SANS ISC: InfoSec Handlers Diary Blog

Blocking .exe attachments

Published: 2007-01-31
Last Updated: 2007-02-01 14:23:13 UTC
by Johannes Ullrich (Version: 3)
"Storm Worm" and a recent rash of simple .exe attachments showed how easy it still is to trick users into clicking on executables that arrive via e-mail. On the other hand: why do users still receive attachments which they are not supposed to click on? In this diary, we are trying to summarize some simple recipes to block attachments with given extensions for different mail transport agents (MTAs). Feel free to submit your own. We will keep adding and amending. The start is from a quick Google search and consulting with our handlers. Also, we should mention that for some of us, this sort of default allow stance (allow anything not explicitly denied) grates a little. We'd prefer to explicitly whitelist those attachments that must be allowed for business purposes and deny everything else, but for the rest of this story, we'll assume the default allow stance most of us have inherited.

MailEnable:

see: http://www.mailenable.com/kb/Content/Article.asp (Thanks Jon!)

Exchange:

TechNet has an article with details for Exchange 2007.

Exim:

In the ACL named by "acl_smtp_mime" (Exim runs it once per MIME part, which is when $mime_filename is set) add:

# File extension filtering.
deny message   = Blacklisted file extension detected
     condition = ${if match \
                    {${lc:$mime_filename}} \
                    {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
                    {1}{0}}

(Thanks Greg!)
Postfix:


Postfix uses 'mime_header_checks' to apply regular expressions to the headers of each MIME part (for example, mime_header_checks = pcre:/etc/postfix/mime_header_checks in main.cf). You can use the following expression to filter attachments based on extension; in the table file the continuation lines must start with whitespace, and the /x flag lets the pattern span two lines:

/^Content-(Disposition|Type).*name\s*=\s*"?(.*\.(
  bat|exe|scr))(\?=)?"?\s*(;|$)/x
    REJECT 598 Attachment name "$2" may not end with ".$3"

(This example filters .bat, .exe and .scr; see the references below for a list of other extensions you might want to consider blocking.)

Procmail:


The procmail recipe uses the same regular expression as Postfix, adapted to procmail's regex syntax (it has no \s, so explicit spaces are used) and applied to the body, where the headers of the attachment parts actually live:

# The B flag makes the condition search the message body; by default procmail
# only looks at the top-level header, which never carries an attachment name.
:0 B
* ^Content-(Disposition|Type).*name *= *"?(.*\.(bat|exe|scr))(\?=)?"? *(;|$)
/dev/null


Amavisd-new:
Amavisd-new can be configured to block based on filename by setting up the following in amavisd.conf (note that amavisd-new can also do more accurate checking based on examining the file 'magic' values, as shown in the second regex below, so simply renaming a .zip to .piz, for example, won't allow the attachment through):

$banned_filename_re = new_RE(
   qr'.\.(bat|exe|scr)$'i,
   qr'^\.(exe|zip|lha|tnef)$'i,    # banned file(1) types
);


Sendmail:

The preferred method to block these in sendmail (8.12.x and later) is with a milter. One of the most popular is MIMEDefang (http://www.mimedefang.org), which includes a default filter that blocks these and a number of other "bad" file types.
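As an added example (not from the diary and not from any of the MTAs above), the following Python walks the MIME parts of a constructed message and applies the two policies the diary contrasts, the extension deny-list and the stricter allow-list, plus a small file-signature check in the spirit of amavisd-new's file(1) types. The ALLOWED_EXT set and the MAGIC table are assumptions for the demonstration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extension deny-list taken from the diary's Postfix/procmail and Exim examples.
BLOCKED_EXT_RE = re.compile(r"\.(bat|exe|scr|pif|lnk|com)$", re.I)
# Allow-list alternative the diary prefers; the set itself is an assumption.
ALLOWED_EXT = {"pdf", "txt", "jpg", "png"}
# Constructed subset of file(1)-style signatures, like amavisd's banned file types.
MAGIC = {b"MZ": "exe", b"PK\x03\x04": "zip"}


def attachment_findings(raw, mode="deny"):
    """Walk the MIME parts of a raw message; return (filename, reason) for each
    part the chosen policy ("deny" or "allow") rejects."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # already decoded, so RFC 2047 "?=" never reaches us
        if part.is_multipart() or not name:
            continue
        if mode == "deny" and BLOCKED_EXT_RE.search(name):
            findings.append((name, "blocked extension"))
            continue
        if mode == "allow" and name.rsplit(".", 1)[-1].lower() not in ALLOWED_EXT:
            findings.append((name, "extension not on allow-list"))
            continue
        # Name passed the extension policy: check that the content agrees with it,
        # so renaming invoice.exe to invoice.txt (or .zip to .piz) does not get through.
        payload = part.get_payload(decode=True) or b""
        for magic, kind in MAGIC.items():
            if payload.startswith(magic) and not name.lower().endswith("." + kind):
                findings.append((name, "content is %s but name says otherwise" % kind))
    return findings


def build_sample():
    """Constructed sample message (not a real capture): one clean, two bad attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(b"PK\x03\x04...", maintype="application", subtype="octet-stream", filename="archive.piz")
    return msg.as_bytes()


if __name__ == "__main__":
    for mode in ("deny", "allow"):
        print(mode, attachment_findings(build_sample(), mode))
```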

References:


http://support.microsoft.com/kb/883260/ - describes the XP SP2 Attachment Manager and lists dangerous file types

Solaris 10 ICMP induced panic

Published: 2007-01-31
Last Updated: 2007-01-31 22:52:57 UTC
by Swa Frantzen (Version: 1)
For those of you who remember the Ping of Death issues, there's a recent twist to the story.

Sun has released patches for Solaris 10. They fix an issue where a single ICMP packet could panic a host. Sun has not published details of the ICMP packet required to trigger it.

--
Swa Frantzen -- net2s.com

Older Microsoft word unpatched vulnerability used as vector in targeted attacks

Published: 2007-01-31
Last Updated: 2007-01-31 22:10:11 UTC
by Swa Frantzen (Version: 3)
Symantec reported on what was initially thought to be yet another unpatched vulnerability being exploited by the bad guys out there. We have confirmation that it is in fact one of the older, still unpatched, vulnerabilities, CVE-2006-6456, that is being exploited in targeted attacks.

Even though it appears there might be little gain in once again trying to convince people not to e-mail Office documents, not to open them, etc., some renewed attention might be required.
If actively exploited unpatched vulnerabilities are the risk level you need before being allowed to act and start to filter, you might have your "go" at this point. The oldest of the 4 vulnerabilities has been publicly known since December 5th, 2006. This latest wave of attacks is exploiting a vulnerability that has been publicly known since December 10th, 2006.

Let's hope at least some of them get patched in February's Black Tuesday patches.
With thanks to Juha-Matti, Ryan, and others helping out on this issue as it developed.

--
Swa Frantzen -- net2s.com

Daylight Saving Change for 2007

Published: 2007-01-31
Last Updated: 2007-01-31 20:15:05 UTC
by Deborah Hale (Version: 3)
First of all I have to ask... How many people know about the upcoming change to Daylight Saving Time this year?  How many are aware that it starts earlier this year and ends later?  It is amazing to me that when you start talking about this subject a lot of folks say change... what change? 

For those of you that don't know, there is a change in the start and end dates for Daylight Saving Time this year. It will start on Sunday, March 11th, 2007 at 2:00am and will end on Sunday, November 4th, 2007. So for 2007 DST starts 3 weeks earlier, on the second Sunday of March, and ends a week later, on the first Sunday of November. This change was made as an attempt to reduce energy consumption.

So what needs to happen this year to facilitate the change in DST, and what will the impact be?

Yesterday it suddenly dawned on me that this change was about 5 weeks away. I started doing some research on how it will affect my company and what we would need to do to our PCs, servers and equipment. Let's just say, I should have thought of this earlier. (But I am still one step ahead of those of you that don't realize the change is set to happen.)

Here is what I found out.

First of all, things like VCRs, DVDs and DVRs may have some problems. They won't realize that the time change takes place 3 weeks earlier, so the show that you thought you were recording may not record at all. (Now in the case of 24 that would be devastating to me. If I miss 24, I may go into meltdown. ... Only kidding.)

Now what about cell phones, PDAs, fax machines, time clocks, switches, routers, NTP appliances and PBXs? How many of them have the code embedded to change to DST on the first Sunday of April and the last Sunday in October? This is just the tip of the iceberg. Each company will have to look at the impact that this change will have on it.

According to Microsoft these are their products that will be affected by the change.

Microsoft products affected by the DST legislation
Windows Client
Windows Server
Windows Mobile
Microsoft Windows SharePoint Services
Microsoft Exchange Server
Microsoft Office Outlook
Microsoft Dynamics CRM
Microsoft BizTalk Server
Microsoft SQL Server Notification Services
Microsoft Entourage

Now for the OS's and how they are going to handle it.

Windows 2000 Server and Professional

The news is not good for those of us still forced to run Windows 2000, either server or workstation.  Windows 2000 is going to require a manual process be done to update the timezone database and the registry keys for the current control set.  I downloaded and watched the webcast on the steps to do the process and the information contained in the webcast was very helpful.

To view the webcast go to:
www118.livemeeting.com/cc/msevents/view

For those of you that don't want to take the time to view the webcast, you will need to look at the information in the Microsoft Knowledge Base articles number KB914387 and KB928388.  The first article is the step by step procedure for making the change to your timezone database and the registry settings.  The second is a Time Zone Editor tool that will help you if you just want to change the timezone that you or the computer is located in.  (This is not recommended, especially for laptops that travel.)

It looks like the entire process may take between 15 minutes and a half hour to complete.  I haven't had a chance to follow the procedure yet so can't give you a definite time. 

Windows 95/98/ME/NT Server and Workstation

For those of you still using Windows 95, 98, ME, NT 4 server or workstation, it is time to upgrade.  Of course upgrading may mean buying a new computer.  Sorry about that but that is the price of progress.  Technology continues to change and we just have to change with it.

Windows XP (SP1) and XP Home Edition (SP1)

Here is the information/clarification on these two items.  Installing service pack 2 appears to be the answer.  Then you fall into the patch available category.  When Microsoft talks about XP SP2 it includes Home and Professional.

Windows XP (SP2), XP Home Edition (SP2)  and Windows 2003

There is a patch available on the Microsoft download site, and it will be in the update cycle sometime in early March.

Windows Vista

No updates are needed. It is shipping with the new Timezone Database installed.

Users of Microsoft Exchange, Outlook, BizTalk Server, SQL Server or any of the other items listed in the table above would be advised to check the Microsoft article about what the requirements for them will be.

www.microsoft.com/windows/timezone/dst2007.mspx


It looks like Red Hat has released patches for their OSs, as well as IBM, Novell, Sun, Cisco, Fortinet, Apple, and the list goes on. For more info and additional resources check out:

www.edgeblog.net/2007/daylight-saving-time-the-year-2007-problem/

Applications like Oracle, MySQL, Java also have issues that need to be addressed.  The information for these can be found at the above website.

Now for those of you that say... Ok this is it. I do it now and I am done with it.  Well, maybe not.  Take a look at the information provided at:

webexhibits.org/daylightsaving/b.html

Specifically the paragraph that states, "The Secretary of Energy will report the impact of this change to Congress. Congress retains the right to resume the 2005 Daylight Saving Time schedule once the Department of Energy study is complete." 

I think what that means is that this is a test year. If they don't like it they can change it back.  Ok so then does that mean that next year we have to do the whole thing over and reverse what we did this year??? 


Note from Jeremy (one of our readers):

An important note for the Daylight Saving Time changes for this year: a lot of software needs updates, not just operating systems. Anything that uses its own prepackaged JVM needs updates, most software that calculates dates (many will read the system time/date, but use internal code for calculating dates after that).

The best bet is to list out any 3rd party software and double check with the vendors. We've got piles of software that needs to be updated on top of the OS patches. And to make matters worse, not all vendors have released patches for their software yet.

Great idea, so I thought I would include it in the diary.


We are getting a lot of questions about the DST change and whether it impacts anyone outside of the US.  I am not aware of other countries that are changing their start and end dates. There are more than 70 countries that observe DST in one form or another.  We recommend that you check with your local government to determine if any change will be taking place in your country or area. 


VIVO Lure Spreading Crimeware

Published: 2007-01-31
Last Updated: 2007-01-31 18:35:24 UTC
by Deborah Hale (Version: 3)
Websense Security Labs reports that they have discovered another information-stealing malicious code attack that appears to be a coordinated effort of the Russian and Brazilian bad boys. The program is spreading via e-mail, by recipients clicking on a link included in the message. The page attempts to infect the PC by downloading and running a program called stylecss.exe. (If your computer is properly patched the program will not run.) Once installed, the program is designed to steal banking information from banking websites.

For more information see the write-up at:

www.websense.com/securitylabs/alerts/alert.php


The company name involved is actually VIVO and the diary has been changed to reflect that fact.  Thanks to one of our readers, Lou, for the great catch.
