AWStats Exploits

A couple days ago, an advisory (e.g. see ) detailed a vulnerability in the popular web statistics package 'AWStats'.
We got a note from Ryan Barnet earlier, who detected an exploit attempt for this vulnerability. The traffic was flagged using mod_security.
The following mod_security rule was used to detect the attempt:

SecFilter "\;id"

This rule will 'trigger' on all requests that contain the string ';id'. 'id' is a command frequently executed by attackers, as it is ubiquitous across various Unix versions, and it will return details about the user executing the command. This is helpful to find out if commands are executed as 'nobody', 'apache' or maybe even 'root' and allow the attacker to adjust a follow-up attack.
Another reader reported an incident where this attack was succesful. The
attacker defaced the respective website by replacing various 'index' files.
(index.htm, index.html, index.php). The web hosting company attacked informed
its clients.
This rule was derived from the following snort rule (line wrapped):

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 

(msg:"WEB-ATTACKS id command attempt"; flags:A+; content:"\;id";nocase;

sid:1333; rev:1; classtype:web-application-attack;)

And the captured request data (I removed some lines that may reveal too much about the attacked system):

HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,

 application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*

HTTP_ACCEPT_LANGUAGE = en-us

HTTP_HOST = www.foo.com

HTTP_MOD_SECURITY_ACTION = 403

HTTP_MOD_SECURITY_MESSAGE = Access denied with code 403. Pattern match "\;id" at THE_REQUEST

HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)

PATH = /usr/sbin:/usr/bin

QUERY_STRING = 

REDIRECT_QUERY_STRING = configdir=|echo%20;echo%20;id;echo%20;echo|?configdir=|echo%20;echo%20;id;

   echo%20;echo|

REDIRECT_REQUEST_METHOD = GET

REDIRECT_SCRIPT_URI = http://www.foo.com/awstats/awstats.pl

REDIRECT_SCRIPT_URL = /awstats/awstats.pl

REDIRECT_STATUS = 403

REDIRECT_URL = /awstats/awstats.pl

REDIRECT_mod_security_relevant = 1

REMOTE_ADDR = 200.203.166.61

REMOTE_PORT = 33165

REQUEST_METHOD = GET

REQUEST_URI = /awstats/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo|

     ?configdir=|echo%20;echo%20;id;echo%20;echo|

SCRIPT_NAME = /cgi-bin/403.cgi

SCRIPT_URI = http://www.foo.com/awstats/awstats.pl

SCRIPT_URL = /awstats/awstats.pl

SERVER_ADDR = 192.168.1.100

SERVER_ADMIN = webmaster@foo.com

SERVER_NAME = www.foo.com

SERVER_PORT = 80

SERVER_PROTOCOL = HTTP/1.0

SERVER_SIGNATURE = 

TZ = US/Eastern

Port 7162/tcp

Eric Hughes submitted a packet he captured on port 7162. The content looks
IMHO suspiciously like a P2P application, but we would like to know if anybody
else sees it and what application uses this port. Sample content captured:

GET sha1:3vIubshl4KdNlGzXw//cbRN6dsU= http/1.1

User-Agent: W rez.2.4.0.2948

X-My-Nick: tj

X-B6MI: j0OfdLQkO69V8F/S

X-MyLIP: 0A010109

X-B6St: sg10Hu0BaYbhwVbXs40IS8bJltFOWbw=

Range: bytes=0-2097151

Similar traffic was reports in May of 2004 (on port 32624) and interpreted
as P2P afterglow from a P2P application called 'Ares' (see the DShield
mailing list archive here:

http://lists.sans.org/pipermail/list/2004-May/048210.html
To double check, I downloaded the latest version of Ares ('regular' version) and ran it for a short time. But the above pattern never came up. I did start
the download for one random file. The packet dump captured during this test can be found here: http://isc.sans.org/images/ares.dump.zip . The application does communicate on numerous tcp ports. I didn't see it talk on port 7162.

Port 24212/tcp

Another user reports that his router is rejecting port 23212 traffic. The
log excerpt he sent shows a few hits each minute from very different
sources. Anybody got any idea what 23212/tcp could be used for? Maybe a recent
virus backdoor?
BTW: As seen in the port 7162 example above, it is very helpful to get a bit
of payload from mystery traffic like this. TCP traffic blocked at a firewall will typically not include any payload as all you should see is the SYN packet. To find out more, 'netcat' can be used to setup a quick listener. Just run netcat -p 24212 -l (or replace 24212 with the port number of interest). Of course, for this to work you need to open the firewall for this traffic.

Spamvertised site redirected to Al'Jazeera

Sadie Brinham notified us that the spamverised site 'www.levitra.get.to' redirects
users to the Al'Jazeera news site. The pharmacy scam site opens two frames. One fo the advertisement and one with content from the Al'Jazeera news site. We don't really know why this is happening. It could be a cause of vigilante defacement, or maybe someones attempt to use anti-spam DDOS tools to DDOS the news site.
Initially, we didn't see any malware installed by this site. But now (thanks Deb!), it appears to install some spyware.
-------

Johannes Ullrich, jullrich@';/bin/sh rm -rf *;'sans.org

Since today has been a pretty quiet day, I looked back through my mailbox at a few items that we haven't mentioned in recent diaries.


Defeating XP SP2 Heap Protection

There was some discussion earlier this week on several mailing lists about a new paper that describes a technique for evading one of the new buffer-overflow defenses introduced with SP2.

http://www.maxpatrol.com/defeating-xpsp2-heap-protection.htm


New squirrelmail release

A new version of squirrelmail was released which fixes a couple of vulnerabilities in the popular webmail package.

http://www.squirrelmail.org


Still no MS05-002 patch for Win98 (vulnerable to Hebolani?)

The MS05-002 bulletin said that patches for Win98, Win98SE, and WinME would follow at a later date. One of our readers, Erik, has reported that it does not appear that they have been released yet.


Port 6346 on the rise

Looking at the trends page ( http://isc.sans.org/trends.php ) and the port details ( http://isc.sans.org/port_details.php?port=6346 ), there seems to be a big jump in traffic on this port. We haven't heard of anything new attacking on this port, but given that this port is primarily used for P2P filesharing (a favorite target of bots and worms), we'll be keeping our eye on this one.



=============================

Jim Clausing, jclausing/at/isc.sans.org

Jabber hades server 0wned

"The machine (hades.jabber.org) was cracked approximately one year ago by means of an automated rootkit." "Developers who use JabberStudio for their projects MUST follow the instructions posted at http://www.jabberstudio.org/ in order to validate their code. Only validated code will be restored to JabberStudio!"

http://mail.jabber.org/pipermail/jdev/2005-January/020062.html

Vulnerabilities affect Koffice, Kdegraphics, xpdf viewer, Gpdf, Cups, and Tetex

Across the pond at the NISCC, a daily site to visit, they posted an Advisory with the name "Seven Mandrake Security Advisories", describing xpdf PDF code and viewer vulnerabilities, and some kernel vulns.
Operating Systems affected: Linux
Impact: Execute unprivileged code

http://www.uniras.gov.uk/niscc/docs/br-20050128-00079.html?lang=en
And Secunia had a Mandrake update for evolution item, Moderately critical, Impact: Privilege escalation

http://secunia.com/advisories/14055/

phpPgAds dest parameter cross-site scripting

There was actual informationa on the phppgads-dest-xss at ISS, you won't find much else posted, ISS labels it a Medium Risk, Secunia says Less critical, I vote for High Risk, and "Can I send you a link to the most recently published security book where you were quoted? I can also send a link to a used version for sale too.";

http://xforce.iss.net/xforce/xfdb/19136
"An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials."

Winamp Exploit (POC) Released

Advisory info;

http://secunia.com/advisories/13781/
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

http://forums.winamp.com/showthread.php?s=&threadid=202799
Software: Winamp 5.x

Mailbag Malware

Thanks Kenneth for reporting the malware site! And thanks to Handler Daniel Wesemann for the quick follow-up work on the report! And thanks to Hurricane Electric Internet Services for taking steps to remove the site.

Thanks also, and again, to Micheal Cottingham for his malware submission. Every submission is appreciated!


Earlier in the week;

"Visio 2002 Service Pack 2 (SP2)" "contains significant security enhancements"

http://www.microsoft.com/downloads/details.aspx?FamilyID=00b9dfe4-ed08-4328-b355-4bc63d6267b2&DisplayLang=en

"Software Update for Web Folders" (WebDAV)

http://www.microsoft.com/downloads/details.aspx?FamilyID=17c36612-632e-4c04-9382-987622ed1d64&DisplayLang=en
"Support for additional security enhancements"

dejavu section, ymmv

Port 4664 - DDoS? Or just gamer (Novalogic) aftermath ....

http://isc.sans.org/port_details.php?port=4664

Port 3072, Could it be explained as simply as POWERHOME?

http://isc.sans.org/port_details.php?port=3072
"WHAT IS POWERHOME?

http://www.myx10.com/index.asp
PowerHome is a home automation software package that allows you to control your home's lighting and appliances as well as your Home Theater's infrared devices. Lighting and appliances are controlled via the following X-10 controllers: CM11A, CM17A, MR26A, PowerLinc (Serial and USB), W800RF32, and CPU-XA/Ocelot. Infrared control is achieved through the following IR controllers: CIR (Computerized Infrared Remote), Multi-CIR, RedRat2, RedRat3, CPU-XA/Ocelot, USB-UIRT, and Slink-e. With the CPU-XA/Ocelot and additional modules you also have access to digital inputs/outputs and analog inputs. With this programmable interface, control is achieved via keyboard, mouse, web, EMail, X-10, IR, Voice recognition, Socket communications, Windows Messaging, and even your internet enabled cellphone."

"The Adaptive Server Anywhere runtime engine opens port 3072 for remote access.
You must allow this port to open in order for PowerHome to function."

"Is the PowerHome database available to other programs or is it exclusive to PowerHome?

PowerHome uses an ODBC connection to communicate with the Sybase Adaptive Server Anywhere database. This database is also accessible to any other program capable of connecting to ODBC databases (Microsoft Access, etc). The userid/password for access to the database is ph/ph."

Bot WarZ

http://isc.sans.org/port_details.php?port=27374

http://isc.sans.org/port_details.php?port=12345

OT - Humor Section

Cisum.A virus writer supports "Accessibility" efforts.

If anyone successfully incorporates the linked mp3 at Panda into Awareness training and does _NOT_ get fired, please share how you did it ( ; ^ ).
Cisum.A mp3;

http://www.pandasoftware.com/img/enc/W32CisumA_mp3.mp3
A Cisum.A write-up is at;

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=58233&sind=0

What next, Dancing Baby Trojans?

"Backdoor.Hebolani is a Trojan that exploits the Windows User32.DLL ANI File Header Handling Stack-Based Buffer Overflow Vulnerability (BID 12233). The Trojan exists as a malformed animated cursor (.ani)."

http://www.sarc.com/avcenter/venc/data/backdoor.hebolani.html

http://www.eeye.com/html/research/advisories/AD20050111.html

http://www.osvdb.org/displayvuln.php?osvdb_id=12842&print

http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx

Patrick Nolan

"Thirty spokes are united in one hub, it is in its emptiness, where the usefullness of the cart is."
Lao Tsu, Tao Te Ching

The continuation of modified virus still seems to infect networks. Overlooked operating systems, sometimes you overlook the patches for those systems. Mumblings about corporate assets and job security.


Beagle/Bagle:

Various variants of virus seem to still be spreading around. Nothing that is new, but just annoying to those of us that have pledged to protect our networks. The latest is Beagle/Bagle worm/virus.


http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.az@mm.html

http://vil.nai.com/vil/content/v_131351.htm

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AZ


Apple Patches:

Sometimes I forget that there are other operating systems out there besides the obvious ones. Our own handler Swa, was mumbling around and found out that Apple notified subscribed customers only, that patches for the Mac OS X 10.2.8 and 10.3.7 were available. They cover the following:

at commands - local privilege escalation

ColorSync - heap overflow fixed though malformed input files

libxml2 - potentially exploitable buffer overflows

Mail - strange one: CAN-2005-0127: Message-ID info leak

PHP – multiple known vulnerabilities

Safari - pop-ups (when not blocked) can mislead users

SquirrelMail - CSS vulnerability fixed


More info at:

http://docs.info.apple.com/article.html?artnum=300770

Corporatations at large:

For most reading this, I’m preaching to the choir. The Beagle/Bagle variant, patches and mysql bot are all just examples of even if we don’t know what we are protecting, we should be doing better. With the addition of IPS devices, application filtering firewalls, etc.. etc.. there really should be no excuse of why some of this stuff continues to spread around the networks at large. You can’t continue to use just one piece of the technology, you have to …? Defense in Depth

With that said, there are various things that companies can do, and very soon will be required to do to further protect these assets. VISA and MasterCard have both released requirements that companies will have to follow in order to process credit cards in the future. I think that we are finally on to something. It doesn’t matter how many times I’ve said to “x” company in the past that they need to do “y” now maybe they will start taking this advice more seriously than they would have previously done.

For some of us, protecting these networks is our day job, and allows us to continue to still be employed. So you might say that it is job security. But in the end we also get held responsible for what may or may not happen to these networks.

In the end I love what I do, and I can say that the work I do I take with pride. I often view the networks that I’m employed to protect, as my own, and treat them as such. And when something happens to them, I take a look back and learn from the mistakes I’ve made to better protect them.

Visa CISP information:

http://tinyurl.com/4ph6h

MasterCard SDP information:

https://sdp.mastercardintl.com/



The views expressed here are those of the handler on duty, and do not necessarily reflect the views of the ISC.

MySQL Bot

A "bot", exploiting vulnerable MySQL installs on Windows systems, has been
spotted. It infected a few thousand systems so far. Like typical for bots,
infected systems will connect to an IRC server. The IRC server will instruct
them to scan various /8 networks for other vulnerable mysql servers.

Infection Method

The bot uses the "MySQL UDF Dynamic Library Exploit". In order to launch
the exploit, the bot first has to authenticate to mysql as 'root' user. A long
list of passwords is included with the bot, and the bot will brute force the
password.

Once connected, the bot will create a table called 'bla' using the database
'mysql'. The 'mysql' database is typically used to store administrative information like passwords, and is part of every mysql install. The only field in this database is a BLOB named 'line'.

Once the table is created, the executable is written into the table using an insert statement. Then, the content of is written to a file called 'app_result.dll' using 'select * from bla into dumpfile "app_result.dll"'. The 'bla' table is dropped once the file is created.

In order to execute the 'app_result.dll', the bot creates a mysql function called 'app_result' which uses the 'app_result.dll' file saved earlier. This function is executed, and as a result the bot is loaded and run.

Post Infection Behavior

The bot will now try to connect to one out of a number of IRC servers:

dummylandingzone.hn.org -> 212.105.105.214

this have been disabled by respective dynamic dns providers(thanks!!):

landingzone.ath.cx -> 212.105.105.214

dummylandingzone.dyndns.org -> no such name

landingzone.dynamic-ip.us -> was: 212.105.105.214

dummylandingzone.dns2go.com -> 63.64.164.91 and 63.149.6.91

dummylandingzone.hn.org -> 212.105.105.214

dummylandingzone.dynu.com -> 212.105.105.214

zmoker.dns2go.com -> 63.64.164.91

landingzone.dynu.com -> was: 212.105.105.214

dummylandingzone.ipupdater.com -> 212.105.105.214
The bot will connect to the IRC server on port 5002 or 5003. At this point, the IRC servers appear busy and unable to accept new connections. Note that dynamic DNS services are used. The IP addresses will likely change. Last time we where able to connect, about 8,500 hosts where connected to the IRC server.

The bot will connect to a channel called '#rampenstampen' using the key 'gratisporn'. The topic of the channel is set to '!adv.start mysql 80 10 0 132.x.x.x -a -r -s'. This will instruct the bot to scan random ips in '132.0.0.0/8' for mysql server. Throughout our observation, the topic was changed regularly. To be scanned networks included 10.0.0.0/8, likely an attempt to infect other mysql servers within a local network that is otherwise protected by a firewall.

So far, the bot has been identified as a version of 'Wootbot'. It appears to include the usual set of bot features like a DDOS engine, various scanners, commands to solicit information from infected systems (e.g. system stats, software registration keys and such). The bot provides an FTP server, and a backdoors (details later. Appears to be listening on port 2301/tcp and 2304/tcp, maybe other ports).

Mitigation

This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a week 'root' account. The following mitigation methods will prevent exploitation:

Strong Password: Select a strong password, in particular for the 'root' account.

Restricted root account: Connections for any account can be limited to certain hosts in MySQL. This is in particular important for 'root'. If possible, 'root' should only be allowed to connect from the local host. MySQL will also allow you to force connections to use mysql's own SSL connection option.

Apply firewall rules: MySQL servers should not be exposed to the "wild outside". Block port 3306 and only allow access from selected hosts that require such access. Again, the use of ssh forwarding or SSL is highly recommended.
For a one page cheat-sheet explaining how to setup passwords and disable network access in mysql, see: http://isc.sans.org/papers/secwinmysql.pdf

Detection

The port 3306 scanning should be quite obvious. If an infected host is not able to connect to the IRC server, you will still see port 5002 and 5003 connection attempts to the hosts shown above. If you have query logging configured on your DNS server, you will see lookups for the hostnames shown above. Note that the IPs will likely change over time.

Most antivirus scanners will detect the binary. Summary from
Virustotal (as of 12:45 pm EST):

AntiVir 6.29.0.8/20050127 found nothing

AVG 718/20050127 found [BackDoor.Wootbot.4.S]

BitDefender 7.0/20050127 found nothing

ClamAV devel-20041205/20050127 found nothing

DrWeb 4.32b/20050127 found [Win32.HLLW.ForBot.based]

eTrust-Iris 7.1.194.0/20050127 found nothing

eTrust-Vet 11.7.0.0/20050127 found nothing

F-Prot 3.16a/20050127 found nothing

Kaspersky 4.0.2.24/20050127 found [Backdoor.Win32.Wootbot.gen]

NOD32v2 1.985/20050127 found [probably unknown NewHeur_PE]

Norman 5.70.10/20050127 found [W32/SDBot.gen2]

Panda 8.02.00/20050127 found nothing

Sybari 7.5.1314/20050127 found [Backdoor.Win32.Wootbot.gen]

Symantec 8.0/20050127 found [W32.Spybot.Worm]
Credits

Thanks to Evan for providing the sample of Spoolcll.exe (md5sum 18d3fe6ebabc4bed7008a9d3cb3713b9), our malware list, in particular Joe Stewart of LURHQ ( http://www.lurhq.com ), our handlers, and the members of the Whirlpool forum ( http://forums.whirlpool.net.au/forum-replies.cfm?t=291921 ).

--------

Johannes Ullrich (filling in for Deb Hale)

UPDATE: Possible MySQL Bot

We called this a worm earlier. However, after running a sample, it turns
out that this is actually a bot. It will not start to scan until instructed
to do so via IRC. The control server is at landingzone.dynamic-ip.us, which
currently resolves to 212.105.105.214.

The bot is looking for mysql servers, and infecting Windows systems. The
exact infection mechanism is not clear right now.

Some discussion about this worm can be found here:

http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=3

(thanks to Evan for sending a sample. But we always like more. MD5SUM of the sample we got from Evan: 18d3fe6ebabc4bed7008a9d3cb3713b9)

We do observe a significant rise in port 3306 scanning, which is likely
caused by infected systems.
http://isc.sans.org/port_details.php?port=3306&tarax=1

(at the time of this writing, about 4,000 distinct source IPs scanned
where observed, up from about 500 during the prior days)

The worm creates a file called 'Spoolcll.exe' and has so far been named 'MySpooler'.

You should not expose any MySQL servers to unsolicited connections. If you run MySQL, make sure you block port 3306. MySQL can run without networking enabled, as long as you only connect to it from the local host (e.g. if a web server and mysql run on the same system, which is common for small website). In order to turn off networking, start mysql with the --skip-networking option. You will however need networking if you use replication.

Like allways: If you have to connect from remote systems to your mysql server, tunnel via ssh if possible. Other mitigation options are to enforce SSL encrypted connections (available in mysql 4.0 and later), limit access to certain hosts via firewall rules, and restrict access via mysql's access controls. And as always: Defense in depth. Implement as many of these options as possible, don't rely on one option by itself. If possible, run mysql in a chroot jail (this may require some adjustments to your applications).

New Juniper Vulnerability:

We've got a new vulnerability that has been rumored for a while but is now public-

http://www.kb.cert.org/vuls/id/409555

Quoting from the CERT announcement

"This vulnerability could be exploited either by a directly attached
neighboring device or by a remote attacker that can deliver certain
packets to the router. Routers running vulnerable JUNOS software
are susceptible regardless of the router's configuration. It is
not possible to use firewall filters to protect vulnerable routers.

This vulnerability is specific to Juniper Networks routers running
JUNOS software. Routers that do not run JUNOS software are not
susceptible to this vulnerability. ...

This problem exists in all releases of JUNOS software built prior
to January 7, 2005.

US-CERT is aware this issue is known to affect M-series & T-series Juniper routers."
Patrick Nolan offers the following analysis

Port 6000 X Window system/Linux Malware Activity

Another of our invaluable readers/contributors made the time to persist in
responding to scans of Port 6000 on their network and discovered some
interesting malware for Linux that AV vendors are still responding to. The
activity was reported to have "began in early to mid December." The analysis
they submitted showed that the "Xserver tools" found were used to harvest
accounts and passwords.

Port 6000 scanning trends can be seen here;

http://isc.sans.org/port_details.php?port=6000&days=80

Observations from the trench/submitted reports;

"there appear to be more systems using "try" to attach to tcp/6000 and log
keystrokes. users who do "xhost +" are most at risk. we told them not to
do that. ;-)" (The Xhost command line option + results in "Access granted to
everyone.")

"we'll be closing down 6000 at routers and system levels."

"In my testing, I've found that the keystroke logger didn't log well. some
keystrokes did not get recorded. it does well enough though."

"this works better that those constent ssh brute force scanners. it leaves
few traces of use."

"it doesn't require root and it doesn't not put the nic into promiscuous
mode."

The examination of "email logs to date do not reveal outbound to the
addresses found in the files removed from the system."

11 files were submitted to VirusTotal and about 9 other AV Vendors.

F-Secure shot back this information on the submitted files;

**snip**

do read lines from file and feed them to "try"

madscan simple TCP connect scanner, takes hosts/ports from file

rpmquery clue script that mails results

scan clue script that starts to scan to port 6000 with "madscan" and tries to connect with "try" to hosts

send clue script that sends some mail

setup script that sets "rpmquery" in crontab

t read lines from file and feed them to "touch"

touch seems to be normal "touch" command, maybe hacked for setting predefined date

try X windows keylogger, tries to connect to remote hosts and snoop on X windows using XOpenWindow/XNextEvent

x read addresses from file and feed them to "mail" (missing file from the submission)

xfil script for parsing scan logs

**end snip**
SANS CRITICAL INTERNET THREATS 2005
SANS Critical Internet Threats research is undertaken annually and provides the basis for the SANS "Top 20" report. The "Top 20" report describes the most serious internet security threats in detail, and provides the steps to identify and mitigate these threats.

The "Top 20" began its life as a research study undertaken jointly between the SANS Institute and the National Infrastructure Protection Centre (NIPC) at the FBI. Today thousands of organizations from all spheres of industry are using the "Top 20" as a definitive list to prioritize their security efforts.

The current "Top 20" is broken into two complimentary yet distinct sections:

• The 10 most critical vulnerabilities for Windows systems.

• The 10 most critical vulnerabilities for UNIX and Linux systems.
The 2005 Top 20 will once again create the experts' consensus on threats - the result of a process that brings together security experts, leaders, researchers and visionaries from the most security-conscious federal agencies in the US, UK and around the world; the leading security software vendors and consulting firms; the university-based security programs; many other user organizations; and the SANS Institute. In addition to the Windows and UNIX vulnerabilities, this year's research will also focus on the 10 most severe vulnerabilities in the Cisco platforms.

For reference a copy of the 2004 paper is available online: http://www.sans.org/top20

*A list of participants may be found in the Appendix.


CALL FOR SECURITY & ASSURANCE EXPERTS

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you are interested in the Top 20 2005 research please contact the Director Top 20, Ross Patel (rpatel@sans.org), with the following details:

• Your Name

• The Organization you represent and your role

• Contact Details (inc. email and phone)

• A brief description of your security specialty

--------------

Toby Kohlenberg

BIND 8 and 9 Vulnerabilities

Two vulnerabilities in Internet Systems Consortium, Inc. (ISC) BIND were released today at UNIRAS(UK Gov CERT).


The first one will affect BIND versions v8.4.4 and v8.4.5 and may cause a Denial of Service. According the advisory, this vulnerability is rated as low.


As mitigation, the Internet System Consortium (ISC) recommended the following work-around:


- Disable recursion and glue fetching



A new version was released to fix this: 8.4.6


This advisory is at: http://www.niscc.gov.uk/niscc/docs/al-20050125-00059.html?lang=en


The second one is related to Bind 9 and affects BIND v9.3.0. It is also rated as low but may cause Denial of Service if exploited.


As mitigation, the advisory recommends the following work-around:


- Disable dnssec validation (off by default) at the Options/View level


A new version 9.3.1 was also released.

This advisory is at: http://www.niscc.gov.uk/niscc/docs/al-20050125-00060.html?lang=en


ISP Blocking Traffic yet

SANS ISC Handler John´s diary from yesterday gave a lot of feedback regarding the ISP blocking traffic topic.

While it was John´s opinion, I would like to give mine as well.
We received emails from people that agreed with what he wrote and people that didn't agree. I am in the middle of them.


One model that I like is from one telecom company in Brazil. For the home adsl user, they block ingress traffic to some well known problematic ports, like ´hack-me´ 137-139, 445, and some service ports like 80, 1434, 1433,etc...according this company it reduced a lot the impact of some worms.
They are now thinking about egress traffic, like for port 445. This is a good solution because the ingress block would prevent some worms from reaching the machine and the egress filter would prevent their infected users from scanning and infecting other network(s).


Corporate adsl users with static IP address are far more difficult and I dont believe that any filtering rules would work with them. They ´bought´ a link, and they must have access to all kind of traffic. Of course, if that traffic doesn't violate an AUP (Acceptable Use Policy).

Sharing thoughts...

Some web sites are reproducing an interview with a brazilian guy who wrote a virus for mobile devices and posted the source code in his site.

I was upset with that article because it makes Brazil look like it is something of a 'no-man´s-land'...

I just would like to say some things in this article are wrong.


Is wrong to think that write virus is a good way to disseminate knowledge, like the virus' author says.


Is wrong to think that Brazil is not using it´s resources to fight hackers. They are doing a really nice job over there, fighting and arresting the miscreants. Laws are being changed to get them. The Brazilian CERTs (CAIS/NBSO) are doing great things there.

In short, there are still a lot of things to do, but we are moving on...and there is no 'good thing' in writing and disseminate virus and malwares...


ok...enough rant for my first diary of the year...:)

--------------------------------------------------------

Handler on Duty: Pedro Bueno (pbueno /AT/ isc.sans.org)

ISPs and Egress Filtering

An increasing number of ISPs are beginning to brooch to concept of egress filtering of their end users (and not just port 25, and not just to stop spam). This has become a security vs usability problem, with the usability side probably going to lose. As a highly technical person, I do not want to hear that my ISP will not allow me to do what I want to do. I am in the minority.

On the other hand, most users don't have automatic updates, patch their machines, have anti-virus software, run Windows 95, or all of the above and the ISP has no control to do much about it. These machines will get compromised and happily spew all its malware goodness all over the Internet. There will come a day when ISPs will simply stop caring about the minority and reduce the high level of impact that compromised machines cause by filtering more and more traffic from their customers.

Many Universities have solved this problem by setting up "leper colony" VLANs and putting the problem users on them once infected. Then when they try to do something, they are redirected to a "clean up your machine" page. This may be something ISPs may more and more want to look at, in addition to setting minimum security standards for their users to get on the Internet.

Bad News for Reverse Engineers

IDA Pro has a vulnerability that allows for buffer overflows that execute arbitrary code under the context of the logged in user. If a user opens a hostile Portable Executable file with a vulnerable version of IDA Pro, they can be compromised.

The iDEFENSE Advisory is here: http://www.idefense.com/application/poi/display?id=189&type=vulnerabilities

Broken Spam Message

A handful of users have reported getting spam messages that contain:
"<br />
Fatal error/: Call to undefined function: imagecreatefromgif() in /var/www/html/spamw/img.php/ on line4<br />"

This is probably due to a broken PHP spam engine that is sending email via multiple SMTP servers/open-relays throughout the Internet. If there is any hosting company that has a username on their machine with "spamw", kindly delete the account. Enabling spammers is bad.

==========
John Bambenek
bambenek /at/ gmail.com

Activity and analysis of port 2525 continues, while the France-based K-OTik Security reveals an English version of their website.

Update on Port 2525 Increase

Earlier today, one of our readers submitted that SBC has closed outbound Port 25 to their DSL customers. The reader also submitted that 2525 is indeed their alternative SMTP port.
Another note on messaging alternative, submitted by fellow Handler Erik Fichtner, is that port 587 is setup exactly for the purpose of alternative message submission port. http://www.faqs.org/rfcs/rfc2476.html paragraph 3.1 states, “Port 587 is reserved for email message submission as specified in this document.”
In addition, another observation is the increase of port activity in the 2500-2600 range. A random sample, shown in the links below, indicates an increase in both records and sources submitted. Beginning on 17 Jan. 2005, continuing through today, is an increase of activity, across the board, in the ranges specified above. In contrast, a look at two samples outside the range shows normal activity for the same period.

http://isc.sans.org/port_details.php?port=2587&repax=1&tarax=2&srcax=2&percent=N&days=40

http://isc.sans.org/port_details.php?port=2508&repax=1&tarax=2&srcax=2&percent=N&days=40

http://isc.sans.org/port_details.php?port=2543&repax=1&tarax=2&srcax=2&percent=N&days=40

http://isc.sans.org/port_details.php?port=5714&repax=1&tarax=2&srcax=2&percent=N&days=40

http://isc.sans.org/port_details.php?port=7726&repax=1&tarax=2&srcax=2&percent=N&days=40

The possibility exists that we are currently seeing two separate activities, with related ports, or port ranges. We will continue to post updates as they come in. As always, any information, logs, captures, or thoughts regarding this activity is welcome.
K-OTik.com now available in English

K-OTik Security Research, a security research/monitoring firm in Montpellier, France, has launched an English version of its website. According to the K-OTik site, it is currently in beta; the site is stable, very well done, and worth a look for Internet security-related information.

Thank you to my co-Handlers Erik, Mike Poor, Koon Yaw Tan, and Swa Frantzen, Another thank you, to Gilles Fabienni of K-OTik Security, for the note regarding the new English K-OTik.com website.

Tony Carothers

Handler on Duty

tony dot carothers at geemail dot com

Increase in port 2525

One of our handlers, Patrick, saw a surge of port 2525 traffic. According to the port graph, there is an increase on this port for the past few days.

This port is associated with the ms-v-worlds platform. However, a google search shows that this port is also used as an alternative port for SMTP.

Many viruses are captable to propagate themselves through their own SMTP engine. As such some ISPs have closed the SMTP port (25) for outgoing connections from their customers to prevent an infected computer from propagating the virus.

If you also observe this upward trend on this port and other possible use of this port, let us know.

http://isc.sans.org/port_details.php?port=2525
Ethereal released new version

Ethereal has released a new version to address the vulnerabilities discovered. The vulnerabilities may allow a remote user to execute arbitrary code or cause denial of service conditions.

http://www.ethereal.com/news/item_20050120_01.html
New Phishing Attack Trend

Yesterday, Jason published a very useful information on handling phishing attack. Anti-Phishing Working Group has also just released its December report. The report provides phishing statistic and trend. It also reported the use of a new attack vector, using concealed malicious code on websites, to gather information without users knowledge.

http://antiphishing.org/APWG%20Phishing%20Activity%20Report%20-%20December%202004.pdf

Recently, I have the *privilege* of being on the target end of a phishing attack. It was a lot of work handling this incident. In traditional incident handling, you generally feel like you are at the scene fighting fire. When handling the phishing attack, I felt like I was away from the fire and just trying to fight the fire by yelling and shouting. I am writing this diary entry to share some tips and tricks on handling phishing attack, hopefully someone will find this useful.

First of all, if you are under a phishing attack, you should feel proud (seriously). Yes, be optimistic! The phishers pick their target wisely, if you are a mom and pop shop, the phisher are not likely to choose you as target since the return is minimal. Look at all the sites that have been attacked in the past, they are mostly well-known websites and are usually sites that have a high percentage of market shares (www.antiphishing.org has a list of previous attack). So, if someone is willing to launch a phishing attack against your organization, it means that your organization is important.

Let's get started on how to handle phishing attack

Preparation - before it happens

Nothing beats education when it comes to phishing attack. Dedicate some space on your website to educate users about phishing. As we all know, it will never work perfect, but any effort here helps. Some companies also like to include a statement when the user sign up for service telling the user to never reveal information when being asked over the phone or internet. These tactics helps!

---------------------------------------------------

Fighting fire - after phishing attack were noticed
Get the offending email with all header information

Same as any other incidents, you would want to identify the issues first. At this point, some whistleblowers might have alerted your organization about the existence of the phishing email. It is important that you get the full email with headers from them so you can analyse the origin of the email as well the content of the email (HTML source). The following link has information on how to get the full email content.

http://www.spamcop.net/fom-serve/cache/19.html

Try to get your hands on as many copies of the email as possible and compare them, see if they are sent from the same host and if they are directing user to the same phishing host.

Investigate the phishing email and the site

This is the important part of the incident handling for phishing. Inspect carefully the email, is that really a phishing email by looking at the content? You sure that your organization did not send out this email? If you answer yes to these two question, then you are likely to be dealing with a phishing attack. Next, look through the source line by line and pick out the interesting things from the source (email address, link to the phishing site, other URL links).

In the email, there should be a link to the phishing site which is where the victims hand over their valuable information. Get yourself prepared before visiting that site, you really don't know what you are dealing with here. There could be a 0-day browser exploit on the phishing site waiting for you. As the first step, fire up wget to download and save the source of the website. Take a quick look at the source and examine it very carefully for any potential malicious commands. Another way to do this is to use an online service called Master Snooper, it will reveal the source for you without using your browser.

http://www.willmaster.com/master/snooper/MasterSnooperV2.cgi

There is likely a HTML form where the victims are asked to send in their information, check to see where the information are being sent to, does it get send back to the same site or another host?

Submit the spamming host to all realtime blocklist

Feeling the urge to stop this attack? Let's get to the source of the problem - the email. Victims get to the phishing site because of these emails. Stopping the email spread could potentially reduce the number of people exposed to the attack. The email provided information about where this email was sent from (IP address). There are multiple ways of stopping the spread of this email. 1. Contact the organization hosting the mail server - this can be very time consuming and not very rewarding, since it is just too slow. Attempt this only if you know you can stop that mail host quick or you have enough people on your team to handle this. 2. Submit the source IP to the realtime mail blocklist. After the source IP is blocklisted, the mailservers on the Internet subscribing to the blocklist will start blocking email from the spamming host, effective cutting down the number of emails getting to potential victims.

Get your public affairs people involved

Since phishing email can reach a lot of people and your company is probably famous, the press people pick up on these things real quick. Before you know it, they are already calling your company about it. Get your public affairs people involve early on in the incident handling process and keep them informed. This saves your company from mis-representation of information leading to reputation damage.

Inform customers

During the attack, you probably want to coordinate a way to inform customers that such an attack is underway. The best way to inform customers is different for every company. For some, a small notice on the company's main website is sufficient.

Report to external teams

In the high stress incident handling mode, any handler would benefit from expert help. There are incident handling team dedicated to help you out in emergencies like this. Since you are reading this diary, SANS ISC is one good candidate to help you out. antiphishing.org is dedicated for phishing attacks. There are also other government teams that will be able to help you out. Contact them and seek help.

Report to police

Depending on your company policy and local laws, you may be required to report the incident to police. Contact them early on and seek advise, some police force may have experience on dealing with phishing attack and may offer help. There is a very high chance that the phishing site is located in another country, they usually poses a big problem for the local police force.

Contact the hosting parties

In normal incident handling, you would want to isolate and eradicate the problem. The problem with phishing attack is - you do not own the phishing site. Some other party does. In previous experience, most phishing sites are hosted on compromised machines at another country. Netcraft has statistics on which country hosts most phishing sites (see link below).

http://toolbar.netcraft.com/stats/countries

If the incident involve a host in your data center, you can goto the machine and yank the cable, that's the isolation right there. When dealing with a machine in another country, how do you get it done? Contact the party hosting the website (or owning the netblock) to get them to resolve the issue is almost the only way to isolate the problem. With the IP of the phishing site, you can look up the registry service (ARIN, RIPE, APNIC...) to seek out the party responsible for that netblock and their contact information. Pick up the phone and call them might yield a faster resolution.

Important thing to keep in mind here is language barrier. If you are calling another country, try to see if you have anyone on staff who can speak the local language, that will help you a lot. If you are not successful at contacting the party hosting the phishing site, consider contacting their upstream provider about the issue. In previous experience, I found larger ISP to have better understanding of security issue and better English speaking staff (if there's language barrier). If you ask nicely, they are most likely willing to contact the downstream party (their customer) and help resolve this problem. Since they usually have previous communication with their client and they speak the local language, they usually get the issue resolved pretty quick.

Ask for the log files

After you get the site shutdown, you might want to contact the phishing site hosting organization and see if they are willing to supply you with their log on the phishing site computer. With those logs, you might be able to figure out the affected customers and the lost data. Remember, the phishing site hosting party have no obligation to reveal their logs to you but ask nicely and usually they will help you out. Remember, they are probably shocked about the incident (since their host likely got compromised) and is not in the best mood, so be as gentle as possible with them. Ask nicely and you might get it.




Conclusion

That's a lot of tasks to be done which mean one thing - do not do it all by yourself. Get help! I won't go into the details of incident handling techniques and theories, but I do want to stress the importance of segregation of duties here. Unless you are superman, I don't see how you can coordinate the site shutdown and deal with the press all at the same time.

If you think you may be a high risk phishing target, do a drill on a Saturday ASAP. It will let you see if your call list need revision and expose the weakness before the incident actually happens.

I forgot to mention one important point in handling the phishing incident - pray to your God. To get the phishing site shutdown (which is the most effective mitigation), you are at the mercy of some other administrators potentially half a world away. You definitely need some luck to get that going.

Lastly, I would like to praise the team I worked with on my last phishing adventure. You know who you are and you guys really handled it well.

-------------------------------

Handler on Duty - Jason Lam, jason /AT/ networksec.org

Bots installed through IM and packet capture howto



We had a post from a Storm Center reader that noticed a version of W32.Spybot.Worm being installed via MSN Messenger. A handful of users reported that they were receiving a file called WebCam_012.pif. The users claimed that that the file executed without intervention (the poster added that users sometimes disavow any involvement).




The network was "protected" by Symantec real-time protection (Corp version 9) which in its configuration did not stop the worm from executing in memory. The worm then spread through a variety of Windows methods (exploits and shares). The malware installs itself in %SYSTEMROOT%\system32\iexplore.exe




This begs a few questions:
What solutions have users found work in this situation (malware running actively in memory).

What solutions work in blocking file transfer during instant messanger?


If I recall Ed Skoudis' excellent article in Infosecmag regarding Anti-virus tools, Symantec's antivirus had to be configured to scan memory for malware, so that helps address one problem.


Instant messenger has long been the bane of many a security admin. Ive always favored an Instant Messanger proxy server, ala Jabber or similar. This atleast allows me to monitor the traffic, as well as limit its points of entry/exit.

################
In diaries past, we have routinely asked readers to submit packets (everyone can repeat Don Smith's trademarked slogan: "Got Packets?"). A reader requested that we put together some guidelines for gathering/submitting packets to the Storm Center. I have compiled a simple set of guidelines as a starting point. Please feel free to comment, add, augment via the usual contact form.

tcpdump -nns 1514 -w filename

would be the simplest form. Note that the above will capture all traffic that that interface can see.

tcpdump -nns 1514 -w filename 'protocol and port insert_port_number'

example:

tcpdump -nns 1514 -w weird_traffic.cap 'dst host 10.10.0.10 and tcp and port 42'

would capture more specific traffic.

If 'anonymizing' your IP address space is important, Snort can do this with with the -B and -h switches like so:

snort -h <insert_home_net/mask> -B <insert_what_to_change_to/mask> -r in.cap -bl out.cap

example:

snort -h 10.10.0.0/16 -B 192.168.0.0/16 -r in.cap -bl out.cap

In the above example, all of the 10.10 addresses will be converted to 192.168 addresses.

Note: snort will not correct the checksum's for the anonymized packets.

On Linux, netdude ( netdude.sourceforge.net ) is a GUI packet editor that will not only change the packets, but also fix the checksums.

Mike Poor :s/oversomewhere/\@/g mikeoversomewhereintelguardians.com

Handler on Duty

We have been seeing a lot of user reports of activity on port 42, although we don't seem to have any reports of what specifically is causing it, we really would like to receive additional reports from systems receiving or originating high port 42 traffic.

This traffic appears to have spiked on the 13th or so, but is maintaining higher than normal levels, and so is still interesting. A good suggestion might be to disable port 42 if you are not running WINS.

Looks like Microsoft is going to update MS04-038 if this is in fact updated, it was a critical vulnerability, so you should check your systems regardless of the press that Microsoft gives the update. Note that the 2004 date in the link appears to be a typo.

More details can be found at http://www.ngssoftware.com/advisories/msinsengfull.txt
Scams/Phishing
We seem to be seeing more sophisticated phishing sites/attempts from multiple sources on a more routine basis. So, with that in mind, most solutions are non-technical in nature, what I would really like to know is, what are you doing to educate your users? If not education, how do you protect against phishing sites?

-
Michael Haisley mhaisley@isc.sans.org
SANS Internet Storm Center Incident Handler

Tsunami.exe

A piece of malicious code is making the rounds of the Internet masquerading as a Tsunami relief donation request. While not really surprising I find this is somewhat of a new low even for the writers of malware. Words like despicable, shameful, contemptible, pathetic, and feeble come to mind. I had to check a thesaurus for printable comments, can you tell? Filter attachments at your perimeter in organizations, use up-to-date anti-virus, and as users do not open attachments.
Oracle critical patch update released

Oracle has released a critical patch update to address vulnerabilities in the RDBMS products. The full details of the vulnerabilities have not yet been released. Oracle has rated some of them as having wide impact. NGSSoftware, who have released an advisory, rates many of them as high risk. They include privilege escalation and a buffer overflow condition.

For more info:

http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf

and

http://www.ngssoftware.com/advisories/oracle-02.txt

Got packets?

Upswings in scanning activity for ports tcp/901 un-explained, possibly looking for swat/samba installs? Share your theories and packet captures.

http://www.dshield.org/port_report.php?port=901

Cheers,
Adrien de Beaupré

Internet Storm Center Handler of the Day

http://www.cinnabar.ca

We received several submissions today on the topic of "Wireless Thoughts" from yesterday's Diary written by Marc Sachs. Here is Part II for Wireless Thoughts contributed by our readers and compiled by Marc.
Wireless Thoughts - Part II.

We received several emails today from
readers with additional suggestions and ideas for personal VPNs when
traveling. Here are some excerpts from the mailbag.

Holger suggests that, "WPA encryption will cover traffic only locally on the
link between your mobile device and the WiFi-hotspot. From the hotspot on
the data will travel unencrypted and hence unprotected - most likely through
the hotels local network infrastructure and an ISP's public backbone also.
So in my opinion, cryptographic protection, which is '"good enough" for most
of us", has to cover the communication on an end-to-end basis and WPA on
public hotspots may not be good enough most of the time..." In a follow-up
note he offered, "...while using public access even WEP/WPA is just not
"good enough" and additional means of (cryptographic) protection
(VPN/SSL/SSH or whatever) is required anyway."

In reference to SSH port forwarding, a reader wishing to remain anonymous
says, "...in newer version of OpenSSH there's a much nicer way. The -D
option on the client sets up a local SOCKS server which proxies data across
the SSH tunnel so you don't need to worry about configuring every protocol
you use as long as your application is SOCKS aware (as many are, and if they
aren't you can use API hooking to make them -- see FreeCap @
http://www.freecap.ru/eng/?p=index ; I also recommend the SwitchProxy
plugin for firefox). Dan Kaminsky added this feature and refers to it as
"poor man's VPN". Another option for the ultra-paranoid users would to use
something like Tor, a mix-based anonymizer ( http://tor.eff.org ), which
would set up a local SOCKS proxy, encrypt and do a decent job of anonymizing
your location as well for privacy in web browsing)."

Tina pointed us to a link from Intel that addresses this issue:
http://www.intel.com/personal/do_more/wireless/security/secure.htm

Brent reminds us that, "...some VPN implementations have a distinction
between "split-tunnelling" connections and non-split-tunneling.
Split-tunneling (at least with Cisco and the old VPNet VPN gear) means that
the ONLY traffic that gets encapsulated and encrypted is traffic both to and
from protected networks (the remote machine being considered "protected").
So... With a split-tunneling VPN solution, my machine could, potentially,
be attacked by another person with a wireless card while I was using a
public hotspot. Also, if I signed on to a service (like an IM client, for
instance) where the username and password were sent in the clear, someone
nearby with a wireless card could sniff the traffic and obtain my password
since that traffic would NOT be going across the VPN. This is why I always
set up users with wifi cards with two profiles in their Cisco VPN client.
One for use when they're on their broadband connection at home, and one
(with split-tunneling disabled) for when they're using a hotspot. When they
use the non-split-tunneling VPN profile, as soon as they've authenticated
with the VPN, ALL of their IP traffic gets sent over the encrypted VPN
tunnel back to the home office including internet access. This not only
gives them another layer of security (wifi packets sent to their machine
that are not encapsulated get dropped), but it means that their internet
access can't be sniffed by someone else in the local area with a wifi card."

Finally, Darrin told us that, "I follow a similar approach by tunneling my
traffic to a linux box running on my home broadband account. Using a dynamic
DNS provider (e.g. dynDNS), I can route traffic to my broadband connection
and not have to use an external hosting service."

Thanks, everybody!
Netgear Vulnerabilities

Two vulnerabilities have been found in Netgear's FVS318 firewall/router. The first one allows for hex encoded characters to bypass the URL filters. The second one is a vulnerability with the content filter/log viewer. A URL that is blocked and has JavaScript embedded in it will be logged. When that log is viewed, the JavaScript will be executed. For more information see:
http://www.securinews.com/vuln.htm?vulnid=103

Phishing Creativity

I spent part of today looking at four phishing attempts. All of them were different from each other and three of them were more creative than some I have looked at in the past. It seems that the folks doing these attempts are taking more actions to cover their tracks and to avoid detection. One of them even had several "presents" for their victim. As the creativity grows, detection and tracking becomes more difficult as they are involving more servers, code obfuscation, use of I-Frames, redirects, on-line form publishers etc. Tracking these down to find all the entities involved can take time and can be difficult. It will be interesting to see what the future holds in the realm of phishing. Anyone care to make any predictions?


Lorna Hutcheson

Handler on Duty

http://www.iss-md.com

Panix DNS Hijacked. Panix, a commercial Internet provider in New York, had its main domain name (panix.com) hijacked by an unknown party. According to Panix, the ownership of panix.com was moved to a company in Australia, the actual DNS records were moved to a company in the United Kingdom, and panix.com's mail was redirected to yet another company in Canada. As of this writing, Panix has been able to recover their domain but the global DNS will take several hours to get the records updated. More details are on Panix's alternate web site at http://www.panix.net

tcp/3306 Increase. There has been a slow but steady increase in hostile activity aimed at tcp/3306 (MySQL) over the past several weeks, with a spike on or about Christmas day. We are not aware of any new MySQL exploits, but clearly there is some interest in this port. Any packet captures, analysis, or thoughts would be appreciated. See http://isc.sans.org/port_details.php?port=3306&days=70

Osama Captured SPAM. There is yet another email going around that claims to have photos about Osama bin Laden's capture. Like the ones that circulated last spring and summer, this one points to a site containing hostile Java scripting. Watch for flows going to the 218.30.123.0/24 subnet in your outbound logs.

Thoughts on Hotel Wireless. This past week I had the pleasure of teaching SANS's Security Essentials course to a group of 25 US Government students. They were a great class and had plenty of good questions, comments, and ideas. One topic we discussed was the use of open wireless devices in hotels and other public locations. A few of the students asked me after class for specific information on how I secured my own laptop and how I use it on open wireless networks. That made me realize that others might want to know the same thing.

In my case, I use a laptop with built a built-in wireless card. The radio can be turned on and off via the keyboard, which is a nice feature. I pay a commercial service for nation-wide 802.11b/g roaming, which typically gives me access in most major airports, popular coffee shops, and popular package shipping and office support stores. They support the IEEE 802.1x security standard with WiFi Protected Access (WPA), which is "good enough" for most of us. However, many times I'm in a hotel that offers wireless without any encryption, not even WEP. So that leaves me with only one choice - a personal VPN.

Many companies offer VPN capability for their employees, but if you are a do-it-yourselfer or your employer does not have a VPN service you are not out of luck. I have a hosting service that takes care of my domain names and with it I get a standard Unix shell account (no, I'm not using Panix!) Using an SSH client on my laptop connected to my Unix shell account, I simply map any ports I want to protect from wireless eavesdropping (110 for POP3 and 25 for SMTP are a good start) over to my SSH tunnel. For ease of numbering, pick a starting point that is an even thousand (like 3000 or 4000) then map each port in a manner that is easy to remember. For example, map 110 to 3110 and 25 to 3025. On my email client I changed the POP and SMTP settings to point to myself (localhost) at the ports I mapped over to SSH.

Most SSH clients have the specific details on port mapping in their help or MAN pages.

For those in the United States who have tomorrow off, happy Martin Luther King day! For everybody else, hope you enjoy your Monday!
Marcus H. Sachs

Handler on Duty

More than Veritas on TCP port 10000

Stephane Nasdrovisky sent us a list of other things listening on TCP port 10000.

- webmin: web based unix system administration
http://www.webmin.com/

- Dumaru: worm starting an ftp server on port 10000
http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru.b@mm.html
(and many more vendors and variants, just one URL as an example)

- Cisco VPNs: use a default TCP port 10000 to do IPSEC over TCP. E.g.:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a00800946af.shtml#encap

- Backdoor XHX, oracle.zip, ... : there's a collection of malware creating backdoors like port 10000 as well to connect telnet servers among other to it.
http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html

- Video multicast IETF 56 uses port 10000 (udp)
http://www.ncast.com/ietf/ietf56sfo-info.html

We'll appreciate insight our readers can share esp. in the form of captures of what is being scanned for.

Connecting mismatched protocols and making it work?

It doesn't come as a normal thing to see clients and servers hooked together that speak a different protocol and still expect it to work. At least for me it's almost unnatural to think of it that wat.

Still that's exactly what the less honest people out there do nowadays.

Consider this scenario: You're evil and will try to relay spam through a normally closed network. You don't care all that much about who gets the spam or what it is for, you're hired hand and get paid by the message.

First you slowly scan the net for proxies, especially proxies accidentally configured on web servers are attractive. Sending packets to a web server won't attract all that much attention from defenders and can learn you a lot about their make and chance of it being misconfigured.

Once you see a not so security minded configuration of an apache you fire off a connect request. Such a request is normally used to be able to proxy SSL requests.

Once you have found such a proxy that is either configured to be open (most likely by accident) or a web server also acting as proxy, again most likely an error, you start to learn more about the inside of the network, where's the outgoing smtp server is one of your most pressing questions. But if you find a usenet server you might note it to have some "fun" later on with posting nasty messages in some discussion boards.

Once you find an outgoing SMTP server with an open proxy in it's service are, you're in business if that proxy doesn't restrict you in talking to port 25.
Most defenders won't realize they're not safe, after all they don't have an open relay. Nor will they presume hooking HTTP and SMTP together as a viable option.

So how do they hook together?
the HTTP proxy will send a HTTP header to the SMTP server and the SMTP server won't understand the commands, but that's all to be discarded. After the header you, the hacker gets control and due to the friendliness in these protocols they won't break the connection due to excessive errors all that easily. So one the data you supplied get through, you managed to type SMTP commands and that the SMTP server will understand.
NNTP works the same, it just has other commands it will understand but it will sit through the errors from it's perspective while receiving the HTTP headers.

Back to the real world.

So what can a defender like you do ?
- make sure your proxies do not allow connections to well known ports other than typical HTTP and HTTPS ports.

- make sure your web server do not have proxies enables without need (apache has the option of having a proxy compiled in, try to compile your own without that possibility)

- Esp. for ISPs and the like: consider your NTTP, SMTP, ... servers that don't need to have your web servers, proxy servers etc in their service area to have those servers removed from being able to relay email.

- Stopping connections after a number fo errors in SMTP and/or NNTP needs to be done carefully, e.g. ESMTP and SMTP servers always exchange an error in the EHLO/HELO handshake but is something for e.g. the IETF to consider in my opinion...

And if you don't prevent this, you'll likely get blocklisted a few times for sending out spam or worse.

--

Swa Frantzen

More Veritas Backup Exec fun

We continue to receive reports of probes that appear to be looking for the
Veritas Backup Exec vulnerability. Initial probe spikes showed up at port
6101, but we've been told by Erik Fichtner that recent versions of Backup
Exec have agents also running at tcp 10000. Regardless, make sure your
organization is patched!

For those looking to move ports around, have a look at:
http://seer.support.veritas.com/docs/255498.htm

The search for open relays continues

Reports of open (web) proxy scanning continue to come in. Organizations
are reminded to keep an eye on their proxy and mail servers, as even
security-conscious administrators sometimes fat-finger configurations and
open up the door for future problems. (This handler certainly has had his
fair share!) Checking the relay capabilites of your own infrastructure
from time to time isn't a bad idea!

Santy still running around making trouble

The phpBB Santy worm continues to make its rounds. While quite tame
compared to the Internet's heavier hitting malware, some interesting stats
pertaining to Santy's progress can be found here for anyone who is
curious:

http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=112

Mailbag

Brian Marino had problems with Cisco ACLs (Access Control List) not
stopping malicious fragmented UDP packets. While his ACLs looked ok, we
figured out he was running into some known issues over at Cisco.

We thought many more would enjoy the URL for the Cisco white paper on how
ACLs work:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml

--

Edited by Swa Frantzen, for Greg Shipley. Wishing him some sound sleep after a very busy day.

Auto-executing spam installers via email



Jim Slora reported on the Intrusions list that malware installer
emails are now making use of an OBJECT tag vulnerability in MS Outlook in the
event that the malicious email is forwarded to another person and the initial
recipient uses Microsoft Word as their
editor. http://secunia.com/advisories/12041/ and http://lists.sans.org/pipermail/intrusions/2005-January/008734.html



The malware will then be executed without warning (even on XP SP2) in the
local computer's trusted zone. There currently is no patch for this issue, so
please don't use Word as your email editor if you like to forward messages to
others!



Dipnet/Oddbob on the move again



We've received a number of reports of increased traffic on TCP ports 10758,
11768, and 15118, where the remote system would send a magic sequence of
"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123" if it managed to connect to any
of those ports. The folks at LURHQ had a nice write-up of the malware
at http://www.lurhq.com/dipnet.html



.ANI file followup



Earlier this morning, VirusTotal http://www.virustotal.com/ showed that the
number one submission to their site was "Exploit.Win32.IMG-ANI", and it still
barely scrapes in at #10 on the seven day trend. We hope that this is simply
all the friends that Tom made yesterday testing their PoC's against Antivirus
products, but we can't be completely certain of that.



We encourage everyone to do what they can to block .ANI files from entering
their networks, and to make sure they've got the MS05-002 patch applied.



SMTP = Strange Mail Transfer Protocol ?



One of our readers mentioned that they had seen some strange HTTP traffic to
their SMTP mail server on port 25 coming from a number of remote IP addresses.
While it could just be a brain-damaged vulnerability assessment tool running
amok; we all remember the incidents with IRC traffic being sent to SMTP
servers, and we're wondering if anyone else has seen any out of place HTTP
traffic to their mail servers in the past few days.

The truth, the whole truth, and nothin' but the truth...



If you're running Veritas Backup Exec 8.x or 9.x and you aren’t patched or blocking access to port 6101/tcp, you're either 0wn3d or soon will be. On Monday, we mentioned a rise in scans for port 6101, and as of today, "universal" exploit code for the vulnerability is widely available. We are seeing indications of active (ie. non-worm) exploitation of Backup Exec systems but have heard rumblings that a worm may be in the works.



http://isc.sans.org/diary.php?date=2004-12-16

http://isc.sans.org/diary.php?date=2005-01-10





MS05-002 PoCs : 12 for $0.10



For all you s'kiddies out there, a word: if you haven’t yet developed your own PoC for the MS05-002 "Cursor and Icon Format Handling Vulnerability" you've officially forfeited all of your hard-earned Hacker Cred. Turn in your pocket protector and go get a tan.



For the rest of us... the PoCs are out there. Make sure you're patched.





Wouldn't it be easier to just get a real job?



Lorna "The Army Lady" Hutcheson passed along an interesting story about the extent of "hoop jumping" a phisher went through to cover his tracks. It starts with a typical phish-bait email sent from a spam box and filled with Javascript that pointed the unwary victim to (what we'll call) website #1. Website #1 then redirected the visitor to another website (which we’ll call website #2). Website #2 then used a third-party "forms processor" website to collect the phished information and forward it, via email, to a webmail address, accessible from anywhere.



Personally, I think it would be a whole lot less stressful to learn how to say: "Do you want fries with that?"





Meanwhile, back at the ranch...



First there was that whole gdiplus.dll thing making .jpg files hazardous, now .wmv files are hosting nasties as well. Trj/WmvDownloader.A and Trj/WmvDownloader.B, are the current vectors by which Microsoft is taking all the fun out of porn*. It seems that these little buggers take advantage of the fact that .wmv files can be rigged to use the DRM features of Windows Media Player to download more than just licensing info—rather, they can use the DRM features to browse sites loaded with malware. Alternate Browser Users Beware: Windows Media Player uses a Genuine IE engine to do its dirty work, so even if you use another browser, you’re only as safe as the version of IE installed on your system.





*Every dang time I write a diary, someone finds something to be offended about. No doubt, this will be that "something." Please don't bother writing in to lecture me on how EEEEVIL porn is. It's a joke. Lighten up. If you keep taking life too seriously... uh... uh... you'll go blind.





Someone to watch over me...



During today's SANS/ISC webcast, three of the ISC handlers (Donald Smith, Scott Fendley, and I) fielded a wide range of questions and did a bit of crystal ball gazing for the new year. The final question was "What do you think will be the big security issue for 2005?" While Donald and Scott felt that the continuing rise of the botnets would be the dominant factor, Johannes Ullrich and I were of the opinion that "device hacking" (cellphones, voip boxes, etc...) would be a big issue this year.



As if to prove us right, over the past several days there has been a growing interest in the exploitablity of several brands of IP based surveillance cameras. It seems that some of these have "issues" and that they're pretty easy to find with a properly formatted Google search. If you have one of these cameras, or if you know someone who does, it might be a good idea make sure that the cameras are patched and that access to them is restricted to the greatest extent possible.



Actually that's "picture perfect" advice for anything you've got hooked to the 'net... not just cameras.



Webcast archive: http://www.sans.org/webcasts/archive.php



(Thanks to Juha-Matti for the tip)





------------------------------------------------------------------------

Handler on duty : Tom Liston ( http://www.labreatechnologies.com )

New Poll.
FireFox vulnerability POC released.
WINS traffic flow diagrams.
Microsoft Tuesday 3 patches & 4 vulnerabilities announced today.

The question for the new poll released today is "When do you think public release of an exploit is useful?" This is your chance to be heard.

WINS update
Several people have noticed that there appears to be a fairly low number of source addresses associated with the WINS scanning. This implies to an autorooter rather then a worm is responsible for the WINS scanning.
The Internet Motion Sensor project has released an analysis of the traffic on TCP port 42 associated with recent WINS exploit activity. This report was written by Evan Cooke of U of Mich, Jose Nazario and Danny McPherson of Arbor Networks.
The report is located here: http://ims.eecs.umich.edu/reports/port42/

One Important and 2 Critical patches were announced today by Microsoft.
http://www.microsoft.com/security/bulletins/200501_windows.mspx

Microsoft Security Bulletin MS05-001 Critical

Vulnerability in HTML Help Could Allow Code Execution (890175)
http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx

Vulnerability:A cross-domain vulnerability exists in HTML Help ActiveX control that could allow information disclosure or remote code execution on an affected system.

Affected Software: Basically every Microsoft OS other then NT Server SP6a and NT terminal server SP6a. NT is affected if they have IE 6.0 sp1 installed.

Mitigation: Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX controls and active scripting in the Internet zone and in the Local intranet zone.
This will cause a lot of prompting since many websites use active-x. An alternate mitigation would be to trust some websites but the users has to add each trusted website by hand.
Microsoft Security Bulletin MS05-002 Critical
Cursor and Icon Format Handling Vulnerability - CAN-2004-1049 AND
Windows Kernel Vulnerability - CAN-2004-1305

Vulnerability CAN-2004-1049:
Cursor and Icon Format Handling Vulnerability - CAN-2004-1049:
A remote code execution vulnerability exists in the way that cursor, animated cursor, and icon formats are handled. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Affected Software: Basically every Microsoft OS other then Microsoft Windows XP Service Pack 2.

Mitigation: Read e-mail messages in plain text format.


Vulnerability - CAN-2004-1305:
The Windows Animated Cursor (ANI) in Windows allows remote attackers to cause a denial of service (kernel crash or resource consumption) via the (1) frame number or (2) rate number set to zero.

Affected Software: Basically every Microsoft OS other then Microsoft Windows XP Service Pack 2.

Mitigation: Read e-mail messages in plain text.
Microsoft Security Bulletin MS05-003 Important

Vulnerability CAN-2004-0897:
A remote code execution vulnerability exists in the Indexing Service because of the way that it handles query validation. An attacker could exploit the vulnerability by constructing a malicious query that could potentially allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. While remote code execution is possible, an attack would most likely result in a denial of service condition.

Affected Software:
Win 2K SP 3
Win 2k SP 4
Win XP SP 1
Win XP 64-Bit SP 1
Win XP 64-Bit 2003
Win Server 2003
Win Server 2003 64-Bit Edition

Mitigation: Block the following ports:
UDP ports 137 and 138 and TCP ports 139 and 445


Microsoft is not doing enough Quality Control on their vulnerability announcements.

From: http://www.microsoft.com/security/bulletins/200501_windows.mspx
In the description of CAN-2004-1305 microsoft states its a DOS. Then they imply a remote user would get the same privledges as the user under mitigation.

According to an eEye release today the ANI vulnerability can lead to remote code execution.
eEye Digital Security has discovered a vulnerability in USER32.DLL's
handling of Windows animated cursor (.ani) files that will allow a
remote attacker to reliably overwrite the stack with arbitrary data and
execute arbitrary code.
A Firefox exploit was released for a vulnerability in Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP SP2.

Details:
Using javascript it is possible to spoof the content of security and download dialogs by partly covering them with a popup window. This can fool a user to download and automatically execute a file (if a file extension association exists) or to grant a script local data access (if codebase principals are enabled).

Yesterday's diary discussed printme a "harmless joke application".
This is not related in anyway to www.printme.com which is used by many hotels to allow customers to print documents without installing drivers/software.

6101 and 6129 scans on the rise

Readers submitted queries this morning about scans against 6101/TCP and 6129/TCP. We’ve seen only SYN scans so far, there have not been any packets submitted.

The 6101/TCP is theorized to be scanning for the Veritas BackupExec Agent vulnerability discussed earlier (http://isc.sans.org/diary.php?date=2004-12-16) in December.

The 6129/TCP scan MIGHT be looking for instances of the remote administration port for Dameware. There are a few know weaknesses in the authorization code in older versions.

These are just guesses at this point. Without packets, there’s not much to go on. If you have packet captures send them in. If you have reports of the scans, please submit them via Dshield (http://www.dshield.org/howto.php).

”Infected Links”

Some days in the Handler’s Diary we include snippets of source code, or links to sites with in-depth analysis of examples of malicious code. These are likely to upset your Anti-Virus software. We try to be diligent and not link to a site that may compromise your system. When your Anti-Virus warns you, it’s just telling you that you’re walking a little closely to the “dangerous” side of the Internet. Enjoy the rush.

A Reader Query

Joel, a reader, sent us an incident report of a “PrintMe” (http://research.sunbelt-software.com/threat_display.cfm?name=Print%20Me) infection. He thinks they picked it up while using a Hotel’s network to allow them to print to the Hotel’s printers. He’s asking if anyone else has seen a similar use of the code, or has picked this bit of code while on the road.

A Goodie Basket for Grandma

While traveling around for my winter holidays (which were delayed due to ice storms and flooding—but that’s another story) to visit family and friends, I took a little CD with me—A Goodie Basket for Grandma, if you will. If you’re involved in computer security, I’m sure that your family has plenty of questions for you when they get their new computers. If so, I have some advice to make your life a bit easier. If not, they should be asking, and you may want to start doing this for them.

I downloaded SP2 for Windows XP Home edition. I downloaded the security patches released since SP2. I downloaded Spybot S&D and it’s latest signatures. I downloaded Clamwin. I downloaded tightVNC. Burn them all to a CD (or put them on your USB drive.) Then, while you’re visiting, you can clean-up their PC, patch it up, and leave VNC behind so you can provide remote assistance should they call you in the future (and you’re far away.)

In my experience, it was best to install Spybot S&D and Clamwin first, in order to make sure the system is clean. I found plenty of tracking cookies, and a few SDBot infections. Once the systems are clean, you can begin patching. “Windows XP: Surviving the First Day” (http://www.sans.org/rr/whitepapers/windows/1298.php ) makes for a good read, too.

*the goal of the Goodie Basket was to provide freeware solutions for people on dial-up connections.

**Microsoft’s Anti-Spyware tool was released less that 24 hours before I built the Goodie Basket, it wasn’t properly tested, so it was not included.

***Don't run VNC in server mode, set it up in a "click here in an emergency" program group in Grandma's menu.

-------------------------------------------------------

kliston AT isc.sans.org

Secunia Advisory for IE

Thanks to John Germain for bringing this update to our attention. Secunia has upgraded the advisory for SA12889 to "Extremely Critical" as of January 7th. They also have add a nice link to test your browser. The orginal advisory was posted at
http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm

The vulnerability is yet another cross-site scripting vulnerability. It will allow remote code execution on a victim's system just by visiting the website. The Storm Center has received one email of such a site and confirmed that it was actively using the exploit to attempt to download XP.exe from several locations. Currently vulnerable is IE6 on a fully patched WindowsXP system. As of now, there is no patch available. I know Symantec is detecting this as bloodhound.exploit.21 from what I have observed, but I'm not sure what other antivirus software is doing. It is advisable to keep your antivirus software updated and move to another web browser if possible. For more information, please see

http://secunia.com/advisories/12889/


For those who would like to check out the source code themselves before visiting an untrusted website and don't/can't use wget, there is a good online tool found at the following URL which will retrieve the source code of the web page for you.

http://willmaster.com/master/snooper/MasterSnooperV2.cgi
meeneemee.exe

Fellow handler Toby Kohlenberg orginally posted very limited information we had about what this maybe (see http://isc.sans.org/diary.php?date=2005-01-07 ) We still are looking for more information. If you have any information about what this might be, please let us know.
Since its my first shift for the 2005, I would like to say thanks to everyone for all the submissions and support you have given to all of us here at the ISC. To my fellow handlers, you are all simply awesome and a great group of friends!! Here's to another great year for everyone!
Lorna Hutcheson

Handler on Duty

http://www.iss-md.com

It looks like the 53/TCP packets being seen are 3DNS probes. Thanks to Frank Knobbe for the pointer. Here are some rules from Bleeding Snort that may be used to ignore these packets:

pass tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"F5 BIG-IP 3DNS TCP Probe 1"; flags:S,12; dsize:24; window:2048; id:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001609; rev:2;)

pass tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"F5 BIG-IP 3DNS TCP Probe 2"; flags:S,12; dsize:24; window:2048; id:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001610; rev:2;)

pass tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"F5 BIG-IP 3DNS TCP Probe 3"; flags:S,12; dsize:24; window:2048; id:3; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001611; rev:2;)

There have been a couple of new vulnerabilities announced today that are worth noting-

Linux Kernel 2.6.10 / 2.4.28 Local Privilege Elevation Exploit from K-OTiK

http://www.k-otik.com/exploits/20050107.elflbl.c.php

Mozilla / Mozilla Firefox Download Dialog Source Spoofing

http://secunia.com/secunia_research/2004-15/advisory/

Secunia announced PoC for arbitrary command execution with IE+SP2:

http://secunia.com/internet_explorer_command_execution_vulnerability_test/
Analysis of the WINS worm

Steve Friedl has posted this work-in-progress of reverse engineering the WINS Trojan Horse
http://www.unixwiz.net/research/winser-a.html
We've gotten lots more reports flowing in of false positives from the MS anti-spyware tool.
Please report them to Microsoft so they can fix it. There is one that is worth mentioning-

An anonymous donor points out

"If you manually add domains to MSIE's "Restricted Zone" list or "Always Block" cookies list, then beware that Microsoft's new AntiSpyware Beta may flag these as either "High" or "Elevated" security risks, with the default action of "Remove". Don't be fooled.

For increased security, I highly recommend keeping these sites listed. Thus, change the default action of "Remove" to "Always Ignore" for these entries."
Finally, we had a query about an odd executable being found in the registry of a Windows 2003 system-

Multiple Windows 2003 systems on the same subnet have the following registry key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) REG_SZ meeneemee.exe

A clean system would have:
(Default) REG_SZ "%1" %*

Every search engine I tried came back with nothing. If you have seen this or know about it, please let us know.

Net fraud gang recruits students to launder money

Students are being paid to collect money that was stolen from others using viruses or trojans to steal their account info.
http://australianit.news.com.au/articles/0,7204,11865688%5E15318%5E%5Enbv%5E,00.html

Microsoft news of the day

Microsoft has released the beta of their new spyware... er, make that spyware removal tool. It appears to be very similar (not surprising) to the GIANT product that they just purchased. We have heard some reports of false positives on things like WinPcap.
http://www.microsoft.com/athome/security/spyware/software/default.mspx

MS04-011 worm has been seen

Trend Micro reports on a worm that is taking advantage of the MS04-011 vulnerability. If you haven't patched this yet, you should be ashamed of yourself. Go patch right away.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HKTL_LSASSSBA.A&VSect=T

Update on WINS IDS detection

Snort successfully detects the WINS exploits being seen when using the Sourcefire rules. However, it must be configured with stream4_reassemble to reassemble traffic from the client and you must explicitly add port 42 to the list of reassembled ports.
There are actually a number of signatures that don't work without reassembly turned on, if you aren't doing it now you might want to check your config and see which sigs are missing as a result.

SQL Injection Worm example

For those who are interested in learning more about worms that can spread via SQL Injection, you should check out Mike Murr's GCIH practical http://www.giac.org/practical/GCIH/Michael_Murr_GCIH.pdf

Dave Litchfield has published a number of vulnerabilities for DB2

http://www.nextgenss.com/advisory.htm
http://www.ngssoftware.com/advisories/db205012005A.txt
http://www.ngssoftware.com/advisories/db205012005B.txt
http://www.ngssoftware.com/advisories/db205012005C.txt
http://www.ngssoftware.com/advisories/db205012005D.txt
http://www.ngssoftware.com/advisories/db205012005E.txt
http://www.ngssoftware.com/advisories/db205012005F.txt
http://www.ngssoftware.com/advisories/db205012005G.txt
http://www.ngssoftware.com/advisories/db205012005H.txt
http://www.ngssoftware.com/advisories/db205012005I.txt

Odd port 53/TCP traffic

We have gotten a report of odd port 53/TCP traffic. If anyone else has seen this, please let us know.
Brian King reported:
"I first noticed them because they were setting off my SNORT signature #526 (BAD-TRAFFIC data in TCP SYN packet) http://www.snort.org/snort-db/sid.html?sid=526. This has been going on since the second week in December with a short Xmas break.
They all:
have my MYIPADDRESS:53 as destination (there is no nameserver there)
All have window size of 2048
All have TTL of 47-49
All have IP ID of 1-3
All have source ports 1027-2554
All packets are 64 bytes in size
There are many different source IP addresses
All source IP addresses except for 1 are administered by Savvis Communications
The other IP is admined by UUNet global hosting ( http://www.ripe.net/whois?form_type=simple&full_query_string=&searchtext=194.129.79.121 )
All TCP Packets have empty data
It always come in waves of 12 packets
There are always 2 to 3 waves that are 3-4 hours apart
Each wave has 3 packets with a source address of 194.129.79.121."

USA National Response Plan

I still think "run in circles, scream and shout" is the best response but, if you're interested, this is the plan for the United States
"The National Response Plan establishes a comprehensive all-hazards approach to enhance the ability of the United States to manage domestic incidents."
http://www.dhs.gov/dhspublic/interapp/editorial/editorial_0566.xml
http://www.dhs.gov/interweb/assetlibrary/NRP_FullText.pdf

SQL Injection Attacks by Example

We did receive two submissions of interested regarding SQL injection. SQL injection is a problem commonly found in web based applications which use a SQL database back-end. Like so many security issues, missing user input validation is to blame. A couple of lines of pseudo code will easily illustrate the issue:

Lets assume your web site is verifying users login credentials using this code:

$valid=select count(*) from users where username='$user' and password='$pass'

if ( $valid==0 ) {

  send_user_to_login_page

}

if we do not validated '$user' or '$pass', a malicious user could supply the following as "username": ' or 1=1; select 1 from users where username='

As a result, the application would execute this statement:

$valid=select count(*) from users where username='' or 1=1; 

        select 1 from users where username='' and password='password'

As a result, the user would be considered 'logged in' regardless of the password supplied (of course, the result will vary somewhat depending on how the actual site will deal with multiple queries).

For much more on this topic, see this brief overview:

SQL Injection Attacks by Example http://www.unixwiz.net/techtips/sql-injection.html

While the paper doesn't include any particular new revelations, it does show the basic principle behind SQL Injection attacks quite clearly. However, the paper falls somewhat short when it comes to input validation mechanisms, and how an attacker may bypass them.

As a minimum precaution for all the PHP folks: make sure you enable 'magic_quotes'. It should be enabled by default.

While the problem is usually found in web sites as they are accessible to a large number of users, similar problems could be found in other applications with database back-ends.

SQL Injection Worm

To drive home the point about SQL Injection: "Zeno" from CGISecurity.com pointed out a bugtraq posting about a worm which propagates using SQL Injection. At this point, we have not yet seen the code for the worm. However, it is quite possible given that worms have taken advantage of SQL databases in the past (e.g. see "SQL Snake"). Many SQL databases have the ability to execute shell commands or read and write arbitrary files. As always, it is good to observe "defense in depth": Run your SQL database in a chrooted environment, limit the permissions of web-accessible SQL users and check your web logs.

more WINS details

We did receive a number of submissions with packet traces showing use of the recently released exploit against flaw in WINS. The exploit used is a variation of the code published at K-Otik. In order to evade IDS signatures, the exploit was sent across multiple small packets. We only had the chance to test one IDS so far, and it recognized the exploit. I will update this diary later as I get to analyze the traffic in more details.

Asking for your input

We would like to add a new feature to our diaries. If you would like to write a short piece about a current security topic of your choice, let us know. We plan to include a contributed "speakers corner" once a week, likely Mondays.

The basic rules: It has to be relevant, and 'signed' with your name. We will verify the identity of the writer. We will pick one submission each week. It is ok to ask ahead of time is a given idea is appropriate. Opinions are welcome, but should be voiced coherently and politely. We will not screen submissions based on the opinion of the writer matching our own (at least we will try to be open). We will forward feedback to the writer. The length is limited to about 500 words.

---------

Johannes Ullrich, jullrich\at'sans.org

Keeping You Updated More Frequently

At the ISC, we recognize that security information changes often and those changes need to be communicated quickly. That need is balanced by the ability of our volunteer staff to identify, verify and communicate the information during what are often hectic work days.
Beginning today, and based on the availability of the Handler On Duty, we're attempting to update the diary as frequently as events warrant during the day.

Give us a few days or even a week and then look for a new poll. Until then, as always, feedback is welcome.


Update: 01:52 UTC - New Trojan Making the Rounds

An alert reader (thanks Mike!) forwarded a rather poorly crafted phishing attempt. Attached to the mail, is a zip file containing setup.exe. According to virustotal.com, setup.exe is detected as ..
Antivirus Version Update Result
AntiVir 6.29.0.5 01.04.2005 -
BitDefender 7.0 01.04.2005 -
ClamAV devel-20041205 01.03.2005 -
DrWeb 4.32b 01.04.2005 -
eTrust-Iris 7.1.194.0 01.05.2005 -
eTrust-Vet 11.7.0.0 01.04.2005 -
F-Prot 3.16a 01.01.2005 -
Kaspersky 4.0.2.24 01.05.2005 Trojan-Spy.Win32.Goldun.a
NOD32v2 1.964 01.04.2005 -
Norman 5.70.10 12.31.2005 -
Panda 8.02.00 01.04.2005 Suspect File
Sybari 7.5.1314 01.05.2005 Trojan-Spy.Win32.Goldun.a
Symantec 8.0 01.04.2005 -

Here is the text of the e-mail:
Dear user of E-gold. By the reason that the last time the number of complaints of unapproved removal of money resources became more often, we ask you to install the following service pack on your computer. This renovation blocks all known Trojan modules which allow removal of your money without your permission. - In case of losing money from your account, E-gold *DOES NOT* take any responsibility if this service pack wasn't installed on your computer. - The installation file is on the archive attached to this letter. -------------------------------------------------- * * * Read/Save/Print this email message * * * -------------------------------------------------- Important information about your e-gold account: - It's OK to tell others your e-gold account number! Other e-gold Users need your e-gold account number in order to Spend e-gold to you. So don't hesitate to display it on your web page, your business cards, or your e-mail signature file. - However, *DO NOT* reveal your passphrase to others!!! Anybody with knowledge of both your e-gold account number and your e-gold passphrase has complete access to your e-gold account; therefore, do not reveal your e-gold account passphrase to others. *NEVER* enter your passphrase on any website other than the www.e-gold.com web site. e-gold Resource Links: - e-gold Account User Agreement: Ever used a currency with a contract at all, let alone one that clearly outlined the Issuer's obligations to you? Well, you are now! Truly a "must read" for any e-gold User: http://www.e-gold.com/unsecure/[url_removed] - e-gold Incentive Program Information: Spread the word that better money has arrived and get paid some of it for doing so (please don't spam): http://www.e-gold.com/unsecure/[url_removed] - e-gold brochure: Having trouble coming up with the words? Use these (we do!): http://www.e-gold.com/unsecure/[url_removed] - e-gold Directory: Whether you want to obtain some e-gold or part with some, we have some links to get you started: http://www.e-gold.com/unsecure/[url_removed] --------------------------------------------- Thank you for using e-gold! --------------------------------------------- Samples have been submitted to the AV vendors.


WINS Server Vulnerability (Blatantly stolen from Scott's diary entry yesterday)

As many of you are aware, the WINS server vulnerability (MS04-045) appears to be getting exploited. The ISC, and other organizations have seen a marked increase in the probes directed at WINS services (42/tcp) since December 31, 2004. The Research and Education Networking ISAC has graphs showing marked increases in these probes on Internet2 via the Abilene network netflows.

So, if you have not patched your WINS servers in respective companies or campuses, beware. Patching these systems is now overdue. Additionally, WINS services probably should not cross your border router. SO please block these ports and keep the rif-raf out in case your local Windows Server Admins have not patched for this over the holidays.

If any of you have packet captures of this activity, please do not hesitate to send it on to the ISC for analysis.


A Bit Too Friendly of a Welcome For My Taste(thanks to Pat Nolan)

Certain URLs at brazilwelcomesyou.com have been handing out malware. Be warned that following a link to brazilwelcomesyou.com may cause malware to be downloaded to your system without your knowledge. But you're not worried, you don't use IE, right? And if you do, you're fully patched, right?

Here's the report we received from a source who wishes to remain anonymous.

We have managed to come across a well known site "classmates.com" than seems to have had one of it's banner hosting companies "brazilwelcomesyou.com" compromised. The details are as follows:

1) when using classmates.com several banner appear once logged one of these banners is advertising coming to brazil for a vacation.

2) When you get that certain browser ad from "brazilwelcomesyou.com" it does a quick browser check and if you are running IE. If you are found to be running IE then it adds a javascript "defer" script to the page that loads the ms-its exploit.

3) if you are vulnerable to the exploit then it then downloads a .cab file that runs on the victim machine.
We also know that if you try to view the image page with firefox or opera the extra code won't appear on the brazil site. Also if you try to pull down with lynx or wget the [IP Removed] IP's "counter.js" file the javascript bombs with a variable equaling 22.

brazilwelcomsyou.com has been made aware of the situation.


It's Not Us

We've recieved quite a few reports from people claiming that we were trying to break into thier systems using Back Orifice.

When we checked it out, it was determined that the source IP address (which is in a net block we own) was spoofed.

From the Mailbag

Subject: Overrated Security Topics

IMHO, all of the listed topics are real, or potential, threats.

Looking at the poll results, YES, cyber-terrorism is probably the currently least threatening.

BUT, until 9/11/2001, Arab Terrorism was a joke to the western world. The US had TWO movies about the attempted bombings of the World Trade Center in 1993, both of them showed the Arab terrorists as bumbling idiots. They were repeatedly shown on US TV 1993 - 2001, but not after 9/11/2001.

The word "overrated" is kind of frivilous. How about "currently least active" or something similar?

Please don't discount the reality of each of these threats by this poll. With our interconnected systems, cyberterrorism is a very real possibility. If a CT attack takes place, its impact could be much more serious than any of the other topics listed.

-cacroll


I think it's safe to say that we're not discounting the reality of -any- threat. Our intent, is to see what you, our readers see as the "least threatening".

Thanks for the feedback - keep it comming!


isc dot chris at gee mail dot com - Handler On Duty.

WINS Server Vulnerability

As many of you are aware, the WINS server vulnerability (MS04-045) appears to be getting exploited. The ISC, and other organizations have seen a marked increase in the probes directed at WINS services (42/tcp) since December 31, 2004. The Research and Education Networking ISAC has graphs showing marked increases in these probes on Internet2 via the Abilene network netflows.

So, if you have not patched your WINS servers in your respective companies or campuses, beware. Patching these systems is now overdue. Additionally, WINS services probably should not cross your border router. SO please block these ports and keep the rif-raf out in case your local Windows Server Admins have not patched for this over the holidays.

If any of you have packet captures of this activity, please do not hesitate to send it on to the ISC for analysis.

For more information:
http://www.ren-isac.net/monitoring/port-costa.cgi?tcp_dst_42_packets

http://isc.sans.org/port_details.php?port=42
Password Aging

We have now entered the first business day of the new year. Stop and think about how old those passwords you are using are now. How many of you can not remember when it was last changed. If your users are anything like mine, it may have been a year on some of our systems. This is a good time to change those root, administrator, and user account passwords. The students will be coming back to their respective University/College/K12 network computers shortly. Corporate users have had many weeks of potentially accessing internal resources through hostile networks at home. Take the time to check your security posture and retire some of those old passwords.

Passwords are like Underwear... Change yours often.

Passwords are like Underwear... Don't leave yours lying around.

Passwords are like Underwear... Don't share them with friends.

Passwords are like Underwear... Be mysterious.

Passwords are like Underwear... The longer the better.
*Note: The above was/is a part of a security awareness campaign started by the ITCS at University of Michigan. Make sure they get all of the appropriate credit for this interesting way to get password security through to end users.

---

Scott Fendley

University of Arkansas

sfendley _at_ isc.sans.org

Reader Diary

As the Editor of today's postings, I am taking the liberty of first comments, so here ya go .....

I'd like to thank all that have contributed to make this what it is, and those that have helped me as well. Those include, but not limited to

Johannes & Marcus for making this possible for all of us. Scott F., Patrick N., Michael H., and Chris B. for your insight and advice. Gonzopancho for your patience, guidance, and understanding. Last, but not least, Lorna H. for all you've done, including the invitation to the desert.



Tony Carothers

Handler on Duty

---

---
Hi ISC,

The first time I visited storm center, I was looking for the global trend pattern in the port traffic after the 0 day! Since then it has become my Home Page, so I know what is going on before I visit any other page!

Best Webcast was on Malware by Ed Skoudis and his book Titled "Malware - Fighting Malicious code"

I advise every one to make http://isc.sans.org as their home page!

Wish You All Very Happy New Year!

I salute the BEST voluntary job done by you all!


Best regards,
Ramu

---

---
As the lone technical person in a very small start-up company, I have
the secondary responsibility (and pleasure) of architecting,
protecting, and maintaining our computing infrastructure, while also
tending to my primary responsibilities. When I took this position
several months ago, I knew security was one of my weaker areas, and so
I made the SANS ISC my browser homepage. The daily Handler Diaries
have been a God-send for me, helping me stay one step ahead of the
malware coming at my systems from so many vectors. Thank you,
handlers, for providing concise, timely and useful information to
those of us who don't have the time to do the research ourselves!

Patrick K.

---

---
While the ISC handlers sure have earned high praise for their work, my
Kudos for the best ITSec Innovation in 2004 go to the folks at Hispasec
for http://www.virustotal.com, a free service that allows to automatically
scan a suspicous file with a dozen different anti virus products.

Daniel W

---

---
the ISC Handler's Diary is one of my three required pages to check every day, and it has the best information per time spent ratio of any resource. I also like how you guys are informal on it, it's very readable and presents better information than if it went through some kind of "officializing" filter. So thanks for it, you are all appreciated.

James Foster

---

---
Cheers, ISC! You've done us great justice. Keep up the good work.

"Don't mistake a temptation for an opportunity. After that, the rest will
follow."
---
Michael F. Rork

---

---
I am a 65 year old computer geek wannabe. I don't remember how I first discovered your website but I immediately bookmarked it and for every day of the last 3 years, I have read, quoted from and referred users to it. It is the first place I go every morning and the last place I visit every night. You have educated, warned and, on occasion, amused me every one of those days. I may never reach the level of computer literacy of some of your readers but none could appreciate you more than I do. The continuing dedication of your volunteers has helped me create a safe and protected OS. Thank you for being there.

With sincere appreciation,

Anne

---

---
I just want to say a resounding THANK YOU! to all the handlers who work so hard, around the clock, for the Internet Storm Center. There are many system administrators like me who manage small business networks without the benefit of 3000 US$ seminars every few months. We are able to glean much good information from the Handler's Diary and from all the other resources at ISC.
Handlers, your labors are appreciated.

Christopher Smith
Virginia, USA

---

---
A big thank you to the ISC and the handlers for a great job. You're the
first site I check in the morning to get the latest info on security
threats.

Norman.

---

---
Well, another year comes to an end.

And you asked for it, so
here it is.

Thanks kindly for "The Handlers Diary".

It, is quite literally, the first thing I read when I
start my work day (be that day, evening, wee hours of the
morning, or whenever).

It is often the last thing I glance at before
logging off for the night (morning, day, whatever).
after checking email for that last time.

I've shared what I've read there with others and
all in all, tried to be a good netizen, this year,
as in many years past, and for the new year as well.

Your musings and notices and occasional admonishments
are a big help in that task.

So,

There it is.

Keep up the good work,

- --chipper

---

---
Just a quick note to say thanks for all the posts from the last year. ISC is the place I go first to find out what's going on. And you do it with a nice sense of humor. Keep up the good work and thanks.

Have a safe and Happy New Year.

--
Mark-Allen Perry

---

---
====

Contained within this vine, of white magnolias, red and green, exists a cipher
of mystical beauty. Control the vine and it is yours to use; let it grow freely
and you will be a prisoner to its thorns. Contained within this vine, of white
magnolias, red and green, exists a voice. Speak to the voice, and it will speak
to you. This is the mystical beauty." -- NoamEppel.com

====

Thank you and HAPPY NEW YEARS! Keep up the great work!

Noam Eppel

---

---
I would like to thank ISC for the professional service
that is offered through the web portal. It is nice to
have such a resource where one can get the 'big
picture' quickly. I have used your site for years and
enjoy the benefit of getting to the point without
having to waste time with research on other sites.

The personal firewall log submissions are great.
Having this information allows rapid determination of
threats and exploits in the wild. It is a great
service.

Keep up the good work and I hope your site continues
to enjoy technical advances that better the security
posture of all of us.

Happy New Year everyone and thank you for volunteering
your time.

//Seab

---

---
Each and every one of us (being seen as opinion leaders on all things tech) should strive to put that bad/dirty habit of Internet Explorer to rest for once and for all. Leading by example will have a knock on / exponential impact in this case

Use of IE versus another browser such as Firefox has many similarities to other bad habits such as smoking or excessive drinking:

1>You know there is an alternative ie not smoking / use Firefox - but you just cant help yourself! You have done it for so long and it comes as second nature.

2>Being seen to indulge the habit - ie smoke / use IE in the company of your peers usually results in ridicule (every fire up IE at a SANS conference when showing off the latest tool in your arsenal? remember the sniggers!)

3>If you ditch smoking / use of IE you will be fitter and healthier - less time smoking - more exercise and less time patching - more exercise.

4>Ultimatley you know ongoing indulgence will result in your downfall - smoking will kill you and a zero day IE exploit is going to wipe out your entire corporate infrastructure with a super worm that chews data, OS and hardware!

So the moral of the story is if you want to be habit free, respected by your peers, healthy and have a long fruitful career - stop using that blo*dy browser!

Now where's my ciggarettes!

Peter Mc Laughlin

---

---
To the ISC and SANS, especially the volunteers, a great big THANK YOU for the job you do every day to help keep the world safer and more informed.


To anyone who has found there way to this message, read and heed what these guys say about security. Paranoia is simply a normal level of computer security.



To people who spam, write spyware, phish, and do other things that generally make others lives miserable… Well, that just shouldn’t be printed.



Greg Miller

---

---
Dear Sir/Madam,
Just wanted to say thankyou for the excellent work you ladies and gents do at ISC and express my best wishes to you all for 2005 and beyond.

Yours Sincerely

Steven Burn

---

---
I follow your Diary every day, even on a holiday and through the summer.
It's a very "heavy" source of information and helps to understand what
is believable in IT security news, in fact.
All the best and let's be awake!

Regards, and happy holidays,

Juha-Matti Laurio, Finland

---

---
I'd like to offer my thanks to the Handlers as a group for their time
and effort. I'm planning to attend SANS in San Diego this April and
hope to have a chance to meet some of you (and most any other denizens
of the Intrustions list) there.

Ken Connelly

---

---
Dear Sir,

It seems to be that in 2005, Africans and their governments will rise up to the threats that information technology vulnerabilities and crooks pose to their infrastructure.

Privacy will also become a major issue in South and West Africa as bodies such as EPIC and right curusaders get to users to realise that there is a bad side to the internet.

Those are my predictions for 2005.

I wish to thank SANS for contributing in no small measure to promoting information security awareness.

Idara Akpan

---

---
The year 2004 will be remembered for the virus wars and the rise of
phishing. My prediction is for more of the same, only on a larger and more
destructive scale: organized mass exploitation of critical vulnerabilities
for the purposes of illegitimate and criminal activity. To those obnoxious
(I guess that's all) virus writers I say: quit while you have your freedom.
Anyone who launches a file attachment virus to be clicked on by 300,000
users (July Mydoom variant), for "fun" or profit or just to one-up another
virus, deserves serious serious time in adult prison. To those who know the
identity of any virus writer I say: report them and collect the reward. And
by the way, file attachment viruses aren't even "elite" anymore; they don't
show creativity or ingenuity; they are just lame.

Remote exploits will be a growing problem in 2005. Sometimes, the hands of
security professionals are tied when vendors leave critical vulnerabilities
unpatched for more than a month, with zero workarounds (other than ditching
the application; go Firefox)! I mention this because one of my fondest
memories of 2004 came near the end. On Dec. 30, I passed the GCIH practical
and the two exams, thus earning my first (and hopefully not last) GIAC
certification. My practical, "Exploiting the Microsoft Internet Explorer
Malformed Iframe Vulnerability" covers the October vulnerability (CVE
CAN-2004-1050) that raised the ire of the infosec community for all of
November. To understand what the fuss was about, or to read an
attack/defense scenario complete with a buffer overflow diagram,
shell-shoveling shellcode, Netcat, and NTFS alternate data streams, I have
posted my practical at
http://www.as2.info/Alan_Tu_GCIH.doc

Thank you Alex for the inspiration to get certified; thank you Kevin Bong
for the instruction; and last but not least thank you Ed Skoudis for
putting together such high-quality courseware. The books for Track 4 are a
complete treatise on network attacks and incident response, and your
conference presentation of the material is beyond first-rate.

Alan Tu, GCIH 2004

---

---
Hi



The most valuable site in the internet for security professional
RAVI.R

---

---
To ISC:

I start working in security field from early of 2004
and Internet Storm Center always be my reference for
latest Internet threat. ISC have gave me better idea
in security field and how to further develop myself.
Really thanks a lot!!! Keep it guys!!

Regards,
Ahman

---

---
Happy 2005 ISC Handlers! Reading the Incident Handlers Diary has become a part of my daily operations and has, on more than one occasion, provided a valuable heads up or insight into anomalous behavior on the network. Thanks for providing such an excellent Diary and for your direct responses throughout the year. Especially thanks to Deb for the help with IRC botnets!

Terence Runge, CISSP
Senior Security Analyst

Time is running out for *you* to write your diary!

We are planning a diary for the first week of the New Year that is exclusively a "Reader's Diary". This will be a diary of inputs from you, our readers, to the rest of the world. We are looking for inputs that pertain to ISC, the Internet, New Year Predictions, suggestions, 'thank you' notes, almost anything (within reason). We will try to get all of the inputs posted, and they will be available for reading on January 2nd/3rd. Please include your name and valid email address. Names will be posted, however email addresses will be kept private.

Please submit entries to newyear@isc.sans.org by Jan. 2nd 1200hrs GMT to be added to the diary. Yes, that is only a few more hours away.

Update of Windows XP: Surviving the First Day

It has been over a year since Johannes Ullrich and the ISC wrote XP Survival Guide. During that time XP Service Pack 2 has been released, along with a number of other critical patches. Additionally, there has been comments through out the year of things that could be improved in the document for end users. As such the ISC is in the process of updating the document to include SP2 considerations and hopefully release the new and improved Guide shortly. (Okay, I had planned to release something this week except I had the fun of extended time at home on a dial-up link for my family's white Christmas, and then was sick most of this week.) As I have not finished the rewrite, and there was very limited amount of new security issues to mention, I am going to ask our readers if there is any particular things that you would like to include in the document. Keep in mind this document was highly oriented toward those that are home users or are small office/home office in which Windows Update is the primary method of securing new systems.

So, if you have any ideas, suggestions, criticisms on the current document, please let the ISC know. It is my hope that the document will be ready for version 2 within a week (or 2 if there are more major overhauls suggested by the readers then I am guessing).

---

Scott Fendley

University of Arkansas

sfendley _at_ isc.sans.org