
SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center


Large Child Porn Arrest and How to Report It

Published: 2006-03-15
Last Updated: 2006-03-17 02:01:26 UTC
by Johannes Ullrich (Version: 5)
Major news media reported today about a large child porn sting operation, which resulted in 27 arrests in several countries. In this context, if you find / observe such activity, please report it in the US to the National Center for Missing and Exploited Children. Please DO NOT send us any samples or links, but report it to the National Center's Cyber Tipline (see link on their home page).

The National Center for Missing and Exploited Children is tasked by the US government to coordinate the response in such cases and will forward reports to the appropriate law enforcement entities. Let us know if you know about similar entities in other countries and I will add respective links.

Links for other countries:
Standard Disclaimer: we do not endorse these sites and are not responsible for their content.
That being said these sites have been recommended by a number of readers and we check each one out to see if it looks useful and legit.

Germany: your local "LKA" (Landeskriminalamt). For a list, see the list of addresses.
Switzerland: (for all cyber crime)
for other countries, check

(Thanks to everyone submitting links!)


March Microsoft Security Bulletins Released

Published: 2006-03-15
Last Updated: 2006-03-15 21:44:20 UTC
by Johannes Ullrich (Version: 2)
As covered in the pre-announcement, Microsoft released two bulletins today:

MS06-012: Critical Vulnerability in Microsoft Office, KB905413

This update fixes a number of different Excel vulnerabilities, and a "Malformed Routing Slip" vulnerability which affects multiple Office components.

All the vulnerabilities come down to the same issue: If you open a malformed file, an attacker could get control of the system as the user opening the file.

If you use Microsoft Office, you should apply this patch quickly.

UPDATE: 2006-03-15: PoC exploits have been released.  The patch window is closing rapidly.

MS06-011: Privilege Escalation in Windows (Important)

It may be possible for a regular user to obtain the privileges assigned to a service. A lower privileged user could change the configuration for a service in order to have it execute code or modify the system in other ways, once the service is running at the higher privilege (e.g. 'system').

This vulnerability has been disclosed for a while now. It is important to note that a "service" is not just a "server". Services typically have to run at a higher privilege level as they require access to files across multiple users, and access to system resources.
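Added example, not from the diary or from Microsoft: a small Python audit over the SDDL string that "sc.exe sdshow <service>" prints for a service, flagging allow-ACEs that hand broad low-privileged groups the rights this class of escalation depends on (change config, write DAC, write owner, generic write/all). The two sample descriptors are constructed; the right and SID abbreviations follow the standard SDDL notation for services.

```python
import re

# Rights in an SDDL ACE (the format "sc.exe sdshow <service>" prints) that let the holder
# change a service's configuration or rewrite its security descriptor, the misconfiguration
# class behind MS06-011. abbreviation -> (Win32 name, access-mask bit for hex-printed ACEs)
DANGEROUS = {
    "DC": ("SERVICE_CHANGE_CONFIG", 0x00000002),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
    "GW": ("GENERIC_WRITE", 0x40000000),
    "GA": ("GENERIC_ALL", 0x10000000),
}
# Well-known SID abbreviations for broad, low-privileged principals.
LOW_PRIV = {"AU": "Authenticated Users", "WD": "Everyone", "BU": "Users",
            "IU": "Interactive", "NO": "Network Configuration Operators"}
ACE_RE = re.compile(r"\(([^)]*)\)")

def rights_from_field(field):
    """Expand an ACE rights field into a set of two-letter right abbreviations."""
    if field.startswith("0x"):                     # sdshow sometimes prints a raw mask
        mask = int(field, 16)
        return {abbr for abbr, (_, bit) in DANGEROUS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def parse_dacl(sddl):
    """Yield (ace_type, rights, sid) for each ACE in the D: section of an SDDL string."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]                  # drop the SACL if present
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) >= 6:
            yield fields[0], rights_from_field(fields[2]), fields[5]

def weak_aces(sddl):
    """Allow-ACEs that grant a config- or ACL-changing right to a low-privileged SID."""
    findings = []
    for ace_type, rights, sid in parse_dacl(sddl):
        if ace_type == "A" and sid in LOW_PRIV:
            bad = sorted(rights & set(DANGEROUS))
            if bad:
                findings.append((LOW_PRIV[sid], [DANGEROUS[r][0] for r in bad]))
    return findings

# Constructed sample descriptors, not taken from any real host. The second grants
# SERVICE_CHANGE_CONFIG (DC) to Authenticated Users and WRITE_DAC to Interactive users,
# so any logged-on user could repoint the service binary or widen the ACL further.
SAFE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;0x40000;;;IU)")
```

Running weak_aces over the descriptor of every installed service gives a quick inventory of which ones a non-administrator could reconfigure, which is the check a patch like MS06-011 is meant to make unnecessary.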


Request for Data

Published: 2006-03-15
Last Updated: 2006-03-15 18:47:49 UTC
by John Bambenek (Version: 1)
I am currently working on some research and would like to put out a request for data.  What I need is that given a list of signatures relating to keyloggers and associated malware, the number of unique IPs in an environment that has triggered them (with some additional info).  When I publish my findings, I will not identify organizations or the data, but report in the aggregate with all the participants I get (I won't say, for instance, Acme Inc has X infection rate, I'm interested in establishing a general trend).  For this, I'm looking for environments in the United States only (no offense to non-US readers, but it's US trending only). If you are interested in helping me or have additional questions, please contact me at bambenek -at- gmail -dot- com.

Unspecified Vulnerabilities in Flash

Published: 2006-03-15
Last Updated: 2006-03-15 15:04:30 UTC
by Erik Fichtner (Version: 1)
A number of readers have written in to warn us about a recent notification from Adobe/Macromedia regarding an unspecified number of vulnerabilities of some nature within pretty much every Flash execution engine you've heard of, on all the platforms that support Flash; e.g., Windows and Macintosh running:

Macromedia Breeze 4.x
Macromedia Breeze 5.x
Macromedia Breeze Meeting Add-In
Macromedia Flash 8.x
Macromedia Flash MX 2004
Macromedia Flash MX Professional 2004
Macromedia Flash Player 7.x
Macromedia Flash Player 8.x
Macromedia Flex 1.x
Shockwave Player 10.x

There are several other sources of "information" about this issue:
Secunia's Writeup, Microsoft's Writeup, and Macromedia's Writeup.

So, we know that it appears as if the arbitrary code you're running inside a Flash file has the potential to escape the Flash engine and obtain access to the host system. We know that updated versions of Flash are available.
Microsoft's writeup also contains instructions on preventing the Flash ActiveX control from executing. Firefox users could probably get away with using AdBlock to block "*.swf" files, although the malware need not end in ".swf".

We don't know much else. We don't know how it works. We don't know who's seen it, if anyone has.
