This is the after-lunch update, I usually like to have a morning, afternoon, and closing commentary updates, but wanted to let Lorna?s fine overview on the risks of moving and Identity Theft get a bit more eye-ball time. One should go back and read the weekend?s Diaries as a part of their Monday morning exercises.
MS05-026 exploits in the field?
The first incident of my shift involved an active exploit of MS05-026 (ED: no, Kevin, it?s actually MS05-001 as we see below.) A spam message was blasted out to potential ?customers,? including the link to the poisoned website. It leveraged the MS05-026 (MS05-001, see above) (http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx) HTML Help remote code execution (no, Security zone bypass) vulnerability to install a Haxdoor variant on the visitor (well, I got one part right.)
Update: The following AV tools detect the initial Help Control Exploit
Antivirus Version Update Result
ClamAV devel-20050501 06.20.2005 Exploit.Helpcontrol
eTrust-Iris 126.96.36.199 06.19.2005 HTML/HelpControl!Exploit!Trojan
eTrust-Vet 188.8.131.52 06.20.2005 HTML.HelpControl!exploit
Fortinet 184.108.40.206 06.20.2005 VBS/Phel.A-trM
Sybari 7.5.1314 06.20.2005 HTML/HelpControl!Exploit!Trojan
The following AV tools detect the Trojan dropped:
Antivirus Version Update Result
AntiVir 220.127.116.11 06.20.2005 BDS/Haxdoor.CW
Avira 18.104.22.168 06.20.2005 BDS/Haxdoor.CW
Fortinet 22.214.171.124 06.20.2005 W32/Haxdor.3048-tr
Kaspersky 126.96.36.199 06.20.2005 Backdoor.Win32.Haxdoor.cw
McAfee 4517 06.20.2005 BackDoor-BAC.gen.b
NOD32v2 1.1146 06.20.2005 a variant of Win32/Haxdoor
Sybari 7.5.1314 06.20.2005 Backdoor.Win32.Haxdoor.cw
Symantec 8.0 06.20.2005 Backdoor.Haxdoor.D
TheHacker 5.8.2.056 06.20.2005 Backdoor/Haxdoor.cw
VBA32 3.10.3 06.20.2005 Backdoor.Win32.Haxdoor.cw
I?d prefer to not post further details at this time to avoid false-positives or expose the readers to a real danger.
Update: If one were to do one?s job and follow-up on what Exploit.Helpcontrol really triggered on, a few minutes of effort would finally turn up a link to: http://www.microsoft.com/technet/security/bulletin/ms05-001.mspx
Ahh, such is the dangerous life of a volunteer incident handler, living on the edge of exposing your stupidity and suffering the wrath of readers. :-)
OpenRBL ist Kaput
Visitors to http:://openrbl.org are greeted with a message reporting the demise of this free service. They are reporting that one can find similar services from
Passive Reconnaissance and the Disaster Response Threat-space
While shopping for a gift for my old man last week, my attention was grabbed by Michal Zalewski?s "Silence on the Wire: a Field guide to Passive Reconnaissance and Indirect Attacks". From a simple flip through it looks like some though-provoking chapters are in there. I picked up a copy?because I can?t resist another book to put on the bookshelf.
Recently, I participated in a disaster response drill with the State and Local Governments simulating a mass casualty accident. While managing my other duties in the drill, I took the opportunity to set up some passive sensors in the response centers to see what a potential attacker could pick-up on when a massive group of first- and second-responders converge on a disaster scene.
Remember to have a nice solstice, wether it be winter or summer in your area.
Remember to send your kind comments to:
There were the expected open 802.11x WAPs, but I was pleased to not see a plethora of wide open bluetooth devices full of juicy government contact numbers. This may be simply been caused by a lack of funds by said Governments to equip their staff with spiffy new cell phones though.
Mod_jrun exploits spotted
Ben, a reader, has spotted an up-tick in exploit attempts against mod_jrun on his servers.
And as always, make sure you?ve patched Macromedia Jrun
Remember to have a nice solstice, be it winter or summer in your area!
Jun 20th 2005
1 decade ago