SANS ISC: Update: Paypal Phish Conditioning; DNS Denial of Service Vulnerability; CA Vet Library Vulnerability; Combating Windows Malware Tutorial

<H3>Update: Paypal Phish Conditioning</H3>

Cory Altheide would like to thank the many readers who sent in their stories of experiencing activity similar to what was described in . He'd also like to request that anyone who has copies of the phishing emails sent soon after receiving an unsolicited password reset request send them in via the ISC .

<H3>DNS Denial of Service Vulnerability</H3>

Earlier today, the NISCC released an advisory that involves a problem with some implementations of DNS. The vulnerability occurs during a recursion process used to decompress compressed DNS messages; using specially crafted DNS packets, it is possible to cause vulnerable DNS servers to abnormally terminate. Later this afternoon, Cisco and Secunia both issued similar advisories which list some of the Cisco products that are vulnerable to this issue. For more information, please see the URLs below:

http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html

http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml

http://secunia.com/advisories/15472/
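
The advisory describes a decompression routine that recurses on attacker-controlled pointers. The decoder below is an added example, not code from NISCC, Cisco or any affected implementation, showing the checks a name decompressor needs so that a crafted packet cannot drive it into unbounded recursion or an infinite loop: pointers are followed iteratively, must point strictly backwards, may never revisit an offset, and are capped in number. The sample messages and the hop limit are constructed for the example; the 255-octet name limit comes from RFC 1035.

```python
from typing import Optional, Tuple

# RFC 1035 caps a name at 255 octets. The pointer-hop cap is an assumed defensive bound
# chosen for this example, not something the advisory specifies.
MAX_NAME_OCTETS = 255
MAX_POINTER_HOPS = 16


class DnsNameError(ValueError):
    """Raised for any malformed or hostile name encoding instead of recursing or crashing."""


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed domain name starting at `offset`.

    Returns (dotted name, offset of the first byte after the name in the original
    stream). Every check here corresponds to a way a crafted packet could otherwise
    send a naive recursive decompressor off the end of the buffer or into a cycle.
    """
    labels = []
    octets = 0                      # decoded length so far, including length bytes
    hops = 0
    visited = {offset}              # offsets a pointer may not send us back to
    pos = offset
    resume_at: Optional[int] = None  # caller continues here after the first pointer

    while True:
        if pos >= len(msg):
            raise DnsNameError("name runs past end of message")
        length = msg[pos]

        if length == 0:                       # root label terminates the name
            pos += 1
            break

        if length & 0xC0 == 0xC0:             # 11xxxxxx: 14-bit compression pointer
            if pos + 1 >= len(msg):
                raise DnsNameError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if resume_at is None:
                resume_at = pos + 2
            # RFC 1035 4.1.4: a pointer refers to a *prior* occurrence of a name.
            if target >= pos:
                raise DnsNameError("forward or self-referencing compression pointer")
            if target in visited:
                raise DnsNameError("compression pointer loop")
            visited.add(target)
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise DnsNameError("too many compression pointers")
            pos = target
            continue

        if length & 0xC0:                     # 01xxxxxx / 10xxxxxx are reserved
            raise DnsNameError("reserved label type")

        if pos + 1 + length > len(msg):
            raise DnsNameError("label runs past end of message")
        octets += 1 + length
        if octets + 1 > MAX_NAME_OCTETS:      # +1 for the terminating root label
            raise DnsNameError("name exceeds 255 octets")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length

    return ".".join(labels) + ".", (resume_at if resume_at is not None else pos)


def check_name(msg: bytes, offset: int) -> Optional[str]:
    """Return None if the name at `offset` decodes cleanly, otherwise the rejection reason."""
    try:
        read_name(msg, offset)
        return None
    except DnsNameError as exc:
        return str(exc)


# Constructed sample messages: a 12-byte all-zero header followed by name data.
HEADER = bytes(12)
SAMPLE_MESSAGE = (
    HEADER
    + b"\x03www\x07example\x03com\x00"   # offset 12: www.example.com.
    + b"\x04mail\xc0\x10"                # offset 29: "mail" + pointer to offset 16 ("example")
)
LOOPING_MESSAGE = HEADER + b"\x01a\xc0\x0c"   # offset 12: "a", then a pointer back to 12
SELF_POINTER_MESSAGE = HEADER + b"\xc0\x0c"   # offset 12: a pointer to itself

if __name__ == "__main__":
    print(read_name(SAMPLE_MESSAGE, 12))
    print(read_name(SAMPLE_MESSAGE, 29))
    for name, msg in (("loop", LOOPING_MESSAGE), ("self", SELF_POINTER_MESSAGE)):
        print(name, "->", check_name(msg, 12))
```

The backward-only rule is stricter than some resolvers, which also accept forward pointers; with it, each hop strictly decreases the read position, so the visited set and the hop cap are belt-and-braces rather than the only thing standing between a malformed packet and a crash.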
<H3>Computer Associates Antivirus Vet Library Vulnerability</H3>

Alex Wheeler recently released a paper detailing a flaw in the Vet library that many CA products and other OEM products use to provide antivirus scanning capabilities. According to CA, most of their products have had the ability to update for this automatically since May 3rd. Other companies that use this library should have patches forthcoming.

As this library is used in personal firewall suites like CA's eZ Armor and ZoneLab's ZoneAlarm, I am recommending that this issue be addressed quickly. (This issue conjures up some not-so-fond memories involving the criticality of the Blackice ICQ parser problem used by the Witty worm last year.)

Update (2330UTC) - One of our readers, Glenn Jarvis, noted that the versions of the CA EZ products are hard for most average consumers to compare against the list of vulnerable versions. In the list provided by CA, eZ Armor has many versions that are vulnerable. Using Regedit, Glenn was able to determine that his version was in fact 2.4.4, which was one of the vulnerable versions. However, if you attempt to look at the version numbers via the normal GUI-based routes from the tray icon, you will see module numbers like:

* EZ Firewall Version 4.5.585.000

* EZ Antivirus Version 6.2.1.1

* EZ Antivirus Engine 11.5.0.0

Most consumers are not going to have the knowledge to look for the version number in the registry, and it appears that CA does not make it any easier to determine the versions of this product. In addition, Glenn noted that it appears to be possible to download separate components for either the antivirus pieces or the firewall and miss a vulnerable library installed on the computer. I hope that CA will provide a method that their users can use to assess their risk better.

For more information, please see the URLs below:

http://www.rem0te.com/public/images/vet.pdf
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32896
http://www.frsirt.com/english/advisories/2005/0596
http://secunia.com/advisories/15470/
http://secunia.com/advisories/15479/
<H3>Combating Windows Malware Tutorial (using WinXP Pro)</H3>

Earlier today, I received a note on one of the mailing lists I monitor from someone asking for help removing a virus from a computer on his network. His antivirus software was detecting malware and cleaning much of the junk out of the \Windows\System32 directory, but periodically these files would get recreated, so he was stuck in a cycle of the antivirus software removing the files and something else putting them back.

As I work in an academic environment, I have seen this happen a lot with various botnet files and spyware. So I shared with this technician how I have gone about getting the system stable again. Before I proceed in my "tutorial", let me note one thing. THIS IS NOT THE WAY TO CLEAN A SYSTEM THAT HAS BEEN COMPROMISED. This is just a way to stabilize a system enough that you can back up user data prior to a complete reinstall or re-image. If you use this procedure as a way to "clean" a system, be aware that the process is not perfect and can be defeated. So in all cases, I believe it is best to use this as a stop-gap measure until you can do what really needs to be done. (Think of this as placing a tourniquet on a limb before transporting the victim to a hospital. This is a field procedure to stop the "bleeding" only.)

The tools I am using and many of the Spyware and Antivirus cleaners work fine in safe mode. Some will require you to be in multi-user mode. It is also recommended that you turn off System Restore. To disable System Restore go to Start Menu -> Settings -> Control Panel -> System -> System Restore tab. You can check the box to disable the restore, and uncheck it to re-enable it at the end.

First, you need to have the right tools available. I have a CD handy which has a number of tools including major patches from MS, AntiVirus software, Spyware removal tools, personal firewall software and various other useful things. (Note to self: put a list of the field kit in a future diary.) For the moment, I am going to mostly use 4 tools in this discussion. I leave it to the reader to understand how to use their specific antivirus and spyware removal tools and when to use them in the discussion. The main 4 tools I use are Autoruns, Process Explorer and TCPView from SysInternals ( http://www.sysinternals.com/ntw2k/utilities.shtml ) and BHODemon from Definitivesolutions.com ( http://www.definitivesolutions.com/bhodemon.htm ).

Second, boot the computer into safe mode. Once you are in safe mode, run Autoruns. This utility shows you all of the programs that are started from the various locations in the registry and the Start Menu. Generally these and the Services are the first things run at boot time, so I uncheck pretty much everything, with a few exceptions. The main ones I never touch are:

* Userinit Logon Application C:\Windows\system32\userinit.exe

* Windows Explorer C:\Windows\explorer.exe

* Any wireless, mouse, touchpad specific apps for your computer

* Antivirus and personal firewall apps

Third, run msconfig.exe (Start Menu -> Run -> msconfig.exe). Select the Services tab and check the box "Hide All Microsoft Services". The remaining list of services needs to be checked for any programs you do not recognize; to disable any of these, uncheck them. Many of the services will be items like antivirus, Bluetooth and wireless service apps, printer services, and any other special services needed by your company (VNC, backup server software, etc). Others may be bits of malware that look similar to a real Microsoft service and would be easy to overlook. After exiting msconfig, I typically let my system reboot again to allow those changes to take effect.

Fourth, this is an excellent time to scan the computer with any AntiVirus and Spyware cleaner tools. Some of these tools do not like running in safe mode, so test this in your lab to see which tools you choose to use in the field.

Fifth, install and run BHODemon. BHODemon will show you all of the Browser Helper Objects that Internet Explorer will load at boot time. Some applications, such as Adobe Acrobat, Spybot Search and Destroy, and most IE Toolbars, will start from here. As any real executable content can be made into a BHO, one could have an almost clean system, then launch IE and suddenly have spyware or other malware attempting to be reinstalled. Uncheck any applications that BHODemon believes are malware and/or does not recognize. The benign items are probably safe enough to leave in place.

Sixth, reboot the system back into normal mode and run TCPView and Process Explorer. These two tools let you watch the processes and the TCP/UDP connections your computer is making. If you see much activity, it may point you to applications that were missed in the first five steps, and chances are these are the items that need to be sent on to your favorite AV companies. If you would like to be nice and send them our direction via our <A HREF="http://isc.sans.org/contact.php">contact page</A>, we can also submit them to the AV companies with which we have contacts.

Last, it may be safe to re-enable System Restore at this time. Additionally, you should determine how the malware got onto the computer; this will help you know where you need to better protect your systems in the future. Most of the botnet or other malware I have seen recently has come in through either a weak password on a local account or through missing lsass/rpc patches. Perhaps your user caught the malware through a web page or IM; perhaps it came through email or a P2P application. You may be the best judge of that based on what you have found in the above steps.

Hopefully, you have been able to beat this whack-a-mole game with the malware at this point. Back up the user's data and rebuild. Make sure that all patches are applied and all local user accounts have strong passwords. And if you can make the time, educate the user in how best to protect their computer.
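Autoruns and msconfig do the second and third steps interactively. When you want the same triage to be repeatable, or want to compare the Run keys from several machines, you can export those keys with regedit and check the file offline. The script below is an added example written for this diary, not a SysInternals or Microsoft tool: it parses a regedit export, keeps only the entries the steps above say never to uncheck (plus vendor directories you fill in for your own touchpad and antivirus/firewall software), and flags the two tricks the third step warns about, a name that looks like a real Windows binary and a real name running from the wrong directory. The sample export, the vendor directories and the edit-distance threshold are constructed assumptions for the example.

```python
import re
from typing import Dict, List, NamedTuple

# Paths are lower-cased for comparison. The two allowlisted entries are the ones the diary
# says never to uncheck; the vendor directories are constructed placeholders for the touchpad
# and antivirus/firewall software on a given machine and must be adjusted per site.
WINDOWS_DIR = "c:\\windows\\"
SYSTEM32 = WINDOWS_DIR + "system32\\"
ALLOWLIST_PATHS = {SYSTEM32 + "userinit.exe", WINDOWS_DIR + "explorer.exe"}
TRUSTED_DIR_PREFIXES = (
    "c:\\program files\\synaptics\\",    # touchpad driver (constructed path)
    "c:\\program files\\example av\\",   # antivirus/firewall suite (constructed path)
)
# Real Windows XP system binaries and where each normally lives. Malware often borrows these
# names, either with a small spelling change or by running from a different directory.
KNOWN_SYSTEM_BINARIES = {
    "explorer.exe": WINDOWS_DIR,
    **{name: SYSTEM32 for name in ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                                    "services.exe", "smss.exe", "userinit.exe",
                                    "spoolsv.exe", "ctfmon.exe")},
}
LOOKALIKE_DISTANCE = 2   # assumed threshold: up to two edited characters counts as a lookalike


class AutorunEntry(NamedTuple):
    key: str
    name: str
    command: str


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(.*?)"="(.*)"$')


def parse_reg_export(text: str) -> List[AutorunEntry]:
    """Collect REG_SZ values from a regedit export; hex()/REG_EXPAND_SZ values are skipped."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and key:
            # .reg files escape backslashes and double quotes with a backslash
            command = re.sub(r"\\(.)", r"\1", value_match.group(2))
            entries.append(AutorunEntry(key, value_match.group(1), command))
    return entries


def executable_path(command: str) -> str:
    """Extract the program path from a Run value that may be quoted or carry arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)].lower()
    exe = re.match(r"(.*?\.exe)", command, re.IGNORECASE)   # unquoted paths may contain spaces
    return (exe.group(1) if exe else command.split()[0]).lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough here that no library is needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(entry: AutorunEntry) -> str:
    """Classify one autostart entry as 'keep', 'suspicious: <reason>' or 'review'."""
    path = executable_path(entry.command)
    base = path.rsplit("\\", 1)[-1]
    directory = path[: len(path) - len(base)]
    if path in ALLOWLIST_PATHS or directory.startswith(TRUSTED_DIR_PREFIXES):
        return "keep"
    expected = KNOWN_SYSTEM_BINARIES.get(base)
    if expected is not None and directory != expected:
        return f"suspicious: {base} normally lives in {expected}, found in {directory}"
    if expected is None:
        for known in KNOWN_SYSTEM_BINARIES:
            if levenshtein(base, known) <= LOOKALIKE_DISTANCE:
                return f"suspicious: {base} looks like {known}"
    return "review"   # everything else gets unchecked and looked at, as the diary advises


def triage_report(reg_text: str) -> Dict[str, str]:
    """Map each value name in the export to its triage verdict."""
    return {e.name: triage(e) for e in parse_reg_export(reg_text)}


# Constructed sample export; the value names and paths are made up for this example.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ExampleAV"="\"C:\\Program Files\\Example AV\\avtray.exe\" /quiet"
"Windows Update"="C:\\WINDOWS\\System32\\scvhost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System Service"="C:\\WINDOWS\\svchost.exe -s"
'''

if __name__ == "__main__":
    for name, verdict in triage_report(SAMPLE_EXPORT).items():
        print(f"{verdict:60} {name}")
```

Anything the script labels "review" is exactly what the second step says to do by hand: uncheck it, and only re-enable it once you know what it is.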

Note: The above is a procedure I have used many times on my campus. At some point, I plan to refine this a bit more using more concrete examples, with perhaps screen captures of some of these tools. If you have suggestions of other tools that might be useful, let us know. If there are other places that you have seen malware get automatically started, please let me know that too!

---

Scott Fendley

Handler On Duty

sfendley _AT_ isc.sans.org

May 25th 2005