WS_FTP server buffer overflow
There is a new buffer overflow vulnerability discovered WS_FTP version 5.03 and prior. The vulnerability is caused by boundary errors within the handling of the "SITE", "XMKD", "MKD", and "RNFR" commands. Successful exploitation can lead to command execution. Obviously the attacker will to first authenticate with the FTP server first before the exploitation can happen.
Reference:

http://secunia.com/advisories/13334/
DomainKeys effective?

DomainKeys is thought to be the solution the spam by many experts. Security professionals know by now that nothing is ever perfect. It turns out that the spammers are using providers that support DomainKeys to broadcast their spam, this indirectly makes the spam look more legitimate. Is there ever a perfect solution for spam?
Reference:

http://www.eweek.com/article2/0,1759,1732576,00.asp

Phishing explained
Knowing that phishing attack is constantly on the rise, it is essential that security professional understand the mechanism of how the phishing attack works. Websense has published a paper detailing the anatomy of a specific phishing attack on MSN and Earthlink customers.
Reference:

http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=85
----------

Jason Lam

jason /at/ networksec.org

IMAP scans

Scans against port 143 (imap) are up considerably today:
http://isc.sans.org/port_details.php?port=143

This coincides with the release of an exploit against imap server in Mercury Mail 4.01 (aka Pegasus Mail). For details, see http://www.pmail.com/ .
I don't think this package is very popular, but some Windows users may use it as an easy to administer/install mailserver.

In addition, a number of vulnerabilities against the popular Cyrus IMAP server where released last week: http://security.e-matters.de/advisories/152004.html

Mailbag: Odd password protected image in email

A reader forwarded an e-mail which included a link to a web server running
on a high port. However, the web server was password protected. We do suspect that the administrator of the server became aware of the server spreading malware and setup the password to avoid further damage. Please let use know if you got similar e-mails. Excerpts:

<IMG class=attach alt=""
src="http://a.b.c.d:12345/slkdh56c/attachment.php?attachmentid=3948&amp;stc=1"
border=0>

(I did modify the port numbers and the content of the link somewhat as they may point back to the submitter, and are probably easily changed by the attacker).

Database Update

Earlier, I posted a complete summary of our "database outage" to the
DShield mailing list. Its rather long, so I won't post it here. If you are interested, see here: http://lists.sans.org/pipermail/list/2004-November/062828.html

In a reply off list, a reader noted that solar flare activity was up significantly and may have caused problems ;-). Nevertheless, Intelsat lost one of its satellites this week: http://www.geekzone.co.nz/content.asp?contentid=3728
sco.com defaced

The defacement of sco.com caused a lot of discussions. SCO has not yet provided any official statement. The only 'glue' so far is that SCO apparently used an old version of PHP. We usually do not cover defacements. However, in this case it may serve as an other kick to upgrade php (see yesterday's diary). The exploit code is now available from multiple popular exploit repositories.

CDI East

We will have a number of our handlers attending and/or teaching at CDI East next week. A few spots are still open if you can make it. See http://www.sans.org/cdieast04/ . I hope to setup a 'Birds of a Feather' session or some similar get together for people interested in ISC. If you attend, please watch the event boards.

--------

Johannes Ullrich, jullrich'\nat';sans.org

Fun – data integrity

We got a report today that at first look seemed rather unlikely: Target was selling dope and prostitutes. After looking a bit deeper it turns out that the Target storefront is actually running on the Amazon database and that database has a book with ‘Marijuana’ as title and a VHS with ‘Hooker’ as title. On the Amazon storefront it looks funny, but on the Target storefront it’s almost hilarious.

It’s impossible for us to check if these items are real books and tapes or not, but it does bring up the subject of data integrity. Normally these things look relatively easy as long as you stay away from partners, vendors and the like. Once you get into them you must start to trust others, just like Amazon trusts its 3rd party vendors and like Target trusts Amazon. The trick isn’t as much ‘how do you make sure you talk to the right person’, or that others can’t intercept or change the communication (VPN technology can solve that), but how do you guarantee that the changes you allow them to make are appropriate, fully checked, and that e.g. nobody enters a joke item in between the real ones?

I hope both Amazon and Target will eventually be able to laugh with it themselves.

http://www.target.com/gp/detail.html/?%5Fencoding=UTF8&asin=B00000I1F6


http://www.target.com/gp/detail.html/?%5Fencoding=UTF8&asin=0823916839


http://www.amazon.com/exec/obidos/ASIN/B00000I1F6/


http://www.amazon.com/exec/obidos/ASIN/0823916839/

PHP up to date?

As you read this, the thanksgiving weekend comes slowly to an end, perhaps it’s time to check your PHP version on your web servers, it’s just speculation so far, but fingers are being pointed at old versions of PHP as the weak point of some recent exploits of web sites.

http://www.php.net/

It can't hurt to make sure you're running a current version.
Versions 4.3.9 or 5.0.2 are current.

WINS

There is some activity with irresponsible released exploits against WINS. As a precaution till Microsoft gets a chance to release a patch for it, we can only reiterate the urgent and continued need to make sure you block the unneeded ports in your firewalls (either the XP2 or the corporate firewall). Ports 42, 137-139, 445 both TCP and UDP can be safely blocked for most applications.

So far we doubt this will be a huge thing, but we might be proven wrong. Still the only thing you can do is block the protocols, which you probably already did if you read this.

I’ll be the first to acknowledge that big vendors aren’t easy to get to move in order to release a patch for something you discovered in their product. Take on top of that, their legal and marketing spin once they finally do and most people will get frustrated by the process.

Still that’s no excuse to release attacking details without giving the world a chance to look into it and get ready for that newly created exploit. If the hackers out there are using it, you can’t really claim to have done it yourself, and if you’ve done it all, there’s not really that urgent a need to beat anybody to releasing the details, but an urge to get your 15 minutes of fame. My guess anyway.

Malicious VBS Script; Mailbag

We received a report from a reader that his users encountered a website containing malicious VBS script. It is detected as VBS_REDLOF.A. We have notified the website owner for necessary action.

During this Thanksgiving Day, we received a few readers sending us some appreciation notes. We are glad to receive all the words of encouragement. It is true that the Net is never quiet. There will still be probes, scans and attacks going on, regardless whether it is day or night. There is no holiday for such activities. And we do see and receive reports on vulnerabilities and exploits almost everyday. Usually we only mention those with high criticality/impact and/or software being widely deployed.

Nevertheless, if your systems and networks are properly secured, you will be able to spend your holidays and weekends in peace. In any case, ISC still works seven days a week, so we are around to watch the Internet weather.

Wish everyone has a nice weekend!

Database server is back online, for now

The Dshield database server, which runs the backend for the Internet Storm Center has been back online for over 24 hours now. We would like to thank everyone that wrote in offering their support, loyalty, and would even like to thank those that wrote in with lovely comments like "you guys should know better..." and worse.


Dave, Johannes, and Miles worked overtime troubleshooting Raid controllers, bad drives, bad slots on the motherboard and more. Thanks hombres.


Currently the reports are being processed as they are received, and the ones received during the outage are being held in a seperate queue to be processed as resources allow. Yes, we did have backups of all the data, and are currently testing a research mirror.


For now, the graphs and top 10 lists will still look a little phunky as the data gets normalized.


Reports of VBS and Javascript "footers" still abound

The isc is still receiving reports from readers about malicious vbs and javascript footers being served up with gifs (usually along with banner ads) and sites serving up the iFrame vulnerability of days past. ISC handlers are following up with the Admins of these sites trying to get malicious sites shut down, and legitimate sites cleaned up.
Thank you for supporting the Internet Storm Center, and have a great weekend,

Mike Poor < moc.snaidraugletni@ekim >
Handler on Duty

Sober.I is on the Go


It appears yet another version of Sober is making the rounds on the Net and is building up speed. This version was first reported on November 19th and has grown to what is now being rated severe by the AV software companies. Secunia has now issued an advisory as well.

http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.i@mm.html


http://wtc.trendmicro.com/wtc/summary.asp


http://www.f-secure.com/virus-info/statistics/


http://secunia.com/virus_information/13463/sober.i/


It appears that the emails are being sent in both German and English. They are being transmitted via a built in SMTP engine and contain an attachment. (Of course none of our faithful diary readers open attachments.) Most of the definitions have been available since November 19th and removal tools are available from many of the AV companies.
Quiet Day on the Net


It has definitely been a quiet day. I guess everyone was busy at Grandma's, Aunt Tilly's or wherever they were stuffing themselves on Turkey and Stuffing complete with all of the fixin's. I on the other hand sat quietly guarding the Net(and did a fine job too I might add). I hope everyone enjoyed their football, family and fun.

Beings I am not as clever and creative as some of our other handlers, and can't write any really cool spooky stories, I guess I will just close this with a greeting of:

Happy Thanksgiving to All

Deb Hale
Handler on Duty

Winamp unpatched Vulnerability


Yesterday was released an advisory about a critical and unpatched vulnerability on Winnamp.


According to Secunia, The vulnerability has been reported in versions 5.05 and 5.06. Prior versions may also be affected.

As a solution, uninstall Winamp or disassociate .cda and .m3u extensions from winamp.
An exploit is already public available for this vulnerability.


Reference: http://secunia.com/advisories/13269/ and
http://www.k-otik.net/bugtraq/20041123.Winamp.php
IFrame - more info

After the IFrame exploitation event last Saturday, a lot of interesting informations are coming to the light.


One of the most interesting are that the majority of the Webservers that were hacked, were apache ones, and running on Unix/Linux systems. This is a really difference between the others attacks that were using the same vector. One recent attack using the same vector, were using IIS servers. Maybe the kidz are trying another tactic. My feeling is that some admins, used to hear about IIS vulnerabilities, are forgetting about all apache environment, like OpenSSL, PHP,etc...and are not patching as they should. These elements, are currently
the suspicious ones that the kidz used to explore and 0wn the machines.
The Register has a good description about that, as well one of our readers sent a detailed explanation about last saturday event.

The register - http://www.theregister.co.uk/2004/11/22/apache_hijack_serves_iframe_exploit/

http://www.vitalsecurity.org/xpire-splitinfinity-serverhack_malwareinstall-condensed.pdf



And now, one of the most successful series of the Internet Storm Center:

Tom Liston´s Following the Bouncing Malware - Part IV:



-------------------------------------------------------------------------

(First, a quick "thank you" to Pedro for letting me use some space on his diary - Obrigado Pedro!)



FTBM - Part I - http://isc.sans.org/diary.php?date=2004-07-23

FTBM - Part II - http://isc.sans.org/diary.php?date=2004-08-23

FTBM - Part III - http://isc.sans.org/diary.php?date=2004-11-04



Follow The Bouncing Malware - Part IV



As this little expedition has wound its way among the malicious flotsam and jetsam of the Internet, I’ve received hundreds of emails echoing the same question:



"Tom, please tell us: who are these people?"



(Ok... I’ve actually gotten ONE email and it asked me to please stop rambling so much. Consider the above to be "artistic license.")



So, rather than diving headfirst into dissecting more code this time, I thought I would take a little "side trip" and see what I could find out about the people who have given us the "gifts that keep on giving." Who are the people profiting off of messing up Joe’s machine?



Since we’ve got a different goal, it calls for a different attitude-- a kinder, gentler approach. We’re going to roll-back the geek-factor a bit and spend a little time away from the hard-core code analysis. To celebrate, I’m all decked out in my fuzzy Garfield slippers (small children/Father’s Day/no choice/don’t ask...) and I’m ready to rock. To round things out, let’s even give this installment a cool Sub-Title:



Follow The Bouncing Malware IV: Mellowing In Fleecy Footwear



(Sorry, couldn’t help myself)



Ok... Let’s see what we can find out...



If you’ve been following along since the beginning, perhaps you noticed something odd. Perhaps after reading through the description of what happened to Joe’s machine, you’ve a feeling that there’s something bigger going on-- something amiss with what you’ve seen, but you just can’t quite put your finger on it.



I know how you feel. It’s that "something" that’s been slowly pecking away at my subconscious since this whole trip began and has finally surfaced into consciousness only recently. Here it is:



In FTBM-1:



1) Joe goes to "yahoogamez.com" and gets served up a banner ad from aim4media.com

2) That ad contains an IFRAME that loads mynet-MML.html from 205.236.189.58

3) mynet-MML.html contains a script that loads hp2.htm from 69.50.139.61

4) hp2.htm whacks Joe’s box with a CHM exploit named (originally enough) hp2.chm

5) hp2.chm goes out and grabs a file called (seeing a pattern?) hp2.exe

6) hp2.exe installs "TV media display" on Joe’s machine.



In FTBM-2:



1) A trip to Joe’s new default home page (changed in FTBM-1 to "http://default-homepage-network.com"... no one ever said that these guys were creative when it came to names...) results in the display of "http://default-homepage-network.com/newspynotice.htm," a warning that Joe’s computer might be (well, duh!) infected with spyware.

2) In "newspynotice.htm," we found some obfuscated JavaScript that pointed an IFRAME to a file called (hold on.. in case you’re just skimming through this, you need to really start paying attention now, because this is important...) "hp1.htm" from 69.50.139.61

3) hp1.html then whacks Joe's box with a CHM exploit named (originally enough) hp1.chm

4) hp1.chm goes out and grabs a file called (once again, seeing a pattern?) hp1.exe



Hey... HEY... HEY! What the heck is that all about?



Well, obviously, the folks who put mynet-MML.html on 205.236.189.58 and newspynotice.htm on "http://default-homepage-network.com" share the same stunted imagination when it comes to filenames.



Or something like that...



Therefore, our goal for today is to try to tie "http://default-homepage-network.com", 205.236.189.58, and 69.50.139.61 together.



So... where do we begin?



Doing a DNS lookup on "default-homepage-network.com" we find that it resolves to 205.236.189.57.



B-I-N-G-O!



Well, let’s see... who administers that block?:



Block: 205.236.189.0 - 205.236.189.255

Service Telematique Service Internet de Montreal

6187A Louis Veuillot

Montreal, QC H1M2N8

Canada



So how does 69.50.139.61 tie into this? They’re using that IP address to start the ball rolling, so to speak, but why use a different server?



Block: 69.50.139.0 - 69.50.139.127

OMEGABYTE Computer Corporation

205 West Ninth Street, Suite 201

Austin, TX 78701



A quick look at Omegabyte’s website shows us the beginnings of an answer: Omegabyte is a hosting provider. It appears that our "Canadian" friends at "default-homepage-network.com" rented themselves a server down in Texas. Why?



Well, if my little excursion into spyware-land has taught me anything, it’s that very little in this ever-shifting terrain stays static. The anti-spyware battle is fought with many of the same "rules" as the anti-virus battle: he who adapts the fastest survives. If you present a fixed target, you get filtered or blocked or "signatured" out of existence. At this point, many of the sites that I’ve mentioned in this chronicle are no longer spyware dumps, having long since been tossed aside once their useful lifetime had expired. In all likelihood, both the Canada and Texas sites are simply innocent hosting companies who were used for connectivity.



So it appears that the people in the spyware industry have taken a cue from the spammers and they use throwaway accounts and hosting services to do their dirty work. And just like with the spammers, by the time we get around to filtering and blocking a server, they’ve moved on to another.



While IP addresses may come and go, domain names are forever... So! What can we find out about "default-homepage-network.com"?



The domain name is registered to:



Seismic Entertainment Productions, Inc.

11 Farmington Road

Rochester, NH 03867



and a little searching on "Seismic Entertainment Productions, Inc." leads to:



http://www.ftc.gov/os/caselist/0423142/0423142.htm



Which is a document entitled: "Federal Trade Commission, Plaintiff, v. Seismic Entertainment Productions, Inc., SmartBot.net, Inc., and Sanford Wallace, Defendants., United States District Court, District of New Hampshire"



For those of you who have had any dealings in anti-spam circles, the name "Sanford Wallace" should ring a very VERY loud bell. Sanford "The Spam King" Wallace has had a very checkered past. His company, Cyber Promotions, was a target of much anti-spam rage in the late ‘90s. Supposedly ol’ "Spamford" had reformed his ways around the turn of the century and had gone "legit."



Apparently not...



It appears that Mr. Wallace has slipped into his old ways and gotten himself into a bit o’ trouble with the U.S. Federal Trade Commission for alleged "deceptive practices affecting commerce."



Strangely enough, if you read through the complaint linked at the FTC’s site:



http://www.ftc.gov/os/caselist/0423142/041012comp0423142.pdf



you’ll see that much of the badness that Mr. Wallace’s "Seismic Entertainment Products, Inc." is alleged to have done has been documented quite nicely in "Follow The Bouncing Malware." The complaint also specifies another of Mr. Wallace’s ventures, passthison.com, which is mentioned in FTBM-2.



According to the FTC’s complaint, the former Spam King's actions have placed him in the crosshairs of a Federal investigation carrying penalties "including, but not limited to, rescission of contracts and restitution, and the disgorgement of ill-gotten gains."



Personally, I’d pay foldin’ money to watch that "disgorgement of ill-gotten gains" part.



So, now let’s return to the question that prompted this little side-trip: “Who are these people?”



Well, at least in this case, we’re able to put an alleged name (and an alleged face, if you’re so inclined: http://www.annonline.com/interviews/970522/biography.html ) to one the folks dumping spyware onto our computers.



Somehow, turning over this particular rock and finding a "reformed" spammer underneath it doesn’t seem so surprising. The ethical leap from spamming to spyware isn’t across a great chasm, but rather over a slight scratch in the pavement. Ethically challenged individuals, for whom the profit motive outweighs all else, seem quite at home in either category. What seems to be missing in their character boils down to a complete disregard for the legitimacy of property rights. To them, it’s not your inbox, your bandwidth, or your computer if they can figure out a way to sneak something past your defenses. In another time and place, they would be highwaymen, embezzlers, or con-artists.



Therefore, in honor of the season, I hereby nominate Sanford "The Spam King" Wallace for the first annual "ISC Tin-Pot Turkey" award for (allegedly) being both a low-life spammer and a scummy purvayor of spyware. Let's hope he spends some time in an orange jumpsuit, "married" to whoever has the most cigarettes.



In the next edition, I promise to editorialize a little less and return to analyzing malicious code. In the meantime, I’ll keep my eye on the FTC case and update you if anything happens.



Finally, before I once again take my leave and begin work on FTBM-5, I’d like to place a simple challenge onto the (virtual) table: Over the course of these articles, I’ve taken several jabs at the folks behind the crud that attempts to infest our computers each time we surf the web. I’ve questioned their skills and their ethics, and I stand behind every dang word I've written. If, however, you either work currently in the spyware industry or have in the past (and I know you guys are reading this...) and you would like to step forward (anonymously or not) and discuss or debate the ethics of what it is you do, please contact me using the ISC’s contact form, found at



http://isc.sans.org/contact.php



Yo Spamford! Care to chat?



---------------------------------------------------------------------

Handler on Duty: Pedro Bueno ( pbueno /AT/ isc.sans.org ) and special story by Tom Liston.

New Multi-Platform, MultiBrowser Java/JavaScript Vulnerability

This one is now public and it looks like it could be a biggie. Consider this your "heads up."



There is an issue with Sun's Java Virtual Machine (VM) in versions less than 1.4.2_06 that allows access, via JavaScript, to portions of a browser's Java plug-in that should NOT be available to untrusted applets.



In order to understand what's going on here, you need to understand a little about how Java applets work. Most people know Java as a cross-platform language for writing web based "applets" -- small programs that run within a web browser in what is known as a "sandbox" environment. This sandbox allows "applets" to perform a specific set of actions that are deemed "safe", and keeps it from being able to do Evil things to your machine (installing viruses, formatting your hard drive, transferring money from your bank account into the ISC Handler's slush fund, etc...)



In order for Java applets to do their thing, however, the "plug-in" (the part of the browser that actually runs the applets) has to have some capabilities that you would never trust to an applet. All that stands in the way are the rules that limit what an "applet" is allowed to do within the plug-in itself. It is these rules that constitute the Java "sandbox."



Think of the movie "Silence of the Lambs." If you haven't seen it, this won't make sense, so go out right now, rent it, watch it, and come back. No, I'm not kidding. Tell your boss I said it's "security research." Ready? Ok. You can think of Java "applets" like Dr. Lechter, being downloaded into your browser on a two-wheeler, wrapped up in a straight-jacket and that muzzle/mask thingie.



Well, we all know how well that worked out, now don't we? Somewhere in the whole "wrap him up tightly enough and we'll be safe from Dr. L." mentality there was a design flaw.



Aiding and abetting the good Doctor's escape in this instance is our old friend JavaScript, which is sort of like Java's really ugly distant cousin (the one that everyone avoids at the family reunion). It turns out that JavaScript can access those parts of the Java plug-in outside of the sandbox and can pass that access along to a Java applet. This is that "design flaw" that I spoke of earlier coming home to roost. In spades.



So now we need to worry about malicious Java "applets" (with a little help from JavaScript) jumping beyond the sandbox and running around saying things like "quid pro quo" and serving up our PCs with a generous helping of fava beans.



What to do? Patch!



To see what version of the Java Plug-in is used by your browser, here are some tips courtesy of the ever helpful George Bakos:



IE: Start->Settings->Control Panel, click the Java "cup" icon labeled
"Java Plug-in" and read the version.



Opera: According to



http://www.opera.com/support/search/supsearch.dml?index=278



pulling down Opera's "Tools" menu, selecting "Advanced", then choosing
"Plug-ins" will load a window showing which plug-ins Opera has
installed.



Mozilla-based browsers (Mozilla/Netscape/FireFox): Type "about:plugins" (without the quotes) into the URL bar and smack the Enter key.



Konqueror: There is a separate KDE Java Applet Server that doesn't use the Java
plugin.



You want to make sure that you're running a plug-in that is version 1.4.2_06 or greater. Updated versions are available here:



http://java.sun.com/j2se/1.4.2/download.html



FYI, what you're looking for when you get there is the link to the "JRE", or Java Runtime Environment, right smack in the middle of the page. We've received reports that running around on Sun's site and clicking other links that you might think would get you to the right place... well... don't. (Thanks, Charles!)



If you're still in Java 1.3 Plug-in Land and not interested or able to move on to v1.4, try here (thanks, Brian!):



http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1



According to Sun, the problem is fixed for version 1.3 in JRE 1.3.1_13 and greater.



More information on this vulnerability is available here:



http://jouko.iki.fi/adv/javaplugin.html

http://secunia.com/advisories/13271/





Yo! Microsoft!

This past weekend saw yet another round of attacks aimed at unpatched vulnerabilities in Microsoft's Internet Explorer. The so-called "Bofra" incident targets an unpatched issue with IE's handling of malicious IFRAMEs. While users of Windows XP with Service Pack #2 applied are immune (and, to answer Marc's question from yesterday's diary, this immunity appears to be a result of a change in the actual code underlying IE, not simply a matter of changes to the default security settings...) those who are not running XP and those who are unable or unwilling to apply SP2 have been left unprotected.



There is a saying: Nature abhors a vacuum. If that's true, inaction on the part of the folks in Redmond must really have Nature's undies in a bunch. Understandably enough, several independent developers have stepped into this Microsoftian-void and are now selling "unofficial" patches on the 'net for unaddressed vulnerabilities in IE, including fixes for the very IFRAME vulnerability exploited by Bofra.



Yo! Microsoft! What don't you get? People are so scared to surf with an unpatched IE that they're shelling out cold, hard cash to third-parties for a level of "Trustworthy Computing" that you should be providing. It's time to step up to the plate. Do you hear? Hello?



End users: While we can understand your frustration, we cannot recommend that you use these "unofficial," third-party patches. Applying these patches will almost certainly cause Microsoft to refuse responsibility for support going forward and using these patches could cause issues with updating your system when "official" patches finally become available.



If you find yourself in a situation where you're unable or unwilling to upgrade your system to XPSP2, there is one third-party security patch to IE that we can wholeheartedly recommend: it's called FireFox (or Netscape, or Opera, or...).



Yo! Microsoft! Did you hear that?




Open Letter To Anti-Virus Software Companies - A Response



On November 5, 2004, Chris Mosby, SMS Administrator and MyITforum Security Message Board Moderator, sent us an "Open Letter To Anti-Virus Software Companies" that we thought was interesting enough to publish:



http://isc.sans.org/diary.php?date=2004-11-05



Our favorite CTO, Johannes Ullrich, stepped into the fray in the November 8th diary:



http://isc.sans.org/diary.php?date=2004-11-08



Yesterday, we received the following response from members of the USCERT's CME (Common Malware Enumeration) initiative. While we don't have any policy about providing "equal time", we thought that their response was also interesting enough to publish:



------------------begin letter------------------



As members of US-CERT’s Common Malware Enumeration (CME) initiative, we would like to respond to Mr. Chris Mosby’s “Open Letter to the Anti-Virus Software Companies” and let Mr. Mosby and the rest of your readers know that we recognize that there are challenges surrounding the “Virus Name Game.” US-CERT and leading security vendors are working together to solve these challenges.



As you may be aware, US-CERT sponsors the Common Vulnerabilities and Exposures list (CVE), which has addressed similar challenges in the vulnerability space (http://www.us-cert.gov/cve/). By building upon the success of CVE and applying the lessons learned, US-CERT, along with industry participants mentioned below, hopes to address many of the challenges that the anti-malware community currently faces with respect to identifying malware through the CME initiative.



As a “neutral third party” in the marketplace, US-CERT will coordinate with security vendors to implement a CME malware identification scheme. Limited operational capability is expected 1Q05; this phase will concentrate on the most important threats, including the recent Beagle/Bagle variants. The role of US-CERT will be to assign a CME identifier (e.g., CME-1234567) to each new, unique threat and to include additional incident response information when available. As our experience with CVE shows, once all parties adopt a neutral, shared identification method, effective information sharing can happen faster and with more accuracy, making it easier to distinguish between very similar threats. In this manner, US-CERT believes that an effective structure can be built to improve what is currently the chaotic world of malware identification.



As mentioned both in Mr. Mosby’s letter and the response posted on November 8th, there are significant obstacles to effective malware enumeration, including the large volume of malware and the fact that deconfliction can be difficult and time-consuming. The CVE experience confirms that strong industry support and involvement is required to meet these challenges. To this end, US-CERT is working with some of the key industry players, including McAfee, Symantec, TrendMicro, and Microsoft. In addition, US-CERT plans to meet with other stakeholders to explore how they can contribute and participate. To date, all parties have shown a strong willingness to work together toward the goal of improving the malware information resources available to AV software users, first responders, and malware analysts – anyone who depends on accurate, concise information about malware. Solving the virus naming problem is a challenging process, but a goal shared across the industry.



We certainly welcome observations such as Mr. Mosby’s. From our point of view, the question is not “why should we have CME IDs” but “how do we make CME IDs work?”



Desiree Beck, CME Technical Leader

US-CERT



Andy Purdy, Acting Director NCSD

Department of Homeland Security



Larry Hale, Deputy Director NCSD

Department of Homeland Security



Jimmy Kuo

McAfee Fellow - McAfee, Inc.



Matthew Braverman, Program Manager

Microsoft Corporation

Security Business and Technology Unit – Antivirus Team



Mady Marinescu, Development Lead

Microsoft Corporation

Security Business and Technology Unit – Antivirus Team



Randy Treit, Program Manager

Microsoft Corporation

Security Business and Technology Unit - Antivirus Team



Vincent Weafer, Senior Director, Symantec Security Response

Symantec Corporation



Oscar Chang, Executive Vice President

Trend Micro, Incorporated



Joe Hartmann, Director North American

Anti-virus Research Group

Trend Micro, Incorporated



-------------------end letter-------------------





No Bounce

Ain't no "Bouncing Malware" here... Ain't no room. It's pretty much complete, but needs a little polishing. Perhaps if Pedro isn't too wordy today, I'll see if I can "borrow" some space from him.





-----------------------------------------------------------

Handler On Duty: Tom Liston ( http://www.labreatechnologies.com )

Bofra/IFrame After Action Review. At SANS we teach a six-step approach to incident handling (if you want to learn it, see our Security 504 class, Hacker Techniques, Exploits & Incident Handling, http://www.sans.org/cdieast04/description.php?tid=145 )

Saturday's banner ad incident that exploited the IFrame vulnerability in Internet Explore is an excellent case study in how to do incident handling on a global scale. Now that the dust has settled a bit, it is time to do step six, Lessons Learned.

Let's begin by walking through each of the steps as applied to this case.

1. Preparation. Prior to any incident, a trained incident handler already has in place notification lists, checklists, policies, and a host of other items to assist when an incident begins. The Storm Center maintains a contact list of people and organizations to call in case of an emergency. Because all of us are volunteers and not employees of SANS, we have standing procedures and policies for how we handle and disclose sensitive information in order to protect SANS as well as the individual volunteers. We also have the handler's diary, a web form for readers to communicate with us, and of course the DShield database (which is currently down, but we'll leave that story for another diary.) Preparation is what you do when there is no current incident under investigation. Think like a Boy Scout - BE PREPARED!

2. Identification. This incident was brought to our attention via an email from "Mark" early on Saturday morning. We rely on several channels for identifying emerging Internet incidents, and our online web form was the vehicle for finding out about this event. Other mechanisms we have are direct email contact, phone calls, the DShield database, plus most of the handlers are watching popular online chat groups and discussion forums for news of breaking events. Without a good mechanism for identification, it is hard to know that an event or incident is occurring.

3. Containment. When an incident is identified, the next step is to contain it so that it does not spread. After confirming that Mark's report was valid, we quickly notified the site that was affected (The Register) plus the UK's National Infrastructure Security Co-ordination Centre, which is the UK's government sponsored organization established to defend their Critical National Infrastructure (CNI) from attacks. Mark had also sent an email to The Register advising them of the problem. At that time, we did not know what the exact nature of the problem was, only that The Register seemed to be the source of the pain. Later we found out that it was a third-party advertiser, Falk eSolutions. Within an hour of the incident being reported, Falk had been notified by The Register and the problem stopped. Many incident handlers want to skip this step and rush into the next step, but we recommend thinking like a firefighter - contain the fire first so that it won't spread, then pour water on it.

4. Eradication. Once contained, the problem can be further investigated, hard drives removed from the servers for forensics or evidence gathering, and other steps taken to clean the intruded systems. The Register and other sites affected by this incident turned off their banner ads, effectively eradicating the problem from their web sites. However, they did this at great cost since their revenues are driven by banner ads. We do not know what Falk and the others did to eradicate the malware from their servers. In this step, it is important to ensure that further damage did not occur through the installation of root kits, key stroke loggers, or hidden back doors.

5. Recovery. Several of the affected web sites have yet to fully recover from this incident even though nearly three days have passed since it started. Not only is there a loss of revenue caused by turning off banner ads, but also a loss of customer trust in the sites. It may take days or weeks before the affected sites have fully recovered. We have not mentioned the potential damage to Microsoft's reputation but that also must be taken into consideration when you consider that except for WinXP SP2, the Internet Explorer has no patch for this vulnerability. It will come back again to visit more unprotected sites.

6. Lessons Learned. The hardest part of handling any incident is trying to figure out exactly what happened and to learn from it. A great technique to help in this step is to make sure that you are keeping good notes. Since last Saturday morning, I've been keeping track of what time certain things happen, who I talked to, what was said, actions taken, observations, etc. From my perspective, here is what I think happened:

- Some time last week one of Falk's load balancing servers was intruded into via a known vulnerability. Going out on a limb here, the most likely cause was that one of the servers got out of sync with the others and a previously applied patch was reversed, perhaps due to software upgrade or other routine maintenance operation. That's just speculation and I'm sure that eventually we will hear the true story.

- Once inside the server, the attacker was able to modify banner ad code to point to another compromised site (search.comedycentral.com, 199.107.184.146) where additional malicious code had been placed. It is not known when Comedy Central was intruded into.

- The first recorded incident in this intrusion set happened on Friday night, but we did not hear about it until Saturday afternoon. "Mike" reported that about 100 hosts in his network hit the Comedy Central site and downloaded malicious software the previous evening. We don't know how they reached the infected server, but it's likely that it was not through The Register since Mike's network is in California.

- Through the day on Saturday we received several other reports of sites that had pointed viewers toward the Comedy Central server. By mid-morning on Saturday the infected sites were off-line.

In summary, it looks like Comedy Central and perhaps some other sites were compromised first, followed by Falk. Then, Falk's site was configured to redirect visitors to Comedy Central. High-profile web sites like The Register use Falk's AdSolution Global service to place banner ads on their pages, and roughly one in thirty hits resulted in a re-direct to the hostile site.

The Register has a notice about the attack online, plus a statement from Falk:

http://www.theregister.co.uk/2004/11/21/register_adserver_attack/
http://www.theregister.co.uk/2004/11/22/falk_bofra_statement/

"Matt" has been keeping a running log of his findings at
http://www.finlandforum.org/bb/viewtopic.php?t=7685

Finally, LURHQ has their nice write-up at
http://www.lurhq.com/iframeads.html

One more thought on this, and a request for comments. The IFRAME issue does not affect Internet Explorer on systems running WinXP SP2. The question is "why?" Is it because SP2 turns off certain scripting features? Or is it the way SP2 handles buffer overflows (stack protection)? We'd like your thoughts on this. The reason is to better understand why SP2 protects IE users, and if there are any settings in SP2 that might make a user vulnerable to the IFRAME attack. If so, we'd like to get those settings made public so that users don't accidentally endanger themselves with unsafe IE settings in SP2.
Marcus H. Sachs

Handler on Duty

Director, SANS Internet Storm Center

Update on Bofra/IFrame Exploits

We are still in the process of notifying sites that are hosting the exploit. We still encourage users to consider using another browser, other than IE6, until a patch for this is released by Microsoft. Windows XP SP2 is reported as not being vulnerable, and to this point we have nothing contrary.


Joe Stewart has an excellent writeup of the IFRAMES exploit, and should be read by users and admins both. Excellent piece of work, thank you Joe.



http://www.lurhq.com/iframeads.html

Tony Carothers

Handler on Duty

(With help from Patrick Nolan to navigate through the cloud cover)

Bofra/IFrame Exploits on More Web Sites. The Storm Center received a report this morning of a high profile UK website that contains a pointer on their main page to another URL hosting the Bofra/IFrame exploit. We have confirmed that if this site is visited using Internet Explorer the exploit will be downloaded. The site owners have been notified.

I know that everybody wants to know "which site?" but to keep little Johnny from burning his fingers we will not list the URL. Please exercise caution when using Microsoft's Internet Explorer since this issue has no current patch. The Storm Center recommends using an alternative browser when visiting sites other than those you absolutely trust.

Thanks to Mark for reporting this to us, and we request that if other sites are found with the Bofra/IFrame exploit on it, let us know. We will attempt to contact the site owners and inform appropriate government response teams if needed.

UPDATE, 1525 UTC. The site in the UK has been fixed. We have received reports of sites in Sweden and the Netherlands that were also compromised. This may indicate a more wide-spread attack across Europe. One suggestion is that the advertising servers rather than the sites themselves contain the exploit, which of course means that perhaps hundreds of sites are affected.
Marcus H. Sachs

Director, SANS Internet Storm Center




UPDATE BELOW at 18:17 UTC - Kyle Haugsness


Microsoft IE IFRAME vulnerability summary (Bofra worm)

Just to refresh everyone on the details. On October 24, a vulnerability
was discovered in the IFRAME tags of Internet Explorer 6.0 affecting
all Windows platforms except Windows XP SP2. This vulnerability can be
exploited by going to a web-site that has malicious code. Currently,
some high profile sites with banner ads are linking to servers that have
the exploit and malicious code.


THERE IS NO PATCH FOR THIS VULNERABILITY! Windows XP SP2 has been
reported as not vulnerable. If you are running IE 6, you are
HIGHLY RECOMMENDED to utilize a different web-browser until a patch is
released by Microsoft. Microsoft has confirmed the vulnerability with
media organizations, but is yet to release any statement on their
website. The next scheduled patch-release day at Microsoft is
24 days away (on December 14).


If you operate a web site that serves banner advertisements, you are
highly recommended to verify that the banners do not contain the IFRAME
exploit code. Or you might want to consider disabling banner ads for
a little while to minimize the risk of accidentally infecting your
users and propogating.


Since this vulnerability is easy to exploit, it is likely that malware
for this issue will come in many flavors and colors. In addition to the
possibility of becoming infected while surfing a website, there are e-mail
propogration vectors. On November 8, we reported MyDoom.AG and MyDoom.AH
(which spread via e-mail) utilize this exploit:


http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631

http://vil.nai.com/vil/content/v_129630.htm


Note that some versions of MyDoom that are including the IFRAME exploit
are being called Bofra (variants A - :


http://www.sophos.com/virusinfo/analyses/w32bofraa.html

http://www.sophos.com/virusinfo/analyses/w32bofrah.html


More vulnerability details:

http://secunia.com/advisories/12959/

http://www.kb.cert.org/vuls/id/842160

http://www.securityfocus.com/bid/11515/info/

http://www.k-otik.net/bugtraq/20041102.InternetExplorer.php

http://lists.netsys.com/pipermail/full-disclosure/2004-November/028286.html




UPDATE BELOW at 00:30 UTC - Kyle Haugsness


Two More IE Vulnerabilities

Exploit code has been released for two more Internet Explorer vulnerabilities
that were released on Wednesday (Nov. 17). This code would enable an attacker
to trick users into executing malware. These vulnerabilities affect Microsoft
Internet Explorer 6.0 SP2 and are not prevented by Windows XP SP2.


The original advisory is here:

http://secunia.com/advisories/13203/


The proof of concept exploit:

http://www.k-otik.com/exploits/2041119.IESP2disclosure.php


While on the topic, it is interesting to note some statistics that
Secunia has been compiling about Internet Explorer vulnerabilities:

IE 5.01 - 42 advisories (7 unpatched)   http://secunia.com/product/9/ 

IE 5.5  - 55 advisories (8 unpatched)   http://secunia.com/product/10/ 

IE 6.0  - 69 advisories (18 unpatched)  http://secunia.com/product/11/ 

New Sober Worm Variant

Anti-virus vendors released pattern updates today to recognized a new variant of the Sober worm. Sober uses its own SMTP engine to spread via email attachments. Secunia has a page that links to anti-virus vendors' descriptions of this specimen. Take a look at this page if you need technical information regarding the latest Sober variant. Also, please be sure to keep your anti-virus signatures up to date.

http://secunia.com/virus_information/13463/win32.sober.i

Spy/Adware via Browser Vulnerabilities and Compromised Web Servers

Steve Friedl pointed us to the BroadbandReports discussion that documents a series of web server compromises that deliver spy/adware to victims that visit compromised sites. The victims are running a vulnerable browser. The information is still preliminary, but there are indications that the attackers are using an IFRAME vulnerability in Internet Explorer to deliver the payload. The web servers hosting the malicious code seem to be running Apache.

The BroadbandReports discussion of this incident:

http://www.broadbandreports.com/forum/remark,11904374

A post to the Full-Disclosure list that may be related to this incident, referencing IFRAME and Apache (this link was posted on the BroadbandReports forum):

http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/27857

Information about the recent IFRAME vulnerability (no patch available at the moment; Windows XP SP2 systems not affected):

http://secunia.com/advisories/12959

We don't have much information regarding this attack pattern to determine its scope. We'd love to hear from you if you can share with us logs, malware samples, or observations relevant to this incident. If server compromises are wide-spread, this incident is reminiscent of attacks on Web servers that distributed the Download.Ject trojan in June.

Recent Phishing Reports

Yesterday's diary mentioned a phishing scam that attempted to harvest logon credentials of MSN customers. Dan Hubbard sent us a link to screenshots that document two versions of this scam:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=73

One of the popular uses for stolen ISP information is sending out more phishing spam. The attackers use the stolen accounts to send spam until MSN, AOL, Earthlink, or another service provider disables the account for policy violations. The attacker then moves to the next account stolen via an earlier phishing scam.

Today we received reports of phishing scams that targeted customers of SunTrust and Comcast customers. In one case, which was quite typical, the attackers used a compromised website to collect stolen information. The owners of the site were unaware of the problem, just like many owners of sites used to proxy spam messages, or the owners of accounts from which the spam was sent. The number of unsuspecting victims, involuntarily acting as phishing collaborators, can be surprisingly large.

No Honor Among Thieves (Part II)

We received a message from Don Parker, as a follow-up to yesterday's mention of the backdoor built into the fake Half-Life 2 exploit. Don described a post to a discussion forum ( http://www.security-forums.com ) that claimed to offer a zero-day exploit for the MS04-029 vulnerability. The exploit claimed to offer the attacker a remote shell; however, MS04-029 focused on denial of service and information disclosure. Moreover, the supposed exploit included shellcode, but lacked NOP instructions typically present in buffer-overflow attacks. Dan's analysis confirmed that the posted "exploit" actually provided the code's author an IRC-based backdoor to the hopeful attacker's system.

The practice of building backdoors into attack tools is quite wide-spread, particularly in malicious programs that don't come with source code, or with exploits that have hard-to-understand shellcode and come from obscure sources. Please use extreme caution when testing such tools on your systems.

Lenny Zeltser

ISC Handler of the Day

http://www.zeltser.com

Insidious Botnets:

Botnets keep getting more malicious every day. Now we're seeing ones that
are logging all the activity of the compromised computer to the botnet controller,
such as what application is running and what the user is typing into that application.

MSN Phishing:

It appears that your bank account isn't all that the phishermen want--they want
your MSN user accounts too. We've gotten a report of an email going around
asking users to verify their account information, due to a "tech problem".
Yes "Deary Msn user" (or "Darling MSN services client", if you prefer), you
should be suspicious and definately NOT click on that link, even though it
appears legitimate.

No honor among thieves:

We've also gotten a report that there is an application circulating the Internet
claiming to be a crack for Half-Life 2 to disable STEAM registration. In reality,
it's a simple VisualBasic backdoor. Shocking. Simply shocking.

The day started out with a potential disaster that seemed to avert itself fairly quickly. A report came in regarding an anti-virus package marking java .class files as infected. This could cause a lot of mayhem. Fortunately the vendor caught this fairly quickly and posted an update. So if your AV is behaving in this way then please go check the vendor for an update.

I am not mentioning the vendor since they do not need the publicity and their customers know who they are.

Lets talk about security awareness for a minute. No really, wake up, sit down and read this! The biggest events of the day from where I sit were related to phishing, which brings a useful newsletter to mind. The SANS OUCH! or OUCH: The Report On Identity Theft and Attacks On Computer Users
It is a bi-weekly newsletter covering the latest phishing and social engineering threats. It is addressed to users not technical folks. Go check it out at http://www.sans.org/newsletters/ouch/

Old friends

So the phishing instances I saw targeted Suntrust Bank. The interesting part that I nearly missed (thanks Tom Liston for being more persistent than I) is that they are checking the user agent of the browser. User Agents (browsers) they are not prepared to fool get redirected to the actual back site. But vulnerable browsers such as IE 5.5 and 6 get the full enchilada, a phony bank site. After 2 failed logins (third time is the charm) the user gets sent to a form where they can validate their credit card per the email that directs them there. This is all standard stuff except for the user agent part.

The next phish targeted Paypal users saying:
This email confirms that you have paid phonebuyer
(phonebuyer451@yahoo.com) $278.99 USD using
PayPal.
And provides a bogus link to protest the fee. All in all nothing new. This ends the awareness session.

We had a minor bout of sasser brought to our attention as well late in the day. Serving as a reminder to me, we can not forget yesterday's troubles yet. They are still there and will come back to get us - we have to stay sharp.

Cheers!

Dan Goldberg

dan /at/madjic /dot/net

MADJiC Consulting, Inc

If It Sounds Too Good To Be True...



We received a report from a reader who found a little more than he bargained for when looking for a cheap used car. It appears that some rather unsavory characters are posting "deals" online that carry some surprises. When you go to look at photos of your "ride-to-be", the seller tells you "please check the pictures on the file. Are packed with WinZip SelfExtract , I don't have much space in this free host and I can put the on the server. After you download it, if you open the file will ask you where to unpack the files."



Uh... sure...



The executable packs a bit more than some candid photos of your dream car. It carries a version of the QHosts trojan which makes changes to your hosts file pointing domain names for various escrow services to a specific IP address. The seller then insists that to "safeguard" the transaction, an escrow service must be used. Care to guess the rest?



Moral of the story: If it seems too good to be true, it probably is.





Don't Let This Happen To You



Another reader pointed out a different scam. This time, the victim receives an email claiming that their credit card has been charged. The victim is given a link to view their "invoice." While none of this is new, the almost overwhelming barrage of exploit attempts at the other end of the "invoice" link was astounding. The victim's machine is hit with three different exploit attempts, targeting different vulnerabilities. It appears that some piece of dirt out there is an over-achiever.





Updated MS04-039

MS updated bulletin MS04-039 today. In their words, the bulletin was updated:

to reflect the release of updated ISA Server 2000 

security updates for all languages. These issues 

affected customers using ISA Server 2000 Service 

Pack 1 or using Windows 2000 Service Pack 3. The 

Security Update Replacement section has also been 

revised.

http://www.microsoft.com/technet/security/bulletin/MS04-039.mspx





-----------------------------------------------------------------------------

Handler on Duty : Tom Liston ( http://www.labreatechnologies.com )

RAID doesn't always save your bacon.

A major disk failure has taken Dshield offline. Estimated time to repair may be as late as Tuesday 16 November 2004.

Are bots new?

A reader commented that IRC bots are not necessarily a new thing. Botnets, using encryption, DoS tools, a variety of infection vectors , etc... have all been around for a while. This certainly is true, however they are one of the more significant threats on the malware front these days. Perhaps the recent attention is simply media hype, or in my opinion the scale in which they are being seen is much larger than ever before and therefore warrant more attention. There isn't anything new under the sun, but they aren't going away any time soon.

Sun releases Solaris 10.

For more information:

http://wwws.sun.com/software/solaris/10/

Some web links.

Feel free to submit your favourites.
Some links I check every day, in no particular order and not categorized:

http://www.securitynewsportal.com/index.shtml

http://www.securitytracker.com/

http://www.theregister.co.uk/

http://www.infosecnews.com/home/index.cfm

http://secunia.com/

http://www.securityfocus.com/

http://www.zone-h.org/

http://www.viruslist.com/en/weblog

http://www.f-secure.com/weblog/

http://securitywizardry.com/radar.htm

http://www.internettrafficreport.com/main.htm

http://www.internetpulse.net/

http://www.us-cert.gov/current/current_activity.html

http://www.security-forums.com/
(Submitted by a reader.)

Vulnerability in Skype.

A buffer overflow vulnerability has been reported in Skype for Windows versions prior to 1.0.0.100. It is recommended to upgrade to the non- vulnerable version.

http://www.skype.com/products/skype/windows/changelog.html

http://secunia.com/advisories/13191/

Cheers,
Adrien de Beaupré

Handler of the Day

www.cinnabar.ca (shameless plug)

Just a reminder, as with all Handler's Diary entries, the opinions expressed here are those of the author and not necessarily those of the ISC or SANS. It is pretty sad that I have to put a disclaimer in here, but some folks have, at times, taken offense at the opinions presented here.



Well, today was a very quiet day at the Storm Center, so, as is sometimes my wont, I was trying to catch up on some reading. :) As a former academic, I like to check out conference proceedings and journals to see what kind of research folks are doing. While I am a huge fan of SANS training, I also am a big fan of conferences with refereed papers. In fact, I was on the program committee for a local Infosec Forum here last week and there were a couple of talks that I think were useful for folks new to the field and those of us who have been doing it for more years than we like to admit. Today, I was finally looking at the proceedings from this past summer's Usenix Security Conference. I found a couple of papers there that I'm going to spend some time studying in more detail (I may talk about one of them in more detail in a future diary). That got me wondering though, what conferences, journals, magazines, books, or websites (besides ours, of course :)), do you, our readers, find useful/interesting? I should know by now, to be careful what I ask for, I might get more than I was counting on in response, but please let us know.



------------------

Jim Clausing, jclausing_at_isc.sans.org

Windows Firewall Article

Microsoft has recently updated the article on "Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2".

The article describes the common problems using Windows Firewall and tools that can be used to troubleshoot Windows Firewall issues.

If you are using Windows Firewall, you may find it useful, in particular the section on "Windows Firewall Troubleshooting Tools". The URL is rather long, so you will have to cut/paste this:

http://www.microsoft.com/downloads/
details.aspx?FamilyID=a7628646-131d-
4617-bf68-f0532d8db131&DisplayLang=en


Hardware Firewall

Thanks to Jason Lam pointing this to me. This may not be a very new, but since we are on the topic of firewalls, it will be interesting to know that Nvidia has released a motherboard controller that makes it possible to build a hardware firewall within a PC itself. We may have more hardware-based firewall solution in future.

http://security.itworld.com/4357/041020nvidia/page_1.html
Follow up on "Rumours about Windows SP2 vulnerabilities"

Two days ago ( http://isc.sans.org/diary.php?date=2004-11-11 ), we mentioned the rumours about Windows SP2 vulnerabilities. Microsoft is looking into this and at this time they cannot confirm Finjan's claims of the ten vulnerabilities in Windows XP SP2.

Let hope this will clear soon and is good news from Microsoft.

http://www.computerworld.com/securitytopics/
security/holes/story/0,10801,97478,00.html?SKC=holes-97478

Follow up on "AV Vendors Taking Out Valuable Resource"

Yesterday ( http://isc.sans.org/diary.php?date=2004-11-12 ) handler of the day John Bambenek pointed out that VirusTotal removed several leading AV vendors from their scanning service. The Storm Center is not privy to the specific reasons for the decision at VirusTotal, and our choice of words on why there was a change is only an opinion. Regardless, most of the major AV vendors provide a free malware scanning service on their own home pages. These sites should be consulted together with the VirusTotal service when trying to identify if a there is a known signature for a particular piece of malware. For example, AVERT Labs provides a free malware scanning service at http://vil.nai.com/vil/submit-sample.asp

A list of AV sites offering scanning services is at http://virusall.com/virussubmit.html . We cannot and do not endorse any of these links, but are providing them as a public service to others in the infosec business.

Bot Nets - Moving to Prime Time

While investigating a bot net we found some interesting new tricks. When I first /whois'd the IRC operator it immediately kicked me off and banned me from the server. (It did return the info first though). Poking around a little more at what IRC server version they are using and the features available to it provided some very eye-opening developments. This particular IRC server was using an 11 month old version, while the newest versions support things such as SSL client/server communication and hostname cloaking. A little more tweaking and research and they can make bot nets fairly stealth and much harder to break apart, especially if they start using SSL certificates and the actual IRC linking functions in the server software. (i.e. they have 20 IRC servers serving the bot net that all talk to each other so you have to take down all 20 to shutdown the net).

AV Vendors Taking Out Valuable Resource

Many readers might be familiar with Virustotal ( http://www.virustotal.com ). This service provides its users the ability to submit a file and have several anti-virus engines scan it. Unfortunately, several major anti-virus vendors decided this was not a good use of their product (probably because it exposes which vendors are lagging on getting updates out) and have badgered Virustotal to remove their engines. Apparently too many customers would come back to AV vendors using Virustotal results to harass them about lagging signatures.

--
John C. A. Bambenek, bambenek /at/ gmail.com
Handler of the Day

Cisco IOS DHCP DoS vulnerability

Cisco IOS version 12.2S is found to be vulnerable to a DoS attack when DHCP server or relay agent is enabled. Cisco has a fix ready (see link below). There are also many workarounds for this vulnerability, such as disabling the DHCP service (no service dhcp), using QoS or using ACL to block potential attack. Please refer to the URL below for details.

http://www.cisco.com/warp/public/707/cisco-sa-20041110-dhcp.shtml



Rumours about Windows SP2 vulnerabilities

Finjan software announced that they have found 10 vulnerabilities in Windows XP SP2 and they have notified Microsoft about these vulnerabilities.

If these claims are true, we might have to do a lot of patching on XP machines soon.

http://www.vnunet.com/news/1159322

http://www.winnetmag.com/Article/ArticleID/44502/44502.html




--------------------------------

Handler on Duty

Jason Lam Email: jason /at/ networksec.org

Secure Remote Services


Today we received an request about secure applications for remote access on windows machines. While the questions were related to Remote Desktop x <A commercial vendor application>, the following advices are from a quick opinions from the handlers:



- Restrict access to the remote service application

- Restrict the resources in the remote machine to remote users

- Some VNC variants will add strong authentication, as secureVNC (
https://sourceforge.net/projects/securevnc/ )

- Tunnel the remote service application, using something like ssh or VPN

MyDoom and IFRAME

On Marcus Sachs´s diary from yesterday, he mentioned the IE exploit email, but not explicitly a MyDoom variant. The reason is that he choose not to refer to MyDoom since there was some argument yesterday as to whether this was really another strain of MyDoom or something brand
new.


Also in this topic, bleedingsnort website released snort signatures for both .ah and .ai variants. Although it may not detect variants with minor changes, it may be worthwhile to try to find those in your network.


MS04-039 revision

Microsoft updated its MS04-039 bulletin, now on its version 2.0. According to the notes at the end of the bulletin, the revision was to german language only:


V2.0 (November 9, 2004): Bulletin updated to reflect the release of an updated ISA Server 2000 security update for the German language only. This issue does not affect any other language version of this security update. The Security Update Replacement section has also been revised.


SSI 2004 - Brazil

If you are in Brazil, and will be on friday at SSI 2004 (Information Security Symposium) at ITA, I will be there speaking at 09:00am, and at 14:00 pm, about ISC and Malwares. Say hello if you plan to be there.


Monthly Webcast



Did you miss our ISC monthly Webcast? Check the archives at:

https://www.sans.org/webcasts/show.php?webcastid=90494


------------------------------------------------------------

Handler on Duty: Pedro Bueno (pbueno /AT/ isc.sans.org)

IE Exploit Email. The Storm Center has received several reports of a hostile email that contains a link (not an attachment) that points to code exploiting the recently announced Internet Explorer vulnerabilities. The email has text similar to this:

Congratulations! PayPal has successfully charged $175 

to your credit card.  Your order tracking number is 

A866DEC0, and your item will be shipped within three 

business days. 

To see details please click this 'link'

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is 

being sent by an automated message system and the reply 

will not be received. 

Thank you for using PayPal.

Clicking on the embedded link points the victim to a previously infected computer, downloads the exploit code, and infects the victim if the victim is using Internet Explorer on any Windows platform other than WinXP SP2. No patches are available (yet) from Microsoft. If today's Microsoft bulletins address this issue we will update this diary entry. The best mitigation is to avoid using Internet Explorer until patches are available. Take a look at Firefox from the Mozilla project team as an optional browser. Version 1.0 was released today.

DNS Vulnerability. The United Kingdom's National Infrastructure Security Co-ordination Centre (NISCC) published a bulletin today about vulnerabilities in various DNS implementations. Please note that ISC-BIND is not vulnerable to this issue. If successfully exploited, an attacker could cause a denial of service condition on a DNS server. Details are at http://www.uniras.gov.uk/vuls/2004/758884/index.htm

Microsoft "Patch Day" Today. Today is the second Tuesday of the month. Right on schedule, Microsoft published their monthly security summary: http://www.microsoft.com/technet/security/bulletin/ms04-nov.mspx

There is only one issue listed: MS04-039 Vulnerability in ISA Server 2000 and Proxy Server 2.0 Could Allow Internet Content Spoofing (888258). The issue is rated IMPORTANT by Microsoft and only affects this software:

Microsoft Internet Security and Acceleration Server 2000 SP 1 and 2

Microsoft Small Business Server 2000 (includes Microsoft Internet Security and Acceleration Server 2000)

Microsoft Small Business Server 2003 Premium Edition (includes Microsoft Internet Security and Acceleration Server 2000)

Microsoft Proxy Server 2.0 Service Pack 1


Unfortunately there is no mention of the new vulnerabilities in Internet Explorer. Stay tuned...
Marcus H. Sachs

Handler on Duty

Reminder: Webcast this Wednesday. Details: https://www.sans.org/webcasts/show.php?webcastid=90494
New MyDoom Variant uses IFRAME exploit

We received several reports of a new MyDoom variant making the rounds.
McAfee lables it 'MyDoom.AG' and 'MyDoom.AH'. This virus claims to contain a link to pornographic images. The web page this link refers to will use the so far unpatched 'IFRAME' vulnerability to infect the target computer. The
target system itself will become a web server for the malicious code.

Another version of the email claims to come from Paypal.

A couple other observations so far:

+ The web server listens on a high port (so far, it is reported in the
1600-1700 range. Seems to vary from machine to machine

+ The e-mail includes fake headers that identify the e-mail as anti-virus scanned (and found harmless)
The email itself does not appear to include any malicious code. Many anti-spam filter may catch it due to it's content. The malicious code is launched once the user clicks on the URL and connects to the remote server with a vulnerable version of Internet Explorer.

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631
selected user reports about this virus:

--------------

We have been hit with the Paypal version of this exploit and I can tell you that the current version of Trend doesn't detect it at all.
Below is the text of the message:

Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.

To see details please click this 'link'
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received.

Thank you for using PayPal.

My experience showed that the infected PC establishes a TCP 6667 connection with several IPs and sends a continual barrage of smtp messages outbound to public sites. The infected system showed a vv.bat file on the desktop which was also running as a process.

-------------

Phishing tip

Quick note to all webmasters out there: One was to make it harder for
people to impersonate your site is to personalize it for your users.

First time the user logs in, set a cookie with a simple personal, but
non-confidential string (e.g. user's first name). Next time the user
comes back, great them with this string before they log in.

If you want to do it fancy, allow the user to set the string (but
validate it ;-) ).

A phishing site will not be able to read the cookie containing the
string if you limit it to your domain. As a result, the user will not see
the greeting string and maybe get tipped off that the site is fake.

Diary flagged as Virus

We did receive a couple of reports that part two of Tom Liston's "follow
the bouncing malware" story was flagged as containing malicious code.

We can assure everyone that the diary does not include any malicious code.
However, some of the strings quoted are from actual malware, and some
AV scanners happen to use these strings as part of their signatures.

Trust us!

Virus Naming

On Friday, we published an open letter to Anti-Virus Software companies.
(see: http://isc.sans.org/diary.php?date=2004-11-05 ). The letter was
contributed by our reader Chris Mosby.

I would like to take the opportunity to comment on the ongoing problem of "Virus Babel" and respond to a couple points raised in the letter.

In my opinion, one problem is the large number of very similar malware
released in rapid sequence. For example, according to Symantec, today
version 'BQJ' of Gaobot was spotted, which gets us to about 1800
(1804 if my math is right). The first version of Gaobot was released a bit over a year ago.

For malware analysts, analyzing minute differences between different versions my provide a unique insight into the bot/virus scene. However, for the anti-virus software user, it doesn't matter if the AV software caught Gaobot.AAA or .AAB, as long as it successfully detected and disposed of the malware before it could do any damage.

In this sense, I would suggest that anti virus software will become smarted in identifying variations of known malware, in particular if the variation has been generated by automated packers or obfuscater.

BTW: We do not have any plans to become a 'Virus Name Clearing House' as suggested in the letter. It may be fun to do, but we just don't have the resources.

(great spot to discuss this issue: our mailing list, http://www.dshield.org/mailman/listinfo/list ).

Country Reports

yes. they are broken. Will be back shortly... Mike H.: Next time please include your e-mail address if you want a response ;-).

------------

Johannes Ullrich, jullrich'at;sans&org

CTO SANS Internet Storm Center.

Linux/Unix Backdoor Trojan



Symantec has released the details on a new Linux/Unix Trojan horse, which introduces Backdoor.Maxload into the system. The Trojan Horse, which is appearing on various download sites, is falsely described as an application that exploits the Windows DCOM exploit to entice users to download and run.



http://securityresponse.symantec.com/avcenter/venc/data/backdoor.maxload.html



New Windows Virus shows up on the radar



A new virus, introducing some very ugly results, has started showing up in a few locations. Anti-Virus vendor results show what appears to be a new Backdoor based on the Windows DCOM exploit. More information will be posted as it becomes available.



Scan results
File: msass43.exe
Date: 11/07/2004 16:59:03
----
BitDefender 7.0/20041104 found [Backdoor.SDBot.Gen]

ClamWin devel-20041018/20041107 found [Exploit.DCOM.Gen]

eTrust-Iris 7.1.194.0/20041105 found [Win32/IRCBot.Variant]

F-Prot 3.15b/20041105 found nothing

Kaspersky 4.0.2.24/20041107 found [Backdoor.Win32.Rbot.gen]

NOD32v2 1.917/20041106 found [probably unknown NewHeur_PE]

Norman 5.70.10/20041105 found [W32/Malware]

Panda 7.02.00/20041107 found nothing

Sybari 7.5.1314/20041107 found [Backdoor.Win32.Rbot.gen]

Symantec 8.0/20041106 found nothing




Many thanks to Patrick Noli... sorry, _Nolan_ for help with todays diary.



Tony "Duckfoot" Carothers

Handler on Duty

MS Security Alert Advanced Notice



Microsoft has recently acknowledged that we need a little more time to prepare for the second Tuesday of each month. Starting this month, Microsoft will announce the patches that are going to be released with little technical detail a few days ahead of time. Notices will include the number of security bulletins that <i>might</i> be released (which has no bearing on the number of patches, *coughMS04-028cough*), anticipated security ratings and the products that will be affected.



http://www.microsoft.com/technet/security/news/bulletinadvance.mspx

http://www.microsoft.com/technet/security/bulletin/advance.mspx



Notably missing from this advance notice report is anything relating to the Internet Explorer IFRAME vulnerability, for which an exploit is currently circulating.



http://www.securityfocus.com/bid/11515



Cisco PIX Source Code Reported Stolen



A group calling themselves the Source Code Club that previously claimed to have stolen source code for Cisco IOS is now attempting to sell the source code to interested parties. No word on the cisco.com website about this dubious offer at this time.


Just in case you were wondering, the Source Code Club FAQ indicates that they are NOT hiring at this time.






Open Letter to Anti-Virus Software Companies



The following letter was provided to us by Chris Mosby, SMS Administrator and MyITforum Security Message Board Moderator. I think many of us can relate to the grief caused by the virus name game described in his letter. Note these the thoughts and opinions in this letter are those of the author and not necessarily those of the Internet Storm Center or the SANS Insitute. Thanks Chris.




-----BEGIN LETTER-----

As we are all aware, it was exactly one week ago today that there was an unusual outbreak of not just one; but three globally spreading variants of the Bagle virus.


Now that the smoke has cleared, and security professionals around the world have all had time to reflect on the events of the last seven days; I wanted to write to you on behalf of your customers to let you in on a little secret that we already know.


The “Virus Name Game” has gotten out of hand. If you are unaware of what I refer to, I will attempt to explain.



Sometime during the Bagle\Netsky war of earlier this year, your virus variant names got out of synch with other anti-virus software companies. We can understand how that could have happened. There were multiple versions of those viruses coming out everyday, with virus writers trying to out do each other in some childish game of hacker supremacy; and you were dealing with the waves of malware as fast as you could. When the “virus war” slowed down with the arrest of the author of Netsky, your virus variant names stayed out of synch. Your customers were able to “deal with it” as the new viruses trickled in at their normal pace by working together as a community with resources like the Internet Storm Center ( http://isc.sans.org/index.php ), Secunia’s Virus Information page ( http://secunia.com/virus_information/ ), VGrep Online ( http://www.virusbtn.com/resources/vgrep/index.xml ), MyITforum’s Security message boards ( http://myitforum.techtarget.com/forums/default.asp?catApp=2 ), and AntiVirus e-mail list ( http://myitforum.techtarget.com/articles/14/view.asp?id=1301 ).



This last Bagle virus outbreak reminded us all what a mess we are in. Since your respective companies have adopted an isolationist attitude and don’t usually share information with other anti-virus software companies, your customers were left with a lot of confusion as to exactly what they were dealing with.



While the new Bagle variants were spreading like wildfire, some companies acknowledged the variants existed; but had no details of what these variants did or what to look for. This did not change even after they raised the threat level of these viruses.



Others provided more detail, but did not match the threat level of other companies since the number of submissions they received from their customers were lower. Their virus variant names were different than other companies, so your customers were left in the dark.



Still other companies had only one or two of these variants listed, with various degrees of detail; and again completely different variant names than other companies, since that was all their customers had submitted to them. This left your customers in the dark again. For those of your customers that use more than one companies anti-virus product, and I know there are plenty out there; that left them with an even bigger mess than just the virus outbreak. With all of this going on your customers “dealt with it” as they usually do, working together as community. We sorted through all the information that trickled down to us, or when you felt like letting us know. As usual, we got through it, with some of us showing a few more gray hairs.



I think I can speak for everyone in the security community when I say; "dealing with it" is not acceptable anymore. As the customers that spend money for your products, we should not have to work so hard to figure out if your products are keeping us protected. We know you can do better, and we challenge you to do so. With the increasing problem of spyware, spam, and patch management, we have enough to deal with.



Along those lines, I have a suggestion. Since your business thrives on competition with the other companies out there, then maybe picking a name for a virus should be played as a competition by anti-virus software companies. First we would need a neutral third party you can send virus information to, like the Internet Storm Center or the United States Computer Emergency Readiness Team (US-CERT, http://www.us-cert.gov/ ). The competition would be that the first company to send the neutral party detailed and accurate information on a virus before any other would be the one to name the virus. This would be what all other companies would have use in their descriptions from that point on.



However things are fixed might not matter, as long as something is done before things get worse. Work together as a community of security professionals and help out your customers at the same time. With Microsoft soon to be entering the anti-virus software business, we believe it is in your best interest to figure out how to do accomplish this and keep your customers better informed about how they are protected.




Thank you for your time and attention,

Chris Mosby

SMS Administrator

MyITforum Security Message Board Moderator.

-----END LETTER-----





-Joshua Wright/Handler on Duty

SSH Honeypot Capture

Reader Steven Sim Kok Leong sent us a note explaining that his organization had monitored a SSH brute force compromise of a honeypot machine with a deliberately
added "weak" account/password matching those that we've noted scans for over the past several weeks. An analysis writeup on the compromise can be found at:



http://www.security.org.sg/gtec/honeynet/viewdiary.php?diary=20041102



Additional comments on protection from automated SSH hacks came from a gentleman whose father ;-) pointed out:



"Firewall parts of the 'net from which you do not anticipate legitimate traffic on a particular port. If you don't expect any legitmate SSH traffic from anywhere but your office and your mother's house, block connections from the rest of the world.



Use the SSHD configuration file to limit the accounts that can log on, and to generally tighten things. Exceptions to the defaults that I like are...

        PermitRootLogin no              

        AllowUsers userA userB userC   

        Protocol 2

        LoginGraceTime 20s

        MaxStartups 5

        Banner /etc/ssh/sshd_banner

Make sure userA, userB and userC have good passwords, of course.



You can also run SSH on a non-standard port if your users can accommodate this. The current attacks seem to use only the default port."





Follow The Bouncing Malware, Part III



Note: Most of the links in the following are not "clickable" on purpose. Think of it as a warning...



Before we begin our tumble down the rabbit hole once more, just a few brief words:



For those of you who have been following this little excursion: thank you for your patience. It’s probably difficult to completely understand the amount of time that each of these little essays takes to research and write. While I’ve been working on this particular installment, there were also the distractions of family, job, the daily “stuff” coming in at the SANS ISC, MS04-028, GDIScan, turning the ISC into the GDIScan helpdesk (sorry gang!), windsurfing the halls at NS2004 in Vegas, etc..., etc... You have my sincere apologies for the wait, as well as my fervent hope that it was worth it.



With that out of the way, why don’t we “warm up” by quickly retracing the path we’ve already trod? Perhaps now would be a good time to take a bathroom break and grab a fresh container of your favorite adult beverage, ‘cause once this caravan rolls, we ain’t stoppin’. Go on, I’ll wait...



Ready? Good. Let’s go!



In the beginning, there was Joe Average. And Joe didst buy himself a computer and conneceth it to the Internet. And with his computer, Joe did surfeth, and readeth email, and playeth many games. And Joe looked upon the Internet, and it was Good.



But while Joe did possess knowledge of the Internet Good, he did not understand that Evil too lived on the Internet. And he patcheth not.



Then one day, Joe didst unknowingly go to a Bad Place, and much Evil befell his shiny new computer.



How Evil? Very, VERY Evil:



From Follow The Bouncing Malware, Part I

( http://isc.sans.org/diary.php?date=2004-07-23 ):



1) Joe's homepage had been changed. It is now set to:



http://default-homepage-network.com/start.cgi?new-hkcu



2) Joe’s default search page has been set to:



http://server224.smartbotpro.net/7search/?new-hkcu



3) Search assist has been turned off.



4) "TV Media Display" has been installed on Joe's machine.



5) addictivetechnologies.net had graced Joe's machine with a file identified by AV software as Win32/TrojanDownloader.Rameh.C.



And, from Follow The Bouncing Malware, Part II

( http://isc.sans.org/diary.php?date=2004-08-23 ):



6) Joe’s computer, at the behest of the Addictive Technologies malware, downloaded “instructions” from F1Organizer.com



7) Following those instructions, new “Favorites” were added to Joe’s browser, and two new “gifts” (SplWbr.dll and ezbdlLs.dll) were installed on his computer.



8) The installation of SplWbr.dll dumped an “Ad Destroyer and Virtual Bouncer” from SpyWare Labs, Inc. and “TopRebates.com AutoTrack software” onto Joe’s computer.



9) The installation of ezbdlLs.dll dropped a “Utility for downloading files and upgrading software” from “ABetterInternet”, a utility to “Make Your Internet Browsing Simple, Exciting, and Personal” from the fine folks at “ezULA”, and an affiliate ID hijacker called SAHAgent onto Joe’s PC.



10) Finally, the file hp1.exe was downloaded and executed via a .CHM exploit.



That’s where we stopped last time, with my promise that the file “hp1.exe” was “a real piece of work.”



So... let’s take a look at hp1.exe.



The file hp1.exe contains 49,152 bytes o’ Visual Basic goodness (guffaw). The file’s version information claims that it was created by a company called “df”, with an internal name of “bigs104”. Launching this beastie begins bringing down a veritable rain of malware on a machine. Sit back and try to keep up as we follow the bouncing malware:



First, it contacts "http://mmm.roings.com/bundle.php?aff=bigs104" and downloads 1449 bytes of some sort of data:

388

{}{}{}wrds======ckkcha*gki+waevgl9uxwaevgl*}elkk*gki+waevgl9tx

}elkk*gki+v+w|+.9txv`w*}elkk*gki+9txwaevgl*iwj*gki+vawqhpw*ewt9ux

eqpk*waevgl*iwj*gki+vawqhpw*ewt9uxc*iwj*gki+9ux

ekhwaevgl*gki+ekhgki+waevgl9uqav}xwaevgl*ekh*gki+ekhgki+waevgl9uqav}x

ehhplasaf*gki+waevgl9uxsaf*ewo*gki+saf9uxkravpqva*gki+`+waevgl9Oa}skv`wx

gkjpajp*kravpqva*gki+`+waevgl9Oa}skv`wxiw|ih*mjbkwtega*gki+lkia+`kc9uosx

mjbkwtega*gki+lkia+`kc9uosxwaevgl*japwgeta*gki+jw+waevgl9uqav}x

japwgeta*gki+jw+waevgl9uqav}xehpermwpe*gki+saf+vawqhpw9ux

waevgl*h}gkw*gki+`abeqhp*ewt9uqav}xh}gkw*gki+waevgl*ewt9uqav}x

waevgl*aevplhmjo*jap+pvego9uxwaevgl*hkkowievp*gki+t+waevgl9up

{}{}{}doms======faewp}wtkvpeh*2|*pk9995xxxgavmeh~*gki9996xxx

`vmjoi}*gki9995

{}{}{}ver======17

{}{}{}pay======yes

{}{}{}ip======aa.bbb.cc.dd  (note: this was Joe’s machine’s IP address)

{}{}{}phases======`veckjfehh~9995xxxgvegow9996xx

mb$}kq$qwa$plmw$wmpa9995

{}{}{}sewers======wa|$bkv$bvaa9995xxxwa|9996xxxikva$wa|$bkv$ia9995

12

{}{}{}outers======

175

xxxxxi}a|a999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+hke`w+999i}a|a999999EHHx

JQHHxxxxxerepev999lppt>++sss*erepevvawkqvgaw*gki+`mwp+ewp[0[ii*a|a999ewp[0

[ii*a|a999ewp[0[ii*a|a999QWxAFxEQxGExCFxxxxx

a6cmra999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+Ia`meIkpkv61*a|a999Ia`meIkpkv61*

a|a999Ia`meIkpkv61*a|a999QWxGExxxxx

qjwpeh999lppt>++qtw*vkmjcw*gki+wkbp+qjwpehh*a|a999qmjwpehhav999999EHHx

JQHH

f

{}{}{}reg======

5c

xxxxxkg|5<999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+ii64*kg|999ii64*kg|999ii64*kg|

999EHHxQWxGExAF

6

{}{}{}

0

(Note: the data has been reformatted to display better in the Diary.)



Well, what the heck does all of that mean? Hmmm... it’s obviously a “generated on the fly” data file, because the file contained, in plain-text, the IP address of the NAT firewall that Joe’s machine was behind. It also appears to have been “encrypted” in some manner.



Given some time, and several pieces of paper wadded up and thrown at the cat in frustration, your intrepid author cracked the code, and wrote the following program to decrypt the data:

#include <stdio.h>

 

int main(int ac, char **av) {

FILE *in, * out;

  char buffer[80], *c, val;

  int cont = 1;

 

  if(ac != 2){puts("Usage: df_decrypt filename"); return 1;}

  if((in = fopen(av[1], "r")) == NULL){puts("Cannot open input file."); return 2;}

  if(!(out = fopen("output.txt", "w"))){puts("Cannot open output file."); return 3;}

  while(cont){

    if(fgets(buffer, sizeof(buffer), in)){

      c = buffer;

      while(*c){

        if(*c != '\n'){

          val = *c & 7;

          if(val < 4) *c = *c + 4;

            else *c = *c - 4;

        }

        c++;

      }

      fputs(buffer, out);

    } else cont = 0;

  }

  fclose(in); fclose(out);

  return 0;

}

Filling the decrypted data back into the file alongside any original data that is obviously “keywords” results in the following unencrypted file:

388

{}{}{}wrds======google.com/search=q|search.yahoo.com/search=p|

yahoo.com/r/sx/*=p|rds.yahoo.com/=p|search.msn.com/results.asp=q|

auto.search.msn.com/results.asp=q|g.msn.com/=q|aolsearch.com/aolcom/search=query|

search.aol.com/aolcom/search=query|alltheweb.com/search=q|web.ask.com/web=q|

overture.com/d/search=Keywords|content.overture.com/d/search=Keywords|

msxml.infospace.com/home/dog=qkw|infospace.com/home/dog=qkw|

search.netscape.com/ns/search=query|netscape.com/ns/search=query|

altavista.com/web/results=q|search.lycos.com/default.asp=query|

lycos.com/search.asp=query|search.earthlink.net/track=q|

search.looksmart.com/p/search=qt

{}{}{}doms====== beastysportal.6x.to===1|||cerialz.com===2|||drinkmy.com===1

{}{}{}ver======17

{}{}{}pay======yes

{}{}{}ip======aa.bbb.cc.dd  (note: this was Joe’s machine’s IP address)

{}{}{}phases====== dragonballz===1|||cracks===2||if you use this site===1

{}{}{}sewers====== sex for free===1|||sex===2|||more sex for me===1

12

{}{}{}outers======

175

|||||myexe===http://bins2.media-motor.net/soft/loads/

===myexe======ALL|NULL

|||||avatar===http://www.avatarresources.com/dist/ast_4_mm.exe

===ast_4_mm.exe===ast_4_mm.exe===US|EB|AU|CA|GB

|||||e2give===http://bins2.media-motor.net/soft/MediaMotor25.exe

===MediaMotor25.exe===MediaMotor25.exe===US|CA

|||||unstal===http://ups.roings.com/soft/unstall.exe

===uinstaller======ALL|NULL

f

{}{}{}reg======

5c

|||||ocx18===http://bins2.media-motor.net/soft/mm20.ocx

===mm20.ocx===mm20.ocx===ALL|US|CA|EB

6

{}{}{}

0

After downloading this “control data” file, Joe’s computer then contacts "http://www.mastermind.com/a?l=PeAyF1sgrZYw&i=aaa.bbb.ccc.ddd" on TCP port 8010 (where aaa.bbb.ccc.ddd is Joe’s computer’s IP address) and has three lines of data returned: “2”, “US”, “0”.



This ties in with what appear to be “country codes” found within various portions of the unencrypted data file. It appears that the malware will react differently depending on the country where the infected machine is located. The script at www.mastermind.com takes the IP address and returns a country code. The other two codes (“2” and “0”) appear to control different aspects of the malware’s behavior.



Immediately upon receiving the “US” country code from mastermind.com, Joe’s computer contacts "http://bins2.media-motor.net/soft/mm20.ocx" and downloads, installs, and registers this 61,440 byte OCX. Examining this file, it appears to be an OCX version of hp1.exe. It contains many of the same strings, and appears to offer the same functionality. I would assume that it acts as a resident version of hp1.exe.



Next, hp1.exe contacts "http://bins2.media-motor.net/soft/loads/8-24.exe" and downloads a 40,960 byte executable. The “8-24” name is derived from the date at the time of the download (August 24th).



Based upon the “marching orders” within the unencrypted datafile, Joe’s computer now contacts "http://www.avatarresources.com/dist/ast_4_mm.exe" and downloads a 129,152 byte executable. It then contacts "http://bins2.media-motor.net/soft/MediaMotor25.exe" and downloads a 9,056 byte executable.



Both of these files are launched, and MediaMotor25.exe immediately initiates a download from "http://64.7.220.98/downloads/IeBHOs.dll" which is a 129,536 byte long BHO (Browser Helper Object) that is installed into (duh) IE (Internet Explorer). IeBHOs.dll is a known component of adware from “e2give.” Because it is installed into IE and becomes, essentially, part of the browser, it is in the perfect position to monitor the URLs being “surfed” and to change Joe's browser's requests when going to specific sites in order to “direct” affiliate commissions to e2give. According to the e2give.com website, “e2give will donate a portion of each qualifying purchase to the e2give charities network.” This, of course, makes it perfectly fine for them to install their software onto Joe’s machine without his permission. (Yes, that was sarcasm.)



The ast_4_mm.exe file from avatarresources.com is a Wise installation executable. As it installs, it phones home to let the fine folks at avatarresources know that it has found a new place to live:



"http://www.avatarresources.com/count/count.php?&mm2_us&mm2_new_nocpr"



The Wise installation has it’s own downloading engine which contacts the interestingly named “www.wenksdisdkjeilsow.com” and accesses the URL “http:// www.wenksdisdkjeilsow.com/config/?v=5&n=mm2&i=” which, despite the fact that it generates errors, sends back more configuration information (sheesh guys, if you’re going to go through all the trouble to set this stuff up, at least set the permissions correctly on your scripts...)

566

<br />

Warning:  SAFE MODE Restriction in effect.  

The script whose uid is 500 is not allowed to access

/usr/local/psa/home/vhosts/wenksdisdkjeilsow.com/httpdocs

/config/log owned by uid 10011 in/usr/local/psa/home

/vhosts/wenksdisdkjeilsow.com/httpdocs/config/index.php 

on line 24<br /><br />

Warning:  fopen("/usr/local/psa/home/vhosts

/wenksdisdkjeilsow.com/httpdocs/config/log", "a") - 

Inappropriate ioctl for device in /usr/local/psa

/home/vhosts/wenksdisdkjeilsow.com/httpdocs

/config/index.php on line 24<br />

<br />

Warning:  fputs(): supplied argument is not a 

valid File-Handle resource in /usr/local/psa

/home/vhosts/wenksdisdkjeilsow.com/httpdocs/config/index.php

on line 25<br />

<br />

Warning:  fclose(): supplied argument is not a 

valid File-Handle resource in /usr/local/psa

/home/vhosts/wenksdisdkjeilsow.com/httpdocs/config/index.php 

on line 26<br />

[URLS]

2,http://tt2.avres.net/tt/remove_spyware.exe

2,http://tt2.avres.net/tt/curgsi.exe

3,http://searchlocate.com/toolbar/searchlocate.exe

 

[VERSION]

5

 

[PROGRAM URL]

http://www.wenksdisdkjeilsow.com/files/ast_5_main.exe

 

[ID]

ArKJ9t9HzRnbf0GineJhq

 

[PRIORITY]

1,http://tt2.avres.net/tt/cpr_mm2.exe

2,http://tt2.avres.net/tt/ab1.exe

3,http://tt2.avres.net/tt/tvm_bundle.exe

4,http://tt2.avres.net/tt/cpr_mm2.exe

 

0

That’s just really BAD programming: you MUST check that those handles returned are valid when you open a file... dang... that’s Programming 101 Stuff. But I digress...



Hey! Look there! I see more URLs pointing to executable files. Gee, I wonder what’ll happen...?



Anyway... we now manage to round out the list of files that was in our original encrypted configuration data, and Joe’s machine goes out and grabs a file from "http://ups.roings.com/soft/unstall.exe." This actually does appear to be some sort of uninstall program, written in Visual Basic, and weighing in at 45,056 bytes. It only seems targeted at the files directly installed by the hp1.exe file, though.



But, lest we forget, we still have a Wise install running in the background. And, you guessed it, in “PRIORITY” order, it downloads:



"http://tt2.avres.net/tt/cpr_mm2.exe" (270,415 bytes)

"http://tt2.avres.net/tt/ab1.exe" (500,869 bytes)

"http://tt2.avres.net/tt/tvm_bundle.exe" (53,738 bytes)

"http://tt2.avres.net/tt/cpr_mm2.exe" (270,415 bytes - ????????)



Yes, you read that correctly. It DID download the exact same file twice. (It must be a personality trait of the morally bankrupt that they can be both clever and inane at the same time. The authors of these programs really do pull off some amazing stuff... but then they follow that up almost immediately by doing some amazingly STUPID stuff. Consistency guys, consistency...)



While all of that is happening, hp1.exe (Remember that file? It’s the one we started this installment with...) phones home to tell the folks at roing.com that all is well in malware-land, that it has done everything it was supposed to do, and that it deserves a big ol’ digital pat on the back:



"http:// logs.roings.com/log3.php?c={D358D17F-0D1A-4A98-A98D-810B01216183}
&what=newinstall&aff=bigs104&country=US&ocx18=1&myexe=1&avatar=1&e2give=1"



“See! Look what I did! I installed ‘ocx18’ (mm20.ocx), ‘myexe’ (8-24.exe), ‘avatar’ (ast_4_mm.exe), and ‘e2give’ (MediaMotor25.exe) on this poor schmoe’s computer! Aren’t you proud of me?”



Not to be outdone, our Wise installer needs to phone home and let everyone know what a good job it did too:



"http://www.avatarresources.com/count/count.php?&mm2cpr_new"



So where does this leave us?



Well, Joe’s computer now has had so many fun and exciting “additions” installed I’m beginning to lose track. Let’s see: Joe’s computer now has two “affiliate buck” redirectors (SAHAgent and e2give), it’s had stuff from avatarresources.com installed, as well as all of those files from tt2.avres.net. And there’s more... trust me, there’s more.



Remember: this is all the result of visiting a SINGLE website with an unpatched machine.



If you ever need to explain to someone the pitfalls involved in not patching, all you need to do is point them to this listing:



The score card thus far (and I’m only counting executable content):



hp2.exe (16,384 bytes)

tvmupdater4bp5.exe (195,072 bytes)

AtPartners.dll (96,256 bytes)

SplWbr.dll (454,656 bytes – expands out to 3 files making up 892,288 bytes)

ezbdlLs.dll (151,040 bytes – expands out to 4 files making up 314,880 bytes)

hp1.exe (49,152 bytes)

mm20.ocx (61,440 bytes)

8-24.exe (40,960 bytes)

MediaMotor25.exe (9,056 bytes)

ast_4_mm.exe (129,152 bytes)

IeBHOs.dll (129,536 bytes)

cpr_mm2.exe (270,415 bytes)

ab1.exe (500,869 bytes)

tvm_bundle.exe (53,738 bytes)

and of course cpr_mm2.exe (270,415 bytes) again...



The shameful total (thus far... there’s more to come):

15 files – 2,428,141 bytes downloaded

20 files – 3,029,613 bytes on disk



And, no doubt, I missed a few...


I started Part II of “Bouncing Malware” by saying that Joe’s PC was no longer his own. With over 2 MB of software downloaded, installed, and executed without his permission, I would say that there is little doubt that Joe ISN’T the guy running the show. But who is?



In the next installment, I want to finish up looking at some of the software installed on Joe’s PC and then turn my sights to finding out a little more about the folks responsible for the deluge of spyware and adware that assault our machines and networks on a daily basis. Stay tuned... it’s gonna be fun.





------------------------------------------------------------------------

Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )

IE IFRAME Exploit Code Released

A vulnerability in IE can be exploited by having a user go to a web page that has malicious code on it. This uses the handling of certain IFRAME attributes. This exploit DOES NOT work on XP Service Pack 2. For more information see:

http://lists.netsys.com/pipermail/full-disclosure/2004-November/028286.html

http://secunia.com/advisories/12959/

http://www.k-otik.net/bugtraq/20041102.InternetExplorer.php
Sun Java Web Proxy Server Buffer Overflow DoS

Sun Java System Web Proxy Server 3.6 SP4 and prior are vulnerable to a boundary condition that can cause buffer overflows that can lead to DoS or potential system access. Upgrade to SP 5 or later. For more information see:

http://secunia.com/advisories/13036/
Continued SSH Scanning

Reports keep trickling in on SSH brute force scanning, and I see it at my own site. It now uses much more than the 3 or so usernames it started scanning with and I have to think there is some success if these attacks keep persisting. It just shows the importance of a strong password has not gone away with encrypted protocols. If you can, use keys for authentication via ssh, not passwords.

Yesterday's diary

It was not a real story, it was humor for a slow day. It appears the script kiddies are more interested in hacking voting machines than the Internet today. :)

--

John Bambenek / bambenek (at) gmail.com

The ISC received this bone-chilling email late last night. Word of warning? Cry for help? You be the judge.

"Handlers,

I thought I'd share an experience that happened to a buddy of mine this evening. Bob is a analyst at a security operations center for an ISP. He sent me this email and I decided I'd pass it on to you guys for review. Is this even possible? I'm not sure, but it sure did freak Bob out. He can't bring himself to go back to the SOC anymore, and he's looking for telecommuting jobs on Monster.

Regards,

Alice

************************

Alice,

I know you're gonna think I'm crazy but you're the only one I can think who would possibly listen to what I'm about to say without immediately dismissing it. Please, read my whole account of what happened to me tonight before writing me off.

I went into work last night for the graveyard shift. Yeah, graveyard shift on Halloween, haha. We'd just ramped up to 24/7 ops the previous week so this was going to be my first night alone in the SOC. I was pretty excited at first, since I wouldn't have any of these other knuckleheads in my hair while I was doing some hard core analysis, you know? I logged into my station, started some queries for deltas in the previous 24, and went to get some coffee, since it was going to be a long night.

Little did I know...

After returning to the SOC with my joe, Carol gave me the briefing on the days events (in a nutshell, nothing - apparently all the s'kiddies were gearing up for Trick or Treating and not harassing us). She did mention something that didn't show up in any of the reports though - a general "weirdness" to the traffic in the DMZ. She couldn't really qualify it, but she said she though something kind of odd was going on. Okay Carol, I'll keep my eyes open (as I roll them back into my head). She punched out and I was all alone.

Or was I?

I threw some tunes on WinAmp and started to rock out while pouring over the output of my earlier queries. My attempts at scripting up some rudimentary anomaly detection in our aggregation console appeared to be woefully inadequate or simply functioning properly with a dearth of anomalies when I saw it.

A new host in the DMZ.

A host which had apparently come up at midnight local, October 31st. Who the hell stands up a box in the DMZ at *midnight* on a Saturday night? It had to be the mouth-breathers in development relying on the assumption that no one would be monitoring the network over the weekend. Heh, nice try chumps, but you've just tweaked the wrong BOFH. To cover my bases, I looked up the latest network diagrams for the DMZ. Just as I thought, nothing authorized or even submitted regarding a new box in the DMZ. Finally, after months of slaving away over reports I was going to get to demand someone take a box down. I could feel the power coursing through my fingertips as I began to compose the flame to end all flames.

"Dear clownboats,"

I hesitated. What would they come back with? I needed more ammunition to stave off a possible counteroffensive. I decide to scan the box, to see how much risk these "developers" were actually exposing my DMZ to. A quick nmap returned results the likes of which I had not seen since my days at that dot bomb in Sunnyvale.

"Remote operating system guess: Linux 2.0.35-37"

W

T

F

Two-oh? Was this some sort of prank? These guys are dullards to be sure, but no one is this stupid. It's gotta be some sort of security through ob-fu or something. I had to know. Telnetting quickly confirmed my worst fears.

Trying 10.31.10.31...

Connected to 10.31.10.31.

Escape character is '^]'.


Red Hat Linux release 5.2 (Apollo)

Kernel 2.0.36 on an i486

login:


I stared, dumfounded, at the prompt's ever-blinking cursor. I tried to wrap my head around what I was seeing. Red Hat FIVE DOT FSKING TWO? Even if this was a honeypot, this was ridiculous. What were they trying to do, find out which kiddie has the oldest sploits?

I did what any sane security professional would do in my situation.

I typed "root".

The box retorted with "Password:"

I reiterated, "root".

[root@zion root]#

A chill crept out of my keyboard and up my spine as I realized that this wasn't a joke, and it wasn't a honeypot. It was a real box, and the people who put this on my DMZ were officially TOO STUPID FOR INTERNET. I was going to get to the bottom of this and it would be made right, dammit. I haven't been working in the security industry for over SIX MONTHS to have morons like this come CRAP ALL OVER MY DMZ.

I took a deep breath and considered my options. If I went off half-cocked, blasting accusatory emails to everyone in network engineering, the box would be burned and mysteriously vanish. Oh, a magic server that no one owns, how original.

No, I needed to find out who this box belonged to. I listed the contents of /home, and was rewarded with a litany of names which I did not recognize. The one with the most recent activity was an 'tanderson,' so I decided to play a hunch. The 'w' command confirmed my hunch, and showed root and tanderson currently logged in. It also showed that the box had been up for close to 12 days, and that tanderson had logged in on October 18th, 1999. This box has more problems than I thought. 'date' confirmed it, these fools apparently have the system set to a date in 1999. Still testing those Y2K compatibility patches, eh boys? It was a little outside of my jurisdiction, so to speak, but I decided to question my only witness/suspect. After googling for a bit, I discovered the "write" command.

[root@zion root]# write tanderson tty1

What's up with this box?

Message from tanderson@zion on tty1 at 23:53

> what? who are you?

I'm root, who are you

> look i dont know if your a hacker or whatever but please dont hack my computer right now i need to finish my work

You look, you bring a swiss-cheese box up on *my* DMZ and its *my* problem. What the hell are you doing?

> hey pal i dont want to fight i just want to finish this project, okay, i'm on a
d e a d l i n e ...

The word "deadline" appeared slowly, one character at a time, and for some reason really resonated with me. I could swear I felt a presence in the room with me - or was I merely feeling "sympathy pains" for this 'tanderson' and his arbitrary deadline?

Shake it off Bob, you're an infosec pro, not a social worker. You get paid to be hardcore.

Sorry dude, but your deadline ain't my problem. This box is going to have to come down immediately - it's too risky to leave up.

> No.

What? I don't think you've got much say in the matter. I'm the security admin, and you're some random cluebie who happened to be in the wrong place at the wrong time. Take it like a man.
> NO


All of the other boxes in the SOC powered down.

> NO

Then the lights.

> NO

I stared at the screen, my breath caught in my throat. My terrified trance was broken by the beeping of my calculator watch. It was midnight.

"Connection closed by foreign host."

I scooped up the phone and hurriedly dialed Ted, the night sysadmin.

"This is Ted. Whassup?"

"Hey Ted, Bob." My mouth was dry and the words barely managed to squeak out.

"Hey Bob, what can I do ya for?"

"Do you know anything about a box named 'zion' in the DMZ?"

"Our DMZ?"

My fear had begun to give way to annoyance again.

"Yes, our DMZ. At 10.31.10.31."

"Bob, there's nothing at that IP."

I quickly pinged it, and attempted to telnet in again. He was right, the box was down.

"It... it was just up. I telnetted right in, it was a Red Hat 5.2 box, and a user named 'tanderson' was logged in ..."

"tanderson? Are you sure?", Ted said, with a wavering uncertainty.

"Yes, I'm positive. He kept yammering about finishing his project," I blurted.

"Bob - Thomas Anderson was downsized back in '99. He was working on moving all of our NT servers to Linux, but he never got to finish. Bob...

... that server's been down for FIVE YEARS."

**********************

Cory Altheide

Handler-on-Duty

**********************