SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-02-09

Security Guard Script e-mail scam

Published: 2007-02-09
Last Updated: 2007-02-09 22:40:01 UTC
by John Bambenek (Version: 1)
There is a spam run making the rounds that is targeting customers of ISPs. The template of the e-mail is included below; the attackers are using some method to name the victim's actual ISP in the message. In short, it is trying to get you to upload scripts to your web server and run them. Reverse engineering is still ongoing, but the attachment is obfuscated PHP or ASP code that runs once you visit that page.

So far, I've seen that it sends an e-mail to firstbts@gmail.com and tries to get a 0-byte file from 66.246.240.45. I'm creating a VMware image to continue reverse engineering, but these e-mails are scams of the typical social engineering variety. It seems most anti-virus products pick this up already.

== START EMAIL ==

Dear <<insert ISP name here>> valued members

Regarding our new security regulations, as a part of our yearly maintenance we have provided a security guard script in the attachment.

So, to secure your websites, please use the attached file and (for UNIX/Linux Based servers) upload the file "guard.php" in: "./public_html" or (for Windows Based servers which use ASP) upload the file "guard.asp" in: "./wwwroot" in your site.

If you do not know how to use it, you can use the following instruction:

For Unix/Linux based websites that use PHP/CGI/PERL:
1) Download the attachment named "guard.zip"
2) Extract file "guard.php"
3) Login to your site Control panel.
4) Open "File Manager" window.
5) Go through "Public_html" or "htdocs"
6) Choose "Upload Files"
7) Upload the file "guard.php"
8) Check its URL too "http://www.yoursite.com/guard.php", if it is ok

For Windows based websites that use ASP:
1) Download the attachment named "guard.zip"
2) Extract file "guard.asp"
3) Login to your site Control panel.
4) Open "File Manager" window.
5) Go through "wwwroot" directory
6) Choose "Upload Files"
7) Upload the file "guard.asp"
8) Check its URL too "http://www.yoursite.com/guard.asp", if it is ok

Thank you for using our services and products. We look forward to providing you with a unique and high quality service.

Best Regards
<<insert ISP name here>>

== END EMAIL ==
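For administrators who want to check whether a customer followed the instructions above, the following is an added example (not code from this diary) that hunts for the payload from two angles: it walks a document root for scripts named `guard.php`/`guard.asp` or containing the indicators the diary reports (the address `firstbts@gmail.com` and the host `66.246.240.45`), and it scans common-log-format web access logs for requests to those file names, since the e-mail tells victims to "check its URL" once uploaded. The decode-and-eval function heuristics and the sample log lines are constructed for illustration and are not taken from the diary.

```python
"""Hunt for the "security guard script" payload described above.

Added example; this is not code from the ISC diary. The indicators it keys on
(the file names guard.php / guard.asp, the address firstbts@gmail.com and the
host 66.246.240.45) are the ones the diary reports; the function-name
heuristics and the sample log lines are constructed for illustration.
"""
import re
from pathlib import Path

# Indicators from the diary entry.
SUSPECT_NAMES = {"guard.php", "guard.asp"}
IOC_STRINGS = ("firstbts@gmail.com", "66.246.240.45")
WEB_SCRIPT_SUFFIXES = {".php", ".php3", ".phtml", ".asp"}

# Constructs typical of obfuscated droppers (decode-then-eval, outbound mail or
# sockets).  Assumption: generic heuristics, not something the diary enumerates.
OBFUSCATION_RE = re.compile(
    rb"(base64_decode|gzinflate|str_rot13|eval\s*\(|mail\s*\(|fsockopen|Execute\s*\()",
    re.IGNORECASE,
)


def classify_source(name: str, data: bytes) -> list:
    """Return the reasons a script file looks like the scam payload (empty if clean)."""
    reasons = []
    if name.lower() in SUSPECT_NAMES:
        reasons.append("suspect filename")
    for ioc in IOC_STRINGS:
        if ioc.encode() in data:
            reasons.append("contains IoC " + ioc)
    hits = sorted({m.group(1).decode().lower() for m in OBFUSCATION_RE.finditer(data)})
    # One of these functions alone is normal; two or more in one file is worth a look.
    if len(hits) >= 2:
        reasons.append("dropper/obfuscation functions: " + ", ".join(hits))
    return reasons


def scan_webroot(root: Path) -> dict:
    """Walk a document root (public_html / wwwroot) and report suspicious scripts."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_SCRIPT_SUFFIXES:
            reasons = classify_source(path.name, path.read_bytes())
            if reasons:
                findings[str(path.relative_to(root))] = reasons
    return findings


# The e-mail tells victims to "check its URL" after uploading, so a request for
# /guard.php or /guard.asp in the access log is a strong sign someone followed it.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')


def find_payload_requests(log_lines) -> list:
    """Return common-log-format requests whose target is one of the suspect files."""
    hits = []
    for line in log_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, when, method, target, status = m.groups()
        basename = target.split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if basename in SUSPECT_NAMES:
            hits.append({"client": client, "time": when, "method": method,
                         "path": target, "status": int(status)})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Feb/2007:13:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [09/Feb/2007:13:05:42 +0000] "GET /guard.php HTTP/1.1" 200 217',
    '198.51.100.9 - - [09/Feb/2007:13:06:01 +0000] "GET /images/logo.gif HTTP/1.1" 304 0',
    '203.0.113.7 - - [09/Feb/2007:13:07:19 +0000] "GET /guard.asp?x=1 HTTP/1.0" 404 312',
]

if __name__ == "__main__":
    import sys
    for hit in find_payload_requests(SAMPLE_LOG):
        print("payload requested:", hit)
    if len(sys.argv) > 1:  # optional: scan a real document root given on the command line
        for rel, why in scan_webroot(Path(sys.argv[1])).items():
            print(rel, "->", "; ".join(why))
```

A 404 for `/guard.php` is still worth following up: it usually means the upload failed or the file has since been removed, and the client address tells you which customer received and acted on the message.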

--
John Bambenek, bambenek/at/gmail/dot/com
University of Illinois

A Case of Identity Theft

Published: 2007-02-09
Last Updated: 2007-02-09 22:37:30 UTC
by John Bambenek (Version: 1)
ISC reader Aaron sent along a story in the News Tribune in Tacoma, WA. In short, it's the case of a serial identity thief who never got arrested but stole money from someone who is friends with a reporter. (Don't mess with journalists or their friends, oops. :) It's a pretty good read and a decent case study on ID theft and on the limitations in actually bringing these people to justice.

In this case, the identity theft took place because the individual involved had physical access to the victim's mail (it was a roommate). Right now, most identity theft takes place using non-technological means (e.g. dumpster diving). However, I still posit that electronic ID theft is not only dangerous, it is more dangerous. It takes time and effort to steal someone's identity in person. Online, with the right piece of malware and a good infection vector, you can steal thousands of identities in seconds. The only protection provided to consumers (at least in the United States) that I have been able to discern is that the existing fraud models limit the amount of money stolen by a particular attacker. Of course, risk management models allow companies to predict the amount of loss due to ID theft and pass it back down to the consumer in the form of increased prices. One day, someone will be smart enough to figure out how to bypass the fraud models.

It doesn't help that in the United States we have a weak national ID that is easy to steal (we call it a Social Security Number). Getting that number makes everything else easy. It certainly doesn't help that organizations like the US Department of Education use SSNs for authentication, making it easy for keyloggers to steal them. SSNs as authentication are stupid... once you know the 9-digit number the game is over. Keyloggers and other malware have successfully compromised (which is different from actually stealing all the money) about $55 billion in US assets alone (an increase from my earlier estimate).

In short, protect your identity as best you can, from both physical and electronic theft.

--
John Bambenek, bambenek/at/gmail/dot/com
University of Illinois

PHP 5.2.1 released

Published: 2007-02-09
Last Updated: 2007-02-09 14:07:36 UTC
by Swa Frantzen (Version: 2)
PHP.net released version 5.2.1, which contains a number of security fixes:
"The majority of the security vulnerabilities discovered and resolved can in most cases be only abused by local users and cannot be triggered remotely. However, some of the above issues can be triggered remotely in certain situations, or exploited by malicious local users on shared hosting setups utilizing PHP as an Apache module. Therefore, we strongly advise all users of PHP, regardless of the version to upgrade to 5.2.1 release as soon as possible. PHP 4.4.5 with equivalent security corrections will be available shortly."

(BTW: since you will have to recompile and test PHP anyway, take a look at the security extensions from the Hardened-PHP project at www.hardened-php.net/; in particular, 'Suhosin' is nice and not too hard to install and configure.)
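As an added example (not code from this diary or from php.net), the following script checks a host against the two minimums named above, 5.2.1 for the 5.x branch and 4.4.5 for the 4.x branch, and reports whether the Suhosin extension is loaded. It parses the output of `php -v` and `php -m` when run on a real host; the sample banner and module listing embedded below are constructed so it also runs offline.

```python
"""Check a PHP install against the minimums the 5.2.1 announcement names.

Added example; not code from the ISC diary or from php.net. The minimum
versions (5.2.1 for the 5.x branch, 4.4.5 for 4.x) are those quoted above;
the sample `php -v` / `php -m` output is constructed.
"""
import re
import subprocess

# Earliest release on each branch carrying the February 2007 security fixes.
MINIMUM = {5: (5, 2, 1), 4: (4, 4, 5)}


def parse_php_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from the first line of `php -v` output."""
    m = re.search(r"\bPHP (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no PHP version found in banner")
    return tuple(int(x) for x in m.groups())


def needs_upgrade(version: tuple) -> bool:
    """True when the running version predates the fixed release on its branch."""
    floor = MINIMUM.get(version[0])
    if floor is None:
        return version[0] < 4  # anything older than the 4.x line is long unpatched
    return version < floor


def suhosin_loaded(modules: str) -> bool:
    """True when `php -m` lists the Suhosin extension (one module name per line)."""
    return any(line.strip().lower() == "suhosin" for line in modules.splitlines())


def assess(banner: str, modules: str) -> dict:
    """Summarise version, upgrade need and Suhosin presence for one host."""
    version = parse_php_version(banner)
    return {
        "version": ".".join(map(str, version)),
        "needs_upgrade": needs_upgrade(version),
        "suhosin": suhosin_loaded(modules),
    }


# Constructed sample output of a host that has not upgraded yet.
SAMPLE_BANNER = "PHP 5.2.0 (cli) (built: Nov  2 2006 11:57:36)\nCopyright (c) 1997-2006 The PHP Group\n"
SAMPLE_MODULES = "[PHP Modules]\nctype\ndate\nmysql\nsession\n\n[Zend Modules]\n"

if __name__ == "__main__":
    try:
        banner = subprocess.run(["php", "-v"], capture_output=True, text=True).stdout
        modules = subprocess.run(["php", "-m"], capture_output=True, text=True).stdout
    except FileNotFoundError:  # no php binary on this host: fall back to the sample
        banner, modules = SAMPLE_BANNER, SAMPLE_MODULES
    print(assess(banner, modules))
```

On a shared-hosting box the CLI binary and the Apache module can be different builds, so run the same check against `phpinfo()` output from the web server as well.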


--
Swa Frantzen -- net2s.com