SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-01-12

Veritas 'Sploits, MS05-002 PoCs, Phishin' through the hoops, Microsoft vs. Porn

Published: 2005-01-12
Last Updated: 2005-01-13 14:21:24 UTC
by Tom Liston (Version: 1)
The truth, the whole truth, and nothin' but the truth...



If you're running Veritas Backup Exec 8.x or 9.x and you aren't patched or blocking access to port 6101/tcp, you're either 0wn3d or soon will be. On Monday, we mentioned a rise in scans for port 6101, and as of today, "universal" exploit code for the vulnerability is widely available. We are seeing indications of active (i.e. non-worm) exploitation of Backup Exec systems but have heard rumblings that a worm may be in the works.



http://isc.sans.org/diary.php?date=2004-12-16

http://isc.sans.org/diary.php?date=2005-01-10
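The two defensive actions above (notice the sweeps for 6101/tcp, and make sure nothing but your backup servers can reach it) can both be checked from perimeter logs. The following is an added example, not part of the ISC diary: it runs over a constructed, simplified iptables-style log (the `SAMPLE_LOG` lines, the `LINE_RE` format and the documentation-range addresses are all assumptions) and reports sources sweeping the Backup Exec port plus any source other than the known backup servers that reached it at all.

```python
"""Spot sweeps of, and unexpected use of, TCP/6101 (Veritas Backup Exec agent port).

Added example, not part of the ISC diary. The log lines are constructed in a
simplified iptables LOG style; adapt LINE_RE to your own firewall's format.
"""
import re
from collections import defaultdict

BACKUP_EXEC_PORT = 6101

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jan 12 10:01:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4412 DPT=6101 SYN
Jan 12 10:01:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=4413 DPT=6101 SYN
Jan 12 10:01:04 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=4414 DPT=6101 SYN
Jan 12 10:01:04 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=4415 DPT=6101 SYN
Jan 12 10:02:10 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=6101 SYN
Jan 12 10:02:15 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80 SYN
Jan 12 10:03:00 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=6101
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def tcp_hits(log_text, port=BACKUP_EXEC_PORT):
    """Map each source address to the set of destinations it contacted on port/tcp."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] == port:
            hits[rec["src"]].add(rec["dst"])
    return hits


def find_scanners(log_text, port=BACKUP_EXEC_PORT, min_targets=3):
    """Sources that touched port/tcp on at least min_targets distinct hosts look like sweeps."""
    return {src: sorted(dsts) for src, dsts in tcp_hits(log_text, port).items()
            if len(dsts) >= min_targets}


def unexpected_clients(log_text, allowed_sources, port=BACKUP_EXEC_PORT):
    """Sources other than the known backup servers that reached port/tcp at all.

    Anything listed here should have been blocked at the perimeter, and the
    destinations it reached are the first hosts to check for compromise.
    """
    return {src: sorted(dsts) for src, dsts in tcp_hits(log_text, port).items()
            if src not in allowed_sources}


if __name__ == "__main__":
    print("sweeps:", find_scanners(SAMPLE_LOG))
    print("unexpected clients:", unexpected_clients(SAMPLE_LOG, {"198.51.100.5"}))
```

The `min_targets` threshold separates a sweep from a single stray connection; on a real log, lower it once you know how few legitimate clients should ever touch that port.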





MS05-002 PoCs : 12 for $0.10



For all you s'kiddies out there, a word: if you haven't yet developed your own PoC for the MS05-002 "Cursor and Icon Format Handling Vulnerability" you've officially forfeited all of your hard-earned Hacker Cred. Turn in your pocket protector and go get a tan.



For the rest of us... the PoCs are out there. Make sure you're patched.





Wouldn't it be easier to just get a real job?



Lorna "The Army Lady" Hutcheson passed along an interesting story about the extent of "hoop jumping" a phisher went through to cover his tracks. It starts with a typical phish-bait email sent from a spam box and filled with JavaScript that pointed the unwary victim to (what we'll call) website #1. Website #1 then redirected the visitor to another website (which we'll call website #2). Website #2 then used a third-party "forms processor" website to collect the phished information and forward it, via email, to a webmail address, accessible from anywhere.



Personally, I think it would be a whole lot less stressful to learn how to say: "Do you want fries with that?"
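When you are handed a phish like the one above, the useful record is the whole hop list, not just the final page, because each hop is a separate takedown contact. The following is an added example, not code from the diary: it walks a chain hop by hop (HTTP `Location` header, `<meta refresh>`, or a JavaScript `location` assignment), refuses to loop, and collects every `<form action>` seen on the way, which is where the "forms processor" shows up. `FAKE_WEB`, `fake_fetch` and every hostname in it are constructed stand-ins for the hops described in the story; in real use `fetch` is an HTTP client that does not auto-follow redirects, so no hop is skipped.

```python
"""Walk a phishing redirect chain offline and record where the form data goes.

Added example, not part of the ISC diary. FAKE_WEB is a constructed stand-in
for the hops described above (bait link -> website #1 -> website #2 -> a
third-party form processor); in practice `fetch` would be an HTTP client that
does NOT auto-follow redirects, so that every hop is recorded.
"""
import re
from urllib.parse import urljoin

# url -> (Location header or None, response body). Every host here is constructed.
FAKE_WEB = {
    "http://bait.example/click?id=1": ("http://site1.example/login", ""),
    "http://site1.example/login": (
        None,
        '<html><script>window.location.href = "http://site2.example/secure/";</script></html>',
    ),
    "http://site2.example/secure/": (
        None,
        '<html><body><form action="http://forms-processor.example/submit.cgi" method="post">'
        '<input name="acct"><input name="pin" type="password"></form></body></html>',
    ),
}


def fake_fetch(url):
    """Stand-in for an HTTP GET without redirect following; returns (location, body)."""
    return FAKE_WEB.get(url, (None, ""))


META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.I,
)
JS_LOCATION_RE = re.compile(
    r'(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.replace\(\s*["\']([^"\']+)["\']\s*\)',
    re.I,
)
FORM_ACTION_RE = re.compile(r'<form[^>]+action=["\']?([^"\'>\s]+)', re.I)


def next_hop(url, location, body):
    """Next URL the victim's browser would load, or None if this page is a dead end."""
    if location:
        return urljoin(url, location)
    m = META_REFRESH_RE.search(body)
    if m:
        return urljoin(url, m.group(1))
    m = JS_LOCATION_RE.search(body)
    if m:
        return urljoin(url, m.group(1) or m.group(2))
    return None


def form_actions(url, body):
    """Absolute submission targets of every form on the page."""
    return [urljoin(url, action) for action in FORM_ACTION_RE.findall(body)]


def investigate(start_url, fetch=fake_fetch, max_hops=10):
    """Return the ordered hop list and every form target seen along it.

    Stops on a dead end, on a loop (a URL already visited) or after max_hops,
    so a chain that redirects to itself cannot hang the analysis.
    """
    chain, targets, url = [], [], start_url
    while url and url not in chain and len(chain) < max_hops:
        chain.append(url)
        location, body = fetch(url)
        targets.extend(form_actions(url, body))
        url = next_hop(url, location, body)
    return {"chain": chain, "form_targets": targets}


if __name__ == "__main__":
    result = investigate("http://bait.example/click?id=1")
    for i, hop in enumerate(result["chain"], 1):
        print(f"hop {i}: {hop}")
    print("form data goes to:", result["form_targets"])
```

Each entry in `chain` plus each entry in `form_targets` is a separate hosting provider or service to notify; the form processor is usually the fastest of them to act, since its operator is an innocent party.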





Meanwhile, back at the ranch...



First there was that whole gdiplus.dll thing making .jpg files hazardous, now .wmv files are hosting nasties as well. Trj/WmvDownloader.A and Trj/WmvDownloader.B are the current vectors by which Microsoft is taking all the fun out of porn*. It seems that these little buggers take advantage of the fact that .wmv files can be rigged to use the DRM features of Windows Media Player to download more than just licensing info; rather, they can use the DRM features to browse sites loaded with malware. Alternate Browser Users Beware: Windows Media Player uses a genuine IE engine to do its dirty work, so even if you use another browser, you're only as safe as the version of IE installed on your system.





*Every dang time I write a diary, someone finds something to be offended about. No doubt, this will be that "something." Please don't bother writing in to lecture me on how EEEEVIL porn is. It's a joke. Lighten up. If you keep taking life too seriously... uh... uh... you'll go blind.
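The DRM hook the paragraph above describes is a URL inside the file: the license-acquisition address lives in the ASF container header, and that is where Windows Media Player gets sent when the file claims to be protected. The following is an added example, not code from the diary or from Microsoft: it reads the ASF Header Object, extracts the license URL from the Content Encryption Object, and reports the hostnames so a mail gateway or analyst can compare them against the license servers you actually expect. It assumes the container layout from Microsoft's ASF specification (GUID-tagged objects with a 64-bit size; the Content Encryption Object holding four 32-bit-length-prefixed fields: secret data, protection type, key ID, license URL); the sample header and its URL are constructed here, and no media data is included.

```python
"""Extract the DRM license-acquisition URL from a WMV/ASF header before the file is opened.

Added example, not part of the ISC diary or any Microsoft tooling. It assumes
the ASF container layout from Microsoft's ASF specification: a Header Object
holding a list of sub-objects, each a 16-byte GUID plus a 64-bit size, with the
Content Encryption Object carrying four length-prefixed fields (secret data,
protection type, key ID, license URL). The sample header is constructed below.
"""
import struct
import uuid
from urllib.parse import urlparse

ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
ASF_EXT_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")


def is_asf(data):
    """True if the buffer starts with the ASF Header Object GUID (stored in GUID byte order)."""
    return len(data) >= 30 and data[:16] == ASF_HEADER_OBJECT.bytes_le


def _read_lp(buf, off):
    """Read one 32-bit-length-prefixed field at off; return (bytes, new_off)."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("length-prefixed field runs past the end of the object")
    return buf[off:off + n], off + n


def _cstr(b):
    """Decode a NUL-terminated ASCII field, tolerating junk bytes."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_content_encryption(body):
    """Decode a Content Encryption Object body (everything after its 24-byte header)."""
    off = 0
    _secret, off = _read_lp(body, off)
    ptype, off = _read_lp(body, off)
    key_id, off = _read_lp(body, off)
    url, off = _read_lp(body, off)
    return {"protection_type": _cstr(ptype), "key_id": _cstr(key_id), "license_url": _cstr(url)}


def drm_indicators(data):
    """Walk the ASF Header Object and return [(kind, details)] for DRM-related sub-objects."""
    if not is_asf(data):
        raise ValueError("not an ASF/WMV file")
    (header_size,) = struct.unpack_from("<Q", data, 16)
    (n_objects,) = struct.unpack_from("<I", data, 24)
    end = min(header_size, len(data))
    off, findings = 30, []  # 16 GUID + 8 size + 4 count + 2 reserved bytes
    for _ in range(n_objects):
        if off + 24 > end:
            break
        guid = data[off:off + 16]
        (size,) = struct.unpack_from("<Q", data, off + 16)
        if size < 24 or off + size > end:
            break  # malformed object size: stop rather than read outside the header
        body = data[off + 24:off + size]
        if guid == ASF_CONTENT_ENCRYPTION_OBJECT.bytes_le:
            findings.append(("content_encryption", parse_content_encryption(body)))
        elif guid == ASF_EXT_CONTENT_ENCRYPTION_OBJECT.bytes_le:
            findings.append(("extended_content_encryption", {"bytes": len(body)}))
        off += size
    return findings


def license_hosts(data):
    """Hostnames the player would be sent to for licensing; compare against your allow-list."""
    return sorted({urlparse(d["license_url"]).hostname or ""
                   for kind, d in drm_indicators(data)
                   if kind == "content_encryption" and d["license_url"]})


# --- constructed sample (no real media, no real license server) ---
def _lp(b):
    return struct.pack("<I", len(b)) + b


def _asf_object(guid, body):
    return guid.bytes_le + struct.pack("<Q", 24 + len(body)) + body


def build_sample_header(license_url):
    """Minimal constructed ASF header with a single Content Encryption Object."""
    ce = _asf_object(
        ASF_CONTENT_ENCRYPTION_OBJECT,
        _lp(b"\0" * 4) + _lp(b"DRM\0") + _lp(b"KEYID-PLACEHOLDER\0") + _lp(license_url.encode() + b"\0"),
    )
    return (ASF_HEADER_OBJECT.bytes_le + struct.pack("<Q", 30 + len(ce))
            + struct.pack("<I", 1) + b"\x01\x02" + ce)


if __name__ == "__main__":
    sample = build_sample_header("http://license.example/acquire.asp")
    print(drm_indicators(sample))
    print("license hosts:", license_hosts(sample))
```

Any `.wmv` arriving by mail or web download whose license host is not one you recognise is worth quarantining; a file that has a Content Encryption Object at all but is supposed to be a plain clip is the simpler tell.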





Someone to watch over me...



During today's SANS/ISC webcast, three of the ISC handlers (Donald Smith, Scott Fendley, and I) fielded a wide range of questions and did a bit of crystal ball gazing for the new year. The final question was "What do you think will be the big security issue for 2005?" While Donald and Scott felt that the continuing rise of the botnets would be the dominant factor, Johannes Ullrich and I were of the opinion that "device hacking" (cellphones, VoIP boxes, etc.) would be a big issue this year.



As if to prove us right, over the past several days there has been a growing interest in the exploitability of several brands of IP-based surveillance cameras. It seems that some of these have "issues" and that they're pretty easy to find with a properly formatted Google search. If you have one of these cameras, or if you know someone who does, it might be a good idea to make sure that the cameras are patched and that access to them is restricted to the greatest extent possible.



Actually that's "picture perfect" advice for anything you've got hooked to the 'net... not just cameras.



Webcast archive: http://www.sans.org/webcasts/archive.php



(Thanks to Juha-Matti for the tip)





------------------------------------------------------------------------

Handler on duty : Tom Liston ( http://www.labreatechnologies.com )