work. Running a botnet and firing off an ICMP DDoS isn't difficult to pull off compared to say, poisoning a critic with Polonium 210. This is more likely a case of a bunch of people getting really torqued off and wanting a piece of the action (call it the "Blue Security treatment").

However, now that this has happened on a national scale, there will likely be more incidents of hacktivism on a large scale trying to take down organizations in the wake of some political or social controversy. I'd bet money that we'll see some of this with the general election in 2008 in the United States on a larger scale, certainly if the candidates are in any way controversial. Since botnets are only growing and will likely branch away from IRC-based controllers to other methods that are more quiet, it'll be a persistent problem for a long time... at least as long as it takes for us to figure out how to harden consumer PCs that often have no protection at all and are the low-hanging fruit for gibbering packet apes wanting to spew ICMP love.

John Bambenek - bambenek /at/ gmail (dot) com


Published: 2007-05-21

Auscert 2007 Update

Johannes, Marc and I are currently at the Auscert Conference on the Gold Coast in Queensland Australia. It brings together a number of speakers from all over the world and is attended by over 1100 delegates.  I'll be summarizing some of the information here.  Both Johannes and Marc had their presentations today, both of which were very well attended and received.

The keynote today was delivered by Ivan Krstić (One Laptop Per Child). Ivan's presentation was thought provoking for many of the attendees. One of the ideas he presented is that the security industry as a whole has failed our users. We are asking people to make decisions that they really should not have to make, for example the bad certificate warning that we are all familiar with. The majority of users will click Yes or OK because that makes things work. One of the problems is, Ivan suggests, that we are living with a concept from 1971, user based permissions. "Why do programs have to run with the permissions of the user?" he asked us. Programs typically do not need the same permissions; for example Minesweeper does not need to download files, and calc does not need to save files.

Another thought he presented was that in the security industry we don't look enough into the past.  Better models than the user permissions model were available as far back as 1959.  When scientists need answers they often look into the past to see what has gone before.  In security it seems that everything is a new idea, even though it has been done before.  For example virtualisation, a hot concept, but to ex-mainframe people like myself it is certainly not new concept.  It has been around for years, and is done well.

Ivan also talked about one of the solutions they developed (Bitfrost) to have a system that can run any code, malicious or not, without damaging the underlying system, basically using virtualisation for each piece of code, essentially a sandpit for each program. An interesting talk and a good start to the day.

Toxbot Takedown
Scott McIntyre (FIRST, KPN-CERT, XS4ALL) presented on the Toxbot takedown.  An entertaining presentation where he not only demonstrated his aptitude in Australian, but also showed us some home truths regarding the size and complexity of this botnet.  Toxbot received quite a lot of press with a large number of bots and the perpetrators eventually ending up with jail sentences and fines.   The presentation went into some of the numbers of machines infected, which BTW is very high, as well as information on the number of machines that are still infected today.  He discussed the large number of variations and how new exploits were tagged on to the malware as they became available.   Scott also went into  PHP attacks seen and how botnets use both legit IRC services as well as setting up their own C&Cs.  He also suggested that many ISPs can do  a lot better in the incident handling and security space, which makes commercial sense for them as customers increasingly ask for this.  

Exploits, rootkits, bootkits, fruitkits!
Paul Ducklin (Sophos) showed people some static malware analysis tricks and pulled apart the ANI exploit.  Explaining that a number of exploits that we see are often because IE will blindly execute things that it "trusts".

More tomorrow.



Published: 2007-05-18

Symantec AV problem on XP SP2 Simplified Chinese

We received a report that Symantec Antivirus was identifying two system files (netapi32.dll and lsass.exe) on the Simplified Chinese version of Windows XP SP2 as a virus (Backdoor.Haxdoor) and deleting them. This prevents the machines from booting correctly. News reports are limited at this time, so it's difficult to confirm. But the following sources are available:



Published: 2007-05-17

Dell Phish

We've received a few reports of an e-mail claiming to be from Dell confirming an order.

The e-mail tells the reader to click on a link (http://147.202.x.x) to check the order.

Clicking on the link downloads a trojan to the user's PC.

More information is available from AusCERT (http://www.auscert.org.au/render.html?it=7595) and Websense (http://www.websense.com/securitylabs/alerts/alert.php?AlertID=774)
-Chris Carboni


Published: 2007-05-16

People Will Click On Anything

Didier Stevens documented an interesting experiment, in which he purchased a Google ad that encouraged people to click on the ad to be infected. (Thanks for the pointer, Johannes!) Didier was curious to see how many people would actually click. More than you might think. It turns out, the "ad was displayed 259,723 times and clicked on 409 times. That’s a click-through-rate of 0.16%." Not bad at all, considering that the campaign cost around $23.

The ad said:
Drive-By Download
Is your PC virus-free?
Get it infected here!
Enticing potential victims via ads to visit a site that turns out to be malicious is  a popular attack vector. Exploit Prevention Labs documented one such example a few weeks ago, where a Google ad that seemed to advertise the Better Business Bureau took the victim to a malicious site before forwarding him or her to the actual BBB website. The malicious site used "a modified MDAC exploit to try to install a backdoor" and a keylogger on the victim's system.

Another example comes from Google's research paper that describes a malicious ad found on a video sharing site in December 2006. The page included a banner ad from a "large American advertising company. The advertisement was delivered in form of a single line of JavaScript that generated JavaScript to be fetched from another large American advertising company. This JavaScript in turn generated more JavaScript pointing to a smaller American advertising company..." The ad "resulted in a single line of HTML containing an iframe pointing to a Russian advertising company. When trying to retrieve the iframe, the browser got redirected, via a Location header" that directed the browser to retrieve malicious JavaScript.

Perhaps there is no need for attackers to create advanced redirection chains or elaborate deception schemes. As Didier Stevens' experiment confirmed, people will click on anything.

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC


Published: 2007-05-16

Scammers Use Social Networks for Increased Effectiveness

In an insightful interview captured on the ha.ckers.org site, a phisher emphasizes the benefits of targeting users of social networking sites such as MySpace and Facebook, LinkedIn, and so on. He claims that his efforts yield him $3,000-$4,000 per day. (If you have any data supporting or refuting this figure, please let us know.)

The phisher's money-making activities involve the following actions:
  • Capturing logon credentials via a fake social networking site that resembles the one being spoofed.
  • Using captured contact information or compromised accounts to send advertising, profiting from Cost Per Action (CPA) deals.
  • Accessing the victim's email accounts using captured logon credentials. (Most people use the same credentials on multiple sites.)
  • Using compromised email accounts to gain access to commercial sites such as PayPal, E-gold, eBay and selling access to these accounts.
Why focus on users of social networking sites? Because social networks provide a trusting context within which the victims will be more likely to take the phisher's bait. Ultimately, this means that the phisher's activities will yield higher profits.

One such campaign was made public in February, when MySpace sued Scott Richter for allegedly compromising MySpace accounts via phishing schemes and then using MySpace to send unsolicited messages to the victim's friends advertising Polo shirts, ringtones, and other products.

According to an Indiana University study, 72% of individuals who received phishing messages spoofed to come from their social network acquaintances were fooled. In contrast, only 15% of the recipients were fooled when the messages came from an unknown party. Clearly, scammers have a strong incentive to data-mine social networks when crafting phishing campaigns. As I mentioned in a diary a while back, social networking sites have a small neighborhood feel that makes the participants comfortable with revealing personal details that make attacks more effective.

The inclusion of personal details in phishing messages seems to be on the rise. For instance, MessageLabs observed an increase in the number of phishing messages that include personal details, such as names, addresses and zip codes. This data can be harvested from social networking sites with relative ease with website crawlers or website worms, such as those that have targeted MySpace and Orkut.

An attacker wishing to use a social network for a targeted attack can gain access to profile information with relative ease even without compromising accounts. In a study conducted by CSIS Security Group, a researcher set up a test account in LinkedIn, and specified in the profile that he worked at the large company he selected as the target for the case study. He was able to use the account to connect to other LinkedIn users from the same company, and even received unsolicited invitations from the employees to link to them. In less than 2 weeks, he was able to build a substantial network with email addresses, names, and other information about companies he could target for a subsequent attack.

According to a CA/NCSA study, 73% of adults who use social networking sites have given out personal information such as email address, name and birthday. Apparently, some even provided their social security number. Almost half of the respondents chose not to restrict access to their profile, even though they knew how to do that.

What can you do to mitigate the risks of social networks being used to aid in an attack against you or your organization? We're open to suggestions, but here are a few ideas that come to mind:
  • Limit the information you make available in profiles on social networking sites.
  • Restrict who can view your profile to the individuals you trust.
  • Only accept "let's connect" invitations from people you trust to see your profile information.
  • Educate users in your organization about the risks of using social networking sites promiscuously.
  • Create enforceable policies in your organization governing the use of social networking sites. (Sometimes a bit of guidance can go a long way.)

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC


Published: 2007-05-15

Full-Width/Half-Width Unicode Bypasses HTTP Scanning

US-CERT has a vulnerability note out (VU#739224) that describes how full-width and half-width Unicode encoding manages to bypass many HTTP content scanning engines. This would allow remote attackers to hide malicious HTTP traffic by encoding it and have it slip happily past your IDS/IPS. This isn't an exploit itself, but it allows exploits that would normally be detected (or blocked) to get through your IDS/IPS undetected. The only vendor with a verified vulnerability to this so far is Cisco, which has its own advisory out. However, many vendors have either not responded or not verified whether their software is vulnerable to this, including desktop anti-virus software. The vulnerability has apparently been known since April 16th and was made public yesterday.

UPDATE: 3:45 pm CDT, 5/15/07 - Tipping Point has confirmed they are vulnerable as well.
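What the note describes, as an added example that is not from US-CERT or any vendor: a byte-level signature matcher finds no "cmd.exe" in a request whose ASCII has been re-encoded as full-width forms (U+FF01..U+FF5E, the printable ASCII range shifted by 0xFEE0), while a matcher that decodes the request and folds compatibility characters with NFKC before comparing sees the original. The request and the signature list are constructed for the demo; half-width katakana forms, which the note also covers, are not exercised here.

```python
"""Full-width Unicode versus signature matching: naive bytes vs NFKC-normalized."""
import unicodedata

# Constructed stand-ins for an IDS/IPS content rule set.
SIGNATURES = ["../..", "cmd.exe", "<script"]


def to_fullwidth(text: str) -> str:
    """Re-encode printable ASCII (0x21-0x7e) as its full-width form (U+FF01-U+FF5E)."""
    return "".join(
        chr(ord(c) + 0xFEE0) if 0x21 <= ord(c) <= 0x7E else c for c in text
    )


def naive_match(raw: bytes) -> list:
    """Byte-oriented matcher: compares the wire bytes against ASCII signatures.
    Each full-width character arrives as three UTF-8 bytes, so nothing matches."""
    seen = raw.decode("latin-1")          # one char per byte, no interpretation
    return [sig for sig in SIGNATURES if sig in seen]


def normalized_match(raw: bytes) -> list:
    """Hardened matcher: decode as UTF-8 and apply NFKC before comparing, which
    folds U+FF0E U+FF0E U+FF0F back to '../' the way the target server will."""
    seen = unicodedata.normalize("NFKC", raw.decode("utf-8", errors="replace"))
    return [sig for sig in SIGNATURES if sig in seen]


# Constructed request; not taken from the advisory.
PLAIN_REQUEST = b"GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
ENCODED_REQUEST = to_fullwidth(PLAIN_REQUEST.decode("ascii")).encode("utf-8")

if __name__ == "__main__":
    print("plain,   naive:", naive_match(PLAIN_REQUEST))
    print("encoded, naive:", naive_match(ENCODED_REQUEST))
    print("encoded, NFKC :", normalized_match(ENCODED_REQUEST))
```

The practical check for your own gear is the same shape: send a request you know your IDS flags, then the full-width re-encoding of it, and see whether the second one still alerts. Normalizing to the form the server actually interprets, rather than matching raw bytes, is what closes the gap.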

John Bambenek - bambenek /at/ gmail (dot) com
University of Illinois - Urbana-Champaign


Published: 2007-05-14

New Samba release fixes three important vulnerabilities

The Samba project has just released version 3.0.25 of their SMB/CIFS server software. As this is widely used to serve printer and filesystem access from Unix servers to networks with Windows clients, we suggest reviewing whether you may need to upgrade.

CVE-2007-2446 is a remote code execution vulnerability through multiple heap overflows. It applies to versions 3.0.0 through 3.0.25rc3.

CVE-2007-2444 can allow a user to temporarily escalate their privileges to root. It applies to versions 3.0.23d through 3.0.25pre2.

CVE-2007-2447 allows for remote code execution through unescaped input parameters to /bin/sh. A workaround consists of removing all external script invocations from the SMB configuration file. It applies to versions 3.0.0 through 3.0.25rc3.
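The bug class behind CVE-2007-2447, shown as an added example in Python rather than in Samba's own C code: the vulnerable form interpolates an attacker-chosen name into a command line that /bin/sh parses, the fixed form hands it over as one argv element that no shell ever interprets. The "echo" script and the username are constructed stand-ins for a site's mapping script (the username map script hook is what the diary's workaround removes) and for an SMB session setup name.

```python
"""Command injection via /bin/sh: vulnerable string interpolation vs argv."""
import subprocess


def run_map_script_vulnerable(script: str, username: str) -> str:
    """Vulnerable pattern: build a command line and let /bin/sh parse it.
    Shell metacharacters in `username` (; | ` $()) become extra commands."""
    cmd = f"{script} {username}"
    return subprocess.run(["/bin/sh", "-c", cmd],
                          capture_output=True, text=True, check=False).stdout


def run_map_script_fixed(script: str, username: str) -> str:
    """Fixed pattern: execve-style argv. The name is a single argument, so
    '; echo ...' is just data the script receives verbatim."""
    return subprocess.run([script, username],
                          capture_output=True, text=True, check=False).stdout


# Constructed attacker-controlled username, as it might arrive in a session setup.
INJECTED_NAME = "alice; echo INJECTED"

if __name__ == "__main__":
    # "echo" stands in for the site's mapping script so the demo is harmless.
    print(run_map_script_vulnerable("echo", INJECTED_NAME).splitlines())
    print(run_map_script_fixed("echo", INJECTED_NAME).splitlines())
```

Removing the script hooks from smb.conf, as the diary suggests, takes the /bin/sh call out of the picture entirely; where a hook has to stay, the argv form (or quoting with shlex.quote before the string ever reaches a shell) is the fix, because the shell then never parses the name.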


Published: 2007-05-14

Information security awareness videos

What would happen if you gave a number of talented and motivated students an information security awareness message, and got them to spread the word.

This is exactly what the Research Channel did, together with EDUCAUSE and the National Cyber Security Alliance. They gave away cash prizes to university students that created videos on basic but important information security awareness messages. Who would be in a better position to bring the message of INFOSEC across to their fellow students?

The winners were announced last week, and can be viewed here. Enjoy!


Published: 2007-05-14

Interesting German pump-and-dump spam

If you have a European e-mail address, you may have received some interesting pump and dump spam over the last few days, related to a stock on the Frankfurt Stock Exchange. So far these messages have been mildly successful: while the stock value hasn't changed dramatically, there has been very high trade volume, indicating potential high profit from even the slightest change. It seems that after a recent SEC operation, foreign stock exchanges are now preferred.

These new pump-and-dump spam messages do not carry random text as content, but consist of copies of complete text found online. So far, content of these messages has been reported in English, German, Dutch and Esperanto. They are parts of newsgroup messages, books that are published online and even software manuals.

The actual message has always been in German and did not only appear at the top of the message, but also at the bottom. In combination with the valid and unique text (appears to be crafted for each mail separately), this makes it quite difficult to detect the messages through spam filtering.

As listed in a previous diary entry, Bafin is the German authority responsible for investigating price manipulation.


Published: 2007-05-12

BEA 10 users, May 14 may not be your day

A reader reported a BEA support link to us regarding a licensing update for the product.
The support article reports an erroneous license check which will cause the BEA server license to expire on May 14 2007.
There is a patch available.

  • boot a WebLogic Server or Portal version 10 prior to May 14, then you will get a <your license will expire...> message
  • boot it after May 14 and it will not boot
  • if booted before May 14, policy changes will fail
Only version 10 is reported to be affected.

Mark H - Shearwater


Published: 2007-05-11

Nokia Intellisync Mobile Suite

Users of the Nokia Intellisync Mobile Suite may want to check out the following CVEs:
(Thanks Juha-Matti for the info)
The issues boil down to multiple cross site scripting issues (2592), a vulnerability allowing user account modification (2591) and disclosure of user information (2590). All are reported as being remotely exploitable.

Mark H


Published: 2007-05-10

Mailbag: MS Patches / Symantec Vuln

Some readers reported 99% CPU eaten up by svchost.exe after they had applied the recent batch of MS updates. Cause and effect are not quite clear, but a common thread seems to be that MS recommend a look at KBID 927891 and some readers have also pointed us to the WSUS Blog where the same issue is mentioned.

Some of the retail user versions of Symantec AV come with an ActiveX component that can be exploited to allow remote code execution. More on Symantec's Website . According to the advisory, running the built-in "LiveUpdate" of the product should be sufficient to fix the vulnerability.


Published: 2007-05-10

Malware from dot-CN

Disclaimer: Visiting any of the URLs listed might turn the hard drive of your PC into a peanut butter sandwich or do any other evil thing that will painfully remind you that you didn't do any backups for a while. You have been warned.

Nothing happened in the particular case when a reader stumbled by accident over the evil IFRAMEs appended - most probably without the firm's knowledge - to the home page of murraysz.cn, but only because the reader's anti-virus already stopped the very first stage of the exploits. Being the malware buffs that some of us are, we of course couldn't resist pulling on that thread to see where it would lead us.

Step #1:
murraysz.cn includes malicious IFRAMES from cqcqcqcq.com  (which is currently not reachable),  user.free.77169.net and www.haogs.cn. 

Step #2:
The 77169.net site uses an old exploit to download vq.exe off the same site. The file is packed with UPX and reliably recognized as a password stealer (PWS-QQPass) by most AV software. haogs.cn only returns 76 bytes, another IFRAME that downloads more code from www.h148.cn.

Step #3:
h148.cn .. now we're talking ... opens three IFRAMES coming from qq.520sf.org: 
- 588.htm opens xjz2007.js off the same site, which in turn opens xjz2007.htm and xjz2007.bmp. Both (the latter is an ANI exploit) try to download and run 8xz.exe.
- 06014.htm tries to download and run 8xz.exe as well. This file did not have AV coverage. When run, it downloads another bunch of EXEs off the same site, again with little to nonexistent AV coverage, but identified as more password stealers of the QQPass family
- ok.htm opens an IFRAME from www.down988.cn

Step #4:
Coming from down988.cn, we have 0614.js. This file was using a Javascript encoding technique that I hadn't seen before, but of course no matter what the bad guys try to do, JavaScript is an interpreted language and no amount of obfuscation can really hide the code. I have added this JavaScript as an example to the "Decoding Javascript" series that we maintain to accompany an earlier diary entry on the subject. The exploit downloads a file "down.exe", which in turn goes and fetches another couple of hostile EXE files.

Bottom line: The exploits used are rather old and none too worrying, but if someone with a vulnerable PC surfs to any of these pages, the PC will end up completely infested with password stealing keyloggers.  And this is only the point where we stopped digging further -- each of the keyloggers has an auto-update function, and also contains one or more addresses to where the more interesting captured keystrokes are sent.  In other words: Patch early, patch often -- or use an operating system with better survival skills when visiting the haunted realms of the 'net.


Published: 2007-05-09

Many Thanks to All of our Readers/Contributors

I personally want to thank all of our readers that have contributed to today's diary and all of the diaries throughout the year.

To Scott for the information on the End of LifeCycle issues, to Kent for the great information on the Trend Micro problems, Jeff for the information on the malicious FTP, Don for the Cisco vulnerabilities, and everyone else that contacted us with their input and information. It is because of our terrific readers and their willingness to share that we Handlers at the ISC are able to bring to everyone, every day, the terrific insight that we can. Keep up the good work team.

Handler On Duty


Published: 2007-05-09

Microsoft Ends Support for Windows Server 2003 RTM/Gold

We received an email today from one of our readers (Scott) with the following information:

"It might be worth mentioning that Microsoft has ended support for Windows Server 2003 RTM/"Gold" (no Service Pack). The new patches applicable to Windows 2003 (MS07-027, -028, -029) will only install on 2003 SP1 or later. So if any readers haven't fully deployed SP1 or SP2 yet, now would certainly be a good time to do so. If that's not possible, patches might be available from Microsoft (for a fee) under the Extended Support program."

I checked with Microsoft for confirmation on this and received this information back:

The dates for W2K3 SP0 (RTM/Gold), SP1, SP2:

Product Name           Service Pack            Gen. Avail. Date   Support Retired
Windows Server 2003    Service Pack 0 (RTM)    May 28th 2003      April 10th 2007
Windows Server 2003    Service Pack 1          March 30th 2005    April 14th 2009
Windows Server 2003    Service Pack 2          March 13th 2007    Not Applicable (see note)

Note for SP2: Support ends either 12 or 24 months after the next service pack releases or at the end of the product's support lifecycle, whichever comes first. Visit the Lifecycle page to find the support timelines for your particular product.

Microsoft has some information about the Main LifeCycle at:

And the page with the various dates is here:

Thanks to Scott for calling this to our attention and to Microsoft for getting back to us with the information.


Published: 2007-05-09

Microsoft Update Problems

For our readers that have problems with Microsoft Update or with things breaking after the updates have run, please call Microsoft Product Support Services at 1-866-PCSAFETY.  Explain your problem to them. They will give you a support ID.  (There is no charge for this service if it is related to the Security Updates from Microsoft.)

Then if you would like you can contact us through our contact page, explain the problem you are seeing and give us the support ID number.  We will then use that information in our research and communications with Microsoft in regards to the problems that folks are seeing.


Published: 2007-05-09

Upgrade to Norman Virus Control version 5.90

For those that are using Norman Virus Control, you may be experiencing problems with the upgrade that happened yesterday. It is being reported that some computers are "freezing up" after the update.  It is a confirmed problem and Norman is working on it.

Check out the information from Norman at:



Published: 2007-05-09

Cisco Security Advisory: Multiple Vulnerabilities in the IOS FTP Server

Advisory ID: cisco-sa-20070509-iosftp


For those that have enabled the IOS FTP service on their Cisco devices, you may want to take a look at the advisory from Cisco. Cisco indicates that there are multiple vulnerabilities in IOS. From the Cisco advisory:

"Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information."

See the link above for the complete advisory.


Published: 2007-05-09

Ramp up on Port 5168

We received an email today from one of our readers, Kent, indicating that they had an intrusion. Investigation indicates that they have a Serv-U FTP server masquerading as javavm.exe. The program is listening on port 1999. It also is trying to connect to port 3389 (Windows Terminal Server Service).

Kent says: “The machine is off the net now, but the attacker keeps trying to connect to it, e.g. on port 1999 and port 3389. He also tries to connect to port 5168 on another machine (harmless, it turns out).”

Kent says that they are running Trend Micro Anti Virus. A quick look at DShield for current port activity reports confirms that there is something going on with port 5168.  The sources and targets have escalated rapidly in the last 3 days.


At this point nothing definitive but I suspect that it has something to do with:

Trend Micro ServerProtect EarthAgent Stack Overflow Vulnerability

Trend Micro ServerProtect AgRpcCln.dll Stack Overflow Vulnerability

Trend Micro has issued these advisories for ServerProtect v5.58. It appears that there are some vulnerable installations of Trend Micro ServerProtect out there that may be getting snagged.

We have had other reports of some snooping for the open port 5168 devices on the net. If anyone is seeing an increase in activity on either port 5168 or 3628, and you can capture some packets for us, we would appreciate it. Also, if anyone else has had this intrusion and you can identify the executable involved, we would like copies of the exe files as well. Please zip and password protect the exe files if possible. All of these can be uploaded to our malware site at:


We will keep you updated on what we find out.


Published: 2007-05-08

419 death threat scam

A relatively new scam is circulating on the Internet:

There are a number of variations on the text, but it all boils down to the following (I've chosen a short version as an example):

I wish to let you know that i have been paid by a client to assasinate you at convenience,and i have signed a contract of $650,000 yesterday for this.I have never met you before,but they gave me the full description of your identity and contact,together with your photograph which my boys have used to trace you.

The reason why they want you Dead is not disclosed to me as i was not allowed to know,but you are now not better that the dead ok.

My BOYS are now contantly watching you,they are following you-home,office,everywhere.....,you go and they are waiting for my instruction to terminate you.And they will strike at convenience.


LISTEN VERY WELL !!!!,the Police cannot do much to help you out in this right now because you are being watched,any such attempt is very risky cause you will push us to terminate your life without option. Your calls are not safe also.In fact you are traced.
I have no business with you but at least i have cleared the way as a pro-,but you may have one chance to live again if you can contact me not latter that 24 hours after this mssage.

[Spelling and Grammar enthusiasts, please abstain, the errors were in the original)

Some versions ask for more "realistic" amounts, are longer, have fewer spelling mistakes, etc.

Basically there is a drop box on some free email provider where they expect you to contact them.

The best possible advice: DO NOT MAKE CONTACT. These guys will just spam you if you do not respond; once you respond they've spotted somebody who might fall for the scam and they'll be much harder and more annoying to get rid of.
This is the classical "don't be the easiest target".

This is becoming known as a "419 death threat", use that term when reporting.

How to report:
  • the abuse contact of the drop mailbox where they try to make contact
    gmail: gmail-abuse/AT/google.com
    yahoo: abuse/AT/yahoo.com
  • If you can get them to give attention, report it as an attempted scam with the appropriate authorities for the part of the world you live in.
    In the USA, from the FBI: "If you have experienced this situation, please notify your local, state, or federal law enforcement agency immediately. Also, please notify the IC3 by filing a complaint at www.ic3.gov."

Swa Frantzen -- NET2S


Published: 2007-05-08

May 2007, Black Tuesday patch overview

Overview of the May 2007 Microsoft patches and their status. For each bulletin: what it affects (with the KB article), known exploits, Microsoft's rating, and the ISC rating(*) for clients and servers. The "Contra Indications" column of the original table was empty for every bulletin.

          Multiple vulnerabilities allow remote code execution, replaces MS07-002 (KB 934233)
          Known exploits: none known | Microsoft: Critical | ISC: clients Critical, servers Important

MS07-024  Multiple vulnerabilities allow remote code execution, replaces MS07-014 (KB 934232)
          Known exploits: actively exploited | Microsoft: Critical | ISC: clients PATCH NOW, servers Important

MS07-025  Lack of input validation in MSO.DLL allows remote code execution, replaces MS07-015 (KB 934873)
          Known exploits: none known | Microsoft: Critical | ISC: clients Critical, servers Important

MS07-026  Multiple vulnerabilities allow remote code execution, information leaks and DoS, replaces MS06-019 and MS06-029 (KB 931832)
          Known exploits: none known | Microsoft: Critical | ISC: clients Important(**), servers Critical

MS07-027  Cumulative Internet Explorer update, replaces MS07-016 (KB 931768)
          Known exploits: publicly disclosed (some) | Microsoft: Critical | ISC: clients PATCH NOW, servers Important

MS07-028  Input handling vulnerability in the handling of certificates leading to remote code execution; CAPICOM and BizTalk server (KB 931906)
          Known exploits: none known | Microsoft: Critical | ISC: clients Critical, servers Critical

MS07-029  RPC vulnerability allows remote code execution (KB 935966; see also Microsoft Security Advisory 935964)
          Known exploits: actively exploited | Microsoft: Critical | ISC: clients Important(**), servers PATCH NOW

We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
(**)Further clarification from the more generic text above: typical clients would not use DNS or exchange servers. If they are, questions as to them being used as a client should be posed.

Swa Frantzen -- NET2S


Published: 2007-05-07

More IE7 Beta spam/malware

A new wave of "Internet Explorer 7.0 Beta" spam is currently being reported. All of the messages link to an "update.exe" file, which is hosted on various URLs. The e-mail message adopts common spam methods by "hiding" the image link among chunks of text copied from web sites.

From: admin@microsoft.com
Subject: Internet Explorer 7.0 Beta

update.exe has been seen hosted on a number of URLs so far (but there are likely many more):

It doesn't look like a feasible idea to block all these sites. However, you probably should filter e-mail from 'admin@microsoft.com' (that particular "From" address has been used in the past).

update.exe itself is a downloader which will install a second stage binary upon execution.


Published: 2007-05-06

Poll Ideas - Thanks!

We received a ton of new poll ideas from Adrien's request yesterday.  Thanks, everybody.  No need to send more notes.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2007-05-05

We need a new poll




Published: 2007-05-04

New PHP releases

Fellow handler, Swa, points out that new versions of PHP 4 (4.4.7) and PHP 5 (5.2.2) have been released which address many of the issues identified during the month of PHP bugs.  You'll probably want to consider updating as soon as practical.



Published: 2007-05-04

Packet tools

There are times in my work, both here for the Internet Storm Center and at the day job, when I need to either capture, generate, or replay IP (generally IPv4, but more and more IPv6) packets.  Over the years, I've found a number of tools to assist in the process.  I just discovered a new (to me) one (scapy, it has apparently been around for a year or two, but I just started playing with it in the last week), so I figured I'd ask our readers for suggestions.  What are your favorites?  Post your suggestions to the contact page and I'll summarize next week.  No need to mention the ones listed below.

* nmap
* ethereal/wireshark
* tcpdump
* hping2
* p0f
* snort
* tcpreplay
* tcptraceroute
* ngrep


Published: 2007-05-04

Cisco PIX/ASA DHCP relay agent vulnerability

For those who didn't notice it: on Wednesday, Cisco posted a bulletin about a potential memory exhaustion (denial of service) vulnerability in PIX and ASA (but not FWSM) devices running software version 7.2 configured as DHCP relays. Updating to 7.2(2.15) fixes the issue.



Published: 2007-05-04

Pidgin 2.0 (previously gaim) released, victim of its own success?

Yesterday was the official release of pidgin 2.0 (used to be called gaim, an IM client that can speak AIM, ICQ, IRC, Yahoo! Messenger, MSN, jabber, etc.).  Today, its website (http://pidgin.im) seems to be unreachable (I was trying to figure out how to send a comment on a feature I like from gaim 2.0.0b6 that is missing in the pidgin release).  Is this a result of its success or a hosting issue or DoS?  I have no idea, I haven't heard back from anyone yet.


Published: 2007-05-03

Announcement for Upcoming Microsoft Patches

Microsoft has issued the advance warning on patches coming out next week.  Looks like security and system admins will have their work cut out for them.  We have two critical patches for Windows, two critical for Office, one critical for Exchange and one critical patch for CAPICOM and BizTalk.  Two non-security patches are scheduled for Microsoft Update (MU) and Windows Server Update Services (WSUS).

Here is a link to the announcement:


And an excerpt on the patches:

Security Updates
Two Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
Three Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
One Microsoft Security Bulletin affecting Microsoft Exchange. The highest Maximum Severity rating for these is Critical. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
One Microsoft Security Bulletin affecting CAPICOM and BizTalk. The highest Maximum Severity rating for these is Critical. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool.
Microsoft Windows Malicious Software Removal Tool
Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
Note that this tool will NOT be distributed using Software Update Services (SUS).
Non-security High Priority updates on MU, WU, WSUS and SUS
Microsoft will release 1 NON-SECURITY High-Priority Update for Windows on Windows Update (WU) and Software Update Services (SUS).
Microsoft will release 6 NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS)

Mike Poor


Published: 2007-05-03

Update on Apple fix

A number of readers wrote in to let us know that we had reported two updates for Apple, one for the Quicktime bug, and another Security Update.  When users clicked on Software Update, they only got the Quicktime patch.  The Apple website describing the security update indicates that Security Update 2007-004 v1.1 is just an updated patch to 2007-004.  If users already had that patch installed, there was no need to install the new one.  Read the official verbiage below:

"Mac OS X 10.4.9 (client) and Mac OS X Server 10.3.9 systems that have installed Security Update 2007-004 do not require Security Update 2007-004 v1.1. If the security update has not yet been installed on these systems, then they should be updated using Security Update 2007-004 v1.1."

From: http://docs.info.apple.com/article.html?artnum=305445

Mike Poor


Published: 2007-05-02

Winamp 0-day

A remote code execution vulnerability and exploit for Winamp 5.34 has been released.

The vulnerability exists within Winamp's MP4 decoding.  Successful exploitation will allow an attacker to execute arbitrary code under the context of the logged in user.

After installation, Winamp is associated with .MP4 files. However, Winamp does not open .MP4 files embedded within websites. This forces would-be attackers to deliver the .MP4 directly to the user's host. E-mail, or a website link that requires the download of the .MP4 file in order to play it, are the most likely exploit vectors.

Removal of the association of .MP4 files to Winamp will mitigate this vulnerability until a vendor supplied patch is available.



Published: 2007-05-02

APPLE-SA-2007-05-01 Security Update 2007-004 v1.1

In addition to the Quicktime patches, Apple also released APPLE-SA-2007-05-01 Security Update 2007-004 v1.1 which contains the following:

Security Update 2007-004 v1.1 includes the contents of Security Update 2007-004, plus the following fixes:


Available for: Mac OS X v10.3.9

This update corrects an issue where the AirPort connection may be lost after waking from sleep. This issue only affects Mac OS X v10.3.9 with Security Update 2007-004.


CVE-ID: CVE-2007-0745

Available for: Mac OS X Server v10.4.9

Impact: Users with ftp access may be able to navigate to directories outside the normal scope

Description: Security Update 2007-004 applied an incorrect ftp configuration file for Mac OS X Server v10.4.9 systems. Users with ftp access, who would normally be restricted to certain directories, may be able to access directories outside the normal scope. This update addresses the issue by restoring the correct version of the ftp configuration file. This issue only affects Mac OS X Server v10.4.9 with Security Update 2007-004.

Mac OS X 10.4.9 (client) and Mac OS X Server 10.3.9 systems that have installed Security Update 2007-004 do not require Security Update 2007-004 v1.1. If the security update has not yet been installed on these systems, then they should be updated using Security Update 2007-004 v1.1.

Security Update 2007-004 v1.1 may be obtained from the Software
Update pane in System Preferences, or Apple's Software Downloads web
site: http://www.apple.com/support/downloads/

For Mac OS X v10.4.9 (PowerPC) and Mac OS X Server v10.4.9 (PowerPC)
The download file is named: "SecUpd2007-004Ti.dmg"
Its SHA-1 digest is: 60319316b3eba0de37f7ea747e59decfafe1ea81

For Mac OS X v10.4.9 (Universal) and
Mac OS X Server v10.4.9 (Universal)
The download file is named: "SecUpd2007-004Univ.dmg"
Its SHA-1 digest is: fb6ec6a7d8729bd21d1431192ecb7665e9fd2b80

For Mac OS X v10.3.9
The download file is named: "SecUpd2007-004Pan.dmg"
Its SHA-1 digest is: 39b9be13a82ea546f18ff4958cfd69b0d37947e8

Original announcement http://docs.info.apple.com/article.html?artnum=61798



Published: 2007-05-02

Quicktime patches up to 7.1.6

Thanks all for writing in, we've been patching ourselves.

Quicktime's update for the vulnerability discovered at CanSecWest came out today.  Yes, this is the now-infamous Java/Quicktime/Browser vulnerability that Dino Dai Zovi discovered during the "pwn-2-own" contest, that TippingPoint bought for 10,000 dollars for their Zero-Day initiative.  This was initially covered by Deb Hale back in this diary.

Thomas Ptacek has been doing a great job covering it on the Matasano Chargen blog: http://www.matasano.com/log/
(This is one of those blogs that you should put in your RSS reader if you have one.)

Apple's writeup on this says:
  • QuickTime

    CVE-ID: CVE-2007-2175

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9, Windows XP SP2, Windows 2000 SP4

    Impact: Visiting a malicious website may lead to arbitrary code execution

    Description: An implementation issue exists in QuickTime for Java, which may allow reading or writing out of the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously-crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing additional bounds checking when creating QTPointerRef objects. Credit to Dino Dai Zovi working with TippingPoint and the Zero Day Initiative for reporting this issue.

Time to update!  12 days to put out an update for Apple.  Not too bad.
(Yes, I am an Apple Fanboy)

Joel Esler


Published: 2007-05-01

vmware 5.5.4 released

A new version of VMware Workstation has been released (5.5.4). It addresses several security vulnerabilities, including overwriting host OS files, DoS and potential stack corruption.
CVEs: 2007-1337, 2007-1877, 2007-1069, 2007-1876, and 2007-1744.
Download it here:

Review security issues addressed here:


Published: 2007-05-01

VNC 'scans' with window size of 55808

One of our readers wrote in with the following:
"Over the last couple days I've noticed a different type of 5900/TCP (VNC?) portscan/attack.
Port 5900 scans are not new, but this one is triggering a TCP Window size 55808 filter on our IPS.
The filter is patterned after:
Reference: CERT Incident http://www.cert.org/current/archive/2003/06/25/archive.html
Most of the source hosts are EDU's in the US and Taiwan."

So if you don't already have an IDS signature that looks for a TCP window size of 55808, you may wish to add one.
If you do, and you notice this traffic, I suspect it's a bot, probably sdbot, but would like confirmation.
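As an added example (not from the diary or the reader's report), this is the check such a signature performs, written as a small packet parser: it decodes raw IPv4/TCP bytes, flags segments to 5900/tcp whose advertised window is 55808, and builds constructed SYN packets (documentation-range addresses, zeroed checksums) to exercise the check offline.

```python
import struct

VNC_PORT = 5900
SUSPECT_WINDOW = 55808  # window size the reader's IPS filter keys on

def parse_ipv4_tcp(packet: bytes):
    """Return (src_ip, dst_port, window) for a raw IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 20:  # protocol 6 = TCP
        return None
    src_ip = ".".join(str(b) for b in packet[12:16])
    # TCP header: sport, dport, seq, ack, offset/flags, window, csum, urgent
    fields = struct.unpack("!HHIIHHHH", packet[ihl:ihl + 20])
    return src_ip, fields[1], fields[5]

def is_vnc_55808_probe(packet: bytes) -> bool:
    """True when a TCP segment to 5900/tcp advertises a window of 55808."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return False
    _src, dport, window = parsed
    return dport == VNC_PORT and window == SUSPECT_WINDOW

def find_probes(packets):
    """Return the source IPs of all packets matching the pattern."""
    return [parse_ipv4_tcp(p)[0] for p in packets if is_vnc_55808_probe(p)]

def build_syn(src_ip: str, dst_ip: str, dport: int, window: int) -> bytes:
    """Constructed IPv4/TCP SYN (checksums zeroed) for offline testing only."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, window, 0, 0)
    return ip_hdr + tcp_hdr

if __name__ == "__main__":
    # Constructed traffic: one suspect probe, one ordinary VNC SYN, one SSH SYN.
    sample = [
        build_syn("192.0.2.10", "198.51.100.5", 5900, 55808),
        build_syn("192.0.2.11", "198.51.100.5", 5900, 65535),
        build_syn("192.0.2.12", "198.51.100.5", 22, 55808),
    ]
    print(find_probes(sample))  # ['192.0.2.10']
```

The same two-field test (destination port plus window value) is what an IPS filter or Snort-style rule would express declaratively; the parser is only here so the check can be run against captured bytes without any capture library.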


Published: 2007-05-01

www.virustotal.com minor web outage

www.virustotal.com is suffering from a minor web outage.
They are aware of the issue and it should be resolved soon.
In the meantime the e-mail interface should still be working,
so you may want to submit new viruses to them at scan@virustotal.com.

UPDATE: www.virustotal.com is back online;
when using the e-mail submission method, remember to put "scan" in the subject line.


Published: 2007-05-01

freeftpmanager p2psharing.biz trojan site!

WARNING: do not visit this site or attempt to download freeftpmanager; you are likely to get infected.
Steve reported downloading "freeftpmanager". He submitted it to virustotal.com and it is a virus, but it is not well recognized.

Following his lead, I see that wwwDOTfreeftpmanagerDOTcom redirects to wwwDOTp2psharingDOTbiz/freeftpmanger
So what is freeftpmanager?
Only two of the virus engines at VirusTotal recognize it. The rest came back clean.
File: freeftpman.exe
SHA-1 Digest: 793bcfefaf4f2a0f36c24aa823a5bf242a6873fa
Packers: Unknown
Status: Infected or Malware

Scanner        Scanner_Version   Result                                        Scan Time
F-Secure       1.02              Trojan-Downloader.Win32.PurityScan.eg [AVP]   7.62644 secs
Sophos Sweep   4.16.0            Troj/Istbar-Fam                               12.5367 secs

p2psharingDOTbiz also hosts Shareazalite and several other suspicious looking files.
Its IP is
The abuse dept has been notified and is working on it at this time.