Email Ploy;Cisco Password Leak Source;Cisco CCO Password Reset Reply-To Spoof Concern;Patch Tuesday Preview;Windows 2000 SP4 Rollup 1 Re-Release

Email Ploy


[Brought to you by Lorna Hutcheson and Tom Liston]

We received several reports of an email circulating with links to a
news article that comes with a surprise if you follow them. DO NOT GO
TO THE FOLLOWING LINKS, or any others from this site that may be sent
to you!!!




www.jsnvowe.vbnnews.com

www.iepwls.vbnnews.com

www.jxdg.vbnnews.com

www.nevkbq.vbnnews.com




Each email seems to contain different links, but they all point to the
same site: the hostnames differ only in their random-looking subdomain,
while the parent domain (vbnnews.com) is the same in every one.




The subject of the email is "Iraq Bombinng - 140 marines killed" or
something similar. Yes, the misspellings are from the actual email,
and there are many other discrepancies and misspellings in the version
we have seen. We received several reports, but only one person sent us
the actual email to look at. The misspellings alone are a big indicator
that something is not right. If you follow the links you are taken to
a news article that has obviously been modified and pieced together.
For example, it says 140 Marines were killed, whereas the actual news
article, found by googling for it, gives 14 as the number killed. (We
are not in any way making light of the numbers or the loss, just
pointing out the discrepancy.)




Once you click on the link you are shown their news article, but you
also set off a chain of events that requires no further interaction
from the user.




First off, there is an exploit on the page that takes advantage of
MS05-001 (Vulnerability in HTML Help Could Allow Code Execution), which
is just another cross-domain scripting vulnerability. This lets the
page fetch a file called ppp.hta from their website and launch it on
your local hard drive. The HTA then creates a file called netlog.exe
and launches it, apparently using a combination of an ActiveX
FileSystemObject and a shell object. Netlog.exe then goes and gets
another file, win32sba.exe, which is a Robobot variant. Now your system
can be used for whatever malicious intent the folks who set this scheme
up had in mind.
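The drop-and-run pattern described above (a script creates an .exe through Scripting.FileSystemObject and then runs it through a shell object) is generic enough to triage statically. The following is an added example written for this diary, not the ISC's own tooling and not a reconstruction of ppp.hta: it scores script content against a handful of indicators built from the standard Windows scripting ProgIDs and only calls something a dropper when the whole write-then-execute chain is present, so a page that merely uses one of the objects is not flagged. Both HTA samples are constructed for the example; the file names in them are placeholders.

```python
import re

# Constructed sample written to resemble the chain the diary describes. This
# is NOT the real ppp.hta; the paths and variable names are placeholders.
SAMPLE_HTA = """\
<html><head><title>news</title>
<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile("C:\\netlog.exe", True)
f.Write payload
f.Close
Set sh = CreateObject("WScript.Shell")
sh.Run "C:\\netlog.exe", 0
</script></head><body></body></html>
"""

# Constructed benign control: uses script but never touches disk or a shell.
BENIGN_HTA = """\
<html><head><script language="VBScript">
MsgBox "Hello"
</script></head><body>just a dialog</body></html>
"""

# (indicator name, pattern, weight). The ProgIDs and method names are the
# standard Windows Script Host / Scripting Runtime ones; nothing here is
# keyed to a particular sample.
INDICATORS = [
    ("creates FileSystemObject",
     re.compile(r'CreateObject\(\s*"Scripting\.FileSystemObject"', re.I), 2),
    ("creates shell object",
     re.compile(r'CreateObject\(\s*"(WScript\.Shell|Shell\.Application)"', re.I), 2),
    ("writes executable",
     re.compile(r'\.(CreateTextFile|OpenTextFile)\(\s*"[^"]+\.exe"', re.I), 3),
    ("runs a program",
     re.compile(r'\.(Run|ShellExecute|Exec)\s*\(?\s*"', re.I), 3),
]

# All four together are the write-then-execute chain of a dropper.
DROPPER_CHAIN = {name for name, _, _ in INDICATORS}


def score_hta(content: str):
    """Return (verdict, matched indicator names) for a script/HTA body.

    verdict is "dropper" when the complete chain is present, "suspicious"
    when enough weight accumulates without the full chain, else "benign"."""
    hits = [(name, weight) for name, rx, weight in INDICATORS if rx.search(content)]
    names = [n for n, _ in hits]
    score = sum(w for _, w in hits)
    if DROPPER_CHAIN.issubset(names):
        verdict = "dropper"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, names


if __name__ == "__main__":
    for label, sample in (("sample", SAMPLE_HTA), ("benign", BENIGN_HTA)):
        verdict, names = score_hta(sample)
        print(f"{label}: {verdict} {names}")
```

The weights are deliberately coarse: the point is that writing a .exe and then running it, in one script, is the behaviour worth alerting on, whatever names the attacker chooses for the files.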



The moral of this story is......Don't follow the link!!!!!


[Note: The above was updated to fix an error in our analysis. Thanks to Juergen Schmidt for pointing out our mistake.]


Cisco Password Leak Source


It appears the passwords could have been leaked through the search engine.

from: http://www.cisco.com/security/

"Cisco Systems, Inc. was made aware of a vulnerability of a search tool on Cisco.com that could expose passwords for registered users."

Cisco CCO Password Reset Reply-To Spoof Concern


Testing confirmed that a spoofed Reply-To header in a message to the CCO Locksmith would be accepted.

We notified the Cisco PSIRT team and they are reviewing the spoofed
Reply-To issue.
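The risk in honouring Reply-To on a password-reset request is that the sender chooses where the reset mail goes. As an added example (not Cisco's code and not a description of how Locksmith actually works), here is a constructed reset request whose From is the legitimate user's address but whose Reply-To points at an attacker mailbox, processed first by a handler that routes the reply by header and then by one that only ever mails the address on file for the account. The account table and the addresses are placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed stand-in for the registered-user database (placeholder data).
ACCOUNTS = {"jdoe": "jdoe@example.com"}

# Constructed reset request: legitimate-looking From, attacker-controlled Reply-To.
SPOOFED_REQUEST = """\
From: jdoe@example.com
Reply-To: attacker@evil.example
To: locksmith@example.net
Subject: password reset for jdoe

please reset my password
"""


def reset_destination_vulnerable(raw_request: str) -> str:
    """Route the reset mail by Reply-To (falling back to From).

    Both headers are set by whoever sent the message, so an attacker who
    knows a username can redirect that user's reset to a mailbox they own."""
    msg = message_from_string(raw_request)
    _, addr = parseaddr(msg.get("Reply-To") or msg.get("From", ""))
    return addr


def reset_destination_hardened(raw_request: str, username: str) -> Optional[str]:
    """Ignore every sender-controlled header for routing.

    The reset is mailed only to the address registered for the account. The
    From header is checked against it as a cheap consistency test (a request
    claiming to come from someone else is refused), but it is never used as
    the destination, since From is as easy to forge as Reply-To."""
    on_file = ACCOUNTS.get(username)
    if on_file is None:
        return None
    msg = message_from_string(raw_request)
    _, claimed = parseaddr(msg.get("From", ""))
    if claimed.lower() != on_file.lower():
        return None
    return on_file


if __name__ == "__main__":
    print("vulnerable routes reset to:", reset_destination_vulnerable(SPOOFED_REQUEST))
    print("hardened routes reset to:  ", reset_destination_hardened(SPOOFED_REQUEST, "jdoe"))
```

The hardened version still cannot tell whether the request is genuine; what it guarantees is that a forged request can at worst trigger an unwanted reset mail to the real owner, never deliver it to the attacker.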

Patch Tuesday Preview


Next Patch Tuesday: 8/9/2005

6 bulletins (including one or more critical vulnerabilities)

Update to the Malicious Software Removal Tool

Important updates for the various update services




Fixes We're Hoping to See:


http://secunia.com/advisories/16210/

http://secunia.com/advisories/16071/


Windows 2000 SP4 Rollup 1 Re-Release



http://support.microsoft.com/kb/891861


"If you are affected by these issues, we suggest that you do not install Update Rollup 1 for Windows 2000 SP4 until the corresponding hotfix is available. We plan to reissue Update Rollup 1 for Windows 2000 SP4 soon. Several hotfixes will be integrated into the new version of Update Rollup 1 for Windows 2000 SP4."

Helpful Tool of the Day


eWeek is reporting on the new MS Word Redaction Tool:

http://www.eweek.com/article2/0,1759,1843858,00.asp




--------------

Robert Danford

SANS ISC Handler on Duty