Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Raw Sockets; Trend 594 Update; Mac Trojan & More SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Raw Sockets; Trend 594 Update; Mac Trojan & More

Microsoft vs. Raw Sockets, Round 2

Apparently heeding the dubious advice of infosec hysteria celebrity , Microsoft has taken another step forward in the neutering of the TCP/IP stack in Windows XP. The removal of raw sockets was one of the "features" included in Service Pack 2. Intrepid hackers soon found a way around this feature. The MS05-019 critical security patch closes this loophole. Fyodor, of
fame, has a
on the situation. Be warned - Fyodor is rabidly anti-Microsoft, so the previous link may be hilarious or infuriating, depending on your bias.

Trend Pattern 594 Update

We're continuing to receive reports from readers who have been impacted by the
, including reports of machines being rebuilt to restore functionality. An ISC reader who prefers to remain anonymous suggest the following solution*:

"If customers are using Trend OfficeScan and have Outbreak Prevention Services, they can active Outbreak mode on the server. This will lock down the firewall on the client machines and allow them to only communicate with the OfficeScan server. The reduction in network traffic being processed by the client should allow enough CPU usage to download (albeit, slowly) the update from the server. This could take several hours depending on the number of took us about 2 1/2. But, if it works it keeps you from having to touch all 100's, 1000's, or 10's of thousands of clients. Trend has a lot of 30,000+ client customers that were slammed by this and are probably still trying to recover from it. This might help them."

Trend have also posted updated information at

Hopefully this will help any readers out there who haven't already resorted to scorched-earth tactics in dealing with this unfortunate issue. If only they were running Macs, they wouldn't have to run antivirus.

Oh, wait a minute...

Macintosh Trojan "Discovered"

As a Mac aficionado (3 Powerbooks between home & work), I'm happy to report that we've finally warranted some attention from the Malware community. It's about damn time. Intrepid ISC reader Juha-Matti alerted us to Sophos' (brief)
If any readers have spotted this thing in the wild, please let us know.

Symantec Website Restructuring

We had more than one reader write in to let us know that both
and Symantec's were apparently MIA for several hours today. While things are back to normal, I'd be remiss if I didn't point our readers at Chris Mosby's . It's good to see that we're not the only ones who get flamed for site redesigns. ;)

That's all I've got for this diary, fair readers. Some of you may have noticed my semi-absence from handling recently. "Real Work" has been eating up the majority of my time of late, so I'll probably relegate the bulk of my diary writing to rambling lazy Sunday afternoon prose. Feel free to write in subjects you'd like to see researched/covered at length, since Sundays are usually devoid of pressing issues.

Until next time, I leave you with this quote from Deltron 3030:

"Upgrade your gray matter, 'cause some day it may matter."


Cory Altheide


*As a Linux user, I have been conditioned to recognize a workaround as a type of solution.
Cory Altheide

19 Posts
Apr 25th 2005

Sign Up for Free or Log In to start participating in the conversation!