Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-04-16



Easter Eggs FUN to find in your yard, BAD to find in your software.

Published: 2006-04-16
Last Updated: 2006-04-17 16:51:03 UTC
by donald smith (Version: 1)
Over the years, lots of software has had hidden Easter eggs in it.

An easter egg is an undocumented feature or object.
Definition:
http://en.wikipedia.org/wiki/Easter_egg_(virtual)

Article on finding Easter Eggs in software.
http://www.pcworld.com/howto/article/0,aid,109378,00.asp

Potential issues with any hidden code or resources include:
lack of functional testing,
waste of space,
wasted software design and coding effort,
too much freedom for the code authors,
inadequate control of quality,
backdoors (Easter eggs have included backdoors),
the implication that no systematic code review was performed,
binary patching issues.


Many software manufacturers have had Easter eggs discovered in their production products. Microsoft has had some pretty interesting Easter eggs in the past. My personal favorite was the flight simulator hidden in Excel 97.
From: http://www.eggheaven2000.com/detailed/17.html
"How it Works:
1: Open a new Worksheet and Press F5.
2: Type "X97:L97" and press Enter.
3: Press the Tab key, Hold down Ctrl & Shift and left click the Chart Wizard toolbar icon.
4: Use the mouse to move around - Left button reverse thrust, Right button forward thrust.
5: Look around carefully to find the Shrine with the programmers messages and the Blue Lagoon ! "

Microsoft came out with a stronger policy on Easter eggs sometime around 2k stating "No hidden features" or "you're fired". http://www.themicrosoftblog.com/16-easter-eggs-in-microsoft-products-youre-fired/

A really good discussion about the Microsoft anti-Easter egg policy can be found here.
http://blogs.msdn.com/larryosterman/archive/2005/10/21/483608.aspx

A driving game was in the first release of Excel 2000 but was pulled in SP1 and 2.
Based on the types of Easter eggs being reported in recent Microsoft products, I believe Microsoft still allows the software engineers to put in credits but that portion can no longer include active code such as games. I hope that the credit code is now part of the standard code review process.

Several handlers contributed to this, including Swa and Daniel. Thanks!


The chocolate / attack correlation

Published: 2006-04-16
Last Updated: 2006-04-16 21:31:40 UTC
by Daniel Wesemann (Version: 1)
A handler shift on Easter Sunday apparently has (at least :-) two drawbacks. One, inbound reports are considerably thinner than usual. Two, abuse contacts at large ISPs and web hosters seem to be out on an egg hunt or choco bunny meltdown contest or something - provider response to abuse reports and follow-up on reported bot-net controllers has been glacially slow today. Good thing that the major two holiday weekends where IT staff is apparently away from the console are the same public holidays on which the h4x0r kiddies get distracted by sweets or presents...



Horde exploit downloading Perl/Shellbot

Published: 2006-04-16
Last Updated: 2006-04-16 12:55:16 UTC
by Daniel Wesemann (Version: 1)
As already mentioned in Friday's diary, exploits for the Horde App Framework vulnerability are making the rounds. The exploit downloads and installs two variants of Perl/Shellbot which connect back to IRC servers in Germany and the U.S. over tcp/4444. A Nessus Plugin is available to check for the Horde vulnerability.
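
One way to hunt for the connect-back described above, as an added example that is not part of the original diary: it scans a connection log for internal hosts opening outbound TCP sessions to port 4444 and marks those that also accept web traffic from outside. The log format, the 10.0.0.0/8 internal range and every address below are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample connection log (not real traffic). Assumed format:
# epoch src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
1145188000 198.51.100.7 51234 10.0.0.20 80 tcp
1145188002 10.0.0.20 40112 203.0.113.50 4444 tcp
1145188010 10.0.0.31 40500 203.0.113.9 443 tcp
1145188062 10.0.0.20 40113 203.0.113.50 4444 tcp
1145188070 10.0.0.31 41000 192.0.2.77 4444 tcp
1145188075 10.0.0.20 40114 10.0.0.5 4444 tcp
malformed line here
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
CONNECT_BACK_PORT = 4444                       # port named in the diary
WEB_PORTS = {80, 443}

def parse(line):
    """Return (ts, src, dst, dport, proto) or None for an unparsable line."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        return (int(parts[0]), ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[3]), int(parts[4]), parts[5].lower())
    except ValueError:
        return None

def find_suspects(log_text):
    """Map each internal host with outbound tcp/4444 to its connections."""
    web_servers = set()            # internal hosts reached from outside on web ports
    outbound = defaultdict(list)   # internal host -> [(ts, external peer)]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[4] != "tcp":
            continue
        ts, src, dst, dport, _ = rec
        if dst in INTERNAL and src not in INTERNAL and dport in WEB_PORTS:
            web_servers.add(dst)
        elif src in INTERNAL and dst not in INTERNAL and dport == CONNECT_BACK_PORT:
            outbound[src].append((ts, str(dst)))
    # A web server that initiates tcp/4444 outbound is the pattern to triage first.
    return {str(h): {"web_server": h in web_servers, "connections": c}
            for h, c in outbound.items()}

if __name__ == "__main__":
    for host, info in find_suspects(SAMPLE_LOG).items():
        print(host, info)
```
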


Patch Tuesday Fallout

Published: 2006-04-16
Last Updated: 2006-04-16 00:56:49 UTC
by Johannes Ullrich (Version: 1)
Microsoft published a knowledge base article about issues with MS06-015. The two main culprits appear to be HP's "Share-to-Web" software and Kerio Personal Firewall.

In order to implement the MS06-015 fix, Microsoft created a special binary (VERCLSID.EXE) which will validate extensions before the Windows shell or Explorer is able to instantiate them. If VERCLSID.EXE fails to run, many functions are disrupted (e.g. opening files in applications using the 'File'->'Open' menu).

More stories about patch MS06-013 can be found in a recent InfoWorld article. This patch was expected to cause issues due to the changes in ActiveX functionality. Again, see the respective Microsoft statement. Let us know if you experience any issues. So far, everything appears to center around 'Siebel 7'. Given the lack of outcries so far, I don't expect a lot of problems with other applications.

(Thanks to Susan and Juha-Matti for their contributions!)