Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-02-19 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Sourcefire addresses Snort vulnerability

Published: 2007-02-19
Last Updated: 2007-02-20 23:59:40 UTC
by Joel Esler (Version: 3)
0 comment(s)
The Sourcefire Vulnerability Research Team (VRT) today announced a vulnerability found in the DCE/RPC preprocessor in Snort and Sourcefire Intrusion Sensors.  The DCE/RPC preprocessor is vulnerable to a stack-based buffer overflow that could potentially allow an attacker to execute code with the same privileges as the Snort binary.
 
There are no publicly available exploits for this vulnerability at this time.
 
Mitigation for Snort:  If, for some reason, you can’t upgrade your version of Snort to v2.6.1.3, you can turn off the DCE/RPC preprocessor in your snort.conf file by commenting it out and restarting Snort.  Upgrading to the new version of Snort is highly recommended as soon as possible.  The new version of Snort is available here.
 
Your snort.conf will have an entry like:
 
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
 
Just comment out these lines like:
 
#preprocessor dcerpc: \
#    autodetect \
#   max_frag_size 3000 \
#    memcap 100000
 
and restart Snort.  Then upgrade to v2.6.1.3.
 
If you have a Sourcefire Intrusion Sensor, Sourcefire released SEU 64 today that patches this vulnerability, and this update can be downloaded from the Sourcefire Customer Support Web Site.  After downloading and installing SEU 64, you will need to re-push your policies out from your Defense Center.
 
Mitigation for Sourcefire customers:  If, for some reason, you can’t update your SEU, edit your policies, uncheck the DCE/RPC “Enabled” check box, and re-push your policy until you can upgrade.
 
This vulnerability has been identified as CVE-2006-5276.
 
The versions of Snort that are affected:

* Snort 2.6.1, 2.6.1.1, and 2.6.1.2
* Snort 2.7.0 beta 1

Update:  Sourcefire has released SEU 65 as well as a ruleset for both registered users and VRT subscribers that detect attempts to exploit this vulnerability.  These rules are available at www.snort.org


Joel Esler
(Yes, I am a Sourcefire employee)
http://www.sourcefire.com
http://www.snort.org
http://handlers.sans.org/jesler
Keywords:
0 comment(s)

German spam with malware link

Published: 2007-02-19
Last Updated: 2007-02-19 23:47:17 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
We've received a report that a spam is making the rounds, it's in German, has the Subject "Fand ich Sie zufallig!". According to the automated malware analysis we received from Sven Marten, at the link in the email one obtains 2 pieces of malware, the first of which has sporadic AV detection at the moment. The second looks to be a Riler variant. Thanks Sven! His email to us says;

"The attached file contains an email that has been spammed into my mailbox >100 times this evening, so it aroused my interest. if one wgets the link in it one finds fotoalbum.exe which virustotal identifies as

+++

Complete scanning result of "fotoalbum.exe", received in VirusTotal at 02.19.2007, 23:56:16 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.37 02.19.2007 HEUR/Crypted
Authentium 4.93.8 02.19.2007 W32/Downloader.gen10
Avast 4.7.936.0 02.19.2007 no virus found
AVG 386 02.19.2007 no virus found
BitDefender 7.2 02.19.2007 DeepScan:Generic.Malware.dld!!.7F0C2515
CAT-QuickHeal 9.00 02.19.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 02.19.2007 no virus found
DrWeb 4.33 02.19.2007 no virus found
eSafe 7.0.14.0 02.19.2007 no virus found
eTrust-Vet 30.4.3412 02.19.2007 no virus found
Ewido 4.0 02.19.2007 no virus found
FileAdvisor 1 02.20.2007 no virus found
Fortinet 2.85.0.0 02.19.2007 suspicious
F-Prot 4.2.1.29 02.19.2007 W32/Downloader.gen10
F-Secure 6.70.13030.0 02.19.2007 Trojan-Downloader.Win32.Tiny.ft
Ikarus T3.1.0.31 02.19.2007 Win32.SuspectCrc
Kaspersky 4.0.2.24 02.19.2007 Trojan-Downloader.Win32.Tiny.ft
McAfee 4966 02.19.2007 no virus found
Microsoft 1.2204 02.19.2007 no virus found
NOD32v2 2070 02.19.2007 Win32/TrojanDownloader.Tiny.NCF
Norman 5.80.02 02.19.2007 W32/Downloader
Panda 9.0.0.4 02.19.2007 Suspicious file
Prevx1 V2 02.20.2007 no virus found
Sophos 4.14.0 02.19.2007 no virus found
Sunbelt 2.2.907.0 02.17.2007 no virus found
Symantec 10 02.19.2007 no virus found
TheHacker 6.1.6.060 02.19.2007 no virus found
UNA 1.83 02.19.2007 no virus found
VBA32 3.11.2 02.19.2007 suspected of Win32.Trojan.Downloader (http://...)
VirusBuster 4.3.19:9 02.19.2007 no virus found

Aditional Information
File size: 2108 bytes
MD5: 4b86679ded1718aac5f5bc4840da3e75
SHA1: f42d7eb0934388d65364d212735aae65db26cd5e

norman sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 2108 bytes.

[ Changes to filesystem ]
* Creates file C:WINDOWSTEMPzc2.exe.
[ Network services ]

**WARNING MALWARE AT THE FOLLOWING**

* Downloads file from http://win20all.com/ar/zc2.exe as C:WINDOWSTEMPzc2.exe.
* Connects to "win20all.com" on port 80 (TCP).
* Opens URL: win20all.com/ar/zc2.exe.

[ Security issues ]

* Starting downloaded file - potential security problem.

+++

and if one now takes a look at .... zc2.exe it gives us this littly nicety:

+++

Complete scanning result of "zc2.exe", received in VirusTotal at 02.20.2007, 00:09:26 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.37 02.19.2007 TR/Cimuz.B
Authentium 4.93.8 02.19.2007 W32/Cimuz.gen1@dr
Avast 4.7.936.0 02.19.2007 Win32:Agent-ENM
AVG 386 02.19.2007 Proxy.KMB
BitDefender 7.2 02.19.2007 Trojan.Cimuz.J
CAT-QuickHeal 9.00 02.19.2007 no virus found
ClamAV devel-20060426 02.19.2007 no virus found
DrWeb 4.33 02.19.2007 no virus found
eSafe 7.0.14.0 02.19.2007 Win32.Agent.ly
eTrust-Vet 30.4.3412 02.19.2007 Win32/Difisim!generic
Ewido 4.0 02.19.2007 Proxy.Agent.ly
FileAdvisor 1 02.20.2007 no virus found
Fortinet 2.85.0.0 02.19.2007 W32/Cimuz.BP!tr
F-Prot 4.2.1.29 02.19.2007 W32/Cimuz.gen1@dr
F-Secure 6.70.13030.0 02.19.2007 Trojan-Proxy.Win32.Agent.ly
Ikarus T3.1.0.31 02.19.2007 Trojan-Proxy.Win32.Agent.ly
Kaspersky 4.0.2.24 02.19.2007 Trojan-Proxy.Win32.Agent.ly
McAfee 4966 02.19.2007 Proxy-Agent.o
Microsoft 1.2204 02.19.2007 no virus found
NOD32v2 2070 02.19.2007 Win32/TrojanProxy.Cimuz.NAF
Norman 5.80.02 02.19.2007 W32/Agent.BBAA
Panda 9.0.0.4 02.19.2007 Trj/Cimuz.CZ
Prevx1 V2 02.20.2007 Malicious
Sophos 4.14.0 02.19.2007 Troj/Cimuz-BP
Sunbelt 2.2.907.0 02.17.2007 no virus found
Symantec 10 02.20.2007 Trojan.Riler.F
TheHacker 6.1.6.060 02.19.2007 Trojan/Proxy.Agent.ly
UNA 1.83 02.19.2007 TrojanProxy.Win32.Agent.694F
VBA32 3.11.2 02.19.2007 Trojan-Proxy.Win32.Agent.ly
VirusBuster 4.3.19:9 02.19.2007 Trojan.PR.Agent.SCN

Aditional Information
File size: 69632 bytes
MD5: d4862ca3b6f481141a2f3375ee237c81
SHA1: 97fc4d68b2432a2d0e7dd7750b67f3e4b0d9c166
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=0bc376578083
Keywords:
0 comment(s)

WHOIS contact spam with malicious security maintenance script attachment

Published: 2007-02-19
Last Updated: 2007-02-19 22:15:50 UTC
by Patrick Nolan (Version: 5)
0 comment(s)

We received a report from Hugh Brower that there is a spammed email destined for whois contacts that contains a malicious php attachment. The email is spoofed to look like it's from the domain's hosting provider. The email attempts to trick the recipient into executing the attachment. Currently the attachment information is;

Attachment Name webguard.php
File size: 130990 bytes
MD5: 1071956063131f0fd178ace92ab526bb
SHA1: c47dd28e336030e3d940b66e2884aba91124a831

UPDATE

Additional linformation developed shows that WHOIS contact information is NOT the only source of recipient email addresses. In one instance the recipient's email address was only on the website.

UPDATE
Johannes has a preliminary analysis of the first script reported above that shows that the script harvests critical system configuration information, emails information, sets up a shell, and dumps a perl irc bot. Look for a netcat listener on port 4500.

UPDATE

We've received additional reports (Thanks to Andy Sutton!), a variant shows that a spoofed sender is the US FDIC (Federal Deposit Insurance Corporation) , this email variants script attachment detail;

File Name vprotect.php
File size: 156686 bytes
MD5: 43f3c330f6e85943fd4a60c3b89787e2
SHA1: d58bcb698417cbcf005a0e26e9e962a5097892d9

**NOTE** Emails we have received contain virtually identical content instructions. The attachment and spoofed sender differ.

UPDATE

Matt Jonkman dropped us a note pointing out an identical attachment attack. See BleedingSnort. He reports "Initial hits we saw were on the 9th and earlier. The fbi is aware, the original sites in use were shut down.".

UPDATE

We have previously referenced this attack in John Bambanek's February 9th Diary item here. Arbor made a post late today containing details of a similar attack and details it's techniques.

The email says;

"Subject: Hosting Regular Security Maintenance


Dear yourdomainhost valued Members

Regarding our new security regulations, as a part of our yearly maintenance we have provided a security guard script in the attachment.

So, to secure your websites, please use the attached file and (for UNIX/Linux Based servers) upload the file "webguard.php" in:

"./public_html" or (for Windows Based servers) in: "./wwwroot" in your site.

If you do not know how to use it, you can use the following instruction:

For Unix/Linux or Windows based websites that use PHP/CGI/PERL/ASP:

1) Download the attachment named "webguard.php"

2) Login to your site Control panel.

3) Open "File Manager" window.

4) Go through "Public_html" or "htdocs" (for UNIX/Linux Based servers),

but for Windows Based server, please Go through "wwwroot" directory.

5) Choose "Upload Files"

6) Upload the file "webguard.php"

7) Check its URL too "http://www.yoursite.com/webguard.php", if it is ok

Thank you for using our services and products. We look forward to providing you with a unique and high quality service.

Best Regards"

The attack has targeted more than one domain but does not appear to be widespread at the moment. Additional details will be posted as they develop.

Thanks Hugh!

And thanks Handlers!

Keywords:
0 comment(s)

Oz PM health alert spammed with links to exploit

Published: 2007-02-19
Last Updated: 2007-02-19 14:10:37 UTC
by Patrick Nolan (Version: 2)
0 comment(s)

We've received a report of a spammed email with a hyperlink that ultimately attempts to install malware. The email is targeting Austrailians, the email references a heart attack that the Prime Minister has suffered, of course no such heart attack has occurred.

The email tells the reader to go to Australia's "The Australian - keeping the nation informed" website but the link is not for the real "The Australian" website. The bogus link is to austr-news.c_oh_m.

Thanks for the report Eric!

UPDATE;

AusCERT has issued an alert with additional details including the following malicious sites linked in variants of the email attack;


h**p://www,theaunews,com/
h**p://www,theau-news,org/

Thanks Nick!

Keywords:
0 comment(s)
Diary Archives