
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-07-21



AIM Phishing, Windows file integrity flashback, pstools vulnerability

Published: 2004-07-21
Last Updated: 2004-07-22 11:31:53 UTC
by George Bakos (Version: 1)
AIM Phishing

Phishing is not just for e-mail anymore. A reader associated with
antiphishing.org reported a new twist on this scheme that advertises
malicious URLs via instant messaging. The same delivery method has been
used a few times in the past to distribute viruses.

This new message reads "you have been sent a picture. To view it,
Click here". In this sample, the 'From' address is four random
letters. However, a 'trusted' name could be used.

It is important to understand that most instant messaging systems use
only weak authentication schemes. Instant messaging is not a tool for
exchanging confidential information. Only a few instant messaging systems
allow for encryption and sophisticated authentication. If you need
instant messaging to communicate confidential information, use a system
which allows you to control the server and provides for encryption and
reasonable authentication. Jabber is an example of a free package.

Flashback: Windows Host Based IDS

Based on my earlier request for Windows-based file integrity checkers,
I got a number of responses recommending Osiris from Shmoo.com:
http://osiris.shmoo.com/

Sysinternals pstools vulnerability

The pstools utilities from Sysinternals do not properly disconnect from
the IPC$ and ADMIN$ shares. As a result, a local user could gain admin
privileges on a remote host if the remote host uses the tools. These
tools are frequently used when analyzing malicious code. If you are
using these tools, make sure you update to version 2.05.

http://www.sysinternals.com/ntw2k/freeware/pstools.shtml

Looking for contributors

Do you run a personal firewall on your DSL/cable modem connection? We
are looking for more small (1-16 IPs) firewall log submitters. It's not
all that hard to get started. See http://www.dshield.org/howto.php for
details. If you have a nice script to set up a Linux system to submit
logs, share it with us. We do have parsers/clients for many different
firewalls of all sizes.
----------

Johannes Ullrich (jullrich_AT_sans.org), emergency backup handler for George Bakos.