The source code claims to be made by the folks at Metasploit and X-Force, together with an anonymous source.
The exploit generates files:
- with a random size;
- no .wmf extension (it uses .jpg, but any other image extension would work just as well);
- a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
- a number of possible calls to run the exploit are listed in the source;
- a random trailer
Judging from the source code, it will likely be difficult to develop very effective signatures due to the structures of the WMF files.
Wishing all windows machines a happy New Year, with a bit fewer nasty exploits.
Considering that this upsets all the defenses people have in place, we voted to go to yellow in order to warn the good guys out there that they need to review their defenses.
Kaspersky Lab Blogs
Be very careful when opening the New Years Greetings that you receive folks. We wouldn't want you to have to spend the rest of your holiday weekend rebuilding your computer.
Thanks to Juha-Matti for providing the information.
I'm also not trying to bash on Microsoft. If I were I'd have borrowed a subject of some spam message I got recently: "forget microsoft, get big and hard". I'm just trying to show how you can come from an extreme reasoning to a workable solution to protect those assets that need protection.
Suppose you defend a place that has high to very high security needs and wants to avoid the wmf thing at all cost. Reasons to do this should be based on a risk assessment, but elements that might lead to such extreme conditions might include:
- No patch in sight from Microsoft
- Not wanting to infect peers such as customers
- Not wanting to rely on anti-virus signatures when people are developing versions of the exploit with a highly random nature
- Not wanting to rely on IDS devices due to the same randomness and the "it's too late already" aspect
- Ban Microsoft products in your environment
  - I told you we were going to start from the extreme viewpoint, so hold your horses.
  - What does it buy?
    - No Windows, no Windows WMF vulnerability
  - What does it not buy?
    - You can still pass on dangerous payload to others, like your customers.
    - If a single escaped machine remains or a single machine snuck back in, you still might get affected.
- Ban all communication and/or file exchanges
  - Extreme again, isn't it? Moreover it is perceived as very hard in a modern world.
  - What does it buy you?
    - You prevent yourself from getting and giving dangerous payload to all peers
  - What does it not buy you?
    - If a single file would sneak in, or be present already, you might still have a major problem
    - You have sacrificed a lot of availability to gain confidentiality and/or integrity
Most of our readers do not have the extreme "at all cost" risk situations.
Most of us have a situation where we have a business, and the business must continue to operate. In such a business however you will identify -if you look for it- areas that might need more protection and are willing to sacrifice more for that protection than other parts of the same business. That difference in need for protection is what you can play on to do something.
E.g.: Suppose I know the accounting department was considered sensitive and, due to the risk analysis performed, worthy of more extreme measures than other departments.
What could I try to do to use some of the very extreme ideas and build a safer solution for them now and in the next weeks ?
- Isolate them from the rest of the company. Plug a firewall between them and the rest of the internal networks. Disallow all unneeded communication with the rest of the company, making sure their servers are on their new inside.
- Use advanced networking solutions to prevent (accidental) hookup of unauthorized equipment to the sensitive network. E.g.:
  - Make sure switch ports automatically shut down when they try to learn a second MAC address
  - Assign DHCP addresses only to known MAC addresses
  - Kick unknown MAC addresses into a separate VLAN
  - Use layer 2 measures (such as private VLANs) to prevent client-to-client communication
- Disallow dangerous usage:
  - Disallow IM
  - Disallow web surfing
  - Disallow email, or strip all attachments from the more secure email server they get access to.
  - Now no surfing, no email, etc. can be hard on the users, and they might have really good arguments to have the functionality back.
- Build a second, less sensitive network on different infrastructure
  - Add machines for those that need the web/email/...
  - Allow them to surf the web (with traditional restrictions) on those "less" secure machines but not on the "sensitive" machines, which are to be used exclusively for their sensitive application(s).
  - Be very procedural and build the needed infrastructure if you want to allow transfers between the two environments.
- The more traditional stuff should not be forgotten, especially not on the more secure side:
  - Take a tough stance on updating anti-virus signatures
  - Look into unregistering the DLL as per Microsoft's suggestion
  - Maybe consider an unofficial patch from some reputable source
- Look for other platforms
  - This is hard, as training users to switch platforms takes time, and worse, applications might not have clients for other platforms that work properly. Still, it's one way out of the de-facto monoculture of operating systems and related vulnerabilities. We know from agriculture that monoculture has risks. If we do not want to accept the risks, we need to act on it as well.
- Look for other strongholds to build
  - If you have more than one sensitive section in your company, build more of these strongholds; do not build larger ones.
  - More, smaller ones will better contain the spread of infections and keep the associated risks and clean-up costs under control.
Add to that that families of nobles get their own donjon so as not to risk all nobles getting wiped out in one go should disease strike the city.
On December 27th I asked for predictions for 2006. Here is what we got. Many thanks to all of you that responded. Now let's see how close these guys are.
From Dan: You asked for them...
* Trojans outpace worms
I believe that one of the biggest threats are going to be insecure databases. The proof of concept database worm that was released about a month or so ago is just the very beginning of what we will see over the next year+. To me this is a very real problem as I have audited environments where there was a huge focus on securing hosts and servers, but zero or minimal focus on securing the database.
My 2006 predictions/paranoid phobias:
1. "Zero-Day" exploits that are discovered and exploited by The Bad Guys, with no one being the wiser until it is far, far too late;
2. Tightly-targeted malware (currently being used) that, once it gleans information from financial institutions, allows the attacker(s) to then completely trash the entire information store - causing panic/chaos (if only for the targeted company(s));
3. Hackers taking the Fed's recent announcement that "the Internet is not vulnerable to widespread attack" as a personal challenge.
I purchased new computers for my grown, married children and their families for Christmas. They each had really old hand me downs and it was time to get them up to date. My daughter and her husband didn't even have an email address of their own, they came to my house and used mine. So for Christmas I decided to give their families something they could really use.
Before those machines even made it under the tree - they were completely updated. (That is what I spent late Christmas Eve doing). I installed a software firewall program and antivirus program on them as well as AdAware and Spybot. I uninstalled all of the junk programs that the vendor had put on the machines (Kazaa Lite, etc...). Their email was set up and all of the updates were done. They have been instructed on running scans and making sure that the live update is running. I have instructed them on what not to do (open unsolicited emails, click on links or attachments from unsolicited emails), don't download, stay out of chat rooms, etc.
I contacted them yesterday and reminded them not to open ANY attachments or links in any email that they were not specifically expecting. And to stay out of the IM's.
Here is hoping that this will keep them safe for the next few days. How about you? Have you adequately protected your computer? Do you have a current AV program that has updated defs? Do you have a firewall?
Have a Happy New Year everyone.
WMF Indexing, White Elephants and White Rabbits
The WMF White Elephant in the room as far as I'm concerned is Indexing. YMMV. How many Vendors have other Indexing services installed that are going to automagically enable WMF exploitation on or across your network?
F-Secure pointed out the White Elephant when they recommended you "disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows" and said "This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.". And I agree, turn all Indexing off until a fix is out.
Microsoft, Google and other vendors should immediately address what the role is of their indexing services, particularly as it relates to shares, synchronization and potential mitigation activities. Their lack of comment on this issue is glaring.
MS Indexing (White Rabbit Link)
F-Secure's blog today has a new vulnerability workaround (unrelated to indexing).
Preparation for the Inevitable (and New Years Resolution?)
When your Family and friends inevitably ask for help to "clean" their systems exploited by malicious WMF (or other) attacks, refer them to MS's free phone support.
Microsoft's No-Charge support phone number for virus and other security-related issue support is 1-866-727-2338, and "is available 24 hours a day for the U.S. and Canada."
"Outside of the U.S. and Canada", click here and then select your region to obtain the free support phone number for virus and other security-related issue.
It is possible that one could run arbitrary code through the vulnerability with the OSPF dissector, but more likely you will just have Ethereal crash or use up all available system resources.
The new version is available at http://www.ethereal.com/download.html .
Handler on Duty
Websense released some more information about their investigation in some website exploitation that involves IFRAMEs and WMF vulnerability. My fellow handler Lorna said recently, "IFrames are always suspect in my eyes." In light of this information, I have to agree with her. Take a look at Websense Security Labs website for details of their investigation including a nice movie file showing the exploitation at work.
As a side note, I am quite thankful that most university and K-12 schools are still on holiday until next week. This will hopefully give enough lead time for the mass media to report on this issue, and maybe, just maybe, Microsoft will have a better solution for the home users and our student populations. *crossing his fingers that MS will release a preliminary update quickly*
One reader sent us the following summary, which pretty nicely outlines the issues with this vulnerability:
- Filename extension filtering will not work.
- Even if you un-register the DLL, some programs may re-register it by invoking it (shimgvw.dll) directly.
- You have to delete or rename the DLL to protect yourself. However, remember to undo this once there is a patch.
- While images embedded into documents may not immediately trigger the exploit, they may once saved into their own file.
Handler on Duty
John Herron at NIST.org discovered today that Lotus Notes versions 6.x and higher are vulnerable to the WMF 0-day exploit. In the advisory, located on the NIST website here, John reports that Lotus Notes remained vulnerable even after running the regsvr32 workaround in the Microsoft security advisory.
First a couple notes about these rules:
In its simplest case, you may want to limit the rules to port 80 (or $HTTP_PORTS, which typically maps to ports used by web servers). But realize that this only works if you block access to other ports at your firewall. Otherwise, it's trivial to just run a web server on an odd port and link to the image on the odd port.
Here is the rule developed by the Bleedingsnort team:
(to avoid copy/paste issues, see the bleedingsnort CVS repository)
I'll be the first to admit, there are things I can do much better than I have been and I'd wager that most people reading this believe there is at least one security related thing that they can do better as well.
If you have not already done so, take a few moments to think about what you could do better. We all understand the realities of budgets, office politics and the other factors we often complain about daily and lay blame on for an inability to do [insert whatever here], and we understand that many things will not change despite how much we wish them to.
Think of one thing that you can (realistically) do better next year to make the systems you are responsible for safer, more secure and just as usable and then make a plan to make it happen.
You don't have to send your resolutions in to us, but at some point next year, I'll put the question to you as to whether you kept your resolution or not.
If you insist on sharing, or want to send your resolution to someone thinking that you might be more inclined to keep it if someone else knows, send them to me at isc dot chris at gee mail dot com. If I have enough and see any patterns emerge I'll write about it when I am again on duty next month.
An advisory has been released by Microsoft, working snort signatures are available and as a result of raising the Infocon to yellow yesterday, awareness of the issue has been raised appropriately.
Moving to green signifies that no -new- significant threats are currently being tracked and is not intended to imply that the threat level today is any less than it was yesterday. See Infocon Levels for more information. Administrators and others responsible for system security are encouraged to act appropriately if no action or incomplete actions have been taken at this time.
Update 19:07 UTC: We are moving to Infocon Yellow for a bit. There has been some debate among the handlers about this step, but considering that a lot of people are on holidays and might otherwise miss the WMF 0-day problem, we have decided to raise the alert level.
The folks at Websense Labs have a nice movie of what it looks like when a system gets exploited by this WMF 0-day, see http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv . Don't go to any of the URLs visible in the movie unless you know what you are doing (or feel like spending the next hours reinstalling your PC).
The original exploit site (unionseek.com) is no longer up. But the exploit is being served from various sites all over by now, see the F-Secure Blog on http://www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.
Working exploit code is widely available, and has also been published by FRSIRT and the Metasploit Framework.
Regarding DEP (Data Execution Prevention) of XP SP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet), the WMF exploit attempt will result in a warning and not run on its own. Don't feel too safe though, we have also received comments stating that a fully enabled DEP did not do anything good in their case.
While the original exploit only referred to the Microsoft Picture and Fax Viewer, current information is that any application which automatically displays or renders WMF files is vulnerable to the problem. This includes Google Desktop, if the indexing function finds one of the exploit WMFs on the local hard drive - see the F-Secure Weblog mentioned above for details.
Update 23:00 UTC: The vulnerability seems to be within SHIMGVW.DLL. Unregistering this DLL (type REGSVR32 /U SHIMGVW.DLL at the command prompt or in the "Start->Run" Window, then reboot) will resolve most of the vulnerability, but will also break your Windows "Picture and Fax Viewer", as well as any ability of programs like "Paint" and "Explorer" to display thumbnails of any picture and real (benign) WMF files.
Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.
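Because the renderer keys on the file's content rather than its name, a defensive filter has to do the same. The following is an added example (not code from the diary or from any of the vendors mentioned) that recognises the two WMF header layouts the format defines, the Aldus placeable header key 0x9AC6CDD7 and the standard METAHEADER (Type 1 or 2, HeaderSize 9, Version 0x0100 or 0x0300), and flags any file that carries one under a different extension. The sample "files" at the bottom are constructed for the offline run; none is a real exploit sample.

```python
"""Content-based WMF detection: check the metafile header, not the extension."""
import struct
from pathlib import Path

# Aldus placeable metafile key, 0x9AC6CDD7 stored little-endian.
PLACEABLE_KEY = b"\xD7\xCD\xC6\x9A"


def wmf_kind(data: bytes):
    """Return 'placeable', 'standard', or None for the given file content."""
    if data[:4] == PLACEABLE_KEY:
        return "placeable"
    if len(data) >= 18:
        # METAHEADER: Type (1 = memory, 2 = disk), HeaderSize (always 9 words),
        # Version (0x0100 or 0x0300), followed by size and object counts.
        ftype, hsize, version = struct.unpack_from("<HHH", data, 0)
        if ftype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
            return "standard"
    return None


def classify(name: str, data: bytes) -> dict:
    """Compare what the extension claims with what the leading bytes say."""
    kind = wmf_kind(data)
    ext = Path(name).suffix.lower()
    return {
        "name": name,
        "wmf": kind,
        # A WMF header under a non-.wmf name is exactly what an extension
        # filter lets through and what the viewer will still render.
        "disguised": kind is not None and ext != ".wmf",
    }


def disguised_wmfs(files) -> list:
    """Names of (name, bytes) entries carrying a WMF header under another extension."""
    return [c["name"] for c in (classify(n, d) for n, d in files) if c["disguised"]]


def scan_directory(root: str) -> list:
    """Same check over real files on disk; reads only the 18-byte header of each."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                if classify(path.name, fh.read(18))["disguised"]:
                    hits.append(str(path))
    return hits


# Constructed sample inputs for an offline run (not real files from the diary).
SAMPLES = [
    ("holiday.jpg", b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 8),  # genuine JPEG header
    ("greeting.jpg", PLACEABLE_KEY + b"\x00" * 18),                    # placeable WMF renamed .jpg
    ("card.gif", struct.pack("<HHHIHIH", 2, 9, 0x300, 64, 1, 20, 0)),  # standard WMF renamed .gif
    ("chart.wmf", struct.pack("<HHHIHIH", 1, 9, 0x100, 64, 1, 20, 0)), # WMF with an honest name
    ("notes.txt", b"Happy New Year" + b"\x00" * 8),                    # plain text
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(classify(name, data))
    print("disguised:", disguised_wmfs(SAMPLES))  # ['greeting.jpg', 'card.gif']
```

Run against a mail quarantine or a download cache with `scan_directory(path)`; the header check is the same one the Picture and Fax Viewer makes, so a file that trips it will be rendered as a WMF whatever its name says.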
From Daniel's diary entry yesterday ...
Just when we thought that this will be another slow day, a link to a working unpatched exploit in, what looks like Windows Graphics Rendering Engine, has been posted to Bugtraq.
The posted URL is [ uni on seek. com/ d/t 1/ wmf_exp. htm ]
(DON'T GO HERE UNLESS YOU KNOW WHAT YOU'RE DOING. Added spaces to avoid accidental clicking. See Firefox note below!!)
The HTML file runs another WMF (Windows Meta File) which executes a trojan dropper on a fully patched Windows XP SP2 machine. The dropper will then download Winhound, a fake anti-spyware/virus program which asks the user to purchase a registered version of the software in order to remove the reported threats.
During the test Johannes ran, it was interesting that the DEP (Data Execution Prevention) on his system stopped this from working. However, as this was tested on an AMD64 machine, we still have to confirm whether (or not) the software DEP also stops this - let us know if you tested this.
Internet Explorer will automatically launch the "Windows Picture and Fax Viewer". Note that Firefox users are not totally immune either. In my install of Firefox, a dialog box will ask me if I would like to load the image in "Windows Picture and Fax Viewer". If I allow this to happen ("pictures are safe after all" NOT!), the exploit will execute.
UPDATE - According to F-Secure's blog "Firefox users can get infected if they decide to run or download the image file."
For more information, see also http://secunia.com/advisories/18255/ , http://vil.mcafeesecurity.com/vil/content/v_137760.htm and http://www.securityfocus.com/bid/16074/info
Most Hated Netblock: 195.225.176.x - 195.225.177.x (AS31159)
Provider: Netcathost, Kiev, Ukraine
Reason for claim to fame: Hosting exploits, browser hijackers and CoolWebSearch related annoyances for several months. Ignoring, bouncing, or rejecting any complaints to the abuse contacts.
Update: beehappyy.biz is being implicated in the currently ongoing WMF 0-day exploit mania. And guess what beehappyy.biz resolves to ? 22.214.171.124 - my favorite netblock again. Null-Routing, anyone?
Remember - Don't click on links in IM - ever. A dog is not a dog in IM. And Aunt Sally probably is not really Aunt Sally.
With the developing trends in botnets and denial of service with them, I'm willing to bet that we'll see more frequent use of ddos for hire and malware distribution by zombie pcs. It also would be a shock to see an adaptive botnet..that can change and adapt to discovery on the fly..shutting down discovered nodes and such.
As direct electronic invoicing becomes more popular, criminals will try to leverage poor implementations of Web Services to submit fraudulent invoices for payment. Agencies that have done away with support staff necessary for manual invoice processing will pay dearly.
I can't think of a new 'technical' threat but the existing technology joy-ride hackers are using could end up being more dangerous in the near future. Currently when we find a hacked system it is normally being used to share copyrighted music, movies or applications. They mainly want to use our disk space and bandwidth and have no dangerous agenda. This could change in the future, however. As financial institutions tighten up security the money motivated hackers may turn to using BotNets to harvest documents. Instead of hijacking a system to use the disk space and setup detectable FTP servers they may end up harvesting all of the documents from the system in hopes of gaining financial or personal information for identity theft. Pretty scary to even think
Just thought I'd add some of the potential issues that we might start seeing in 2005. First, is the spread of bots to IP enabled devices. Once more as devices reach that "on-line all the time" state, the vulnerabilities will be exploited more. This could include a range of devices from cellular phones, to even the next generation console systems. (Note: viruses and exploits for console systems may deserve to be its own potential issue). Second, an increase of malware for alternative operating systems (non-Windows), primarily for the Tiger OS. Third, IPv6 will become wider spread, and while it will be a partial remedy for some security issues; improper implementation will create added security risks and issues -- primarily in the areas of content management/filtering, simpler facilitation of cryptographic malware, and brand new vulnerabilities for IPv6
So what do you think? How did our predictors do for 2005? What do you think were the biggest issues for 2005? I will be the Handler On Duty on News Years Eve and will print some of the responses we receive.
What are your predictions for 2006? Let us know. Your response could be used in a Diary next year.
Traditionally a honeypot was a (somewhat) vulnerable system that you let get infected in order to learn something from it. This newer breed is more of an automated system to catch malware without getting the system infected.
mwcollect (http://www.mwcollect.org/) is an automated downloader of malware. Georg Wicherski, mwcollect head developer, sent us some collected samples from his setup, and I must say I'm still impressed by the number of samples he has sent us.
Along the same lines is nepenthes (http://nepenthes.sourceforge.net/), a system that emulates known vulnerabilities in order to catch the exploits thrown at it.
Fellow handler Daniel Wesemann suggested a look at the Argos system (http://www.few.vu.nl/~porto/argos/), designed to detect arbitrary control flow and arbitrary code execution attacks. It is built on top of QEMU for the emulation of x86 processors. I have one big gripe about the approach and that is the comment in the FAQ of QEMU (quoting):
Q: "I want to set up a honeypot. Can I use QEMU for that purpose ?"
A: "It is possible, but the QEMU code has not been reviewed for security issues."
With recent vulnerabilities in the commonly used VMware and the trend of malware detecting VMware and debuggers, great care is needed regarding the quality and security of these tools. So my suggestion would be to carefully inspect the source code of any of these before deciding to deploy it, even for a test run.
There are for sure more efforts in this arena, I'm just summarizing what we received recently.
As always, use these systems at your own risk.
Collecting all these samples is however just the first step. Somebody needs to analyze them, and with the increase of malware that race might be tough on some. See also Kevin Liston's article on Dasher.
Some might ask why I choose silent drop. I will explain but first a few questions.
What does it help if the firewall sends notification of traffic it rejects?
Why tell the bad guy what you're blocking? (And what you're not blocking.)
Which good guy is permitted to scan my systems for open ports or protocols?
1: Silent drop prevents some reflective attacks.
In some cases the source address of the attack victim is spoofed. The desire is to cause firewalls, routers and other systems to send traffic back against the spoofed source.
2: Silent drop prevents reverse mapping.
In other cases, by sending back a "port closed" type message your firewall can be negatively mapped (e.g. Denied 1-1024 except 22, 23, 25, ...). That is how the nmap UDP port scan and protocol scan work. They basically assume a port or protocol is open unless they get a message stating it's closed.
3: Silent drop might not be effective, as a reject might never reach the intended target.
With the recently discovered blind TCP resets via forged ICMP errors, the RFCs governing some of these reactions will probably be changed. Gont, the author of the vulnerability report, suggested that a larger amount of the original packet be returned with the ICMP error packet. In the meantime, one of the primary mitigations for this issue is to ignore the first few ICMP errors that could cause a reset. Many networks blocked some incoming ICMP error messages as a result of that vulnerability.
I personally require silent drop (no icmp, no TCP resets) as a standard feature from firewalls and other filtering devices.
The jury is still out on the "correct" thing to do, but if a firewall or filtering device doesn't support silent drop I would not buy it or recommend it. It should be an option the end user can choose.
Additional comments were contributed by fellow handlers Swa Frantzen and Johannes Ullrich respectively:
"I try to build "drop" to the "bad" side and reject to the "good" side. Good and bad might not always be in and outside. I permit the network admin stations to initiate traceroute and icmp echoes, in order to not have the reaction "it's the firewall" all over the place when the firewall is working as intended."
One reason to have internal reject rules that prevent systems from 'calling out' but send a correct error report: rejects make it easier to debug issues. In these cases it's more about mistakes than malicious users.
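The reverse-mapping argument (point 2 above) and the "drop to the bad side, reject to the good side" rule of thumb can be made concrete with a small model. The following is an added illustration, not code from the diary or from any firewall product: a filter that forwards a set of allowed ports and either answers the rest with an ICMP unreachable (reject) or says nothing (drop), and a UDP-style scanner that can only classify a port as "closed" when it receives that error. Port numbers and the allowed set are constructed for the example.

```python
"""Silent drop versus reject, seen from the filter's side and the scanner's side."""


def filter_response(port, allowed, policy):
    """Response the filter gives to a probe of `port`.

    Ports in `allowed` are forwarded to the host behind the filter; every
    other port is answered with an ICMP unreachable ('reject') or silently
    discarded ('drop').
    """
    if port in allowed:
        return "forwarded"
    return "icmp-port-unreachable" if policy == "reject" else None


def policy_for(side):
    """Handler rule of thumb: drop towards the untrusted side so probes learn
    nothing, reject towards the trusted side so misconfigured internal clients
    fail fast with a real error instead of a timeout."""
    return "drop" if side == "external" else "reject"


def scanner_view(probed, allowed, policy):
    """What a UDP-style scanner can conclude from the responses alone.

    A forwarded probe that the host never answers and a dropped probe look
    identical on the wire, so both end up as 'open|filtered'. Only an ICMP
    error lets the scanner mark a port 'closed'.
    """
    view = {}
    for p in probed:
        resp = filter_response(p, allowed, policy)
        view[p] = "closed" if resp == "icmp-port-unreachable" else "open|filtered"
    return view


def inferred_open(view):
    """The negative map: everything the scanner was not explicitly told is closed."""
    return {p for p, state in view.items() if state != "closed"}


# Constructed example: the filter passes three UDP ports, the scanner probes 1..1024.
ALLOWED = {53, 123, 161}
PROBED = range(1, 1025)


def leakage(side):
    """Number of ports a scanner on `side` can single out as possibly open."""
    return len(inferred_open(scanner_view(PROBED, ALLOWED, policy_for(side))))


if __name__ == "__main__":
    print("internal side (reject):", leakage("internal"))  # 3: exactly the allowed set
    print("external side (drop):  ", leakage("external"))  # 1024: no information gained
    print("internal client to blocked port:",
          filter_response(80, ALLOWED, policy_for("internal")))  # immediate error, easy to debug
```

With reject, the scanner's list of "not closed" ports collapses to precisely the allowed set, which is the negative map the point above describes; with silent drop every probe looks the same and the scan yields nothing. On the trusted side the same ICMP error is what turns a confusing hang into a message the help desk can act on.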
Suliman brought a phishing attempt to our attention that was written in Arabic, aiming at a bank out there and diverting the clicks to http://www_sambaonlineaccess_com/ instead of the bank's normal address, http://www.samba.com/ . According to the submitter - I can't read Arabic - it was linked to an online registration of a large IPO for a chemical company.
Aside from the IPO relation, it was also noteworthy because of the language used (Arabic) and the location of the server where the clicks were directed to: Israel. I cannot help noting that at the very least this is quite provocative.
The website supposedly collecting the information wasn't responding at the time I tried to look at it, which might be a good sign after all.
The lesson for the end users remains the same: never follow links you get in email. If possible turn off the rendering of HTML for email, it's a serious risk from a security perspective.
The warning for those of us fighting abuse is also clear.
- Some attacks might aim at very short-lived events.
- You won't be able to understand it all, so you will have to make sure you have processes in place that can deal with language in abuse complaints you can't understand yourself.
Some observations from http://isc.sans.org/diary.php?storyid=960:
- 8% suggested the use of a hardware router
- 8% suggested that Linux was the answer for their parents
- 11% thought that Macs were a safer option
- 19% were willing to enter a lifetime support contract for their parents
- 19% thought that their parents couldn't handle a computer
- 25% of the submitters chose to send their suggestions anonymously
As Johannes pointed out in http://isc.sans.org/diary.php?storyid=957 RFC2142 is a pretty good RFC to follow. It works both ways too.
For example, let's say you're running vulnerability scans against your local bank's website and you come across what you think is a very serious vulnerability. Do you:
a) Jot that IP address down for later use when you need to pay off your credit card debts from the holiday season's over-indulgences.
b) Drop a friendly fact-filled note to email@example.com
c) Launch a media campaign to publicize the risk encouraging your readers to write letters to the Office of the Comptroller of the Currency
If one supports the idea of Responsible Disclosure the answer would be B, followed by C after an acceptable period of time.
Harry Hoffman submitted his intro to iptables on Linux
It's a nice little getting-started piece and it starts off with a default-deny policy, which is one of my personal favorites.
A more advanced treatment on reactive iptables is available here: http://www.sans.org/rr/special/index.php?id=adaptive_firewalls
I predict we'll be seeing profile.php probes appear in your web logs right along with the awstats and xml-rpc attacks that you've been getting.
Good luck on Christmas morning, everybody! We know that most of our readers are also family system administrators and this time of year we work overtime.
Best wishes to you and your family from all of us at the Internet Storm Center!
Marcus H. Sachs
Director, SANS Internet Storm Center
From Gary Hinson:
Merry Christmas to all at SANS.
From Yves Konigshofer:
In fact, I got my parents a router last year (OK, I also wanted to be able to use my laptop there at the same time) and my father is looking to get a new computer any day now.
It's also important to set up accounts that are not administrator accounts for everyday use.
From John Herron:
From Pawel Maczka:
- set strong admin password - use >= 8 characters mix with !"#¤&/) and numbers
- just uncheck "Sharing disks and printers in MS networks" in network connection properties
- agree for firewall and automatic updates
- get Mozilla FF from www.mozilla.com and set as default system browser.
- purchase and install commercial antivirus software
- set password for regular user like admin password
- install an ad/spy-ware freeware like spybot or lava or just even MS AntiSpyware
From Jafar Calley:
Next, my present to them would be free Linux lessons and support for life. As they are complete PC n00bs they wouldn't be able to tell the difference between Linux and Windows, but a little help in using it would go a long way.
Using Linux would also be less frustrating for them as they wouldn't have to worry so much about viruses and spam so they can surf the "interweb net thingy" without worrying. No Spyware either.
Most other stuff like email, writing letters etc.. is straight forward and usually pre-installed with most Linux Distros so after a few lessons, they won't need to keep calling me back because the computer keeps crashing or they can't do what they want to do.
From Steve K:
(Luckily the limit to my father's computing expertise is playing "Missile Command" from MS Arcade and he has no aspirations to further technical savoir faire!)
From Peter Glock:
She has an existing AOL account for the rare times when she needs to be online which I set up for her some years ago. I foolishly thought this would add some additional layer of protection (d'oh).
I'll use the included Apple Remote Desktop to give me VNC access (tunneled over ssh of course) for remote diagnostics, not sure how this will work through the AOL proxy, I will probably have to put a script together to setup a reverse tunnel. I'll set her up two accounts, a 'normal' one for everyday usage plus an admin account for those rare occasions when she needs to install/update something.
The mac firewall will be set to allow only ssh inbound. I'll setup ClamAV on the mac to scan stuff for malware.
I'm probably going to setup a wifi dial-up access point (I have an older Apple Airport going spare) so she doesn't have to have a phone lead installed by the TV. This will be locked down with WPA.
Think that's it!
Knowing it would most likely be Windows as the OS (beginner's choice), I'd have autoupdate set up, AV with hourly checks and weekly scans, a REAL firewall with updates set up, and a card taped to the monitor with my phone number for emergencies that will occur (new users).
After a bit, I might try to persuade them to go LINUX, use openoffice, firefox, thunderbird, etc. Security updates are posted as soon as they can be resolved and don't wait for a patch cycle on fixes for Zero-Day exploits.
I find that many of my relatives that are 55 and older just have not had the experience with technology to intuitively understand it, and these are the same ones with always-on high speed connections at home and no firewall/AV measures. I spend many hours helping fix these issues for them only to find that after 12 months, when the subscription runs out, they get confused by the nag screen asking for a renewal, never do it, and end up compromised again.
I hate this time of year... My list of relatives that call me for help will increase with each new PDA, computer, and MP3 player.
From Randy Nash:
While some of this may be somewhat dated, I tried to keep it generic and high-level enough to be useful over time. Today I'd at least add a section on using a secondary browser such as FireFox. I may also expand on the various tool listings for each category. I hope you find this suitable.
From John Franolich:
UltraVNC is a nice remote app that can be customized to connect with your IP. The executable, that the home user downloads, does not install as a service. Also, it will time out after a few minutes if there is not any inbound connection.
From Bert Rapp:
From Michael Varre:
Write down the Dell tech support number and keep it on the fridge.
P.S. That number should do ya for a year :) After that please feel free to call me. Baahhhhh Humbug.
Oh, I may also share the basics of keeping their computer up to date with patches. A reminder every week or so in their calendar to double check their AV signatures and run a spyware scan also worked extremely well.
From Art McFadden:
The first logical step would be to ensure the OS and drivers are up to date and add some of my favorites: Microsoft's anti-spyware program, Spybot Search and Destroy, and Grisoft's free version of AVG antivirus. From experience, I have found that people with expired antivirus programs allow them to lapse for two main reasons:
• Money - Will the computer still work? Yes? Well then why should I pay anything? I won't get a virus. (Sounds like a similarly incorrect line of thought I heard about from some less cautious fellow students in college ;-)
• Not informed - We warn people constantly about fraud on the Internet, identity theft, and other white collar crimes. Now they get a window asking them for credit card information. Hopefully, they will call someone they trust before dismissing this as a scam, to be enlightened.
If my father (the retired computer analyst/administrator) received a new computer for Christmas, I would ask him what the specs were and how does he like it. After all, he is one of the people I call when I have questions.
Happy Holidays and stay safe.
Now he has broadband on a little "celery" 2 gig machine. He still does email, but now his joy is printing color photos of the fish his son catches. He goes through color ink cartridges pretty fast. I worry about phishing attacks because he's a prime target. I swing by and run Spybot and Ad-Aware occasionally and so far, so good.
My neighbors are in their 80's and surf high speed all the time. They are very PC savvy and know about suspicious emails and using Firefox instead of IE, etc. It just depends on their comfort levels. Mom and Dad's machine is ripe for a zombie attack, while my neighbors are trusted surfers.
From Wayne Smith:
1) You will use alphanumeric passwords at least 8 chars long. You will not use the same password for more than one account. Your ISP email password should not be the same password you use for ebay, which should not be the same password you use for paypal. Period.
2) You will have an anti-virus program installed and you will update it every time you are online. You will get the new upgrade once a year. Yeah, it's a pain on dial-up so just do it when you are done surfing each time, unless you haven't been on for a few weeks and then do it immediately before you surf the web or check email.
3) Email... you will never forward, forward, forward something that simply has to go to all your friends. Chili's and Sears aren't giving away their money. If you forward anything like that to me, I'm changing my email address and my name.
4) You will never, ever, for any reason, click on a link inside an email. If you want to go to eBay, PayPal, anywhere, you open up a new browser and type the URL in. You look for the 'lock' and the https. If it looks strange, don't trust it. If anybody says your account has been hacked and click here, what do you do? Exactly.
5) if you weren't expecting an attachment in an email, you don't open the attachment until you contact the person you know and ask them what it is and why and have them confirm they sent it. If you don't know the person sending it, delete it and don't email the person.
6) Windows requires updating. It's not an option. When you are online, check for new updates.
7) You will have a separate, low limit credit card you use for online transactions. You never send the number via email, and unless you see https, the lock, and you didn't get any warnings about 'certificate', etc., you don't use it.
8) if something pops up on your screen, you'll read the whole message before clicking anything.
I'm a tech head and so is my wife. My Mom is on the other side of the spectrum. She's been computing safely for two years and only asks me for help when she needs to pull down a new copy of Norton once a year (hard on dialup).
If I could talk them through installing the antivirus and firewall software, we would have our second miracle.
Now if, and this is a biggie...if I could get Mom and Dad to stop forwarding every single chain letter they receive, asking if it really is true, or warning me about...
This would be miracle number three, and I would consider myself truly blessed.
Happy Holidays to all!
From R. J. Brown:
From Jim Halfpenny:
My parents do have a computer and use it only for web browsing. It's coming home with me this Christmas to have Linux installed on it. So long as it has Firefox and Solitaire they will be happy. So long as it's not got pr0n dialers, spam relays, spyware, adware, DoS tools, viruses, trojans, worms et al. I'll be happy.
From David Hamilton:
If I did it over, I would install hardware and software above all at once and train them throughout the year.
From Kristina Harris:
"Hi, honey, it's mom."
"Oh, hi mom."
"Say, I got a new computer, and I was wondering if ..."
" ... what's that?"
"No. Just No. You got it at Costco, didn't you?"
"Well, yes, but ..."
"And it has Windows, doesn't it?"
"I think so, but ..."
"Okay, do NOT plug in the computer until I come over with my adware detector/firewall/antivirus CD."
"Well, I was just going to .."
" ... what?"
"I said no. No, no, no. Do NOT. Plug IN. The computer. Until I get there."
"Well, really, honey I was just ..."
"Mom, don't make me disable your DSL."
"Oh ... okay."
"I'll be over in a few minutes."
"All right honey, I guess I could wait for ..."
"Oh, and Mom?"
"If you decide not to listen to me, just remember: Wells Fargo does not outsource their emailing to a company in Uganda, and Paypal does NOT need to verify your information. Neither does eBay. And you don't need to click on that link to verify anything. Trust me."
"Oh. Are you sure?"
"Yes. Oh, and Mom?"
From Ron M:
Return it. No kidding. There's just no hope that it'll stay updated and happy if they actually plug it in. A cuticle chainsaw would be a safer gift.
Have a good holiday, all!
* many new motherboards have built-in RAID capabilities.
I would purchase a 2nd hard-drive, and build a "mirrored" RAID configuration. Then, if one hard-drive died, the other drive will become a backup, until I could replace the dead drive, and re-enable the mirroring.
Yes, mirroring adds a one-time hardware cost, but it certainly is much easier for my parents than trying to teach them how to do routine backups.
* enable the Windows XP firewall *BEFORE* connecting the computer to the Internet, and then accessing Windows Update.
* download free software: MS Word Viewer, Adobe Reader, the GIMP (www.gimp.org), the latest Shockwave and Flash plug-ins. Then, tell them that anytime a pop-up window tells them to download or install something, just say "no" by closing the window, rather than clicking on the "NO" or "DECLINE" or "CANCEL" buttons inside the window.
* of course, anti-virus software (www.my-etrust.com/microsoft) is an absolute essential.
* inventory the CDs and documents that come with the computer, to ensure that they have received everything that they are entitled to, and help them to store that bundle in a safe place.
My advice to anyone receiving a new computer for Christmas:
1) Do not connect it to the Internet without an external hardware firewall.
2) Boot the machine and set a secure login password for admin / root and for the user account.
The following advice assumes it is a Windows machine
3) Before doing ANYTHING ELSE, perform a complete Windows Update.
4) Launch Internet Explorer. Download and install an alternative browser. My choice is Firefox, but Opera is also a reasonable choice. Then remove the blue e from the desktop and the launcher on the taskbar, and exit from IE.
5) Launch the alternative browser. Download and install Thunderbird for email. Remove Outlook / Outlook Express from the desktop and the launcher taskbar.
6) Install a good anti-spam tool. I like K9 from www.keir.net/k9.html. Teach the new PC owner how to train the antispam tool.
6) Download and install a personal firewall. Unfortunately Sygate is no longer recommended because support has ended :-( ZoneAlarm is ok.
7) Download and install the free grisoft AVG antivirus product. Update it and set it up to scan nightly.
8) Go to housecall.trendmicro.com and perform a scan to be sure the machine is clean.
9) Give the standard lecture about not clicking on links in emails, not opening attachments, and being generally paranoid about unknown web sites.
10) If they insist on using instant messaging, install the latest version of gaim and remove icons for any IM tool supplied with the pc.
11) Install Startup Monitor and Startup Control Panel from http://www.mlin.net/. Educate the owner about how to answer the popup questions that will occasionally be presented to them.
ALTERNATIVE to #3-11: Install Ubuntu Linux or a similar user-friendly distribution.
From Mike Lewis:
Why go through all the service, support, spyware, antivirus, free downloads ... crap available to Windows based PCs if all you want to do is e-mail, surf, and save pictures?!
From Brent Bice:
1. The first thing I've recommended several times to the extended family is, go buy a router/firewall -- not just firewall software, but a separate network device. Yes, they've had their own set of issues but it's far harder and less likely that the malware du jour will disable a hardware firewall than any of the software firewalls that may be on a compromised PC. I also urge them to get the latest firmware updates for their new network router/firewall.
2. From behind the firewall, update the brand new machine with the latest recommended patches and all security patches from Microsoft. Reboot. Rinse, lather, repeat until no more recommended or security patches are found.
3. Repeat step 2 with any software packages installed on the system and repeat as needed if any additional software gets installed.
5. Uninstall unneeded software.
6. Install/update anti-virus software. Ensure it updates itself at least once a day.
7. Install/update anti-spyware tools such as (but not limited to) Spybot S&D, AdAware, the new MS Malware Removal Tool, etc.
8. Give a class (or two or three) on the care 'n feeding of anti-virus software, anti-spyware software, applying updates (ensure automatic-updates are on), recognizing phish, the risks of opening holes in the firewall or installing browser plugins/helpers, and generally install a bit of healthy skepticism about clicking on links coming via IM or email.
Most of these require that I or another geeky family member pay a visit to help out. Oh well. It's usually good for a dinner and generally means far fewer of those REALLY painful attempts to walk someone through un-fscking their computer over the phone after it's been trashed by the MS Worm of the week -- especially if you're a unix geek like myself who hasn't kept up with all the changes to the windows desktop interface!
From Keith Rosenberg:
- Antivirus software
- anti-spam capability
- Hardware firewall if they have broadband
- Keep OS and all software updated
- Provide phone and e-mail support
- Educate them about the internet's redlight district
- And finally, set up their computer for them if possible. That is what I did in one case.
From Dave Rundle:
we were gathered round the PC, examining the mouse;
The flat-panel LCD; speakers, so new and so crisp,
Displayed Microsoft Sam, with his usual lisp;
"Welcome to Windows," it intoned with a beep
Never warning that the Internet has more than one creep;
And mamma's logging in, and shopping like crazy,
Cause security issues make most people lazy,
When up on the screen there arose a quick popup,
A quick flash of the drive light, a really quick screw-up.
Away to the keyboard I flew like a flash,
Tore open the registry and cried "Where's the Patch!"
The new startup path was pointed to "Temp,"
Hmm, where the Internet cache is usually kept?
When, what to my wondering eyes should appear,
But a known key logger, to cause much fear
With an outdated driver, more useless than junk,
"Who hacked my computer; what little cyber-punk!"
More holes than had patches, who was to blame?
And he whistled, and shouted, and called them by name;
"Now, Microsoft! now, Borland! now, eBay and Spammers!
On, Oracle! on Apache! on, Mozilla and Hackers!
Who can guard my computer, who's the best of them all?
Who can do a good job, and not leave me to fall?
As Norton was loaded, and Mcafee started,
My guests grew tired, and soon they departed.
Loading up patches took most of the night,
And then the next morning, I had a new fight.
My adolescent son awoke before dawn
Frantic scrambles downstairs I heard as I woke with a yawn.
Cam Girls Live he'd found; a deviant site,
You won't meet him here, cause he's grounded for life.
Net Nanny I loaded, and then CyberSitter,
A whole lot of trouble caused by this little critter…
A new bunch of toolbars has just been installed,
And a DLL error, (the kid will get mauled!)
By the next week, I gave up, the computer reloaded,
40 hours of work, like the Matrix I coded.
Had I taken the time to prepare my Dell,
I would not be sitting here inside malware hell.
Merry Christmas and a safe and prosperous new year to all the handlers.
I would hope it is a Macintosh.
First and foremost because they are easier to use, so fewer support calls...
But also because they are somewhat less prone to the on-going barrage of malware and viruses and all around pests that make computing such a pain.
If it is not a Mac, then I just got myself a free weekly dinner on Sundays...
From all of us at the ISC, we wish you the merriest of holidays and best wishes in the coming year!
We have kind of become used to seeing "bots" as a Windows issue. But to be fair: Kaiten probably pre-dates a lot of the Windows worms and bots. IMHO: it's so much easier to write a bot for Linux. You've got perl after all. I wouldn't be surprised to find one written in bash.
One really quick and dirty way to fool bots on Linux: make 'tmp' its own partition and mount it as non-executable. This will fool probably 80% of the bots, as they start out by writing themselves to /tmp. Don't forget to make /usr/tmp and /var/tmp symlinks. If you don't want to repartition: use a loopback file. Most Linux malware will compile itself on the target system. So removing development tools is always an option, but a bit painful for many. And you may not be able to do without perl. I wouldn't be able to make coffee in the morning without it, and without coffee not much would be happening here.
We do get LOTS AND LOTS of reports about various php exploit attempts. It's one of these things where you are probably already long exploited if you are vulnerable. The exploit attempts target a long list of vulnerable php applications. Nothing particularly fancy, just more and more of it.
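An added audit script for the noexec /tmp setup described above (example code written for this note, not part of the ISC diary): it reads a file in /proc/mounts format, so it can be pointed at the live /proc/mounts or at a saved copy, and reports whether /tmp, /var/tmp and /usr/tmp are their own noexec mounts or symlinks into one. The sample mounts content at the bottom is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the ISC diary: audit whether the temp directories
# are separate mounts carrying the noexec option.

# Print the mount options of mount point $2 as listed in mounts file $1
# (/proc/mounts format: device mountpoint fstype options dump pass).
# Prints nothing when that path is not a mount point of its own.
mount_opts() {
    awk -v mp="$2" '$2 == mp { print $4 }' "$1"
}

# Return 0 when $2 is its own mount point in $1 and has noexec set.
is_noexec_mount() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Audit each directory named after the mounts file. A directory passes if it
# is a noexec mount itself, or if it is a symlink (checked on the real
# filesystem) whose target is one, which covers the diary's
# /usr/tmp -> /tmp and /var/tmp -> /tmp arrangement.
# Returns 0 when every directory passes, 1 otherwise.
audit_tmp_dirs() {
    mounts="$1"; shift
    failed=0
    for d in "$@"; do
        target="$d"
        if [ -L "$d" ]; then
            target=$(readlink -f "$d")
        fi
        if is_noexec_mount "$mounts" "$target"; then
            echo "OK    $d (noexec mount at $target)"
        else
            echo "FAIL  $d is not a separate noexec mount"
            failed=1
        fi
    done
    return $failed
}

# Constructed sample in /proc/mounts format (not from a real host): /tmp is
# a noexec loopback-backed filesystem; /var/tmp has no mount of its own, so
# it is just a directory on the root filesystem and will be reported as FAIL.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext3 rw,relatime,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Caveat from the diary itself: noexec blocks a binary dropped in /tmp, but
# not "perl /tmp/bot.pl" when an interpreter is installed. It is one layer.

if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_mounts "$f"
    audit_tmp_dirs "$f" /tmp /var/tmp /usr/tmp
    rm -f "$f"
fi
```

Run it against the real system with `audit_tmp_dirs /proc/mounts /tmp /var/tmp /usr/tmp`, or with `--demo` to see the constructed sample evaluated.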
Unless you turn off the systems, they will still need a bit of watching and caring. Do you have someone on call in case the burglar alarm goes off? Make sure you have someone checking the 'abuse' or 'security' mailboxes once a day (at least). You may have them even forwarded to a pager if you can filter the spam.
And while I am on the topic: Make sure you do actually have an 'abuse' and a 'security' alias for all of your domains. There are a number of aliases you should define for each of your domains:
RFC2142 provides a number of references to other RFCs, and suggests the following aliases:
- postmaster@domain (RFC822). This should exist on all mail servers. You should also have postmaster@IP-Address-of-the-mail-server.
- usenet@domain (RFC977). I know a lot of people will write to say differently. But I consider usenet dead for all practical purposes. You can probably do without this address.
Spam to these addresses has become a problem. I don't think there is a great solution, as some of the mail sent to these mail boxes may include copies of spam messages (even if you don't send them, others may impersonate you and you still want to know. Abuse reports are one way you will find out).
I can't find a reference right now (but I am sure someone will write with the correct RFC for it), but it is commonly suggested to also maintain a '/security' URL on all your websites. This URL should be used to provide contact information for security issues and information about security patches or such for any products you may offer. But this standard, while useful, is not widely implemented (is it still a 'standard'?).
Last but not least: Have fun this weekend. I think I will run some network cable in my house (already got the big drill, but still need one more Home Depot trip for some conduit). The holiday security guide should be live sometime tomorrow. We got some great input.
Thank you for the information X-Force!
Symantec's announcement -
SYM05-027, December 21, 2005, Symantec AntiVirus Decomposition Buffer Overflow
Further info: gift.com renames itself to c:\windows\winrpc.exe, and sets itself up as the service "Windows RPC Services". There is no rootkit built in; it is totally dependent on download instructions from the command and control site. Rather than calling it a "worm" as was reported in the press, a more accurate description is that it's a bot with replicating capabilities. Digging a bit deeper into the code, we found that it was also likely compiled/pushed to the distro point on 2005-12-18 18:09:11.000000000 -0500.
Several days ago Secunia issued a bulletin discussing a new vulnerability in phpBB-2.0.18 (which is the latest one and which, unfortunately, has been a pretty popular target over the last year or so). Fortunately, the vulnerability can only be exploited if a couple of settings are changed from the default to values that will open your web server to a lot more problems than just this one. Having said that, the exploit is now in the wild, so if you are running phpBB, make sure that you follow the recommendations and that "Allow HTML" and register_globals are both disabled. One of our intrepid readers also noticed that an exploit has been posted in several places that will do brute force dictionary attacks to get the passwords of phpBB users.
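An added check for the register_globals half of the advice above (example code written for this note, not from the ISC diary or from phpBB; the "Allow HTML" setting lives in the phpBB admin panel and is not covered here). It reads a php.ini-style file, takes the last uncommented assignment of a directive as PHP does, and treats every spelling PHP accepts as "on" (1, On, Yes, True) as enabled; a missing directive is reported as the compiled-in default, assumed here to be Off as it is in PHP 4.2 and later. The two ini fragments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the ISC diary: flag a php.ini that enables
# register_globals, the setting the diary says must stay disabled.

# Print the effective value of directive $2 in php.ini-style file $1.
# Comments (";" to end of line) are stripped first, the last assignment
# wins, surrounding quotes and whitespace are removed. Prints nothing when
# the directive is absent.
ini_get() {
    sed -n -e 's/[[:space:]]*;.*$//' \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' | tail -n 1
}

# Return 0 when $1 is one of the values PHP reads as boolean "on".
php_bool_on() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        1|on|yes|true) return 0 ;;
        *)             return 1 ;;
    esac
}

# Report whether file $1 leaves register_globals disabled.
# Returns 0 when it is off (explicitly or by the assumed default),
# 1 when the file turns it on.
check_register_globals() {
    v=$(ini_get "$1" register_globals)
    if [ -z "$v" ]; then
        echo "register_globals not set; PHP default (Off, assumed) applies"
        return 0
    elif php_bool_on "$v"; then
        echo "register_globals = $v: ENABLED, set it to Off"
        return 1
    else
        echo "register_globals = $v: disabled"
        return 0
    fi
}

# Constructed php.ini fragments (not real files): the weak one enables the
# directive behind a trailing comment, the fixed one disables it.
write_weak_ini() {
    cat > "$1" <<'EOF'
[PHP]
; leftover from an old install
register_globals = On   ; some old script wanted this
display_errors = Off
EOF
}
write_fixed_ini() {
    cat > "$1" <<'EOF'
[PHP]
register_globals = Off
display_errors = Off
EOF
}

if [ "${1:-}" = "--demo" ]; then
    w=$(mktemp); x=$(mktemp)
    write_weak_ini "$w"; write_fixed_ini "$x"
    check_register_globals "$w"
    check_register_globals "$x"
    rm -f "$w" "$x"
fi
```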
Also, a couple of days ago a worm started making the rounds exploiting a vulnerability in the genealogy application PhpGedView. The authors have posted patches here which users are encouraged to apply as soon as possible.
Jim Clausing, jac /at/ isc.sans.org
Jim Clausing, jclausing /at/ isc.sans.org
One of our attentive readers sent us a note yesterday and we missed posting it in the diary. There's a nasty present waiting under your IM tree if you have been naughty this past year. Read on...
"A new worm posing as a come-on to a Santa Claus site is traveling across all the major instant messaging networks, a security firm warned Tuesday, and when recipients visit the bogus site, they're infected with a file hidden from sight by a rootkit. IMlogic said that the worm, dubbed "M.GiftCom.All," is circulating on the MSN, AOL, ICQ, and Yahoo instant messaging services, is a "Medium" threat, a relatively rare classification for the Waltham, Mass.-based company. Most IM worms and Trojans listed on its Threat Center receive only a "Low" classification. Like virtually all IM worms, M.GiftCom.All includes a URL in messages it spams out to contacts hijacked from previously-infected PCs. When users naively visit that site -- which is billed as a harmless Santa site -- a file is automatically downloaded to their computers. The file, usually named "gift.com" includes rootkit elements that cloaks it from security software. In addition, the downloaded executable tries to disable a number of anti-virus programs, adds a keylogger to the system to capture confidential information, and then spreads to others by snatching names from the user's IM client contact list..."
IM Logic -
"...Description: This worm broadcasts a URL out over IM clients which downloads an executable file, often named gift.com. When this file is executed, it hides itself and scans the registry, file system, and internet cache. By operating as a rootkit, the process is hidden from all tools and anti-virus software. It also attempts to shut down anti-virus software and makes several networking calls. Also it does keystroke logging and may attempt to propagate itself over IM clients..."
The vulnwatch article is here.
The Secunia advisory is here
VMWare's response is here.
Jim Clausing, jclausing at isc.sans.org
For complete details see, the Bugtraq posting, the Secunia advisory, and what I believe is Alex's paper.
We'll bring you more info as it becomes available.
Jim Clausing, jclausing at isc.sans.org
- RSS 2.0 should now be understood by most aggregators. When we originally started offering the RSS feed two years ago, RSS 0.91 was the most commonly used standard.
- RSS 2.0 allows us to include a 'TTL', which indicates to the RSS reader how frequently to refresh the feed. Let's see if this helps a bit with overly busy readers.
- We do get regular requests to include full diary content.
Now the advantage is of course that the RSS feed is a static page, and doesn't take a lot of resources to serve.
Another problem with RSS feeds is less technical: The ISC site does not want to be just a "news feed". In order to work, we do need you to interact with the site, and support us by providing reports about incidents and other feedback. Using an RSS reader will remove you from the actual site and lead to a more passive use. This is one reason why we will not offer full content of diary entries. For now, I added a "teaser" (first 100 characters). A technical problem with adding diary content is the fact that we have to strip links and characters that are not supported by the RSS standard.
Special note for Firefox users: You may see an odd character at the beginning of each headline but the first two. This is due to the fact that there is a new line at the start of each subject. For now, this is necessary to support the "iscalert" taskbar application. The feed is valid according to the validators I checked, so as far as I am concerned this is a bug in Firefox.
And don't forget that you can always get alerts of new diaries via e-mail: sign up here
and the VLAN issue is at:
That one was really great and I would recommend those interested in malware analysis to read them!
Now, I will take a break from it until January and will post new quizzes in 2006!
Thanks a lot for all submitters!
Pedro Bueno ( pbueno //&&// isc. sans. org)
We have warned Microsoft and are awaiting a reaction from them.
Confirmation the code works and/or snort IDS signatures will cause updates to this story as we get them.
The smartest mitigation strategy at this point is to plan an upgrade to the most recent version of IIS.
If you have samples of the malware, our malware team can have a look. You can upload them through our contact form.
Despite efforts to cut off the distribution points (http://www.honeynet.org.cn/honeyneten/index.htm) new versions of Dasher continue to pop up. Symantec identified Dasher.C yesterday that added an anti-security-software payload (your typical disable anti-virus and firewall type of gig.) New versions with new distribution points, and signature-evasion changes continue to come out. Before you ask: "which ones don't detect it?" Right now, it's most of them. In a few hours, I hope that list to be much shorter.
It would be simply swell if the AV developers would write sigs for the samples that we're sending them. I know it's a weekend... but I'm working.
So, why is Dasher "finding-legs?" or why is it successful?
To answer that, we have to ask Microsoft: why are services listening on ephemeral ports? Or, why are some filtering/firewall strategies blocking only 1024 and below?
Overall, the response procedure appears to be working. The 1025/TCP scans were detected, packets were gathered, the vector was identified, examples of the code were captured, and command-and-control points were neutralized. Everything went according to plan, just not as quickly as I hoped.
Now, I'm waiting for Prancer.
Update 23:10 UTC: It took most of the AV vendors their sweet time to get the patterns out for this one. Now things slowly start to look a bit more cheerful, though we know of at least one vendor where the Beagle/Bagle attachment still sails right through the filter, even though the vendor website claims that protection is in the current pattern. If you are not yet anyway already blocking all .exe (and .exe within .zip) on your email gateway, days like today should maybe make you reconsider.
[Note: This problem description and resolution has not yet been verified by SANS ISC]
Update 15:27 UTC: Georg Wicherski from the German Honeynet Project has successfully captured the full exploit, including payload, on one of these tcp/1025 attacks. The payload will be called Dasher.B by F-Secure - and unlike the .A variant, this one does work, and drop a keylogger. Georg is planning to update mwcollect with MS05-051 detection and capture code over the next days.
E-mails
Plain text messages are obviously little risk and don't need warnings against them. It gets worse when there are attachments involved. Some of these attachments will not be just a simple picture. Many will include executable programs. Those attachments might contain gifts you just do not want to receive. The best policy is to ignore those wishes from people you do not know to start with, and to be extremely careful even with the attachments to E-mails from the people you do know. Let's face it, many of those attachments are not created from scratch by the well-wisher; they contain foreign components whose creator you might not have the needed trust in.
Also show the good example and just send plain old text messages to your contacts. It's a matter of leading by example. We'll come back to this ...
E-cards
E-cards are a different story. From a sender's perspective, there are a number of companies trying to offer a responsible service, but how do you recognize them? If you use one of the services you give the company behind it the list of e-mail addresses of your friends. If the company is trustworthy that should cause little concern, but how can you be sure?
On the receiving end it gets worse: sometimes it says who tried to send you something, sometimes it doesn't. Sometimes you know the company sending you the e-card, sometimes you've never heard of them. You do know that the sender sometimes gets a confirmation that you went and read the card.
If you read this regularly, you might even be aware of possible cross site scripting issues that could be exploited somehow.
So what to do?
Start your own chain of secure greetings this year
Send out the E-mail greetings early this year to your contacts. Keep it plain text and ask them to please not send you e-cards, as you will not read them this year for security reasons.
If enough people do that, there will hopefully be a few less incidents of people getting infected with all sorts of malware and loss of privacy.
So in summary: Make sure you grab the MS05-054 update. It has fixes for things that have been exploited since last month.
Just thinking back, I do not remember a diary about the PCI standards, but I have slept once or twice in the past year since they came into existence. So for those that have missed this, the major credit card companies have developed a set of data security standards with which merchants will need to comply. This includes the Sam's Clubs or other large merchants all the way down to that coffeehouse down the street which may only be processing 20,000 transactions in a year. (Personally I think that some subsection of these standards should also apply to merchants with a single transaction _ever_.)
As IT Security professionals, are you aware of locations within your company that process credit card transactions? If you aren't, then take a closer look; there is probably one somewhere in most companies. Has your business complied with the PCI standards? If you haven't, you need to get moving, because you are about 6 months late.
If you are looking for resources to catch up on PCI standards, here are a few sites where you can get more information. If any of you have other good resources, please go ahead and post them our direction. I will update the below list with a more comprehensive list.
SANS PCI Webcast - November 2005
Visa Cardholder Information Security Program
Update (22:30 UTC): This seems to have been resolved in the past hour. Not exactly sure what happened, but I guess that is what you get for using beta software right? In any case, thank you google for the free 2.6G and growing disc space.
MS05-055: Vulnerability in Windows Kernel Could Allow Elevation of Privilege. A vulnerability in the Asynchronous Procedure Call queue allows local users to escalate their privileges. A regular user (who has to be logged in first) could use this vulnerability to gain Administrator privileges.
Microsoft rates this vulnerability as "Important" as there is no direct remote vector to exploit this issue. However, coupled with an Internet Explorer vulnerability or similar issues, this could be used to gain Administrator privileges even if a user runs Internet Explorer as a less privileged user.
Note that remote exploit may be possible if user credentials are known.
Something to keep in mind is that this time there may be several unscrupulous activities using 53. Other malware that has been discovered in recent months, using Port 53, include Backdoor.Civcat, Trojan.Esteems.C, Trojan.Esteems, and W32.Beagle.BH@mm.
Any thoughts welcome.....
As reported by Koon Tan yesterday we have seen, and are continuing to see, increased activity reported by more users now. The link below will show a graph that indicates activity over the past ~72 hours.
We still need full packet captures to help nail this down, so if anybody has them please submit them via the 'Contact' link at the top of the page.
Core Security Technologies has an excellent article on this subject and RPC Vulnerabilities. One highlight from this article is that the "patches for these vulnerabilities ..... effectively fix the problem(s)" with the vulnerabilities used in the discussion. All of the vulnerabilities are more than 18 months old; these fixes have been out for some time, giving lots of time for admins to perform testing and loading of said patches.
Ikarus 0.2.59.0 12.10.2005 Backdoor.Perl.Whoredoor.08
Kaspersky 126.96.36.199 12.10.2005 Rootkit.Linux.Matrics.sk
McAfee 4647 12.09.2005 Linux/BackDoor
2) On another note, Juha-Matti has pointed out an interesting trojan, Trojan.Spaxe. The interesting part is that it displays a balloon message made to look as if it came from the Windows Automatic Updates icon in the System Tray, with the following text:
"Your computer is infected!
Windows has detected spyware infection.
It is recommended to use special antispyware tools to prevent data loss.
Windows will now download and install the most up-to-date antispyware for you.
Click here to protect your computer from spyware."
Clicking on the balloon will result in downloading a file from the Internet.
3) You may have read in the news that there will be a Sober worm attack on 5 Jan 06. This is due to the pre-programmed date on which the current Sober variant activates. The interesting part is that this Sober variant is able to create pseudorandom URLs which change based on the date. It can also synchronize the infected systems via atomic clocks, so it does not matter if the system clock is incorrect. F-Secure has published a list of URLs that you may want to block. You can read the details in F-Secure's nice writeup.
[Update to (3)]
On another note, LURHQ has a writeup on the key dates in the various Sober variants. It mentions that the Sober.Y activation date should be after 5 Jan 06: the logic is "current date > Jan 5" and not "current date == Jan 5". Thanks to Dominic for pointing this out.
and may require a restart. One of which may or may not be the unpatched Internet Explorer vulnerability reported by us here:
IE 0 Day
The Microsoft Advanced Bulletin is here:
They will also be updating the Malicious Software Removal Tool and releasing two
Adrien de Beaupre
Handler of the Day
Cinnabar Networks Inc.
Stefan Esser published a critical vulnerability in phpMyAdmin, a popular web-based MySQL administration package. What's interesting about this vulnerability is that it occurs in the very code that is supposed to protect the application.
The variable $import_blocklist is supposed to list the variables that may not be overwritten. However, because this variable is itself not protected, an attacker can overwrite it and change the blocklist, which can then be exploited to execute arbitrary script code in the user's browser session, in the context of the site running a vulnerable installation of phpMyAdmin.
If you use this product, be sure to upgrade to phpMyAdmin 2.7.0-p1 from http://sourceforge.net/project/showfiles.php?group_id=23067. The original advisory is at http://www.hardened-php.net/advisory_252005.110.html.
Thanks to Richard for sending the note!
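The pattern behind this bug is easy to reproduce in miniature: a loop that copies request parameters into the global namespace, skipping names on a blocklist, while the blocklist itself is just another global the loop is allowed to write. The simulation below is an added example and is not phpMyAdmin's code; PHP's register_globals behaviour is imitated with a plain dictionary, and the namespace entries (`cfg`, `site_url`) and the request contents are constructed for illustration.

```python
# Constructed simulation (not phpMyAdmin's code) of a request-to-globals import
# guarded by a blocklist that lives in the very namespace it is meant to protect.

# Names that must never be settable from the request. The hardened version
# protects the blocklist variable itself; the flawed one forgets to.
PROTECTED_NAMES = ("cfg", "import_blocklist")


def import_request_vulnerable(ns, request):
    """Flawed pattern: the blocklist is an ordinary entry in `ns`, and the loop
    re-reads it on every iteration. A request whose first key is
    'import_blocklist' replaces the list, so every later key is imported."""
    ns["import_blocklist"] = ["cfg"]          # the blocklist does not list itself
    for key, value in request.items():        # key order is whatever the client sent
        if key not in ns["import_blocklist"]:
            ns[key] = value
    return ns


def import_request_hardened(ns, request):
    """Safer pattern: the blocklist is a local, immutable constant that names
    itself, so nothing in the request can change which names are protected."""
    blocklist = frozenset(PROTECTED_NAMES)
    for key, value in request.items():
        if key in blocklist:
            continue
        ns[key] = value
    return ns


def demo():
    """Run both importers against the same constructed request and return the
    resulting value of the protected 'cfg' entry for each."""
    # Request as a parser would deliver it: the blocklist override arrives
    # before the protected name that the request then tries to set.
    request = {"import_blocklist": [], "cfg": {"site_url": "http://attacker.invalid"}}
    vulnerable_ns = import_request_vulnerable(
        {"cfg": {"site_url": "https://admin.example.org"}}, dict(request))
    hardened_ns = import_request_hardened(
        {"cfg": {"site_url": "https://admin.example.org"}}, dict(request))
    return vulnerable_ns["cfg"]["site_url"], hardened_ns["cfg"]["site_url"]


if __name__ == "__main__":
    print(demo())
```

Making the blocklist a local constant closes the hole shown here, but the more general lesson is that request data should not be imported into the global namespace at all; read each expected parameter explicitly from the request instead.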
Besides this, iDefense published an advisory about a design error in Dell's TrueMobile 2300 Wireless Broadband Router. By accessing a certain page it is possible to obtain another page which will allow an attacker to reset authentication credentials.
It was reported that the following firmware versions are affected:
* 188.8.131.52, dated 07/24/2003
* 184.108.40.206, dated 1/31/2004
Dell stated that this product is no longer being sold and that it was replaced with newer models which are not affected by this vulnerability, so no patch will be released.
We wonder if you can go and return the device for a new one - let us know if you try to do this.
Finally, PoC exploits for some old vulnerabilities have been released.
The first one is for a two-year-old Oracle 9i vulnerability, the XDB HTTP Authentication Remote Stack Overflow. You can find more information about the vulnerability at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0727.
The second exploit is for the HP OpenView Network Node Manager Remote Command Execution vulnerability. connectedNodes.ovpl, a script that comes with HP OpenView, had inadequate input validation, so an attacker was able to execute arbitrary system-level commands. HP released the patch for this vulnerability on the 5th of October; their original advisory is available at http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01224.
As we research this more, details will be added on to this post.
The machine I was testing this on has McAfee Enterprise 8, and Firefox would not crash. Despite my valiant efforts in disabling the protection, I couldn't get it to crash. While annoyed that I couldn't (short of uninstalling) get the protection disabled, it probably is a good thing. I'll test more when I get in the office tomorrow and have more machines to play with.
This seems to be more of a denial of service than a true buffer overflow. It looks like Firefox just chokes on page topics that are too long. For some people it hangs, for others it crashes.
However, the following is a workaround that should work (if it doesn't let me know). Go to Tools -> Options.
Select the Privacy icon, and then the History tab. Set the number of days to save pages to 0. As far as I can tell, this disables writing anything to history.dat and should nullify the exploit. Readers have confirmed that this workaround does prevent the buffer overflow. You can also change your privacy settings to delete personal info when you close Firefox.
Another workaround is to modify prefs.js while Firefox has not been started and put in the line:
Lastly, you can also run the NoScript extension, found here. (Which I have not looked at in depth.) However, there are other ways of exploiting this where NoScript might not work.
Some users have reported being unable to reproduce this error. I will test more to try to establish what makes this work and not. So far it appears Mac users are not affected by this.
HOW TO LOCATE THE PROFILE FOLDER:
If you need to delete your history.dat file (in case you tested this PoC code), it can be difficult to locate where exactly this file is.
You can find instructions for locating the profile folder at the following URL: http://www.mozilla.org/support/firefox/edit#profile.
John Bambenek, bambenek *at* gmail *dot* com
The impact of this kind of attack is probably small, but it does present an interesting new vector for tricking users into going to locations that include the standard class of passive web browser exploits. Something like this using code that wasn't immediately known to the AV vendors and using an item that was very popular (say an XBOX 360 at release) could create a situation ripe for widespread exploitation.
Any site that allows users to enter HTML or images could theoretically be misused this way. This illustrates the importance of validating end-user input, both by restricting what users can submit and, in the case of images, by checking that the image files contain no exploits. These checks need to be repeated rather than performed only at submission time, so that new DATs can examine existing files that may have gotten in before those DATs were available.
John Bambenek, bambenek *at* gmail *dot* com
First, for some unknown reason, it is in our human nature to want to click on anything clickable! Maybe it's the rebel in us all, a form of expression. Regardless of who you are, we all click on URLs, especially on sites that we trust. How many viruses have you had to fight off at your organization from users clicking on links in email they got? Well, we don't want to contribute to that infection rate. However, if you are one of the very few, probably countable on one hand, who actually types every single URL, my hat's off to you!! But for the rest of us, we don't post the URLs of malicious sites, to help protect folks from themselves and that insatiable urge to click on things. If we were to point users to a URL which has malware on it like http://220.127.116.11/vir_r00tk1t.html (Don't click on that link) then there is a chance a security-minded user could accidentally click the link while copying it to an email or another window. Whether you're a newbie or an oldie, accidents do happen.
Second (you'll need to think devious), if you are a bad guy and you want to stay up on some of the latest exploits, or if you have done some exploiting and wonder if someone is on to you, where would you look? Well, major security sites with forums would be a good start: a place where you can see the latest happenings as they are posted. Since good guys as well as bad guys visit our site, we don't post the links, to keep the "bad guys" from getting their hands on new malware or pointers to the latest exploit code. The last thing we want to do is to help further their endeavors. Sure, if they want it they can probably find it, but we're not going to make it easy for them and they'll have to get it somewhere else. We all need to be responsible with what we post and make available. Things that can be used for good can be used for evil as well.
Hopefully this cleared up things for folks as to why we don't post the full URL to malicious sites or post the links to exploit code for that matter. We really enjoy helping everyone and part of that is protecting everyone who visits the site.
The worm is simple and doesn't exploit any vulnerability; instead it relies on social engineering.
The user will receive the following AIM message:
"This AIM user has sent you a Greetings Card, to open it visit: http://greetings.aol.com/index.pd?source=christmastheme?my_christmas_card.COM"
Instead of going to the AOLs site, this link actually points to a different site (http://<REMOVED>.<REMOVED>.134.156/My_Christmas_Card.COM) from which the user will download the worm.
This file is a SDBot variant and at the moment the most popular AV programs detect it generically.
Thanks to Joshua!
Thanks for all the feedback received!
Pedro Bueno (pbueno //&&// isc. sans. org)
Let me know if you find this useful.
1) Criminal groups are starting to exploit the (still unpatched) IE vulnerability. This could get ugly soon.
2) Update: Several people have reported that a patch is now available, so patch now!... There is a very serious bug in most Panda antivirus products that seems to still be unpatched. This was announced several days ago. Possible mitigation is to block .zoo attachments at your network entry points (email and web browsing). Of course, you might be in trouble if Panda *is* your mail filtering server.
3) One person reported that Google now allows Gmail functionality to run on www.google.com. This change caused his web filtering software company to categorize www.google.com as webmail. And since his organization doesn't allow webmail access, users were blocked from google. Did anybody else run into this problem?
It appears that depending on your platform/configuration the sunjavaupdate scheduler may not apply the updates or notify the end-user in a timely manner. It appears to check for updates on the one month anniversary of the original install. So it may not check again for quite some time.
The Sun Java download site will determine if an update is needed if you're using IE and ActiveX:
Also the JavaTester site details all the different methods for determining what if any JDK/JRE is installed:
Also be aware many systems accumulate Java versions over time so you may have more than one installed.
Why do I think this way? Well.... Glad you asked.
Yesterday, Microsoft updated the advisory located at KB911302 with a couple of tidbits. First, they made mention of both Proof of Concept and malicious software which appear to be targeting the reported vulnerability. Second, they also mention the Windows Live Safety Center where end users can scan for and remove any malicious software and variants that may be running around now.
Throwing in that Microsoft has on occasion released out-of-cycle patches (June 2004 is a case in point in my mind), then I think it is a safe bet that Microsoft will take appropriate steps to fix the problem as quickly as possible. In the meantime there are 2 things I can continue to suggest.
1) Be vigilant. Know that a patch will be forthcoming hopefully within the next 2 weeks and be ready to deploy quickly.
2) If your organization can operate with one of the workarounds Microsoft has mentioned in KB911302, then I recommend mitigating your risk as much as possible. We all have at least one person who is a little too...uhm...liberal with browsing the Internet on company time. Think about it, that very person is probably shopping for Christmas* presents right now on less-than-secure sites. SO....I would suggest doing those workarounds to that computer first. :-)
* For those that celebrate other holidays in December than Christmas, this statement is not meant to be offensive in any shape or form, or otherwise slight your holiday of choice.
It was just a question of when malware authors would start exploiting this Internet Explorer vulnerability.
When users visit certain web sites, a file will be dropped on their machine using this exploit. The file being dropped is currently detected as TrojanDownloader:Win32/Delf.DH. When executed, this dropper will download another trojan.
Microsoft published information about this trojan at http://www.microsoft.com/security/encyclopedia/details.aspx?name=TrojanDownloader:Win32/Delf.DH.
Thanks to Juha-Matti!